<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 2.7.0) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-core-oscore-key-limits-07" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Key Usage Limits for OSCORE">Key Usage Limits for OSCORE</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-key-limits-07"/>
    <author initials="R." surname="Höglund" fullname="Rikard Höglund">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>16440 Stockholm</code>
          <country>Sweden</country>
        </postal>
        <email>rikard.hoglund@ri.se</email>
      </address>
    </author>
    <author initials="M." surname="Tiloca" fullname="Marco Tiloca">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>16440 Stockholm</code>
          <country>Sweden</country>
        </postal>
        <email>marco.tiloca@ri.se</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Internet</area>
    <workgroup>CoRE Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 62?>

<t>Object Security for Constrained RESTful Environments (OSCORE) uses AEAD algorithms to ensure confidentiality and integrity of exchanged messages. Due to known issues allowing forgery attacks against AEAD algorithms, limits should be followed on the number of times a specific key is used for encryption or decryption. Among other reasons, approaching key usage limits requires updating the OSCORE keying material before communications can securely continue. This document defines how two OSCORE peers can follow these key usage limits and what steps they should take to preserve the security of their communications.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Constrained RESTful Environments Working Group mailing list (core@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/core/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/core-wg/oscore-key-limits"/>.</t>
    </note>
  </front>
  <middle>
    <?line 66?>

<section anchor="intro">
      <name>Introduction</name>
      <t>Object Security for Constrained RESTful Environments (OSCORE) <xref target="RFC8613"/> provides end-to-end protection of CoAP <xref target="RFC7252"/> messages at the application-layer, ensuring message confidentiality and integrity, replay protection, as well as binding of response to request between a sender and a recipient.</t>
      <t>OSCORE uses AEAD algorithms to provide confidentiality and integrity of messages exchanged between two peers. Due to known issues allowing forgery attacks against AEAD algorithms, limits should be followed on the number of times a specific key is used to perform encryption or decryption <xref target="I-D.irtf-cfrg-aead-limits"/>.</t>
      <t>The OSCORE specification <xref target="RFC8613"/> does not consider such key usage limits. However, should they be exceeded, an adversary may break the security properties of the used AEAD algorithm, such as message confidentiality and integrity, e.g., by performing a message forgery attack. This and other reasons require that peers who are approaching the key usage limits update the OSCORE keying material before communications can securely continue. This document defines what steps an OSCORE peer should take to preserve the security of its communications, by stopping the use of an OSCORE Security Context shared with another peer when approaching the key usage limits.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
        <t>Readers are expected to be familiar with the terms and concepts related to CoAP <xref target="RFC7252"/> and OSCORE <xref target="RFC8613"/>.</t>
      </section>
    </section>
    <section anchor="aead-key-usage-limits-in-oscore">
      <name>AEAD Key Usage Limits in OSCORE</name>
      <t>This section details how key usage limits for AEAD algorithms can be considered when using OSCORE. In particular, it discusses specific limits for common AEAD algorithms used with OSCORE; parameters to track associated with an OSCORE Security Context; and additions to the OSCORE message processing.</t>
      <section anchor="problem-overview">
        <name>Problem Overview</name>
        <t>The OSCORE security protocol <xref target="RFC8613"/> uses AEAD algorithms to provide integrity and confidentiality of messages, as exchanged between two peers sharing an OSCORE Security Context.</t>
        <t>When processing messages with OSCORE, each peer should follow specific limits as to the number of times it uses a specific key. This applies separately to the Sender Key used to encrypt outgoing messages, and to the Recipient Key used to decrypt and verify incoming protected messages.</t>
        <t>Exceeding these limits may allow an adversary to break the security properties of the AEAD algorithm, such as message confidentiality and integrity, e.g., by performing a message forgery attack.</t>
        <t>The following refers to the two parameters 'q' and 'v' introduced in <xref target="I-D.irtf-cfrg-aead-limits"/>, to use when deploying an AEAD algorithm.</t>
        <ul spacing="normal">
          <li>
            <t>'q': this parameter has as value the number of messages protected with a specific key, i.e., the number of times the AEAD algorithm has been invoked to encrypt data with that key.</t>
          </li>
          <li>
            <t>'v': this parameter has as value the number of alleged forgery attempts that have been made against a specific key, i.e., the number of failed decryptions that have occurred with the AEAD algorithm for that key.</t>
          </li>
        </ul>
        <t>When a peer uses OSCORE:</t>
        <ul spacing="normal">
          <li>
            <t>The key used to protect outgoing messages is its Sender Key from its Sender Context.</t>
          </li>
          <li>
            <t>The key used to decrypt and verify incoming messages is its Recipient Key from its Recipient Context.</t>
          </li>
        </ul>
        <t>Both keys are derived as part of the establishment of the OSCORE Security Context, as defined in <xref section="3.2" sectionFormat="of" target="RFC8613"/>.</t>
        <t>As mentioned above, exceeding specific limits for the 'q' or 'v' value can weaken the security properties of the AEAD algorithm used, thus compromising secure communication requirements.</t>
        <t>Therefore, in order to preserve the security of the used AEAD algorithm, OSCORE has to observe limits for the 'q' and 'v' values, throughout the lifetime of the used AEAD keys.</t>
        <section anchor="limits">
          <name>Limits for 'q' and 'v'</name>
          <t>Formulas for calculating the security levels, as Integrity Advantage (IA) and Confidentiality Advantage (CA) probabilities, are presented in <xref target="I-D.irtf-cfrg-aead-limits"/>. These formulas take as input specific values for 'q' and 'v' (see <xref target="problem-overview"/>) and for 'l', i.e., the maximum length of each message (in cipher blocks).</t>
          <t>For the algorithms shown in <xref target="algorithm-limits"/> that can be used as AEAD Algorithm for OSCORE, the main property to achieve is having IA and CA values which are no larger than p = 2^-64, which will ensure a safe security level for the AEAD Algorithm. This can be achieved by using the values q = 2^20, v = 2^20, and l = 2^10, that this document recommends using for these algorithms.</t>
          <t><xref target="algorithm-limits"/> also shows the resulting IA and CA probabilities enjoyed by the considered algorithms, when taking the value of 'q', 'v' and 'l' above as input to the formulas defined in <xref target="I-D.irtf-cfrg-aead-limits"/>.</t>
          <figure anchor="algorithm-limits">
            <name>Probabilities for algorithms based on chosen q, v and l values.</name>
            <artwork align="center"><![CDATA[
+------------------------+----------------+----------------+
| Algorithm name         | IA probability | CA probability |
|------------------------+----------------+----------------|
| AEAD_AES_128_CCM       | 2^-64          | 2^-66          |
| AEAD_AES_128_GCM       | 2^-97          | 2^-89          |
| AEAD_AES_256_GCM       | 2^-97          | 2^-89          |
| AEAD_CHACHA20_POLY1305 | 2^-73          | -              |
+------------------------+----------------+----------------+
]]></artwork>
          </figure>
          <t>When AEAD_AES_128_CCM_8 is used as AEAD Algorithm for OSCORE, the triplet (q, v, l) considered above yields larger values of IA and CA. Hence, specifically for AEAD_AES_128_CCM_8, this document recommends using the triplet (q, v, l) = (2^20, 2^14, 2^8). This is appropriate, since the resulting CA and IA values are not greater than the threshold value of 2^-50 defined in <xref target="I-D.irtf-cfrg-aead-limits"/>, and thus yields an acceptable security level. Achieving smaller values of CA and IA would require inconveniently reducing 'q', 'v' or 'l', with no additional security benefit since the threshold is already met, as further elaborated in <xref target="aead-aes-128-ccm-8-details"/>.</t>
          <figure anchor="l-values-as-bytes">
            <name>Maximum length of each message (in bytes)</name>
            <artwork align="center"><![CDATA[
+------------------------+----------+----------+-----------+
| Algorithm name         | l=2^6 in | l=2^8 in | l=2^10 in |
|                        | bytes    | bytes    | bytes     |
|------------------------+----------+----------|-----------|
| AEAD_AES_128_CCM       | 1024     | 4096     | 16384     |
| AEAD_AES_128_GCM       | 1024     | 4096     | 16384     |
| AEAD_AES_256_GCM       | 1024     | 4096     | 16384     |
| AEAD_AES_128_CCM_8     | 1024     | 4096     | 16384     |
| AEAD_CHACHA20_POLY1305 | 4096     | 16384    | 65536     |
+------------------------+----------+----------+-----------+
]]></artwork>
          </figure>
          <t>With regards to the limit for 'l', the recommended 'l' value for the algorithms shown in <xref target="algorithm-limits"/>, and for AEAD_AES_128_CCM_8, is 2^10 (16384 bytes) and 2^8 (4096 bytes) respectively. Considering a typical MTU size of 1500 bytes, and the fact that the maximum block size when using block-wise transfers with CoAP is 1024 bytes (see <xref section="2" sectionFormat="of" target="RFC7959"/>), it is unlikely that a larger size of 'l' than what is recommended makes sense to use in typical network setups.</t>
          <t>However, although under typical circumstances an 'l' limit of 2^8 (4096 bytes) is acceptable, exceptional cases can warrant a higher value of 'l'. For instance, Block-wise Extension for Reliable Transport (BERT) extends the CoAP Block-Wise transfer functionality, enabling use of larger messages over reliable transports such as TCP or WebSockets (see <xref target="RFC8323"/>). In case the OSCORE peers wish to take full advantage of BERT functionality and the large message sizes it allows for, the OSCORE peers must use higher values of 'l'. The maximum length of each message in bytes for different values of 'l' and different AEAD algorithms is shown in <xref target="l-values-as-bytes"/>.</t>
          <t>An alternative means of allowing for larger values of 'l', while still maintaining the security properties of the used AEAD algorithm, is to adjust the 'q' and 'v' values to compensate. In practice, this means reducing the value of 'q' and 'v' considering the new value of 'l', to ensure an acceptably low value of the IA and CA probabilities. A reasonable target for the IA and CA probability values is the threshold value of 2^-50 defined in <xref target="I-D.irtf-cfrg-aead-limits"/>.</t>
        </section>
      </section>
      <section anchor="context">
        <name>Additional Information in the Security Context</name>
        <t>In addition to what is defined in <xref section="3.1" sectionFormat="of" target="RFC8613"/>, the following parameters associated with an OSCORE Security Context can be used for keeping track of the expiration of that OSCORE Security Context and maintaining key usage below safe limits.</t>
        <section anchor="common-context">
          <name>Common Context</name>
          <t>The Common Context has the following associated parameter.</t>
          <ul spacing="normal">
            <li>
              <t>'exp': with value the expiration time of the OSCORE Security Context, as a non-negative integer. The parameter contains a numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds, analogous to what is specified for NumericDate in <xref section="2" sectionFormat="of" target="RFC7519"/>.  </t>
              <t>
At the time indicated by this parameter, a peer must stop using this Security Context to process any incoming or outgoing messages, and is required to establish a new Security Context to continue OSCORE-protected communications with the other peer. That is, the expiration of an OSCORE Security Context means that the current Sender Key must no longer be used for protecting outgoing messages, and the Recipient Key must no longer to decrypt and verify incoming messages.  </t>
              <t>
The value of 'exp' must be set upon installing the OSCORE Security Context, namely at time t_1, considering a lifetime value t_l. In particular, t_l can be a default value (potentially differing between the two peers sharing the OSCORE Security Context), or can be agreed by the two peers during the establishment of the OSCORE Security Context. For instance, this value may be stored and/or transported in the OSCORE LwM2M object <xref target="LwM2M"/>, or specified as part of an EDHOC Application Profile <xref section="3.9" sectionFormat="of" target="RFC9528"/> used when executing EDHOC to establish the OSCORE Security Context. Regardless of how the lifetime value is determined, the 'exp' parameter is set to indicate the point in time corresponding to t_1 offset by t_l.</t>
            </li>
          </ul>
        </section>
        <section anchor="sender-context">
          <name>Sender Context</name>
          <t>The Sender Context has the following associated parameters.</t>
          <ul spacing="normal">
            <li>
              <t>'count_q': a non-negative integer counter, keeping track of the current 'q' value for the Sender Key. At any time, 'count_q' has as value the number of messages that have been encrypted using the Sender Key. The value of 'count_q' is set to 0 when establishing the Sender Context.</t>
            </li>
            <li>
              <t>'limit_q': a non-negative integer, which specifies the highest value that 'count_q' is allowed to reach, before stopping using the Sender Key to process outgoing messages.  </t>
              <t>
The value of 'limit_q' depends on the AEAD algorithm specified in the Common Context, considering the properties of that algorithm. The value of 'limit_q' is determined according to <xref target="limits"/>.</t>
            </li>
          </ul>
          <t>Note for implementers: it is possible to avoid storing and maintaining the counter 'count_q'. Rather, an estimated value to be compared against 'limit_q' can be computed, by leveraging the Sender Sequence Number (SSN) of the peer and (an estimate of) the other peer's SSN. A possible method to achieve this is described in <xref target="estimation-count-q"/>. While this relieves peers from storing and maintaining the precise 'count_q' value, it results in overestimating the number of encryptions performed with a Sender Key. This in turn results in approaching 'limit_q' sooner and thus in performing a key update procedure more frequently.</t>
        </section>
        <section anchor="recipient-context">
          <name>Recipient Context</name>
          <t>The Recipient Context has the following associated parameters.</t>
          <ul spacing="normal">
            <li>
              <t>'count_v': a non-negative integer counter, keeping track of the current 'v' value for the Recipient Key. At any time, 'count_v' has as value the number of failed decryptions that have occurred for incoming messages using the Recipient Key. The value of 'count_v' is set to 0 when establishing the Recipient Context.</t>
            </li>
            <li>
              <t>'limit_v': a non-negative integer, which specifies the highest value that 'count_v' is allowed to reach, before stopping using the Recipient Key to process incoming messages.  </t>
              <t>
The value of 'limit_v' depends on the AEAD algorithm specified in the Common Context, considering the properties of that algorithm. The value of 'limit_v' is determined according to <xref target="limits"/>.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="oscore-message-processing">
        <name>OSCORE Message Processing</name>
        <t>To keep track of the 'q' and 'v' values and ensure that AEAD keys are not used beyond reaching their limits, OSCORE peers protect messages with OSCORE as defined in this section.</t>
        <t>A limitation that is introduced is that, in order to not exceed the selected value for 'l', the total size of the COSE plaintext <xref target="RFC9052"/>, authentication tag, and possible ciphertext padding for a message must not exceed the block size for the selected algorithm multiplied by 'l'. The size of the COSE plaintext is calculated as described in <xref section="5.3" sectionFormat="of" target="RFC8613"/>.</t>
        <t>If OSCORE peers need to transmit messages exceeding the maximum recommended size calculated from 'l', CoAP Block-Wise transfers <xref target="RFC7959"/> may be used to split content into smaller segments. The following steps can be adopted by a client or server to determine whether the usage of block-wise transfer is necessary for the transmission of a specific OSCORE protected message.</t>
        <ol spacing="normal" type="1"><li>
            <t>The CoAP message to transmit is first produced.</t>
          </li>
          <li>
            <t>The sum of the total size of the COSE plaintext, the length of the authentication tag, and the length of any potential ciphertext padding should be computed to produce a value T. It should be noted that the size of the padding and the length of the authentication tag depend on the used AEAD algorithm.</t>
          </li>
          <li>
            <t>If the value of T exceeds the 'l' value for the used AEAD algorithm, block-wise transfer is to be used with the CoAP message before protecting it with OSCORE.</t>
          </li>
        </ol>
        <t>The processing of CoAP messages with OSCORE follows the steps outlined in <xref section="8" sectionFormat="of" target="RFC8613"/>, with the additions defined below.</t>
        <section anchor="protecting-req-resp">
          <name>Protecting a Request or a Response</name>
          <t>Before encrypting the COSE object using the Sender Key, the 'count_q' counter is incremented.</t>
          <t>If 'count_q' exceeds the 'limit_q' limit, the message processing is aborted. From then on, the Sender Key must not be used to encrypt further messages.</t>
        </section>
        <section anchor="verifying-req-resp">
          <name>Verifying a Request or a Response</name>
          <t>If an incoming message is detected to be a replay (see <xref section="7.4" sectionFormat="of" target="RFC8613"/>), the 'count_v' counter is not incremented.</t>
          <t>If the decryption and verification of the COSE object using the Recipient Key fails, the 'count_v' counter is incremented.</t>
          <t>After 'count_v' has exceeded the 'limit_v' limit, incoming messages must not be decrypted and verified using the Recipient Key, and their processing must be aborted.</t>
        </section>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This document mainly covers security considerations about using AEAD keys in OSCORE and their usage limits, in addition to the security considerations of <xref target="RFC8613"/>.</t>
      <t>[TODO: Add more considerations.]</t>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC7252">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8613">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.irtf-cfrg-aead-limits">
          <front>
            <title>Usage Limits on AEAD Algorithms</title>
            <author fullname="Felix Günther" initials="F." surname="Günther">
              <organization>IBM Research Europe - Zurich</organization>
            </author>
            <author fullname="Martin Thomson" initials="M." surname="Thomson">
              <organization>Mozilla</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare</organization>
            </author>
            <date day="4" month="December" year="2025"/>
            <abstract>
              <t>   An Authenticated Encryption with Associated Data (AEAD) algorithm
   provides confidentiality and integrity.  Excessive use of the same
   key can give an attacker advantages in breaking these properties.
   This document provides simple guidance for users of common AEAD
   functions about how to limit the use of keys in order to bound the
   advantage given to an attacker.  It considers limits in both single-
   and multi-key settings.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-aead-limits-11"/>
        </reference>
        <reference anchor="RFC7519">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7519"/>
          <seriesInfo name="DOI" value="10.17487/RFC7519"/>
        </reference>
        <reference anchor="RFC7959">
          <front>
            <title>Block-Wise Transfers in the Constrained Application Protocol (CoAP)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="Z. Shelby" initials="Z." role="editor" surname="Shelby"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a RESTful transfer protocol for constrained nodes and networks. Basic CoAP messages work well for small payloads from sensors and actuators; however, applications will need to transfer larger payloads occasionally -- for instance, for firmware updates. In contrast to HTTP, where TCP does the grunt work of segmenting and resequencing, CoAP is based on datagram transports such as UDP or Datagram Transport Layer Security (DTLS). These transports only offer fragmentation, which is even more problematic in constrained nodes and networks, limiting the maximum size of resource representations that can practically be transferred.</t>
              <t>Instead of relying on IP fragmentation, this specification extends basic CoAP with a pair of "Block" options for transferring multiple blocks of information from a resource representation in multiple request-response pairs. In many important cases, the Block options enable a server to be truly stateless: the server can handle each block transfer separately, with no need for a connection setup or other server-side memory of previous block transfers. Essentially, the Block options provide a minimal way to transfer larger representations in a block-wise fashion.</t>
              <t>A CoAP implementation that does not support these options generally is limited in the size of the representations that can be exchanged, so there is an expectation that the Block options will be widely used in CoAP implementations. Therefore, this specification updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7959"/>
          <seriesInfo name="DOI" value="10.17487/RFC7959"/>
        </reference>
        <reference anchor="RFC8323">
          <front>
            <title>CoAP (Constrained Application Protocol) over TCP, TLS, and WebSockets</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="S. Lemay" initials="S." surname="Lemay"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="B. Silverajan" initials="B." surname="Silverajan"/>
            <author fullname="B. Raymor" initials="B." role="editor" surname="Raymor"/>
            <date month="February" year="2018"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP), although inspired by HTTP, was designed to use UDP instead of TCP. The message layer of CoAP over UDP includes support for reliable delivery, simple congestion control, and flow control.</t>
              <t>Some environments benefit from the availability of CoAP carried over reliable transports such as TCP or Transport Layer Security (TLS). This document outlines the changes required to use CoAP over TCP, TLS, and WebSockets transports. It also formally updates RFC 7641 for use with these transports and RFC 7959 to enable the use of larger messages over a reliable transport.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8323"/>
          <seriesInfo name="DOI" value="10.17487/RFC8323"/>
        </reference>
        <reference anchor="RFC9052">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="RFC9528">
          <front>
            <title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios, and a main use case is to establish an Object Security for Constrained RESTful Environments (OSCORE) security context. By reusing CBOR Object Signing and Encryption (COSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding, and Constrained Application Protocol (CoAP) for transport, the additional code size can be kept very low.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9528"/>
          <seriesInfo name="DOI" value="10.17487/RFC9528"/>
        </reference>
        <reference anchor="LwM2M" target="http://www.openmobilealliance.org/release/LightweightM2M/V1_2-20201110-A/OMA-TS-LightweightM2M_Core-V1_2-20201110-A.pdf">
          <front>
            <title>Lightweight Machine to Machine Technical Specification - Core, Approved Version 1.2, OMA-TS-LightweightM2M_Core-V1_2-20201110-A</title>
            <author>
              <organization>Open Mobile Alliance</organization>
            </author>
            <date year="2020" month="November"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 230?>

<section anchor="aead-aes-128-ccm-8-details">
      <name>Detailed considerations for AEAD_AES_128_CCM_8</name>
      <t>For the AEAD_AES_128_CCM_8 algorithm when used as AEAD Algorithm for OSCORE, larger IA and CA values are achieved, depending on the value of 'q', 'v' and 'l'. <xref target="algorithm-limits-ccm8"/> shows the resulting IA and CA probabilities enjoyed by AEAD_AES_128_CCM_8, when taking different values of 'q', 'v' and 'l' as input to the formulas defined in <xref target="I-D.irtf-cfrg-aead-limits"/>.</t>
      <t>As shown in <xref target="algorithm-limits-ccm8"/>, it is especially possible to achieve the lowest IA = 2^-50 and a good CA = 2^-70 by considering the largest possible value of the (q, v, l) triplet equal to (2^20, 2^14, 2^8), while still keeping a good security level. Note that the value of 'l' does not impact the IA, while CA displays good values for every considered value of 'l'.</t>
      <figure anchor="algorithm-limits-ccm8">
        <name>Probabilities for AEAD_AES_128_CCM_8 based on chosen q, v and l values.</name>
        <artwork align="center"><![CDATA[
+-----------------------+----------------+----------------+
| 'q', 'v' and 'l'      | IA probability | CA probability |
|-----------------------+----------------+----------------|
| q=2^20, v=2^20, l=2^8 | 2^-44          | 2^-70          |
| q=2^15, v=2^20, l=2^8 | 2^-44          | 2^-80          |
| q=2^10, v=2^20, l=2^8 | 2^-44          | 2^-90          |
| q=2^20, v=2^15, l=2^8 | 2^-49          | 2^-70          |
| q=2^15, v=2^15, l=2^8 | 2^-49          | 2^-80          |
| q=2^10, v=2^15, l=2^8 | 2^-49          | 2^-90          |
| q=2^20, v=2^14, l=2^8 | 2^-50          | 2^-70          |
| q=2^15, v=2^14, l=2^8 | 2^-50          | 2^-80          |
| q=2^10, v=2^14, l=2^8 | 2^-50          | 2^-90          |
| q=2^20, v=2^10, l=2^8 | 2^-54          | 2^-70          |
| q=2^15, v=2^10, l=2^8 | 2^-54          | 2^-80          |
| q=2^10, v=2^10, l=2^8 | 2^-54          | 2^-90          |
|-----------------------+----------------+----------------|
| q=2^20, v=2^20, l=2^6 | 2^-44          | 2^-74          |
| q=2^15, v=2^20, l=2^6 | 2^-44          | 2^-84          |
| q=2^10, v=2^20, l=2^6 | 2^-44          | 2^-94          |
| q=2^20, v=2^15, l=2^6 | 2^-49          | 2^-74          |
| q=2^15, v=2^15, l=2^6 | 2^-49          | 2^-84          |
| q=2^10, v=2^15, l=2^6 | 2^-49          | 2^-94          |
| q=2^20, v=2^14, l=2^6 | 2^-50          | 2^-74          |
| q=2^15, v=2^14, l=2^6 | 2^-50          | 2^-84          |
| q=2^10, v=2^14, l=2^6 | 2^-50          | 2^-94          |
| q=2^20, v=2^10, l=2^6 | 2^-54          | 2^-74          |
| q=2^15, v=2^10, l=2^6 | 2^-54          | 2^-84          |
| q=2^10, v=2^10, l=2^6 | 2^-54          | 2^-94          |
+-----------------------+----------------+----------------+
]]></artwork>
      </figure>
    </section>
    <section anchor="estimation-count-q">
      <name>Estimation of 'count_q'</name>
      <t>This section defines a method to compute an estimate of the counter 'count_q' (see <xref target="sender-context"/>), hence not requiring a peer to store it in its own Sender Context.</t>
      <t>This method relies on the fact that, at any point in time, a peer has performed <em>at most</em> ENC = (SSN + SSN*) encryptions using its own Sender Key, where:</t>
      <ul spacing="normal">
        <li>
          <t>SSN is the current value of this peer's Sender Sequence Number.</t>
        </li>
        <li>
          <t>SSN* is the current value of the other peer's Sender Sequence Number. That is, SSN* is an overestimation of the responses without Partial IV that this peer has sent.</t>
        </li>
      </ul>
      <t>Thus, when protecting an outgoing message (see <xref target="protecting-req-resp"/>), the peer aborts the message processing if the estimated est_q &gt; limit_q, where est_q = (SSN + X) and X is determined as follows.</t>
      <ul spacing="normal">
        <li>
          <t>If the outgoing message is a response, X is the Partial IV specified in the corresponding request that this peer is responding to. Note that X &lt; SSN* always holds.</t>
        </li>
        <li>
          <t>If the outgoing message is a request, X is the highest Partial IV value marked as received in this peer's Replay Window plus 1, or 0 if it has not accepted any protected message from the other peer yet. Note that, also in this case, X &lt; SSN* always holds.</t>
        </li>
      </ul>
    </section>
    <section anchor="sec-document-updates" removeInRFC="true">
      <name>Document Updates</name>
      <section anchor="sec-06-07">
        <name>Version -06 to -07</name>
        <ul spacing="normal">
          <li>
            <t>Added missing references.</t>
          </li>
          <li>
            <t>Revised content.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-05-06">
        <name>Version -05 to -06</name>
        <ul spacing="normal">
          <li>
            <t>Minor revision.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-04-05">
        <name>Version -04 to -05</name>
        <ul spacing="normal">
          <li>
            <t>Editorial updates.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-03-04">
        <name>Version -03 to -04</name>
        <ul spacing="normal">
          <li>
            <t>Various editorial updates.</t>
          </li>
          <li>
            <t>Improved references.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-02-03">
        <name>Version -02 to -03</name>
        <ul spacing="normal">
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-01-02">
        <name>Version -01 to -02</name>
        <ul spacing="normal">
          <li>
            <t>Updated references.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-00-01">
        <name>Version -00 to -01</name>
        <ul spacing="normal">
          <li>
            <t>Extended discussion on setting the lifetime of OSCORE Security Contexts.</t>
          </li>
          <li>
            <t>Mention adjusting the 'q' and 'v' values to compensate for a larger 'l' value.</t>
          </li>
          <li>
            <t>Specify how to perform pre-calculation of message size to determine need for block-wise.</t>
          </li>
          <li>
            <t>Cover exceptional cases where the 'l' value needs to be larger than 2^8.</t>
          </li>
          <li>
            <t>Note on relevance of 'l' limit considering maximum block size and typical MTU.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-00">
        <name>Version -00</name>
        <ul spacing="normal">
          <li>
            <t>Editorial improvements.</t>
          </li>
          <li>
            <t>Extended terminology.</t>
          </li>
          <li>
            <t>Recommendation on limits for CCM_8. Details in Appendix.</t>
          </li>
          <li>
            <t>Example of method to estimate and not store 'count_q'.</t>
          </li>
          <li>
            <t>Split out material from Key Update for OSCORE draft into this new document.</t>
          </li>
        </ul>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors sincerely thank <contact fullname="Christian Amsüss"/>, <contact fullname="Carsten Bormann"/>, <contact fullname="John Preuß Mattsson"/>, <contact fullname="Göran Selander"/> and <contact fullname="Rafa Marin-Lopez"/> for their feedback and comments.</t>
      <t>The work on this document has been partly supported by VINNOVA and the Celtic-Next projects CRITISEC and CYPRESS; and by the H2020 project SIFIS-Home (Grant agreement 952652).</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA81cW3cbN5J+56/AkR9sZ9g0SV0sadZ7lpaVWDuW5BVlJ9nx
jE+zCZIdNRtMd5M0x9b+lf0X87Rv+WNbFwANdPMiJ9k98cmJqFYDKNTlq0JV
gUEQNBanYr/RKOIikafiL3Il3uXhWIo38TQucjFSmbjun13fnDfCwSCTi+3v
DFWUhlOYaJiFoyKIZTEKIpXJQOX0406ugoRGBUlYyLxoNB6JvAjT4ccwUSkM
LLK5bDTiWUYf86Lbbp+0u40wk+GpuEgLmaWyaCzHp+JM3ZyL71V2F6dj8V2m
5rPG3bJ8J3iFJDSisDgVcTpSjXw+mMZ5Hqu0WM1gpYvz228bjUgNYfypmAOl
x41GOC8mKjttCPoX6J8CZshPxU1LvP7ln+Nkng7tH3i7N/FdmA3rf1UZTH1z
0T8XvZf2YV5kUgJVF3k4+kllw3wcAgdEt2vfiOJiBYyOgTPlMzWEhfrnQefo
4KAt+oWK7iYqmTovzNMig3H9pRzK1D6X0zBOTkVGJLYmiij8tyxu5XL9Ni9b
4jZOVBRWNnkZZpGq/ukPtMMp0tcqiD69v0aqsmlYxAuJIr359qzb6Zzoj8+7
h1398bjz/MB8POrsn4ICgsY4Iy+CV604Q2UeZeMglOFQq7GZ67Cc9uTQfDze
7+7rjydtu9jJYfcYP75ZXnYvWdN8rSOWXs9kKi7VIE6k6CVJHKYRi0tb6pt4
PCmWEv8PgokmcSpFoezHWxlN0jgKE9GfySgewccCNF8EYDaZbIrebJaphRyK
9zJDkxCdVrcpri97wW0/cOYGEj/iiOB952M36La77U6n0w56RMoQTPhU4MOg
02HiwmyMgp8Uxez02bPlctlSsJEp7SPU22jBBp9lEh7k8pm/1rPKMs8eTlFr
Nhw1GjItULOAmP75m29Pxd5fgePBD/Dvb3uNRhAEIhyAdoYRIM/14CcZFaIv
o3kGgwjHzlSKfwYWDsXNef92NE/EebqIM5VOYe5cPGGkeyrmucxF77z3SoTJ
WMEEk2mOEpBpPs8k6Go6iodITpjg5ABxYF2FHNNSaiTkp2gSpmNYZypzhNO8
JV7NSYh3qVqmArBqDksA19QSIQ7IG8sMZiqKMLqDP4yBzLyo0tAUrJkin6h5
MhQDCSNxDlgJ5FxMpEjn04HMkIginuISItdKIgCgYWHc3JD4IdMoW81IdeC3
oTS/tURvqoAoBfNlAsA5B8Y1RYhqRSo4pqnm5Cc0QZn8eR5nsN58BpqDryAx
zE98G5+AyckMWAZkw/LIxul0nmrtzUUEKJKjvGSyQhbDLHMJcDUBmsH3zFFG
QOUI5JeLiVqKYqnMCjMJqk4zMD9w9VzWyURJLSdhASgmZzm+tTK8LMI7EtAM
diGzhaQN5EZ/kJ8TGWcVolusd9N4OEwk+jvwUJkaziPi6iPx+VGMD+5/q0J+
/qzh6/5eoHGD9uUgv2FQqAB+4LNC8qJA6ZnqveUhiIMwxGgh6BdtC0SZ6C2A
r17JrMmqTVLid7creRMEPoORzsKgILlYyiTBn4M4RdeLxAA7Z7BP4i1qCQQG
oABg8ICBoJxAPSgZTh7Cn6N4FsOSwFYt2E2WqJmw2xTt1kubNKuj/pDi/NGM
E/cnM3RSG20UxLvRb93fA/9uS/PLPS/hqtJQARGpKpCNeYyCyOfRpGY2EBrB
LhaoJsZY0HBgg8BUCe56CMIHaQ7hlTwETk1BMyCgDO98IwKhwb6KGBZle+Lt
+nxsMg2gRA/URNkat5pisDI8Q5GFdrAvPA0nOIOHbga/gCgwEUaT5UQJCE09
3EOaa6BCkCf/jwHPQS0Y5sDeg/ELSfUpIK7lhZrNzN5AHvhquYLFK8CqQn4C
EibAEwBREBW8xkwkMpYTNOgdvALFfPQIAhiUkkrUeCUeIUgW5YN7Vl0cuMTo
Uuxdvuvf7jX5p7i6ps835//x7uLm/BV+7r/uvXljP5g3+q+v3715VX4qR55d
X16eX73iwfBUVB5d9n7ca5KK7F2/vb24vuq92QN9g/24ckHNAG6DDaAqZsD1
AtgCWgvIHGXxQKKOipdnb0XngG0Ow1OwObY/CErhM/KMl1Ip6AD/SrYFjJRh
hlMADIGmzOIiTHLCWJA3gBTwXQI3b8DsUVmRHPkJDL1g/EDwCacxBGUZywql
gWxm5Qdti+SM/Dae1WhIzWvgi1oNHNBAEbLJ1g6LsVEblCEwK9cuaSgLCOLZ
adesBx1hFeDRMgbSohLqG2rXPEe94iVa4GrFLAQ0ieZJCMgUg63EeTTP0WNY
WHUWQd0HYqprEQQRi3jiP+OscCYqkK3AFgwo74DvuYpiYpVW/U0W8md2ZsNh
zFaOU5TIYGAJzCSCj7AfNom3mRokciquAUIXsVyCUcz4UaD0o3sf1B1QhcOU
Sjxg3+U2SxeptcEDWMdtksZtcZ2EB4S4GxkCG/wepVduuXTKDt8ByAE4PEjT
sVxVmKFlatWfgg7Qzn2/akAfgx7UDYkCLhB09TR9DkL+QqrJxqD9rlDzYqxc
ktlc9cAbE7B4Y7WXphdBdvEIPHsK2ofT6HjJPRk0GufkRTVm5tYy0ItSEOI7
V7Tuh/jW/0+3yqrJ8sIXMzky5oO4g9pSGtXjnx/TYo8Xj0Ws42WGy61BTROn
QwdFWDCE+FOttOb5WwVqvsFFThmy7cpiEpLyLMJkLiv6YzWyFBDbuadJgDIt
2Wqu1b06y2m9AZpLnC7Una9YEDKEBpnBs6OaEtmLryIb1EOO+ThnxCGniOs0
6SSEMIAImIKXsHHrQ/Y0AsCGecuA051SRaB0NgpYs3GEW2dbZP4hmzbZJ1v8
KW741kYJOvBl/tcND6NjtArHWEeZmrrPSsCpz7vNKKtL+GZtVykflwu9hAgI
12EPDETECw4D0DUZS4QjTzhI4nxCkYN+uAEtmxxDjOhQSCbR1150v9XFsa4j
7qE1p/hXXHQAnqKpQ3Lc1joniCuj/cFHND/WKXS3S0AUmX4dphBzUXPmFFnC
69OY8J2jWj/aNCE2nWwZMDIKi5u4TQj1QIA7jt/rjwuakRN2C2rAw9fs2WAO
bTpHujM1H4Or4UNxEo8kmnJ9MZQvuelHblrcnfLzI41Sjca3gJUQkeiYI0ww
PLEJEbuhBI5TOp67sL64N1yEaYHw+uSi95QmP6uAtPPKGbyCMUI4gDAPhdQk
HSQGpsUDABX9IrqbkaGYjhAhxnEz4IlVH+ZXbc9PcilhgVqYcs+U0+vJYxde
puGneDqfwubTMZgNJsrQ5Ruf8gQIBgvDE8UgUXDSftoidnLKooxjOACm3dmn
dlOMOzqAJBGGOhLqefBkgg6mK06NspN/xRMMCAjxAAAPhXfRY3H0DDeWkxjd
KTA8VSLB1ChBHswjXoju34Ojg6Z+ZxlDBK8zhwC94aiqBlZJfTJ12KK3okka
okfmOBhHaGJ+pjW77aZY2E9IbkK/ddpN5op/gskk2icgZ64n1GTkLrNBAmu5
DIcRRYJgxwc6N08Kn1GebgIDflIrJh8HOKG9m0Eh1w5q6O0PFQUUr0laR9qX
PGa0K5VVRxpWlT0E3Z4p+a/yX+NPwYZ/tT/UHzS+OCqGVRVTwhBfkCslO1bw
4KzyoPHl16/8BVcG1fnYO+9/7HSPP56dXdqVSRWFQwo+OHIeVAd/5w8+eV4Z
fHyyYXD38OjXDT573YP/uu2Pb6/f/NjZbx/yu8/33cGB8P59+W2icmX++VQ8
qmo4V2Je7L31dBgNxMGhQZhzai+aKIBc8TOaH5sd22VrDwACgt/sLgD0Hqcv
9iJE5mzvXsdEuP0PyLwPyPoPKLgPH49tHnA3chVZPEtkIZ7g2k2RPPUMi0xk
FcsETFxDlAYMsChrqC3xGoJScMM2T5gkK3ssr5PX3IUj6wl7IZ4wMAEgHeD/
j59qhOOzGcBvhgdsoAMCM1mBlTOm9sLiLyNvIcZwFCoM9tLKExg1UXB8tOAB
ynTYfjAk6BMeBjWad3j8ijBfAlFcFbxbokfITGHPFONxl8kl2Us60Zo0I4ae
6UKmGE0Cs0Fa8whnsDBnnCdF2OBhTD4hTMr1BzKFLRUOv8q9I08TYM1wBe6V
g8rRPKNsnUxAMbLQRgi0+VDmAcg4iKJpcBzohM2vgsf1H7fDY/Ki+/cjpIY/
HpcfO236DIM3/PsCHqUAZm/8+EBsdT66r2/F1k67e6A/HrRPjszTo/3jg93Y
+lWDq9j61SsD2QAsXzl4HTCvG/FFHB0e7h99BTBvVJIqMCcBG1MQ5gGLVCPz
5e5Ykt5/ug2D0bgyOQ4xz6wjCEKBMnhlFNIAJzn0YFwZfWVg2rRR8SZYBZsl
hX/CjGXyaRSaxBPivH6IRTU8FgIArVpUR0TM5xRNsZpRc8Dl7TuAhn8QAnYO
220ea9AN88NRYeLCMjanyJvHOTlXehosYyzjZWGaU3aHsImyxkA5KRVLSB8M
zLnVnFqxeQIOB5SpRQ+XJvEdJeGQhNA4KEMxMpownQofce5JYQoHFUzk6bIi
JoUwQa83nkqSN/y9mM8wgrXVqzApJnjkg8XpuKkHRHEGvgxblSJJaI+LsyKQ
96gwH7HVugM+cM80NkchpjfoPB1mwCjc2CQeT4xT0DtrCTzWYDImJM/7smTv
+acCtoV8Q1W5kUlMTucWuT5TGXjUl+c3t09h1YJcLsqOZMBzfO+KCCA/jZgy
TumlmIYAceoyj2a5TX/gEQ4rArxkYZbMberw9uwteqbv5aAPi8nCylo3xIB4
KS+PbHCTHLqgFucTMjM8Zo7mWCm2p1mgBvflU2xVlQi1to0qQrleSo5SWNas
rzad55QN9vifWwHc7j6PGgghSQzjEXAU4x1vIiKx/Fs15R57oFADM07iYI0H
+9qoIwlWB7br3J6tP9fDN44OJthClBd4wsRDLHjttJZqeGDVNSYIDIc/Id/W
p0zwBczzgIJC+MAVGGy3iVGHKShk4m04Uz3C2fkiB7Eo8SiXnoE0nW4bN/qC
oEs5b+LQDQdOiMt0cZeVmZqXLGivG7Qyu4zz3yeQ5MpOr4zcLkzjmUq5oCjr
9VUsh0b8GTzURWojP+SIwcIN+cGOlx9s6hOxUSMnA//wapaXSUHu3UnJ1WIq
i5kE56dZnIWm/YQAfdN8yHZXVct64EBSsQfzI06x+BGMpLqdzyB8FJR8uiUU
9N6jfKDHAGfXlhecdAf6H58yK8osu7MpNy24LW8bQqieBilEFGTKVE2BNQhs
ynw+ko2ZeHwdjlCZSbFhTw0n76xZ2Hw8WLNCuKdkdOfkeTtod+C/23b7lP77
T/Hu9gzcGkABWz+f5WCr+Bz7E57hJsDMx6kis0tkODPTYlAQJmqs5rmrZuUk
KPkrpvUV9jp4imcd/CEWuIGjEAb2GEOIcdgLFBHbKfnj1jaapixAaI2tCPYM
Ged15eH6AFYRgWAngQ/UbSjUxba1g6svJhOPvAfMWbeC6cTQkg7KilClf8NW
P8ouCBQ18a65xi62WBnjpg3GqLySFm6tgxiEqUaVoiNwTdL0YCEjNpQra7XK
ynQPLJCwbG89VEfb4ekG6HTA584I3oDTSVJpBKwbDR4EkxX1paGqFBASNz3v
EJZ5eW2aHz4mteI/PrSZUoTHcJ5oTy2ezIA9lECHhdhVU0hrStmmQOmVs7cQ
DREsZfZ5sXEmy6xmOc9wbqf5mupPNTAkM+BtUE8VOntFuZ10+Ax9mYnR2Bk4
M1MHslDcdfj5M/2KPgEGlWbt1KlgO+evXl+fYfew6Q3EroQRRhiukznR1o6t
ztxpoLsz5CfYDGkhT+SZ29Y939ARLEGzhrkn3L5ZlTu5PW4U4qKT1LpXAiu1
nJANG8ih12ZgEQWxB2eLVMYtiVxwV6RzsO4Ih6IcUb/Y8/hlRfI83K9Y8TyV
9x7meXJ2PdT3/uEjVqvXew/ujEeoXOt6DVRgdOUfTEvwaCEcI2CyCyjXfFBF
vFJK1gVs2EqZ7XOX8tGhXKoUTlvri1GOyixuFfcxRQLb2GOqLEapmfUU8+eF
3RjswCcl1I2Z1JQKQX/T9OjZdrh1u3MdUA1q14GjJR/7Fei8pjtBK4XU0iS1
FfvBTLMWMFeDejxCu4Wj9UR4NoRRtcqMFcDppAxbrwAxSY/i6Syhii3o66k+
uM9UnscUU8NxYaHiIWESd2IMa8cQrb0O+8HeQ3SY1DMKQoqnZBhaVIobv6Yz
ajM0LQvOHmxv2HQ2LxAJBpyJzcJxRWB97DbG1OgVK/WTfv/qqbEbijqQ4CcO
FfDHpxWP/hjCkP4VnibsvsF8J2ro1gkLncb2ev8+f9bTxhSqwu6Dn7Ho+j0d
2mgInrVhfK6dBgV325g5ww5pONI6ukxso5wKJ8upCw8P8mbxWihZthTnpren
7HbxLTmm2Yp5lrqzu02ejmBypVLNU0qeY03VbR2iSJ9bZcmGhni4m6LNjagv
HDPhGnhrnRaEvbY9vAK/9bd/DQIvfjMCL6oI7IVcG0B4sRWEH9aGQ5Zaa2Yp
AaxCx1qEXjwEodd1wJQgvZmDXw3Si68GaT+8dXD6QUGs3cEfAKcXD8dpMBUd
VF3qnNXbssnyEViHIpX19XVNXgd/1dkWItF2vdgyG4V5A7mCsIlloTcYZ/qw
3vSzb6aNa12nZ6XDqXBahTEdxhPqg7c+ibptgmwCftcQksiNTzr3lfCJrbRH
m80vVIFFNJ1mJhle94HsBLEWwYOymXinj3L2c3gDDg86IC7CMZ+orDPghhUa
OMNUjc7XlZ2S+qTl0eck2Q1WWJJLZZti7RN7Vul8YbOWW0indhHuOFrTjF5G
8Yet/Wor2cXIF2Aq2fDohIGZcPciTdmtanOobnqeKHQIIb9GAtiUqc514zmV
CMxRx7Tu5cADuqKCxzhUBWUrrbkccz8ZcaaEe74oYc5oQzXT2YdQRAmBBB6D
sE9MH321rSHskefnLKlOTK8pfiCnU4mWhh25RoaaV3QPmc5UZQ+V4W21/Rc4
32HiiTVGaVzGw1KjOAMlmmkTgDFdrQrAeK0Ju9Salb/MdFPpaoNy+2+iz7JH
6HX6Xt53MkGZxl+kFpjARngLh/bCeRdMgqxBpzxcys3EdVrWU61B22D2mvQ2
sGwf1h/5GelbrcvsjuqlvbV58g3awIFreZmgqIpUuy4nWQOydVBR91A7XfLm
Jt9aDGVdZ8pZ2+FAktSzwseVnLAlrryhYLCYErA6AntbkhmCb+Vre4RrN+Y+
H93cKbcTQBAX4MkaorKXvFcTaWqoIIXUGYl1pyt9qC9jW3N2IAcQcesoqf+F
d7L0hWjjUfqkG/xqty4ovBhQ4qQlvkV8QqUSiu/frEm8FS4imSZu01LhhBbI
vPeUPtvJu4V5zWXdBaViqkGLiQic6z2huYJZKbc+bx14In/qs3XhsRX3VWMt
vu7cNLQJQWNxLr7UxFnpncY2km0E+Iv3Ru5RUYfG5o6hJ9+FlW898HUlpvfB
GTO9DS914dFr4S/OvOsqOrtpFAZvQLlZLIr4OCmsbz7Z5ig8wdHtvgVlF82g
yBuEE88NE8vYy16ncqhyr05RCOSWh7yyX2UJEJp/ievDX2+vX12fYn2KT2H+
gNaHv9F95t5Vr7JFvtYcpuF9dbMorVTxmDByL0gPIP7E6V5RYxGl0r0pTVtE
pV8FV9rSnlR2B29opCtjKd3LsLOpTtdZa+2+dBFUt+A2tb8hjE5rRU6vT7W1
phcEd4Gp01/ZPrupfcTtnV1bra610P4OzbO9rV0veqem5YOaVjgP7yWRbBZF
YnkX0RLY8EJXW/lq+Fgp4go9fY69LLWjFokOwyQztVcmLhsRTWsiADPEM7B+
rS/RL6ybQ78motr+R7kyG8a4RezyenU8nXGzDVaezeywm2GcI4TnPLPTZ4/5
rJXby+l1jzysKe9hLcs1rdDNXb++Y/lhDcs/v9AN6/on9/1R4+9BtV8Z5O00
/vLYzuHDxh6vG/vAdU/WjDU04/ru2JPK2G007xq7jeZdY7fSfOCNPWxXxm6l
ecfYrTTvGLuVZl9Gh1+jG7vGbqV5x9gKzb+7LRxtsoWDNTQfPmzs8bqxD1z3
ZM3Yqi0cbbKFLTTvGruN5l1jt9J84I2t28I2mneM3UrzjrFbafZlVLeFbTTv
GLuV5h1jfZp/iz/adS+DAorNlzPWhJC/6ZLGI3FuSzhlshwPlxiZrinv1L74
gL+8I3RqRjpHIvyy04ZamTncVcrOeKibUGkLowtucOEQhcpamCDDNgEKu1K6
u4ohWq2+esste0QZlaJs2tv2BjexNYMzQE4R3bbtYMRf1pA+wrtTlRcfxfnV
GV746PevxJ+wfvbhm6de3YmPOhXC6AC2xGuhdDMYB+tWPFNicSK6OLflubXV
vpae4sM3WyapFvrWz1T29Nj5Qr/GVh6KzbcdcbIGT3VvsU0Fm//ei/ISnmVe
zt92dDuZm9tvToIIV6lUmZ1bl7W8iznqc2lzQJ27m7If9mKyrr7CJ9A38a/C
5E+0JMwfrDB/4I70H6o1itxkpIjxOotQox5ZZ3nU5FnwRYdJtRKL37BhvkKq
wksqpjpdHW5c/oP4Fy25MFlitI1NnQ+ik5ZyyDQVK4dc05yT3TEXMhlJugNu
Khtat244WfN9nA7VUsySeS461I3TRmHE5vBc6F5XSlis6vlizqX7mitWsnD2
2+TLmWZ97MVubuYBnMnN8f0dFWdz3ecSBeZcH3DVFs7bn08zOQXFj9NsFN1T
/cl8x2DQPkLcCdrPObmFE7SP4Nd75HNvSG37MWsffTsEWhgL4UYu4pxzAgWb
gzfvIc975Mx7CL/SvJdxqrBlHSbg6pE38oBHHjojD+BXGnk+jLHQDkLUu6sO
3ufBB87gffiVBr8Psxh7JeWaSUCppvr7F719epN3efJ9Z/Iu/FqhLOaJzI15
b4YOz9B1ZujArzQDC3Lb+m0e3XFGY0cpr083C7DqzF+nQ+iG31RV2Eyue1V+
Q1cXs+KSv51At5Wb4bs6y3UFTedibF6eIZ3gYcVdYuX3pM0yGdjL9gzH7nUB
v8pDtS1co8zl09xndAGifp+DkdCvEaSccqZUrHv9G04MNBeZI33rQSIX2Mxn
kgJ8r8RNXqy5ekMJv/IeT118jty2K40jT+dbtrTd6ZKdZlnqfmkCZ5VaOmNH
ycjejLJen/SsIfYGMaNNbGMDGqQfwYzDEKf3h0WI9Tz0jfYL0gjV6PukuEGk
TMnxtw1z1Y/wDNt2DTLxd1FF+LV9iRxyKZCThv4zRC5uqpDDF3sjwEe5p5tH
+OtZc75Emen7SOkduNjPZ5Mshg3h98tM81/+J8/vMZWFfwizHHgqXmI3f5qa
x/+uJtgyKee//Le4DIsiz5X923e//DMLMdJJQowx7vXXa8FfbsJRiF+/G6fB
GzWT/8A/6QJUnIkRqNmAvoAq5f7j8tszBF1yUtUvJrNfOoOdnbCdfD7TDaKD
lXh/cXV1/b5nK2tnMiniKLiicl6mMJefi7Obi9uL/vkZZyJ/fHtz3u/zt1rp
NtfX+M2s5n3Rv/j2oh+8VgAHT77jO0/YFEvEnBx2jw67T1uN/wUd93W4jloA
AA==

-->

</rfc>
