<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.3.8) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-tiloca-core-group-oscore-kem-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.33.0 -->
  <front>
    <title abbrev="Quantum-Resistant KEMs in Group OSCORE">Using Quantum-Resistant Key Encapsulation Mechanisms (KEMs) in the Pairwise Mode of Group Object Security for Constrained RESTful Environments (Group OSCORE)</title>
    <seriesInfo name="Internet-Draft" value="draft-tiloca-core-group-oscore-kem-00"/>
    <author initials="M." surname="Tiloca" fullname="Marco Tiloca">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>164 40</code>
          <country>Sweden</country>
        </postal>
        <email>marco.tiloca@ri.se</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>WIT</area>
    <workgroup>CoRE Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 92?>

<t>Group communication for the Constrained Application Protocol (CoAP) can be protected end-to-end by using the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE). The pairwise mode of Group OSCORE provides authenticated encryption of CoAP messages, by means of symmetric keys that two group members establish only among themselves to achieve pairwise secure communication. This document defines the use of quantum-resistant Key Encapsulation Mechanisms (KEMs) as Pairwise Key Agreement Algorithm of Group OSCORE, enabling post-quantum secure derivation of the symmetric keys used in the pairwise mode. The Group Manager facilitates the exchange of KEM public keys and KEM ciphertexts among group members.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Constrained RESTful Environments Working Group mailing list (core@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/core/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://gitlab.com/crimson84/draft-tiloca-core-group-oscore-kem"/>.</t>
    </note>
  </front>
  <middle>
    <?line 96?>

<section anchor="intro">
      <name>Introduction</name>
      <t>The Constrained Application Protocol (CoAP) <xref target="RFC7252"/> also supports group communication <xref target="I-D.ietf-core-groupcomm-bis"/>, e.g., over IP multicast. Building on Object Security for Constrained RESTful Environments (OSCORE) <xref target="RFC8613"/>, the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE) <xref target="I-D.ietf-core-oscore-groupcomm"/> provides end-to-end security of CoAP messages when using group communication for CoAP. An OSCORE group is associated with a Group Manager, i.e., an entity responsible for managing identifiers and keying material in the group and for handling the join process to add group members, among other tasks.</t>
      <t>Group OSCORE provides two ways to protect a CoAP message:</t>
      <ul spacing="normal">
        <li>
          <t>The group mode, which achieves group-level data confidentiality and provides source authentication by means of a digital signature. The message sender computes the signature with its own private key and embeds it in the protected CoAP message.</t>
        </li>
        <li>
          <t>The pairwise mode, which achieves pairwise data confidentiality and provides source authentication by means of integrity tags. The message sender performs authenticated encryption of the CoAP message by using a symmetric pairwise key that is exclusively shared with another group member as the intended message recipient.  </t>
          <t>
Symmetric pairwise keys are derived from a pairwise shared secret, which in turn is computed from the asymmetric keys of the message sender and recipient, ensuring authenticated key agreement.</t>
        </li>
      </ul>
      <t>In the event that a Cryptographically Relevant Quantum Computer (CRQC) is constructed, it is relatively simple to adapt the group mode of Group OSCORE to be quantum-resistant. That is, it is sufficient to rely on a quantum-resistant signature algorithm (e.g., ML-DSA <xref target="FIPS204"/><xref target="RFC9964"/>) as the Signature Algorithm used in the group (see <xref section="2.1.8" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
      <t>However, equivalent drop-in replacements are not available for the Pairwise Key Agreement Algorithm (see <xref section="2.1.10" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>), which is used to compute the shared secret from which pairwise keys are derived (see <xref section="2.5.1" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>). In particular, the available Pairwise Key Agreement Algorithms are based on a direct Elliptic Curve Diffie-Hellman Static-Static key agreement <xref target="NIST-800-56A"/>.</t>
      <t>At the time of writing, there is no standardized Diffie-Hellman/Non-Interactive Key Exchange (DH/NIKE) that can be used for post-quantum secure establishment of the shared secret, which makes the pairwise mode of Group OSCORE vulnerable to quantum attacks.</t>
      <t>This document defines the use of quantum-resistant Key Encapsulation Mechanisms (KEMs), such as ML-KEM <xref target="FIPS203"/>, as Pairwise Key Agreement Algorithm of Group OSCORE. Consequently, it enables the post-quantum secure establishment of the shared secret and thus the post-quantum secure derivation of the symmetric keys used in the pairwise mode of Group OSCORE.</t>
      <t>The Group Manager facilitates the exchange of KEM public keys and KEM ciphertexts among group members that perform the KEM-based Pairwise Key Agreement Algorithm.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

<t>Readers are expected to be familiar with the terms and concepts related to CoAP <xref target="RFC7252"/>, OSCORE <xref target="RFC8613"/>, Group OSCORE <xref target="I-D.ietf-core-oscore-groupcomm"/>, and CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/>.</t>
      </section>
    </section>
    <section anchor="sec-agreement-alg">
      <name>Pairwise Key Agreement Algorithm</name>
      <t>In an OSCORE group that uses the pairwise mode and a quantum-resistant KEM as the Pairwise Key Agreement Algorithm, the KEM is identified by the Pairwise Key Agreement Algorithm parameter, within the Common Context of the Group OSCORE Security Context (see <xref section="2.1.10" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
      <t>Like for other algorithms used in Group OSCORE, the KEM used as Pairwise Key Agreement Algorithm <bcp14>MUST</bcp14> be one of those defined for COSE and registered at <xref target="COSE.Algorithms"/>. For example, the COSE algorithms ML-KEM-512, ML-KEM-768, and ML-KEM-1024 are being registered by <xref target="I-D.ietf-jose-pqc-kem"/>, consistent with the three corresponding parameter sets of the standard ML-KEM <xref target="FIPS203"/>.</t>
      <t>For endpoints that support the pairwise mode and use a quantum-resistant KEM as Pairwise Key Agreement Algorithm, the algorithm ML-KEM-512 defined in <xref target="I-D.ietf-jose-pqc-kem"/> is mandatory to implement.</t>
    </section>
    <section anchor="sec-pairwise-keys">
      <name>Derivation of Pairwise Keys</name>
      <t>This section defines how pairwise keys are derived when the Pairwise Key Agreement Algorithm used is a quantum-resistant KEM.</t>
      <t>Analogous to the construction used by OSCORE in <xref section="3.2.1" sectionFormat="of" target="RFC8613"/>, the derivation of pairwise keys is aligned with the one defined in <xref section="2.5.1" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>, with the difference that two shared secrets are established through the Pairwise Key Agreement Algorithm, and they are separately used to derive a Pairwise Sender Key and the corresponding Pairwise Recipient Key.</t>
      <t>For a given endpoint, the derivation of the pairwise keys to use between itself and each other endpoint X in the group is as below:</t>
      <artwork><![CDATA[
Pairwise Sender Key    = HKDF(Sender Key, IKM-Sender, info, L)
Pairwise Recipient Key = HKDF(Recipient Key, IKM-Recipient, info, L)

with

IKM-Sender    = Sender Auth Cred | Recipient Auth Cred |
                Sender Shared Secret
IKM-Recipient = Recipient Auth Cred | Sender Auth Cred |
                Recipient Shared Secret
]]></artwork>
      <t>where:</t>
      <ul spacing="normal">
        <li>
          <t>The same as defined in <xref section="2.5.1" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/> applies for:  </t>
          <ul spacing="normal">
            <li>
              <t>HKDF <xref target="RFC5869"/>, info, and L.</t>
            </li>
            <li>
              <t>The Sender Key and the Recipient Key.</t>
            </li>
            <li>
              <t>Sender Auth Cred and Recipient Auth Cred.</t>
            </li>
            <li>
              <t>The Pairwise Sender Key, as the AEAD key for processing outgoing messages addressed to endpoint X.</t>
            </li>
            <li>
              <t>The Pairwise Recipient Key, as the AEAD key for processing incoming messages from endpoint X.</t>
            </li>
          </ul>
        </li>
        <li>
          <t>IKM-Sender is the Input Keying Material (IKM) used in the HKDF for the derivation of the Pairwise Sender Key. IKM-Sender is the byte string concatenation of Sender Auth Cred, Recipient Auth Cred, and the Sender Shared Secret. The authentication credentials Sender Auth Cred and Recipient Auth Cred are binary encoded as defined in <xref section="2.4" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>.</t>
        </li>
        <li>
          <t>IKM-Recipient is the Input Keying Material (IKM) used in the HKDF for the derivation of the Pairwise Recipient Key. IKM-Recipient is the byte string concatenation of Recipient Auth Cred, Sender Auth Cred, and the Recipient Shared Secret. The authentication credentials Recipient Auth Cred and Sender Auth Cred are binary encoded as defined in <xref section="2.4" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>.</t>
        </li>
        <li>
          <t>The Sender Shared Secret is computed by the endpoint using the endpoint X's KEM public key, and it is encapsulated in the KEM ciphertext computed by the endpoint and intended to endpoint X.</t>
        </li>
        <li>
          <t>The Recipient Shared Secret is computed by the endpoint using the endpoint's own KEM private key to decrypt the KEM ciphertext that endpoint X computed using the endpoint's KEM public key.</t>
        </li>
      </ul>
      <t>A KEM public key associated with the endpoint is used by only one other endpoint X in the group, for computing only one shared secret encapsulated in a KEM ciphertext intended to the endpoint.</t>
      <t>In order to derive its Pairwise Sender Key, the endpoint has to obtain the endpoint X's KEM public key. Conversely, in order to derive its Pairwise Recipient Key, the endpoint has to obtain the KEM ciphertext that endpoint X computed using the endpoint's KEM public key.</t>
      <t>However, KEM public keys and KEM ciphertexts are not provided within messages that group members directly send to each other. Instead, group members exchange KEM public keys and KEM ciphertexts via the Group Manager responsible for the group, as defined in <xref target="sec-group-manager"/>.</t>
      <section anchor="sec-ml-kem">
        <name>Use of ML-KEM (FIPS 203)</name>
        <t>When using ML-KEM <xref target="FIPS203"/> as Pairwise Key Agreement Algorithm, the following applies.</t>
        <t>Editor's note: it should be sufficient to:</t>
        <ul spacing="normal">
          <li>
            <t>Point to the guidelines/conventions provided in <xref target="I-D.ietf-jose-pqc-kem"/>.</t>
          </li>
          <li>
            <t>Point to the COSE algorithms ML-KEM-* registered in <xref target="I-D.ietf-jose-pqc-kem"/>.</t>
          </li>
          <li>
            <t>State that the initial shared secret SS' in <xref target="I-D.ietf-jose-pqc-kem"/> is used here:  </t>
            <ul spacing="normal">
              <li>
                <t>As the Sender Shared Secret, by the endpoint that computes the KEM ciphertext and encapsulates SS' therein.</t>
              </li>
              <li>
                <t>As the Recipient Shared Secret, by the endpoint that decrypts the KEM ciphertext to compute SS'.</t>
              </li>
            </ul>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-group-manager">
      <name>Assistance from the Group Manager</name>
      <t>This section defines the operations that the Group Manager performs to facilitate the exchange of KEM public keys and KEM ciphertexts among group members, when the Pairwise Key Agreement Algorithm used in the group is a quantum-resistant KEM.</t>
      <t>The following is not relevant for a node that joins the group exclusively as a silent server (see <xref section="1.1" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>), or that does not support or does not intend to use the pairwise mode in the group.</t>
      <t>There are different ways to perform such supportive operations, depending on the specific realization of Group Manager. For example, it is possible to accordingly extend the interface provided by the realization of Group Manager specified in <xref target="I-D.ietf-ace-key-groupcomm-oscore"/>, based on the ACE framework for authentication and authorization in constrained environments <xref target="RFC9200"/>.</t>
      <t>Given an OSCORE group, the following applies.</t>
      <section anchor="uploading-a-kem-public-key">
        <name>Uploading a KEM Public Key</name>
        <t>A group member P has to be able to upload its own KEM public keys at the Group Manager.</t>
        <t>P generates and uploads at the Group Manager a KEM public key to be retrieved and used by any and exactly one other group member. P can upload a KEM public key at the Group Manager already when joining the group, and then upload other KEM public keys later on as a group member.</t>
        <t>P stores its KEM public key, the corresponding KEM private key, and a SHA-256 hash <xref target="SHA-256"/> of the KEM public key as corresponding identifier.</t>
        <t>When the Group Manager receives a KEM public key from P, the Group Manager stores the KEM public key as associated with the Sender ID of P in the group. The Group Manager is able to identify P and thereby determine its Sender ID in the group, e.g., by means of the secure communication association shared with P.</t>
        <t>The Group Manager <bcp14>MUST</bcp14> keep the association between the KEM Public Key and Sender ID of P up-to-date over time, in the event that P changes its Sender ID in the group.</t>
        <t>The Group Manager is expected to be able to store multiple KEM public keys from the same group member P at any given time.</t>
      </section>
      <section anchor="retrieving-a-kem-public-key">
        <name>Retrieving a KEM Public Key</name>
        <t>Another group member Q has to be able to retrieve from the Group Manager a KEM public key uploaded by P.</t>
        <t>When Q retrieves a KEM public key of P from the Group Manager (see below), the Group Manager deletes that KEM public key of P from its local storage.</t>
        <t>P has to be able to gain knowledge about the number of own KEM public keys that are currently stored at the Group Manager. For example, this can rely on P accessing a dedicated resource hosted by the Group Manager. If such resource is observable <xref target="RFC7641"/>, P can use CoAP Observe to subscribe for updates about the resource representation, thereby receiving notifications from the Group Manager.</t>
        <t>Q retrieves a KEM public key of P from the Group Manager, by specifying to the Group Manager the Sender ID of P in the group.</t>
        <t>Q is expected to retrieve a KEM public key of P when it wants to send to P a message protected with the pairwise mode and it does not have the Pairwise Sender Key required to process the message.</t>
        <t>After the Group Manager provides Q with the KEM public key of P, the Group Manager deletes the KEM public key of P from its local storage.</t>
      </section>
      <section anchor="uploading-a-kem-ciphertext">
        <name>Uploading a KEM Ciphertext</name>
        <t>After Q retrieves a KEM public key of P from the Group Manager (see above), Q uses the KEM public key of P to compute a shared secret and encapsulate it in a KEM ciphertext intended to P.</t>
        <t>Q uses the shared secret as the Sender Shared Secret for deriving its own Pairwise Sender Key to use with P (see <xref target="sec-pairwise-keys"/>).</t>
        <t>Q has to be able to upload at the Group Manager the following information:</t>
        <ul spacing="normal">
          <li>
            <t>The KEM ciphertext.</t>
          </li>
          <li>
            <t>The Sender ID of P, identifying the intended consumer of the KEM ciphertext.</t>
          </li>
          <li>
            <t>The SHA-256 hash of the KEM public key of P that was used to compute the KEM ciphertext.</t>
          </li>
        </ul>
        <t>When the Group Manager receives from Q a KEM ciphertext intended to P, the Group Manager stores the KEM ciphertext as associated with the following information:</t>
        <ul spacing="normal">
          <li>
            <t>The Sender ID of Q, identifying the producer of the KEM ciphertext. The Group Manager is able to identify Q and thereby determine its Sender ID in the group, e.g., by means of the secure communication association shared with Q.</t>
          </li>
          <li>
            <t>The Sender ID of P received from Q, identifying the intended consumer of the KEM ciphertext.</t>
          </li>
          <li>
            <t>The SHA-256 hash received from Q, as the identifier of the KEM public key of P that was used to compute the KEM ciphertext.</t>
          </li>
        </ul>
        <t>When doing so, the Group Manager overwrites any already stored KEM ciphertext and SHA-256 hash identifier that are associated with the same consumer Sender ID and producer Sender ID.</t>
        <t>The Group Manager <bcp14>MUST</bcp14> keep up-to-date the association between the KEM ciphertext and the three pieces of information above, in the event that P or Q change their Sender IDs in the group.</t>
      </section>
      <section anchor="retrieving-a-kem-ciphertext">
        <name>Retrieving a KEM Ciphertext</name>
        <t>P has to be able to retrieve from the Group Manager the following information:</t>
        <ul spacing="normal">
          <li>
            <t>The KEM ciphertext computed for P by Q.</t>
          </li>
          <li>
            <t>The SHA-256 hash identifier of its own KEM public key that Q used to compute the KEM ciphertext.</t>
          </li>
        </ul>
        <t>In order to retrieve that information, P specifies the Sender ID of Q to the Group Manager. Then, the Group Manager provides the requested information, if it stores a KEM ciphertext associated with both:</t>
        <ul spacing="normal">
          <li>
            <t>The specified Sender ID of Q, identifying the producer of the KEM ciphertext; and</t>
          </li>
          <li>
            <t>The Sender ID of P, identifying the intended consumer of the KEM ciphertext. The Group Manager is able to identify P and thereby determine its Sender ID in the group, e.g., by means of the secure communication association shared with P.</t>
          </li>
        </ul>
        <t>After providing P with the requested KEM ciphertext and SHA-256 hash identifier, the Group Manager deletes those two pieces of information from its local storage, freeing up their association with the consumer Sender ID and producer Sender ID.</t>
        <t>P is expected to retrieve the KEM ciphertext computed by Q when it receives from Q a message protected with the pairwise mode and it does not have the Pairwise Recipient Key required to process the message.</t>
        <t>P uses the SHA-256 hash identifier to retrieve its own corresponding KEM public key and KEM private key from its local storage.</t>
        <t>Then, P computes the shared secret by decrypting the KEM ciphertext using its retrieved KEM private key. After that, P deletes from its local storage the KEM private key just used, as well as the corresponding KEM public key and the corresponding SHA-256 hash identifier.</t>
        <t>P uses the shared secret as the Recipient Shared Secret for deriving its own Pairwise Recipient Key to use with Q (see <xref target="sec-pairwise-keys"/>).</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The security considerations from <xref target="I-D.ietf-core-oscore-groupcomm"/> hold for this document too. The security considerations for the specific KEM used as Pairwise Key Agreement Algorithm also apply.</t>
      <t>Editor's note: add further security considerations.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no actions for IANA.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC5869">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5869"/>
          <seriesInfo name="DOI" value="10.17487/RFC5869"/>
        </reference>
        <reference anchor="RFC7252">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="RFC7641">
          <front>
            <title>Observing Resources in the Constrained Application Protocol (CoAP)</title>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <date month="September" year="2015"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a RESTful application protocol for constrained nodes and networks. The state of a resource on a CoAP server can change over time. This document specifies a simple protocol extension for CoAP that enables CoAP clients to "observe" resources, i.e., to retrieve a representation of a resource and keep this representation updated by the server over a period of time. The protocol follows a best-effort approach for sending new representations to clients and provides eventual consistency between the state observed by each client and the actual resource state at the server.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7641"/>
          <seriesInfo name="DOI" value="10.17487/RFC7641"/>
        </reference>
        <reference anchor="RFC8613">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
        <reference anchor="RFC9052">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="I-D.ietf-core-groupcomm-bis">
          <front>
            <title>Group Communication for the Constrained Application Protocol (CoAP)</title>
            <author fullname="Esko Dijk" initials="E." surname="Dijk">
              <organization>IoTconsultancy.nl</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <date day="10" month="February" year="2026"/>
            <abstract>
              <t>   The Constrained Application Protocol (CoAP) is a web transfer
   protocol for constrained devices and constrained networks.  In a
   number of use cases, constrained devices often naturally operate in
   groups (e.g., in a building automation scenario, all lights in a
   given room may need to be switched on/off as a group).  This document
   specifies the use of CoAP for group communication, including the use
   of UDP/IP multicast as the default underlying data transport.  Both
   unsecured and secured CoAP group communication are specified.
   Security is achieved by use of the Group Object Security for
   Constrained RESTful Environments (Group OSCORE) protocol.  The target
   application area of this specification is any group communication use
   cases that involve resource-constrained devices or networks that
   support CoAP.  This document replaces and obsoletes RFC 7390, while
   it updates RFC 7252 and RFC 7641.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-groupcomm-bis-18"/>
        </reference>
        <reference anchor="I-D.ietf-core-oscore-groupcomm">
          <front>
            <title>Group Object Security for Constrained RESTful Environments (Group OSCORE)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <date day="23" month="December" year="2025"/>
            <abstract>
              <t>   This document defines the security protocol Group Object Security for
   Constrained RESTful Environments (Group OSCORE), providing end-to-end
   security of messages exchanged with the Constrained Application
   Protocol (CoAP) between members of a group, e.g., sent over IP
   multicast.  In particular, the described protocol defines how OSCORE
   is used in a group communication setting to provide source
   authentication for CoAP group requests, sent by a client to multiple
   servers, and for protection of the corresponding CoAP responses.
   Group OSCORE also defines a pairwise mode where each member of the
   group can efficiently derive a symmetric pairwise key with each other
   member of the group for pairwise OSCORE communication.  Group OSCORE
   can be used between endpoints communicating with CoAP or CoAP-
   mappable HTTP.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-groupcomm-28"/>
        </reference>
        <reference anchor="I-D.ietf-jose-pqc-kem">
          <front>
            <title>Post-Quantum Key Encapsulation Mechanisms (PQ KEMs) for COSE</title>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Aritra Banerjee" initials="A." surname="Banerjee">
              <organization>Nokia</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of the Bundeswehr Munich</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   This document describes conventions for using Post-Quantum Key
   Encapsulation Mechanisms (PQ-KEMs) with CBOR Object Signing and
   Encryption (COSE).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-jose-pqc-kem-06"/>
        </reference>
        <reference anchor="FIPS203" target="https://doi.org/10.6028/NIST.FIPS.203">
          <front>
            <title>Module-Lattice-Based Key-Encapsulation Mechanism Standard</title>
            <author>
              <organization/>
            </author>
            <date year="2024" month="August"/>
          </front>
          <seriesInfo name="NIST" value="FIPS 203"/>
        </reference>
        <reference anchor="SHA-256" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">
          <front>
            <title>Secure Hash Standard</title>
            <author>
              <organization>NIST</organization>
            </author>
            <date year="2015" month="August"/>
          </front>
          <seriesInfo name="NIST FIPS PUB 180-4, DOI 10.6028/NIST.FIPS.180-4" value=""/>
        </reference>
        <reference anchor="COSE.Algorithms" target="https://www.iana.org/assignments/cose/cose.xhtml#algorithms">
          <front>
            <title>COSE Algorithms</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9200">
          <front>
            <title>Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth)</title>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This specification defines a framework for authentication and authorization in Internet of Things (IoT) environments called ACE-OAuth. The framework is based on a set of building blocks including OAuth 2.0 and the Constrained Application Protocol (CoAP), thus transforming a well-known and widely used authorization solution into a form suitable for IoT devices. Existing specifications are used where possible, but extensions are added and profiles are defined to better serve the IoT use cases.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9200"/>
          <seriesInfo name="DOI" value="10.17487/RFC9200"/>
        </reference>
        <reference anchor="RFC9964">
          <front>
            <title>ML-DSA for JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE)</title>
            <author fullname="M. Prorock" initials="M." surname="Prorock"/>
            <author fullname="O. Steele" initials="O." surname="Steele"/>
            <date month="May" year="2026"/>
            <abstract>
              <t>This document specifies JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) serializations for the Module-Lattice-Based Digital Signature Standard (ML-DSA), a Post-Quantum Cryptography (PQC) digital signature scheme defined in US NIST FIPS 204.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9964"/>
          <seriesInfo name="DOI" value="10.17487/RFC9964"/>
        </reference>
        <reference anchor="I-D.ietf-ace-key-groupcomm-oscore">
          <front>
            <title>Key Management for Group Object Security for Constrained RESTful Environments (Group OSCORE) Using Authentication and Authorization for Constrained Environments (ACE)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <date day="14" month="March" year="2026"/>
            <abstract>
              <t>   This document defines an application profile of the Authentication
   and Authorization for Constrained Environments (ACE) framework, to
   request and provision keying material in group communication
   scenarios that are based on the Constrained Application Protocol
   (CoAP) and are secured with Group Object Security for Constrained
   RESTful Environments (Group OSCORE).  This application profile
   delegates the authentication and authorization of Clients, which join
   an OSCORE group through a Resource Server acting as Group Manager for
   that group.  This application profile leverages protocol-specific
   transport profiles of ACE to achieve communication security, server
   authentication, and proof of possession of a key owned by the Client
   and bound to an OAuth 2.0 access token.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ace-key-groupcomm-oscore-21"/>
        </reference>
        <reference anchor="FIPS204" target="https://doi.org/10.6028/NIST.FIPS.204">
          <front>
            <title>Module-Lattice-Based Digital Signature Standard</title>
            <author>
              <organization/>
            </author>
            <date year="2024" month="August"/>
          </front>
          <seriesInfo name="NIST" value="FIPS 204"/>
        </reference>
        <reference anchor="NIST-800-56A" target="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf">
          <front>
            <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography - NIST Special Publication 800-56A, Revision 3</title>
            <author initials="E." surname="Barker" fullname="Elaine Barker">
              <organization/>
            </author>
            <author initials="L." surname="Chen" fullname="Lily Chen">
              <organization/>
            </author>
            <author initials="A." surname="Roginsky" fullname="Allen Roginsky">
              <organization/>
            </author>
            <author initials="A." surname="Vassilev" fullname="Apostol Vassilev">
              <organization/>
            </author>
            <author initials="R." surname="Davis" fullname="Richard Davis">
              <organization/>
            </author>
            <date year="2018" month="April"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 314?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The work on this document has been partly supported by the Sweden's Innovation Agency VINNOVA and the Celtic-Next project CYPRESS.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA81c2XLbSJZ9x1fkSA9lVxC0JMsumdPL0BLdZliyKFKu6oqO
fkgSSRIWCMBYRLM9mm+Zb5kvm7tkJhYmtVS5YsYPNgnmcvd77s2Efd/3bnvi
pecVYRGpnviUh/FCXJUyLsqVP1Z5mBfwWXxQGzGIZzLNy0gWYRKLCzVbyjjM
V7l49mFwkT8XYSyKpRIjGWbrMFfiIgmUSObib1lSpuJy+lnNCjFRszILi42Y
J5k4TeK8yGQYq0CMB5PreRnBLrdhlsQrFRewsp47Ob0cD557cjrNFNDroA8o
QALq470gmcVyBVwFmZwXfhFGyUz6syRT/gLH+UlOX27UygeuVF54XphmPVFk
ZV4cHRy8OTjyZKZkT/wyvPbWix5QPB6IX5LsBsVEm3k3654YxoXKYlX4Z7iT
N5NFT+RF4OXldBXmOcir2KRAyHBw/c7zZkkA03uiLOb+iefJslgmWc8T9MfX
/wpgJ++Ji664JrrtY2bpQmazpP1TksGq4+FkIPpv7UOQsFJAzzCX889JFuQL
CSITR0d2xAz00RMfUJTVM1BeT0wG/uHrY3F8UHtexkUGwydrFajYPlcrGUY9
sUKyuizp/8jCbq48L06yFdjMrUIWx+9OX528ftMTy5tgzt9/Onp11IOFZaq/
vz4+7IlkmqvsVvGjk9eHL+ERqYufvDngSTl+H/pn3VCBNCvdzpLVyp+GIEFW
tV6+OVLr304wg+1Gdvhn2MhPv8zQVnqi/g1GvRuOJkcHL1mD2pHA+MtI+eey
KMKZ8t/KHGwcvMjf4UViAkoJZBbQIgFYY08cHRwd+wcn9ASEEYK1x/PEGMre
x+Hkeq8n9nB7GPtyj/eX2QLVvSyKNO+9eBEkYRfs4sXhQff1wdHJC5zVxSld
mAIzJu/7/tGr17xq0xTJnHB8nTFyYCXey3zZpLlGIU0isYjRp7fi8OTAP+6I
s8uh2KaCfqwx3S8X4HzAz+ErJz/xbZSW07wLQiu6i+T2BX7AJy9wufbC3ZSs
7PRyMuj2o0UCoWe5yncyO+x/7NdomcuI7Msyj+uIah0ngev1uhvKWJLUJTj/
goPZCzRW+qv7dVmson1ZreOh2Jpe8gbiT0/ImbH3N6+Pwb0iP8gxhDXNHkaB
KW5qls8WTPOtlVemevywqZ6Fi7CQkZgA+bJAje9S9g5zPN7bEvK2VT/FWNFI
8Lt/cnDgv3rddymxFTwHXfFWZjcqawXPQYQ5p/lba+p5V5wua/GNJ56H0ab+
vDWp3xXjZAEfbzatif0oUnH7x+3ZP6O9ROq2PTtN8iKJ2j+35o+74kzehnlr
8jiEEJMFtd+03scKTUWBUikUYULG3O3/gsmbQhUkhGkU5ku0XzGZLdVK5Roi
nIX5LFOFEufJQpIVi9NskxbJIpPpciN8jgGTVM1CMKNRCQvNeCOtvw4QABTh
k5cN8zg88Q+On+j7ep/aNjkbz2TU1ftlLykYeMAL5jsMfYPzd2Cw/wD38v8O
f/6553m+7ws5RVQyAzTAcALFVMaGfJQT4pw6eOmnqWVvlCVFMgNtPTtN+qPn
YgbJdqpECo8BAMFgkLhfJD78I6YbUZI4ccHcQKPUrPDdkBOACNggNchs1URm
NAZ3vQ0DUDC6FAoJ+CFqZ6hX5AxmIEsCrCCXC5V3kP6VknGOP+UbMKYiC2cC
QlEOHMlCFOuEUyoMW01VlgtlbEokMfiSXCXM/SpX0S1sXiQQs5ahuq2Rm3PK
aagBOQpzARCvJOsM1ByEkZMgy5y4+6JRYvYkFCvzCsHi+P4C4BNtYeN+W3Qd
EBIyBZygo/p6Y0N3ALHyVhoJkqaboiox4Gr03NARq423uoCUslAZ5KRZGEFo
LjSz6itysCCOgQORkgvwwhCw6dksTJcqK9RXMAyWeEMpXTb7VRgEEeC1fYSz
GSSFGdG8L77th/jgzvOun2D3374R6Lq7E5BFE5GXaZpkQMDC4VMwtoJpd3cg
0O6i2xHJLTA8BIMrIzRHcHrxtgwjRM9gPr/RMbRL4J6cGXG/P9j/KgbNlpW7
1cKBpaDtaWINHqlDhUt+TFJ/1BX92PgzjwMfgaSRQHBEZ16D+QrZtKiOCLsK
hA1hikOjAIdJgb9wGilaeYUDcWugF0bMQ3RktC0wMnwMuAVMHKK8tmHeGQfg
bLDOIDIx7nMCY4D1GTBGvh4ETVvsaANNYDTEWZnfoHm6AxVGl7Xc0EI6vAJz
dcH1PO9H8iG9B/hUB2QJGdFEGW2PPmRVFWEKkiDaeM6cygjFgYzYPfOkzGaq
HiNR/vU4KEWgsVNusBP7saYJtBxDSEANpqXxYjuUVRSCBSVrlBRGDoWCJjJQ
RgEUuoUNFzar1NnuGrYb0WSLc/vr92AbQoRakPEWcpE7OU5Vhij3/gzDqbXi
pcqRshY3LekoGUo1YOgQCiMYCorciBwwjzX4mK2pbmgY53ErJBuIC+x2GQCJ
NATqQIgAEZw7AgcmrsPMeZasgLgqXfHW4MwAkIzQUV9lFiOZWvF6IhIhWwlB
i6ElPlSIpQ5zTg7BAuXSkCaZislZwMOQDQUUDimMJCXrSA1mRSCusQIHwBSp
WyugAiIyg2g+vjp9znRjzCvR2jpkgjmQE1HNggIPVynEC/JpmRa1QOBEGzAO
QNFWika7IWWaHfJyPg9nIRGf4H4bjPzSkdwrF7KFlXjGeeTi3D+b9CEI6/Ln
7g7ica2Wurt7buyhqneqdF/Pz8zSs1wpWA5SApntUfewe4IstoL8c5D/+2QN
socoq76U4MwRgZUsSX1YMFNpBBUaZww0KTBUIW9lGEkTexsdtV14xEHO4YGL
HmuNGnSASLU1chSqWy6bJ4/fbfxbW7/qHjolAaAClsnATAF7ZZxxK1YfYpE3
nVJpSvoPwgzD/SCKQggdM3FaZgAZz0KwFuW/V1EESQtLVvjN53+angE014vJ
uztQVZ+ttghXZK9r2Bn8i0iFzUFmMcAYXQWH/6Iiub7di49J7FMnEGoHEA7D
TQPPnp29h4rkA2ABckJdFZAWUM8u4Kga9ZfBjq7ospI3OpHcj/FvyygG8qbs
qGY7KPzljPLsH4OpO+DFmHdydETEo8YRXyL0+g2Au0v4CxwKRkUbChWEwI0M
fpMsKb4Wy3L3Gr8dyG8xwFD6D0f2bGs679KiMMlnN3pI6EDj/r64VtkqjJMo
WWzEPpYCRfVAFwToV2tsLIu9i0+T670O/ys+XtLn8eDq03A8OMPPk/f983P7
wdMjJu8vP52fVZ+qmaeXFxeDj2c8GZ6KxiNv76L/616HhLF3OboeXn7sn++x
Aup2jKGD8w1m+yzFvkUAducBspll4ZSV9vZ09D//fXgMxvlv43enR4eHbwCl
85eTw58gZxAI592oduWvINSNJ9NUyQxXgWwKvp0i/svJtvMlAjmMIIjK/oGS
+WdP/Gk6Sw+P/6IfIMONh0ZmjYcks+0nW5NZiI5Hjm2sNBvPW5Ju0tv/tfHd
yL328E9/jbC95h+e/PUvnueNlQyoYkA3/JoyXGV9zOUKTB4kRziNgq8igAgy
BrgxU2mhQQZPIWBoC8uOCWuNUq4R8LbqLtbf6dvLsa3rIOMTjILngwqKPsNe
r65iESGgOzwcqL7tQ6zwbZbxAYrcEQaTrbqMHBPihStqIyUuhIMOr2HKQ4R0
jLNj2rJlGzWcHoUoIFNLiGyIW1A1OqYBKIQYg8EXI44Jgg2B2yrZDHo0NgEB
n4c3jHoYr1cNchtZm20XwyP9+pg8Qs4GdpfEiqlPsPqhNMdpmBr8DLQXIHWF
6UEiWGidIIA9iHcwXn2VCHuZFJ5cEc3Zzn91eNQxn396fcIWqL8fHhwdM7RR
aIO1XUFTYHv1kyY0XsTgOAK4qlxmCYzCLxnX7dQdsfqD3FXYgsKAF0ceBukT
P3GQQole6MyhmzY7bBQxwT12+jgbrcB6JS6rkjDeFgJa9Ar5KJJsg0GBCg9d
7eyLs0aSrtOQa+80jOCRSX6nQU+u7dNgHoja96Beasc8ypHYcPNdckLUGUtI
pklJbQxc09ZZSA/NB1vQ7kUCMb70snvEYFufkJpGVhOnNLlAUiKIeKY2xvHo
DQ2JP4TmO9XcACAw2CuE6qrj24BVOu4b+IVxfAmLLZaPjGOMyhC6Z1gJo2EX
WAWa+oVVAvK1S024XP6geyYs0rpz2JFjU03jYO0BUixgvdh6gkukDXfgbndC
3jBVxVrB5LDIVTTnlo0E6MvxzCwp/t6sJqlHB3OjZN3zvP+q/ngunuDPn8X7
D2fvnlUPO2L44cLn7wCH43nSEefPPTejZnrjIa8wrtoLdhEPdQ05zG7AFOjP
/RIM4RTV/Z+1XWpP7WmU+aMnTthIJmQkXmNzWN25lGPPrdWric0N6lL11gjH
bG8wh0iJCniSCwiJrW8IFHM8fQQyfiShYrjCmw3oIyxBtIHzLo/A3RzW2TZD
HLrFKg52SKW2ssNYOgYv9Af9MwLqVGty/5W66GWxSKiHazrNMgjAVbRzVRbr
2qdlQA9sFcazZNXYihoMjS1+rNkxugWuN4zTknbAuRem1fwMBj5vFFwkftMy
2fZXh3S6jt2mmwLzJDXWEIHCfrFdp62UjksjNmQ5LZ0bo60+KvygG6/5oxXP
qCGMJSRBCL9JwBBohxEfO0zYyrta/Q8SedPA3XveK3inmLe1se1QT5O9U8xx
4NDJd5H99Q4baTSJNWK3blKdF1ee80PeahCwKLiDqmxzplJcs3WwezNaxXTI
2/GAGdgh6yfy8AOfdxAXtTMPyu9UkrnIJsBRS6p2P+f6TQkh8Go92jooa9Bs
WqbTDVf/VELcl9Y75BlMEx9Y6lnNrlNbPbLNZV3+dYq4t59kaD4VDsKTI2ci
aDCzlARZkmkhNcn3GBN1226hglfUa3tgz1ZSeGDb76tR22t/VLtM99v1GVdg
Cl2bnoiYZjuNu8542oHHtegQFt1hgxsKMwlhqHXjwbTxHkPUbShrNbXpDLYP
ZGs21g47WOBwqFnxZO5c7ItP3MDVld8zc2nwuS6KVhFVV573S3XSvF0lPr6s
mycRwFnqqzBQAioGQQg12w/YR8ebPhCe8mVSRgFW5I1zHoJmI7IBbfSLElSE
XSW8RhfjWRZe8al05yoUu1ur7CjQf6zX3TtXwlMEU+TQwWGISaPlzZPJDzuL
VgofGnkilurnO1FCZytk8qFB/ci45TpUa1SxJCdS6OQijLuNDXdE7B176vjr
3LN2fAS7Ufndz7m6hXrQHm82jVkbXNNId1ThVJ2mKuMbXZXwmyvac2Wgp2qi
f68eeufJ1X67tttZ+l83HIUOmApsd/JR7Jyq0Ri7LcQ43p3Ia0vXj7slboN3
A/EgFO9NZ+3G26H7XK4jKJ6gohPFBJimD/xgn3ESMmXudjuozjMzhuewWdUf
KKqbGvo0gs6E9F6YRSo9d0D/qYrNNR/qXOH9PggQIB0Zhf+ywLBhCK2WHMOf
NMk5cNLNMuAalwWJgbqVhot0KgCGo6p4ol3hvt0MTTZmNO7aYgFojyupLDod
gEdAqblOshvWbROIUteXbrOaHWHZWe2ekarfL+L9KDT9jfoVrQbz7iiMuSCN
EhnwnQr0AL42iVaNqKhxTWJkkjbEaHNuWNJ0e0lly68cPgr7jsRC4eEjxibq
HtIq7uGarho2YwoyPGxTtxqWGzwmY3075quk5FxBszorXeAFT1019Vs7uOmI
wAQCPushBzQwxKRfNiG7Km/blggG5IzOrdFNG0ShXHLIiionebZh/HbzqgWR
O/q0QF/jR20t0ev5KyQeXYttQd3WstXVrq7GAC4YMlMhXhzakh2F+lHHMUfz
5ibBBbh1OhyeUfu2GVgc1yExvmqz1CxsYJZWS6bAOgLFR5aMU6vlm1idL4rU
LzRR2HHcPLVU4+f6NaOR81SXjhxulEq5212ba5qFRjaVF9aLTiMICNpF4uMd
ab4WibcUOoaJ2u0eMHLKePk97DoJpQtUjdM5I1jSIV/CxCs+beu2eZ4aaa3o
gfeNwD25p4o0cwQasyPvCEGu+1pXjkBkwsEuqLFlp+ylHDVGxtCv7DoOyybZ
71ieMiy1bZ+7TB8AqypMHbFzWdQSvi0VkZj58p4r6C6wZLqJk3WkggU+TkoO
WHFJ8oEVXcGYb3yhDZdZRtclWJ2BO0y3D7WwipexvXc1whSq+3kSGAz0pTNw
cb4guEzyWsHfWns456RvR8Pq/JoXMYmnuPzSFyZPHaxzfRvwkn8hcyynfGxP
WbRMA04pViB2+Uyl8BmYJn/r2IjAcQx5AENDVKHhpVvNoI/faiEUUBgmUCtN
lyFNM3ko6OH2Ld+0du8mhpJViIiLDvISW62C+uylwurmqA292yd8YQ0WLuWt
2tVJBYq+lGHG1NnrvUtVu5Danxea2RZ4N1dMrypCHEzd72DOKbv9ywGBTm0R
YEj9fWEBzPFWQVi4qg75XUvUKijpuI5UK+j0pd9720MjMha7YWu93eUmORI1
cwgKaFzn0rMuADjfmRJj+1CVTvNdEduALxfWagJW+0ZcEtuTmibr7R6q9p6O
BQIGq1kRIZouVxwst8vZar06lnLjJ1Yexta1dN+l3Fr7IVBF1nT1gIIfAbHq
PQE3xLpfyA1pXm1LM6VXQ3YK8ZEY7er/BqNd7TAaowZ9KdvB9u8yoq3Vze1z
i7q/s50FdKiXJy57QfiId1upDtvYEkfDAkdbqcFKjWSLLVxGRmDQyqqStn6t
gE3IPn4AOtfA70MoukU7PuYLMmkIStCvKlir5zjtxtEJ5gDdPoIfwxq5eTtF
uyBtPaW4EN1D6PWp8bD2YgG+yomOcuU2x6bZuet4lsLV42yufhBh2eLXMiqy
EdOZnkkjF+lQ44RHFE9ilxlXrwER5vtSqpyPUGobhnPqMnOA3IqsbbOdQtlR
3Qqw3Z3fFxD/Hc3we2eq//+FMGMo1hHduakiQ6Wrx8ea++Ef3uLDi0duF3fD
wA48V3Tpjm5jonvX+bHUPiWEjXYCdUd0qp+OXlnMvg0HviNgb14Dehizjyos
uTMH1Jg0gcTRsKq1fXTXvX7MuxOos++PWu/KNWAtGTbf2tVO1JIzn2WFdJHY
dA9bBHSFqU5kgdsZy3LTVeXpGguf8T+twFhJuX2tosjk+AelsT1oh7CbGnGi
+12n8fcD/KZd1DH+1QMYf79x4TcHWnUPn/O5faF11viRBbv9TuwyiQJ9wFm/
v18kCUe8ncvpM1F7SvCkS8H0ejL2xzfbZ5T4fuq8zKgdtWN3kgL+xyEOCdS5
QAAQ4xlERTPO0i9fT+Xshs7PZqbHw31+fOVCNp/ded963PRRwZ/36P8o2dOv
YtDZQtJ+/2FJtwsVv3+FDSA+dKn6NPx/+QDTwzhO9B2e/gKKz434efjx4+XP
fWuopwpfxfY/omdB0KAb9Ke/jsaDyaTr/S8Zrcj8T0oAAA==

-->

</rfc>
