<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 2.7.0) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-liao-cose-c509-revocation-00" category="std" consensus="true" submissionType="IETF" tocDepth="4" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="C509 Revocation">CBOR Encoded Certificate Revocation Management</title>
    <seriesInfo name="Internet-Draft" value="draft-liao-cose-c509-revocation-00"/>
    <author initials="L." surname="Liao" fullname="Lijun Liao">
      <organization>NIO</organization>
      <address>
        <email>lijun.liao@nio.io</email>
      </address>
    </author>
    <author initials="M." surname="Tiloca" fullname="Marco Tiloca">
      <organization>RISE AB</organization>
      <address>
        <email>marco.tiloca@ri.se</email>
      </address>
    </author>
    <author initials="J." surname="Höglund" fullname="Joel Höglund">
      <organization>RISE AB</organization>
      <address>
        <email>joel.hoglund@ri.se</email>
      </address>
    </author>
    <author initials="R." surname="Höglund" fullname="Rikard Höglund">
      <organization>RISE AB</organization>
      <address>
        <email>rikard.hoglund@ri.se</email>
      </address>
    </author>
    <author initials="S." surname="Raza" fullname="Shahid Raza">
      <organization>University of Glasgow</organization>
      <address>
        <email>shahid.raza@glasgow.ac.uk</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>COSE Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 84?>

<t>This document specifies CBOR-encoded PKI structures for use with C509 certificates (draft-ietf-cose-cbor-encoded-cert), X.509 certificates (RFC 5280), and future certificate types. It defines C509 CRL and C509 OCSP, compact CBOR encodings of X.509 Certificate Revocation Lists (RFC 5280) and OCSP messages (RFC 6960), respectively. The structures defined in this document are certificate-type agnostic and can be used with C509 certificates, X.509 certificates, or future certificate types without modification. C509 OCSP improves on RFC 6960 by signing a wider set of fields to prevent algorithm-substitution and certificate-chain substitution attacks, replacing plaintext serial numbers with hashes to preserve requestor privacy, replacing the two-hash issuer identity with a single certificate hash, and identifying all participants (requestor, responder, issuer) by a uniform certificate hash rather than type-specific fields. C509 CRL and C509 OCSP are not wire-format-compatible with their DER-encoded X.509 counterparts and cannot be converted to or from them without semantic interpretation.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-liao-cose-c509-revocation/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        CBOR Object Signing and Encryption (cose) Working Group mailing list (<eref target="mailto:cose@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/cose/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/cose/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/lijun-nio/idc509rev"/>.</t>
    </note>
  </front>
  <middle>
    <?line 88?>

<section anchor="intro">
      <name>Introduction</name>
      <t>Public Key Infrastructure (PKI) for constrained environments <xref target="RFC7228"/> requires compact certificate representations and compact revocation information.  <xref target="I-D.ietf-cose-cbor-encoded-cert"/> defines C509 certificates, a CBOR encoding of X.509 certificates <xref target="RFC5280"/> that reduces certificate size by over 50% for typical constrained-device profiles.  However, revocation mechanisms -- Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) messages -- have not yet received the same treatment.</t>
      <t>CRLs as defined in <xref target="RFC5280"/> can be large, especially when many certificates have been revoked or when CRL extensions add overhead.  OCSP responses as defined in <xref target="RFC6960"/> carry per-certificate status information and may be exchanged during TLS <xref target="RFC8446"/> and DTLS <xref target="RFC9147"/> handshakes via OCSP stapling <xref target="RFC6066"/>, directly affecting handshake latency.</t>
      <t>Note on terminology: The label "C509" is used for consistency with the C509 certificate encoding and to promote a cohesive C509 PKI ecosystem (C509 certificates, CRLs, OCSP, and related tooling). Although this document uses "C509" in its names, the encodings and protocols defined here are certificate-type agnostic and apply equally to X.509 certificates and other certificate types; see <xref target="cert-type-interop"/>.</t>
      <t>This document specifies:</t>
      <ul spacing="normal">
        <li>
          <t><strong>C509 CRL</strong> -- a natively signed CBOR <xref target="RFC8949"/> encoding of X.509 CRLs (<xref section="5" sectionFormat="comma" target="RFC5280"/>).  The signature is computed over the CBOR Sequence <xref target="RFC8742"/> <tt>TBSCertList</tt>; no ASN.1 encoding is involved.</t>
        </li>
        <li>
          <t><strong>C509 OCSP</strong> -- a CBOR encoding of OCSP requests and responses (<xref target="RFC6960"/>).  The encoding compresses common fields while preserving semantic equivalence.  Four key improvements are made over <xref target="RFC6960"/>:  </t>
          <ul spacing="normal">
            <li>
              <t>The signature in signed requests and responses is computed over a wider set of fields than in <xref target="RFC6960"/>, including the signature algorithm and the certificate chain, preventing algorithm-substitution and certificate-chain substitution attacks.</t>
            </li>
            <li>
              <t>Certificate serial numbers in requests and responses are replaced by hashes (<tt>serialNumberHash</tt>), providing privacy against passive observers who do not already know the queried serial numbers.</t>
            </li>
            <li>
              <t>The issuer is identified by a single hash over the issuer certificate (<tt>issuerCertHash</tt>) rather than by the two-hash <tt>CertID</tt>, reducing per-issuer overhead.</t>
            </li>
            <li>
              <t>All participants -- requestor, responder, and issuer -- are identified by a hash over their certificate (<tt>requestorCertHash</tt>, <tt>responderCertHash</tt>, <tt>issuerCertHash</tt>) rather than by a plaintext Subject distinguished name or SubjectKeyIdentifier, avoiding structural <tt>CHOICE</tt> types such as the X.509 <tt>ResponderID</tt> (<tt>byName</tt> or <tt>byKey</tt>) and simplifying support for different certificate types (e.g., C509, X.509, or future types) because the same hash applies regardless of the certificate encoding.</t>
            </li>
          </ul>
          <t>
See the field encoding sections of this document for details.  </t>
          <t>
The request and response structures defined in this document are certificate-type agnostic: they can be used with C509 certificates, X.509 certificates, or any future certificate type without modification; see <xref target="cert-type-interop"/>.</t>
        </li>
      </ul>
      <t>C509 CRL and C509 OCSP apply the same compression techniques as C509 certificates: static fields are elided, OIDs are replaced with short integers, time values are compressed to POSIX timestamps, and redundant encoding is removed.  Implementers may use the CBOR playground <xref target="CborMe"/> to inspect encoded examples.</t>
      <t>C509 CRL and C509 OCSP are not wire-format-compatible with their DER-encoded counterparts defined in <xref target="RFC5280"/> and <xref target="RFC6960"/>.  Systems that use C509 CRL or C509 OCSP must explicitly support these CBOR-encoded formats; they cannot be transparently substituted for or derived from the corresponding DER-encoded structures.</t>
      <t>C509 CRL and C509 OCSP are designed to be compatible with certificate profiles for constrained deployments, such as <xref target="RFC7925"/>.</t>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses the terminology from <xref target="RFC5280"/>, <xref target="RFC6960"/>, <xref target="RFC7228"/>, <xref target="RFC8610"/>, <xref target="RFC8742"/>, <xref target="RFC8949"/>, and <xref target="RFC9682"/>.  Unless otherwise stated, "CBOR" refers to deterministically encoded CBOR as specified in Sections <xref target="RFC8949" section="4.2.1" sectionFormat="bare"/> and <xref target="RFC8949" section="4.2.2" sectionFormat="bare"/> of <xref target="RFC8949"/>.</t>
    </section>
    <section anchor="imports">
      <name>Imported Definitions</name>
      <t>The following types are imported from <xref target="I-D.ietf-cose-cbor-encoded-cert"/>:</t>
      <ul spacing="normal">
        <li>
          <t><tt>Name</tt>: no limitation.</t>
        </li>
        <li>
          <t><tt>Extensions</tt>: only the <tt>( extensionID: int, extensionValue: Defined )</tt> choice of Extension is permitted.</t>
        </li>
        <li>
          <t><tt>COSE_C509</tt>: no limitation.</t>
        </li>
        <li>
          <t><tt>AlgorithmIdentifier</tt>: no limitation.</t>
        </li>
      </ul>
      <t>The following type is imported from <xref target="RFC9360"/>:</t>
      <ul spacing="normal">
        <li>
          <t><tt>COSE_X509</tt>: no limitation.</t>
        </li>
      </ul>
      <t>This document further defines the following constrained alias for use in all CDDL definitions:</t>
      <sourcecode type="cddl" name="c509crl.cddl"><![CDATA[
IntAlgorithmIdentifier = int
]]></sourcecode>
      <t><tt>IntAlgorithmIdentifier</tt> is the <tt>int</tt>-only instantiation of <tt>AlgorithmIdentifier</tt> from <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.  It is used throughout this document wherever an algorithm identifier appears in the wire encoding.</t>
    </section>
    <section anchor="time-encoding">
      <name>Encoding of Time Fields</name>
      <t>Time fields are encoded as unwrapped CBOR epoch-based date/time (<tt>~time</tt>).  The tag content <bcp14>MUST</bcp14> be a non-negative integer.  In POSIX time <xref target="POSIX"/>, leap seconds are ignored; a leap second has the same POSIX time as the second before it.</t>
    </section>
    <section anchor="c509crl">
      <name>C509 CRL</name>
      <section anchor="overview">
        <name>Overview</name>
        <t>A C509 CRL is a natively signed CBOR <xref target="RFC8949"/> encoding of an X.509 v2 CRL as defined in <xref section="5" sectionFormat="comma" target="RFC5280"/>.  The signature is computed over the CBOR Sequence <xref target="RFC8742"/> <tt>TBSCertList</tt>; no ASN.1 encoding is involved.  A C509 CRL preserves the semantics of the corresponding DER-encoded X.509 CRL for the subset of RFC 5280 structures supported by this document.</t>
        <t>A C509 CRL is not wire-format-compatible with a DER-encoded X.509 CRL.  The two formats cannot be mechanically converted to or from each other without semantic interpretation of the contained data.</t>
      </section>
      <section anchor="crl-cddl">
        <name>C509 CRL CDDL</name>
        <t>The following CDDL defines the top-level <tt>C509CRL</tt> structure and the <tt>TBSCertList</tt> sequence:</t>
        <figure anchor="fig-CRLcddl">
          <name>CDDL for C509CRL</name>
          <sourcecode type="cddl" name="c509crl.cddl"><![CDATA[
C509CRL = [
  TBSCertList,
  signatureValue : any,
]

TBSCertList = (
  CRLInfoData,
  revokedCertsList       : [+ PerIssuerRevokedCerts] / null
)

C509CRLInfo = [ CRLInfoData ]

CRLInfoData = (
  crlType                : uint,   ; 0 = C509CRL
  signatureAlgorithm     : IntAlgorithmIdentifier,
  authoritySubject       : Name / #6.121(bytes),
  authorityKeyIdentifier : bytes / null,
  crlNumber              : uint,
  thisUpdate             : ~time,
  nextUpdate             : uint / null,
  baseCrlNumber          : uint / null,
  crlExtensions          : Extensions,
)

PerIssuerRevokedCerts = (
  issuer                 : Name / #6.121(bytes) / null,
  revokedCertsControl    : RevokedCertsControl / null,
  extensions             : Extensions,
  revokedCerts           : bytes / null,
  removedFromCRLCerts    : bytes / null,
)

RevokedCertsControl = [
  flags               : uint,
  serialNumberLength  : uint,
  dateLength          : uint,
  baseDate            : ~time,
]
]]></sourcecode>
        </figure>
      </section>
      <section anchor="crl-fields">
        <name>Field Encodings</name>
        <section anchor="crlinfodata-and-c509crlinfo">
          <name>CRLInfoData and C509CRLInfo</name>
          <t><tt>CRLInfoData</tt> is a CDDL group that carries all CRL fields except <tt>revokedCertsList</tt>.  <tt>C509CRLInfo</tt> is the standalone CBOR array form of <tt>CRLInfoData</tt>; it can be used to convey CRL freshness information (crlType, signature algorithm, issuer identity, CRL number, validity window, extensions) without the potentially large revocation list.  <tt>TBSCertList</tt> embeds <tt>CRLInfoData</tt> and adds <tt>revokedCertsList</tt>.</t>
        </section>
        <section anchor="crltype">
          <name>crlType</name>
          <t>The <tt>crlType</tt> field serves as the type discriminator for <tt>C509CRL</tt>, following the same extensibility pattern as <tt>ocspRequestType</tt> and <tt>ocspResponseType</tt>.  This document defines only type 0, corresponding to the <tt>C509CRL</tt> structure.  Future specifications may define additional types by assigning new integer values.</t>
        </section>
        <section anchor="signaturealgorithm">
          <name>signatureAlgorithm</name>
          <t>Encoded identically to the <tt>int</tt> choice of <tt>issuerSignatureAlgorithm</tt> in C509 certificates (see <xref section="3.1.11" sectionFormat="comma" target="I-D.ietf-cose-cbor-encoded-cert"/>).  Algorithm integer values are from the same registry used for C509 certificates.</t>
          <t>Unlike in <xref target="RFC5280"/>, where the signature algorithm appears outside the <tt>TBSCertList</tt> and is therefore not covered by the CRL signature, <tt>signatureAlgorithm</tt> is part of <tt>CRLInfoData</tt> within <tt>TBSCertList</tt> and is therefore covered by the signature.  This prevents algorithm-substitution attacks on the CRL.</t>
        </section>
        <section anchor="authoritysubject-and-authoritykeyidentifier">
          <name>authoritySubject and authorityKeyIdentifier</name>
          <t>The <tt>authoritySubject</tt> and <tt>authorityKeyIdentifier</tt> fields identify the CRL authority.</t>
          <t>The <tt>authoritySubject</tt> field identifies the subject of the CRL issuer.  When the CRL is issued by a C509 CA, <tt>authoritySubject</tt> is a <tt>Name</tt> value identical to the <tt>subject</tt> field of the authority C509 certificate.  When the CRL is issued by an X.509 CA (e.g., in a hybrid deployment where a legacy CA issues a C509-format CRL), <tt>authoritySubject</tt> is encoded as <tt>#6.121(bytes)</tt>, where the byte string contains the DER-encoded <tt>Name</tt> from the <tt>subject</tt> field of the issuing X.509 CA certificate (<xref target="X.690"/>).</t>
          <t>The <tt>authorityKeyIdentifier</tt> field is identical to the value of the authority's <tt>subjectKeyIdentifier</tt> extension.  This field corresponds to the X.509 CRL extension <tt>authorityKeyIdentifier</tt> (<xref section="5.2.1" sectionFormat="comma" target="RFC5280"/>).  It is promoted to a dedicated field because it <bcp14>MUST</bcp14> be present in conforming X.509 CRLs and because making it explicit simplifies the structure and reduces encoded size compared to representing it as a generic extension.</t>
        </section>
        <section anchor="crlnumber">
          <name>crlNumber</name>
          <t>The <tt>crlNumber</tt> field is encoded as an unsigned integer (<tt>uint</tt>).  It corresponds to the <tt>cRLNumber</tt> extension in <xref section="5.2.3" sectionFormat="comma" target="RFC5280"/>, which this document replaces with a dedicated field.  The value is monotonically increasing for both full and delta CRLs.</t>
        </section>
        <section anchor="thisupdate-and-nextupdate">
          <name>thisUpdate and nextUpdate</name>
          <t>The <tt>thisUpdate</tt> field is encoded as described in <xref target="time-encoding"/>.  The <tt>nextUpdate</tt> field is encoded as a <tt>uint</tt> representing the number of seconds from <tt>thisUpdate</tt> until the next CRL is expected to be issued.  It is encoded as <tt>null</tt> when no next update time is known.</t>
        </section>
        <section anchor="basecrlnumber">
          <name>baseCrlNumber</name>
          <t>The <tt>baseCrlNumber</tt> field is encoded as <tt>null</tt> for a full CRL.  For a delta CRL, it contains the CRL number of the corresponding base full CRL.</t>
        </section>
        <section anchor="reasoncode-encoding">
          <name>reasonCode Encoding</name>
          <t>The <tt>reasonCode</tt> ENUMERATED value is encoded as one unsigned byte.  The byte values are aligned with the ENUMERATED values of the <tt>CRLReason</tt> type defined in <xref section="5.3.1" sectionFormat="comma" target="RFC5280"/>; a C509 <tt>revocationReason</tt> byte value equals the corresponding ASN.1 ENUMERATED integer value for the same reason code.</t>
          <table anchor="tab-reasoncode">
            <name>reasonCode encoding</name>
            <thead>
              <tr>
                <th align="center">Byte</th>
                <th align="left">reasonCode</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="center">0x00</td>
                <td align="left">unspecified</td>
              </tr>
              <tr>
                <td align="center">0x01</td>
                <td align="left">keyCompromise</td>
              </tr>
              <tr>
                <td align="center">0x02</td>
                <td align="left">cACompromise</td>
              </tr>
              <tr>
                <td align="center">0x03</td>
                <td align="left">affiliationChanged</td>
              </tr>
              <tr>
                <td align="center">0x04</td>
                <td align="left">superseded</td>
              </tr>
              <tr>
                <td align="center">0x05</td>
                <td align="left">cessationOfOperation</td>
              </tr>
              <tr>
                <td align="center">0x06</td>
                <td align="left">certificateHold</td>
              </tr>
              <tr>
                <td align="center">-</td>
                <td align="left">removeFromCRL</td>
              </tr>
              <tr>
                <td align="center">0x09</td>
                <td align="left">privilegeWithdrawn</td>
              </tr>
              <tr>
                <td align="center">0x0A</td>
                <td align="left">aACompromise</td>
              </tr>
            </tbody>
          </table>
          <t><tt>removeFromCRL</tt> (enumeration value 0x08) is not encoded in <tt>revokedCerts</tt>.  Certificates removed from the CRL are instead indicated in the <tt>removedFromCRLCerts</tt> field of <tt>PerIssuerRevokedCerts</tt>.</t>
        </section>
        <section anchor="revokedcertslist-and-perissuerrevokedcerts">
          <name>revokedCertsList and PerIssuerRevokedCerts</name>
          <section anchor="design-considerations">
            <name>Design Considerations</name>
            <t>In X.509 CRLs (<xref section="5.3.3" sectionFormat="comma" target="RFC5280"/>), an indirect CRL uses the <tt>certificateIssuer</tt> CRL entry extension to indicate that a revocation entry — and all subsequent entries — belong to a different issuer.  This mechanism has two significant drawbacks: (1) it is implicit and positional, making it difficult to parse correctly and error-prone to implement; and (2) it is impossible to represent an issuer that has no currently revoked certificates (e.g., to carry per-issuer extensions or to explicitly indicate that the issuer is known but has an empty revocation list), because there is no entry to attach the <tt>certificateIssuer</tt> extension to.</t>
            <t><tt>PerIssuerRevokedCerts</tt> solves both problems by introducing an explicit intermediate structure that groups all revocation information for one issuer.  The issuer is identified directly in the <tt>issuer</tt> field of the structure rather than being inferred from the position of a CRL entry extension.  This makes the grouping unambiguous and easy to parse, and it allows an issuer to appear in the list even when it has no revoked certificates.</t>
            <t>A second design problem in X.509 CRLs is that each revocation entry has variable length: the serial number length differs between certificates, the revocation date uses different encodings depending on whether the date falls before or after 2050, and optional per-entry extensions (e.g., reason code) may or may not be present.  This variable-length layout makes it impossible to determine whether a given serial number is present in the list without scanning every entry sequentially, resulting in O(n) lookup time.  In this document, the <tt>revokedCertsControl</tt> structure introduces fixed parameters (<tt>serialNumberLength</tt>, <tt>dateLength</tt>) that make every entry within <tt>revokedCerts</tt> exactly of the same size.  The <tt>flags</tt> field can additionally indicate that entries are sorted in ascending order by serial number, enabling binary search and reducing lookup time to O(log(n)).  Using a compact byte-string concatenation rather than a CBOR array of structured items further reduces encoded size and accelerates parsing.  Furthermore, certificates removed from the CRL (delta CRL <tt>removeFromCRL</tt> entries in X.509) are kept in a dedicated <tt>removedFromCRLCerts</tt> field rather than mixed into <tt>revokedCerts</tt>.  This keeps <tt>revokedCerts</tt> free of removal noise, reducing its size and allowing implementations to process currently-revoked and removed entries independently.</t>
          </section>
          <section anchor="fields">
            <name>Fields</name>
            <t>The <tt>revokedCertsList</tt> field is either a CBOR array of one or more <tt>PerIssuerRevokedCerts</tt> entries, each describing the revocation state for certificates issued by one issuer, or CBOR <tt>null</tt>.  <tt>revokedCertsList</tt> <bcp14>MUST</bcp14> be encoded as CBOR <tt>null</tt> when all of the following conditions hold: no certificates are currently revoked, no certificates have been removed from the CRL, the only issuer that would appear is the CRL's own <tt>authoritySubject</tt> (i.e., the <tt>issuer</tt> field is <tt>null</tt>), and there are no non-empty per-issuer extensions.</t>
            <t>Each <tt>PerIssuerRevokedCerts</tt> entry describes revoked certificates for one issuer using the following fields:</t>
            <ul spacing="normal">
              <li>
                <t>The <tt>issuer</tt> field identifies the issuer of the certificates covered by this <tt>PerIssuerRevokedCerts</tt> entry.  When the issuer is a C509 CA, it is encoded as a <tt>Name</tt> value identical to the <tt>issuer</tt> field of the covered C509 certificates.  When the issuer is an X.509 CA, it is encoded as <tt>#6.121(bytes)</tt> (tag 121 is alternative 0), where the byte string contains the DER-encoded <tt>Name</tt> from the <tt>issuer</tt> field of the covered X.509 certificates (<xref target="X.690"/>).  If the issuer is identical to the CRL's <tt>authoritySubject</tt> field, it <bcp14>MUST</bcp14> be encoded as CBOR <tt>null</tt>.</t>
              </li>
              <li>
                <t>The <tt>revokedCertsControl</tt> field defines the controls for interpreting <tt>removedFromCRLCerts</tt> and <tt>revokedCerts</tt>.  If either <tt>removedFromCRLCerts</tt> or <tt>revokedCerts</tt> is non-<tt>null</tt>, <tt>revokedCertsControl</tt> <bcp14>MUST NOT</bcp14> be <tt>null</tt>.  If both <tt>removedFromCRLCerts</tt> and <tt>revokedCerts</tt> are <tt>null</tt>, <tt>revokedCertsControl</tt> <bcp14>MUST</bcp14> be <tt>null</tt> to reduce CRL size.  </t>
                <ul spacing="normal">
                  <li>
                    <t>The <tt>flags</tt> field is an unsigned integer encoding boolean control bits for <tt>crlType = 0</tt>: bit 0 (value 0x01) indicates whether entries in <tt>revokedCerts</tt> are sorted in ascending order by the integer value of the certificate serial number; bit 1 (value 0x02) indicates whether each entry contains a reason code.  Bits greater than 1 are reserved for <tt>crlType = 0</tt> and <bcp14>MUST</bcp14> be zero and <bcp14>MUST</bcp14> be ignored by receivers.  Future <tt>crlType</tt> values defined in successor documents may assign additional bit meanings.</t>
                  </li>
                  <li>
                    <t>The <tt>serialNumberLength</tt> field defines the length, in bytes, of a certificate serial number.  It <bcp14>MUST</bcp14> be greater than 0.  It <bcp14>SHOULD</bcp14> be the smallest value that can encode all certificate serial numbers without leading zeros.</t>
                  </li>
                </ul>
                <t>
Each certificate serial number is encoded as a fixed-length big-endian integer of length <tt>serialNumberLength</tt>.  If the encoded value is shorter than <tt>serialNumberLength</tt>, it is left-padded with zeros.  </t>
                <ul spacing="normal">
                  <li>
                    <t>The <tt>dateLength</tt> field defines the length, in bytes, of the big-endian encoded revocation-date offset relative to <tt>baseDate</tt>.  A value of 0 means that no revocation date is included in <tt>revokedCerts</tt> entries.  This is permitted in C509-native deployments where the revocation date is not required -- for example, when minimizing revocation data is more important than recording the revocation time.  Implementations that need to convert a C509 CRL to an RFC 5280 DER-encoded CRL <bcp14>MUST</bcp14> set <tt>dateLength</tt> to a non-zero value, since <xref section="5.1" sectionFormat="comma" target="RFC5280"/> requires a <tt>revocationDate</tt> in every CRL entry.  When <tt>dateLength</tt> is non-zero, the offset <bcp14>MUST</bcp14> fit within the specified byte length without leading zero bytes.</t>
                  </li>
                  <li>
                    <t>The <tt>baseDate</tt> field is a reference time used to compute revocation and removal dates, encoded as described in <xref target="time-encoding"/>.  It <bcp14>MUST</bcp14> be greater than or equal to the issuer certificate's <tt>notBefore</tt>, which ensures that all stored offsets are non-negative.  It is <bcp14>RECOMMENDED</bcp14> to set <tt>baseDate</tt> to the earliest revocation date or removal-from-CRL date among all entries in this CRL, as this minimizes the magnitude of stored offsets and reduces encoding size.  Any time between the issuer certificate's <tt>notBefore</tt> (inclusive) and that earliest date (inclusive) is a conformant value.  Revocation dates in <tt>revokedCerts</tt> and removal dates in <tt>removedFromCRLCerts</tt> are stored as non-negative offsets, in seconds, from <tt>baseDate</tt>.</t>
                  </li>
                </ul>
              </li>
              <li>
                <t>The <tt>extensions</tt> field contains per-issuer extensions.  Only the <tt>(extensionID: int, extensionValue: Defined)</tt> choice is permitted.  If no per-issuer extensions are present, this field <bcp14>MUST</bcp14> be encoded as an empty CBOR array.</t>
              </li>
              <li>
                <t>The <tt>revokedCerts</tt> field is a CBOR byte string containing the concatenated byte sequence of revoked-certificate entries.  Each entry is the concatenation of:
                </t>
                <ul spacing="normal">
                  <li>
                    <t>a big-endian encoded certificate serial number of length <tt>serialNumberLength</tt>;</t>
                  </li>
                  <li>
                    <t>a big-endian encoded revocation-date offset from <tt>baseDate</tt>, in seconds, of length <tt>dateLength</tt> (absent when <tt>dateLength</tt> is 0); and</t>
                  </li>
                  <li>
                    <t>an optional reason code (1 byte if bit 1 of <tt>flags</tt> is set, absent otherwise).</t>
                  </li>
                </ul>
                <t>
If there are no entries, this field <bcp14>MUST</bcp14> be encoded as CBOR <tt>null</tt> instead of a zero-length byte string.  </t>
                <t>
The revocation date for a given entry is recovered by adding the stored offset to <tt>baseDate</tt>.  When <tt>dateLength</tt> is 0, no revocation date is stored and no date recovery is possible.  </t>
                <t>
Revoked-certificate entries have fixed length.  If bit 0 of <tt>flags</tt> is set, entries are sorted in ascending order, enabling binary search for a given serial number in O(log(n)) time.</t>
              </li>
              <li>
                <t>The <tt>removedFromCRLCerts</tt> field contains a concatenated byte sequence of entries for certificates removed from the CRL since publication of the CRL with <tt>crlNumber = baseCrlNumber</tt>.  Each entry is the concatenation of:
                </t>
                <ul spacing="normal">
                  <li>
                    <t>a big-endian encoded certificate serial number of length <tt>serialNumberLength</tt>; and</t>
                  </li>
                  <li>
                    <t>a big-endian encoded removal-date offset from <tt>baseDate</tt>, in seconds, of length <tt>dateLength</tt> (absent when <tt>dateLength</tt> is 0).</t>
                  </li>
                </ul>
                <t>
If there are no entries, this field <bcp14>MUST</bcp14> be encoded as CBOR <tt>null</tt> instead of a zero-length byte string.  </t>
                <t>
The removal date for a given entry is recovered by adding the stored offset to <tt>baseDate</tt>.  When <tt>dateLength</tt> is 0, no removal date is stored and no date recovery is possible.  </t>
                <t>
Removed-certificate entries have fixed length.  If bit 0 of <tt>flags</tt> is set, entries are sorted in ascending order, enabling binary search for a given serial number in O(log(n)) time.</t>
              </li>
            </ul>
          </section>
        </section>
        <section anchor="crl-extensions">
          <name>CRL Extensions</name>
          <t>The <tt>crlExtensions</tt> field contains extensions for the CRL.  Only the <tt>(extensionID: int, extensionValue: Defined)</tt> choice is permitted.  This document does not define any new CRL-level extensions.</t>
          <t><xref target="tab-crlExt"/> lists X.509 CRL extensions and their equivalents.</t>
          <table anchor="tab-crlExt">
            <name>CRL extensions and their equivalents</name>
            <thead>
              <tr>
                <th align="left">Code</th>
                <th align="left">Extension</th>
                <th align="left">Reference</th>
                <th align="left">Equivalent</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">-</td>
                <td align="left">authorityKeyIdentifier</td>
                <td align="left">
                  <xref section="5.2.1" sectionFormat="comma" target="RFC5280"/></td>
                <td align="left">field <tt>authorityKeyIdentifier</tt></td>
              </tr>
              <tr>
                <td align="left">-</td>
                <td align="left">issuerAltName</td>
                <td align="left">
                  <xref section="5.2.2" sectionFormat="comma" target="RFC5280"/></td>
                <td align="left">-</td>
              </tr>
              <tr>
                <td align="left">-</td>
                <td align="left">cRLNumber</td>
                <td align="left">
                  <xref section="5.2.3" sectionFormat="comma" target="RFC5280"/></td>
                <td align="left">field <tt>crlNumber</tt></td>
              </tr>
              <tr>
                <td align="left">-</td>
                <td align="left">deltaCRLIndicator</td>
                <td align="left">
                  <xref section="5.2.4" sectionFormat="comma" target="RFC5280"/></td>
                <td align="left">field <tt>baseCrlNumber</tt></td>
              </tr>
              <tr>
                <td align="left">-</td>
                <td align="left">issuingDistributionPoint</td>
                <td align="left">
                  <xref section="5.2.5" sectionFormat="comma" target="RFC5280"/></td>
                <td align="left">-</td>
              </tr>
              <tr>
                <td align="left">-</td>
                <td align="left">freshestCRL</td>
                <td align="left">
                  <xref section="5.2.6" sectionFormat="comma" target="RFC5280"/></td>
                <td align="left">-</td>
              </tr>
              <tr>
                <td align="left">-</td>
                <td align="left">authorityInfoAccess</td>
                <td align="left">
                  <xref section="5.2.7" sectionFormat="comma" target="RFC5280"/></td>
                <td align="left">-</td>
              </tr>
              <tr>
                <td align="left">-</td>
                <td align="left">orderedList</td>
                <td align="left">OID 2.5.29.56 (ITU-T X.509, Section 9.5.2.5)</td>
                <td align="left">field <tt>sorted</tt> (ascSerialNum); - (ascRevDate)</td>
              </tr>
              <tr>
                <td align="left">-</td>
                <td align="left">toBeRevoked</td>
                <td align="left">OID 2.5.29.58 (ITU-T X.509, Section 9.5.2.6)</td>
                <td align="left">-</td>
              </tr>
              <tr>
                <td align="left">-</td>
                <td align="left">revokedGroups</td>
                <td align="left">OID 2.5.29.59 (ITU-T X.509, Section 9.5.2.7)</td>
                <td align="left">-</td>
              </tr>
            </tbody>
          </table>
        </section>
        <section anchor="per-issuer-extensions">
          <name>Per-Issuer Extensions</name>
          <t>The <tt>extensions</tt> field of <tt>PerIssuerRevokedCerts</tt> contains per-issuer extensions.  Only the <tt>(extensionID: int, extensionValue: Defined)</tt> choice is permitted.  This document defines one per-issuer extension (<tt>expiredCertsOnCRL</tt>, see <xref target="ext-expired-certs"/>).</t>
          <t><xref target="tab-perIssuerExt"/> lists per-issuer extensions defined in this document.</t>
          <table anchor="tab-perIssuerExt">
            <name>Per-issuer extensions and their equivalents</name>
            <thead>
              <tr>
                <th align="left">Code</th>
                <th align="left">Extension</th>
                <th align="left">Reference</th>
                <th align="left">Equivalent</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">TBD4</td>
                <td align="left">expiredCertsOnCRL</td>
                <td align="left">OID 2.5.29.60 (ITU-T X.509, Section 9.5.2.8)</td>
                <td align="left">-</td>
              </tr>
            </tbody>
          </table>
          <section anchor="ext-expired-certs">
            <name>expiredCertsOnCRL</name>
            <t>The <tt>expiredCertsOnCRL</tt> extension indicates that this CRL includes revocation information for certificates that have already expired.  The extension value is a time value indicating the earliest expiration date of certificates included on the CRL; certificates that expired on or after this date are listed even if they are now expired.</t>
            <t>The extension value <bcp14>MUST</bcp14> be encoded as follows.</t>
            <sourcecode type="cddl" name="c509crl.cddl"><![CDATA[
ExpiredCertsOnCRL = ~time
]]></sourcecode>
            <t>The value is encoded as described in <xref target="time-encoding"/>.  When this extension is present, a relying party processing expired certificates (for example, for audit or archiving purposes) <bcp14>SHOULD</bcp14> use the indicated date to determine the extent of historical revocation coverage.</t>
          </section>
        </section>
        <section anchor="crl-entry-extensions">
          <name>CRL Entry Extensions</name>
          <t><xref target="tab-crlEntryExt"/> lists X.509 CRL entry extensions.  No corresponding extension is defined in this document.</t>
          <table anchor="tab-crlEntryExt">
            <name>CRL entry extensions defined for X.509 CRLs</name>
            <thead>
              <tr>
                <th align="left">Code</th>
                <th align="left">Extension</th>
                <th align="left">Reference</th>
                <th align="left">Equivalent</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">-</td>
                <td align="left">reasonCode</td>
                <td align="left">
                  <xref section="5.3.1" sectionFormat="comma" target="RFC5280"/> / ITU-T X.509, Section 9.6.2.1</td>
                <td align="left">field <tt>removedFromCRLCerts</tt> and <tt>revokedCerts</tt></td>
              </tr>
              <tr>
                <td align="left">-</td>
                <td align="left">holdInstructionCode</td>
                <td align="left">
                  <xref section="5.3.2" sectionFormat="comma" target="RFC5280"/> / ITU-T X.509, Section 9.6.2.2</td>
                <td align="left">-</td>
              </tr>
              <tr>
                <td align="left">-</td>
                <td align="left">invalidityDate</td>
                <td align="left">
                  <xref section="5.3.2" sectionFormat="comma" target="RFC5280"/> / ITU-T X.509, Section 9.6.2.3</td>
                <td align="left">-</td>
              </tr>
              <tr>
                <td align="left">-</td>
                <td align="left">certificateIssuer</td>
                <td align="left">
                  <xref section="5.3.3" sectionFormat="comma" target="RFC5280"/> / ITU-T X.509, Section 9.6.2.4</td>
                <td align="left">field <tt>issuer</tt> within <tt>PerIssuerRevokedCerts</tt></td>
              </tr>
            </tbody>
          </table>
        </section>
        <section anchor="signaturevalue">
          <name>signatureValue</name>
          <t>Encoded identically to <tt>signatureValue</tt> in C509 certificates (see <xref section="3.1.12" sectionFormat="comma" target="I-D.ietf-cose-cbor-encoded-cert"/>).</t>
        </section>
      </section>
    </section>
    <section anchor="c509ocsp">
      <name>C509 OCSP</name>
      <section anchor="overview-1">
        <name>Overview</name>
        <t>C509 OCSP defines CBOR encodings for OCSP requests and OCSP responses as defined in <xref target="RFC6960"/>.  The encoding follows the same compression principles as C509 CRL and C509 certificates.</t>
        <t>C509 OCSP requests and responses are not wire-format-compatible with DER-encoded OCSP messages as defined in <xref target="RFC6960"/>.  The two formats cannot be mechanically converted to or from each other without semantic interpretation of the contained data.</t>
        <t><tt>C509OCSPRequest</tt> and <tt>C509OCSPResponse</tt> are designed to be extensible.  The first field of every message is <tt>ocspRequestType</tt> or <tt>ocspResponseType</tt>, an unsigned integer that identifies the structure type.  This document defines types 0, 1, and 2.  Future specifications may define additional types by assigning new integer values, enabling new request or response structures to be introduced without modifying the existing types.</t>
      </section>
      <section anchor="cert-identification">
        <name>Identification of Certificates</name>
        <t>To reduce OCSP message size, this document defines two truncated-hash identifier types used to refer to certificates compactly:</t>
        <ul spacing="normal">
          <li>
            <t><tt>HashId8</tt> — the leading 8 bytes of the hash value computed using the enclosing <tt>hashAlgorithm</tt>.  <tt>HashId8</tt> is used to identify issuer certificates and the certificates of OCSP requestors and responders in request and response structures where a short identifier provides sufficient uniqueness in the deployment context.</t>
          </li>
          <li>
            <t><tt>HashId20</tt> — the leading 20 bytes of the hash value computed using the enclosing <tt>hashAlgorithm</tt>. <tt>HashId20</tt> is intended for identifying certificate serial numbers (the <tt>serialNumberHash</tt> field) when higher uniqueness is required to minimize collision risk. When derived from a secure hash (e.g., SHA‑256 or SHA‑3‑256) and treated as a random output, it gives ~2^160 preimage work and ~2^80 collision resistance (birthday bound) for the truncated value. Since the relying party verifies a certificate's signature before querying OCSP, an adversary needs to construct a different certificate that (a) validates under the same issuer chain and (b) has a serial number whose hash truncation equals an existing certificate's <tt>HashId20</tt>. Such a construction is practically infeasible.</t>
          </li>
        </ul>
        <sourcecode type="cddl" name="c509ocsp.cddl"><![CDATA[
HashId8   = bytes .size 8
HashId20  = bytes .size 20
]]></sourcecode>
      </section>
      <section anchor="ocsp-request">
        <name>C509 OCSP Request</name>
        <section anchor="ocsp-req-cddl">
          <name>CDDL</name>
          <figure anchor="fig-OCSPReqCDDL">
            <name>CDDL for C509OCSPRequest</name>
            <sourcecode type="cddl" name="c509ocsp.cddl"><![CDATA[
C509OCSPRequest = C509UnsignedOCSPRequest /
                  C509SignedOCSPRequest /
                  C509SimpleOCSPRequest

C509UnsignedOCSPRequest = [
  ocspRequestType    : 0,
  hashAlgorithm      : IntAlgorithmIdentifier,
  nonce              : bytes / null,
  extensions         : Extensions,
  requests           : PerIssuerOCSPRequests
]

TBSOCSPRequest = (
  ocspRequestType    : 1,
  signatureAlgorithm : IntAlgorithmIdentifier,
  hashAlgorithm      : IntAlgorithmIdentifier,
  nonce              : bytes / null,
  requestorCertHash  : HashId8,
  extensions         : Extensions,
  requests           : PerIssuerOCSPRequests,
  requestorCerts     : COSE_C509 / #6.121(COSE_X509) / null,
)

C509SignedOCSPRequest = [
  TBSOCSPRequest,
  signatureValue     : any,
]

C509SimpleOCSPRequest = [
  ocspRequestType    : 2,
  hashAlgorithm      : IntAlgorithmIdentifier,
  nonce              : bytes / null,
  issuerCertHash     : HashId8,
  serialNumberHash   : HashId20,
  extensions         : Extensions
]

PerIssuerOCSPRequests = [ + PerIssuerOCSPRequest ]

PerIssuerOCSPRequest = (
  issuerCertHash   : HashId8,
  extensions       : Extensions,
  singleRequests   : SingleCertRequests,
)

SingleCertRequests  = [ + SingleCertRequest ]

SingleCertRequest = (
  serialNumberHash : HashId20,
  extensions       : Extensions,
)
]]></sourcecode>
          </figure>
        </section>
        <section anchor="field-encodings">
          <name>Field Encodings</name>
          <section anchor="ocsprequesttype">
            <name>ocspRequestType</name>
            <t>The <tt>ocspRequestType</tt> field serves as the discriminator for <tt>C509OCSPRequest</tt>:</t>
            <table>
              <thead>
                <tr>
                  <th align="center">Value</th>
                  <th align="left">Type</th>
                </tr>
              </thead>
              <tbody>
                <tr>
                  <td align="center">0</td>
                  <td align="left">
                    <tt>C509UnsignedOCSPRequest</tt></td>
                </tr>
                <tr>
                  <td align="center">1</td>
                  <td align="left">
                    <tt>C509SignedOCSPRequest</tt></td>
                </tr>
                <tr>
                  <td align="center">2</td>
                  <td align="left">
                    <tt>C509SimpleOCSPRequest</tt></td>
                </tr>
              </tbody>
            </table>
          </section>
          <section anchor="issuer-hash-id">
            <name>issuerCertHash</name>
            <t>The <tt>issuerCertHash</tt> field appears in <tt>PerIssuerOCSPRequest</tt>, <tt>PerIssuerOCSPResponse</tt>, <tt>C509SimpleOCSPRequest</tt>, and <tt>TBSSimpleOCSPResponse</tt>.  It contains a hash of the issuer certificate:</t>
            <ul spacing="normal">
              <li>
                <t><tt>issuerCertHash</tt>: hash computed over the CBOR-encoded issuer C509 certificate, or over the DER-encoded issuer X.509 certificate (<xref target="X.690"/>).  The hash algorithm is specified by the <tt>hashAlgorithm</tt> field of the enclosing request or response structure.</t>
              </li>
            </ul>
            <t>In X.509 OCSP (<xref section="4.1.1" sectionFormat="comma" target="RFC6960"/>), the <tt>CertID</tt> structure identifies the issuer using two separate hashes: <tt>issuerNameHash</tt> (a hash of the DER-encoded issuer name) and <tt>issuerKeyHash</tt> (a hash of the issuer's public key bit string).  This two-hash approach was designed for interoperability with DER-encoded X.509 structures, but it doubles the per-issuer overhead in the message.  In C509 OCSP, the issuer is identified by a single hash of the issuer certificate (<tt>issuerCertHash</tt>), which is simpler, smaller, and unambiguous.  Implementations that need to cross-reference a C509 <tt>issuerCertHash</tt> with an RFC 6960 DER-encoded <tt>CertID</tt> must recompute the respective hash inputs; the values are not directly comparable.</t>
          </section>
          <section anchor="per-issuer-requests">
            <name>PerIssuerOCSPRequests, PerIssuerOCSPRequest, SingleCertRequests and SingleCertRequest</name>
            <t><tt>PerIssuerOCSPRequests</tt> is a list of <tt>PerIssuerOCSPRequest</tt> entries.  In X.509 OCSP (<xref section="4.1.1" sectionFormat="comma" target="RFC6960"/>), every <tt>Request</tt> entry embeds a full <tt>CertID</tt> containing the issuer identity fields (<tt>hashAlgorithm</tt>, <tt>issuerNameHash</tt>, <tt>issuerKeyHash</tt>) alongside the <tt>serialNumber</tt>.  When multiple certificates from the same issuer are queried in a single request, these issuer fields are repeated verbatim for every entry, wasting space.  <tt>PerIssuerOCSPRequest</tt> solves this by grouping all single-certificate requests for the same issuer under one entry: the <tt>issuerCertHash</tt> field is encoded once and shared across all <tt>SingleCertRequest</tt> entries in the <tt>singleRequests</tt> list, eliminating the per-entry duplication.</t>
            <ul spacing="normal">
              <li>
                <t>The <tt>extensions</tt> field contains per-issuer extensions that apply to all single-certificate requests in this <tt>PerIssuerOCSPRequest</tt> entry; see <xref target="ocsp-per-issuer-extensions"/>.  If no per-issuer extensions are present, this field <bcp14>MUST</bcp14> be encoded as an empty CBOR array.</t>
              </li>
              <li>
                <t>The <tt>singleRequests</tt> field is a list of <tt>SingleCertRequest</tt> entries for certificates from this issuer.</t>
              </li>
            </ul>
            <t>Each <tt>SingleCertRequest</tt> contains:</t>
            <ul spacing="normal">
              <li>
                <t>The <tt>serialNumberHash</tt> field is the truncated hash of the certificate serial number of the target certificate, computed using the <tt>hashAlgorithm</tt> of the enclosing request structure.  The serial number is encoded in big-endian byte order without a leading zero byte (as in C509 certificates) before hashing.  Using a hash rather than the plain serial number preserves the privacy of the requestor: an observer cannot determine which certificate is being queried without already knowing the serial number.</t>
              </li>
              <li>
                <t>The <tt>extensions</tt> field contains extensions for the single request; see <xref target="ocsp-extensions"/>.</t>
              </li>
            </ul>
          </section>
          <section anchor="C509UnsignedOCSPRequest">
            <name>C509UnsignedOCSPRequest</name>
            <ul spacing="normal">
              <li>
                <t>The <tt>ocspRequestType</tt> field <bcp14>MUST</bcp14> be 0, which discriminates <tt>C509UnsignedOCSPRequest</tt> from <tt>C509SignedOCSPRequest</tt>.</t>
              </li>
              <li>
                <t>The <tt>hashAlgorithm</tt> field specifies the hash algorithm used to compute <tt>issuerCertHash</tt> and <tt>serialNumberHash</tt>.  The algorithm is encoded as an integer from the "C509 Hash Algorithms" registry defined in <xref target="hashalg"/>.</t>
              </li>
              <li>
                <t>The <tt>nonce</tt> field contains the request nonce, or <bcp14>MUST</bcp14> be <tt>null</tt> when no nonce is present.</t>
              </li>
              <li>
                <t>The <tt>extensions</tt> field contains request-level extensions; see <xref target="ocsp-extensions"/>.</t>
              </li>
              <li>
                <t>The <tt>requests</tt> field is a list of <tt>PerIssuerOCSPRequest</tt> entries, each grouping target certificates by issuer; see <xref target="per-issuer-requests"/>.</t>
              </li>
            </ul>
          </section>
          <section anchor="c509signedocsprequest">
            <name>C509SignedOCSPRequest</name>
            <ul spacing="normal">
              <li>
                <t>The <tt>ocspRequestType</tt> field <bcp14>MUST</bcp14> be 1, which discriminates <tt>C509SignedOCSPRequest</tt> from <tt>C509UnsignedOCSPRequest</tt>.</t>
              </li>
              <li>
                <t>The <tt>signatureAlgorithm</tt> field specifies the signature algorithm, as defined in <xref section="3.1.11" sectionFormat="comma" target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
              </li>
              <li>
                <t>The <tt>hashAlgorithm</tt> field specifies the hash algorithm used to compute <tt>requestorCertHash</tt>, <tt>issuerCertHash</tt>, and <tt>serialNumberHash</tt>.  The algorithm is encoded as an integer from the "C509 Hash Algorithms" registry defined in <xref target="hashalg"/>.</t>
              </li>
              <li>
                <t>The <tt>nonce</tt> field is as defined for <tt>C509UnsignedOCSPRequest</tt> (<xref target="C509UnsignedOCSPRequest"/>).</t>
              </li>
              <li>
                <t>The <tt>requestorCertHash</tt> field is a hash of the signer's certificate, computed using <tt>hashAlgorithm</tt>. <tt>requestorCerts</tt> <bcp14>MUST</bcp14> carry the corresponding certificate chain so that the receiver can verify the identity of the requestor.</t>
              </li>
              <li>
                <t>The <tt>extensions</tt> field contains request-level extensions; see <xref target="ocsp-extensions"/>.</t>
              </li>
              <li>
                <t>The <tt>requests</tt> field is as defined for <tt>C509UnsignedOCSPRequest</tt> (<xref target="C509UnsignedOCSPRequest"/>).</t>
              </li>
              <li>
                <t>The <tt>requestorCerts</tt> field contains a sorted certificate chain starting with the signer's certificate, or <bcp14>MUST</bcp14> be <tt>null</tt> if no certificates are transported.  When the signer holds a C509 certificate chain, the value is <tt>COSE_C509</tt>.  When the signer holds an X.509 certificate chain, the value is <tt>#6.121(COSE_X509)</tt>, wrapping a <tt>COSE_X509</tt> chain with CBOR tag 121 (alternative 0).</t>
              </li>
              <li>
                <t>The <tt>signatureValue</tt> field is the signature computed over the CBOR Sequence of the <tt>TBSOCSPRequest</tt> group.</t>
              </li>
            </ul>
          </section>
          <section anchor="C509SimpleOCSPRequest">
            <name>C509SimpleOCSPRequest</name>
            <t><tt>C509SimpleOCSPRequest</tt> is a compact request format for querying the status of a single certificate.  Unlike <tt>C509UnsignedOCSPRequest</tt>, which uses a two-level <tt>PerIssuerOCSPRequests</tt> / <tt>SingleCertRequest</tt> grouping to batch multiple serial numbers across one or more issuers, <tt>C509SimpleOCSPRequest</tt> flattens the structure into a single CBOR array for the common case of a one-certificate query.</t>
            <ul spacing="normal">
              <li>
                <t>The <tt>ocspRequestType</tt> field <bcp14>MUST</bcp14> be 2, which discriminates <tt>C509SimpleOCSPRequest</tt> from <tt>C509UnsignedOCSPRequest</tt> and <tt>C509SignedOCSPRequest</tt>.</t>
              </li>
              <li>
                <t>The <tt>nonce</tt> field contains the request nonce, or <bcp14>MUST</bcp14> be <tt>null</tt> when no nonce is present.</t>
              </li>
              <li>
                <t>The <tt>issuerCertHash</tt> field identifies the issuer of the target certificate; see <xref target="issuer-hash-id"/>.</t>
              </li>
              <li>
                <t>The <tt>serialNumberHash</tt> field is the hash of the certificate serial number of the target certificate, computed using the <tt>hashAlgorithm</tt> from <tt>C509SimpleOCSPRequest</tt>.  The serial number is encoded in big-endian byte order without a leading zero byte before hashing.  Using a hash rather than the plain serial number preserves the privacy of the requestor: an observer cannot determine which certificate is being queried without already knowing the serial number.</t>
              </li>
              <li>
                <t>The <tt>extensions</tt> field contains request-level extensions; see <xref target="ocsp-extensions"/>.  If no extensions are present, this field <bcp14>MUST</bcp14> be encoded as an empty CBOR array.</t>
              </li>
            </ul>
          </section>
        </section>
      </section>
      <section anchor="ocsp-response">
        <name>C509 OCSP Response</name>
        <section anchor="ocsp-resp-cddl">
          <name>CDDL</name>
          <figure anchor="fig-OCSPRespCDDL">
            <name>CDDL for C509OCSPResponse</name>
            <sourcecode type="cddl" name="c509ocsp.cddl"><![CDATA[
C509OCSPResponse = C509ErrorOCSPResponse /
                   C509BasicOCSPResponse /
                   C509SimpleOCSPResponse

C509ErrorOCSPResponse = [
  ocspResponseType  : 0,
  responseStatus    : int
]

TBSBasicOCSPResponse = (
  ocspResponseType   : 1,
  signatureAlgorithm : IntAlgorithmIdentifier,
  hashAlgorithm      : IntAlgorithmIdentifier,
  nonce              : bytes / null,
  responderCertHash  : HashId8,
  producedAt         : ~time,
  extensions         : Extensions,
  responses          : PerIssuerOCSPResponses,
  responderCerts     : COSE_C509 / #6.121(COSE_X509) / null,
)

C509BasicOCSPResponse = [
  TBSBasicOCSPResponse,
  signatureValue     : any
]

TBSSimpleOCSPResponse = (
  ocspResponseType   : 2,
  signatureAlgorithm : IntAlgorithmIdentifier,
  hashAlgorithm      : IntAlgorithmIdentifier,
  nonce              : bytes / null,
  responderCertHash  : HashId8,
  issuerCertHash     : HashId8,
  serialNumberHash   : HashId20,
  certStatus         : CertStatus,
  producedAt         : ~time,
  thisUpdate         : nint / 0,
  nextUpdate         : uint / null,
  extensions         : Extensions,
  responderCerts     : COSE_C509 / #6.121(COSE_X509) / null,
)

C509SimpleOCSPResponse = [
  TBSSimpleOCSPResponse,
  signatureValue     : any
]

PerIssuerOCSPResponses = [ + PerIssuerOCSPResponse ]

PerIssuerOCSPResponse = (
  issuerCertHash   : HashId8,
  extensions       : Extensions,
  singleResponses  : SingleCertResponses,
)

SingleCertResponses = [ + SingleCertResponse ]

SingleCertResponse = (
  serialNumberHash : HashId20,
  certStatus       : CertStatus,
  thisUpdate       : nint / 0,
  nextUpdate       : uint / null,
  extensions       : Extensions,
)

CertStatus = 0        ; good
           / 1        ; not-issued (issuer recognized,
                      ;   serial number not issued)
           / 2        ; unknown (issuer not recognized)
           / RevokedInfo

RevokedInfo = [
  revocationTime   : ~time,
  revocationReason : int,
]
]]></sourcecode>
          </figure>
        </section>
        <section anchor="ocsp-resp-fields">
          <name>Field Encodings</name>
          <section anchor="c509errorocspresponse">
            <name>C509ErrorOCSPResponse</name>
            <t>If the OCSP server cannot process the OCSP query, it returns a <tt>C509ErrorOCSPResponse</tt>.  The <tt>ocspResponseType</tt> value <bcp14>MUST</bcp14> be 0, and <tt>responseStatus</tt> has the following enumerated values:</t>
            <table anchor="tab-respstatus">
              <name>responseStatus values</name>
              <thead>
                <tr>
                  <th align="center">int</th>
                  <th align="left">responseStatus</th>
                </tr>
              </thead>
              <tbody>
                <tr>
                  <td align="center">-</td>
                  <td align="left">successful</td>
                </tr>
                <tr>
                  <td align="center">1</td>
                  <td align="left">malformedRequest</td>
                </tr>
                <tr>
                  <td align="center">2</td>
                  <td align="left">internalError</td>
                </tr>
                <tr>
                  <td align="center">3</td>
                  <td align="left">tryLater</td>
                </tr>
                <tr>
                  <td align="center">5</td>
                  <td align="left">sigRequired</td>
                </tr>
                <tr>
                  <td align="center">6</td>
                  <td align="left">unauthorized</td>
                </tr>
              </tbody>
            </table>
          </section>
          <section anchor="c509basicocspresponse">
            <name>C509BasicOCSPResponse</name>
            <t>The <tt>ocspResponseType</tt> field of <tt>C509BasicOCSPResponse</tt> is 1, distinguishing it from <tt>C509ErrorOCSPResponse</tt>.  It corresponds to <tt>BasicOCSPResponse</tt> in <xref target="RFC6960"/>.</t>
            <t><tt>TBSBasicOCSPResponse</tt> is the group of fields to be signed. The <tt>signatureValue</tt> field is the only field outside the signed group.  Covering <tt>signatureAlgorithm</tt> and <tt>responderCerts</tt> within the signed content prevents algorithm-substitution and certificate-chain substitution attacks; this design goes beyond the protections offered by the DER-encoded <tt>BasicOCSPResponse</tt> defined in <xref target="RFC6960"/>.</t>
          </section>
          <section anchor="C509SimpleOCSPResponse">
            <name>C509SimpleOCSPResponse</name>
            <t><tt>C509SimpleOCSPResponse</tt> is a compact signed response for a single-certificate status query.  It is the response counterpart to <tt>C509SimpleOCSPRequest</tt> (see <xref target="C509SimpleOCSPRequest"/>).  Unlike <tt>C509BasicOCSPResponse</tt>, which uses a two-level <tt>PerIssuerOCSPResponses</tt> / <tt>SingleCertResponse</tt> grouping to carry status for multiple certificates across one or more issuers, <tt>C509SimpleOCSPResponse</tt> flattens the structure into a single signed CBOR array for the common case of a one-certificate response.</t>
            <t><tt>TBSSimpleOCSPResponse</tt> is the group of fields to be signed.  The <tt>signatureValue</tt> field is the only field outside the signed group.  Covering <tt>signatureAlgorithm</tt>, <tt>responderCertHash</tt>, and <tt>responderCerts</tt> within the signed content prevents algorithm-substitution and certificate-chain substitution attacks.</t>
            <ul spacing="normal">
              <li>
                <t>The <tt>ocspResponseType</tt> field <bcp14>MUST</bcp14> be 2, which discriminates <tt>C509SimpleOCSPResponse</tt> from <tt>C509ErrorOCSPResponse</tt> and <tt>C509BasicOCSPResponse</tt>.</t>
              </li>
              <li>
                <t>The <tt>signatureAlgorithm</tt> field specifies the signature algorithm, as defined in <xref section="3.1.11" sectionFormat="comma" target="I-D.ietf-cose-cbor-encoded-cert"/>.  It is part of <tt>TBSSimpleOCSPResponse</tt> and is therefore covered by the signature.</t>
              </li>
              <li>
                <t>The <tt>hashAlgorithm</tt> field specifies the hash algorithm used to compute <tt>responderCertHash</tt>, <tt>issuerCertHash</tt>, and <tt>serialNumberHash</tt>.  The algorithm is encoded as an integer from the "C509 Hash Algorithms" registry defined in <xref target="hashalg"/>.</t>
              </li>
              <li>
                <t>The <tt>responderCertHash</tt> field identifies the OCSP responder; see <xref target="responderCertHash"/>.</t>
              </li>
              <li>
                <t>The <tt>nonce</tt> field contains the request nonce, or <bcp14>MUST</bcp14> be <tt>null</tt> when no nonce is present.  If present, it <bcp14>MUST</bcp14> have the same value as the <tt>nonce</tt> in the corresponding <tt>C509SimpleOCSPRequest</tt>.</t>
              </li>
              <li>
                <t>The <tt>issuerCertHash</tt> field identifies the issuer of the queried certificate; see <xref target="issuer-hash-id"/>.</t>
              </li>
              <li>
                <t>The <tt>serialNumberHash</tt> field is the hash of the certificate serial number of the queried certificate, computed using <tt>hashAlgorithm</tt>.  The serial number is encoded in big-endian byte order without a leading zero byte before hashing; see <xref target="serialNumberHash-section"/>.</t>
              </li>
              <li>
                <t>The <tt>producedAt</tt> field is the time at which this response was produced, encoded as described in <xref target="time-encoding"/>.</t>
              </li>
              <li>
                <t>The <tt>thisUpdate</tt> field is encoded as a non-positive integer (<tt>nint / 0</tt>) representing the number of seconds from <tt>producedAt</tt> at which the indicated status is known to be correct.  It <bcp14>MUST</bcp14> be 0 or negative, since the status cannot be known at a time in the future relative to the time the response was produced.</t>
              </li>
              <li>
                <t>The <tt>nextUpdate</tt> field is encoded as a <tt>uint</tt> representing the number of seconds from <tt>producedAt</tt> until the next response update is expected, or <tt>null</tt> if the update time is unknown.</t>
              </li>
              <li>
                <t>The <tt>certStatus</tt> field encodes the revocation status; see <xref target="SingleCertResponse"/>.</t>
              </li>
              <li>
                <t>The <tt>extensions</tt> field contains response-level extensions; see <xref target="ocsp-extensions"/>.  If no extensions are present, this field <bcp14>MUST</bcp14> be encoded as an empty CBOR array.</t>
              </li>
              <li>
                <t>The <tt>responderCerts</tt> field carries the certificate chain starting with the responder certificate identified by <tt>responderCertHash</tt>; see <xref target="responderCerts"/>.</t>
              </li>
              <li>
                <t>The <tt>signatureValue</tt> field is the signature computed over the CBOR Sequence of the <tt>TBSSimpleOCSPResponse</tt> group.</t>
              </li>
            </ul>
          </section>
          <section anchor="nonce">
            <name>nonce</name>
            <t>If present, this field <bcp14>MUST</bcp14> have the same value as the <tt>nonce</tt> in the corresponding request.</t>
          </section>
          <section anchor="responderCertHash">
            <name>responderCertHash</name>
            <t><tt>responderCertHash</tt> is a truncated hash over the responder's certificate, computed using the same <tt>hashAlgorithm</tt> as <tt>issuerCertHash</tt>.  In X.509 OCSP (<xref target="RFC6960"/>), the responder is identified by a <tt>ResponderID</tt> CHOICE that carries either a distinguished name or a public-key hash.  C509 OCSP replaces this with a single hash over the entire responder certificate, which is consistent with the <tt>issuerCertHash</tt> design for issuer identification.</t>
          </section>
          <section anchor="responderCerts">
            <name>responderCerts</name>
            <t>When present, the <tt>responderCerts</tt> field carries the certificate chain starting with the responder certificate identified by <tt>responderCertHash</tt>.  When the responder holds a C509 certificate chain, the value is <tt>COSE_C509</tt>.  When the responder holds an X.509 certificate chain, the value is <tt>#6.121(COSE_X509)</tt>, wrapping a <tt>COSE_X509</tt> chain with CBOR tag 121 (alternative 0).  The field is part of <tt>TBSBasicOCSPResponse</tt> and is therefore covered by the signature, which prevents certificate-chain substitution attacks.</t>
          </section>
          <section anchor="signaturealgorithm-and-signaturevalue">
            <name>signatureAlgorithm and signatureValue</name>
            <ul spacing="normal">
              <li>
                <t><tt>signatureAlgorithm</tt>: the signature algorithm used to compute <tt>signatureValue</tt>, as defined in <xref section="3.1.11" sectionFormat="comma" target="I-D.ietf-cose-cbor-encoded-cert"/>.  It is part of the <tt>TBSBasicOCSPResponse</tt> group and is therefore covered by the signature.</t>
              </li>
              <li>
                <t><tt>signatureValue</tt>: the signature computed over the CBOR Sequence of the <tt>TBSBasicOCSPResponse</tt> group.</t>
              </li>
            </ul>
          </section>
          <section anchor="producedat-thisupdate-nextupdate">
            <name>producedAt, thisUpdate, nextUpdate</name>
            <t>The <tt>producedAt</tt> field is encoded as described in <xref target="time-encoding"/>.  The <tt>thisUpdate</tt> field is encoded as a non-positive integer (<tt>nint / 0</tt>) representing the number of seconds from <tt>producedAt</tt> at which the indicated status is known to be correct; it <bcp14>MUST</bcp14> be 0 or negative, since the status cannot be known at a time in the future relative to when the response was produced.  The <tt>nextUpdate</tt> field is encoded as a <tt>uint</tt> representing the number of seconds from <tt>producedAt</tt> until the next update is expected to be available.  <tt>nextUpdate</tt> may be <tt>null</tt>, which indicates an unknown update time.</t>
          </section>
          <section anchor="extensions">
            <name>extensions</name>
            <t>See <xref target="ocsp-extensions"/>.</t>
          </section>
          <section anchor="perissuerocspresponses-and-perissuerocspresponse">
            <name>PerIssuerOCSPResponses and PerIssuerOCSPResponse</name>
            <t><tt>PerIssuerOCSPResponses</tt> is a list of <tt>PerIssuerOCSPResponse</tt> entries.  For the same reason as on the request side (see <xref target="per-issuer-requests"/>), the <tt>issuerCertHash</tt> field is encoded once per issuer and shared across all <tt>SingleCertResponse</tt> entries in the <tt>singleResponses</tt> list, avoiding the per-entry repetition that would occur if the issuer identity were embedded in every individual response entry.  <tt>PerIssuerOCSPResponse</tt> groups single responses for certificates issued by the same issuer; the issuer is identified by <tt>issuerCertHash</tt> (see <xref target="issuer-hash-id"/>).</t>
            <ul spacing="normal">
              <li>
                <t>The <tt>extensions</tt> field contains per-issuer extensions that apply to all single-certificate responses in this <tt>PerIssuerOCSPResponse</tt> entry; see <xref target="ocsp-per-issuer-extensions"/>.  If no per-issuer extensions are present, this field <bcp14>MUST</bcp14> be encoded as an empty CBOR array.</t>
              </li>
              <li>
                <t>The <tt>singleResponses</tt> field contains one <tt>SingleCertResponse</tt> for each queried certificate issued by that issuer.</t>
              </li>
            </ul>
          </section>
          <section anchor="SingleCertResponse">
            <name>SingleCertResponse</name>
            <section anchor="serialNumberHash-section">
              <name>serialNumberHash</name>
              <t>This field contains the truncated hash of the serial number of the certificate being queried.  It is computed using the <tt>hashAlgorithm</tt> from the enclosing <tt>TBSBasicOCSPResponse</tt> and contains the first 20 bytes.  The serial number is encoded in big-endian byte order without a leading zero byte before hashing.  In X.509, a <tt>CertificateSerialNumber</tt> INTEGER is DER-encoded with a leading zero byte when the most-significant bit is set; that leading zero <bcp14>MUST</bcp14> be stripped before computing the hash.  In X.509 OCSP (<xref section="4.1.1" sectionFormat="comma" target="RFC6960"/>), the <tt>CertID</tt> structure carries the plain <tt>serialNumber</tt> directly.  C509 OCSP replaces this with a hash to preserve privacy: an observer cannot determine which certificate was queried without already knowing the serial number.</t>
            </section>
            <section anchor="extensions-1">
              <name>extensions</name>
              <t>See <xref target="ocsp-extensions"/>.</t>
            </section>
            <section anchor="certstatus">
              <name>certStatus</name>
              <t><tt>CertStatus</tt> is encoded either as an integer (for <tt>good</tt>, <tt>not-issued</tt>, and <tt>unknown</tt>) or as a <tt>RevokedInfo</tt> array:</t>
              <ul spacing="normal">
                <li>
                  <t>0: <tt>good</tt> -- the certificate is not revoked.</t>
                </li>
                <li>
                  <t>1: <tt>not-issued</tt> -- the issuer is recognized but the serial number is unknown.</t>
                </li>
                <li>
                  <t>2: <tt>unknown</tt> -- the responder does not recognize the issuer identified by <tt>issuerCertHash</tt>.</t>
                </li>
                <li>
                  <t><tt>RevokedInfo</tt>: <tt>revoked</tt> -- a fixed-length 2-element array carrying <tt>revocationTime</tt> and <tt>revocationReason</tt>.  The <tt>revocationReason</tt> field is encoded as specified in <xref target="reasoncode-encoding"/>.  When the revocation reason is not known, <tt>revocationReason</tt> <bcp14>MUST</bcp14> be set to 0 (unspecified).</t>
                </li>
              </ul>
              <t>The integer values are chosen to align with the ASN.1 IMPLICIT tag numbers of <tt>CertStatus</tt> in <xref target="RFC6960"/>: <tt>good</tt> uses [0] (value 0) and <tt>unknown</tt> uses [2] (value 2).  The ASN.1 <tt>revoked</tt> alternative uses [1]; since C509 represents the revoked status as the explicit <tt>RevokedInfo</tt> array, the integer value 1 becomes available.  It is assigned to the <tt>not-issued</tt> status, which was introduced in <xref section="4.4.8" sectionFormat="comma" target="RFC6960"/> to distinguish unrecognized serial numbers from unrecognized issuers, thereby maintaining a contiguous integer range for the non-revoked statuses.</t>
            </section>
          </section>
          <section anchor="ocsp-per-issuer-extensions">
            <name>Per-Issuer OCSP Extensions</name>
            <t><tt>PerIssuerOCSPRequest.extensions</tt> and <tt>PerIssuerOCSPResponse.extensions</tt> carry per-issuer extensions.  Only the <tt>(extensionID: int, extensionValue: Defined)</tt> choice of <tt>Extensions</tt> is permitted.  If no per-issuer extensions are present, the field <bcp14>MUST</bcp14> be encoded as an empty CBOR array <tt>[]</tt>.</t>
            <t><xref target="tab-perIssuerOCSPExt"/> lists the per-issuer extensions defined in this document.</t>
            <table anchor="tab-perIssuerOCSPExt">
              <name>Per-issuer OCSP extensions</name>
              <thead>
                <tr>
                  <th align="center">Code</th>
                  <th align="left">Extension</th>
                  <th align="left">Applied in</th>
                  <th align="left">Comments</th>
                </tr>
              </thead>
              <tbody>
                <tr>
                  <td align="center">(none defined)</td>
                  <td align="left"> </td>
                  <td align="left"> </td>
                  <td align="left"> </td>
                </tr>
              </tbody>
            </table>
          </section>
          <section anchor="ocsp-extensions">
            <name>OCSP Extensions</name>
            <t><xref target="tab-ocspext"/> describes the OCSP extensions defined in <xref target="RFC6960"/> and their mapping in this document.</t>
            <table anchor="tab-ocspext">
              <name>OCSP extensions defined in RFC 6960</name>
              <thead>
                <tr>
                  <th align="center">Code</th>
                  <th align="left">Extension</th>
                  <th align="left">RFC Reference</th>
                  <th align="left">Applied in</th>
                  <th align="left">Replaced in this document</th>
                </tr>
              </thead>
              <tbody>
                <tr>
                  <td align="center">-</td>
                  <td align="left">nonce</td>
                  <td align="left">
                    <xref section="4.4.1" sectionFormat="comma" target="RFC6960"/></td>
                  <td align="left">Request Extension, Response Extension</td>
                  <td align="left">field <tt>nonce</tt></td>
                </tr>
                <tr>
                  <td align="center">-</td>
                  <td align="left">CRL References</td>
                  <td align="left">
                    <xref section="4.4.2" sectionFormat="comma" target="RFC6960"/></td>
                  <td align="left">Single Response Extension</td>
                  <td align="left">-</td>
                </tr>
                <tr>
                  <td align="center">TBD2</td>
                  <td align="left">Acceptable Response Types</td>
                  <td align="left">
                    <xref section="4.4.3" sectionFormat="comma" target="RFC6960"/></td>
                  <td align="left">Request Extension</td>
                  <td align="left">-</td>
                </tr>
                <tr>
                  <td align="center">-</td>
                  <td align="left">Archive Cutoff</td>
                  <td align="left">
                    <xref section="4.4.4" sectionFormat="comma" target="RFC6960"/></td>
                  <td align="left">Response Extension</td>
                  <td align="left">-</td>
                </tr>
                <tr>
                  <td align="center">-</td>
                  <td align="left">Service Locator</td>
                  <td align="left">
                    <xref section="4.4.5" sectionFormat="comma" target="RFC6960"/></td>
                  <td align="left">Request Extension</td>
                  <td align="left">-</td>
                </tr>
                <tr>
                  <td align="center">TBD3</td>
                  <td align="left">Preferred Signature Algorithms</td>
                  <td align="left">
                    <xref section="4.4.7" sectionFormat="comma" target="RFC6960"/></td>
                  <td align="left">Request Extension</td>
                  <td align="left">-</td>
                </tr>
                <tr>
                  <td align="center">-</td>
                  <td align="left">Extended Revoked Definition</td>
                  <td align="left">
                    <xref section="4.4.8" sectionFormat="comma" target="RFC6960"/></td>
                  <td align="left">Response Extension</td>
                  <td align="left">cert status <tt>not-issued</tt> (for serial numbers not issued by a recognized issuer) and <tt>unknown</tt> (for unrecognized issuers)</td>
                </tr>
                <tr>
                  <td align="center">TBD6</td>
                  <td align="left">TN Query</td>
                  <td align="left">
                    <xref target="I-D.ietf-stir-certificates-ocsp"/></td>
                  <td align="left">Single Request Extension</td>
                  <td align="left">-</td>
                </tr>
              </tbody>
            </table>
            <t>This document defines the following extension values:</t>
            <ul spacing="normal">
              <li>
                <t>Acceptable Response Types: The extension value <bcp14>MUST</bcp14> be encoded as follows.</t>
              </li>
            </ul>
            <sourcecode type="cddl" name="c509ocsp.cddl"><![CDATA[
AcceptableResponseTypes = [ + int]
]]></sourcecode>
            <t>The integers in <tt>AcceptableResponseTypes</tt> form a sorted list of preferred <tt>C509OCSPResponse</tt> types, in descending order of preference, that the requestor is willing to accept.  This document defines types 0 (<tt>C509ErrorOCSPResponse</tt>), 1 (<tt>C509BasicOCSPResponse</tt>), and 2 (<tt>C509SimpleOCSPResponse</tt>).  Type 0 (<tt>C509ErrorOCSPResponse</tt>) is always implicitly supported and does not need to be listed.  When this extension is absent, an OCSP server responding to a <tt>C509UnsignedOCSPRequest</tt> or <tt>C509SignedOCSPRequest</tt> <bcp14>MUST</bcp14> reply with a <tt>C509BasicOCSPResponse</tt> (type 1); an OCSP server responding to a <tt>C509SimpleOCSPRequest</tt> <bcp14>MUST</bcp14> reply with a <tt>C509SimpleOCSPResponse</tt> (type 2).  If <tt>AcceptableResponseTypes</tt> contains type 2 but not type 1, and the corresponding request contains entries for two or more certificates, the server <bcp14>SHALL</bcp14> return a <tt>C509ErrorOCSPResponse</tt> with <tt>responseStatus</tt> set to <tt>malformedRequest</tt> (1), since <tt>C509SimpleOCSPResponse</tt> can only carry status for a single certificate.</t>
            <ul spacing="normal">
              <li>
                <t>Preferred Signature Algorithms: The extension value <bcp14>MUST</bcp14> be encoded as follows.</t>
              </li>
            </ul>
            <sourcecode type="cddl" name="c509ocsp.cddl"><![CDATA[
PreferredSignatureAlgorithm = (
  sigIdentifier        : IntAlgorithmIdentifier,
  pubKeyAlgIdentifiers : [ 2* IntAlgorithmIdentifier ]
                         / IntAlgorithmIdentifier
                         / null,
)

IntAlgorithmIdentifier = int

PreferredSignatureAlgorithms = [ + PreferredSignatureAlgorithm ]
]]></sourcecode>
            <t>The <tt>sigIdentifier</tt> field carries the signature algorithm identifier.  The <tt>pubKeyAlgIdentifiers</tt> field carries the public key algorithm identifier and <bcp14>MUST</bcp14> be one of:</t>
            <ul spacing="normal">
              <li>
                <t>a CBOR array of two or more <tt>IntAlgorithmIdentifier</tt> values, sorted in descending order of preference, when the responder is willing to accept any of the listed public key algorithms as a match for this signature algorithm preference (e.g., to express hybrid or multi-algorithm key policies); the first entry in the array represents the most preferred public key algorithm,</t>
              </li>
              <li>
                <t>a single <tt>IntAlgorithmIdentifier</tt> value, when exactly one public key algorithm is acceptable, or</t>
              </li>
              <li>
                <t><tt>null</tt>, when the public key algorithm is unconstrained or implied by <tt>sigIdentifier</tt>.</t>
              </li>
            </ul>
            <t><tt>PreferredSignatureAlgorithms</tt> <bcp14>MUST</bcp14> be sorted in descending order of preference; the first entry represents the most preferred algorithm combination.</t>
            <ul spacing="normal">
              <li>
                <t>TN Query: The extension value <bcp14>MUST</bcp14> be encoded as follows.</t>
              </li>
            </ul>
            <sourcecode type="cddl" name="c509ocsp.cddl"><![CDATA[
TNQuery = text .size (1..15)
]]></sourcecode>
            <t>The <tt>TNQuery</tt> extension carries a telephone number string conforming to the TelephoneNumber ASN.1 type (<xref section="3" sectionFormat="comma" target="RFC8226"/>).  When included in single request extensions, it specifies the telephone number for which the OCSP query is being performed (typically the number from the "orig" field of a PASSporT being validated).</t>
            <t>Clients <bcp14>MUST</bcp14> include this extension in the single-request extensions per <xref target="I-D.ietf-stir-certificates-ocsp"/>.</t>
          </section>
        </section>
      </section>
      <section anchor="cert-type-interop">
        <name>Certificate Type Interoperability</name>
        <t>C509 OCSP uses a single set of request and response structures that handles both C509 and X.509 certificates without modification.  All participants -- requestor, responder, and issuer -- are identified by a hash over their certificate rather than by type-specific fields such as a Subject distinguished name, SubjectKeyIdentifier, or the X.509 <tt>ResponderID</tt> CHOICE (<tt>byName</tt> or <tt>byKey</tt>).  Because a hash applies uniformly regardless of the certificate encoding, the same OCSP structures accommodate C509 certificates (CBOR-encoded), X.509 certificates (DER-encoded), and any future certificate types.</t>
        <t>The only per-type differences are in how identity hashes are computed and how certificate chains are carried:</t>
        <table anchor="tab-certtypeinterop">
          <name>Per-type differences in C509 OCSP identity fields</name>
          <thead>
            <tr>
              <th align="left">Field</th>
              <th align="left">C509 certificate</th>
              <th align="left">X.509 certificate</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>issuerCertHash</tt></td>
              <td align="left">Hash of CBOR-encoded <tt>C509Certificate</tt></td>
              <td align="left">Hash of DER-encoded X.509 certificate</td>
            </tr>
            <tr>
              <td align="left">
                <tt>requestorCertHash</tt></td>
              <td align="left">Hash of CBOR-encoded <tt>C509Certificate</tt></td>
              <td align="left">Hash of DER-encoded X.509 certificate</td>
            </tr>
            <tr>
              <td align="left">
                <tt>responderCertHash</tt></td>
              <td align="left">Hash of CBOR-encoded <tt>C509Certificate</tt></td>
              <td align="left">Hash of DER-encoded X.509 certificate</td>
            </tr>
            <tr>
              <td align="left">
                <tt>requestorCerts</tt> / <tt>responderCerts</tt></td>
              <td align="left">
                <tt>COSE_C509</tt></td>
              <td align="left">
                <tt>#6.121(COSE_X509)</tt></td>
            </tr>
          </tbody>
        </table>
        <t>In a hybrid deployment where the responder holds an X.509 certificate, <tt>responderCertHash</tt> contains the hash of the DER-encoded X.509 certificate and <tt>responderCerts</tt> carries a <tt>#6.121(COSE_X509)</tt> chain.  In a deployment using C509 certificates throughout, all identity hashes are computed over CBOR-encoded certificates and certificate chains are carried as <tt>COSE_C509</tt>.  The <tt>hashAlgorithm</tt> field at the top level of each request or response structure governs all hashes within that structure.</t>
      </section>
      <section anchor="ocsp-stapling-in-tls">
        <name>OCSP Stapling in TLS</name>
        <t>In standard TLS certificate status stapling (see the <tt>status_request</tt> extension, <xref section="4.4.2.1" sectionFormat="comma" target="RFC8446"/>), the stapled OCSP response is a DER-encoded <tt>OCSPResponse</tt>.  To allow C509 OCSP stapling, this document defines a new TLS <tt>CertificateStatusType</tt> value <xref section="8" sectionFormat="comma" target="RFC6066"/>:</t>
        <table anchor="tab-tlsstaple">
          <name>TLS CertificateStatusType for C509 OCSP</name>
          <thead>
            <tr>
              <th align="center">Value</th>
              <th align="left">Name</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">TBD1</td>
              <td align="left">c509_ocsp</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
        <t>When <tt>CertificateStatusType</tt> is <tt>c509_ocsp</tt>, the <tt>status</tt> field contains a CBOR-encoded <tt>C509OCSPResponse</tt> instead of a DER-encoded <tt>OCSPResponse</tt>.</t>
      </section>
    </section>
    <section anchor="hashalg">
      <name>C509 Hash Algorithms</name>
      <t>This document defines the following hash algorithms.</t>
      <figure anchor="tab-hash-alg">
        <name>C509 Hash Algorithms</name>
        <artwork><![CDATA[
+-------+----------------------------------------------------------+
| Value | Hash Algorithm                                           |
+=======+==========================================================+
|   0   | Name:        SHA-256                                     |
|       | Identifiers: id-sha256                                   |
|       | OID:         2.16.840.1.101.3.4.2.1                      |
|       | Parameters:  absent                                      |
|       | DER:         60 86 48 01 65 03 04 02 01                  |
|       | Comments:                                                |
+-------+----------------------------------------------------------+
|   1   | Name:        SHA-384                                     |
|       | Identifiers: id-sha384                                   |
|       | OID:         2.16.840.1.101.3.4.2.2                      |
|       | Parameters:  absent                                      |
|       | DER:         60 86 48 01 65 03 04 02 02                  |
|       | Comments:                                                |
+-------+----------------------------------------------------------+
|   2   | Name:        SHA-512                                     |
|       | Identifiers: id-sha512                                   |
|       | OID:         2.16.840.1.101.3.4.2.3                      |
|       | Parameters:  absent                                      |
|       | DER:         60 86 48 01 65 03 04 02 03                  |
|       | Comments:                                                |
+-------+----------------------------------------------------------+
|   3   | Name:        SHA-224                                     |
|       | Identifiers: id-sha224                                   |
|       | OID:         2.16.840.1.101.3.4.2.4                      |
|       | Parameters:  absent                                      |
|       | DER:         60 86 48 01 65 03 04 02 04                  |
|       | Comments:                                                |
+-------+----------------------------------------------------------+
|   4   | Name:        SM3                                         |
|       | Identifiers: id-sm3                                      |
|       | OID:         1.2.156.10197.1.401                         |
|       | Parameters:  absent                                      |
|       | DER:         06 08 2A 81 1C 84 8E 35 01 04 01            |
|       | Comments:                                                |
+-------+----------------------------------------------------------+
|   5   | Name:        SHA3-256                                    |
|       | Identifiers: id-sha3-256                                 |
|       | OID:         2.16.840.1.101.3.4.2.8                      |
|       | Parameters:  absent                                      |
|       | DER:         60 86 48 01 65 03 04 02 08                  |
|       | Comments:                                                |
+-------+----------------------------------------------------------+
|   6   | Name:        SHA3-384                                    |
|       | Identifiers: id-sha3-384                                 |
|       | OID:         2.16.840.1.101.3.4.2.9                      |
|       | Parameters:  absent                                      |
|       | DER:         60 86 48 01 65 03 04 02 09                  |
|       | Comments:                                                |
+-------+----------------------------------------------------------+
|   7   | Name:        SHA3-512                                    |
|       | Identifiers: id-sha3-512                                 |
|       | OID:         2.16.840.1.101.3.4.2.10                     |
|       | Parameters:  absent                                      |
|       | DER:         60 86 48 01 65 03 04 02 0A                  |
|       | Comments:                                                |
+-------+----------------------------------------------------------+
|   8   | Name:        SHA3-224                                    |
|       | Identifiers: id-sha3-224                                 |
|       | OID:         2.16.840.1.101.3.4.2.7                      |
|       | Parameters:  absent                                      |
|       | DER:         60 86 48 01 65 03 04 02 07                  |
|       | Comments:                                                |
+-------+----------------------------------------------------------+
|   9   | Name:        SHAKE128                                    |
|       | Identifiers: id-shake128                                 |
|       | OID:         2.16.840.1.101.3.4.2.11                     |
|       | Parameters:  absent                                      |
|       | DER:         60 86 48 01 65 03 04 02 0B                  |
|       | Comments:                                                |
+-------+----------------------------------------------------------+
|   10  | Name:        SHAKE256                                    |
|       | Identifiers: id-shake256                                 |
|       | OID:         2.16.840.1.101.3.4.2.12                     |
|       | Parameters:  absent                                      |
|       | DER:         60 86 48 01 65 03 04 02 0C                  |
|       | Comments:                                                |
+-------+----------------------------------------------------------+
]]></artwork>
      </figure>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <t>TODO</t>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This document has the following actions for IANA.</t>
      <t>Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.</t>
      <section anchor="extension-identifiers-registry">
        <name>Extension Identifiers Registry</name>
        <t>IANA is requested to assign the new values shown in <xref target="tab-extensions-iana"/> in the "C509 Extensions" registry under the new registry group "CBOR Encoded X.509 (C509)" defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
        <figure anchor="tab-extensions-iana">
          <name>C509 extension identifier allocation requests</name>
          <artwork><![CDATA[
+-------+----------------------------------------------------------+
| Value | Extension                                                |
+=======+==========================================================+
| TBD2  | Name:            Acceptable Response Types               |
|       | Identifiers:     id-pkix-ocsp-response                   |
|       | OID:             1.3.6.1.5.5.7.48.1.4                    |
|       | DER:             06 09 2B 06 01 05 05 07 30 01 04        |
|       | Comments:        RFC 6960                                |
|       | extensionValue:  AcceptableResponseTypes                 |
+-------+----------------------------------------------------------+
| TBD3  | Name:            Preferred Signature Algorithms          |
|       | Identifiers:     id-pkix-ocsp-pref-sig-algs              |
|       | OID:             1.3.6.1.5.5.7.48.1.8                    |
|       | DER:             06 09 2B 06 01 05 05 07 30 01 08        |
|       | Comments:        RFC 6960                                |
|       | extensionValue:  PreferredSignatureAlgorithms            |
+-------+----------------------------------------------------------+
| TBD4  | Name:            Expired Certificates on CRL             |
|       | Identifiers:     id-ce-expiredCertsOnCRL                 |
|       | OID:             2.5.29.60                               |
|       | DER:             06 03 55 1D 3C                          |
|       | Comments:        ITU-T X.509, Section 9.5.2.8            |
|       | extensionValue:  ExpiredCertsOnCRL                       |
+-------+----------------------------------------------------------+
| TBD6  | Name:            TN Query                                |
|       | Identifiers:     id-pkix-ocsp-stir-tn                    |
|       | OID:             1.3.6.1.5.5.7.48.1.10                   |
|       | DER:             06 09 2B 06 01 05 05 07 30 01 0A        |
|       | Comments:        draft-ietf-stir-certificates-ocsp       |
|       | extensionValue:  TNQuery                                 |
+-------+----------------------------------------------------------+
]]></artwork>
        </figure>
      </section>
      <section anchor="iana-hash-alg">
        <name>C509 Hash Algorithms Registry</name>
        <t>IANA is requested to create a new registry "C509 Hash Algorithms" under the registry group "CBOR Encoded X.509 (C509)" defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
        <t>The registration policy is either "Private Use", "IETF Review with Expert Review", or "Expert Review" per <xref section="4.5" sectionFormat="comma" target="RFC8126"/>. "Expert Review" guidelines are provided in <xref target="expert-review-guidelines"/>.</t>
        <t>All assignments according to "IETF Review with Expert Review" are made on an "IETF Review" basis per <xref section="4.8" sectionFormat="comma" target="RFC8126"/>, with Expert Review additionally required per <xref section="4.5" sectionFormat="comma" target="RFC8126"/>. The procedure for early IANA allocation of Standards Track code points defined in <xref target="RFC7120"/> also applies. When such a procedure is used, IANA will ask the designated expert(s) to approve the early allocation before registration. In addition, WG chairs are encouraged to consult the expert(s) early during the process outlined in <xref section="3.1" sectionFormat="comma" target="RFC7120"/>.</t>
        <t>The columns of this registry are:</t>
        <ul spacing="normal">
          <li>
            <t>Value: This field contains the value used to identify the C509 hash algorithm. These values <bcp14>MUST</bcp14> be unique. The value can be a positive integer or a negative integer. Different ranges of values use different registration policies <xref target="RFC8126"/>. Integer values from -24 to 23 are designated as "IETF Review with Expert Review". Integer values greater than 32767 are marked as "Private Use". All other integer values are designated as "Expert Review". This field <bcp14>MUST NOT</bcp14> be empty.</t>
          </li>
          <li>
            <t>Name: This field contains the name of the C509 hash algorithm. This field <bcp14>MUST NOT</bcp14> be empty.</t>
          </li>
          <li>
            <t>Identifiers: This field contains additional identifiers of the C509 hash algorithm, if any is available.</t>
          </li>
          <li>
            <t>OID: This field contains the OID corresponding to the C509 hash algorithm. This field <bcp14>MUST NOT</bcp14> be empty.</t>
          </li>
          <li>
            <t>Parameters: This field contains the parameters of the C509 hash algorithm. This field <bcp14>MUST NOT</bcp14> be empty. If the C509 hash algorithm has no parameters, this field contains the string "absent".</t>
          </li>
          <li>
            <t>DER: This field contains the DER encoding of the ASN.1 value of type DigestInfo for the C509 hash algorithm. This field <bcp14>MUST NOT</bcp14> be empty.</t>
          </li>
          <li>
            <t>Comments: This field contains any optional comment about the C509 hash algorithm.</t>
          </li>
          <li>
            <t>Reference: This field contains a pointer to the public specification for the C509 hash algorithm, if one is available.</t>
          </li>
        </ul>
        <t>This registry has been initially populated with the entries defined in <xref target="hashalg"/>.</t>
      </section>
      <section anchor="tls-certificatestatustype-registry">
        <name>TLS CertificateStatusType Registry</name>
        <t>IANA is requested to assign the value shown in <xref target="tab-tls-certstatus-iana"/> in the "TLS Certificate Status Types" registry under "Transport Layer Security (TLS) Extensions":</t>
        <table anchor="tab-tls-certstatus-iana">
          <name>TLS CertificateStatusType allocation request</name>
          <thead>
            <tr>
              <th align="center">Value</th>
              <th align="left">Description</th>
              <th align="left">Reference</th>
              <th align="left">Comment</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">TBD1</td>
              <td align="left">c509_ocsp</td>
              <td align="left">This document</td>
              <td align="left">N/A</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="media-type-application-registry">
        <name>Media Type Application Registry</name>
        <t>IANA is requested to assign the following entries into the "application" registry in the registry group "Media Types" with this document as reference.</t>
        <section anchor="media-type-applicationc509-crlcbor">
          <name>Media Type application/c509-crl+cbor</name>
          <t>When the application/c509-crl+cbor media type is used, the data is a C509CRL structure.</t>
          <t>Subtype name: c509-crl+cbor</t>
          <t>Required parameters: N/A</t>
          <t>Encoding considerations: binary</t>
          <t>Security considerations: See <xref target="security"/> of [RFC-XXXX].</t>
          <t>Interoperability considerations: N/A</t>
          <t>Published specification: [RFC-XXXX]</t>
          <t>Applications that use this media type: Any MIME-compliant transport</t>
          <t>Fragment identifier considerations: N/A</t>
          <t>Additional information:</t>
          <ul spacing="normal">
            <li>
              <t>Deprecated alias names for this type: N/A</t>
            </li>
            <li>
              <t>Magic number(s): N/A</t>
            </li>
            <li>
              <t>File extension(s): .c509</t>
            </li>
            <li>
              <t>Macintosh file type code(s): N/A</t>
            </li>
          </ul>
          <t>Person &amp; email address to contact for further information: iesg@ietf.org</t>
          <t>Intended usage: COMMON</t>
          <t>Restrictions on usage: N/A</t>
          <t>Author: COSE WG</t>
          <t>Change controller: IETF</t>
        </section>
        <section anchor="media-type-applicationc509-crlinfocbor">
          <name>Media Type application/c509-crlinfo+cbor</name>
          <t>When the application/c509-crlinfo+cbor media type is used, the data is a C509CRLInfo structure.</t>
          <t>Subtype name: c509-crlinfo+cbor</t>
          <t>Required parameters: N/A</t>
          <t>Encoding considerations: binary</t>
          <t>Security considerations: See <xref target="security"/> of [RFC-XXXX].</t>
          <t>Interoperability considerations: N/A</t>
          <t>Published specification: [RFC-XXXX]</t>
          <t>Applications that use this media type: Any MIME-compliant transport</t>
          <t>Fragment identifier considerations: N/A</t>
          <t>Additional information:</t>
          <ul spacing="normal">
            <li>
              <t>Deprecated alias names for this type: N/A</t>
            </li>
            <li>
              <t>Magic number(s): N/A</t>
            </li>
            <li>
              <t>File extension(s): .c509</t>
            </li>
            <li>
              <t>Macintosh file type code(s): N/A</t>
            </li>
          </ul>
          <t>Person &amp; email address to contact for further information: iesg@ietf.org</t>
          <t>Intended usage: COMMON</t>
          <t>Restrictions on usage: N/A</t>
          <t>Author: COSE WG</t>
          <t>Change controller: IETF</t>
        </section>
        <section anchor="media-type-applicationc509-ocspreqcbor">
          <name>Media Type application/c509-ocspreq+cbor</name>
          <t>When the application/c509-ocspreq+cbor media type is used, the data is a C509OCSPRequest structure.</t>
          <t>Subtype name: c509-ocspreq+cbor</t>
          <t>Required parameters: N/A</t>
          <t>Encoding considerations: binary</t>
          <t>Security considerations: See <xref target="security"/> of [RFC-XXXX].</t>
          <t>Interoperability considerations: N/A</t>
          <t>Published specification: [RFC-XXXX]</t>
          <t>Applications that use this media type: OCSP clients</t>
          <t>Fragment identifier considerations: N/A</t>
          <t>Additional information:</t>
          <ul spacing="normal">
            <li>
              <t>Deprecated alias names for this type: N/A</t>
            </li>
            <li>
              <t>Magic number(s): N/A</t>
            </li>
            <li>
              <t>File extension(s): .c509</t>
            </li>
            <li>
              <t>Macintosh file type code(s): N/A</t>
            </li>
          </ul>
          <t>Person &amp; email address to contact for further information: iesg@ietf.org</t>
          <t>Intended usage: COMMON</t>
          <t>Restrictions on usage: N/A</t>
          <t>Author: COSE WG</t>
          <t>Change controller: IETF</t>
        </section>
        <section anchor="media-type-applicationc509-ocsprespcbor">
          <name>Media Type application/c509-ocspresp+cbor</name>
          <t>When the application/c509-ocspresp+cbor media type is used, the data is a C509OCSPResponse structure.</t>
          <t>Subtype name: c509-ocspresp+cbor</t>
          <t>Required parameters: N/A</t>
          <t>Encoding considerations: binary</t>
          <t>Security considerations: See <xref target="security"/> of [RFC-XXXX].</t>
          <t>Interoperability considerations: N/A</t>
          <t>Published specification: [RFC-XXXX]</t>
          <t>Applications that use this media type: OCSP servers</t>
          <t>Fragment identifier considerations: N/A</t>
          <t>Additional information:</t>
          <ul spacing="normal">
            <li>
              <t>Deprecated alias names for this type: N/A</t>
            </li>
            <li>
              <t>Magic number(s): N/A</t>
            </li>
            <li>
              <t>File extension(s): .c509</t>
            </li>
            <li>
              <t>Macintosh file type code(s): N/A</t>
            </li>
          </ul>
          <t>Person &amp; email address to contact for further information: iesg@ietf.org</t>
          <t>Intended usage: COMMON</t>
          <t>Restrictions on usage: N/A</t>
          <t>Author: COSE WG</t>
          <t>Change controller: IETF</t>
        </section>
      </section>
      <section anchor="content-format">
        <name>CoAP Content-Formats Registry</name>
        <t>IANA is requested to add entries for "application/c509-crl+cbor", "application/c509-crlinfo+cbor", "application/c509-ocspreq+cbor" and "application/c509-ocspresp+cbor" to the "CoAP Content-Formats" registry in the registry group "Constrained RESTful Environments (CoRE) Parameters".</t>
        <artwork><![CDATA[
+-------------------------+---------+-------+------------+
| Content                 | Content | ID    | Reference  |
| Type                    | Coding  |       |            |
+=========================+=========+=======+============+
| application/            | -       | TBD7  | [[this     |
| c509-crl+cbor           |         |       | document]] |
+-------------------------+---------+-------+------------+
| application/            |         |       | [[this     |
| c509-crlinfo+cbor       | -       | TBD8  | document]] |
+-------------------------+---------+-------+------------+
| application/            | -       | TBD9  | [[this     |
| c509-ocspreq+cbor       |         |       | document]] |
+-------------------------+---------+-------+------------+
| application/            | -       | TBD10 | [[this     |
| c509-ocspresp+cbor      |         |       | document]] |
+-------------------------+---------+-------+------------+
]]></artwork>
      </section>
      <section anchor="expert-review-guidelines">
        <name>Expert Review Guidelines</name>
        <t>TODO</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC6066">
          <front>
            <title>Transport Layer Security (TLS) Extensions: Extension Definitions</title>
            <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
            <date month="January" year="2011"/>
            <abstract>
              <t>This document provides specifications for existing TLS extensions. It is a companion document for RFC 5246, "The Transport Layer Security (TLS) Protocol Version 1.2". The extensions specified are server_name, max_fragment_length, client_certificate_url, trusted_ca_keys, truncated_hmac, and status_request. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6066"/>
          <seriesInfo name="DOI" value="10.17487/RFC6066"/>
        </reference>
        <reference anchor="RFC6960">
          <front>
            <title>X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP</title>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="M. Myers" initials="M." surname="Myers"/>
            <author fullname="R. Ankney" initials="R." surname="Ankney"/>
            <author fullname="A. Malpani" initials="A." surname="Malpani"/>
            <author fullname="S. Galperin" initials="S." surname="Galperin"/>
            <author fullname="C. Adams" initials="C." surname="Adams"/>
            <date month="June" year="2013"/>
            <abstract>
              <t>This document specifies a protocol useful in determining the current status of a digital certificate without requiring Certificate Revocation Lists (CRLs). Additional mechanisms addressing PKIX operational requirements are specified in separate documents. This document obsoletes RFCs 2560 and 6277. It also updates RFC 5912.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6960"/>
          <seriesInfo name="DOI" value="10.17487/RFC6960"/>
        </reference>
        <reference anchor="RFC7120">
          <front>
            <title>Early IANA Allocation of Standards Track Code Points</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <date month="January" year="2014"/>
            <abstract>
              <t>This memo describes the process for early allocation of code points by IANA from registries for which "Specification Required", "RFC Required", "IETF Review", or "Standards Action" policies apply. This process can be used to alleviate the problem where code point allocation is needed to facilitate desired or required implementation and deployment experience prior to publication of an RFC, which would normally trigger code point allocation. The procedures in this document are intended to apply only to IETF Stream documents.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="100"/>
          <seriesInfo name="RFC" value="7120"/>
          <seriesInfo name="DOI" value="10.17487/RFC7120"/>
        </reference>
        <reference anchor="RFC7925">
          <front>
            <title>Transport Layer Security (TLS) / Datagram Transport Layer Security (DTLS) Profiles for the Internet of Things</title>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <date month="July" year="2016"/>
            <abstract>
              <t>A common design pattern in Internet of Things (IoT) deployments is the use of a constrained device that collects data via sensors or controls actuators for use in home automation, industrial control systems, smart cities, and other IoT deployments.</t>
              <t>This document defines a Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) 1.2 profile that offers communications security for this data exchange thereby preventing eavesdropping, tampering, and message forgery. The lack of communication security is a common vulnerability in IoT products that can easily be solved by using these well-researched and widely deployed Internet security protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7925"/>
          <seriesInfo name="DOI" value="10.17487/RFC7925"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC8226">
          <front>
            <title>Secure Telephone Identity Credentials: Certificates</title>
            <author fullname="J. Peterson" initials="J." surname="Peterson"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <date month="February" year="2018"/>
            <abstract>
              <t>In order to prevent the impersonation of telephone numbers on the Internet, some kind of credential system needs to exist that cryptographically asserts authority over telephone numbers. This document describes the use of certificates in establishing authority over telephone numbers, as a component of a broader architecture for managing telephone numbers as identities in protocols like SIP.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8226"/>
          <seriesInfo name="DOI" value="10.17487/RFC8226"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8610">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="C. Vigano" initials="C." surname="Vigano"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="RFC8742">
          <front>
            <title>Concise Binary Object Representation (CBOR) Sequences</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>This document describes the Concise Binary Object Representation (CBOR) Sequence format and associated media type "application/cbor-seq". A CBOR Sequence consists of any number of encoded CBOR data items, simply concatenated in sequence.</t>
              <t>Structured syntax suffixes for media types allow other media types to build on them and make it explicit that they are built on an existing media type as their foundation. This specification defines and registers "+cbor-seq" as a structured syntax suffix for CBOR Sequences.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8742"/>
          <seriesInfo name="DOI" value="10.17487/RFC8742"/>
        </reference>
        <reference anchor="RFC8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9147">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC9360">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Header Parameters for Carrying and Referencing X.509 Certificates</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="February" year="2023"/>
            <abstract>
              <t>The CBOR Object Signing and Encryption (COSE) message structure uses references to keys in general. For some algorithms, additional properties are defined that carry parameters relating to keys as needed. The COSE Key structure is used for transporting keys outside of COSE messages. This document extends the way that keys can be identified and transported by providing attributes that refer to or contain X.509 certificates.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9360"/>
          <seriesInfo name="DOI" value="10.17487/RFC9360"/>
        </reference>
        <reference anchor="RFC9682">
          <front>
            <title>Updates to the Concise Data Definition Language (CDDL) Grammar</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="November" year="2024"/>
            <abstract>
              <t>The Concise Data Definition Language (CDDL), as defined in RFCs 8610 and 9165, provides an easy and unambiguous way to express structures for protocol messages and data formats that are represented in Concise Binary Object Representation (CBOR) or JSON.</t>
              <t>This document updates RFC 8610 by addressing related errata reports and making other small fixes for the ABNF grammar defined for CDDL.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9682"/>
          <seriesInfo name="DOI" value="10.17487/RFC9682"/>
        </reference>
        <reference anchor="I-D.ietf-cose-cbor-encoded-cert">
          <front>
            <title>CBOR Encoded X.509 Certificates (C509 Certificates)</title>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Shahid Raza" initials="S." surname="Raza">
              <organization>University of Glasgow</organization>
            </author>
            <author fullname="Joel Höglund" initials="J." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Martin Furuhed" initials="M." surname="Furuhed">
              <organization>IN Groupe</organization>
            </author>
            <author fullname="Lijun Liao" initials="L." surname="Liao">
              <organization>NIO</organization>
            </author>
            <date day="30" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies a CBOR encoding of X.509 certificates.  The
   resulting certificates are called C509 certificates.  The CBOR
   encoding supports a large subset of RFC 5280 and common certificate
   profiles, and it is extensible.

   Two types of C509 certificates are defined.  One type is an
   invertible CBOR re-encoding of DER-encoded X.509 certificates with
   the signature field copied from the DER encoding.  The other type is
   identical except that the signature is computed over the CBOR
   encoding instead of the DER encoding, thereby avoiding the use of
   ASN.1.  Both types of certificates have the same semantics as X.509
   while providing comparable size reduction.

   This document also specifies CBOR-encoded data structures for
   certification requests and certification request templates, new COSE
   headers, as well as a TLS certificate type and a file format for
   C509.  This document updates RFC 6698 by extending the TLSA selectors
   registry to include C509 certificates.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-20"/>
        </reference>
        <reference anchor="I-D.ietf-stir-certificates-ocsp">
          <front>
            <title>OCSP Usage for Secure Telephone Identity Certificates</title>
            <author fullname="Jon Peterson" initials="J." surname="Peterson">
              <organization>TransUnion, Inc.</organization>
            </author>
            <author fullname="Sean Turner" initials="S." surname="Turner">
              <organization>sn3rd</organization>
            </author>
            <date day="10" month="June" year="2026"/>
            <abstract>
              <t>   When certificates are used as credentials to attest the assignment or
   ownership of telephone numbers, some mechanism is required to convey
   certificate freshness to relying parties.  Certificate Revocation
   Lists (CRLs) are commonly used for this purpose, but for certain
   classes of certificates, including delegate certificates conveying
   their scope of authority by-reference in Secure Telephone Identity
   Revisited (STIR) systems, they may not be aligned with the needs of
   relying parties.  This document specifies the use of the Online
   Certificate Status Protocol (OCSP) as a means of retrieving real-time
   status information about such certificates, defining new extensions
   to compensate for the dynamism of telephone number assignments.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-stir-certificates-ocsp-14"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC7228">
          <front>
            <title>Terminology for Constrained-Node Networks</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="M. Ersue" initials="M." surname="Ersue"/>
            <author fullname="A. Keranen" initials="A." surname="Keranen"/>
            <date month="May" year="2014"/>
            <abstract>
              <t>The Internet Protocol Suite is increasingly used on small devices with severe constraints on power, memory, and processing resources, creating constrained-node networks. This document provides a number of basic terms that have been useful in the standardization work for constrained-node networks.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7228"/>
          <seriesInfo name="DOI" value="10.17487/RFC7228"/>
        </reference>
        <reference anchor="POSIX" target="https://pubs.opengroup.org/onlinepubs/9699919799/">
          <front>
            <title>IEEE Standard for Information Technology--Portable Operating System Interface (POSIX(TM)) Base Specifications, Issue 7</title>
            <author>
              <organization/>
            </author>
            <date year="2018" month="January"/>
          </front>
        </reference>
        <reference anchor="CborMe" target="https://cbor.me/">
          <front>
            <title>CBOR Playground</title>
            <author initials="C." surname="Bormann">
              <organization/>
            </author>
            <date year="2018" month="May"/>
          </front>
        </reference>
        <reference anchor="X.690" target="https://www.itu.int/rec/T-REC-X.690">
          <front>
            <title>ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
    </references>
    <?line 1170?>

<section anchor="examples">
      <name>Examples</name>
      <section anchor="overview-2">
        <name>Overview</name>
        <table anchor="tab-examples-overview">
          <name>Size comparison in examples (TODO: update the percent data)</name>
          <thead>
            <tr>
              <th align="left">Section</th>
              <th align="left">Description</th>
              <th align="left">size(C509)</th>
              <th align="left">size(X509)</th>
              <th align="left">Size Reduction</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <xref target="exam-crl-no-revoked"/></td>
              <td align="left">CRL Example Without Revoked Certificates</td>
              <td align="left">147</td>
              <td align="left">120</td>
              <td align="left">18%</td>
            </tr>
            <tr>
              <td align="left">
                <xref target="exam-crl-revoked"/></td>
              <td align="left">CRL Example With Revoked Certificates</td>
              <td align="left">335</td>
              <td align="left">177</td>
              <td align="left">47%</td>
            </tr>
            <tr>
              <td align="left">
                <xref target="exam-delta-crl-revoked"/></td>
              <td align="left">Delta CRL Example With Revoked Certificates</td>
              <td align="left">335</td>
              <td align="left">160</td>
              <td align="left">52%</td>
            </tr>
            <tr>
              <td align="left">
                <xref target="exam-indirect-crl-revoked"/></td>
              <td align="left">Indirect CRL Example With Revoked Certificates</td>
              <td align="left">409</td>
              <td align="left">202</td>
              <td align="left">51%</td>
            </tr>
            <tr>
              <td align="left">
                <xref target="exam-simple-ocsp-req"/></td>
              <td align="left">Simple OCSP Request Example</td>
              <td align="left">152</td>
              <td align="left">51</td>
              <td align="left">66%</td>
            </tr>
            <tr>
              <td align="left">
                <xref target="exam-unsigned-ocsp-req"/></td>
              <td align="left">Unsigned OCSP Request Example</td>
              <td align="left">483</td>
              <td align="left">132</td>
              <td align="left">73%</td>
            </tr>
            <tr>
              <td align="left">
                <xref target="exam-signed-ocsp-req"/></td>
              <td align="left">Signed OCSP Request Example Without Requestor's Certificate</td>
              <td align="left">592</td>
              <td align="left">209</td>
              <td align="left">65%</td>
            </tr>
            <tr>
              <td align="left">
                <xref target="exam-signed-ocsp-req-withcert"/></td>
              <td align="left">Signed OCSP Request Example With Requestor's Certificate</td>
              <td align="left">1043</td>
              <td align="left">420</td>
              <td align="left">60%</td>
            </tr>
            <tr>
              <td align="left">
                <xref target="exam-signed-ocsp-req-withcertchain"/></td>
              <td align="left">Signed OCSP Request Example With Requestor's Certificate Chain</td>
              <td align="left">1379</td>
              <td align="left">625</td>
              <td align="left">55%</td>
            </tr>
            <tr>
              <td align="left">
                <xref target="exam-error-ocsp-resp"/></td>
              <td align="left">Error OCSP Response Example</td>
              <td align="left">5</td>
              <td align="left">3</td>
              <td align="left">40%</td>
            </tr>
            <tr>
              <td align="left">
                <xref target="exam-simple-ocsp-resp"/></td>
              <td align="left">Simple OCSP Response Example</td>
              <td align="left">338</td>
              <td align="left">140</td>
              <td align="left">59%</td>
            </tr>
            <tr>
              <td align="left">
                <xref target="exam-basic-ocsp-resp"/></td>
              <td align="left">Basic OCSP Response Example Without Responder's Certificate</td>
              <td align="left">845</td>
              <td align="left">248</td>
              <td align="left">71%</td>
            </tr>
            <tr>
              <td align="left">
                <xref target="exam-basic-ocsp-resp-withcert"/></td>
              <td align="left">Basic OCSP Response Example With Responder's Certificate</td>
              <td align="left">1189</td>
              <td align="left">446</td>
              <td align="left">62%</td>
            </tr>
            <tr>
              <td align="left">
                <xref target="exam-basic-ocsp-resp-withcertchain"/></td>
              <td align="left">Basic OCSP Response Example With Responder's Certificate Chain</td>
              <td align="left">1525</td>
              <td align="left">651</td>
              <td align="left">57%</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="helper-keys-and-certificates">
        <name>Helper Keys and Certificates</name>
        <section anchor="ca-private-key-and-certificate">
          <name>CA Private Key and Certificate</name>
          <section anchor="ca-private-key">
            <name>CA Private Key</name>
            <artwork><![CDATA[
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIDP+AdMbqXudBAN3YNAwoR0i3nl4IuoSSA6Hazy2oAKc
-----END PRIVATE KEY-----
]]></artwork>
          </section>
          <section anchor="ca-cert">
            <name>CA Certificate</name>
            <section anchor="plain-hex">
              <name>Plain Hex</name>
              <artwork><![CDATA[
8B0241010C73746573742063726C6F6373702D726F6F7463611A677485801A6B36EC
7F6F746573742063726C6F6373702D63610C58205EF8A355A001A7C50D2349470120
8131A4BB2AB920D40BFB0EE1F6AB28FF74008801542F45E78D2CAEDF368CDF53C390
05D492450E1056211860230107542DA3A403F7D2F4E0B3D8031A73BA8A839F557F0F
5840E50465D60C02A2111EF3FC6E44F2A36008765B552351F9A3F5B2AA7C76F1F05D
259847A4F4250B2E4B0AE2099762A2596D3CC1DB2CCD180AA0A2D0E191310B0F
]]></artwork>
            </section>
            <section anchor="textual-representation">
              <name>Textual Representation</name>
              <artwork><![CDATA[
Certificate
  TBSCertificate
    Certificate Type: 2
    Serial Number
      01
    Signature Algorithm: Ed25519 (12)
    Issuer : CN=test crlocsp-rootca
    Subject: CN=test crlocsp-ca
    Validity
      Not Before: 2025-01-01T00:00:00Z
      Not After : 2026-12-31T23:59:59Z
    Subject Public Key Info:
      algorithm: Ed25519 (12)
      Raw public key
        5e:f8:a3:55:a0:01:a7:c5:0d:23:49:47:01:20:81:31:
        a4:bb:2a:b9:20:d4:0b:fb:0e:e1:f6:ab:28:ff:74:00
    Extensions
      SubjectKeyIdentifier (1)
        2f:45:e7:8d:2c:ae:df:36:8c:df:53:c3:90:05:d4:92:
        45:0e:10:56
      KeyUsage (2), critical
        0x60: [keyCertSign, cRLSign]
      BasicConstraints (4), critical
        CA: true, pathLenConstraint: 1
      AuthorityKeyIdentifier (7)
        Key Identifier
          2d:a3:a4:03:f7:d2:f4:e0:b3:d8:03:1a:73:ba:8a:83:
          9f:55:7f:0f
  Signature Value
    e5:04:65:d6:0c:02:a2:11:1e:f3:fc:6e:44:f2:a3:60:
    08:76:5b:55:23:51:f9:a3:f5:b2:aa:7c:76:f1:f0:5d:
    25:98:47:a4:f4:25:0b:2e:4b:0a:e2:09:97:62:a2:59:
    6d:3c:c1:db:2c:cd:18:0a:a0:a2:d0:e1:91:31:0b:0f
]]></artwork>
            </section>
          </section>
        </section>
        <section anchor="crl-signer-private-key-and-certificate">
          <name>CRL Signer Private Key and Certificate</name>
          <section anchor="crl-signer-private-key">
            <name>CRL Signer Private Key</name>
            <artwork><![CDATA[
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIOJ3HnsrBJ5g5Pb5oy7qlvijr3Wfx3ywAUvnmRV4354s
-----END PRIVATE KEY-----
]]></artwork>
          </section>
          <section anchor="crl-signer-cert">
            <name>CRL Signer Certificate</name>
            <section anchor="plain-hex-1">
              <name>Plain Hex</name>
              <artwork><![CDATA[
8B024212340C6F746573742063726C6F6373702D63611A6775D7001A69570A806A63
726C2D7369676E65720C5820C9BA1EC496DACB97AED087ADE390F398FBD477871EE9
203817EC0E31902789FF86015409E433582556550A27DB4A19BCE2D660884722B621
184007542F45E78D2CAEDF368CDF53C39005D492450E10565840D46E6A8F9FD53417
F36DFE56CBB8CACE0FC3E59ACBE72CD9916B3E4C5022D06D16CC9BF9AC54394037C9
5433644194FAE18FF783381959584A21BDC0E1C6CB0B
]]></artwork>
            </section>
            <section anchor="textual-representation-1">
              <name>Textual Representation</name>
              <artwork><![CDATA[
Certificate
  TBSCertificate
    Certificate Type: 2
    Serial Number
      12:34
    Signature Algorithm: Ed25519 (12)
    Issuer : CN=test crlocsp-ca
    Subject: CN=crl-signer
    Validity
      Not Before: 2025-01-02T00:00:00Z
      Not After : 2026-01-02T00:00:00Z
    Subject Public Key Info:
      algorithm: Ed25519 (12)
      Raw public key
        c9:ba:1e:c4:96:da:cb:97:ae:d0:87:ad:e3:90:f3:98:
        fb:d4:77:87:1e:e9:20:38:17:ec:0e:31:90:27:89:ff
    Extensions
      SubjectKeyIdentifier (1)
        09:e4:33:58:25:56:55:0a:27:db:4a:19:bc:e2:d6:60:
        88:47:22:b6
      KeyUsage (2), critical
        0x40: [cRLSign]
      AuthorityKeyIdentifier (7)
        Key Identifier
          2f:45:e7:8d:2c:ae:df:36:8c:df:53:c3:90:05:d4:92:
          45:0e:10:56
  Signature Value
    d4:6e:6a:8f:9f:d5:34:17:f3:6d:fe:56:cb:b8:ca:ce:
    0f:c3:e5:9a:cb:e7:2c:d9:91:6b:3e:4c:50:22:d0:6d:
    16:cc:9b:f9:ac:54:39:40:37:c9:54:33:64:41:94:fa:
    e1:8f:f7:83:38:19:59:58:4a:21:bd:c0:e1:c6:cb:0b
]]></artwork>
            </section>
          </section>
        </section>
        <section anchor="ocsp-requestor-private-key-and-certificate">
          <name>OCSP Requestor Private Key and Certificate</name>
          <section anchor="ocsp-requestor-private-key">
            <name>OCSP Requestor Private Key</name>
            <artwork><![CDATA[
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIDoXZF67Rh+ENmXzefN4vLk/o2fK5q/otI2G1xQYtThH
-----END PRIVATE KEY-----
]]></artwork>
          </section>
          <section anchor="ocsp-requestor-cert">
            <name>OCSP Requestor Certificate</name>
            <section anchor="plain-hex-2">
              <name>Plain Hex</name>
              <artwork><![CDATA[
8B024212360C6F746573742063726C6F6373702D63611A6775D7001A69570A806E6F
6373702D726571756573746F720C582004530B1764EDD4B4E33AB44AF0F838961C00
7176D74B6A3546ECB7FD57320DD3860154DD51BDB2A2C791C062D4027856DBACF526
07F0BE210107542F45E78D2CAEDF368CDF53C39005D492450E10565840F8C6183ECF
8C3EFD50DD4942D172814C46EC0FC01DD586A597178DF864A0D9DA86B7CA17FC9F77
2FF04C80E98B60D5B4B62408A277A5B70D0D2A3F5ED5442D07
]]></artwork>
            </section>
            <section anchor="textual-representation-2">
              <name>Textual Representation</name>
              <artwork><![CDATA[
Certificate
  TBSCertificate
    Certificate Type: 2
    Serial Number
      12:36
    Signature Algorithm: Ed25519 (12)
    Issuer : CN=test crlocsp-ca
    Subject: CN=ocsp-requestor
    Validity
      Not Before: 2025-01-02T00:00:00Z
      Not After : 2026-01-02T00:00:00Z
    Subject Public Key Info:
      algorithm: Ed25519 (12)
      Raw public key
        04:53:0b:17:64:ed:d4:b4:e3:3a:b4:4a:f0:f8:38:96:
        1c:00:71:76:d7:4b:6a:35:46:ec:b7:fd:57:32:0d:d3
    Extensions
      SubjectKeyIdentifier (1)
        dd:51:bd:b2:a2:c7:91:c0:62:d4:02:78:56:db:ac:f5:
        26:07:f0:be
      KeyUsage (2), critical
        0x1: [digitalSignature]
      AuthorityKeyIdentifier (7)
        Key Identifier
          2f:45:e7:8d:2c:ae:df:36:8c:df:53:c3:90:05:d4:92:
          45:0e:10:56
  Signature Value
    f8:c6:18:3e:cf:8c:3e:fd:50:dd:49:42:d1:72:81:4c:
    46:ec:0f:c0:1d:d5:86:a5:97:17:8d:f8:64:a0:d9:da:
    86:b7:ca:17:fc:9f:77:2f:f0:4c:80:e9:8b:60:d5:b4:
    b6:24:08:a2:77:a5:b7:0d:0d:2a:3f:5e:d5:44:2d:07
]]></artwork>
            </section>
          </section>
        </section>
        <section anchor="ocsp-responder-private-key-and-certificate">
          <name>OCSP Responder Private Key and Certificate</name>
          <section anchor="ocsp-responder-private-key">
            <name>OCSP Responder Private Key</name>
            <artwork><![CDATA[
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEII5swSxWTjlZinUj+5kie//qjgBbzupdc0lmaHF9NkXl
-----END PRIVATE KEY-----
]]></artwork>
          </section>
          <section anchor="ocsp-responder-cert">
            <name>OCSP Responder Certificate</name>
            <section anchor="plain-hex-3">
              <name>Plain Hex</name>
              <artwork><![CDATA[
8B024212350C6F746573742063726C6F6373702D63611A6775D7001A69570A806E6F
6373702D726573706F6E6465720C582081947BBC248AAC79738211A8D75BF92CB777
D994073DF23AE06380EF2C573976880154B5B4CAF35401D06151DF9629DB579DC8CC
A453A8210107542F45E78D2CAEDF368CDF53C39005D492450E105627095840A01B0C
BF3E34A4762D05404FD08A7AEC103035358314686D72B6159078C76E1D88597F3753
1886A3F52F256FD722192B289D6844014467F1F17F05ACBB7B660A
]]></artwork>
            </section>
            <section anchor="textual-representation-3">
              <name>Textual Representation</name>
              <artwork><![CDATA[
Certificate
  TBSCertificate
    Certificate Type: 2
    Serial Number
      12:35
    Signature Algorithm: Ed25519 (12)
    Issuer : CN=test crlocsp-ca
    Subject: CN=ocsp-responder
    Validity
      Not Before: 2025-01-02T00:00:00Z
      Not After : 2026-01-02T00:00:00Z
    Subject Public Key Info:
      algorithm: Ed25519 (12)
      Raw public key
        81:94:7b:bc:24:8a:ac:79:73:82:11:a8:d7:5b:f9:2c:
        b7:77:d9:94:07:3d:f2:3a:e0:63:80:ef:2c:57:39:76
    Extensions
      SubjectKeyIdentifier (1)
        b5:b4:ca:f3:54:01:d0:61:51:df:96:29:db:57:9d:c8:
        cc:a4:53:a8
      KeyUsage (2), critical
        0x1: [digitalSignature]
      AuthorityKeyIdentifier (7)
        Key Identifier
          2f:45:e7:8d:2c:ae:df:36:8c:df:53:c3:90:05:d4:92:
          45:0e:10:56
      ExtendedKeyUsage (8), critical
        OCSPSigning (9)
  Signature Value
    a0:1b:0c:bf:3e:34:a4:76:2d:05:40:4f:d0:8a:7a:ec:
    10:30:35:35:83:14:68:6d:72:b6:15:90:78:c7:6e:1d:
    88:59:7f:37:53:18:86:a3:f5:2f:25:6f:d7:22:19:2b:
    28:9d:68:44:01:44:67:f1:f1:7f:05:ac:bb:7b:66:0a
]]></artwork>
            </section>
          </section>
        </section>
      </section>
      <section anchor="crl-examples">
        <name>CRL Examples</name>
        <section anchor="exam-crl-no-revoked">
          <name>CRL Example Without Revoked Certificates</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 18%</t>
            </li>
            <li>
              <t>Verifiable with certificate in <xref target="ca-cert"/></t>
            </li>
            <li>
              <t>Direct CRL</t>
            </li>
            <li>
              <t>Full CRL</t>
            </li>
            <li>
              <t>No revoked certificates</t>
            </li>
            <li>
              <t>Note that the X.509 CRL and the C509 CRL are not convertible.</t>
            </li>
          </ul>
          <section anchor="x509-crl">
            <name>X.509 CRL</name>
            <t>PEM content (147 bytes):</t>
            <artwork><![CDATA[
-----BEGIN X509 CRL-----
MIGQMEQCAQEwBQYDK2VwMBoxGDAWBgNVBAMMD3Rlc3QgY3Jsb2NzcC1jYRcNMjUw
MTAyMDAwMDAwWhcNMjUwMTA5MDAwMDAwWjAFBgMrZXADQQBeSb215S+/7HT9HjQN
zeuuETZAjRIwCLxCIZatpkiov3ndsI7fjXcabny/kx9d5Ce39o3RcDG3QiDDdWOi
R5UK
-----END X509 CRL-----
]]></artwork>
          </section>
          <section anchor="c509-crl">
            <name>C509 CRL</name>
            <t>Plain Hex (120 bytes):</t>
            <artwork><![CDATA[
8B000C6F746573742063726C6F6373702D6361542F45E78D2CAEDF368CDF53C39005
D492450E1056011A6775D7001A00093A80F680F6584013834F4E38AA9F0DC5B8D21C
8650C776A6D961C31C894C36A71A6433F5ED7D30E67F787F13C7E4C349B2848A181F
DBBCE361A14C220021C4A267367AD5F1D90D
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509CRL
  TBSCertList
    CRL Type: C509CRL (0)
    Signature Algorithm: Ed25519 (12)
    Authority Subject: CN=test crlocsp-ca
    Authority Key Identifier:
      2F:45:E7:8D:2C:AE:DF:36:8C:DF:53:C3:90:05:D4:92:
      45:0E:10:56
    CRL Number: 1
    This Update: 2025-01-02T00:00:00Z
    Next Update: 2025-01-09T00:00:00Z
    Base CRL Number: <null>
    Extensions: <empty>
  revokedCertsList: <null>
  Signature Value
    13:83:4f:4e:38:aa:9f:0d:c5:b8:d2:1c:86:50:c7:76:
    a6:d9:61:c3:1c:89:4c:36:a7:1a:64:33:f5:ed:7d:30:
    e6:7f:78:7f:13:c7:e4:c3:49:b2:84:8a:18:1f:db:bc:
    e3:61:a1:4c:22:00:21:c4:a2:67:36:7a:d5:f1:d9:0d
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
  0: 8B             # C509CRL=array[11]
  1:   00             # [0]. crlType=0
  2:   0C             # [1]. signatureAlgorithm=Ed25519 (12)
  3:   6F             # [2]. authoritySubject=char[15]
  4:     746573742063726C6F6373702D6361 # "test crlocsp-ca"
 19:   54             # [3]. authorityKeyIdentifier=byte[20]
 20:     2F45E78D2CAEDF368CDF53C39005D492450E1056
 40:   01             # [4]. crlNumber=1
 41:   1A 6775D700    # [5]. thisUpdate=1735776000:
                      #      2025-01-02T00:00:00Z
 46:   1A 00093A80    # [6]. nextUpdate=604800: 2025-01-09T00:00:00Z
 51:   F6             # [7]. baseCrlNumber=<null>
 52:   80             # [8]. crlExtensions=array[0]
 53:   F6             # [9]. revokedCertsList: <null>
 54:   58 40          # [10]. signature value=byte[64]
 56:     13834F4E38AA9F0DC5B8D21C8650C776A6D961C31C894C36A71A6433F5
 85:     ED7D30E67F787F13C7E4C349B2848A181FDBBCE361A14C220021C4A267
114:     367AD5F1D90D
]]></artwork>
          </section>
        </section>
        <section anchor="exam-crl-revoked">
          <name>CRL Example With Revoked Certificates</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 47%</t>
            </li>
            <li>
              <t>Verifiable with certificate in <xref target="ca-cert"/></t>
            </li>
            <li>
              <t>Direct CRL</t>
            </li>
            <li>
              <t>Full CRL</t>
            </li>
            <li>
              <t>With revoked certificates</t>
            </li>
            <li>
              <t>With Per-Issuer Extension ExpiredCertsOnCRL</t>
            </li>
            <li>
              <t>Note that the X.509 CRL and the C509 CRL are not convertible.</t>
            </li>
          </ul>
          <section anchor="x509-crl-1">
            <name>X.509 CRL</name>
            <t>PEM content (335 bytes):</t>
            <artwork><![CDATA[
-----BEGIN X509 CRL-----
MIIBSzCB/gIBATAFBgMrZXAwGjEYMBYGA1UEAwwPdGVzdCBjcmxvY3NwLWNhFw0y
NTAxMDcwMDEyMzRaFw0yNTAxMTQwMDEyMzRaMIG3MCECAhEiFw0yNTAxMDYwMDEy
MzRaMAwwCgYDVR0VBAMKAQYwIQICEjQXDTI1MDEwMTAwMTIzNFowDDAKBgNVHRUE
AwoBATAhAgIzRBcNMjUwMTA0MDAxMjM0WjAMMAoGA1UdFQQDCgEGMCECAlVmFw0y
NTAxMDIwMDEyMzRaMAwwCgYDVR0VBAMKAQYwEwICVngXDTI1MDEwNTAwMTIzNFow
FAIDAJq8Fw0yNTAxMDMwMDEyMzRaMAUGAytlcANBAAK0jdEbZtlvJDmhKAJQTklZ
WqS7xaN9gHvLC/8lvmqsSdY8T/1YbdkVGCyKsWuDSBGVFtrM2DrBzSDarRKctwY=
-----END X509 CRL-----
]]></artwork>
          </section>
          <section anchor="c509-crl-1">
            <name>C509 CRL</name>
            <t>Plain Hex (177 bytes):</t>
            <artwork><![CDATA[
8B000C6F746573742063726C6F6373702D6361542F45E78D2CAEDF368CDF53C39005
D492450E1056021A677C71721A00093A80F68085F6840302031A677488728218571A
677485805824112206978006123400000001334403F4800655660151800656780546
00009ABC02A30000F6584070BB7A38065FBCABFE615170F05A9A9FE83DC892D5F735
812B2A053AF4B300EB466BABB4F1A387CDCE90D8302C680B77AA61566423D7C235F7
BD31344CF7F405
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509CRL
  TBSCertList
    CRL Type: C509CRL (0)
    Signature Algorithm: Ed25519 (12)
    Authority Subject: CN=test crlocsp-ca
    Authority Key Identifier:
      2F:45:E7:8D:2C:AE:DF:36:8C:DF:53:C3:90:05:D4:92:
      45:0E:10:56
    CRL Number: 2
    This Update: 2025-01-07T00:12:34Z
    Next Update: 2025-01-14T00:12:34Z
    Base CRL Number: <null>
    Extensions: <empty>
  revokedCertsList:
    PerIssuerRevokedCerts[0]
      Issuer: <null>
      RevokedCertsControl
        Flags: sorted, with reason (0x3)
        Serial number length: 2
        Date length: 3
        Base date: 2025-01-01T00:12:34Z
      Extensions
        ExpiredCertsOnCRL (87)
          2025-01-01T00:00:00Z
      RevokedCerts:
        0x1122, 2025-01-06T00:12:34Z, certificateHold
        0x1234, 2025-01-01T00:12:34Z, keyCompromise
        0x3344, 2025-01-04T00:12:34Z, certificateHold
        0x5566, 2025-01-02T00:12:34Z, certificateHold
        0x5678, 2025-01-05T00:12:34Z, unspecified
        0x9ABC, 2025-01-03T00:12:34Z, unspecified
      RemovedFromCRLCerts: <null>
  Signature Value
    70:bb:7a:38:06:5f:bc:ab:fe:61:51:70:f0:5a:9a:9f:
    e8:3d:c8:92:d5:f7:35:81:2b:2a:05:3a:f4:b3:00:eb:
    46:6b:ab:b4:f1:a3:87:cd:ce:90:d8:30:2c:68:0b:77:
    aa:61:56:64:23:d7:c2:35:f7:bd:31:34:4c:f7:f4:05
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
  0: 8B             # C509CRL=array[11]
  1:   00             # [0]. crlType=0
  2:   0C             # [1]. signatureAlgorithm=Ed25519 (12)
  3:   6F             # [2]. authoritySubject=char[15]
  4:     746573742063726C6F6373702D6361 # "test crlocsp-ca"
 19:   54             # [3]. authorityKeyIdentifier=byte[20]
 20:     2F45E78D2CAEDF368CDF53C39005D492450E1056
 40:   02             # [4]. crlNumber=2
 41:   1A 677C7172    # [5]. thisUpdate=1736208754:
                      #      2025-01-07T00:12:34Z
 46:   1A 00093A80    # [6]. nextUpdate=604800: 2025-01-14T00:12:34Z
 51:   F6             # [7]. baseCrlNumber=<null>
 52:   80             # [8]. crlExtensions=array[0]
 53:   85             # [9]. revokedCertsList=array[5]
                        #---PerIssuedRevokedCerts[0]---
 54:     F6             # [0]. issuer=<null>
 55:     84             # [1]. revokedCertsControl=array[4]
 56:       03             # [0]. flags: sorted, with reason (0x3)
 57:       02             # [1]. serialNumberLength=2
 58:       03             # [2]. dateLength=3
 59:       1A 67748872    # [3]. baseDate=1735690354:
                          #      2025-01-01T00:12:34Z
 64:     82             # [2]. extensions=array[2]
                          #---extension[0]---
 65:       18 57          # [0]. type=ExpiredCertsOnCRL (87)
 67:       1A 67748580    # [1]. value=1735689600:
                          #      2025-01-01T00:00:00Z
 72:     58 24          # [3]. revokedCerts=byte[36], 6 entries
                          #---entries[0]---
 74:       1122           # CSN=1122
 76:       069780         # date=069780: 2025-01-06T00:12:34Z
 79:       06             # reason=6: certificateHold
                          #---entries[1]---
 80:       1234           # CSN=1234
 82:       000000         # date=000000: 2025-01-01T00:12:34Z
 85:       01             # reason=1: keyCompromise
                          #---entries[2]---
 86:       3344           # CSN=3344
 88:       03F480         # date=03F480: 2025-01-04T00:12:34Z
 91:       06             # reason=6: certificateHold
                          #---entries[3]---
 92:       5566           # CSN=5566
 94:       015180         # date=015180: 2025-01-02T00:12:34Z
 97:       06             # reason=6: certificateHold
                          #---entries[4]---
 98:       5678           # CSN=5678
100:       054600         # date=054600: 2025-01-05T00:12:34Z
103:       00             # reason=0: unspecified
                          #---entries[5]---
104:       9ABC           # CSN=9ABC
106:       02A300         # date=02A300: 2025-01-03T00:12:34Z
109:       00             # reason=0: unspecified
110:     F6             # [4]. removedFromCRLCerts=<null>
111:   58 40          # [10]. signature value=byte[64]
113:     70BB7A38065FBCABFE615170F05A9A9FE83DC892D5F735812B2A053AF4
142:     B300EB466BABB4F1A387CDCE90D8302C680B77AA61566423D7C235F7BD
171:     31344CF7F405
]]></artwork>
          </section>
        </section>
        <section anchor="exam-delta-crl-revoked">
          <name>Delta CRL Example With Revoked Certificates</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 52%</t>
            </li>
            <li>
              <t>Verifiable with certificate in <xref target="ca-cert"/></t>
            </li>
            <li>
              <t>Direct CRL</t>
            </li>
            <li>
              <t>Delta CRL</t>
            </li>
            <li>
              <t>With revoked certificates</t>
            </li>
            <li>
              <t>With entries removed from CRL since last full CRL</t>
            </li>
            <li>
              <t>Note that the X.509 CRL and the C509 CRL are not convertible.</t>
            </li>
          </ul>
          <section anchor="x509-crl-2">
            <name>X.509 CRL</name>
            <t>PEM content (335 bytes):</t>
            <artwork><![CDATA[
-----BEGIN X509 CRL-----
MIIBSzCB/gIBATAFBgMrZXAwGjEYMBYGA1UEAwwPdGVzdCBjcmxvY3NwLWNhFw0y
NTAxMDgwMDEyMzRaFw0yNTAxMTAwMDEyMzRaMIG3MCECAjQSFw0yNTAxMDcxMjEy
MzRaMAwwCgYDVR0VBAMKAQEwEwICeFYXDTI1MDEwODAwMTAzNFowFAIDALyaFw0y
NTAxMDgwMDA4MzRaMCECAhEiFw0yNTAxMDcxMzEyMzRaMAwwCgYDVR0VBAMKAQgw
IQICM0QXDTI1MDEwNzE0MTIzNFowDDAKBgNVHRUEAwoBCDAhAgJVZhcNMjUwMTA3
MTUxMjM0WjAMMAoGA1UdFQQDCgEIMAUGAytlcANBAKxSjqeefzjGdniA3bQCg3rL
d7rrJnfh8GfsWdawC9BHjK1G336hRYaxwLOtyQS4Mn80jjSwrN+bXg10spSA4gA=
-----END X509 CRL-----
]]></artwork>
          </section>
          <section anchor="c509-crl-2">
            <name>C509 CRL</name>
            <t>Plain Hex (160 bytes):</t>
            <artwork><![CDATA[
8B000C6F746573742063726C6F6373702D6361542F45E78D2CAEDF368CDF53C39005
D492450E1056031A677DC2F21A0002A300028085F6840302021A677D1A32804F3412
0000017856A84800BC9AA7D0004C11220E1033441C2055662A305840369C3E6412E9
D0537CD39EA1DA40C68C32B4EC0E5678650D6AF73677A5A0CF37F1CDE75D663DE374
9101F4354CCD6D8D05773887650046932B583C5365D7EB0B
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509CRL
  TBSCertList
    CRL Type: C509CRL (0)
    Signature Algorithm: Ed25519 (12)
    Authority Subject: CN=test crlocsp-ca
    Authority Key Identifier:
      2F:45:E7:8D:2C:AE:DF:36:8C:DF:53:C3:90:05:D4:92:
      45:0E:10:56
    CRL Number: 3
    This Update: 2025-01-08T00:12:34Z
    Next Update: 2025-01-10T00:12:34Z
    Base CRL Number: 2
    Extensions: <empty>
  revokedCertsList:
    PerIssuerRevokedCerts[0]
      Issuer: <null>
      RevokedCertsControl
        Flags: sorted, with reason (0x3)
        Serial number length: 2
        Date length: 2
        Base date: 2025-01-07T12:12:34Z
      Extensions: <empty>
      RevokedCerts:
        0x3412, 2025-01-07T12:12:34Z, keyCompromise
        0x7856, 2025-01-08T00:10:34Z, unspecified
        0xBC9A, 2025-01-08T00:08:34Z, unspecified
      RemovedFromCRLCerts:
        0x1122, 2025-01-07T13:12:34Z
        0x3344, 2025-01-07T14:12:34Z
        0x5566, 2025-01-07T15:12:34Z
  Signature Value
    36:9c:3e:64:12:e9:d0:53:7c:d3:9e:a1:da:40:c6:8c:
    32:b4:ec:0e:56:78:65:0d:6a:f7:36:77:a5:a0:cf:37:
    f1:cd:e7:5d:66:3d:e3:74:91:01:f4:35:4c:cd:6d:8d:
    05:77:38:87:65:00:46:93:2b:58:3c:53:65:d7:eb:0b
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
  0: 8B             # C509CRL=array[11]
  1:   00             # [0]. crlType=0
  2:   0C             # [1]. signatureAlgorithm=Ed25519 (12)
  3:   6F             # [2]. authoritySubject=char[15]
  4:     746573742063726C6F6373702D6361 # "test crlocsp-ca"
 19:   54             # [3]. authorityKeyIdentifier=byte[20]
 20:     2F45E78D2CAEDF368CDF53C39005D492450E1056
 40:   03             # [4]. crlNumber=3
 41:   1A 677DC2F2    # [5]. thisUpdate=1736295154:
                      #      2025-01-08T00:12:34Z
 46:   1A 0002A300    # [6]. nextUpdate=172800: 2025-01-10T00:12:34Z
 51:   02             # [7]. baseCrlNumber=2
 52:   80             # [8]. crlExtensions=array[0]
 53:   85             # [9]. revokedCertsList=array[5]
                        #---PerIssuedRevokedCerts[0]---
 54:     F6             # [0]. issuer=<null>
 55:     84             # [1]. revokedCertsControl=array[4]
 56:       03             # [0]. flags: sorted, with reason (0x3)
 57:       02             # [1]. serialNumberLength=2
 58:       02             # [2]. dateLength=2
 59:       1A 677D1A32    # [3]. baseDate=1736251954:
                          #      2025-01-07T12:12:34Z
 64:     80             # [2]. extensions=array[0]
 65:     4F             # [3]. revokedCerts=byte[15], 3 entries
                          #---entries[0]---
 66:       3412           # CSN=3412
 68:       0000           # date=0000: 2025-01-07T12:12:34Z
 70:       01             # reason=1: keyCompromise
                          #---entries[1]---
 71:       7856           # CSN=7856
 73:       A848           # date=A848: 2025-01-08T00:10:34Z
 75:       00             # reason=0: unspecified
                          #---entries[2]---
 76:       BC9A           # CSN=BC9A
 78:       A7D0           # date=A7D0: 2025-01-08T00:08:34Z
 80:       00             # reason=0: unspecified
 81:     4C             # [4]. removedFromCRLCerts=byte[12], 3
                        #      entries
                          #---entries[0]---
 82:       1122           # CSN=1122
 84:       0E10           # date=0E10: 2025-01-07T13:12:34Z
                          #---entries[1]---
 86:       3344           # CSN=3344
 88:       1C20           # date=1C20: 2025-01-07T14:12:34Z
                          #---entries[2]---
 90:       5566           # CSN=5566
 92:       2A30           # date=2A30: 2025-01-07T15:12:34Z
 94:   58 40          # [10]. signature value=byte[64]
 96:     369C3E6412E9D0537CD39EA1DA40C68C32B4EC0E5678650D6AF73677A5
125:     A0CF37F1CDE75D663DE3749101F4354CCD6D8D05773887650046932B58
154:     3C5365D7EB0B
]]></artwork>
          </section>
        </section>
        <section anchor="exam-indirect-crl-revoked">
          <name>Indirect CRL Example With Revoked Certificates</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 51%</t>
            </li>
            <li>
              <t>Verifiable with certificate in <xref target="crl-signer-cert"/></t>
            </li>
            <li>
              <t>Indirect CRL</t>
            </li>
            <li>
              <t>Full CRL</t>
            </li>
            <li>
              <t>With revoked certificates</t>
            </li>
            <li>
              <t>With two issuers</t>
            </li>
            <li>
              <t>Note that the X.509 CRL and the C509 CRL are not convertible.</t>
            </li>
          </ul>
          <section anchor="x509-crl-3">
            <name>X.509 CRL</name>
            <t>PEM content (409 bytes):</t>
            <artwork><![CDATA[
-----BEGIN X509 CRL-----
MIIBlTCCAUcCAQEwBQYDK2VwMBUxEzARBgNVBAMMCmNybC1zaWduZXIXDTI1MDEw
NzAwMTIzNFoXDTI1MDExNDAwMTIzNFowggEEMEoCAhI0Fw0yNTAxMDEwMDEyMzRa
MDUwCgYDVR0VBAMKAQEwJwYDVR0dBCAwHqQcMBoxGDAWBgNVBAMMD3Rlc3QgY3Js
b2NzcC1jYTATAgJWeBcNMjUwMTA1MDAxMjM0WjAUAgMAmrwXDTI1MDEwMzAwMTIz
NFowRQICESIXDTI1MDEwNjAwMTIzNFowMDAKBgNVHRUEAwoBBjAiBgNVHR0EGzAZ
pBcwFTETMBEGA1UEAwwKZXhhbXBsZSBDQTAhAgIzRBcNMjUwMTA0MDAxMjM0WjAM
MAoGA1UdFQQDCgEGMCECAlVmFw0yNTAxMDIwMDEyMzRaMAwwCgYDVR0VBAMKAQYw
BQYDK2VwA0EAUMWMYunvDSqQzFV+lo5O5TZmopxPvnMBpuR0Do8kCA4P4PHGg/E8
1U6GfBu/9MvUuTOX13loPDedsjvs/uK8AQ==
-----END X509 CRL-----
]]></artwork>
          </section>
          <section anchor="c509-crl-3">
            <name>C509 CRL</name>
            <t>Plain Hex (202 bytes):</t>
            <artwork><![CDATA[
8B000C6A63726C2D7369676E65725409E433582556550A27DB4A19BCE2D660884722
B6041A677C71721A00093A80F6808A6F746573742063726C6F6373702D6361840302
031A6774887280521234000000015678054600009ABC02A30000F66A6578616D706C
65204341840302031A6775D9F28052112205460006334402A30006556600000006F6
5840F00D6270F91486A7F378D06F01A807E64E086BB366BE3A1592CE4A64BFFD621F
30E2AB93766B4F8818116AB7DA7BEDF7C3EBCBDEAC6D0455F5F5669712006205
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509CRL
  TBSCertList
    CRL Type: C509CRL (0)
    Signature Algorithm: Ed25519 (12)
    Authority Subject: CN=crl-signer
    Authority Key Identifier:
      09:E4:33:58:25:56:55:0A:27:DB:4A:19:BC:E2:D6:60:
      88:47:22:B6
    CRL Number: 4
    This Update: 2025-01-07T00:12:34Z
    Next Update: 2025-01-14T00:12:34Z
    Base CRL Number: <null>
    Extensions: <empty>
  revokedCertsList:
    PerIssuerRevokedCerts[0]
      Issuer: CN=test crlocsp-ca
      RevokedCertsControl
        Flags: sorted, with reason (0x3)
        Serial number length: 2
        Date length: 3
        Base date: 2025-01-01T00:12:34Z
      Extensions: <empty>
      RevokedCerts:
        0x1234, 2025-01-01T00:12:34Z, keyCompromise
        0x5678, 2025-01-05T00:12:34Z, unspecified
        0x9ABC, 2025-01-03T00:12:34Z, unspecified
      RemovedFromCRLCerts: <null>
    PerIssuerRevokedCerts[1]
      Issuer: CN=example CA
      RevokedCertsControl
        Flags: sorted, with reason (0x3)
        Serial number length: 2
        Date length: 3
        Base date: 2025-01-02T00:12:34Z
      Extensions: <empty>
      RevokedCerts:
        0x1122, 2025-01-06T00:12:34Z, certificateHold
        0x3344, 2025-01-04T00:12:34Z, certificateHold
        0x5566, 2025-01-02T00:12:34Z, certificateHold
      RemovedFromCRLCerts: <null>
  Signature Value
    f0:0d:62:70:f9:14:86:a7:f3:78:d0:6f:01:a8:07:e6:
    4e:08:6b:b3:66:be:3a:15:92:ce:4a:64:bf:fd:62:1f:
    30:e2:ab:93:76:6b:4f:88:18:11:6a:b7:da:7b:ed:f7:
    c3:eb:cb:de:ac:6d:04:55:f5:f5:66:97:12:00:62:05
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
  0: 8B             # C509CRL=array[11]
  1:   00             # [0]. crlType=0
  2:   0C             # [1]. signatureAlgorithm=Ed25519 (12)
  3:   6A             # [2]. authoritySubject=char[10]
  4:     63726C2D7369676E6572 # "crl-signer"
 14:   54             # [3]. authorityKeyIdentifier=byte[20]
 15:     09E433582556550A27DB4A19BCE2D660884722B6
 35:   04             # [4]. crlNumber=4
 36:   1A 677C7172    # [5]. thisUpdate=1736208754:
                      #      2025-01-07T00:12:34Z
 41:   1A 00093A80    # [6]. nextUpdate=604800: 2025-01-14T00:12:34Z
 46:   F6             # [7]. baseCrlNumber=<null>
 47:   80             # [8]. crlExtensions=array[0]
 48:   8A             # [9]. revokedCertsList=array[10]
                        #---PerIssuedRevokedCerts[0]---
 49:     6F             # [0]. issuer=char[15]
 50:       746573742063726C6F6373702D6361 # "test crlocsp-ca"
 65:     84             # [1]. revokedCertsControl=array[4]
 66:       03             # [0]. flags: sorted, with reason (0x3)
 67:       02             # [1]. serialNumberLength=2
 68:       03             # [2]. dateLength=3
 69:       1A 67748872    # [3]. baseDate=1735690354:
                          #      2025-01-01T00:12:34Z
 74:     80             # [2]. extensions=array[0]
 75:     52             # [3]. revokedCerts=byte[18], 3 entries
                          #---entries[0]---
 76:       1234           # CSN=1234
 78:       000000         # date=000000: 2025-01-01T00:12:34Z
 81:       01             # reason=1: keyCompromise
                          #---entries[1]---
 82:       5678           # CSN=5678
 84:       054600         # date=054600: 2025-01-05T00:12:34Z
 87:       00             # reason=0: unspecified
                          #---entries[2]---
 88:       9ABC           # CSN=9ABC
 90:       02A300         # date=02A300: 2025-01-03T00:12:34Z
 93:       00             # reason=0: unspecified
 94:     F6             # [4]. removedFromCRLCerts=<null>
                        #---PerIssuedRevokedCerts[1]---
 95:     6A             # [5]. issuer=char[10]
 96:       6578616D706C65204341 # "example CA"
106:     84             # [6]. revokedCertsControl=array[4]
107:       03             # [0]. flags: sorted, with reason (0x3)
108:       02             # [1]. serialNumberLength=2
109:       03             # [2]. dateLength=3
110:       1A 6775D9F2    # [3]. baseDate=1735776754:
                          #      2025-01-02T00:12:34Z
115:     80             # [7]. extensions=array[0]
116:     52             # [8]. revokedCerts=byte[18], 3 entries
                          #---entries[0]---
117:       1122           # CSN=1122
119:       054600         # date=054600: 2025-01-06T00:12:34Z
122:       06             # reason=6: certificateHold
                          #---entries[1]---
123:       3344           # CSN=3344
125:       02A300         # date=02A300: 2025-01-04T00:12:34Z
128:       06             # reason=6: certificateHold
                          #---entries[2]---
129:       5566           # CSN=5566
131:       000000         # date=000000: 2025-01-02T00:12:34Z
134:       06             # reason=6: certificateHold
135:     F6             # [9]. removedFromCRLCerts=<null>
136:   58 40          # [10]. signature value=byte[64]
138:     F00D6270F91486A7F378D06F01A807E64E086BB366BE3A1592CE4A64BF
167:     FD621F30E2AB93766B4F8818116AB7DA7BEDF7C3EBCBDEAC6D0455F5F5
196:     669712006205
]]></artwork>
          </section>
        </section>
      </section>
      <section anchor="ocsp-request-examples">
        <name>OCSP Request Examples</name>
        <section anchor="exam-simple-ocsp-req">
          <name>Simple OCSP Request Example</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 66%</t>
            </li>
            <li>
              <t>Simple OCSP Request (<tt>C509SimpleOCSPRequest</tt>)</t>
            </li>
            <li>
              <t>Note that the X.509 OCSP Request and the C509 OCSP Request are not convertible.</t>
            </li>
          </ul>
          <section anchor="x509-ocsp-request">
            <name>X.509 OCSP Request</name>
            <t>PEM content (152 bytes):</t>
            <artwork><![CDATA[
-----BEGIN OCSP REQUEST-----
MIGVMIGSMG0wazBpMA0GCWCGSAFlAwQCAQUABCAyU450hb03rkVPHw0rl1XXWLkf
bo46evOXoPQAYFxv+AQgzBHIdAoFCexNoUzliG5yNkwPY7YO1jR/E8Fu5yW3ZqIC
FBI0EjQSNBI0EjQSNBI0EjQSNBI0oiEwHzAdBgkrBgEFBQcwAQIEEBERERERERER
ERERERERERE=
-----END OCSP REQUEST-----
]]></artwork>
          </section>
          <section anchor="c509-ocsp-request">
            <name>C509 OCSP Request</name>
            <t>Plain Hex (51 bytes):</t>
            <artwork><![CDATA[
860200501111111111111111111111111111111148A01C73A5F3B063345410652787
FA0527BC2449A1BFC5AB31AA5A6F0D8D80
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509SimpleOCSPRequest
  Type: C509SimpleOCSPRequest (2)
  Hash Algorithm: SHA256 (0)
  IssuerCertHash:
    a0:1c:73:a5:f3:b0:63:34
  SerialNumberHash:
    10:65:27:87:fa:05:27:bc:24:49:a1:bf:c5:ab:31:aa:
    5a:6f:0d:8d
  Nonce
    11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
  Extensions: <empty>
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
 0: 86             # C509OCSPRequest=array[6]
 1:   02             # [0]. ocspRequestType=C509SimpleOCSPRequest
                     #      (2)
 2:   00             # [1]. hashAlgorithm=SHA256 (0)
 3:   50             # [2]. nonce=byte[16]
 4:     11111111111111111111111111111111
20:   48             # [3]. issuerCertHash=byte[8]
21:     A01C73A5F3B06334
29:   54             # [4]. serialNumberHash=byte[20]
30:     10652787FA0527BC2449A1BFC5AB31AA5A6F0D8D
50:   80             # [5]. extensions=array[0]
]]></artwork>
          </section>
        </section>
        <section anchor="exam-unsigned-ocsp-req">
          <name>Unsigned OCSP Request Example</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 73%</t>
            </li>
            <li>
              <t>Unsigned OCSP Request (<tt>C509UnsignedOCSPRequest</tt>)</t>
            </li>
            <li>
              <t>Note that the X.509 OCSP Request and the C509 OCSP Request are not convertible.</t>
            </li>
          </ul>
          <section anchor="x509-ocsp-request-1">
            <name>X.509 OCSP Request</name>
            <t>PEM content (483 bytes):</t>
            <artwork><![CDATA[
-----BEGIN OCSP REQUEST-----
MIIB3zCCAdswggG0MGswaTANBglghkgBZQMEAgEFAAQgMlOOdIW9N65FTx8NK5dV
11i5H26OOnrzl6D0AGBcb/gEIMwRyHQKBQnsTaFM5YhucjZMD2O2DtY0fxPBbucl
t2aiAhQSNBI0EjQSNBI0EjQSNBI0EjQSNDBrMGkwDQYJYIZIAWUDBAIBBQAEIDJT
jnSFvTeuRU8fDSuXVddYuR9ujjp685eg9ABgXG/4BCDMEch0CgUJ7E2hTOWIbnI2
TA9jtg7WNH8TwW7nJbdmogIUNFY0VjRWNFY0VjRWNFY0VjRWNFYwazBpMA0GCWCG
SAFlAwQCAQUABCAyU450hb03rkVPHw0rl1XXWLkfbo46evOXoPQAYFxv+AQgzBHI
dAoFCexNoUzliG5yNkwPY7YO1jR/E8Fu5yW3ZqICFFZ4VnhWeFZ4VnhWeFZ4VnhW
eFZ4MGswaTANBglghkgBZQMEAgEFAAQgMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMz
MzMzMzMzMzMEIEREREREREREREREREREREREREREREREREREREREREREAhQiMyIz
IjMiMyIzIjMiMyIzIjMiM6IhMB8wHQYJKwYBBQUHMAECBBARERERERERERERERER
ERER
-----END OCSP REQUEST-----
]]></artwork>
          </section>
          <section anchor="c509-ocsp-request-1">
            <name>C509 OCSP Request</name>
            <t>Plain Hex (132 bytes):</t>
            <artwork><![CDATA[
8500005011111111111111111111111111111111808648A01C73A5F3B06334808654
10652787FA0527BC2449A1BFC5AB31AA5A6F0D8D805475D8BC4FBAFC6694467641E7
48DFD53A8B9D176D8054D1AC135D7DA29BDCF4DCA0D5281A51605B67840080482222
222222222222808254D3A0C1E3DB92E8F6810537D45CFAECF6CE417E3B80
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509UnsignedOCSPRequest
  Type: C509UnsignedOCSPRequest (0)
  Hash Algorithm: SHA256 (0)
  Nonce
    11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
  Requests
    OcspPerIssuerRequest
      issuerCertHash
        a0:1c:73:a5:f3:b0:63:34
      extensions: <empty>
      singleRequests
        SingleCertRequest
          SerialNumberHash:
            10:65:27:87:fa:05:27:bc:24:49:a1:bf:c5:ab:31:aa:
            5a:6f:0d:8d
          Extensions: <empty>
        SingleCertRequest
          SerialNumberHash:
            75:d8:bc:4f:ba:fc:66:94:46:76:41:e7:48:df:d5:3a:
            8b:9d:17:6d
          Extensions: <empty>
        SingleCertRequest
          SerialNumberHash:
            d1:ac:13:5d:7d:a2:9b:dc:f4:dc:a0:d5:28:1a:51:60:
            5b:67:84:00
          Extensions: <empty>
    OcspPerIssuerRequest
      issuerCertHash
        22:22:22:22:22:22:22:22
      extensions: <empty>
      singleRequests
        SingleCertRequest
          SerialNumberHash:
            d3:a0:c1:e3:db:92:e8:f6:81:05:37:d4:5c:fa:ec:f6:
            ce:41:7e:3b
          Extensions: <empty>
  Extensions: <empty>
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
  0: 85             # C509OCSPRequest=array[5]
  1:   00             # [0]. ocspRequestType=C509UnsignedOCSPRequest
                      #      (0)
  2:   00             # [1]. hashAlgorithm=SHA256 (0)
  3:   50             # [2]. nonce=byte[16]
  4:     11111111111111111111111111111111
 20:   80             # [3]. extensions=array[0]
 21:   86             # [4]. requests=array[6]
                        #---PerIssuerRequests[0]---
 22:     48             # [0]. issuerCertHash=byte[8]
 23:       A01C73A5F3B06334
 31:     80             # [1]. extensions=array[0]
 32:     86             # [2]. singleRequests=array[6]
                          #---SingleCertRequests[0]---
 33:       54             # [0]. serialNumberHash=byte[20]
 34:         10652787FA0527BC2449A1BFC5AB31AA5A6F0D8D
 54:       80             # [1]. extensions=array[0]
                          #---SingleCertRequests[1]---
 55:       54             # [2]. serialNumberHash=byte[20]
 56:         75D8BC4FBAFC6694467641E748DFD53A8B9D176D
 76:       80             # [3]. extensions=array[0]
                          #---SingleCertRequests[2]---
 77:       54             # [4]. serialNumberHash=byte[20]
 78:         D1AC135D7DA29BDCF4DCA0D5281A51605B678400
 98:       80             # [5]. extensions=array[0]
                        #---PerIssuerRequests[1]---
 99:     48             # [3]. issuerCertHash=byte[8]
100:       2222222222222222
108:     80             # [4]. extensions=array[0]
109:     82             # [5]. singleRequests=array[2]
                          #---SingleCertRequests[0]---
110:       54             # [0]. serialNumberHash=byte[20]
111:         D3A0C1E3DB92E8F6810537D45CFAECF6CE417E3B
131:       80             # [1]. extensions=array[0]
]]></artwork>
          </section>
        </section>
        <section anchor="exam-signed-ocsp-req">
          <name>Signed OCSP Request Example Without Requestor's Certificate</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 65%</t>
            </li>
            <li>
              <t>Verifiable with certificate in <xref target="ocsp-requestor-cert"/></t>
            </li>
            <li>
              <t>Signed OCSP Request (<tt>C509UnsignedOCSPRequest</tt>) without requestor's certificate</t>
            </li>
            <li>
              <t>Note that the X.509 OCSP Request and the C509 OCSP Request are not convertible.</t>
            </li>
          </ul>
          <section anchor="x509-ocsp-request-2">
            <name>X.509 OCSP Request</name>
            <t>PEM content (592 bytes):</t>
            <artwork><![CDATA[
-----BEGIN OCSP REQUEST-----
MIICTDCCAfqhHaQbMBkxFzAVBgNVBAMMDm9jc3AtcmVxdWVzdG9yMIIBtDBrMGkw
DQYJYIZIAWUDBAIBBQAEIDJTjnSFvTeuRU8fDSuXVddYuR9ujjp685eg9ABgXG/4
BCDMEch0CgUJ7E2hTOWIbnI2TA9jtg7WNH8TwW7nJbdmogIUEjQSNBI0EjQSNBI0
EjQSNBI0EjQwazBpMA0GCWCGSAFlAwQCAQUABCAyU450hb03rkVPHw0rl1XXWLkf
bo46evOXoPQAYFxv+AQgzBHIdAoFCexNoUzliG5yNkwPY7YO1jR/E8Fu5yW3ZqIC
FDRWNFY0VjRWNFY0VjRWNFY0VjRWMGswaTANBglghkgBZQMEAgEFAAQgMlOOdIW9
N65FTx8NK5dV11i5H26OOnrzl6D0AGBcb/gEIMwRyHQKBQnsTaFM5YhucjZMD2O2
DtY0fxPBbuclt2aiAhRWeFZ4VnhWeFZ4VnhWeFZ4VnhWeDBrMGkwDQYJYIZIAWUD
BAIBBQAEIDMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzBCBERERERERE
RERERERERERERERERERERERERERERERERAIUIjMiMyIzIjMiMyIzIjMiMyIzIjOi
ITAfMB0GCSsGAQUFBzABAgQQEREREREREREREREREREREaBMMEowBQYDK2VwA0EA
DVI0VPbgwwEJDSdfds+dKJ6GpFdP724NTTYL1GMvn/loUMeJAnnJ7jbxvP/R1PE5
Zyh+lISXhR4F1lvXRAHYCA==
-----END OCSP REQUEST-----
]]></artwork>
          </section>
          <section anchor="c509-ocsp-request-2">
            <name>C509 OCSP Request</name>
            <t>Plain Hex (209 bytes):</t>
            <artwork><![CDATA[
89010C0050111111111111111111111111111111114844F0528B56F35AD9808648A0
1C73A5F3B0633480865410652787FA0527BC2449A1BFC5AB31AA5A6F0D8D805475D8
BC4FBAFC6694467641E748DFD53A8B9D176D8054D1AC135D7DA29BDCF4DCA0D5281A
51605B67840080482222222222222222808254D3A0C1E3DB92E8F6810537D45CFAEC
F6CE417E3B80F658407DA70BE70D8C88F5150218B2F60A21320D26FAF8DC198F1665
4D54CB617A1C3C3F420B3F2FBF74C9B107D81D1815C2CE09B22EAF491313003C49D4
3AAB8D970B
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509SignedOCSPRequest
  TBSOCSPRequest
    Type: C509SignedOCSPRequest (1)
    Signature Algorithm: Ed25519 (12)
    Hash Algorithm: SHA256 (0)
    RequestorCertHash
      44:f0:52:8b:56:f3:5a:d9
    Nonce
      11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
    Extensions: <empty>
    Requests
      OcspPerIssuerRequest
        issuerCertHash
          a0:1c:73:a5:f3:b0:63:34
        extensions: <empty>
        singleRequests
          SingleCertRequest
            SerialNumberHash:
              10:65:27:87:fa:05:27:bc:24:49:a1:bf:c5:ab:31:aa:
              5a:6f:0d:8d
            Extensions: <empty>
          SingleCertRequest
            SerialNumberHash:
              75:d8:bc:4f:ba:fc:66:94:46:76:41:e7:48:df:d5:3a:
              8b:9d:17:6d
            Extensions: <empty>
          SingleCertRequest
            SerialNumberHash:
              d1:ac:13:5d:7d:a2:9b:dc:f4:dc:a0:d5:28:1a:51:60:
              5b:67:84:00
            Extensions: <empty>
      OcspPerIssuerRequest
        issuerCertHash
          22:22:22:22:22:22:22:22
        extensions: <empty>
        singleRequests
          SingleCertRequest
            SerialNumberHash:
              d3:a0:c1:e3:db:92:e8:f6:81:05:37:d4:5c:fa:ec:f6:
              ce:41:7e:3b
            Extensions: <empty>
    Requestor Certs: null
  Signature Value
    7d:a7:0b:e7:0d:8c:88:f5:15:02:18:b2:f6:0a:21:32:
    0d:26:fa:f8:dc:19:8f:16:65:4d:54:cb:61:7a:1c:3c:
    3f:42:0b:3f:2f:bf:74:c9:b1:07:d8:1d:18:15:c2:ce:
    09:b2:2e:af:49:13:13:00:3c:49:d4:3a:ab:8d:97:0b
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
  0: 89             # C509OCSPRequest=array[9]
  1:   01             # [0]. ocspRequestType=C509SignedOCSPRequest
                      #      (1)
  2:   0C             # [1]. signatureAlgorithm=Ed25519 (12)
  3:   00             # [2]. hashAlgorithm=SHA256 (0)
  4:   50             # [3]. nonce=byte[16]
  5:     11111111111111111111111111111111
 21:   48             # [4]. requestorCertHash=byte[8]
 22:     44F0528B56F35AD9
 30:   80             # [5]. extensions=array[0]
 31:   86             # [6]. requests=array[6]
                        #---PerIssuerRequests[0]---
 32:     48             # [0]. issuerCertHash=byte[8]
 33:       A01C73A5F3B06334
 41:     80             # [1]. extensions=array[0]
 42:     86             # [2]. singleRequests=array[6]
                          #---SingleCertRequests[0]---
 43:       54             # [0]. serialNumberHash=byte[20]
 44:         10652787FA0527BC2449A1BFC5AB31AA5A6F0D8D
 64:       80             # [1]. extensions=array[0]
                          #---SingleCertRequests[1]---
 65:       54             # [2]. serialNumberHash=byte[20]
 66:         75D8BC4FBAFC6694467641E748DFD53A8B9D176D
 86:       80             # [3]. extensions=array[0]
                          #---SingleCertRequests[2]---
 87:       54             # [4]. serialNumberHash=byte[20]
 88:         D1AC135D7DA29BDCF4DCA0D5281A51605B678400
108:       80             # [5]. extensions=array[0]
                        #---PerIssuerRequests[1]---
109:     48             # [3]. issuerCertHash=byte[8]
110:       2222222222222222
118:     80             # [4]. extensions=array[0]
119:     82             # [5]. singleRequests=array[2]
                          #---SingleCertRequests[0]---
120:       54             # [0]. serialNumberHash=byte[20]
121:         D3A0C1E3DB92E8F6810537D45CFAECF6CE417E3B
141:       80             # [1]. extensions=array[0]
142:   F6             # [7]. requestorCerts=<null>
143:   58 40          # [8]. signatureValue=byte[64]
145:     7DA70BE70D8C88F5150218B2F60A21320D26FAF8DC198F16654D54CB61
174:     7A1C3C3F420B3F2FBF74C9B107D81D1815C2CE09B22EAF491313003C49
203:     D43AAB8D970B
]]></artwork>
          </section>
        </section>
        <section anchor="exam-signed-ocsp-req-withcert">
          <name>Signed OCSP Request Example With Requestor's Certificate</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 60%</t>
            </li>
            <li>
              <t>Verifiable with certificate in <xref target="ocsp-requestor-cert"/></t>
            </li>
            <li>
              <t>Signed OCSP Request (<tt>C509UnsignedOCSPRequest</tt>) with embedded requestor's certificate</t>
            </li>
            <li>
              <t>Note that the X.509 OCSP Request and the C509 OCSP Request are not convertible.</t>
            </li>
          </ul>
          <section anchor="x509-ocsp-request-3">
            <name>X.509 OCSP Request</name>
            <t>PEM content (1043 bytes):</t>
            <artwork><![CDATA[
-----BEGIN OCSP REQUEST-----
MIIEDzCCAnmhHaQbMBkxFzAVBgNVBAMMDm9jc3AtcmVxdWVzdG9yMIIBtDBrMGkw
DQYJYIZIAWUDBAIBBQAEIDJTjnSFvTeuRU8fDSuXVddYuR9ujjp685eg9ABgXG/4
BCDMEch0CgUJ7E2hTOWIbnI2TA9jtg7WNH8TwW7nJbdmogIUEjQSNBI0EjQSNBI0
EjQSNBI0EjQwazBpMA0GCWCGSAFlAwQCAQUABCAyU450hb03rkVPHw0rl1XXWLkf
bo46evOXoPQAYFxv+AQgzBHIdAoFCexNoUzliG5yNkwPY7YO1jR/E8Fu5yW3ZqIC
FDRWNFY0VjRWNFY0VjRWNFY0VjRWMGswaTANBglghkgBZQMEAgEFAAQgMlOOdIW9
N65FTx8NK5dV11i5H26OOnrzl6D0AGBcb/gEIMwRyHQKBQnsTaFM5YhucjZMD2O2
DtY0fxPBbuclt2aiAhRWeFZ4VnhWeFZ4VnhWeFZ4VnhWeDBrMGkwDQYJYIZIAWUD
BAIBBQAEIDMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzBCBERERERERE
RERERERERERERERERERERERERERERERERAIUIjMiMyIzIjMiMyIzIjMiMyIzIjOi
gZ8wgZwwGgYJKwYBBQUHMAEEBA0wCwYJKwYBBQUHMAEBMF8GCSsGAQUFBzABCARS
MFAwBzAFBgMrZXAwITAKBggqhkjOPQQDAjATBgcqhkjOPQIBBggqhkjOPQMBBzAi
MAoGCCqGSM49BAMCMBQGByqGSM49AgEGCSskAwMCCAEBBzAdBgkrBgEFBQcwAQIE
EBERERERERERERERERERERGgggGOMIIBijAFBgMrZXADQQDwRoT41xL70gT6+NTW
ayTN07XdRKwHRyfduMPbJy0AsRw9TKioMQoLnts6C+6k4s+rORjaTcvZ0Aqv5fQ6
UJMFoIIBPDCCATgwggE0MIHnoAMCAQICAhI2MAUGAytlcDAaMRgwFgYDVQQDDA90
ZXN0IGNybG9jc3AtY2EwHhcNMjUwMTAyMDAwMDAwWhcNMjYwMTAyMDAwMDAwWjAZ
MRcwFQYDVQQDDA5vY3NwLXJlcXVlc3RvcjAqMAUGAytlcAMhAARTCxdk7dS04zq0
SvD4OJYcAHF210tqNUbst/1XMg3To1IwUDAdBgNVHQ4EFgQUsTbUWYobG2qG2mUQ
rqVk2BKX5PkwDgYDVR0PAQH/BAQDAgeAMB8GA1UdIwQYMBaAFNl9d+Y0wvcAMAyl
j8h3NlsVUAeiMAUGAytlcANBAJj5kiFekcWb6v8et+o+/Suqfh29AdErA3eBmFnJ
Z5A/+c/q9jFbvdahCBJJteLJhUIc0BJ0GlmWOBLI0no1fQI=
-----END OCSP REQUEST-----
]]></artwork>
          </section>
          <section anchor="c509-ocsp-request-3">
            <name>C509 OCSP Request</name>
            <t>Plain Hex (420 bytes):</t>
            <artwork><![CDATA[
89010C0050111111111111111111111111111111114844F0528B56F35AD984185D82
0001185E840CF600820118188648A01C73A5F3B0633480865410652787FA0527BC24
49A1BFC5AB31AA5A6F0D8D805475D8BC4FBAFC6694467641E748DFD53A8B9D176D80
54D1AC135D7DA29BDCF4DCA0D5281A51605B67840080482222222222222222808254
D3A0C1E3DB92E8F6810537D45CFAECF6CE417E3B8058C38B024212360C6F74657374
2063726C6F6373702D63611A6775D7001A69570A806E6F6373702D72657175657374
6F720C582004530B1764EDD4B4E33AB44AF0F838961C007176D74B6A3546ECB7FD57
320DD3860154DD51BDB2A2C791C062D4027856DBACF52607F0BE210107542F45E78D
2CAEDF368CDF53C39005D492450E10565840F8C6183ECF8C3EFD50DD4942D172814C
46EC0FC01DD586A597178DF864A0D9DA86B7CA17FC9F772FF04C80E98B60D5B4B624
08A277A5B70D0D2A3F5ED5442D075840EBF95F92812C9DF3DBC7C19699D5254485AD
DC930695239D1D68BF7988F3F1B0C76A588BF42F4FCFF373C3705AEB56FC3B6CDEAA
F66DA0F5BBB735F4A1CDB004
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509SignedOCSPRequest
  TBSOCSPRequest
    Type: C509SignedOCSPRequest (1)
    Signature Algorithm: Ed25519 (12)
    Hash Algorithm: SHA256 (0)
    RequestorCertHash
      44:f0:52:8b:56:f3:5a:d9
    Nonce
      11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
    Extensions
      AcceptOCSPResponseTypes (93)
        C509ErrorOCSPResponse (0)
        C509BasicOCSPResponse (1)
      preferredSignatureAlgorithms (94)
          Preferred Signature Algorithm:
            Signature Algorithm: Ed25519 (12)
          Preferred Signature Algorithm:
            Signature Algorithm: ecdsa-with-sha256 (0)
            Public Key Algorithms:
              EC public key on curve secp256r1 (1)
              EC public key on curve brainpoolp256r1 (24)
    Requests
      OcspPerIssuerRequest
        issuerCertHash
          a0:1c:73:a5:f3:b0:63:34
        extensions: <empty>
        singleRequests
          SingleCertRequest
            SerialNumberHash:
              10:65:27:87:fa:05:27:bc:24:49:a1:bf:c5:ab:31:aa:
              5a:6f:0d:8d
            Extensions: <empty>
          SingleCertRequest
            SerialNumberHash:
              75:d8:bc:4f:ba:fc:66:94:46:76:41:e7:48:df:d5:3a:
              8b:9d:17:6d
            Extensions: <empty>
          SingleCertRequest
            SerialNumberHash:
              d1:ac:13:5d:7d:a2:9b:dc:f4:dc:a0:d5:28:1a:51:60:
              5b:67:84:00
            Extensions: <empty>
      OcspPerIssuerRequest
        issuerCertHash
          22:22:22:22:22:22:22:22
        extensions: <empty>
        singleRequests
          SingleCertRequest
            SerialNumberHash:
              d3:a0:c1:e3:db:92:e8:f6:81:05:37:d4:5c:fa:ec:f6:
              ce:41:7e:3b
            Extensions: <empty>
    Requestor Certs
      C509Certificate
        8b:02:42:12:36:0c:6f:74:65:73:74:20:63:72:6c:6f:
        63:73:70:2d:63:61:1a:67:75:d7:00:1a:69:57:0a:80:
        6e:6f:63:73:70:2d:72:65:71:75:65:73:74:6f:72:0c:
        58:20:04:53:0b:17:64:ed:d4:b4:e3:3a:b4:4a:f0:f8:
        38:96:1c:00:71:76:d7:4b:6a:35:46:ec:b7:fd:57:32:
        0d:d3:86:01:54:dd:51:bd:b2:a2:c7:91:c0:62:d4:02:
        78:56:db:ac:f5:26:07:f0:be:21:01:07:54:2f:45:e7:
        8d:2c:ae:df:36:8c:df:53:c3:90:05:d4:92:45:0e:10:
        56:58:40:f8:c6:18:3e:cf:8c:3e:fd:50:dd:49:42:d1:
        72:81:4c:46:ec:0f:c0:1d:d5:86:a5:97:17:8d:f8:64:
        a0:d9:da:86:b7:ca:17:fc:9f:77:2f:f0:4c:80:e9:8b:
        60:d5:b4:b6:24:08:a2:77:a5:b7:0d:0d:2a:3f:5e:d5:
        44:2d:07
  Signature Value
    eb:f9:5f:92:81:2c:9d:f3:db:c7:c1:96:99:d5:25:44:
    85:ad:dc:93:06:95:23:9d:1d:68:bf:79:88:f3:f1:b0:
    c7:6a:58:8b:f4:2f:4f:cf:f3:73:c3:70:5a:eb:56:fc:
    3b:6c:de:aa:f6:6d:a0:f5:bb:b7:35:f4:a1:cd:b0:04
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
  0: 89             # C509OCSPRequest=array[9]
  1:   01             # [0]. ocspRequestType=C509SignedOCSPRequest
                      #      (1)
  2:   0C             # [1]. signatureAlgorithm=Ed25519 (12)
  3:   00             # [2]. hashAlgorithm=SHA256 (0)
  4:   50             # [3]. nonce=byte[16]
  5:     11111111111111111111111111111111
 21:   48             # [4]. requestorCertHash=byte[8]
 22:     44F0528B56F35AD9
 30:   84             # [5]. extensions=array[4]
                        #---extension[0]---
 31:     18 5D          # [0]. type=AcceptOCSPResponseTypes (93)
 33:     82             # [1]. value=array[2]
 34:       00             # [0]. C509ErrorOCSPResponse (0)
 35:       01             # [1]. C509BasicOCSPResponse (1)
                        #---extension[1]---
 36:     18 5E          # [2]. type=preferredSignatureAlgorithms
                        #      (94)
 38:     84             # [3]. value=array[4]
                          #---preferredSignatureAlgorithms[0]---
 39:       0C             # [0]. sigIdentifier=Ed25519 (12)
 40:       F6             # [1]. pubKeyAlgIdentifiers=<null>
                          #---preferredSignatureAlgorithms[1]---
 41:       00             # [2]. sigIdentifier=ecdsa-with-sha256 (0)
 42:       82             # [3]. pubKeyAlgIdentifiers=array[2]
 43:         01             # [0]. pubKeyAlgIdentifier=EC public key
                            #      on curve secp256r1 (1)
 44:         18 18          # [1]. pubKeyAlgIdentifier=EC public key
                            #      on curve brainpoolp256r1 (24)
 46:   86             # [6]. requests=array[6]
                        #---PerIssuerRequests[0]---
 47:     48             # [0]. issuerCertHash=byte[8]
 48:       A01C73A5F3B06334
 56:     80             # [1]. extensions=array[0]
 57:     86             # [2]. singleRequests=array[6]
                          #---SingleCertRequests[0]---
 58:       54             # [0]. serialNumberHash=byte[20]
 59:         10652787FA0527BC2449A1BFC5AB31AA5A6F0D8D
 79:       80             # [1]. extensions=array[0]
                          #---SingleCertRequests[1]---
 80:       54             # [2]. serialNumberHash=byte[20]
 81:         75D8BC4FBAFC6694467641E748DFD53A8B9D176D
101:       80             # [3]. extensions=array[0]
                          #---SingleCertRequests[2]---
102:       54             # [4]. serialNumberHash=byte[20]
103:         D1AC135D7DA29BDCF4DCA0D5281A51605B678400
123:       80             # [5]. extensions=array[0]
                        #---PerIssuerRequests[1]---
124:     48             # [3]. issuerCertHash=byte[8]
125:       2222222222222222
133:     80             # [4]. extensions=array[0]
134:     82             # [5]. singleRequests=array[2]
                          #---SingleCertRequests[0]---
135:       54             # [0]. serialNumberHash=byte[20]
136:         D3A0C1E3DB92E8F6810537D45CFAECF6CE417E3B
156:       80             # [1]. extensions=array[0]
157:   58 C3          # [7]. requestorCerts(COSE_C509)=byte[195]
159:     8B024212360C6F746573742063726C6F6373702D63611A6775D7001A69
188:     570A806E6F6373702D726571756573746F720C582004530B1764EDD4B4
217:     E33AB44AF0F838961C007176D74B6A3546ECB7FD57320DD3860154DD51
246:     BDB2A2C791C062D4027856DBACF52607F0BE210107542F45E78D2CAEDF
275:     368CDF53C39005D492450E10565840F8C6183ECF8C3EFD50DD4942D172
304:     814C46EC0FC01DD586A597178DF864A0D9DA86B7CA17FC9F772FF04C80
333:     E98B60D5B4B62408A277A5B70D0D2A3F5ED5442D07
354:   58 40          # [8]. signatureValue=byte[64]
356:     EBF95F92812C9DF3DBC7C19699D5254485ADDC930695239D1D68BF7988
385:     F3F1B0C76A588BF42F4FCFF373C3705AEB56FC3B6CDEAAF66DA0F5BBB7
414:     35F4A1CDB004
]]></artwork>
          </section>
        </section>
        <section anchor="exam-signed-ocsp-req-withcertchain">
          <name>Signed OCSP Request Example With Requestor's Certificate Chain</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 55%</t>
            </li>
            <li>
              <t>Verifiable with certificate in <xref target="ocsp-requestor-cert"/></t>
            </li>
            <li>
              <t>Signed OCSP Request (<tt>C509UnsignedOCSPRequest</tt>) with embedded requestor's certificate chain (2 certificates)</t>
            </li>
            <li>
              <t>Note that the X.509 OCSP Request and the C509 OCSP Request are not convertible.</t>
            </li>
          </ul>
          <section anchor="x509-ocsp-request-4">
            <name>X.509 OCSP Request</name>
            <t>PEM content (1379 bytes):</t>
            <artwork><![CDATA[
-----BEGIN OCSP REQUEST-----
MIIFXzCCAnmhHaQbMBkxFzAVBgNVBAMMDm9jc3AtcmVxdWVzdG9yMIIBtDBrMGkw
DQYJYIZIAWUDBAIBBQAEIDJTjnSFvTeuRU8fDSuXVddYuR9ujjp685eg9ABgXG/4
BCDMEch0CgUJ7E2hTOWIbnI2TA9jtg7WNH8TwW7nJbdmogIUEjQSNBI0EjQSNBI0
EjQSNBI0EjQwazBpMA0GCWCGSAFlAwQCAQUABCAyU450hb03rkVPHw0rl1XXWLkf
bo46evOXoPQAYFxv+AQgzBHIdAoFCexNoUzliG5yNkwPY7YO1jR/E8Fu5yW3ZqIC
FDRWNFY0VjRWNFY0VjRWNFY0VjRWMGswaTANBglghkgBZQMEAgEFAAQgMlOOdIW9
N65FTx8NK5dV11i5H26OOnrzl6D0AGBcb/gEIMwRyHQKBQnsTaFM5YhucjZMD2O2
DtY0fxPBbuclt2aiAhRWeFZ4VnhWeFZ4VnhWeFZ4VnhWeDBrMGkwDQYJYIZIAWUD
BAIBBQAEIDMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzBCBERERERERE
RERERERERERERERERERERERERERERERERAIUIjMiMyIzIjMiMyIzIjMiMyIzIjOi
gZ8wgZwwGgYJKwYBBQUHMAEEBA0wCwYJKwYBBQUHMAEBMF8GCSsGAQUFBzABCARS
MFAwBzAFBgMrZXAwITAKBggqhkjOPQQDAjATBgcqhkjOPQIBBggqhkjOPQMBBzAi
MAoGCCqGSM49BAMCMBQGByqGSM49AgEGCSskAwMCCAEBBzAdBgkrBgEFBQcwAQIE
EBERERERERERERERERERERGgggLeMIIC2jAFBgMrZXADQQDwRoT41xL70gT6+NTW
ayTN07XdRKwHRyfduMPbJy0AsRw9TKioMQoLnts6C+6k4s+rORjaTcvZ0Aqv5fQ6
UJMFoIICjDCCAogwggE0MIHnoAMCAQICAhI2MAUGAytlcDAaMRgwFgYDVQQDDA90
ZXN0IGNybG9jc3AtY2EwHhcNMjUwMTAyMDAwMDAwWhcNMjYwMTAyMDAwMDAwWjAZ
MRcwFQYDVQQDDA5vY3NwLXJlcXVlc3RvcjAqMAUGAytlcAMhAARTCxdk7dS04zq0
SvD4OJYcAHF210tqNUbst/1XMg3To1IwUDAdBgNVHQ4EFgQUsTbUWYobG2qG2mUQ
rqVk2BKX5PkwDgYDVR0PAQH/BAQDAgeAMB8GA1UdIwQYMBaAFNl9d+Y0wvcAMAyl
j8h3NlsVUAeiMAUGAytlcANBAJj5kiFekcWb6v8et+o+/Suqfh29AdErA3eBmFnJ
Z5A/+c/q9jFbvdahCBJJteLJhUIc0BJ0GlmWOBLI0no1fQIwggFMMIH/oAMCAQIC
AQEwBQYDK2VwMB4xHDAaBgNVBAMME3Rlc3QgY3Jsb2NzcC1yb290Y2EwHhcNMjUw
MTAxMDAwMDAwWhcNMjYxMjMxMjM1OTU5WjAaMRgwFgYDVQQDDA90ZXN0IGNybG9j
c3AtY2EwKjAFBgMrZXADIQBe+KNVoAGnxQ0jSUcBIIExpLsquSDUC/sO4farKP90
AKNmMGQwHQYDVR0OBBYEFNl9d+Y0wvcAMAylj8h3NlsVUAeiMA4GA1UdDwEB/wQE
AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB8GA1UdIwQYMBaAFJEjnPr554Nssp9R
4TGR2xDTrhaTMAUGAytlcANBANZeAdfL+kF/sXuZ95ftaSevVi/2Po01s+On04Fg
zGRnQBBNjzkYl92rEZjz0FomGSBDYqb4PDOIIRs2vFY9QQI=
-----END OCSP REQUEST-----
]]></artwork>
          </section>
          <section anchor="c509-ocsp-request-4">
            <name>C509 OCSP Request</name>
            <t>Plain Hex (625 bytes):</t>
            <artwork><![CDATA[
89010C0050111111111111111111111111111111114844F0528B56F35AD984185D82
0001185E840CF600820118188648A01C73A5F3B0633480865410652787FA0527BC24
49A1BFC5AB31AA5A6F0D8D805475D8BC4FBAFC6694467641E748DFD53A8B9D176D80
54D1AC135D7DA29BDCF4DCA0D5281A51605B67840080482222222222222222808254
D3A0C1E3DB92E8F6810537D45CFAECF6CE417E3B808258C38B024212360C6F746573
742063726C6F6373702D63611A6775D7001A69570A806E6F6373702D726571756573
746F720C582004530B1764EDD4B4E33AB44AF0F838961C007176D74B6A3546ECB7FD
57320DD3860154DD51BDB2A2C791C062D4027856DBACF52607F0BE210107542F45E7
8D2CAEDF368CDF53C39005D492450E10565840F8C6183ECF8C3EFD50DD4942D17281
4C46EC0FC01DD586A597178DF864A0D9DA86B7CA17FC9F772FF04C80E98B60D5B4B6
2408A277A5B70D0D2A3F5ED5442D0758CA8B0241010C73746573742063726C6F6373
702D726F6F7463611A677485801A6B36EC7F6F746573742063726C6F6373702D6361
0C58205EF8A355A001A7C50D23494701208131A4BB2AB920D40BFB0EE1F6AB28FF74
008801542F45E78D2CAEDF368CDF53C39005D492450E1056211860230107542DA3A4
03F7D2F4E0B3D8031A73BA8A839F557F0F5840E50465D60C02A2111EF3FC6E44F2A3
6008765B552351F9A3F5B2AA7C76F1F05D259847A4F4250B2E4B0AE2099762A2596D
3CC1DB2CCD180AA0A2D0E191310B0F584071D39CBD6611FD5B0C3092FCE58016B966
232851AC3167CD0CDEF47DF0F0BC738616EB65BB2BA509C8CF45EDBC9B784A4A7092
5E97AE152871E9D665C477500E
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509SignedOCSPRequest
  TBSOCSPRequest
    Type: C509SignedOCSPRequest (1)
    Signature Algorithm: Ed25519 (12)
    Hash Algorithm: SHA256 (0)
    RequestorCertHash
      44:f0:52:8b:56:f3:5a:d9
    Nonce
      11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
    Extensions
      AcceptOCSPResponseTypes (93)
        C509ErrorOCSPResponse (0)
        C509BasicOCSPResponse (1)
      preferredSignatureAlgorithms (94)
          Preferred Signature Algorithm:
            Signature Algorithm: Ed25519 (12)
          Preferred Signature Algorithm:
            Signature Algorithm: ecdsa-with-sha256 (0)
            Public Key Algorithms:
              EC public key on curve secp256r1 (1)
              EC public key on curve brainpoolp256r1 (24)
    Requests
      OcspPerIssuerRequest
        issuerCertHash
          a0:1c:73:a5:f3:b0:63:34
        extensions: <empty>
        singleRequests
          SingleCertRequest
            SerialNumberHash:
              10:65:27:87:fa:05:27:bc:24:49:a1:bf:c5:ab:31:aa:
              5a:6f:0d:8d
            Extensions: <empty>
          SingleCertRequest
            SerialNumberHash:
              75:d8:bc:4f:ba:fc:66:94:46:76:41:e7:48:df:d5:3a:
              8b:9d:17:6d
            Extensions: <empty>
          SingleCertRequest
            SerialNumberHash:
              d1:ac:13:5d:7d:a2:9b:dc:f4:dc:a0:d5:28:1a:51:60:
              5b:67:84:00
            Extensions: <empty>
      OcspPerIssuerRequest
        issuerCertHash
          22:22:22:22:22:22:22:22
        extensions: <empty>
        singleRequests
          SingleCertRequest
            SerialNumberHash:
              d3:a0:c1:e3:db:92:e8:f6:81:05:37:d4:5c:fa:ec:f6:
              ce:41:7e:3b
            Extensions: <empty>
    Requestor Certs
      C509Certificate
        8b:02:42:12:36:0c:6f:74:65:73:74:20:63:72:6c:6f:
        63:73:70:2d:63:61:1a:67:75:d7:00:1a:69:57:0a:80:
        6e:6f:63:73:70:2d:72:65:71:75:65:73:74:6f:72:0c:
        58:20:04:53:0b:17:64:ed:d4:b4:e3:3a:b4:4a:f0:f8:
        38:96:1c:00:71:76:d7:4b:6a:35:46:ec:b7:fd:57:32:
        0d:d3:86:01:54:dd:51:bd:b2:a2:c7:91:c0:62:d4:02:
        78:56:db:ac:f5:26:07:f0:be:21:01:07:54:2f:45:e7:
        8d:2c:ae:df:36:8c:df:53:c3:90:05:d4:92:45:0e:10:
        56:58:40:f8:c6:18:3e:cf:8c:3e:fd:50:dd:49:42:d1:
        72:81:4c:46:ec:0f:c0:1d:d5:86:a5:97:17:8d:f8:64:
        a0:d9:da:86:b7:ca:17:fc:9f:77:2f:f0:4c:80:e9:8b:
        60:d5:b4:b6:24:08:a2:77:a5:b7:0d:0d:2a:3f:5e:d5:
        44:2d:07
      C509Certificate
        8b:02:41:01:0c:73:74:65:73:74:20:63:72:6c:6f:63:
        73:70:2d:72:6f:6f:74:63:61:1a:67:74:85:80:1a:6b:
        36:ec:7f:6f:74:65:73:74:20:63:72:6c:6f:63:73:70:
        2d:63:61:0c:58:20:5e:f8:a3:55:a0:01:a7:c5:0d:23:
        49:47:01:20:81:31:a4:bb:2a:b9:20:d4:0b:fb:0e:e1:
        f6:ab:28:ff:74:00:88:01:54:2f:45:e7:8d:2c:ae:df:
        36:8c:df:53:c3:90:05:d4:92:45:0e:10:56:21:18:60:
        23:01:07:54:2d:a3:a4:03:f7:d2:f4:e0:b3:d8:03:1a:
        73:ba:8a:83:9f:55:7f:0f:58:40:e5:04:65:d6:0c:02:
        a2:11:1e:f3:fc:6e:44:f2:a3:60:08:76:5b:55:23:51:
        f9:a3:f5:b2:aa:7c:76:f1:f0:5d:25:98:47:a4:f4:25:
        0b:2e:4b:0a:e2:09:97:62:a2:59:6d:3c:c1:db:2c:cd:
        18:0a:a0:a2:d0:e1:91:31:0b:0f
  Signature Value
    71:d3:9c:bd:66:11:fd:5b:0c:30:92:fc:e5:80:16:b9:
    66:23:28:51:ac:31:67:cd:0c:de:f4:7d:f0:f0:bc:73:
    86:16:eb:65:bb:2b:a5:09:c8:cf:45:ed:bc:9b:78:4a:
    4a:70:92:5e:97:ae:15:28:71:e9:d6:65:c4:77:50:0e
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
  0: 89             # C509OCSPRequest=array[9]
  1:   01             # [0]. ocspRequestType=C509SignedOCSPRequest
                      #      (1)
  2:   0C             # [1]. signatureAlgorithm=Ed25519 (12)
  3:   00             # [2]. hashAlgorithm=SHA256 (0)
  4:   50             # [3]. nonce=byte[16]
  5:     11111111111111111111111111111111
 21:   48             # [4]. requestorCertHash=byte[8]
 22:     44F0528B56F35AD9
 30:   84             # [5]. extensions=array[4]
                        #---extension[0]---
 31:     18 5D          # [0]. type=AcceptOCSPResponseTypes (93)
 33:     82             # [1]. value=array[2]
 34:       00             # [0]. C509ErrorOCSPResponse (0)
 35:       01             # [1]. C509BasicOCSPResponse (1)
                        #---extension[1]---
 36:     18 5E          # [2]. type=preferredSignatureAlgorithms
                        #      (94)
 38:     84             # [3]. value=array[4]
                          #---preferredSignatureAlgorithms[0]---
 39:       0C             # [0]. sigIdentifier=Ed25519 (12)
 40:       F6             # [1]. pubKeyAlgIdentifiers=<null>
                          #---preferredSignatureAlgorithms[1]---
 41:       00             # [2]. sigIdentifier=ecdsa-with-sha256 (0)
 42:       82             # [3]. pubKeyAlgIdentifiers=array[2]
 43:         01             # [0]. pubKeyAlgIdentifier=EC public key
                            #      on curve secp256r1 (1)
 44:         18 18          # [1]. pubKeyAlgIdentifier=EC public key
                            #      on curve brainpoolp256r1 (24)
 46:   86             # [6]. requests=array[6]
                        #---PerIssuerRequests[0]---
 47:     48             # [0]. issuerCertHash=byte[8]
 48:       A01C73A5F3B06334
 56:     80             # [1]. extensions=array[0]
 57:     86             # [2]. singleRequests=array[6]
                          #---SingleCertRequests[0]---
 58:       54             # [0]. serialNumberHash=byte[20]
 59:         10652787FA0527BC2449A1BFC5AB31AA5A6F0D8D
 79:       80             # [1]. extensions=array[0]
                          #---SingleCertRequests[1]---
 80:       54             # [2]. serialNumberHash=byte[20]
 81:         75D8BC4FBAFC6694467641E748DFD53A8B9D176D
101:       80             # [3]. extensions=array[0]
                          #---SingleCertRequests[2]---
102:       54             # [4]. serialNumberHash=byte[20]
103:         D1AC135D7DA29BDCF4DCA0D5281A51605B678400
123:       80             # [5]. extensions=array[0]
                        #---PerIssuerRequests[1]---
124:     48             # [3]. issuerCertHash=byte[8]
125:       2222222222222222
133:     80             # [4]. extensions=array[0]
134:     82             # [5]. singleRequests=array[2]
                          #---SingleCertRequests[0]---
135:       54             # [0]. serialNumberHash=byte[20]
136:         D3A0C1E3DB92E8F6810537D45CFAECF6CE417E3B
156:       80             # [1]. extensions=array[0]
157:   82             # [7]. requestorCerts(COSE_C509)=array[2]
158:     58 C3          # [0]. C509CertData=byte[195]
160:       8B024212360C6F746573742063726C6F6373702D63611A6775D7001A
188:       69570A806E6F6373702D726571756573746F720C582004530B1764ED
216:       D4B4E33AB44AF0F838961C007176D74B6A3546ECB7FD57320DD38601
244:       54DD51BDB2A2C791C062D4027856DBACF52607F0BE210107542F45E7
272:       8D2CAEDF368CDF53C39005D492450E10565840F8C6183ECF8C3EFD50
300:       DD4942D172814C46EC0FC01DD586A597178DF864A0D9DA86B7CA17FC
328:       9F772FF04C80E98B60D5B4B62408A277A5B70D0D2A3F5ED5442D07
355:     58 CA          # [1]. C509CertData=byte[202]
357:       8B0241010C73746573742063726C6F6373702D726F6F7463611A6774
385:       85801A6B36EC7F6F746573742063726C6F6373702D63610C58205EF8
413:       A355A001A7C50D23494701208131A4BB2AB920D40BFB0EE1F6AB28FF
441:       74008801542F45E78D2CAEDF368CDF53C39005D492450E1056211860
469:       230107542DA3A403F7D2F4E0B3D8031A73BA8A839F557F0F5840E504
497:       65D60C02A2111EF3FC6E44F2A36008765B552351F9A3F5B2AA7C76F1
525:       F05D259847A4F4250B2E4B0AE2099762A2596D3CC1DB2CCD180AA0A2
553:       D0E191310B0F
559:   58 40          # [8]. signatureValue=byte[64]
561:     71D39CBD6611FD5B0C3092FCE58016B966232851AC3167CD0CDEF47DF0
590:     F0BC738616EB65BB2BA509C8CF45EDBC9B784A4A70925E97AE152871E9
619:     D665C477500E
]]></artwork>
          </section>
        </section>
      </section>
      <section anchor="ocsp-response-examples">
        <name>OCSP Response Examples</name>
        <section anchor="exam-error-ocsp-resp">
          <name>Error OCSP Response Example</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 40%</t>
            </li>
            <li>
              <t>Error Response (<tt>C509ErrorOCSPResponse</tt>)</t>
            </li>
          </ul>
          <section anchor="x509-ocsp-response">
            <name>X.509 OCSP Response</name>
            <t>PEM content (5 bytes):</t>
            <artwork><![CDATA[
-----BEGIN OCSP RESPONSE-----
MAMKAQY=
-----END OCSP RESPONSE-----
]]></artwork>
          </section>
          <section anchor="c509-ocsp-response">
            <name>C509 OCSP Response</name>
            <t>Plain Hex (3 bytes):</t>
            <artwork><![CDATA[
820006
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509ErrorResponse
  Type:   C509ErrorOCSPResponse (0)
  Status: unauthorized (6)
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
0: 82             # C509OCSPResponse=array[2]
1:   00             # [0]. ocspResponseType=C509ErrorOCSPResponse
                    #      (0)
2:   06             # [1]. responseStatus=unauthorized (6)
]]></artwork>
          </section>
        </section>
        <section anchor="exam-simple-ocsp-resp">
          <name>Simple OCSP Response Example</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 59%</t>
            </li>
            <li>
              <t>Verifiable with certificate in <xref target="ocsp-responder-cert"/></t>
            </li>
            <li>
              <t>Simple OCSP Response (<tt>C509SimpleOCSPResponse</tt>) without responder's certificate</t>
            </li>
            <li>
              <t>Note that the X.509 OCSP response and the C509 OCSP response are not convertible.</t>
            </li>
          </ul>
          <section anchor="x509-ocsp-response-1">
            <name>X.509 OCSP Response</name>
            <t>PEM content (338 bytes):</t>
            <artwork><![CDATA[
-----BEGIN OCSP RESPONSE-----
MIIBTgoBAKCCAUcwggFDBgkrBgEFBQcwAQEEggE0MIIBMDCB46IWBBTq5ZqK6ar0
EEsV5Q6O4BcVF3QYrxgPMjAyNTAzMDMwMDAwMDBaMIGUMIGRMGkwDQYJYIZIAWUD
BAIBBQAEIDJTjnSFvTeuRU8fDSuXVddYuR9ujjp685eg9ABgXG/4BCDMEch0CgUJ
7E2hTOWIbnI2TA9jtg7WNH8TwW7nJbdmogIUEjQSNBI0EjQSNBI0EjQSNBI0EjSA
ABgPMjAyNTAzMDIxNjAwMDBaoBEYDzIwMjUwMzAzMDcwMDAwWqEhMB8wHQYJKwYB
BQUHMAECBBARERERERERERERERERERERMAUGAytlcANBAGEzM3X9KkpZLfpEMRoz
3TwWMLEfWkJkVHA++53Yj9QrrI6Sqry4t9AouNcGLORbv42mroG3GkYESuMSK3uG
Wgg=
-----END OCSP RESPONSE-----
]]></artwork>
          </section>
          <section anchor="c509-ocsp-response-1">
            <name>C509 OCSP Response</name>
            <t>Plain Hex (140 bytes):</t>
            <artwork><![CDATA[
8E020C005011111111111111111111111111111111480600867838E3311A48A01C73
A5F3B063345410652787FA0527BC2449A1BFC5AB31AA5A6F0D8D001A67C4F1003970
7F19627080F65840E3419955AEB3D74AD5BC7D32264E8976C3AB6F68643C6BF66CC2
F9352FF3E861A0BD1506C78B09D3FAE869D1FD3C87EF461CF6D2096EA0AC11FCFF5E
BC0FA70C
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509SimpleOCSPResponse
  TBSSimpleOCSPResponse
    Type: C509SimpleOCSPResponse (2)
    Signature Algorithm: Ed25519 (12)
    Hash Algorithm: SHA256 (0)
    Nonce
      11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
    ResponderCertHash
      06:00:86:78:38:e3:31:1a
    IssuerCertHash
      a0:1c:73:a5:f3:b0:63:34
    SerialNumberHash
      10:65:27:87:fa:05:27:bc:24:49:a1:bf:c5:ab:31:aa:
      5a:6f:0d:8d
    Cert Status: good
    ProducedAt: 2025-03-03T00:00:00Z
    This Update: -28800, 2025-03-02T16:00:00Z
    Next Update: 25200, 2025-03-03T07:00:00Z
    Extensions: <empty>
    Responder Certs: null
  Signature Value
    e3:41:99:55:ae:b3:d7:4a:d5:bc:7d:32:26:4e:89:76:
    c3:ab:6f:68:64:3c:6b:f6:6c:c2:f9:35:2f:f3:e8:61:
    a0:bd:15:06:c7:8b:09:d3:fa:e8:69:d1:fd:3c:87:ef:
    46:1c:f6:d2:09:6e:a0:ac:11:fc:ff:5e:bc:0f:a7:0c
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
  0: 8E             # C509OCSPResponse=array[14]
  1:   02             # [0]. ocspResponseType=C509SimpleOCSPResponse
                      #      (2)
  2:   0C             # [1]. signatureAlgorithm=Ed25519 (12)
  3:   00             # [2]. hashAlgorithm=SHA256 (0)
  4:   50             # [3]. nonce=byte[16]
  5:     11111111111111111111111111111111
 21:   48             # [4]. responderCertHash=byte[8]
 22:     0600867838E3311A
 30:   48             # [5]. issuerCertHash=byte[8]
 31:     A01C73A5F3B06334
 39:   54             # [6]. serialNumberHash=byte[20]
 40:     10652787FA0527BC2449A1BFC5AB31AA5A6F0D8D
 60:   00             # [7]. certStatus=good (0)
 61:   1A 67C4F100    # [8]. producedAt=1740960000:
                      #      2025-03-03T00:00:00Z
 66:   39 707F        # [9]. thisUpdate=-28800: 2025-03-02T16:00:00Z
 69:   19 6270        # [10]. nextUpdate=25200: 2025-03-03T07:00:00Z
 72:   80             # [11]. extensions=array[0]
 73:   F6             # [12]. responderCerts=<null>
 74:   58 40          # [13]. signatureValue=byte[64]
 76:     E3419955AEB3D74AD5BC7D32264E8976C3AB6F68643C6BF66CC2F9352F
105:     F3E861A0BD1506C78B09D3FAE869D1FD3C87EF461CF6D2096EA0AC11FC
134:     FF5EBC0FA70C
]]></artwork>
          </section>
        </section>
        <section anchor="exam-basic-ocsp-resp">
          <name>Basic OCSP Response Example Without Responder's Certificate</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 71%</t>
            </li>
            <li>
              <t>Verifiable with certificate in <xref target="ocsp-responder-cert"/></t>
            </li>
            <li>
              <t>Basic OCSP Response (<tt>C509BasicOCSPResponse</tt>) without responder's certificate</t>
            </li>
            <li>
              <t>Note that the X.509 OCSP response and the C509 OCSP response are not convertible.</t>
            </li>
          </ul>
          <section anchor="x509-ocsp-response-2">
            <name>X.509 OCSP Response</name>
            <t>PEM content (845 bytes):</t>
            <artwork><![CDATA[
-----BEGIN OCSP RESPONSE-----
MIIDSQoBAKCCA0IwggM+BgkrBgEFBQcwAQEEggMvMIIDKzCCAt2iFgQU6uWaiumq
9BBLFeUOjuAXFRd0GK8YDzIwMjUwMzAzMDAwMDAwWjCCAnwwgZEwaTANBglghkgB
ZQMEAgEFAAQgMlOOdIW9N65FTx8NK5dV11i5H26OOnrzl6D0AGBcb/gEIMwRyHQK
BQnsTaFM5YhucjZMD2O2DtY0fxPBbuclt2aiAhQSNBI0EjQSNBI0EjQSNBI0EjQS
NIAAGA8yMDI1MDMwMjE2MDAwMFqgERgPMjAyNTAzMDMwNzAwMDBaMIGnMGkwDQYJ
YIZIAWUDBAIBBQAEIDJTjnSFvTeuRU8fDSuXVddYuR9ujjp685eg9ABgXG/4BCDM
Ech0CgUJ7E2hTOWIbnI2TA9jtg7WNH8TwW7nJbdmogIUNFY0VjRWNFY0VjRWNFY0
VjRWNFahFhgPMTk3MDAxMDEwMDAwMDBaoAMKAQYYDzIwMjUwMzAyMTYwMDAwWqAR
GA8yMDI1MDMwMzA3MDAwMFowgacwaTANBglghkgBZQMEAgEFAAQgMlOOdIW9N65F
Tx8NK5dV11i5H26OOnrzl6D0AGBcb/gEIMwRyHQKBQnsTaFM5YhucjZMD2O2DtY0
fxPBbuclt2aiAhRWeFZ4VnhWeFZ4VnhWeFZ4VnhWeKEWGA8yMDI1MDMwMTE2MDAw
MFqgAwoBBBgPMjAyNTAzMDIxNjAwMDBaoBEYDzIwMjUwMzAzMDcwMDAwWjCBkTBp
MA0GCWCGSAFlAwQCAQUABCAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMz
MwQgREREREREREREREREREREREREREREREREREREREREREQCFCIzIjMiMyIzIjMi
MyIzIjMiMyIzggAYDzIwMjUwMzAyMTYwMDAwWqARGA8yMDI1MDMwMzA3MDAwMFqh
MjAwMB0GCSsGAQUFBzABAgQQERERERERERERERERERERETAPBgkrBgEFBQcwAQkE
AgUAMAUGAytlcANBAHrbfHeKVrcvjeFMQT9cTvhYU81DmwQpZiyRtH+MhBfSjqsl
riv95/TO4bhcpRnJl5T3D8ojWrMGiFJo1IB8gwc=
-----END OCSP RESPONSE-----
]]></artwork>
          </section>
          <section anchor="c509-ocsp-response-2">
            <name>C509 OCSP Response</name>
            <t>Plain Hex (248 bytes):</t>
            <artwork><![CDATA[
8A010C005011111111111111111111111111111111480600867838E3311A1A67C4F1
00808648A01C73A5F3B06334808F5410652787FA0527BC2449A1BFC5AB31AA5A6F0D
8D0039707F196270805475D8BC4FBAFC6694467641E748DFD53A8B9D176D0139707F
1962708054D1AC135D7DA29BDCF4DCA0D5281A51605B678400821A67C32F00043970
7F19627080482222222222222222808554D3A0C1E3DB92E8F6810537D45CFAECF6CE
417E3B0239707F19627080F65840E4869C57A66BAB501ACAEB7E5024105253D72F45
D349AE21FB941ABE4435F8A6C9D1CA5D2784AB30CF177FF075B5502AEAEE09C1146C
F490663EAED9243A760D
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509BasicOCSPResponse
  TBSBasicOCSPResponse
    Type: C509BasicOCSPResponse (1)
    Signature Algorithm: Ed25519 (12)
    Hash Algorithm: SHA256 (0)
    Nonce
      11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
    ResponderCertHash
      06:00:86:78:38:e3:31:1a
    ProducedAt: 2025-03-03T00:00:00Z
    Extensions: <empty>
    Responses
      OcspPerIssuerResponse
        IssuerCertHash
          a0:1c:73:a5:f3:b0:63:34
        Extensions: <empty>
        SingleResponses
          SingleCertResponse
            SerialNumberHash:
              10:65:27:87:fa:05:27:bc:24:49:a1:bf:c5:ab:31:aa:
              5a:6f:0d:8d
            Cert Status: good
            This Update: -28800, 2025-03-02T16:00:00Z
            Next Update: 25200, 2025-03-03T07:00:00Z
            Extensions: <empty>
          SingleCertResponse
            SerialNumberHash:
              75:d8:bc:4f:ba:fc:66:94:46:76:41:e7:48:df:d5:3a:
              8b:9d:17:6d
            Cert Status: not-issued
            This Update: -28800, 2025-03-02T16:00:00Z
            Next Update: 25200, 2025-03-03T07:00:00Z
            Extensions: <empty>
          SingleCertResponse
            SerialNumberHash:
              d1:ac:13:5d:7d:a2:9b:dc:f4:dc:a0:d5:28:1a:51:60:
              5b:67:84:00
            Cert Status: revoked (superseded)
              Revoked at 2025-03-01T16:00:00Z
            This Update: -28800, 2025-03-02T16:00:00Z
            Next Update: 25200, 2025-03-03T07:00:00Z
            Extensions: <empty>
      OcspPerIssuerResponse
        IssuerCertHash
          22:22:22:22:22:22:22:22
        Extensions: <empty>
        SingleResponses
          SingleCertResponse
            SerialNumberHash:
              d3:a0:c1:e3:db:92:e8:f6:81:05:37:d4:5c:fa:ec:f6:
              ce:41:7e:3b
            Cert Status: unknown
            This Update: -28800, 2025-03-02T16:00:00Z
            Next Update: 25200, 2025-03-03T07:00:00Z
            Extensions: <empty>
    Responder Certs: null
  Signature Value
    e4:86:9c:57:a6:6b:ab:50:1a:ca:eb:7e:50:24:10:52:
    53:d7:2f:45:d3:49:ae:21:fb:94:1a:be:44:35:f8:a6:
    c9:d1:ca:5d:27:84:ab:30:cf:17:7f:f0:75:b5:50:2a:
    ea:ee:09:c1:14:6c:f4:90:66:3e:ae:d9:24:3a:76:0d
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
  0: 8A             # C509OCSPResponse=array[10]
  1:   01             # [0]. ocspResponseType=C509BasicOCSPResponse
                      #      (1)
  2:   0C             # [1]. signatureAlgorithm=Ed25519 (12)
  3:   00             # [2]. hashAlgorithm=SHA256 (0)
  4:   50             # [3]. nonce=byte[16]
  5:     11111111111111111111111111111111
 21:   48             # [4]. responderCertHash=byte[8]
 22:     0600867838E3311A
 30:   1A 67C4F100    # [5]. producedAt=1740960000:
                      #      2025-03-03T00:00:00Z
 35:   80             # [6]. extensions=array[0]
 36:   86             # [7]. responses=array[6]
                        #---PerIssuerResponses[0]---
 37:     48             # [0]. issuerCertHash=byte[8]
 38:       A01C73A5F3B06334
 46:     80             # [1]. extensions=array[0]
 47:     8F             # [2]. singleResponses=array[15]
                          #---SingleCertResponses[0]---
 48:       54             # [0]. serialNumberHash=byte[20]
 49:         10652787FA0527BC2449A1BFC5AB31AA5A6F0D8D
 69:       00             # [1]. certStatus=good (0)
 70:       39 707F        # [2]. thisUpdate=-28800:
                          #      2025-03-02T16:00:00Z
 73:       19 6270        # [3]. nextUpdate=25200:
                          #      2025-03-03T07:00:00Z
 76:       80             # [4]. extensions=array[0]
                          #---SingleCertResponses[1]---
 77:       54             # [5]. serialNumberHash=byte[20]
 78:         75D8BC4FBAFC6694467641E748DFD53A8B9D176D
 98:       01             # [6]. certStatus=not-issued (1)
 99:       39 707F        # [7]. thisUpdate=-28800:
                          #      2025-03-02T16:00:00Z
102:       19 6270        # [8]. nextUpdate=25200:
                          #      2025-03-03T07:00:00Z
105:       80             # [9]. extensions=array[0]
                          #---SingleCertResponses[2]---
106:       54             # [10]. serialNumberHash=byte[20]
107:         D1AC135D7DA29BDCF4DCA0D5281A51605B678400
127:       82             # [11]. certStatus=array[2]
128:         1A 67C32F00    # [0]. revocationTime=1740844800:
                            #      2025-03-01T16:00:00Z
133:         04             # [1]. revocationReason=superseded (4)
134:       39 707F        # [12]. thisUpdate=-28800:
                          #       2025-03-02T16:00:00Z
137:       19 6270        # [13]. nextUpdate=25200:
                          #       2025-03-03T07:00:00Z
140:       80             # [14]. extensions=array[0]
                        #---PerIssuerResponses[1]---
141:     48             # [3]. issuerCertHash=byte[8]
142:       2222222222222222
150:     80             # [4]. extensions=array[0]
151:     85             # [5]. singleResponses=array[5]
                          #---SingleCertResponses[0]---
152:       54             # [0]. serialNumberHash=byte[20]
153:         D3A0C1E3DB92E8F6810537D45CFAECF6CE417E3B
173:       02             # [1]. certStatus=unknown (2)
174:       39 707F        # [2]. thisUpdate=-28800:
                          #      2025-03-02T16:00:00Z
177:       19 6270        # [3]. nextUpdate=25200:
                          #      2025-03-03T07:00:00Z
180:       80             # [4]. extensions=array[0]
181:   F6             # [8]. responderCerts=<null>
182:   58 40          # [9]. signature value=byte[64]
184:     E4869C57A66BAB501ACAEB7E5024105253D72F45D349AE21FB941ABE44
213:     35F8A6C9D1CA5D2784AB30CF177FF075B5502AEAEE09C1146CF490663E
242:     AED9243A760D
]]></artwork>
          </section>
        </section>
        <section anchor="exam-basic-ocsp-resp-withcert">
          <name>Basic OCSP Response Example With Responder's Certificate</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 62%</t>
            </li>
            <li>
              <t>Verifiable with certificate in <xref target="ocsp-responder-cert"/></t>
            </li>
            <li>
              <t>Basic OCSP Response (<tt>C509BasicOCSPResponse</tt>) with embedded responder's certificate</t>
            </li>
            <li>
              <t>Note that the X.509 OCSP response and the C509 OCSP response are not convertible.</t>
            </li>
          </ul>
          <section anchor="x509-ocsp-response-3">
            <name>X.509 OCSP Response</name>
            <t>PEM content (1189 bytes):</t>
            <artwork><![CDATA[
-----BEGIN OCSP RESPONSE-----
MIIEoQoBAKCCBJowggSWBgkrBgEFBQcwAQEEggSHMIIEgzCCAt2iFgQU6uWaiumq
9BBLFeUOjuAXFRd0GK8YDzIwMjUwMzAzMDAwMDAwWjCCAnwwgZEwaTANBglghkgB
ZQMEAgEFAAQgMlOOdIW9N65FTx8NK5dV11i5H26OOnrzl6D0AGBcb/gEIMwRyHQK
BQnsTaFM5YhucjZMD2O2DtY0fxPBbuclt2aiAhQSNBI0EjQSNBI0EjQSNBI0EjQS
NIAAGA8yMDI1MDMwMjE2MDAwMFqgERgPMjAyNTAzMDMwNzAwMDBaMIGnMGkwDQYJ
YIZIAWUDBAIBBQAEIDJTjnSFvTeuRU8fDSuXVddYuR9ujjp685eg9ABgXG/4BCDM
Ech0CgUJ7E2hTOWIbnI2TA9jtg7WNH8TwW7nJbdmogIUNFY0VjRWNFY0VjRWNFY0
VjRWNFahFhgPMTk3MDAxMDEwMDAwMDBaoAMKAQYYDzIwMjUwMzAyMTYwMDAwWqAR
GA8yMDI1MDMwMzA3MDAwMFowgacwaTANBglghkgBZQMEAgEFAAQgMlOOdIW9N65F
Tx8NK5dV11i5H26OOnrzl6D0AGBcb/gEIMwRyHQKBQnsTaFM5YhucjZMD2O2DtY0
fxPBbuclt2aiAhRWeFZ4VnhWeFZ4VnhWeFZ4VnhWeKEWGA8yMDI1MDMwMTE2MDAw
MFqgAwoBBBgPMjAyNTAzMDIxNjAwMDBaoBEYDzIwMjUwMzAzMDcwMDAwWjCBkTBp
MA0GCWCGSAFlAwQCAQUABCAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMz
MwQgREREREREREREREREREREREREREREREREREREREREREQCFCIzIjMiMyIzIjMi
MyIzIjMiMyIzggAYDzIwMjUwMzAyMTYwMDAwWqARGA8yMDI1MDMwMzA3MDAwMFqh
MjAwMB0GCSsGAQUFBzABAgQQERERERERERERERERERERETAPBgkrBgEFBQcwAQkE
AgUAMAUGAytlcANBAHrbfHeKVrcvjeFMQT9cTvhYU81DmwQpZiyRtH+MhBfSjqsl
riv95/TO4bhcpRnJl5T3D8ojWrMGiFJo1IB8gwegggFUMIIBUDCCAUwwgf+gAwIB
AgICEjUwBQYDK2VwMBoxGDAWBgNVBAMMD3Rlc3QgY3Jsb2NzcC1jYTAeFw0yNTAx
MDIwMDAwMDBaFw0yNjAxMDIwMDAwMDBaMBkxFzAVBgNVBAMMDm9jc3AtcmVzcG9u
ZGVyMCowBQYDK2VwAyEAgZR7vCSKrHlzghGo11v5LLd32ZQHPfI64GOA7yxXOXaj
ajBoMB0GA1UdDgQWBBTq5ZqK6ar0EEsV5Q6O4BcVF3QYrzAOBgNVHQ8BAf8EBAMC
B4AwHwYDVR0jBBgwFoAU2X135jTC9wAwDKWPyHc2WxVQB6IwFgYDVR0lAQH/BAww
CgYIKwYBBQUHAwkwBQYDK2VwA0EAE6Mo4UW6t2eMBWxsYX3UvhUJnaoXUOH7fAsp
qSPXK/f3h5+FSrkt0RCxXzct4Flmgi+HToCGEf1F3T0sXCiHCA==
-----END OCSP RESPONSE-----
]]></artwork>
          </section>
          <section anchor="c509-ocsp-response-3">
            <name>C509 OCSP Response</name>
            <t>Plain Hex (446 bytes):</t>
            <artwork><![CDATA[
8A010C005011111111111111111111111111111111480600867838E3311A1A67C4F1
00808648A01C73A5F3B06334808F5410652787FA0527BC2449A1BFC5AB31AA5A6F0D
8D0039707F196270805475D8BC4FBAFC6694467641E748DFD53A8B9D176D0139707F
1962708054D1AC135D7DA29BDCF4DCA0D5281A51605B678400821A67C32F00043970
7F19627080482222222222222222808554D3A0C1E3DB92E8F6810537D45CFAECF6CE
417E3B0239707F1962708058C58B024212350C6F746573742063726C6F6373702D63
611A6775D7001A69570A806E6F6373702D726573706F6E6465720C582081947BBC24
8AAC79738211A8D75BF92CB777D994073DF23AE06380EF2C573976880154B5B4CAF3
5401D06151DF9629DB579DC8CCA453A8210107542F45E78D2CAEDF368CDF53C39005
D492450E105627095840A01B0CBF3E34A4762D05404FD08A7AEC103035358314686D
72B6159078C76E1D88597F37531886A3F52F256FD722192B289D6844014467F1F17F
05ACBB7B660A58400085EA27969E5A162EA31D371522F62F0DF278272225DEAD6F17
3C42D5482142A3F032872850A4E2C2D9A759A0F460E1250B6FDEBB6636B3672CA02E
FB880A04
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509BasicOCSPResponse
  TBSBasicOCSPResponse
    Type: C509BasicOCSPResponse (1)
    Signature Algorithm: Ed25519 (12)
    Hash Algorithm: SHA256 (0)
    Nonce
      11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
    ResponderCertHash
      06:00:86:78:38:e3:31:1a
    ProducedAt: 2025-03-03T00:00:00Z
    Extensions: <empty>
    Responses
      OcspPerIssuerResponse
        IssuerCertHash
          a0:1c:73:a5:f3:b0:63:34
        Extensions: <empty>
        SingleResponses
          SingleCertResponse
            SerialNumberHash:
              10:65:27:87:fa:05:27:bc:24:49:a1:bf:c5:ab:31:aa:
              5a:6f:0d:8d
            Cert Status: good
            This Update: -28800, 2025-03-02T16:00:00Z
            Next Update: 25200, 2025-03-03T07:00:00Z
            Extensions: <empty>
          SingleCertResponse
            SerialNumberHash:
              75:d8:bc:4f:ba:fc:66:94:46:76:41:e7:48:df:d5:3a:
              8b:9d:17:6d
            Cert Status: not-issued
            This Update: -28800, 2025-03-02T16:00:00Z
            Next Update: 25200, 2025-03-03T07:00:00Z
            Extensions: <empty>
          SingleCertResponse
            SerialNumberHash:
              d1:ac:13:5d:7d:a2:9b:dc:f4:dc:a0:d5:28:1a:51:60:
              5b:67:84:00
            Cert Status: revoked (superseded)
              Revoked at 2025-03-01T16:00:00Z
            This Update: -28800, 2025-03-02T16:00:00Z
            Next Update: 25200, 2025-03-03T07:00:00Z
            Extensions: <empty>
      OcspPerIssuerResponse
        IssuerCertHash
          22:22:22:22:22:22:22:22
        Extensions: <empty>
        SingleResponses
          SingleCertResponse
            SerialNumberHash:
              d3:a0:c1:e3:db:92:e8:f6:81:05:37:d4:5c:fa:ec:f6:
              ce:41:7e:3b
            Cert Status: unknown
            This Update: -28800, 2025-03-02T16:00:00Z
            Next Update: 25200, 2025-03-03T07:00:00Z
            Extensions: <empty>
    Responder Certs
      C509Certificate
        8b:02:42:12:35:0c:6f:74:65:73:74:20:63:72:6c:6f:
        63:73:70:2d:63:61:1a:67:75:d7:00:1a:69:57:0a:80:
        6e:6f:63:73:70:2d:72:65:73:70:6f:6e:64:65:72:0c:
        58:20:81:94:7b:bc:24:8a:ac:79:73:82:11:a8:d7:5b:
        f9:2c:b7:77:d9:94:07:3d:f2:3a:e0:63:80:ef:2c:57:
        39:76:88:01:54:b5:b4:ca:f3:54:01:d0:61:51:df:96:
        29:db:57:9d:c8:cc:a4:53:a8:21:01:07:54:2f:45:e7:
        8d:2c:ae:df:36:8c:df:53:c3:90:05:d4:92:45:0e:10:
        56:27:09:58:40:a0:1b:0c:bf:3e:34:a4:76:2d:05:40:
        4f:d0:8a:7a:ec:10:30:35:35:83:14:68:6d:72:b6:15:
        90:78:c7:6e:1d:88:59:7f:37:53:18:86:a3:f5:2f:25:
        6f:d7:22:19:2b:28:9d:68:44:01:44:67:f1:f1:7f:05:
        ac:bb:7b:66:0a
  Signature Value
    00:85:ea:27:96:9e:5a:16:2e:a3:1d:37:15:22:f6:2f:
    0d:f2:78:27:22:25:de:ad:6f:17:3c:42:d5:48:21:42:
    a3:f0:32:87:28:50:a4:e2:c2:d9:a7:59:a0:f4:60:e1:
    25:0b:6f:de:bb:66:36:b3:67:2c:a0:2e:fb:88:0a:04
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
  0: 8A             # C509OCSPResponse=array[10]
  1:   01             # [0]. ocspResponseType=C509BasicOCSPResponse
                      #      (1)
  2:   0C             # [1]. signatureAlgorithm=Ed25519 (12)
  3:   00             # [2]. hashAlgorithm=SHA256 (0)
  4:   50             # [3]. nonce=byte[16]
  5:     11111111111111111111111111111111
 21:   48             # [4]. responderCertHash=byte[8]
 22:     0600867838E3311A
 30:   1A 67C4F100    # [5]. producedAt=1740960000:
                      #      2025-03-03T00:00:00Z
 35:   80             # [6]. extensions=array[0]
 36:   86             # [7]. responses=array[6]
                        #---PerIssuerResponses[0]---
 37:     48             # [0]. issuerCertHash=byte[8]
 38:       A01C73A5F3B06334
 46:     80             # [1]. extensions=array[0]
 47:     8F             # [2]. singleResponses=array[15]
                          #---SingleCertResponses[0]---
 48:       54             # [0]. serialNumberHash=byte[20]
 49:         10652787FA0527BC2449A1BFC5AB31AA5A6F0D8D
 69:       00             # [1]. certStatus=good (0)
 70:       39 707F        # [2]. thisUpdate=-28800:
                          #      2025-03-02T16:00:00Z
 73:       19 6270        # [3]. nextUpdate=25200:
                          #      2025-03-03T07:00:00Z
 76:       80             # [4]. extensions=array[0]
                          #---SingleCertResponses[1]---
 77:       54             # [5]. serialNumberHash=byte[20]
 78:         75D8BC4FBAFC6694467641E748DFD53A8B9D176D
 98:       01             # [6]. certStatus=not-issued (1)
 99:       39 707F        # [7]. thisUpdate=-28800:
                          #      2025-03-02T16:00:00Z
102:       19 6270        # [8]. nextUpdate=25200:
                          #      2025-03-03T07:00:00Z
105:       80             # [9]. extensions=array[0]
                          #---SingleCertResponses[2]---
106:       54             # [10]. serialNumberHash=byte[20]
107:         D1AC135D7DA29BDCF4DCA0D5281A51605B678400
127:       82             # [11]. certStatus=array[2]
128:         1A 67C32F00    # [0]. revocationTime=1740844800:
                            #      2025-03-01T16:00:00Z
133:         04             # [1]. revocationReason=superseded (4)
134:       39 707F        # [12]. thisUpdate=-28800:
                          #       2025-03-02T16:00:00Z
137:       19 6270        # [13]. nextUpdate=25200:
                          #       2025-03-03T07:00:00Z
140:       80             # [14]. extensions=array[0]
                        #---PerIssuerResponses[1]---
141:     48             # [3]. issuerCertHash=byte[8]
142:       2222222222222222
150:     80             # [4]. extensions=array[0]
151:     85             # [5]. singleResponses=array[5]
                          #---SingleCertResponses[0]---
152:       54             # [0]. serialNumberHash=byte[20]
153:         D3A0C1E3DB92E8F6810537D45CFAECF6CE417E3B
173:       02             # [1]. certStatus=unknown (2)
174:       39 707F        # [2]. thisUpdate=-28800:
                          #      2025-03-02T16:00:00Z
177:       19 6270        # [3]. nextUpdate=25200:
                          #      2025-03-03T07:00:00Z
180:       80             # [4]. extensions=array[0]
181:   58 C5          # [8]. responderCerts(COSE_C509)=byte[197]
183:     8B024212350C6F746573742063726C6F6373702D63611A6775D7001A69
212:     570A806E6F6373702D726573706F6E6465720C582081947BBC248AAC79
241:     738211A8D75BF92CB777D994073DF23AE06380EF2C573976880154B5B4
270:     CAF35401D06151DF9629DB579DC8CCA453A8210107542F45E78D2CAEDF
299:     368CDF53C39005D492450E105627095840A01B0CBF3E34A4762D05404F
328:     D08A7AEC103035358314686D72B6159078C76E1D88597F37531886A3F5
357:     2F256FD722192B289D6844014467F1F17F05ACBB7B660A
380:   58 40          # [9]. signature value=byte[64]
382:     0085EA27969E5A162EA31D371522F62F0DF278272225DEAD6F173C42D5
411:     482142A3F032872850A4E2C2D9A759A0F460E1250B6FDEBB6636B3672C
440:     A02EFB880A04
]]></artwork>
          </section>
        </section>
        <section anchor="exam-basic-ocsp-resp-withcertchain">
          <name>Basic OCSP Response Example With Responder's Certificate Chain</name>
          <ul spacing="normal">
            <li>
              <t>Size reduction: 57%</t>
            </li>
            <li>
              <t>Verifiable with certificate in <xref target="ocsp-responder-cert"/></t>
            </li>
            <li>
              <t>Basic OCSP Response (<tt>C509BasicOCSPResponse</tt>) with embedded responder's certificate chain (2 certificates)</t>
            </li>
            <li>
              <t>Note that the X.509 OCSP response and the C509 OCSP response are not convertible.</t>
            </li>
          </ul>
          <section anchor="x509-ocsp-response-4">
            <name>X.509 OCSP Response</name>
            <t>PEM content (1525 bytes):</t>
            <artwork><![CDATA[
-----BEGIN OCSP RESPONSE-----
MIIF8QoBAKCCBeowggXmBgkrBgEFBQcwAQEEggXXMIIF0zCCAt2iFgQU6uWaiumq
9BBLFeUOjuAXFRd0GK8YDzIwMjUwMzAzMDAwMDAwWjCCAnwwgZEwaTANBglghkgB
ZQMEAgEFAAQgMlOOdIW9N65FTx8NK5dV11i5H26OOnrzl6D0AGBcb/gEIMwRyHQK
BQnsTaFM5YhucjZMD2O2DtY0fxPBbuclt2aiAhQSNBI0EjQSNBI0EjQSNBI0EjQS
NIAAGA8yMDI1MDMwMjE2MDAwMFqgERgPMjAyNTAzMDMwNzAwMDBaMIGnMGkwDQYJ
YIZIAWUDBAIBBQAEIDJTjnSFvTeuRU8fDSuXVddYuR9ujjp685eg9ABgXG/4BCDM
Ech0CgUJ7E2hTOWIbnI2TA9jtg7WNH8TwW7nJbdmogIUNFY0VjRWNFY0VjRWNFY0
VjRWNFahFhgPMTk3MDAxMDEwMDAwMDBaoAMKAQYYDzIwMjUwMzAyMTYwMDAwWqAR
GA8yMDI1MDMwMzA3MDAwMFowgacwaTANBglghkgBZQMEAgEFAAQgMlOOdIW9N65F
Tx8NK5dV11i5H26OOnrzl6D0AGBcb/gEIMwRyHQKBQnsTaFM5YhucjZMD2O2DtY0
fxPBbuclt2aiAhRWeFZ4VnhWeFZ4VnhWeFZ4VnhWeKEWGA8yMDI1MDMwMTE2MDAw
MFqgAwoBBBgPMjAyNTAzMDIxNjAwMDBaoBEYDzIwMjUwMzAzMDcwMDAwWjCBkTBp
MA0GCWCGSAFlAwQCAQUABCAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMz
MwQgREREREREREREREREREREREREREREREREREREREREREQCFCIzIjMiMyIzIjMi
MyIzIjMiMyIzggAYDzIwMjUwMzAyMTYwMDAwWqARGA8yMDI1MDMwMzA3MDAwMFqh
MjAwMB0GCSsGAQUFBzABAgQQERERERERERERERERERERETAPBgkrBgEFBQcwAQkE
AgUAMAUGAytlcANBAHrbfHeKVrcvjeFMQT9cTvhYU81DmwQpZiyRtH+MhBfSjqsl
riv95/TO4bhcpRnJl5T3D8ojWrMGiFJo1IB8gwegggKkMIICoDCCAUwwgf+gAwIB
AgICEjUwBQYDK2VwMBoxGDAWBgNVBAMMD3Rlc3QgY3Jsb2NzcC1jYTAeFw0yNTAx
MDIwMDAwMDBaFw0yNjAxMDIwMDAwMDBaMBkxFzAVBgNVBAMMDm9jc3AtcmVzcG9u
ZGVyMCowBQYDK2VwAyEAgZR7vCSKrHlzghGo11v5LLd32ZQHPfI64GOA7yxXOXaj
ajBoMB0GA1UdDgQWBBTq5ZqK6ar0EEsV5Q6O4BcVF3QYrzAOBgNVHQ8BAf8EBAMC
B4AwHwYDVR0jBBgwFoAU2X135jTC9wAwDKWPyHc2WxVQB6IwFgYDVR0lAQH/BAww
CgYIKwYBBQUHAwkwBQYDK2VwA0EAE6Mo4UW6t2eMBWxsYX3UvhUJnaoXUOH7fAsp
qSPXK/f3h5+FSrkt0RCxXzct4Flmgi+HToCGEf1F3T0sXCiHCDCCAUwwgf+gAwIB
AgIBATAFBgMrZXAwHjEcMBoGA1UEAwwTdGVzdCBjcmxvY3NwLXJvb3RjYTAeFw0y
NTAxMDEwMDAwMDBaFw0yNjEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD3Rlc3QgY3Js
b2NzcC1jYTAqMAUGAytlcAMhAF74o1WgAafFDSNJRwEggTGkuyq5INQL+w7h9qso
/3QAo2YwZDAdBgNVHQ4EFgQU2X135jTC9wAwDKWPyHc2WxVQB6IwDgYDVR0PAQH/
BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHwYDVR0jBBgwFoAUkSOc+vnng2yy
n1HhMZHbENOuFpMwBQYDK2VwA0EA1l4B18v6QX+xe5n3l+1pJ69WL/Y+jTWz46fT
gWDMZGdAEE2PORiX3asRmPPQWiYZIENipvg8M4ghGza8Vj1BAg==
-----END OCSP RESPONSE-----
]]></artwork>
          </section>
          <section anchor="c509-ocsp-response-4">
            <name>C509 OCSP Response</name>
            <t>Plain Hex (651 bytes):</t>
            <artwork><![CDATA[
8A010C005011111111111111111111111111111111480600867838E3311A1A67C4F1
00808648A01C73A5F3B06334808F5410652787FA0527BC2449A1BFC5AB31AA5A6F0D
8D0039707F196270805475D8BC4FBAFC6694467641E748DFD53A8B9D176D0139707F
1962708054D1AC135D7DA29BDCF4DCA0D5281A51605B678400821A67C32F00043970
7F19627080482222222222222222808554D3A0C1E3DB92E8F6810537D45CFAECF6CE
417E3B0239707F196270808258C58B024212350C6F746573742063726C6F6373702D
63611A6775D7001A69570A806E6F6373702D726573706F6E6465720C582081947BBC
248AAC79738211A8D75BF92CB777D994073DF23AE06380EF2C573976880154B5B4CA
F35401D06151DF9629DB579DC8CCA453A8210107542F45E78D2CAEDF368CDF53C390
05D492450E105627095840A01B0CBF3E34A4762D05404FD08A7AEC10303535831468
6D72B6159078C76E1D88597F37531886A3F52F256FD722192B289D6844014467F1F1
7F05ACBB7B660A58CA8B0241010C73746573742063726C6F6373702D726F6F746361
1A677485801A6B36EC7F6F746573742063726C6F6373702D63610C58205EF8A355A0
01A7C50D23494701208131A4BB2AB920D40BFB0EE1F6AB28FF74008801542F45E78D
2CAEDF368CDF53C39005D492450E1056211860230107542DA3A403F7D2F4E0B3D803
1A73BA8A839F557F0F5840E50465D60C02A2111EF3FC6E44F2A36008765B552351F9
A3F5B2AA7C76F1F05D259847A4F4250B2E4B0AE2099762A2596D3CC1DB2CCD180AA0
A2D0E191310B0F5840B633C9598073E3920876FE12B86AD32422E7F2C2361177A6D5
90F20BEBBAA1EFDF94A0A944AC8CA67679CA04CEAF327C12CB9F1C2DCACA9D2E949B
FEA755C405
]]></artwork>
            <t>Textual Representation</t>
            <artwork><![CDATA[
C509BasicOCSPResponse
  TBSBasicOCSPResponse
    Type: C509BasicOCSPResponse (1)
    Signature Algorithm: Ed25519 (12)
    Hash Algorithm: SHA256 (0)
    Nonce
      11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
    ResponderCertHash
      06:00:86:78:38:e3:31:1a
    ProducedAt: 2025-03-03T00:00:00Z
    Extensions: <empty>
    Responses
      OcspPerIssuerResponse
        IssuerCertHash
          a0:1c:73:a5:f3:b0:63:34
        Extensions: <empty>
        SingleResponses
          SingleCertResponse
            SerialNumberHash:
              10:65:27:87:fa:05:27:bc:24:49:a1:bf:c5:ab:31:aa:
              5a:6f:0d:8d
            Cert Status: good
            This Update: -28800, 2025-03-02T16:00:00Z
            Next Update: 25200, 2025-03-03T07:00:00Z
            Extensions: <empty>
          SingleCertResponse
            SerialNumberHash:
              75:d8:bc:4f:ba:fc:66:94:46:76:41:e7:48:df:d5:3a:
              8b:9d:17:6d
            Cert Status: not-issued
            This Update: -28800, 2025-03-02T16:00:00Z
            Next Update: 25200, 2025-03-03T07:00:00Z
            Extensions: <empty>
          SingleCertResponse
            SerialNumberHash:
              d1:ac:13:5d:7d:a2:9b:dc:f4:dc:a0:d5:28:1a:51:60:
              5b:67:84:00
            Cert Status: revoked (superseded)
              Revoked at 2025-03-01T16:00:00Z
            This Update: -28800, 2025-03-02T16:00:00Z
            Next Update: 25200, 2025-03-03T07:00:00Z
            Extensions: <empty>
      OcspPerIssuerResponse
        IssuerCertHash
          22:22:22:22:22:22:22:22
        Extensions: <empty>
        SingleResponses
          SingleCertResponse
            SerialNumberHash:
              d3:a0:c1:e3:db:92:e8:f6:81:05:37:d4:5c:fa:ec:f6:
              ce:41:7e:3b
            Cert Status: unknown
            This Update: -28800, 2025-03-02T16:00:00Z
            Next Update: 25200, 2025-03-03T07:00:00Z
            Extensions: <empty>
    Responder Certs
      C509Certificate
        8b:02:42:12:35:0c:6f:74:65:73:74:20:63:72:6c:6f:
        63:73:70:2d:63:61:1a:67:75:d7:00:1a:69:57:0a:80:
        6e:6f:63:73:70:2d:72:65:73:70:6f:6e:64:65:72:0c:
        58:20:81:94:7b:bc:24:8a:ac:79:73:82:11:a8:d7:5b:
        f9:2c:b7:77:d9:94:07:3d:f2:3a:e0:63:80:ef:2c:57:
        39:76:88:01:54:b5:b4:ca:f3:54:01:d0:61:51:df:96:
        29:db:57:9d:c8:cc:a4:53:a8:21:01:07:54:2f:45:e7:
        8d:2c:ae:df:36:8c:df:53:c3:90:05:d4:92:45:0e:10:
        56:27:09:58:40:a0:1b:0c:bf:3e:34:a4:76:2d:05:40:
        4f:d0:8a:7a:ec:10:30:35:35:83:14:68:6d:72:b6:15:
        90:78:c7:6e:1d:88:59:7f:37:53:18:86:a3:f5:2f:25:
        6f:d7:22:19:2b:28:9d:68:44:01:44:67:f1:f1:7f:05:
        ac:bb:7b:66:0a
      C509Certificate
        8b:02:41:01:0c:73:74:65:73:74:20:63:72:6c:6f:63:
        73:70:2d:72:6f:6f:74:63:61:1a:67:74:85:80:1a:6b:
        36:ec:7f:6f:74:65:73:74:20:63:72:6c:6f:63:73:70:
        2d:63:61:0c:58:20:5e:f8:a3:55:a0:01:a7:c5:0d:23:
        49:47:01:20:81:31:a4:bb:2a:b9:20:d4:0b:fb:0e:e1:
        f6:ab:28:ff:74:00:88:01:54:2f:45:e7:8d:2c:ae:df:
        36:8c:df:53:c3:90:05:d4:92:45:0e:10:56:21:18:60:
        23:01:07:54:2d:a3:a4:03:f7:d2:f4:e0:b3:d8:03:1a:
        73:ba:8a:83:9f:55:7f:0f:58:40:e5:04:65:d6:0c:02:
        a2:11:1e:f3:fc:6e:44:f2:a3:60:08:76:5b:55:23:51:
        f9:a3:f5:b2:aa:7c:76:f1:f0:5d:25:98:47:a4:f4:25:
        0b:2e:4b:0a:e2:09:97:62:a2:59:6d:3c:c1:db:2c:cd:
        18:0a:a0:a2:d0:e1:91:31:0b:0f
  Signature Value
    b6:33:c9:59:80:73:e3:92:08:76:fe:12:b8:6a:d3:24:
    22:e7:f2:c2:36:11:77:a6:d5:90:f2:0b:eb:ba:a1:ef:
    df:94:a0:a9:44:ac:8c:a6:76:79:ca:04:ce:af:32:7c:
    12:cb:9f:1c:2d:ca:ca:9d:2e:94:9b:fe:a7:55:c4:05
]]></artwork>
            <t>Annotated hex</t>
            <artwork><![CDATA[
  0: 8A             # C509OCSPResponse=array[10]
  1:   01             # [0]. ocspResponseType=C509BasicOCSPResponse
                      #      (1)
  2:   0C             # [1]. signatureAlgorithm=Ed25519 (12)
  3:   00             # [2]. hashAlgorithm=SHA256 (0)
  4:   50             # [3]. nonce=byte[16]
  5:     11111111111111111111111111111111
 21:   48             # [4]. responderCertHash=byte[8]
 22:     0600867838E3311A
 30:   1A 67C4F100    # [5]. producedAt=1740960000:
                      #      2025-03-03T00:00:00Z
 35:   80             # [6]. extensions=array[0]
 36:   86             # [7]. responses=array[6]
                        #---PerIssuerResponses[0]---
 37:     48             # [0]. issuerCertHash=byte[8]
 38:       A01C73A5F3B06334
 46:     80             # [1]. extensions=array[0]
 47:     8F             # [2]. singleResponses=array[15]
                          #---SingleCertResponses[0]---
 48:       54             # [0]. serialNumberHash=byte[20]
 49:         10652787FA0527BC2449A1BFC5AB31AA5A6F0D8D
 69:       00             # [1]. certStatus=good (0)
 70:       39 707F        # [2]. thisUpdate=-28800:
                          #      2025-03-02T16:00:00Z
 73:       19 6270        # [3]. nextUpdate=25200:
                          #      2025-03-03T07:00:00Z
 76:       80             # [4]. extensions=array[0]
                          #---SingleCertResponses[1]---
 77:       54             # [5]. serialNumberHash=byte[20]
 78:         75D8BC4FBAFC6694467641E748DFD53A8B9D176D
 98:       01             # [6]. certStatus=not-issued (1)
 99:       39 707F        # [7]. thisUpdate=-28800:
                          #      2025-03-02T16:00:00Z
102:       19 6270        # [8]. nextUpdate=25200:
                          #      2025-03-03T07:00:00Z
105:       80             # [9]. extensions=array[0]
                          #---SingleCertResponses[2]---
106:       54             # [10]. serialNumberHash=byte[20]
107:         D1AC135D7DA29BDCF4DCA0D5281A51605B678400
127:       82             # [11]. certStatus=array[2]
128:         1A 67C32F00    # [0]. revocationTime=1740844800:
                            #      2025-03-01T16:00:00Z
133:         04             # [1]. revocationReason=superseded (4)
134:       39 707F        # [12]. thisUpdate=-28800:
                          #       2025-03-02T16:00:00Z
137:       19 6270        # [13]. nextUpdate=25200:
                          #       2025-03-03T07:00:00Z
140:       80             # [14]. extensions=array[0]
                        #---PerIssuerResponses[1]---
141:     48             # [3]. issuerCertHash=byte[8]
142:       2222222222222222
150:     80             # [4]. extensions=array[0]
151:     85             # [5]. singleResponses=array[5]
                          #---SingleCertResponses[0]---
152:       54             # [0]. serialNumberHash=byte[20]
153:         D3A0C1E3DB92E8F6810537D45CFAECF6CE417E3B
173:       02             # [1]. certStatus=unknown (2)
174:       39 707F        # [2]. thisUpdate=-28800:
                          #      2025-03-02T16:00:00Z
177:       19 6270        # [3]. nextUpdate=25200:
                          #      2025-03-03T07:00:00Z
180:       80             # [4]. extensions=array[0]
181:   82             # [8]. responderCerts(COSE_C509)=array[2]
182:     58 C5          # [0]. C509CertData=byte[197]
184:       8B024212350C6F746573742063726C6F6373702D63611A6775D7001A
212:       69570A806E6F6373702D726573706F6E6465720C582081947BBC248A
240:       AC79738211A8D75BF92CB777D994073DF23AE06380EF2C5739768801
268:       54B5B4CAF35401D06151DF9629DB579DC8CCA453A8210107542F45E7
296:       8D2CAEDF368CDF53C39005D492450E105627095840A01B0CBF3E34A4
324:       762D05404FD08A7AEC103035358314686D72B6159078C76E1D88597F
352:       37531886A3F52F256FD722192B289D6844014467F1F17F05ACBB7B66
380:       0A
381:     58 CA          # [1]. C509CertData=byte[202]
383:       8B0241010C73746573742063726C6F6373702D726F6F7463611A6774
411:       85801A6B36EC7F6F746573742063726C6F6373702D63610C58205EF8
439:       A355A001A7C50D23494701208131A4BB2AB920D40BFB0EE1F6AB28FF
467:       74008801542F45E78D2CAEDF368CDF53C39005D492450E1056211860
495:       230107542DA3A403F7D2F4E0B3D8031A73BA8A839F557F0F5840E504
523:       65D60C02A2111EF3FC6E44F2A36008765B552351F9A3F5B2AA7C76F1
551:       F05D259847A4F4250B2E4B0AE2099762A2596D3CC1DB2CCD180AA0A2
579:       D0E191310B0F
585:   58 40          # [9]. signature value=byte[64]
587:     B633C9598073E3920876FE12B86AD32422E7F2C2361177A6D590F20BEB
616:     BAA1EFDF94A0A944AC8CA67679CA04CEAF327C12CB9F1C2DCACA9D2E94
645:     9BFEA755C405
]]></artwork>
          </section>
        </section>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors thank xxx for reviewing and commenting on intermediate versions of the draft.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+y963rb1pIo+J9PgZG/Pi3tkDLuAJlOnwZvtmJLtiU5tpPO
tEASlGBTBEOQluXE/Z1XON83DzBPMQ8w8ybnSaaq1gULN5KS7cT79NbOTiRg
YV2qatVtVdVqtVqN9x3NajRW8WoWdbS9XvfZqTaYj5NJNNF60XIVT+NxuIq0
0+h9Ar/EyVw7DufhZXQdzVd7jUkynofX8OVkGU5XrVkcJq1xkkatsaO3W0v5
UWsGnaSrRjgawcOO1oPXSp+NRrxYdrTVcp2uTF1v62YjXEZhRzuLxutlvLpt
3FzCR8/OBtqrZPkunl9qj5bJetF4d9PRjuaraDmPVq0+zqEBPXa0dDVppOvR
dZym0P3qdgFTPBqcDxsNWBp83tHWq2nLbzQWcaehaatk3NFuoxR+TZPlahlN
U/n37bX6J7ScRIvVVUezG4330Xwd4feXOBkBvmejt9F4pZ3Fl3OcaDifIESX
twuC3j6C52APu6JZ7eUWhM+vw3gGz7Hdv8XRanqYLC/xebgcw7B7V6vVIu08
fIjN8FH8PjoUzR7ig4ejZXKTRg+xg4f44WW8ulqP4NNZ/HY9b83j5GE8QQQB
KvYajXC9ukqWuIyWxpD5FNvBv8MEHmoadNzRTo6e0R8Rmx51dYj4/jfo7zBO
lM+PYRaJdh7PALtZB6dHgL2gq3ZyjQ0PV9Tw35bxYRopvfyYRDPt8f/3/1zO
1vPJxm7eQsvDq4Qalro5jd+Fy8luHS2pbW1XZ1fhVTzRTsOPyrJezgEByxRo
VEum2qNZmF4mN2qnKX11uISv/u2SvT4Mx4frd43GPFleA/2/Jxo6HfYc09f5
r67uuuLXtiueeoYpf22bDv/VN0zR1jezX21b/uoa4jPfs03xa9tu81/bhu2J
Xy05Wtv1qe1Rq08Uxnf2KFm2IsYiWmNgEbkm6Spe0lPOONJWMk4XHdjg82lh
tZ5p+vjr82dnR687BDLOho4Gg4F2toKdg6iD72CP869hB51H46t5Mksub1ut
57Bbw9Es0p4toiW8hn10dpuuomvGFabhONL2aYD98+ODA60bppF2tojGbHrQ
XdrUjtJ0HWkem0G4vIyAgYhdtliP0sNkEc1pi9MeS+azeB7hi4dtt91uG22v
3X5IX09gxUC54XwdLm81Uzd8eNwDgB1HncruEZiH19FDdfXERJ7PwlscklNs
tkfxp6XFc+BIvUOti1CZz5XBj0M58OtDt63nALsXnJ0cGhphD2G1XM8i6CgH
ECRjAFM8ZnIAm51iM22/Ozg9aGq9cJ7Moe2s9L4H74nd9eMUUbGO06toUmrW
h2Z7ldC4ubk5jFfrw3i+eriMxg/PW6eDXouW0WiAvIFNhss5Gzwdwlp+ARpq
vYafX4GJtVotLRylq2U4XjUa51dxqoFsWqOU0lK2PBgbQStoV3v+5AjkxHI9
Xq2X8A7JbA3UcQPcksknlYy1fSbhNuwDgM3rw/J3MEsNNza8RthM1zic2oYE
QXqoHa20STQF0krZ8L3Tp/QF/fGsd/a8qY2T6wUskJGIwGKKGGMj10jsp4AP
dSbULfaoXUdpCsKcv0ROA9MEaADEcKfObg+186tIBROb4gQoUFvloBzmV9XC
VWnh5TwBWhjTiONwro0iBPKkBspVEGwCn62FGvWTrFfaNYBCUPBhBjItvl4s
k/fQEMAglqiNbrVUSGfoYRIttTRaIRiBSmaTFKS8tgDhSMuaXSaggVxdt0Cf
gKWs1gRSWo+y2vFVCBDJN1mtwvG7FOG5mIVjHA3+C7QdfQCajJYxbKH5+noE
0oOB4yqE/SIGhwbvI/j0tzXoTQCBxTJ+H45v1d5WgJnVTdLC77QYmdhSg8XQ
PmE9hrDO+eUsDzhszmiRNZ7eEiBmM20RQqtxvAjnSC5ybEYRyRzg1OTjHCAM
Q209j5Evl7rXgBdfwWxWV4ByRFSL78Exh/BhDYkTFc2TFUx/GbUYz28R1a9i
ZPO0Kug6XmrARuRW5lQD7BKYPq4iFQSHfQHNjZM5SOkVNAXoIj0tk2vs51oS
UArieo6UGlMfy2jFaImxlut4MplFjcYDlCvLZAK7AVH8+4MY//zUaDxfj2bw
8ZPoFmXVMpQ7BsTPk6MD4i4wCWRQtH2i+ft4mcxx56Ta779zcfjpE2E8xo0m
9roKW8A9UsaczY0vkrfLlG0tzqTloQa9bxHgMGqO8eR3X5jnNhmzybE5WgIy
F+gMsI7TASDhMpTpp/HHCAkHNuRSc/R/IqgAeZA0UaDTmkTvY5DcsHWn8Qx5
o/Y4uYH9SKQol3kNikA4j9PrVAMUbeZ9QGkp53skvnPNQdVYrVPt+TIB9T6Z
aftIigcZc4Ter8L3jDBvI1zbOALuOKEdmIJuCJZLFK4QmUAvOJQW5jilCh3O
BWco+5oasVrgBDPYsVcRrCmc3+YhSyOPIniHS38HHQLQqC3uHuAl0TxlxDCZ
EGSvonACEKPtxDZuGlVOCHkhTWgJygroT60crhhMFFIi6F2DegGzjz4g6C+h
swnYZ0AV50/PWKeodkKnpAbIh6hfwkP4ZALq8DuYzvs4ZDOEcRYz7IFNCdTe
T5+a2gS2wHgFQAmnUxRF8F5+rKEtOR/fAqhPEpgpzAx27HXMdMIOCaxZOALr
YQ/JeQ9YFpM5Yg8CReD3kpmUqD4jdlwG8ePkGocK4Xtg0YB79g2qEBFsKqZy
7lfsHiSGJpfe2Nkywtljpwmu+uBQC2bIgC6vCuJ0jUgTC4AtDUSMVgh0hjPO
ZD92uuCEm6EYmG+0g0QOFwuAMXAcIkBYaMXOxnYJcfOS9P0euGYEiMMX1HuL
mGey+PTpsFYJA1ugpf3tb4L//+1vuL1CWBxTOEgyo/MBmQ6jKLBTgHjKDIg2
2r7cW030FhChOp8+AWCZ5gK9hcSHY8ZS1wh9YkCEeRzlDAXdfBzx4cBCguEu
zrtnyCOQf1x8D1tfK+jOMW6O98kM+MChsiREtVhTiXHyPUlyNeX0IDbovrIn
xezltzhzaJoyuXANa+Says0VMEihL2BLKcdQjrwPZ7gw6G2YrJfaO5BOXCFi
ggcp5DqcRAwgygQASWRnFEA4F9ipWUMJxjXqFaoFeS4EisV8PFtPhF6TDSoV
MLYZr/LKDOldTaGtMUXmMxW2Q7Z0VUAUtLV4XgcABChT0AACIOm4Srd/wXo4
oQ4ew8OLA5x08j6mFXPlDjYnTCpdgSKWEpNJRqQGooJ4lcBeIgkUzkDYTG61
d/PkhuABM1nGMF5+locZBoVumAqNL2azk+oh6WxyU/DmKpj3L9hDBAqbfk7F
g75yyugFtjvqXzSZGkBLBPnCO5ZCis0wKGqesHeqdU/SWVkfuL+QIgvryS0k
Lq5B9iqX0dQuZP/qw22rDRVV/mzNHH6TnNWLzBolNX8LiuGRmCuu5H3CMC/0
RMDbRe/xs6Pe4IJbNul6fIVSGwHL+N3FqZgqgBaWM7o9gUEucBT4HUa4YBpO
Cnt8xtX6dL1YJMsVyT6wkKYgF+arCjtqPzq8PGySVONGmGp3URvQ+aNxiCay
VHsI3ChE0LheRpfhErTklAzS4kYVrOyQOMtZxHohhpCxuZQxcN6BKj5o/qCT
x7OU9YB0zfGZ24Ofb6t2cGa3n2Otog5XY7FWGqyb5WidpUSyW6JCSIiY1KHx
1TxG2CABlebdIeVO2mIEjWgGW2kCmspRv8DFaO3pFRIRzuoSWAvoIDEMCdJl
zXmelE+kLpHDjdrAQNeLVKg+k/V8Ajs8J0OX0XWCIlTTjoBqSS4hv0M9U5Aa
idGFdIgBoJhLDU2NBF1h6K3QhC0YfQixo3QD5O5lY+asyxrdPqTZSaEGi2Le
yJTZRLggOSegk2xK12sg4+gDbKRxjGqv2LYwjTTKu63YhEH3ElTKTVywnQAS
Ie5v6oALNq730vZZktEibF9Y0ZIzP8SFutZsD22G4iTi+gDgYcSoQAWiSvzC
litZwhMgtOSW9JGmZHrMIm6bDu2AB9p5puCD0a2o+59Qz4xIs7lJlkDMe8cv
z873muy/2skz+v108OLl0emgj7+fPQ6ePpW/NHiLs8fPXj7tZ79lX/aeHR8P
TvrsY3iq5R419o6DN3uMwPeePT8/enYSPN2r5jgMSNK/AGsP0waAcLyMR4yW
ur3n/+//bdiw/P8D1m8aBiq+7A/f8Gz4Aw0/Nloy5zYjWQS3DeAHUbjEXtCV
Mw4X8Sqc4dZLcffezMkmAGD+7ReEzK8d7V9G44Vh/yt/gAvOPRQwyz0kmJWf
lD5mQKx4VDGMhGbueQHS+fkGb3J/C7grD//lv5OV3zL8//6vjaItQrYVKSwK
WdG2UDZzM6+eKj4a/geeqmR/kNXQVC2WZsYO8CSF2MHLOZOPqEzcxCkzs5Hv
0tHhHnDDKXI/oBQQdjQ5VCrGZJ6JzUnsELHKLaqMC+G40gpKNfvQBIMFJ4G/
mXwrAZtNyBPWRx4Ws6a/P4jpccr30zSZzZIbUsZJPSBdS3zIIbXVq0SW3gXp
KB00oGbxdSy8avBiIF0X8JqoGVFysZ/5NI76HdwuzezJTyhyOmzqMJODCzAA
EnQVgcIg+0OxskDgrVZom8FQeHL8H8i6KicSCIsh09DK7SrAQgp1ASj8BE0s
ngZ+XTlwgSan6yVpmMITt8oNpzLMcBaH2XEF3++9fv8p+5ZhFIb/z+xHG08m
s8bRfFWxVO0HhLHauvE7aAhgL44jxGYLNdkf9vC8eLycHWJPe0AlF9W9XSBQ
CI/Q6UWL0IomDdqk8nipEuI7kxWqCivp1FldLdF7gipVnuPeIL8jG3Su2JBx
tm7GMFPGqyPSBlQt9UF2cAVTPkeFZ8j0JRBA8FdLtMUtg29VbYpvVcDTen6z
xJH4vo0WyfiqNQpx6nhg95A0qf2L/8T/Xgi7fxUSyle4DmLOI/Q9zZN5aw5K
NjpKhC6GwJgrChcAkP5A9jOLwgWq1CDg+Q4GDRe0sO+hL+UdavGZHql0JR6z
VqMISA76WBFspFLw+wNOGQCGBw+0Z+/RDxHdNBpB1gbQckcHD+CM6dbvTaZ6
VKtcOZfPn+rx0TRlfeK4RsCLeWAyM6hWz5J+LOYJx49Bb2O+EnFapxo0XC1k
1m6O3A+LAN+m4IbVExEEeJMIRVNRMbnDnYmjyiOVKAT9jXkLtxysZMCZr7gi
GK7CQyIiuQ7iakBhy1kL+U5JOGVcTwj0ZNGawa5Haxo6gT4uMvhJB1IO0zBB
RgxVLJN3AjzyFzA6lc+aGBokKI2kktZBu6/Z+BUmmbWDL/cxBuD0KYYw9GGJ
+CX35GOjlFqxn472y3faczDvyftwqjT6VXuozdezWeOgIeaE/eG81L61X+n4
Qf7JBgfwnaO4Kvx0tDUJV037XtOhKe9XXZjk0/yDap6PK2IBCvHqVnhDxBgo
/mHyD9xDwzT2R7dgfx7kPsh5RuADasKX22SzZ26zytljHBXsg5cLZKaFBsRT
scUc9IfKFtiFMhSy5V55uFI7mFKmvKjtsqdNxFQlKjlSuB+rjJQqgCljq6TT
S/D0cca+O614kX0WVcy3NOV877lmRaxws30Imx5oRrYvNgQgVM2LbafpLLzM
T0dFq+oxfRrNL4FnKW8RmeJp+VtEZL+AbkkPv95V14EmD6bxZQsWik9YMM0P
e8R8ptyMh3d7TAKSkiB1h5SzL6YcUIsHuR0rjGr+DBQr5e0FE500EgUgMT8C
ntihx40UPxQeTPOIPoyjxQo9mnnucgFM/UIZQ+poKYVYzZI5F4vQbXhLfJ+0
NHUi34Pgz7nEgOmTBLhlMwDpdDVH00Y9MNznnKdZ5c5vFkMW6LCMe6+b6FyK
JyyQYT5JbhQbALaDkC24iEWCahI7QqVDVfWIeAbLx9XnGH4EIwC48oCm47AJ
Pi6Dj2GNL4bJoAv+1wV3YXL5z1Umsg4mMVr2YMKFGL+BhCJlUlO1JITmxRc4
ime4bBDWGNaKPV5gCN0p83WyMXGy/CnzetJjkt2qCiwkIzOucE56s6CNABpJ
IpalJR4aMR9mmouXI9cc6xkBRuZGOON2IrrGUxFbM49uhJrKfYUckmX50miI
oGNGDWNxIClNCcXQ4975s1IvF6gcVoRuMe/qFsMi0yWtQ+PQMNgpXCYB8ysh
fVp60gh/y+gSqGV5mx02l6YC6385n8XvooLjsMmslfqTL26qAM2nAKAKJYYd
jeCLJdPTUWUbo9YrlMWItpfsvaldlNFAnAE9nKX9T1sOJr1l1MKIcgRBmvyc
Lq09pWNHcHSmz2bMSaakX9B+rdQh+AYtfsF3TfU3F4KHipAoCTDZ/rC2X8YB
pGWZCkWe5snVXKaVI9kCKF5h9Eb2lL3gJ1hM9w2aVQORMGAOFUaG2W6ReyXN
z4oPL/sq0eTm6QgzrBeIEyL0N2hXt6NlrLpuOf2iXXmJB5nQnnpJ+Yq4FYIj
HNQtTTGaL3Laz4W6PfARMinuFUHbgQFcNWc4jOT+rIEKThH7kWvMHRf+/jtF
niIfKKK+inay41UFHQxLRST8cypnVOhJCjmxYVjXGc9ORc+Z6Si/qZ9gZZAE
egcZk2PuFB7kQqI9BNxOCA4TPgVx9hdnHgkei4YkAZhADCvApCCoefbddUhZ
DnF2zCHOKeWOydlpIn5MHklg7BgZsUs2RRkLx7sNkdYuozmojWMFjlJ2M00y
k97sbwV5Cv0B3a/n3E8h+P7+BWqXFxxeFRi5GJ8+FZ1mOKlxVwDwLcb343Ex
9IcfvaXCUC+ggpvonAGAPE6A1yfCLI/n42UU4rk+iaARGOPaFHRxAuokmoHK
ibjhcFFsJ3yfGUocTtn7akDlTi9+/z3vFxMemYus2xpwawy2eZwiTJk2iBtI
+LFoT+fmtYbmM9Yaj+M5EwMqA1jLoynG0yStq7wGLZULFlE3T1gfawYS8oJB
a4y0EJSUsxE5lHLPqpfIR0GUhAwfzNkypAcSL01Ss1W2lunE1e4kHDvrkM0R
CSCZ92DszIf5+wP2lMwc1XWJC8g+uNAGJy+PB6fB+aCfkZiyEDQW5N5AZsyR
THxZ0Y1AfacmMsiu2K90j6GecUoTuOCK82ZP36GFfOt7ISsvMnVf9JLNhcW2
pRVwY749ZVI5/S7zxzHNDvvVEAYA4T+0Lvb/hwpm9eePxh+dFvx02H8qfqCF
pn/QdehjPc+OcfJ9YAsDWryLbnt4up5c43lRsYUJLcZBVQPRwoIW4XQKVgXB
qMfjNpUWNrRI14toCXprfhqihYOjYDQs9vBsypNtACSyhUstpPR8nMwmah8Y
50MQQ68BdxqURmlDC4yEikGJiF4B3UyW4c1cbRHgWupWi2b6Khy1MjoXlrqC
KEH5dISRmw5IyQg2mlgZIwMY0z8Q7lSxC1ANVo1ENLx6qsHBnSOZ/kGKJAXQ
pasoxB4ER+eHDxcV/hRFWbmo9CRdyO1e8CYiK6/8gto/0Pp0bK/1MBZ2whcM
747mWwMrYe+B2KJUFloERunS6uSR6oVCBWwCF0xLmaNplMlFityY8MAYdGqE
qt3OWv+v//F/MT0fuBs5xtFRu6KXqDTg61E0S5gZGyrxTVLTJh1Kxomzk46b
hGV/4BzRSAYiG6HR0dH2jQPkv+xYj+koFF6bpNzKbSpqDI4Wj9ezFQUIg3XG
OQwLW4bPouUSTEyg1Dkd/ccivOV7ertvKmMlYDOjZ15VawjEzENC8MG5g3wa
r5c8xEOEg+dtXaalo3dGhnXzXhQXIDK3RI03yaNCCQIU0k8brdkUYFbR9WJ1
W/SyAE0o4WHs9AWmyxCJ6EHL7qqWRFTCALKuIXgtxdOXlGk1AFmA2TU5HWKe
lcFitjMVk84crkF/YiHtQsGkVZJDjTnRqnMnWODMPFLJqSaYUsari/0c83Xl
7I1sArlwwogoag60u1SZhiA7Og+r2kOSvimiHj+hJWFv63l4PYov18maaeHA
AG8lnfJASowknSU3qUpoiZaFkWCHiFkNTXamH8WSDKuIj86g+GkhiwwSOMLu
FNYS83goOi0q7Xoc4X24jCmvc0Y+3g4/WFPiW/kbvumBCKLVDSZJ5IPxVlc5
dyBpdcSqMl6RhdKDORsx5SCh9XIUReyzKUArFaegqLVNgbQ0U3d0Ho+z4J4w
3HIFTMl9qWgSB+RIg47wP/yAjW99gVgBhRZf6yy8pdBBwjdSd45ziIiRSM4d
7KEYcZcHHHPDCMtNYlme1+F5HwIBD89vOU446yUvK4XkAt9jVKs9258faLMk
eYfeaVCY2Yl0zqJpChlXOglQT+fEHsYYsfgD0BYQK2hfFA6YD6Bmjn+M082O
AS4OGE0hcHJTF46rnMTGKEHar2JnopqHJqYwWehsQmxf9Htnrs4SuxTyCCV8
yo5n0UuSjgU1LTEEHpMOVTw04TtALunw8TwkIGP6fmb94isFsIjjZ/uz5BIA
jlboy5QlMIoEMNR6W5lnBOc3Z2SvcptQdfWjXSXgjxwBuakIRKk0wEkaj8fR
DLWGiHyFOAvyFdNn1wm6FsdbtaF9afJoRTVMgFPwjAMC7Ds82iDnU2YOb9Ka
1DVfEzkBfSVlxY022rsoWqRFEpkuI3Ld0CCItiRG3ilRgyk5GVCEO1+Kee4t
Z9lDqDxnorsluCdDNQNPtmzGh6jlIdfYWOSJtNYKBxSKxRnzjZ9HMgox5DTI
uupEKx+/ybgyN+yFHa7wUIpYY1GcKpYzp2EmMSkYmmbCzF88iSlPXriTFCNT
+YYJHhTSfKvmgqImPH7tCuwNirDKpy6hR7qoLzVLzdQMuzKpMubFApkUdewm
Wc8mUlpKW/2fQbm6mVd5OPfjw+iwWaUdxMI9wFPEVzJ7C/0RybzFFK5KVQ4I
ZID42oTVW+mmSauVxryeAwJSoD2DNXOPU1DbecUK8r5vkedRygJI8wcEuPBN
81Z905napfjI46IzZ6t7vFIvE5Mqn9dUTyDzildMoeC71vYxmAse0JczPNNj
AVyYaf+5bu2Nq6kqRqD4tEFMTwsLK4GLEXTdkUdTdQZX795DSTCVwp/NWw3g
GbNXjCZlxBBCpZrZ05lOkafDwjgjrP4oWRZ5PRkr8xabdLNmtiJMGpcrGRqM
RdbIrtOjfb3DOHIMZhSiLOYHeB8jyoBpVSgqcbXrWkawjZJkFoVzAWVQPFYM
0uI4W/tB0y86+FzTtX3pA0G7mKs8qdQuFTldscSNihCRXc7fVpExlNOWvqc5
GcqczMo5IS9kPE/uojDnv9O0Li76EhO2hX5g8IwXOsSflAFCaBRY+Rgtk9wD
HlWJ6+KJ4cs0OzzPAgW411PxbqbrMSoGmJvBNWV2us6O0NXTdVz8NWAO7RQV
+xVaccWmYuYDnd0RV2oyk7IW2MxNLtaXA5XO3vFg/hE/sr4G+YyJWAw5PEZl
znkCy0eoz6YUhgdQJlEJApgneZFoq/20xPvJbBDGEpi/LaQ78lQxUoNV85dV
gMs4ouhU+r8p/UmAoNoUYXJgFk1XrQUgTni+s8VwjCkWy66YIvmQrUbMTqmu
RgZqMp2mVJxgxgQMarsiEOqCAlblVtOJmLgVzq151USmSFdMx63ydoqNL5Rn
NdpeBGC0uJBTknsUYVcxHBrAvPTFBJM7cQ/yTK4mr4wQz+Pr+COVLcp9H7JD
MJmhgE49QhTsRuA4FSqsMFOLqjpBI1KCm5YrqW0A60XvyDyLy1UlM76m/YIY
yOGYPJMoW4hvEAYwHEoGHxcdrIZaAyRUTzcIjwhgZt1Kh5BQUnLDcoGGg3IF
llEHTXIar4RZTNtXnkCQFsK3SNW2ZESpkrMkMEUCsSwWiq8muzWLF6NgbBUT
0gCCTT1hLpu7nC7WcSkkHjz4EXpMOaMZ1RqguS65cy7EOSwo1RRnzRzS6HVe
EWtnwEu5Tp5F4cvzRCVTCcckKshAw2cBlgImyq5K9J8sBRBaqNthoCF7EV4n
vDSPImxJbybDhKLNkPjZ1uA85Dq8nMer9SRi5n1+AcWTdcq6ZX6PYH7L8CVc
abtADswaZBSYrX7AjRdy7PGV0irUJkQfPFoANyptCBj8NA+SSq2iSCu8TZXa
hQoIW3mY5vMmOCSIxfIz5SY/VM6YpdRaM0NL+oKEWlFtjmlYX0ZkMu2cyJTl
MeVSl0ggAXuuduLjIrkjr8nogM2wQiOXTvvMLVCtmee2MTWuMEwER82cTIJ1
iFB65jahbnNFZTLJMcgUtTgt9MZ83qwgZVgl+eo1gs0S/vv6LmuEaYEw8lSj
DKay3v1wlPKQqDJT1g/o+IdNZJ45jRUVVds3GDTjKVd68QSQ6/mojESAbz6G
TCQ8IKbM9JfMeSB9OpvJQ3W3iCNK0hCR50t9KiMEGuu8QpCz8AbmdJbIRTEs
jX7UaUXQq8qaStpKpUjTmzXaitjsGMOSsKd8WJqCcJPTxE/rCZO5gpj3mS2b
W3hkD1WgYSfXb62nVwVXQbOdZ65epq4o27XW56mYPJv3pph2yYtX6atl2sqC
KpzlcnfwJWm5WTwV2Ev5aJi/bK9n26x6vzN5+5U3+1+0KzMh+adtSWXIO+9H
orm/u/3IMzmUDJosuHBQrzcoElwEGbFQsC+qOBQSAZKImVgibh9UPYzOh4F5
ulzOowyqdjhqsWWAOTKjEnoVAaepcFfHy6zc1CqlGCmKtvlDScou/PwBeBdW
QvZsIHuRYVSt2jCq6ld/aFUPYUYtNkRN4hm+qo+SxbcMj7UxtsoQTFcLZivK
5cotumYIkw3RUnuR4aRl0NVHlCoTVWJclV7p3I0i+8l3liy39mrnei3EOhZW
DXsKi/+C0Ubx/M8TTJyr7dmpWDVlEoHpkAsQ2zg/t6IXiSRMYAjIy7alF6+i
F+IW0UTJ0JRzeXbU12ABh2b70HG1/aPzl61zUTdJdNs+pEUeZMBjLAmlRjo+
EzILNMIWPQHFBFntgTqFVdKNuMKyaQr+xim4B8WVceX8EQuBqe22vbFbT3Qr
Iu8Yx5D5cTuwij2eEfccLBx2DFRmp2UbrD4i7k82z+rSraLK4bV9WMsCPVw0
2WdzlgrGspOgVYu/JUmYsrwDxooXYrEqQ662CutqXn2jTPm828fw0xJcKunR
1TfSo3+gFQhShZsgy+fVxvQG6nxQMb3fH5QRJum1iONcOoA4suCRdsyXI9yt
6aZQtJymzmMC30eyHiAfV5SOlENKL3aolO0SExGan/TYUC+qb2paOOcXfuEs
Rev7ipnxyWArGSvF6JH8WksWdIRhD6hsxaQh33IF+UYuhUG0uJQKXZkdVKPm
UUrhH5Rw9wPLBL5zyZNc1sVd3JT8DDlOVUJIM+cNekxnVK4Pc+9uRcAIBWFx
OOaPcXPecdJa1xNQifEXuhGEulovQc3G5HF+WCPKqWXBxyzJQY0cWwlwU+Ia
zBgUBDoQVsiS1PjwMqcCk2Ghcu5MhcRXNXpkIUgOIHWSFML0cwC7L2/7XLZ2
HzWzKjmgRvmgfAbtoVbD2lwq45QpEbseNCuTwfCYozkL9Yr5rGonY26bjFlS
lOK5SNfOsu7v379VVoWLAcOb+re29W8rwBQRFCJKsEatyOs4nKRzik4x4FPQ
Ku7OLPRV6Dv50iG12c8X+XZfMr/ZZPrFA6WiHyvlg2nlxVo+WRtZKD5/AwWu
slzceNcS5MVqx5ybZ5GZanHLxRJEUIwVHmVxy1xxwkJEcjb1DSV7txXLUY/6
8vdmbFvTX1hIh3L6cba8dABnEtlTBoGLqkqOohbBTATETuMlKAdS/WZHkBwK
FMBWqlGAQRSlEgXNyvgU0hiK+dNZsD58WKtrs7IDwAEMFjtnfo2yBYrDCF+K
srN0bFeuOivLPLJo5km+5Out1Lg+sHrB/PoX2nHCn5C5WXN5RbBBsUJsnGuF
iomMEFKJk871moXcUgk3oEuYMrlhJ/wGkcwZwqAizm3pOJcOcPORfBR2PLtl
le6wTvLRxL+grBwWysDOjX1eEoaTKQ3FtChZnCsLOIRNNkvorwtsmBUmwNBR
OUSczU3m65cPKqVSn39YKMOeLFWGMMmX966tLCzS3Xld3AxyrKY3lerC9KCY
yk1SLV5eHYUlFGSJ81Tm7cPqUAGiqZehaOpfCIzKGBTlscJQYyam1OtgNsTr
7K+KkUdUI5sxhwPmCb+KL5F1qStPs/gOwJs4sobZz0AvpCj1OH13yHTlXKna
EJ3wuKFpzTyR4uxx8L/+x/80HZdqbNMfFnvAj6EpHIDHBS3hCXQEexAARaE6
6ONNtf80/08DbEpgpfE1bpibZPmOvoYXvq5OLcJLI0LUH/dH8XJ1NcFrMLAY
8YF04srdJM60z+jYhIWeqNo9sE7G5sLCsXpW+YNnmWBhd/pQ3B8BnAujy9Bl
jXEqKQ9UYYSZy4DL1Z1G9rofHrCaOrQJ1kjpmXwVm4dq4lN22uiAZXsV/OA3
V6BbMETw9VLeDkuypcQrztQKAQOS6AAsVOI3m7Y0hoCZyBz2KaawswOCkkHH
2QCogD/wPXFIYfh+Q4xSfGPqO9l6KK2ksfdA1Yy4YAMGjG1anDuIak6sSJ14
IyrVVdaSU8Qxr7j2kgtD9c3DRtExo1Hbszu0RNtQackUoarBWC2ugvjGfjog
VuFNjoGwETYVgpsnqpXFmxerh1VUIytXIuPamtqP1M6VBaS84l5+Tft1azJy
lfuyhW1a09cAQekuAmzESfuLg6g0YMpby8K4WcU5WbL2QK3iVk1+siyi8rCi
MiIbS1RHrKTPTWRofi0c5G954I0UHBRlnPLe1HdAEq62Eh9Ut/G7SlxpNd/k
ygYqU95MNEWSYfd9nGaE00ExBY+wx4xaAOHlxxqfdekNTrn8kM23BMItACzW
ULwr3xa1+jjkiDdX1etTICts8kLhPu76LVAk9/GWrJ2qKnA1BeBUk6yDniu2
Sf7QiOKlK0qUj6DSB/D2ooaBM0ePIVqUNumFxsonmFmLwt5jLdhyC/T1+wP2
gCwEMDyEj7twPwpfvlJR+aKKhjHjofCc26DNuqkxqw6rjqnv+FeiFI+MemHX
v+TSWhRFhBkqhal32EfVhYKl0c87KzoYKMFNfqF6CfgHpRycQgrOuVDllQrV
aS4gl51V5bX4fL5PpuxvNEwPlQIPpNRkF05lriEbXUNU4IGGRSjhXTNKkm5l
phe3PLCyQoRZu/waSLxqhMMbT8IZqezn0VQBNNzZTIvnHz+Jbiu/ZW9Bv2Sx
SXQLBIaGsHiYA+E0kNcSAX0uE3Ss3DCvPfNCyEyjBMua8PKLJbcPA1xmAjap
IgLWgUhgcA6OikuOhMnHjXKWHa1c6VqVgVVzP1MdXVfcziQCmpGYaN8smzxL
g1+jpBQI2BoJv0zStJXFdIu6O0UewKpVKdes5lLXBCnRTScYC8RiwZl5JO6b
ZQuN5/CKXXCiVhSi+BVRZ4FVAguZifCAHyFXKD6Vj5sVQo+gUpZivz/IcCr0
fjzpq+RvKS/RR/n0uUPqHLfNomDvsiGZy+0i18utqGXKa0pJKBcidYuXw/Ji
h/sFvtIs7dZmcQvCvsSCK1kVSlXAyyCxaywPsJgVPC/5cpl8TuEyu8CM0rs5
yS8FqlZ0BQ5vrdTYX0YLZuIDXEZAt9csZyTL/G/iNidjNF2EdAleDT54URFy
lMGuk0U0KAGAZpOLTZNqd65GlOCEZFhjBADNoaPmaRbFpXKKSNoq3d11RfXt
Qtp0NIOLElHmUuQZEnJq3QURYBPvdCLlQ1BBVphisl6IWM77x7rzLAl2DVWy
FVri0G7DprgVF2GRLa1svGxQlvbxFaPiRWJdAaJKWLzc3RsQUzqu57Qvqmsu
Zd52RScC7Fm2dY2zTYTTZq4nVVBsjJylz+j69bw+U+FMLCoftWqHWjoYp12b
rIfZbVlILoWwstRQ4SkPy1lHGCFVefx1ILxlOE1Wi0JUxihfRY27YEYXP+bm
lr/AQdzGyBcqDecORezzKxnFaY5adSUuZCsiP6HiPoLByfUpVzjK2NtcBuYO
m7IikDTPO3O7KbeFuMiscwn9/qDmzSdJkTUGkNhlulBAFBsoSjfYMCz2utqA
kcCo1ILlxbKZXzxTpoupZyVOTFpmaXtxAs4p5XnGIQ6IpEyjq3rJts1qRqd4
oRMvCp07JcRZQueICb408leUUKyQH/NokMFRyA+XlStJiGRxJbvQEO+8FAS8
gXRkGsIm1rhR8eElRqScLfMhVtOLOhAzqVLDcoRcoptdadXYQKsV1nRGqVWE
rAiQcnHtKoKtrIxfPFW+c+nyL7llKm9NLeyj5re5keLcAb30wFRyINC+67ge
RkrkyT6pUubyxil1g8bpJvlaPp7Lu2l5MQhWy4+d8qvRUaqw4RcaJ5os4Seq
EVAuPp068coLwgwoCrg/n2N8ReRUZUXxlJAKsK3wAmKAqCxXW42+MveNp5Vl
h9htnDScWkSG9UrxWLKQTWk2zczypdCK7Pa6+q7mFa6mys5KXn5MfsYbypjK
pNxYx0HD7r5FDVkUstnPl7EpszwerJTTUTM+t+1OLlEWOH+scMHkRZ7jFw8R
mOJSev6JB8NUeD55PjKroCZELS9WjyQpj2BZTAqsIGVJWFzVUuDNrnfEyx1q
6VhIGipBGJJjit9WVeNOeFhpIGSSE3TjcAUdSoO7cFbP7Ui1/hfj3GmtxxWv
5Vnh9i2E4VD5NLnu/H0xnDXRxfRjLEhNIIJRc6YgwfJwV7FsbhTL5VlvFMtZ
6NMG9fJr6mA1HoBNdbPKapHgsQWffMZit9iJf4Z1qCryRSR9Fbvwv6j1d3c5
LPwmX7KEQCFKgp85yGAI9ndlnAT8a3ugBO+PRUoMsJ5y7nlV9AM17YZpPN6t
aflYiZ1Ql0dTT6izkEYZJyFWe8aEBJ1l4sWqLDqhPCM1RkHt7puKUeAxcTUx
Cgse4RislE7krXs7RTCIKNz6CAbeojSfe4UwVKGBhzCUXm0KZOBYLRPPJrSa
fydo/eywCOSC2TYQeJIPt5NOxZWOHW3OLmHUa250LN3SuDP9fQ5BVVIAp6jy
u20kVU361dEifLS6r75svIjcpvl4Ebk3CwEj+YmX3xQjRnJT3hIyUiKuImmV
iGcL6WwnnNLFntmAWB9QUNf32mWSTFRB81AzspegL7R4ldx9runhOejlPP4Y
TZpV8ok+0wraCqodrJuD/FBm9s16zor2i3FYdTUxVuE7nunCbp9U/uCEnGV+
0S3XuX1avHqFibxdr9isj9tJF1sCdxjB1ETu5JQM9eLNB9V6RKPB6/6RFpNX
8ETtZvmajBiKIV5GsIvJrXBR2a1Qd8tZEIU8Rl5A/iKvQVzIe7mzKrzighIR
ZJxS/BDLsS/rHyKWqPoiGpFe9YcoQzldzyRVsJAifHkdztAcjibCxhbRRCzv
ixwBM1p79qVFL1fL26dUkk3LdeuwMePLUxEOrrx06eV6zvP3P8q36vUu6YIb
4vJ6l9zKGWT2VJSXZHsujEvFTJZgXvkdOQyMJtqk6C5ax2R0IDVkdk8lIZSv
DLuo6jyfQtRoXFQpJvL+VnYlLEyWH4uzzBNm/R7u4JOhotZ8xcrNkjwuhvlb
QEtGPw05K6t82grlCjl6kSsuyDoTt9lvvQBynnPPtbh7ruKOyO95Zgu7aOIS
K5yMotuEp3zAvl0xnzj6a6bqpZS5sJQK4Nbkc9U4nqTJU/2iyvWkYDHzPXE4
ybgtVoum4kCd0z5zpoj6gyKMhj4dJ2vKEMN7PJHQajwmPG2w2mNG0WmqO6sM
qJ2dWVwbKHmzBBxUdxbzdPM1IgyqQ0nu5NcS4+zk2OJ4uI9/SyCA79salG/f
uH/Ozm0Wtq16jvNX7OeiY7DMle/qGZR438CaM8dgmcC/lbM8eUGnuJi3hrh2
v433i54Olmno2z0dLM+22hOrZC5PsjPo0tdf+QCfPHbSPyeK7VPRDxl3xlRJ
rimKWfC9mj8srHPKfoaLWng2/yofdcX4249Yv7oPWoCguNJWyna2AozMDVIM
6UJbC68Zye6HlfIdo5fFh3eplywG3XapK6tXza4fe58V6t+/EGb0xYG2802t
6gqV9ahlSLi0l1fNMWnIL9PLV3nWcfuIWr6ijrZyNJel2LOu6F5Bdo0r2xJT
lhuuFkmX4M4pUSqQs03+xS+yVcFTuMhWToXfRhtnl9oSF8kOoPGTwpW13AMg
Z555TcTM2bQFi8pd77OWpwhldU2ho42nE6z1X3s8UcX0lUu9lkvB1XYJCJC9
5A95cgH7FfKlUnaoYRFf/tS8SjfIHZ6TlCCvRy107ytkuLATI5VdzXgPcVGK
0lWsJcHMKlYVQlvF4mX7LQE2cglFXQdv6ilIvA0B+TIlJqOCimyNi1PxFmPw
e4+fHfUGGr8NgxGbvJ9LcSDA1+gTo+pNPJOlhZksOOFDTTlfk/eCE7L45eC5
DBEBHZzWsoZkldQQzMHGKlzzVUbmJTWAG9iUJaOmEYj6E5WoTot4Rg8cha4o
FPdXb001mibr4kvE5pR6+yvDc0QBF85WVCuiwvuxsxEh6EhagDubeQ9yFZCy
0y3KfygURmpVWl+dOnOrbJ8U2OvXsMcE362AJjP072SYFWdcXOsdBEHdhAQO
MuWjqZyaNJUjEu4nrVRT71IB7+9P7/xevdzsa6idN3lmUVQ5tb9A4ywrmhwm
4fswnoWsGlRuSlhUSRqyUrLIGpdU7ImBRNFPD2VVzaxe4NnmTIWag9HcRed5
/36tE3JjoLrYJlmK3lBN8uK3NISpqH4pU1/QA7e/IVL9oFktXaszwRaRFLY7
JIUVJl3KCpNLZ2lh4fsklhXfs5wwzKdbsQunlQsuk/F4vRQ2RjGN8AaLIFEG
IrecWfYd4v99PFlT2UhO2+KmojqA88u4ZQKLwPCGe0YlVkSigDrFonJWAvx+
tZvi4Ovnw4ml1SXEqej8BjPiJDUVYIK++EqypLRMTPio8Nbk0BmusuQ42vUV
IQK/P6gwSVnzB+XIgd8f1PpgULJJUOT8ddXZdJX+J3UluVg/qSPsGjHJtHZZ
tateN8tNlVXlE7XB/pzwSmEiNUkdzQBwpkD6Qjs6OR88Gpzi8Op5GzdaysNI
aXidpKsWleLDbkHuj9jNemm0+p7RSO5jQcSY8r9YICUJDQvhLkDOTakvUP9A
NU1YLGk+A1pmqG+33FgVrUSGn4rI0zsHmqLecI8YU75pdpfCD5TYGzzWVFxK
CpUJEzfnv6eKxRcYHoPHA1kkjDga4FoCKHjJkqs1SiTKBWNFlA+rd3g/eEtg
cQ/G4iJB+hRZl9HJDSc+ysREFhZDBR3KWz3vTDM72WRFZ5m1J+/ZkL2W5Wad
RCLdX110Rxb0pZEK11uarYiVbOCnlHRwGrN7ctWAHaU0sBqpI4NTSi8q1cys
Igkp+EwPonCeqkLXOYci15k4aghyzaph5U5mN8/o2v56Loc94KXA83U52QXf
WJJuziQuOiqkVyA4Ozk0tKPj50+PekfnZB6LtAiK71DJN3fULymMTrb//Rf9
33+V984e5OlVNDGzJqawuNn4GQ5Vs5x/Zvz7r99za4KYhVTiM7fsu8xQ4f43
0M1n8Ri4YsUW4fVEclfrGgBVYIcILkWNZ+KJVT1lej737WV7hQ0rtPobyr+W
RU1VkKn80z70P32iouKZhws2kLLNCikqJP5yDeRJPhnMsFWugc+KchZUOXDF
KpfIhS7D+WUkD+rRisyDLkoVQ0JcNEGcOQvsE1Fj1UpWTcWPQ1VJJMqoVOZy
zViIw9e5nwIJW7176P7XCUZ30hK1i19+vShfV4EwUGu/C4vjc6+t+EMLQM3m
7AjfX7MrZkXxrFzEWy76TfkD483256i28sHxOhP6X/n+CL6QijskiIqyhciw
sxrqypEUgxY+jwhIwo2inEFXg0hhVsrNFdfcTXj3qz/+oKI9+SL5BRifMhWm
jKFqoN+pfH6xAWKGxyZWBLRrsvZ7mffwq5pErKJcbTNLTlGpiBeB5wcayrBY
UVyCI906LL++iZkm1UOxevbn3T7WYcMbiRYr5MRZ43OquVw7hFWzMtk1n3lA
F0CAPFmvkul068xt0W3tlHm/Z1gLHlDxNFFvjart19k2XYCEBX88p7pS6N04
kx7OLLCjvn+8rmkHaNALZFviDiXimMzLUdu3vwEmqG0KeZwTlqThFkRbFqrN
zodKMq6oTVAnVbLwQMDMxTqBJ9oLjP6jFUj3NUjbpeppSImxEJgkXVZDS3A7
zogEk9vAf0SJrz1hRpfri1/l4pbzN7hg2PLf6jdBp/ICm7vd+pJ1rkaSiYwE
EKZ3D1FXFVBW47BmEHJ5XGfp5sLZuJC0XlGEn0qu05WTKAXU6wqzTyMKIFLy
+3lqokZG5WzGYyhDmta2kvnafk1IHBi/Bn9Z9kEc8DL7vEHFUTOpv5jytGEE
Uj1nN+Ftine2kzYLWk+6XrCMeRpC2lKiDt1I3BlUf6MOu4yTKmWrsfzK+TSF
etanCYsiBBV1P4j+0JC/FQZ8XYj4PkJYM+im3+3zqIjMrRmq6lyfjUU2Byh3
9RSZuY2oPdm6CFw21WZWKr/qNF+pOaTUt8JyjyL4VuU7TWFE45LPHgdPn/JU
ifpMCX6LbDEBQlxCWsxBgGUbB+IYphY0WPWC4mRLMcWV2fvIkjZLoy/Bl+QI
Z+XzT57+FF/mrqWkn005f4v16El0Cy+zxyl88Itm/q3mK+3Xmmwjygeq/mbT
FzIjrma4HygRdtPaZY7bBvDck2Nf5ABaFWJQdY6cXekgHCVVYK7qTalFWtUd
7TRBMxS/PiW/VqhaU+heVnbXRTVcL+T1JNlVt9uEx005RKFKeNANsdzJzS9q
q1pXynx111SDgpnfcVoJz2wO4gaHFYZ60a0+2tXtaBlPNBHt38o+w9EWCQqI
KD34XvF586uM2VoY0ArOE3QkKyK3avpNgjvnBZuBzCEXfaArT9gVj5WITjkE
kQdjmB569eTpKId93ZfrObsVgV3jg3L9mllg6C7MkzHmGGzaT4o/bUfaKEN3
M0CzmY+T61E8F8FAf5P66Zfgl+cnTNX9QcNbUvh9DvvG4aHh3L04OOMHvEv1
Vkaxf0MYZRYtrhC93P3LagmjBEQRxDcJguNctOSX9DJ3H8lTdrLgm6arRI+w
lBpSXOQdihgjkyvZp+jbFPCdj8UvTQ63XBbZkOUnZrUnFtGSiU7SFMTNYll4
QBZYD8i83Mvy30LteXB2BvrYOe9JXB5CvtjeLCa6IGTy5ZT0MZEwQmeg5QXS
KfcOBgwvM6G4+Um9PCqWbOa3IyEGWrye8yf1/i+epyTyfCLSybdd9MOv2ZxP
sMTzKMFYK+wQm5ciutL8TU8iPk4DFWJGwULAxhYhgq3VypT3ZsaKmzxSiBxL
6PJfFqPYwnygX5yPeFOLneCJKkJC3IIlUo1Sun4FAXG2Hr0F4qwIRWyKd7kr
rinoGDHKFl4Z7Lh/MbrF4sFMkx7hHdlkEHSjcYj3T/L5h+RZQoYXI3XOkNdc
hksEclp1tioOGZrZoT/TqzNEAdfF/CwKMqm4Ik+t5g6qYwXu9pVzSm7loBDk
kTvqbMSFXchNSMFElyZtfHH/zpifTcAWuEpusoAJVhSdHVuIg2EcCBuVQgN5
O2JNE0r0ZXnOf5RDE/+oCC+UFwlU+d8qXXIwQilMgrwoj/k5eK4kPundyq68
UBqWC6cXZlZZSO9rDVSKLP4TVsSyHYvhrX+oAaP4VzncU71qEj5CsuLMTHU+
l6gtVorKF+t8o+Q7QuuL61nK7WPsHrNdQ1YrUwbzEQl1pf3LMKtMNMwEcRVo
aFuwc/xQXQWLrSjv+tXVMllfIkduUjjOxn1IPDVHD/mM03lF3cDcFqWQ8lw8
8HlVtAe7KYN5cFaAVZYhgXcqYozMxisctEuc5JyFgPE1yNTMcJW760EcQYAt
vZjxU4Hzp2dECXiV2QTYLT7IJ1kxGzkV31CQFIslozf/sZSlXDPPOlN2bNst
+MSVQArqMCpcCMoi8XLZ2KXyCRRGBcwxo20xt7qLDUO6ohEXlgtOoemrxReY
71d3lVn7nz7l7mNBQVY8dyickRQva9nIZLkLl+7yRdX0P1C/Ufo+LxyrCD6w
mqUMgIID4OoqFyerZBCs9kTMfR0kMPhMTuSiqWK6onhmmVcWixeAnRhy5XED
WuWls4UsTlDgRMLmbl7lfGpqwXxofMeh/l0JLzv/fKcQQ36ytc6Q8s8fje9+
YD/iv/f4wZloVGmGkWVH9H72OGjhLYi7zeQPSWuKE6MDfLEFcN+tG7WTZ3gw
LX5gv7uHvq1jBJVuHFqMBWzv5Hm4hAWtaCLcgbvTanKdALllM3F1zXc129d0
Q3MdTbc03dZ0E//c2Ik4Ru6Um22byRciNo0XXSmh2PLtO8OkAsW7dXM3FJvb
O/kTUVwxm28Nxax0TgnFjlEDyQ3LqUDxbt3cDcXW9k7+RBRXzOZbQzErgFRm
1OYX2cW7dXM3FNf0+BehuGI23xqKba2M4uOajbIFJiUUX+/YTy2KDRS9jov4
bXuAZ7tK9FV08uVRrLua7mtmoPmGZvQ0kD/+QLMcxDji2qjr5FtAMatUVtzF
1q761jZZvFM/d9vF/vZO/sRdXDGbbw3FrN5cGcU76ltbUbxLP3dDcXt7J38i
iitm862h2NOqUbyjvrUVxbv0c0ejSd/ayZ+I4mBzJ98Cin2thlHvpm9tZ9Q7
9HM3FHvbO/kTUVwxm28NxW2tCsVPBoZZI/Pql1OB4nfRLv3ccRdXq1x/EYq7
mzv5FlCMbK8KxV9G3XoXfXl1q4bz/0Uo7m3u5K9GcSFYgzzblHYdzi5lpeeq
4n6YUYE++vUSj256WLNmgkWQeVpFyt+g0/hZ/xk2PgpOgnLDOJyHJc9yucZy
yKvGoisdOzpsNE6SFZVswLDnwSSmy0CezyIsBMozO+lEhnLl+XlcMtX2fv/9
v50Nng4/fdrLktKwCzWHOLvtm6fLUehrNItWPJ4Cbzm+XIaLK3amk8Vuq9F+
p7z8YaNBS4/l9SAscpZlefE6DzcieS69wroMrGAH4CILzGgRpD6JAA6GlSyV
Ram2yG67Ff3Kx6zqyR4FtA1yB4D72NfB3p0qsFAEyFfw6Fenwuy2Ib6MR5+y
QYo8D3/q80Pq93eO5+EP8L3Fu/hDK3cXS+Vyange/iCrc4HpOfA/79D20ZlQ
DZMadoU/6ARoa2aXfgHD36F/PM3SuR+gopMSu5LXim/5UTsp5stpdWkB5U6+
ELFRmksVirckvlQuZzOKMTQPM+eRoRZWdFcUV+pCn4Niv6qTr4PijVHGuU6+
HIrtShQPPiyovn1PjSMAdoPJZXXLqULxOALmTF1RlMSzebGDYiclFJuAWrN9
uBWyW1FsaY6jGX3NqlA2qjopofjo/GXrXBSQEAfvbZxenug2oniwFRqiky+H
YrcSxTIV6w6A3byLKQpyVSmT7rqLK/0In7OLg6pOSiieLMPpqrUhpLOikxKK
Rdzvtp8vp5xKpbSgCOV0UyW6VYnoB9VRFjtgBZ9YGnB1mINQ1rhKKpXgTzXa
23gZUbxUXseqKYSdaWRfUxs7z/pn66YYfQo75uU/9p5jMROY9ss02mtqe0eD
8yEmYcawBlKGYQ9jKiV7tEexpXv5Zzw+GIOLDDMXXORgsYli68s1oGTGYoAo
lT15H0/EoiJqi1UBoG0ra0qrwfBcpiKzLHIMJV2KLK1tM6fBrsMJhoJi0Jza
fk8bhWmc1i/E//SpWdGpFk4mlKNK0dpLcU/KZnggTui2mgmqEqzo0hI+J5pS
SBTMjjMe/5Vq58tw/E5D7AIKY1x8McvcM0zKMp+liQjbPWRR7CySWBkTMxhS
LE5MQ2JOCYD1HREjKyJKRZUYKvbTA7JMFognFmPGpqvMlJfyUQntkGL/OHSa
2qtHFIe3ZChHMl2DtSQqQM7T9WwlSmbwMdkgMF1ZAI1f8JOsV7PSwnPFHyXl
j5PZ+nqeSgNO7jSYBGW2ciZWV2CKBaCJSpWckbCofNrU+bgmwmwaCatNpE+s
5zHwCIZ21iHmu2GtPq1UQZFS3kT5QvH0UOvz+NEVq59BC+KjYKz2JHtd2uoY
oylJEanvKF+YhdIKWqaNCzQtwo5CAmBzb9tWpR4viQvy4HbL9FyP77zlO96j
ynEOKeY+IVZUUTOmMJfi0OeFImknz1jGCha9oAwXpgfU4ZdV851uQuim/v+W
1xCqRsn4gyKH0g1jNrGEH4azx2oVGBiK9Ii6hcDLQkIoz32516pUV1jdiAvZ
5v4A1I5qvyR3D1ZAkcPkKuLlpsITf/aY024PV0D6Ut3U4aXMUxCTZzlBbHvi
IwzR7Mew1VZ0wZooWHMvcGZ6VyWFYP7egtPImDXVwlHCS1xVjQh9yujWmk6Z
kMBdmKiJbHkP1oZVERli/lKeDJlPTrJRRNIoojwpoHKSgYtksZ7RfpWeNJGK
XHfjB+pf9YGyu3vMGPYKzrLVLCVtiAXLFh1mhWE1fjEZuRpK3rO9c3FVvPY0
vMWUaeHq3Id+DlTHWy46uU/FYha8lEWxdgunjtoI5VJs8o6xyqUoZe3kYZCP
VS4CZnvUclmB5vrzcTSJQ5buRcVoeKPdkadenSeKo3La3QuzHhWkxPNK7Tmb
SSq9uSocQpwDRwGrNaVOXhnqIUKzNV7OvkPVmgdoUxJrXRvtmjoi5iFVLFKq
wlXIgugpcQXMYDUB4Gw9ok/mJKsKo8q79xYKUwZMNhriFkVWHF76zzsapngi
yCV5Fhuc8UtPuDv+E3I86QI/pOTwfMJesQMa/zmyFMpEy3GVTtYVKOwZqHiG
HuorhJAMVh0tAB54fHQ8aGGOxyzGYpIrsdcajSFoioQ6xZKrnFGgCFtKAmUT
Qj2gjxmyrFZoCAOkBOw0y4Rm88Be/qYdh5fAKpnvHzRR8XgYz5QcWXpxiMhq
0CdjJFfgoFNsRehEXV1+jle/YnG9/wZiAbgp6gWUUM3U3xXeK4dzma6XXBPK
pq/BZrj8NzT0DpPlJcMOVcpZp6BB4y24x8fPTpBSUBCKm/Tm4jWDDN3SyG7M
BV280ehdUSE2HHsJOy+Cd6jn7bQfcHK77AnZbvd9QcJ2+95QZvCP/fGP/fEt
7Q+UviDjtu4Ptd2O+0OpPLNtj+Rn8V9ij1DO2Zhlu/9jT3yDeyJd7LgpeMM7
7YpiAuambSEn8l9nX7AaT//YF3/2vgDrLniOAS54dVNrSPPInSvw21lbbIp1
BwuwwlxBr71aEwQ9+Bt1scoGqrjYo8CWujZ87+wJv8Je1QK3G2k9pXrO6eDs
HG80H8zfx8uEe/b3e8np4EDxRO0VQksqzoZKv+XafkelVdlduKWzKfnmD+2o
z54odjqZ2EiGVcdaWK8VOYWWnZHlT73qA0tKv+Xa4oRVLORHbcnfwPj38L+/
/EK7TxzY5S1T9dPib39I4/jXX5VjuntBuH7C5VFrJpyZDZVr9f+sCedGbddN
OKfH/bUQzk3Y0DdOWMjYrz5h3LMsHE49NnuUHQH+/qD2yE/ECUJH2igcv2tg
yODgQ4gVBNmH7Ffmgnr2HgvfRjfoehOHQWI1qgtOBRkWqWJnq+KP1/yPMyxf
dRpN1qyjrEaL+NmphnL9H+rzxh908BleI/m35omoiU4lYdFbxNesveJVi0SN
3Fy8yh+aYXv4bxNRb/j/pBU63tRrXZeW5WBnHnRse7keAUmrsNRvH5/etXcX
J+yYue7xaiK8n6M0whF/sfMgtt6Gf5s6lnN2jNwgKRWjFHF3v/ESvNQjqU1Z
HV42DMzVYd3Av1w319eaVynN9yZql9b1Z/tYW9mwsFfPKkyu3N3Zhs4y4uDV
bf45zfm2YdptkyCB8HCdTYO10HHKggh2GHXDkIZu4wJtoklX32lMKtjyeQP3
6FZDBKxHizWRzpz8kiMsbprFXNKAVPBUjCeLSgtkYSe0muI6VCqSlZxVMip1
ZVk+bVii/HauO4xEGBd6o9q1NZ1leM8uWs0jwbdx5qaNQ3rGpsHyeN826oYh
DcNHwNu2S+DfacwM7/ceWOLdIYy7tFEdYlxZ0BATGq2Eywtx6kEcHx1s4TJO
WVU80VbbR0HUkVfjscsRxlTwBIzRA34I8jiaYeTHk+iWVSFSGRGzknuBJg6/
n2BNyXwjfiFBvlGj8Qs/Ffy1o/3Lv2r7PJC9hSN33kW3D4FDEjDH4cPFMoYn
h4vomtdcbJCE6Q4eHZ1oz0+PfgrOB9qTwRt62jju2b3gRXDTffGm/8T86abb
Oxoc9Z9/F0yOR7+9Xk+6wYn15iS4SU712JrP7KN1cnYWuI/Dj7dmEjwZs84H
J/1y12xwuR4VR2D0hCxASVxW9JyuZ3ocfdi8VvxGXSyqM6yQoHl4FX0QK/a7
umkbuqH3PMuzXQf/bequ5Zluzx3Cfy1PN/vw19AdwnvLNYzA9Tzbd3wdfuta
7qDX8NjLmo/xI73n+KbuDIZ+YDlOoMO3HmgSfdOy27angxRu+IZlBHa3awbd
tqn3bb077OqDgTF0g67pD2EAXfdhUMc2h7Yz8Py+2QsG/aHl+r3+0LF6Vltv
6E7fbpu2ow8M3XFN2FiublqwPA8+6wdWYOvW0OtDDwO9a/V9Hcb0rG7gB77V
HjqON9SHDce39YGjw4L6rt7TzQD6MQZDa9hzB7Y9NAPLhal4rtN1HNNyjGE7
sIYOTBzW5LlDYwizaJhO27e9wB7apqN3zYHd1YMBSJO250KHTtvtW72e0e+a
vV7f8PUg0AOzD9NuAxj0LsxCIYoH2jmY/3jx4KmoXUoq7f0pYPVhJShA3VIa
KMNn+QdaqURlRzPpObsZTWN1QnkdZd1gr8qx3x1tMDEdx2hr+4Z5QK34hTUd
rXfyw4rqcfPJLpNkNQ5ZT6xiY7kNf/8Tlu+MV7d8/JNkpXUpvqqDSozT0g34
51zXO/TPz0qzYLqiwaGZ2zLMlmWcm1bHacM/P6tDa89ZNACyIDxx6fA+wg0r
07TT8EaphyurTDtRZ+p3QhjH6YQwI6MTep2x09EnHRjcbndsDx+aesc3OpbR
kR+Gdmc06phhZ9TGtxO7o48601FHjzqR0Zm6nRDe+p3ptOPBK52+y47YeTdV
5S+x5rgcxZx2bKcTeR0f5jPuhFFnMu1Ybscf4y+O1RlbnTZM28EJtM1sevAV
zMTQO47Ln8EgL9EPpO2bB03AWrzCKq3yA/2Dq3e0XwA2dGEV0As0On2Kv4gq
3iTXpO8D3Rx2VU+9oIN3G0ZNbRGurp5G8+yTjmbwZswNBXRSWLuXrZ3wW1UX
3JwgwgAButWZep2J2ZnanUjvjKzOxMeHRtjxrM4o7Pjwj9VRPm1PEdHetKNP
G+quYLdAY4sIAGd3XACo29HHHd3shGbHMDoGEAoMN+64Uce2O1MT5wAgo490
v+O5HWeEnSPNAgG08f3U6YygIUxnjA2m8BwwMmEfmU6n7SN9wUpgAfAnUJAJ
vQMRhZ3I7OjtTtvruDQD2Ab0kTvpWOPO2OhMRkgQ40nH8LE50C60muhIfG2i
VOgMFpkxLbI4SCVd7iLFKxvvJM2ZZrz8EtL82Y/W43m67P7oXDrPR05y6/02
ex+/XVqvph+s25vg5fv59elPtuXY6a7SPFtXQarLiX+WdBeL3yTdTQOkrN7b
JqJJrjt9D2Wz23Y8PfB1N3CtBjYFFcBy267nDqALk0nzXrsbGIOeDaIs6HXb
HghjkIpBfwCCeGi1/WG3b3ue7xmDQbth6pZveIOePrCMtm56fns4BNkM0lxv
D2wwbX1goa7jgBT0+l07MNrd3gAm5oLMtz3T7IIwbxggmEmS1yoAefmPgrxv
w5wDf9ge9h3LNrwGtO8PB47b63b9XtAb6MOeNXDasISBZ/b67bYBWs3ABu3E
BIHs9g23BysFGd9zbKsN+oPXazfgV8u1baNtD4OBgdqJD0aK0XbaMCboC90+
rNTowSB698tJ8ipsfy1Jbpgdy/4SwrxCkGdL2VmGm9tleFWzryHDx23k9cCg
xyAD3c4E8DNCzonSEuQ2/DLpRCQngYMDy5UfgrgGsel52AY+j0iSW37H8DrR
GOUnsFH4yoQGbZDk95ThwMYju2OBWPCRyTsuSglg2dAtMHEbZg7zHyPDB5Ej
JAr++CQdTLMz2lmG2yjDC2L7s0TtffWPogZSJWrhExCmLsjoaQcE88QBAkfY
A5ZAzE0jBBVgcuR3xrjluKid4pggpduEZpgazGvSRqHnjjoWiM9xx9ERaoB7
l4taAzoad9ojEsvwHtABmh3gGnS9Nv0JQ9odG9ANsjhkH4EkhYmBggEqBBJF
m3RRHzFmGp3RpDMmaTumSeojVdSqLp9kF3Fb/8F2kSs8UOzbL2JEJ69/Hrre
6dV3g5Pr1x+j6Yn9/um7h4k5feL89jBZHZmPjA8v3qzOrx7vKHYL68uL3vwC
7i9+C4DYJoLde4rggTtsKHa44xmewzqB7rgo1m3H0ruG59qDft/u2gPLCrq2
HYA161t+2zV6YBLAh27fs7sumOAgFHtdD0SiZ4Gt3beYKO73HZBcYMiaPa8N
37gmmOEgqx233w16Q8d0GzpYyN2BaXCT+g6CeOj3XMO3Br1hwweJC2PDwGD9
m33DM33D7uGcQBjrBkzDdwOnDRP2+6Al2IHeb/cD3+16vcDwhr320PMa5nCo
2z1fH7T9rqv3nS6szLR1HxQIL3C6nt7X+yYa5oO+Y8MouveFBPEGvH9NYex+
JWGcX87fo0AGAwpEAxggwMyBrUYTlA4jG4WwFeIvwELBEALDG/gqSGz5oTHG
qXkGGksTDy0hkA6W07FdFMgjEA2TjuN1LBPt84l1T4E8maCFBgx8RKbV2EPh
AcwcLC00482O56PoAeEMsgJMuMwaB5PQw5mPol0FsgHyeBJfxqtwJinlmxfM
gBiQamBYgjgdT7FP+AVBr3cAdugUAUgBkkx0ioC8pY8YjlA86x1jgtLcdzuh
g4qYQdOEXoEYwFAFaT3hMhaaAFZBvKPYH6MWANoYrA1gDP36Oupk/gi1IugP
CIc+GrkdE/DkI/KgOYwBfQBBoM8GyAWWH2FzsNJNeOhVCGZxBcHOgrnig50F
M//2SwjmIye9Ofvw6vzt7Od4/vLtd867OHr48Le3l93Rx/ViMtZn1+HjYfvk
3evZ3QSzWF+lYOYvP1swC0BsE8zOlxLM8Bt8NnDtzEYGk9D2ut2eaftBAELV
s3wTevP7ngMmpQkyGCQZ2Jy27ln9oWkFAxgfZNrQ7EF/bc9lHu8uSLdeMAS5
DdJRdw3H6A/brtnudx2v3e/5vV4jABUg8O8qmE1PR4tVD3Sjq/ca3aE1sOzA
9kDy6zCYPQSTPgDLvmfolm45YKZbhu36oEeARW44bd3ze547MPq+D/J6aHmO
BVY6SG+Qu+bQdNwhtDSNttk1/Xbf9W1YgG273tAYgiDXHbC6u14XrPzgywrn
Ktx/TeHsfF3hzJfz9yicfTJyvBHanMBG/RClnNdGj6lPns7QR9nrkLFkjjPJ
AUwWuC2aWjaKQWuCTlCQ5xFITot49RTbo3yG3tx7CucR8XmQCGAFgmGmG2TH
GSixQbCBsmC2UTLDKG2wwBRjHgy8kPSO0P/fRjhLEE6iSbYav2o1yMhxEXSd
SvugRrKD9DVG6NceTVGmg70NMANlCwWlgxaxPSWfSdjxQhTnzHoGQ1lHNQz+
AVvYALPdR9PaQ89Ex3BwLaAygR4F5rzBTW7fR3PZm6KNDSsGZQLVAXKJA3hM
p+NOkczATgfD2hxxl7iPWIXebcI8/Nv1yGtukM/eQVIdjZB4XVDFwoxFqeE0
aebu3inyiEViFYOXalnbUkRVdeCLh9P1bNbisT78axbdhv2hixAlnPZP2va2
H5AzQnvSD1osgisbCyOi4OlPwO6mMRXsouRA9VIdShoVh9OfoHFfRhrBH0MY
nP96kmh8lbmrh+gNxQfwW4NY8Q6Eo7i1tycfAFXhtb7jZP4eu2DptSQp5Fe1
EMRItR2AlwPI88GxxqONgV3Ynja6hSkfdLZIoLsNUtLKXvOlcJXs6NGL48EL
UMsGUi077iYfHvWDV93Lk5+6wfFx3zqdja0Xl2+sH9ORefJx3DPevjkdnxy/
fXnTOD4Pbo/7wQ3+/9UVewjPHPnsbTDsXh4vf34d9F+86EZnI9Nwzr576D0+
bz9+++Kk8TFarwfnPwdvT49uek8/9I5+DleLd3Hy3ppP0iNv+vb1OBzNbx++
+9CeOL3IaifW6bj/yHoR9/uTV8/ixqnz8kmmGeaXlzsm+UI45BsA8CfURZRQ
+pfCnuxeapD6dt1xszLWULUxPadoQudtUOn0oYv/Ry3NsHzLHtoDC5TJ9lDv
95wu9Gr0Gr4LSqznuYHbR2ePZfT8tt2z3MCDDm2LnCBe39IHoHl5PmhfVs8b
QAO7DXoZqKaGbwwbfdBTBzDhwLB7pqnr0LEdmK5nuV7Qd4ZGv633BdbupZ/t
BF9VS2NpjpmG9jROV0w9A57A1DKRIryvH9xBBZPSdmt8QdYyL36FEDWHKHsH
IHv7HbPXCQad/pBkbw9/AUnUE7K3r8pelLsDRe7iEphSKc6sKR/9JYVQbVDs
TvD22FKrdqFVF0t6qkP8C17d+68FlQkeUxUGfM4ZNpUiQ6grn1TJecNCSQ3C
3I7QxxKGaFqDfTx20J0+AaE7RnkMBj1IbY97YEIXtTvQtUA9wfdttMEBdKGH
J+oueclBfEcg+SeoETAvuYuiGcQ//BtGhe4iGzuw2+he8UnBBOFvTFFrG3GN
IrJwmJCcB6ABAGRMA09vwKAHgQ9DgvYBFjyIfZiQPhFEHsxB5lDmztVWu3Mn
2p7E4aUgblAIO5qfr1/8QJDzD3T18y+GgeqhgSXIdL3Q8hf910MkVtwGP2C8
h0nNesVmBjSTN1fLPfFDYUtY+LE7LH5swseh2AF8q/wwvgqXvxgOTs1m1dE2
M0DoaK+wtfYaGqhh8KVjF4e01CFzyvAPyMV/MXUY2NQ7fPftZuY2NJu+KNwX
AsPZDIpsY/wAW88mcBuBJhgxb+hAQ8wPYJvtB8OzHGC4wKNVdTrfOZti5da1
XT6KYPJ8FBdGmcOe5qO4uu3DJzU726GpDt3CsL940MkItnxPrktsXoeIxC/R
ks+gkPECToAIa8eqHqUN39SzCYdIw/EB8Hly1FV6ZFVIGGJdGwdzGWLrJN12
QdfQfIf1sV3k1Um8hmFwyq6SfVXa/lZV/zP0fNS8d9f0q1pv0fVt74vp+gSL
Gm2f3uEtr9wBkhUqLhW+/Gttg60gzFkHmJZxL/1y6zBb7YOj7tnHXvfh5VE3
OJeq/M2jt4M3x903jwLj5SC4uXk+efTTx0mv+3Z8/eH9G+vk5umrk6vhjX7b
ODkPPhz3x2ALDG6PP56G+JCenb+Qz8AIsY57g15wNYjl+/4bet+gBjBE7/JN
/6dTHS2SJ8GLNzdHL456g7cvXvfPjwxoiEYH/P/o48kwuen3gydovTw+fTlo
BDcJTv0quDz6eNqVFooO1smH47fHOlgox8dBgkuZDF+86PcuB49oNrOfrpUl
HGXTrZjN4Oao99P8Us7mRJlNYxgc9YMff/OztR0rnb18FNyuZuPgpBsET/S3
k8Ho59Xs/Y/966snwY8vzt/Nfm68+u3M+xCetC8fv3/ae+jP3l//lp5N3vjn
D403o8m7nx71bp+kr9b9s+6jn4ar5bHZX3Y/nvXD5emT8ermzQ9fzzzawDfy
BpJ3T/N24wBfy0QyyUTqeYZn5k0k34F/27qlmxjUTTHqvmf6puE7IBwaImjd
8U3bMIDbu20PZKtLwXHsx7AsG+PDUea6juPimbhBv7vQ1LHdBrZqB12MCbfw
d2aWeXq36wWWDw2H3V7QHQ7QQ+/p6N9ug/ga+FYf5JQJggS0hoZvmF0z0B0r
GNpd6GbQtV23G3S79tCAXrxevzcAcePDSnqwrq7nBQF06Lq2afW9nmlBN41u
3zJgtr2hN7QBRF/QLKvD6j8MM3ODYeahYkYxcxsMM8MutPoChhm1BanKhOqp
8pq0N/ph73K9a5ratMey8aUmO5yFlzBsmixXWEfihkn1EBN99vUPVuaT5uch
/OqHWTS/XF0JQOFPH7UH8diSj2ndBQgaBdhUePOrSmTv+4qLXNsU9K8uOFPa
9Q/IDZrZh242j6aqwjxOZhP1K+AbzcrZN/H8o5dcL5bJdZxGyjfIX5Rv7N1G
Qk7ULNgRO3wFPEv5ylG/Ws95oYxI/QIZm/KFtfmL0+g6eR9NhrBIQAMD6mYn
gaeTMz1ED4Hudpwp2ufhCCPv2IELNMB49RBj7dpTbrr7ePIz9nGLoonu0amA
gS58M8Tda4UYzT6yENfRSMYGuCPsemSjUR9aGHE5nmBQH2z5iY/eBHOMjn99
hIdMzB0R0jRc9DyYFh4WjPFgD4ccTTA007LRfwB/wngZy/0MJ0Edp/2Hm+Cv
dhOYxeHybgIz7yYgZYQ3LLsJXFP3Pcfe1U2QEyT3dBPk5cyf6SbwneI3VW4C
/pnzaw1M4ENQgYVQmxSEGmrH3L9QtSwk+JgEXrYe7hHwS2RkFGbHBSGfoOqR
0Io3NPOhpltFpePJHkp0RduOZChDwVMSlUhgjl8/Lu43RDxvDXLVaYvWjCRJ
9+WtLY7nvvBbuW3dqidI9hX9VMtml4PeL60G5xUVicOsxzLDs/xC4NZ15GJ8
gF4J5Fjk6Ic6TcD1ipBw5LZBaDOPE4HBb7v17rtaMAidwjPZQI6vqfcocoCr
RMU4kuX+2tRcUZloG0xYKwERz5aLAmUlN8Pe2ckP+BAaZZRKto3SiLgEe9qp
1HTg63b2dQEIjJx/gO7r1I3NizDYInxdLgJ0p/IiTMw38U05DfopLYJ+6tRG
X1JOydPLFwG8sFo727wEky9BghhVudIS8GEDQxHEJMiWLC2BnnYq9cCG1ja+
Gh4stoi2BDFqlqVF4ENoZGeQRCO4tAh6WjyZkovwvtoibL4ICWRUdMuLgIcN
Q5cUh9Z7BTHR006llgxfWxkpVi8CPq1SpTcvwKEFGLoEMOrdpQXgQ2iUbWny
OJQWQE87lUo7fN2+4wIMQ6+TqjbxtJLKL0SsYRj38fcbBofx3VwoqgelYdic
nu/rS+n2G4bHd12VUwU9cHep1MO9/uWSPzv6/tmH273+9e22+Psd8/P8/RIY
uzj8RSU+TjzsCg0q6h1jubhZCBr/VA0W+lPd/jvC8P4O/x0H+HNc/ZcVrv6g
7Op/++Isc4ePPxy/rXX1D8i5Hg3fSOf6M4wtOg/IuU6+9ae3YWEGgU2dlQ4V
YKSPdV78y5sGHioc69mhwsnHgV51qIBnCr0+nin8+NPPWdST1Tg+f1l3qHCU
c/U/+XD29rcomn58+2gyjwNr9KJ3aS2fNibecvnjfHrlP5qmrybhTa/dffz2
ifHIstyr0zfhh5unz1a3L87s47mvv317drM8+W70+tLQ08VZYF8GX9jVv5VN
5J387h2ioHbo+mu595nrvt8zh8y9zxztZs69z44A+sDg4bk9tGzDbDAHPqaq
BT4aw91eOwi8Pjy0e+Tuh+5RPTN6po4aDvaLvnvLbfesgQtdDNqNPogUEBlW
exAYQKawMr9nmV0b09ZRo3Adve8GQ4yI8gIn0HtDyxsavf7Ac/qua/UHAIJG
29CNIdYI6PX6bt+HPj3P8rFcDMzFbUN/jm/1HMt1+t5ASQ+/r+9+M7L+4bW3
Nnjt/Z289vo2r735v6nDPntc5bD3zgEmNQ57FQLFuau+d9y7zcou673ouMmb
RRzqmzzbyAyKX+j+XTzb9ccFMGUrD4UKTz80ssuNCo59aORkjao86LAR2pQc
51JvURuD52FTeOPOBPZFhCFukxDj6scU/c8+MikXkgoMOC6GzrlUb8gNyZvu
8py2UMfcO4s7w6cG+ssjD6vHuC664CMLKwuBdaob6ADHLEmqB+NOMO2APoJd
CX1ZPnrbcQwdEynbFvrqHR/ryMBUsdKNh476LIP9jh70zfzuH77zv9p3XvJW
5n3nVt53TpKeN6zynbcdY3ffuV/nO5fGc9l3jsnnOd+5Xvadl/22Zd+5+Q+3
+TfmNq90Tytuc7PsNiedkrcuus1dEzbz3dzmOQkp3eYl+qh0myNxCEe4XeIa
1S5m4BhNzbqfi9nNXJsgk3OjkWsTlWzNzaCr59il4p2t0xC8zBn3ZX2z3L3s
SccpKgilBeBDaCR9emgmlBeAT0v6oc4X4NzRnbbb9LlrOfPeo7ZSmj4+hEYS
/mjbVEwfnhanzxQd1f2+6/R9DlG7JPHqvIGMCk2kwnoexf5zLyLNTgc2nIP4
met6YFQR6cAoEGlJgds8GeNehwFoeZYng087mxXFzZPh5NOW2N3k1JfgQ4FY
ngw+7dQopO37BXS3XRFIndnZdzOzG4bJN161wb2Lvd0whOCrsrzR73LHQunc
x1tZd/0uId6ygx2DvDe23+b2NXZz+xYqE6L7V4XOHQO+VzcJ1yv+qozP3WGW
c/NiJfy7hcXuPtAO7t7Zea8XvBwXsj9ffhh8DE5F9mfv+uR21DM+hq8m659f
H0nXaOPkowxxFg8/nPSzsOfLy8HgeJD0gqsjPXPADqQruHHcf1ly9f54Q39P
ur3g5vFvL8abclEbMhn1PDgPLn98FWXR3YYS3f0yuDwOrpc3Wag4n3kDp3mK
ceRn2bpO3mZLOC64fLtvg5j9rQ8efQx+biy645vh+eD8GCDM/eNPfn59dTV6
3U1/Puv2X2yJO29sCjzfJe68IdAW6IPg5fGr4zfr+fv+2W8vPg5/+m6WOM+c
85+vk8WH5+/nx93F+lTvJ/67XmA/t58/fnT5cABc66X7aNpdP2wfv3+5Pn/2
2rBmyfN+NEnfvk8frp/4wYsfvkb8+C5MKedcxusivuBWqXYyB8zwzVci3bV8
aKPr6nZt5HiwzYPNHM+NXGC57phq7LiIES+HiMPMHRBqhtv3dLfXcB1Tt0Gd
zsWqO/32kHWJvmrWjUvh6KwbFo7OfmBqVKJ8qIOYND192DZs3w2w+gpIP3eo
G7AuD2TtQPfdbtdy3e7ACgynbfYGduDa3eEQvjOGDUsfYLF1y4MW9tD3Dd8w
3KDr9QOvC7a+BwK72+v2B0HP7eu24wzhf67b9gwTJmF+oajzrZTwF3qwC3VK
tzmv9XZnUK68GWDlzX63YwdYeqLb6wzMTl+tvCnrbnbLzmv77z3kvOYc4O8r
/HxXb/Z9YsL/2jjtOjwaFXjk93toveAbRaH5JVB4r2SAPyuw/+5B91OdfP0m
Bde3sZiOTxn2UwtPArDW0ZRuIfCxxlLEM/PtCL0G7gjD6l23M4owyh4L75gY
Qm9Tcv5oiiX6oGODR+qD6RiZGHTftjDFH762px3gbZiNb+Bpw8jDwwlvhBn9
U37OgLV1R1jQdhJhsR13gtXwgWtO6R8YG8v5UcY+jPR5QfdbBc23fnQQFD/e
cHSgK0cHVXoTHhhk0g3PCuzPOCswuIG+ayn3hmbRF3ppuPxZAUg/S3jxv26c
vTiR+Jw4e3bgcJc4e9u7+4GBTQ4lv0QMGw4MDP0zTgxs7iIvn1wpJwbZeZUj
/VD3ObFyP+PEwf3sEwf3XicO7p0C9d0/MVDfu/uJg/BxOyUA1Jw4+Pc/ccg8
3hviwb3cicOd48GzYOqvcuaQ+aPro5BVf/Tdo5A1PyPKr3DqkLmn66OQFd/y
PaKQtfadw6jbtYeUW6KQNy28mslxPLY52ZdlrFNkcrri1IYPFMteGPbI2jJd
eS+L4i5zNXcbVzN07zO5mqFvOBGt5Wpq7Ph2ribjxrPCOe1hLVfzPHeDnGZf
0U+lYm8IZaPM1bwarmYYbh1X8780VzOMLP+o9ojKMNp3ZAlqqg708JVTdYD1
bj/akscyO7MFO7cI/6stwuSLkECuPxIzLOOO8iVHi5Z9j0UYllPH39pbsiyY
NnznLAuLw/r+HsOGIZQj5ju8j+uwYQi+WeVELNzaUaiuuumeYX4WV7yeeIdj
OH4d+UPlU/yT/5efvdU0wvMc0bDmwM11/4melqe+f4GmJHuDL/jzi4OaI7Lc
x7mzsvybbYdmauvNhwG7rjpfKNXZ8Rxg195L52RsAYMXLwdn57JK6k/w/7Pj
R/pN+LG7OA70R71XvUdnwXAW3GD11JegxAS3L21Hvxrp1vLdT88f3+jLmfH6
9aun76aNUWK70ftnr5PnL4I3ww/vvwteXH7sPj6aBMmwF304SV5+nMWPnNuT
dzfP33hvnhlvTx8O/OHauX1l/fzbUa8x7B7pg7cvzk4q/pvEg5vHH4NJ9/Ld
sns5GHZfjG+CF0eDQXdwKv7XyH4dKMc55aWWjnQ+G50KpecOdBzjs/CY65Yf
4rg6bHhHN7b82H6gGz3PCpyh1aUjEMcGBcoxPd9rDAMdfsFq+nY7MLrDnhN0
LSMInAB4WN/v+/rnHElsWUzhHKK0efFUQp5AlN5iUXBo8ThMr9SDiLPHgem4
/LCC+VqR42MzXpVCx9qYnoUhulOrM6Li53Qx25mit2XtQRMDI9qkO8amVCAD
fmel18GSDw30240ddNOB5Av5tRhOSG5AjORtYKn4+ZiX9TQ6d/mnUe1wvbvP
bgsmco469NMV5ShiQIE91wRd9FRVh3Oi+MTe+QfktatDcpXywf5DKDar/YGo
aV8BljIfn4p6UrecSjN9jtjgaimugGsc2/ZRg8Xv5mLcpDoe5wiNde7/2jAN
EWeT34ENsyaQ2C6YD1lv6Ba0uFEgtu+23dtgvqOyXu/U6PVK+M7LOXkyJxs1
hDVvdC8dIfdxvZZQaraDnuBZqCdUL4FpCuLdt60rbF97PsDGt+4mZbb3v5O+
cNS1PvZ6wSS9ubx8pB8/Sm/C8+Ckezm7vHp32f35xfEgAEkdgBpwPHv2bHL0
qn3iOsPzD/7JE2fyExhvsfPYdJ89my8/zkC7DR51x6OHmEN4c3r7+MWT7ot5
eh4Oj503V+vx25+P++Yzs796o08/PO+O1uNZY2WGcXBVrS/Qf/vd5fGjdzf9
F29+fHP081Hw6mW/Gxx1uy+CwVH/x/PG2/nZ8P15tD596U/7Z+vXP00mb9an
7fXbtwvXd6LLdtC9fP3ood3t9Y8H4yu9d/nyR29gXp0/e3U0mh+ZjfOg/XZ1
6b06eeyf37zy5j+OJtfJ5dHLk+Eb/ae3p68q/pvTrRq7Kld1ulVjV+VqOPzZ
/ml+9Soq/LeBv2xE3cfN/2sofwyOFA1s2/8Ac/Hx7dHHxtHbY/ol91/36Oq4
6988BtQ9uXkDKHv5+DgY9LrdoNQTqX1fWd3bxLTy6aHWHTX3zT1znc9B23m7
zueD1VnW+/CpYzd2lR4YfOM5fb/bs4fdYNgDGxMvGnJtY+A1bL+P1/8Gfrfd
x1sQsXHfCHpgivfBZjXb3X5vaPd7gd53TN8IHMPVna7r4X3Dvm77Jvw0TOUH
JmdCF1ag9/7/9r6sq3FkWfc9fwXr7Ie7e3H2rVQOGlirH1ITUxkwmGJ4uceD
bKbCgCkMnHX++41ISZZkWZ6gqrr3EV3VBUZDZkRkZEbEFxFGwH3XYSC1pm0g
stUX0guB6aEJ1rNhBdz9nHNpJcmnTqYzNovC2XTG75MD6NzT6UeOhclrYlfa
IQw7hzrIn6uKB5PJYav6EIxfUWWQf3R9P7iLCi/HrxP9Mb6lfKqbfapOv9Y6
XadfxVN2+lUNUfjIQC2JZe5gZKKPzYqxj7yJjZSEibF5YWBqn7CxPVBPl9Ar
3Gx3sC0ONlP8+QPtGRj3NzgmGlo9rMjvdLZ6XUwxhP+3dSM+ZmNDAGkUuhVr
inawfr8ttihdYqCryx1jW7P+/Hq563Gdn2lgFmavgziMyN7qm1gIEUsgWtjY
SXZRJKMufl64GSEbxpYVbfHOQip9rv1WqbHKUIvpBLjZJpxcgLiYZcPNVoez
vlIzTqu7tey4VQy5pS25JBWzbBfxqihubMiVzOIkfBZLZc4orvjKR83S9TIJ
3qYxiLKBSasNzI0srlCyMTdST3x5nkbVPHkyiPJMmfaH51fh4vnGMy4t0smU
+WTwZUuYzrWEN7I4wQrm8CRZcyWarDq5JAIqZfXk2PzJZameuO/MPoFNH8Dy
0f8VBHvVyaW5dVb15Ob7MHL4g42NZU+M+epky3sz5k2tvAzTwLVTtQzn+Hly
ddHY1FcWLi4PXFSFV9NYcbkgpKxahguLQlYuw1ysedVlmBQpi7+WPbvnQ4TL
L8Oca+pkjmMqaxSYtN/+P6OpnrhJaGttt9VSTqvVXVamXCqXrNhbPMsnm0WT
OZ4u/XSk01OOTrmX/eU8YSv5waSzctTsM7xgXsv3PNV/vNppNzsN9/Y1fFff
Jrlc352bLlfP3e/fXntn3957284bes6eE98UqXJOLeubIlXOqSrf1LSnjOQ+
+F2BP3+mq0z/u4xbkeT9iuu4FUnerxi7FY9LrrLJvzPciiRj3SKHWfaf62XB
S7LQYaZ2T2d6yvS/h9dkt6X6DRdYdzLaBpaF7rty1aDZnPm0tttoBMNxPrGO
+N926bejzmA8Dvb8k16/N9rs7e+Z2w9h78hi4qDVuvhqbDde7r/cDU8b0R7Y
MXvWTef15ejLsXEUSHL5drV5t3tyfnUsQuPu5fxY7Vx46s+fH4pdyjPHlk1D
Xea5iV/OoQb1lovGChHCMdV2pRlyqXwn9dWRWc66VX11ZJmj4iJfHZnlrFvV
V0fyzrqkq4uvLOoGFgzYs+1QGpIyw3ZZaFLFDM6oz8xQhbbvGY4dGqYpifCl
8FzTsJThcY+HglGXhyx0Q0t4jmvAM23DN2xDeswLqOMyFqhQOHDE4JRyTzi+
IFwp1/Yd62OV4RZIQymYPcNh6J5Mm8z5+HbJg2iskm8319O4kZ2HplwyQugO
EWzL7mB6Hfbsbm/1nDj9beKfXMdDWe02mnLjzPEiVfqRFnkw5/mSKr1J8/1J
izxKH/RlVnkz57sJPzrkD3k1q/yaP3fIH/JvVnk45w15Pfmc7+n8LfL5IZ9n
lddz4TIfPm0kaXUIuaxIqkNGWtg7BuQNV0AX89z6ElPkKMOEtw7DEdE29pnl
SZVKuJCZONy+jaw3nC27v2WYuAhFb0sKzIIzDeyPA5qCp8X7+luC4ZvgG9bH
JWnBhc5Wx8B8PVgMRk8n2ElsVgNTjt+ke+GyaKvdx6WM5W10exx4KPwIZIOl
Acva7mF23Vp1+BbsLmX3rlPgTZV718ncu6VGrdUQndWcu0bm3P1INl7ZM8zm
e4bFbM8wn+UZlkt7ho3ZIJ+co3c4yw2bOm+nDndkg68IwUm8tmUHrPl5rma+
lquZz3E1i9VdzeKXuprF+q5msZar2fyFrmZzfVezuZar2f6FrmZ7fVezvY6r
OZfe83NdzRMv72quZmOOq9lY3dVs/FJXM1vf1czWcjWLNVzNSf+L2XnHhU0g
yyOJ9Us5j8TOb4DfprJIRLJuVzeMU7uYGGlK6voWMmFpXxZflE3lZRzuK3rb
db0A7ble2+0elxzAZyzlgM9dvowrnv5yV/xGBBLf68Ftf0+H/DwCFxNaqFgR
o7r8i5bz0gc+YlXvv9de+tpL/xu99INLezy4HI+3BwVga+AqOvbGhc/cRmgX
vPmeOj4hjVCN4YdJ55rdFpbvGzxe3d4cHjWbvrpRLXfQTX6G6U5+13Dhvmtd
jc/zHrdPGsIB2fcabnPbfYt/BpbhG2/VuAGLJcAbShlXJJ9ylf23PRgMtg9x
0VzfTEbnw4DGx8OWMF6/WnTQMjcPWmek/dY6oNZ573h/vHP81u/9aBx19t6o
Gh2Pndb+9bDRHH69fx6Z3qZ5K0abT4fHN+1W9+WSqscX2W+a5HSvEQ7hTUcY
eGsNsAojbezu3A9hOjBErMbIJo1ofNVuHA/GIRYVhOH4yqHk8vyA7m4fvHW2
43V/wYLxTtbi5q2BJR7h75n+7KL42Y26JI3j7jhspk+UcY+g87277vm3uy4/
funeqMesFU7jSqnjlvfau7V6J1S8P1Jy8uKLw72LrtoJmUGfHw9OO6PnL8Z5
Y8BbQ2N3fOoj5Q++7TRFEA6ap6NW5/TsYtjZZo/b7Ptpkzw9frtl7v65PAIZ
jwsmHqnmzhdXgQwMItVwbV10cXfcvGi4bRUe3Dm9zQs6foHxqLc7cmNf8YO7
0bdTFV0Xuvbs3cjb6zC67Z51zBc7et4cbn45+fHYv2KO6gVPikfu9/B+j1xK
9WWz++XRuQk7L732lefu7T1HX/euTne71N2j23ffzw7dr7v0fmj0m7u/Ngw0
+6RQCAjBkemTtqTPDg0JwwabTPfigbO9DMBAgdMtpTbDnw27GuVdNlTJ6ijv
cuCIrI7yLgeOyPIob2l73HYpE1gZ0sw3RiKzq+AktR8tIJgyHWlRZVMzyK6B
O6RlWDJ5CDyPUU8CPamQnLowSxH4vnBFwLlyhVAhDW1uO6YBPLSQCJZwTcWl
MAPPtYA8FsEDus9tkxpAHV8aru8yxTzLgXtM5gvKsFQ6HBe8UDKTWiGc9WGt
w9E86+NEFnWD0PUpbc80bA4kArIE8G54r3AE87HlgiE8goOioUcNGIZtKunA
iIGHICbAIcdXtulanjKs0HNCy2JhSIVn08CxXRM46MLMQE6orRiWiXbBHgHL
Q/FQBmBuwGtgwDCKwA0dGTrwRuY5MGTf9SwwTEzHASGA62wQXeJ7DqfAAMZB
dHzTBnPEAdOGh4ZLPQuGZsNHOPvQC0PgjQfckbDRgOh73DU9P1CKhKbpKxpK
13UtLkMBJo7vAqc+P4w3Yw3XAb05Ab3kIarbjR6e4zmOHuDzCOc/2vink6tH
iMQInp6GT/nrJvNIr3Dbo+tu8QojvQL40Y+ewEI7KbmS8V3ij5w/4ii9diaZ
i/GSpfjwOY+Nur1R0mNndNXOM3Lyhh+du+uuLoSazW46BhN4Gw/xdbdw3fB+
o/vj6SXaGEXdB3jmk5Ej2oJbOk+w/z0Mh3fpjUwUBKuOzhZvr6OzSw25js7+
PaOzyT26HmfO65Q+BUSJMgycYp0ec4t2cTFYAleUpduYMb3CLbZl6l9NbsQP
OZZKZT28wDSQ9cBiS3ctw8I/8KOzJS2M7do5eTAjfE7+dnw4vM7AeyfvxWEw
HM/kRiwVTXXRU45hXhR/gQVSgXzYtY3jQoFvRBv3yb6d3cjtLcdEtQWjwreY
OELRwUKr2JvNRLp3LKzRCqPlLLsRlAIwzzax7KsEOe+hbHd6GDIG+e9a2OOt
q+utwhho7kbLxi0amA1Lpi8xmE0tHFUnwjA31RFpeCDrYwvHyMputHtbDFZT
hEuf68Z08A3Mt5v2cuzpXo7YxDHCbjsZcUwspS30xLsmBrp5hF3qbN0ED6dG
cfygEIHXsJazoTIURNFN6ED7OCOjh8sZy99KXVbWwgg4PNnM1SLDJe9gmVq4
DKjXbeNloMmcPra2g6nBfOGxwPrIwTNLJgBaVwCnOibqaGojMePOeh0NEsDw
fxvD+DLCKyc3wgkIpIVaFVCDqINle2UfCQRTAjqCkuzrNQesgvUHQuA4Wk8B
15OZ2LAx9FCDOSBU8Hv4JdfKFaTa1iACRyMW+FbfwN1O3wSPA9kBesO0+jEb
+0jsvhbqrpZr2Fai+KCW4hM6uISweG8bV7nZQ60AwtHp4LRBEOFJbd1LsINS
/mlQgxkn4Bp08DcHHZRCbDPDl2J++HJy/QQ9kITUDHtD+iXmPiNH59sFKZCg
HHJEzsWl1rJIY64i3MwMxTnmBc/q6ZUE0UhunWd3LCJIEn7nZkaQoPASlhJk
ngVT/bL4n9jASSvOlZnKp4g2h5/xBOYNZsLkrJ5iaX0lpfFyhauLS0tMgrzl
ECqSHcwRsHLgndkTFhYcXWLkCTeEUS0vrDTyCrtMTApCloWUV00hk9kMbVKl
A2c84M+CpTaHEhPJqLL/CogVG/8swYIPvH62LRlX7/6pQCZhrQNkElnPvxKQ
KU29XAG0k7bV/DVApqwd58pApqw35ypAJmty188HMtlz4CELgEx2Dh6yNJDJ
oHPgIZ8MZDIoq57cfCCTQXP6ZHkgU5Yb/pOBTEysA2TKqt2WgUyTI8LyQKb0
nPBrgEx8DuRuAZCJ5yB3ywOZ5BzIXSWQKVZN0t7weOGGMpDpn97hSfD/8ED0
R3KEdSQ+IEWHzYzBLBOCIUaKwlsUjKmOxRCW1oBePiozHZQhTCQUXCc8E0dn
CEur+a8fpyGcpoJqCG+9gA3h6foohm7mRW4IlxX9RudB1HgqdssEfWbHfAi3
0+rMK0V/8sEfIoy02+iMMNCHIGreFcaBFwDVunjRZ6DV9INWhKzF9yyBW5O/
PoV8IW5tQ48eToSFVqZ/vUqLKxK/iGnj1ocyShe+bTlgW3heA9tqYFsNbPuZ
wLavEdZ5YL8K2ObdILBtWAPb/hbANuBS2AAufUm5RIqtpsXrDrAq1chBrrlz
0tv5rcMcmucUaeiuyAVWYTtl/Gsctk4lsKrE+zzrScr7/ZzI7jbdaHP/4NtQ
bd+/NunNyWnX3d0NXh++jh5/nPin3pfRoei3n/aPQJDU/sH3xnYTC7AiBw5d
9yKYpnSR0EJzxR8H7pdxMyCwgLGV9EncSrrhqr4deL7aRlbCanRLbNwLbu6P
nqQUB6PRg3NMRGv7mL36raerdqvAxoPLSPX6Xzdvwy+j8x+Xjuw/t0+il2/X
X9jRkBqjzcN7KsIBed8+vm+67sHN++3FncOegsubdxoOv2+fuP7FY0cc+Ye7
u8cj9hJeOM3fh08snQ0LIEWTyc88Y9RIxU9GKsLlFVhFspyhPN88JvPs42Wt
YlI2i1c3hklqDX8Eq0jWNX3zBi+Zb/ECP5TmBw7f0x6GGV4LklA61OxKuQL2
rI1ccTmM0goXuTxIzBcZhDaQWyrkqAXqwWcc5mxRg1HbAFkWrotNfoAHgrqh
S4PACE3lMjuEF8DasW3kS9HpUE1mBivLpIwn3PEVV/AQHlo+PCGgLodlAC+1
uKtsZXMnlBL4GWoMp6QwIR+klAL7YUkHYJx7ZgDrGohIcOFapnQl2PLSCB2k
K4wc5mSZoQFL32cS1rylBFjxkrosEC5VAaOOY5nwQOmYPuGeZ4B0eZ5v2FQp
qoApgYGJZ9SNR2EZPnc81zeB6iAhLvU4dVjoBUh803VMYDFntoR1zA3T8nzq
+UEoLB9mQV1gKXaKC1wYqMtchdAV20Pa+a7nuLC0lVAWPJDIwLFUYMDCt4zA
gddJT8DKozT4mUjSoqKt4aQ1nPTzHlvDSWs4aQ0nreGkNZy0hpPWcNJfBSdd
QqRjOndTcaqQZ/g+I0VeIPvpQsjLttiyJc4If8zNiGvSWf0Fa2ci85MbJ2sH
xhmLN0wZ6NwGNStRa8AU2hbuXkiT3FCRjxb+Fm4B9uHGJhCYCnTrOPghCmRn
q99BOYly7Ab9AhshKOq+HiqsCNtOxHsijXkhzM9xoTSCEIJ4g+zl9T8MOxP4
Hk4Nhkr5Vh8UH8PtI4J1wXE/hA+NdoEdsDfa8IejUAFBgMIgn7GcRxJVAZC6
p7VWfvWBOOHRNtIgYKB8hODhPsNXw8BA3kADwH4kNXRY5onj4DUI8WV4ULC6
eGXf0OfuHoKQHRvJDuNHEHFOMoHULEKVArouAq3l4KoxtZaQDiKHeRc3AFAI
QNhuL7sRaAW3AKPhyh5FTjmam/BA2q+ATYMKA63kdFETwbEBporLu4NU4BT5
AXOOYjE1URr0TXAhTBb4LvU+Dq8AeYaRUI1whunAno5qk+KpxEokDVY2PCLq
IJlRuDq4RmFyXRtVCwpLDy+HgwAoPJGwDv619DBAlIEKIEaGPhnAsEER9HRR
uK7ABQ8qiUY/ATZdNPdq7HSNna6x03MIUmOna+x0jZ2usdM1drrGTs+ZXI2d
rrHTvxM7XabIfOz0hDhGqmzK6Ov05IU3+2Ba5AHX5mQVrwu5zgDXYH8trIAz
O6hMmDEh2WrFcLL4MmHZVrp2rJlZ2WFizbAz4VlzrmK5nOUj0ISzCU2rK+cs
gF/LTB5USQTL8sAoQ/y1VZCHuaHs2ZHsDH+NacyrRLWzoDYRRlb8ec0ANxHZ
6dIS68W6iTAnO2ox7r182JsIZ0LT6hD4/Ag4kZkCXi4aXg6GEyknNM0HxuFz
Z3WgvjQT4i6OqVeF1Il0koWySnC9GFsnZlpPeFaU/R//SOFSibmYIPRHMYZf
W6Kzr0gB+hFekuLzRw/LQ/JHD1+ye/WP6TcFFH75sgyMDZdWAO+FLhgbDz8z
hf9rpnX9X3/MQqrHv1sGP7bMCIvN0FaBjS3z9Co0+snR4cFJkMDRVWNfNS/K
ULr8RVVYuo8QI8/VAn5upaqzi56bAOZg06TmxyEkc942hRrR0jQhUAoPmY+J
OIGB/Bhtbfy4b/94vgKD/z3qbfzT/GNtF+ic4ea9nujznD48ZT7PeIi549Js
j2Lm8sxcYX/OnO3M02iu/3Ds75zpU3lKHhFT6s8qQsVpRlobzdVRI33Nmkoq
d/NcLTV93TJqSjqr5Afh5HpRIT9oxtxjLRf/qqjmci0mk0ctX9E65ciMHKDs
V0smAa2kTRaTtaBbObdXVCuLX7CUet3ddVuDoav2PU+ddhF47hezGIIgThnY
dRu+5wpz98x1W4/y8nHfbD9REgSjb7JpHgq3+y3kzYun18FR40a9HbTUe8Nv
jGPMudtu7G6fwt/jOXkmy6cI5TOEyDopQtm/J4rAQ3ND3n09uImHPHSDC/99
d6wzHd7xd90YPv8YXDVcG4HsOgeFJEkonuuqmYkuBaz5dvDe4OfO/u3D5df+
Q9A4Hr4TDoNtfA36Z7d7t9921Oam5Bc3TvPpadc8eXx6E8+OGv446G5/PTzu
vAj2/Wm4zbdvL4KTH42Tff5jm5wNBr9gh5ynUgpbpCFWqoO78NHJLhlQtiys
nOKx27TAxgSLE+yXFDNOMjfj8j0RNaza8kRoUModixIrNByTWTTtRxhwYTiO
xMRTDpasgtOyZ/mcMTCBbTi6e2D0gkUE9iD3TDc0Tc9jJHS4BPOPB3A8VtT1
DUlNzwLjzPF5qOBTx4dzN/dsC47VYCiHpg+GgBnAkd+DE7kXglFIXLA74fTs
fcrZoZIJJcjptJKOMaczPy9CT6cv2Pgn+0Ts6UdxpMfpBjOFzKKmRhqYGCfm
tsbqIKZC/3Z3FpRrHsxwGm+Vjnc9GOA0/A8HMjmpDYbD+NOjpyFs3lFPPW9t
MMrkvyiHPy2YlP5zGfPp6nq0cfoAMgHs+hcDs5r+Z3Y1axlm/uoDkLTJ1Uyy
wsXwaCt/cTXYKyH4Ep3dgOpg9zuOhpZEGnNhYdQewThdjP9zhkglEW3ZDgIf
9E1djhRD8IpG//AuAl+wGloXu7L1HURQMV1ILbIRyEIS7nV6umOciSgpBOQ4
iFlAiJuNqLCexizAw4BXUQIyERqiBY/uaQCFGWlYRFfjG7oIV5ERjpP2dX+6
7kcOzZXrtIwVyEVC552bDZGhBUp+ysqjc8V6rz49s/89eIEpRVLGC0zvUCle
oPxAOa+VWuKsKcfQ4thx2S9uLuhRlnhuVuhPRmfzBN3beEpPjCHURTE7YgeT
oTbSPTW5Ab1SDxNF9adhCdjuwDAugXGnxGq2Qov7kXFnw6JWmBuWg2gA0HSx
6voz1nNbFXoudhKC+OFunxdWXBP3oAGTp2j9t1Wh/2LP84yAQWXgztJiPiNu
z6ZlKwvZWxVFOQw+x9m3YaVVOdY4wcQHGGLQSVWOdY8yWdwIDzXTZxptL2uE
SIW5fJbYh5PdZHbzqA4+Yk1rOrt3rjE9ddkytrRlfMiWnkWX2JQuYWr+ppb0
QpoWDGlbrOqmXPj8Je1o/6SZ2NEUE7gbm2U7uvGC1+1jdY1ndo256uaPs/b1
j++PxHHdr2F0enjzQ52Hxz26vW9PGZ9pSj2W5hiPB5dBoYoEmVVGYpUqEmRW
GYlyFYkqO7p5Qg52ldpW9hvY0IY2/W8CpocdPg6C46Jb4OB94ha4T10C5CNV
Q9AlQFapGjKrPAeJv2lfhVcw3NYth+G/Nvxg4sUYxt7oPGfeGq2LxC2gjklh
/u+Kx/Mfjgft7sKiH8gt8pGiH8gtsnTRj/3grDDaVswtguxS46HrruoWufHc
25b7QCrKrSxdRYQ0xs3Bwuohk/+aXugVK4iQfCmRwUBVsms2tx6vSAPn6tJC
SRE1aDZnDqCljopL/TYganCqCm6fnadOfyfa//bUfbmJwkaz5XRbL1cXp7bh
fx83Hy6v346fdzYbV27/5OZxdEeerl8c+aV1KDpX3Yfj+7072eK+Pbw5e2ps
X4d7Q2PXtQfj7i/w+szZ+gpOHyZWdWHOfXLi81HLlxKYPlGnThtMh6YVZQPC
Zb1ABN1A6PzJfD/LFxGgRnwnyW5duqQA09PgLISDsJjyPs2sNiDh4QsBLSRG
tFBWnFLizhJwYvOkpUzTVS6QXmGBGyuQGjcgmYQjIobbic+BVAEzQtcRhnID
IbgMbWV6MG1PSZ9hdNfl1AsNywpDamEYnDIVqCCgDhz9hOmRUDjUNDl85jtM
cGWZQO3PcGdVideUN6t0ToqdWbM+zvuyqiHLf1tX1lJeovmunFFUkZ875R+Y
6TXDr0UJuvNyRE8SeFlxINlvYgjZDE/Fb0rRne2rS79Wc8elXyu55ZYh6oeJ
95OShQvEA6PjX9pF8u9Jwp+UvFwg4VP0MrzFOPXox0P0NIp6UW86A+M4uQSM
wwk9jAoi/iVIv6YOWpSE/Vt00E9Kwy7IwI/72/vh+P6vxsiVogQCNzeni7nQ
bRO9/aCVpU557eoOKUAC+BE0t6GrkeibpI4lxAmkQGfU6TrTud9BRQW3dnQO
JvZMsfGpcWhBxwHgoZhbqZcX6n+KqYWgrSydQAy6ryP1+xK9FsEYIp2DCLuu
wDAErGGHokrkkc5ZdXBsoAZBN9LeR6IEVcefcpBA5ZkwJ0hAl0opnAoSzD5H
lb/+F+YUrh0jKPvO5af6zmNcfdljbVY5rHlFlpGVA0WtnmaU3DfJhlsrz4jP
yTMSq+cZpclOdjh9Sz7PqDhjQ66S4jA1a7F+qpFYK9UoA0aX15BRFdOxJsj4
csSFzYy4zKNI/M/sTcaaYJ3LYRk+KyqzwouKYZs5uR5V+S9zXlXB5STnyrKq
uSznc9myMy4vnXO14UzuKutys8jl7HAda2fHqea19Zm8ziVrlXltfyKvJyGs
Wbx2Po3XaQqaWc1rY0HaErUyZq+Qg5blfpSzvafWdAakZTnBincc7YVK7qNa
tb8Mu9ol07r+HuldxxZiAcfLrMjbEJOkM/yiZfoU3noctUfD+z8zi2Xjn+KP
LJg4S0CNdbVRhYhyq1pEjTX1UYWQZhndM/arVTVSxVab5BKmCTar5RJm+drl
XEJJV84llMkgbDl9i6zcaj+w0xpyTmrogmUp86mhS2cTZltZGXQztSoTy0xD
aAxrjnx/6mZrWHOk+zM3W8OeI9uVAhJnG5dhEnYlSsKw2WyUhJO3LJJCDhOU
hGEnBF/WMV72ixOW5r2t7iFPHeSEpQtslqt8GZDEigiJSdeSD0AlSt1AF4Em
cjcsA58w2S+GT+QblfxdQRRzaVzsSGLYK3UkWe1VSyIrgmGCrHD3huPB4OSs
jKw42cHrBjWyokZW1MiKGlnxcWRFNBgMwlNMezrFzimnoBf6mwNsQQEj2PUC
mHPWj2P4uu2rs0mHpHI/jpuLlorCMUWWvxIgzETu9Yc3uBayz+a0XHrvbjs/
yOX2t7eGN5yMQL2ByF8eWy/eyf7Tzt374Gp7aBgv8uvXHmeXzZ2j/q4ptg+V
9fZ6fnjeviHtG3eIXND9NQbNQkpXKaPrXR3G7VVs3XIDG+EQV6jxzlg38rgB
cR6HQ3XKzsEavWl5zliN/f2zo7edLjt7/dZ0zd24rcgxvYvbrozHxBtc7KYN
fNT4NpsKhaOP2RiK0zPzmUUN9+x1dHHOT1+uTvfu28Pz08Mdq69GD+Tx5Oh8
/0ufX8nN8OTp9pkee6/n791nEd59H1xv7rSG3nbQN0I4Zo7OvesdT/35y8Ey
FYefAmxGCPOzNtgaQPPbATTS9uSk3opcVG+FLNm6A76DTwITH5UUWbENR1iu
bnJiK+VZjsVhpoayfTAhQod5rmVZvuMIanE/ZFwF8H6bBiED+wXGbMZVM1zp
Ck+FnEhBDZ+aYHT7IczF8V1pOb5ng+4TyIjZfSyLZTZIoc6GRR0EE4HMuNRz
Qx5woYRlMh+YR0XoU1tZQEyDcsollzYHW8c2fWIxF4bhUMv2LDMwfNuWjhVy
S3Js/oLlM1jIpBkCaZjhMJfZjm/aAsaP4hMaYEmFhErlua7lmiZVOAqQAxko
ZjmmE0hlmCxQ3PC5BUY/C02QDaCRZTN4JJN+oHwTnkK4J5gvQUYMgTVYKGe2
xWxJlQiYx3xHWdJRNBQmzBjLdcCYAhdeybEuigUUoiwgoQuUVlmPyU+ENM1a
+jW4qQY31eCm/E01uOmvTcIa3FSDm2pwU7RGvwv5W/td6B/xVxFmVuMns/pd
AAdBHVqdZEex27jYLQdvt3Wd+7aNA5C5dgR9B8vMdyyssd5z8HagKO9hCXzQ
oJGeILZl6ONlMtd9guu870lDgI7u0tBt615TAj/sUZw4qBHQx05OipiDUgeP
AmWMxeG7WCNfchzbz+t3AbssdZJuAHgw0BXwYa/lIMYCBwBzwX4REi+Y3Aj7
DMwCyGjptQDP5BQlAf7YXEPKbCzYD7zomJjCPrkRxgOnoq6F/DJ6SCXpIEoN
FhcM2LB1uwzdPQCmmW8OACxGcBwwy8ES+qCKgUrwFqFJCv8HKcImA4bub5C7
ERjd6SDrYUuk7Qq8Hp7XgKZtJAewxImwLRgsOxbhaGCgMD4swM9w2bNEoKkW
BpgO0wOD0fbg8h5KI+ylvKubhEjceIF9IgH54eQoFgmAcw42EqBI44hhHQCQ
sraF9AA+wLZj0knPCXg01fUD4AUdPRNgc4fjnJnenGCc/Y6WOTg6ic/D6806
29fIvRq5VyP3auRejdyrkXv4VSP3auRejdxbONoauVcj92rkXu5NfxXkHhaw
l4Ubysi9fEuEpLuBhQ9IW1MsHWubDrURuCt+xjpBtzjmRli63NaPvhGWnsAw
DrdeGI6wdGefU/d+QTwu60xQFZlbHJjLugwsDtHlI3SEx1K0Ii6T26m1tUZ0
Lw7uEWFMFOa6YT4iUv2OAb/peN+HcJketgJchM7U/QI/BaKZ7zy4PE4zvmup
utHWXw2suaEHD8o5/+Hoj78VhrOK/kUgp2QfK4y1+H1LojlDO0VzRojmPP9e
RnOen+N1tEZz1mjOGs1Zozk/B825fwtKxRvWaM5/CzTnDDa6qqVCd9B4ujyH
6dwEXWAl0iSAEbZ629/ee5570/3++nLBD8Zfz/deOvx4wkqCvMyrsJiVwVvj
Hf+eyoPWXXuebJCccDxmIt24UmCWDI2zgWr3Q//kYO94DDtca/v2x9uj3D1o
ft0cW1fO42hIvvCmGrKL8aWvejGLRIB73zxO+DEnjpATxFVNH5TldsPd1bIQ
jAP3y7i521AXyGtQMEGJzbcnh93Nl/v7AXt7I/fGzlXjcqcTHBz+CB8aBTYa
d8I17Bezeb75Gsl7frdpPOyZztnXLxebN62zd2H2W2Rw5jcut3sqCNjR4fH1
OW+Pjr8fHTXPri8ud4OD64eXgd0QINDvbfvbjQG64neCcsvH3QIy15TGp56Y
anjub4fn2mwVgC4pew1W9xWQ1FnwEYAuWdczkPcHkNUcArPdAGQZP8Ai658U
zX/giVq9KSGJuxKu24kw7j5IVm8/WG45SJbrOTi/zyCpbjS4fHNBUuwuuF5H
QaJYvo0gjsIFdeI58CQQ1oADWeCtYWAwF/jtc1hMLLBAcBmuF8tSpi+JQ0NG
3cB1lYIxg8wKRRWoEAUiC4wzLQf0gfACFXJmeQasByc0PAZawlOOzwJHOC4J
A2VJ6Qkqfyp8eko/1xjqGkNdY6jzN9UY6r82CWsMdY2hrjHUNYa6xlD/u2Oo
lxDsmNrdRJirpBq+n9xYEMt+uhzyEi4QpW3HEp4TM+AXENDqL1hBE8nPpCVd
QTDOWMhlpIurct3ejeIU2haemeBUxHJDheOUsPC38brA45RAErH2VsfBD0Fa
aAcx2SAtKYpbrwgTj19A+b4eKp5xUyGfyGReFPNzXCiTKIoGCkB+b4VhZ2Lf
w6nBUCmIh4U94mBrhmWIXexs/NBoF9gB5yCQT5BGp48EQanoJ3IewUs1qXsm
Uo+ynLRobWBEuFrxGKWr1sKSh1fDwKiNywG0BDwQxiaNgrqI5bbD8HhqdfFK
FEiqq9vKLcdGssP4Ydh5wQZSM3hLBzVepBvfObA6GJ5AYGmYukkebEmgGYCw
3V52o6ER89gij+FiBE45mpvwQNqvyBWA1ciBBw4+GmQRyARbHbAhnlg/QoXe
AR60sYgvKMoYwc+Qs32N8wdWAn0sXRkYTkTASvgc3hh1kOBwTE+b+aFuE3p0
DpIQViGIQFufR0HvdhHqvwUbZruP+QRWorDh7d0OMgzsE+B3V1cchnUOBIKH
wYEMRohpBnKrC3Igf0auwJQhWycM1AkDdcJAnTBQJwzUCQP4VScM1AkDdcLA
wtHWCQN1wkCdMJB7018lYaCs0uYnDGQKLkWKl1MOkN2pQ8UHI6uQZTCh/rp5
BlmWwcbGeuW9bHhGpg7WBRIQZuYOl2nVr9UwBYQ52TlpZgGwxfACwtmEpotr
gc1GGhCeLd/VyoJloIM04wC/dP6BkclHzkZOVmdZPkC0Mf+AF+RjJfhCjF7I
8g9Q+a2HZCCCT45pMaphdVADARpN+FICOCyHbyDCmZyt5mMdqqEORLIJTZeH
PRRRD0TKCU3XQ0AoRmAhpM/IgyGItOUamSrSTqi7OpAixVEQ00hW3/qICmKK
hEOOW4ZW/GNDdXHruYt6A/RAjWBa//2PdvGz/yH/vXWv98Wo9+d/9Nt3o+g/
/oeQ1lW00f7xfDV8GmHSxP3txuvr60Z/+IRHuOtoDFuxzpdInFv44/B+4/r+
OXr6HvWuMRPjBQ52qPU3hn2dVtF7avef/y/5/zPWObwytAIA

-->

</rfc>
