<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-reddy-seat-expat-transport-01" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="ALTEA">Application-Layer Transport for Exported Authenticators and Attestation</title>
    <seriesInfo name="Internet-Draft" value="draft-reddy-seat-expat-transport-01"/>
    <author fullname="Tirumaleswar Reddy">
      <organization>Nokia</organization>
      <address>
        <postal>
          <city>Bangalore</city>
          <region>Karnataka</region>
          <country>India</country>
        </postal>
        <email>k.tirumaleswar_reddy@nokia.com</email>
      </address>
    </author>
    <author fullname="Hannes Tschofenig">
      <organization abbrev="UniBw M.">University of the Bundeswehr Munich</organization>
      <address>
        <postal>
          <city>Neubiberg</city>
          <region>Bavaria</region>
          <country>Germany</country>
        </postal>
        <email>hannes.tschofenig@gmx.net</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>SEAT</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 57?>

<t>This document defines a binary, application-layer transport
protocol for exchanging Exported Authenticator messages between
two peers over TLS. It provides the signaling required to initiate
and complete post-handshake authentication exchanges at the
application layer, without requiring modifications to the TLS
layer itself.</t>
      <t>While primarily intended to support attestation exchange, the
transport is generic and can be used independently for any
Exported Authenticator exchange.</t>
      <t>The document further specifies how protocol messages are
conveyed as Capsules over an HTTP connection established
using the Extended CONNECT method, with support for both
HTTP/2 and HTTP/3. In addition, it defines how the protocol
can operate directly over TLS or DTLS 1.3 without an HTTP
binding, using a so-called "Shim Mode".</t>
    </abstract>
  </front>
  <middle>
    <?line 77?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>TLS Exported Authenticators <xref target="RFC9261"/> provide a mechanism for
post-handshake authentication over an established TLS 1.3 connection.
Either peer may request an Exported Authenticator from the other after
the TLS handshake has completed. However, <xref target="RFC9261"/> defines only the
authenticator mechanism itself; it does not define how authenticator
requests, responses, or errors are signaled between peers. Each
application protocol is therefore responsible for defining its own
transport and signaling mechanism.</t>
      <t><xref target="I-D.fossati-seat-expat"/> extends Exported Authenticators to carry
attestation Evidence and Attestation Results, enabling attestation
to be performed after the TLS handshake. As with <xref target="RFC9261"/>,
it defines the semantics and content of the messages, but not the
application-layer transport used to carry them.</t>
      <t>This document defines such a transport. It specifies a binary
application-layer protocol for exchanging Exported Authenticator
messages between two peers over an established TLS connection. The
protocol is generic: although it is primarily motivated by attestation
exchange, it can be used for any Exported Authenticator exchange.</t>
      <t>The specification defines:</t>
      <ul spacing="normal">
        <li>
          <t>Binary message structures, using the presentation
language of <xref target="RFC8446"/>, for carrying Exported Authenticator requests,
responses, and errors.</t>
        </li>
        <li>
          <t>A capability negotiation mechanism that allows peers to determine the
supported attestation message patterns and Conceptual Message Wrapper
(CMW) encoding formats before exchanging Exported Authenticator
 messages.</t>
        </li>
        <li>
          <t>An HTTP binding in which protocol messages are carried as Capsules
<xref target="RFC9297"/> over an HTTP connection established using the Extended
CONNECT method <xref target="RFC8441"/> <xref target="RFC9220"/>.</t>
        </li>
        <li>
          <t>A direct TLS and DTLS 1.3 binding, referred to as Shim Mode, for use
cases where the protocol is run directly over the secure transport
without an HTTP binding.</t>
        </li>
      </ul>
      <t>In the HTTP binding, the client sends an Extended CONNECT request using
the upgrade token "exported-authenticator". Once the connection has been
established, both peers exchange protocol messages as Capsules on the
resulting HTTP stream. This design supports both HTTP/2 and HTTP/3 and
allows the Exported Authenticator exchange to be multiplexed with other
application traffic.</t>
      <t>The protocol supports re-attestation on an HTTPS connection. Either peer
may request a fresh Exported Authenticator at any time. However,
re-attestation is not supported in Shim Mode.</t>
      <section anchor="requirements-language">
        <name>Requirements Language</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

<ul spacing="normal">
          <li>
            <t>"TLS" refers to TLS 1.3 and DTLS 1.3 unless otherwise specified. References to TLS
connections, exporters, and Exported Authenticators apply equally to DTLS as defined in <xref target="RFC9261"/>. In the context of Shim Mode (<xref target="shim-mode"/>), "TLS" also encompasses DTLS.</t>
          </li>
          <li>
            <t>The term "terminate the connection" refers to closing the underlying secure transport
connection carrying this protocol.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="protocol-overview">
      <name>Protocol Overview</name>
      <t>The client initiates the protocol using one of the two bindings defined
in this document:</t>
      <ul spacing="normal">
        <li>
          <t>In the TLS binding (<xref target="shim-mode"/>), the client establishes a TLS
connection with the server. The attestation exchange begins immediately
after the TLS handshake completes, with no additional connection setup
step.</t>
        </li>
        <li>
          <t>In the HTTP binding (<xref target="http-binding"/>), the client sends an Extended
CONNECT request with the HTTP upgrade token "exported-authenticator"
and the Capsule-Protocol header field set to true. The server signals
acceptance with a 2xx response that also includes the Capsule-Protocol
header field.</t>
        </li>
      </ul>
      <t>If attestation features are used, once the connection is established,
the server sends an auth_capabilities (EXPAT_AUTH_CAPABILITIES Capsule
in the HTTP binding) message advertising its supported attestation
models and CMW types. The client replies with an auth_capabilities message
containing its selected attestation model and CMW type chosen from the
server's advertised list. If no common attestation model or CMW type
exists, the client sends an auth_error (EXPAT_AUTH_ERROR Capsule in
the HTTP binding) message and terminates the connection.</t>
      <t>Once capabilities are exchanged successfully, either peer may act as
Initiator and send an auth_request (EXPAT_AUTH_REQUEST Capsule in the
HTTP binding) message at any time. The other peer (the Responder)
replies with either an authenticator (EXPAT_AUTHENTICATOR Capsule in
the HTTP binding) message or an auth_error (EXPAT_AUTH_ERROR Capsule
in the HTTP binding) message.</t>
      <figure anchor="fig-overview-shim">
        <name>Protocol overview: TLS binding (Shim Mode)</name>
        <artwork><![CDATA[
Server                                   Client
  |                                        |
  | [TLS binding]                          |
  |<===TLS Handshake======================>|
  |                                        |
  |   [if attestation features are used]   |
  |                                        |
  +----auth_capabilities------------------>|
  |<---auth_capabilities-------------------+
  |                                        |
  |   [either peer may now initiate]       |
  |                                        |
  |<---auth_request(id=1) -----------------+
  +----authenticator(id=1) --------------->|
  |                                        |
  +----auth_request(id=0x8001) ----------->|
  |<---authenticator(id=0x8001) -----------+
]]></artwork>
      </figure>
      <figure anchor="fig-overview-http">
        <name>Protocol overview: HTTP binding</name>
        <artwork><![CDATA[
Server                                   Client
  |                                        |
  | [HTTP binding]                         |
  |<---Extended CONNECT (upgrade token)----+
  +----200 OK (Capsule-Protocol: ?1)------>|
  |                                        |
  |   [if attestation features are used]   |
  |                                        |
  +----EXPAT_AUTH_CAPABILITIES Capsule---->|
  |<---EXPAT_AUTH_CAPABILITIES Capsule-----+
  |                                        |
  |   [either peer may now initiate]       |
  |                                        |
  |<---EXPAT_AUTH_REQUEST(id=1) -----------+
  +----EXPAT_AUTHENTICATOR(id=1) --------->|
  |                                        |
  +----EXPAT_AUTH_REQUEST(id=0x8001) ----->|
  |<---EXPAT_AUTHENTICATOR(id=0x8001) -----+
]]></artwork>
      </figure>
    </section>
    <section anchor="mdef">
      <name>Message Definitions</name>
      <t>All structures use the presentation language of TLS 1.3 <xref target="RFC8446"/>.
All multi-byte integers are in network byte order.</t>
      <t>A peer <bcp14>MUST NOT</bcp14> have more than one outstanding AuthenticatorRequest in
each direction at any time. A peer awaiting a response <bcp14>MUST</bcp14> be prepared
to receive and process an AuthenticatorRequest from the other peer. A peer <bcp14>MUST</bcp14>
treat any message that does not conform to the sequencing and matching rules
defined in this document, or that does not match an outstanding request
where required, as a protocol_error.</t>
      <section anchor="authmessagetype">
        <name>AuthMessageType</name>
        <artwork><![CDATA[
enum {
    auth_request(1),
    authenticator(2),
    auth_error(3),
    auth_capabilities(4),
    (255)
} AuthMessageType;
]]></artwork>
        <t>Values 5-254 are unassigned and available for future assignment via the
IANA registry defined in <xref target="iana-auth-message-type"/>. The
AuthMessageType enum applies to the Shim Mode framing (<xref target="shim-mode"/>)
and DTLS binding (<xref target="dtls-considerations"/>); in the HTTP binding, message
type discrimination is performed by the Capsule Type field instead (see
<xref target="iana-capsule-types"/>).</t>
      </section>
      <section anchor="authcapabilities">
        <name>AuthCapabilities</name>
        <artwork><![CDATA[
enum {
    background_check(1),
    passport(2),
    (255)
} AttestationModel;

opaque cmw_type<1..255>;

struct {
    AuthMessageType  msg_type;             /* auth_capabilities(4)  */
    AttestationModel models<1..255>;       /* RATS models           */
    cmw_type         cmw_types<1..2^16-1>; /* CMW media types       */
} AuthCapabilities;
]]></artwork>
        <t>If attestation-related features defined in <xref target="I-D.fossati-seat-expat"/>
are to be used, the server <bcp14>MUST</bcp14> send an AuthCapabilities message
(EXPAT_AUTH_CAPABILITIES Capsule in the HTTP binding) immediately after
accepting the Extended CONNECT request (i.e., after sending the 2xx
response) in the HTTP binding, or immediately after the TLS handshake
completes in Shim Mode, before any other message. The client <bcp14>MUST</bcp14> reply
with its own AuthCapabilities message before sending any other message.</t>
        <t>Both fields <bcp14>MUST</bcp14> be non-empty. A peer that receives an AuthCapabilities
message (EXPAT_AUTH_CAPABILITIES Capsule in the HTTP binding) with an
empty models or cmw_types field <bcp14>MUST</bcp14> send an AuthError message
(EXPAT_AUTH_ERROR Capsule in the HTTP binding) with error_code
protocol_error(1) and terminate the connection.</t>
        <t>The cmw_types field contains a vector of UTF-8 media type strings (e.g.,
"application/cmw+cbor"), each individually length-prefixed as defined by
the cmw_type type above.</t>
        <t>The AuthCapabilities message sent by the client conveys the selected
attestation model and CMW type for the connection. The client <bcp14>MUST</bcp14>
select a single attestation model and a single CMW type from the
server's advertised lists and include only the selected values in
its AuthCapabilities message.</t>
        <t>If the client does not support any attestation model or CMW type
advertised by the server, it <bcp14>MUST</bcp14> send an AuthError message
(EXPAT_AUTH_ERROR Capsule in the HTTP binding) with error_code
protocol_error(1) and terminate the connection.</t>
        <t>If the client selects an attestation model or CMW type that was not
advertised by the server, the server <bcp14>MUST</bcp14> send an AuthError message
(EXPAT_AUTH_ERROR Capsule in the HTTP binding) with error_code
protocol_error(1) and terminate the connection.</t>
        <t>A peer that sends an AuthCapabilities message and does not receive
a corresponding response <bcp14>MUST</bcp14> treat this as a protocol_error and
terminate the connection. This rule applies to the HTTP binding
and Shim Mode over TLS 1.3; the analogous behaviour for Shim Mode
over DTLS 1.3 is described in <xref target="dtls-considerations"/>.</t>
        <t>If the AuthCapabilities exchange is omitted, peers <bcp14>MUST NOT</bcp14> use
attestation-related features defined in <xref target="I-D.fossati-seat-expat"/>.</t>
        <t>A peer that receives an AuthCapabilities message (EXPAT_AUTH_CAPABILITIES
Capsule in the HTTP binding) outside of the initial capability exchange
<bcp14>MUST</bcp14> treat it as a protocol_error.</t>
        <t>A client that requires attestation and does not receive an AuthCapabilities
message (EXPAT_AUTH_CAPABILITIES Capsule in the HTTP binding) as the first
message from the server <bcp14>MUST</bcp14> send an AuthError message (EXPAT_AUTH_ERROR
Capsule in the HTTP binding) with error_code protocol_error(1) and
terminate the connection. When determining whether an AuthCapabilities
message was received as the first message, unknown Capsule Types that
are silently ignored per <xref target="RFC9297"/> <bcp14>MUST NOT</bcp14> be counted.</t>
      </section>
      <section anchor="authenticatorrequest">
        <name>AuthenticatorRequest</name>
        <artwork><![CDATA[
struct {
    AuthMessageType msg_type;          /* auth_request(1)     */
    uint16          request_id;        /* request identifier  */
    opaque          authenticator_request<1..2^24-1>;
                                       /* certificate request */
} AuthenticatorRequest;
]]></artwork>
        <t>The authenticator_request field contains a CertificateRequest or
ClientCertificateRequest message encoded as a TLS handshake message,
as defined in <xref target="RFC9261"/>.</t>
        <t>The request_id is used to correlate protocol messages, while the
certificate_request_context contained within authenticator_request is
used by <xref target="RFC9261"/> for binding the resulting Authenticator.</t>
        <section anchor="request-id">
          <name>Request ID</name>
          <t>The request_id namespace is split on the high bit to avoid collision when
both peers initiate requests concurrently:</t>
          <ul spacing="normal">
            <li>
              <t>Client-initiated requests: 0x0001 to 0x7FFF</t>
            </li>
            <li>
              <t>Server-initiated requests: 0x8001 to 0xFFFF</t>
            </li>
            <li>
              <t>0x0000 and 0x8000 are reserved for use in AuthError messages
(EXPAT_AUTH_ERROR Capsules in the HTTP binding) when no specific
request is implicated. A Client <bcp14>MUST</bcp14> use 0x0000 and a Server <bcp14>MUST</bcp14>
use 0x8000 for these messages. Any AuthError message received during
the AuthCapabilities exchange <bcp14>MUST</bcp14> use these reserved values.</t>
            </li>
          </ul>
          <t>A receiver that receives an AuthError message with a reserved
request_id that does not correspond to the sender's role
(i.e., 0x0000 from the server or 0x8000 from the client) <bcp14>MUST</bcp14>
treat it as a protocol_error and terminate the connection.</t>
          <t>The Initiator <bcp14>MUST NOT</bcp14> reuse a request_id that is currently pending,
except when retransmitting a request over DTLS 1.3 as described in
<xref target="dtls-considerations"/>. When the maximum value in its range is reached,
the Initiator wraps around within its assigned range and <bcp14>MUST</bcp14> select the
next request_id that is not currently in use by a pending request.</t>
        </section>
      </section>
      <section anchor="authenticatorresponse">
        <name>AuthenticatorResponse</name>
        <artwork><![CDATA[
struct {
   AuthMessageType msg_type;                      /* authenticator(2) */
   uint16          request_id;
   opaque          authenticator_blob<1..2^24-1>; /* RFC 9261         */
                                                  /* Authenticator    */
} AuthenticatorResponse;
]]></artwork>
        <t>The request_id <bcp14>MUST</bcp14> match the corresponding AuthenticatorRequest.</t>
        <t>The authenticator_blob contains the Authenticator structure. When used
with <xref target="I-D.fossati-seat-expat"/>, the Certificate message within the
Authenticator carries the cmw_attestation extension.</t>
        <t>A receiver that receives an AuthenticatorResponse message
(EXPAT_AUTHENTICATOR Capsule in the HTTP binding) when no request is
outstanding, or with a request_id that does not match any outstanding
request, <bcp14>MUST</bcp14> treat it as a protocol_error.</t>
        <t>A receiver that receives more than one AuthenticatorResponse message
(EXPAT_AUTHENTICATOR Capsule in the HTTP binding) for the same
request_id <bcp14>MUST</bcp14> treat it as a protocol_error.</t>
        <t>The Initiator <bcp14>MUST</bcp14> verify the Authenticator as specified in <xref target="RFC9261"/>
and abort the request if verification fails.</t>
      </section>
      <section anchor="autherror">
        <name>AuthError</name>
        <artwork><![CDATA[
enum {
    protocol_error(1),
    authenticator_failed(2),
    request_id_conflict(3),
    internal_error(4),
    attestation_service_unavailable(5),
    attestation_validation_failed(6),
    attestation_policy_violation(7),
    (255)
} AuthErrorCode;

struct {
    AuthMessageType msg_type;    /* auth_error(3)                        */
    uint16          request_id;  /* 0x0000 (client) or 0x8000 (server)  */
                                 /* if no request is implicated          */
    AuthErrorCode   error_code;
} AuthError;
]]></artwork>
        <t>AuthError messages (EXPAT_AUTH_ERROR Capsules in the HTTP binding) are
bidirectional: either peer may send one at any time.</t>
        <t>Error code semantics:</t>
        <dl newline="true">
          <dt>protocol_error(1):</dt>
          <dd>
            <t>A message was malformed, received out of sequence, or violated a
requirement of this specification (including capability mismatch at
session setup).</t>
          </dd>
          <dt>authenticator_failed(2):</dt>
          <dd>
            <t>The sender was unable to produce a valid Authenticator because the
required attestation Evidence could not be collected.</t>
          </dd>
          <dt>request_id_conflict(3):</dt>
          <dd>
            <t>The received request_id is already in use for an outstanding request
(e.g., due to protocol violation or peer misbehavior).</t>
          </dd>
          <dt>internal_error(4):</dt>
          <dd>
            <t>An unrecoverable internal error occurred that prevents further
processing of the protocol.</t>
          </dd>
          <dt>attestation_service_unavailable(5):</dt>
          <dd>
            <t>The attestation service (TEE or Verifier) is unreachable or timed out.</t>
          </dd>
          <dt>attestation_validation_failed(6):</dt>
          <dd>
            <t>A cryptographic check on the received Authenticator
failed (e.g., signature invalid or Attestation Binder mismatch).</t>
          </dd>
          <dt>attestation_policy_violation(7):</dt>
          <dd>
            <t>The Authenticator is cryptographically valid but does not satisfy the
Relying Party's attestation policy.</t>
          </dd>
        </dl>
        <t>Upon sending or receiving an AuthError message (EXPAT_AUTH_ERROR Capsule
in the HTTP binding) with any error_code other than
attestation_service_unavailable(5), the peer <bcp14>MUST</bcp14> terminate the
connection immediately.</t>
        <t>If the error_code is attestation_service_unavailable(5), the connection
<bcp14>MAY</bcp14> remain open as the failure is transient. The initiator <bcp14>MUST</bcp14> retry
with a new AuthenticatorRequest message (EXPAT_AUTH_REQUEST Capsule in
the HTTP binding) using a new request_id. The initiator <bcp14>MUST</bcp14> apply an
exponential backoff strategy between retries to avoid overwhelming the
attestation service.</t>
        <t>A receiver that receives an AuthError message (EXPAT_AUTH_ERROR Capsule
in the HTTP binding) with a request_id that does not correspond to any
outstanding request and is not a reserved value (0x0000 or 0x8000) <bcp14>MUST</bcp14>
terminate the connection immediately. Any AuthError message sent with a
reserved request_id (0x0000 or 0x8000) <bcp14>MUST</bcp14> be treated as a
session-level error and results in immediate termination.</t>
      </section>
    </section>
    <section anchor="http-binding">
      <name>HTTP Binding</name>
      <section anchor="http-upgrade-token">
        <name>HTTP Upgrade Token</name>
        <t>The HTTP upgrade token defined by this document is:</t>
        <artwork><![CDATA[
exported-authenticator
]]></artwork>
        <t>This token is registered in the "HTTP Upgrade Token Registry" as
defined in <xref target="iana-upgrade-token"/>.</t>
      </section>
      <section anchor="connection-establishment">
        <name>Connection Establishment</name>
        <t>The client initiates the protocol by sending an Extended CONNECT request
<xref target="RFC8441"/><xref target="RFC9220"/> with the following pseudo-header fields and header
fields:</t>
        <artwork><![CDATA[
:method    = CONNECT
:protocol  = exported-authenticator
:scheme    = https
:path      = <configured path, e.g. /.well-known/expat/>
:authority = <server authority>
Capsule-Protocol: ?1
]]></artwork>
        <t>The server <bcp14>MUST</bcp14> respond with a 2xx (successful) response that also
includes:</t>
        <artwork><![CDATA[
Capsule-Protocol: ?1
]]></artwork>
        <t>If the server does not support the "exported-authenticator" upgrade
token, it <bcp14>MUST</bcp14> respond with a 4xx or 5xx response. The client <bcp14>MUST</bcp14>
treat any non-2xx response as a failure and <bcp14>MUST NOT</bcp14> send any Capsules
on the stream.</t>
        <t>Once a 2xx response has been received, both client and server switch
to the Capsule Protocol <xref target="RFC9297"/> on the HTTP stream. All subsequent
bytes on that stream are Capsules as defined in Section 3.2 of
<xref target="RFC9297"/>.</t>
      </section>
      <section anchor="capsule-framing">
        <name>Capsule Framing</name>
        <t>Each protocol message defined in <xref target="mdef"/> <bcp14>MUST</bcp14> be sent as exactly one
Capsule. The Capsule Type field identifies the message type as specified
in <xref target="iana-capsule-types"/>. The Capsule Value field contains the body of
the message: all fields of the relevant struct from <xref target="mdef"/>, excluding
the msg_type field, which is replaced by the Capsule Type.</t>
        <t>Unknown Capsule Types <bcp14>MUST</bcp14> be silently ignored per Section 3.2 of
<xref target="RFC9297"/>. This provides forward compatibility: future extensions <bcp14>MAY</bcp14>
define new Capsule Types without requiring version negotiation.</t>
      </section>
      <section anchor="capsule-type-to-message-mapping">
        <name>Capsule Type to Message Mapping</name>
        <t>The following table maps Capsule Type names to the protocol messages
defined in <xref target="mdef"/>:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Capsule Type Name</th>
              <th align="left">Protocol Message</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">EXPAT_AUTH_REQUEST</td>
              <td align="left">AuthenticatorRequest</td>
            </tr>
            <tr>
              <td align="left">EXPAT_AUTHENTICATOR</td>
              <td align="left">AuthenticatorResponse</td>
            </tr>
            <tr>
              <td align="left">EXPAT_AUTH_ERROR</td>
              <td align="left">AuthError</td>
            </tr>
            <tr>
              <td align="left">EXPAT_AUTH_CAPABILITIES</td>
              <td align="left">AuthCapabilities</td>
            </tr>
          </tbody>
        </table>
        <t>Capsule Type values are assigned in the IANA registry defined in
<xref target="iana-capsule-types"/>.</t>
      </section>
      <section anchor="bidirectionality">
        <name>Bidirectionality</name>
        <t>After the connection is established, both client and server <bcp14>MAY</bcp14> send
any Capsule Type at any time, subject to the sequencing and request_id
rules in <xref target="mdef"/>. Either peer <bcp14>MAY</bcp14> initiate an EXPAT_AUTH_REQUEST
Capsule, consistent with the request_id namespace split defined in <xref target="mdef"/>.</t>
      </section>
      <section anchor="tls-requirement">
        <name>TLS Requirement</name>
        <t>This protocol <bcp14>MUST</bcp14> be used only over TLS 1.3 or later versions.
When operating over HTTP/3, TLS 1.3 is used internally by QUIC as
specified in <xref target="RFC9001"/>, satisfying this requirement. DTLS is not
applicable to the HTTP transport; DTLS 1.3 is supported only for
the Shim Mode defined in this document.</t>
      </section>
      <section anchor="operation-over-http2-and-http3">
        <name>Operation over HTTP/2 and HTTP/3</name>
        <t>When operating over HTTP/2 <xref target="RFC9113"/> or HTTP/3 <xref target="RFC9114"/>, the
Extended CONNECT mechanism is used as defined in <xref target="RFC8441"/> and
<xref target="RFC9220"/>, respectively. In both cases, the server <bcp14>MUST</bcp14> advertise
the SETTINGS_ENABLE_CONNECT_PROTOCOL setting with value 1 before the
client <bcp14>MAY</bcp14> send an Extended CONNECT request with the
"exported-authenticator" upgrade token.</t>
      </section>
      <section anchor="path-configuration">
        <name>Path Configuration</name>
        <t>The path is carried in the :path pseudo-header field of the Extended
CONNECT request. This document registers the well-known URI suffix
"expat" (see <xref target="iana-well-known"/>), yielding the default path
/.well-known/expat/.</t>
      </section>
    </section>
    <section anchor="use-with-draft-fossati-seat-expat">
      <name>Use with draft-fossati-seat-expat</name>
      <t>When used with <xref target="I-D.fossati-seat-expat"/>:</t>
      <ul spacing="normal">
        <li>
          <t>Whether attestation features are used on a given connection
is determined by whether the cmw_attestation extension was negotiated per
Section 3.1 of <xref target="I-D.fossati-seat-expat"/>. A server <bcp14>MUST NOT</bcp14> send an
auth_capabilities message on a connection where that extension was not
negotiated.</t>
        </li>
        <li>
          <t>An auth_capabilities (EXPAT_AUTH_CAPABILITIES Capsule in the HTTP
binding) message <bcp14>MUST</bcp14> advertise at least one AttestationModel and one
CMW media type (e.g., "application/cmw+cbor" or "application/cmw+json").</t>
        </li>
        <li>
          <t>The authenticator_blob in an authenticator (EXPAT_AUTHENTICATOR Capsule
in the HTTP binding) message contains an Authenticator whose Certificate
message carries the cmw_attestation extension with Evidence
(background-check model) or an Attestation Result (passport model).</t>
        </li>
        <li>
          <t>The Initiator applies the Authenticator validation procedure defined
in <xref target="I-D.fossati-seat-expat"/> to the received Authenticator.</t>
        </li>
      </ul>
      <t>For re-attestation on long-lived connections, either peer <bcp14>MAY</bcp14> send a
new auth_request (EXPAT_AUTH_REQUEST Capsule in the HTTP binding)
message at any time. Re-attestation is not supported in Shim Mode;
implementations requiring re-attestation <bcp14>MUST</bcp14> use the HTTP binding.</t>
    </section>
    <section anchor="dtls-considerations">
      <name>DTLS 1.3 Considerations</name>
      <t>When this protocol is used in Shim Mode over DTLS 1.3 <xref target="RFC9147"/>,
message loss and reordering may occur. In such environments,
retransmission of messages may be required. The Capsule Protocol and
the HTTP binding are not used over DTLS; all references in this section
are to the Shim Mode framing defined in <xref target="shim-mode"/>.</t>
      <t>If a peer does not receive a response to an AuthCapabilities message,
it <bcp14>MUST</bcp14> retransmit using the same exponential backoff and timeout
mechanism as the DTLS handshake retransmission defined in <xref target="RFC9147"/>.
If no response is received after the retransmission timeout expires,
the peer <bcp14>MUST</bcp14> treat it as a protocol_error and terminate the connection.</t>
      <t>If a peer does not receive a response (AuthenticatorResponse or
AuthError) for an outstanding AuthenticatorRequest within an
implementation-defined timeout, it <bcp14>MAY</bcp14> retransmit the request.</t>
      <t>A retransmitted AuthenticatorRequest <bcp14>MUST</bcp14> use the same request_id and
authenticator_request value as the original.</t>
      <t>A receiver that receives a duplicate AuthenticatorRequest with the
same request_id and identical authenticator_request value <bcp14>MUST</bcp14> treat
it as a retransmission and <bcp14>MAY</bcp14> resend the corresponding
AuthenticatorResponse.</t>
      <t>A receiver that receives duplicate AuthenticatorResponse messages for
the same request_id and identical authenticator_blob <bcp14>MUST</bcp14> treat them
as retransmissions and ignore duplicates.</t>
      <t>A receiver <bcp14>MUST</bcp14> ensure that retransmission does not result in multiple
distinct cryptographic operations for the same request_id. To achieve
this, the receiver <bcp14>SHOULD</bcp14> cache the generated AuthenticatorResponse for
a period sufficient to handle potential retransmissions. If a duplicate
AuthenticatorRequest is received, the cached AuthenticatorResponse
<bcp14>SHOULD</bcp14> be returned.</t>
      <t>Fatal AuthError messages require best-effort coordinated termination.
A peer that receives a fatal AuthError <bcp14>MUST</bcp14> stop sending application
data and <bcp14>SHOULD</bcp14> send a close_notify alert. The sender of a fatal
AuthError <bcp14>MAY</bcp14> retransmit the error if it continues to receive any
records from the peer. If no records are received for a period
exceeding the retransmission timeout, the sender <bcp14>SHOULD</bcp14> assume the
peer has terminated and terminate the connection locally.</t>
    </section>
    <section anchor="shim-mode">
      <name>Direct TLS and DTLS Usage (Shim Mode)</name>
      <t>Shim Mode is intended for short-lived TLS connections where attestation
exchange is performed immediately after the TLS handshake is complete.
Re-attestation on long-lived connections is not supported in this mode;
implementations requiring re-attestation <bcp14>MUST</bcp14> use the HTTP binding
instead.</t>
      <t>This protocol <bcp14>MAY</bcp14> be used directly over a TLS 1.3 connection without
the HTTP binding defined in this document. In this mode, the messages
defined in <xref target="mdef"/> are exchanged immediately after the TLS handshake
completes and before any application data is sent.</t>
      <t>Each message <bcp14>MUST</bcp14> be framed as an AuthFrame. A receiver <bcp14>MUST</bcp14> verify the
magic field is equal to 0x414C5441. If the first 4 bytes of a message
in Shim Mode do not match 0x414C5441, the receiver <bcp14>MUST</bcp14> terminate the
connection immediately. This prevents the misinterpretation of
application-layer data (e.g., HTTP methods) as large ALTEA frame
lengths. As per <xref target="RFC8446"/> Section 3.4, the body field is encoded with
a 4-byte length prefix in network byte order. Receivers <bcp14>MUST</bcp14> use this
length to delimit message boundaries and parse msg_type from the first
byte of the body.</t>
      <artwork><![CDATA[
struct {
    uint32   magic;          /* Constant: 0x414C5441 ("ALTA") */
    opaque  body<1..2^32-1>;
} AuthFrame;
]]></artwork>
      <t>Note: The magic value 0x414C5441 is the ASCII encoding of "ALTA" and
serves solely as a framing guard against misinterpretation of
application-layer data.</t>
      <t>Peers <bcp14>MUST</bcp14> complete the protocol exchange before sending application
protocol messages (e.g., HTTP request/response). Messages defined in
this document <bcp14>MUST NOT</bcp14> be interleaved with application data.</t>
      <t>After the protocol exchange is complete, all subsequent data on the
connection is interpreted as application protocol data.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="transport-security">
        <name>Transport Security</name>
        <t>Although <xref target="RFC9261"/> supports both TLS 1.2 and TLS 1.3, this protocol
restricts use to TLS 1.3 as TLS 1.2 is deprecated. When attestation
features defined in <xref target="I-D.fossati-seat-expat"/> are used, TLS 1.3 is
further required because the attestation binding depends on the TLS
exporter defined in TLS 1.3. When operating over HTTP/3, TLS 1.3 is
provided by QUIC <xref target="RFC9001"/>.</t>
      </section>
      <section anchor="capability-mismatch">
        <name>Capability Mismatch</name>
        <t>Capability mismatch at session setup is treated as a fatal error. This
prevents silent downgrade to unauthenticated operation.</t>
      </section>
      <section anchor="capability-downgrade">
        <name>Capability Downgrade</name>
        <t>Implementations that require attestation <bcp14>MUST</bcp14> ensure that the
AuthCapabilities exchange is performed. Failure to receive or process
an AuthCapabilities message (EXPAT_AUTH_CAPABILITIES Capsule in the
HTTP binding) when attestation is expected <bcp14>MUST</bcp14> be treated as a
protocol_error to prevent downgrade attacks.</t>
      </section>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <section anchor="iana-upgrade-token">
        <name>HTTP Upgrade Token Registration</name>
        <t>IANA is requested to register the following entry in the "HTTP Upgrade
Token Registry" defined in Section 16.7 of <xref target="RFC9110"/>:</t>
        <dl newline="true">
          <dt>Value:</dt>
          <dd>
            <t>exported-authenticator</t>
          </dd>
          <dt>Description:</dt>
          <dd>
            <t>Exported Authenticator Transport</t>
          </dd>
          <dt>Expected Version Tokens:</dt>
          <dd>
            <t>None</t>
          </dd>
          <dt>Reference:</dt>
          <dd>
            <t>This document</t>
          </dd>
        </dl>
      </section>
      <section anchor="iana-capsule-types">
        <name>HTTP Capsule Types</name>
        <t>IANA is requested to register the following entries in the "HTTP
Capsule Types" registry defined in Section 5.4 of <xref target="RFC9297"/>.</t>
        <t>Registration policy: Specification Required.</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Capsule Type Name</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">TBD1</td>
              <td align="left">EXPAT_AUTH_REQUEST</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">TBD2</td>
              <td align="left">EXPAT_AUTHENTICATOR</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">TBD3</td>
              <td align="left">EXPAT_AUTH_ERROR</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">TBD4</td>
              <td align="left">EXPAT_AUTH_CAPABILITIES</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="iana-well-known">
        <name>Well-Known URI Registration</name>
        <t>IANA is requested to register the following Well-Known URI in the
"Well-Known URIs" registry defined in <xref target="RFC8615"/>:</t>
        <dl newline="true">
          <dt>URI Suffix:</dt>
          <dd>
            <t>expat</t>
          </dd>
          <dt>Change Controller:</dt>
          <dd>
            <t>IETF</t>
          </dd>
          <dt>Specification Document:</dt>
          <dd>
            <t>This document</t>
          </dd>
          <dt>Related Information:</dt>
          <dd>
            <t>For use with the "exported-authenticator" HTTP upgrade token.</t>
          </dd>
        </dl>
      </section>
      <section anchor="iana-auth-message-type">
        <name>AuthMessageType Registry</name>
        <t>IANA is requested to create a new registry "Transport Message Types"
under a new "Exported Authenticator Transport" registry group.</t>
        <t>This registry maps conceptual message type names to their struct
definitions, for use in the Shim Mode framing (<xref target="shim-mode"/>) and
DTLS binding (<xref target="dtls-considerations"/>). In the HTTP binding, message
type discrimination is performed by the Capsule Type field; see
<xref target="iana-capsule-types"/>.</t>
        <t>Registration policy: Specification Required for values 5-254.</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Name</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">Reserved</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">auth_request</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">authenticator</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">3</td>
              <td align="left">auth_error</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">4</td>
              <td align="left">auth_capabilities</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">5-254</td>
              <td align="left">Unassigned</td>
              <td align="left"> </td>
            </tr>
            <tr>
              <td align="left">255</td>
              <td align="left">Reserved</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="autherrorcode-registry">
        <name>AuthErrorCode Registry</name>
        <t>IANA is requested to create a new registry "Error Codes"
under the same registry group.</t>
        <t>Registration policy: Specification Required for values 8-191; Private Use
for 192-254.</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Name</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">Reserved</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">protocol_error</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">authenticator_failed</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">3</td>
              <td align="left">request_id_conflict</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">4</td>
              <td align="left">internal_error</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">5</td>
              <td align="left">attestation_service_unavailable</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">6</td>
              <td align="left">attestation_validation_failed</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">7</td>
              <td align="left">attestation_policy_violation</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">8-191</td>
              <td align="left">Unassigned (Specification Required)</td>
              <td align="left"> </td>
            </tr>
            <tr>
              <td align="left">192-254</td>
              <td align="left">Private Use</td>
              <td align="left"> </td>
            </tr>
            <tr>
              <td align="left">255</td>
              <td align="left">Reserved</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="attestation-model-registry">
        <name>Attestation Model Registry</name>
        <t>IANA is requested to create a new registry "Attestation Models" under
the same registry group.</t>
        <t>Registration policy: Specification Required for values 3-254.</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Name</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">Reserved</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">background_check</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">passport</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">3-254</td>
              <td align="left">Unassigned (Specification Required)</td>
              <td align="left"> </td>
            </tr>
            <tr>
              <td align="left">255</td>
              <td align="left">Reserved</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>Thanks to Ionut Mihalcea and Thomas Fossati for the comments.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC8441">
          <front>
            <title>Bootstrapping WebSockets with HTTP/2</title>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <date month="September" year="2018"/>
            <abstract>
              <t>This document defines a mechanism for running the WebSocket Protocol (RFC 6455) over a single stream of an HTTP/2 connection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8441"/>
          <seriesInfo name="DOI" value="10.17487/RFC8441"/>
        </reference>
        <reference anchor="RFC9261">
          <front>
            <title>Exported Authenticators in TLS</title>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document describes a mechanism that builds on Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) and enables peers to provide proof of ownership of an identity, such as an X.509 certificate. This proof can be exported by one peer, transmitted out of band to the other peer, and verified by the receiving peer.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9261"/>
          <seriesInfo name="DOI" value="10.17487/RFC9261"/>
        </reference>
        <reference anchor="I-D.fossati-seat-expat">
          <front>
            <title>Remote Attestation with Exported Authenticators</title>
            <author fullname="Muhammad Usama Sardar" initials="M. U." surname="Sardar">
              <organization>TU Dresden</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of the Bundeswehr Munich</organization>
            </author>
            <author fullname="Ionuț Mihalcea" initials="I." surname="Mihalcea">
              <organization>Arm Limited</organization>
            </author>
            <date day="4" month="July" year="2026"/>
            <abstract>
              <t>   This specification defines a method for two parties in a
   communication interaction to exchange Evidence and Attestation
   Results using exported authenticators, as defined in [RFC9261].
   Additionally, it introduces the cmw_attestation extension, which
   allows attestation credentials to be included directly in the
   Certificate message sent during the Exported Authenticator-based
   post-handshake authentication.  The approach supports both the
   passport and background check models from the RATS architecture while
   ensuring that attestation remains bound to the underlying
   communication channel.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-fossati-seat-expat-03"/>
        </reference>
        <reference anchor="RFC9220">
          <front>
            <title>Bootstrapping WebSockets with HTTP/3</title>
            <author fullname="R. Hamilton" initials="R." surname="Hamilton"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The mechanism for running the WebSocket Protocol over a single stream of an HTTP/2 connection is equally applicable to HTTP/3, but the HTTP-version-specific details need to be specified. This document describes how the mechanism is adapted for HTTP/3.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9220"/>
          <seriesInfo name="DOI" value="10.17487/RFC9220"/>
        </reference>
        <reference anchor="RFC9147">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC9297">
          <front>
            <title>HTTP Datagrams and the Capsule Protocol</title>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <author fullname="L. Pardue" initials="L." surname="Pardue"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document describes HTTP Datagrams, a convention for conveying multiplexed, potentially unreliable datagrams inside an HTTP connection.</t>
              <t>In HTTP/3, HTTP Datagrams can be sent unreliably using the QUIC DATAGRAM extension. When the QUIC DATAGRAM frame is unavailable or undesirable, HTTP Datagrams can be sent using the Capsule Protocol, which is a more general convention for conveying data in HTTP connections.</t>
              <t>HTTP Datagrams and the Capsule Protocol are intended for use by HTTP extensions, not applications.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9297"/>
          <seriesInfo name="DOI" value="10.17487/RFC9297"/>
        </reference>
        <reference anchor="RFC9110">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
        <reference anchor="RFC9113">
          <front>
            <title>HTTP/2</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="C. Benfield" initials="C." role="editor" surname="Benfield"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced latency by introducing field compression and allowing multiple concurrent exchanges on the same connection.</t>
              <t>This document obsoletes RFCs 7540 and 8740.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9113"/>
          <seriesInfo name="DOI" value="10.17487/RFC9113"/>
        </reference>
        <reference anchor="RFC9114">
          <front>
            <title>HTTP/3</title>
            <author fullname="M. Bishop" initials="M." role="editor" surname="Bishop"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9114"/>
          <seriesInfo name="DOI" value="10.17487/RFC9114"/>
        </reference>
        <reference anchor="RFC9001">
          <front>
            <title>Using TLS to Secure QUIC</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="S. Turner" initials="S." role="editor" surname="Turner"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes how Transport Layer Security (TLS) is used to secure QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9001"/>
          <seriesInfo name="DOI" value="10.17487/RFC9001"/>
        </reference>
        <reference anchor="RFC8615">
          <front>
            <title>Well-Known Uniform Resource Identifiers (URIs)</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <date month="May" year="2019"/>
            <abstract>
              <t>This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes.</t>
              <t>In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8615"/>
          <seriesInfo name="DOI" value="10.17487/RFC8615"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="STET" target="https://github.com/GoogleCloudPlatform/stet">
          <front>
            <title>STET: Split-Trust Encryption Tool</title>
            <author>
              <organization>Google LLC</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="I-D.draft-ietf-httpbis-secondary-server-certs">
          <front>
            <title>Secondary Certificate Authentication of HTTP Servers</title>
            <author fullname="Eric Gorbaty" initials="E." surname="Gorbaty">
              <organization>Apple</organization>
            </author>
            <author fullname="Mike Bishop" initials="M." surname="Bishop">
              <organization>Akamai</organization>
            </author>
            <date day="17" month="June" year="2026"/>
            <abstract>
              <t>   This document defines a way for HTTP/2 and HTTP/3 servers to send
   additional certificate-based credentials after a TLS connection is
   established, based on TLS Exported Authenticators.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-secondary-server-certs-02"/>
        </reference>
      </references>
    </references>
    <?line 842?>

<section anchor="design-rationale">
      <name>Design Rationale</name>
      <t><xref target="I-D.draft-ietf-httpbis-secondary-server-certs"/> defines a mechanism for HTTP/2
and HTTP/3 servers to present additional certificate-based credentials
after TLS connection establishment using TLS Exported Authenticators
<xref target="RFC9261"/>. However, it has several limitations that prevent its use
for mutual post-handshake attestation. The protocol is strictly
unidirectional: the client is explicitly prohibited from sending
certificate frames, and there is no mechanism for the server to
challenge the client to present a certificate. Once a CERTIFICATE frame is
received and validated, it is cached for the lifetime of the connection with
no mechanism to request re-authentication, making re-attestation impossible.</t>
      <t>For these reasons, this document does not use the mechanism
defined in <xref target="I-D.draft-ietf-httpbis-secondary-server-certs"/>.</t>
    </section>
    <section anchor="motivating-example-stet">
      <name>Motivating Example: STET</name>
      <t>The Split-Trust Encryption Tool (STET) <xref target="STET"/> requires attestation as a
precondition for key release from a KMS, and implements this using
a four-message gRPC protocol (BeginSession, Handshake, NegotiateAttestation,
Finalize) with attestation evidence bound to the TLS session via
Exported Keying Material. The result is an application-specific
implementation that does not support re-attestation on an established
TLS connection or server attestation.</t>
    </section>
    <section anchor="document-history">
      <name>Document History</name>
      <section anchor="draft-reddy-seat-expat-transport-00">
        <name>draft-reddy-seat-expat-transport-00</name>
        <t>Initial version.</t>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA81923bbRpboe31FHfphpA5Ji7LsJHKcHlmWJ1rxbWS6c3r1
ytECySKJMQhwAFASx/F8y/mW82VnX+oKFCjK03PRyopJEKjatWvfL4XBYCDq
tM7UqeydrddZOk3qtMgHb5KtKuW4TPJqXZS1nBelvLjDj2omzzb1UuU13luU
lUxyuFTXqqrp2Z5IJpNS3eCIb8YXZz0xK6Z5soIpZmUyrwelms22g0ol9UDd
reH/tZlmkCU4jICB1aIot6eyqmei2kxWaVXB0PV2DaNcXoxfC5Guy1NZl5uq
Pj46+vHoWCSlSk7lRzXdlGm9FbdF+XlRFps1XLs4G4vPaguXZvB4XqsyV/Xg
FUIjBICdz66TrMhh7K2qxDo9FVLWxZS/SlkBaKWaV/b7duW+igSwUZTwyAB+
knK+yTJe7TgtN6skU9VtUsorXDTdUJSLJE//jXB1Kt8Vn9OErk8B6lP5MskX
AEup6FqpFnTXr0mZJ3XyWd9ZbPIasXOZz/TDapWkGWD887D2Zr0mVP9jjnMM
p8Wq1wbylyTPVSXH1XRZzFWeLiIwfsrTG1VWAJ8s5hL2Xr7c5DOYQS1L+XaT
p9MlPWX2He5/eSvfDr1lvVObSTpR5SJY1svkJinTxqL+SZWrJN8Gy1oSlMPa
QvmPi9XdEDaxJ0RewP01QIi7dvX6/IeTk5H++OPxM/p4OXg1nBdVBbd5dGdv
Oj4yH0cn39urP9qPo5G7YfTEfTwxH4+OzIw/PBs9dXA8OwU6zec+gB/HF+NT
WpthO7oiPwLv1YMx0rO8yKfldo24l+OiyHqMXENmUm8QYKooFpmSb96c84BJ
uVD1qVzW9bo6ffx4kdbLzQT3/THfeZ4Vm9kH4DGE6HFVK6D+wWAA+1YBC07h
23iZVhLYdbMC/pYzNU+ROBI5SfOk3PZl4omIjESE5V2xLgvgmSIjWaHuprBn
izRfdIgNuVKwHwsYfaLqW6VyUd8Wcq2AzmRxg7LnzcehvKwlDHuTArER3VXp
Ik8yHLVU/7pJgbyBT2Wap3UKIkOgJILlrjNVK7kuqnoAQMyqZfJZEf707IhY
DSCursahhbc0SUvry1tAYLGp9Vw466qYpXN9V4VTI1AAqWBkpHWlsvlQiN+W
KWzMukxXQN/ZFiCsFXAMQVtt1iRSEycyLTR9AsXiVMJuLFSuynRKUnaa5IAu
ualgpBTGW+OgeQ0TIM6RaTqQbcYf4hYrt8PzTQm3lbJaqyksDLCxLG6l3Um7
RyBbxbTIb9QWhk4qeZ6sqw3IGN4qgOqX8fgDoB64dMoLgpVNsrRaqpnYVIg6
xNTFnUbD+ft37y7OxzABYHjGmLaIwbVMinopcNDHx7Ry+vgECCKXyWyW4hx9
QLclUQQbZzCgC0RVsVYlkIWcAaFMEUuGsIB95Cv8dzR8YndZr0IArc8A4L5k
uBMQ/4NpkmUAdu/jMl3Jt8VM9YbMOqt0NsuUEI9QrZTFbEPLByzD4F368ssX
LZq+fjXUDbOsFG5RWq1w/WI38Rqse1iWZjluE4biIqXdRa6Sq2RLhAzP4KMd
hDIvixUhsqAnQUGqUmgilw6eJdCAYbTZUP5S3Kob5Bh/aWZrihwwTxzW4H+z
Xuaa57SdBTyQF2ZfaVuDx4ReQtWHxQCP5JWCj0jhZUm2SGmEBCxNSxaWKkN5
kYCe8tnc0nlK0gV0OuhdM246AQ5GUiRQkBIATlnc5h57ImU6kWRXBLTx5Utc
5wBeFDFB1UkeICKmSVluhS8gLpBK8qlqGltgVwAjIjpUjqSABOt+FTAWyAtg
A5T4yLq4n7K1n0N5VjEPehvYFx5/kfAFbYxgssUHdFajCNEWgREVfTkBXsIt
bAjVpr5gKWYWi3evhl0KqNpMl8Ai9llSDE5mGf0Ume5hSkk0lZJsKKUIz3n8
JkG2Cp+otOw+lUmGMmaxRBqH604xrAowDBIEZLINds5pBHjEl/ta0ncxcEPS
ayRpgtf4BKtkIF8Sysy+gaFdguzalLiDTmCv4TuMzSBJ0Iv5YoN3w6YTpaCN
A5RCQNE+7lD4lnOF9HkXaYmZF0WqPINx1skkzdDazMELQM2OsDt5US9BZYNA
Lm4rvTdARTOQROUKZQbSnTTKBGne4xaz2jVeLHOm5PMCGGtdb5JMvtW//1YC
KYHkk/Lg/O1vh8Bc0wKVgmRbDumDZMX9FAV2mSEqXp/WlVrLgBqXt0swoONK
l5CahjoXhtRc+uP3IE720MCyrYFhkFAH2/1E0a3HPz76+lVvCqtQInhEmVWe
VlmC8IRdZI4GYK2iZNoAyoUZpwnsOCwXJG2grJElyk3e0NMscsCbU56RKZvq
2kAAcIJtgM/4V8mektMsRWlSkdgl3dcwQ4xeJDyRutusF2UCerkuPoMU6Cm9
uYNAGfWG8j3KZJrDYR6V4wQtWm8L+mTRaHI1PBrbc9+2ovWAxkMJjxtIKwNG
VckKZQ1KSoXqxxB7xZO0zCb8KDTDMBHsFB2StcYKZwUNfwc3km4gkyBQoLAv
cxAuWtbY1VhwSjXwuQ/+07sWik3PTBGBmQLmiKqWXfCiFABBWKcr5UwQ0Zgz
ZXvCiQNgOEucAPijR6BCyZVAjVPJN1rE8ZI+q63EqEEle28/fRz3+vyvfPee
Pl9d/POny6uLV/j54y9nb97YD0Lf8fGX95/evHKf3JPn79++vXj3ih+GqzK4
JHpvz/7aY+nYe/9hfPn+3dmbHgJfBxoSZQRvF7oYJchrEnmVAMqYluBx04Jf
nn/4f/93dAJ8/b+AsY9Hox+JyfHLD6PvT+ALMGXOs5G5xl8B2aRTVVLiKEBB
KJzTOslQboNaBvMMyB3YGRD5p78hZn4/lT9NpuvRyc/6Ai44uGhwFlwknLWv
tB5mJEYuRaax2AyuNzAdwnv21+C7wbt38ac/Z6hjBqMf/vyzgEXLHkjCHks/
0kNGMAZScpMDP1fMQLdpZdUy2s5X+CiaduZxFJSWOdCwY+ovta7sjMIBX24l
kDJs0xaHotmTSit9ogPPuiNXSguuGkxSVOmWL+TBly8VfBmAv6u+fj3s62XC
xhekC1frpEJZjnMMAQvIK6h/ZY+1MHpdoVT0cTTNCquQMJBUZmQ3RIS9J1Wt
eUEMYGQNcrD8YATPe5AAN6m6ZebVYt9EB6pQ57BOLHJlLFg09bTasEgTTYYj
00ljDvFr1HgLYZ7ecWoATdXmDrNsZWVXAvxkRUaDA8DlYGlUMl2BKY8ryjBI
1mHSW/es0t51XljPGQwdb/5K1Zs1Wky1Wg+95QVmCqwPw0oD/b25xJZq9ewL
I83tOmng/RQsrg9oHp/SanFgN3up4HnwWFOVzXARFI4pN4oRyMjU3hnaTMkU
jbwE9TVBksjjuztriBqjssJo0jTbmIBTc1YYyJ8XrY55sFlzcPXQiibJjAY7
eKcRGwFIyrcORO2BbHCJqLi21jA6OgcX//vD2fj67NP4l+vzsw9nLy/fXI4v
Lz4aMJlcw607tEZvMoPh67QyvmzURBZIwZk2jN/+JjHkXjFK9V6XCgwApf3F
KJh6QowY1YnzncHLh9U3LXKcLphNTpcF4MCGIgTj5R8quwAYAvCGXuAcyRoo
fYWmRWtUsBHMoOBPpRQ1iBEtrYB8kADDF1dX768MaoEsxA7UIpEayVc1NhuI
hMzEAEeJ8x5gOeDgggKoMCy/BYnfCNskYHmDSr9kQUb+34ygt8AbHvPBR0V7
AQrYLYCw2bEA35Ya2/gPgXCAy7kiRgHCPxQBAWhYNSDOOPMguXg3vjw/G++L
y6Lcd092kjtg/d/xT3xktrr/75zIAjj8jz1upr8/6Oa/eYrg93tu/unFixd4
+y9GTr+I/v38x8PBkPJv6T2y6Hfv5r1H/m4Afy0mH7T+GOaf9rt58N03LbDJ
GXlxa/X7742b9x/ZwqzZ6CCdvRgdyijMFhuW1ON3P3wHHZ49MI7ufjg6CkcP
8RyAEbn7O80FX07lo3m6GBTaRBqgucI5qBc9q1PNr6ehcWMNw8Pe1/86tvLZ
upuvLDZaXv1BYGMcBjt4fHQk3/8qD5r6/VT+eXT4rTv4n8yD9yj/kDb2uPl/
HA+2lVebt75rY8Pql+bd38iDcTAC3orhOQAjuLuTB9Gk3sGDPgMg4z2y8clX
lJPgLOSXRyvwVuDnM/DPXRgXia0Vww0iuMY71YEACuUOaRQK/Qwm25rDCgul
Myugb3NVY2WFpB+LEgwCULRnTA3G3wcv5EaBDUZhPszDoZO1qanQAuVJ4Lle
adMFbAKVTJc6CJiSQefZJHqK5DZJa07LWdOdpp3QQtcA5QyzHjCGSm/YMAOX
D40rtCqiMzdyXjiPnQ/HFhhxY1iMjULegk1WgamHcWGTD65w3HxKUML0q6Se
LillTdFbzx0PPEvKYoXj0pMIto88rRwEh1FNGpziMYn1btly4vAWrlnTzRgt
YSRGofLNSn6xhQVW5YwO+/aiUy3H3lUe+uCJf8nX9Qcn+peD46dPD8XX5vzP
aX7xlySDCeXTwfHTE5aNeVKht4b+AVq2N0maJSYHN98gTUu+gwJfN2lC5uzl
2bszqicByt+GsY40yRPSkQO9bQP0BDD0gXmaBliSMELBTWUz+y4gMi+TVcTP
FzbM4znKszqrBlNMIc4w/4xMCrc+lxFrtW99JfJ8ZikG7ciL0E6iS91Ntr5D
Kglm9n3THFz3ZCYPKqWEXvZUi3ly32B2Rwrn3l61aGGSTKloKp9dT5dq+tnS
A8Z70Fm0pGB31+k6RFT2XIhinQAxyenq9hqn/2k0HMLNPz/HUiuUTnqu5gbI
VbWgB54HYvnxn6I0JuWfHvMwDQDY96vsrG6Yq7PxR/2rN74exkBrr5sLPNL/
GT0bjGAwGAZdSgrAsG/shvnawq+m9TBEMChVRhk/axoEVNuVNxYu1MthBS9k
QBLQOIRNICyJ3Rc9iBHooR9t0uUAHEnprOmwvmg6VMO+jk8hcOaJ47s7YYT3
YZwrgOVb87ZjXMLGuIKoft9k51Bis0w3PqEfxyCkoS+7FeTJ6vR+J/7MqGYp
7dGFeIn5F+LKyqqlHLZcrdb11ioVkvJaQ1WxLTN56HsDPvEt05EZQbMaiscM
rSFpLThaZHNB/naMXpqxkK5ZSTlcT2FKEeoikCRhlKQdJKG9aYCoQ0io227g
RoAODJdP49eDHzweRKuHorYHargY9kXPy1E9hhG/m06KsnfYl2RgILw36Yzj
5JnKF6AgwHSYp3ecZzXcONlSkMIKBvpfMgHzTMPaSShobhl5rYmNi6dMHQXH
wcQ9cbB5UTaR1KRfwWNhkRIgIFMdoTX7sxv7vuAaRwB1LNTW8LgY3g3rb7Da
kG+6UMHxUQ8P1raxVXD59p7InQfYZOtJPaqM+B9GwuFiGVkcYty1RBYItwlh
Zsd6d0n8/951+4LNhlU7+QMHs4Sg5aBIYMSS1YK2c33znk1wMpgjhi4luDvB
41Q5Wt9N+87HAplyzuCzpYLgIT2nm8GsyopFscHkPjg4abEpiUXtM4KesUk/
Ts+7JGyHYeiopoUvm/iBoYpVCiQEap9LCKyrhZUV/3HjorGFu3STvE83iZ2k
hq4MFjzqpBsHDjK/6MesWngbn9Yd/s2Z4TUNN3lDVcBuMWr7T1C6CQv3eVqC
c2aGsq7lXmzbjnTvxmWDbWWUbXfwxW/g4tnCKeQ58ClNNL8TOyimNBZnwaLN
Kvrgyn3O0ZLyfZWKdkhwfWbGRcvgyxVYMgROTlDSZIl7orgtQM2c/9J039mH
2elZRBwL41U4v9d3BjZpXo+eubv1Xdfp7Lk3gDF0sTKzxmx+aQfQLpD9C9xp
Myk7Fscn6FiI+6JTbtopagcq6VMWBOt9NLGjPRBKKcdgaJtZ5254EyApSsFB
3MhvhiyoQo4pImlkog1diO5iBIbQoRklnq0PRbWAQq1dLtXH2rmMS/48tJjF
XZvaBr08XciU5h24SCux0WrXL2SmevTU+S+uICvAOJEoVxPhYJevWovCjptq
nUxJoFfY8KFrvOQyXSxhDsphJzdFijuSgRlG9QEwhfCqx0ys1RZU4vKmG0AS
MhUVKPBuDcydM3vrqTy6Ozo6GuE8R3ffv379Gu7mSH7H3T/Yu1/z3TTAEUlV
+vWIojcYYyxvdHkqRh7TiHzDNHynZVJ1yDiUUXlhC1mFdHyHpRBs6GMhzZle
NosPhMEDNdGrZKtZ6p8JfG1mV66GGcYCq7Qtnq3Ym23Q38AmsZ1q2wLCw1sc
se1M2ksP2aF3w+l12YIZRniU1YxHGkPKhSQxdQtWfllkYB2yZ67R09RRMKPB
jPmFdeyhHw2Na+R9XDyXxrZyvlSIpUQ2VwQ7bAlbrtnv7mNptFrXTBmlonIh
NI5MVFjLrMAWS0JbTHTZYqwSEexVcpeuNiveKyRNdHNKY42V6Emaug23oNsS
aBn4AQNoRtTgczayyQMgkrQlQN4biq8c5VRk/bSfFgcwHmIKa8UNPsxDUQ3J
JnRbRe6hISMxOD8grDXdDk0p7tWDk6yY+EqQgnSvzyXKXfuI1qgP+4OBwlpR
KaM6kvHjKUlvB2iHOATPdOx7JzFdO4zpWVyjU69GXjjAbMJG0x4qIKFbMbqs
dfYEPWUciAhd5xFOw3XkujJldXsd1pfVKq+MI7dbIrVwF3M5YwUfO0S7p369
RAcFAa3I65B0JkOy9VMkRjD25X4eRMeKw/zV33vxJrhTgU0gmlR3D8gRKQrg
p/NthL6wTNcUmzasLvJ4kwlGYWpH+jKd82imyHuepFnlpAvppFbioOV6RNJI
1ziSmtkUgls1GmpzUOS1TStRNTM43Ho8k1PyyPYa1VU6Vdeb3OaKDp5G7gMJ
ns74owbgWeSudQHzb6/Brc/owsH3kTQWrf0c7Nz7chmBPDW+hkmcdQmtfZwP
GEur7QOjlJ2+PmANfrif0ISh0nnIf5491QIrWD98d37ncx87Wpa2bb8HW37Y
czpJbTo4yU5bhXHkSSN3+qliIXhicoltzxrYxV9O5Q2Z3y96R72v7SDXqTgF
I9L3c1dJxtm3vrP9sPekmJskryIxxVSD3o82T3U7AUc50qrRhnXAYVXUI17c
Y5VWWpxhsUyl6MQDrs7F9F0HKyHQY2vhEdSbnPKmYPqtqSMVLStigoZomKhp
oq1TB3ZYnWnbDsENBzcRRS755BlHgQGsOBMbqCzWQtcuyUDAzaw5wy1t0Sy3
1DF9MLnNitgFtIyK+GeCSCsdmCsRXy0JQtsLE+YAFFqHhCRzF5OzLKZka2k1
sy7VDTWF6DZpIU0tAZWOz4OCctyie6WTwYuPY32nPBhfXOBi/kLCF9kYneCc
TE2CFTVGumISbMwWk3FMznSSQLEAw3SZTiUldY3TaTen2bHGQxjMUwk1pd/T
nMkIAPFbUF+mRHqGfg8bsEUkq0FDSI9o7fvQUoKGZ8SeUpc6gGEqVnZ40oLi
7oEPSVlv/yEM/fHUAM+nNSGaaYt6EXHpnMXbJw63u+JU59u2fiyOM4NoPuxB
FmzQuRqawIMSftm4S4q6uLE3a1rtoyIbfpl4e/ZXwMgKLFRsmc9tVA8eoW2v
uCcD1Q1noNLQ+EAnTCdRE5mr23iZTQy57RrlSGGw6cPHkZ0ciULCTTCY+ryD
HUcQgLWxqKGYz9HUxnNltra5F+HW2QAOuqBYAKs0W+lQj4jw6YPd9m8ipm6T
N3Tu8cyHiNzk5B0/4CIG2pk90BaENRyMY9/htwdU1xEaoZQngy7sdN4aOuZE
bULGro4cCq32BhlIXiOUcS0ccyNLwUJj2YRdl0eMyJc6UvflUdCwQvYr3fBJ
V4WOsSqUjelIR4rLAodlWoDVU239RltWjCuJTEMDUbQAy5NUaaq+lOy1IQFB
xkVMPW7faxYyafAGNCqFTGFB526TLkw7CUK5TwPUZOuVMnSWcQivL9hrC3bd
PPMCG0txlHWlNrNi4PfHcBaZrwi+orF3qtuO4e+FmVOcWuDgYgd+TytQYivF
D9JRN/BYAsBIvvQTmiHpYkOJBbjel6jG5OPhrcqyASUmHpMf/fhnccqH6qD1
BQ/q+Je99rPJvgTVwS5W4Od0DEt6rUUHrqnjMNJnJEyfkUZI91xazOvpWhl0
oqeO/ilD1IKoxmXMG+CeALjAaE+9hqh2qYGrgsSKlqB5itxUoy5sdAsjezrX
tXXd69r40G3MujWm0YxlOqitiaLbpzU43P7CzVKwgulS6DCnUSO2ljZolPek
rWmippLZzYSN+VpgUavuu8ZENt1E4W3rqYQpjI+a954Mj8EcFN5smj01PK+5
ehA8kyTS6R8mRaiY96uVjiRYEwwqJ9wanytDKrxFsYJAk5BijrdFq1TA4sUD
hJMujXrBcGiq1WxminDkSTHDI8GEN8sptQlr5tcmcqlAnCd5rYNdHFc2K8UG
V+0N8TjadeYx+vp0BJKi6wyct2glJJp40aSjRWMs57hj+7hmwJ49BR7KbVLy
4VKgb9hjOzVlqTaABvOd/VXLbjJXQmDa50nRsWpF7h90EVIO7SpQtyn8fgsW
DlHSOBC9NTkIK4w+B09SxskkAVrpMxEhPJBGf4RjvEtWNoL7h2MtA5H+QfwR
afLRf50/wVMyYg2auaJmJM0lY/G2+FNapDSe0paYDOZikyb4azwVlAPop4Lc
j3lKBCjUxVKJLWF2lkBX/XJHIS9Tx0s/LIKHHYozWyHZ3WTaJUPR/Ec5LTw5
zXB7YZU+ysl/oWxFtMrd2XqiNDEdQ1PBCQ80nc1houXRIgCDvL6kBE1VW+PS
i1OGCVXOpkbomRGGeSDvmAdtoFmGMFKCsr9U6+aX/6BqxPBOadi1GgqK1fP5
YuRS4u182EZfegVA+qQ2jjHAsCC6/vnT5TlaeJGo7NERHrtk/Fvb6+4FlIac
0kp1pRiXOepgj1VutoH+eVCM5Np9aYV4ylgd1Lh3dSYwCt+vdZ7MW6x/yIjo
xsmxXt9o9AT1sMGUvXqiUxoicj6cPSRMIzNSQ6APrcFaF89C5QPCkBNuyG+5
zDX9J3TsULMox1bdMVIuxuPLd//08fri3dnLNxfXGp7rD1fvx+/P37/BsBwt
kqiS3aqRKRAmn10bTpq1dp46Yyhb3GfFsUfB2/EBTd5zbeom+tC5JZ1sRNrS
HBykxQybyBEL3eho27jfgM4cNGPcH+PLsAHgbGr56eoSSGw+T+9oHUndo4YE
Y2C4O+nsgC3ObQoqYEMT8O4IdhEx1Mm5+1TpDDgfItvOi2kCJCq5J4FGRRK/
mWKnXd16dGaNXAAN5X7ERHJ1nz5yikwSUzu1M8PGRZ5a2bMVgmeCWjtkxCdr
dZbpybOAaD0LW0RacVxLNS7CP3JCH8EE8r0BWoEhVwegObLq4UcR+DF9GLLV
5R0yHWqaTCWYt8dcW7Olg8+lwWhf2HxhQpTxgm+UNK1f/qUq8t4hrasjWZvm
D+tmR2LYdeyCq61qpFBhG4oqyOMK6Z7aJ2HLdG6C9Bgsdw08A471UrHxoW6q
bx8cKA9MZ4++02LGO23AFM22IrYu7MyB8Rlaw+boFLm75NSorHgUGsB4TXHa
5gFSWZEvBhk9EJ6S07AwmC0EGuEPPCEh3EZb9xh0I1494JCp5wKzaqS+9bmx
zv5vrM8vGGqebvbIKfPzoGxFfnkUK2bR4jA4LcczSZqlzq9cN6g+CBlPgDSL
z4qq0mYe9XzScZfJlvMlpFvpiEaV36RlQQ16FZ7EpWtzOJMFks3mAvHZiete
DN1N62JQ9WoDEySZEdksnQ3oz8ntLN1ZSsaIqbTE1t1TocVjuvoCi8Lr79PH
uzBVtWuIvahOsatUmk7StJFyLlfyzuTDEgAZC1hTMRXQG/iMwllCOjr/Kiyy
bCC7VWdJGzoUlzrjq+FO/Vpe60I0xtIgIIhYXM1FT16y4j9QD7Yfdg/iLh0Y
sNZrO4wlEaP+o6kAzRtsOTAo08vlYBllRuyeee6HTgPY6rOmADPTBSxNO+35
L3QuX7QUlU1KvdVFmS4AgdnO1IOcbXTuvnvdZGVGgNARoynQ3i5w3HYLs90N
UqHYH+GM5G/drJsS0Z3cta7OVYUVOJX1Zx6yPNL3QX+JWgmqb/dXpVuhKHDk
4GnUb9IooJU3xrBqMqSjb9K7QILmgEUxA4s6zcG1DpO1xdqKeL9aKMyBgeCZ
LlN1g35Lqv0aC5Q+G2+KxYr0Cx1Im0SIVWMTkYgMWabFjK35KXdXFCRq8Ezz
otZSqoEkOo3Jo8LmVtsaExfTJfKgQsqOukUNP2kKsMtzMkhfJzXMHikw0doE
bq/AypjP0aiZFqCvSPjMwnRRvN1FzhuDc5lmXaxdrsQZlAJsn4SIQwPKRged
b6euYbOxJCvJVFkP/RqNYm4m8spkIpKGJWg6pxOAwYhM8w0H81wTy1ZgMQOe
T2lrdfn4AiPn+Ueu0NZyngSl3mOqpVVeZXtM8BtnmYDXKwWjEfxBkieER4zY
Wzk/2yn2wZig1D7bNJFzZT9x2tQdOgMWjlPKQjj9jRVL5mR9XFa1pJeI0DLD
s5nNsbOxI5bDPvs9+o7Jv9atx0NxtaeNGrUSyUZZ/Z2sRKFPAhi24ltAXCa8
FR6ym0TOjTdx6rbt1Rkh4jMD9VL6ftYhGmRunH72sFZvpBOvwds/j5b4kYw+
ilpRtiVwOCds8+lsM1tsmJyhA0ZCWe4qKsUqWYA41rmVis/Y5J6Ik9HJ+dOT
kxExXG07oU6kziTN6WB/rhENbO5Z4dWvunEa8nv/YhCTr9AFS7QBeNKfPhNW
k+Y8ckI64Uz70bTZnJitqKMtw1eKSHqNDyNOcMN0RSfG274tPjvGi2Oc9F1+
yOFNtwgheYGWOeEDZnhAyR3YHSfMgL/FGKl84k8rDQ2f/52lKDhtsz76wAm5
0HQGTFJWfm7JSEtu1+Op5hbmYaSpDMsynxzDB6KGsJUMHTIwOutTbyvlAb7+
6Kx32OwJwwm46v3JMbV+fXVkqKsn34GS5QopJj02v7yxU+2Nfzy/vHSHk8MK
eE4yLClQBLxQZMRXpN20v7PYYDIrWWBYon4IoQBiPrj+U/uqlSC75B1XGp6X
4CnO9sHXPgVqA+exPSRiaLJNfvBXhHUZftMgLSdTyY0JBTaFxNDPmLQh9+R7
nxxLlyNmftFHc4e5lvAEZhl904Se/JF9T1XDmedshX1Hgn2blTgzbxDwO9PC
c79ZknNMXkv1fuj/Y2lOXabYk75hr9VrkDGPU2QTlqHbqiiK4KvNh3UWe+eg
ulyEMO+dsUWnXi1qEJB1mmdNbeWFPXrX1N+UPhx6Cg31vfkZoRO8M5uY8RIx
NhFrCnTf6gJHSu5FqnbDml0um3OlTdq05Bp+EtfCimvOTgMt3+Ym0I9VvM4m
xlCH8QZacL0yj4E/3bAh/K5o2bIhfHel1i0jnQ3o1kIayte60sMzRYvSlMaK
b+kZ331I6W2DBEmZ3K35IIpoGVkjCkGFw4RrD8cwYDL9TJ0NnIVthdUwcdFV
OGbKtRggvrdRoyX4cCqdwQPguZ/VZFAa1VMK334WrQ8TzfqwSAXK6Nnwe/tW
DnxhGSU5GhXvVMeBtbcdpVXiFfXI0ZvH8LaOc/eteBL4uinehb/oQgYCtcKH
32HAXtjTzbnk1xPYDq9hkYRGZZj3fjgqU9dWQMgMEvJVL5Zyt8h8OjxxuDTl
PMF+c2ExvrXNr+u/MuFMrKHgopmdtRQWOY0SigeUUmB9wvjlqxEOt6OSIszh
6YeOw4dahRTRh540ZmrWUUQfOmk81CyjaD6EpPEbZgF/tanFGLt5OcWHEUhj
bC10euHlDiJhg/fZ6GmMw3C0j5QE1WyGaclzlqEgXuoSOydK/I1fYhnSzyt7
yHyLV670sR6X5m2CzKGvdbe1LY7oTCG3S1yjpwNaKWNw3D4/rwPVU5K/tkxb
j9JztowpGGIGFHTwv769d5+k8baC3ulpPFx7lUqfpu5FPkHNm18FlZqWS/ZL
U50+8trW4ymCxsF/ZGHvd/DfMHag/t/j4L/nsvvAv4cJLFr+jXciYyDBfKH1
bbIrJrWO7EC6WlzulCIj/UuQzOu+/di7PegCjt/+xB9dBWVgsdtP/NuDtHj0
dj7k8g/5yR1x6UZv15sdP326P2aCtkxqzTMc/DA+5SgkDmB50ws4N3jvG0nr
h8Hox9Fz+aGkV55hRYfAX0c/HjdoTsaprvXXTYY7lehelNmxAxEYuogVf2sY
onuPcGx/i/X97TPCE/tbpEVvLxhO7G9hL93+q3jqVrG7K6lzhGfREVrtbjtg
+D46QrMpbdcqiGzpN4+BD+LkfhjlaE3hVD5raT+ORrlLJnw7TZKY8P0/qqv5
NlHRGgcsJZIY4u8uMZ7so4wiy/8Gy/rb1dUe6Hf6q3nC7r7PG4Vmy3UeOP+T
tg56EAnvUEp7zA8u9tkULXXg1QW/aQ1M53yzmmBX1IvePMkqhUecj8FW/ky2
2mWRb8BoTJdJNlWcZRsvixW49685zOSdj7miEfUreRHDlFrid+NdJVwmrfCl
rH/GMBUXEKaqntMB7JO0GlQKJOMsKfG19HQYEp4mVXkvsW28n1fXtQrvHXv8
YKVjDdy24b1vyRV5DSYJ5mGAuWacSa0EJz3CjJUr3SYccrnIjtcKi+DlXvaN
vGlNubkKvwEcFCT3g0MmLpJyTJAU8mpDNnTzHcSO7Tmd6VcVcVgx24LpELbs
114fGkVtgPVTOs6nLJbpJKWzCjEar8PE/jlenHLQ7z2rKX9HObTGXnilvHUh
4JcM0wLKn9rfFH8v9AscE3l+cTW+fI3+7wXPitFBVxqTz0ytGwYy+SWuOnNt
IMjSucKEqckjNPJpIgC7dqcuYHLPbWSK77VeJZ8jab90BRtCryXWxXG1PlUq
qciFCcPhtt7ARFXt5GFC7qEcQeGyt/zWWn7taYIxx1N6sT2XIO94lT3IHLjt
UP4N//ndRCYb5zVyAI/mT7kqFxaLb2LEPqKk0tmbRP769iOThs2cVowEfo1n
As9tSuO7ysXVh3NHsgcv8V1qHzlg23ev4+nLd6b41VNzffEa62/Sf1OmP9ev
xjRnJFDKyXspvI0H36SJezH7r4oq+99iQwEw/1Cfk8BFIXxWrJd6sceehdnh
Rk+waQWMvm/TawERDRGDKXPd9OgxNwlPQ0e/gNou0EIAA4LJBOTWbOvF+Ae2
32BwdCT0W6oy0ysxFP8fwpdow2OEAAA=

-->

</rfc>
