<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-fletcher-transaction-token-chaining-profile-02" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Txn-Token Chaining Profile">Transaction Token Authorization Grant Profile for OAuth Identity and Authorization Chaining</title>
    <seriesInfo name="Internet-Draft" value="draft-fletcher-transaction-token-chaining-profile-02"/>
    <author initials="G." surname="Fletcher" fullname="George Fletcher">
      <organization>Practical Identity LLC</organization>
      <address>
        <email>george@practicalidentity.com</email>
      </address>
    </author>
    <author initials="P." surname="Kasselman" fullname="Pieter Kasselman">
      <organization>Defakto Security</organization>
      <address>
        <email>pieter@defakto.security</email>
      </address>
    </author>
    <author initials="S." surname="O'Dell" fullname="Sean O'Dell">
      <organization>CVS Health</organization>
      <address>
        <email>sean.odell@cvshealth.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <workgroup>Web Authorization Protocol</workgroup>
    <keyword>oauth</keyword>
    <keyword>transaction tokens</keyword>
    <keyword>identity chaining</keyword>
    <keyword>cross-domain</keyword>
    <keyword>trust domain</keyword>
    <abstract>
      <?line 150?>

<t>This specification defines a profile of the OAuth Identity and
Authorization Chaining Across Domains
<xref target="I-D.ietf-oauth-identity-chaining"/> mechanism that uses a Transaction
Token (Txn-Token) <xref target="I-D.ietf-oauth-transaction-tokens"/> as the subject
token in a Token Exchange <xref target="RFC8693"/> request to obtain a JWT
Authorization Grant for crossing a trust boundary.</t>
      <t>A Txn-Token is scoped to a single trust domain and represents the
full authorization context of an in-progress transaction, regardless
of whether that transaction was initiated by a human user calling an
external API, by an internal system event, or by an automated
workload.  This profile specifies how a service operating within that
trust domain can present its Txn-Token to obtain a JWT Authorization
Grant that carries the necessary context across a trust boundary,
enabling an access token to be issued for a partner service,
without exposing internal trust-domain credentials or token formats
beyond the trust boundary.</t>
    </abstract>
    <note>
      <name>Note to Readers</name>
      <?line 170?>

<t><em>RFC EDITOR: please remove this section before publication</em></t>
      <t>Discussion of this document takes place on the Web Authorization
Protocol Working Group mailing list (oauth@ietf.org), which is
archived at <eref target="https://mailarchive.ietf.org/arch/browse/oauth/">https://mailarchive.ietf.org/arch/browse/oauth/</eref>.</t>
      <t>Source for this draft and an issue tracker can be found at
<eref target="https://github.com/george-fletcher/draft-fletcher-transaction-token-chaining-profile">https://github.com/george-fletcher/draft-fletcher-transaction-token-chaining-profile</eref>.</t>
    </note>
  </front>
  <middle>
    <?line 181?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Organizations routinely deploy services that, in fulfilling a
transaction for a user or an automated process, must call one or more
partner APIs that lie outside the organization's own trust boundary.
The challenge is to carry the authorization context of the original
transaction — including the identity and authorization of the
Initiating Principal — across that boundary in a way that is
trustworthy to the partner, without leaking internal credentials or
internal token formats.</t>
      <t>Transaction Tokens (Txn-Tokens) <xref target="I-D.ietf-oauth-transaction-tokens"/>
address the first half of this problem.  A Txn-Token is a
short-lived, cryptographically signed JWT scoped to a single trust
domain (for example, an enterprise or a cloud service provider's
internal environment).  It is minted by a Transaction Token Service
(TTS) at the point where a transaction enters the trust domain and
captures, in immutable form, the identity of the initiating
principal, the purpose of the transaction, and relevant request
parameters.  Every workload within the trust domain that handles the
transaction receives and validates this Txn-Token, ensuring a
consistent and authoritative authorization context throughout the
internal call chain.</t>
      <t>A Txn-Token may represent any of several originating contexts:</t>
      <dl>
        <dt>External User Request:</dt>
        <dd>
          <t>A human user or external client calls an API exposed at the
trust domain's perimeter (e.g., a financial services API that
adds a stock to a watch list on behalf of the user, authenticated
via an OAuth 2.0 access token).  The TTS mints a Txn-Token
anchored to the user's identity and the authorized scope of that
external access token.</t>
        </dd>
        <dt>Internal System Event:</dt>
        <dd>
          <t>An internal system triggers processing that has no direct external
human caller (e.g., an SMTP server receiving an inbound message
and initiating storage of that message in the recipient's mailbox).
The TTS mints a Txn-Token representing the system's identity and
the purpose of the transaction.</t>
        </dd>
        <dt>Automated Workload Request:</dt>
        <dd>
          <t>One workload within the trust domain invokes another as part of
an automated pipeline (e.g., a scheduled job triggering a data
aggregation service).  The Txn-Token represents the workload
identity and the pipeline's authorization scope.</t>
        </dd>
      </dl>
      <t>In all three cases, the Txn-Token provides a uniform, internal
representation of the authorization context.  The problem this
specification addresses is what happens when a service within the
trust domain, in the course of executing such a transaction, needs
to call a service in a <em>different</em> trust domain — a partner
organization, a SaaS provider, or a third-party API — in order to
complete the transaction.</t>
      <t>Consider a mail service within an enterprise trust domain.  Upon
receiving an inbound message via SMTP, the mail service is issued a
Txn-Token representing the mail delivery transaction on behalf of the
recipient user.  Before storing the message, the mail service must
call a partner spam-rating API in the spam service's trust domain.
The mail service cannot present its internal Txn-Token to the spam
service — the Txn-Token is scoped to the enterprise trust domain and
carries internal context that must not be disclosed externally.
Instead, the mail service must obtain a credential that is meaningful
to the spam service's authorization server while preserving the
relevant authorization context of the original transaction.</t>
      <t>The OAuth Identity and Authorization Chaining Across Domains
specification <xref target="I-D.ietf-oauth-identity-chaining"/> defines a general
mechanism by which a client in Trust Domain A can obtain a JWT
Authorization Grant from the Authorization Server of Trust Domain A
and present it to the Authorization Server of Trust Domain B to
receive an access token.  The base specification deliberately leaves
the choice of subject token type open, allowing profiles to constrain
and specialize the mechanism for specific deployment scenarios.</t>
      <t>This specification defines the additional details necessary to use a
Txn-Token as the <tt>subject_token</tt> in the Token Exchange request
described in Section 2.3 of <xref target="I-D.ietf-oauth-identity-chaining"/>.
The Txn-Token is consumed by the Authorization Server of Trust Domain
A, which validates it, applies claims transcription and minimization
policy, and issues a JWT Authorization Grant targeted at the
Authorization Server of Trust Domain B.  The JWT Authorization Grant
crosses the trust boundary carrying only the context that Trust
Domain B is authorized to see.  The Txn-Token itself never leaves
Trust Domain A.</t>
      <t>This profile is complementary to the Identity Assertion JWT
Authorization Grant profile
<xref target="I-D.ietf-oauth-identity-assertion-authz-grant"/>, which targets
deployments where the target authorization server already trusts a
common IdP for SSO and subject resolution, using an OpenID Connect
ID Token or SAML 2.0 assertion as the subject token.  That profile
is optimized for the human-user, single-sign-on scenario, where the
trust relationship between AS-A and AS-B is mediated through a
shared identity provider.  This profile addresses scenarios where
the trust relationship between AS-A and AS-B is established through a
bilateral or federated Cross-Domain Trust Agreement, and where the
input credential is a Txn-Token representing any authorized
transaction within Trust Domain A.</t>
      <t>A detailed structural comparison of the two profiles appears in
<xref target="relationship-to-related-specifications"/>.</t>
      <section anchor="requirements-language">
        <name>Requirements Language</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

</section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>",
"<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and
"<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all
capitals, as shown here.</t>
      <section anchor="roles">
        <name>Roles</name>
        <t>The following roles are used in this document.  They extend the
OAuth 2.0 roles defined in <xref target="RFC6749"/> as used in
<xref target="I-D.ietf-oauth-identity-chaining"/>.</t>
        <dl>
          <dt>Initiating Principal:</dt>
          <dd>
            <t>The entity whose authorization context is captured in the Txn-Token.
The Initiating Principal may be a human user who made an external
request to Trust Domain A, an internal system acting on its own
behalf, or an automated workload operating within Trust Domain A.
The Initiating Principal is not necessarily the same entity as the
Requesting Workload that performs the cross-domain token exchange.</t>
          </dd>
          <dt>Requesting Workload:</dt>
          <dd>
            <t>A service operating inside Trust Domain A that, in the course of
processing a transaction, needs to call a Protected Resource in
Trust Domain B.  The Requesting Workload holds a Txn-Token
representing the current transaction context and acts as the OAuth
2.0 client in the Token Exchange flow with AS-A.</t>
          </dd>
          <dt>Transaction Token Service (TTS):</dt>
          <dd>
            <t>The service within Trust Domain A that mints and signs Txn-Tokens.
The TTS is the authoritative source of transaction authorization
context within Trust Domain A.  In some deployments the TTS and
AS-A <bcp14>MAY</bcp14> be co-located; in others they are separate services within
the same Trust Domain.</t>
          </dd>
          <dt>Authorization Server of Trust Domain A (AS-A):</dt>
          <dd>
            <t>The OAuth 2.0 Authorization Server within Trust Domain A that
receives the Token Exchange request from the Requesting Workload,
validates the presented Txn-Token, applies claims transcription and
minimization policy, and issues the JWT Authorization Grant targeted
at AS-B.</t>
          </dd>
          <dt>Authorization Server of Trust Domain B (AS-B):</dt>
          <dd>
            <t>The OAuth 2.0 Authorization Server within Trust Domain B that
receives the JWT Authorization Grant from the Requesting Workload
and issues an access token for the Protected Resource.</t>
          </dd>
          <dt>Protected Resource:</dt>
          <dd>
            <t>The resource server in Trust Domain B that the Requesting Workload
needs to call in order to complete the transaction in progress in
Trust Domain A.</t>
          </dd>
        </dl>
      </section>
      <section anchor="terms">
        <name>Terms</name>
        <dl>
          <dt>Transaction:</dt>
          <dd>
            <t>A unit of work initiated by an Initiating Principal that may span
multiple workloads within Trust Domain A and that has a single,
coherent authorization context.  A transaction is identified by the
<tt>txn</tt> claim in the Txn-Token.</t>
          </dd>
          <dt>Trust Domain:</dt>
          <dd>
            <t>A deployment-specific security and administrative boundary within
which services, identifiers, credentials, and policy decisions are
mutually trusted.  This term is used in
<xref target="I-D.ietf-oauth-identity-chaining"/> without a formal definition;
this profile formalizes it.  Txn-Tokens are scoped to a single
Trust Domain.  In this specification, Trust Domain A is the Trust
Domain in which the transaction originates and in which the
Requesting Workload operates.  Trust Domain B is the Trust Domain
in which the Protected Resource and AS-B operate.</t>
          </dd>
          <dt>Cross-Domain Trust Agreement:</dt>
          <dd>
            <t>A bilateral or federated configuration through which AS-A and AS-B
establish mutual trust, permitting AS-A to issue JWT Authorization
Grants that AS-B will accept, and defining the subject identifier
mappings, permitted claims, and authorization policy that apply to
cross-domain requests.  The mechanism for establishing this trust
is out of scope for this specification, but <bcp14>MUST</bcp14> be established
prior to any cross-domain token exchange under this profile.</t>
          </dd>
        </dl>
      </section>
    </section>
    <section anchor="overview">
      <name>Overview</name>
      <section anchor="txn-token-in-domain">
        <name>Transaction Token Context Within a Trust Domain</name>
        <t>A transaction enters Trust Domain A at its perimeter.  The
initiating event may be:</t>
        <t>(a) <strong>An inbound API call from an external client</strong>, in which case
  the external client presents an OAuth 2.0 access token or similar
  credential at the trust domain's API gateway;</t>
        <t>(b) <strong>An internal system event</strong>, such as an SMTP server receiving
  an inbound message, where the triggering input arrives from outside
  the enterprise boundary; or</t>
        <t>(c) <strong>An automated workload trigger</strong>, with no direct external caller,
  such as a scheduled job or an event-driven pipeline invocation.</t>
        <t>In all cases, the workload that first handles the transaction requests
a Txn-Token from the TTS, presenting whatever inbound credential or
context is available.  The TTS validates the inbound context and
mints a Txn-Token that captures the Initiating Principal's identity
(which may be a user identity, a system identity, or a workload
identity), the purpose of the transaction (<tt>scope</tt>), and relevant
request parameters (<tt>rctx</tt>).  The Txn-Token is propagated to all
downstream workloads within Trust Domain A that participate in
processing the transaction.</t>
      </section>
      <section anchor="cross-domain-invocation">
        <name>Cross-Domain Invocation</name>
        <t>When a Requesting Workload within Trust Domain A determines that it
needs to call a Protected Resource in Trust Domain B in order to
complete the transaction, it follows the flow defined in this profile.
The complete end-to-end sequence is illustrated in <xref target="fig-flow"/>.</t>
        <figure anchor="fig-flow">
          <name>Transaction Token Chaining Flow</name>
          <artwork type="ascii-art"><![CDATA[
+----------+  +----------+  +---------+  +---------+  +---------+  +---------+
|Initiating|  |Requesting|  |   TTS   |  |  AS-A   |  |  AS-B   |  |Protected|
| Request  |  | Workload |  |(Trust A)|  |(Trust A)|  |(Trust B)|  |Resource |
|(Perimeter|  |(Trust A) |  |         |  |         |  |         |  |(Trust B)|
| Trust A) |  |          |  |         |  |         |  |         |  |         |
+-----+----+  +-----+----+  +----+----+  +----+----+  +----+----+  +----+----+
      |             |            |            |            |            |
      | (1) Inbound |            |            |            |            |
      | Request     |            |            |            |            |
      | (any origin)|            |            |            |            |
      |------------>|            |            |            |            |
      |             |            |            |            |            |
      |             | (2) Request|            |            |            |
      |             | Txn-Token  |            |            |            |
      |             |----------->|            |            |            |
      |             |            |            |            |            |
      |             | (3) Txn-Token           |            |            |
      |             |< - - - - - |            |            |            |
      |             |            |            |            |            |
      |             | (4) Discover AS-B       |            |            |
      |             | (RFC9728)  |            |            |            |
      |             |......................................|            |
      |             |            |            |            |            |
      |             | (5) Token Exchange      |            |            |
      |             | [RFC8693]  |            |            |            |
      |             | subject_token=Txn-Token |            |            |
      |             | audience=AS-B issuer URL|            |            |
      |             |------------------------>|            |            |
      |             |            |            |            |            |
      |             | (6) JWT Authorization   |            |            |
      |             | Grant      |            |            |            |
      |             |< - - - - - - - - - - - -|            |            |
      |             |            |            |            |            |
      |             | (7) Present JWT Grant   |            |            |
      |             | [RFC7523]  |            |            |            |
      |             |------------------------------------->|            |
      |             |            |            |            |            |
      |             | (8) Access Token        |            |            |
      |             |< - - - - - - - - - - - - - - - - - - |            |
      |             |            |            |            |            |
      |             | (9) Call Protected Resource          |            |
      |             |-------------------------------------------------->|
      |             |            |            |            |            |
]]></artwork>
        </figure>
        <t>The steps are as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>An inbound request arrives at the Requesting Workload's perimeter.</t>
          </li>
          <li>
            <t>The Requesting Workload (or the first workload within Trust Domain
A that receives the transaction) requests a Txn-Token from the TTS.</t>
          </li>
          <li>
            <t>The TTS issues a Txn-Token to the Requesting Workload.  The
Txn-Token is scoped to Trust Domain A and <bcp14>MUST NOT</bcp14> be presented
to any entity outside Trust Domain A.</t>
          </li>
          <li>
            <t>The Requesting Workload discovers AS-B using the mechanisms defined
in Section 2.2 of <xref target="I-D.ietf-oauth-identity-chaining"/>.</t>
          </li>
          <li>
            <t>The Requesting Workload presents the Txn-Token as the <tt>subject_token</tt>
in an OAuth 2.0 Token Exchange <xref target="RFC8693"/> request to AS-A,
identifying AS-B in the <tt>audience</tt> parameter and optionally
specifying the target Protected Resource in the <tt>resource</tt>
parameter.</t>
          </li>
          <li>
            <t>AS-A validates the Txn-Token, applies subject
identifier mapping (<xref target="subject-identifier-mapping"/>) and claims
minimization (<xref target="claims-transcription"/>), and issues a signed JWT
Authorization Grant.  The Txn-Token is consumed entirely within
Trust Domain A and is not forwarded.</t>
          </li>
          <li>
            <t>The Requesting Workload presents the JWT Authorization Grant to
AS-B using the JWT Profile for OAuth 2.0 Authorization Grants
<xref target="RFC7523"/>.</t>
          </li>
          <li>
            <t>AS-B validates the JWT Authorization Grant and issues an access
token for the Protected Resource.</t>
          </li>
          <li>
            <t>The Requesting Workload calls the Protected Resource with the
access token, completing the cross-domain portion of the
transaction.</t>
          </li>
        </ol>
      </section>
      <section anchor="chaining-across-multiple-trust-domains">
        <name>Chaining Across Multiple Trust Domains</name>
        <t>Trust Domain A and Trust Domain B are roles when crossing from one Trust Domain to another, not fixed positions in a deployment. The profile in this specification <bcp14>MAY</bcp14> be applied recursively, allowing a single transaction to traverse any number of Trust Domains.</t>
        <t>When the Requesting Workload calls the Protected Resource in Trust Domain B (Step 9 of Figure 1), that call is an ordinary inbound request at Trust Domain B's perimeter (<xref target="txn-token-in-domain"/>). The receiving workload <bcp14>MAY</bcp14> exchange the inbound access token for a Txn-Token issued by Trust Domain B's own TTS, following <xref target="I-D.ietf-oauth-transaction-tokens"/>. If a workload in Trust Domain B's Internal Call Chain subsequently needs to call a Protected Resource in Trust Domain C, it applies this profile unchanged, with Trust Domain B now in the role of Trust Domain A and Trust Domain C in the role of Trust Domain B.</t>
        <t>Each time a Trust Domain boundary is crossed, it is self-contained and is governed solely by the Cross-Domain Trust Agreement between the two Trust Domains directly involved. The originating Authorization Server applies its own claims transcription and minimization policy <xref target="claims-transcription"/>, and no Txn-Token leaves its Trust Domain. Whether Authorization Server B propagates the txn claim it receives (<xref target="mandatory-transcription"/>) into the access token it issues, and whether Trust Domain B's TTS includes it in the Txn-Token it mints, are deployment decisions.  Deployments requiring end-to-end correlation <bcp14>SHOULD</bcp14> specify in the applicable Cross-Domain Trust Agreements how the originating transaction identifier and any other context are carried forward at each crossing. Deployments seeking to limit cross-domain linkability <bcp14>SHOULD</bcp14> instead generate independent transaction identifiers in each Trust Domain (see <xref target="privacy-considerations"/>).</t>
      </section>
    </section>
    <section anchor="transaction-token-as-subject-token">
      <name>Transaction Token as Subject Token</name>
      <section anchor="subject-token-requirements">
        <name>Subject Token Requirements</name>
        <t>When this profile is used, the <tt>subject_token</tt> in the Token Exchange
request (Step 5 of <xref target="fig-flow"/>) <bcp14>MUST</bcp14> be a Txn-Token as defined in
<xref target="I-D.ietf-oauth-transaction-tokens"/>.</t>
        <t>The <tt>subject_token_type</tt> parameter <bcp14>MUST</bcp14> be:</t>
        <sourcecode type="abnf"><![CDATA[
subject_token_type =
    "urn:ietf:params:oauth:token-type:txn_token"
]]></sourcecode>
        <t>This value is defined in <xref target="I-D.ietf-oauth-transaction-tokens"/>.</t>
        <t>The Txn-Token presented as the <tt>subject_token</tt> <bcp14>MUST</bcp14> satisfy all of
the validity requirements specified in
<xref target="I-D.ietf-oauth-transaction-tokens"/>, including:</t>
        <ul spacing="normal">
          <li>
            <t>The Txn-Token <bcp14>MUST NOT</bcp14> be expired.</t>
          </li>
          <li>
            <t>The Txn-Token <bcp14>MUST</bcp14> be signed and verifiable by AS-A using keys
published by the TTS.</t>
          </li>
          <li>
            <t>The Txn-Token's <tt>aud</tt> claim <bcp14>MUST</bcp14> identify AS-A (or a value that
AS-A accepts as a valid audience for presented subject tokens).</t>
          </li>
        </ul>
        <t>A Txn-Token failing any of the above checks <bcp14>MUST</bcp14> be rejected per
Section 2.2.2 of <xref target="RFC8693"/>.</t>
      </section>
      <section anchor="txn-token-initiating-principal-context">
        <name>Txn-Token Initiating Principal Context</name>
        <t>The Txn-Token's <tt>sub</tt> claim identifies the Initiating Principal of
the transaction.  The Initiating Principal type is not constrained
by this profile; a Txn-Token may represent any originating context
defined by the Transaction Token specification
<xref target="I-D.ietf-oauth-transaction-tokens"/>.  The following are common
examples:</t>
        <dl>
          <dt>Human User Identity:</dt>
          <dd>
            <t>The <tt>sub</tt> claim identifies a human user whose identity was
established when the transaction entered Trust Domain A via an
OAuth 2.0-protected API call.  In this case the <tt>sub</tt> value is
typically derived from the user's identity in the external access
token presented at the API gateway, and the Txn-Token's <tt>rctx</tt>
claim captures relevant attributes of the external request (such
as the OAuth client identifier and originating IP address).</t>
          </dd>
          <dt>System Identity:</dt>
          <dd>
            <t>The <tt>sub</tt> claim identifies an internal system component (such as
an SMTP server or a messaging gateway) acting in its own right,
with no external user as the Initiating Principal.  The <tt>scope</tt>
claim is particularly significant in this case, as it conveys the
reason for the transaction in the absence of a user-facing
authorization context.</t>
          </dd>
          <dt>Workload Identity:</dt>
          <dd>
            <t>The <tt>sub</tt> claim identifies an automated workload (such as a
scheduled job or pipeline service).  Workload identifiers <bcp14>MAY</bcp14> take
the form of SPIFFE URIs <xref target="I-D.ietf-wimse-arch"/> when
WIMSE-compatible infrastructure is in use within Trust Domain A.</t>
          </dd>
        </dl>
        <t>The above examples are illustrative; other Initiating Principal types
are possible.  The claims transcription rules in
<xref target="claims-transcription"/> and the subject identifier mapping rules in
<xref target="subject-identifier-mapping"/> apply regardless of which Initiating
Principal type the Txn-Token represents.  AS-A <bcp14>MUST</bcp14> map the <tt>sub</tt>
claim to an identifier appropriate for Trust Domain B, applying the
mapping logic defined in the Cross-Domain Trust Agreement for the
Initiating Principal type in question.</t>
      </section>
      <section anchor="token-exchange-request-parameters">
        <name>Token Exchange Request Parameters</name>
        <t>In addition to the subject token requirements in
<xref target="subject-token-requirements"/>, the Token Exchange request
(<xref target="RFC8693"/> Section 2.1) <bcp14>MUST</bcp14> include the following parameters when
this profile is in use.</t>
        <section anchor="identifying-the-target-authorization-server-and-resource">
          <name>Identifying the Target Authorization Server and Resource</name>
          <t>This profile uses the <tt>audience</tt> and <tt>resource</tt> parameters following
the convention in <xref target="I-D.ietf-oauth-identity-assertion-authz-grant"/>
Section 4.3.  The two parameters serve distinct purposes and <bcp14>MUST NOT</bcp14>
be conflated.</t>
          <dl>
            <dt><tt>audience</tt>:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  The <tt>issuer</tt> identifier of AS-B (<xref target="RFC8414"/> Section 2).
Becomes the <tt>aud</tt> claim of the JWT Authorization Grant.
Implementations <bcp14>MUST</bcp14> use this parameter to identify AS-B and <bcp14>MUST
NOT</bcp14> pass the AS-B issuer URL as <tt>resource</tt>.</t>
            </dd>
            <dt><tt>resource</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>.  A URI identifying the Protected Resource (resource
server) in Trust Domain B, as defined in <xref target="RFC8707"/> Section 2.
When present, AS-A <bcp14>SHOULD</bcp14> propagate this value into the <tt>resource</tt>
claim of the JWT Authorization Grant.</t>
            </dd>
          </dl>
        </section>
        <section anchor="remaining-parameters">
          <name>Remaining Parameters</name>
          <dl>
            <dt><tt>grant_type</tt>:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  The value <bcp14>MUST</bcp14> be
<tt>urn:ietf:params:oauth:grant-type:token-exchange</tt>.</t>
            </dd>
            <dt><tt>subject_token</tt>:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  The Txn-Token as described in
<xref target="subject-token-requirements"/>.</t>
            </dd>
            <dt><tt>subject_token_type</tt>:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  The value <bcp14>MUST</bcp14> be
<tt>urn:ietf:params:oauth:token-type:txn_token</tt>.</t>
            </dd>
            <dt><tt>requested_token_type</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>.  When present, the value <bcp14>MUST</bcp14> be
<tt>urn:ietf:params:oauth:token-type:jwt</tt>.  If absent, AS-A <bcp14>MUST</bcp14>
still produce a JWT Authorization Grant conforming to this profile
when the other parameters conform to this profile.</t>
            </dd>
            <dt><tt>scope</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>.  Space-separated list of scopes requested for the JWT
Authorization Grant.  AS-A <bcp14>MUST NOT</bcp14> issue a grant with scope
exceeding the <tt>scope</tt> claim of the presented Txn-Token (see
<xref target="claims-transcription"/>).</t>
            </dd>
          </dl>
          <t>The <tt>actor_token</tt> and <tt>actor_token_type</tt> parameters defined in
<xref target="RFC8693"/> are not used in this profile.</t>
        </section>
        <section anchor="example-token-exchange-request">
          <name>Example Token Exchange Request</name>
          <t>The following is a non-normative example conforming to this profile.
A mail service workload in an enterprise (Trust Domain A) has
received an SMTP message and holds a Txn-Token representing a
<tt>mail-delivery</tt> transaction.  The mail service needs to call a
spam-rating API operated by a partner spam service whose
Authorization Server is <tt>https://as.spamsvc.example</tt> and whose
spam-rating API is <tt>https://api.spamsvc.example/spam-rating</tt>.</t>
          <sourcecode type="http-message"><![CDATA[
POST /token HTTP/1.1
Host: as.enterprise.example
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer <mail-service-client-credential>

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
&subject_token=<txn-token>
&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Atxn_token
&audience=https%3A%2F%2Fas.spamsvc.example
&resource=https%3A%2F%2Fapi.spamsvc.example%2Fspam-rating
&scope=spam.rating.read
]]></sourcecode>
        </section>
        <section anchor="token-exchange-response">
          <name>Token Exchange Response</name>
          <t>If the request is valid and the Requesting Workload is authorized to
receive a JWT Authorization Grant for the indicated audience, AS-A
returns a Token Exchange response as defined in Section 2.2 of
<xref target="RFC8693"/>.</t>
          <dl>
            <dt><tt>access_token</tt>:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  The JWT Authorization Grant.  (Token Exchange uses the
<tt>access_token</tt> field for the returned token for historical
compatibility reasons; this is not an OAuth access token.)</t>
            </dd>
            <dt><tt>issued_token_type</tt>:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  The value <bcp14>MUST</bcp14> be
<tt>urn:ietf:params:oauth:token-type:jwt</tt>.</t>
            </dd>
            <dt><tt>token_type</tt>:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  The value <bcp14>MUST</bcp14> be <tt>N_A</tt>.</t>
            </dd>
            <dt><tt>expires_in</tt>:</dt>
            <dd>
              <t><bcp14>RECOMMENDED</bcp14>.  The lifetime of the JWT Authorization Grant in
seconds.  This value <bcp14>SHOULD</bcp14> reflect the <tt>exp</tt> claim of the
returned grant JWT and <bcp14>SHOULD</bcp14> be short (see
<xref target="jwt-claims-requirements"/>).</t>
            </dd>
            <dt><tt>refresh_token</tt>:</dt>
            <dd>
              <t>This parameter <bcp14>SHOULD NOT</bcp14> be present.</t>
            </dd>
          </dl>
          <t>On error, AS-A returns an error response as defined in Section 5.2
of <xref target="RFC6749"/> and Section 2.2.2 of <xref target="RFC8693"/>.</t>
          <sourcecode type="http-message"><![CDATA[
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store

{
  "access_token": "eyJ...<JWT Authorization Grant>...",
  "issued_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_type": "N_A",
  "expires_in": 60
}
]]></sourcecode>
        </section>
      </section>
    </section>
    <section anchor="processing-rules">
      <name>Processing Rules</name>
      <section anchor="as-a-processing-rules">
        <name>AS-A Processing Rules</name>
        <t>Upon receipt of a Token Exchange request conforming to this profile,
AS-A <bcp14>MUST</bcp14> perform the following steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>Authenticate the client (Requesting Workload) using the mechanisms
specified in Section 5.1 of <xref target="I-D.ietf-oauth-identity-chaining"/>
and Section 2.5 of <xref target="RFC9700"/>.</t>
          </li>
          <li>
            <t>Validate the Txn-Token signature using the public keys of the TTS
that issued it.  AS-A <bcp14>MUST</bcp14> be configured with the TTS's <tt>jwks_uri</tt>
or equivalent key material.</t>
          </li>
          <li>
            <t>Validate that the Txn-Token is not expired.</t>
          </li>
          <li>
            <t>Validate that the <tt>aud</tt> claim of the Txn-Token identifies AS-A
or a value AS-A is configured to accept as a valid audience for
presented subject tokens.</t>
          </li>
          <li>
            <t>Verify that the <tt>audience</tt> value identifies a known AS-B for which
a Cross-Domain Trust Agreement has been established.  AS-A <bcp14>MUST
NOT</bcp14> accept a resource server URI in <tt>audience</tt> in place of an
AS-B issuer identifier.  If the audience is unknown or disallowed
by policy, AS-A <bcp14>MUST</bcp14> return an error per Section 2.2.2 of
<xref target="RFC8693"/>.</t>
          </li>
          <li>
            <t>If the <tt>resource</tt> parameter is present, validate that it
identifies a Protected Resource within Trust Domain B consistent
with the indicated AS-B.  AS-A <bcp14>SHOULD</bcp14> propagate the <tt>resource</tt>
value into the <tt>resource</tt> claim of the JWT Authorization Grant.</t>
          </li>
          <li>
            <t>Validate that the requested <tt>scope</tt>, if present, does not exceed
the <tt>scope</tt> claim of the Txn-Token.  AS-A <bcp14>MUST NOT</bcp14> issue a JWT
Authorization Grant with broader scope than the Txn-Token asserts.</t>
          </li>
          <li>
            <t>Determine the Initiating Principal type from the Txn-Token and
apply the appropriate subject identifier mapping as described in
<xref target="subject-identifier-mapping"/>.  If no mapping can be determined,
AS-A <bcp14>MUST</bcp14> return an error.</t>
          </li>
          <li>
            <t>Apply claims transcription and minimization policy as described in
<xref target="claims-transcription"/>.</t>
          </li>
          <li>
            <t>Construct and sign the JWT Authorization Grant as described in
<xref target="jwt-authorization-grant"/>, setting the <tt>aud</tt> claim to the AS-B
issuer identifier resolved in step 5.</t>
          </li>
          <li>
            <t>Return the JWT Authorization Grant in the Token Exchange response
as described in <xref target="token-exchange-request-parameters"/>.</t>
          </li>
        </ol>
      </section>
      <section anchor="as-b-processing-rules">
        <name>AS-B Processing Rules</name>
        <t>Upon receipt of a JWT Bearer grant request (<xref target="RFC7523"/>) conforming
to this profile, AS-B <bcp14>MUST</bcp14> perform the following steps in addition
to the processing rules specified in Section 2.4.2 of
<xref target="I-D.ietf-oauth-identity-chaining"/>:</t>
        <ol spacing="normal" type="1"><li>
            <t>Validate the <tt>typ</tt> header of the JWT Authorization Grant.  The
value <bcp14>MUST</bcp14> be <tt>txn-chain+jwt</tt> as defined in <xref target="jwt-authorization-grant"/>.</t>
          </li>
          <li>
            <t>Validate that the <tt>aud</tt> claim matches AS-B's own issuer identifier.</t>
          </li>
          <li>
            <t>Validate that the <tt>iss</tt> claim identifies an AS-A with which a
Cross-Domain Trust Agreement has been established, and validate
the JWT signature using the public keys advertised by that AS-A.</t>
          </li>
          <li>
            <t>Validate that the JWT is not expired and that the <tt>jti</tt> value has
not been previously presented (single-use enforcement).</t>
          </li>
          <li>
            <t>Resolve the subject from the <tt>sub</tt> claim according to the mapping
rules defined in the Cross-Domain Trust Agreement.  AS-B <bcp14>SHOULD</bcp14>
evaluate the <tt>sub</tt> claim against its configured cross-domain
access policy; supplementary identifiers in <tt>txn_claims</tt> (e.g.,
<tt>email</tt>) <bcp14>MAY</bcp14> also be used for subject resolution where the
Cross-Domain Trust Agreement permits.  If subject resolution fails
and the Cross-Domain Trust Agreement does not permit Just-In-Time
provisioning, AS-B <bcp14>MUST</bcp14> return an error.</t>
          </li>
          <li>
            <t>If present, evaluate the <tt>txn_claims</tt> claim to apply
context-aware authorization policy (see <xref target="claims-transcription"/>),
for example verifying that the <tt>scope</tt> value is consistent with
the requested scope.</t>
          </li>
          <li>
            <t>Issue an access token constrained by the <tt>scope</tt> and, if present,
the <tt>resource</tt> claim in the JWT Authorization Grant.  AS-B <bcp14>SHOULD
NOT</bcp14> issue refresh tokens, consistent with Section 5.4 of
<xref target="I-D.ietf-oauth-identity-chaining"/>.</t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="jwt-authorization-grant">
      <name>JWT Authorization Grant</name>
      <section anchor="grant-format">
        <name>Grant Format</name>
        <t>The JWT Authorization Grant produced by AS-A in response to a Token
Exchange request conforming to this profile is a JWT <xref target="RFC7519"/>
that <bcp14>MUST</bcp14> conform to the JWT Authorization Grant requirements
specified in Section 2.3.3 of <xref target="I-D.ietf-oauth-identity-chaining"/>.</t>
        <section anchor="jwt-header">
          <name>JWT Header</name>
          <dl>
            <dt>typ:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  The value <bcp14>MUST</bcp14> be <tt>txn-chain+jwt</tt> (<xref target="RFC8725"/>).</t>
            </dd>
            <dt>alg:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  An asymmetric signing algorithm.  Deployments <bcp14>SHOULD</bcp14>
use PS256, PS384, PS512, ES256, ES384, or ES512 as defined in
<xref target="RFC7519"/>.  The <tt>none</tt> algorithm and symmetric algorithms are
prohibited.</t>
            </dd>
            <dt>kid:</dt>
            <dd>
              <t><bcp14>RECOMMENDED</bcp14>.  The key identifier corresponding to the signing key.</t>
            </dd>
          </dl>
        </section>
        <section anchor="jwt-claims-requirements">
          <name>JWT Claims Requirements</name>
          <t>The following claims <bcp14>MUST</bcp14> be present:</t>
          <dl>
            <dt>iss:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  The Issuer identifier of AS-A (<xref target="RFC8414"/> Section 2).</t>
            </dd>
            <dt>sub:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  The Initiating Principal's identity as mapped by AS-A
according to <xref target="subject-identifier-mapping"/>.  The value <bcp14>MUST</bcp14> be
meaningful to AS-B within the context of the Cross-Domain Trust
Agreement.</t>
            </dd>
            <dt>aud:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  The Issuer URL of AS-B, derived from the <tt>audience</tt>
parameter of the Token Exchange request.  <bcp14>MUST</bcp14> be a single value.</t>
            </dd>
            <dt>iat:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  Issuance time (<xref target="RFC7519"/> Section 4.1.6).</t>
            </dd>
            <dt>exp:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  Expiration time (<xref target="RFC7519"/> Section 4.1.4).  The
lifetime <bcp14>SHOULD</bcp14> be short.  Deployments <bcp14>SHOULD</bcp14> use a value no
greater than 300 seconds and <bcp14>SHOULD</bcp14> prefer values of 60 seconds or
less, consistent with the short-lived nature of Txn-Tokens.</t>
            </dd>
            <dt>jti:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  A unique identifier for this JWT (<xref target="RFC7519"/> Section
4.1.7).  AS-B <bcp14>MUST</bcp14> enforce single-use semantics by tracking
presented <tt>jti</tt> values within the grant's validity window.</t>
            </dd>
            <dt>scope:</dt>
            <dd>
              <t><bcp14>RECOMMENDED</bcp14>.  The authorized scope (<xref target="RFC6749"/> Section 3.3).
<bcp14>MUST NOT</bcp14> be wider than the <tt>scope</tt> claim of the source Txn-Token.</t>
            </dd>
          </dl>
          <t>The following claims <bcp14>SHOULD</bcp14> be present:</t>
          <dl>
            <dt>txn:</dt>
            <dd>
              <t>The unique transaction identifier from the originating Txn-Token
(<xref target="I-D.ietf-oauth-transaction-tokens"/>).  AS-B <bcp14>SHOULD</bcp14> record this
value in its audit logs.</t>
            </dd>
          </dl>
          <t>The following claims <bcp14>MAY</bcp14> be present:</t>
          <dl>
            <dt>resource:</dt>
            <dd>
              <t>A URI or array of URIs identifying the Protected Resource(s) in
Trust Domain B (<xref target="RFC8707"/> Section 2), derived from the <tt>resource</tt>
parameter of the Token Exchange request.  AS-B <bcp14>SHOULD</bcp14> use this to
issue a resource-bound access token.</t>
            </dd>
            <dt>txn_claims:</dt>
            <dd>
              <t>A JSON object containing a curated subset of Txn-Token claims,
selected and minimized per the policy in <xref target="claims-transcription"/>.
AS-B <bcp14>MAY</bcp14> use these claims for context-aware authorization decisions.</t>
            </dd>
            <dt>cnf:</dt>
            <dd>
              <t>If sender-constraining is in use (see <xref target="sender-constraining"/>),
the confirmation method claim conveying the Requesting Workload's
public key, as defined in <xref target="RFC7800"/>.</t>
            </dd>
          </dl>
        </section>
        <section anchor="example-jwt-authorization-grant">
          <name>Example JWT Authorization Grant</name>
          <t>The following is a non-normative example corresponding to the mail
service scenario in <xref target="token-exchange-request-parameters"/>.  The
Initiating Principal is the mail service's system identity
(<tt>mail-gateway@enterprise.example</tt>) and the Txn-Token's <tt>rctx</tt>
carries the SMTP envelope sender.  The <tt>scope</tt> and a minimized <tt>rctx</tt>
are transcribed into <tt>txn_claims</tt>.</t>
          <t>Header:</t>
          <sourcecode type="json"><![CDATA[
{
  "typ": "txn-chain+jwt",
  "alg": "ES256",
  "kid": "as-enterprise-2026-01"
}
]]></sourcecode>
          <t>Claims:</t>
          <sourcecode type="json"><![CDATA[
{
  "iss": "https://as.enterprise.example",
  "sub": "mail-gateway@enterprise.example",
  "aud": "https://as.spamsvc.example",
  "iat": 1746700000,
  "exp": 1746700060,
  "jti": "8f14e45f-ceee-467a-a19e-ab8f290a1f30",
  "scope": "spam.rating.read",
  "resource": "https://api.spamsvc.example/spam-rating",
  "txn": "a9b2c3d4-e5f6-7890-abcd-ef1234567890",
  "txn_claims": {
    "scope": "mail-delivery",
    "rctx": {
      "smtp_from": "sender@external.example"
    }
  }
}
]]></sourcecode>
          <t>The <tt>aud</tt> claim (<tt>https://as.spamsvc.example</tt>) identifies the
authorization server of Trust Domain B.  The <tt>resource</tt> claim
(<tt>https://api.spamsvc.example/spam-rating</tt>) identifies the specific
API endpoint.  These are distinct values serving distinct purposes.</t>
        </section>
      </section>
    </section>
    <section anchor="claims-transcription">
      <name>Claims Transcription</name>
      <t>This profile constrains and extends the claims transcription rules of
Section 2.5 of <xref target="I-D.ietf-oauth-identity-chaining"/> as follows.</t>
      <section anchor="mandatory-transcription">
        <name>Mandatory Transcriptions</name>
        <t>AS-A <bcp14>MUST</bcp14> derive the <tt>sub</tt> claim of the JWT Authorization Grant from
the <tt>sub</tt> claim of the Txn-Token, applying the subject identifier
mapping defined in <xref target="subject-identifier-mapping"/>.</t>
        <t>AS-A <bcp14>MUST</bcp14> include the <tt>txn</tt> claim from the Txn-Token as the <tt>txn</tt>
claim in the JWT Authorization Grant, preserving the transaction
correlation identifier across the domain boundary.</t>
      </section>
      <section anchor="constrained-scope-transcription">
        <name>Constrained Scope Transcription</name>
        <t>The scope in the JWT Authorization Grant <bcp14>MUST</bcp14> be the intersection of
the Txn-Token's <tt>scope</tt> claim and the <tt>scope</tt> parameter of the Token
Exchange request (if present).  AS-A <bcp14>MUST NOT</bcp14> expand scope beyond the
Txn-Token's scope under any circumstances.</t>
      </section>
      <section anchor="subject-identifier-mapping">
        <name>Subject Identifier Mapping</name>
        <t>The <tt>sub</tt> claim of the Txn-Token identifies the Initiating Principal
within Trust Domain A's namespace.  AS-A <bcp14>MUST</bcp14> translate this
identifier to a form that is both meaningful and authorized for use
in Trust Domain B, according to the mapping rules defined in the
Cross-Domain Trust Agreement.  The Cross-Domain Trust Agreement <bcp14>MUST</bcp14>
define mapping rules for every Initiating Principal type that may
appear in Txn-Tokens exchanged under this profile.  If no mapping
can be determined for the Initiating Principal presented, AS-A <bcp14>MUST</bcp14>
deny the Token Exchange request.</t>
      </section>
      <section anchor="claims-minimization">
        <name>Claims Minimization</name>
        <t>Txn-Tokens <bcp14>MUST NOT</bcp14> be forwarded across trust boundaries.
The JWT Authorization Grant is the only artifact that crosses the
boundary, and AS-A <bcp14>MUST</bcp14> apply strict claims minimization.</t>
        <t>The optional <tt>txn_claims</tt> object in the JWT Authorization Grant <bcp14>MAY</bcp14>
carry a curated subset of Txn-Token claims that are relevant to
AS-B's authorization policy.  AS-A <bcp14>MUST</bcp14> apply the following
minimization rules:</t>
        <dl>
          <dt>Scope Claim (<tt>scope</tt>):</dt>
          <dd>
            <t><bcp14>SHOULD</bcp14> be included when it is meaningful to AS-B's authorization
policy (e.g., to enable the Protected Resource to apply different
handling based on transaction type).</t>
          </dd>
          <dt>Requester Context (<tt>rctx</tt>):</dt>
          <dd>
            <t><bcp14>MAY</bcp14> be included in a minimized form.  Information relevant to the
cross-domain request (e.g., the originating client IP address for
a user-initiated transaction, or the SMTP envelope sender address
for a mail delivery transaction) <bcp14>MAY</bcp14> be included.  Internal
network addresses, intermediate workload identifiers, and
internal infrastructure topology details <bcp14>MUST</bcp14> be omitted.</t>
          </dd>
          <dt>Internal Call Chain:</dt>
          <dd>
            <t>Claims that record intermediate workloads or the internal call
chain within Trust Domain A <bcp14>MUST NOT</bcp14> be included in <tt>txn_claims</tt>.</t>
          </dd>
          <dt>Supplementary Identity Claims:</dt>
          <dd>
            <t>For human user Initiating Principals, claims such as <tt>email</tt> <bcp14>MAY</bcp14>
be included in <tt>txn_claims</tt> if the Cross-Domain Trust Agreement
explicitly permits their disclosure and AS-B requires them for
subject resolution.</t>
          </dd>
        </dl>
        <t>The Cross-Domain Trust Agreement <bcp14>SHOULD</bcp14> define the set of claims
permitted to appear in <tt>txn_claims</tt> and their expected semantics.</t>
      </section>
    </section>
    <section anchor="authorization-server-metadata">
      <name>Authorization Server Metadata</name>
      <t>This profile adds to the Authorization Server Metadata framework
defined in <xref target="RFC8414"/> and Section 3 of
<xref target="I-D.ietf-oauth-identity-chaining"/>.</t>
      <t>An Authorization Server that supports this profile <bcp14>MUST</bcp14> include the
value <tt>urn:ietf:params:oauth:token-type:txn_token</tt> in its
<tt>identity_chaining_requested_token_types_supported</tt> metadata
parameter.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="client-authentication">
        <name>Client Authentication</name>
        <t>The Requesting Workload <bcp14>MUST</bcp14> authenticate to AS-A when performing
the Token Exchange request.  The use of asymmetric key-based client
authentication (e.g., a JWT client assertion per <xref target="RFC7523"/>) is
<bcp14>RECOMMENDED</bcp14>.  Static shared secrets <bcp14>SHOULD NOT</bcp14> be used.  AS-A <bcp14>SHOULD</bcp14>
follow the client authentication guidance in Section 2.5 of
<xref target="RFC9700"/>.</t>
      </section>
      <section anchor="sender-constraining">
        <name>Sender Constraining Tokens</name>
        <t>AS-B <bcp14>SHOULD</bcp14> issue sender-constrained access tokens.  Both DPoP
(OAuth 2.0 Demonstrating Proof of Possession) and Mutual-TLS
(<xref target="RFC9700"/> Section 2.3) are <bcp14>RECOMMENDED</bcp14> mechanisms.</t>
        <t>When AS-A acts as the client toward AS-B (the authorization-server-
as-client topology described in Appendix B.2 of
<xref target="I-D.ietf-oauth-identity-chaining"/>), the delegated key binding
mechanism described in Appendix B.3 of that document <bcp14>SHOULD</bcp14> be used.
AS-A <bcp14>MUST</bcp14> verify proof of possession of the Requesting Workload's
key and convey it to AS-B using the <tt>cnf</tt> claim in the JWT
Authorization Grant.</t>
      </section>
      <section anchor="txn-token-confidentiality">
        <name>Txn-Token Confidentiality</name>
        <t>A Txn-Token <bcp14>MUST NOT</bcp14> be forwarded to any entity outside Trust Domain A.
All communication between the Requesting Workload and AS-A <bcp14>MUST</bcp14> be
encrypted and the Requesting Workload <bcp14>MUST</bcp14> be authenticated (e.g.,
via mutual TLS; see also <xref target="client-authentication"/>).
Txn-Token lifetimes <bcp14>SHOULD</bcp14> be short.</t>
      </section>
      <section anchor="jwt-authorization-grant-replay-prevention">
        <name>JWT Authorization Grant Replay Prevention</name>
        <t>The JWT Authorization Grant is a bearer token.  AS-B <bcp14>MUST</bcp14> enforce
single-use semantics on the <tt>jti</tt> claim.  AS-A <bcp14>SHOULD</bcp14> set a short
validity lifetime (see <xref target="jwt-claims-requirements"/>).  Additional
guidance is provided in Section 5.5 of
<xref target="I-D.ietf-oauth-identity-chaining"/>.</t>
      </section>
      <section anchor="scope-boundary-enforcement">
        <name>Scope Boundary Enforcement</name>
        <t>AS-A <bcp14>MUST</bcp14> enforce that the JWT Authorization Grant scope does not
exceed the Txn-Token's scope.  AS-B <bcp14>MUST</bcp14> independently enforce that
the access token it issues does not convey scope exceeding the JWT
Authorization Grant.  These controls together prevent the chaining
mechanism from being used to escalate privileges beyond the
originating transaction's authorized scope.</t>
      </section>
      <section anchor="cross-domain-trust-agreement-integrity">
        <name>Cross-Domain Trust Agreement Integrity</name>
        <t>Operators <bcp14>MUST</bcp14> ensure that:</t>
        <ul spacing="normal">
          <li>
            <t>AS-A issues JWT Authorization Grants only for AS-B instances with
which a bilateral Cross-Domain Trust Agreement has been explicitly
established and is actively maintained.</t>
          </li>
          <li>
            <t>AS-B accepts JWT Authorization Grants only from AS-A instances
listed in its trusted issuers configuration.</t>
          </li>
          <li>
            <t>The Cross-Domain Trust Agreement, including subject identifier
mappings and permitted <tt>txn_claims</tt>, is reviewed whenever the
participating services or their authorization policies change.</t>
          </li>
        </ul>
      </section>
      <section anchor="refresh-tokens">
        <name>Refresh Tokens</name>
        <t>AS-B <bcp14>SHOULD NOT</bcp14> issue refresh tokens.  Because Txn-Tokens are
short-lived and transaction-specific, re-obtaining a new Txn-Token
and repeating the chaining flow is the correct renewal mechanism.
Issuing a refresh token would decouple the access lifetime from the
originating transaction's authorization context and create a
persistent credential outside the control of Trust Domain A.</t>
      </section>
      <section anchor="trust-across-multiple-trust-domains">
        <name>Trust Across Multiple Trust Domains</name>
        <t>When this profile is applied recursively (<xref target="chaining-across-multiple-trust-domains"/>), trust remains strictly pairwise. An Authorization Server accepts a JWT Authorization Grant because it trusts the issuing Authorization Server under their Cross-Domain Trust Agreement, not because it has any relationship with Trust Domains further upstream. Because context propagation each time a Trust Domain boundary is crossed is a deployment decision (<xref target="chaining-across-multiple-trust-domains"/>), claims in a JWT Authorization Grant may be derived from context that the issuing Trust Domain itself received from an upstream Trust Domain.</t>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>Txn-Tokens may contain claims that relate to the Initiating
Principal, including personal identity information for
human-user-initiated transactions (e.g., user identifier, email
address, IP address) that may be subject to applicable privacy
regulations.</t>
      <t>AS-A <bcp14>MUST</bcp14> apply claims minimization (<xref target="claims-transcription"/>)
before issuing a JWT Authorization Grant.  Specifically:</t>
      <ul spacing="normal">
        <li>
          <t>Only identity claims necessary for AS-B to resolve the subject and
apply authorization policy <bcp14>SHOULD</bcp14> be included in <tt>txn_claims</tt>.</t>
        </li>
        <li>
          <t>Claims that could be used to reconstruct internal activity patterns
within Trust Domain A <bcp14>MUST NOT</bcp14> be included.</t>
        </li>
        <li>
          <t>The Cross-Domain Trust Agreement <bcp14>MUST</bcp14> specify which identity claims
AS-A is permitted to disclose to AS-B, consistent with the data
handling and privacy policies of both organizations.</t>
        </li>
      </ul>
      <t>The <tt>txn</tt> claim enables end-to-end transaction correlation across the
domain boundary.  Operators <bcp14>SHOULD</bcp14> evaluate whether the auditability
benefits outweigh the privacy implications for their specific
deployment, particularly for human-user-initiated transactions.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="jwt-typ-registration">
        <name>JWT Typ Registration</name>
        <t>This specification requests registration of the following value in
the "JSON Web Signature and Encryption Header Parameters" registry
(maintained by IANA):</t>
        <ul spacing="normal">
          <li>
            <t>Header Parameter Name: <tt>txn-chain+jwt</tt></t>
          </li>
          <li>
            <t>Header Parameter Description: JWT type for a Transaction Token
Chaining Authorization Grant as defined in this document</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Specification Document(s): <xref target="jwt-authorization-grant"/> of this
document</t>
          </li>
        </ul>
      </section>
      <section anchor="jwt-claims-registry">
        <name>JWT Claims Registry</name>
        <t>This specification requests registration of the following claim name
in the "JSON Web Token Claims" registry (maintained by IANA):</t>
        <ul spacing="normal">
          <li>
            <t>Claim Name: <tt>txn_claims</tt></t>
          </li>
          <li>
            <t>Claim Description: Transcribed claims from a Transaction Token,
included in a JWT Authorization Grant to convey cross-domain
authorization context</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Specification Document(s): <xref target="claims-transcription"/> of this
document</t>
          </li>
        </ul>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC7519">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7519"/>
          <seriesInfo name="DOI" value="10.17487/RFC7519"/>
        </reference>
        <reference anchor="RFC7521">
          <front>
            <title>Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="Y. Goland" initials="Y." surname="Goland"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification provides a framework for the use of assertions with OAuth 2.0 in the form of a new client authentication mechanism and a new authorization grant type. Mechanisms are specified for transporting assertions during interactions with a token endpoint; general processing rules are also specified.</t>
              <t>The intent of this specification is to provide a common framework for OAuth 2.0 to interwork with other identity systems using assertions and to provide alternative client authentication mechanisms.</t>
              <t>Note that this specification only defines abstract message flows and processing rules. In order to be implementable, companion specifications are necessary to provide the corresponding concrete instantiations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7521"/>
          <seriesInfo name="DOI" value="10.17487/RFC7521"/>
        </reference>
        <reference anchor="RFC7523">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7523"/>
          <seriesInfo name="DOI" value="10.17487/RFC7523"/>
        </reference>
        <reference anchor="RFC7800">
          <front>
            <title>Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="April" year="2016"/>
            <abstract>
              <t>This specification describes how to declare in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular proof-of- possession key and how the recipient can cryptographically confirm proof of possession of the key by the presenter. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7800"/>
          <seriesInfo name="DOI" value="10.17487/RFC7800"/>
        </reference>
        <reference anchor="RFC8414">
          <front>
            <title>OAuth 2.0 Authorization Server Metadata</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8414"/>
          <seriesInfo name="DOI" value="10.17487/RFC8414"/>
        </reference>
        <reference anchor="RFC8693">
          <front>
            <title>OAuth 2.0 Token Exchange</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
            <author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="January" year="2020"/>
            <abstract>
              <t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8693"/>
          <seriesInfo name="DOI" value="10.17487/RFC8693"/>
        </reference>
        <reference anchor="RFC8707">
          <front>
            <title>Resource Indicators for OAuth 2.0</title>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>This document specifies an extension to the OAuth 2.0 Authorization Framework defining request parameters that enable a client to explicitly signal to an authorization server about the identity of the protected resource(s) to which it is requesting access.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8707"/>
          <seriesInfo name="DOI" value="10.17487/RFC8707"/>
        </reference>
        <reference anchor="RFC8725">
          <front>
            <title>JSON Web Token Best Current Practices</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="D. Hardt" initials="D." surname="Hardt"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="225"/>
          <seriesInfo name="RFC" value="8725"/>
          <seriesInfo name="DOI" value="10.17487/RFC8725"/>
        </reference>
        <reference anchor="RFC9700">
          <front>
            <title>Best Current Practice for OAuth 2.0 Security</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="A. Labunets" initials="A." surname="Labunets"/>
            <author fullname="D. Fett" initials="D." surname="Fett"/>
            <date month="January" year="2025"/>
            <abstract>
              <t>This document describes best current security practice for OAuth 2.0. It updates and extends the threat model and security advice given in RFCs 6749, 6750, and 6819 to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0. Further, it deprecates some modes of operation that are deemed less secure or even insecure.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="240"/>
          <seriesInfo name="RFC" value="9700"/>
          <seriesInfo name="DOI" value="10.17487/RFC9700"/>
        </reference>
        <reference anchor="RFC9728">
          <front>
            <title>OAuth 2.0 Protected Resource Metadata</title>
            <author fullname="M.B. Jones" initials="M.B." surname="Jones"/>
            <author fullname="P. Hunt" initials="P." surname="Hunt"/>
            <author fullname="A. Parecki" initials="A." surname="Parecki"/>
            <date month="April" year="2025"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client or authorization server can use to obtain the information needed to interact with an OAuth 2.0 protected resource.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9728"/>
          <seriesInfo name="DOI" value="10.17487/RFC9728"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-identity-chaining" target="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-identity-chaining-11">
          <front>
            <title>OAuth Identity and Authorization Chaining Across Domains</title>
            <author initials="A." surname="Schwenkschuster" fullname="Arndt Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author initials="P." surname="Kasselman" fullname="Pieter Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <author initials="K." surname="Burgin" fullname="Kelley Burgin">
              <organization>MITRE</organization>
            </author>
            <author initials="M." surname="Jenkins" fullname="Michael Jenkins">
              <organization>NSA-CCSS</organization>
            </author>
            <author initials="B." surname="Campbell" fullname="Brian Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author initials="A." surname="Parecki" fullname="Aaron Parecki">
              <organization>Okta</organization>
            </author>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-identity-chaining-11"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-transaction-tokens" target="https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/">
          <front>
            <title>Transaction Tokens</title>
            <author initials="A." surname="Tulshibagwale" fullname="Atul Tulshibagwale">
              <organization>SGNL</organization>
            </author>
            <author initials="G." surname="Fletcher" fullname="George Fletcher">
              <organization>Practical Identity LLC</organization>
            </author>
            <author initials="P." surname="Kasselman" fullname="Pieter Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-transaction-tokens-08"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9068">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens</title>
            <author fullname="V. Bertocci" initials="V." surname="Bertocci"/>
            <date month="October" year="2021"/>
            <abstract>
              <t>This specification defines a profile for issuing OAuth 2.0 access tokens in JSON Web Token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to issue and consume access tokens in an interoperable manner.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9068"/>
          <seriesInfo name="DOI" value="10.17487/RFC9068"/>
        </reference>
        <reference anchor="RFC9396">
          <front>
            <title>OAuth 2.0 Rich Authorization Requests</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="J. Richer" initials="J." surname="Richer"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <date month="May" year="2023"/>
            <abstract>
              <t>This document specifies a new parameter authorization_details that is used to carry fine-grained authorization data in OAuth messages.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9396"/>
          <seriesInfo name="DOI" value="10.17487/RFC9396"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-arch" target="https://datatracker.ietf.org/doc/draft-ietf-wimse-arch/">
          <front>
            <title>Workload Identity in a Multi System Environment (WIMSE) Architecture</title>
            <author initials="J." surname="Salowey" fullname="Joseph Salowey">
              <organization>CyberArk</organization>
            </author>
            <author initials="Y." surname="Rosomakho" fullname="Yaroslav Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
              <organization/>
            </author>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-arch-07"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-workload-creds" target="https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-creds/">
          <front>
            <title>WIMSE Workload Credentials</title>
            <author initials="B." surname="Campbell" fullname="Brian Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author initials="J." surname="Salowey" fullname="Joseph Salowey">
              <organization>CyberArk</organization>
            </author>
            <author initials="A." surname="Schwenkschuster" fullname="Arndt Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author initials="Y." surname="Sheffer" fullname="Yaron Sheffer">
              <organization>Intuit</organization>
            </author>
            <author initials="Y." surname="Rosomakho" fullname="Yaroslav Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <date year="2025"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-workload-creds-00"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-identity-assertion-authz-grant" target="https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/">
          <front>
            <title>Identity Assertion JWT Authorization Grant</title>
            <author initials="A." surname="Parecki" fullname="Aaron Parecki">
              <organization>Okta</organization>
            </author>
            <author initials="K." surname="McGuinness" fullname="Karl McGuinness">
              <organization>Independent</organization>
            </author>
            <author initials="B." surname="Campbell" fullname="Brian Campbell">
              <organization>Ping Identity</organization>
            </author>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-identity-assertion-authz-grant-03"/>
        </reference>
      </references>
    </references>
    <?line 1156?>

<section anchor="use-cases">
      <name>Use Cases</name>
      <t>The following use cases illustrate the three Initiating Principal
types described in <xref target="txn-token-initiating-principal-context"/>, each
demonstrating a scenario where a workload within a Trust Domain must
call a partner service in a separate Trust Domain to complete the
transaction.</t>
      <section anchor="user-initiated-external-api-call-requiring-a-partner-service">
        <name>User-Initiated External API Call Requiring a Partner Service</name>
        <t>A financial services enterprise exposes a portfolio management API to
its customers.  A customer uses a mobile application to add a stock
to their watch list, calling <tt>POST /watchlist</tt> at the enterprise's
API gateway with an OAuth 2.0 access token.</t>
        <t>The API gateway workload requests a Txn-Token from the TTS,
presenting the user's access token as the inbound credential.  The
TTS mints a Txn-Token with <tt>sub</tt> set to the user's enterprise
identifier, <tt>scope</tt> set to <tt>watchlist-update</tt>, and <tt>rctx</tt> capturing
the mobile client's OAuth client identifier and IP address.  This
Txn-Token propagates through the internal portfolio service call
chain.</t>
        <t>To enrich the watch list entry with current market data, the
portfolio service must call a market-data API operated by a partner
financial data provider in Trust Domain B.  The portfolio service
exchanges the Txn-Token for a JWT Authorization Grant using this
profile.  AS-A maps the user's enterprise identifier to a
cross-domain user identifier agreed with the partner (e.g., the
user's email address or a pairwise identifier), and includes a
minimized <tt>txn_claims</tt> carrying <tt>scope: watchlist-update</tt>.</t>
        <t>The partner's authorization server issues an access token that
identifies the user (enabling per-user rate limiting and audit
logging at the partner) without receiving the enterprise's internal
Txn-Token, internal access token, or internal user database
identifiers.</t>
      </section>
      <section anchor="system-initiated-event-requiring-a-partner-service">
        <name>System-Initiated Event Requiring a Partner Service</name>
        <t>An enterprise mail service receives an inbound email message via
SMTP.  The SMTP server is an internal system component operating
under its own system credential; no external OAuth client is
involved.  The SMTP server requests a Txn-Token from the TTS with
<tt>sub</tt> set to its system identity (<tt>system:mail-gateway@enterprise.example</tt>),
<tt>scope</tt> set to <tt>mail-delivery</tt>, and <tt>rctx</tt> carrying the SMTP envelope
sender address and the recipient user's internal identifier.  This
Txn-Token propagates to the mail storage service workload.</t>
        <t>Before storing the message in the recipient's mailbox, the mail
storage service must call a spam-rating API operated by a partner
spam service in Trust Domain B (whose Authorization Server is
<tt>https://as.spamsvc.example</tt> and whose spam-rating API is
<tt>https://api.spamsvc.example/spam-rating</tt>).</t>
        <t>The mail storage service exchanges the Txn-Token for a JWT
Authorization Grant using this profile.  AS-A maps the system
identity to the cross-domain service identifier agreed with the spam
service, and includes a minimized <tt>txn_claims</tt> carrying
<tt>scope: mail-delivery</tt> and <tt>rctx.smtp_from</tt> (the envelope sender
address, stripped of internal routing metadata).</t>
        <t>The spam service's authorization server issues an access token for
the spam-rating API.  The spam service can apply per-sender and
per-recipient policy based on <tt>txn_claims</tt>, enabling personalized
spam filtering without requiring the enterprise to expose internal
user tokens or the Txn-Token outside its trust boundary.</t>
      </section>
      <section anchor="automated-workload-requiring-a-partner-service">
        <name>Automated Workload Requiring a Partner Service</name>
        <t>An enterprise data platform runs a nightly telemetry aggregation job.
The job is an automated workload with no direct external caller,
triggered by an internal scheduler.  The scheduler requests a
Txn-Token from the TTS with <tt>sub</tt> set to the job's SPIFFE workload
URI (<tt>spiffe://enterprise.example/telemetry/nightly-agg</tt>), <tt>scope</tt>
set to <tt>telemetry-aggregation</tt>, and no user context in <tt>rctx</tt>.</t>
        <t>To complete the aggregation, the job must query a third-party
analytics API in Trust Domain B.  The job exchanges the Txn-Token
for a JWT Authorization Grant using this profile.  AS-A maps the
SPIFFE workload URI to a cross-domain workload identifier agreed with
the analytics provider, and includes <tt>scope: telemetry-aggregation</tt>
in <tt>txn_claims</tt>.</t>
        <t>The analytics provider's authorization server issues a scoped access
token.  The <tt>txn</tt> claim in the JWT Authorization Grant allows the
analytics provider to correlate API calls to the originating job run
for billing and audit purposes, without receiving the internal SPIFFE
URI or other Trust Domain A infrastructure details.</t>
      </section>
    </section>
    <section anchor="relationship-to-related-specifications">
      <name>Relationship to Related Specifications</name>
      <t>This specification is one of a family of profiles of
<xref target="I-D.ietf-oauth-identity-chaining"/>.</t>
      <section anchor="identity-assertion-jwt-authorization-grant">
        <name>Identity Assertion JWT Authorization Grant</name>
        <t><xref target="I-D.ietf-oauth-identity-assertion-authz-grant"/> (the "ID-JAG"
specification, adopted by the OAuth Working Group as of April 2026)
targets deployments where AS-B already trusts AS-A (acting as an
IdP) for Single Sign-On (SSO) and subject resolution, using an
OpenID Connect ID Token or SAML 2.0 assertion as the subject token.</t>
        <t>The key structural differences between the two profiles are:</t>
        <dl>
          <dt>Subject Token Type:</dt>
          <dd>
            <t>The ID-JAG profile uses an OpenID Connect ID Token or SAML 2.0
assertion as the <tt>subject_token</tt>.  This profile uses a Txn-Token
(<tt>urn:ietf:params:oauth:token-type:txn_token</tt>).</t>
          </dd>
          <dt>Initiating Principal Scope:</dt>
          <dd>
            <t>The ID-JAG profile is exclusively centered on a human End-User
whose authenticated session at the IdP drives the cross-domain
access.  This profile supports all three Initiating Principal
types — human user, internal system, and automated workload —
uniformly, because Txn-Tokens capture all three.</t>
          </dd>
          <dt>Trust Relationship Basis:</dt>
          <dd>
            <t>The ID-JAG profile relies on a pre-existing SSO trust relationship
between AS-A (the IdP) and AS-B (the Resource AS) for the same
user population.  This profile relies on a bilateral Cross-Domain
Trust Agreement between AS-A and AS-B, which may exist
independently of any shared identity provider.</t>
          </dd>
          <dt><tt>audience</tt> and <tt>resource</tt> Parameters:</dt>
          <dd>
            <t>Both profiles use <tt>audience</tt> to identify AS-B (the target
authorization server) and <tt>resource</tt> (<xref target="RFC8707"/>) optionally to
identify the target Protected Resource.  These parameters serve
the same distinct purposes in both profiles: <tt>audience</tt> → AS-B
issuer URL → <tt>aud</tt> in the grant; <tt>resource</tt> → resource server URI
→ <tt>resource</tt> claim in the grant.</t>
          </dd>
          <dt><tt>client_id</tt> Requirement:</dt>
          <dd>
            <t>The ID-JAG includes a <bcp14>REQUIRED</bcp14> <tt>client_id</tt> claim identifying the
OAuth 2.0 client at AS-B acting on behalf of the resource owner.
This is appropriate where the application has a pre-registered
client relationship with AS-B.  This profile does not require a
pre-registered <tt>client_id</tt> at AS-B; the Requesting Workload's
identity is conveyed through client authentication to AS-A and the
subject mapping in the JWT Authorization Grant.</t>
          </dd>
          <dt>Multi-Tenancy:</dt>
          <dd>
            <t>The ID-JAG profile defines <tt>tenant</tt>, <tt>aud_tenant</tt>, and <tt>aud_sub</tt>
claims for multi-tenant SaaS deployments.  This profile does not
define equivalent tenant-scoping claims, as Trust Domain
boundaries are typically organizational or service-provider
boundaries rather than tenant partitions within a shared platform.</t>
          </dd>
          <dt>Rich Authorization Requests (RAR):</dt>
          <dd>
            <t>The ID-JAG profile supports the optional <tt>authorization_details</tt>
claim (<xref target="RFC9396"/>) in the grant.  This profile does not currently
define RAR integration; a future revision <bcp14>MAY</bcp14> define how
<tt>authorization_details</tt> from a Txn-Token are transcribed into the
JWT Authorization Grant.</t>
          </dd>
          <dt>SAML 2.0 Interoperability:</dt>
          <dd>
            <t>The ID-JAG profile includes SAML 2.0 identity assertion
interoperability.  This profile addresses only JWT-based
Txn-Tokens.</t>
          </dd>
          <dt>Sender Constraining:</dt>
          <dd>
            <t>Both profiles use the <tt>cnf</tt> claim to convey a sender-constraining
key to AS-B.  The ID-JAG profile embeds <tt>cnf</tt> in the ID-JAG
itself; this profile includes <tt>cnf</tt> in the JWT Authorization
Grant, derived from the Requesting Workload's client credential
presented to AS-A (see <xref target="sender-constraining"/>).</t>
          </dd>
        </dl>
        <t>The two profiles are complementary.  A deployment <bcp14>MAY</bcp14> support both:
the ID-JAG profile for human-user cross-domain access coordinated
through a shared identity provider, and this profile for any
transaction-driven cross-domain access (user-initiated,
system-initiated, or workload-initiated) where the trust relationship
is established through a bilateral Cross-Domain Trust Agreement.  An
Authorization Server implementing both <bcp14>MUST</bcp14> distinguish between them
by inspecting the JWT <tt>typ</tt> header: <tt>oauth-id-jag+jwt</tt> for the
ID-JAG profile and <tt>txn-chain+jwt</tt> for this profile.</t>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>The author would like to thank Atul Tulshibagwale, Pieter Kasselman,
Aaron Parecki, Brian Campbell, Arndt Schwenkschuster, Kelley Burgin,
Karl McGuinness, and the members of the IETF OAuth Working Group for
their foundational work on the specifications that this profile
depends on.</t>
      <t>The Transaction Tokens concept was originally developed by Atul
Tulshibagwale, George Fletcher, and Pieter Kasselman.  The OAuth
Identity and Authorization Chaining Across Domains specification was
authored by Arndt Schwenkschuster, Pieter Kasselman, Kelley Burgin,
Michael Jenkins, Brian Campbell, and Aaron Parecki.</t>
    </section>
    <section numbered="false" anchor="document-history">
      <name>Document History</name>
      <t>[[ To be removed from final specification ]]</t>
      <section numbered="false" anchor="since-draft-01">
        <name>Since Draft 01</name>
        <ul spacing="normal">
          <li>
            <t>Added Pieter Kasselman and Sean O'Dell as authors</t>
          </li>
          <li>
            <t>Fixed the sequence diagram in section 3.2</t>
          </li>
          <li>
            <t>Streamlined the text descriptions for the sequence in section 3.2</t>
          </li>
          <li>
            <t>Cleaned up language that used purpose instead of scope</t>
          </li>
        </ul>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA81963LbVrbm//0UGKVOR0wTtCTf5SSnJdlOlMSxx1I61dPV
ZYHkJoUIBNgAKJntuOv8mgeYOg8wzzKP0k8y67ZvuFC0nZyZpKsjksC+rr2u
31o7jmNVp3WmD6Od8zLJq2RSp0UenRdXOo+OVvVlUab/SOi7b+D3OnpVFrM0
09GsKKOX+EB0OtU5tLGOknzaeOXkMknzNJ/vqGQ8LvU19vI2j7l186NpckdN
i0meLGAs0zKZ1fEs0/XkUpdx7UYW1/huPJF34yW/G+8dqElS63lRrg+jqp6q
ajVepFUFr9TrJTR5+uz8uUqX5WFUl6uqPtjbewzv3BTl1bwsVsvD6Gc9bowe
xlUXkyJTV3oND04PVRTFUZHAQ/SXN6yIhlXR16lZDzNI+nZSFlUVT4sFfCdv
wzAi+UJVNazemyQrchjrWleqWiRl/ebvq6LW1WGUF2qZYv8wIP49iqqirEs9
q+zn9cJ9VAlNhYec5vDtN6PouSwofBlFvNLf6KKc6/AX+CbJZREOYRVwipMk
cxv9ww8n9KCGsWeH0Zza+NPSPGgWYDQpFq7/V6Po+6SqdLZIcm8Ar1Jd67Lx
E7R3GD3Vs+SqLqIzPVmV0Jzf5ZLe+tOUHxlV7hHp7WwUvfz8qc4yr6szneT+
t+E8T/58Fn2rk4w213ZUwTujYgqv/GlyXV3S7zQvlRflAl691rjGr5+fHOzv
P5Y/H+0/vCd/Pnh4z3z78P6++/Ng3/151/z5aG/PtHBv37Tw6MFj88Cjh3sP
7Z8H9+XPxw/ta48fHjzCP0/jpyNYoVlMxBqbDbHH5pCmaA7+1sc4OiIqjp4S
0VY73EoCm18fRpd1vawO79yZJnUCJ2NypUsawwiW+Q6c7DuX9SK7wyd709ji
/X1q1xEw/iPbejSKziaXNzq/qiaXcH6EYt0eH5X5tO59pp+u+sn0FlLdstnv
R9HxqpynzTa/B8rS6+Zv1OCL0/PXz8JWXoyi72BeKXEav5kXKSyfzlq/UkM/
nh3FJydnZ2Fbx6PoJFksx+Y0uMaOyxQOSutHausVkoEhldbevEpKPblKm3uS
lMhNG79Rcy+v6oS+AaqBJw/2Dh7Qx0qXqa7SfFYYAjjNYe1zXcdPkYKMiLid
kBpHoSVKqvAstITgh1J5a1ztHu9spO/zVVZdpuNkfpNkurmS9SrreYCW8+yb
H38IG2xyfddWF+d329zP9H+nk/LpBNBe6HjvkVLYRsipH+89eGT+vPv4QcAw
b9JFpeOknFyGdPEzKApZkUzdeqR5lEQvVlmdRmdr4DKL6Fl+nQKlL+CBaPfn
0xdnzwbAjyaXaa0n9arUH09JblQbaOc74I2gQNzodWM3visqvbxs/Uh7cbIe
6/KovAqb+ssoel1UwOWvLotGY3+Bw1xlyXXHA9Tg/6iAaiw5SXvfAlkDMy5m
Ok/njQa/TfJcV83fP4Uc3GrFew/bm3sjWxlPSj1tHH/atchu9gk8gdudZJ/A
Brp63bCNvzlf/g3p4vcXv0B5Z5d6Nmu1/BcSIs3fqEUghVVa/y4UbMnw/seS
Ybjv8d7eBvUM2WVJ/Au//0c8R4srJFDLfo7Ms9F3P593WWqfKrc2j2qzDPt4
PcBXmF5MvlmlyBya2s73SZl1/SrUMNVLnePof5+D9RuqKp1LG+/dVSqO4ygZ
V7hVtVLnl2kVVUs9SWcglGmPwfRJkW8mkZjAUTGL6kvdYZSrrbR59e7dbWbD
+/fRQsOHPK0W0FdSR6uKhuBpTYqN+11r5w+iVsNtSQ0tJxUNH+z2X0BcKvqe
hSy3+Owt9gway7t3YhXBS6X++0qDGQ38pBjXCT0O50F1eS7QY0EzxrknYn+P
i1U+Tcr1SKmjyPkmcLknxVJPseUkwldghX2TncykUi9LXcEq0djVbJVlciZM
15MCiOFtjZuT4HTQYTGHdyrfezCEhuZJOc2QmOHJm0sNzZW8xL6X4QYWCXYC
BFINQxvD7kaXK9CvcB9gckmW0dxyBV0CCYL6dvTqdEgPYufyXcXqir6GgQ+B
yuV3GDjMDBpWhmeNoogoz1CYUCBs+WVxg8uiy+t0ApS31CVMF7q+SetLWBsc
uApWawIdyFpFKSyXW+rG1oWsTPHW0UJMkhJPGlFJriewVrBvdoETJubmvg6V
zpOxLAs8NKGlNx2PNex0tYK1ROKAo5SUdQ4rKRMbKpxPsaoj/XZZEN3YRaRu
YjM7pyfgenL7rHZWaqzXBdAKDrtFc3jM86LWb37E/6uLN691MtVlpdQXQOTR
s6en5y9fH0bLTCeVBipZFNfQCnEDzSQx1tCPjpYrmCSzhi+UeppWkxU5v5gr
wPPA41ekmdbJFSziMktw43IaVsv1pYzri1QhnPc36CSL0CeCn7IUprFLh/lP
RooMhkC3YIbCiirUvUDfnkawbV8a0YMvyw9O9JBOOy6Lm0rfofbufA3Lclas
ygn7GHnwyEHpxCEd445FIsSIsMb46Ap/rZXtbg5btxqjr+YOO6isP/HOB7sX
v5atWqRTOKRKfYY8viymK2Z56qXnSaoiWCo4DDpbA5NeZsXakFNFdDxEpgac
AtplslT+CWc6pOOMf3mnEk8hUu8wWiAR4WGH/dP42AIoQBnahRPPHcEuwa+r
ugI+Ttvs+7s+B0K9yVsEeQ6PweSzTCOnTfGo0LlbUwO9rI1bT+cpnIxgOv/6
j/+E6U6y1RSnio+lvpspbJAbUqfM4NgzDC+nSzhu2JAccZqbGTJLiJtkzV8D
7dGUgIPVl2scPfYpSzOMzHGG43QVnObwACt3yv2TDETQdg94kq7aUtSpZDpl
EQBjm6Ul7AAs+cweVdjocaYXwH0bIilRFSxXHWd4toYw6PWyBmmSLC/RVAd6
q9J5DpSCbLRPfClhWbtIafot6DyZHiKhaZzzskwrIqkkmmTFampZPIzpGrau
/Lxyi6OdvTuAwZ7i8sMRya1sakcUzrg5tXt+fjZA7kDbU8A7KPSAjyWBvKMx
VR7rdLJXTZIlGtUVnad0sVjVwOeJZyyGIaUJgaaWrtTS0BU/uVyVwN6tBhVI
Zhbzmb5GOSTqBp41UBxxbDDvZ9ca6NDITCcCG2Mm+gQNBqU80bk/UVCJNWxq
Rd1dowsdjnzF5GBJYAjrUYHNREwDTl8FXBg5uneSavJz9BzU+hI405wOAPbv
iB9ZCbG8hha0gGNlVRzohpayAr2hhLfkvNM5lR7AmFbPjObxE/Kw17xghwq0
f19VIdoz3QOfypmh4fyRgbG8ZfmBQ42CpQTeBQpHShsQ7erRfATbBAcpT2BT
Ub8x7BZbIlUELJXpFJWDCqTaFR+KmwS4P0syEqPuCGoa45BWEUloQkpRFF2n
CY6PFeyD0V6gTgxIWdIREDadAVKLzUriAPIJbAmfSNMFTCRghz6PhSfpCPOQ
aA52xfx+YctOzUYaPxQqdrTkbaWvhl2b45kSacJsmSizAk0kmqZAirXtCnrl
XcPd8VYbTvKL81e00vAtU6/oWGlOvBksBVDQ5pqmPvUOH+5BCT+YiZkHIzk0
0Fi6RIqA1UGVYVy8HYzUhsV1JGpkDM+1sbpIRBvPOhK/FbbWBeRR8EuQtrce
8zS/Lq7oIBekw8OyoviB/mglfHmeLjVoANqRcAXqyHSVwW+/FGOzVWytoN2O
DcznaCrQsRYyt4TXXg/mnGbI8HqL2swYYK1CnkG0R7QVIXcA1qFBMwAltGKW
6XoTyYBbsspTZr+G6pQdii/hu9mTTEOEH7E+FZq8IjahK+CKN0y0yyXKYJAd
uWePuL0JjJChIbEJqJdMAvqtnqyYKlfADZKQ9+daT0GhKJhDuvZJ5/himqIr
Cub2RUgBpKoYnUP5Shfu8VmSnFlpOmRRC6MtpzG+sSaexVoT/DZFI7AAXo9S
utYdFHuCYgAfS+iwNJcglOv+MGG5f1qC7rrp7BLHw4POex50kFbGdErUhqNI
70w1aiyoRHoir8l0lT34xBthfMds2iC/sM3xwDrGg0qxkn2yZtwyWcRimeK6
yvbj1+a9z6twVUgDDhoGAwOOcmC8WqYaWLGmaWXexG0Mz0rgVsCfejZHFBy2
d52ctnIcuSY+jQMD42cK5l5G8tLw7Qx0+dMcuGAy7VkrZ3Q73dfo0LDMCZo/
YKUob2LemjWYBYsBMP8yzQtVXsuOKas7bWU8NKj7vNOftV10usE8tvJuOafa
XOeo5Sjn7wKNlu3bxGgssHrntGncI2g4aIze7ocqiwVNOvzxjBcRFiRsVOGM
HfUZytnq5WPkHqJbNv0fwm/H6FhouhazdIweHTRhwVQCvVQR27wsyNszM046
40hZL8kHhPwty4ob3AsxnNmABB4F+5rmNBXqCzTcf2g50WaB0SAxAxHLmRwW
1UTnSZkWZH/1O0JJsEynKX6ZIM+BbQCF0nmKYCTAWAJ2JT7HC5nPG5rPheET
Db+jUf5B1k1KWCBUajCKQaM4GN3FhdmGypjHBEwBV2i1YLNp281VR8bh4uyF
tIYtWC4zZBuTLEkX4maE8S5ZhCJzh3EsjKNnWWTpZM1mDvHzqssNJ5TLwQSn
lm9Hg0JoPY0qOrTaN/KsbU+eB6SmIs/WIrk9FkjdKEvqaeUrz7DbldYt3QjY
twaRk6MRY2g7PG+GyozTk7YH5S8So9ARDqU7EtN54qWpDR72zkDA+/dmh3nh
K+VORSX2Mq0a/drNk5OsBBmw5pWtyG5cLODn0+krOnBnZy9p782JBj5TZCtW
VlaVqAUv4WyfPo1A18jRNQ9/8mLi+0cvfmBbyK5C6Mj3mE3iVgIWtQCKXNBW
sZtPs6URs+3FLosYHRoxqaPMA4Zu2qLagXxht9tlugRZWN9oBC6exUcsKc7i
YxZoU/aZiw1MrpQEzTGrEhudrOn0dlqnZUQ8COUodrtBAPNAV3R1GYxjnMK7
YlFHMxDFJQ30hPCCQpRMoUeg+xMV8nF1K5HmS7DpPTmebjCQ0Ix35yTwQojS
2DoPR8JN0SaFCSOYgdSRBShaaeX0+vqmcIwfVfOkRPUF6N5foLguYvqsp3HA
yivkjeqzz8jmAjuU6fwHYL4rNCSJbV5pcrWAMb/z4qez850h/zf68SX9/frZ
f//p9PWzp/j32bdHP/xg/1DyxNm3L3/64an7y7158vLFi2c/PuWX4dso+Ert
vDj6yw6v/M7LV+enL388+mGHRYXvXk9wTziywLodM8wqFBvHJ6/+z//evwfy
4r8JdBC0D/6A4EH4gCYN90bMjz/CIq8VLywZIei3SZZpnWRglsG5qy7RqYt0
AQv5xV9xZf52GH05niz3730tX+CEgy/NmgVf0pq1v2m9zIvY8VVHN3Y1g+8b
Kx2O9+gvwWez7t6XX/472dDx/qN//1opdM0Dm0IHCLnicf2eooJAakH1iTTE
T6iPpqHI0ZD6GBqKfBpSQEMRkZBPQVsQUBQQkOonIDyJRaZl1WaF0e3Kgs53
SU6saWv4LHPXZIuwm0E5lxm/yzobvUpDRpQsh4Clxa2C0eSeaMcK0FVzzrYV
8vWbS3T3dFsfKNvZjTy1Sp/hmsbn1BmOQM/oWIfhV+gIvp+Sou35z7wQdchY
h11BWeTEpPCQoQmbAS2wmTxsBYSsL6oVf21y8A0zSSuyIo2anIqiVSULu4Is
0BEwx1PBBqx/jDQx6B8dPyz4faS7WAhadGjYsY422DvcDian5Npo2lg2hhZ4
cmB0nkezy48TOT8ORjdBNdHo3as41Ejg2069tWvSl0U2bTp4W66PyaosKeDq
SVgbrUaX/QQVssqBNqARPCLOuuwwQmZwBmmXSb3oikiZGEtEMRZzGBp+oY41
NY5VVAZB6/LiDpXvfk0r34Un8QZZRFQDvOEEZw6aMJPvJlLEzUBDQHa+lltL
t+zAJZUKeCievUkRZwW55p+Qswy9rZUwOPQaaQzS1NpFA7hbcQMTffsjYO/v
FvZ4tIujsAvrWFvn6/3rTSQjUZ9+a9N5CzrocIhBCS9YpI2fACjbixrdZhFC
K75NGHXYhHW/AWetQnRP16TsbruWx7SWx5+ylseda9k31E2LaQIVYgQ3wCLG
RmmzDphs+0szo9LwFzHHuoe/YUgh6/KcwlGfUxgfsiCjNls7YsF+roFdB9yD
ufAKZATuE8qWBtQo7xYgzDtAHlZLAnovEBINI7Piqeo5BByDkNCTCVIPiU9c
kl+9N05wFM7XxHlmqfWgQCsX9dv8gmm+Q7YHRj9P3bEda5ZEJrGIGfYUjwm6
sojpWTeFZSxsrBuGM3TDKquhDzHgo8XHDLqdpBUrq6Wm9atXFMwn01JbEBbo
CQucq9GQou1cmgbykDCKIWPdi9ThJ8QLPVOXnwCzED1J2K+VAMxSW5CCBnEx
D69bPrphc+tFiLADJzLfw//E3dGgaBNqlvi4/1yPVsJKhMbwfOO8+V0bT1oU
dt2hHlgzXhrGyMsGA50JqseyBzqepfNVyVRtHAHcfeAzwJCvcRkIWTBRDFHh
WqQ1BzbwFdgThkW1EXQR8z7BzdAkbtKMg8hLcSUwTZjoqThuHPUiVYIQgQcq
2zVOhOTJsAPJI6RNPaL0QacZHmxfMxQBV4maFfqB7bx5UKlEaXCnKsQ0kROa
wuMWI9aguDE8RFYdqAqe44X0xJQweuQJ2aCsAi8kVuudkBEZmC+v8YTrG2ak
Lf3rRNScnyUEF1Lgu8+ALwnMLM2l5/foY+kAvjQ5JoefLPiBl055sXXCdIp1
cqjUbjKIvvjiyAX2MApGkoQkoWeoiNb5xRdDdxYw3CvqUhOsYQPMvXgIpPkK
dIosKWnnrW9KxF0D0IEDm8PxuEnWT2DcYzvuDswqDpLDtVUvEoGD7Y145tB3
mrroOrvPMNqG+gOtjMDmzOxdlM4w/ScIE1O7Exlnh1EmHeBgSV9vgysEVIEi
z06ngQFgk49mHU9xfLmDDSDSgKndxem9CP1NYKEZmJmFH0Uh/IjPovK9hlZZ
Av17GHnGDYbeNWszvLze7sKqeMZ1co2Yz3GmPXBMqLDaJpxhpNoID8H/MuCL
ve8dqogH+FC7TMLWTicL3fxKWAsmKPcVReItVsJ8P7gNIRbtXhAjuhiEWDFl
FHiHFYNHy0n99qKN2GAOs0zm7KMuyDEzBesflA2dLG5VpdgIT8o6xYWoyZwN
AD5N2AAwrkB+nVpaUupnBlN0idXu3qc4u4UE4YhHqa0s7pZo3gLyMMQQKLui
BD+JBrHnTwrZ9Tn5CKQpnU/R94xOqQonlwuMIctWpNQZhxRI5xibJQ/TP//5
TziYkzSNYXnVH2P7zx+jqO/Tth/Ur46Mf42iX92S46coovNCf/0qtq/34Vg+
2KX9Vf1qNk0es/uGn3ZFRxn0fTge8Bhkf6C53VdG0gTvyBjkn80fXNswuu4G
PqQ590G24o/BqgafPuiDsn14//z6MR9sS7v7AzhXzN4+rSW7q58+JgJxkjo9
+KSWYu+frz9tTB/z8jYt7R4MzMp9YkuOUX/imD5m0X7/dbo78Gf48S19GcX2
3/9/ZndvEGE6TIEKi7DNj2xJCmwMPnVMo63++a9ep/uDpgvyI1v6q6Tn/e2T
xxTAcr5yNPrhLSWraYry/iuJxYOpXEY/vf7hU05wvC0P/P337sGgw+X5MS2x
m/Q3GJPPC4J//5+u08MBaKKMpMP1MrP9OBrHyj2fTON99LSJuH7/dQIed8S2
fCAUfjsqCP79r57d40F0gmZJh1HyQS1ttXeNjfwNZweWiXp3GH1mzBWuEfBV
Rx03i5B9Do/tvOd4Ppi/S/brJpWxqA6V2h9Fnr/IGLHGOdIfq/CTcsBsOhj1
Bk93JZTCLolmQkXDMWuM2yC849mDA+u7iPp8FzCauyMvfikgxxZ2u2Os4mCL
oj4Md0dIw0BJ0O9gw3HYhHgcTVKaJGa2gjP3+lduKnpMxYrMyhr31nlqoRXY
YQBPPdgenqru9w8hyCy5DUgrgwh8hNsl86OxO6TX2Qm9Fk/3sQnlXBiJfuEc
LAx2WTIAOKNiDewUXlsnCCMlu70R1KwJ2NHYbcuwJg9GbIGH7quOKKspYOAG
n8LQxH8e7b57Jw/E7tdYfn3/fkBzYMc6thDEZeFd/iUOQrjwVgO/69JA6QS1
A6FdDiiLQcZRlQj9tnGtLjIX3MisKG+ScqqnsEQPtySb3kAyFWJpkDY+3K45
2Y4Rc5ADGyCSQuFMtPxoxC2G+9Y3hK4IMJ/dW4PAj/tnz6mNPaElcg5zJCtw
oA+N48riSfxQxbIo/ZxpHGLLwdfIi3hhArP+blbRu89stjsnWMcmghv7NQ6q
90p1kEHDhYfihCFelJJly22wUz1vsDviiATcGDIxpW8xL66oGK3HeVYuLDsy
CWKMy+6KNBpwCB9GlF+TVVmB4MjWXnKClxHtV/DEj8hdNfHpfLUYtzELmIRA
DtIeibF5r9s+z90zEMPRY+zmOQYFdbRPLudEMvxTIsSinKY5Z7s35HLdaDDM
jX33rivY9H4wEnCCSf2yQhiXz8a/fP98CwyRBNyDEsHG6/ZgEE5I8QMHH9wq
R34Unc48f3x75aBtm/dK2hyRO3Jf9u3WwMA+wgt9Qg5mw8uD6Pgq53WZSkCn
sZM5aGAmhbXgcjy3nZeTjS8gjOZZgjFp2M5mGNHVP6j4lOGwUgq6YIJDjPGU
hHziwqznqDjg5wr6grWRTJNNUWyLZDfY7pBxcDQrW1MgKrtGpMK5S+Xi2HQX
jMcsrgAct0tUMSHlPhHIEjAvPKrk7A6uNhOAFH6W8jqdozt2kRhRNt/mBkXi
qaFwtBbQY1IX5boljjFsyTplcGxoe1C2WPw+DaNF16SmUtEMGn4LvYLfUYxs
SPzWS5WyWBIQ8E89FF1JgHoKELsYyKQoDSw/EhyzqEumR9qpCZVV2EQnXA6o
bux9ANFxihAXcVkzXs+F/Uot9X2mRqVA3qaR/I0QGQVTqrSmEh6w0BlQSR2K
xyzNr5JxmqGmLXNLOR1SMvsoRmYLhfUMliQQjSHYo13oGwhxCSZRMlnHE0nB
NTkMAxS/HbgA0JHPBFrBmFEU0sE3QeKDlTNhLtKKTnqHst0NGLVhSBY099kK
cBGugQVJJKE670JqbSx2J8NmqzIc1BtMDfQ1dOnsUOJq43ym2i9EX5GVvLMq
80Ps9ZDerw6p80OWZlTUG44mv7ZDxjDnbYGit6KVCkDm28/Az2w3YMqePEGa
TQX7XsGZoXo8M0oKIl0TSa/0E1lM9azt13ToaufAisUNnd03NPXbJfSDSnjn
U/CE2ARUXwQUhFlKxxqkAFk1rG9f6TVqu1RLirKUREiwEd1oGRgVGmEGYkf9
GGuNG90lNYH3Q1CajG8i5FHFeAdaK+ufJdXCrXuQQ1YNGuVJZlKNSgqTEMca
Y4GsyaWeXFV26qX+haU+aEbKs4iNTWwtUIFG2g468Y4G3hMCecyDsS0tEwtv
e98gK1w3mJeFJhpu049rMGTla/gbEP10hMQ8s6m3eqpoMx0zeRKc+I5SL+36
LsocKUMXLR4XKONbMg6eitMPSRZQlqKS+kTol/qWEi2oqIzJvDQg257lbCZn
VF5JoJuk8tF1esr2ShPbQcAfPW0qclwIBhqwxigWChPV0kCsPDAkonIsA7mw
HArRReullG4CAUIV06znqlkgRth7owiMMrapx6zYR+chqoa23kdAhQRGQXAW
rZyF17iM/bou0/EKFSE5XrZzK1UQuIRYKy+NwSYwhELfp6fTVyatEs+0lK3Z
dlvbqDA0lMG4zGU8EW1uAxlGvIhxYDgCWZmBSbhJbcJNBOO8rNH5ZGBbdtZE
SUn/QRVSFkCQXdm0EmzOKktKqdJFh8RkeQiJUAZWSof2GjixGPalTqrC+R4a
SG9mehXxTqwxSWOMZ8lEMHCdCGpQLZrlrG9f9A6I266FrSGErQlcs0A1r1CN
7ddXstDoxKqEgrZDFDLO5ezV6fPnz6KfXp9WvgB31Z0lyQ1eo7LNMSWk1umY
nAOzMjG5qozyIUbQm+J6boWH4TnEhyw2CM7mE9FZe5ku1j3EamagrTrIW6d1
U64yLZmx3eaMPbBtMK51JXqNbHIpCgDXVRgleD+h49xMVEN8hPaGKyg0Mjk4
KFqhC8fVFNMMuXSCo79Ee6rENAKi4dDaYbep8c8qM7WsmFMNCA/VdYupKsej
u3ggS8Q8Ym8N+cdI0IeuaIOyeeUAeyDjSb4bl0gsfC92oL73jL2UwhO2DkxQ
ICNQA4MN4+b931Hra6vxtvjEru8wd7rMvujxYjbKObLFONyM6MA0bQo+G6T9
fCYcwfnMz9ln3m3K586V0iibsDI1HTxPPT7uPOz+sOxYudCIzeDtVN5vq5pg
dbx7o7tyCikz3XVHMgHDKUAosEuC7qyC+I2iHLN8RonqsDZuHsgrTZKwYfkM
KbjwKR+OGXmeZcvu7d/zt4xqmh1r4FneOhnOK+K2x0uNb57aihTsKqVRryop
DusMLkwM8JTyYztFaANth2UidSgbwAjk6m6rcPr2A5VCk+RlSsYBDh3EaXqc
n7umBRWJUB603XrD0PYU7fzh3sOA3JHlXzqlZ8hMSQx967/htRBty3hkggjP
dqtNx+I1XgjE11VZOoJVIZJjM7eDLLhvsUMwJ6nbpOWy32zSBvyGFj40Ojt6
adjtXoo4BkM2sZpW8586ky7jXKiH+JeeNvvxKCnc0vqjev3lpr5AzXvGWpEh
DaF4OO9gpS+pcq/eUOgGz32BkOY5M3TH1yjLSywFVgc8tiKvNd+hVSaVsDHh
s2Uy0bHJVJ1KMUrJbKkiu2ZW+eOIXndAz8llPNecDZRERFqsyVKraPW8nWht
6/HKyMKj0JFGSl4vIqieGKRxAIFuWpTGQ0Ic3/um6RBq+JmcaENNCg3YoMKA
W088kc9YUesR482iBVQSJQdRYe/tMpreht0eqaNGWT0vHhHW1tsNVcoBZjWa
0ltTa4yYwnq4Lq0k8kadFnWBXcemeN5Fh/0fjK0R7VDN6neSuia1ef0aeW56
aCV35+7ColyY0tpJNcLXquvJSNbwQjza+Hqr6p7/5jJtvnrHe/5CAPf4eGwK
iL56CTR9hzWpb8/PX93ZH+2rb4uqPgR+N3JbYBpU5KEBhnpOF/+JExvncudt
fHNzE+Nmx6syA2FeTHXjeoRDEMpAfGX0Ja2+rEzMNm3sMl2+Vsrx/q+AL/3b
3SPkTPAf5k3wB3En+K/j7/Ah5PDqDyHI8UvrVPq68dM2HTlGiB8MA1Z/sPBH
2gf47d8OnsP/2vuo/mDEY/PR9sbBt97WwWiRkXyFX434qxGWnmLP7Gdd6nYF
RjvQizplpmN8Ciyz06m1gbrCrM1iX67KXX/ytzDRNJ9ySV/rdWQhAU2AsZhX
7RsnShlqQzcJwTUqdCResH+mX2r3qRsRsJKwe6NKowAMWo1Az8ycdODx03KY
KC3wMqyeOaFKJMY+5rAI+xWqJ8zwxF9ooTpBpcABTIdjvL+5lkDyGpr/gHaj
ix/fHNFL7PWu3qRmgW2tHXkvS2eaoqebVTxWlSpQxvNpZfKtuU/RKUs9y8ie
QwkH3Ybykrw0svYscLEjJF95Hf3vWLndCVGYdyyCNFTJBqwtzWBelx7xnIdq
vas75MHM4M2XIJPKsihF7bEULV/fRsn3RwfKuMRNTR6cxWafeYtjGy4dHezt
RS+/38CQfwESVCfJ5FLH+FBZZHjXaTzBbxATEiP5Aot4B4u249P+zmG0o9ff
jUajL3s29Wv4bQfdeDst0sWXt6FMfj18D2iPv3bEB18/2FPvmdOpz9D2MZl3
r1dUPwm4H+1H+xeswctR5SVfEtNXB6RfSRkqp/pJIZ6G/U9QT8F2ejXNGVXE
ztrdDiY76EQYOlhd2iSe/W0xhoR1CgjrviUrvM6UyOpgFP1ZQFsNfxQ6UBNy
7LkB8gUoFMIyp/38nK68lKK2BFFJQ01ZTHwC3kwtEgtfRP/4LzdX1ZtVmRIW
EJPS4ZwCV8DlwhJi6AwtQRNgfKk3VHHAB+g6ZK4uSHev6/kOB4DXhPPFkqzi
EZnoGs2IMXxmMuiIozhbX5iNAI49kTbGgP4Z44TrcIDiyRGj2g+2XOXoPCc3
Akoe8jDSPm923GHxjzGCTLxgjL9H2ASyOTOZVkkV8j7k/uAQHsfX28w4TBM4
N5yHhu1E8qCbdcEAe84zgTlM04owYwynBbXZVMZxFMQc1jHYJTLnBru0oETL
MR+MTM9d7jBOBxYz+DqgkzTElVbdoKbuQjnuxghswxK7U4eodE/U60tpomN7
HSvbulUedp0CZ/SKZTqM0plbjmmhzWFCK5bPd48V68q99FnH/QhZXp9xWeB1
TFJqAsbYROKwB7JinOlTkwfdH8klT7QDp7t2qAqTqZXB0BvrNt8QA2g7fKLN
0QCm+bywLcj9STaHm4pK9RM4A12PaJwfBNzqHGm3KwH62N8bYaCdIzi2Jtlm
6G67A9GzgiCYK61b6dpia33eawpscwWWqM03uEjuNUu/imA1OGSQrq95sTar
mt3ufTGGsMPGTGAWt0chBLtAjG4bLQOHJ4Yua6w2ouvBpwee1qGaWgf3dZvW
QY4SCY6YWvJeZQKOYXWqEweje8auul2hYOUmUBcu4KxdRJd0n9ptvMimeTQM
DTTGqZM/op3Sck33EldLe+kQ8Qu8f4bFuQHKtiVUj2qB1lh3lJYOLvEuKVaP
s/pgATwM7iEyTJaulbpF9Uqm1xiSqQxIhEsOHfXpPNhkqB25smA00V/q1Ggb
lxTWlzsP2FN8nRarKlt7esyuFI7GUIhG2p1ovp+KNJrXfHCDEJ3lxn7oG7QN
wlzPDTcQdokDYJr9gODkSBQQlqnYhMYZWUL1+50jtJbL/HjKnI9t9PIEmLU+
gaksvfrkDfwiEvEbZrQXctUMNnGB8YzsYkDR9ySrqNwseVupDn+rHLhXbvo2
iuIKURWLmo6WELdVGRPg1siulfjcbPQd5iScguAEu5512OKaQK+wPT5Tagsu
1rqsKhFugr9KLpSNcg47EeREnNxQwlxXsStBhfZl6GAr3pVrDMKTcJkhdlFi
LILRu+MLj7Q5h05FMrf0gCZ1yipNo2yhh/8yoC3TCyx+oFpZVaqpx6UbBVqb
uJ2CJW4MMSqGzfl4luM9qyZvlaAGRnaffH33WR9XJgHJDz2nGACHCPoakijR
1GIkqWaZuE+oBh6jeD/AUucgBHYoQhaLNivafyLZIH7UPzLfYaR6ZOfdD7mP
gtyz2Nu3JC2VAtF5uxeuIRwlzP3w4D47sZJs3mgD62RV6wVoLCWWVkQUFKqw
2RwLyV4uGph1S1DIyl+dHdx/MIT/3H10D/9zf/9gGD3jL5/xl3C2nuH3DfBy
5K+1idbnRY4nwPTMCqYdmf3elGSE7btMxynjAK7SabezEX0CnpJI8HokF1+M
mEnDs96yn7AiHZS9ZzruchE2I1uihpt9kfMMGhEcwo5dPG2pswxUOOoHKiBG
u6ulzTW4cCNQbLojpKJQsN5qqnT5lN3dRJIoeuzfxda4V6gtWTB+agUzUOlq
2r9GiIMQFMewDdB0HgflpYpa47PTjQftO7y9JKHRBGEosJSNoeAwEnRLkA97
1yPkyEFc9kcPcItAfWq8/QwVKikyufH9ewOrAFuHecNx3Xk2+Tod2aAckzdh
YZOaL67Oo7t7e8an7vvCgT5n8Ai9Ra66B+4x8kpldMltU1bQ6XG3n0aihWLS
lFenWoG+2OQ6WNP27763qnRFI/H0da0LDANX5uHAiDfaNVEoI0/HrECNQndq
ReIV7yRmLdFppJ4KW/mUSkLp88olC8BhnhY3eNpQQHfzmNbtkLu+r95sKjB/
ghf5GQI36dRsTK/DRNxHQZncLlbjiMMxG5AGBkMq692TAGTPjw8I9gup724F
Gx+Eigdat8BYaFeV802RIo3ntEZMYdU3IckadbMpvTrODHBCb2tZJpRpQJDU
2xFPu9Wgq668lZQhqGnQxWJ8h9v2LMZfF4sJo+xq4/gy7cbt7M4R7aXowjz/
785e/hgVrMdLYiGn0U5WjCigrMs6OIymOiwF1jJeGM83xNkYbD6y/kwWdZ9D
yJxC2CeeEGyU2Tw8zJv0c5cUp9Qkn+GU0C7BzK8ytgqyYEQEJizKfMdDosuL
rJmlBCaBXmBnLoupwdITgttQRme1DJNnQ3ZzJ+rt4SMJhPhgl75btD4E7dKh
l6AtaO8tNPccbe97YvHRd7+E6cC7P7BRfVPtMtZFUPl/aoM6LgabchjMVYn4
M+FsNKx/hvyRdzAE5nMOokeJ0gpduyKUx643WB3fMIS9YA1Z8tcoekmhSVCY
MTgYqMQcJgRlEn8hXZW/AQUSv0mq2E0zPtg7eBDv7e+YMOKJHL9GP3B+8V0P
iNNeKu4FjiQ+ecuyyhhX00arDaiHxFGTGh7bf3jvwcM9/MeEQb0vH/CXIPKw
wUez/Xv63v1ZPNFax/BEEif7j3WcjB/NDh7vJfuzu3syWtwYfKUJH+GfDbsK
RrkZSiSx27cUKU4ejw8md6f3Yn1/9iB++OjxHoxhMo31bP/g7r37D/Ab+4Ls
Nrz3jvMQ7eACPBY9j2MD2rHP4tOLevkGOThNh8jvTyaDxK4nPYxh0Pdmw88b
7sHdTWirQSNtTHXe/dZ3E1/Twle7W+Ozmh3bhC9Ft3bnU7rLnftB5bD0UNai
ApnLQVvoa7brxRY6D4IK7z7rFAwNyLll06xv8v1DcidNfxZGMVOtMPQWdfVd
0ST2vL8w2eDh0NGQ60sUV17gnkV/yx94C24FyUz1vNMoTWOlUUd5dxMLCiTQ
RtPMH7qfc+BfutAV5qrcU2ob79KwcZ2sr1QqP4Hdzzjhcif49DQsliB1UTyf
2Bkp0cGOSXUs+mHz4Kwpx2FUlIVCSJKwGeZ8+gq3kWXm227dru1b2nUOu0Er
qgmsmBwZNPSxXhdy+5Y/DP6RK9tT/fu0nKwWVY1mplCySUk/dUv6Qgjk3Wcb
qMIlgG+DYugLkarODC0YeQ4LVCFgOpg30UNmwP7KIwNy0UlYim81HhdgR3ru
A//eAvF7g+6nunISesIBnbGAjTdDCAve6PEm2AO32eiIHMh0k3Z/dNncx+Ld
E+jd42H0uGnX7QaN2LBqxYYt1LCze2vz+qB72JD1JmuFj6SYYf7NtMobtW/I
2opT9qD7l8amSMWb3Lqij9KdeJiUOUsmcp2sdxGtMhxjaC7jEHLjAH2FbsLa
CBU/2i0GpilCFoYVxIK6jakc/YX02fVW9hUPncoumbRdMPQkptgVpwhOj8Mb
uASsIHhPZAdaKPPJE9FMpOA9WlLOFSBiQDKp08Y94sZX1xwVmkESP6HQFD4H
1gfmcHYb1TYsAwrEbEb3BEEbdLEBUiNeZ403HoalneBcDNzdc0D2JonfVOTH
qYgTwM6Dqk85IwFZCeV0zwpj83lLLoGxrhtO7MwaPg9B3rlcaEFlSQ6vu3wp
KH8vB7DLyjHtqEgqNJHRZfTVsGpiY7I0MXtlYa5ruv/JXn07ZPEmt+h6WRD+
BUeMYbG52Y0U3LqAfS7ma3sxtxGeBd8mQ3dYtOo54b6ceIQuXp7O0VSRBXh7
92vgplBlqO67C3zO4u98w+w7CyKs9urnE+skeY5ga1duoIs/olOTp2LSpiUG
S0c+2jQCjNPdFiilzB5E1qZYk0lisPhWSkC2SVZUuA/2JiOJKdAjCyG9drBW
GNpGeSU8QCQW6ZjMrKSOobsxiM+uSKVggqIQpRggXfKJt65VNgw6s1JeADGB
bp00LAEg3MrieDa9B0oqqBVIQaqVdMhxEB+mendbOArqx3l3z0TGGLAvyrpR
YKypTSv2Yn5Iqp24PNWFGdQbM6g3XRl41RsZiQa7c2HW0i97CQt/Zu5AOwkK
HYngJh7moYqtBt2VtcFCJ4AgFwJZodw/xhGZNOBe/yY5mfk2Fi+geKXXMbN/
5qwqCUZl2DAHYIX5ulvL0RsZQJ9Amwz972eYazuJ5N5wUPVL7UIhwkIQQBFC
KBVLVrFCudNwXPNVOqUoTxDAvW9TSiwgGnVzZvQnvtdSdCTQzTu8lWSoWWcw
u3+bz+nQAYzAjWNUlZ++Kl6pXVdw86le8CvC1wpYf/jfK1KbKhIrlF1MN5XF
5z+cSbY6T8APTg9IY/GW18OXmwKLUirI3ZEqq1cXVB2MU6vry4a3N2bfR6yS
KrYvWMnjgeqOllj7K30bHW+PMpPLgECiar6pB0O+45Q8qcpdYNbXz102iJLa
3fTs1CeiHM+qZnwI8gZe5aVdZWNWdbuVcUgJX6h0jQHp2kZJHWDrYpLP2ugO
1aGNNisinaDLWzLg0G8b1GPq1tK3K3t8lNGF8otVbo6FX3ywi5eEivlYK51P
yvXSxBn6XrPhV48LTQ0uCgv7yEV7QL5PsMgcY6MwMkEJgOHZJaSDV3FQoqdV
K3xKy9in8b/WyyxZY2V6qXqwGZhCvv0xYzdrB28OY5SqM0ZZ5B6qjva/gfdG
wZ3wmJUNTNqgsERFNuQuQWsC9gRF0jG2ilFa02bCyP0PEKjI/cgKOTalL585
fJ/vjzJR2gBk2LWQ7Asx+DLFiPJWiIExVv4Se4UDs3XQHYmt7pqPDscmJ5N7
D5Ox+06h8adOOEcKG59z8cglEw0zSFkujxWRD26ssX3C9qF1VYFajKIX6xeC
2jHXle8s6inh+HnVij13XCPW1AxRo5+XxCheUvZxUVZmk0gbxUWj0naSwUIr
1bNfFRvtaNpIJXBxWxlwnCBevXs3twS+WrVZhTXBpHQqrgBWEEZ7SqqqjmTM
x7aY3S2Dxn0QFJmMmtAWlVw6Rqo63/cqKGCH/zSOhfhWz5FXL3DzLZ58/6xV
y31NfIgzRmStvhFbXrPaqjkELVfMURfmZm22u0B373A40MXT5vJ3qqPBmEDW
WkL1pA85OKJKKQnysvBKWuUjQojre0gBE5oYQmtxMXZR61zfeIADvrQPjBJX
aNsUzqZbFcRhRM5mMo3gdSAte8ZGCmE63HIwbDBMVxnerTopVkvxZwhvsBzV
+Mi3OHZBCS8W8YS2iRI0sAxWxr+KUUStgUUB42gXJRYBz3S0qU54TznSjkLb
VKd+u5LipFFRL6XmosLsWkMDNknLG4xURn2WlC0j2cvgx0I0qARhL3LlpGxX
Z6PGK4rUvPmoMQ7ddkCXWOeYVs0RieoyXbbrRFfRbFUS414t+W7HkSVts7Um
5wpHpT+g/jMrBh3VgD9wQ8RJQe6vvpWVezUDwIoZv5W7ZqGDgQOn09ksspUx
zEW0Zj3CWs2cTkt1dhvmJ9g7PQV4A88xDlQgK4HHlLZJGx9BVyE0n5niASN/
rleN0bkB0XdCvp+433FXGfPTu4gUmfIwIh+QElfb0C+NaF35pEfaBE2/LLMs
gSr1fCV0F8TmEj9Ra8vLJNRYw4zc9vVSAVWwkXqfWbYmOf4SpZ1dJek418j1
kFqt8IZplB3JGOxD5FF3ouw7/M1tb10c+AwnxIZNdgN1PLGpZdZXSEIexwzC
Db9C+by9y3Ar8Sz1gqXGNmsrjaVSkc3lDbxm4sAz/pLjbnwkeW88ZzhJeTk9
VhiDCKBAWFHOQX79wxLNeSN8y174yq8Y7vvU/eCri7iqZsQ1ipziJ3tn8y5M
AXQ24sFskIrdQIC5nlE5zhXYgOmcZ2dmki5s/YDKBKTS0iERHAcchnU3Z8ZH
u+mcss/r9OjHoy5/F56E8/UStJh5yp4QttZa91DYW4lK70ljuTuclsEpkuGw
Qzi7n/U4OrNZVriFz9iwxQYYfuSVINsxHazVrlNPEYyKUxjQmWy+FP0I/z1s
Avi7HnyqLWM4pLlz/ipf/9As/guU564c6UvQDO/pNX4QPLHs5JMqEJkuD6PT
Z+fP4ZezYGGfyiu71eBwUwoerzWBQW0vqom3l5X7hA3ks4KxaSWeFLeL4jJh
NJHdp6h3nzi85jbHcDT7U7AdBrQw1lOLhCRZ2t6ZIcVl/LBW/xU8xjxtpJx1
aqEfv209VU+79kzFcRyNk8kVnsufgAWe4B3nIP7hEMd033krI4K0KXrK3e3M
6JFLYMXdsANyh7fybrer8P1+SIoacB7fQZo4ICXnziWty84aSt0C8xPkrhJb
n0tAmfS0KRXXukbHvy5btW4CwqrZ8alld89MPWPEbFGs7bW9HyLB008dn3HH
6OKDQwsmK9oU1uRzUEI0n7l4Jl1KBLuQIoIgT+Ys9LCTulCU0QiDLhbAtQiW
bz5xfaMkWhRjit248jCk7EwRqwlPAgGwtga8/gZzZ8l8HlKQD0d+wXXC6Cf8
5cIUwnZD/bxSXlVslpvB5WQNHDRSVfCC2b5b75wbKq+SW31pq3kHviHxa5sr
dpzpJnhavAeE7vkIuqFRM8oGvXWiwUr7bq7K1zENzEheuLCLFK+WmJB7MZTa
rBgMl0rgJgoj28L+T+hiU41vp7xKFSXPORpcq1IWq7kpPyHE6IjHkDyFb0lA
4V4gLqBElQnfcgSAUy5lL8EERTwAUF95BTNFdYg89qrdNh41cy0QPx5TPLC3
UJ5yh4AeFIdm2S5hKgGqVp/KYG+al+exPO1jycZtD4vpcDqkJC6SZdW9+VED
B6UCXELDBIkSVFC98jeG9TjcgjI9EKLAwBVo2MZO9xo019GZK2wS5UGtgzxb
hLnQ2eWUl6hFl3IIZUQtb0hlahOGN7bJ+SKPbANyRnPfJd1WDDtSBiPiqnSR
jFGcSSNVWTGnevHCS2QgA1os0E69O7SarMZStjsDQ9/c8G96K0r3Cw0HSQxj
md4pNug8Qs773Jz8v5s5eFCpMigaaS80Styln7zLplTldZooRJsIWfs19dNb
qvHzQUJGwm4VU2HfPGgZ3pOgzH7IYSrl7pdqjeBWRsy+4YBd4iga+QeIaaJv
Dm9NQxiqJjMNq3Q2OKkQeAuyo0LIjg1ZwX6kS5q4uf/B4mn8ukUbeKtL6ECp
WeIWNquXAiUds41P1QFtiS/ecHMnmRnJ5xW1Ni7eDr1ckUbTPj/dqvCoCgqP
tqsV7fKNHT21SNV2tUhbQwnevA3rLsyncylv5eVdcRyPl0d9vJzpUFnKlP0M
GLhdtX4ejhMxCT1Ndhzdwo6VYceN+rOWsEc2x+GCQ/ANIJrzZqE7lzKAQbO3
lAzCnzbEAE7MQvsU8YGsHl1wZtrefgvHCEgNQa3sYELmb45hPkUveuyOn/ib
LJ4wjJH4AoQ8g7iaTNKwq1gXDn5zMsLw5lBGUDSOlGcnK4j7c9TDwNkccRmP
vo0WNZDtR/aKDhvu/gC5wGpNltQEmi5XVAk1x8tQECOqEf6GmlYyn+NdErQp
vxRjRtvilR9p3zUh5h4VvjDQ8XlkF6Cdgr2Szud0zw4yCF+gyJUiJn/Lfvb4
vtrA99tqMowTKEtuFjEDVJjfCRJgiYBSYAxttn/HTv+OLEgMywDCwN71YoSB
fTD21unC3k5I22sc5ei4JDnB6q1vw/mrPDQjZyYLEydsMHCRcoppePVagbWV
rSnCT0yuRyPFJnr4ltpWB+3jW6qxppQzSxD8gHN1IEd91sXxczsZo2M3GJhh
T91rrdr+4PPOVm9jMeaab7loyUAtmn7SW+DcVEBQkrRaQ2DTvZRghLk5ygpx
PyiImwdnkjYKDLIsUFNtDtWwRzG1R4q3SUlGM1ewb/i3G8BdweuyX/S1H92C
UdJnzKPxnT3onPHDYOg+5ilO48DJVr3vdL2lFV0VTHXKZskizSjpWgiv+jDI
iIXqHlmkX28K7QdfNMLCb+f0afzd0Tc7KpgF0Oy0WNau7g5rtciYcVO+ASG4
RA8A1pcAXpNFmAE6UHxDeeWF8SrxHjHaIMOkyLUJZ3LZDrnCigKQ6nT6akBa
yBlXl0BXcvwyj3bPzl4yPq8N8h3KAYfXXy51fvoU/Xk55QA9FS8mNnj04gf2
ktilFA9GUDxUzhvi0AwRoc0sYP0JoU3Ca2XtziYl3gwZXolJNYOlsAAvdHjF
DPpvbh8zejCbo25crGHqPoeth5UJPgSKOyBEe0eazJkp79AxpZQydLKVRNIn
Wi6gw1ELvvxZPo3RoUeAF9QdQiSbAQmKwQrkEE1LsvCaaqQydcSaM7foZFTn
N7hMI771KvrXf/ynh30fNg3CoUm0auoF8B6W98lTVDjwgu5xG+Qht9K5oYzM
NeQBKzpOqrTqWVNgPRT3wiVcljrWb1PGBMKJsOgD1xYh8ZlA+XjJMg4cdH6X
wYWSkHJ0NrB5UVVCRclIzC+LpcRkmwvsj6gbrGSLRrQvY2ZcrAxlKGFEDBLT
vMjT78PTqAbu2qCWrVlhJFBwsVHzgiYXZsKlJUywPau4T96brXuGaI2Ym7XC
B+b2n0Z3fl2Mgc2hQuWTSleY5l3DHelBFirXvO1JajbgBnVc/EQhS296h/7c
/vU//5epBupdkITfcsK2X9DliT8hfKSjXDG0Qy/3FFqbC/D2gj0gb1LowisN
1aByz6wzRW8i/82gSKS9aM27utKi0msDaKPDQQjcyySbmZiXnUhxkyPdCE0z
BsjWqrVVAgM/PoFj6PBxFAx5GibmcM9tyIxUIg4OjcVPCuaUSluGTQYTl/k8
2YCVjjw8RyWBL0KAsnu6G65vMhbEY+NlzZhczVsK5ilFCKv4XKNDed3DtThU
WqFFAY/VYEIgsb2xn/hmHfiGLt+L/GIohO2J+cnoLEnOfG2ib1kx5sYJPF6Z
c24jRkXYVcuhYiW+zogc02ZfErLfXWvqowwQk2YDWrHhQOHbYLtf2jpFPAOK
4bNeacNmws6MtYq5fcgGw+V+bYzE3ddHrwc96+yl4vh5mwHDeiM6sLsyTBIb
7j5+wNe9ewe3j2wlOEEgU1lpGBYJyzlHl/FG3tmKxB0CMEmMY56ePH1Z3Kio
b2Q29uty7buqmTDB9lOm1fEoF48cd4zJ6NNXDPexL3rV30TfMkmBXmvNRbKJ
hoyWhfFxJg8yGb+6V0f6S7dkqhtZDi6unXRV/oF+UF8VcI0pAhdOVS/GeL8S
tyo7zo/gBAnV9qQBj7QGq/9Oa/Hhdal10Kr/1Mm2DF9y7vOg3pjhTxtLGImS
3tS+xQcheY4UpfXwhEiLclxIWh6qur1MIcgmtP7FZTcpKJkelUFleG3Sq6GY
y4u9hSVnRb72A90xKbl5Z3+7IdxnqFgv9b5BvmTUUvf1wJNmHXoi6uoeWNzN
ZDv8ORXE7Llry2wCZTQjcXONENZbV9Cfb0Mt8GbvNEfr04abkcj8AtigzxiT
Nv4lmXPFTntnariDJFkaxT1twTx3BRumZE7wqoRMT+dSjPTdYb6CYwL7+NXO
LMkqvSPYDGZagojO0itBXib5VXRUr7LofJXBmo6T+U2CpcVfpQQ/+h55SAa0
NFRHSQnrAwqpnlylw+gYtI08OkkWy7HOsmF0VOZTkHWTyxudX1WTS0TSA+V8
Dz/CuT5elfMUGvk+KbPoxeSbVQqWYlW5a7EXeLhLe3EIIlg67XVxM6dYQRBF
lkgLSpaW3JrQwWHAsN4FgqycI6eTQ9iC65AqQrdd3KCDgJ1AfEc4u9m5oCas
m2qs2zca5K2Onmcaa4vL0WkuprA3mp+y/hGyKAJidGAuhvcZBHPorMGb1Hl3
ZVjdO9Ha0ebevAD5negs+g5eS7FYcHOLaYA+FRA42OCKom/ppqs1kGDUpsG/
/hVWFvGaoEIXlsNiRD9rTOdvf+Moa4p5S0/LZFZHe/vddP0F5jrp9vpKyjA6
Jj5/qjEiZhyNFbzzPH0rSUYVMnfsZpomoAGQ/m8KyNwdHcCzZ4SIzggpRkwI
vcZT7RUXsnanaavVxkkGI8FyH8soS4B5YBCLiJLQsGIAUVYKMAp7+aT6v72u
kkcZ4AAA

-->

</rfc>
