<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-acme-device-attest-08" category="std" consensus="true" submissionType="IETF" updates="8555" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="ACME DA">Automated Certificate Management Environment (ACME) Device Attestation Extension</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-acme-device-attest-08"/>
    <author initials="B." surname="Weeks" fullname="Brandon Weeks">
      <organization abbrev="Google Inc">Google Inc</organization>
      <address>
        <email>me@brandonweeks.com</email>
      </address>
    </author>
    <author initials="G." surname="Mallaya" fullname="Ganesh Mallaya">
      <organization abbrev="AppViewX Inc.">AppViewX Inc.</organization>
      <address>
        <email>ganesh.mallaya@appviewx.com</email>
      </address>
    </author>
    <author initials="S." surname="Rajala" fullname="Sven Rajala">
      <organization abbrev="Keyfactor">Keyfactor</organization>
      <address>
        <email>sven.rajala@keyfactor.com</email>
      </address>
    </author>
    <author initials="C." surname="Bonnell" fullname="Corey Bonnell">
      <organization abbrev="TurboLight Solutions">TurboLight Solutions</organization>
      <address>
        <email>corey.bonnell@turbolightsolutions.com</email>
      </address>
    </author>
    <author initials="R." surname="Hurst" fullname="Ryan Hurst">
      <organization abbrev="Peculiar Ventures">Peculiar Ventures</organization>
      <address>
        <email>ryan.hurst+ietf@peculiarventures.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>ACME Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 83?>

<t>This document specifies new identifiers and a challenge for the Automated Certificate Management Environment (ACME) protocol which allows validating the identity of a device using attestation. This document updates RFC 8555 to enable a privacy-preserving mode for the identifiers defined in this document.</t>
    </abstract>
  </front>
  <middle>
    <?line 87?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The Automatic Certificate Management Environment (ACME) <xref target="RFC8555"/> standard specifies methods for validating control over identifiers, such as domain names. It is also useful to be able to validate properties of the device requesting the certificate, such as the identity of the device and whether the certificate key is protected by a secure cryptoprocessor.</t>
      <t>Many operating systems and device vendors offer functionality enabling a device to generate a cryptographic attestation of their identity, such as:</t>
      <ul spacing="normal">
        <li>
          <t><eref target="https://source.android.com/security/keystore/attestation">Android Key Attestation</eref></t>
        </li>
        <li>
          <t><eref target="https://developers.google.com/chrome/verified-access/overview">Chrome OS Verified Access</eref></t>
        </li>
        <li>
          <t><eref target="https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/">Trusted Platform Module</eref></t>
        </li>
        <li>
          <t><eref target="https://support.apple.com/en-om/guide/deployment/dep28afbde6a/web">Managed Device Attestation for Apple Devices</eref></t>
        </li>
      </ul>
      <t>The following changes to the ACME specification are described in this document:</t>
      <ul spacing="normal">
        <li>
          <t>Addition of <tt>permanent-identifier</tt> <xref target="RFC4043"/> and <tt>hardware-module</tt> <xref target="RFC4108"/> identifier types.</t>
        </li>
        <li>
          <t>Addition of the <tt>device-attest-01</tt> challenge type to prove control of the <tt>permanent-identifier</tt> and <tt>hardware-module</tt> identifier types.</t>
        </li>
        <li>
          <t>The challenge response payload contains a serialized WebAuthn attestation statement format instead of an empty JSON object (<tt>{}</tt>).</t>
        </li>
        <li>
          <t>Accounts and external account binding being used as a mechanism to pre-authenticate requests to an enterprise CA.</t>
        </li>
      </ul>
      <t>This document does not specify the attestation verification procedures. Section 13 of <xref target="WebAuthn"/> gives some guidance, however verification procedures are complex and may require changes to address future security issues.</t>
      <t>Efforts are underway within the Remote ATtestation ProcedureS (RATS) working group to define a set of standard formats and protocols for attestation. An explicit aim of this document is to support vendor specific formats and protocols that are widely deployed at publication time of this specification.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="permanent-identifier">
      <name>Permanent Identifier</name>
      <t>A new identifier type, <tt>permanent-identifier</tt> is introduced to represent the identity of a device assigned by the manufacturer, typically a serial number. Additionally, the assigner of the identifier <bcp14>MAY</bcp14> be specified. The name of this identifier type was chosen to align with <xref target="RFC4043"/>. This specification does not prescribe the lifetime of the identifier, which is at the discretion of the Assigner Authority (<xref target="RFC4043"/>).</t>
      <t>Although <xref target="RFC4043"/> permits any valid UTF-8 string to be used as the identifier, this specification mandates that identifiers <bcp14>MUST NOT</bcp14> contain the forward-slash "/" (UTF-8: U+002F) character. This restriction is required to make the ABNF production rule for the <tt>permanent-identifier-value</tt> unambiguous.</t>
      <section anchor="representation-in-order-resources">
        <name>Representation in Order resources</name>
        <t>The identifier's <tt>value</tt> field contains a UTF-8 string representation of the identity of the device. In addition to the value being a valid UTF-8 string, the value <bcp14>MUST</bcp14> match the <tt>permanent-identifier-value</tt> production rule as defined in this ABNF <xref target="RFC5234"/> syntax:</t>
        <artwork><![CDATA[
assigner-value = first-and-second-components *("." component)
first-and-second-components = (("0" / "1") "." (*1(%x31-33) %x30-39)) / ("2" "." component)
component = "0" / (%x31-39 *%x30-39)
device-identifier-value = 1*(%x00-2E / %x30-FF)

permanent-identifier-value = device-identifier-value ["/" assigner-value]
]]></artwork>
        <t>A valid <tt>permanent-identifier-value</tt> value is a UTF-8 string that contains an identity consisting of one or more characters without any forward-slash "/" (UTF-8: U+002F) characters. Optionally, a forward-slash "/" character and "dotted-decimal" object identifier identifying the assigner may follow the identity. The assigner-value is a dotted-decimal representation of an ASN.1 OBJECT IDENTIFIER.</t>
        <t>The Server <bcp14>MUST</bcp14> verify that identifier values in newOrder requests conform to the <tt>permanent-identifier-value</tt> production rule and <bcp14>MUST</bcp14> reject requests containing non-conforming values with a "malformed" error.</t>
        <t>Example of an identifier without an assigner:</t>
        <artwork><![CDATA[
{
  "type": "permanent-identifier",
  "value": "ABCDEF123456"
}
]]></artwork>
        <t>Example of an identifier with an assigner:</t>
        <artwork><![CDATA[
{
  "type": "permanent-identifier",
  "value": "ABCDEF123456/1.2.3.4"
}
]]></artwork>
      </section>
      <section anchor="representation-in-certificate-signing-requests-csrs-and-x509-certificates">
        <name>Representation in Certificate Signing Requests (CSRs) and X.509 Certificates</name>
        <t>This section describes the X.509 representation of the <tt>permanent-identifier</tt>. Other credential types may use the same identifier values with representations appropriate to those credential types.</t>
        <t>The identity is included in the Subject Alternative Name Extension ("SAN") using the <tt>identifierValue</tt> field of the PermanentIdentifier form described in <xref target="RFC4043"/>. Although <xref target="RFC4043"/> permits the requester to include the <tt>identifierValue</tt> in a <tt>serialNumber</tt> subject attribute, this specification mandates that the <tt>identifierValue</tt> field of the PermanentIdentifier <bcp14>MUST</bcp14> be present and <bcp14>MUST</bcp14> contain the identifier.</t>
        <t>The value of the identifierValue field of the PermanentIdentifier <bcp14>MUST</bcp14> be an octet-for-octet match of the device-identifier-value value as encoded in the Order resource. If the <tt>assigner-value</tt> value is included in the identifier as encoded in the Order resource, then the <tt>assigner</tt> field of the PermanentIdentifier <bcp14>MUST</bcp14> be the encoding of the "dotted-decimal" object identifier encoded as the <tt>assigner-value</tt> value.</t>
        <t>This strict matching requirement ensures that the SAN in the issued certificate appears exactly as it appeared during proof-of-ownership validation, preventing identifier malleability. Serial number allocation schemes may be case-sensitive or otherwise sensitive to exact byte representation, so no normalization or transformation is permitted.</t>
        <t>To ensure that the identifier as presented in the Order resource and CSR match, the Server <bcp14>MUST</bcp14> perform the logical equivalent of extracting the <tt>device-identifier-value</tt> and <tt>assigner-value</tt> values from the CSR and reconstructing the UTF-8 representation of the identifier. The Server <bcp14>MUST</bcp14> then ensure that the UTF-8 representation and the identifier presented in the Order resource are an octet-for-octet match and reject the Order otherwise. Servers that derive identifier values directly from verified attestation evidence and construct the certificate SAN from that evidence, provided the derived values are verified against the attested device identity in the attestation statement, satisfy the intent of this requirement.</t>
        <t><xref target="RFC8555"/> section 7.4 mandates that "The CSR <bcp14>MUST</bcp14> indicate the exact same set of requested identifiers as the initial newOrder request". However, there are some environments where the Server requires validation of the identifier but does not include the identifier in certificates due to privacy concerns. To support privacy-preserving certificates, Clients <bcp14>MAY</bcp14> omit this identifier in the certificate signing request (CSR). Similarly, if the Server wishes to issue privacy-preserving certificates, it <bcp14>MAY</bcp14> reject CSRs containing a PermanentIdentifier in the subjectAltName extension. See the <xref target="privacy-considerations"/> for more information.</t>
      </section>
    </section>
    <section anchor="hardware-module">
      <name>Hardware Module</name>
      <t>A new identifier type, <tt>hardware-module</tt> is introduced to represent the identity of the secure crypto-processor that generated the certificate key. The identity is modeled after the HardwareModuleName form described in <xref target="RFC4108"/>. It consists of two components: an OBJECT IDENTIFIER to represent the type of hardware module, and a serial number that identifies the specific hardware module.</t>
      <t>Although <xref target="RFC4108"/> specifies that serial numbers can be represented as any sequence of bytes, this specification requires that serial numbers <bcp14>MUST</bcp14> be representable as valid UTF-8 strings consisting of at least one code point and <bcp14>MUST NOT</bcp14> contain a forward-slash "/" (UTF-8: U+002F) character. This restriction ensures that serial numbers can be included in <tt>hardware-module</tt> identifier string values and that the ABNF production rule for the value is unambiguous.</t>
      <section anchor="representation-in-order-resources-1">
        <name>Representation in Order resources</name>
        <t>The identifier's <tt>value</tt> field contains a UTF-8 string representation of the identity of the hardware module. In addition to the value being a valid UTF-8 string, the value <bcp14>MUST</bcp14> match the <tt>hardware-module-value</tt> production rule as defined in this ABNF <xref target="RFC5234"/> syntax:</t>
        <artwork><![CDATA[
hw-type-value = first-and-second-components *("." component)
first-and-second-components = (("0" / "1") "." (*1(%x31-33) %x30-39)) / ("2" "." component)
component = "0" / (%x31-39 *%x30-39)
hw-serial-num-value = 1*(%x00-2E / %x30-FF)

hardware-module-value = hw-serial-num-value "/" hw-type-value
]]></artwork>
        <t>A valid <tt>hardware-module-value</tt> value is a UTF-8 string that contains a serial number consisting of one or more characters without any forward-slash "/" (UTF-8: U+002F) characters. A forward-slash "/" character and "dotted-decimal" object identifier identifying the hardware type follows the serial number.</t>
        <t>The Server <bcp14>MUST</bcp14> verify that identifier values in newOrder requests conform to the <tt>hardware-module-value</tt> production rule and <bcp14>MUST</bcp14> reject requests containing non-conforming values with a "malformed" error.</t>
        <t>Example of an identifier with the type of the hardware module represented using the OBJECT IDENTIFIER "1.2.3.4" and a serial number of "ABCD":</t>
        <artwork><![CDATA[
{
  "type": "hardware-module",
  "value": "ABCD/1.2.3.4"
}
]]></artwork>
      </section>
      <section anchor="representation-in-certificate-signing-requests-and-x509-certificates">
        <name>Representation in Certificate Signing Requests and X.509 Certificates</name>
        <t>This section describes the X.509 representation of the <tt>hardware-module</tt> identifier. Other credential types may use the same identifier values with representations appropriate to those credential types.</t>
        <t>The hardware module identity is included in the Subject Alternate Name Extension using the HardwareModuleName form described in <xref target="RFC4108"/>. The HardwareModuleName is encoded as an otherName with the OID id-on-hardwareModuleName (1.3.6.1.5.5.7.8.4) and consists of:</t>
        <ul spacing="normal">
          <li>
            <t>hwType: An OBJECT IDENTIFIER that identifies the type of hardware module</t>
          </li>
          <li>
            <t>hwSerialNum: An OCTET STRING containing the hardware module serial number</t>
          </li>
        </ul>
        <t>The value of the hwSerialNum field of the HardwareModuleName <bcp14>MUST</bcp14> be an octet-for-octet match of the hw-serial-num-value value as encoded in the Order resource. If the <tt>hw-type-value</tt> value is included in the identifier as encoded in the Order resource, then the <tt>hwType</tt> field of the HardwareModuleName <bcp14>MUST</bcp14> be the encoding of the "dotted-decimal" object identifier encoded as the <tt>hw-type-value</tt> value.</t>
        <t>This strict matching requirement ensures that the SAN in the issued certificate appears exactly as it appeared during proof-of-ownership validation, preventing identifier malleability. Serial number allocation schemes may be case-sensitive or otherwise sensitive to exact byte representation, so no normalization or transformation is permitted.</t>
        <t>To ensure that the identifier as presented in the Order resource and CSR match, the Server <bcp14>MUST</bcp14> perform the logical equivalent of extracting the <tt>hw-serial-num-value</tt> and <tt>hw-type-value</tt> values from the CSR and reconstructing the UTF-8 representation of the identifier. The Server <bcp14>MUST</bcp14> then ensure that the UTF-8 representation and the identifier presented in the Order resource are an octet-for-octet match and reject the Order otherwise. Servers that derive identifier values directly from verified attestation evidence and construct the certificate SAN from that evidence, provided the derived values are verified against the attested device identity in the attestation statement, satisfy the intent of this requirement.</t>
        <t><xref target="RFC8555"/> section 7.4 mandates that "The CSR <bcp14>MUST</bcp14> indicate the exact same set of requested identifiers as the initial newOrder request". However, there are some environments where the Server requires validation of the identifier but does not include the identifier in certificates due to privacy concerns. To support privacy-preserving certificates, Clients <bcp14>MAY</bcp14> omit this identifier in the certificate signing request (CSR). Similarly, if the Server wishes to issue privacy-preserving certificates, it <bcp14>MAY</bcp14> reject CSRs containing a HardwareModuleName in the subjectAltName extension. See the <xref target="privacy-considerations"/> section for more information.</t>
      </section>
    </section>
    <section anchor="device-attestation-challenge">
      <name>Device Attestation Challenge</name>
      <t>A Client can prove control over a permanent identifier of a device by providing an attestation statement containing the identifier of the device.</t>
      <t>The device-attest-01 ACME challenge object has the following format:</t>
      <dl>
        <dt>type (required, string):</dt>
        <dd>
          <t>The string "device-attest-01".</t>
        </dd>
        <dt>token (required, string):</dt>
        <dd>
          <t>A random value that uniquely identifies the challenge.</t>
        </dd>
      </dl>
      <t>An example message with a device-attest-01 challenge is provided below:</t>
      <artwork><![CDATA[
{
  "type": "device-attest-01",
  "url": "https://example.com/acme/chall/Rg5dV14Gh1Q",
  "status": "pending",
  "token": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
}
]]></artwork>
      <t>A Client fulfills this challenge by constructing a key authorization (<xref section="8.1" sectionFormat="of" target="RFC8555"/>) from the "token" value provided in the challenge and the Client's account key. The Client then generates a WebAuthn attestation object using the key authorization as the challenge.</t>
      <t>This specification borrows the WebAuthn <em>attestation object</em> representation as described in Section 6.5.4 of <xref target="WebAuthn"/> for encapsulating attestation formats, but with these modifications:</t>
      <ul spacing="normal">
        <li>
          <t>The key authorization is used to form <em>attToBeSigned</em>. This replaces the concatenation of <em>authenticatorData</em> and <em>clientDataHash</em>. <em>attToBeSigned</em> is hashed using an algorithm specified by the attestation format.</t>
        </li>
        <li>
          <t>Some attestation formats use an external attestation authority that issues a certificate binding the challenge to the device before the Client's account key is available. In these formats, <em>attToBeSigned</em> is formed from the token alone rather than the full key authorization, because the external authority signs at attestation time before the account key thumbprint can be incorporated. The token construction provides freshness. The key authorization construction additionally binds the attestation to a specific account key. The Server <bcp14>MUST</bcp14> process and verify attestations in accordance with the format-specific documentation. Attestation formats whose signing procedure does not incorporate <em>attToBeSigned</em> cannot be used to satisfy this challenge type.</t>
        </li>
        <li>
          <t>The <em>authData</em> field carries browser-context data (including the RP ID hash) that has no meaning in the ACME context and <bcp14>SHOULD</bcp14> be omitted.</t>
        </li>
      </ul>
      <t>A Client responds with the response object containing the WebAuthn attestation object in the "attObj" field to acknowledge that the challenge can be validated by the Server. Clients <bcp14>MAY</bcp14> include additional fields beyond "attObj" in the response object. Servers <bcp14>MUST</bcp14> ignore unrecognized fields in the challenge response.</t>
      <t>On receiving a response, the Server constructs and stores the key authorization from the challenge's "token" value and the current Client account key.</t>
      <t>To validate a device attestation challenge, the Server performs the following steps:</t>
      <ol spacing="normal" type="1"><li>
          <t>Perform the verification procedures described in Section 6 of <xref target="WebAuthn"/>.</t>
        </li>
        <li>
          <t>Verify that <em>attToBeSigned</em> contains the key authorization or the token, according to the construction required by the attestation format, and that the value matches what the Server stored.</t>
        </li>
        <li>
          <t>Verify that the attestation statement contains a device identifier and that it matches the identifier in the Order. The means by which the identifier is encoded in the attestation statement are specific to the attestation format.</t>
        </li>
      </ol>
      <t>If any of the steps fail, then the Server <bcp14>MUST</bcp14> respond to the Client with a "badAttestationStatement" error and set the status of the challenge object to "invalid". The Server <bcp14>MUST</bcp14> provide the reason for rejecting the challenge in the "detail" field of the problem document, unless the disclosure of the reason to the Client presents a privacy concern; see the <xref target="privacy-considerations"/> section for more information.</t>
      <t>An example challenge response containing the WebAuthn attestation object in the payload:</t>
      <artwork><![CDATA[
POST /acme/chall/Rg5dV14Gh1Q
Host: example.com
Content-Type: application/jose+json

{
  "protected": base64url({
    "alg": "ES256",
    "kid": "https://example.com/acme/acct/evOfKhNU60wg",
    "nonce": "SS2sSl1PtspvFZ08kNtzKd",
    "url": "https://example.com/acme/chall/Rg5dV14Gh1Q"
  }),
  "payload": base64url({
    "attObj": base64url(/* WebAuthn attestation object */),
  }),
  "signature": "Q1bURgJoEslbD1c5...3pYdSMLio57mQNN4"
}
]]></artwork>
      <t>The webauthn payload <bcp14>MAY</bcp14> contain any identifiers registered in "WebAuthn Attestation Statement Format Identifiers" and any extensions registered in "WebAuthn Extension Identifiers" <xref target="IANA-Webauthn"/>.</t>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <section anchor="enterprise-pki">
        <name>Enterprise PKI</name>
        <t>ACME was originally envisioned for issuing certificates in the Web PKI, however this extension is primarily useful in enterprise PKI. The sections below provide operational considerations for enterprise PKIs.</t>
        <section anchor="external-account-binding">
          <name>External Account Binding</name>
          <t>An enterprise CA likely only wants to receive requests from authorized devices. It is <bcp14>RECOMMENDED</bcp14> that the Server require a value for the "externalAccountBinding" field to be present in "newAccount" requests.</t>
          <t>If an enterprise CA desires to limit the number of certificates that can be requested with a given account, including limiting an account to a single certificate, after the desired number of certificates have been issued to an account the Server <bcp14>MAY</bcp14> revoke the account as described in Section 7.1.2 of <xref target="RFC8555"/>.</t>
        </section>
        <section anchor="attestation-posture">
          <name>Attestation Posture</name>
          <t>Enterprise deployments often consist of heterogeneous device fleets where not all devices are capable of hardware attestation. A Server <bcp14>MAY</bcp14> offer device-attest-01 alongside other challenge types within a single authorization, allowing capable devices to complete device-attest-01 while other devices complete an alternative challenge. This posture allows operators to observe fleet attestation coverage before enforcing policy and is compatible with phased deployments.</t>
          <t>Servers <bcp14>MAY</bcp14> rely on other authorization mechanisms, such as external account binding or pre-authorized accounts, to establish device identity instead of completing the device-attest-01 challenge.</t>
        </section>
        <section anchor="multiple-challenge-types">
          <name>Multiple Challenge Types</name>
          <t><xref target="RFC8555"/> permits a Server to offer multiple challenge types within a single authorization, with any one being sufficient to complete it. Servers <bcp14>MAY</bcp14> offer device-attest-01 alongside other challenge types for the same authorization, allowing capable devices to attest while other devices use an alternative challenge type.</t>
        </section>
      </section>
      <section anchor="attestation-trust">
        <name>Attestation Trust</name>
        <t>Attestation formats differ in the authority that enforces the boundary around the attested key and in the claims that authority can make. At one end, dedicated security hardware (such as a TPM or HSM) provides manufacturer-backed guarantees that the key is generated and stored within the hardware and cannot be exported. At the other end, OS-enforced isolation boundaries (such as platform keystores protected by the operating system kernel) provide meaningful key protection guarantees without discrete security hardware. Intermediate cases include TEE-based attestation where a hypervisor or trusted execution environment acts as the authority.</t>
        <t>Server operators must consider the trust properties of each attestation format when establishing issuance policy, including the nature of the authority making the attestation and the key protection guarantees it can assert. The key authorization construction described in <xref target="device-attestation-challenge"/> also contributes to this trust model: formats that use the full key authorization as <em>attToBeSigned</em> bind the attestation to a specific account key, while formats that use the token alone provide freshness without account key binding.</t>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>This section analyzes the privacy implications of the <tt>permanent-identifier</tt> and <tt>hardware-module</tt> identifier types introduced in this document. The guidance here is informed by the threat taxonomy defined in <xref target="RFC6973"/> and is intended to help implementers make informed decisions about whether and when to include these identifiers in certificate requests and issued certificates.</t>
      <t>Both identifier types represent unchanging hardware-bound properties of a device. Unlike domain names or other identifiers whose lifetime is bounded by operational changes, these identifiers typically persist across the entire operational life of a device and cannot be rotated or revoked by the device owner. This permanence has material privacy consequences that implementers must weigh carefully.</t>
      <t>The privacy analysis below addresses the two phases in which these identifiers appear: the attestation exchange between the Client and server during challenge validation, and the optional embedding of identifiers in the issued certificate.</t>
      <section anchor="identification-and-correlation">
        <name>Identification and Correlation</name>
        <t>The <tt>permanent-identifier</tt> type encodes a manufacturer assigned device identity, typically a serial number. The <tt>hardware-module</tt> type encodes the identity of the secure cryptoprocessor that generated the certificate key. In both cases, the identifier is globally unique within its assigner scope and unchanging for the lifetime of the device or hardware module.</t>
        <t>From the perspective of <xref target="RFC6973"/> Section 5.2.2, such identifiers enable direct identification of a device across protocol interactions, deployments, and time. Any entity that receives or observes these identifiers, including the server, intermediary infrastructure, and any relying party that processes the issued certificate acquires an observable reference that can be used to track the device's certificate issuance history, renewal patterns, and operational context.</t>
        <t>When the same <tt>permanent-identifier</tt> or <tt>hardware-module</tt> value appears across multiple certificate requests (as it will in any recurring renewal workflow), it enables <xref target="RFC6973"/> correlation: an observer with access to server logs can reconstruct the full lifecycle of a device's certificate activity. Similarly, when such identifiers are included in issued certificates, logging issued certificates in a central location (in certificate transparency logs, etc.) produces a persistent device audit trail regardless of whether the log operator intends to maintain one.</t>
        <t>Implementers should assess whether the operational benefit of unchanging device identification outweighs this correlation exposure. In deployments where device anonymity or pseudonymity is a requirement, such as systems handling sensitive workloads on behalf of individuals, implementers should consider whether alternative validation mechanisms that do not bind the certificate to a permanent hardware identifier are more appropriate.</t>
      </section>
      <section anchor="fingerprinting-via-attestation-payloads">
        <name>Fingerprinting via Attestation Payloads</name>
        <t>The <tt>device-attest-01</tt> challenge response carries a WebAuthn attestation object that may contain significantly more information than the identifier value alone. Depending on the attestation format, this payload may include device model, firmware version, bootloader state, hardware security level, and operating system version. Even when the resulting certificate is issued in a privacy-preserving form that omits the identifier from the subjectAltName extension (see Section 3.2 and Section 4.2), the attestation payload itself is transmitted to and evaluated by the server during challenge validation.</t>
        <t>This constitutes a fingerprinting surface as defined in <xref target="RFC6973"/> Section 3.2. The combination of a hardware serial number, hardware type OID, and firmware attestation attributes may uniquely identify not just the device model but the specific device unit, even in the absence of an explicit <tt>permanent-identifier</tt> value. Implementers operating servers may consider applying data minimization principles to attestation payload handling by limiting only the attributes necessary to make the authorization decision should be evaluated, and the full attestation payload should not be retained beyond the duration of the challenge validation exchange unless there is a specific, documented operational requirement to do so.</t>
        <t>Implementers operating ACME Clients should be aware that the attestation format selected may expose more device state than is necessary to satisfy the server's authorization policy. Where multiple attestation formats are available, Clients should prefer formats that minimize the set of disclosed attributes.</t>
      </section>
      <section anchor="secondary-use-of-attestation-data">
        <name>Secondary Use of Attestation Data</name>
        <t>The server receives attestation data in the context of authorizing a certificate issuance request. <xref target="RFC6973"/> Section 5.2.3 identifies secondary use as the processing of data for purposes beyond the original collection context and as a distinct privacy threat.</t>
        <t>Attestation payloads received during challenge validation may contain information about device health, software configuration, and hardware capability that is operationally useful beyond certificate issuance. For example, for asset inventory, compliance monitoring, or security posture assessment. Implementers operating servers must clearly define and document the purposes for which attestation data is processed and must not process attestation data for purposes materially different from authorization of the certificate request without explicit policy disclosure to the device owner or operator.</t>
        <t>Implementers integrating ACME device attestation into enterprise PKI platforms should publish a clear attestation data handling policy that specifies what attributes are evaluated, how long they are retained, and whether they are shared with other systems.</t>
      </section>
      <section anchor="privacy-preserving-certificate-issuance">
        <name>Privacy-Preserving Certificate Issuance</name>
        <t>This document provides an explicit mechanism to decouple attestation-based validation from identifier disclosure in the issued certificate. Clients <bcp14>MAY</bcp14> omit the <tt>permanent-identifier</tt> or <tt>hardware-module</tt> from the CSR, and servers <bcp14>MAY</bcp14> issue certificates that do not contain these identifiers in the subjectAltName extension, even when those identifiers were used to authorize the request.</t>
        <t>Implementers should treat this privacy-preserving mode as the default posture unless there is a specific operational requirement for the identifier to appear in the certificate. The following considerations apply to this decision:</t>
        <ul spacing="normal">
          <li>
            <t>If the issued certificate will be presented to relying parties outside the issuing organization's trust boundary, embedding a <tt>permanent-identifier</tt> or <tt>hardware-module</tt> value in the certificate enables those relying parties to correlate certificate presentations with specific physical hardware. This may be acceptable in closed enterprise environments but is likely inappropriate in any context where the certificate is presented to external services, counter-parties, or public infrastructure.</t>
          </li>
          <li>
            <t>If the certificate is used for mutual TLS in a workload identity context, embedding an unchanging hardware identifier couples the cryptographic identity of the workload to the physical device rather than to the logical identity of the workload. This can impede key rotation, device replacement, and workload migration, in addition to creating the correlation risks described above. In such cases, implementers should prefer logical workload identifiers (such as SPIFFE URIs) in the issued certificate and treat the hardware attestation as a bootstrap authorization mechanism only.</t>
          </li>
          <li>
            <t>If the certificate is intended for use in certificate transparency logs, implementers must consider that embedding a <tt>permanent-identifier</tt> or <tt>hardware-module</tt> value will make that identifier permanently and publicly discoverable, indexed by issuance time, issuer, and subject. This constitutes an irreversible disclosure under <xref target="RFC6973"/> Section 5.2.4 and should be avoided unless public discoverability of the device identifier is an explicit operational requirement.</t>
          </li>
        </ul>
      </section>
      <section anchor="stored-data-and-account-binding">
        <name>Stored Data and Account Binding</name>
        <t>This document recommends the use of externalAccountBinding to pre-authenticate device requests to an enterprise server. When an ACME account is persistently bound to a device identity, the server's account store contains a durable mapping between the cryptographic account credential and the physical device. Per <xref target="RFC6973"/> Section 5.1.2, this stored association constitutes a target for compromise: an attacker who obtains the account store gains not only account credentials but a historical record of device-to-identity mappings across all certificate issuances.</t>
        <t>Implementers operating servers should store account-to-device bindings using the minimum fidelity necessary for authorization decisions. Where the operational requirement is only to confirm that a given device is authorized to request certificates, it may be sufficient to store a hash or other one-way transformation of the device identifier rather than the identifier itself. Implementers should also define and enforce retention limits on historical account-to-certificate linkage records.</t>
      </section>
      <section anchor="implementer-decision-guidance">
        <name>Implementer Decision Guidance</name>
        <t>Implementers considering whether to include <tt>permanent-identifier</tt> or <tt>hardware-module</tt> in CSRs and issued certificates should work through the following questions before enabling these identifiers:</t>
        <ul spacing="normal">
          <li>
            <t>Is unchanging hardware identity in the certificate necessary for the relying party to make authorization decisions, or is it sufficient for the server to have validated it at issuance time? If the latter, prefer privacy-preserving certificate mode.</t>
          </li>
          <li>
            <t>Will the certificate be logged to a certificate transparency log or otherwise made publicly accessible? If so, embedding a permanent hardware identifier creates an irrevocable, publicly indexed disclosure and should be avoided unless explicitly required.</t>
          </li>
          <li>
            <t>Will the certificate be presented to parties outside the issuing organization's administrative control? If so, consider whether those parties should have visibility into the device's hardware identity.</t>
          </li>
          <li>
            <t>Does the deployment have requirements for device replacement or key rotation without service interruption? Binding the certificate's identity to a specific hardware module OID and serial number complicates these operational scenarios and may require reissuance policies that expose additional identifier churn in logs.</t>
          </li>
          <li>
            <t>What is the attestation data handling policy of the server operator? If this is not documented or auditable, device operators should treat the attestation exchange as a full disclosure of all attributes present in the attestation payload.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>Please reference <xref target="RFC8555"/> for other security considerations.</t>
      <t>See Section 13 of <xref target="WebAuthn"/> for additional security considerations related to attestation statement formats, including certificate revocation.</t>
      <t>Key attestation statements may include a variety of information in addition to the public key being attested. While not described in this document, the Server <bcp14>MAY</bcp14> use any policy when evaluating this information. This evaluation can result in rejection of a certificate request that features a verifiable key attestation for the public key contained in the request. For example, an attestation statement may indicate use of an unacceptable firmware version.</t>
      <t>The "token" value <bcp14>MUST</bcp14> have at least 128 bits of entropy. It <bcp14>MUST NOT</bcp14> contain any characters outside the base64url alphabet, including padding characters ("="). The "token" value <bcp14>MUST</bcp14> be generated using a cryptographically secure pseudorandom number generator ("CSPRNG"). See <xref target="I-D.ietf-tls-rfc8446bis"/>, Appendix C.1 for guidance on random number generation.</t>
      <t>The binding between the certified public key and the device identifier is established through the attestation statement rather than through the CSR alone. The attestation authority cryptographically binds the public key to the device identity, either by signing the attestation statement directly, by issuing an attestation certificate, or by other cryptographic means specific to the attestation format. The Server verifies this chain: the attestation is produced by a trusted attestation authority, the public key in the attestation matches the public key in the CSR, and the device identifier in the attestation matches the identifier in the Order. This three-way binding is the basis on which the Server can associate a certified public key with a particular device.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="acme-identifier-types">
        <name>ACME Identifier Types</name>
        <t>The "ACME Identifier Types" registry is to be updated to include the following entries:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Label</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">permanent-identifier</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">hardware-module</td>
              <td align="left">RFC XXXX</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="acme-validation-method">
        <name>ACME Validation Method</name>
        <t>The "ACME Validation Methods" registry is to be updated to include the following entries:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Label</th>
              <th align="left">Identifier Type</th>
              <th align="left">ACME</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">device-attest-01</td>
              <td align="left">permanent-identifier</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">device-attest-01</td>
              <td align="left">hardware-module</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
          </tbody>
        </table>
        <!-- Begin WebAuthn registry text -->
<!-- Editor's note: the below text was written by Carl Wallance as part of draft-wallace-lamps-key-attestation-ext. These registries only need to be established by a single document, so if they are established by another document prior to this document being approved, this text will be removed and replaced with a reference to the other document.  -->

</section>
      <section anchor="new-error-types">
        <name>New Error Types</name>
        <t>The "ACME Error Types" registry is to be updated to include the following entry:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Type</th>
              <th align="left">Description</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">badAttestationStatement</td>
              <td align="left">The attestation statement is unacceptable (e.g. not signed by an attestation authority trusted by the CA)</td>
              <td align="left">RFC XXXX</td>
            </tr>
          </tbody>
        </table>
        <!-- End WebAuthn registry text -->

</section>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <reference anchor="RFC4043">
        <front>
          <title>Internet X.509 Public Key Infrastructure Permanent Identifier</title>
          <author fullname="D. Pinkas" initials="D." surname="Pinkas"/>
          <author fullname="T. Gindin" initials="T." surname="Gindin"/>
          <date month="May" year="2005"/>
          <abstract>
            <t>This document defines a new form of name, called permanent identifier, that may be included in the subjectAltName extension of a public key certificate issued to an entity.</t>
            <t>The permanent identifier is an optional feature that may be used by a CA to indicate that two or more certificates relate to the same entity, even if they contain different subject name (DNs) or different names in the subjectAltName extension, or if the name or the affiliation of that entity stored in the subject or another name form in the subjectAltName extension has changed.</t>
            <t>The subject name, carried in the subject field, is only unique for each subject entity certified by the one CA as defined by the issuer name field. However, the new name form can carry a name that is unique for each subject entity certified by a CA. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="4043"/>
        <seriesInfo name="DOI" value="10.17487/RFC4043"/>
      </reference>
      <reference anchor="RFC4108">
        <front>
          <title>Using Cryptographic Message Syntax (CMS) to Protect Firmware Packages</title>
          <author fullname="R. Housley" initials="R." surname="Housley"/>
          <date month="August" year="2005"/>
          <abstract>
            <t>This document describes the use of the Cryptographic Message Syntax (CMS) to protect firmware packages, which provide object code for one or more hardware module components. CMS is specified in RFC 3852. A digital signature is used to protect the firmware package from undetected modification and to provide data origin authentication. Encryption is optionally used to protect the firmware package from disclosure, and compression is optionally used to reduce the size of the protected firmware package. A firmware package loading receipt can optionally be generated to acknowledge the successful loading of a firmware package. Similarly, a firmware package load error report can optionally be generated to convey the failure to load a firmware package. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="4108"/>
        <seriesInfo name="DOI" value="10.17487/RFC4108"/>
      </reference>
      <reference anchor="RFC5234">
        <front>
          <title>Augmented BNF for Syntax Specifications: ABNF</title>
          <author fullname="D. Crocker" initials="D." role="editor" surname="Crocker"/>
          <author fullname="P. Overell" initials="P." surname="Overell"/>
          <date month="January" year="2008"/>
          <abstract>
            <t>Internet technical specifications often need to define a formal syntax. Over the years, a modified version of Backus-Naur Form (BNF), called Augmented BNF (ABNF), has been popular among many Internet specifications. The current specification documents ABNF. It balances compactness and simplicity with reasonable representational power. The differences between standard BNF and ABNF involve naming rules, repetition, alternatives, order-independence, and value ranges. This specification also supplies additional rule definitions and encoding for a core lexical analyzer of the type common to several Internet specifications. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="STD" value="68"/>
        <seriesInfo name="RFC" value="5234"/>
        <seriesInfo name="DOI" value="10.17487/RFC5234"/>
      </reference>
      <reference anchor="RFC8555">
        <front>
          <title>Automatic Certificate Management Environment (ACME)</title>
          <author fullname="R. Barnes" initials="R." surname="Barnes"/>
          <author fullname="J. Hoffman-Andrews" initials="J." surname="Hoffman-Andrews"/>
          <author fullname="D. McCarney" initials="D." surname="McCarney"/>
          <author fullname="J. Kasten" initials="J." surname="Kasten"/>
          <date month="March" year="2019"/>
          <abstract>
            <t>Public Key Infrastructure using X.509 (PKIX) certificates are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certification authorities (CAs) in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. As of this writing, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a CA and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="8555"/>
        <seriesInfo name="DOI" value="10.17487/RFC8555"/>
      </reference>
      <reference anchor="RFC8809">
        <front>
          <title>Registries for Web Authentication (WebAuthn)</title>
          <author fullname="J. Hodges" initials="J." surname="Hodges"/>
          <author fullname="G. Mandyam" initials="G." surname="Mandyam"/>
          <author fullname="M. Jones" initials="M." surname="Jones"/>
          <date month="August" year="2020"/>
          <abstract>
            <t>This specification defines IANA registries for W3C Web Authentication (WebAuthn) attestation statement format identifiers and extension identifiers.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="8809"/>
        <seriesInfo name="DOI" value="10.17487/RFC8809"/>
      </reference>
      <reference anchor="I-D.ietf-tls-rfc8446bis">
        <front>
          <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
          <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
            <organization>Independent</organization>
          </author>
          <date day="13" month="September" year="2025"/>
          <abstract>
            <t>   This document specifies version 1.3 of the Transport Layer Security
   (TLS) protocol.  TLS allows client/server applications to communicate
   over the Internet in a way that is designed to prevent eavesdropping,
   tampering, and message forgery.

   This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes
   RFCs 5077, 5246, 6961, 8422, and 8446.  This document also specifies
   new requirements for TLS 1.2 implementations.

            </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-tls-rfc8446bis-14"/>
      </reference>
      <reference anchor="IANA-Webauthn" target="https://www.iana.org/assignments/webauthn/webauthn.xhtml">
        <front>
          <title>IANA Registries for Web Authentication (WebAuthn)</title>
          <author>
            <organization/>
          </author>
          <date>n.d.</date>
        </front>
      </reference>
      <reference anchor="WebAuthn" target="https://www.w3.org/TR/webauthn-2/">
        <front>
          <title>Web Authentication: An API for accessing Public Key Credentials Level 2</title>
          <author fullname="Jeff Hodges">
            <organization>Google</organization>
          </author>
          <author fullname="J.C. Jones">
            <organization>Mozilla</organization>
          </author>
          <author fullname="Michael B. Jones">
            <organization>Microsoft</organization>
          </author>
          <author fullname="Akshay Kumar">
            <organization>Microsoft</organization>
          </author>
          <author fullname="Emil Lundberg">
            <organization>Yubico</organization>
          </author>
          <date year="2021" month="April"/>
        </front>
      </reference>
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
      <reference anchor="RFC6973">
        <front>
          <title>Privacy Considerations for Internet Protocols</title>
          <author fullname="A. Cooper" initials="A." surname="Cooper"/>
          <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
          <author fullname="B. Aboba" initials="B." surname="Aboba"/>
          <author fullname="J. Peterson" initials="J." surname="Peterson"/>
          <author fullname="J. Morris" initials="J." surname="Morris"/>
          <author fullname="M. Hansen" initials="M." surname="Hansen"/>
          <author fullname="R. Smith" initials="R." surname="Smith"/>
          <date month="July" year="2013"/>
          <abstract>
            <t>This document offers guidance for developing privacy considerations for inclusion in protocol specifications. It aims to make designers, implementers, and users of Internet protocols aware of privacy-related design choices. It suggests that whether any individual RFC warrants a specific privacy considerations section will depend on the document's content.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="6973"/>
        <seriesInfo name="DOI" value="10.17487/RFC6973"/>
      </reference>
    </references>
    <?line 441?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>We thank the participants on the ACME Working Group mailing list for their insightful feedback and comments. In particular, the authors extend sincere appreciation to Aaron Gable, Christopher Inacio, Deb Cooley, Eric Vyncke, Mahesh Jethanandani, Mike Bishop, Mike Ounsworth, Mohamed Boucadair, Richard Barnes, Roman Danyliw, and Tommy Jensen for their reviews and suggestions, which greatly improved the quality of this document.</t>
    </section>
    <section numbered="false" anchor="contributors">
      <name>Contributors</name>
      <t>These contributors provided significant implementation experience using Smallstep CA, which shaped the evolution and design of this document.</t>
      <t>Mariano Cano
Smallstep
mariano.cano@gmail.com</t>
      <t>Herman Slatman
Smallstep
mail@hermanslatman.nl</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+196XbbVprgfz7FbdbpEylFUpYsO46mFtOSbCvxopLkuNI5
OTFIXJKIQICNRRTjpJ5lnmWebL7tbgAo26lUz/TpqOrEJAjc5bvfvmE4HPaq
pEr1keqP6ypfRpWO1bEuqmSWTOGLehll0VwvdVap0+wmKfKMPu+Mj1+e7qoT
fZNMtRpXlS6rqEryTJ3eVjor4VO/F00mhb7BoeFmdTLu93DIeV5sjlRZxb2y
niyTEu+tNitYwtnp1dNeL86nWbSEr3ERzaphoqvZMJou9TCmyYYRTTa896gH
Q9/vRYWOjtSlntZFUm1667y4nhd5vTpSNOtb+J5kc/UMr/Wu9QZuiGGqrNJF
pqvhCU7Sq1cxrKw8Uo8ePHjQ60V1tciLo54a9hT8JRn88mSk3mp9XdIVXuCT
Ispi2LK7nhfzI/Usz+ephimmdM1AoXFZL6MkPVJL/XjCw6xxlNE0XwbTPhvB
EaRptIm8iZ9FmS4XwQ8083i1+ibR67/jJKNg8vYvMv+chhoteajH0Wp1A/fd
ttZxOVIX0Y9R6i/j8kZn/lVaw9d6M4umVV4E84dXZe4Snh8V9Pzja3NDa+bj
kXqSZ5lOU2/q47zQm+A6TX5VF5P8RTJfVOoyT2tEyDJYx9YbZElTHHc04XEf
V3h3ineX5ubW8i5G6nldlJW3uItNlHkXaWXngKBpEhXqGyCfutDhsrp/lTUV
MNxogcP9EYnh8UpuvpF7aUm9XpYXQL7JjQa8VRdPjw/vHd43H/fvPZKPDw7u
H8pHxHXz8dG9L/Hj2fBkRARXpeWwmE0fHR4+nCQl/TR+NR6+1ROkjeyI1mc4
B/6kLvQ8Kasi0aWa5QXQxEQBR1nAGpGRIGfYgWt4Kdvt8+NRMdfVkVpU1ao8
2ttbr9ejBNjNCAC2FwFfmBOvKffWMqv9MLpdVEs8djNiuJ723EAAmRqfn9HS
oulUw+jAFM7rSZpMETnVcaFjvD9KS/VC3+hUHfAqLS+gv6H8q9SsTlM+7q/0
bKae5/Fcjk3OPMqSn2RyJn37o5zrj/GCHno8p58Zs7bPMgJC+CrPtk7yMv8p
SYUS/Vmmj5f8ywcmeJlMFxHs+8kHpkmmRV7ms6o50XLy4+Ol+fEDc42vy0W0
UV/Xy6j41Hkieva6/ujJTpdJql7UWTzRxXzLbN/Wk2SaN6fS8OTjDf1k50BB
caQO7h3sD+8dbsXj9X3C4qsLi7PDg71ebzgcAs0DmQCr6/WuFkmpQNzVJFJL
oGuQukA/mV6rhLARvhalAvGgIgWnk6Y6m2tCYsBu9Wsk9qrIq3yap2q9gPNW
MGS+LtVNlCawMaQJHJgnrzYqn8HELHdVTSQTOVE/UuEGRIgiPyE5qqpc6Sya
gNCLYN7kJppuhitgWLq4waGWeez24u831rMkg10lGfzkzTBiAC6TOAZq6v0B
pXiRx/UUVwPQtBABmv54iLx/L7zwl19AKwFYR0XsHcZSA/3HzNQ8ME1znDtV
+Y0u/MUPVFkjXHHVgEQZiYRypM4qBTsB7pIDIDUgJ0JnApBB8MBHGVrjAa1w
7TA1QB9BI/Av9H/WAHpzRlO3QTdn8/C8xxGJ1gvYjC6azysQvrg6xA09RXya
bODIStSp4MZis6py+A25JsjnXg/gCaPDKhkU5aas9JLRVCYD0RTnBe5gBtPN
6oyOCLYIyyKUIFQyd8P25zrD4RBTeL55Ea0AQ318kw0lhd2i3fgRYIb6bpzF
RZ7ExM89lfT7HUOZZV4XUz2K+D4k6b1SFMc9gEEJ6ofe82bcxVGPF0W+1Or1
JQjnAg85VmOSIG7cGAUGAqQcOV6+N6UH927kqSHLnT3EGNSxaPCroi4R4Odp
VAGGLYGLx3Wq3dAV3wDjrWqENum2xFuAkGg75pbhSsYYLmmMYbVaDst6CSx2
s0eTMR3EXVo7YjfoiICL/KO3ubJerfKiGkX4M21MZ0P477yGY4Ctr9J8g/SE
Hw8eRbNJrB9GyPZ2e0STsxx5DNHMIgL2VeJ5E/tC/VwITVQEUOYBKcppkUw6
6J9OeRzHicGGdwDyJSiwGZgJlgTfAUX/m+g/QNKIle8WQNNrGFxAY28BvQhu
cc8qNETKUWMaXOy7hvWx/85jyPgU7gqI5EY71iBPdi+ye11dS0Egurng2Feg
hwKjiDZpHsU0HTCakii2AAUm+QlgZzSjgIDwX+aDM1IWUYOtNIyBfD4DcbcC
+vzq8vUrlU9+BE6gdt69/+XdLsFjOs1rUMZo3foWracoRVUKr6pJksV4whON
/wUGFyM3ioB54pkn5ZKhA+BzapnlaIQQOD3aZCAnYG/H41FTPMY5SsbcyMkN
wdbfHNOZIBKxq5i0Y7QN6dr+fdzn+/cGNHDyc1CXS1UifSM6R9kUmOkiX2vk
6lsGJCRFekz1LUFjCZoMbiUptI/iURzD3SA4atTSlWE0wGjLGg+2dzqDU6h4
PNBOdLGGgdYJoHxGm7vQS+DHanzl9nhuVnGpdi7GV5e7ai32LfEFnJaFJyFD
hfu1Io2PnA/QaAEs1gKZDoqyvl2BWpxUKkqWjMX+QSS0O+EKwuktGW+ZpVoA
suE+14Dg6UYx10AsqdSKlHDeX5XASZgZA9YwQnl/nGdo9KAdRhOc4F4TNuKI
16AgQwO/VP2Xby6v+gP+V716TZ8vTv/25uzi9AQ/Xz4fv3hhP/Tkjsvnr9+8
OHGf3JPHr1++PH11wg/DVRVc6vVfjr+FX3BV/dfnV2evX41f9FscjGDAgj9h
bNcV0Uov4HpPjs//z//ePxQudbC//yXgKn95tP/FIXwBSZ7xbHkG8OSvgDSb
HrBpDYYkjAIcQ02jVVKB1jFAeiwBszMFCoAGaH7+HULm+yP1p8l0tX/4F7mA
Gw4uGpgFFwlm7SuthxmIHZc6prHQDK43IB2ud/xt8N3A3bv4p7+mSA3D/Ud/
/UsPUejcMGN1Zlltrzdu6NzEfAfbWDccaCKaJ5wXHGehSa2FQbdqz2zPsmqF
N8GwNTo8gJaLAU4HeJ6mG8vEVVYvwV4ZWUGEvw6Y6fFQhREw3rIBIohbRnuN
RyQ8UAW1VNXYpFoDYkwXOayemFYKQxMTCqSoqPqhsLYcGTdPyEvLSZOZdnTs
L28gRgcqwgyqOIEHtS9nx2ZzY7K7EYw7/kpAGPXGKfxUz8MlKjyrhDjPhrVp
9ebq6fCRQqcE6sxEdUY0NRfWZjh4QmzPEPPy7RNDJ0b00mjA+ECSx8MyjcqF
6u/11Q7Nf6Te/PHevYOnuygb0O7DQyVoAtRgaSyb6CuJEEKoZXTNwBw/efUU
+agYOaoALcHaTJ3oOYS916BJ1HDqk2Re5zXKmj/8AcSJIClvD5b9ugCho4we
KSzUjfRZqd7JYPA1DTSNALRFOHJw7k07BCyhDEUjK1eiCdIsojxEHYc38O4i
4IOIATz6IAyagIvatiUBmPEIXWNoA25gI7ega/7jH//oGVrjEdWfARIFqH+A
GkMQ6Dn8g5pAjvOX6vOd/qiv7IXd3l03/1nt7PTv9dWe6u/3dxU+ufP5/s6/
397fH96/v6vgw73h/S93d+GOnf5BXzXGth9hJB5Hnv1SfW6e7YnS2oQMPLL/
Odx+797w4BSepPufPgWFfTs04Zlto32H2B5C6nuCHvBVPsw7T4kHSVpoRXTn
cC5zGAUXy4RNYUAugIICiljmrH8xjZXExPK6In7wCcQJCuPrlWO4Ucez9l4W
93FeofkVA/NYRmnf6M4eo5WPG2O7Ww6OqiPbRwHJMNtu4B4BKJyrg/IATOPL
V6N99frJV6fHV+rs5PTV1dnTs9OLEdP3JVifKCmQjEjD3TQZHB8IyjiUioZJ
iKoOoCc7VSj308gPoEXzFpog5A+Kh4zgyfJsKHPgV1kKCaRI9WHP+IuO+0oX
BTkjTm8jVMVl794u3PlbSApRv+8p1Ufh1z9S/a4NgD4Hd9DceMv4yfHJ6dN9
YA8PHvZ7vzBq3znvbzzp3v7oYHR/dGgn72TnvsvrEqZG+F0YEO8cX16Uu3QE
fx89uPelf3cptlYphpLRRVlM8u3dPL5bQQIKIjfT1PrU2ZgldAcJTI+WqJS0
kY6gF04GeL9CrxioRZVmxAN1pTX6yJdfZGcBUKZpHRtuD1CpmTRBgUD7FYMl
6hWuwwYtgdVejl8BP2ZvJ+3RLfIbXxoKCKxC6fRJMoJCP0aoTN2twOCoQhqo
pOVmG1tWg5q+esda4ytSGt+BdcYbBcsOllCji/CDGs6v3CsR9EQrowFbIveV
IzesnBKztJaGSJN+/JxAZTnw4WoIAB/SJ9EMApWjLbD4v6AN6Gyae/gRKkSg
qgiWh5zYk1hNBPPw+UOjk06TheN/ArjxdxpfhCB+/whJZJYkKnD3zozvhdVT
BinreaShkiEL5ELOEIs6QDYWCujhiAMPM1ulAJJbEJxo5gDsKrkKt8Y1SXyg
8nw2xP+vYU3lIllZl3sO9i2gGJn/cKe3JQxd62iSpCQ4L33ricIbguzldAEr
Zx4E8JtGpQatDIieuADoDznyrDV6n9xljGDgisFqI3+Vz5YGqsxBXCmKu6YS
ScKBqiLKSvaDiGrPlA1Hg5DNBXYOdCHWyBzb8IYIDJg5Hwtrxr5Mh7lYQKMp
ls/RrFR4bgBIPDdAFX1L8SfL37ZQibgoOzGkVLMi5zlwKXhjgRouYEztRmZt
7i7rgDiCaqolRBhNIHUOhhM3IPhB8BV38A3eCBGNe9QixkhWKVgPvyGOtGVY
DERCWE5AMv7/wFkJIIfH5DQt4FqBGSQqgTRMaB4akKM5QTpmLofriM3suEE3
5xyV58pzlmobpHGSMms5U62nGLAcrpTib0WnFSNRtXAmq8TmxEElkTTRJb4Y
HTbkTP9KsIbOGh3HtFViaERrpBmI99LIwTgMiIoBj74/JPaGltofqefswyXy
KPjQycurXfyvRK9ZoX0Ckv2UHtfpcLKAPHW+D182+xp/5p8joEQtAQKKguKJ
w88Z2BpXzpXaESL1xxio4zShdaOXJweG0nLoyEH6GFSKIiigIT1wFxA5WSZp
VKCFk8x8EACeL9h/TVz8w4uCZeB6hGpQy/TV+ahTiMk6RUsBbYiUMG2UMKQz
huj792Z+MvliCjnCJ0CwmTH5kszyWnISP5eYioTStjv32sGXj/fr0fL9+OjQ
BkgZy01AM+4KtjLL8zVVjIWnSK+zSuKzZhu8CwJQW638ToJY31OAWcxiDhyv
c+ctKI+Q5bUswvYWySMITxvQKAbNQFIQAtdkw2xkkrRxgMYIvtfOLtqLstNY
wfCARrDmiSd1JagE5nyJyIzcE5aKkrnsVG8tNXcNbvQoJ1Am7CBqe5/Khr8B
BgOFA2gJHQ+oTqlVnviar+8a7PIffIpjMNCzugHkK6F3RhTFr2LkBMlOka53
+hmtuvv/nU+xiWW/tXOxAc3fzq+4WA+R1v6buhVh9YyKQ0DFD7kUO2EIt3cN
gtQRgKbhRtxyHh/pQWzwr3+xF3H8r/AcWoQnTs2uQ+G8QdjoX+Lr+1hq+C93
8wWyq4MvBDLEeXbaArFvHG2dAg8GJ7dcv8ul1wBOhzfvN/Di/dbuuzukxf9T
J17z/D7Fqddy6bkD/yidyk8NYkWt47Gk9F0paE8isOgni5Cvz05g4UPA9EV7
gJ19QIWHo/3RA/jfF6NHo8NdawuKDkfpTov1FdVGjDv1tw4NbIsKR0NdGich
j3d8dXqlLq8uzl4982mzi4ACQuhw4Xljhz6sDth9rPeuS0B8qucuECa/veOO
T+fdR2/5N/Lade3qd6fd/yinXQdxmJzCDuT43V/3u7/ud3/d7/66j/DXdSk7
v4G7zuDXVrddR1L6sUl6RguQgUk+j0aaNYIhUjYS7QPYz8CbbIQMaZ/bEqMb
elA4lospip7aTArnnHaXrC2ifCEE4FLhee+g4ZG6tmNyvwZiue4e9Y6IzYoh
229O1IcFVPk18N3uZ8eKikqXovEQIddZAjgFbK6hMdrlopMOs3/Z0gK5W0Zz
bYyy1lbdLrl0hBncRMMO2T6Sv9BMam2E7KS6SMmGkpIDWQIVG2Dp7x7NtXcx
fxB/s3/4bLH/N34Mj60uOaGCEtD5MgEGr+qb6NntbHxSPlxdXkwOXoxvvjz7
j9n+FyfV/R/r22dfDc+Pqy8P1iBTxmKUmTU7hJvV6SxJKYc5Kb1NTzYqEKAR
JR9ztaDRK3bevzfJ549G+4hBjuPuOpEsC5azsqA03MFOaaQnr+yz0qbfW5ey
rJkEsvFAo+OjsxpAkNOZR+0NRG0M6UgEneRgpIsbws70Q3uqH1rqQBmaXgZY
D8EmOmwl6yPrAHEarco65cqjKKxgwcTzAbF7Y4OVZMDYlXKd0FXnVtG9WbLb
n1QxXP9V/kRfUtruD9Y1u0qjqSEckAoA4MwKnh+88oa8OImq6Ac6tB+mdC54
4XlULmCwxug4OzCJhXVPIH9K55j/uli6dF6TPNzeN5ZoqEuUmB0wIXMdCyxs
2YZ3T2TzbNmapOoELMPyhJIp7wjRUdxChr3qWS7SuQs/yTt3E4EQm4iflo/H
HlsHRNgH5OiEGV6UoqsOMJsr2SJJv63TtH2qgA16Ghlvhdu/3TOKW8pG9kFC
2cvefvxtVAswUkDKiShi93tegEKAwR6mQl6n4w5cPoJEjXq4LhcZsNbRFjwM
Hou85G86hbJ1/pi07cIuLY4QWBkcoiKUFHegNxI5AfH5gupgnB+Dj2ho5zDF
DKZgpAPh1uTcMbqMrZ0J1DADtNbJA1zxFpOtjcUmVqUNWDDKFFMgRaTHFCeB
haigYvQJsiZdoEZSAQJg/W6kdlgNNDh9ca7OTogAd5kKUGCDlbjUEW1AODEL
dxkHgSi1DLDS3JqKVnBwoVZcOkDa0i3hvA1d4y4mLSvow0+vJz/2ZY949tPr
LF+nOp57tpcDkeCoqS61HITRYhSoqEY1dkjH0wAM9SZHf7WZXVbT2I8zt9hS
mGc5VTahpQmIgFVpMl5LspmRAH6vMXA31ckNC1XzS2AzWxphXKa6zXKLCLPc
w84GjCmUuEauTuuiwJOTA/RpiVwAtkbXVXV4J2XHD5Yqln1T/wMTaYXSaH+E
AXJr+28rOeuWkihyvjNY8/2odzDiElVh5S26MoGQbkBJsI8gMxBGIIUTIuwc
X7K1ClsF0iCMLzKgyWhH/7D1PzGQ6ACBeO6HG9hq5PoxncA4ZneMmTip7Ixt
c8/6C5hPIqmXuB0uUWne3/IJdq+L7FbDJwVwXcK6dzajiJLJJEBsUDOQjp5z
0efcwkvMkIKgJlwyiWKPCV+a1UjwhElEVzITasxm3pahAuP3k4zwvN8pP1CI
Ce1HpZhzbEq29QPDs2INZ5X2QycpjAWKwNIKkwEwihSFE6kUSTlNc/Inye0y
Xbh/0SVL117AGOr/Czb8z5qkninUUX376bxb6nVD2+j8NcB1i43Te56X1ZHy
jKHecU4OnSHHBLAiW5jF3o8gcP/4I8Cox/aWreUHO2gSlfrhIdhYO++pYUUf
VEs0j04vDx48JJMJrl0n8Z0mGDCEak/fvJ59vXj15uG99dw8mCHI8dHLy4Py
Mt0/r8rVzdP/uPfo+lX109exue3TTTx47pddMugEdJ1bYZHk/7L3+Z3H8fke
DSpDo44SYRUeLu5v+5M3F/Ov8tMynZzsTx+MRqP7q2/jy5cvkvzBF8u/vXp1
2LATkURMhw9bkY3C1OZ/ZJvAFVZQmxxdMCfp24X6WpSlYPWUy7Rd6lQpkUkY
1fpftg/qYmDBCN8FvXy+J/fL65VQBkj944BSKE556mqzz78+A+JAVQhLB0F+
zBPWT9FXh5NpqjUmS6LpfjK0gB16YBxXa02and0RexSSZVQk6cb0y0iCCnF4
mhmUUHHJngfLo3JvPyHlix3pj8TZLH8geJGBINXu6gkbPswM/PJ0lSbX6Erh
6tso4yJ2Vly8wnZSPoyYtZ5c2w7EK2z1YjKBb5NTVmqXjNM3VoysUZboqYRe
Mj5iQ6bXcmvfLsxIoMamQM3ghKkc9scOS+0Fv4OT5NwKk6JlvL4ikrCuPjMK
1EA5bZuGNQauAJktGLiYNrqauGQ4Xli8bS2L6AYNNp2ZKBY3FLATeHKMXJ83
+XVo2W1zRHwx2h8dsCPCOm4EV3yCPQdGDSyk1/PIxDXGQHFbiUGYlOQmX2i4
L0cPTV6XRoWZpVpbLzdaQFjALRjDTQeiFWWp+dHdsHbf3yb3Xmm57dB8npdE
ImRBh+ZUaRoQ2BNp2NORbeYhizELrHJpilB1uEVBqUrNhOYBezf5OlxBjnM2
sctlxcA1rYqYsLG5DMyYT9DJLaALtXF0C6P7Uux4jbJ9StZoDkJzQ2w04VXA
E7gTwt0VmH5EqPb04LytXUPYQ2QvmwlVaNvuwmsDtLVXRl7YjhjCHeQOzGbM
Fe5kkibloiP8Y5t2CAyNFrLdRytI+7JOqwQ1GutaV6hKlBgMcrEgW0lt0Akh
Tdi0NM9/ItZITdyGsqw4Fa+sZ0C+7K70UCfxzchfj8WGW1Js6hNQmGfoxFdx
onWiqrgieg2+QN19QHh0eEjihDZmrInQCcfIKmbLBHAijgrA2AI/haFBMuMy
5ytOo2Rp2m3YMZFLY0U5+mroBHQWD2BfHMmLXWsSy1V2DPZG6ur8JaLq88uX
u86L5XcvGE6i6TWMMq+jAgSh9vMLxPHnkqGtuR77nU4cN8PoqnX/6FuMs6FX
bczD8YHQ6l9fDgVKSMZ5ajzRBCv0+9gtmLZIynR4ajS6ooEbzazg3iLTqd2x
8QShHoJ7kgFwSm/bJldQuhroNmBH3Hh0CaBHPwLmM9hcFHV1ejqcEPfxGRmL
g0gtAMMKULAw6QHTFbhvlL6FKSRR2HU2i8gzUoaoZfmYx0KXMIpVj9j8x4Eb
Tch0hJBsITF1HXF8ihxlIH7JechM1pf8pEqQpm1sOoeggJy2NNp3TQu2b4d4
wipIVIIYqD7Ko9pI9QoYC90+tESNzaOwXxsFGqmKUlpXYQccAhNl7R9ZmuYo
mzibux3SeCpNvwwKhI936w6EOXVO6nvIDepaj7PLZfX82SKNyAY4FyO6qf8H
2YURyLLNT8KbjNmdLK0lap0L/1TfK78Qo9UGkM7Z9Guifjac0iXxAqHpalFo
ZEPRbZ7ly42foc2ZDw+//MI0COPKD2AsrDsudLqiPZEVhqKIGnLYGTBViy2v
aIIANX31pMde1ijaLcP2hmGugTMWeCHNLCzUP54A42uDyJVu1Bn1nUIaspAl
VtggZOMtG6k3GRowQY9Cm04VLJY9+banCwCKBmYwB0YWd74adGzYdbfBFnmo
AkfYuZNRCG8rQnsNZwub5wRiATgByRJyPaEqb49cbqdENKM9ChIiokR4jhXn
mnkOI1NNYjq9BOeOZL7WyXyBAQW0Q9ONxP7NCEQQZWIMUGn7ZbIx1zmrlHTs
1rfYABCn1B21mIC+ZajC0NVai1/QeKfJq0f8XBLxnDbi598ZJppLUwulwYSK
TQJiAy/J7dlCQVZsjAth6pjzcV6AOkzfGSZbaJ6SHNiBSl3hPO3BNUZqqLl3
NkWiuVpMJJjGeXC3VGx9WsHWGSoX1YJF9qDDPzxP8wktltMsjHpDerRp91FO
Ac0Jch7FGlW12TfJIHPRUUv11AQ1kKBWyJlvNJupHmMzRuyD0cHoQAwS/7yl
Nytnv9lfpq6ViCU/plbbOpZal0Xsdhn4ppJgG2wC+8htlECf4Cu+EWYzbLaV
bVJoagyM4QOektSmAg2gWRGxSIfjHFiPGJpmZOFFhZlVDtngQ0eO61RSyDDH
kJZFQAFSB7GCXMP3c5h4JKZiXnuH9FkZjGm1IGBAoGYBKsNQeo1cB6m7yARQ
DR8VhhXhbN+aAADZLlsoCoDYxn+JZknWrpyaM9m6ZM4O5/Suk5QcbAxFjINx
DhqvGnsMzoC37VL2GKNNGeLa1HGCIwdK2w2FOp9SJJevpvmcy9e8LFSnNSEl
TDfTNBACDRgj+t1w8rBLjSPZ28LzqAhr5Dpk7ABXNDcabONH7rAxhQELFE4m
N3mnIccpgxhQD7BmQxscKF1NR7tSH0OcT+Qf8m9DW4DrFT6bYDefORwpRUFg
436zXhjOau2iqZTcJyxhNzMofOjT80VXCbpeGpNuXJbBaD7eTeCMZwk5pTye
1AiqGZ5QVyQKTS6UO3My1TBeQ4zSd32x+WLleJ5tlsSQC7UqdR2b71S75aWn
Ov+J6S4MS4upbbBL9Ea8RId7if6YiQbxNyOZBhotaL41tT1MOkBiDR6rt3k2
vZdK6tw5zAXinNxyVl8PTj8PchAty/bjksTBC+1XwrBofQr7Ir8h58nfJFHo
XuS4ghRT3tmJ1sWnJP3h7twv2hYm15twBaVs4JYyzIduRsWUTbdpJlGzzTFS
J1oy8VTejpOayDBhjwmW4OxGVxY0IbNqgDWRy7VkR5eczJPnFT5EIWNyEVs4
W1M7xV7MAX91Vr0MNFKn6J5eG0YLQEMmGcYqyCZgZkD035FYK2F7AGFuG/d4
gLGZB9sSZ9UORimNmL4/OuCkEvl+ODrYHbRgaMAG82lAdzJFge9w+gn7vWOl
8Uz8dI8PK4oms4/YcVLVnDc4CxETKBz0tma9a6fSAbthNW2aL4FgPKXCOzJP
pxs0Shtfn53wIVosCDwDlbXIqRytkdm6ITr9sZZEeh+tKD2QQGLTmaS9fZYA
amKtinXKgQyTIvPIa4q7RSJzEY4KWLCHgOLSFFpj9oPxW1JYKCdpmWQgyX4y
uR9AEyi2Pa9kiACWH8IR26gKhaMEZQyAMo3CF/Umv7Fk6JUwBq3hkOh8Mzjk
TAgSzl1rkaeMfYbxfmp1ymlDdAR1EaTnd6GgM3dcKkAhZb3mtAbWC6BD/ckv
c8IuyKBq5E2J6I6Dwpcm98ntOWL868o9EZcXEB07DvEgSegJTxcsIrbEbDJp
gN6vy2B0wAzJ4BjYazZSb2njVnPrSukkijD5lIPmXlakv4Y+IsEvKdzkcg1J
tGCXoyAMi6RLqizHpb8piQR8gYR5diyMShOsFOXeXyphtXFMS9Yc0pJsmfO7
OvVmUU9H2+2Z+34Se2nXSj5645rKzWtecKO4FrS0VnWBh1b6yGli2LDKNJVJ
/DQ/8oPHVCo+tWUf4l8ahe59oYjSQCS+i+cGktcXs+xVEpRaaFBPFli4NqvW
3Hs8myVzISimTss7KaRBVXXizCh9KnHBdNl9F/RHmHVgsk4G3CC8RHxJqPk2
2TMUrknorJY5MM6cGylgI3Ajh23YjvRP9tt9iDmSNzrVqMzbPub4UgnTPZvO
1RwgLkxeYtJCutIafhxyoJG5VbGkwDYfCXDDeIlwGRSnoUIAP5YfMrO2ZWV9
rVZsSNjRS20K86fJaUXGsej5Te6Fav/c518dOYhwT97IbbDxD8ccao4rRgzr
NiysaJE1c+8R26uFsvc8AYN450mLRb5WGJ3DzW3oRyMQBs2XkPDP5SIy8SBx
QIrOz5xIvNLDc6d4+TXyZ4K2zfcF2FiVL7uD9xGA0MvrBn+VAIxHo3Tsnlbn
HeB2h1lX6den2fJ+vebAc/ZJqi7VerXzMcRC8Vovtn3Pd2mkogCJZpw3Hl6j
VDI+EBu3FhWaOXa3DVqxJ37BaT2d7wESrg1UH4HYs9xjuyawVfq33yhEy7Vt
8RsUy1qq95KSMFmIdDQb9jF6EtWRSI15h1OJ3CkuDcc0k3LeKfLH11VpsilN
rpT/UqrPTJTJBIAHnus2+hWOoY5qQ+PL4bNurpDi8mzjh4+FjR2IcO2xrBab
kuqXXcyTCFNKuNEVtOJmS+g/YeXD41hBwSfq6vCo5FqBiPZaSIi3yshpVxva
sOGCM7DJGIR7U3T8UChMF0PZNAkxfiVFw8848s68MQfRBKWR1lUNo1+9uGSj
0XgogtbVuN7gLLOuAI6Pv8ynpOgoeD1S08NtJxThYk/DvETKL5vJjW+J7tg2
lJwfeuuS5UrHHGKlIAxxDPt6KqqMYucN8XmzlGUyN7pKErZnmiJfsInDnjsJ
UOHaT8kCheiGfUvkFhInfJdvRzRfs6nGATAfs6kBl+dnT5+eqjcXZ+XuXX0Q
MsfCdGfqFauI6J7Ad7uttqUFkX12Bx7ZGCTiEuqyH3YxtqNVXjgfU0n+KZZB
jExsxrBvkB0q5QQUJpmUFRzKvSK7JIHt3LIfwmr3GB8YMJwLEW21FJC0XRCA
dAV2kCjKhIMVVvrSK3O2WwiHPLKz7W5yqqoUiSIk7lbLSnMYewkjPL4isUX4
iO3ECS5oJdEiWtmkoaaCPvDlUpvirprtre40z873KIUviOt4nVIp1T4UWsAO
8ag+miwADpKKWxrLzDjLKG/WVlTy+hFnu8oAlFQTlGTUdPqAOKsVeSi86GXj
7W4yhNcGyDgbGpyL6mS2nfY+xre4AyCDHoyOfJp46R/Wo8UvayQCQyMGtCwA
0JHUg2MiExoVmFjoSmXCfVKDBtKyyNnS3gGLrUiCP7QFPOGCEvbEd1vlQ8tu
BUo2YEOv7emwy8rt7gyjGgq280JlZTiXKdFkHCq9kl9yClDPnlgTATiXBRl+
nV6i0ngomsEEXw1DyzNj1YkMVuMqNcnBBrdKPz+a1CQ2oFpdC0SBCPMGZatU
u+cSGPJMD/FlWo2mLluJu1lM6tM9+VkbpqsJrWB2kGenSkIa2jv4PMxIjjkK
T3jY4B2Mf85gcV1H5MJHZBHjx5tWnRgn3TNJfWngg2H8eLbWyHKJKJ/C/bEP
GXaG2JKSYgCA0hX9INTWswrUaH5XJeflSwKuvPaxZZSwMl3eoQS5nic+wEJU
ZSskCACLu3MLEpOml1D408MpmzhqM18pudwVUGIHpCoUZn814jyl8O7AKCF3
9+Igu4eUgbcoZZu7m5BmNhdj6041IGyEtIywI6kRx/KyY2DHtMoyD62IuyNW
pJ95UjifslS3oxvx7onlO6WukZ+pfWNefCcEAuX9EwynKEbGhroY5+lyqxAL
gVYAkO0fM4Esnw8ekEV0A3KuBEH/FprSZk5ybYxZEwflsTz2yO6rtuqMR+mr
19aPJAYLJ0IUNSXz/FU98QvzHeg+Kx3hhImEzb5u2KNOnAtBZ0zJ57MpGj6X
L6dAy0WSl623HxY6TAC1nX3FU+5VFvtYtqgLCrqgRsvoIK7LphO+0ztlc3uC
3FahSQrikbT24wYFh90ZmY3/zSbFNpwWW1KySOOniEhYrRhxjMQ4x7xKnC2h
PEq9vDRu02bu5Tm2GvbzUYKuTTMr8qzfNfRfUNKvizF2vAKTxLw7ly3jKPYC
xM1oVPONokECT+gXvcntmxzxBb2do5RBOBhLn4pEs1ru+8cbZiS7hUmfp5RW
7XqDYPL4W8qXJRzY+mrZsCXb+FvJ9t8YJONUZ3ZyMsHZjFOpvSGd3tyBaidl
t2BgGSeTGlkTA+3yGBOhzDSlSCNucS04KdLXDXgZIeVtWtRvV6BsYyiBN39r
3yOGu/T2EhOEHBOew6YZkJdEyLCYniqFid3ZPtn7B49A9+S+5JhFk682VAHX
bpaNDh3Xe9dn9La8EwhstYjApPAxbRWxQPMe3un/ub/Lzr2OBYJscQl/0nIl
tE3I+y8Jg5yqIh2VhEfK4wDcnf7x5fnFq2c4HRLb+/dnw5MR4O1sWKXlsJhN
Hx0ePpwk5S+/DPAly5ggcauOR/t0jjaPGd0eXTM4QLu37Hr2FGOSjn1kMDZU
pxlrE/Yp1dHpbt14EarG7m5qI8g5H1fNtH1XeNICqOth4i03DIQ4a1MnNPdk
YzuJbF+n6eE3MK6Gji5fQXFhTgNL9VBglHIrgI8o4/cL5KWDn2sTlWTtfF6O
S3FWO71i3ZRxdIJv0IRThwzx+xu077Sxgy3IcPd4d/RLINlcaLayDFqKwAZK
JdvP66Rg2nZwqQZZ5tpxwRB3pYKUdLFpnUZGSyIxiYXLXeXJ5NBwNc6mqI2I
v/O3vtRMFxt5nzFmd65iI+L8LoHOpkHeBUcM9srP6gWwoFQ1/n5WF1ZO/ww3
HQ3bf8q7TDd1mWU40tNj9Xf4U3RTw0Kz03k3WTh844JXL0G9zWMfEK0f/wWg
+LkJbnOZVvBhMKkPQK4FwlZ54FaoKvVtG3KdA2yBeOcAvT/9G6zkCYAxc+l2
FqoUnxgO/8J3ncYYLv+MlFLNLIILBziMAWrlusBkrgw5xHEEAu8tcE6SEFjM
BmRBfqQimlVAfSkaDsMUpHs5BOoJCpkwnRhZFKmPtBayntApk2ltSsV9cUA8
SSo4nWZU5tJzksO1zQcyKZN0gdckL1zEzFwWrWxFzRtjcdfxniVaBpYR/iRN
XckksgXlXj42s+Nw0pEiACMJvNJrdUp9T1pMwLv8q5F+QyjvkFr9fEJKJRlk
+DVA7Q4sxr+ft35DZNzSzgVwrilpnfjjl3M4VW1Hj+Yj0nnda6cb0tCrORUp
JMmCx+PdJn4L6sLB3IHePSRHLAZFTj22falIr++9P2KtRsd/7s+itNT9X3q9
t5wqxan0zPGTFTVTyL2OW2/lFffP6BX3yyhJuZNAab01CUoo2OiiwtyWGSA3
LkN69S65ihuDR06oSGIlgUAaT8SI+VMt+bnauI8BG8ZRgV43ybRaFOjKWyH6
nQHIk3ygTvQEpFKeYnXeaQGC7JtNNr2Gm19GQH4L9ZXGbWJX3SyBi1h59QQI
KF/Jl9d1Vq7zArN8XuaLCEvMnuT1NIqjBFZ6kaBaC5eiIkNf6EUOnE2dgLKc
JmuW71ewyw1Mk+FrvB1QwOhK9FqaZNXzubjkzHu452jhplS9R0RJMPnPOnKR
EL/qDk/12JRCAtS6j5T5zdS7zzW09JKLXdzK5o+DAkVkw9r4JXYIx75IgI5m
veUiWskqwZpMa1uHhO0h5lnXkl+CAQkcChhplvfsmL0lXx7BUvLHc0Qpaq/T
e05SQ12CrQv/Bg8k6eMF/Vryj6Ms7f1fg3b9MD+RAAA=

-->

</rfc>
