<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.34 (Ruby 4.0.2) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-wendt-stir-cert-tn-attr-ext-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="TN Attribute Certificate Extension">TN Attribute Certificate Extension for STI Certificates</title>

    <author fullname="Chris Wendt">
      <organization>Somos Inc.</organization>
      <address>
        <email>chris@appliedbits.com</email>
      </address>
    </author>
    <author fullname="Rob &#x015A;liwa">
      <organization>Somos Inc.</organization>
      <address>
        <email>robjsliwa@gmail.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    <area>Applications and Real-Time</area>
    <workgroup>Secure Telephone Identity Revisited</workgroup>
    <keyword>stir</keyword> <keyword>certificates</keyword> <keyword>delegate certificates</keyword> <keyword>tn attributes</keyword> <keyword>do not originate</keyword>

    <abstract>


<?line 98?>
<t>This document specifies a non-critical X.509 v3 certificate extension that conveys a set of self-asserted attributes describing the telephone numbers identified in the certificate's TNAuthList. The attributes are declared by the holder of the certificate about its own telephone numbers and require no separate authority token, because they describe or constrain only those numbers and grant no authority to any other party. The extension defines an extensible framework with an IANA registry of attribute types and seeds that registry with four types: a PASSporT Placement Service (PPS) URI, a do-not-originate indication, a do-not-originate-messaging indication, and a set of authorized originating providers. Relying parties use these self-declarations as policy signals, treating communications that do not conform to them as candidates for blocking. The mechanism is backward compatible with existing STIR certificates.</t>



    </abstract>

    <note title="About This Document" removeInRFC="true">
      <t>
        The latest revision of this draft can be found at <eref target="https://github.com/appliedbits/draft-wendt-stir-cert-tn-attr-ext"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-wendt-stir-cert-tn-attr-ext/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Secure Telephone Identity Revisited Working Group mailing list (<eref target="mailto:stir@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/stir/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/stir/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/appliedbits/draft-wendt-stir-cert-tn-attr-ext"/>.</t>
    </note>


  </front>

  <middle>


<?line 100?>

<section anchor="introduction"><name>Introduction</name>

<t>The STIR (Secure Telephone Identity Revisited) framework provides a means of cryptographically asserting authority over the telephone numbers used in a communication, using PASSporTs carried in SIP requests as defined in <xref target="RFC8224"/> and <xref target="RFC8225"/>, signed with certificates that carry a TNAuthList extension <xref target="RFC8226"/>. A certificate, including a delegate certificate <xref target="RFC9060"/>, attests that its holder has been validated as authorized for the telephone numbers in its TNAuthList.</t>

<t>The holder of such a certificate is therefore in a unique position to make verifiable statements about those same telephone numbers. Because the certificate already establishes the holder's right to use the numbers, statements the holder makes about how those numbers are used, or about which providers may originate communications from them, are trustworthy self-assertions: they describe or constrain the holder's own numbers and grant no authority to any other party. This document defines a certificate extension that carries such self-asserted attributes, so that relying parties can obtain the number holder's own declarations about a number and apply them as policy signals.</t>

<t>These attributes are not authoritative in the sense of enabling a service or conferring a capability. They are transparent declarations of the number holder's intent. A relying party that obtains them can recognize communications that do not conform to the holder's declared intent, for example a call that purports to originate from a number the holder has declared never originates calls, and treat such communications as candidates for blocking. The defending value of an attribute therefore comes from a relying party being able to retrieve it, keyed by telephone number, and act on it.</t>

<t>These attributes express the number holder's intent regarding outbound origination from the covered telephone numbers, and they are evaluated within the STIR trust framework. STIR identity information, carried as PASSporTs <xref target="RFC8225"/> signed with STIR certificates and conveyed for example in a SIP Identity header field <xref target="RFC8224"/> or, for messaging, as described in <xref target="RFC9475"/>, is the means by which conformance to that intent is attested for outbound voice and messaging from a telephone number. The scope of these attributes therefore follows the scope of STIR itself, rather than any particular service or transport: a service that adopts STIR to attest origination from a telephone number participates in this framework and inherits these attributes, whether it is carried over interconnected networks or is otherwise proprietary. A service that does not use STIR is not evaluated under it.</t>

<t>Because each attribute describes only the holder's own telephone numbers and grants nothing to anyone else, no authority token is required to assert it. This distinguishes the attributes defined here from the authority recorded in the TNAuthList itself, which is validated at issuance and represents delegated scope. The self-asserted attributes are carried alongside that authority but are semantically separate from it: a relying party <bcp14>MUST NOT</bcp14> interpret any attribute defined here as extending or modifying the certificate's scope of telephone number authority.</t>

<t>This document defines the extension and an extensible IANA registry of attribute types, and seeds the registry with four types: a PASSporT Placement Service (PPS) URI, a do-not-originate indication, a do-not-originate-messaging indication, and a set of authorized originating providers. Future specifications may register additional types that meet the self-assertion criterion defined in the IANA Considerations.</t>

<t>Note: One of the attribute types defined here carries the URI of a PASSporT Placement Service (PPS). The service defined in <xref target="RFC8816"/> is named the Call Placement Service (CPS). This document refers to it as the PASSporT Placement Service (PPS). The two terms denote the same architectural role. The PPS name is used to avoid acronym collision with Certification Practice Statement (CPS) as used in <xref target="RFC8226"/> and certificate policy practice, and because the service places and serves PASSporTs and is not limited to telephone calls.</t>

<section anchor="relationship-to-other-specifications"><name>Relationship to Other Specifications</name>

<t>This document defines a certificate extension data format. It is designed to compose with the broader STIR ecosystem:</t>

<t><list style="symbols">
  <t><xref target="RFC8226"/> defines the TNAuthList extension that records the authority over which these attributes are asserted, and <xref target="RFC9060"/> defines delegate certificates that carry such authority.</t>
  <t><xref target="RFC8816"/> defines the Out-of-Band (OOB) architecture and the PASSporT Placement Service concept, which it names the Call Placement Service (CPS). The PPS URI attribute defined here points to such a service.</t>
  <t><xref target="RFC9888"/> describes a service-provider OOB deployment model and the possibility of embedding placement service information in STIR certificates.</t>
  <t><xref target="I-D.ietf-stir-certificate-transparency"/> defines STI Certificate Transparency logs, which are one mechanism by which certificates carrying this extension may be observed.</t>
</list></t>

<t>Retrieval of these attributes keyed by telephone number is out of scope for this document. Mechanisms for distributing and querying do-not-originate information by telephone number are already deployed, and the same distribution and query mechanisms are expected to carry the attributes defined here. In all cases the certificate is the authoritative source of the attribute values, and the distribution layer conveys them; see <xref target="conveyance"/>.</t>

</section>
</section>
<section anchor="conventions-and-definitions"><name>Conventions and Definitions</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

<?line -18?>

</section>
<section anchor="extension"><name>The id-pe-tnAttributes Certificate Extension</name>

<t>This extension is an X.509 <xref target="X.509"/> v3 certificate extension, profiled for the Internet PKI by <xref target="RFC5280"/>. It is non-critical, applicable only to end-entity certificates, and defined later in this section with ASN.1 <xref target="X.680"/> <xref target="X.681"/> <xref target="X.682"/> <xref target="X.683"/> using the PKIX ASN.1 modules of <xref target="RFC5912"/>.</t>

<t>The extension is intended for use in end-entity STI certificates <xref target="RFC8226"/> and delegate certificates <xref target="RFC9060"/> whose TNAuthList authorizes specific telephone numbers. It carries one or more typed attributes, each a self-assertion by the certificate holder about those numbers. In this document, the telephone numbers identified in the certificate's TNAuthList are referred to as the covered telephone numbers.</t>

<t>A TNAuthList <xref target="RFC8226"/> may syntactically contain telephone number and telephone number range entries, Service Provider Code (SPC) entries, or a combination of both. The attributes defined in this document describe telephone numbers, and they apply only to the telephone number entries in the TNAuthList; they make no assertion about SPC entries. This extension is therefore intended for certificates whose TNAuthList authorizes telephone numbers. It has no effect in a certificate whose TNAuthList contains only SPC entries, and a producer <bcp14>SHOULD NOT</bcp14> include it in such a certificate.</t>

<section anchor="the-self-assertion-principle"><name>The Self-Assertion Principle</name>

<t>Every attribute carried in this extension is a self-assertion by the holder of the certificate about the telephone numbers in the certificate's TNAuthList. An attribute does not require an authority token, and is trustworthy without one, precisely because it describes or constrains only the holder's own telephone numbers and grants no authority, capability, or service to any other party.</t>

<t>The worst outcome an incorrect or malicious self-assertion can produce is degradation of service to the asserting holder's own numbers. An attribute cannot expand the holder's authority, cannot confer authority on a third party, and cannot make a statement about a resource the holder does not control. Where an attribute references another party, as the authorized originating providers attribute references SPCs, that reference is a statement of the holder's own acceptance policy and confers nothing on the referenced party; the referenced party's authority, if any, derives solely from its own credentials.</t>

<t>This principle is the inclusion criterion for the IANA registry defined in <xref target="iana"/>. An attribute type qualifies for registration only if it satisfies it. Attributes that would grant authority, enable a capability, or assert facts about resources outside the holder's control do not qualify and belong in a token-gated mechanism instead.</t>

<t>The container guarantees only provenance: every attribute in it was asserted by the validated holder of the telephone numbers in the certificate. Each attribute type defines its own semantics, given in <xref target="attribute-types"/> for the types defined here and in the registering specification for types added later.</t>

</section>
<section anchor="asn1-module-syntax"><name>ASN.1 Module Syntax</name>

<t>The extension is identified by an object identifier (OID) assigned in the PKIX id-pe arc defined in <xref target="RFC5280"/>. Its value is a sequence of one or more typed attributes. Each attribute carries an integer type, which keys into the IANA "STIR TN Attribute Types" registry (<xref target="iana"/>), and a value whose syntax is defined by the registration for that type. The set of types is extensible: the extension marker in the object set below permits attributes of types not defined in this module to be carried and, if unrecognized, skipped. A specification that defines a new type registers it, with its value syntax, and adds it to the object set; existing implementations that do not recognize the new type are unaffected.</t>

<figure><artwork><![CDATA[
TN-ATTRIBUTES-EXTN
  { iso(1) identified-organization(3) dod(6) internet(1)
    security(5) mechanisms(5) pkix(7) id-mod(0)
    id-mod-tn-attributes(TBD0) }

DEFINITIONS EXPLICIT TAGS ::=
BEGIN

IMPORTS
  EXTENSION
  FROM PKIX-CommonTypes-2009  -- RFC 5912
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkixCommon-02(57) }

  id-pe
  FROM PKIX1Explicit-2009  -- RFC 5912
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkix1-explicit-02(51) } ;

-- TN Attributes Certificate Extension

ext-TNAttributes EXTENSION ::= {
  SYNTAX TNAttributes
  IDENTIFIED BY id-pe-tnAttributes }

id-pe-tnAttributes OBJECT IDENTIFIER ::= { id-pe TBD1 }

-- Information object class binding an attribute value type
-- to its registered integer identifier

TN-ATTRIBUTE ::= CLASS {
  &id    INTEGER UNIQUE,
  &Type
} WITH SYNTAX { TYPE &Type IDENTIFIED BY &id }

-- The extension value: one or more typed attributes

TNAttributes ::= SEQUENCE SIZE (1..MAX) OF TNAttribute

TNAttribute ::= SEQUENCE {
  type   TN-ATTRIBUTE.&id    ({TNAttributeTypes}),
  value  TN-ATTRIBUTE.&Type  ({TNAttributeTypes}{@type}) }

-- Set of attribute types defined in this document.
-- Extensible via the IANA registry; the marker permits
-- types registered by other specifications.

TNAttributeTypes TN-ATTRIBUTE ::= {
  tnAttr-ppsURIs              |
  tnAttr-doNotOriginate       |
  tnAttr-doNotOriginateMessaging   |
  tnAttr-authorizedOriginators,
  ... }

tnAttr-ppsURIs TN-ATTRIBUTE ::=
  { TYPE PPSURIs IDENTIFIED BY 1 }
tnAttr-doNotOriginate TN-ATTRIBUTE ::=
  { TYPE DoNotOriginate IDENTIFIED BY 2 }
tnAttr-doNotOriginateMessaging TN-ATTRIBUTE ::=
  { TYPE DoNotOriginateMessaging IDENTIFIED BY 3 }
tnAttr-authorizedOriginators TN-ATTRIBUTE ::=
  { TYPE AuthorizedOriginators IDENTIFIED BY 4 }

-- Value syntaxes for the defined types

PPSURIs ::= SEQUENCE SIZE (1..MAX) OF IA5String

DoNotOriginate ::= NULL

DoNotOriginateMessaging ::= NULL

AuthorizedOriginators ::= SEQUENCE SIZE (1..MAX) OF SPC

SPC ::= IA5String

END
]]></artwork></figure>

<t>Note: The numeric module and OID assignments marked TBD are temporary. IANA will allocate the permanent values during RFC publication.</t>

</section>
<section anchor="criticality"><name>Criticality</name>

<t>The extension <bcp14>MUST</bcp14> be marked non-critical, following the certificate extension processing rules of <xref target="RFC5280"/>, so that a relying party that does not recognize it can still validate the certificate. An attribute that a relying party does not understand, or whose type is not in its supported set, is ignored.</t>

</section>
</section>
<section anchor="attribute-types"><name>Attribute Types</name>

<t>Each attribute type defines its value syntax and its semantics. A relying party that does not support a given type ignores it. The absence of an attribute is not an assertion: a relying party <bcp14>MUST NOT</bcp14> infer a value, restrictive or permissive, for an attribute that is not present. The restrictive attributes defined here constrain behavior only when present.</t>

<t>Some attributes defined here are presence-only: they carry no value of their own and make their assertion simply by being present in the certificate. In the ASN.1 module such an attribute has the value syntax NULL, which conveys nothing beyond the attribute's presence.</t>

<t>A given type <bcp14>SHOULD</bcp14> appear at most once in the extension. If a type that is defined as single-valued appears more than once, a relying party <bcp14>MUST</bcp14> treat the certificate's attribute set as ambiguous for that type and ignore that type.</t>

<section anchor="pps-uris-type-1"><name>PPS URIs (type 1)</name>

<t>The value is a sequence of one or more absolute URIs <xref target="RFC3986"/>, each of which:</t>

<t><list style="symbols">
  <t>Uses the "https" scheme.</t>
  <t>Identifies a PASSporT Placement Service (PPS) for the covered telephone numbers (for example, "https://pps.example.net").</t>
</list></t>

<t>This attribute declares where PASSporTs for the covered telephone numbers may be published and retrieved out of band <xref target="RFC8816"/>. The URI locates the service; the interface a PPS exposes at that location is not specified by this document and may differ between deployments. A value that is not an absolute HTTPS URI <bcp14>MUST</bcp14> cause a relying party to ignore that entry. Producers <bcp14>MAY</bcp14> include multiple URIs to express redundancy or locality; selection among them is a matter of local policy.</t>

<t>This attribute is enabling rather than restrictive: it points a relying party to a service. It satisfies the self-assertion principle because it declares only where the holder publishes PASSporTs for its own numbers and grants nothing to any other party.</t>

</section>
<section anchor="do-not-originate-type-2"><name>Do Not Originate (type 2)</name>

<t>This attribute is presence-only. When present, it asserts that the covered telephone numbers do not originate calls. A call here is the STIR-attested session <xref target="RFC8224"/> established for a telephone number, independent of whether it carries voice or video media. A relying party that obtains this attribute for a number, and then sees a call purporting to originate from that number, has a strong signal that the call is illegitimate and <bcp14>SHOULD</bcp14> treat it as a candidate for blocking according to local policy. Absence of the attribute is not an assertion that the number does originate calls.</t>

<t>Note for Working Group consideration: this attribute treats a call as a single channel regardless of media. Should number-based video calling become established on the telephone network, the working group may wish to consider whether to distinguish voice from video origination through a separately registered attribute, for example a do-not-originate-video declaration, so that a holder could indicate that a number does not originate video calls specifically. This document does not make that distinction; the extensible registry defined in the IANA Considerations accommodates such a future type if a need arises.</t>

</section>
<section anchor="do-not-originate-messaging-type-3"><name>Do Not Originate Messaging (type 3)</name>

<t>This attribute is presence-only. When present, it asserts that the covered telephone numbers do not originate messages. A relying party that obtains this attribute for a number, and then sees a message purporting to originate from that number, has a strong signal that the message is illegitimate and <bcp14>SHOULD</bcp14> treat it as a candidate for blocking according to local policy. Absence of the attribute is not an assertion that the number does originate messages.</t>

<t>This attribute is the messaging counterpart of the do-not-originate attribute (type 2), applying the same presence-only semantics to the messaging channel. The two are parallel per-channel signals: do-not-originate declares that the number does not originate calls, and do-not-originate-messaging declares that it does not originate messages. A number that originates neither carries both.</t>

</section>
<section anchor="authorized-originators-type-4"><name>Authorized Originators (type 4)</name>

<t>The value is a sequence of one or more SPCs, each identifying a provider that the holder of the telephone numbers authorizes to originate and attest communications from those numbers. A relying party that obtains this attribute, and then sees a communication from the covered number attested by a provider whose SPC is not in the set, has a signal that the origination is unauthorized and <bcp14>SHOULD</bcp14> treat it as a candidate for blocking according to local policy. The providers named apply to origination across the channels the holder's numbers support; this document does not distinguish per-channel authorized originators, and a single set applies to both calls and messaging.</t>

<t>This attribute is a statement of the holder's acceptance policy for its own numbers. It confers no authority on the listed providers: a listed provider's ability to sign for the number derives solely from its own credentials, and a relying party <bcp14>MUST NOT</bcp14> interpret presence in this set as STIR authority of any kind. Likewise, a relying party <bcp14>MUST NOT</bcp14> interpret an SPC in this attribute as extending the certificate's own telephone number authority. Absence of this attribute imposes no origination restriction: the holder has declared no authorized-originator set, and communications may be attested by any provider as far as this attribute is concerned.</t>

<t>The do-not-originate and do-not-originate-messaging attributes each take precedence, on their own channel, over the authorized-originators attribute. Where do-not-originate is present, the covered telephone numbers originate no calls regardless of any authorized-originators value; where do-not-originate-messaging is present, they originate no messages regardless of any authorized-originators value. The authorized-originators attribute therefore governs only origination on channels not closed by a do-not-originate signal.</t>

</section>
</section>
<section anchor="processing-rules"><name>Processing Rules</name>

<t>A STIR Authentication Service <xref target="RFC8224"/> that holds a certificate carrying a PPS URIs attribute <bcp14>SHOULD</bcp14> publish out-of-band PASSporTs for the covered telephone numbers to one of the indicated PPS endpoints.</t>

<t>A relying party that has obtained a certificate carrying this extension, whether from a signed communication or by retrieval keyed to a telephone number, validates the certificate chain to a trusted STIR trust anchor before relying on any attribute. Having done so, it applies each supported attribute according to that attribute's semantics in <xref target="attribute-types"/>. The restrictive attributes, do-not-originate, do-not-originate-messaging, and authorized-originators, are policy signals: a relying party <bcp14>SHOULD</bcp14> treat a communication that does not conform to a present restrictive attribute as a candidate for blocking, subject to local policy.</t>

<t>The defending value of the restrictive attributes is realized only when a relying party can obtain them for a number independently of the communication being evaluated. The cases these attributes are designed to catch, such as an unsigned communication from a do-not-originate number or one attested by an unauthorized provider, are exactly the cases in which the holder's own certificate is not presented on the communication. In those cases the relying party obtains the attributes by retrieving the holder's certificate keyed by telephone number, by a mechanism outside the scope of this document.</t>

</section>
<section anchor="conveyance"><name>Distribution and Transparency</name>

<t>Retrieval and distribution of these attributes keyed by telephone number are out of scope for this document and are left to other specifications and to industry practice.</t>

<t>The certificate is the authoritative, signed source of the attribute values. A relying party validates the certificate independently of how it was obtained, so trust in an attribute derives from the certificate rather than from whatever mechanism delivered it.</t>

<t>Transparency logs provide a monitoring mechanism by which distributors can observe the attributes asserted for a telephone number as certificates are issued, and populate the authoritative information that relying parties consult.</t>

<t>A distribution mechanism <bcp14>SHOULD</bcp14> convey the signed certificate together with the distributed information, so that a relying party can verify each attribute directly against the certificate rather than trust the distributor. Where the signed certificate is not conveyed, the relying party depends on the distribution layer for the integrity of the information. This document does not otherwise mandate a distribution mechanism.</t>

</section>
<section anchor="lifecycle-considerations"><name>Lifecycle Considerations</name>

<t>The attributes reflect the holder's declarations at the time the certificate was issued. Because they are carried in the certificate, changing an attribute requires issuing a new certificate, and the change takes effect at relying parties only after the new certificate has propagated through the distribution mechanism in use. Attribute currency therefore follows certificate lifetime. Short-lived certificates bound the interval over which a stale declaration remains in use and are <bcp14>RECOMMENDED</bcp14> for this reason. This ties attribute updates to the same validated issuance path as the certificate itself, so that a declaration cannot be forged into the distribution layer.</t>

</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>The attributes defined here are self-assertions by the holder of the telephone numbers in the certificate's TNAuthList. Their trust rests on two things: the certificate having been validated at issuance as authorizing the holder for those numbers, and the relying party validating the certificate chain before acting on any attribute. A relying party <bcp14>MUST</bcp14> validate the chain to a trusted STIR trust anchor; the attribute values are not independently signed and derive their integrity from the certificate.</t>

<t>Because each attribute describes or constrains only the holder's own telephone numbers and grants nothing to any other party, the worst outcome of an incorrect or malicious assertion is degradation of service to the asserting holder's own numbers. An attribute cannot expand the holder's authority or confer authority on a third party. In particular, the authorized-originators attribute lists SPCs as a statement of the holder's acceptance policy; it confers no STIR authority on those providers, and a relying party <bcp14>MUST NOT</bcp14> treat presence in that list as authority of any kind, nor as extending the certificate's telephone number scope.</t>

<t>Misissuance is the relevant residual risk: a certificate that carries these attributes without the holder having been properly validated for the listed telephone numbers would carry self-assertions that should not be trusted. The validation that binds a certificate to its telephone numbers is the responsibility of the issuing CA and the certificate profile in use, and is outside the scope of this extension.</t>

<t>The restrictive attributes defend against impersonation only when a relying party can retrieve them keyed by telephone number, independently of the communication under evaluation, as discussed in <xref target="conveyance"/>. A relying party that cannot perform such retrieval gains no protection from them against the unsigned or wrongly-attested cases. Reliance on a distribution mechanism for retrieval inherits that mechanism's availability and integrity properties; because the certificate is signed, a compromised distribution layer can suppress or withhold attributes but cannot forge them.</t>

<t>Publication of these attributes in retrievable or publicly logged certificates may reveal deployment metadata about a number's usage. This exposure is consistent with existing STIR certificate practice and does not introduce privacy risk beyond what TNAuthList usage already entails.</t>

</section>
<section anchor="iana"><name>IANA Considerations</name>

<section anchor="tn-attributes-certificate-extension-oid"><name>TN Attributes Certificate Extension OID</name>

<t>IANA is requested to assign an object identifier for the TN Attributes certificate extension in the "SMI Security for PKIX Certificate Extension" registry:</t>

<t><list style="symbols">
  <t>Description: id-pe-tnAttributes</t>
  <t>Reference: (this document)</t>
</list></t>

</section>
<section anchor="stir-tn-attribute-types-registry"><name>STIR TN Attribute Types Registry</name>

<t>IANA is requested to create a new registry, "STIR TN Attribute Types", to record the integer type identifiers carried in the TN Attributes certificate extension defined in this document.</t>

<t>Each entry records:</t>

<t><list style="symbols">
  <t>Type: the integer identifier (the "type" field of a TNAttribute).</t>
  <t>Name: a short identifier for the attribute type.</t>
  <t>Value Syntax: the ASN.1 type of the attribute value.</t>
  <t>Reference: the defining specification.</t>
</list></t>

<t>The registration policy is Specification Required <xref target="RFC8126"/>. The designated expert <bcp14>MUST</bcp14> verify that a requested type satisfies the self-assertion criterion: the attribute describes or constrains only the asserting holder's own telephone numbers, grants no authority, capability, or service to any other party, and makes no assertion about a resource the holder does not control. A type that would grant authority, enable a capability, or assert facts about resources outside the holder's control does not qualify and is to be refused, as such a mechanism requires authorization beyond a self-assertion.</t>

<t>The registry is initialized with the following entries, all defined in this document:</t>

<texttable>
      <ttcol align='left'>Type</ttcol>
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>Value Syntax</ttcol>
      <ttcol align='left'>Reference</ttcol>
      <c>1</c>
      <c>pps-uris</c>
      <c>PPSURIs</c>
      <c>(this document)</c>
      <c>2</c>
      <c>do-not-originate</c>
      <c>DoNotOriginate</c>
      <c>(this document)</c>
      <c>3</c>
      <c>do-not-originate-messaging</c>
      <c>DoNotOriginateMessaging</c>
      <c>(this document)</c>
      <c>4</c>
      <c>authorized-originators</c>
      <c>AuthorizedOriginators</c>
      <c>(this document)</c>
</texttable>

<t>Type value 0 is reserved.</t>

</section>
</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC3986">
  <front>
    <title>Uniform Resource Identifier (URI): Generic Syntax</title>
    <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
    <author fullname="R. Fielding" initials="R." surname="Fielding"/>
    <author fullname="L. Masinter" initials="L." surname="Masinter"/>
    <date month="January" year="2005"/>
    <abstract>
      <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="66"/>
  <seriesInfo name="RFC" value="3986"/>
  <seriesInfo name="DOI" value="10.17487/RFC3986"/>
</reference>
<reference anchor="RFC5280">
  <front>
    <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
    <author fullname="D. Cooper" initials="D." surname="Cooper"/>
    <author fullname="S. Santesson" initials="S." surname="Santesson"/>
    <author fullname="S. Farrell" initials="S." surname="Farrell"/>
    <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
    <author fullname="R. Housley" initials="R." surname="Housley"/>
    <author fullname="W. Polk" initials="W." surname="Polk"/>
    <date month="May" year="2008"/>
    <abstract>
      <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5280"/>
  <seriesInfo name="DOI" value="10.17487/RFC5280"/>
</reference>
<reference anchor="RFC5912">
  <front>
    <title>New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)</title>
    <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
    <author fullname="J. Schaad" initials="J." surname="Schaad"/>
    <date month="June" year="2010"/>
    <abstract>
      <t>The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5912"/>
  <seriesInfo name="DOI" value="10.17487/RFC5912"/>
</reference>
<reference anchor="RFC8224">
  <front>
    <title>Authenticated Identity Management in the Session Initiation Protocol (SIP)</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="C. Jennings" initials="C." surname="Jennings"/>
    <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <date month="February" year="2018"/>
    <abstract>
      <t>The baseline security mechanisms in the Session Initiation Protocol (SIP) are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document defines a mechanism for securely identifying originators of SIP requests. It does so by defining a SIP header field for conveying a signature used for validating the identity and for conveying a reference to the credentials of the signer.</t>
      <t>This document obsoletes RFC 4474.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8224"/>
  <seriesInfo name="DOI" value="10.17487/RFC8224"/>
</reference>
<reference anchor="RFC8225">
  <front>
    <title>PASSporT: Personal Assertion Token</title>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="February" year="2018"/>
    <abstract>
      <t>This document defines a method for creating and validating a token that cryptographically verifies an originating identity or, more generally, a URI or telephone number representing the originator of personal communications. The Personal Assertion Token, PASSporT, is cryptographically signed to protect the integrity of the identity of the originator and to verify the assertion of the identity information at the destination. The cryptographic signature is defined with the intention that it can confidently verify the originating persona even when the signature is sent to the destination party over an insecure channel. PASSporT is particularly useful for many personal-communications applications over IP networks and other multi-hop interconnection scenarios where the originating and destination parties may not have a direct trusted relationship.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8225"/>
  <seriesInfo name="DOI" value="10.17487/RFC8225"/>
</reference>
<reference anchor="RFC8226">
  <front>
    <title>Secure Telephone Identity Credentials: Certificates</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="S. Turner" initials="S." surname="Turner"/>
    <date month="February" year="2018"/>
    <abstract>
      <t>In order to prevent the impersonation of telephone numbers on the Internet, some kind of credential system needs to exist that cryptographically asserts authority over telephone numbers. This document describes the use of certificates in establishing authority over telephone numbers, as a component of a broader architecture for managing telephone numbers as identities in protocols like SIP.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8226"/>
  <seriesInfo name="DOI" value="10.17487/RFC8226"/>
</reference>
<reference anchor="RFC8816">
  <front>
    <title>Secure Telephone Identity Revisited (STIR) Out-of-Band Architecture and Use Cases</title>
    <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="February" year="2021"/>
    <abstract>
      <t>The Personal Assertion Token (PASSporT) format defines a token that can be carried by signaling protocols, including SIP, to cryptographically attest the identity of callers. However, not all telephone calls use Internet signaling protocols, and some calls use them for only part of their signaling path, while some cannot reliably deliver SIP header fields end-to-end. This document describes use cases that require the delivery of PASSporT objects outside of the signaling path, and defines architectures and semantics to provide this functionality.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8816"/>
  <seriesInfo name="DOI" value="10.17487/RFC8816"/>
</reference>
<reference anchor="RFC8126">
  <front>
    <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
    <author fullname="M. Cotton" initials="M." surname="Cotton"/>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <author fullname="T. Narten" initials="T." surname="Narten"/>
    <date month="June" year="2017"/>
    <abstract>
      <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
      <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
      <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="26"/>
  <seriesInfo name="RFC" value="8126"/>
  <seriesInfo name="DOI" value="10.17487/RFC8126"/>
</reference>
<reference anchor="RFC9060">
  <front>
    <title>Secure Telephone Identity Revisited (STIR) Certificate Delegation</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="September" year="2021"/>
    <abstract>
      <t>The Secure Telephone Identity Revisited (STIR) certificate profile provides a way to attest authority over telephone numbers and related identifiers for the purpose of preventing telephone number spoofing. This specification details how that authority can be delegated from a parent certificate to a subordinate certificate. This supports a number of use cases, including those where service providers grant credentials to enterprises or other customers capable of signing calls with STIR.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9060"/>
  <seriesInfo name="DOI" value="10.17487/RFC9060"/>
</reference>
<reference anchor="RFC9475">
  <front>
    <title>Messaging Use Cases and Extensions for Secure Telephone Identity Revisited (STIR)</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <date month="December" year="2023"/>
    <abstract>
      <t>Secure Telephone Identity Revisited (STIR) provides a means of attesting the identity of a telephone caller via a signed token in order to prevent impersonation of a calling party number, which is a key enabler for illegal robocalling. Similar impersonation is sometimes leveraged by bad actors in the text and multimedia messaging space. This document explores the applicability of STIR's Personal Assertion Token (PASSporT) and certificate issuance framework to text and multimedia messaging use cases, including support for both messages carried as a payload in SIP requests and messages sent in sessions negotiated by SIP.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9475"/>
  <seriesInfo name="DOI" value="10.17487/RFC9475"/>
</reference>

<reference anchor="X.509" target="https://www.itu.int/rec/T-REC-X.509">
  <front>
    <title>Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks</title>
    <author >
      <organization>International Telecommunication Union</organization>
    </author>
    <date year="2016" month="October"/>
  </front>
  <seriesInfo name="ITU-T" value="Recommendation X.509, ISO/IEC 9594-8"/>
</reference>
<reference anchor="X.680" target="https://www.itu.int/rec/T-REC-X.680">
  <front>
    <title>Information Technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation</title>
    <author >
      <organization>International Telecommunication Union</organization>
    </author>
    <date year="2015" month="August"/>
  </front>
  <seriesInfo name="ITU-T" value="Recommendation X.680, ISO/IEC 8824-1"/>
</reference>
<reference anchor="X.681" target="https://www.itu.int/rec/T-REC-X.681">
  <front>
    <title>Information Technology - Abstract Syntax Notation One (ASN.1): Information object specification</title>
    <author >
      <organization>International Telecommunication Union</organization>
    </author>
    <date year="2015" month="August"/>
  </front>
  <seriesInfo name="ITU-T" value="Recommendation X.681, ISO/IEC 8824-2"/>
</reference>
<reference anchor="X.682" target="https://www.itu.int/rec/T-REC-X.682">
  <front>
    <title>Information Technology - Abstract Syntax Notation One (ASN.1): Constraint specification</title>
    <author >
      <organization>International Telecommunication Union</organization>
    </author>
    <date year="2015" month="August"/>
  </front>
  <seriesInfo name="ITU-T" value="Recommendation X.682, ISO/IEC 8824-3"/>
</reference>
<reference anchor="X.683" target="https://www.itu.int/rec/T-REC-X.683">
  <front>
    <title>Information Technology - Abstract Syntax Notation One (ASN.1): Parameterization of ASN.1 specifications</title>
    <author >
      <organization>International Telecommunication Union</organization>
    </author>
    <date year="2015" month="August"/>
  </front>
  <seriesInfo name="ITU-T" value="Recommendation X.683, ISO/IEC 8824-4"/>
</reference>


<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>



    </references>

    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC9888">
  <front>
    <title>Out-of-Band Secure Telephone Identity Revisited (STIR) for Service Providers</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="June" year="2026"/>
    <abstract>
      <t>The Secure Telephone Identity Revisited (STIR) framework defines means of carrying its Personal Assertion Tokens (PASSporTs) either in-band, within the headers of a Session Initiation Protocol (SIP) request, or out-of-band, through a service that stores PASSporTs for retrieval by relying parties. This specification defines a way that the out-of-band conveyance of PASSporTs can be used to support large service providers for cases in which in-band STIR conveyance is not universally available.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9888"/>
  <seriesInfo name="DOI" value="10.17487/RFC9888"/>
</reference>

<reference anchor="I-D.ietf-stir-certificate-transparency">
   <front>
      <title>STI Certificate Transparency</title>
      <author fullname="Chris Wendt" initials="C." surname="Wendt">
         <organization>Somos, Inc.</organization>
      </author>
      <author fullname="Robert Śliwa" initials="R." surname="Śliwa">
         <organization>Somos, Inc.</organization>
      </author>
      <author fullname="Alec Fenichel" initials="A." surname="Fenichel">
         <organization>TransNexus</organization>
      </author>
      <author fullname="Vinit Anil Gaikwad" initials="V. A." surname="Gaikwad">
         <organization>Twilio</organization>
      </author>
      <date day="18" month="May" year="2026"/>
      <abstract>
	 <t>   This document describes a framework for the use of the Certificate
   Transparency (CT) protocol for publicly logging the existence of
   Secure Telephone Identity (STI) certificates as they are issued or
   observed.  This allows any interested party that is part of the STI
   eco-system to audit STI certification authority (CA) activity and
   audit both the issuance of suspect certificates and the certificate
   logs themselves.  The intent is for the establishment of a level of
   trust in the STI eco-system that depends on the verification of
   telephone numbers requiring and refusing to honor STI certificates
   that do not appear in a established log.  This effectively
   establishes the precedent that STI CAs must add all issued
   certificates to the logs and thus establishes unique association of
   STI certificates to an authorized provider or assignee of a telephone
   number resource.  The primary role of CT in the STI ecosystem is for
   verifiable trust in the avoidance of issuance of unauthorized
   duplicate telephone number level delegate certificates or provider
   level certificates.  This provides a robust auditable mechanism for
   the detection of unauthorized creation of certificate credentials for
   illegitimate spoofing of telephone numbers or service provider codes
   (SPC).

   The framework borrows the log structure and API model from RFC6962 to
   enable public auditing and verifiability of certificate issuance.
   While the foundational mechanisms for log operation, Merkle Tree
   construction, and Signed Certificate Timestamps (SCTs) are aligned
   with RFC6962, this document contextualizes their application in the
   STIR eco-system, focusing on verifiable control over telephone number
   or service provider code resources.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-stir-certificate-transparency-02"/>
   
</reference>



    </references>

</references>


<?line 366?>

<section numbered="false" anchor="acknowledgments"><name>Acknowledgments</name>

<t>TODO acknowledge.</t>

</section>


  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA9U92XbbSHbv/IqKfM6MlEPQlmx3y/IsTUtyN9PWMiKd7k5O
HkCiSCIGAQ4KkMyRnW/Jt+TLcpdaAZCSu30mGT9YFIiqunXr7kspiqLekydP
ek/E5FIMq6pMp3Ulxaksq3SezmL4fP6xkrlKi1zMi1KMJ6Obp+Mfhj+eX/pv
KZqlSqtMnoi9x88VzLHXi6fTUt4+aoa9Hv6+KMrNiVBV0uslxSyPV7B8Usbz
KrqTeVJFqkrLaAbjoyqPYpgxkh+r6Nmznqqnq1ThRNVmDYNG55O3QjwRcaYK
WD/NE7mGGWRe7fXFnkzSqijTOMNfRsM38APg3xvdTN7u9fJ6NZXlSS8BeE56
syJXAGGtTkRV1rIHu3nei0sZw6zD9TrDbcCqSsR5Im5knEWTdCX3endF+WFR
FvUa3hvLWV1KMZGZXC+LXIoRApJWGxhwm6q0ksle74PcwJjkpBcJ3CX8mPnn
EYkEhi8QZ43nVS5ig1t6rxB5UcGG0kWawzu9W5nXsBMhvggeIRiTez/BTtJ8
Ib7H0fh8FacZPEcov0tlNR8U5QKfx+VsCc+XVbVWJ0+f4mv4KL2VA/PaU3zw
dFoWd0o+xQme4sBFWi3rKQyNEaEymaaVevrgsePIDHFQeYvyVINZsXr6hZP1
4rpaFnDuIoKJhZjXWcYEeLosUyV+wsH0DewjztO/0bmfiHGxKpQY5bMBfSkZ
OzMc850HAoLUnvqmmIrfPfn47PDl8HWW3sWPnr8spv+pcMR3C3xAs/d6eVGu
YNgtnfbN29Pnr46/0R9fHh0/Mx9fHR7pj8dHRy/cx5fuoxl2fHxoPx7ap6+e
fWMme/XiWxr28+Dls1cnBKIRG6N8zvCAfKjkbJkXWbHYiEhcASuK8UZVcoU7
q2QJXJbLGb0ZiclSirO0hN9JGlzXU+CyCPiDeMzSus8HYl4CPpHn1B7BYA+T
/kWI0xNeKieA4ozIH9C2qnPNw+J9Dv/TEOJ9cQUQgCgQR88Ov+GdxeVCArkZ
aru7uxukVT1I8+opwPt0Et2cn0aECnpfyTKVKgU8GEhGk/fRBM6dVgaK4oVp
RF+MxldPR+en4tXLVy+iY0LqN3xq3Uid+EgdTlVVxrMKEJtX8UdxWVT81hUw
+P5wfDk4PABqWssZ4wy/KuZiGqt0hgKDnnxF5A3rRa0qxN3LL8Id7PgLcQcj
HO6Oj49eRIcad4d66FdCnj8c+A8IVCgfn4y934q+Lfj7AgQe8oAvweBhA4NH
GoNHX5X6TkFRwmsAcRfi/o/J7uiLye6ogbTnGmnPvyrSrmOUbYAFrRKQa+m7
EIdfU/D9eiQ+/2IkPm8g8UWvlxqEWUX26vj4GD+OojOyJZwS1wogAkTmag2G
WT7bnPR6URSJWKO3N1mC/gZ7soaVLeVJMNlA7uXRrEwrmCNjKSxunweKRVoT
t1rGlQBFdSs3OFTJCk9CyWwexQp2DFaTZ4iBuaZg5ilaThUotMoaW2xfKpGS
0QWAJCLN6R1v3d8rsOCHcJbvUlUNSCV6c8M2Yf4ZmFcweLqhwcsiS0BXAUiN
qQAPRV0JsEFEcZd3AIJatZR/rUHlAkJgR4BGGkekhGZhVXyQeV9M5SyulcQF
NmZ/Ei3nmeFrUeQZglOocPoFnE6Fk/tzwjcbUcBkpYAVqw1v0yE8kfM0x93m
5uE08zS9uANbD78cDS+HsIEFYKrcIAKciYAmLEOgpEwUn6F9lSaYF3XJ753A
qV4Px+N1UU7EdRbPJNHLWJa36QwY8vp6fCDe34z68F5SRKAzI2tkwxEmmpu6
vo5WUql4gcQQvIj2jKEkjZq/wZGacfj+uixugVRKNQDuyTb0CLCF9KvPAv4n
KmSKMO6IEusC7KaNUOkCuF71wX+RPGXA/Bop2muAk0Tew9OBmVc4zQygTFEu
KPLyplkxQ3+AT2sF8gyMVbUSwGLTePbhLi4TXGANk+NxEY7lR0A4rozuZuC/
DIhTV2mSZLIHbitIqrJIajIFez1cgYbsP8JlOfBIQyMN+XQlQTAgfmflZl0V
QInrJbI70CmzLcLlyLK4BXLsZlhAN7FqHCKwD1/gHIZ0EGNlqdl6PLom3gIv
hc6EaZq+ur/XBvjnz0QI5veXnz/36dDgNcKejy8thWABAN8TER7bmHm++fx5
IIb+6D4sO8vqhHbc6U/yYDTvEQjgI4Kb1kT5oWXMEjYylWDD38YZUUaCW/Po
F+lki9DLaSJPtvEpO+ml6tkSUewBlSIIspQwreQDAOQDToHC4eRJNhfglX6Q
Ag4PBsVIeAp0KTGw0gKQpZICEmnDNRBvnGwLhWcGXJNsBCACpk3Vks7AAAxi
Glh1WSEAZrSesu9D4AlohNOAtCzumsISdoh0RgEJfukOyHXpxABMsHHOfZOX
52WxIs7t01RVCXocOKJabnxNha+e7BLjwQ5Ra/wqYe5rXSvMd2pXYhzFNLBN
swJiCyPIQ3kIkgrs8spsgGEO9xHKSMJvbF4kaQwe+8aKvlCCMqmqliZGuWlQ
QUaL0ecYOJJI0zJH2iGuU1qbMLrnEjZMz2fxOp6mWarV4EYfnzFqqhByreWb
OwR7DF5FrvdRs2FsMWYUbw5RBZZbsciBYR+vENxS1vzgNfvE8/JjvFoD7+F2
soznWdclSEXkgcIjW6JTi3mPPZaxN3cuURrbUYqmVaw3SZsxpTTAf0hnASmC
BYrYAflV0wHFuW80WFkDE0tlYA1ROpV0bihpYGOlhMESTx4w8UFutFnWEDNa
4YPBX6AY7KIn+XFdgqmw43TRfAEdi6sD9QIF5569gJFYLQEAeEAeANISdhp/
hsgkYoGEOGobTbqkdUl6OK064Kep0byp82v6VucB8p0i9FRaoNFaZgBBxLa1
Vh+GlEjcoxa1Cn8J8hjQAoZzlgRKtCiZCq2t1WeNywLO6VwMWaF6Y7WiDQQ4
Lha0muDjfCaZ6FH3MeZhAKtEDaPF/22BLI17cHaeppom9pkE1axYS83FIQE4
4psXWVbcMYz2fT6BCmVjX4A0WBL3IPmC+CU5OKuBd3wxw0IEWPDEEz+0rTgp
1sCYfNaF3lubmNqb0Culazo7IplUeeYXYiLNAbaUdV+wxT4gWhLgKaHUUA5Z
XqkXDSQBUFFQD/cBr5J+uUthOlCHaxgFjukGxV2wraQAoFB2oUZmhPHvjtLh
0Gh9YEGj+GWMdocVAoZslHFpGgqx240i1UiLLcnxI7WIL8lMgfnV0JngVCFo
2vdK6HXSdwiZ1p9sONfO8AhcTDYmkWQc37sVUMCXifMvPXPRkBDTPCzkmXJ4
KqomBmDXEEUSmTHGZEyYIDUtb/OAUbhYsZAV+UKB6NCUZ2GcogYucRZguUob
5tYFpU2lRLmh+L14P56Iy6sJEwwAWBEH+Ofn4SZWbGmw1AQJUSTpfGNc89Dt
dqzZJHoLNAnuLuOmCvxXEvaB7/qQp9oPXFX5j+upvq0rdNfCABVZrrwlxGaS
pDogxV46EcZKykrbTr61KjBIA+LERgUsTRNKMa6IK/M6cDyXBcXvcyNjWyGB
gDyM2YkvAtZoiw/i1xA/P2r5dceH4H+R4AGhSNpWnKJN1DHbqZ7NpyjQAShT
QCKAkIwZtMdBBAITSLdc4R7hZNknIa+HknEVCNa6BKSXRaYZGMYSlAgt+bgo
h0CloalSFvkGrEVQRSnRNBGiS+Dio2uMsSEQY+Pv8JYQbOMyez4pq3rPB9BG
9lpPw7TmhZosjte4bRPNKW+lb2mQxmEpn6UrDAeQ8rYsTIYjEMaTJxhFYTpZ
pmt86Yp0UZAYUdsYfJv3ApIzFmwNDcSI1BooELZ4YAmMh6CXR9jDLU3LgowY
0k4gpRUlwzBuGaDKlyudvr52g1DMq4bwJ3XK4r1lZMQkE1li913wgf1+u2pn
wtkPQLCr7qRiFNC+D/xVDSJmHr3Bpfavrt4c+MQojT26i8LBJpjJdWU1VkUk
qx7FWEziyNlb9MO6SHP2UHT0QZOc3RLGn2lLxiiwr0RG6gnYFrywzooNQQE6
RmZ2Z3D8oALIvyOHEBRKQtpobcE2ZO6Z1RRB6giZAVCPi4R7x9CozhAT7zWR
FQtlUIvEgSzjQnvONvYJgWiAdWiqPJpEKY/xhCkxaQJMd8PeEQidLot3q7tE
Fl/NUXZSyhxW8vhyIC4MkOzooblE85JzBrj/ay0ZyA416NDctTjxiA7+8LEa
XrEC1a2mtT2t5hDHjAYuHRuzKAiIb3aYcSA9YCog51msNHW3I2GNaIMCu2DW
oenIu3XeXghuFm9kadMZGBN4jYYHUBY/Q/Pv82eUmKhdb9H3MlUuZwhvauWk
xBMUdySC9tAuw6IaY5/h55vzv7wf3Zyf4efxD8N37+yHnn5j/MPV+3dn7pMb
eXp1cXF+ecaD0d4LHvX2Loa/7PEO966uJ6Ory+G7PeuQWPFNsZQCqdKai+Sq
9gLn8M3p9f/89+ELQME/AcsfHR6+AvbhX44Pv0UPExwXbQuRU8C/oiPdi9dr
GZfkrdLhreFwKFIBBuUS/QU63F7vn/8dMfMfJ+IP09n68MWf9APccPDQ4Cx4
SDhrP2kNZiR2POpYxmIzeN7AdAjv8Jfgd4N37+Ef/pwBRYvo8PjPf+ohCSGV
pEm0BumUDx3ld9eS3T+xwuSzVsROuqSUD+JU3f09/YSD2Za066NROk8zLybN
uVCwMq9/HCHjk3zH6hgMl7Pq9rOCfQoJwie039kVLAR4EpGORvgikUnDsDPW
JpWWFpUubyETgNO3CP43uK7+dGg/HdlPz+ETpxdIP/44+lkPBvVSZ5IigbyD
V4dHxK9hDi3VYaNEYwBtKgDJ2wDqhUCuN221bjPANxjuKITtGSjWQVDWBeiK
uY9cxBefk2NWsoUeBnzZN2/6BDrx6R+8DiL6AX+3WkMq9H9zXpbkClnq1nvf
HXmD4xn6431Uo9pUWAcwM14wCGKOZbdUU96eW4A6X8DJ56hqAWXGCLo25skp
2CNif3x9euBewhwDGqdTE+/BgqCiWrYSzoHTFRrGOn2wM8pIQXXDPF1YNyC1
IxWveQrK7uQmPkL6ls4Y9mPGahcqoH0/beRxQUDJu6i3m2gxRg2wyPkcS4A4
I+gRYWtCfZA6lOSBbPzqNeU80R+wYlqn6iQFyfKOrBg7M5QhRbYYWsRclzA0
XWM+9fwW7RGvYs4lJqu2WN3CXw8VFmxN9O0uaRj6IXcbsjN1CBjRbJYfaB/P
z2mhNCUTMZco6kHUwB421ntMKz+O5yW4fmVUz8HU9xI2xEc2AtnOhLFMBogx
uFpXmFTA/cEpFSVWOZLgi0HHpEWtWoEPeFOTB3uVAEximdVblWw/m9DuSt41
cA4zU1D049oYiHZQsM3cpIH8EBhmMGIkojLhXfLx6LeJW2OXALWZtlJqY9Uj
LHv2yCZlkQ3ETxy084ElKQuuCvn/HnL7RuY+FJPqngt4EQsj2IvWTzUvWNg1
4QcYjWfojFKIVIcvdAKDojYm/FvkOoqnZ9aoet35NER7ijkp+AlLphjpUEWG
hK3joQzEDHQMqiqTmgS414b3jadAUkSFETRrCQXRyCCClcZ5TOUDeSNyBi4O
UCpVT+E0erSmR2QpABy4TsETRW9hJHvopzcA1XdFnZk0srdnypLKIBfKKopj
4nPQjCZna+iIHEQdVvaOSFOSyWEyzBsdWMJINAttkisRB7S9QhaQEeD1abbV
shvobVHHCLE0KQEkLQAZTvBEyIagpTIHcYdVESYwrqWpi7OHcvUxEnQgzsMk
BZ2IcfANWZhIOhD2Amgn5xO1gyIKgILBYYs02gFRzt94IWhJWeognMvjub4q
SYy9y1qJTdQLMlF1cWOXYeoMrSkejqmptc9LsX81OsNAog6laZjIDCZ3AsNI
rdirM+aVzvBq7Qbuec6O8i5zs4VlY6OSzK7kQvK+TbzkAzrQ8EXhmGqPgjZB
08sEMbXn2G3fMNmBMQIYVDYeFBeEpu5cNPkEDMcnCAyF4Jh4NAssOhen4adY
iBpmJ1Zx+cH4J9KWM8Nw5JA7sZblCinKMwLtvMhTTYuQ/RHtZdusT56QKKtz
W2sAD9SHFLzlhPJ2AUVx9s6GWnN5xxRuaFBRep08qNSeLaNKIzFJ8B2jDt2m
XrsStBTTyijYO4odXEUE5d/N+lSUk8dk7lFA67/8f73JZTScTG5Gb95PzsfR
+c+Ty54Q94D9Yv/wwKPyyG/s2H9+AKsm+98ccEwCPFJ4W1fPzmqUiPsvD7xY
Ev62/pB+3P8W54wA3/vP+H3+zXSz8GHtT96cPTsQ4D+fnb8dXY7QRR+L85+v
341ORxMxGX4/Ficnf+y9Of9+dNnrjS6ur24mY5gOwD+/HMPb8PntzdUFMVt0
WqxWRU40HB09A9dbRBHW5Qp0OwmI37DfL9+x3TN+zbBFz472X35LOxYsG/wN
HJ5/RCc+rf7fQX8YSQMa7gBA+CxeY/1yID62hEp6PWx/A6vavWfPD49X3MOC
418uJ8Ofhf8WVlKfnV9ORm9H52fizS9dsRlAZMfTqzf/cn46caNveBktjYHo
DnEgQN/RKzHLQJCLacpp2MC8Y1ZGZsOxlPVSlu11kRHKXacaegHbERSn74bj
MW35d2lCReeXk/PvAcT3l6O/vD/v4xdIwr3P4qfR5AeDmHsx+eX6nL9qoAXn
4e2EyovAPdmpRRA+D28I3/gcoLg8PRfj0b+di/3DweBi+POBuHrrn00wLhx2
r3vyYGf+3gd6t/v33khiVdAtMIRx2xhCm+0acv8dLvH5QO97rDO+W9KnzXgA
lvMa8kRb7jaN26Ym279a/2g9Q8dOU3unPjV+VJhHHgQ4IrBFixgIWUS50Xqt
3t+MlAj+fXLfJ8VlUV3ZxMAD31/Y/HjwkvM/zJvg7yH6B4MB4rIBSxNe0hhE
h9fXY3ojpERkq25wt890Fr4YTni0bUK3v8fO7EaESzx3S3RiZ8cCw873w+lf
aBL9V88M0G5JtXQJPqKqXs+gdTcjjoYvxxXauqA3Q+zhuMv37941v3Cbd290
Q797ZfBEez0MDeFrHhjnl2cNc0MXN0y4QhAs85kxvtAEAoNZ28tceUxslqBk
5iyIXK2LkqqmiCfv0izDlEVBioUylRKL39Dx5fyRSGoy/lFfrqkVk7iQDf1T
HSUH7dc08CmtMZUGgDCmzrVtHQU43gTgX4GDR7HvMgx1k33vyoCbtUFhEZiz
6dKKoilgBsKejR/W9rFCn7drAVdghmVkqiIztyi17U4iWtci6HJ3Va+xAA/r
pmRFhYdwPqA1EsqvNZwEcf+k6awBGTzg+Pm2MLtvuKzxBLdUBNt9aPhgo+wx
8hYIRKVr0TDap4z7FOhuvVV8ZqJWO+u1KI7EAPfRkYd5ZpTHLLQ2gDO/lVzK
GbfOQq+mS9IYMn+SbeVxrrZ9KpfxbYrlmyaHZ2cDDqTg3JY5kIH41ZmMcLSu
oeesbl64emJ4nJYcKcKiUAyH8SMX2FPoiGxQx3EpsYah0+0f8TM/86Mjwj5+
ljoUFtACSqS+K22lbK+JT03lptChPzvL75XdImUrPILQwWmd6sRirQIjmhQy
y0PvEkDGGioaZo7NoBJTorB6JiMCNNETKm1HYTErztnvpiEu+26Hlh0a0IfF
wMtqmi5qjKgGbjIzB5G25zuTMNNFIkrs04tg35NIe0QIAVijyHBtGk5CClvv
UUhR6gpepxOgAp/3JrHPlxbsCTVbgkOKZR0jY96qxxT4GU23Nd0k9r1K6r67
JAGMkIF+OgBPZu/AhA/98hgqwcfsCFK+K7R6eFFd/0G6Qi05CmAL5BNT0TF1
LU9ULsScjDU6rIuUX/r1WscywSycx1iWSmcFjlOBuCR6gP9ooI4tkVTTjZ46
eBIUBBBXgiRP5yiOprK6w34mV75DIlN7JZ7YQX4zZ/3DZKKriogwOePQ0kVF
QGyY9wHVe63zPUpcDH+xmZ5VnVUUuyUqwjSzbgYAPIOmibFQB7CP20SFi/Ua
mc4qx6uCdemKCXWFtdwUW6S3dZC6fcwYITK9KX41uSdRT1Bv6gKpjt25WinM
jLm4b0cNpwtOB/kZTWhGGpdBcsBQkWqQoAl2Plh83cjEAJufFdhoLZxpx+x+
dNCFnUDcU2bCaos+l2bi7nQUaTdfNO9l0TWJ2KKHNSO0cx21x/BhZFsNlFRB
Yx9Worh2NM5otmv0sdnPXnrDEshW3ZuIJvctwHDMkRRiJZM0frB7KEARr+23
t1SIIiW5WBI3phuA9JE0WoBobjMcFRhmXkokZm668hCLc6HllGXgIVbpijKQ
sKBWS6wYuFo2dg1AQf8P5m0K7p0BUALWwGZ8I9rDMqoO+8ZBpdPXZEk1T5Yt
dQIguEOHbBFbrnzSRCltxGKPUUL6UmBoKZeZ7gDKUDQAtPrUxkvKqjBA0TTG
yls+VpyH1T2lHn3S0Rkqj3a44YJrI+401HRvEMnLOxjGBa28A0tU8MxrVdCE
RSfMMPhNJdUS5ltwQQfX+Wcb3+23qGg2lbVq1XlurzPOdwq0BJkRWnQtuzXo
/XMLudLhzBWvYDlGq6HRDNXWHdrThAGSyK99ewgjIV15ti3160SlKzDzSA3q
zP+cK+rZMp9TdBxRVaZKqi1yzbmmLOGe/90lHPcSyG3+x6+SKXrOryVWzHT/
IJLFYrTrKN1+uMu/pmJHwLdZulUE64YbJcj1brY3hupcAxJxXqVJs3hLsoBy
jQjkMQFvAmYzdO4iI8J0S+1JGyRrEHRiokOD6qq77X0s4Yxp1TWTT6m2KTWu
/N7TXKYk6ozypEIpTne62gM/4MMoffF4N4KrEchj0IHuDTcH2xpzi5OHksd+
DZPPHfoGLUlVSV2d40HJ3BdwbYfyD66YabWlmlo2Y+VgCthtlEMpGA9zkRQ2
KSvL0A1O9lUMdrLkXknIV+RmPEtXVcLdPbprPFRz2DyjO3k11TduDjBnpaMv
rxs+iqVSX7H6PNRR8lKUtqZM2wzkDdM1dEQJSLRauQXtqp3yZFcVTLsCpsMs
5xJPWxUTlg/hdFlKZ2/xiYGjxjNcSzdOYH8GHLr1QY1geFyNjEHMg42ERtx5
tbtELZTU97ZAJToC6CUZiHfpB4mNqVuiFs1ORabsvKn5gj7Fdoyjq0LN678J
FU14mCt2lfOQRK2bx2bolib8wqO0yFEa8yLXPQWSRAcAAs7ON463YfJ5XHLh
VpPkqM2nzKUpv2lrrN2y3m+lRzlaoXGGhYFIBhhUYsLTwTnNSX1360vnTj0Y
TXFau51EOatpt5XkxuTGzgwNempk7YaDlMhr7Sbvat0ModmEixpl94Xr6jDw
AxgSruZ2gTgwtZY+3RW5E4lU+ZcVyqiAFmZZzlOk/NqlBG4wJYABSuJK1MCS
2odpfhMn8z1m0hNI380uPtvHFLsIoNuN1ho6DoHRK2xko+jVlwTFUDe4blTj
jSQcx8oTjq9QwLVD4yI7stZFXdMNfFjP63rsdQe/LqAKdTJqvI0JzYGK404s
Cuq0owkmYdJuSoKjTHM9DGtzYQ7v+ghQEUtciEnC7K7Iw37tgfghvuU+rRw7
mtj10HqLONnlUDx56atp9uy8OLYzVLsr4HYlD/otOmw/ifyLJlC1dHIGX8QT
3iTTzo8ExknTdgqTNd6NLLHNGnTuYpeJA55yzWUZTQtHC972JSnV9lQL3WIA
BEK2iE2rNDcZ3s+zChw9P1qVbWy1eYAHTpTYWxz4/GyjXLvFNWjBjavZsq+9
aarlq/NOptAM0xJDGkzKGzWVW2hsGkXX1+1/8azSteYMK2zf9uWGZcWNVj8v
0eViNQG0OjWEtrJrGAyR7l374+PHMb6xNVz1rAfFjrtsSFq7slm/ENe73iQo
DgERftbsmQz6UO+feN2HfuMoqX1/6Jd1klJP685WUuZgeC2Tc+KJrsoT9nEK
pNWagjmmad0UCz/Qqmnvddvdstl2vLYL3xbb4J1iuvbY6AyOipE0xrrnoPFC
287OPfPm9jMC9MIdCCK6kskdeyKzlJUeX2jU7Co23IC0UuR07TrsqqO32J4u
WhMsKaiBuEm4tqC6O+xNtz8FNwtRWF3Vpnt3XazrzCT+m9d2eRdWd14wBjRQ
ZxXp6YAa3X60IGcyZmbQUsZDbFUsWDvbCwHsbBQZ9O5V2lbkgBii2+42rZtr
6OpsvN5wgYzfSpYGx8pUEUBQlMbI3QJ9avUQXdfU7xA6TJPKyKyOzmNjMlFl
n/Gn+IHd/daQq7sHCDQ8qbZ4y3mQzHmXzuVsMwNvOAy0MtN6tAV2a0Yqcdm6
6cwIAN3vlK7aVwUiyzGlBdcJboKLcNrp/T7ZwotWTaRuheI52T7FiuRgpOnc
oRkkeTvK9KV10C+p5nheaWenMR3ZmXixUswtESZO3zpBv1cCO0q9Dg8xq0tm
fucGmIus/KUyOBJEIuUtyipCIZKEjMtXa9nEL10f4O60oNhEJv3Tge2uSNUx
VFaie43MTu6DuaIshRFyHObrtZa1hYuBur4NeznSOq6WtuXT5w99t5JjXR9I
3SI1JR204NrWYguXEPWOdXnxQ8TbKlVpXPjY3c/3Kzr3JuQ/s+Qo6YJQZHO8
dgbzrnyxZIOubjn/FF4Z6t8z5SKWoTmiD8yLSjqi71SRXTVl7KBoDwQVdqcD
0tS5FLgJy8Qe4ei87tTo9p7IUF1r4cpd1qiIdWzCCcUuvfyoS8t+e7Pjtiy6
zQ167YxcE7alo9ElN/7+DYzuns0dvYtkRbvL8/qPigRRnJI7CHWS9vGx0teU
hHdx0WZk0dj0Ni76QOyS3cYwbokFMdTNrLpjlngbXflQxLFlXfG9b73eRaos
86bW7QBTnX3RNKnxiqlUfThpBCyCe15bFrzp5w1ikU54oHKSZbbxpIixI3TU
uE3T3GyoLyxqSEQCRunEOQtlzdjsWxqZYuxB7F1oho90s0KHHDVoUWsU3O7y
H1JpWqefDp0O9+/E4lsrtCazrc/bfSxXecd6YXtJpERC0pZhugJ0ghr0+je3
Ou72ilNy3Xf4hY9w5Pn6Re3I8/1ydNXhrFb2wrDgGpruTJQWALAHCoiQb++i
WbRH5C5AZqXrpOz1yIFxbCMBWMOLWeJs46pvyK+mu9dTonYSHlvMIW6JNQB4
N2DSzXb6LRQIt/i3kTRFcLOlEfhM4miQvA4uQWsY4Axwn0NFMGaVIuK6bvjB
iud6zYVkBXscyFlBLKC2uCSbhDAEhHTtyr07/e3UUgXfjqLLtWYZuX6LpkHH
1//dSkCNf0+WrGK6Pi28jfn3eHlcvJD2Vod1oerS5AgUcjsM3n27vHXPddZA
mlRipRvq16BzY7BVUVCZalj0cf3LGwgKdw04dgPzTXKdpRv3T6irk+9meLiB
C8v1ez2aSF8EykTHN4FirquzLdYIvXCF7jJ6bc7tjS9GzpTECaiLtvtvsdlq
FSpYPSOrYs1ZonZPGLxxY3rZT8R+EFU5IERs6YaFYbzKFgzMUKtJ7fYYiPrb
m2v7fBMzhoSda6mbdT3sqaYv9hgsbm944tJ8Kuw0N/ER1ib019N8OPy+ZjoS
BGxPX2RMd056bU0HWA98SX8kLEYVVXYSQNgRgEO4G4Z7rnl5rhonJHTHmwbh
CVZL3VrQavm2usXrQdaBbUBJ+KelbsyltpyDOTyyNb4clSXljVejwcbY0uZg
hg12WEJAwHfWldqbDU4au3vQHN5ibnbcZfPbrgDp2zYA1XWJzWPvxRh6BfV/
xzsUNBj+LQqp0p3e4OLznyuIbaWaU4c2gmFsaRPGJ0HbvG8mpK4NX12VYuqe
ouo2VOZ6h9wtOlm2lUOBGT8RM4pPxE/ww+cR+NXSvvjU+xTRv/CH+ef/Cq+K
Qxi8Xquoxr8P+Ml27n1qCkGcVxzB81ZS4VOzSa977POOsV62tznLhfdN13Qv
4PkW9+bTlta7rol6hFVODz1j6W2vfMS/6oJ/Dob6m2Yf8uIuk8mCKut79yfM
VjL54948zpTcw2vers6uwFEyb4JQ+l8U1DCTzHQAAA==

-->

</rfc>

