<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.34 (Ruby 4.0.2) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-wendt-stir-vesper-use-cases-04" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="VESPER Use Cases">Verifiable STI Presentation and Evidence for RTU (VESPER) Use Cases and Requirements</title>

    <author fullname="Chris Wendt">
      <organization>Somos, Inc.</organization>
      <address>
        <postal>
          <country>US</country>
        </postal>
        <email>chris@appliedbits.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    <area>Applications and Real-Time</area>
    <workgroup>Secure Telephone Identity Revisited</workgroup>
    <keyword>telephone number</keyword> <keyword>right-to-use</keyword>

    <abstract>


<?line 57?>

<t>This document describes use cases and requirements that motivate VESPER (Verifiable STI Presentation and Evidence for RTU), work within the Secure Telephone Identity Revisited (STIR) framework. STIR establishes that a signing credential is authorized for a telephone number, but not what entity holds that authority, what verifiable information that entity declares about its numbers, or how a relying party obtains and verifies this across the channels where a number appears. This document presents a set of use cases that illustrate the resulting trust gaps and states the requirements a solution should satisfy. It motivates the mechanisms defined in the VESPER framework and its companion specifications rather than defining them.</t>



    </abstract>



  </front>

  <middle>


<?line 61?>

<section anchor="introduction"><name>Introduction</name>

<t>The Secure Telephone Identity Revisited (STIR) framework (<xref target="RFC8224"/>, <xref target="RFC8225"/>, <xref target="RFC8226"/>, and <xref target="RFC9060"/>) enables cryptographic signing of calls using credentials constrained by TNAuthList <xref target="RFC8226"/>, grounded in explicit Right-to-Use (RTU) validation by recognized numbering authorities or responsible providers. STIR verifies that a signing credential is authorized for a specific telephone number, but does not on its own establish what entity holds that right-to-use, what verifiable information that entity declares about its numbers, or how a relying party obtains and verifies this across the channels where a number appears.</t>

<t>Closing these gaps is the aim of VESPER, the work this document motivates. What is needed is verifiable evidence that the right-to-use for a number is held by an accountable entity, established by an authorized issuer and carried in a delegate certificate that serves as an extensible credential. Alongside the right-to-use, such a credential can convey verifiable information the holder declares about its numbers: the providers authorized to originate, whether the numbers originate calls or messages, rich call data, and a binding to a domain the holder controls. This credential should be presentable and verifiable wherever telephone numbers appear, in band or out of band, and its issuance recorded in public transparency logs for independent auditability.</t>

<t>One component of this framework, and the newest, addresses the entity side of the trust equation: identifying the entity behind a number by associating it with a second identifier the same entity controls, a domain. The telephone number and the domain are the two identifier systems on which global digital communications rest, the one allocated under the ITU-T E.164 numbering plan <xref target="E.164"/> on the public telephone network, the other under the DNS on the public internet, and both are obtained and governed through responsible providers under the law of the relevant jurisdiction. Binding a number's right-to-use to demonstrated control of a domain would associate the same entity across both networks, reusing the domain trust that the Web PKI and TLS already establish rather than creating a new mechanism to secure the web or email. This would enable cross-validation, a number listed on a website or in an email checked against its associated domain and the reverse, and it would be a signal stronger than either anchor alone, because forging it would require compromising two independent chains.</t>

<t>Because each of these resources is provider-governed and jurisdiction-bound, the association also creates accountability: activity that departs from established practice, as judged by provider policy or local law, could be answered by revoking either the number authority or the domain, and anchoring an entity's channels to one verifiable identity would help curb cross-channel impersonation across voice, messaging, email, and the web. This entity association is one important, and new, part of VESPER's larger goal; the broader purpose is the verifiable presentation of telephone number trust, and of the information a holder declares about its numbers, wherever those numbers are used.</t>

<t>This document motivates these capabilities through a set of use cases and states the requirements they should satisfy; the mechanisms that provide them are defined in the VESPER framework and its companion specifications.</t>

</section>
<section anchor="conventions"><name>Conventions</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

<?line -18?>

</section>
<section anchor="design-principles"><name>Design Principles</name>

<t>STIR has developed a substantial set of tools over its lifetime: PASSporTs <xref target="RFC8225"/>, certificates and the TNAuthList <xref target="RFC8226"/>, delegate certificates <xref target="RFC9060"/>, authority tokens <xref target="RFC9447"/> <xref target="RFC9448"/>, rich call data <xref target="RFC9795"/>, out-of-band delivery <xref target="RFC8816"/>, and certificate transparency <xref target="I-D.ietf-stir-certificate-transparency"/>, among others. VESPER does not redefine any of these. It is a profile framework that composes existing STIR tools for a specific purpose: telephone-number-scoped trust in a right-to-use and the associated information a number holder declares, carried in a delegate certificate issued through authoritative chains so that it can be trusted by all participants in the STIR ecosystem.</t>

<t>VESPER's core mechanism is a telephone-number-scoped delegate certificate. The certificate carries a verifiable right-to-use for specific telephone numbers, chained to an authorized issuer, a numbering authority or responsible provider accountable for the assignment of those numbers. That chain is what makes the right-to-use trustworthy: a relying party relies on the certificate not because of who presents it, but because it descends from an issuer with authority over the numbers. It is that issuer that establishes the association between a number and the entity assigned to it, at issuance and under the law of its jurisdiction; the relying party validates the chain rather than re-adjudicating who the entity is.</t>

<t>A telephone-number-scoped certificate is also an extensible vehicle for verifiable statements about the numbers it authorizes and the entity that holds them. Beyond the right-to-use itself, these can include rich call data such as a calling name or brand, declarations of how a number is used such as whether it originates calls or messages <xref target="RFC9475"/>, the providers a holder authorizes to originate on its behalf, and a binding to a domain the holder controls. Each is a self-contained, verifiable statement scoped to the certificate's numbers, and a relying party applies whichever it supports.</t>

<t>The domain binding is distinctive among these because it reaches the trust in the telephone number into the trust systems of the internet. A domain is the other identifier on which global digital communications rest, carrying the established trust that already anchors the web and email. Binding a telephone number authority to a domain the same entity controls associates that entity across both networks, a signal stronger than either alone, because forging it would require compromising two independent chains, and it lets misuse be answered by revoking either the telephone number authority or the domain, each independently administered and revocable.</t>

<t>None of this makes the network an identity system for people or businesses. The association between a number and a real-world entity is established by its issuer at assignment, and for a domain by the certificate authority at validation, each under its own practices and the law of its jurisdiction. A telephone number and a domain are globally consistent network facts, verifiable the same way everywhere, whereas legal identity, liability, and know-your-customer obligations are defined and adjudicated jurisdiction by jurisdiction; resolving them is genuinely hard and is not the network's role. A relying party validates cryptographic chains and self-asserted attributes mechanically and objectively. The role of this work is to provide the objective substrate that local policy and law can rely on and govern, accommodating and supporting those regimes rather than dictating them, and on which real-world identity, where it is needed, operates separately.</t>

</section>
<section anchor="use-cases"><name>Use Cases</name>

<t>The following scenarios illustrate the trust gaps that VESPER is designed to address. Each describes a real-world situation where the absence of verifiable telephone number authority creates meaningful risk, and what becomes possible when that authority can be cryptographically established. These scenarios span both business-to-consumer (B2C) and business-to-business (B2B) contexts, reflecting the range of trust relationships in which telephone number authority matters.</t>

<section anchor="trusted-caller-id-and-verified-messaging"><name>Trusted Caller ID and Verified Messaging</name>

<t>Consumers receive fraudulent calls and messages that spoof trusted telephone numbers, often accompanied by coordinated web or messaging interactions to reinforce the deception. Because there is no standard mechanism for a relying party to verify that the entity presenting a number is the same entity it was assigned to, attackers can credibly simulate legitimate communications across channels.</t>

<t>What is needed is a way for the RTU holder to cryptographically bind their numbers to credentials that can be validated across SIP signaling, messaging, and web-based contexts, so that relying parties can verify both telephone number authority and, where present, the associated domain-controlled context before applying local trust decisions.</t>

</section>
<section anchor="preventing-impersonation-and-business-communication-fraud"><name>Preventing Impersonation and Business Communication Fraud</name>

<t>Fraudsters impersonate businesses by spoofing well-known telephone numbers and directing targets to fraudulent websites or callback numbers. Because recipients rely on number recognition as a proxy for legitimacy, this attack is effective across voice, messaging, and web channels simultaneously.</t>

<t>This calls for a way for enterprises to maintain a consistent cryptographic binding between their assigned numbers and their domain-controlled identity, grounded in RTU validation, so that communications referencing those numbers can be verified as authorized by the same accountable entity across any channel.</t>

</section>
<section anchor="preventing-financial-fraud-through-caller-impersonation"><name>Preventing Financial Fraud Through Caller Impersonation</name>

<t>Financial institutions are frequent targets of impersonation: adversaries spoof bank telephone numbers and reinforce the deception through fraudulent web portals or follow-up messages. Customers who recognize the number often extend that trust to the broader interaction even when the surrounding context is malicious.</t>

<t>A solution should let financial institutions cryptographically assert their authorized use of specific telephone numbers and bind those numbers to their domain-controlled context, so that relying applications can validate this authorization before presenting trust indicators or proceeding with sensitive interactions.</t>

</section>
<section anchor="self-declared-signals-about-a-numbers-intended-use"><name>Self-Declared Signals About a Number's Intended Use</name>

<t>The entity that holds the right-to-use for a telephone number is uniquely positioned to state how that number is, and is not, intended to be used, and a relying party that can verify those statements gains a strong basis for recognizing illegitimate communications. STIR authenticates that a communication was signed by a credentialed provider, but it does not convey the number holder's own intent about the number's use, so a technically valid signature on a communication the holder would never originate is indistinguishable from a legitimate one.</t>

<t>What is needed is a way for the RTU holder to make such statements as verifiable evidence bound to the same credential that establishes its right-to-use. These form a family of self-declared signals about a number's intended use, each a plain, verifiable declaration by the holder about its own network asset.</t>

<t>The holder can declare which originating providers it authorizes to attest communications from its numbers. In enterprise and multi-provider deployments, numbers are frequently originated across many providers and platforms, and an originating provider may sign for a number without the holder's knowledge or consent; a STIR/SHAKEN Attestation "A" claim <xref target="RFC8588"/> is today self-certified with no external validation. A verifiable list of authorized originators lets a relying party distinguish authorized origination from technically valid but unauthorized traffic: a provider in the holder's declaration has verifiable authorization behind its attestation, one that is not does not.</t>

<t>The holder can declare that a number does not originate calls. Many numbers are inbound-only, an inbound customer-service line, or a number that only receives one-time passcodes, and legitimately never place calls. A verifiable declaration to that effect turns any call purporting to originate from such a number into an unambiguous indication of spoofing.</t>

<t>The holder can declare that a number does not originate messages. The same reasoning applies to the messaging channel: a number provisioned only for voice, or only to receive messages, can declare that messages purporting to originate from it are illegitimate. The call and messaging declarations are independent, reflecting that a number may originate on one channel but not the other.</t>

<t>In each case the signal is a mechanical declaration of intent about a network asset, applied by a relying party as a policy signal according to local policy. None of these signals requires resolving who the real-world entity is, which is what makes them objective and widely applicable.</t>

</section>
<section anchor="authenticated-access-and-identity-assurance-for-digital-services"><name>Authenticated Access and Identity Assurance for Digital Services</name>

<t>Digital services increasingly use telephone numbers as account identifiers or recovery mechanisms, yet there is no standard way to verify that a number presented by a domain or application is legitimately associated with the entity operating that service.</t>

<t>What is needed is a way for service operators authorized for a telephone number to present cryptographic proof of that authorization, optionally bound to a domain-controlled origin, so that relying services can validate it before granting elevated access, enabling callbacks, or trusting embedded contact references, reducing abuse by attackers who reference well-known telephone numbers without authorization.</t>

</section>
<section anchor="public-sector-and-emergency-communications-integrity"><name>Public Sector and Emergency Communications Integrity</name>

<t>Public safety communications and official notifications are vulnerable to spoofing, particularly when attackers combine fraudulent calls, messages, and web content to simulate official communications with coordinated credibility.</t>

<t>A solution should let authorized public entities assert cryptographic control over designated telephone numbers and bind those numbers to official domain-controlled contexts, so that receiving networks or applications can validate this authorization before elevating trust treatment in emergency or public safety communications.</t>

</section>
<section anchor="carrier-backed-consumer-identity"><name>Carrier-Backed Consumer Identity</name>

<t>Individual consumers do not directly hold the Right-to-Use for their telephone numbers; that authorization rests with the telephone service provider that assigned the number to them. When a consumer places a call, it is their carrier that backs the legitimacy of that number's use. Today there is no cryptographically verifiable way for the called party to confirm that the originating number is actively backed by a legitimate carrier assignment rather than a spoofed or fraudulently used number.</t>

<t>What is needed is a way for carriers to issue credentials covering the telephone numbers assigned to their consumers, with the carrier's RTU authority forming the trust chain, so that the carrier's domain can serve as the corroborating identity signal, giving the called party verifiable evidence that the number is legitimately assigned and actively backed by a responsible provider. This applies equally in B2C contexts: a business receiving a call from a consumer should be able to validate that the number is carrier-backed and legitimately assigned, and a consumer receiving a call from a business should benefit from the same verification in reverse. Connected identity would extend this further, letting each party's carrier independently assert and verify the other's number authority, establishing mutual trust in the call.</t>

</section>
<section anchor="bidirectional-identity-verification"><name>Bidirectional Identity Verification</name>

<t>In many communication contexts, particularly B2B interactions such as a financial institution calling a business customer or two enterprises coordinating a transaction, a single direction of identity proof is insufficient. The called party has no cryptographic mechanism to verify that the entity calling them is the legitimate holder of the telephone number being presented, and the calling party has no way to confirm the called party is who they expect.</t>

<t>This calls for bidirectional identity verification, as provided by Connected Identity <xref target="RFC9970"/>. Both parties would hold credentials authorized for their respective telephone numbers; the called party could return a signed PASSporT asserting their number authority, and the calling party could validate it. The result would be a mutually authenticated communication transaction in which both parties' telephone number authority is cryptographically verified.</t>

</section>
<section anchor="credential-retrieval-across-communication-channels"><name>Credential Retrieval Across Communication Channels</name>

<t>In many communication environments a relying party cannot rely on the signaling path to carry VESPER credentials inline. This includes PSTN/TDM interconnects where SIP Identity headers are stripped, messaging platforms that have no equivalent header mechanism, web-based interactions where a telephone number is referenced but no call is in progress, and asynchronous contexts where verification happens after the communication event.</t>

<t>This calls for two complementary capabilities. Credentials should be retrievable from a stable, publicly resolvable location under the entity's domain, independently of how the communication arrived. And a portable, signed proof of right-to-use should be conveyable in any channel, presented in a message, embedded in a web interaction, or delivered asynchronously, as verifiable evidence of telephone number authority outside of in-band signaling. Together these would decouple credential verification from any specific transport, making the approach applicable wherever telephone numbers are used.</t>

</section>
<section anchor="platform-and-multi-tenant-number-authorization"><name>Platform and Multi-Tenant Number Authorization</name>

<t>Communication platforms, CPaaS providers, and ISVs commonly control telephone number pools on behalf of multiple tenants, customers, or automated systems. In these deployments the platform holds RTU for the number pool but originates communications through many different downstream parties. Today there is no standard way for a terminating network or relying party to verify that a given tenant's use of a platform number was explicitly authorized by the RTU holder, or to distinguish authorized tenant traffic from misuse by unauthorized parties.</t>

<t>What is needed is a way for the platform RTU holder to declare which originating providers are authorized to place calls from those numbers on the platform's behalf, as part of the same credential that establishes its right-to-use for the pool. Individual tenants would interact with the platform's calling infrastructure without needing to establish independent RTU or certificate relationships, and the platform's credential would serve as the auditable authorization record for the entire number pool, making the authorization chain verifiable end-to-end regardless of how many layers exist between the RTU holder and the originating call.</t>

</section>
</section>
<section anchor="requirements-for-self-declared-number-use-signals"><name>Requirements for Self-Declared Number-Use Signals</name>

<t>The use cases above motivate a standardized, verifiable mechanism allowing the responsible RTU holder to make self-declared statements about the intended use of a given telephone number, including which signing identities it authorizes to originate for the number and whether the number originates calls or messages at all. The following requirements capture the intended properties of such a mechanism:</t>

<t><list style="symbols">
  <t>Verifiable Declaration: It should be possible to verify a statement the RTU holder has made about a number, whether enabling a specific signing identity to originate for it, or declaring that the number does not originate on a given channel.</t>
  <t>Lifecycle Management: It should be possible to update and revoke origination eligibility declarations in a timely manner, consistent with RTU state and certificate lifecycles.</t>
  <t>Transparency and Auditability: Enablement and revocation events should be observable through transparency mechanisms, enabling independent audit without requiring centralized enforcement control.</t>
  <t>Cross-Channel Applicability: The mechanism should support both voice and messaging use cases and should accommodate scenarios where telephone numbers are referenced within domain-controlled contexts.</t>
  <t>Policy Separation: The mechanism defines verifiable authorization inputs but does not prescribe enforcement, blocking, presentation, or regulatory policy decisions, which remain local to relying parties.</t>
  <t>Attestation Grounding: Where the mechanism supports provider-level origination authorization, it should be possible for a relying party to determine whether an originating provider's STIR/SHAKEN attestation is backed by an explicit RTU-holder declaration, providing an objective basis for evaluating attestation claims rather than relying on self-certification. This is particularly important in the common case where the originating provider is different from the responsible provider or organization that assigned the telephone number to the entity.</t>
</list></t>

</section>
<section anchor="roles-and-responsibilities"><name>Roles and Responsibilities</name>

<t>Deploying VESPER builds on existing STIR/SHAKEN operational roles and trust anchors. The following functional roles are relevant to VESPER deployment. Governance, policy, and regulatory considerations remain external to the protocol.</t>

<t>Telephone service providers, responsible organizations, and numbering authorities ground RTU validation in existing number assignment and delegation practices. Within the VESPER framework, these entities issue cryptographic RTU evidence (e.g., Authority Tokens) that enables STI Certification Authorities to issue TNAuthList-constrained delegate certificates, and manage revocation and lifecycle controls for those assertions.</t>

<t>Application-layer communications providers, including CPaaS and UCaaS platforms, integrate cryptographic identity assertions and delegate certificates into their voice, messaging, and API-based services. They provide token management capabilities for their enterprise customers and implement operational controls for token issuance, expiration, delegation, and revocation.</t>

<t>Business and enterprise entities are the RTU holders responsible for issuing and managing delegate credentials for their telephone numbers. They define which originating providers or internal systems are authorized to use those numbers, and are accountable for monitoring and revoking credentials in response to misuse.</t>

<t>Transparency log operators maintain independently operated, publicly accessible logs that record certificate and authorization artifacts in a tamper-evident, append-only manner <xref target="I-D.ietf-stir-certificate-transparency"/>. They issue Signed Certificate Timestamps (SCTs) proving log inclusion and support ecosystem-wide auditability without centralizing control. The effectiveness of this model is well established through the CA/Browser Forum's mandate for Certificate Transparency <xref target="CABF.CT"/> in the Web PKI ecosystem <xref target="RFC6962"/>.</t>

</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>This informational use-case document defers security considerations to the resulting technical specifications.</t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>This document has no IANA actions.</t>

</section>
<section numbered="false" anchor="acknowledgments"><name>Acknowledgments</name>

<t>The author acknowledges the years of industry interactions and innovations that contributed to the technical approaches described here.</t>

</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC8224">
  <front>
    <title>Authenticated Identity Management in the Session Initiation Protocol (SIP)</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="C. Jennings" initials="C." surname="Jennings"/>
    <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <date month="February" year="2018"/>
    <abstract>
      <t>The baseline security mechanisms in the Session Initiation Protocol (SIP) are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document defines a mechanism for securely identifying originators of SIP requests. It does so by defining a SIP header field for conveying a signature used for validating the identity and for conveying a reference to the credentials of the signer.</t>
      <t>This document obsoletes RFC 4474.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8224"/>
  <seriesInfo name="DOI" value="10.17487/RFC8224"/>
</reference>
<reference anchor="RFC8225">
  <front>
    <title>PASSporT: Personal Assertion Token</title>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="February" year="2018"/>
    <abstract>
      <t>This document defines a method for creating and validating a token that cryptographically verifies an originating identity or, more generally, a URI or telephone number representing the originator of personal communications. The Personal Assertion Token, PASSporT, is cryptographically signed to protect the integrity of the identity of the originator and to verify the assertion of the identity information at the destination. The cryptographic signature is defined with the intention that it can confidently verify the originating persona even when the signature is sent to the destination party over an insecure channel. PASSporT is particularly useful for many personal-communications applications over IP networks and other multi-hop interconnection scenarios where the originating and destination parties may not have a direct trusted relationship.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8225"/>
  <seriesInfo name="DOI" value="10.17487/RFC8225"/>
</reference>
<reference anchor="RFC8226">
  <front>
    <title>Secure Telephone Identity Credentials: Certificates</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="S. Turner" initials="S." surname="Turner"/>
    <date month="February" year="2018"/>
    <abstract>
      <t>In order to prevent the impersonation of telephone numbers on the Internet, some kind of credential system needs to exist that cryptographically asserts authority over telephone numbers. This document describes the use of certificates in establishing authority over telephone numbers, as a component of a broader architecture for managing telephone numbers as identities in protocols like SIP.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8226"/>
  <seriesInfo name="DOI" value="10.17487/RFC8226"/>
</reference>
<reference anchor="RFC8588">
  <front>
    <title>Personal Assertion Token (PaSSporT) Extension for Signature-based Handling of Asserted information using toKENs (SHAKEN)</title>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <author fullname="M. Barnes" initials="M." surname="Barnes"/>
    <date month="May" year="2019"/>
    <abstract>
      <t>This document extends the Personal Assertion Token (PASSporT), which is a token object that conveys cryptographically signed information about the participants involved in communications. The extension is defined based on the "Signature-based Handling of Asserted information using toKENs (SHAKEN)" specification by the ATIS/SIP Forum IP-NNI Task Group. It provides both (1) a specific set of levels of confidence in the correctness of the originating identity of a call originated in a SIP-based telephone network as well as (2) an identifier that allows the Service Provider (SP) to uniquely identify the origin of the call within its network.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8588"/>
  <seriesInfo name="DOI" value="10.17487/RFC8588"/>
</reference>
<reference anchor="RFC8816">
  <front>
    <title>Secure Telephone Identity Revisited (STIR) Out-of-Band Architecture and Use Cases</title>
    <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="February" year="2021"/>
    <abstract>
      <t>The Personal Assertion Token (PASSporT) format defines a token that can be carried by signaling protocols, including SIP, to cryptographically attest the identity of callers. However, not all telephone calls use Internet signaling protocols, and some calls use them for only part of their signaling path, while some cannot reliably deliver SIP header fields end-to-end. This document describes use cases that require the delivery of PASSporT objects outside of the signaling path, and defines architectures and semantics to provide this functionality.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8816"/>
  <seriesInfo name="DOI" value="10.17487/RFC8816"/>
</reference>
<reference anchor="RFC9060">
  <front>
    <title>Secure Telephone Identity Revisited (STIR) Certificate Delegation</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="September" year="2021"/>
    <abstract>
      <t>The Secure Telephone Identity Revisited (STIR) certificate profile provides a way to attest authority over telephone numbers and related identifiers for the purpose of preventing telephone number spoofing. This specification details how that authority can be delegated from a parent certificate to a subordinate certificate. This supports a number of use cases, including those where service providers grant credentials to enterprises or other customers capable of signing calls with STIR.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9060"/>
  <seriesInfo name="DOI" value="10.17487/RFC9060"/>
</reference>
<reference anchor="RFC9447">
  <front>
    <title>Automated Certificate Management Environment (ACME) Challenges Using an Authority Token</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="M. Barnes" initials="M." surname="Barnes"/>
    <author fullname="D. Hancock" initials="D." surname="Hancock"/>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <date month="September" year="2023"/>
    <abstract>
      <t>Some proposed extensions to the Automated Certificate Management Environment (ACME) rely on proving eligibility for certificates through consulting an external authority that issues a token according to a particular policy. This document specifies a generic Authority Token Challenge for ACME that supports subtype claims for different identifiers or namespaces that can be defined separately for specific applications.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9447"/>
  <seriesInfo name="DOI" value="10.17487/RFC9447"/>
</reference>
<reference anchor="RFC9448">
  <front>
    <title>TNAuthList Profile of Automated Certificate Management Environment (ACME) Authority Token</title>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <author fullname="D. Hancock" initials="D." surname="Hancock"/>
    <author fullname="M. Barnes" initials="M." surname="Barnes"/>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="September" year="2023"/>
    <abstract>
      <t>This document defines a profile of the Automated Certificate Management Environment (ACME) Authority Token for the automated and authorized creation of certificates for Voice over IP (VoIP) telephone providers to support Secure Telephone Identity (STI) using the TNAuthList defined by STI certificates.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9448"/>
  <seriesInfo name="DOI" value="10.17487/RFC9448"/>
</reference>
<reference anchor="RFC9475">
  <front>
    <title>Messaging Use Cases and Extensions for Secure Telephone Identity Revisited (STIR)</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <date month="December" year="2023"/>
    <abstract>
      <t>Secure Telephone Identity Revisited (STIR) provides a means of attesting the identity of a telephone caller via a signed token in order to prevent impersonation of a calling party number, which is a key enabler for illegal robocalling. Similar impersonation is sometimes leveraged by bad actors in the text and multimedia messaging space. This document explores the applicability of STIR's Personal Assertion Token (PASSporT) and certificate issuance framework to text and multimedia messaging use cases, including support for both messages carried as a payload in SIP requests and messages sent in sessions negotiated by SIP.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9475"/>
  <seriesInfo name="DOI" value="10.17487/RFC9475"/>
</reference>
<reference anchor="RFC9795">
  <front>
    <title>Personal Assertion Token (PASSporT) Extension for Rich Call Data</title>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="July" year="2025"/>
    <abstract>
      <t>This document extends Personal Assertion Token (PASSporT), a token for conveying cryptographically signed call information about personal communications, to include rich metadata about a call and caller that can be signed and integrity protected, transmitted, and subsequently rendered to the called party. This framework is intended to include and extend caller- and call-specific information beyond human-readable display name, comparable to the "Caller ID" function common on the telephone network. It is also enhanced with an integrity mechanism that is designed to protect the authoring and transport of this information for different authoritative use cases.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9795"/>
  <seriesInfo name="DOI" value="10.17487/RFC9795"/>
</reference>
<reference anchor="RFC9970">
  <front>
    <title>Connected Identity for Secure Telephone Identity Revisited (STIR)</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <date month="June" year="2026"/>
    <abstract>
      <t>The Session Initiation Protocol (SIP) Identity header field conveys cryptographic identity information about the originators of SIP requests. However, the Secure Telephone Identity Revisited (STIR) framework provides no means for determining the identity of the called party in a conventional telephone-calling scenario. This document updates prior guidance on the "connected identity" problem to reflect the changes to SIP identity that accompanied STIR. It also considers a revised problem space for connected identity as a means of detecting calls that have been retargeted to a party impersonating the intended destination and preventing the spoofing of mid-dialog or dialog-terminating events by intermediaries or third parties.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9970"/>
  <seriesInfo name="DOI" value="10.17487/RFC9970"/>
</reference>

<reference anchor="I-D.ietf-stir-certificate-transparency">
   <front>
      <title>STI Certificate Transparency</title>
      <author fullname="Chris Wendt" initials="C." surname="Wendt">
         <organization>Somos, Inc.</organization>
      </author>
      <author fullname="Robert Śliwa" initials="R." surname="Śliwa">
         <organization>Somos, Inc.</organization>
      </author>
      <author fullname="Alec Fenichel" initials="A." surname="Fenichel">
         <organization>TransNexus</organization>
      </author>
      <author fullname="Vinit Anil Gaikwad" initials="V. A." surname="Gaikwad">
         <organization>Twilio</organization>
      </author>
      <date day="18" month="May" year="2026"/>
      <abstract>
	 <t>   This document describes a framework for the use of the Certificate
   Transparency (CT) protocol for publicly logging the existence of
   Secure Telephone Identity (STI) certificates as they are issued or
   observed.  This allows any interested party that is part of the STI
   eco-system to audit STI certification authority (CA) activity and
   audit both the issuance of suspect certificates and the certificate
   logs themselves.  The intent is for the establishment of a level of
   trust in the STI eco-system that depends on the verification of
   telephone numbers requiring and refusing to honor STI certificates
   that do not appear in a established log.  This effectively
   establishes the precedent that STI CAs must add all issued
   certificates to the logs and thus establishes unique association of
   STI certificates to an authorized provider or assignee of a telephone
   number resource.  The primary role of CT in the STI ecosystem is for
   verifiable trust in the avoidance of issuance of unauthorized
   duplicate telephone number level delegate certificates or provider
   level certificates.  This provides a robust auditable mechanism for
   the detection of unauthorized creation of certificate credentials for
   illegitimate spoofing of telephone numbers or service provider codes
   (SPC).

   The framework borrows the log structure and API model from RFC6962 to
   enable public auditing and verifiability of certificate issuance.
   While the foundational mechanisms for log operation, Merkle Tree
   construction, and Signed Certificate Timestamps (SCTs) are aligned
   with RFC6962, this document contextualizes their application in the
   STIR eco-system, focusing on verifiable control over telephone number
   or service provider code resources.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-stir-certificate-transparency-02"/>
   
</reference>
<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>



    </references>

    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC6962">
  <front>
    <title>Certificate Transparency</title>
    <author fullname="B. Laurie" initials="B." surname="Laurie"/>
    <author fullname="A. Langley" initials="A." surname="Langley"/>
    <author fullname="E. Kasper" initials="E." surname="Kasper"/>
    <date month="June" year="2013"/>
    <abstract>
      <t>This document describes an experimental protocol for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed, in a manner that allows anyone to audit certificate authority (CA) activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves. The intent is that eventually clients would refuse to honor certificates that do not appear in a log, effectively forcing CAs to add all issued certificates to the logs.</t>
      <t>Logs are network services that implement the protocol operations for submissions and queries that are defined in this document.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6962"/>
  <seriesInfo name="DOI" value="10.17487/RFC6962"/>
</reference>

<reference anchor="E.164" target="https://www.itu.int/rec/T-REC-E.164">
  <front>
    <title>The international public telecommunication numbering plan</title>
    <author >
      <organization>International Telecommunication Union</organization>
    </author>
    <date year="2010" month="November"/>
  </front>
  <seriesInfo name="ITU-T" value="Recommendation E.164"/>
</reference>
<reference anchor="CABF.CT" target="https://cabforum.org/working-groups/server/baseline-requirements/documents/">
  <front>
    <title>Baseline Requirements for TLS Server Certificates</title>
    <author >
      <organization>CA/Browser Forum</organization>
    </author>
    <date year="2025"/>
  </front>
  <seriesInfo name="CABForum" value="CA-Browser-Forum TLS BR 2.1.6"/>
</reference>


    </references>

</references>



  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA81d23Ybx5V9x1fU0A+SswDoEtmS6EwyJCUnXJFkjQjZK2vW
PDS6C0BHjS5MVzcZxEv/Mt8yXzbnWpcGQNnJPIwfIhJEV1edOpd99jlVmc1m
k77uG3tuzn60Xb2qi2Vjzc3i2rzvrLdtX/S1a03RVub1bV3ZtrRm5TrzYfHR
PPzx9c371x++Nh+9NVeFt56+98H+11B3dgsP+7NJsVx29haHpy/H755NyqK3
a9ftz03drtxkUrmyLbYwlaorVv3szrZVP/N93c1urd/ZbjZ4Oyvx2dnjZxM/
LLe19zC7fr+Dh65fL7435itTNN7B6+q2sjsYAWZxNjVntqp719VFg79cX1zC
P7CKs+sPi+/PJu2wXdrufFLBhM4npWth4X7w56bvBjuByf92UnS2gFEvdrum
LkkmutiimS3qrT2b3Lnu07pzww6+d2PLobNmYRu727jWmmucSN3v4YHb2te9
rc4mn+wenqnOJ2Zm+vBNngx+1tXrTT/rHa57MimGfuM6/PLEwH+roWlYWleb
rvbmJ5QW/cV166Kt/06TPDc3buv81Fy35Zz+ardF3cAMS3zq3wpcj62Wde/n
pdue0VdKN7Q9bsvHm8mkdd0WhroFwRjz4furF0+fPos/fhN//FZ//ObFC/3x
xRP99OXjbx/rj8+ePY8/vgg/PtfBXj5/GX58+Zweu569mte2X7E6lLbrQVVR
f2Z9V7R+B9vTlvvzCSpSPt9vX377FH98PX/yLU3cGFX4xcaC5vW2a0lWRWN2
wxK2lzYDpLEdWtlr2ZS6XZtdU7QsprAh9N8M5Q5amI23OBjoYwv/S4+Qspl3
7tbi0Obp4yePeXZFt7b9udn0/c6fP3p0d3c3r/thDjN91Nny0WL24fXVjJZD
3/cwL+tx4TqV68XH2eIcNA1fDWrBb9Ynri4uv59fLXJRXIJVNTVoX2q8ZOiL
Nzfmxna3MMWrKHZ/jwiuLh5ddu4O5mW+d92wTVb79PHTb44usiyWK/zuHEZ4
hIYEop6RMflHnt7+aClTnHXJFB+Bzxj4pxPCwOXiyLDIq4uZTGxGH9HaLj+Y
p/Mn82/PJpPZbGaKpQeNKvvJZLEBq9LhTWV92dVLcHFgjKYMzi6djOk3RW+2
DrQPVmvE4T38tX7166lBCZi7ut/ULQwKz33ZnZiHMDj44lUHTgGfn+PbPhjr
e3h17TdW5lcYX69bVOWyszQMKCoslfey/jsMhRMpDlzS1CyH3rSuN3c4jkxg
45pKR+YR+v2Uv3EbFx7s0rX8XXm6smUDtgtvXzoYHNyQvMyTf964O5hIZ5s9
mV7RwSNu2Re1eF9+A60MV1B2znsSWLkp2tY2HiZiQXCFjGrA39mi83OT7+6O
98SjcGxv3CrZZZpu3TQDKgZsKw4PXx+aHucEEcL3Zl3seEIg7N56+U6iGTCu
awZavt+4oYFvgjD8aj8311Fl+MGtxdnXfgsTtCvQ+MqIGohGhS2mV6LMwNB3
RUuj72zJNkohCmYMAsA1tDwYzXljt3NW921dVQ0El6/QcXWuGkp8DpX/H1M6
8/DnnyVIfP48NfrLN+kv3+IvOHP6AAPD589fg0KgosBSuv2ud+uu2G3AE6uq
wo6URdOg9eWai2tvcWdITsu9Wby7ADV8U8OuZC9EZwJogGRp/4ZRvO7NB42w
iEoeou2Z26KpxWPCaOBwHcwAjSKGANVzVDxQUlCGHcyhRj3fdQ6tGTWMrC9R
0F9jerqLJ2ywcjAiGiJMErff3bXRzk9ZZ4om/v8b6GRy1Tgv2gqbQxZW87NF
vUWFYGuY0keke31m08Go5uYnMmGYubWkAT5duVX3S8smy00kJRsis4MnN7Yh
PQODKkpCSjwKiWuauNvwrbi5AFcHXCMIpiw6iFSkjQUIubFr9C0JsOHpUOwD
waE0QW17K3oW9WduLhrXrj0s4mDyU+OHcgMvSNSthIHAZG7t/vT2W9IbmOnp
3T+nrwV1T1fZO9CMel0DCiJFs+KCVId9/LMYNYh4a70v1ha0qqthyvg5YoaC
PUVhloDnSRscyssBiM0mCisC99WoY0/WK+52adXJ03qjbtKvpIQIccb25kUh
p7hRS3wK5oqiAP3DX6fBBePeFqhG6DI6cTSKJxOMahq3ZmSVZCggPshPimXd
gBKB7v8AE0CfDhNp6V2k2sHL8ltJovYONA5+rypYnZcIIrZLOkEPW4lTEJIk
LahJPqu9WJg+srQAOaqo8KjC3ruyLijagctEVEJhEkRe6TC1bLCHCepQuiXT
sGG4OfZAxGEtsqsgJp7xnUuH93vfWwiJoKB3G1SRdeOWsL8VqFKPep3CbI9O
uWfXgG8CbXJoVJXBGMBzJZTMqHgE7yFw0MefPxsxhyQvkKnbnjeC3kAKHkd+
9e5m9CBnGbbnjVs6FCEskz0lzAo/XUMm0OEv/QZC1XpzPK4kr2mKO91dcMD2
tgBV+esAWV1VUxSfm0sxGt3OBz73bWBMld1y/EThyJbhqMHI7sh8VAnswTaL
T6c1iVTQiO2gzjtYK2lgcLI/2aV5/+drWjri8KKBDLvaJ3EsxS5g0KyBBap8
hEi4BM84hcIADAqWRTmuuAKeP6MLQ3OdxRA/jZoOr0QRICbHYRDeGDJS8rw4
IMQsW37C3VpjfGN3GARTBf0VdSaHgj6YPYRMZGkFBaBrAmG3a12irWm54EM2
GHLAqcOzS1sWEoXWaoA0jqBL8hKd29YsbTSZxKuAkGCi4E8uZRhbgOGwznhC
sW7oSkuBVTVsFvQQ553q02yJCIpVPjgFlFfjHW8QBgqNieTKzuF3iMKoJ7Tx
MDWACOjJ3DYLlTvMueoSpeXhpdWaw6dOyuwcmNEeNwQNuUHdnyJPIRJt/R04
8IoR263D7FHlGeNOzE9wnKiZEmJI7qRireg2mEuAKRjUwO7TkKlomDcEcMHO
gCIuRcnkSVNvd6AGrhVZsbXcOlorBz1455Q1LPp10EDRXzWzROC1p7nAyK7r
wer5MbCLKSGwiI1gAQ0m2h04l6L5jkZedq4giQ7dzoESCKZKFrZLE1RUlrHD
Jkvml4r/SeFD8WXwME0C7gYnEYItaDToaTUfp99ZhkSp2Y5VjLElO8wjydt9
ORl8sB9lY9+NEzDSWtFCyptoiv9sWjbHhOsKQVhLv3O+9cmiLnWA18/efrxZ
IFGJ/5p3P9DPH17/+8frD69f4c83f7p48yb8MJFv3Pzph49vXsWf4pNXP7x9
+/rdK34YPjXZR5Oztxd/OeMNPfvh/eL6h3cXb854dekmUGR2aHAUz0BP0O0V
fqLkCEnk8ur9//z3k2cQRP8F0q+nT568hDjKv7x48hyDKmy+GJ1rm738irsx
YbBFTrdBqLrD0O7JKcBGQZaDagPS+81/oGT+89z8blnunjz7vXyAC84+VJll
H5LMDj85eJiFeOSjI68J0sw+H0k6n+/FX7LfVe7Jh7/7A1Fysycv/vD7CarM
K4uRw7wHN1XWO8iWJxPKMjcFUgW3tnE73BBA/UuPjoHwL5tE7xwCbTQ51Mym
Xtm+Rvb4/cXNDfiRhc+T9SQT8cErncqtj+UvPk3vp4nv7d0nyGLkr8+ePSft
EC4Yv5njf/nb85c0K/AjM7eaERCHl9awnL1M5cWTwCtkWVQKvX/++ZfxyDQQ
4KI1QzvIKsTEQ+KN+QX6AHjfPgRU4nIwzUWPsarBlUaXQI6EID26Jfs3kCHG
Gto+3ptR5i/++Ty63xl7yZkvaZsZT1H+mIE63awEmeTuWbz4yEtPf0FKSvlr
BKi6p0S3C9gwgAWYMesp1VxK6iHpMOwqhqga1LdAH6z8JjGVpWOQDwYe4hfk
UolDZumeksixOXPOkS6Cl4njJDHvIOU/ycCgoDaM2jEXPZLfR1CZkkX7U1RR
RiOsBJnA5oGlb0P2lwRJXFEh2A7lQUzOtvikIS4D+Ch60L9+g1BsxNPAb8Rg
8RakIkINV+QJr7/buMiQ1j1zUPr3mrlxQJwC64pWeQ5OFeP6b3MaQM2F1YUf
Yeopo6xzsLmEFMPaRI1V3SNOAsHx5uBUZWjKzPGrB+kTesMU5X6nCVUiKUkY
bKCuQPJpdtLZWVEBaqX4Dk+hwJI51RjwL06qbW5hDKdztucWsvJStCNRWgI2
wi8TxEo5lrqPmunHUiIxKzcIBmcu7d5p3pIqEEjHNqtpQF2wt23ZDJUdu2km
mtCq8DMUAhYnUeeXHfEk7GckOwe5M3MYeTWEfWEUJY1gEYEr8odkkQaO5xQc
RoSUOrhECikzpdzp0m4KXOGvpJleYyZVc8GgWc3wD+QUpkc3yKjPdmNbe5CA
Yp5CrnpcoPXMeVgO3yCmHUJ/P2fgKPPUuSNko/BSkl/mQMYbmBhth7mgaHQI
Jf0xfgbAnku+FogYhf5MbczNhU5EUgqmRRIK51dRN+imIzuVpIoJj6CcAedu
PlAAKEjhACIFcsg7JZAk3+1jNFaMpz4jyI/zH1/I8f/vkvtALzQWlBm+OtA2
fzElvkcao+SYOIPkxYDYi2pbt8iXdEIT4BtKVHnQyHc4qFKWMS6JbCg8aObM
qkRubWcdAFryF8gcEZfJsfuL3h9NpmhmMDoRPeJyx0y8crT4UJ/EVxYggy81
pP1BRIzSwbJJwh+RdDioaCVGuYzodU+EGjSZo2xokXKhbCwNaaJHocPeqzBX
8CafuZygvnfF3qC/2FOqLRk3uFaESE3YgilkAsLVsCA+te5utncDgGMwM7dF
swUprrXlJcl+aaYa9mzOFaEM86iKZFNzq+VH3KC1bQcYCFa2KToermZ0negL
UpYO9ApEdSom5xVDgaGU+KNnhp2GfcTp9j3kqAM+IXiyJLFSHrr8qyVv2exZ
6fCdQYlJ1DWFj4QKiA9xvtWFog1TVEJZ4fC4/yXhBHifVP2ZZpsS+ttuXSX0
Jk6bvTuLyhFPt4ZUbVTMBbkWvYpTs2nxr4k9xI3mQludFMIgn9rZjmTokZiD
n5o9cROhSYsDzMo1jbvDlyHQK7ra+XFFPKmDkwwkYcJYZCMikzKFhM/YU5GZ
sK97rlLIlAkCLj3V6GBLUmU/7cSUj9zaAguuq6EBxOKlckKQeYntMfANyLIY
ZSEPYfJGBk1hMhUjrUm8C2kMCCzKBvLIliOCOjPEU2i/AxrUw8unV19zJSD5
s/6Mf778muIOQEDi0lcNKprEQoBTa9ZNEjnoFNvmpt5RPsUqcI9oIBHsLZVY
v/rKLCQ5u4JVwbeuX9G8uGUFPn6rDOVkciXTxwBdWlR7yG6HamgoGBE0w0cD
NuP65c7pTFEDDnMpt+otV1KJKmNfXTrXVYTSKqX0A1XKgKMo2R+BTnWW0tuS
FQVgpt1J9UPCa8+Kj64FEVlbobeJKSW7/ty5wLCkZvtYr5DAInlQWlVRvJOi
BgzlhU+zEUxF+qL8hAIsuaJRgdphlW47NGhG4Jnrvt5SjpojIsEYSkbDzh1W
tAvy+Jo/YnumYNbeHVFfxIr4xboLCQN9L7ZVMGHB6q++ttKZ3Fy/F4BD5HXC
Y5N52eUMu7WqRImVFkjlXFsWhYiaDOYevaU0gl2C7EJeiwglmJlgtibOAFax
QiYB4TS9n300mxDoTO2Vl/0KG7RuZYuvc/Ie1napVnqVtfV9j6YwmdA/iIt8
wvvbBNKgdpNNUJpom2aGAbc9VndGigtAoBg+9cvRJiVWJ3UqyolwX5egXzG7
Vv2HMepdTWmiBiCRrXS38OKEt/obK5EqY7mfchBk7SVgtVpJ3DtZzRAtiOUT
UnKwPesGTzGGy/TkNdgAVXstU8u153wN97MnKJTinzzka+Kj6JD1OtheKlH+
06GaxDCZ9gmhFaVgT5X4IGFZWeQNY8TWV6r9qDstskYJwZnkNw57SVS6yDCK
HA/083twkvBe0GTSPAhEzMypN0/VF7QzfBvLlxBlI6ZbYcqBklVFQ7iaPn0O
sRvrmQVxZ+zWl0X76YTmnnDKgTrMldhQIYtze8Yas2EXIsncXAkU9cSshJ6s
tLbHcYQ4k0qcNueJLqt6JcED0XGrQR8xXEc7T91Z4jQogcFOMdBaonDGTXyQ
dJnVcake+lxGoqqdUQ2EZTvNODJUYI+dahev7ag+ywoO/W6RNrCT8xXfLlYu
09J0i5xmEvOUKSDM76iVB51GCWGIPBoyftg8X5N/SEM16+4NQvJXTDlX5oZC
iDcXxF4V5p12KWAXNRnhR+x8X5wiro51ah3SF9gzUYN2wxYA1iNvx2iU6Bki
omjY8P1pkotMaRE0Fy59IU91nKoJETNAB9yshKRbc2YinACYj6/Z+6lGE7xp
TuIA6SnEPUJxlJGLKPJvEvYQ74esexLYqdbOHBnzuHXSTih9YYlZMYZ4wIkt
SaI/4BofEHlHqobiLzeaWZFqMU7osUPDtQcTTbg1pj5a4rgiS1d70jaqlgwA
t5klJ545BUywpb8aFSE3wYxjSqQe7w2k1gd1JuSwkxazA9IaE/1UNTVDwCoM
TGlVbOuGykaUoVZqDl7MoRBzCOINKkhyJsqhwE4lpGeS2SYUq8YW5UBDBR73
MVAx4JB64RCV4KQ+YZqPJBK6FaTngV3N2WXM7CCn8AeRkTYqKfzPwbKTCM8J
A3ZSz0I1pLK7xu1pM6ZZX4CGKJScqkcApFuMkgn5C+OCfHoUuBKr7dGlwJN7
Enze6ImOTLU82ABCNTCgNdFUfEqo/w6eQat8dPOniz+/fmcuSA68B2cXZwZE
WW+lRPnNixefPzORUOFbiThmkgkTHfSdkKJgDOuQOozIA9mPZJ+xVYl6tGIM
0aWhSyYmcOycEhM69hxOlzbr0H7RSQxt2t/ZFSuIU+eMF1mKGU3+wGequMlt
ahxiqOGQWqmi6KbU4NKrObvoo06rqzhC2cDYIp33ms7NW1SVVLHqlqx7hs0I
U+In+QOjDNgMu3AB4hosx1Pbc3gNvZS6GCQpptacGZbWQfDel66yooDRW8G3
2c2BipZhXhenTLmXEM6424ArbQUVUjkV68TCFqXlDdpNaf9NiXxYH+zmdlmv
B0A1Gsql1UdTk39CyhG1LdRVIu/o2oA+rCKXJKkXgHsehybV8hyrScBU/OJM
A3tw8SPK/pmLiP3DB7MNjMS9oqq5vyUNv1I7RilHZgOfzmpZrEKBHh/xNam0
0NVk9SdUcu0T07M1oXICe4DOsqAymxdml4sKFNgiiZlpCwL3NE4Xubufyh4I
MBgVmygHZN5SXoV5SaclsZTYnJtI9BP7JcFLahc+IXy1HHqMpp9KmDkoZG8T
fpXSSfAzzV7xK5caAFBeJGCoMhdlaT27/3BY5cIDtC/0fNUrqTndsEn7yUQ/
ESNHk0DyEGsu8D4ikA4BeWh0TOpbchikdNSVEpvIpmZv++MsFIKTEdeUGACh
bt0pqQi4LoXwOF7mVxIuhOJJwlwx1xu0Upb7BdSkno8fdnmj/wnA3YdugVGe
DiYN6kIaE0nWv6vD3/GZSSSnFGwVRzIbNqDDxCZsX5bU1IH5gUlwCkOt0gwd
UFmm3BtMTkgoFD7aQqkOPQCrqipJqiCbCfk+nVaw1UCJf7Gkyts+ofk4WZXv
3s/2KN7IhCLpPreQ34AtOC4PvYaYtKaGpqscbmHatEaubDKRp3yxslTEzPlE
6tyEGI7oFZxOcmAMvdnt0LSw3cSwuxATptK5M4Crka69lNJ0EFLaQ054mnjm
wAo5dlA4uJKfYTqjqZIWp3ww86Z6UOJ4Sp7oqDTgkw1Q1w8n4aOakfa93xIA
5YzlGF99TyYeFnAyGc9YUIxa1CUhJeORYf/i3Jy1OabmPdY9qOUAz7kFRcE0
/R6NYE27os6obnZZUJu7Ev7BlWJAqmDa1UD7pOWAyjFCI7Ky4TNnnG6lp+sk
B6uPnLH57ohDoC4AH51YfEhdUsCe/HBg2jepI+Lulp9IV8OUGXdpr8pUamI8
Oe4Ok0HJGXAFN9ChwX+lyS8gBYL0qZM/JIDSA0dJVop/RE3VygNMc1VDohhK
D2neEkmNQgqWNEuNEil3ICtJWsnSAmLBhk0eNbFaDnlKmn4hOsgrSP+ptj46
mHnLLXDH+g2y2ojKXlVqGvddXgFixuQ9FgMwswtjk+ZT4TeaWP6wRE80KjpS
hxGcvuG6zi2dBMbYmEBgZmrWtVas81269/hg3KJxaOb1UjZ6bPOOdQfKKQAF
zniAC1UJ+6yfXgXPgrg51A+jc2EFV7okqH88Eqc+PnE0B4sQIc5kpgepjK5L
SbHwmlPzCBMN82jtCmyQ809NGljECnNaPU4zR7fUgqNJSHs946PkL7JqQ4eq
PsVwwEEccTRt3oOwpHFXC4eGcDRwH7F46NJKz7gHxgfH3w79EApKkg3jotmz
XtZSyqFbIQI0/TFZI6F9ojFyhiwGjyz8Xj69zCuhsQHvKCEd2vIS+ccOj466
i9LSSwi50jyF3dH8Km5uAnBsTVgUZR26KoZ5RNz5gaIi/CHmUsGIkBcY+8n8
ZNeJGqwuRRtJUgfdh6xVDz6O4enSMv8j6DqeudFhs9kJQo8+ebSI2mt6s8dj
5SCOw+LWMtv9IKdUw+mIg9g8eYOo5UFbuNnx5fPHnz/PzSUWS7WIKieQMO6m
DngE1dnJopORtOpoIB6tr5SGNGQdpKsN/qaHBsRmZDNCMTm1kuPS5WETmC5t
N3SvQnpUju0KrTNL9EYsctTO2AGxTCT04L66cn2sWKMlO0FGkez9YHvwHTBz
SDaJeswLwVdS8Txlzra9rTvX6q0Qef4N4YkPF3CVNmb8/BUMiY4bI7W/Jt3u
ukV+SgKGtOl68/5m8e7R4tVb9hYlq5Ueu8c6ftCvjS0q5cQ8LHK3Q+uIrEcg
VKUKU9xa4ish3wdxIL7gEaINT5NWgMxZ6aH/Y8WakDFVwolw8KA1oYmsO8ra
KNj4fVtuQJzIZKmjlMGz+LHBg0WY3ax66X8c7QoWVA8NF50iNqY0VBwoun12
7myeqEUSzNBYSEOSSgVFCjsVDE5sIZIjzOY6mURsTQ/HD7UHMw9U0j19uAwM
a7fYkHRBkZiqqvReMduQgGd1szhzrv/IhQBp4XmasBFUi5ekbhqT41oOzqYb
TXm0nNOx+XYR1Xq81nLsyGHSnTr0eq4dsiw6CRRsBGH4Olw34K04ksqCu9ll
tybk6iHnFvZJDZZOA4H8pshIKQYELeocVV8CC3Xv1QHxNCPm8WI+pLlvqeix
sC0e2uayJ1FZIf/Bfqt0a5NqxtX7oriJxQ42heubHykJ3xIxqgntgRx3fAys
lbZ3lCLVX3bUTYezQQZVy+3MdQ/wCzld6fymIg7LNynWkIB0llKiRciuWU4y
AbLrtK8/T/m1R4C8Z1WvyB1gBeAOD6rbYqte/VjWlVFrSlBhqiDpk3ChxNTd
0/FVIPTHzgCSCSd5fCw+LFErRYUP98lImMrbO2LRkWkld6oWw+/S8gorpTZ0
7/MSjArgyyXPMN289vlLanz49/xaj6ReoWg9ZUH0zgN55YPkcIUPJ5P/oQJq
XA6oD+pfoCFEacXS1ffE/DGZjCKQuoV0FzRpKKkqrdRbKz0MsM54B0HacI8S
xKQ3aQvPmi8j1klfGlfJU8zST7n246AqxneIhFXjAF1mQrlbyp7l40mpY20r
FKOltpw12EaD4F+CCBlZU+xx/+hUYtpFlSqNri3VFU1wDm+Ny/s82MERDSQt
H1xfSs5pLx0WcfTqtCLYMapeVuSOCUKhTclcW4i587Eyf15oP3ZwKi2ys6mr
CxhfwcTYiisbaD56qZMg+9oeqY8n1abcIXI/8viOnPuPPdHRl4Yhc+zNzg63
A1Dp9VaMsDKw7Z3llAGLfVwcDAI9n0x+Y5LL6l7FqtI5HtVLbtLRlunoNYvk
sNNIczCT2gIwHPU1xKuBAgGfHH8dyXR/KEM83ef0/GooayQiPFKcpA4U3tbY
Uvcb86Ze2XKPJ+zeFi1IGFdxz5KHHSUtevDlk83K6AB31kJQ54VCQkhYGW6w
Bxte3k3TnkZyWSg2bksaH2RudI6eprxIzzXjdy+SG4TOzWu674RP7YfzORHq
pnDVLdElyeERjrzZoem0kBV26uDuouBGWQvJO8AfO8BlGDwsdwPShASc0DKu
6K4MSZqM3K6qi1hsUnPXmxr4dASnd1QPHhVnR5c/8FPxlEXapy/nC44CtyQN
kYsYTxP7tJT3XDe94ZMUZDT5AvjczD29EHW7G/BEYnrDG+JuOiSRinBqlpA1
fOKiTHJbx5RxzRpLKq7bayk39DdPw/kQYkOlB9qNm7JpOWkjyx+1M/IcqXTx
KsnOyHHEeIdMg5cRZFYxqvbVR23rRCt+ZRnC2eAxTjTzQLxNe3GShhIERgnV
ml4BuPg4y47Cywx5TLkPJpaiY9MecgCD8GPJi6jhx4+OB/OCsEiV9PyU0tvD
+brP+b1wuUsgEwnbcytAPBdztKWJDoAqbA6s6tGz59hJkVwXfKSWcqy8G3NU
jv6uCVc/yzskRZ5MXlGGgNMTxmI51JgaoCdKL0HQPZMqNTFlXRiXaVU55jmO
e6uhLfMnuuRGLJiuXt4QkpW5+SOdvsKugKlYyVQcZTAecs2VVe8tNhO6s0QM
IMneleTNFidLVFQnjtJPJS6o8fjlktyLPmpD5wssRXQKImKNR67GsGvJG/Uw
4tz8FO+THd9Yowe8I36Rak5KzeI0QpL+0M7X86nmrGCnC7rW42vB8nKZJ953
e5Vqe3hAuoD4PfFekVl6m+fRa0VYXluK02lco7pEiOPh1C6jLcxShKrkamdy
j/eM0O84CU22LsI9zrzxTR+vKAePSXlNpXeabCa0gF/i69MtGl2Zoket6+7E
oYqL99fCp2m/A1lD6H3k21VEPBxt05uSIg2cNGGGdJ/bnpXuykwxlye9Q69V
mKIvrdVtRtWbjpAHXkOmlQc6oB1nEKvz4tYievSZ5RDug/fqUUlaJ3dkqTgT
Su6ekrNITS5xuS8Ldp3eEd6Eo++HmTGfM0uSYSEoO3twvQd4cbqKXpYQDmfn
VK4umwAnswDoYkYXSSZ9OeGgzIgr5BOeVcI9ct9LzdzjWm+H5YwzO/OMC8gA
CgYoOnIsWLbAEyIz9gncWWalj1IA7q+4cUd2hB3CDcef5MJxg3fse3yjNw9v
rhbgaWiP6CjXmm3Uqx9QjBhulJlh91h2yWbAqwGl6sEPhKYUYcI5p1byZT7R
7ipLbDT28+QXEyh6hmfHd6A/oBblSnOXbGH5DUVyPTs2CrOv1osSw2K4EIT3
2oPUMP7SRc24pqssZAmdnVz+Ayqs/xcK6c3mK9Rzr4OM4l6vvXvhxmvtED52
qdn1xbuL49MI75PCGn0zORtiLkrtr6YMdvLzOZuSrf71bAVGYc8+M2vAOgnP
hn5sJlP2eHEw88IVHk3e5zUHcm5t624DzVhILkKnwkN3f1yf0r3Wm3jDmdxA
hpdnI6Cc/C9iVe+yQmMAAA==

-->

</rfc>

