<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 2.7.0) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-core-oscore-key-update-14" category="std" consensus="true" submissionType="IETF" updates="8613" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Key Update for OSCORE (KUDOS)">Key Update for OSCORE (KUDOS)</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-key-update-14"/>
    <author initials="R." surname="Höglund" fullname="Rikard Höglund">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>16440 Stockholm</code>
          <country>Sweden</country>
        </postal>
        <email>rikard.hoglund@ri.se</email>
      </address>
    </author>
    <author initials="M." surname="Tiloca" fullname="Marco Tiloca">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>16440 Stockholm</code>
          <country>Sweden</country>
        </postal>
        <email>marco.tiloca@ri.se</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <workgroup>CoRE Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 84?>

<t>Communications with the Constrained Application Protocol (CoAP) can be protected end-to-end at the application-layer by using the security protocol Object Security for Constrained RESTful Environments (OSCORE). Under some circumstances, two CoAP endpoints need to update their OSCORE keying material before communications can securely continue, e.g., due to approaching key usage limits. This document defines Key Update for OSCORE (KUDOS), a lightweight key update procedure that two CoAP endpoints can use to update their OSCORE keying material by establishing a new OSCORE Security Context. Accordingly, this document updates the use of the OSCORE flag bits in the CoAP OSCORE Option as well as the protection of CoAP response messages with OSCORE. Also, it deprecates the key update procedure specified in Appendix B.2 of RFC 8613. Therefore, this document updates RFC 8613.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Constrained RESTful Environments Working Group mailing list (core@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/core/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/core-wg/oscore-key-update"/>.</t>
    </note>
  </front>
  <middle>
    <?line 88?>

<section anchor="intro">
      <name>Introduction</name>
      <t>The security protocol Object Security for Constrained RESTful Environments (OSCORE) <xref target="RFC8613"/> provides end-to-end protection at the application-layer for messages exchanged with the Constrained Application Protocol (CoAP) <xref target="RFC7252"/>. In particular, OSCORE ensures message confidentiality and integrity, replay protection, and binding of response to request between a sender and a recipient.</t>
      <t>Under some circumstances, two CoAP endpoints using OSCORE may need to update their shared keying material in order to ensure that their communications remain secure. Among other reasons, approaching key usage limits <xref target="I-D.irtf-cfrg-aead-limits"/><xref target="I-D.ietf-core-oscore-key-limits"/> requires updating the OSCORE keying material before communications can securely continue.</t>
      <t>This document defines Key Update for OSCORE (KUDOS), a lightweight key update procedure that two CoAP endpoints can use to update their OSCORE keying material by establishing a new OSCORE Security Context.</t>
      <t>Accordingly, this document updates <xref target="RFC8613"/> as follows:</t>
      <ul spacing="normal">
        <li>
          <t>With reference to the "OSCORE Flag Bits" registry defined in <xref section="13.7" sectionFormat="of" target="RFC8613"/> as part of the "Constrained RESTful Environments (CoRE) Parameters" registry group, it updates the entries with Bit Position 0 and 1 (see <xref target="sec-iana"/>), both of which were originally marked as "Reserved".  </t>
          <t>
In particular, it defines and registers the usage of the OSCORE flag bit with Bit Position 0, as the one intended to expand the space for the OSCORE flag bits in the OSCORE Option (see <xref target="ssec-oscore-option-extensions"/>). Also, it marks the bit with Bit Position of 1 as "Unassigned".</t>
        </li>
        <li>
          <t>It updates the protection of CoAP responses with OSCORE that was originally specified in <xref section="8.3" sectionFormat="of" target="RFC8613"/>, as defined in <xref target="sec-updated-response-protection"/> of this document.</t>
        </li>
        <li>
          <t>It deprecates the key update procedure specified in <xref section="B.2" sectionFormat="of" target="RFC8613"/>, as intended to be superseded by KUDOS.</t>
        </li>
      </ul>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

<t>Readers are expected to be familiar with the terms and concepts related to CoAP <xref target="RFC7252"/>, Observe <xref target="RFC7641"/>, Concise Binary Object Representation (CBOR) <xref target="RFC8949"/>, OSCORE <xref target="RFC8613"/>, and Ephemeral Diffie-Hellman Over COSE (EDHOC) <xref target="RFC9528"/>.</t>
        <t>This document additionally defines the following terminology.</t>
        <ul spacing="normal">
          <li>
            <t>FS mode: the KUDOS execution mode that achieves forward secrecy (see <xref target="ssec-derive-ctx"/>).</t>
          </li>
          <li>
            <t>No-FS mode: the KUDOS execution mode that does not achieve forward secrecy (see <xref target="no-fs-mode"/>).</t>
          </li>
          <li>
            <t>Equilibrium: The situation where a peer has no execution of KUDOS currently ongoing with the other KUDOS peer for updating one of their OSCORE Security Contexts.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-current-methods">
      <name>Current Methods for Rekeying OSCORE</name>
      <t>Two peers communicating using OSCORE may choose to renew their shared keying information by establishing a new OSCORE Security Context for a variety of reasons. A particular reason is the approaching limits that have been set for safe key usage <xref target="I-D.ietf-core-oscore-key-limits"/>. Practically, when the relevant limits are reached for an OSCORE Security Context, the two peers have to establish a new OSCORE Security Context, in order to continue using OSCORE for secure communication. That is, the two peers must establish new Sender and Recipient Keys, which are the keys actually used by the AEAD algorithm.</t>
      <t>In addition to approaching key usage limits, there may be other reasons for a peer to initiate a key update procedure. These include: the OSCORE Security Context approaching its expiration time; application policies prescribing a regular key rollover; approaching the exhaustion of the Sender Sequence Number space in the OSCORE Sender Context.</t>
      <t>It is <bcp14>RECOMMENDED</bcp14> that the peer initiating the key update procedure starts it with some margin, i.e., well before actually experiencing the trigger event that forces it to perform a key update (e.g., the OSCORE Security Context expiration or the exhaustion of the Sender Sequence Number space). If the rekeying is not initiated ahead of these events, it may become practically impossible to perform a key update with certain methods and/or without aborting ongoing message exchanges.</t>
      <t>Other specifications define a number of ways for rekeying OSCORE, which are summarized below.</t>
      <ul spacing="normal">
        <li>
          <t>The two peers can run the procedure defined in <xref section="B.2" sectionFormat="of" target="RFC8613"/>. That is, the two peers exchange three or four messages that are protected with temporary Security Contexts, thus adding randomness to the OSCORE ID Context.  </t>
          <t>
As a result, the two peers establish a new OSCORE Security Context with new ID Context, Sender Key, and Recipient Key, while keeping the same OSCORE Master Secret and OSCORE Master Salt from the old OSCORE Security Context.  </t>
          <t>
This procedure does not require any additional components to what OSCORE already provides and it does not provide forward secrecy.  </t>
          <t>
The procedure defined in <xref section="B.2" sectionFormat="of" target="RFC8613"/> is used in 6TiSCH networks <xref target="RFC7554"/><xref target="RFC8180"/> when handling failure events. That is, a node acting as Join Registrar/Coordinator (JRC) assists new devices, namely "pledges", to securely join the network as per the Constrained Join Protocol <xref target="RFC9031"/>. In particular, a pledge exchanges OSCORE-protected messages with the JRC, from which it obtains a short identifier, link-layer keying material and other configuration parameters. As per <xref section="8.3.3" sectionFormat="of" target="RFC9031"/>, a JRC that experiences a failure event may likely lose information about joined nodes, including their assigned identifiers. Then, the reinitialized JRC can establish a new OSCORE Security Context with each pledge, through the procedure defined in <xref section="B.2" sectionFormat="of" target="RFC8613"/>.</t>
        </li>
        <li>
          <t>The two peers can use the OSCORE profile <xref target="RFC9203"/> of the Authentication and Authorization for Constrained Environments (ACE) Framework <xref target="RFC9200"/>.  </t>
          <t>
When a CoAP client uploads an access token to a CoAP server as an access credential, the two peers also exchange two nonces. Then, the two peers use the two nonces together with information provided by the ACE authorization server that issued the access token, in order to derive an OSCORE Security Context.  </t>
          <t>
This procedure does not provide forward secrecy.</t>
        </li>
        <li>
          <t>The two peers can run the EDHOC key exchange protocol based on Diffie-Hellman and defined in <xref target="RFC9528"/>, in order to establish a shared pseudo-random secret key in a mutually authenticated way.  </t>
          <t>
Then, the two peers can use the established pseudo-random key to derive external application keys. This allows the two peers to securely derive an OSCORE Master Secret and an OSCORE Master Salt, from which an OSCORE Security Context can be established.  </t>
          <t>
This procedure additionally provides forward secrecy.  </t>
          <t>
EDHOC also specifies an optional function, namely EDHOC_KeyUpdate, to perform a key update in a more efficient way than re-running EDHOC. The two communicating peers call EDHOC_KeyUpdate with equivalent input, which results in the derivation of a new shared pseudo-random secret key. Usage of EDHOC_KeyUpdate preserves forward secrecy.  </t>
          <t>
Note that EDHOC may be run standalone or as part of other workflows, such as when using the EDHOC and OSCORE profile of ACE <xref target="I-D.ietf-ace-edhoc-oscore-profile"/>.</t>
        </li>
        <li>
          <t>If one peer is acting as LwM2M Client and the other peer as LwM2M Server, according to the OMA Lightweight Machine to Machine Core specification <xref target="LwM2M"/>, then the LwM2M Client peer may take the initiative to bootstrap again with the LwM2M Bootstrap Server, and again receive an OSCORE Security Context. Alternatively, the LwM2M Server can instruct the LwM2M Client to initiate this procedure.  </t>
          <t>
If the OSCORE Security Context information on the LwM2M Bootstrap Server has been updated, the LwM2M Client will thus receive a fresh OSCORE Security Context to use with the LwM2M Server.  </t>
          <t>
The LwM2M Client, the LwM2M Server, and the LwM2M Bootstrap server are also required to use the procedure defined in <xref section="B.2" sectionFormat="of" target="RFC8613"/> and overviewed above, when they use a certain OSCORE Security Context for the first time <xref target="LwM2M-Transport"/>.</t>
        </li>
      </ul>
      <t>Manually updating the OSCORE Security Context at the two peers should be a last resort option, and it might often be not practical or feasible.</t>
      <t>Even when any of the alternatives mentioned above is available, it is <bcp14>RECOMMENDED</bcp14> that two OSCORE peers update their Security Context by using the KUDOS procedure as defined in <xref target="sec-rekeying-method"/> of this document.</t>
    </section>
    <section anchor="sec-updated-response-protection">
      <name>Updated Protection of Responses with OSCORE</name>
      <t>The protection of CoAP responses with OSCORE is updated, by adding the following text at the end of step 3 of <xref section="8.3" sectionFormat="of" target="RFC8613"/> as well as before the text "Then, go to 4." of <xref section="8.3.1" sectionFormat="of" target="RFC8613"/>.</t>
      <blockquote>
        <t>If the server is using a different Security Context for the response compared to what was used to verify the request (e.g., due to an occurred key update), then the server <bcp14>MUST</bcp14> take the second alternative. That is, the server <bcp14>MUST</bcp14> include its Sender Sequence Number as Partial IV in the response and use it to build the AEAD nonce to protect the response.</t>
        <t>This prevents the server from using the same AEAD (key, nonce) pair for two responses, protected with different OSCORE Security Contexts.</t>
        <t>An exception is the procedure in <xref section="B.2" sectionFormat="of" target="RFC8613"/>, which is secure although not complying with the above. The reason is that, in that procedure, the server uses the new OSCORE Security Context only and solely to protect the outgoing response (response #1), and no other message is protected with that OSCORE Security Context. Other procedures where that holds would also remain secure.</t>
      </blockquote>
    </section>
    <section anchor="sec-rekeying-method">
      <name>Key Update for OSCORE (KUDOS)</name>
      <t>This section defines KUDOS, a lightweight procedure that two OSCORE peers can use to update their keying material and establish a new OSCORE Security Context.</t>
      <t>Hereafter, this document refers to two specific peers that run KUDOS to update specifically one OSCORE Security Context that they share with each other.</t>
      <t>KUDOS relies on the OSCORE Option defined in <xref target="RFC8613"/> and extended as defined in <xref target="ssec-oscore-option-extensions"/>, as well as on the support function updateCtx() defined in <xref target="ssec-update-function"/>.</t>
      <t>In order to run KUDOS, two peers exchange OSCORE-protected CoAP messages. The key update procedure is described in detail in <xref target="ssec-derive-ctx"/>, with particular reference to the stateful FS mode providing forward secrecy. The possible use of the stateless no-FS mode is described in <xref target="no-fs-mode"/>, as intended to peers that cannot write in non-volatile memory. Two peers <bcp14>MUST</bcp14> run KUDOS in FS mode if they are both capable of doing so.</t>
      <t>The key update procedure has the following properties:</t>
      <ul spacing="normal">
        <li>
          <t>It can be initiated by either peer.</t>
        </li>
        <li>
          <t>The new OSCORE Security Context enjoys forward secrecy, unless the no-FS mode is used (see <xref target="no-fs-mode"/>).</t>
        </li>
        <li>
          <t>The same ID Context value used in the old OSCORE Security Context (if set) is preserved in the new OSCORE Security Context.</t>
        </li>
        <li>
          <t>The same Sender and Recipient IDs used in the old OSCORE Security Context are preserved in the new OSCORE Security Context.</t>
        </li>
        <li>
          <t>It is robust against a peer rebooting and loss of state, avoiding the reuse of AEAD (nonce, key) pairs also in such cases.</t>
        </li>
        <li>
          <t>It typically completes in one round trip by exchanging two OSCORE-protected CoAP messages. The two peers achieve mutual key confirmation in a following exchange, which is protected with the newly established OSCORE Security Context.</t>
        </li>
      </ul>
      <section anchor="ssec-oscore-option-extensions">
        <name>Extensions to the OSCORE Option</name>
        <t>This document extends the use of the OSCORE Option originally defined in <xref target="RFC8613"/> as follows:</t>
        <ul spacing="normal">
          <li>
            <t>This document defines the usage of the eighth least significant bit, called "Extension-1 Flag", in the first byte of the OSCORE Option containing the OSCORE flag bits. The registration of this flag bit in the "OSCORE Flag Bits" registry is specified in <xref target="iana-cons-flag-bits"/>.  </t>
            <t>
When the Extension-1 Flag is set to 1, the second byte of the OSCORE Option <bcp14>MUST</bcp14> include the OSCORE flag bits 8-15.</t>
          </li>
          <li>
            <t>This document defines the usage of the least significant bit "Nonce Flag", 'd', in the second byte of the OSCORE Option containing the OSCORE flag bits 8-15. The registration of this flag bit in the "OSCORE Flag Bits" registry is specified in <xref target="iana-cons-flag-bits"/>.  </t>
            <t>
When it is set to 1, the compressed COSE object contains a field 'x' and a field 'nonce', to be used for the steps defined in <xref target="ssec-derive-ctx"/>. In particular, the 1 byte 'x' following 'kid context' (if any) includes the size of the following field 'nonce' and signaling bits that indicate specific behavior during KUDOS execution.  </t>
            <t>
Hereafter, a message is referred to as a "KUDOS message", if and only if the second byte of flags is present and the 'd' bit is set to 1. If that is not the case, the message is referred to as a "non KUDOS message".  </t>
            <t>
The encoding of the 'x' field is as follows:  </t>
            <ul spacing="normal">
              <li>
                <t>The four least significant bits encode the 'nonce' size in bytes minus 1, namely 'm'.</t>
              </li>
              <li>
                <t>The fifth least significant bit is the "No Forward Secrecy" 'p' bit. The sender peer indicates its wish to run KUDOS in FS mode or in no-FS mode, by setting the 'p' bit to 0 or 1, respectively.      </t>
                <t>
This makes KUDOS possible to run also for peers that cannot support the FS mode. At the same time, two peers <bcp14>MUST</bcp14> run KUDOS in FS mode if they are both capable of doing so, as per <xref target="ssec-derive-ctx"/>. The execution of KUDOS in no-FS mode is defined in <xref target="no-fs-mode"/>.</t>
              </li>
              <li>
                <t>The sixth least significant bit is the "Preserve Observations" 'b' bit. The sender peer indicates its wish to preserve or terminate the ongoing observations with the other peer beyond the KUDOS execution, by setting the 'b' bit to 1 or 0, respectively. The related processing is defined in <xref target="preserving-observe"/>.</t>
              </li>
              <li>
                <t>The seventh least significant bit is the 'z' bit, which has the following meaning:      </t>
                <ul spacing="normal">
                  <li>
                    <t>If the bit 'z' is set to 0, the present message is a "divergent" KUDOS message, i.e., it is protected with a temporary OSCORE Security Context and indicates that the sender peer is moving away from "equilibrium".          </t>
                    <t>
That is, the sender peer is offering its own nonce in the 'nonce' field of the message and is waiting to receive the other peer's nonce.</t>
                  </li>
                  <li>
                    <t>If the bit 'z' is set to 1, the present message is a "convergent" KUDOS message, i.e., it is protected with the newly established OSCORE Security Context and indicates that the sender peer is attempting to return to "equilibrium".          </t>
                    <t>
That is, the sender peer is offering its own nonce in the 'nonce' field of the message, has received the other peer's nonce, and is going to wait for key confirmation (as a pre-condition to return to equilibrium).</t>
                  </li>
                </ul>
              </li>
              <li>
                <t>The eight least significant bit is reserved for future use. This bit <bcp14>SHALL</bcp14> be set to 0 when not in use. According to this specification, if this bit is set to 1, the following applies:      </t>
                <ul spacing="normal">
                  <li>
                    <t>If the message is a request, it is considered to be malformed and decompression fails as specified in item 2 of <xref section="8.2" sectionFormat="of" target="RFC8613"/>.</t>
                  </li>
                  <li>
                    <t>If the message is a response, it is considered to be malformed, decompression fails as specified in item 2 of <xref section="8.4" sectionFormat="of" target="RFC8613"/>, and the client <bcp14>SHALL</bcp14> discard the response as specified in item 8 of <xref section="8.4" sectionFormat="of" target="RFC8613"/>.</t>
                  </li>
                </ul>
              </li>
            </ul>
          </li>
        </ul>
        <t><xref target="fig-oscore-option"/> shows the extended OSCORE Option value, with the presence of the 'x' and 'nonce' fields.</t>
        <figure anchor="fig-oscore-option">
          <name>The Extended OSCORE Option Value</name>
          <artwork align="center"><![CDATA[
 0 1 2 3 4 5 6 7  8   9   10  11  12  13  14  15 <----- n bytes ----->
+-+-+-+-+-+-+-+-+---+---+---+---+---+---+---+---+---------------------+
|1|0|0|h|k|  n  | 0 | 0 | 0 | 0 | 0 | 0 | 0 | d | Partial IV (if any) |
+-+-+-+-+-+-+-+-+---+---+---+---+---+---+---+---+---------------------+

 <------ 1 byte ------> <----- s bytes ------>
+----------------------+----------------------+
|      s (if any)      | kid context (if any) |
+----------------------+----------------------+

 <----- 1 byte ------> <--- m + 1 bytes --->
+---------------------+---------------------+------------------+
|     x (if any)      |   nonce (if any)    |   kid (if any)   |
+---------------------+---------------------+------------------+
|                     |
|   0 1 2 3 4 5 6 7   |
|  +-+-+-+-+-+-+-+-+  |
|  |0|z|b|p|   m   |  |
|  +-+-+-+-+-+-+-+-+  |
]]></artwork>
        </figure>
      </section>
      <section anchor="ssec-update-function">
        <name>Function for Security Context Update</name>
        <t>This section defines the updateCtx() function shown in <xref target="function-update"/>, which takes as input the three parameters input1, input2, and CTX_IN.</t>
        <t>In particular, input1 and input2 are built from the 'x' and 'nonce' fields transported in the OSCORE Option value of the exchanged KUDOS messages (see <xref target="ssec-oscore-option-extensions"/>), while CTX_IN is the OSCORE Security Context to update through the KUDOS execution. The function returns a new OSCORE Security Context CTX_OUT.</t>
        <figure anchor="function-update">
          <name>Functions for Deriving a new OSCORE Security Context</name>
          <artwork align="left"><![CDATA[
function updateCtx(input1, input2, CTX_IN):

 // Output values
 CTX_OUT       // The new Security Context
 MSECRET_NEW   // The new Master Secret
 MSALT_NEW     // The new Master Salt

 // Define the label for the key update
 Label = "key update"

 // Create CBOR byte strings from input1 and input2
 input1_cbor = create_cbor_bstr(input1)
 input2_cbor = create_cbor_bstr(input2)

 // Concatenate the CBOR-encoded input1 and input2
 // according to their lexicographic order
 X_N = is_lexicographically_shorter(input1_cbor, input2_cbor) ?
       (input1_cbor | input2_cbor) : (input2_cbor | input1_cbor)

 // Set the new Master Salt to X_N
 MSALT_NEW = X_N

 // Determine the length in bytes of the current Master Secret
 oscore_key_length = length(CTX_IN.MasterSecret)

 // Create the new Master Secret using KUDOS_Expand_Label
 MSECRET_NEW = KUDOS_Expand_Label(CTX_IN.MasterSecret, Label,
                                  X_N, oscore_key_length)

 // Derive the new Security Context CTX_OUT, using
 // the new Master Secret, the new Master Salt,
 // and other parameters from CTX_IN
 CTX_OUT = derive_security_context(MSECRET_NEW, MSALT_NEW, CTX_IN)

 // Return the new Security Context
 return CTX_OUT

=== === === === === === === === === === === === === === === === === ===

function KUDOS_Expand_Label(master_secret, Label, X_N, key_length):

 struct {
     uint16 length = key_length;
     opaque label<7..255> = "oscore " + Label;
     opaque context<0..255> = X_N;
 } ExpandLabel;

 return KUDOS_Expand(master_secret, ExpandLabel, key_length)
]]></artwork>
        </figure>
        <t>The updateCtx() function builds the two CBOR byte strings input1_cbor and input2_cbor, whose values are the input parameter input1 and input2, respectively. Then, it builds X_N as the byte concatenation of input1_cbor and input2_cbor.</t>
        <t>In order to be agnostic of the order according to which the nonce values were exchanged, the binary representations of input1_cbor and input2_cbor are sorted in lexicographical order before they are concatenated. That is, with | denoting byte concatenation, X_N <bcp14>MUST</bcp14> take input1_cbor | input2_cbor if input1_cbor comes before input2_cbor in lexicographical order, or input2_cbor | input1_cbor otherwise.</t>
        <t>After that, the updateCtx() function derives the new values of the Master Salt and Master Secret for the Security Context CTX_OUT. In particular, the new Master Salt takes X_N as value. Instead, the new Master Secret is derived through a KUDOS-Expand step that is invoked through the KUDOS_Expand_Label() function. The latter takes as input the Master Secret value from the Security Context CTX_IN, the literal string "key update", X_N, and the length of the Master Secret in bytes.</t>
        <t>The definition of KUDOS-Expand depends on the key derivation function used for OSCORE by the two peers, as specified in CTX_IN. If the key derivation function is an HKDF Algorithm (see <xref section="3.1" sectionFormat="of" target="RFC8613"/>), then KUDOS-Expand is mapped to HKDF-Expand <xref target="RFC5869"/>, as shown below. In particular, the hash algorithm is the same one used by the HKDF Algorithm specified in CTX_IN.</t>
        <artwork align="left"><![CDATA[
KUDOS-Expand(CTX_IN.MasterSecret, ExpandLabel, key_length) =
   HKDF-Expand(CTX_IN.MasterSecret, ExpandLabel, key_length)
]]></artwork>
        <t>If a future specification updates <xref target="RFC8613"/> by admitting different key derivation functions than HKDF Algorithms (e.g., KMAC based on the SHAKE128 or SHAKE256 hash functions), that specification has to also update the present document in order to define the mapping between such key derivation functions and KUDOS-Expand.</t>
        <t>When an HKDF Algorithm is used, the derivation of new values follows the same approach used in TLS 1.3, which is also based on HKDF-Expand (see <xref section="7.1" sectionFormat="of" target="RFC8446"/>) and is used for computing new keying material in case of key update (see <xref section="4.6.3" sectionFormat="of" target="RFC8446"/>).</t>
        <t>After that, the newly computed Master Secret and Master Salt are used to derive a new Security Context CTX_OUT, as per <xref section="3.2" sectionFormat="of" target="RFC8613"/>. Any other parameter required for that derivation takes the same value as in the Security Context CTX_IN.</t>
        <t>Note that the following holds for the newly derived CTX_OUT:</t>
        <ul spacing="normal">
          <li>
            <t>In its Sender Context, the Sender Sequence Number is initialized to 0 as per <xref section="3.2.2" sectionFormat="of" target="RFC8613"/>.</t>
          </li>
          <li>
            <t>If the peer that has derived CTX_OUT supports CoAP Observe <xref target="RFC7641"/>, the Notification Number used for the replay protection of Observe notifications (see <xref section="7.4.1" sectionFormat="of" target="RFC8613"/>) is left as not initialized.</t>
          </li>
        </ul>
        <t>Finally, the updateCtx() function returns the newly derived Security Context CTX_OUT.</t>
        <t>Note that, thanks to the input parameters input1 and input2 provided to the updateCtx() function, the derivation of CTX_OUT also takes as input the information from the 'x' field conveyed in the OSCORE Option value of the exchanged KUDOS messages. In turn, this ensures that a successfully completed KUDOS execution has occurred as intended by the two peers.</t>
      </section>
      <section anchor="ssec-derive-ctx">
        <name>Key Update</name>
        <t>When using KUDOS as described in this section, forward secrecy is achieved for the new OSCORE keying material that results from the KUDOS execution, as long as the original OSCORE keying material was also established with forward secrecy. For peers that are unable to store information to persistent memory, <xref target="no-fs-mode"/> provides an alternative approach that does not achieve forward secrecy but allows also such very constrained peers to perform a key update.</t>
        <t>A peer can run KUDOS for active rekeying at any time, or for a variety of more compelling reasons. These include the (approaching) expiration of the OSCORE Security Context, approaching the limits for the corresponding key usage <xref target="I-D.ietf-core-oscore-key-limits"/>, the enforcement of application policies, and the (approaching) exhaustion of the OSCORE Sender Sequence Number space.</t>
        <t>The expiration time of an OSCORE Security Context and the key usage limits are hard limits. Once reached, a peer <bcp14>MUST</bcp14> stop using the keying material in the OSCORE Security Context for exchanging application data with the other peer and has to perform a rekeying before resuming secure communication.</t>
        <t>Before starting KUDOS, the two peers share the OSCORE Security Context CTX_OLD. In particular, CTX_OLD is the most recent OSCORE Security Context that a peer has with the other peer, before initiating the KUDOS procedure or upon having received and successfully verified a divergent KUDOS message. During an execution of KUDOS, a temporary OSCORE Security Context CTX_TEMP is also derived.</t>
        <t>Once successfully completed a KUDOS execution, the two peers agree on a newly established OSCORE Security Context CTX_NEW that replaces CTX_OLD. In particular, CTX_NEW is the most recent OSCORE Security Context that a peer has with the other peer, before sending a convergent KUDOS message to the other peer or upon having received and successfully verified a convergent KUDOS message from that other peer. CTX_OLD can be safely deleted upon receiving key confirmation from the other peer, i.e., upon gaining knowledge that the other peer also has CTX_NEW.</t>
        <t>The following specifically defines how KUDOS is run in its stateful FS mode achieving forward secrecy. That is, in the OSCORE Option value of all the exchanged KUDOS messages, the "No Forward Secrecy" 'p' bit is set to 0.</t>
        <t>In order to run KUDOS in FS mode, both peers have to be able to write in non-volatile memory. From the newly derived Security Context CTX_NEW, the peers <bcp14>MUST</bcp14> store to non-volatile memory the immutable parts of the OSCORE Security Context as specified in <xref section="3.1" sectionFormat="of" target="RFC8613"/>, with the possible exception of the Common IV, Sender Key, and Recipient Key that can be derived again when needed, as specified in <xref section="3.2.1" sectionFormat="of" target="RFC8613"/>. If either or both peers are unable to write in non-volatile memory, the two peers have to run KUDOS in its stateless no-FS mode (see <xref target="no-fs-mode"/>).</t>
        <section anchor="ssec-nonces-x-bytes">
          <name>Nonces and X Bytes</name>
          <t>When running KUDOS, each peer contributes by generating a nonce value N1 or N2 and providing it to the other peer. The size of the nonces N1 and N2 is application specific and the use of 8 byte nonce values is <bcp14>RECOMMENDED</bcp14>. The nonces N1 and N2 <bcp14>MUST</bcp14> be random values, with the possible exception described later in <xref target="key-material-handling"/>. Note that a good amount of randomness is important for the nonce generation. <xref target="RFC4086"/> provides guidance on the generation of random values.</t>
          <t>In the following, X1 and X2 denote the value of the 'x' field specified in the OSCORE Option value of a KUDOS message. From one peer's point of view, X1 and N1 are generated by that peer, while X2 and N2 are obtained from the other peer.</t>
          <t>In a KUDOS message, the sender peer sets the X1 value based on: the length of N1 in bytes, the specific settings that the peer wishes to run KUDOS with, and the message being divergent or convergent. During the same KUDOS execution, all the KUDOS messages sent by a peer <bcp14>MUST</bcp14> have the same value of the bit 'b' in the 'x' field conveying X1.</t>
          <t>N1, N2, X1, and X2 are used by the peers to build the 'input1' and 'input2' values provided as input to the updateCtx() function, in order to derive an OSCORE Security Context (see <xref target="ssec-update-function"/>). As for any newly derived OSCORE Security Context, the Sender Sequence Number and the Replay Window are re-initialized accordingly (see <xref section="3.2.2" sectionFormat="of" target="RFC8613"/>).</t>
          <t>Specifically, the input to updateCtx() is built as follows, where | denotes byte concatenation:</t>
          <ul spacing="normal">
            <li>
              <t>When deriving CTX_TEMP to protect a divergent outgoing message, input1 is X1 | N1 and input2 is 0x, where 0x denotes the empty byte string.</t>
            </li>
            <li>
              <t>When deriving CTX_TEMP to unprotect a divergent incoming message, input1 is X2 | N2 and input2 is 0x.</t>
            </li>
            <li>
              <t>When deriving CTX_NEW to protect or unprotect a convergent message, input1 is X1 | N1 and input2 is X2 | N2.</t>
            </li>
          </ul>
          <t>For any divergent KUDOS message, the sender peer's (X, nonce) are included in the 'x' and 'nonce' field of the OSCORE Option value, respectively. Also, both peers use those as input to updateCtx() for deriving CTX_TEMP, which is used to protect and unprotect the KUDOS message.</t>
          <t>For any convergent KUDOS message, the sender peer's (X, nonce) are included in the 'x' and 'nonce' field of the OSCORE Option value, respectively. Both the sender peer's (X, nonce) and the recipient peer's (X, nonce) are used as input to updateCtx() for deriving CTX_NEW, which is used to protect and unprotect the KUDOS message.</t>
          <t>A pair (X, nonce) offered by a peer is bound to CTX_OLD, and is reused as much as possible during the same KUDOS execution. A peer generates its (X, nonce) pair before invoking updateCtx(), if the peer does not have one such pair already associated with the CTX_OLD to use as input CTX_IN for updateCtx(). The peer associates the newly generated pair with CTX_OLD before entering updateCtx().</t>
        </section>
        <section anchor="ssec-states">
          <name>KUDOS States</name>
          <t>A peer performs a KUDOS execution according to the state machine specified in <xref target="ssec-state-machine"/> and illustrated as a figure in <xref target="kudos-state-machine-figure"/>, where the following states are considered.</t>
          <t>The peer can be in three possible states: IDLE, BUSY, and PENDING.</t>
          <t>Normally, the peer is in the IDLE state, i.e., in "equilibrium". The peer starts a KUDOS execution upon entering the BUSY state from a state different than BUSY. The peer successfully completes a KUDOS execution by entering the IDLE state, at which point the peer has the OSCORE Security Context CTX_NEW and has achieved key confirmation.</t>
          <t>The sending of a KUDOS message is per the KUDOS state machine and is based on the perception that the sender peer has about the state of the other peer.</t>
          <t>The processing of a received KUDOS message is per the KUDOS state machine and is based on the local status of the recipient peer. Moving to a state due to a received KUDOS message occurs only in case of successful decryption and verification of the message with OSCORE.</t>
          <t>In its local status, a peer tracks its current KUDOS state by means of the bits (c_tx, c_rx) as follows:</t>
          <ul spacing="normal">
            <li>
              <t>(00) IDLE - The peer is not running KUDOS.</t>
            </li>
            <li>
              <t>BUSY - The peer is running KUDOS and:
              </t>
              <ul spacing="normal">
                <li>
                  <t>(01) has not offered a nonce, but has received the nonce from the other peer; or</t>
                </li>
                <li>
                  <t>(10) has offered a nonce, but has not received the nonce from the other peer.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>(11) PENDING: the peer is running KUDOS, has offered its nonce, has received the nonce from the other peer, and is waiting for key confirmation.</t>
            </li>
          </ul>
          <t>While in the <strong>BUSY</strong> or the <strong>PENDING</strong> state, the peer <bcp14>MUST NOT</bcp14> send non KUDOS messages.</t>
        </section>
        <section anchor="ssec-state-machine">
          <name>KUDOS State Machine</name>
          <t>From a peer's point of view, KUDOS states evolve as follows.</t>
          <section anchor="startup">
            <name>Startup</name>
            <t>At startup, the peer enters a <strong>Pre-IDLE</strong> stage.</t>
          </section>
          <section anchor="ssec-state-machine-pre-idle">
            <name>Pre-IDLE Stage</name>
            <t>Upon entering the <strong>Pre-IDLE</strong> stage, perform the following steps:</t>
            <ol spacing="normal" type="1"><li>
                <t>If the peer has any CTX_TEMP Security Contexts, delete them.</t>
              </li>
              <li>
                <t>If the peer has both an old and a new OSCORE Security Context:  </t>
                <ul spacing="normal">
                  <li>
                    <t>Delete the (X, nonce) pair associated with the old OSCORE Security Context.</t>
                  </li>
                  <li>
                    <t>Delete the old OSCORE Security Context, or retain it only for processing late incoming messages as allowed by retention policies (see <xref target="ssec-retention"/>).</t>
                  </li>
                </ul>
              </li>
              <li>
                <t>Move to <strong>IDLE</strong>.</t>
              </li>
            </ol>
          </section>
          <section anchor="idle">
            <name>IDLE</name>
            <t>While in <strong>IDLE</strong>, the following applies:</t>
            <ul spacing="normal">
              <li>
                <t>Upon receiving a divergent message, move to <strong>BUSY</strong>.</t>
              </li>
              <li>
                <t>Upon sending a divergent message, move to <strong>BUSY</strong>.</t>
              </li>
              <li>
                <t>Upon receiving a convergent message:  </t>
                <ol spacing="normal" type="1"><li>
                    <t>Ignore the message for the sake of KUDOS processing, but process it as a CoAP message.</t>
                  </li>
                  <li>
                    <t>Stay in <strong>IDLE</strong>.</t>
                  </li>
                </ol>
              </li>
            </ul>
          </section>
          <section anchor="busy">
            <name>BUSY</name>
            <t>Upon entering <strong>BUSY</strong> due to receiving a divergent message:</t>
            <ol spacing="normal" type="1"><li>
                <t>Send a convergent message.</t>
              </li>
              <li>
                <t>Move to <strong>PENDING</strong>.</t>
              </li>
            </ol>
            <t>While in <strong>BUSY</strong>, the following applies:</t>
            <ul spacing="normal">
              <li>
                <t>Upon receiving a divergent message:  </t>
                <ol spacing="normal" type="1"><li>
                    <t>Send a convergent message.</t>
                  </li>
                  <li>
                    <t>Move to <strong>PENDING</strong>.</t>
                  </li>
                </ol>
              </li>
              <li>
                <t>Upon receiving a convergent message:  </t>
                <ol spacing="normal" type="1"><li>
                    <t>Achieve key confirmation.</t>
                  </li>
                  <li>
                    <t>Move to the <strong>Pre-IDLE</strong> stage.</t>
                  </li>
                </ol>
              </li>
              <li>
                <t>Upon sending a divergent message:  </t>
                <ul spacing="normal">
                  <li>
                    <t>If, as in most cases, CTX_TEMP is usable to protect the intended divergent message:      </t>
                    <ol spacing="normal" type="1"><li>
                        <t>Send the message protected with CTX_TEMP.</t>
                      </li>
                      <li>
                        <t>Stay in <strong>BUSY</strong>.</t>
                      </li>
                    </ol>
                  </li>
                  <li>
                    <t>Otherwise, perform the following steps (e.g., this happens upon eventually exhausting the Sender Sequence Number space of CTX_TEMP):      </t>
                    <ol spacing="normal" type="1"><li>
                        <t>Delete CTX_TEMP.</t>
                      </li>
                      <li>
                        <t>Delete the (X, nonce) pair associated with the Security Context CTX_IN that was used to generate the CTX_TEMP deleted at the previous step.</t>
                      </li>
                      <li>
                        <t>Generate a new (X, nonce) pair and associate it with CTX_IN.</t>
                      </li>
                      <li>
                        <t>Generate a new CTX_TEMP from CTX_IN.</t>
                      </li>
                      <li>
                        <t>Send the message protected with the CTX_TEMP generated at the previous step.</t>
                      </li>
                      <li>
                        <t>Stay in <strong>BUSY</strong>.</t>
                      </li>
                    </ol>
                  </li>
                </ul>
              </li>
            </ul>
          </section>
          <section anchor="pending">
            <name>Pending</name>
            <t>While in <strong>PENDING</strong>, the following applies:</t>
            <ul spacing="normal">
              <li>
                <t>Upon needing to send a message (e.g., the application wants to send a request):  </t>
                <ol spacing="normal" type="1"><li>
                    <t>Send the message as a convergent message.</t>
                  </li>
                  <li>
                    <t>Stay in <strong>PENDING</strong>.</t>
                  </li>
                </ol>
              </li>
              <li>
                <t>Upon receiving a non KUDOS message protected with the latest CTX_NEW:  </t>
                <ol spacing="normal" type="1"><li>
                    <t>Achieve key confirmation.</t>
                  </li>
                  <li>
                    <t>Move to the <strong>Pre-IDLE</strong> stage.</t>
                  </li>
                </ol>
              </li>
              <li>
                <t>Upon receiving a convergent message:  </t>
                <ol spacing="normal" type="1"><li>
                    <t>Achieve key confirmation.</t>
                  </li>
                  <li>
                    <t>Move to the <strong>Pre-IDLE</strong> stage.</t>
                  </li>
                </ol>
              </li>
              <li>
                <t>Upon receiving a divergent message:  </t>
                <ul spacing="normal">
                  <li>
                    <t>In case of successful decryption and verification of the message using a CTX_TEMP derived from CTX_OLD:      </t>
                    <ol spacing="normal" type="1"><li>
                        <t>Delete CTX_NEW.</t>
                      </li>
                      <li>
                        <t>Delete the pair (X, nonce) associated with the Security Context CTX_IN that was used to generate the CTX_NEW deleted at the previous step.</t>
                      </li>
                      <li>
                        <t>Abort the ongoing KUDOS execution.</t>
                      </li>
                      <li>
                        <t>Move to <strong>BUSY</strong> and enter it consistently with the reception of a divergent message.</t>
                      </li>
                    </ol>
                  </li>
                  <li>
                    <t>Otherwise, in case of successful decryption and verification of the message using a CTX_TEMP derived from CTX_NEW:      </t>
                    <ol spacing="normal" type="1"><li>
                        <t>Delete the oldest CTX_TEMP.</t>
                      </li>
                      <li>
                        <t>Delete the Security Context that was used as CTX_IN to generate the CTX_TEMP deleted at the previous step.</t>
                      </li>
                      <li>
                        <t>CTX_NEW becomes the oldest Security Context. From this point on, that Security Context is what this KUDOS execution refers to as CTX_OLD.</t>
                      </li>
                      <li>
                        <t>Abort the ongoing KUDOS execution.</t>
                      </li>
                      <li>
                        <t>Move to <strong>BUSY</strong> and enter it consistently with the reception of a divergent message.</t>
                      </li>
                    </ol>
                  </li>
                </ul>
              </li>
            </ul>
          </section>
        </section>
        <section anchor="ssec-state-machine-optimization">
          <name>Optimization upon Receiving a Divergent Message while in PENDING</name>
          <t>When a peer is in the <strong>PENDING</strong> state and receives a divergent message, an optimization can be applied to avoid unnecessary state transitions and cryptographic derivations. It builds on comparing the just received divergent message MSG_A with a previously received divergent message MSG_B that originally caused the latest transition to <strong>PENDING</strong> or <strong>BUSY</strong>. Normally the reception of MSG_A would move the peer to <strong>BUSY</strong> state.</t>
          <t>If the two messages MSG_A and MSG_B contain the same X byte and Nonce from the other peer, then the peer stays in <strong>PENDING</strong>. Otherwise, the peer moves to <strong>BUSY</strong> upon reception of the divergent message MSG_A, as normal.</t>
          <t>If upon reception of MSG_A, CTX_NEW is not usable to protect outgoing messages (e.g., this happens upon eventually exhausting the Sender Sequence Number values of CTX_TEMP), the peer moves to <strong>BUSY</strong>, as normal.</t>
          <t>This optimization avoids repeated cryptographic operations and redundant transitions in the state machine when divergent messages originate from the same peer and carry identical X byte and Nonce.</t>
          <t>To determine whether message MSG_A and MSG_B are equivalent, the peer <bcp14>MUST</bcp14>:</t>
          <ol spacing="normal" type="1"><li>
              <t>Decompose the Master Salt from the current CTX_NEW into its CBOR byte string components, as described in <xref target="ssec-update-function"/>. Then identify:
              </t>
              <ul spacing="normal">
                <li>
                  <t>The component containing the peer's own X and Nonce, i.e., the (X, nonce) pair associated with the Security Context CTX_IN that was used to generate the CTX_TEMP used to unprotect MSG_A.</t>
                </li>
                <li>
                  <t>The component containing the other peer's X and Nonce that was used in the divergent message MSG_B, i.e., the result of removing from the Master Salt the component above related to this peer.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Extract the X and Nonce values from the latest received divergent message MSG_A.</t>
            </li>
            <li>
              <t>There is a match if the X and Nonce from message MSG_A are the same as those from message MSG_B identified above.</t>
            </li>
          </ol>
        </section>
        <section anchor="ssec-context-handling">
          <name>Handling of OSCORE Security Contexts</name>
          <t>A peer completes the key update procedure when it has derived the new OSCORE Security Context CTX_NEW and achieved key confirmation, and thus has moved back to the IDLE state.</t>
          <t>Once the peer has successfully derived CTX_NEW, the peer <bcp14>MUST</bcp14> use CTX_NEW to protect outgoing non KUDOS messages and <bcp14>MUST NOT</bcp14> use the originally shared OSCORE Security Context CTX_OLD for protecting outgoing messages.</t>
          <t>The peer <bcp14>MUST</bcp14> terminate all the ongoing observations <xref target="RFC7641"/> that it has with the other peer as protected with the old Security Context CTX_OLD, unless the two peers have explicitly agreed otherwise as defined in <xref target="preserving-observe"/>.</t>
          <t>More specifically, if either or both peers indicate the wish to cancel their observations, those will all be cancelled following a successful KUDOS execution.</t>
          <t>Note that, even in case a peer has no fundamental reason to update its OSCORE keying material, running KUDOS can be intentionally exploited as a more efficient way to terminate all the ongoing observations with the other peer, compared to sending one cancellation request per observation (see <xref section="3.6" sectionFormat="of" target="RFC7641"/>).</t>
        </section>
        <section anchor="ssec-message-handling">
          <name>KUDOS Messages as CoAP Requests or Responses</name>
          <t>If a KUDOS message is a CoAP request, then it can target two different types of resources at the recipient CoAP server:</t>
          <ul spacing="normal">
            <li>
              <t>The well-known KUDOS resource at /.well-known/kudos (see <xref target="well-known-kudos"/>), or an alternative KUDOS resource with resource type "core.kudos" (see <xref target="well-known-kudos-desc"/> and <xref target="rt-kudos"/>).  </t>
              <t>
In such a case, no application processing is expected at the CoAP server and the plain CoAP request composed before OSCORE protection <bcp14>SHOULD NOT</bcp14> include an application payload.</t>
            </li>
            <li>
              <t>A non-KUDOS resource, i.e., an actual application resource that a CoAP request can target in order to trigger application processing at the CoAP server.  </t>
              <t>
In such a case, the plain CoAP request composed before OSCORE protection can include an application payload, if admitted by the request method.</t>
            </li>
          </ul>
          <t>In either case, the link to the target resource can be accompanied by the "osc" target attribute to indicate that the resource is only accessible using OSCORE (see <xref section="9" sectionFormat="of" target="RFC8613"/>).</t>
          <t>Similarly, any CoAP response can also be a KUDOS message. If the corresponding CoAP request has targeted a KUDOS resource, then the plain CoAP response composed before OSCORE protection <bcp14>SHOULD NOT</bcp14> include an application payload. Otherwise, an application payload <bcp14>MAY</bcp14> be included.</t>
        </section>
        <section anchor="ssec-in-transit">
          <name>Avoiding In-Transit Requests During a Key Update</name>
          <t>Before sending a KUDOS message, a peer <bcp14>MUST</bcp14> ensure that it has no outstanding interactions with the other peer (see <xref section="4.7" sectionFormat="of" target="RFC7252"/>), with the exception of ongoing observations <xref target="RFC7641"/>.</t>
          <t>If any such outstanding interactions are found, the peer <bcp14>MUST NOT</bcp14> initiate or continue the KUDOS execution, before either:</t>
          <ul spacing="normal">
            <li>
              <t>having all those outstanding interactions cleared; or</t>
            </li>
            <li>
              <t>freeing up the Token values used with those outstanding interactions, with the exception of ongoing observations with the other peer.</t>
            </li>
          </ul>
          <t>Later on, this prevents a non KUDOS response protected with the new Security Context CTX_NEW from cryptographically matching with both the corresponding request also protected with CTX_NEW and with an older request protected with CTX_OLD, in case the two requests were protected using the same OSCORE Partial IV.</t>
          <t>During an ongoing KUDOS execution, a peer <bcp14>MUST NOT</bcp14> send a non KUDOS message to the other peer, until having aborted or successfully completed the key update procedure on its side. Note that, without the constraint above, this could otherwise be possible if a client running KUDOS uses a value of NSTART greater than 1 (see <xref section="4.7" sectionFormat="of" target="RFC7252"/>).</t>
        </section>
      </section>
      <section anchor="no-fs-mode">
        <name>Key Update Admitting no Forward Secrecy</name>
        <t>The FS mode of the KUDOS procedure defined in <xref target="ssec-derive-ctx"/> ensures forward secrecy of the OSCORE keying material. However, it requires peers running KUDOS to preserve their state (e.g., across a device reboot occurred in an unprepared way), by writing information such as data from the newly derived OSCORE Security Context CTX_NEW in non-volatile memory.</t>
        <t>This can be problematic for devices that cannot dynamically write information to non-volatile memory. For example, some devices may support only a single writing in persistent memory when initial keying material is provided (e.g., at manufacturing or commissioning time), but no further writing after that. Therefore, these devices cannot perform a stateful key update procedure and thus are not capable to run KUDOS in FS mode to achieve forward secrecy.</t>
        <t>In order to address these limitations, KUDOS can be run in its stateless no-FS mode, as defined in the following. This allows two peers to accomplish the same results as when running KUDOS in FS mode (see <xref target="ssec-derive-ctx"/>), with the difference that forward secrecy is not achieved, and no state information is required to be dynamically written in non-volatile memory.</t>
        <t>From a practical point of view, the two modes differ in which exact OSCORE Master Secret and Master Salt are used as part of the OSCORE Security Context CTX_IN that is provided as input to the updateCtx() function (see <xref target="ssec-update-function"/>).</t>
        <t>If either or both peers are unable to write in non-volatile memory, then the two peers have to run KUDOS in no-FS mode.</t>
        <section anchor="key-material-handling">
          <name>Handling and Use of Keying Material</name>
          <t>In the following, a device is denoted as "CAPABLE" if it is able to store information in non-volatile memory (e.g., on disk), beyond a one-time-only writing occurring at manufacturing or (re-)commissioning time. If that is not the case, the device is denoted as "non-CAPABLE".</t>
          <t>The following terms are used to refer to OSCORE keying material.</t>
          <ul spacing="normal">
            <li>
              <t>Bootstrap Master Secret and Bootstrap Master Salt. If pre-provisioned during manufacturing or (re-)commissioning, these OSCORE Master Secret and Master Salt are initially stored on disk and are never going to be overwritten by the device.</t>
            </li>
            <li>
              <t>Latest Master Secret and Latest Master Salt. These OSCORE Master Secret and Master Salt can be dynamically updated by the device. In case of reboot, they are lost unless they have been stored on disk.</t>
            </li>
          </ul>
          <t>Note that:</t>
          <ul spacing="normal">
            <li>
              <t>A peer running KUDOS can have none of the pairs above associated with another peer, only one, or both.</t>
            </li>
            <li>
              <t>If a peer has neither of the pairs above associated with another peer, then the peer cannot run KUDOS in any mode with that other peer.</t>
            </li>
            <li>
              <t>If a peer has only one of the pairs above associated with another peer, then the peer can attempt to run KUDOS with that other peer, but the procedure might fail depending on the other peer's capabilities. In particular:  </t>
              <ul spacing="normal">
                <li>
                  <t>In order to run KUDOS in FS mode, a peer must be a CAPABLE device. It follows that two peers have to both be CAPABLE devices in order to be able to run KUDOS in FS mode with one another.</t>
                </li>
                <li>
                  <t>In order to run KUDOS in no-FS mode, a peer must have Bootstrap Master Secret and Bootstrap Master Salt available as stored on disk.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>A peer that is a non-CAPABLE device <bcp14>MUST</bcp14> support the no-FS mode, with the exception described in <xref target="non-capable-fs-mode"/> for non-CAPABLE devices that lack Bootstrap Master Secret and Bootstrap Master Salt.</t>
            </li>
            <li>
              <t>A peer that is a CAPABLE device <bcp14>MUST</bcp14> support the FS mode and the no-FS mode.</t>
            </li>
            <li>
              <t>As an exception to the nonces being generated as random values (see <xref target="ssec-nonces-x-bytes"/>), a peer that is a CAPABLE device <bcp14>MAY</bcp14> use a value obtained from a monotonically incremented counter as nonce. Related privacy implications are described in <xref target="sec-cons"/>.  </t>
              <t>
In such a case, the peer <bcp14>MUST</bcp14> enforce measures to ensure freshness of the nonce values. For example, the peer can use the same procedure described in <xref section="B.1.1" sectionFormat="of" target="RFC8613"/> for handling the OSCORE Sender Sequence Number values. These measures require regularly storing the used counter values in non-volatile memory, which makes non-CAPABLE devices unable to safely use counter values as nonce values.</t>
            </li>
          </ul>
          <t>As a general rule, once successfully generated a new OSCORE Security Context CTX (e.g., CTX is the CTX_NEW resulting from a KUDOS execution, or it has been established through the EDHOC protocol <xref target="RFC9528"/>), a peer considers the Master Secret and Master Salt of CTX as Latest Master Secret and Latest Master Salt. After that:</t>
          <ul spacing="normal">
            <li>
              <t>If the peer is a CAPABLE device, it <bcp14>MUST</bcp14> store Latest Master Secret and Latest Master Salt on disk, with the exception of possible temporary OSCORE Security Contexts used during a key update procedure, such as CTX_TEMP used during the KUDOS execution. That is, the OSCORE Master Secret and Master Salt from such temporary Security Contexts are not stored on disk.</t>
            </li>
            <li>
              <t>The peer <bcp14>MUST</bcp14> store Latest Master Secret and Latest Master Salt in volatile memory, thus making them available to OSCORE message processing and possible key update procedures.</t>
            </li>
          </ul>
          <t>Following a state loss (e.g., due to a reboot occurred in an unprepared way), a device <bcp14>MUST</bcp14> complete a successful KUDOS execution before performing an exchange of OSCORE-protected application data with another peer, unless:</t>
          <ul spacing="normal">
            <li>
              <t>The device is CAPABLE and implements a functionality for safely reusing old keying material, such as that described in <xref section="B.1" sectionFormat="of" target="RFC8613"/>; or</t>
            </li>
            <li>
              <t>The device is exchanging OSCORE-protected data within a KUDOS message, as described in <xref target="ssec-message-handling"/>. In such a case, the plain CoAP message composed before OSCORE protection can include an application payload, if admitted.</t>
            </li>
          </ul>
        </section>
        <section anchor="no-fs-signaling">
          <name>Selection of KUDOS Mode</name>
          <t>The following refers to CTX_BOOTSTRAP as to the OSCORE Security Context where the OSCORE Master Secret is the Bootstrap Master Secret and the Master Salt is the Bootstrap Master Salt <xref target="key-material-handling"/>.</t>
          <t>During a KUDOS execution, the two peers agree on whether to perform the key update procedure in FS mode or no-FS mode, by leveraging the "No Forward Secrecy" bit, 'p', in the 'x' byte of the OSCORE Option value of the KUDOS messages (see <xref target="ssec-oscore-option-extensions"/>).</t>
          <t>The 'p' bit practically determines what OSCORE Security Context CTX_IN to use as input to updateCtx() during the KUDOS execution, consistently with the indicated mode. That is:</t>
          <ul spacing="normal">
            <li>
              <t>If the 'p' bit is set to 0 (FS mode), the updateCtx() function used to derive CTX_TEMP or CTX_NEW considers CTX_IN to be CTX_OLD, i.e., the current OSCORE Security Context shared with the other peer as is. In particular, CTX_OLD includes Latest Master Secret as OSCORE Master Secret and Latest Master Salt as OSCORE Master Salt.</t>
            </li>
            <li>
              <t>If the 'p' bit is set to 1 (no-FS mode), the updateCtx() function used to derive CTX_TEMP or CTX_NEW considers CTX_IN to be CTX_BOOTSTRAP. Thus, every execution of KUDOS in no-FS mode between these two peers considers the same CTX_BOOTSTRAP, i.e., the same CTX_IN as input to the updateCtx() function, hence the impossibility to achieve forward secrecy.  </t>
              <t>
In particular, updateCtx() will take CTX_BOOTSTRAP as input when creating every OSCORE Security Context for protecting or unprotecting a KUDOS message where the 'p' bit is set to 1.  </t>
              <t>
If at least one KUDOS message in a successful KUDOS execution had the 'p' bit set to 1, then that KUDOS execution was run in no-FS mode.  </t>
              <t>
When a peer moves to the <strong>Pre-IDLE</strong> stage after having successfully completed a KUDOS execution in no-FS mode, then the peer <bcp14>MUST</bcp14> additionally perform the following Step A before Step 1 in <xref target="ssec-state-machine-pre-idle"/>:  </t>
              <t>
A. Delete CTX_BOOTSTRAP.</t>
            </li>
          </ul>
          <t>A peer determines to run KUDOS either in FS mode or in no-FS mode with another peer as follows.</t>
          <ul spacing="normal">
            <li>
              <t>If a peer A is a non-CAPABLE device, it <bcp14>MUST</bcp14> run KUDOS only in no-FS mode. That is, when sending a KUDOS message, it <bcp14>MUST</bcp14> set to 1 the 'p' bit of the 'x' byte in the OSCORE Option value. Note that, if the peer A lacks a Bootstrap Master Secret and Bootstrap Master Salt to use with the other peer B, it can still run KUDOS in FS mode according to what is defined in <xref target="non-capable-fs-mode"/>.</t>
            </li>
            <li>
              <t>If a peer A is a CAPABLE device, it <bcp14>SHOULD</bcp14> run KUDOS only in FS mode. That is, when sending a KUDOS message, it <bcp14>SHOULD</bcp14> set to 0 the 'p' bit of the 'x' byte in the OSCORE Option value. An exception applies in the following cases.  </t>
              <ul spacing="normal">
                <li>
                  <t>The peer A is running KUDOS with another peer B, which A has learned to be a non-CAPABLE device (and hence not able to run KUDOS in FS mode).      </t>
                  <t>
Note that, if the peer A is a CAPABLE device, it is able to store such information about the other peer B on disk and it <bcp14>MUST</bcp14> do so. From then on, the peer A will perform every execution of KUDOS with the peer B in no-FS mode, including after a possible reboot.</t>
                </li>
                <li>
                  <t>While the peer A is running KUDOS with another peer B without knowing its capabilities, the peer A receives a KUDOS message where the 'p' bit of the 'x' byte in the OSCORE Option value is set to 1.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>If a peer A is a CAPABLE device and has learned that another peer B is also a CAPABLE device (and hence able to run KUDOS in FS mode), then the peer A <bcp14>MUST NOT</bcp14> run KUDOS with the peer B in no-FS mode. If the peer A receives a KUDOS message from the peer B where the 'p' bit of the 'x' byte in the OSCORE Option value is set to 1, then the peer A <bcp14>MUST</bcp14> ignore the message for the sake of KUDOS processing, but processes it as a CoAP message.  </t>
              <t>
Note that, if the peer A is a CAPABLE device, it is able to remember that the peer B is also a CAPABLE device and thus to store such information on disk, which it <bcp14>MUST</bcp14> do. This ensures that the peer A will perform every execution of KUDOS with the peer B in FS mode. This also prevents a possible downgrading attack aimed at making A believe that B is a non-CAPABLE device, hence at making A run KUDOS in no-FS mode although the FS mode can actually be used by both peers.</t>
            </li>
          </ul>
        </section>
        <section anchor="non-capable-fs-mode">
          <name>Non-CAPABLE Devices Operating in FS Mode</name>
          <t>Devices may not be pre-provisioned with Bootstrap material, for instance due to storage limitations of their persistent memory or to fulfill particular use cases. Bootstrap material specifically consists of the Bootstrap Master Secret and Bootstrap Master Salt, while Latest material specifically consists of the Latest Master Secret and Latest Master Salt as defined in <xref target="key-material-handling"/>.</t>
          <t>Normally, a non-CAPABLE device always uses KUDOS in no-FS mode. An exception is possible, if the Bootstrap material is dynamically installed at that device through an in-band process between that device and the peer device. In such a case, it is possible for that device to run KUDOS in FS mode with the peer device.</t>
          <t>Note that, under the assumption that peer A does not have any Bootstrap material with another peer B, peer A cannot use the no-FS mode with peer B, even though peer A is a non-CAPABLE device. Thus, allowing peer A to use KUDOS in FS mode ensures that peer A can perform a key update using KUDOS at all.</t>
          <t>In the situation outlined above, the following describes how a non-CAPABLE device, namely peer A, runs KUDOS in FS mode with another peer B:</t>
          <ul spacing="normal">
            <li>
              <t>Peer A is not provisioned with Bootstrap material associated with peer B at the time of manufacturing or commissioning.</t>
            </li>
            <li>
              <t>Peer A establishes OSCORE keying material associated with peer B through an in-band procedure run with peer B. Then, peer A considers that keying material as the Latest material with peer B and stores it only in volatile memory.  </t>
              <t>
An example of such an in-band procedure is the EDHOC and OSCORE profile of ACE <xref target="I-D.ietf-ace-edhoc-oscore-profile"/>, according to which the two peers run the EDHOC protocol <xref target="RFC9528"/> for establishing an OSCORE Security Context to associate with access rights. This in-band procedure may occur multiple times over the device's lifetime.</t>
            </li>
            <li>
              <t>Peer A runs KUDOS in FS mode with peer B, thereby achieving forward secrecy for subsequent key update epochs, as long as the OSCORE keying material was originally established with forward secrecy. Peer A stores each newly derived Security Context in volatile memory.</t>
            </li>
          </ul>
          <t>As long as peer A does not reboot, executions of KUDOS rely on the Latest material stored in volatile memory. If peer A reboots, no OSCORE keying material associated with the peer B will be retained, as peer A is non-CAPABLE and therefore stores it only in volatile memory. Consequently, peer A must first establish new OSCORE keying material to use as Latest material with peer B, before running KUDOS again with peer B. This can be accomplished by running again the in-band procedure mentioned above.</t>
        </section>
      </section>
      <section anchor="preserving-observe">
        <name>Preserving Observations Across Key Updates</name>
        <t>As defined in <xref target="ssec-derive-ctx"/>, once a peer has successfully completed the KUDOS execution and derived the new OSCORE Security Context CTX_NEW, that peer normally terminates all the ongoing observations that it has with the other peer <xref target="RFC7641"/> and that are protected with the old OSCORE Security Context CTX_OLD.</t>
        <t>This section describes a method that the two peers can use to safely preserve the ongoing observations that they have with one another, beyond the completion of a KUDOS execution. In particular, this method ensures that an Observe notification can never successfully cryptographically match against the Observe requests of two different observations, e.g., against an Observe request protected with CTX_OLD and an Observe request protected with CTX_NEW.</t>
        <t>The actual preservation of ongoing observations has to be agreed by the two peers at each execution of KUDOS that they run with one another, as defined in <xref target="preserving-observe-management"/>. If, at the end of a KUDOS execution, the two peers have not agreed on that, they <bcp14>MUST</bcp14> terminate the ongoing observations that they have with one another, just as defined in <xref target="ssec-context-handling"/>.</t>
        <section anchor="preserving-observe-management">
          <name>Management of Observations</name>
          <t>As per <xref section="3.1" sectionFormat="of" target="RFC7641"/>, a client can register its interest in observing a resource at a server, by sending a registration request including the Observe Option with value 0.</t>
          <t>If the server registers the observation as ongoing, the server sends back a successful response also including the Observe Option, hence confirming that an entry has been successfully added for that client.</t>
          <t>If the client receives the successful response above from the server, then the client also registers the observation as ongoing.</t>
          <t>In case the client can ever consider preserving ongoing observations beyond a key update as defined below, then the client <bcp14>MUST NOT</bcp14> simply forget about an ongoing observation if not interested in it anymore. Instead, the client <bcp14>MUST</bcp14> send an explicit cancellation request to the server, i.e., a request including the Observe Option with value 1 (see <xref section="3.6" sectionFormat="of" target="RFC7641"/>). After sending this cancellation request, if the client does not receive a response confirming that the observation has been terminated, the client <bcp14>MUST NOT</bcp14> consider the observation terminated. The client <bcp14>MAY</bcp14> try again to terminate the observation by sending a new cancellation request.</t>
          <t>In case a peer A performs a KUDOS execution with another peer B and A has ongoing observations with B that it is interested to preserve beyond the key update, then A can explicitly indicate its interest to do so. To this end, the peer A sets to 1 the bit "Preserve Observations", 'b', in the 'x' byte of the OSCORE Option value (see <xref target="ssec-oscore-option-extensions"/>), in the KUDOS message that it sends to the other peer B.</t>
          <t>If a peer receives a KUDOS message with the bit 'b' set to 0, then the peer <bcp14>MUST</bcp14> set to 0 the bit 'b' in the KUDOS message that it sends as follow-up, regardless of its wish to preserve ongoing observations with the other peer.</t>
          <t>If a peer has sent a KUDOS message with the bit 'b' set to 0, the peer <bcp14>MUST</bcp14> ignore the bit 'b' in the follow-up KUDOS message that it receives from the other peer.</t>
          <t>Note that during the same KUDOS execution, all the KUDOS messages sent by a peer <bcp14>MUST</bcp14> have the same value in the bit 'b' for preserving ongoing observations.</t>
          <t>After successfully completing the KUDOS execution (i.e., after having successfully derived the new OSCORE Security Context CTX_NEW), both peers have expressed their interest in preserving their common ongoing observations if and only if the bit 'b' was set to 1 in all the exchanged KUDOS messages. In such a case, each peer X performs the following actions:</t>
          <ol spacing="normal" type="1"><li>
              <t>The peer X considers all the still ongoing observations that it has with the other peer, such that X acts as client in those observations. If there are no such observations, the peer X takes no further actions. Otherwise, it moves to Step 2.</t>
            </li>
            <li>
              <t>The peer X considers all the OSCORE Partial IV values used in the Observe registration requests associated with any of the still ongoing observations determined at Step 1.</t>
            </li>
            <li>
              <t>The peer X determines the value PIV* as the highest OSCORE Partial IV value among those considered at Step 2.</t>
            </li>
            <li>
              <t>In the Sender Context of the OSCORE Security Context shared with the other peer, the peer X sets its own Sender Sequence Number to (PIV* + 1), rather than to 0.</t>
            </li>
          </ol>
          <t>As a result, each peer X will "jump" beyond the OSCORE Partial IV (PIV) values that are occupied and in use for ongoing observations with the other peer where X acts as client.</t>
          <t>Note that, each time it runs KUDOS, a peer must determine if it wishes to preserve ongoing observations with the other peer or not, before sending a KUDOS message.</t>
          <t>To this end, the peer should also assess the new value that PIV* would take after a successful completion of KUDOS, in case ongoing observations with the other peer are going to be preserved. If the peer considers such a new value of PIV* to be too close to or equal to the maximum possible value admitted for the OSCORE Partial IV, then the peer may choose to run KUDOS with no intention to preserve its ongoing observations with the other peer, in order to "start over" from a fresh, entirely unused Sender Sequence Number space.</t>
          <t>Application policies can further influence whether attempting to preserve observations beyond a key update is appropriate or not.</t>
        </section>
      </section>
      <section anchor="ssec-retention">
        <name>Retention Policies</name>
        <t>Applications <bcp14>MAY</bcp14> define policies that allow a peer to temporarily keep the old Security Context CTX_OLD beyond having established the new Security Context CTX_NEW and having achieved key confirmation, rather than simply deleting CTX_OLD. This allows the peer to decrypt late, still on-the-fly incoming non KUDOS messages that are protected with CTX_OLD.</t>
        <t>When enforcing such policies, the following applies:</t>
        <ul spacing="normal">
          <li>
            <t>Outgoing non KUDOS messages <bcp14>MUST</bcp14> be protected only by using CTX_NEW.</t>
          </li>
          <li>
            <t>Incoming non KUDOS messages <bcp14>MUST</bcp14> first be attempted to decrypt by using CTX_NEW. If decryption fails, a second attempt can use CTX_OLD.</t>
          </li>
          <li>
            <t>KUDOS messages <bcp14>MUST NOT</bcp14> be protected or unprotected by using CTX_OLD.</t>
          </li>
          <li>
            <t>When an amount of time defined by the policy has elapsed since the establishment of CTX_NEW, the peer deletes CTX_OLD.</t>
          </li>
        </ul>
        <t>A peer <bcp14>MUST NOT</bcp14> retain CTX_OLD beyond the establishment of CTX_NEW and the achievement of key confirmation, if any of the following conditions holds:</t>
        <ul spacing="normal">
          <li>
            <t>CTX_OLD is expired.</t>
          </li>
          <li>
            <t>Limits set for safe key usage have been reached for the Recipient Key of the Recipient Context of CTX_OLD (see <xref target="I-D.ietf-core-oscore-key-limits"/>).</t>
          </li>
        </ul>
      </section>
      <section anchor="ssec-discussion">
        <name>Discussion</name>
        <t>KUDOS is intended to deprecate and replace the procedure defined in <xref section="B.2" sectionFormat="of" target="RFC8613"/>, as fundamentally achieving the same goal while displaying a number of improvements and advantages.</t>
        <t>In particular, it is especially convenient for the handling of failure events concerning the JRC node in 6TiSCH networks (see <xref target="sec-current-methods"/>). That is, among its intrinsic advantages compared to the procedure defined in <xref section="B.2" sectionFormat="of" target="RFC8613"/>, KUDOS preserves the same ID Context value when establishing a new OSCORE Security Context.</t>
        <t>Since the JRC uses ID Context values as identifiers of network nodes, namely "pledge identifiers", the above implies that the JRC does not have to perform anymore a mapping between a new, different ID Context value and a certain pledge identifier (see <xref section="8.3.3" sectionFormat="of" target="RFC9031"/>). It follows that pledge identifiers can remain constant once assigned and thus ID Context values used as pledge identifiers can be employed in the long-term as originally intended.</t>
        <section anchor="communication-overhead">
          <name>Communication Overhead</name>
          <t>Each KUDOS message results in communication overhead. This is determined by the following, additional information conveyed in the OSCORE Option (see <xref target="ssec-oscore-option-extensions"/>).</t>
          <ul spacing="normal">
            <li>
              <t>The second byte of the OSCORE Option value.</t>
            </li>
            <li>
              <t>The 1-byte 'x' field of the OSCORE Option value.</t>
            </li>
            <li>
              <t>The nonce conveyed in the 'nonce' field of the OSCORE Option value. Its size ranges from 1 to 16 bytes, is typically of 8 bytes, and is indicated in the 'x' field.</t>
            </li>
            <li>
              <t>The 'Partial IV' field of the OSCORE Option value, in a CoAP response message that is a KUDOS message.  </t>
              <t>
This takes into account the fact that OSCORE-protected CoAP response messages normally do not include the 'Partial IV' field, but they have to when they are KUDOS messages (see <xref target="sec-updated-response-protection"/>).</t>
            </li>
            <li>
              <t>The first byte of the OSCORE Option value (i.e., the first OSCORE flag byte), in a CoAP response message that is a KUDOS message.  </t>
              <t>
This takes into account the fact that OSCORE-protected CoAP response messages normally convey an OSCORE Option that only consists of the all zero (0x00) flag byte. In turn, this results in the OSCORE Option being encoded as with empty value (see <xref section="2" sectionFormat="of" target="RFC8613"/>).</t>
            </li>
            <li>
              <t>The possible presence of the 1-byte 'Option Length (extended)' field in the OSCORE Option (see <xref section="3.1" sectionFormat="of" target="RFC7252"/>). This is the case where the length of the OSCORE Option value is between 13 and 255 bytes (see <xref section="2" sectionFormat="of" target="RFC8613"/>).</t>
            </li>
          </ul>
          <t>The results shown in figure <xref target="_table-overhead-forward"/> are the minimum, typical, and maximum communication overhead in bytes introduced by KUDOS, when considering a nonce with size 1, 8, and 16 bytes. All the indicated values are in bytes.</t>
          <t>The overhead is calculated considering a scenario where a CoAP request serves as the divergent message and a following, corresponding CoAP response serves as the convergent message.</t>
          <t>In particular, the results build on the following assumptions.</t>
          <ul spacing="normal">
            <li>
              <t>Both messages of the same KUDOS execution use nonces of the same size and do not include the 'kid context' field in the OSCORE Option value.</t>
            </li>
            <li>
              <t>When included in the OSCORE Option value, the 'Partial IV' field has size 1 byte.</t>
            </li>
            <li>
              <t>CoAP request messages include the 'kid' field with size 1 byte in the OSCORE Option value.</t>
            </li>
            <li>
              <t>CoAP response messages do not include the 'kid' field in the OSCORE Option value.</t>
            </li>
          </ul>
          <table align="center" anchor="_table-overhead-forward">
            <name>Communication Overhead (Bytes)</name>
            <thead>
              <tr>
                <th align="left">Nonce size</th>
                <th align="left">Request KUDOS message</th>
                <th align="left">Response KUDOS message</th>
                <th align="left">Total</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">1</td>
                <td align="left">3</td>
                <td align="left">5</td>
                <td align="left">8</td>
              </tr>
              <tr>
                <td align="left">8</td>
                <td align="left">11</td>
                <td align="left">12</td>
                <td align="left">23</td>
              </tr>
              <tr>
                <td align="left">16</td>
                <td align="left">19</td>
                <td align="left">21</td>
                <td align="left">40</td>
              </tr>
            </tbody>
          </table>
        </section>
        <section anchor="core-kudos-resource-type">
          <name>Resource Type core.kudos</name>
          <t>The "core.kudos" resource type registered in <xref target="rt-kudos"/> is defined to ensure a means for clients to send KUDOS requests without incurring any side effects. Specifically, a resource of this type does not pertain to any real application, which ensures that no application-level actions are triggered as a result of the KUDOS request.</t>
          <t>This allows clients to issue KUDOS requests when they do not include any actionable application payload in the plain CoAP request composed before OSCORE protection, or when no application-layer processing is intended to occur on the server.</t>
        </section>
        <section anchor="well-known-kudos-desc">
          <name>Well-Known KUDOS Resource</name>
          <t>If a client wishes to run the KUDOS procedure without triggering any application processing on the server, then a request sent as a KUDOS message can target a KUDOS resource with resource type "core.kudos" (see <xref target="core-kudos-resource-type"/>), e.g., at the Uri-Path "/.well-known/kudos" (see <xref target="well-known-kudos"/>). An alternative KUDOS resource can be discovered, e.g., by using a resource directory <xref target="RFC9176"/>, by using the resource type "core.kudos" as filter criterion.</t>
        </section>
        <section anchor="rekeying-when-using-schc-with-oscore">
          <name>Rekeying when Using SCHC with OSCORE</name>
          <t>In the interest of rekeying, the following points must be taken into account when using the Static Context Header Compression and fragmentation (SCHC) framework <xref target="RFC8724"/> for compressing CoAP messages protected with OSCORE, as defined in <xref target="I-D.ietf-schc-8824-update"/> and further specified in <xref target="schc"/> of the present document.</t>
          <t>The SCHC compression of the 'Partial IV' field in the OSCORE Option value has implications for the frequency of rekeying. That is, if the 'Partial IV' field is compressed, the communicating peers must perform rekeying more often, as the available Sender Sequence Number space that is used for the Partial IV becomes effectively smaller due to the compression. For instance, if only 3 bits of the Partial IV are sent, then the maximum Partial IV that can be used before having to rekey is only 2<sup>3</sup> - 1 = 7.</t>
          <t>Furthermore, any time the SCHC context Rules are updated on an OSCORE endpoint, that endpoint must perform a rekeying (see <xref section="12" sectionFormat="of" target="I-D.ietf-schc-8824-update"/>).</t>
          <t>That is, the use of SCHC plays a role in triggering KUDOS executions and in affecting their cadence. Hence, the employed SCHC Rules and their update policies should ensure that the KUDOS executions occurring as their side effect do not significantly impair the gain expected from message compression.</t>
        </section>
        <section anchor="combining-kudos-with-access-control">
          <name>Combining KUDOS with Access Control</name>
          <t>A resource at the server might be following the enforcement of access control means on the request. For example, when combining KUDOS with the EDHOC and OSCORE profile of ACE <xref target="I-D.ietf-ace-edhoc-oscore-profile"/>, certain considerations must be taken into account to ensure proper access control behavior:</t>
          <ul spacing="normal">
            <li>
              <t>A KUDOS request that targets a non-KUDOS resource <bcp14>MUST</bcp14> trigger standard ACE-based access control checks.</t>
            </li>
            <li>
              <t>A KUDOS request that targets a KUDOS resource <bcp14>MUST NOT</bcp14> trigger ACE-based access control.</t>
            </li>
          </ul>
          <t>To support this, the path of any KUDOS resource can be included in the ACE access control exclusion list (i.e., the "do not enforce access control" list). The same principles have to be applied if other means are used to enforce access control.</t>
          <t>In some deployment scenarios, an ACE Access Token may be bound to both CTX_OLD and CTX_NEW, allowing it to be valid and still usable after the execution of a KUDOS procedure.</t>
          <t>It is important to note that KUDOS is not compatible with the OSCORE profile of ACE <xref target="RFC9203"/>, this is because KUDOS changes the OSCORE Master Secret, which is used as proof-of-possession key in that profile. However, as described above, KUDOS is compatible with the EDHOC and OSCORE profile of ACE <xref target="I-D.ietf-ace-edhoc-oscore-profile"/>.</t>
        </section>
      </section>
      <section anchor="edhoc-ead-signaling">
        <name>Signaling KUDOS support in EDHOC</name>
        <t>The EDHOC protocol defines the transport of additional External Authorization Data (EAD) within an optional EAD field of the EDHOC messages (see <xref section="3.8" sectionFormat="of" target="RFC9528"/>). An EAD field is composed of one or multiple EAD items, each of which specifies an identifying 'ead_label' encoded as a CBOR integer and an optional 'ead_value' encoded as a CBOR byte string.</t>
        <t>This document defines a new EDHOC EAD item KUDOS_EAD and registers its 'ead_label' in <xref target="iana-edhoc-aad"/>. By including this EAD item in an outgoing EDHOC message, a sender peer can indicate whether it supports KUDOS and in which modes, as well as query the other peer about its support. Note that peers do not have to use this EDHOC EAD item to be able to run KUDOS with each other, irrespective of the modes that they support. A KUDOS peer <bcp14>MUST</bcp14> only use the EDHOC EAD item KUDOS_EAD as non-critical. That is, when included in an EDHOC message, its 'ead_label' <bcp14>MUST</bcp14> be used with positive sign. The possible values of the 'ead_value' are as follows:</t>
        <table align="center" anchor="_table-kudos-ead">
          <name>Values for the EDHOC EAD Item KUDOS_EAD</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">Value</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">ASK</td>
              <td align="left">h'' (0x40)</td>
              <td align="left">Used only in EDHOC message_1. It asks the recipient peer to specify in EDHOC message_2 whether it supports KUDOS.</td>
            </tr>
            <tr>
              <td align="left">NONE</td>
              <td align="left">h'00' (0x4100)</td>
              <td align="left">Used only in EDHOC message_2 and message_3. It specifies that the sender peer does not support KUDOS.</td>
            </tr>
            <tr>
              <td align="left">FULL</td>
              <td align="left">h'01' (0x4101)</td>
              <td align="left">Used only in EDHOC message_2 and message_3. It specifies that the sender peer supports KUDOS in FS mode and no-FS mode.</td>
            </tr>
            <tr>
              <td align="left">PART</td>
              <td align="left">h'02' (0x4102)</td>
              <td align="left">Used only in EDHOC message_2 and message_3. It specifies that the sender peer supports KUDOS in no-FS mode only.</td>
            </tr>
          </tbody>
        </table>
        <t>When the KUDOS_EAD item is included in EDHOC message_1 with 'ead_value' ASK, a recipient peer that supports the KUDOS_EAD item <bcp14>MUST</bcp14> specify whether it supports KUDOS in EDHOC message_2.</t>
        <t>When the KUDOS_EAD item is not included in EDHOC message_1 with 'ead_value' ASK, a recipient peer that supports the KUDOS_EAD item <bcp14>MAY</bcp14> still specify whether it supports KUDOS in EDHOC message_2.</t>
        <t>When the KUDOS_EAD item is included in EDHOC message_2 with 'ead_value' FULL or PART, a recipient peer that supports the KUDOS_EAD item <bcp14>SHOULD</bcp14> specify whether it supports KUDOS in EDHOC message_3. An exception applies in case, based on application policies or other context information, the recipient peer that receives EDHOC message_2 already knows that the sender peer is supposed to have such knowledge.</t>
        <t>When the KUDOS_EAD item is included in EDHOC message_2 with 'ead_value' NONE, a recipient peer that supports the KUDOS_EAD item <bcp14>MUST NOT</bcp14> specify whether it supports KUDOS in EDHOC message_3.</t>
        <t>In the following cases, the recipient peer silently ignores the KUDOS_EAD item specified in the received EDHOC message and does not include a KUDOS_EAD item in the next EDHOC message it sends (if any).</t>
        <ul spacing="normal">
          <li>
            <t>The recipient peer does not support the KUDOS_EAD item.</t>
          </li>
          <li>
            <t>The KUDOS_EAD item is included in EDHOC message_1 with 'ead_value' different than ASK.</t>
          </li>
          <li>
            <t>The KUDOS_EAD item is included in EDHOC message_2 or message_3 with 'ead_value' ASK.</t>
          </li>
          <li>
            <t>The KUDOS_EAD item is included in EDHOC message_4.</t>
          </li>
        </ul>
        <t>That is, by specifying 'ead_value' ASK in EDHOC message_1, a peer A can indicate to the other peer B that it wishes to know if B supports KUDOS and in what mode(s). In the following EDHOC message_2, the peer B indicates whether it supports KUDOS and in what mode(s), by specifying either NONE, FULL, or PART as 'ead_value'. Specifying the 'ead_value' FULL or PART in EDHOC message_2 also asks A to indicate whether it supports KUDOS in EDHOC message_3.</t>
        <t>To further illustrate the signaling process defined above, the following presents two examples of EDHOC execution where only the new KUDOS_EAD item is shown when present, assuming that no other EAD items are used by the two peers.</t>
        <t>In the example shown in <xref target="fig-edhoc-ead-example-1"/>, the EDHOC Initiator asks the EDHOC Responder about its support for KUDOS ('ead_value' = ASK). In EDHOC message_2, the Responder indicates that it supports both the FS and no-FS mode of KUDOS ('ead_value' = FULL). Finally, in EDHOC message_3, the Initiator indicates that it also supports both the FS and no-FS mode of KUDOS ('ead_value' = FULL). After the EDHOC execution has been successfully completed, both peers are aware that they both support KUDOS, in the FS and no-FS modes.</t>
        <figure anchor="fig-edhoc-ead-example-1">
          <name>Example of EDHOC Execution with Signaling of Support for KUDOS (Both Peers Support KUDOS)</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="272" width="480" viewBox="0 0 480 272" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,64 L 8,256" fill="none" stroke="black"/>
                <path d="M 472,64 L 472,256" fill="none" stroke="black"/>
                <path d="M 8,96 L 464,96" fill="none" stroke="black"/>
                <path d="M 16,160 L 472,160" fill="none" stroke="black"/>
                <path d="M 8,224 L 464,224" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="472,224 460,218.4 460,229.6" fill="black" transform="rotate(0,464,224)"/>
                <polygon class="arrowhead" points="472,96 460,90.4 460,101.6" fill="black" transform="rotate(0,464,96)"/>
                <polygon class="arrowhead" points="24,160 12,154.4 12,165.6" fill="black" transform="rotate(180,16,160)"/>
                <g class="text">
                  <text x="24" y="36">EDHOC</text>
                  <text x="456" y="36">EDHOC</text>
                  <text x="40" y="52">Initiator</text>
                  <text x="440" y="52">Responder</text>
                  <text x="164" y="84">EAD_1:</text>
                  <text x="240" y="84">(TBD_LABEL,</text>
                  <text x="308" y="84">ASK)</text>
                  <text x="240" y="116">message_1</text>
                  <text x="164" y="148">EAD_2:</text>
                  <text x="240" y="148">(TBD_LABEL,</text>
                  <text x="312" y="148">FULL)</text>
                  <text x="240" y="180">message_2</text>
                  <text x="164" y="212">EAD_3:</text>
                  <text x="240" y="212">(TBD_LABEL,</text>
                  <text x="312" y="212">FULL)</text>
                  <text x="240" y="244">message_3</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
EDHOC                                                 EDHOC
Initiator                                         Responder
|                                                         |
|                EAD_1: (TBD_LABEL, ASK)                  |
+-------------------------------------------------------->|
|                        message_1                        |
|                                                         |
|                EAD_2: (TBD_LABEL, FULL)                 |
|<--------------------------------------------------------+
|                        message_2                        |
|                                                         |
|                EAD_3: (TBD_LABEL, FULL)                 |
+-------------------------------------------------------->|
|                        message_3                        |
|                                                         |
]]></artwork>
          </artset>
        </figure>
        <t>In the example shown in <xref target="fig-edhoc-ead-example-2"/>, the EDHOC Initiator asks the EDHOC Responder about its support for KUDOS ('ead_value' = ASK). In EDHOC message_2, the Responder indicates that it does not support KUDOS at all ('ead_value' = NONE). Finally, in EDHOC message_3, the Initiator does not include the KUDOS_EAD item, since it already knows that using KUDOS with the other peer will not be possible. After the EDHOC execution has been successfully completed, the Initiator is aware that the Responder does not support KUDOS, which the two peers are not going to use with each other.</t>
        <figure anchor="fig-edhoc-ead-example-2">
          <name>Example of EDHOC Execution with Signaling of Support for KUDOS (the EDHOC Responder Does Not Support KUDOS)</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="480" viewBox="0 0 480 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,64 L 8,240" fill="none" stroke="black"/>
                <path d="M 472,64 L 472,240" fill="none" stroke="black"/>
                <path d="M 8,96 L 464,96" fill="none" stroke="black"/>
                <path d="M 16,160 L 472,160" fill="none" stroke="black"/>
                <path d="M 8,208 L 464,208" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="472,208 460,202.4 460,213.6" fill="black" transform="rotate(0,464,208)"/>
                <polygon class="arrowhead" points="472,96 460,90.4 460,101.6" fill="black" transform="rotate(0,464,96)"/>
                <polygon class="arrowhead" points="24,160 12,154.4 12,165.6" fill="black" transform="rotate(180,16,160)"/>
                <g class="text">
                  <text x="24" y="36">EDHOC</text>
                  <text x="456" y="36">EDHOC</text>
                  <text x="40" y="52">Initiator</text>
                  <text x="440" y="52">Responder</text>
                  <text x="164" y="84">EAD_1:</text>
                  <text x="240" y="84">(TBD_LABEL,</text>
                  <text x="308" y="84">ASK)</text>
                  <text x="240" y="116">message_1</text>
                  <text x="164" y="148">EAD_2:</text>
                  <text x="240" y="148">(TBD_LABEL,</text>
                  <text x="312" y="148">NONE)</text>
                  <text x="240" y="180">message_2</text>
                  <text x="240" y="228">message_3</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
EDHOC                                                 EDHOC
Initiator                                         Responder
|                                                         |
|                EAD_1: (TBD_LABEL, ASK)                  |
+-------------------------------------------------------->|
|                        message_1                        |
|                                                         |
|                EAD_2: (TBD_LABEL, NONE)                 |
|<--------------------------------------------------------+
|                        message_2                        |
|                                                         |
+-------------------------------------------------------->|
|                        message_3                        |
|                                                         |
]]></artwork>
          </artset>
        </figure>
      </section>
    </section>
    <section anchor="schc">
      <name>CoAP Header Compression with SCHC</name>
      <t>In order to compress the header of CoAP messages, it is possible to use the Static Context Header Compression and fragmentation (SCHC) framework <xref target="RFC8724"/>. In particular, <xref section="6.4" sectionFormat="of" target="I-D.ietf-schc-8824-update"/> specifies how to use SCHC for compressing headers of CoAP messages also when messages are protected with OSCORE.</t>
      <t>The following <xref target="fig-oscore-option-schc"/> builds on <xref target="fig-oscore-option"/> from <xref target="ssec-oscore-option-extensions"/> of the present document and accordingly extends Figure 4 from <xref section="6.4" sectionFormat="of" target="I-D.ietf-schc-8824-update"/>.</t>
      <figure anchor="fig-oscore-option-schc">
        <name>The Extended OSCORE Option Value with Superimposed Subfields for SCHC Compression</name>
        <artwork align="center"><![CDATA[
 0 1 2 3 4 5 6 7  8   9   10  11  12  13  14  15 <----- n bytes ----->
+-+-+-+-+-+-+-+-+---+---+---+---+---+---+---+---+---------------------+
|1|0|0|h|k|  n  | 0 | 0 | 0 | 0 | 0 | 0 | 0 | d | Partial IV (if any) |
+-+-+-+-+-+-+-+-+---+---+---+---+---+---+---+---+---------------------+
|                                               |                     |
|<------------------- flags ------------------->|<------- piv ------->|


 <- 1 byte -> <--------- s bytes --------->
+------------+----------------------------+
| s (if any) |    kid context (if any)    |
+------------+----------------------------+
|                                         |
|<--------------- kid_ctx --------------->|


 <------ 1 byte -----> <-- m + 1 bytes -->
+---------------------+-------------------+
|     x (if any)      |  nonce (if any)   |
+---------------------+-------------------+
|<-------- x -------->|<----- nonce ----->|
|                     |
|   0 1 2 3 4 5 6 7   |
|  +-+-+-+-+-+-+-+-+  |
|  |0|z|b|p|   m   |  |
|  +-+-+-+-+-+-+-+-+  |


+---------------------+
|   kid (if any) ...  |
+---------------------+
|                     |
|<------- kid ------->|
]]></artwork>
      </figure>
      <t>Like described in <xref section="6.4" sectionFormat="of" target="I-D.ietf-schc-8824-update"/>, the description of a SCHC compression Rule needs to identify the OSCORE Option value and its inner fields.</t>
      <t>In order to take into account the possible use of KUDOS, SCHC discerns six distinct pieces of information within the extended OSCORE Option value shown in <xref target="fig-oscore-option-schc"/> above: the flag bits, the Partial IV, the kid context prepended by its size s, the x byte, the nonce, and the kid. The SCHC Rule splits the OSCORE Option value into six corresponding Field Descriptors, in order to separately compress those pieces of information as distinct subfields:</t>
      <ul spacing="normal">
        <li>
          <t>flags</t>
        </li>
        <li>
          <t>piv</t>
        </li>
        <li>
          <t>kid_ctx</t>
        </li>
        <li>
          <t>x</t>
        </li>
        <li>
          <t>nonce</t>
        </li>
        <li>
          <t>kid</t>
        </li>
      </ul>
      <t>In <xref target="fig-oscore-option-schc"/>, the six subfields are superimposed on the shown extended format of the OSCORE Option value.</t>
      <t>Consistent with what is defined in <xref section="6.4" sectionFormat="of" target="I-D.ietf-schc-8824-update"/>, if a SCHC Rule is intended to compress a CoAP message that specifies the OSCORE Option as per <xref target="fig-oscore-option-schc"/>, then the related Field Descriptors must be listed in the same order according to which the corresponding pieces of information appear in the OSCORE Option value.</t>
      <t>As to the x subfield and the nonce subfield, the following applies.</t>
      <ul spacing="normal">
        <li>
          <t>For the x subfield, if both endpoints using SCHC know the value, then the corresponding Field Descriptor in the SCHC Rule describes the TV set to that value, with the MO set to "equal" and the CDA set to "not-sent". This models the following cases:  </t>
          <ul spacing="normal">
            <li>
              <t>The x subfield is not present, and thus TV is set to b''.</t>
            </li>
            <li>
              <t>Given a fixed z bit of the x subfield as denoting either a divergent or convergent KUDOS message, the two endpoints run KUDOS with a pre-agreed size of the nonce subfield as per the value encoded by m within the x subfield, as well as with a pre-agreed combination of its modes of operation, as per the bits b and p of the x subfield.      </t>
              <t>
Under the assumed pre-agreements above, this requires two distinct SCHC Rules, whose respective TV is set to a value that reflects the z bit as set or not set, respectively.</t>
            </li>
          </ul>
          <t>
As an alternative that is more flexible to changes in the value of the x subfield, the corresponding Field Descriptor in the SCHC Rule does not set the TV, while it sets the MO to "ignore" and the CDA to "value-sent". In the same spirit, the Rule may also use a "match-mapping" MO to compress this subfield, in case the two endpoints pre-agree on a set of alternative ways to run KUDOS, with respect to the size of the nonce subfield and the combination of the KUDOS modes of operation to use.</t>
        </li>
        <li>
          <t>If the nonce subfield is present, then the corresponding Field Descriptor in the SCHC Rule has the TV not set, while the MO is set to "ignore" and the CDA is set to "value-sent".  </t>
          <t>
For the value of the nonce subfield, SCHC <bcp14>MUST NOT</bcp14> send it as variable-length data in the Compression Residue. As a result, SCHC does not send the size of the residue resulting from the compression of the nonce subfield, which is otherwise requested for variable-size fields when the CDA specified in the Field Descriptor is "value-sent" or LSB (see <xref section="7.4.2" sectionFormat="of" target="RFC8724"/>).  </t>
          <t>
Instead, SCHC <bcp14>MUST</bcp14> use the value encoded by m within the x subfield to define the size of the Compression Residue. SCHC designates a specific function, "osc.x.m", that the Rule <bcp14>MUST</bcp14> use to complete the Field Descriptor. During the decompression, this function returns the length of the nonce subfield in bytes, as the value encoded by m within the x subfield, plus 1.  </t>
          <t>
This construct avoids ambiguity with the value m within the x subfield and results in a more efficient compression of the nonce subfield.</t>
        </li>
      </ul>
    </section>
    <section anchor="sec-implementation-status" removeInRFC="true">
      <name>Implementation Status</name>
      <t>Note to RFC Editor: when deleting this section, please also delete RFC 7942 from the references of this document.</t>
      <t>(Boilerplate as per <xref section="2.1" sectionFormat="of" target="RFC7942"/>:)</t>
      <t>This section records the status of known implementations of the
protocol defined by this specification at the time of posting of
this Internet-Draft, and is based on a proposal described in
<xref target="RFC7942"/>.  The description of implementations in this section is
intended to assist the IETF in its decision processes in
progressing drafts to RFCs.  Please note that the listing of any
individual implementation here does not imply endorsement by the
IETF.  Furthermore, no effort has been spent to verify the
information presented here that was supplied by IETF contributors.
This is not intended as, and must not be construed to be, a
catalog of available implementations or their features.  Readers
are advised to note that other implementations may exist.</t>
      <t>According to <xref target="RFC7942"/>, "this will allow reviewers and working
groups to assign due consideration to documents that have the
benefit of running code, which may serve as evidence of valuable
experimentation and feedback that have made the implemented
protocols more mature.  It is up to the individual working groups
to use this information as they see fit".
<?line -22?>
      </t>
      <section anchor="sec-implementation-1">
        <name>Implementation #1</name>
        <ul spacing="normal">
          <li>
            <t>Responsible organization: RISE Research Institutes of Sweden AB</t>
          </li>
          <li>
            <t>Implementation's name: KUDOS in Californium</t>
          </li>
          <li>
            <t>Available at: https://github.com/rikard-sics/californium/tree/oscore_kudos</t>
          </li>
          <li>
            <t>Description: Implementation in Java, based on the Californium CoAP library, see:  </t>
            <ul spacing="normal">
              <li>
                <t>https://github.com/eclipse-californium/californium</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Implementation's level of maturity: Prototype</t>
          </li>
          <li>
            <t>The implementation supports:  </t>
            <ul spacing="normal">
              <li>
                <t>The FS mode and the no-FS mode.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>The implementation does not support:  </t>
            <ul spacing="normal">
              <li>
                <t>Preservation of observations.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Version compatibility: From version -13 onwards.</t>
          </li>
          <li>
            <t>Licensing: Eclipse Distribution License 1.0 / Eclipse Public License 2.0.</t>
          </li>
          <li>
            <t>Contact information: Rikard Höglund - rikard.hoglund@ri.se</t>
          </li>
          <li>
            <t>Information last updated on: 2026-07-06</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-implementation-2">
        <name>Implementation #2</name>
        <ul spacing="normal">
          <li>
            <t>Responsible organization: University of Murcia (Spain)</t>
          </li>
          <li>
            <t>Implementation's name: cKUDOS</t>
          </li>
          <li>
            <t>Available at: https://github.com/francislopezg/cKUDOS</t>
          </li>
          <li>
            <t>Description: Implementation in C, based on the uOSCORE-uEDHOC library, see:  </t>
            <ul spacing="normal">
              <li>
                <t>https://github.com/eriptic/uoscore-uedhoc</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Implementation's level of maturity: Prototype</t>
          </li>
          <li>
            <t>The implementation supports:  </t>
            <ul spacing="normal">
              <li>
                <t>The no-FS mode.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>The implementation does not support:  </t>
            <ul spacing="normal">
              <li>
                <t>Preservation of observations.</t>
              </li>
              <li>
                <t>The FS mode.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Version compatibility: From version -13 onwards.</t>
          </li>
          <li>
            <t>Licensing: Following Apache 2.0 license.</t>
          </li>
          <li>
            <t>Contact information: Francisco López-Gómez - francisco.lopezg@um.es</t>
          </li>
          <li>
            <t>Information last updated on: 2026-07-06</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-cons">
      <name>Security Considerations</name>
      <t>Depending on the specific key update procedure used to establish a new OSCORE Security Context, the related security considerations also apply.</t>
      <t>As mentioned in <xref target="ssec-nonces-x-bytes"/>, it is <bcp14>RECOMMENDED</bcp14> that the size for the nonces N1 and N2 is 8 bytes. Applications need to set the size of each nonce such that the probability of its value being repeated is negligible throughout executions of KUDOS that aim to update a given OSCORE Security Context, even in case of loss of state (e.g., due to a reboot occurred in an unprepared way).</t>
      <t>Considering the birthday paradox and a nonce size of 8 bytes, the average collision for each nonce will happen after the generation of 2<sup>32</sup> (X, nonce) pairs generated by a given peer (see <xref target="ssec-nonces-x-bytes"/>), which is considerably more than the number of such pairs that a peer is expected to generate throughout the update of a given OSCORE Security Context using KUDOS (in fact, that number is expected to typically be 1). Yet, determining the appropriate nonce size also ought to take into account the possible use of KUDOS in no-FS mode (see <xref target="no-fs-mode"/>), in which case every execution in no-FS mode between two given peers considers the same CTX_BOOTSTRAP as the OSCORE Security Context to update (see <xref target="no-fs-signaling"/>), hence raising the chances of reusing a nonce.</t>
      <t>Overall, the size of the nonces N1 and N2 should be set such that the security level is harmonized with other components of the deployment. Considering the constraints of embedded implementations, there might be a need for allowing N1 and N2 values that have a size smaller than the recommended one. This is acceptable, provided that safety, reliability, and robustness within the system can still be assured. That is, if nonces with a smaller size are used and thus a collision will occur on average after fewer KUDOS executions that aim to update a given OSCORE Security Context, care must be taken to ensure that this does not pose significant problems, e.g., considering as benchmark a constrained server operating at a capacity of one request per second.</t>
      <t>The nonces exchanged in the KUDOS messages are sent in the clear, so using random nonces is preferable for maintaining privacy. Instead, if counter values are used (see <xref target="key-material-handling"/>), this can leak information such as the frequency according to which two peers perform a key update.</t>
      <t>As discussed in <xref target="Symmetric-Security"/>, key update methods built on symmetric key exchange have weaker security properties compared to methods built on ephemeral Diffie-Hellman key exchange. In fact, while the two approaches can co-exist, rekeying with symmetric key exchange is not intended as a substitute for ephemeral Diffie-Hellman key exchange. Peers should periodically perform a key update based on ephemeral Diffie-Hellman key exchange (e.g., by running the EDHOC protocol <xref target="RFC9528"/>). The cadence of such periodic key updates should be determined based on how much the two peers and their network environment are constrained, as well as on the maximum amount of time and of exchanged data that are acceptable between two such consecutive key updates.</t>
    </section>
    <section anchor="sec-iana">
      <name>IANA Considerations</name>
      <t>This document has the following actions for IANA.</t>
      <t>Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.</t>
      <section anchor="iana-cons-flag-bits">
        <name>OSCORE Flag Bits Registry</name>
        <t>IANA is asked to add the following entries to the "OSCORE Flag Bits" registry within the "Constrained RESTful Environments (CoRE) Parameters" registry group.</t>
        <table align="center" anchor="_table-iana-oscore-flag-bits">
          <name>Registrations in the OSCORE Flag Bits Registry</name>
          <thead>
            <tr>
              <th align="left">Bit Position</th>
              <th align="left">Name</th>
              <th align="left">Description</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0 (suggested)</td>
              <td align="left">Extension-1 Flag</td>
              <td align="left">Set to 1 if the OSCORE Option specifies a second byte, which includes the OSCORE flag bits 8-15</td>
              <td align="left">[RFC-XXXX]</td>
            </tr>
            <tr>
              <td align="left">8</td>
              <td align="left">Extension-2 Flag</td>
              <td align="left">Set to 1 if the OSCORE Option specifies a third byte, which includes the OSCORE flag bits 16-23</td>
              <td align="left">[RFC-XXXX]</td>
            </tr>
            <tr>
              <td align="left">15</td>
              <td align="left">Nonce Flag</td>
              <td align="left">Set to 1 if nonce is present in the compressed COSE object</td>
              <td align="left">[RFC-XXXX]</td>
            </tr>
            <tr>
              <td align="left">16</td>
              <td align="left">Extension-3 Flag</td>
              <td align="left">Set to 1 if the OSCORE Option specifies a fourth byte, which includes the OSCORE flag bits 24-31</td>
              <td align="left">[RFC-XXXX]</td>
            </tr>
            <tr>
              <td align="left">24</td>
              <td align="left">Extension-4 Flag</td>
              <td align="left">Set to 1 if the OSCORE Option specifies a fifth byte, which includes the OSCORE flag bits 32-39</td>
              <td align="left">[RFC-XXXX]</td>
            </tr>
            <tr>
              <td align="left">32</td>
              <td align="left">Extension-5 Flag</td>
              <td align="left">Set to 1 if the OSCORE Option specifies a sixth byte, which includes the OSCORE flag bits 40-47</td>
              <td align="left">[RFC-XXXX]</td>
            </tr>
            <tr>
              <td align="left">40</td>
              <td align="left">Extension-6 Flag</td>
              <td align="left">Set to 1 if the OSCORE Option specifies a seventh byte, which includes the OSCORE flag bits 48-55</td>
              <td align="left">[RFC-XXXX]</td>
            </tr>
            <tr>
              <td align="left">48</td>
              <td align="left">Extension-7 Flag</td>
              <td align="left">Set to 1 if the OSCORE Option specifies an eighth byte, which includes the OSCORE flag bits 56-63</td>
              <td align="left">[RFC-XXXX]</td>
            </tr>
          </tbody>
        </table>
        <t>In the same registry, IANA is asked to mark as 'Unassigned' the entry with Bit Position of 1, i.e., to update the entry as follows.</t>
        <table align="center" anchor="_table-iana-oscore-flag-bits-2">
          <name>Update in the OSCORE Flag Bits Registry</name>
          <thead>
            <tr>
              <th align="left">Bit Position</th>
              <th align="left">Name</th>
              <th align="left">Description</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">1</td>
              <td align="left">Unassigned</td>
              <td align="left"> </td>
              <td align="left"> </td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="coap-option-numbers-registry">
        <name>CoAP Option Numbers Registry</name>
        <t>IANA is asked to add this document as a reference for the OSCORE Option in the "CoAP Option Numbers" registry within the "Constrained RESTful Environments (CoRE) Parameters" registry group.</t>
      </section>
      <section anchor="iana-edhoc-aad">
        <name>EDHOC External Authorization Data Registry</name>
        <t>IANA is asked to add the following entry to the "EDHOC External Authorization Data" registry defined in <xref section="10.5" sectionFormat="of" target="RFC9528"/> within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry group.</t>
        <table align="center" anchor="_table-iana-edhoc-ead">
          <name>Registrations in the EDHOC External Authorization Data Registry</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">Label</th>
              <th align="left">Description</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">KUDOS_EAD</td>
              <td align="left">TBD1</td>
              <td align="left">Indicates whether this peer supports KUDOS and in which mode(s)</td>
              <td align="left">[RFC-XXXX]</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="well-known-kudos">
        <name>The Well-Known URI Registry</name>
        <t>IANA is asked to add the 'kudos' well-known URI to the Well-Known URIs registry as defined by <xref target="RFC8615"/>.</t>
        <ul spacing="normal">
          <li>
            <t>URI suffix: kudos</t>
          </li>
          <li>
            <t>Change controller: IETF</t>
          </li>
          <li>
            <t>Specification document(s): [RFC-XXXX]</t>
          </li>
          <li>
            <t>Related information: None</t>
          </li>
        </ul>
      </section>
      <section anchor="rt-kudos">
        <name>Resource Type (rt=) Link Target Attribute Values Registry</name>
        <t>IANA is asked to add the resource type "core.kudos" to the "Resource Type (rt=) Link Target Attribute Values" registry under the registry group "Constrained RESTful Environments (CoRE) Parameters".</t>
        <ul spacing="normal">
          <li>
            <t>Value: "core.kudos"</t>
          </li>
          <li>
            <t>Description: KUDOS resource.</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
        </ul>
      </section>
      <section anchor="schc-coap-fields">
        <name>SCHC Compression of CoAP Fields</name>
        <t>IANA is asked to add the following two entries to the "SCHC Compression of CoAP Fields" registry defined in <xref target="I-D.ietf-schc-8824-update"/>, within the "Static Context Header Compression (SCHC) Parameters" registry group.</t>
        <ul spacing="normal">
          <li>
            <t>Field: CoAP.option(9).x</t>
          </li>
          <li>
            <t>Description: CoAP option OSCORE (subfield x) [RFC-XXXX]</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]  </t>
            <t>
Consistent with what is defined in <xref section="13.4.2" sectionFormat="of" target="I-D.ietf-schc-8824-update"/>, this entry has to be added immediately after the entry whose value in the "Field" column is "CoAP.option(9).kid_ctx".  </t>
            <t>
Note to RFC Editor: Once the registration above is completed, please delete the paragraph immediately preceding this note. Then, please delete this note.</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Field: CoAP.option(9).nonce</t>
          </li>
          <li>
            <t>Description: CoAP option OSCORE (subfield nonce) [RFC-XXXX]</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]  </t>
            <t>
Consistent with what is defined in <xref section="13.4.2" sectionFormat="of" target="I-D.ietf-schc-8824-update"/>, this entry has to be added immediately before the entry whose value in the "Field" column is "CoAP.option(9).kid".  </t>
            <t>
Note to RFC Editor: Once the registration above is completed, please delete the paragraph immediately preceding this note. Then, please delete this note.</t>
          </li>
        </ul>
        <t>In the same registry, IANA is asked to update the two entries whose value in the "Field" column is "CoAP.option(9)" and "CoAP.option(9).flags". For both those entries, the value of the "Description" column is updated by adding a reference to [RFC-XXXX].</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC5869">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5869"/>
          <seriesInfo name="DOI" value="10.17487/RFC5869"/>
        </reference>
        <reference anchor="RFC7252">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="RFC7641">
          <front>
            <title>Observing Resources in the Constrained Application Protocol (CoAP)</title>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <date month="September" year="2015"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a RESTful application protocol for constrained nodes and networks. The state of a resource on a CoAP server can change over time. This document specifies a simple protocol extension for CoAP that enables CoAP clients to "observe" resources, i.e., to retrieve a representation of a resource and keep this representation updated by the server over a period of time. The protocol follows a best-effort approach for sending new representations to clients and provides eventual consistency between the state observed by each client and the actual resource state at the server.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7641"/>
          <seriesInfo name="DOI" value="10.17487/RFC7641"/>
        </reference>
        <reference anchor="RFC8613">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
        <reference anchor="RFC8724">
          <front>
            <title>SCHC: Generic Framework for Static Context Header Compression and Fragmentation</title>
            <author fullname="A. Minaburo" initials="A." surname="Minaburo"/>
            <author fullname="L. Toutain" initials="L." surname="Toutain"/>
            <author fullname="C. Gomez" initials="C." surname="Gomez"/>
            <author fullname="D. Barthel" initials="D." surname="Barthel"/>
            <author fullname="JC. Zuniga" initials="JC." surname="Zuniga"/>
            <date month="April" year="2020"/>
            <abstract>
              <t>This document defines the Static Context Header Compression and fragmentation (SCHC) framework, which provides both a header compression mechanism and an optional fragmentation mechanism. SCHC has been designed with Low-Power Wide Area Networks (LPWANs) in mind.</t>
              <t>SCHC compression is based on a common static context stored both in the LPWAN device and in the network infrastructure side. This document defines a generic header compression mechanism and its application to compress IPv6/UDP headers.</t>
              <t>This document also specifies an optional fragmentation and reassembly mechanism. It can be used to support the IPv6 MTU requirement over the LPWAN technologies. Fragmentation is needed for IPv6 datagrams that, after SCHC compression or when such compression was not possible, still exceed the Layer 2 maximum payload size.</t>
              <t>The SCHC header compression and fragmentation mechanisms are independent of the specific LPWAN technology over which they are used. This document defines generic functionalities and offers flexibility with regard to parameter settings and mechanism choices. This document standardizes the exchange over the LPWAN between two SCHC entities. Settings and choices specific to a technology or a product are expected to be grouped into profiles, which are specified in other documents. Data models for the context and profiles are out of scope.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8724"/>
          <seriesInfo name="DOI" value="10.17487/RFC8724"/>
        </reference>
        <reference anchor="RFC8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9363">
          <front>
            <title>A YANG Data Model for Static Context Header Compression (SCHC)</title>
            <author fullname="A. Minaburo" initials="A." surname="Minaburo"/>
            <author fullname="L. Toutain" initials="L." surname="Toutain"/>
            <date month="March" year="2023"/>
            <abstract>
              <t>This document describes a YANG data model for the Static Context Header Compression (SCHC) compression and fragmentation Rules.</t>
              <t>This document formalizes the description of the Rules for better interoperability between SCHC instances either to exchange a set of Rules or to modify the parameters of some Rules.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9363"/>
          <seriesInfo name="DOI" value="10.17487/RFC9363"/>
        </reference>
        <reference anchor="RFC9528">
          <front>
            <title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios, and a main use case is to establish an Object Security for Constrained RESTful Environments (OSCORE) security context. By reusing CBOR Object Signing and Encryption (COSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding, and Constrained Application Protocol (CoAP) for transport, the additional code size can be kept very low.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9528"/>
          <seriesInfo name="DOI" value="10.17487/RFC9528"/>
        </reference>
        <reference anchor="I-D.ietf-schc-8824-update">
          <front>
            <title>Static Context Header Compression (SCHC) for the Constrained Application Protocol (CoAP)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Laurent Toutain" initials="L." surname="Toutain">
              <organization>IMT Atlantique</organization>
            </author>
            <author fullname="Iván Martínez" initials="I." surname="Martínez">
              <organization>IRISA</organization>
            </author>
            <author fullname="Ana Minaburo" initials="A." surname="Minaburo">
              <organization>Consultant</organization>
            </author>
            <date day="3" month="June" year="2026"/>
            <abstract>
              <t>   This document defines how to compress Constrained Application
   Protocol (CoAP) headers using the Static Context Header Compression
   and fragmentation (SCHC) framework.  SCHC defines a header
   compression mechanism adapted for constrained devices.  SCHC uses a
   static description of the header to reduce the header's redundancy
   and size.  While RFC 8724 describes the SCHC compression and
   fragmentation framework and its application for IPv6 and UDP headers,
   this document applies SCHC to CoAP headers.  The CoAP header
   structure differs from that of IPv6 and UDP headers, since CoAP uses
   a flexible header with a variable number of options that are in turn
   of variable length.  The CoAP message format is asymmetric, i.e.,
   request messages have a header format different from that of response
   messages.  This specification gives guidance on applying SCHC to
   flexible headers and on leveraging the message format asymmetry for
   defining more efficient compression Rules.  This document replaces
   and obsoletes RFC 8824.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-schc-8824-update-08"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC7554">
          <front>
            <title>Using IEEE 802.15.4e Time-Slotted Channel Hopping (TSCH) in the Internet of Things (IoT): Problem Statement</title>
            <author fullname="T. Watteyne" initials="T." role="editor" surname="Watteyne"/>
            <author fullname="M. Palattella" initials="M." surname="Palattella"/>
            <author fullname="L. Grieco" initials="L." surname="Grieco"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This document describes the environment, problem statement, and goals for using the Time-Slotted Channel Hopping (TSCH) Medium Access Control (MAC) protocol of IEEE 802.14.4e in the context of Low-Power and Lossy Networks (LLNs). The set of goals enumerated in this document form an initial set only.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7554"/>
          <seriesInfo name="DOI" value="10.17487/RFC7554"/>
        </reference>
        <reference anchor="RFC8180">
          <front>
            <title>Minimal IPv6 over the TSCH Mode of IEEE 802.15.4e (6TiSCH) Configuration</title>
            <author fullname="X. Vilajosana" initials="X." role="editor" surname="Vilajosana"/>
            <author fullname="K. Pister" initials="K." surname="Pister"/>
            <author fullname="T. Watteyne" initials="T." surname="Watteyne"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>This document describes a minimal mode of operation for an IPv6 over the TSCH mode of IEEE 802.15.4e (6TiSCH) network. This minimal mode of operation specifies the baseline set of protocols that need to be supported and the recommended configurations and modes of operation sufficient to enable a 6TiSCH functional network. 6TiSCH provides IPv6 connectivity over a Time-Slotted Channel Hopping (TSCH) mesh composed of IEEE Std 802.15.4 TSCH links. This minimal mode uses a collection of protocols with the respective configurations, including the IPv6 Low-Power Wireless Personal Area Network (6LoWPAN) framework, enabling interoperable IPv6 connectivity over IEEE Std 802.15.4 TSCH. This minimal configuration provides the necessary bandwidth for network and security bootstrapping and defines the proper link between the IETF protocols that interface to IEEE Std 802.15.4 TSCH. This minimal mode of operation should be implemented by all 6TiSCH-compliant devices.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="210"/>
          <seriesInfo name="RFC" value="8180"/>
          <seriesInfo name="DOI" value="10.17487/RFC8180"/>
        </reference>
        <reference anchor="RFC9031">
          <front>
            <title>Constrained Join Protocol (CoJP) for 6TiSCH</title>
            <author fullname="M. Vučinić" initials="M." role="editor" surname="Vučinić"/>
            <author fullname="J. Simon" initials="J." surname="Simon"/>
            <author fullname="K. Pister" initials="K." surname="Pister"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes the minimal framework required for a new device, called a "pledge", to securely join a 6TiSCH (IPv6 over the Time-Slotted Channel Hopping mode of IEEE 802.15.4) network. The framework requires that the pledge and the JRC (Join Registrar/Coordinator, a central entity), share a symmetric key. How this key is provisioned is out of scope of this document. Through a single CoAP (Constrained Application Protocol) request-response exchange secured by OSCORE (Object Security for Constrained RESTful Environments), the pledge requests admission into the network, and the JRC configures it with link-layer keying material and other parameters. The JRC may at any time update the parameters through another request-response exchange secured by OSCORE. This specification defines the Constrained Join Protocol and its CBOR (Concise Binary Object Representation) data structures, and it describes how to configure the rest of the 6TiSCH communication stack for this join process to occur in a secure manner. Additional security mechanisms may be added on top of this minimal framework.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9031"/>
          <seriesInfo name="DOI" value="10.17487/RFC9031"/>
        </reference>
        <reference anchor="RFC9200">
          <front>
            <title>Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth)</title>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This specification defines a framework for authentication and authorization in Internet of Things (IoT) environments called ACE-OAuth. The framework is based on a set of building blocks including OAuth 2.0 and the Constrained Application Protocol (CoAP), thus transforming a well-known and widely used authorization solution into a form suitable for IoT devices. Existing specifications are used where possible, but extensions are added and profiles are defined to better serve the IoT use cases.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9200"/>
          <seriesInfo name="DOI" value="10.17487/RFC9200"/>
        </reference>
        <reference anchor="RFC9203">
          <front>
            <title>The Object Security for Constrained RESTful Environments (OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework</title>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="M. Gunnarsson" initials="M." surname="Gunnarsson"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework. It utilizes Object Security for Constrained RESTful Environments (OSCORE) to provide communication security and proof-of-possession for a key owned by the client and bound to an OAuth 2.0 access token.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9203"/>
          <seriesInfo name="DOI" value="10.17487/RFC9203"/>
        </reference>
        <reference anchor="RFC9176">
          <front>
            <title>Constrained RESTful Environments (CoRE) Resource Directory</title>
            <author fullname="C. Amsüss" initials="C." role="editor" surname="Amsüss"/>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="M. Koster" initials="M." surname="Koster"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>In many Internet of Things (IoT) applications, direct discovery of resources is not practical due to sleeping nodes or networks where multicast traffic is inefficient. These problems can be solved by employing an entity called a Resource Directory (RD), which contains information about resources held on other servers, allowing lookups to be performed for those resources. The input to an RD is composed of links, and the output is composed of links constructed from the information stored in the RD. This document specifies the web interfaces that an RD supports for web servers to discover the RD and to register, maintain, look up, and remove information on resources. Furthermore, new target attributes useful in conjunction with an RD are defined.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9176"/>
          <seriesInfo name="DOI" value="10.17487/RFC9176"/>
        </reference>
        <reference anchor="RFC8615">
          <front>
            <title>Well-Known Uniform Resource Identifiers (URIs)</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <date month="May" year="2019"/>
            <abstract>
              <t>This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes.</t>
              <t>In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8615"/>
          <seriesInfo name="DOI" value="10.17487/RFC8615"/>
        </reference>
        <reference anchor="RFC4086">
          <front>
            <title>Randomness Requirements for Security</title>
            <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
            <author fullname="J. Schiller" initials="J." surname="Schiller"/>
            <author fullname="S. Crocker" initials="S." surname="Crocker"/>
            <date month="June" year="2005"/>
            <abstract>
              <t>Security systems are built on strong cryptographic algorithms that foil pattern analysis attempts. However, the security of these systems is dependent on generating secret quantities for passwords, cryptographic keys, and similar quantities. The use of pseudo-random processes to generate secret quantities can result in pseudo-security. A sophisticated attacker may find it easier to reproduce the environment that produced the secret quantities and to search the resulting small set of possibilities than to locate the quantities in the whole of the potential number space.</t>
              <t>Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult. This document points out many pitfalls in using poor entropy sources or traditional pseudo-random number generation techniques for generating such quantities. It recommends the use of truly random hardware techniques and shows that the existing hardware on many systems can be used for this purpose. It provides suggestions to ameliorate the problem when a hardware solution is not available, and it gives examples of how large such quantities need to be for some applications. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="106"/>
          <seriesInfo name="RFC" value="4086"/>
          <seriesInfo name="DOI" value="10.17487/RFC4086"/>
        </reference>
        <reference anchor="I-D.irtf-cfrg-aead-limits">
          <front>
            <title>Usage Limits on AEAD Algorithms</title>
            <author fullname="Felix Günther" initials="F." surname="Günther">
              <organization>IBM Research Europe - Zurich</organization>
            </author>
            <author fullname="Martin Thomson" initials="M." surname="Thomson">
              <organization>Mozilla</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare</organization>
            </author>
            <date day="4" month="December" year="2025"/>
            <abstract>
              <t>   An Authenticated Encryption with Associated Data (AEAD) algorithm
   provides confidentiality and integrity.  Excessive use of the same
   key can give an attacker advantages in breaking these properties.
   This document provides simple guidance for users of common AEAD
   functions about how to limit the use of keys in order to bound the
   advantage given to an attacker.  It considers limits in both single-
   and multi-key settings.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-aead-limits-11"/>
        </reference>
        <reference anchor="I-D.ietf-core-oscore-key-limits">
          <front>
            <title>Key Usage Limits for OSCORE</title>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <date day="7" month="January" year="2026"/>
            <abstract>
              <t>   Object Security for Constrained RESTful Environments (OSCORE) uses
   AEAD algorithms to ensure confidentiality and integrity of exchanged
   messages.  Due to known issues allowing forgery attacks against AEAD
   algorithms, limits should be followed regarding the number of times a
   specific key is used for encryption or decryption.  Among other
   reasons, approaching key usage limits requires updating the OSCORE
   keying material before communications can securely continue.  This
   document defines how two OSCORE peers can follow these key usage
   limits and what steps they should take to preserve the security of
   their communications.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-key-limits-06"/>
        </reference>
        <reference anchor="I-D.ietf-ace-edhoc-oscore-profile">
          <front>
            <title>Ephemeral Diffie-Hellman Over COSE (EDHOC) and Object Security for Constrained Environments (OSCORE) Profile for Authentication and Authorization for Constrained Environments (ACE)</title>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE</organization>
            </author>
            <date day="1" month="March" year="2026"/>
            <abstract>
              <t>   This document specifies a profile for the Authentication and
   Authorization for Constrained Environments (ACE) framework.  It
   utilizes Ephemeral Diffie-Hellman Over COSE (EDHOC) for achieving
   mutual authentication between an ACE-OAuth client and resource
   server, and it binds an authentication credential of the client to an
   ACE-OAuth access token.  EDHOC also establishes an Object Security
   for Constrained RESTful Environments (OSCORE) Security Context, which
   is used to secure communications between the client and resource
   server when accessing protected resources according to the
   authorization information indicated in the access token.  This
   profile can be used to delegate management of authorization
   information from a resource-constrained server to a trusted host with
   less severe limitations regarding processing power and memory.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ace-edhoc-oscore-profile-10"/>
        </reference>
        <reference anchor="LwM2M" target="http://www.openmobilealliance.org/release/LightweightM2M/V1_2-20201110-A/OMA-TS-LightweightM2M_Core-V1_2-20201110-A.pdf">
          <front>
            <title>Lightweight Machine to Machine Technical Specification - Core, Approved Version 1.2, OMA-TS-LightweightM2M_Core-V1_2-20201110-A</title>
            <author>
              <organization>Open Mobile Alliance</organization>
            </author>
            <date year="2020" month="November"/>
          </front>
        </reference>
        <reference anchor="Symmetric-Security" target="https://eprint.iacr.org/2024/220">
          <front>
            <title>Security of Symmetric Ratchets and Key Chains - Implications for Protocols like TLS 1.3, Signal, and PQ3</title>
            <author fullname="John Preuß Mattsson">
              <organization>Ericsson Research</organization>
            </author>
            <date year="2024" month="February"/>
          </front>
        </reference>
        <reference anchor="LwM2M-Transport" target="http://www.openmobilealliance.org/release/LightweightM2M/V1_2-20201110-A/OMA-TS-LightweightM2M_Transport-V1_2-20201110-A.pdf">
          <front>
            <title>Lightweight Machine to Machine Technical Specification - Transport Bindings, Approved Version 1.2, OMA-TS-LightweightM2M_Transport-V1_2-20201110-A</title>
            <author>
              <organization>Open Mobile Alliance</organization>
            </author>
            <date year="2020" month="November"/>
          </front>
        </reference>
        <reference anchor="RFC7942">
          <front>
            <title>Improving Awareness of Running Code: The Implementation Status Section</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="A. Farrel" initials="A." surname="Farrel"/>
            <date month="July" year="2016"/>
            <abstract>
              <t>This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.</t>
              <t>This process is not mandatory. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. This document obsoletes RFC 6982, advancing it to a Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="205"/>
          <seriesInfo name="RFC" value="7942"/>
          <seriesInfo name="DOI" value="10.17487/RFC7942"/>
        </reference>
      </references>
    </references>
    <?line 1222?>

<section anchor="examples">
      <name>Examples</name>
      <t>The following sections show multiple examples of KUDOS being executed, including successful completion of KUDOS and the procedure failing.</t>
      <section anchor="successful-kudos-execution-initiated-with-a-request-message">
        <name>Successful KUDOS Execution Initiated with a Request Message</name>
        <t>The following shows a successful execution of KUDOS where KUDOS is started by the client sending a divergent KUDOS message as a CoAP request.</t>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="1472" width="592" viewBox="0 0 592 1472" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 112,736 L 112,752" fill="none" stroke="black"/>
              <path d="M 152,752 L 152,760" fill="none" stroke="black"/>
              <path d="M 200,96 L 200,976" fill="none" stroke="black"/>
              <path d="M 200,1056 L 200,1456" fill="none" stroke="black"/>
              <path d="M 384,96 L 384,976" fill="none" stroke="black"/>
              <path d="M 384,1056 L 384,1456" fill="none" stroke="black"/>
              <path d="M 504,592 L 504,608" fill="none" stroke="black"/>
              <path d="M 544,608 L 544,616" fill="none" stroke="black"/>
              <path d="M 200,240 L 376,240" fill="none" stroke="black"/>
              <path d="M 208,672 L 384,672" fill="none" stroke="black"/>
              <path d="M 200,1088 L 376,1088" fill="none" stroke="black"/>
              <path d="M 208,1328 L 384,1328" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="384,1088 372,1082.4 372,1093.6" fill="black" transform="rotate(0,376,1088)"/>
              <polygon class="arrowhead" points="384,240 372,234.4 372,245.6" fill="black" transform="rotate(0,376,240)"/>
              <polygon class="arrowhead" points="216,1328 204,1322.4 204,1333.6" fill="black" transform="rotate(180,208,1328)"/>
              <polygon class="arrowhead" points="216,672 204,666.4 204,677.6" fill="black" transform="rotate(180,208,672)"/>
              <g class="text">
                <text x="24" y="36">KUDOS</text>
                <text x="80" y="36">status:</text>
                <text x="456" y="36">KUDOS</text>
                <text x="512" y="36">status:</text>
                <text x="8" y="52">-</text>
                <text x="52" y="52">CTX_OLD:</text>
                <text x="104" y="52">-,-</text>
                <text x="440" y="52">-</text>
                <text x="484" y="52">CTX_OLD:</text>
                <text x="536" y="52">-,-</text>
                <text x="8" y="68">-</text>
                <text x="44" y="68">State:</text>
                <text x="92" y="68">IDLE</text>
                <text x="136" y="68">(0,0)</text>
                <text x="440" y="68">-</text>
                <text x="476" y="68">State:</text>
                <text x="524" y="68">IDLE</text>
                <text x="568" y="68">(0,0)</text>
                <text x="196" y="84">Client</text>
                <text x="388" y="84">Server</text>
                <text x="36" y="116">Generate</text>
                <text x="88" y="116">N1,</text>
                <text x="116" y="116">X1</text>
                <text x="36" y="148">CTX_TEMP</text>
                <text x="80" y="148">=</text>
                <text x="132" y="148">updateCtx(</text>
                <text x="76" y="164">X1</text>
                <text x="96" y="164">|</text>
                <text x="120" y="164">N1,</text>
                <text x="80" y="180">0x,</text>
                <text x="96" y="196">CTX_OLD</text>
                <text x="136" y="196">)</text>
                <text x="280" y="228">Request</text>
                <text x="324" y="228">#1</text>
                <text x="32" y="244">Protect</text>
                <text x="84" y="244">with</text>
                <text x="140" y="244">CTX_TEMP</text>
                <text x="468" y="244">/.well-known/kudos</text>
                <text x="236" y="260">OSCORE</text>
                <text x="272" y="260">{</text>
                <text x="24" y="276">KUDOS</text>
                <text x="80" y="276">status:</text>
                <text x="232" y="276">...</text>
                <text x="428" y="276">CTX_TEMP</text>
                <text x="472" y="276">=</text>
                <text x="524" y="276">updateCtx(</text>
                <text x="36" y="292">CTX_OLD:</text>
                <text x="88" y="292">X1,</text>
                <text x="116" y="292">N1</text>
                <text x="248" y="292">Partial</text>
                <text x="296" y="292">IV:</text>
                <text x="320" y="292">0</text>
                <text x="472" y="292">0x,</text>
                <text x="28" y="308">State:</text>
                <text x="76" y="308">BUSY</text>
                <text x="120" y="308">(1,0)</text>
                <text x="232" y="308">...</text>
                <text x="468" y="308">X1</text>
                <text x="488" y="308">|</text>
                <text x="512" y="308">N1,</text>
                <text x="224" y="324">d</text>
                <text x="256" y="324">flag:</text>
                <text x="288" y="324">1</text>
                <text x="488" y="324">CTX_OLD</text>
                <text x="528" y="324">)</text>
                <text x="228" y="340">x:</text>
                <text x="252" y="340">X1</text>
                <text x="272" y="340">=</text>
                <text x="328" y="340">b'00000111'</text>
                <text x="244" y="356">nonce:</text>
                <text x="284" y="356">N1</text>
                <text x="420" y="356">Verify</text>
                <text x="468" y="356">with</text>
                <text x="524" y="356">CTX_TEMP</text>
                <text x="232" y="372">...</text>
                <text x="216" y="388">}</text>
                <text x="248" y="404">Encrypted</text>
                <text x="320" y="404">Payload</text>
                <text x="360" y="404">{</text>
                <text x="232" y="420">...</text>
                <text x="216" y="436">}</text>
                <text x="416" y="468">KUDOS</text>
                <text x="472" y="468">status:</text>
                <text x="428" y="484">CTX_OLD:</text>
                <text x="476" y="484">-,</text>
                <text x="496" y="484">-</text>
                <text x="420" y="500">State:</text>
                <text x="468" y="500">BUSY</text>
                <text x="512" y="500">(0,1)</text>
                <text x="428" y="548">Generate</text>
                <text x="480" y="548">N2,</text>
                <text x="508" y="548">X2</text>
                <text x="424" y="580">CTX_NEW</text>
                <text x="464" y="580">=</text>
                <text x="516" y="580">updateCtx(</text>
                <text x="484" y="596">X2</text>
                <text x="532" y="596">N2),</text>
                <text x="484" y="612">X1</text>
                <text x="528" y="612">N1)</text>
                <text x="504" y="628">CTX_OLD</text>
                <text x="544" y="628">)</text>
                <text x="284" y="660">Response</text>
                <text x="332" y="660">#1</text>
                <text x="424" y="676">Protect</text>
                <text x="476" y="676">with</text>
                <text x="528" y="676">CTX_NEW</text>
                <text x="236" y="692">OSCORE</text>
                <text x="272" y="692">{</text>
                <text x="232" y="708">...</text>
                <text x="416" y="708">KUDOS</text>
                <text x="472" y="708">status:</text>
                <text x="32" y="724">CTX_NEW</text>
                <text x="72" y="724">=</text>
                <text x="124" y="724">updateCtx(</text>
                <text x="248" y="724">Partial</text>
                <text x="296" y="724">IV:</text>
                <text x="320" y="724">0</text>
                <text x="428" y="724">CTX_OLD:</text>
                <text x="480" y="724">X2,</text>
                <text x="508" y="724">N2</text>
                <text x="92" y="740">X1</text>
                <text x="136" y="740">N1,</text>
                <text x="232" y="740">...</text>
                <text x="420" y="740">State:</text>
                <text x="480" y="740">PENDING</text>
                <text x="536" y="740">(1,1)</text>
                <text x="92" y="756">X2</text>
                <text x="132" y="756">N2</text>
                <text x="224" y="756">d</text>
                <text x="256" y="756">flag:</text>
                <text x="288" y="756">1</text>
                <text x="112" y="772">CTX_OLD</text>
                <text x="152" y="772">)</text>
                <text x="228" y="772">x:</text>
                <text x="252" y="772">X2</text>
                <text x="272" y="772">=</text>
                <text x="328" y="772">b'01000111'</text>
                <text x="244" y="788">nonce:</text>
                <text x="284" y="788">N2</text>
                <text x="28" y="804">Verify</text>
                <text x="76" y="804">with</text>
                <text x="128" y="804">CTX_NEW</text>
                <text x="232" y="804">...</text>
                <text x="216" y="820">}</text>
                <text x="8" y="836">/</text>
                <text x="32" y="836">key</text>
                <text x="100" y="836">confirmation</text>
                <text x="160" y="836">/</text>
                <text x="256" y="836">Encrypted</text>
                <text x="328" y="836">Payload</text>
                <text x="368" y="836">{</text>
                <text x="240" y="852">...</text>
                <text x="36" y="868">Pre-IDLE</text>
                <text x="100" y="868">steps:</text>
                <text x="216" y="868">}</text>
                <text x="28" y="884">Delete</text>
                <text x="92" y="884">CTX_TEMP</text>
                <text x="28" y="900">Delete</text>
                <text x="92" y="900">CTX_OLD,</text>
                <text x="144" y="900">X1,</text>
                <text x="172" y="900">N1</text>
                <text x="24" y="932">KUDOS</text>
                <text x="80" y="932">status:</text>
                <text x="36" y="948">CTX_NEW:</text>
                <text x="84" y="948">-,</text>
                <text x="104" y="948">-</text>
                <text x="28" y="964">State:</text>
                <text x="76" y="964">IDLE</text>
                <text x="120" y="964">(0,0)</text>
                <text x="16" y="1012">The</text>
                <text x="60" y="1012">actual</text>
                <text x="104" y="1012">key</text>
                <text x="148" y="1012">update</text>
                <text x="208" y="1012">process</text>
                <text x="260" y="1012">ends</text>
                <text x="304" y="1012">here.</text>
                <text x="16" y="1028">The</text>
                <text x="48" y="1028">two</text>
                <text x="88" y="1028">peers</text>
                <text x="128" y="1028">can</text>
                <text x="160" y="1028">use</text>
                <text x="192" y="1028">the</text>
                <text x="224" y="1028">new</text>
                <text x="276" y="1028">Security</text>
                <text x="344" y="1028">Context</text>
                <text x="412" y="1028">CTX_NEW.</text>
                <text x="280" y="1076">Request</text>
                <text x="324" y="1076">#2</text>
                <text x="32" y="1092">Protect</text>
                <text x="84" y="1092">with</text>
                <text x="136" y="1092">CTX_NEW</text>
                <text x="416" y="1092">/temp</text>
                <text x="236" y="1108">OSCORE</text>
                <text x="272" y="1108">{</text>
                <text x="232" y="1124">...</text>
                <text x="216" y="1140">}</text>
                <text x="420" y="1140">Verify</text>
                <text x="468" y="1140">with</text>
                <text x="520" y="1140">CTX_NEW</text>
                <text x="248" y="1156">Encrypted</text>
                <text x="320" y="1156">Payload</text>
                <text x="360" y="1156">{</text>
                <text x="264" y="1172">Application</text>
                <text x="344" y="1172">Payload</text>
                <text x="400" y="1172">/</text>
                <text x="424" y="1172">key</text>
                <text x="492" y="1172">confirmation</text>
                <text x="552" y="1172">/</text>
                <text x="232" y="1188">...</text>
                <text x="216" y="1204">}</text>
                <text x="428" y="1204">Pre-IDLE</text>
                <text x="492" y="1204">steps:</text>
                <text x="420" y="1220">Delete</text>
                <text x="484" y="1220">CTX_TEMP</text>
                <text x="420" y="1236">Delete</text>
                <text x="484" y="1236">CTX_OLD,</text>
                <text x="536" y="1236">X2,</text>
                <text x="564" y="1236">N2</text>
                <text x="416" y="1268">KUDOS</text>
                <text x="472" y="1268">status:</text>
                <text x="428" y="1284">CTX_NEW:</text>
                <text x="476" y="1284">-,</text>
                <text x="496" y="1284">-</text>
                <text x="420" y="1300">State:</text>
                <text x="468" y="1300">IDLE</text>
                <text x="512" y="1300">(0,0)</text>
                <text x="284" y="1316">Response</text>
                <text x="332" y="1316">#2</text>
                <text x="424" y="1332">Protect</text>
                <text x="476" y="1332">with</text>
                <text x="528" y="1332">CTX_NEW</text>
                <text x="28" y="1348">Verify</text>
                <text x="76" y="1348">with</text>
                <text x="128" y="1348">CTX_NEW</text>
                <text x="236" y="1348">OSCORE</text>
                <text x="272" y="1348">{</text>
                <text x="232" y="1364">...</text>
                <text x="216" y="1380">}</text>
                <text x="248" y="1396">Encrypted</text>
                <text x="320" y="1396">Payload</text>
                <text x="360" y="1396">{</text>
                <text x="232" y="1412">...</text>
                <text x="264" y="1428">Application</text>
                <text x="344" y="1428">Payload</text>
                <text x="216" y="1444">}</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
KUDOS status:                                         KUDOS status:
- CTX_OLD: -,-                                        - CTX_OLD: -,-
- State: IDLE (0,0)                                   - State: IDLE (0,0)
                     Client                  Server
                        |                      |
Generate N1, X1         |                      |
                        |                      |
CTX_TEMP = updateCtx(   |                      |
        X1 | N1,        |                      |
        0x,             |                      |
        CTX_OLD )       |                      |
                        |                      |
                        |      Request #1      |
Protect with CTX_TEMP   +--------------------->| /.well-known/kudos
                        | OSCORE {             |
KUDOS status:           |  ...                 | CTX_TEMP = updateCtx(
CTX_OLD: X1, N1         |  Partial IV: 0       |         0x,
State: BUSY (1,0)       |  ...                 |         X1 | N1,
                        |  d flag: 1           |         CTX_OLD )
                        |  x: X1 = b'00000111' |
                        |  nonce: N1           | Verify with CTX_TEMP
                        |  ...                 |
                        | }                    |
                        | Encrypted Payload {  |
                        |  ...                 |
                        | }                    |
                        |                      |
                        |                      | KUDOS status:
                        |                      | CTX_OLD: -, -
                        |                      | State: BUSY (0,1)
                        |                      |
                        |                      |
                        |                      | Generate N2, X2
                        |                      |
                        |                      | CTX_NEW = updateCtx(
                        |                      |           X2 | N2),
                        |                      |           X1 | N1),
                        |                      |           CTX_OLD )
                        |                      |
                        |      Response #1     |
                        |<---------------------+ Protect with CTX_NEW
                        | OSCORE {             |
                        |  ...                 | KUDOS status:
CTX_NEW = updateCtx(    |  Partial IV: 0       | CTX_OLD: X2, N2
          X1 | N1,      |  ...                 | State: PENDING (1,1)
          X2 | N2 ,     |  d flag: 1           |
          CTX_OLD )     |  x: X2 = b'01000111' |
                        |  nonce: N2           |
Verify with CTX_NEW     |  ...                 |
                        | }                    |
/ key confirmation /    |  Encrypted Payload { |
                        |   ...                |
Pre-IDLE steps:         | }                    |
Delete CTX_TEMP         |                      |
Delete CTX_OLD, X1, N1  |                      |
                        |                      |
KUDOS status:           |                      |
CTX_NEW: -, -           |                      |
State: IDLE (0,0)       |                      |
                        |                      |

The actual key update process ends here.
The two peers can use the new Security Context CTX_NEW.

                        |                      |
                        |      Request #2      |
Protect with CTX_NEW    +--------------------->| /temp
                        | OSCORE {             |
                        |  ...                 |
                        | }                    | Verify with CTX_NEW
                        | Encrypted Payload {  |
                        |  Application Payload | / key confirmation /
                        |  ...                 |
                        | }                    | Pre-IDLE steps:
                        |                      | Delete CTX_TEMP
                        |                      | Delete CTX_OLD, X2, N2
                        |                      |
                        |                      | KUDOS status:
                        |                      | CTX_NEW: -, -
                        |                      | State: IDLE (0,0)
                        |      Response #2     |
                        |<---------------------+ Protect with CTX_NEW
Verify with CTX_NEW     | OSCORE {             |
                        |  ...                 |
                        | }                    |
                        | Encrypted Payload {  |
                        |  ...                 |
                        |  Application Payload |
                        | }                    |
                        |                      |
]]></artwork>
        </artset>
      </section>
      <section anchor="successful-kudos-execution-initiated-with-a-response-message">
        <name>Successful KUDOS Execution Initiated with a Response Message</name>
        <t>The following shows a successful execution of KUDOS where KUDOS is started by the server sending a divergent KUDOS message as a CoAP response.</t>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="1472" width="592" viewBox="0 0 592 1472" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 112,688 L 112,704" fill="none" stroke="black"/>
              <path d="M 200,96 L 200,1120" fill="none" stroke="black"/>
              <path d="M 200,1200 L 200,1456" fill="none" stroke="black"/>
              <path d="M 384,96 L 384,1120" fill="none" stroke="black"/>
              <path d="M 384,1200 L 384,1456" fill="none" stroke="black"/>
              <path d="M 504,832 L 504,848" fill="none" stroke="black"/>
              <path d="M 200,128 L 376,128" fill="none" stroke="black"/>
              <path d="M 208,336 L 384,336" fill="none" stroke="black"/>
              <path d="M 200,768 L 376,768" fill="none" stroke="black"/>
              <path d="M 208,1232 L 384,1232" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="384,768 372,762.4 372,773.6" fill="black" transform="rotate(0,376,768)"/>
              <polygon class="arrowhead" points="384,128 372,122.4 372,133.6" fill="black" transform="rotate(0,376,128)"/>
              <polygon class="arrowhead" points="216,1232 204,1226.4 204,1237.6" fill="black" transform="rotate(180,208,1232)"/>
              <polygon class="arrowhead" points="216,336 204,330.4 204,341.6" fill="black" transform="rotate(180,208,336)"/>
              <g class="text">
                <text x="24" y="36">KUDOS</text>
                <text x="80" y="36">status:</text>
                <text x="456" y="36">KUDOS</text>
                <text x="512" y="36">status:</text>
                <text x="8" y="52">-</text>
                <text x="52" y="52">CTX_OLD:</text>
                <text x="104" y="52">-,-</text>
                <text x="440" y="52">-</text>
                <text x="484" y="52">CTX_OLD:</text>
                <text x="536" y="52">-,-</text>
                <text x="8" y="68">-</text>
                <text x="44" y="68">State:</text>
                <text x="92" y="68">IDLE</text>
                <text x="136" y="68">(0,0)</text>
                <text x="440" y="68">-</text>
                <text x="476" y="68">State:</text>
                <text x="524" y="68">IDLE</text>
                <text x="568" y="68">(0,0)</text>
                <text x="204" y="84">Client</text>
                <text x="388" y="84">Server</text>
                <text x="280" y="116">Request</text>
                <text x="324" y="116">#1</text>
                <text x="32" y="132">Protect</text>
                <text x="84" y="132">with</text>
                <text x="136" y="132">CTX_OLD</text>
                <text x="416" y="132">/temp</text>
                <text x="236" y="148">OSCORE</text>
                <text x="272" y="148">{</text>
                <text x="232" y="164">...</text>
                <text x="216" y="180">}</text>
                <text x="420" y="180">Verify</text>
                <text x="468" y="180">with</text>
                <text x="520" y="180">CTX_OLD</text>
                <text x="248" y="196">Encrypted</text>
                <text x="320" y="196">Payload</text>
                <text x="360" y="196">{</text>
                <text x="232" y="212">...</text>
                <text x="428" y="212">Generate</text>
                <text x="480" y="212">N1,</text>
                <text x="508" y="212">X1</text>
                <text x="264" y="228">Application</text>
                <text x="344" y="228">Payload</text>
                <text x="216" y="244">}</text>
                <text x="428" y="244">CTX_TEMP</text>
                <text x="472" y="244">=</text>
                <text x="524" y="244">updateCtx(</text>
                <text x="468" y="260">X1</text>
                <text x="488" y="260">|</text>
                <text x="512" y="260">N1,</text>
                <text x="472" y="276">0x,</text>
                <text x="488" y="292">CTX_OLD</text>
                <text x="528" y="292">)</text>
                <text x="284" y="324">Response</text>
                <text x="332" y="324">#1</text>
                <text x="424" y="340">Protect</text>
                <text x="476" y="340">with</text>
                <text x="532" y="340">CTX_TEMP</text>
                <text x="236" y="356">OSCORE</text>
                <text x="272" y="356">{</text>
                <text x="232" y="372">...</text>
                <text x="416" y="372">KUDOS</text>
                <text x="472" y="372">status:</text>
                <text x="36" y="388">CTX_TEMP</text>
                <text x="80" y="388">=</text>
                <text x="132" y="388">updateCtx(</text>
                <text x="248" y="388">Partial</text>
                <text x="296" y="388">IV:</text>
                <text x="320" y="388">0</text>
                <text x="428" y="388">CTX_OLD:</text>
                <text x="480" y="388">X1,</text>
                <text x="508" y="388">N1</text>
                <text x="80" y="404">0x,</text>
                <text x="232" y="404">...</text>
                <text x="420" y="404">State:</text>
                <text x="468" y="404">BUSY</text>
                <text x="512" y="404">(1,0)</text>
                <text x="76" y="420">X1</text>
                <text x="96" y="420">|</text>
                <text x="120" y="420">N1,</text>
                <text x="224" y="420">d</text>
                <text x="256" y="420">flag:</text>
                <text x="288" y="420">1</text>
                <text x="96" y="436">CTX_OLD</text>
                <text x="136" y="436">)</text>
                <text x="228" y="436">x:</text>
                <text x="252" y="436">X1</text>
                <text x="272" y="436">=</text>
                <text x="328" y="436">b'00000111'</text>
                <text x="244" y="452">nonce:</text>
                <text x="284" y="452">N1</text>
                <text x="28" y="468">Verify</text>
                <text x="76" y="468">with</text>
                <text x="132" y="468">CTX_TEMP</text>
                <text x="232" y="468">...</text>
                <text x="216" y="484">}</text>
                <text x="248" y="500">Encrypted</text>
                <text x="320" y="500">Payload</text>
                <text x="360" y="500">{</text>
                <text x="224" y="516">...</text>
                <text x="216" y="532">}</text>
                <text x="24" y="564">KUDOS</text>
                <text x="80" y="564">status:</text>
                <text x="8" y="580">-</text>
                <text x="52" y="580">CTX_OLD:</text>
                <text x="104" y="580">-,-</text>
                <text x="8" y="596">-</text>
                <text x="44" y="596">State:</text>
                <text x="92" y="596">BUSY</text>
                <text x="136" y="596">(0,1)</text>
                <text x="36" y="644">Generate</text>
                <text x="88" y="644">N2,</text>
                <text x="116" y="644">X2</text>
                <text x="32" y="676">CTX_NEW</text>
                <text x="72" y="676">=</text>
                <text x="124" y="676">updateCtx(</text>
                <text x="92" y="692">X2</text>
                <text x="136" y="692">N2,</text>
                <text x="92" y="708">X1</text>
                <text x="136" y="708">N1,</text>
                <text x="112" y="724">CTX_OLD</text>
                <text x="152" y="724">)</text>
                <text x="280" y="756">Request</text>
                <text x="324" y="756">#2</text>
                <text x="32" y="772">Protect</text>
                <text x="84" y="772">with</text>
                <text x="136" y="772">CTX_NEW</text>
                <text x="468" y="772">/.well-known/kudos</text>
                <text x="236" y="788">OSCORE</text>
                <text x="272" y="788">{</text>
                <text x="24" y="804">KUDOS</text>
                <text x="80" y="804">status:</text>
                <text x="232" y="804">...</text>
                <text x="8" y="820">-</text>
                <text x="52" y="820">CTX_OLD:</text>
                <text x="104" y="820">X2,</text>
                <text x="132" y="820">N2</text>
                <text x="224" y="820">d</text>
                <text x="256" y="820">flag:</text>
                <text x="288" y="820">1</text>
                <text x="424" y="820">CTX_NEW</text>
                <text x="464" y="820">=</text>
                <text x="516" y="820">updateCtx(</text>
                <text x="8" y="836">-</text>
                <text x="44" y="836">State:</text>
                <text x="104" y="836">PENDING</text>
                <text x="160" y="836">(1,1)</text>
                <text x="228" y="836">x:</text>
                <text x="252" y="836">X2</text>
                <text x="272" y="836">=</text>
                <text x="328" y="836">b'01000111'</text>
                <text x="484" y="836">X1</text>
                <text x="528" y="836">N1,</text>
                <text x="244" y="852">nonce:</text>
                <text x="284" y="852">N2</text>
                <text x="484" y="852">X2</text>
                <text x="528" y="852">N2,</text>
                <text x="232" y="868">...</text>
                <text x="504" y="868">CTX_OLD</text>
                <text x="544" y="868">)</text>
                <text x="216" y="884">}</text>
                <text x="248" y="900">Encrypted</text>
                <text x="320" y="900">Payload</text>
                <text x="360" y="900">{</text>
                <text x="420" y="900">Verify</text>
                <text x="468" y="900">with</text>
                <text x="520" y="900">CTX_NEW</text>
                <text x="232" y="916">...</text>
                <text x="264" y="932">Application</text>
                <text x="344" y="932">Payload</text>
                <text x="400" y="932">/</text>
                <text x="424" y="932">key</text>
                <text x="492" y="932">confirmation</text>
                <text x="552" y="932">/</text>
                <text x="216" y="948">}</text>
                <text x="428" y="964">Pre-IDLE</text>
                <text x="492" y="964">steps:</text>
                <text x="420" y="980">Delete</text>
                <text x="484" y="980">CTX_TEMP</text>
                <text x="420" y="996">Delete</text>
                <text x="484" y="996">CTX_OLD,</text>
                <text x="536" y="996">X1,</text>
                <text x="564" y="996">N1</text>
                <text x="416" y="1028">KUDOS</text>
                <text x="472" y="1028">status:</text>
                <text x="400" y="1044">-</text>
                <text x="444" y="1044">CTX_NEW:</text>
                <text x="496" y="1044">-,-</text>
                <text x="400" y="1060">-</text>
                <text x="436" y="1060">State:</text>
                <text x="484" y="1060">IDLE</text>
                <text x="528" y="1060">(0,0)</text>
                <text x="16" y="1156">The</text>
                <text x="60" y="1156">actual</text>
                <text x="104" y="1156">key</text>
                <text x="148" y="1156">update</text>
                <text x="208" y="1156">process</text>
                <text x="260" y="1156">ends</text>
                <text x="304" y="1156">here.</text>
                <text x="16" y="1172">The</text>
                <text x="48" y="1172">two</text>
                <text x="88" y="1172">peers</text>
                <text x="128" y="1172">can</text>
                <text x="160" y="1172">use</text>
                <text x="192" y="1172">the</text>
                <text x="224" y="1172">new</text>
                <text x="276" y="1172">Security</text>
                <text x="344" y="1172">Context</text>
                <text x="412" y="1172">CTX_NEW.</text>
                <text x="284" y="1220">Response</text>
                <text x="332" y="1220">#2</text>
                <text x="424" y="1236">Protect</text>
                <text x="476" y="1236">with</text>
                <text x="528" y="1236">CTX_NEW</text>
                <text x="236" y="1252">OSCORE</text>
                <text x="272" y="1252">{</text>
                <text x="232" y="1268">...</text>
                <text x="28" y="1284">Verify</text>
                <text x="76" y="1284">with</text>
                <text x="128" y="1284">CTX_NEW</text>
                <text x="216" y="1284">}</text>
                <text x="248" y="1300">Encrypted</text>
                <text x="320" y="1300">Payload</text>
                <text x="360" y="1300">{</text>
                <text x="8" y="1316">/</text>
                <text x="32" y="1316">key</text>
                <text x="100" y="1316">confirmation</text>
                <text x="160" y="1316">/</text>
                <text x="232" y="1316">...</text>
                <text x="264" y="1332">Application</text>
                <text x="344" y="1332">Payload</text>
                <text x="36" y="1348">Pre-IDLE</text>
                <text x="100" y="1348">steps:</text>
                <text x="216" y="1348">}</text>
                <text x="28" y="1364">Delete</text>
                <text x="92" y="1364">CTX_TEMP</text>
                <text x="28" y="1380">Delete</text>
                <text x="92" y="1380">CTX_OLD,</text>
                <text x="144" y="1380">X1,</text>
                <text x="172" y="1380">N1</text>
                <text x="24" y="1412">KUDOS</text>
                <text x="80" y="1412">status:</text>
                <text x="36" y="1428">CTX_NEW:</text>
                <text x="84" y="1428">-,</text>
                <text x="104" y="1428">-</text>
                <text x="28" y="1444">State:</text>
                <text x="76" y="1444">IDLE</text>
                <text x="120" y="1444">(0,0)</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
KUDOS status:                                         KUDOS status:
- CTX_OLD: -,-                                        - CTX_OLD: -,-
- State: IDLE (0,0)                                   - State: IDLE (0,0)
                      Client                 Server
                        |                      |
                        |      Request #1      |
Protect with CTX_OLD    +--------------------->| /temp
                        | OSCORE {             |
                        |  ...                 |
                        | }                    | Verify with CTX_OLD
                        | Encrypted Payload {  |
                        |  ...                 | Generate N1, X1
                        |  Application Payload |
                        | }                    | CTX_TEMP = updateCtx(
                        |                      |         X1 | N1,
                        |                      |         0x,
                        |                      |         CTX_OLD )
                        |                      |
                        |      Response #1     |
                        |<---------------------+ Protect with CTX_TEMP
                        | OSCORE {             |
                        |  ...                 | KUDOS status:
CTX_TEMP = updateCtx(   |  Partial IV: 0       | CTX_OLD: X1, N1
        0x,             |  ...                 | State: BUSY (1,0)
        X1 | N1,        |  d flag: 1           |
        CTX_OLD )       |  x: X1 = b'00000111' |
                        |  nonce: N1           |
Verify with CTX_TEMP    |  ...                 |
                        | }                    |
                        | Encrypted Payload {  |
                        | ...                  |
                        | }                    |
                        |                      |
KUDOS status:           |                      |
- CTX_OLD: -,-          |                      |
- State: BUSY (0,1)     |                      |
                        |                      |
                        |                      |
Generate N2, X2         |                      |
                        |                      |
CTX_NEW = updateCtx(    |                      |
          X2 | N2,      |                      |
          X1 | N1,      |                      |
          CTX_OLD )     |                      |
                        |                      |
                        |      Request #2      |
Protect with CTX_NEW    +--------------------->| /.well-known/kudos
                        | OSCORE {             |
KUDOS status:           |  ...                 |
- CTX_OLD: X2, N2       |  d flag: 1           | CTX_NEW = updateCtx(
- State: PENDING (1,1)  |  x: X2 = b'01000111' |           X1 | N1,
                        |  nonce: N2           |           X2 | N2,
                        |  ...                 |           CTX_OLD )
                        | }                    |
                        | Encrypted Payload {  | Verify with CTX_NEW
                        |  ...                 |
                        |  Application Payload | / key confirmation /
                        | }                    |
                        |                      | Pre-IDLE steps:
                        |                      | Delete CTX_TEMP
                        |                      | Delete CTX_OLD, X1, N1
                        |                      |
                        |                      | KUDOS status:
                        |                      | - CTX_NEW: -,-
                        |                      | - State: IDLE (0,0)
                        |                      |
                        |                      |
                        |                      |
                        |                      |

The actual key update process ends here.
The two peers can use the new Security Context CTX_NEW.

                        |                      |
                        |      Response #2     |
                        |<---------------------+ Protect with CTX_NEW
                        | OSCORE {             |
                        |  ...                 |
Verify with CTX_NEW     | }                    |
                        | Encrypted Payload {  |
/ key confirmation /    |  ...                 |
                        |  Application Payload |
Pre-IDLE steps:         | }                    |
Delete CTX_TEMP         |                      |
Delete CTX_OLD, X1, N1  |                      |
                        |                      |
KUDOS status:           |                      |
CTX_NEW: -, -           |                      |
State: IDLE (0,0)       |                      |
                        |                      |
]]></artwork>
        </artset>
      </section>
      <section anchor="successful-kudos-execution-initiated-with-a-request-message-with-non-capable-server-that-has-rebooted">
        <name>Successful KUDOS Execution Initiated with a Request Message, with Non-capable Server that has Rebooted</name>
        <t>The peers have run KUDOS prior to this KUDOS execution and have learned that they must from now on run KUDOS only in no-FS mode.</t>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="1552" width="648" viewBox="0 0 648 1552" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 112,752 L 112,768" fill="none" stroke="black"/>
              <path d="M 200,112 L 200,1024" fill="none" stroke="black"/>
              <path d="M 200,1104 L 200,1520" fill="none" stroke="black"/>
              <path d="M 384,112 L 384,1024" fill="none" stroke="black"/>
              <path d="M 384,1104 L 384,1520" fill="none" stroke="black"/>
              <path d="M 504,608 L 504,624" fill="none" stroke="black"/>
              <path d="M 528,496 L 528,504" fill="none" stroke="black"/>
              <path d="M 200,256 L 376,256" fill="none" stroke="black"/>
              <path d="M 208,688 L 384,688" fill="none" stroke="black"/>
              <path d="M 200,1136 L 376,1136" fill="none" stroke="black"/>
              <path d="M 208,1392 L 384,1392" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="384,1136 372,1130.4 372,1141.6" fill="black" transform="rotate(0,376,1136)"/>
              <polygon class="arrowhead" points="384,256 372,250.4 372,261.6" fill="black" transform="rotate(0,376,256)"/>
              <polygon class="arrowhead" points="216,1392 204,1386.4 204,1397.6" fill="black" transform="rotate(180,208,1392)"/>
              <polygon class="arrowhead" points="216,688 204,682.4 204,693.6" fill="black" transform="rotate(180,208,688)"/>
              <g class="text">
                <text x="24" y="36">KUDOS</text>
                <text x="80" y="36">status:</text>
                <text x="456" y="36">KUDOS</text>
                <text x="512" y="36">status:</text>
                <text x="8" y="52">-</text>
                <text x="52" y="52">CTX_OLD:</text>
                <text x="104" y="52">-,-</text>
                <text x="440" y="52">-</text>
                <text x="460" y="52">No</text>
                <text x="504" y="52">CTX_OLD</text>
                <text x="552" y="52">due</text>
                <text x="580" y="52">to</text>
                <text x="620" y="52">reboot</text>
                <text x="8" y="68">-</text>
                <text x="44" y="68">State:</text>
                <text x="92" y="68">IDLE</text>
                <text x="136" y="68">(0,0)</text>
                <text x="440" y="68">-</text>
                <text x="476" y="68">State:</text>
                <text x="524" y="68">IDLE</text>
                <text x="568" y="68">(0,0)</text>
                <text x="196" y="84">Client</text>
                <text x="388" y="84">Server</text>
                <text x="200" y="100">(initiator)</text>
                <text x="384" y="100">(responder)</text>
                <text x="36" y="132">Generate</text>
                <text x="88" y="132">N1,</text>
                <text x="116" y="132">X1</text>
                <text x="36" y="164">CTX_TEMP</text>
                <text x="80" y="164">=</text>
                <text x="132" y="164">updateCtx(</text>
                <text x="76" y="180">X1</text>
                <text x="96" y="180">|</text>
                <text x="120" y="180">N1,</text>
                <text x="80" y="196">0x,</text>
                <text x="120" y="212">CTX_BOOTSTRAP</text>
                <text x="184" y="212">)</text>
                <text x="280" y="244">Request</text>
                <text x="324" y="244">#1</text>
                <text x="32" y="260">Protect</text>
                <text x="84" y="260">with</text>
                <text x="140" y="260">CTX_TEMP</text>
                <text x="468" y="260">/.well-known/kudos</text>
                <text x="236" y="276">OSCORE</text>
                <text x="272" y="276">{</text>
                <text x="24" y="292">KUDOS</text>
                <text x="80" y="292">status:</text>
                <text x="232" y="292">...</text>
                <text x="428" y="292">CTX_TEMP</text>
                <text x="472" y="292">=</text>
                <text x="524" y="292">updateCtx(</text>
                <text x="60" y="308">CTX_BOOTSTRAP:</text>
                <text x="136" y="308">X1,</text>
                <text x="164" y="308">N1</text>
                <text x="248" y="308">Partial</text>
                <text x="296" y="308">IV:</text>
                <text x="320" y="308">0</text>
                <text x="472" y="308">0x,</text>
                <text x="28" y="324">State:</text>
                <text x="76" y="324">BUSY</text>
                <text x="120" y="324">(1,0)</text>
                <text x="232" y="324">...</text>
                <text x="468" y="324">X1</text>
                <text x="488" y="324">|</text>
                <text x="512" y="324">N1,</text>
                <text x="224" y="340">d</text>
                <text x="256" y="340">flag:</text>
                <text x="288" y="340">1</text>
                <text x="512" y="340">CTX_BOOTSTRAP</text>
                <text x="576" y="340">)</text>
                <text x="228" y="356">x:</text>
                <text x="252" y="356">X1</text>
                <text x="272" y="356">=</text>
                <text x="328" y="356">b'00010111'</text>
                <text x="244" y="372">nonce:</text>
                <text x="284" y="372">N1</text>
                <text x="420" y="372">Verify</text>
                <text x="468" y="372">with</text>
                <text x="524" y="372">CTX_TEMP</text>
                <text x="232" y="388">...</text>
                <text x="216" y="404">}</text>
                <text x="248" y="420">Encrypted</text>
                <text x="320" y="420">Payload</text>
                <text x="360" y="420">{</text>
                <text x="232" y="436">...</text>
                <text x="216" y="452">}</text>
                <text x="416" y="484">KUDOS</text>
                <text x="472" y="484">status:</text>
                <text x="452" y="500">CTX_BOOTSTRAP:</text>
                <text x="520" y="500">-</text>
                <text x="536" y="500">-</text>
                <text x="420" y="516">State:</text>
                <text x="468" y="516">BUSY</text>
                <text x="512" y="516">(0,1)</text>
                <text x="428" y="564">Generate</text>
                <text x="480" y="564">N2,</text>
                <text x="508" y="564">X2</text>
                <text x="424" y="596">CTX_NEW</text>
                <text x="464" y="596">=</text>
                <text x="516" y="596">updateCtx(</text>
                <text x="484" y="612">X2</text>
                <text x="532" y="612">N2),</text>
                <text x="484" y="628">X1</text>
                <text x="532" y="628">N1),</text>
                <text x="528" y="644">CTX_BOOTSTRAP</text>
                <text x="592" y="644">)</text>
                <text x="284" y="676">Response</text>
                <text x="332" y="676">#1</text>
                <text x="424" y="692">Protect</text>
                <text x="476" y="692">with</text>
                <text x="528" y="692">CTX_NEW</text>
                <text x="236" y="708">OSCORE</text>
                <text x="272" y="708">{</text>
                <text x="232" y="724">...</text>
                <text x="416" y="724">KUDOS</text>
                <text x="472" y="724">status:</text>
                <text x="32" y="740">CTX_NEW</text>
                <text x="72" y="740">=</text>
                <text x="124" y="740">updateCtx(</text>
                <text x="248" y="740">Partial</text>
                <text x="296" y="740">IV:</text>
                <text x="320" y="740">0</text>
                <text x="452" y="740">CTX_BOOTSTRAP:</text>
                <text x="528" y="740">X2,</text>
                <text x="556" y="740">N2</text>
                <text x="92" y="756">X1</text>
                <text x="136" y="756">N1,</text>
                <text x="232" y="756">...</text>
                <text x="420" y="756">State:</text>
                <text x="480" y="756">PENDING</text>
                <text x="536" y="756">(1,1)</text>
                <text x="92" y="772">X2</text>
                <text x="132" y="772">N2</text>
                <text x="152" y="772">,</text>
                <text x="224" y="772">d</text>
                <text x="256" y="772">flag:</text>
                <text x="288" y="772">1</text>
                <text x="140" y="788">CTX_BOOTSTRAP)</text>
                <text x="228" y="788">x:</text>
                <text x="252" y="788">X2</text>
                <text x="272" y="788">=</text>
                <text x="328" y="788">b'01010111'</text>
                <text x="244" y="804">nonce:</text>
                <text x="284" y="804">N2</text>
                <text x="28" y="820">Verify</text>
                <text x="76" y="820">with</text>
                <text x="128" y="820">CTX_NEW</text>
                <text x="232" y="820">...</text>
                <text x="216" y="836">}</text>
                <text x="8" y="852">/</text>
                <text x="32" y="852">key</text>
                <text x="100" y="852">confirmation</text>
                <text x="160" y="852">/</text>
                <text x="256" y="852">Encrypted</text>
                <text x="328" y="852">Payload</text>
                <text x="368" y="852">{</text>
                <text x="240" y="868">...</text>
                <text x="36" y="884">Pre-IDLE</text>
                <text x="100" y="884">steps:</text>
                <text x="216" y="884">}</text>
                <text x="28" y="900">Delete</text>
                <text x="112" y="900">CTX_BOOTSTRAP</text>
                <text x="44" y="916">Delete</text>
                <text x="88" y="916">X1,</text>
                <text x="116" y="916">N1</text>
                <text x="28" y="932">Delete</text>
                <text x="92" y="932">CTX_TEMP</text>
                <text x="28" y="948">Delete</text>
                <text x="88" y="948">CTX_OLD</text>
                <text x="24" y="980">KUDOS</text>
                <text x="80" y="980">status:</text>
                <text x="36" y="996">CTX_NEW:</text>
                <text x="84" y="996">-,</text>
                <text x="104" y="996">-</text>
                <text x="28" y="1012">State:</text>
                <text x="76" y="1012">IDLE</text>
                <text x="120" y="1012">(0,0)</text>
                <text x="16" y="1060">The</text>
                <text x="60" y="1060">actual</text>
                <text x="104" y="1060">key</text>
                <text x="148" y="1060">update</text>
                <text x="208" y="1060">process</text>
                <text x="260" y="1060">ends</text>
                <text x="304" y="1060">here.</text>
                <text x="16" y="1076">The</text>
                <text x="48" y="1076">two</text>
                <text x="88" y="1076">peers</text>
                <text x="128" y="1076">can</text>
                <text x="160" y="1076">use</text>
                <text x="192" y="1076">the</text>
                <text x="224" y="1076">new</text>
                <text x="276" y="1076">Security</text>
                <text x="344" y="1076">Context</text>
                <text x="412" y="1076">CTX_NEW.</text>
                <text x="280" y="1124">Request</text>
                <text x="324" y="1124">#2</text>
                <text x="32" y="1140">Protect</text>
                <text x="84" y="1140">with</text>
                <text x="136" y="1140">CTX_NEW</text>
                <text x="416" y="1140">/temp</text>
                <text x="236" y="1156">OSCORE</text>
                <text x="272" y="1156">{</text>
                <text x="232" y="1172">...</text>
                <text x="216" y="1188">}</text>
                <text x="420" y="1188">Verify</text>
                <text x="468" y="1188">with</text>
                <text x="520" y="1188">CTX_NEW</text>
                <text x="248" y="1204">Encrypted</text>
                <text x="320" y="1204">Payload</text>
                <text x="360" y="1204">{</text>
                <text x="264" y="1220">Application</text>
                <text x="344" y="1220">Payload</text>
                <text x="400" y="1220">/</text>
                <text x="424" y="1220">key</text>
                <text x="492" y="1220">confirmation</text>
                <text x="552" y="1220">/</text>
                <text x="232" y="1236">...</text>
                <text x="216" y="1252">}</text>
                <text x="428" y="1252">Pre-IDLE</text>
                <text x="492" y="1252">steps:</text>
                <text x="420" y="1268">Delete</text>
                <text x="504" y="1268">CTX_BOOTSTRAP</text>
                <text x="436" y="1284">Delete</text>
                <text x="480" y="1284">X2,</text>
                <text x="508" y="1284">N2</text>
                <text x="420" y="1300">Delete</text>
                <text x="484" y="1300">CTX_TEMP</text>
                <text x="416" y="1332">KUDOS</text>
                <text x="472" y="1332">status:</text>
                <text x="428" y="1348">CTX_NEW:</text>
                <text x="476" y="1348">-,</text>
                <text x="496" y="1348">-</text>
                <text x="420" y="1364">State:</text>
                <text x="468" y="1364">IDLE</text>
                <text x="512" y="1364">(0,0)</text>
                <text x="284" y="1380">Response</text>
                <text x="332" y="1380">#2</text>
                <text x="424" y="1396">Protect</text>
                <text x="476" y="1396">with</text>
                <text x="528" y="1396">CTX_NEW</text>
                <text x="28" y="1412">Verify</text>
                <text x="76" y="1412">with</text>
                <text x="128" y="1412">CTX_NEW</text>
                <text x="236" y="1412">OSCORE</text>
                <text x="272" y="1412">{</text>
                <text x="232" y="1428">...</text>
                <text x="216" y="1444">}</text>
                <text x="248" y="1460">Encrypted</text>
                <text x="320" y="1460">Payload</text>
                <text x="360" y="1460">{</text>
                <text x="232" y="1476">...</text>
                <text x="264" y="1492">Application</text>
                <text x="344" y="1492">Payload</text>
                <text x="216" y="1508">}</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
KUDOS status:                                         KUDOS status:
- CTX_OLD: -,-                                        - No CTX_OLD due to reboot
- State: IDLE (0,0)                                   - State: IDLE (0,0)
                     Client                  Server
                   (initiator)            (responder)
                        |                      |
Generate N1, X1         |                      |
                        |                      |
CTX_TEMP = updateCtx(   |                      |
        X1 | N1,        |                      |
        0x,             |                      |
        CTX_BOOTSTRAP ) |                      |
                        |                      |
                        |      Request #1      |
Protect with CTX_TEMP   +--------------------->| /.well-known/kudos
                        | OSCORE {             |
KUDOS status:           |  ...                 | CTX_TEMP = updateCtx(
CTX_BOOTSTRAP: X1, N1   |  Partial IV: 0       |         0x,
State: BUSY (1,0)       |  ...                 |         X1 | N1,
                        |  d flag: 1           |         CTX_BOOTSTRAP )
                        |  x: X1 = b'00010111' |
                        |  nonce: N1           | Verify with CTX_TEMP
                        |  ...                 |
                        | }                    |
                        | Encrypted Payload {  |
                        |  ...                 |
                        | }                    |
                        |                      |
                        |                      | KUDOS status:
                        |                      | CTX_BOOTSTRAP: -,-
                        |                      | State: BUSY (0,1)
                        |                      |
                        |                      |
                        |                      | Generate N2, X2
                        |                      |
                        |                      | CTX_NEW = updateCtx(
                        |                      |           X2 | N2),
                        |                      |           X1 | N1),
                        |                      |           CTX_BOOTSTRAP )
                        |                      |
                        |      Response #1     |
                        |<---------------------+ Protect with CTX_NEW
                        | OSCORE {             |
                        |  ...                 | KUDOS status:
CTX_NEW = updateCtx(    |  Partial IV: 0       | CTX_BOOTSTRAP: X2, N2
          X1 | N1,      |  ...                 | State: PENDING (1,1)
          X2 | N2 ,     |  d flag: 1           |
          CTX_BOOTSTRAP)|  x: X2 = b'01010111' |
                        |  nonce: N2           |
Verify with CTX_NEW     |  ...                 |
                        | }                    |
/ key confirmation /    |  Encrypted Payload { |
                        |   ...                |
Pre-IDLE steps:         | }                    |
Delete CTX_BOOTSTRAP    |                      |
  Delete X1, N1         |                      |
Delete CTX_TEMP         |                      |
Delete CTX_OLD          |                      |
                        |                      |
KUDOS status:           |                      |
CTX_NEW: -, -           |                      |
State: IDLE (0,0)       |                      |
                        |                      |

The actual key update process ends here.
The two peers can use the new Security Context CTX_NEW.

                        |                      |
                        |      Request #2      |
Protect with CTX_NEW    +--------------------->| /temp
                        | OSCORE {             |
                        |  ...                 |
                        | }                    | Verify with CTX_NEW
                        | Encrypted Payload {  |
                        |  Application Payload | / key confirmation /
                        |  ...                 |
                        | }                    | Pre-IDLE steps:
                        |                      | Delete CTX_BOOTSTRAP
                        |                      |   Delete X2, N2
                        |                      | Delete CTX_TEMP
                        |                      |
                        |                      | KUDOS status:
                        |                      | CTX_NEW: -, -
                        |                      | State: IDLE (0,0)
                        |      Response #2     |
                        |<---------------------+ Protect with CTX_NEW
Verify with CTX_NEW     | OSCORE {             |
                        |  ...                 |
                        | }                    |
                        | Encrypted Payload {  |
                        |  ...                 |
                        |  Application Payload |
                        | }                    |
                        |                      |

]]></artwork>
        </artset>
      </section>
      <section anchor="successful-kudos-execution-initiated-with-a-request-message-where-the-client-executes-kudos-again-after-the-first-execution">
        <name>Successful KUDOS Execution Initiated with a Request Message, where the Client Executes KUDOS again after the first Execution</name>
        <t>A second KUDOS execution is started by the client immediately after a successful KUDOS key update.</t>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="2624" width="616" viewBox="0 0 616 2624" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 112,752 L 112,768" fill="none" stroke="black"/>
              <path d="M 112,1872 L 112,1888" fill="none" stroke="black"/>
              <path d="M 152,768 L 152,776" fill="none" stroke="black"/>
              <path d="M 152,1888 L 152,1896" fill="none" stroke="black"/>
              <path d="M 200,112 L 200,992" fill="none" stroke="black"/>
              <path d="M 200,1104 L 200,2112" fill="none" stroke="black"/>
              <path d="M 200,2192 L 200,2608" fill="none" stroke="black"/>
              <path d="M 384,112 L 384,992" fill="none" stroke="black"/>
              <path d="M 384,1104 L 384,2112" fill="none" stroke="black"/>
              <path d="M 384,2192 L 384,2608" fill="none" stroke="black"/>
              <path d="M 504,608 L 504,624" fill="none" stroke="black"/>
              <path d="M 504,1712 L 504,1728" fill="none" stroke="black"/>
              <path d="M 544,624 L 544,632" fill="none" stroke="black"/>
              <path d="M 544,1728 L 544,1736" fill="none" stroke="black"/>
              <path d="M 200,256 L 376,256" fill="none" stroke="black"/>
              <path d="M 208,688 L 384,688" fill="none" stroke="black"/>
              <path d="M 200,1248 L 376,1248" fill="none" stroke="black"/>
              <path d="M 208,1808 L 384,1808" fill="none" stroke="black"/>
              <path d="M 200,2224 L 376,2224" fill="none" stroke="black"/>
              <path d="M 208,2480 L 384,2480" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="384,2224 372,2218.4 372,2229.6" fill="black" transform="rotate(0,376,2224)"/>
              <polygon class="arrowhead" points="384,1248 372,1242.4 372,1253.6" fill="black" transform="rotate(0,376,1248)"/>
              <polygon class="arrowhead" points="384,256 372,250.4 372,261.6" fill="black" transform="rotate(0,376,256)"/>
              <polygon class="arrowhead" points="216,2480 204,2474.4 204,2485.6" fill="black" transform="rotate(180,208,2480)"/>
              <polygon class="arrowhead" points="216,1808 204,1802.4 204,1813.6" fill="black" transform="rotate(180,208,1808)"/>
              <polygon class="arrowhead" points="216,688 204,682.4 204,693.6" fill="black" transform="rotate(180,208,688)"/>
              <g class="text">
                <text x="24" y="36">KUDOS</text>
                <text x="80" y="36">status:</text>
                <text x="456" y="36">KUDOS</text>
                <text x="512" y="36">status:</text>
                <text x="8" y="52">-</text>
                <text x="52" y="52">CTX_OLD:</text>
                <text x="104" y="52">-,-</text>
                <text x="440" y="52">-</text>
                <text x="484" y="52">CTX_OLD:</text>
                <text x="536" y="52">-,-</text>
                <text x="8" y="68">-</text>
                <text x="44" y="68">State:</text>
                <text x="92" y="68">IDLE</text>
                <text x="136" y="68">(0,0)</text>
                <text x="440" y="68">-</text>
                <text x="476" y="68">State:</text>
                <text x="524" y="68">IDLE</text>
                <text x="568" y="68">(0,0)</text>
                <text x="196" y="84">Client</text>
                <text x="388" y="84">Server</text>
                <text x="200" y="100">(initiator)</text>
                <text x="384" y="100">(responder)</text>
                <text x="36" y="132">Generate</text>
                <text x="88" y="132">N1,</text>
                <text x="116" y="132">X1</text>
                <text x="36" y="164">CTX_TEMP</text>
                <text x="80" y="164">=</text>
                <text x="132" y="164">updateCtx(</text>
                <text x="76" y="180">X1</text>
                <text x="96" y="180">|</text>
                <text x="120" y="180">N1,</text>
                <text x="80" y="196">0x,</text>
                <text x="96" y="212">CTX_OLD</text>
                <text x="136" y="212">)</text>
                <text x="280" y="244">Request</text>
                <text x="324" y="244">#1</text>
                <text x="32" y="260">Protect</text>
                <text x="84" y="260">with</text>
                <text x="140" y="260">CTX_TEMP</text>
                <text x="468" y="260">/.well-known/kudos</text>
                <text x="236" y="276">OSCORE</text>
                <text x="272" y="276">{</text>
                <text x="24" y="292">KUDOS</text>
                <text x="80" y="292">status:</text>
                <text x="232" y="292">...</text>
                <text x="428" y="292">CTX_TEMP</text>
                <text x="472" y="292">=</text>
                <text x="524" y="292">updateCtx(</text>
                <text x="36" y="308">CTX_OLD:</text>
                <text x="88" y="308">X1,</text>
                <text x="116" y="308">N1</text>
                <text x="248" y="308">Partial</text>
                <text x="296" y="308">IV:</text>
                <text x="320" y="308">0</text>
                <text x="472" y="308">0x,</text>
                <text x="28" y="324">State:</text>
                <text x="76" y="324">BUSY</text>
                <text x="120" y="324">(1,0)</text>
                <text x="232" y="324">...</text>
                <text x="468" y="324">X1</text>
                <text x="488" y="324">|</text>
                <text x="512" y="324">N1,</text>
                <text x="224" y="340">d</text>
                <text x="256" y="340">flag:</text>
                <text x="288" y="340">1</text>
                <text x="488" y="340">CTX_OLD</text>
                <text x="528" y="340">)</text>
                <text x="228" y="356">x:</text>
                <text x="252" y="356">X1</text>
                <text x="272" y="356">=</text>
                <text x="328" y="356">b'00000111'</text>
                <text x="244" y="372">nonce:</text>
                <text x="284" y="372">N1</text>
                <text x="420" y="372">Verify</text>
                <text x="468" y="372">with</text>
                <text x="524" y="372">CTX_TEMP</text>
                <text x="232" y="388">...</text>
                <text x="216" y="404">}</text>
                <text x="248" y="420">Encrypted</text>
                <text x="320" y="420">Payload</text>
                <text x="360" y="420">{</text>
                <text x="232" y="436">...</text>
                <text x="216" y="452">}</text>
                <text x="416" y="484">KUDOS</text>
                <text x="472" y="484">status:</text>
                <text x="428" y="500">CTX_OLD:</text>
                <text x="476" y="500">-,</text>
                <text x="496" y="500">-</text>
                <text x="420" y="516">State:</text>
                <text x="468" y="516">BUSY</text>
                <text x="512" y="516">(0,1)</text>
                <text x="428" y="564">Generate</text>
                <text x="480" y="564">N2,</text>
                <text x="508" y="564">X2</text>
                <text x="424" y="596">CTX_NEW</text>
                <text x="464" y="596">=</text>
                <text x="516" y="596">updateCtx(</text>
                <text x="484" y="612">X2</text>
                <text x="532" y="612">N2),</text>
                <text x="484" y="628">X1</text>
                <text x="528" y="628">N1)</text>
                <text x="504" y="644">CTX_OLD</text>
                <text x="544" y="644">)</text>
                <text x="284" y="676">Response</text>
                <text x="332" y="676">#1</text>
                <text x="424" y="692">Protect</text>
                <text x="476" y="692">with</text>
                <text x="528" y="692">CTX_NEW</text>
                <text x="236" y="708">OSCORE</text>
                <text x="272" y="708">{</text>
                <text x="232" y="724">...</text>
                <text x="416" y="724">KUDOS</text>
                <text x="472" y="724">status:</text>
                <text x="32" y="740">CTX_NEW</text>
                <text x="72" y="740">=</text>
                <text x="124" y="740">updateCtx(</text>
                <text x="248" y="740">Partial</text>
                <text x="296" y="740">IV:</text>
                <text x="320" y="740">0</text>
                <text x="428" y="740">CTX_NEW:</text>
                <text x="480" y="740">X2,</text>
                <text x="508" y="740">N2</text>
                <text x="92" y="756">X1</text>
                <text x="136" y="756">N1,</text>
                <text x="232" y="756">...</text>
                <text x="420" y="756">State:</text>
                <text x="480" y="756">PENDING</text>
                <text x="536" y="756">(1,1)</text>
                <text x="92" y="772">X2</text>
                <text x="132" y="772">N2</text>
                <text x="224" y="772">d</text>
                <text x="256" y="772">flag:</text>
                <text x="288" y="772">1</text>
                <text x="112" y="788">CTX_OLD</text>
                <text x="152" y="788">)</text>
                <text x="228" y="788">x:</text>
                <text x="252" y="788">X2</text>
                <text x="272" y="788">=</text>
                <text x="328" y="788">b'01000111'</text>
                <text x="244" y="804">nonce:</text>
                <text x="284" y="804">N2</text>
                <text x="28" y="820">Verify</text>
                <text x="76" y="820">with</text>
                <text x="128" y="820">CTX_NEW</text>
                <text x="232" y="820">...</text>
                <text x="216" y="836">}</text>
                <text x="8" y="852">/</text>
                <text x="32" y="852">key</text>
                <text x="100" y="852">confirmation</text>
                <text x="160" y="852">/</text>
                <text x="256" y="852">Encrypted</text>
                <text x="328" y="852">Payload</text>
                <text x="368" y="852">{</text>
                <text x="240" y="868">...</text>
                <text x="36" y="884">Pre-IDLE</text>
                <text x="100" y="884">steps:</text>
                <text x="216" y="884">}</text>
                <text x="28" y="900">Delete</text>
                <text x="92" y="900">CTX_TEMP</text>
                <text x="28" y="916">Delete</text>
                <text x="92" y="916">CTX_OLD,</text>
                <text x="144" y="916">X1,</text>
                <text x="172" y="916">N1</text>
                <text x="24" y="948">KUDOS</text>
                <text x="80" y="948">status:</text>
                <text x="36" y="964">CTX_NEW:</text>
                <text x="84" y="964">-,</text>
                <text x="104" y="964">-</text>
                <text x="28" y="980">State:</text>
                <text x="76" y="980">IDLE</text>
                <text x="120" y="980">(0,0)</text>
                <text x="16" y="1028">The</text>
                <text x="60" y="1028">actual</text>
                <text x="104" y="1028">key</text>
                <text x="148" y="1028">update</text>
                <text x="208" y="1028">process</text>
                <text x="260" y="1028">ends</text>
                <text x="304" y="1028">here.</text>
                <text x="16" y="1044">The</text>
                <text x="48" y="1044">two</text>
                <text x="88" y="1044">peers</text>
                <text x="128" y="1044">can</text>
                <text x="160" y="1044">use</text>
                <text x="192" y="1044">the</text>
                <text x="224" y="1044">new</text>
                <text x="276" y="1044">Security</text>
                <text x="344" y="1044">Context</text>
                <text x="412" y="1044">CTX_NEW.</text>
                <text x="20" y="1076">Here</text>
                <text x="56" y="1076">the</text>
                <text x="100" y="1076">client</text>
                <text x="152" y="1076">sends</text>
                <text x="184" y="1076">a</text>
                <text x="232" y="1076">divergent</text>
                <text x="304" y="1076">message</text>
                <text x="36" y="1124">Generate</text>
                <text x="88" y="1124">N3,</text>
                <text x="116" y="1124">X3</text>
                <text x="40" y="1156">CTX_TEMP'</text>
                <text x="88" y="1156">=</text>
                <text x="140" y="1156">updateCtx(</text>
                <text x="76" y="1172">X3</text>
                <text x="96" y="1172">|</text>
                <text x="120" y="1172">N3,</text>
                <text x="80" y="1188">0x,</text>
                <text x="96" y="1204">CTX_NEW</text>
                <text x="136" y="1204">)</text>
                <text x="280" y="1236">Request</text>
                <text x="324" y="1236">#2</text>
                <text x="32" y="1252">Protect</text>
                <text x="84" y="1252">with</text>
                <text x="144" y="1252">CTX_TEMP'</text>
                <text x="468" y="1252">/.well-known/kudos</text>
                <text x="236" y="1268">OSCORE</text>
                <text x="272" y="1268">{</text>
                <text x="24" y="1284">KUDOS</text>
                <text x="80" y="1284">status:</text>
                <text x="232" y="1284">...</text>
                <text x="432" y="1284">CTX_TEMP'</text>
                <text x="480" y="1284">=</text>
                <text x="532" y="1284">updateCtx(</text>
                <text x="36" y="1300">CTX_NEW:</text>
                <text x="88" y="1300">X3,</text>
                <text x="116" y="1300">N3</text>
                <text x="248" y="1300">Partial</text>
                <text x="296" y="1300">IV:</text>
                <text x="320" y="1300">0</text>
                <text x="472" y="1300">0x,</text>
                <text x="28" y="1316">State:</text>
                <text x="76" y="1316">BUSY</text>
                <text x="120" y="1316">(1,0)</text>
                <text x="232" y="1316">...</text>
                <text x="468" y="1316">X3</text>
                <text x="488" y="1316">|</text>
                <text x="512" y="1316">N3,</text>
                <text x="224" y="1332">d</text>
                <text x="256" y="1332">flag:</text>
                <text x="288" y="1332">1</text>
                <text x="488" y="1332">CTX_OLD</text>
                <text x="528" y="1332">)</text>
                <text x="228" y="1348">x:</text>
                <text x="252" y="1348">X3</text>
                <text x="272" y="1348">=</text>
                <text x="328" y="1348">b'00000111'</text>
                <text x="244" y="1364">nonce:</text>
                <text x="284" y="1364">N3</text>
                <text x="420" y="1364">Verify</text>
                <text x="468" y="1364">with</text>
                <text x="528" y="1364">CTX_TEMP'</text>
                <text x="232" y="1380">...</text>
                <text x="400" y="1380">/</text>
                <text x="460" y="1380">verification</text>
                <text x="536" y="1380">fails</text>
                <text x="568" y="1380">/</text>
                <text x="216" y="1396">}</text>
                <text x="248" y="1412">Encrypted</text>
                <text x="320" y="1412">Payload</text>
                <text x="360" y="1412">{</text>
                <text x="232" y="1428">...</text>
                <text x="432" y="1428">CTX_TEMP'</text>
                <text x="480" y="1428">=</text>
                <text x="532" y="1428">updateCtx(</text>
                <text x="216" y="1444">}</text>
                <text x="472" y="1444">0x,</text>
                <text x="468" y="1460">X3</text>
                <text x="488" y="1460">|</text>
                <text x="512" y="1460">N3,</text>
                <text x="488" y="1476">CTX_NEW</text>
                <text x="528" y="1476">)</text>
                <text x="420" y="1508">Verify</text>
                <text x="468" y="1508">with</text>
                <text x="528" y="1508">CTX_TEMP'</text>
                <text x="400" y="1524">/</text>
                <text x="452" y="1524">successful</text>
                <text x="548" y="1524">verification</text>
                <text x="608" y="1524">/</text>
                <text x="428" y="1556">Cleanup:</text>
                <text x="420" y="1572">Delete</text>
                <text x="484" y="1572">CTX_TEMP</text>
                <text x="420" y="1588">Delete</text>
                <text x="484" y="1588">CTX_OLD,</text>
                <text x="532" y="1588">-,</text>
                <text x="552" y="1588">-</text>
                <text x="416" y="1620">KUDOS</text>
                <text x="472" y="1620">status:</text>
                <text x="428" y="1636">CTX_NEW:</text>
                <text x="480" y="1636">X2,</text>
                <text x="508" y="1636">N2</text>
                <text x="420" y="1652">State:</text>
                <text x="468" y="1652">BUSY</text>
                <text x="512" y="1652">(0,1)</text>
                <text x="428" y="1700">CTX_NEW'</text>
                <text x="472" y="1700">=</text>
                <text x="524" y="1700">updateCtx(</text>
                <text x="484" y="1716">X2</text>
                <text x="532" y="1716">N2),</text>
                <text x="484" y="1732">X3</text>
                <text x="528" y="1732">N3)</text>
                <text x="504" y="1748">CTX_NEW</text>
                <text x="544" y="1748">)</text>
                <text x="284" y="1796">Response</text>
                <text x="332" y="1796">#3</text>
                <text x="424" y="1812">Protect</text>
                <text x="476" y="1812">with</text>
                <text x="532" y="1812">CTX_NEW'</text>
                <text x="236" y="1828">OSCORE</text>
                <text x="272" y="1828">{</text>
                <text x="232" y="1844">...</text>
                <text x="416" y="1844">KUDOS</text>
                <text x="472" y="1844">status:</text>
                <text x="36" y="1860">CTX_NEW'</text>
                <text x="80" y="1860">=</text>
                <text x="132" y="1860">updateCtx(</text>
                <text x="248" y="1860">Partial</text>
                <text x="296" y="1860">IV:</text>
                <text x="320" y="1860">0</text>
                <text x="432" y="1860">CTX_NEW':</text>
                <text x="484" y="1860">-,</text>
                <text x="504" y="1860">-</text>
                <text x="92" y="1876">X3</text>
                <text x="136" y="1876">N3,</text>
                <text x="232" y="1876">...</text>
                <text x="420" y="1876">State:</text>
                <text x="480" y="1876">PENDING</text>
                <text x="536" y="1876">(1,1)</text>
                <text x="92" y="1892">X2</text>
                <text x="132" y="1892">N2</text>
                <text x="224" y="1892">d</text>
                <text x="256" y="1892">flag:</text>
                <text x="288" y="1892">1</text>
                <text x="112" y="1908">CTX_NEW</text>
                <text x="152" y="1908">)</text>
                <text x="228" y="1908">x:</text>
                <text x="252" y="1908">X2</text>
                <text x="272" y="1908">=</text>
                <text x="328" y="1908">b'01000111'</text>
                <text x="244" y="1924">nonce:</text>
                <text x="284" y="1924">N2</text>
                <text x="28" y="1940">Verify</text>
                <text x="76" y="1940">with</text>
                <text x="132" y="1940">CTX_NEW'</text>
                <text x="232" y="1940">...</text>
                <text x="216" y="1956">}</text>
                <text x="8" y="1972">/</text>
                <text x="32" y="1972">key</text>
                <text x="100" y="1972">confirmation</text>
                <text x="160" y="1972">/</text>
                <text x="256" y="1972">Encrypted</text>
                <text x="328" y="1972">Payload</text>
                <text x="368" y="1972">{</text>
                <text x="240" y="1988">...</text>
                <text x="36" y="2004">Pre-IDLE</text>
                <text x="100" y="2004">steps:</text>
                <text x="216" y="2004">}</text>
                <text x="28" y="2020">Delete</text>
                <text x="96" y="2020">CTX_TEMP'</text>
                <text x="28" y="2036">Delete</text>
                <text x="92" y="2036">CTX_NEW,</text>
                <text x="144" y="2036">X3,</text>
                <text x="172" y="2036">N3</text>
                <text x="24" y="2068">KUDOS</text>
                <text x="80" y="2068">status:</text>
                <text x="40" y="2084">CTX_NEW':</text>
                <text x="92" y="2084">-,</text>
                <text x="112" y="2084">-</text>
                <text x="28" y="2100">State:</text>
                <text x="76" y="2100">IDLE</text>
                <text x="120" y="2100">(0,0)</text>
                <text x="16" y="2148">The</text>
                <text x="60" y="2148">actual</text>
                <text x="104" y="2148">key</text>
                <text x="148" y="2148">update</text>
                <text x="208" y="2148">process</text>
                <text x="260" y="2148">ends</text>
                <text x="304" y="2148">here.</text>
                <text x="16" y="2164">The</text>
                <text x="48" y="2164">two</text>
                <text x="88" y="2164">peers</text>
                <text x="128" y="2164">can</text>
                <text x="160" y="2164">use</text>
                <text x="192" y="2164">the</text>
                <text x="224" y="2164">new</text>
                <text x="276" y="2164">Security</text>
                <text x="344" y="2164">Context</text>
                <text x="412" y="2164">CTX_NEW.</text>
                <text x="280" y="2212">Request</text>
                <text x="324" y="2212">#3</text>
                <text x="32" y="2228">Protect</text>
                <text x="84" y="2228">with</text>
                <text x="140" y="2228">CTX_NEW'</text>
                <text x="416" y="2228">/temp</text>
                <text x="236" y="2244">OSCORE</text>
                <text x="272" y="2244">{</text>
                <text x="232" y="2260">...</text>
                <text x="216" y="2276">}</text>
                <text x="420" y="2276">Verify</text>
                <text x="468" y="2276">with</text>
                <text x="524" y="2276">CTX_NEW'</text>
                <text x="248" y="2292">Encrypted</text>
                <text x="320" y="2292">Payload</text>
                <text x="360" y="2292">{</text>
                <text x="264" y="2308">Application</text>
                <text x="344" y="2308">Payload</text>
                <text x="400" y="2308">/</text>
                <text x="424" y="2308">key</text>
                <text x="492" y="2308">confirmation</text>
                <text x="552" y="2308">/</text>
                <text x="232" y="2324">...</text>
                <text x="216" y="2340">}</text>
                <text x="428" y="2340">Pre-IDLE</text>
                <text x="492" y="2340">steps:</text>
                <text x="420" y="2356">Delete</text>
                <text x="488" y="2356">CTX_TEMP'</text>
                <text x="420" y="2372">Delete</text>
                <text x="484" y="2372">CTX_NEW,</text>
                <text x="536" y="2372">X2,</text>
                <text x="564" y="2372">N2</text>
                <text x="416" y="2420">KUDOS</text>
                <text x="472" y="2420">status:</text>
                <text x="432" y="2436">CTX_NEW':</text>
                <text x="484" y="2436">-,</text>
                <text x="504" y="2436">-</text>
                <text x="420" y="2452">State:</text>
                <text x="468" y="2452">IDLE</text>
                <text x="512" y="2452">(0,0)</text>
                <text x="284" y="2468">Response</text>
                <text x="332" y="2468">#3</text>
                <text x="424" y="2484">Protect</text>
                <text x="476" y="2484">with</text>
                <text x="532" y="2484">CTX_NEW'</text>
                <text x="28" y="2500">Verify</text>
                <text x="76" y="2500">with</text>
                <text x="132" y="2500">CTX_NEW'</text>
                <text x="236" y="2500">OSCORE</text>
                <text x="272" y="2500">{</text>
                <text x="232" y="2516">...</text>
                <text x="216" y="2532">}</text>
                <text x="248" y="2548">Encrypted</text>
                <text x="320" y="2548">Payload</text>
                <text x="360" y="2548">{</text>
                <text x="232" y="2564">...</text>
                <text x="264" y="2580">Application</text>
                <text x="344" y="2580">Payload</text>
                <text x="216" y="2596">}</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
KUDOS status:                                         KUDOS status:
- CTX_OLD: -,-                                        - CTX_OLD: -,-
- State: IDLE (0,0)                                   - State: IDLE (0,0)
                     Client                  Server
                   (initiator)            (responder)
                        |                      |
Generate N1, X1         |                      |
                        |                      |
CTX_TEMP = updateCtx(   |                      |
        X1 | N1,        |                      |
        0x,             |                      |
        CTX_OLD )       |                      |
                        |                      |
                        |      Request #1      |
Protect with CTX_TEMP   +--------------------->| /.well-known/kudos
                        | OSCORE {             |
KUDOS status:           |  ...                 | CTX_TEMP = updateCtx(
CTX_OLD: X1, N1         |  Partial IV: 0       |         0x,
State: BUSY (1,0)       |  ...                 |         X1 | N1,
                        |  d flag: 1           |         CTX_OLD )
                        |  x: X1 = b'00000111' |
                        |  nonce: N1           | Verify with CTX_TEMP
                        |  ...                 |
                        | }                    |
                        | Encrypted Payload {  |
                        |  ...                 |
                        | }                    |
                        |                      |
                        |                      | KUDOS status:
                        |                      | CTX_OLD: -, -
                        |                      | State: BUSY (0,1)
                        |                      |
                        |                      |
                        |                      | Generate N2, X2
                        |                      |
                        |                      | CTX_NEW = updateCtx(
                        |                      |           X2 | N2),
                        |                      |           X1 | N1),
                        |                      |           CTX_OLD )
                        |                      |
                        |      Response #1     |
                        |<---------------------+ Protect with CTX_NEW
                        | OSCORE {             |
                        |  ...                 | KUDOS status:
CTX_NEW = updateCtx(    |  Partial IV: 0       | CTX_NEW: X2, N2
          X1 | N1,      |  ...                 | State: PENDING (1,1)
          X2 | N2 ,     |  d flag: 1           |
          CTX_OLD )     |  x: X2 = b'01000111' |
                        |  nonce: N2           |
Verify with CTX_NEW     |  ...                 |
                        | }                    |
/ key confirmation /    |  Encrypted Payload { |
                        |   ...                |
Pre-IDLE steps:         | }                    |
Delete CTX_TEMP         |                      |
Delete CTX_OLD, X1, N1  |                      |
                        |                      |
KUDOS status:           |                      |
CTX_NEW: -, -           |                      |
State: IDLE (0,0)       |                      |
                        |                      |

The actual key update process ends here.
The two peers can use the new Security Context CTX_NEW.

Here the client sends a divergent message

                        |                      |
Generate N3, X3         |                      |
                        |                      |
CTX_TEMP' = updateCtx(  |                      |
        X3 | N3,        |                      |
        0x,             |                      |
        CTX_NEW )       |                      |
                        |                      |
                        |      Request #2      |
Protect with CTX_TEMP'  +--------------------->| /.well-known/kudos
                        | OSCORE {             |
KUDOS status:           |  ...                 | CTX_TEMP' = updateCtx(
CTX_NEW: X3, N3         |  Partial IV: 0       |         0x,
State: BUSY (1,0)       |  ...                 |         X3 | N3,
                        |  d flag: 1           |         CTX_OLD )
                        |  x: X3 = b'00000111' |
                        |  nonce: N3           | Verify with CTX_TEMP'
                        |  ...                 | / verification fails /
                        | }                    |
                        | Encrypted Payload {  |
                        |  ...                 | CTX_TEMP' = updateCtx(
                        | }                    |         0x,
                        |                      |         X3 | N3,
                        |                      |         CTX_NEW )
                        |                      |
                        |                      | Verify with CTX_TEMP'
                        |                      | / successful verification /
                        |                      |
                        |                      | Cleanup:
                        |                      | Delete CTX_TEMP
                        |                      | Delete CTX_OLD, -, -
                        |                      |
                        |                      | KUDOS status:
                        |                      | CTX_NEW: X2, N2
                        |                      | State: BUSY (0,1)
                        |                      |
                        |                      |
                        |                      | CTX_NEW' = updateCtx(
                        |                      |           X2 | N2),
                        |                      |           X3 | N3),
                        |                      |           CTX_NEW )
                        |                      |
                        |                      |
                        |      Response #3     |
                        |<---------------------+ Protect with CTX_NEW'
                        | OSCORE {             |
                        |  ...                 | KUDOS status:
CTX_NEW' = updateCtx(   |  Partial IV: 0       | CTX_NEW': -, -
          X3 | N3,      |  ...                 | State: PENDING (1,1)
          X2 | N2 ,     |  d flag: 1           |
          CTX_NEW )     |  x: X2 = b'01000111' |
                        |  nonce: N2           |
Verify with CTX_NEW'    |  ...                 |
                        | }                    |
/ key confirmation /    |  Encrypted Payload { |
                        |   ...                |
Pre-IDLE steps:         | }                    |
Delete CTX_TEMP'        |                      |
Delete CTX_NEW, X3, N3  |                      |
                        |                      |
KUDOS status:           |                      |
CTX_NEW': -, -          |                      |
State: IDLE (0,0)       |                      |
                        |                      |

The actual key update process ends here.
The two peers can use the new Security Context CTX_NEW.

                        |                      |
                        |      Request #3      |
Protect with CTX_NEW'   +--------------------->| /temp
                        | OSCORE {             |
                        |  ...                 |
                        | }                    | Verify with CTX_NEW'
                        | Encrypted Payload {  |
                        |  Application Payload | / key confirmation /
                        |  ...                 |
                        | }                    | Pre-IDLE steps:
                        |                      | Delete CTX_TEMP'
                        |                      | Delete CTX_NEW, X2, N2
                        |                      |
                        |                      |
                        |                      | KUDOS status:
                        |                      | CTX_NEW': -, -
                        |                      | State: IDLE (0,0)
                        |      Response #3     |
                        |<---------------------+ Protect with CTX_NEW'
Verify with CTX_NEW'    | OSCORE {             |
                        |  ...                 |
                        | }                    |
                        | Encrypted Payload {  |
                        |  ...                 |
                        |  Application Payload |
                        | }                    |
                        |                      |
]]></artwork>
        </artset>
      </section>
      <section anchor="successful-kudos-execution-initiated-with-a-request-message-where-kudos-response-1-is-lost">
        <name>Successful KUDOS Execution Initiated with a Request Message, where KUDOS Response #1 is Lost</name>
        <t>The server's first response is dropped by the network, thus the client retries and both sides end up deriving the same CTX_NEW.</t>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="2240" width="616" viewBox="0 0 616 2240" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 112,1472 L 112,1488" fill="none" stroke="black"/>
              <path d="M 152,1488 L 152,1496" fill="none" stroke="black"/>
              <path d="M 200,112 L 200,896" fill="none" stroke="black"/>
              <path d="M 200,960 L 200,1712" fill="none" stroke="black"/>
              <path d="M 200,1792 L 200,2224" fill="none" stroke="black"/>
              <path d="M 384,112 L 384,896" fill="none" stroke="black"/>
              <path d="M 384,960 L 384,1712" fill="none" stroke="black"/>
              <path d="M 384,1792 L 384,2224" fill="none" stroke="black"/>
              <path d="M 504,608 L 504,624" fill="none" stroke="black"/>
              <path d="M 504,1328 L 504,1344" fill="none" stroke="black"/>
              <path d="M 544,624 L 544,632" fill="none" stroke="black"/>
              <path d="M 544,1344 L 544,1352" fill="none" stroke="black"/>
              <path d="M 200,256 L 376,256" fill="none" stroke="black"/>
              <path d="M 256,688 L 272,688" fill="none" stroke="black"/>
              <path d="M 328,688 L 384,688" fill="none" stroke="black"/>
              <path d="M 200,992 L 376,992" fill="none" stroke="black"/>
              <path d="M 208,1408 L 384,1408" fill="none" stroke="black"/>
              <path d="M 200,1824 L 376,1824" fill="none" stroke="black"/>
              <path d="M 208,2096 L 384,2096" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="384,1824 372,1818.4 372,1829.6" fill="black" transform="rotate(0,376,1824)"/>
              <polygon class="arrowhead" points="384,992 372,986.4 372,997.6" fill="black" transform="rotate(0,376,992)"/>
              <polygon class="arrowhead" points="384,256 372,250.4 372,261.6" fill="black" transform="rotate(0,376,256)"/>
              <polygon class="arrowhead" points="264,688 252,682.4 252,693.6" fill="black" transform="rotate(180,256,688)"/>
              <polygon class="arrowhead" points="216,2096 204,2090.4 204,2101.6" fill="black" transform="rotate(180,208,2096)"/>
              <polygon class="arrowhead" points="216,1408 204,1402.4 204,1413.6" fill="black" transform="rotate(180,208,1408)"/>
              <g class="text">
                <text x="24" y="36">KUDOS</text>
                <text x="80" y="36">status:</text>
                <text x="456" y="36">KUDOS</text>
                <text x="512" y="36">status:</text>
                <text x="8" y="52">-</text>
                <text x="52" y="52">CTX_OLD:</text>
                <text x="104" y="52">-,-</text>
                <text x="440" y="52">-</text>
                <text x="484" y="52">CTX_OLD:</text>
                <text x="536" y="52">-,-</text>
                <text x="8" y="68">-</text>
                <text x="44" y="68">State:</text>
                <text x="92" y="68">IDLE</text>
                <text x="136" y="68">(0,0)</text>
                <text x="440" y="68">-</text>
                <text x="476" y="68">State:</text>
                <text x="524" y="68">IDLE</text>
                <text x="568" y="68">(0,0)</text>
                <text x="196" y="84">Client</text>
                <text x="388" y="84">Server</text>
                <text x="200" y="100">(initiator)</text>
                <text x="384" y="100">(responder)</text>
                <text x="36" y="132">Generate</text>
                <text x="88" y="132">N1,</text>
                <text x="116" y="132">X1</text>
                <text x="36" y="164">CTX_TEMP</text>
                <text x="80" y="164">=</text>
                <text x="132" y="164">updateCtx(</text>
                <text x="76" y="180">X1</text>
                <text x="96" y="180">|</text>
                <text x="120" y="180">N1,</text>
                <text x="80" y="196">0x,</text>
                <text x="96" y="212">CTX_OLD</text>
                <text x="136" y="212">)</text>
                <text x="280" y="244">Request</text>
                <text x="324" y="244">#1</text>
                <text x="32" y="260">Protect</text>
                <text x="84" y="260">with</text>
                <text x="140" y="260">CTX_TEMP</text>
                <text x="468" y="260">/.well-known/kudos</text>
                <text x="236" y="276">OSCORE</text>
                <text x="272" y="276">{</text>
                <text x="24" y="292">KUDOS</text>
                <text x="80" y="292">status:</text>
                <text x="232" y="292">...</text>
                <text x="428" y="292">CTX_TEMP</text>
                <text x="472" y="292">=</text>
                <text x="524" y="292">updateCtx(</text>
                <text x="36" y="308">CTX_OLD:</text>
                <text x="88" y="308">X1,</text>
                <text x="116" y="308">N1</text>
                <text x="248" y="308">Partial</text>
                <text x="296" y="308">IV:</text>
                <text x="320" y="308">0</text>
                <text x="472" y="308">0x,</text>
                <text x="28" y="324">State:</text>
                <text x="76" y="324">BUSY</text>
                <text x="120" y="324">(1,0)</text>
                <text x="232" y="324">...</text>
                <text x="468" y="324">X1</text>
                <text x="488" y="324">|</text>
                <text x="512" y="324">N1,</text>
                <text x="224" y="340">d</text>
                <text x="256" y="340">flag:</text>
                <text x="288" y="340">1</text>
                <text x="488" y="340">CTX_OLD</text>
                <text x="528" y="340">)</text>
                <text x="228" y="356">x:</text>
                <text x="252" y="356">X1</text>
                <text x="272" y="356">=</text>
                <text x="328" y="356">b'00000111'</text>
                <text x="244" y="372">nonce:</text>
                <text x="284" y="372">N1</text>
                <text x="420" y="372">Verify</text>
                <text x="468" y="372">with</text>
                <text x="524" y="372">CTX_TEMP</text>
                <text x="232" y="388">...</text>
                <text x="216" y="404">}</text>
                <text x="248" y="420">Encrypted</text>
                <text x="320" y="420">Payload</text>
                <text x="360" y="420">{</text>
                <text x="232" y="436">...</text>
                <text x="216" y="452">}</text>
                <text x="416" y="484">KUDOS</text>
                <text x="472" y="484">status:</text>
                <text x="428" y="500">CTX_OLD:</text>
                <text x="476" y="500">-,</text>
                <text x="496" y="500">-</text>
                <text x="420" y="516">State:</text>
                <text x="468" y="516">BUSY</text>
                <text x="512" y="516">(0,1)</text>
                <text x="428" y="564">Generate</text>
                <text x="480" y="564">X2,</text>
                <text x="508" y="564">N2</text>
                <text x="424" y="596">CTX_NEW</text>
                <text x="464" y="596">=</text>
                <text x="516" y="596">updateCtx(</text>
                <text x="484" y="612">X2</text>
                <text x="532" y="612">N2),</text>
                <text x="484" y="628">X1</text>
                <text x="528" y="628">N1)</text>
                <text x="504" y="644">CTX_OLD</text>
                <text x="544" y="644">)</text>
                <text x="284" y="676">Response</text>
                <text x="332" y="676">#1</text>
                <text x="300" y="692">LOST</text>
                <text x="424" y="692">Protect</text>
                <text x="476" y="692">with</text>
                <text x="528" y="692">CTX_NEW</text>
                <text x="236" y="708">OSCORE</text>
                <text x="272" y="708">{</text>
                <text x="232" y="724">...</text>
                <text x="416" y="724">KUDOS</text>
                <text x="472" y="724">status:</text>
                <text x="248" y="740">Partial</text>
                <text x="296" y="740">IV:</text>
                <text x="320" y="740">0</text>
                <text x="428" y="740">CTX_OLD:</text>
                <text x="480" y="740">X2,</text>
                <text x="508" y="740">N2</text>
                <text x="232" y="756">...</text>
                <text x="420" y="756">State:</text>
                <text x="480" y="756">PENDING</text>
                <text x="536" y="756">(1,1)</text>
                <text x="224" y="772">d</text>
                <text x="256" y="772">flag:</text>
                <text x="288" y="772">1</text>
                <text x="228" y="788">x:</text>
                <text x="252" y="788">X2</text>
                <text x="272" y="788">=</text>
                <text x="328" y="788">b'01000111'</text>
                <text x="244" y="804">nonce:</text>
                <text x="284" y="804">N2</text>
                <text x="232" y="820">...</text>
                <text x="216" y="836">}</text>
                <text x="256" y="852">Encrypted</text>
                <text x="328" y="852">Payload</text>
                <text x="368" y="852">{</text>
                <text x="240" y="868">...</text>
                <text x="216" y="884">}</text>
                <text x="212" y="932">time</text>
                <text x="260" y="932">passes</text>
                <text x="304" y="932">...</text>
                <text x="280" y="980">Request</text>
                <text x="324" y="980">#2</text>
                <text x="32" y="996">Protect</text>
                <text x="84" y="996">with</text>
                <text x="140" y="996">CTX_TEMP</text>
                <text x="468" y="996">/.well-known/kudos</text>
                <text x="236" y="1012">OSCORE</text>
                <text x="272" y="1012">{</text>
                <text x="24" y="1028">KUDOS</text>
                <text x="80" y="1028">status:</text>
                <text x="232" y="1028">...</text>
                <text x="428" y="1028">CTX_TEMP</text>
                <text x="472" y="1028">=</text>
                <text x="524" y="1028">updateCtx(</text>
                <text x="36" y="1044">CTX_OLD:</text>
                <text x="88" y="1044">X1,</text>
                <text x="116" y="1044">N1</text>
                <text x="248" y="1044">Partial</text>
                <text x="296" y="1044">IV:</text>
                <text x="320" y="1044">1</text>
                <text x="472" y="1044">0x,</text>
                <text x="28" y="1060">State:</text>
                <text x="76" y="1060">BUSY</text>
                <text x="120" y="1060">(1,0)</text>
                <text x="232" y="1060">...</text>
                <text x="468" y="1060">X1</text>
                <text x="488" y="1060">|</text>
                <text x="512" y="1060">N1,</text>
                <text x="224" y="1076">d</text>
                <text x="256" y="1076">flag:</text>
                <text x="288" y="1076">1</text>
                <text x="488" y="1076">CTX_OLD</text>
                <text x="528" y="1076">)</text>
                <text x="228" y="1092">x:</text>
                <text x="252" y="1092">X1</text>
                <text x="272" y="1092">=</text>
                <text x="328" y="1092">b'00000111'</text>
                <text x="244" y="1108">nonce:</text>
                <text x="284" y="1108">N1</text>
                <text x="420" y="1108">Verify</text>
                <text x="468" y="1108">with</text>
                <text x="524" y="1108">CTX_TEMP</text>
                <text x="232" y="1124">...</text>
                <text x="400" y="1124">/</text>
                <text x="452" y="1124">successful</text>
                <text x="548" y="1124">verification</text>
                <text x="608" y="1124">/</text>
                <text x="216" y="1140">}</text>
                <text x="248" y="1156">Encrypted</text>
                <text x="320" y="1156">Payload</text>
                <text x="360" y="1156">{</text>
                <text x="428" y="1156">Cleanup:</text>
                <text x="232" y="1172">...</text>
                <text x="420" y="1172">Delete</text>
                <text x="480" y="1172">CTX_NEW</text>
                <text x="216" y="1188">}</text>
                <text x="420" y="1188">Delete</text>
                <text x="464" y="1188">X2,</text>
                <text x="492" y="1188">N2</text>
                <text x="416" y="1220">KUDOS</text>
                <text x="472" y="1220">status:</text>
                <text x="428" y="1236">CTX_OLD:</text>
                <text x="480" y="1236">-,-</text>
                <text x="420" y="1252">State:</text>
                <text x="468" y="1252">BUSY</text>
                <text x="512" y="1252">(0,1)</text>
                <text x="428" y="1284">Generate</text>
                <text x="480" y="1284">X3,</text>
                <text x="508" y="1284">N3</text>
                <text x="424" y="1316">CTX_NEW</text>
                <text x="464" y="1316">=</text>
                <text x="516" y="1316">updateCtx(</text>
                <text x="484" y="1332">X3</text>
                <text x="532" y="1332">N3),</text>
                <text x="484" y="1348">X1</text>
                <text x="528" y="1348">N1)</text>
                <text x="504" y="1364">CTX_OLD</text>
                <text x="544" y="1364">)</text>
                <text x="284" y="1396">Response</text>
                <text x="332" y="1396">#2</text>
                <text x="424" y="1412">Protect</text>
                <text x="476" y="1412">with</text>
                <text x="528" y="1412">CTX_NEW</text>
                <text x="236" y="1428">OSCORE</text>
                <text x="272" y="1428">{</text>
                <text x="232" y="1444">...</text>
                <text x="416" y="1444">KUDOS</text>
                <text x="472" y="1444">status:</text>
                <text x="32" y="1460">CTX_NEW</text>
                <text x="72" y="1460">=</text>
                <text x="124" y="1460">updateCtx(</text>
                <text x="248" y="1460">Partial</text>
                <text x="296" y="1460">IV:</text>
                <text x="320" y="1460">0</text>
                <text x="428" y="1460">CTX_OLD:</text>
                <text x="480" y="1460">X3,</text>
                <text x="508" y="1460">N3</text>
                <text x="92" y="1476">X1</text>
                <text x="136" y="1476">N1,</text>
                <text x="232" y="1476">...</text>
                <text x="420" y="1476">State:</text>
                <text x="480" y="1476">PENDING</text>
                <text x="536" y="1476">(1,1)</text>
                <text x="92" y="1492">X3</text>
                <text x="132" y="1492">N3</text>
                <text x="224" y="1492">d</text>
                <text x="256" y="1492">flag:</text>
                <text x="288" y="1492">1</text>
                <text x="112" y="1508">CTX_OLD</text>
                <text x="152" y="1508">)</text>
                <text x="228" y="1508">x:</text>
                <text x="252" y="1508">X3</text>
                <text x="272" y="1508">=</text>
                <text x="328" y="1508">b'01000111'</text>
                <text x="244" y="1524">nonce:</text>
                <text x="284" y="1524">N3</text>
                <text x="28" y="1540">Verify</text>
                <text x="76" y="1540">with</text>
                <text x="128" y="1540">CTX_NEW</text>
                <text x="232" y="1540">...</text>
                <text x="216" y="1556">}</text>
                <text x="8" y="1572">/</text>
                <text x="32" y="1572">key</text>
                <text x="100" y="1572">confirmation</text>
                <text x="160" y="1572">/</text>
                <text x="256" y="1572">Encrypted</text>
                <text x="328" y="1572">Payload</text>
                <text x="368" y="1572">{</text>
                <text x="240" y="1588">...</text>
                <text x="36" y="1604">Pre-IDLE</text>
                <text x="100" y="1604">steps:</text>
                <text x="216" y="1604">}</text>
                <text x="28" y="1620">Delete</text>
                <text x="92" y="1620">CTX_TEMP</text>
                <text x="28" y="1636">Delete</text>
                <text x="92" y="1636">CTX_OLD,</text>
                <text x="144" y="1636">X1,</text>
                <text x="172" y="1636">N1</text>
                <text x="24" y="1668">KUDOS</text>
                <text x="80" y="1668">status:</text>
                <text x="36" y="1684">CTX_NEW:</text>
                <text x="84" y="1684">-,</text>
                <text x="104" y="1684">-</text>
                <text x="28" y="1700">State:</text>
                <text x="76" y="1700">IDLE</text>
                <text x="120" y="1700">(0,0)</text>
                <text x="16" y="1748">The</text>
                <text x="60" y="1748">actual</text>
                <text x="104" y="1748">key</text>
                <text x="148" y="1748">update</text>
                <text x="208" y="1748">process</text>
                <text x="260" y="1748">ends</text>
                <text x="304" y="1748">here.</text>
                <text x="16" y="1764">The</text>
                <text x="48" y="1764">two</text>
                <text x="88" y="1764">peers</text>
                <text x="128" y="1764">can</text>
                <text x="160" y="1764">use</text>
                <text x="192" y="1764">the</text>
                <text x="224" y="1764">new</text>
                <text x="276" y="1764">Security</text>
                <text x="344" y="1764">Context</text>
                <text x="412" y="1764">CTX_NEW.</text>
                <text x="280" y="1812">Request</text>
                <text x="324" y="1812">#3</text>
                <text x="32" y="1828">Protect</text>
                <text x="84" y="1828">with</text>
                <text x="136" y="1828">CTX_NEW</text>
                <text x="416" y="1828">/temp</text>
                <text x="236" y="1844">OSCORE</text>
                <text x="272" y="1844">{</text>
                <text x="232" y="1860">...</text>
                <text x="216" y="1876">}</text>
                <text x="420" y="1876">Verify</text>
                <text x="468" y="1876">with</text>
                <text x="520" y="1876">CTX_NEW</text>
                <text x="248" y="1892">Encrypted</text>
                <text x="320" y="1892">Payload</text>
                <text x="360" y="1892">{</text>
                <text x="264" y="1908">Application</text>
                <text x="344" y="1908">Payload</text>
                <text x="400" y="1908">/</text>
                <text x="424" y="1908">key</text>
                <text x="492" y="1908">confirmation</text>
                <text x="552" y="1908">/</text>
                <text x="232" y="1924">...</text>
                <text x="216" y="1940">}</text>
                <text x="428" y="1940">Pre-IDLE</text>
                <text x="492" y="1940">steps:</text>
                <text x="420" y="1956">Delete</text>
                <text x="484" y="1956">CTX_TEMP</text>
                <text x="420" y="1972">Delete</text>
                <text x="480" y="1972">CTX_OLD</text>
                <text x="436" y="1988">Delete</text>
                <text x="480" y="1988">X3,</text>
                <text x="508" y="1988">N3</text>
                <text x="416" y="2036">KUDOS</text>
                <text x="472" y="2036">status:</text>
                <text x="428" y="2052">CTX_NEW:</text>
                <text x="476" y="2052">-,</text>
                <text x="496" y="2052">-</text>
                <text x="420" y="2068">State:</text>
                <text x="468" y="2068">IDLE</text>
                <text x="512" y="2068">(0,0)</text>
                <text x="284" y="2084">Response</text>
                <text x="332" y="2084">#3</text>
                <text x="424" y="2100">Protect</text>
                <text x="476" y="2100">with</text>
                <text x="528" y="2100">CTX_NEW</text>
                <text x="28" y="2116">Verify</text>
                <text x="76" y="2116">with</text>
                <text x="128" y="2116">CTX_NEW</text>
                <text x="236" y="2116">OSCORE</text>
                <text x="272" y="2116">{</text>
                <text x="232" y="2132">...</text>
                <text x="216" y="2148">}</text>
                <text x="248" y="2164">Encrypted</text>
                <text x="320" y="2164">Payload</text>
                <text x="360" y="2164">{</text>
                <text x="232" y="2180">...</text>
                <text x="264" y="2196">Application</text>
                <text x="344" y="2196">Payload</text>
                <text x="216" y="2212">}</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
KUDOS status:                                         KUDOS status:
- CTX_OLD: -,-                                        - CTX_OLD: -,-
- State: IDLE (0,0)                                   - State: IDLE (0,0)
                     Client                  Server
                   (initiator)            (responder)
                        |                      |
Generate N1, X1         |                      |
                        |                      |
CTX_TEMP = updateCtx(   |                      |
        X1 | N1,        |                      |
        0x,             |                      |
        CTX_OLD )       |                      |
                        |                      |
                        |      Request #1      |
Protect with CTX_TEMP   +--------------------->| /.well-known/kudos
                        | OSCORE {             |
KUDOS status:           |  ...                 | CTX_TEMP = updateCtx(
CTX_OLD: X1, N1         |  Partial IV: 0       |         0x,
State: BUSY (1,0)       |  ...                 |         X1 | N1,
                        |  d flag: 1           |         CTX_OLD )
                        |  x: X1 = b'00000111' |
                        |  nonce: N1           | Verify with CTX_TEMP
                        |  ...                 |
                        | }                    |
                        | Encrypted Payload {  |
                        |  ...                 |
                        | }                    |
                        |                      |
                        |                      | KUDOS status:
                        |                      | CTX_OLD: -, -
                        |                      | State: BUSY (0,1)
                        |                      |
                        |                      |
                        |                      | Generate X2, N2
                        |                      |
                        |                      | CTX_NEW = updateCtx(
                        |                      |           X2 | N2),
                        |                      |           X1 | N1),
                        |                      |           CTX_OLD )
                        |                      |
                        |      Response #1     |
                        |      <-- LOST -------+ Protect with CTX_NEW
                        | OSCORE {             |
                        |  ...                 | KUDOS status:
                        |  Partial IV: 0       | CTX_OLD: X2, N2
                        |  ...                 | State: PENDING (1,1)
                        |  d flag: 1           |
                        |  x: X2 = b'01000111' |
                        |  nonce: N2           |
                        |  ...                 |
                        | }                    |
                        |  Encrypted Payload { |
                        |   ...                |
                        | }                    |
                        |                      |

                        time passes ...

                        |                      |
                        |      Request #2      |
Protect with CTX_TEMP   +--------------------->| /.well-known/kudos
                        | OSCORE {             |
KUDOS status:           |  ...                 | CTX_TEMP = updateCtx(
CTX_OLD: X1, N1         |  Partial IV: 1       |         0x,
State: BUSY (1,0)       |  ...                 |         X1 | N1,
                        |  d flag: 1           |         CTX_OLD )
                        |  x: X1 = b'00000111' |
                        |  nonce: N1           | Verify with CTX_TEMP
                        |  ...                 | / successful verification /
                        | }                    |
                        | Encrypted Payload {  | Cleanup:
                        |  ...                 | Delete CTX_NEW
                        | }                    | Delete X2, N2
                        |                      |
                        |                      | KUDOS status:
                        |                      | CTX_OLD: -,-
                        |                      | State: BUSY (0,1)
                        |                      |
                        |                      | Generate X3, N3
                        |                      |
                        |                      | CTX_NEW = updateCtx(
                        |                      |           X3 | N3),
                        |                      |           X1 | N1),
                        |                      |           CTX_OLD )
                        |                      |
                        |      Response #2     |
                        |<---------------------+ Protect with CTX_NEW
                        | OSCORE {             |
                        |  ...                 | KUDOS status:
CTX_NEW = updateCtx(    |  Partial IV: 0       | CTX_OLD: X3, N3
          X1 | N1,      |  ...                 | State: PENDING (1,1)
          X3 | N3 ,     |  d flag: 1           |
          CTX_OLD )     |  x: X3 = b'01000111' |
                        |  nonce: N3           |
Verify with CTX_NEW     |  ...                 |
                        | }                    |
/ key confirmation /    |  Encrypted Payload { |
                        |   ...                |
Pre-IDLE steps:         | }                    |
Delete CTX_TEMP         |                      |
Delete CTX_OLD, X1, N1  |                      |
                        |                      |
KUDOS status:           |                      |
CTX_NEW: -, -           |                      |
State: IDLE (0,0)       |                      |
                        |                      |

The actual key update process ends here.
The two peers can use the new Security Context CTX_NEW.

                        |                      |
                        |      Request #3      |
Protect with CTX_NEW    +--------------------->| /temp
                        | OSCORE {             |
                        |  ...                 |
                        | }                    | Verify with CTX_NEW
                        | Encrypted Payload {  |
                        |  Application Payload | / key confirmation /
                        |  ...                 |
                        | }                    | Pre-IDLE steps:
                        |                      | Delete CTX_TEMP
                        |                      | Delete CTX_OLD
                        |                      |   Delete X3, N3
                        |                      |
                        |                      |
                        |                      | KUDOS status:
                        |                      | CTX_NEW: -, -
                        |                      | State: IDLE (0,0)
                        |      Response #3     |
                        |<---------------------+ Protect with CTX_NEW
Verify with CTX_NEW     | OSCORE {             |
                        |  ...                 |
                        | }                    |
                        | Encrypted Payload {  |
                        |  ...                 |
                        |  Application Payload |
                        | }                    |
                        |                      |
]]></artwork>
        </artset>
      </section>
      <section anchor="successful-kudos-execution-completed-using-two-request-messages">
        <name>Successful KUDOS Execution Completed using two Request Messages</name>
        <t>Both peers independently initiate KUDOS and exchange two request messages that ultimately result in the same CTX_NEW.</t>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="2816" width="592" viewBox="0 0 592 2816" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 32,1864 L 32,1888" fill="none" stroke="black"/>
              <path d="M 200,128 L 200,2800" fill="none" stroke="black"/>
              <path d="M 384,128 L 384,2800" fill="none" stroke="black"/>
              <path d="M 512,1216 L 512,1232" fill="none" stroke="black"/>
              <path d="M 552,1232 L 552,1240" fill="none" stroke="black"/>
              <path d="M 200,272 L 304,272" fill="none" stroke="black"/>
              <path d="M 256,672 L 384,672" fill="none" stroke="black"/>
              <path d="M 344,976 L 376,976" fill="none" stroke="black"/>
              <path d="M 256,1296 L 384,1296" fill="none" stroke="black"/>
              <path d="M 208,1600 L 232,1600" fill="none" stroke="black"/>
              <path d="M 200,1936 L 328,1936" fill="none" stroke="black"/>
              <path d="M 208,2176 L 336,2176" fill="none" stroke="black"/>
              <path d="M 240,2544 L 376,2544" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="384,2544 372,2538.4 372,2549.6" fill="black" transform="rotate(0,376,2544)"/>
              <polygon class="arrowhead" points="384,976 372,970.4 372,981.6" fill="black" transform="rotate(0,376,976)"/>
              <polygon class="arrowhead" points="336,1936 324,1930.4 324,1941.6" fill="black" transform="rotate(0,328,1936)"/>
              <polygon class="arrowhead" points="312,272 300,266.4 300,277.6" fill="black" transform="rotate(0,304,272)"/>
              <polygon class="arrowhead" points="264,1296 252,1290.4 252,1301.6" fill="black" transform="rotate(180,256,1296)"/>
              <polygon class="arrowhead" points="264,672 252,666.4 252,677.6" fill="black" transform="rotate(180,256,672)"/>
              <polygon class="arrowhead" points="216,2176 204,2170.4 204,2181.6" fill="black" transform="rotate(180,208,2176)"/>
              <polygon class="arrowhead" points="216,1600 204,1594.4 204,1605.6" fill="black" transform="rotate(180,208,1600)"/>
              <g class="text">
                <text x="24" y="36">KUDOS</text>
                <text x="80" y="36">status:</text>
                <text x="456" y="36">KUDOS</text>
                <text x="512" y="36">status:</text>
                <text x="8" y="52">-</text>
                <text x="52" y="52">CTX_OLD:</text>
                <text x="104" y="52">-,-</text>
                <text x="440" y="52">-</text>
                <text x="484" y="52">CTX_OLD:</text>
                <text x="536" y="52">-,-</text>
                <text x="8" y="68">-</text>
                <text x="44" y="68">State:</text>
                <text x="92" y="68">IDLE</text>
                <text x="136" y="68">(0,0)</text>
                <text x="440" y="68">-</text>
                <text x="476" y="68">State:</text>
                <text x="524" y="68">IDLE</text>
                <text x="568" y="68">(0,0)</text>
                <text x="196" y="100">Client</text>
                <text x="388" y="100">Server</text>
                <text x="200" y="116">(initiator)</text>
                <text x="384" y="116">(responder)</text>
                <text x="36" y="148">Generate</text>
                <text x="88" y="148">N1,</text>
                <text x="116" y="148">X1</text>
                <text x="44" y="180">CTX_TEMP_A</text>
                <text x="96" y="180">=</text>
                <text x="148" y="180">updateCtx(</text>
                <text x="92" y="196">X1</text>
                <text x="112" y="196">|</text>
                <text x="136" y="196">N1,</text>
                <text x="96" y="212">0x,</text>
                <text x="112" y="228">CTX_OLD</text>
                <text x="152" y="228">)</text>
                <text x="280" y="260">Request</text>
                <text x="332" y="260">#1_A</text>
                <text x="32" y="276">Protect</text>
                <text x="84" y="276">with</text>
                <text x="148" y="276">CTX_TEMP_A</text>
                <text x="328" y="276">...</text>
                <text x="468" y="276">/.well-known/kudos</text>
                <text x="236" y="292">OSCORE</text>
                <text x="272" y="292">{</text>
                <text x="24" y="308">KUDOS</text>
                <text x="80" y="308">status:</text>
                <text x="232" y="308">...</text>
                <text x="36" y="324">CTX_OLD:</text>
                <text x="88" y="324">X1,</text>
                <text x="116" y="324">N1</text>
                <text x="248" y="324">Partial</text>
                <text x="296" y="324">IV:</text>
                <text x="320" y="324">0</text>
                <text x="28" y="340">State:</text>
                <text x="76" y="340">BUSY</text>
                <text x="120" y="340">(1,0)</text>
                <text x="232" y="340">...</text>
                <text x="224" y="356">d</text>
                <text x="256" y="356">flag:</text>
                <text x="288" y="356">1</text>
                <text x="228" y="372">x:</text>
                <text x="252" y="372">X1</text>
                <text x="272" y="372">=</text>
                <text x="328" y="372">b'00000111'</text>
                <text x="244" y="388">nonce:</text>
                <text x="284" y="388">N1</text>
                <text x="232" y="404">...</text>
                <text x="216" y="420">}</text>
                <text x="248" y="436">Encrypted</text>
                <text x="320" y="436">Payload</text>
                <text x="360" y="436">{</text>
                <text x="232" y="452">...</text>
                <text x="216" y="468">}</text>
                <text x="428" y="548">Generate</text>
                <text x="480" y="548">N2,</text>
                <text x="508" y="548">X2</text>
                <text x="436" y="580">CTX_TEMP_B</text>
                <text x="488" y="580">=</text>
                <text x="540" y="580">updateCtx(</text>
                <text x="500" y="596">X2</text>
                <text x="520" y="596">|</text>
                <text x="548" y="596">N2),</text>
                <text x="508" y="612">0x),</text>
                <text x="520" y="628">CTX_OLD</text>
                <text x="560" y="628">)</text>
                <text x="280" y="660">Request</text>
                <text x="332" y="660">#1_B</text>
                <text x="424" y="676">Protect</text>
                <text x="476" y="676">with</text>
                <text x="540" y="676">CTX_TEMP_B</text>
                <text x="236" y="692">OSCORE</text>
                <text x="272" y="692">{</text>
                <text x="232" y="708">...</text>
                <text x="416" y="708">KUDOS</text>
                <text x="472" y="708">status:</text>
                <text x="248" y="724">Partial</text>
                <text x="296" y="724">IV:</text>
                <text x="320" y="724">0</text>
                <text x="428" y="724">CTX_OLD:</text>
                <text x="480" y="724">X2,</text>
                <text x="508" y="724">N2</text>
                <text x="232" y="740">...</text>
                <text x="420" y="740">State:</text>
                <text x="468" y="740">BUSY</text>
                <text x="512" y="740">(1,0)</text>
                <text x="224" y="756">d</text>
                <text x="256" y="756">flag:</text>
                <text x="288" y="756">1</text>
                <text x="228" y="772">x:</text>
                <text x="252" y="772">X2</text>
                <text x="272" y="772">=</text>
                <text x="328" y="772">b'00000111'</text>
                <text x="244" y="788">nonce:</text>
                <text x="284" y="788">N2</text>
                <text x="232" y="804">...</text>
                <text x="216" y="820">}</text>
                <text x="256" y="836">Encrypted</text>
                <text x="328" y="836">Payload</text>
                <text x="368" y="836">{</text>
                <text x="240" y="852">...</text>
                <text x="216" y="868">}</text>
                <text x="236" y="932">(Request</text>
                <text x="292" y="932">#1_A</text>
                <text x="348" y="932">arrives)</text>
                <text x="280" y="964">Request</text>
                <text x="332" y="964">#1_A</text>
                <text x="320" y="980">...</text>
                <text x="468" y="980">/.well-known/kudos</text>
                <text x="236" y="996">OSCORE</text>
                <text x="272" y="996">{</text>
                <text x="232" y="1012">...</text>
                <text x="436" y="1012">CTX_TEMP_A</text>
                <text x="488" y="1012">=</text>
                <text x="540" y="1012">updateCtx(</text>
                <text x="248" y="1028">Partial</text>
                <text x="296" y="1028">IV:</text>
                <text x="320" y="1028">0</text>
                <text x="472" y="1028">0x,</text>
                <text x="232" y="1044">...</text>
                <text x="468" y="1044">X1</text>
                <text x="488" y="1044">|</text>
                <text x="512" y="1044">N1,</text>
                <text x="224" y="1060">d</text>
                <text x="256" y="1060">flag:</text>
                <text x="288" y="1060">1</text>
                <text x="488" y="1060">CTX_OLD</text>
                <text x="528" y="1060">)</text>
                <text x="236" y="1076">x:X1</text>
                <text x="264" y="1076">=</text>
                <text x="320" y="1076">b'00000111'</text>
                <text x="244" y="1092">nonce:</text>
                <text x="284" y="1092">N1</text>
                <text x="420" y="1092">Verify</text>
                <text x="468" y="1092">with</text>
                <text x="532" y="1092">CTX_TEMP_A</text>
                <text x="232" y="1108">...</text>
                <text x="216" y="1124">}</text>
                <text x="416" y="1124">KUDOS</text>
                <text x="472" y="1124">status:</text>
                <text x="248" y="1140">Encrypted</text>
                <text x="320" y="1140">Payload</text>
                <text x="360" y="1140">{</text>
                <text x="428" y="1140">CTX_OLD:</text>
                <text x="480" y="1140">X2,</text>
                <text x="508" y="1140">N2</text>
                <text x="232" y="1156">...</text>
                <text x="420" y="1156">State:</text>
                <text x="468" y="1156">BUSY</text>
                <text x="512" y="1156">(1,0)</text>
                <text x="216" y="1172">}</text>
                <text x="424" y="1204">CTX_NEW</text>
                <text x="464" y="1204">=</text>
                <text x="516" y="1204">updateCtx(</text>
                <text x="492" y="1220">X2</text>
                <text x="540" y="1220">N2),</text>
                <text x="492" y="1236">X1</text>
                <text x="536" y="1236">N1)</text>
                <text x="512" y="1252">CTX_OLD</text>
                <text x="552" y="1252">)</text>
                <text x="284" y="1284">Response</text>
                <text x="340" y="1284">#2_A</text>
                <text x="424" y="1300">Protect</text>
                <text x="476" y="1300">with</text>
                <text x="528" y="1300">CTX_NEW</text>
                <text x="236" y="1316">OSCORE</text>
                <text x="272" y="1316">{</text>
                <text x="232" y="1332">...</text>
                <text x="416" y="1332">KUDOS</text>
                <text x="472" y="1332">status:</text>
                <text x="248" y="1348">Partial</text>
                <text x="296" y="1348">IV:</text>
                <text x="320" y="1348">0</text>
                <text x="428" y="1348">CTX_OLD:</text>
                <text x="480" y="1348">X2,</text>
                <text x="508" y="1348">N2</text>
                <text x="232" y="1364">...</text>
                <text x="420" y="1364">State:</text>
                <text x="480" y="1364">PENDING</text>
                <text x="536" y="1364">(1,1)</text>
                <text x="224" y="1380">d</text>
                <text x="256" y="1380">flag:</text>
                <text x="288" y="1380">1</text>
                <text x="228" y="1396">x:</text>
                <text x="252" y="1396">X2</text>
                <text x="272" y="1396">=</text>
                <text x="328" y="1396">b'01000111'</text>
                <text x="244" y="1412">nonce:</text>
                <text x="284" y="1412">N2</text>
                <text x="232" y="1428">...</text>
                <text x="216" y="1444">}</text>
                <text x="256" y="1460">Encrypted</text>
                <text x="328" y="1460">Payload</text>
                <text x="368" y="1460">{</text>
                <text x="240" y="1476">...</text>
                <text x="216" y="1492">}</text>
                <text x="236" y="1556">(Request</text>
                <text x="292" y="1556">#1_B</text>
                <text x="348" y="1556">arrives)</text>
                <text x="280" y="1588">Request</text>
                <text x="332" y="1588">#1_B</text>
                <text x="256" y="1604">...</text>
                <text x="424" y="1604">Protect</text>
                <text x="476" y="1604">with</text>
                <text x="540" y="1604">CTX_TEMP_B</text>
                <text x="236" y="1620">OSCORE</text>
                <text x="272" y="1620">{</text>
                <text x="232" y="1636">...</text>
                <text x="44" y="1652">CTX_TEMP_B</text>
                <text x="96" y="1652">=</text>
                <text x="148" y="1652">updateCtx(</text>
                <text x="248" y="1652">Partial</text>
                <text x="296" y="1652">IV:</text>
                <text x="320" y="1652">0</text>
                <text x="80" y="1668">0x,</text>
                <text x="232" y="1668">...</text>
                <text x="76" y="1684">X2</text>
                <text x="96" y="1684">|</text>
                <text x="120" y="1684">N2,</text>
                <text x="224" y="1684">d</text>
                <text x="256" y="1684">flag:</text>
                <text x="288" y="1684">1</text>
                <text x="96" y="1700">CTX_OLD</text>
                <text x="136" y="1700">)</text>
                <text x="228" y="1700">x:</text>
                <text x="252" y="1700">X2</text>
                <text x="272" y="1700">=</text>
                <text x="328" y="1700">b'00000111'</text>
                <text x="244" y="1716">nonce:</text>
                <text x="284" y="1716">N2</text>
                <text x="28" y="1732">Verify</text>
                <text x="76" y="1732">with</text>
                <text x="140" y="1732">CTX_TEMP_B</text>
                <text x="232" y="1732">...</text>
                <text x="216" y="1748">}</text>
                <text x="248" y="1764">Encrypted</text>
                <text x="320" y="1764">Payload</text>
                <text x="360" y="1764">{</text>
                <text x="224" y="1780">...</text>
                <text x="216" y="1796">}</text>
                <text x="32" y="1860">CTX_NEW</text>
                <text x="72" y="1860">=</text>
                <text x="124" y="1860">updateCtx(</text>
                <text x="12" y="1876">X1</text>
                <text x="56" y="1876">N1,</text>
                <text x="12" y="1892">X2</text>
                <text x="56" y="1892">N2,</text>
                <text x="32" y="1908">CTX_OLD</text>
                <text x="72" y="1908">)</text>
                <text x="284" y="1924">Response</text>
                <text x="340" y="1924">#2_B</text>
                <text x="32" y="1940">Protect</text>
                <text x="84" y="1940">with</text>
                <text x="136" y="1940">CTX_NEW</text>
                <text x="468" y="1940">/.well-known/kudos</text>
                <text x="236" y="1956">OSCORE</text>
                <text x="272" y="1956">{</text>
                <text x="24" y="1972">KUDOS</text>
                <text x="80" y="1972">status:</text>
                <text x="232" y="1972">...</text>
                <text x="8" y="1988">-</text>
                <text x="52" y="1988">CTX_OLD:</text>
                <text x="104" y="1988">X1,</text>
                <text x="132" y="1988">N1</text>
                <text x="224" y="1988">d</text>
                <text x="256" y="1988">flag:</text>
                <text x="288" y="1988">1</text>
                <text x="8" y="2004">-</text>
                <text x="44" y="2004">State:</text>
                <text x="104" y="2004">PENDING</text>
                <text x="160" y="2004">(1,1)</text>
                <text x="228" y="2004">x:</text>
                <text x="252" y="2004">X1</text>
                <text x="272" y="2004">=</text>
                <text x="328" y="2004">b'01000111'</text>
                <text x="244" y="2020">nonce:</text>
                <text x="284" y="2020">N1</text>
                <text x="232" y="2036">...</text>
                <text x="216" y="2052">}</text>
                <text x="248" y="2068">Encrypted</text>
                <text x="320" y="2068">Payload</text>
                <text x="360" y="2068">{</text>
                <text x="232" y="2084">...</text>
                <text x="264" y="2100">Application</text>
                <text x="344" y="2100">Payload</text>
                <text x="284" y="2164">Response</text>
                <text x="340" y="2164">#2_A</text>
                <text x="360" y="2180">.....</text>
                <text x="424" y="2180">Protect</text>
                <text x="476" y="2180">with</text>
                <text x="528" y="2180">CTX_NEW</text>
                <text x="236" y="2196">OSCORE</text>
                <text x="272" y="2196">{</text>
                <text x="232" y="2212">...</text>
                <text x="248" y="2228">Partial</text>
                <text x="296" y="2228">IV:</text>
                <text x="320" y="2228">0</text>
                <text x="232" y="2244">...</text>
                <text x="224" y="2260">d</text>
                <text x="256" y="2260">flag:</text>
                <text x="288" y="2260">1</text>
                <text x="228" y="2276">x:</text>
                <text x="252" y="2276">X2</text>
                <text x="272" y="2276">=</text>
                <text x="328" y="2276">b'01000111'</text>
                <text x="244" y="2292">nonce:</text>
                <text x="284" y="2292">N2</text>
                <text x="28" y="2308">Verify</text>
                <text x="76" y="2308">with</text>
                <text x="128" y="2308">CTX_NEW</text>
                <text x="232" y="2308">...</text>
                <text x="216" y="2324">}</text>
                <text x="8" y="2340">/</text>
                <text x="32" y="2340">key</text>
                <text x="100" y="2340">confirmation</text>
                <text x="160" y="2340">/</text>
                <text x="256" y="2340">Encrypted</text>
                <text x="328" y="2340">Payload</text>
                <text x="368" y="2340">{</text>
                <text x="240" y="2356">...</text>
                <text x="36" y="2372">Pre-IDLE</text>
                <text x="100" y="2372">steps:</text>
                <text x="216" y="2372">}</text>
                <text x="28" y="2388">Delete</text>
                <text x="100" y="2388">CTX_TEMP_A</text>
                <text x="28" y="2404">Delete</text>
                <text x="100" y="2404">CTX_TEMP_B</text>
                <text x="28" y="2420">Delete</text>
                <text x="92" y="2420">CTX_OLD,</text>
                <text x="144" y="2420">X1,</text>
                <text x="172" y="2420">N1</text>
                <text x="24" y="2452">KUDOS</text>
                <text x="80" y="2452">status:</text>
                <text x="36" y="2468">CTX_NEW:</text>
                <text x="84" y="2468">-,</text>
                <text x="104" y="2468">-</text>
                <text x="28" y="2484">State:</text>
                <text x="76" y="2484">IDLE</text>
                <text x="120" y="2484">(0,0)</text>
                <text x="284" y="2532">Response</text>
                <text x="340" y="2532">#2_B</text>
                <text x="32" y="2548">Protect</text>
                <text x="84" y="2548">with</text>
                <text x="136" y="2548">CTX_NEW</text>
                <text x="220" y="2548">....</text>
                <text x="236" y="2564">OSCORE</text>
                <text x="272" y="2564">{</text>
                <text x="232" y="2580">...</text>
                <text x="224" y="2596">d</text>
                <text x="256" y="2596">flag:</text>
                <text x="288" y="2596">1</text>
                <text x="420" y="2596">Verify</text>
                <text x="468" y="2596">with</text>
                <text x="520" y="2596">CTX_NEW</text>
                <text x="228" y="2612">x:</text>
                <text x="252" y="2612">X1</text>
                <text x="272" y="2612">=</text>
                <text x="328" y="2612">b'01000111'</text>
                <text x="400" y="2612">/</text>
                <text x="424" y="2612">key</text>
                <text x="492" y="2612">confirmation</text>
                <text x="552" y="2612">/</text>
                <text x="244" y="2628">nonce:</text>
                <text x="284" y="2628">N1</text>
                <text x="232" y="2644">...</text>
                <text x="428" y="2644">Pre-IDLE</text>
                <text x="492" y="2644">steps:</text>
                <text x="216" y="2660">}</text>
                <text x="420" y="2660">Delete</text>
                <text x="492" y="2660">CTX_TEMP_A</text>
                <text x="248" y="2676">Encrypted</text>
                <text x="320" y="2676">Payload</text>
                <text x="360" y="2676">{</text>
                <text x="420" y="2676">Delete</text>
                <text x="492" y="2676">CTX_TEMP_B</text>
                <text x="232" y="2692">...</text>
                <text x="420" y="2692">Delete</text>
                <text x="484" y="2692">CTX_OLD,</text>
                <text x="536" y="2692">X2,</text>
                <text x="564" y="2692">N2</text>
                <text x="264" y="2708">Application</text>
                <text x="344" y="2708">Payload</text>
                <text x="216" y="2724">}</text>
                <text x="416" y="2740">KUDOS</text>
                <text x="472" y="2740">status:</text>
                <text x="428" y="2772">CTX_NEW:</text>
                <text x="476" y="2772">-,</text>
                <text x="496" y="2772">-</text>
                <text x="420" y="2788">State:</text>
                <text x="468" y="2788">IDLE</text>
                <text x="512" y="2788">(0,0)</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
KUDOS status:                                         KUDOS status:
- CTX_OLD: -,-                                        - CTX_OLD: -,-
- State: IDLE (0,0)                                   - State: IDLE (0,0)

                     Client                  Server
                   (initiator)            (responder)
                        |                      |
Generate N1, X1         |                      |
                        |                      |
CTX_TEMP_A = updateCtx( |                      |
          X1 | N1,      |                      |
          0x,           |                      |
          CTX_OLD )     |                      |
                        |                      |
                        |      Request #1_A    |
Protect with CTX_TEMP_A +------------> ...     | /.well-known/kudos
                        | OSCORE {             |
KUDOS status:           |  ...                 |
CTX_OLD: X1, N1         |  Partial IV: 0       |
State: BUSY (1,0)       |  ...                 |
                        |  d flag: 1           |
                        |  x: X1 = b'00000111' |
                        |  nonce: N1           |
                        |  ...                 |
                        | }                    |
                        | Encrypted Payload {  |
                        |  ...                 |
                        | }                    |
                        |                      |
                        |                      |
                        |                      |
                        |                      |
                        |                      | Generate N2, X2
                        |                      |
                        |                      | CTX_TEMP_B = updateCtx(
                        |                      |             X2 | N2),
                        |                      |             0x),
                        |                      |             CTX_OLD )
                        |                      |
                        |      Request #1_B    |
                        |      <---------------+ Protect with CTX_TEMP_B
                        | OSCORE {             |
                        |  ...                 | KUDOS status:
                        |  Partial IV: 0       | CTX_OLD: X2, N2
                        |  ...                 | State: BUSY (1,0)
                        |  d flag: 1           |
                        |  x: X2 = b'00000111' |
                        |  nonce: N2           |
                        |  ...                 |
                        | }                    |
                        |  Encrypted Payload { |
                        |   ...                |
                        | }                    |
                        |                      |
                        |                      |
                        |                      |
                        |(Request #1_A arrives)|
                        |                      |
                        |      Request #1_A    |
                        |             ... ---->| /.well-known/kudos
                        | OSCORE {             |
                        |  ...                 | CTX_TEMP_A = updateCtx(
                        |  Partial IV: 0       |         0x,
                        |  ...                 |         X1 | N1,
                        |  d flag: 1           |         CTX_OLD )
                        |  x:X1 = b'00000111'  |
                        |  nonce: N1           | Verify with CTX_TEMP_A
                        |  ...                 |
                        | }                    | KUDOS status:
                        | Encrypted Payload {  | CTX_OLD: X2, N2
                        |  ...                 | State: BUSY (1,0)
                        | }                    |
                        |                      |
                        |                      | CTX_NEW = updateCtx(
                        |                      |            X2 | N2),
                        |                      |            X1 | N1),
                        |                      |            CTX_OLD )
                        |                      |
                        |      Response #2_A   |
                        |      <---------------+ Protect with CTX_NEW
                        | OSCORE {             |
                        |  ...                 | KUDOS status:
                        |  Partial IV: 0       | CTX_OLD: X2, N2
                        |  ...                 | State: PENDING (1,1)
                        |  d flag: 1           |
                        |  x: X2 = b'01000111' |
                        |  nonce: N2           |
                        |  ...                 |
                        | }                    |
                        |  Encrypted Payload { |
                        |   ...                |
                        | }                    |
                        |                      |
                        |                      |
                        |                      |
                        |(Request #1_B arrives)|
                        |                      |
                        |      Request #1_B    |
                        |<--- ...              + Protect with CTX_TEMP_B
                        | OSCORE {             |
                        |  ...                 |
CTX_TEMP_B = updateCtx( |  Partial IV: 0       |
        0x,             |  ...                 |
        X2 | N2,        |  d flag: 1           |
        CTX_OLD )       |  x: X2 = b'00000111' |
                        |  nonce: N2           |
Verify with CTX_TEMP_B  |  ...                 |
                        | }                    |
                        | Encrypted Payload {  |
                        | ...                  |
                        | }                    |
                        |                      |
                        |                      |
                        |                      |
CTX_NEW = updateCtx(    |                      |
X1 | N1,                |                      |
X2 | N2,                |                      |
CTX_OLD )               |                      |
                        |      Response #2_B   |
Protect with CTX_NEW    +--------------->      | /.well-known/kudos
                        | OSCORE {             |
KUDOS status:           |  ...                 |
- CTX_OLD: X1, N1       |  d flag: 1           |
- State: PENDING (1,1)  |  x: X1 = b'01000111' |
                        |  nonce: N1           |
                        |  ...                 |
                        | }                    |
                        | Encrypted Payload {  |
                        |  ...                 |
                        |  Application Payload |
                        |                      |
                        |                      |
                        |                      |
                        |      Response #2_A   |
                        |<---------------......+ Protect with CTX_NEW
                        | OSCORE {             |
                        |  ...                 |
                        |  Partial IV: 0       |
                        |  ...                 |
                        |  d flag: 1           |
                        |  x: X2 = b'01000111' |
                        |  nonce: N2           |
Verify with CTX_NEW     |  ...                 |
                        | }                    |
/ key confirmation /    |  Encrypted Payload { |
                        |   ...                |
Pre-IDLE steps:         | }                    |
Delete CTX_TEMP_A       |                      |
Delete CTX_TEMP_B       |                      |
Delete CTX_OLD, X1, N1  |                      |
                        |                      |
KUDOS status:           |                      |
CTX_NEW: -, -           |                      |
State: IDLE (0,0)       |                      |
                        |                      |
                        |                      |
                        |      Response #2_B   |
Protect with CTX_NEW    +.....---------------->|
                        | OSCORE {             |
                        |  ...                 |
                        |  d flag: 1           | Verify with CTX_NEW
                        |  x: X1 = b'01000111' | / key confirmation /
                        |  nonce: N1           |
                        |  ...                 | Pre-IDLE steps:
                        | }                    | Delete CTX_TEMP_A
                        | Encrypted Payload {  | Delete CTX_TEMP_B
                        |  ...                 | Delete CTX_OLD, X2, N2
                        |  Application Payload |
                        | }                    |
                        |                      | KUDOS status:
                        |                      |
                        |                      | CTX_NEW: -, -
                        |                      | State: IDLE (0,0)
                        |                      |
]]></artwork>
        </artset>
      </section>
      <section anchor="successful-kudos-execution-initiated-with-a-request-message-final-response-is-lost">
        <name>Successful KUDOS Execution Initiated with a Request Message, Final Response is Lost</name>
        <artwork><![CDATA[
KUDOS status:                                         KUDOS status:
- CTX_OLD: -,-                                        - CTX_OLD: -,-
- State: IDLE (0,0)                                   - State: IDLE (0,0)

                     Client                  Server
                   (initiator)            (responder)
                        |                      |
Generate N1, X1         |                      |
                        |                      |
CTX_TEMP = updateCtx(   |                      |
        X1 | N1,        |                      |
        0x,             |                      |
        CTX_OLD )       |                      |
                        |                      |
                        |      Request #1      |
Protect with CTX_TEMP   +--------------------->| /.well-known/kudos
                        | OSCORE {             |
KUDOS status:           |  ...                 | CTX_TEMP = updateCtx(
CTX_OLD: X1, N1         |  Partial IV: 0       |         0x,
State: BUSY (1,0)       |  d flag: 1           |         X1 | N1,
                        |  x: X1               |         CTX_OLD )
                        |  nonce: N1           | Verify with CTX_TEMP
                        | }                    |
                        |                      | KUDOS status:
                        |                      | CTX_OLD: -,-
                        |                      | State: BUSY (0,1)
                        |                      |
                        |                      | Generate N2, X2
                        |                      |
                        |                      | CTX_NEW = updateCtx(
                        |                      |           X2 | N2,
                        |                      |           X1 | N1,
                        |                      |           CTX_OLD )
                        |                      |
                        |      Response #1     |
                        |<---------------------+ Protect with CTX_NEW
                        | OSCORE {             |
CTX_NEW = updateCtx(    |  Partial IV: 0       | KUDOS status:
          X1 | N1,      |  d flag: 1           | CTX_OLD: X2, N2
          X2 | N2,      |  x: X2               | State: PENDING (1,1)
          CTX_OLD )     |  nonce: N2           |
Verify with CTX_NEW     | }                    |
/ key confirmation /    |                      |
Pre-IDLE steps:         |                      |
Delete CTX_TEMP         |                      |
Delete CTX_OLD, X1, N1  |                      |
                        |                      |
KUDOS status:           |                      |
CTX_NEW: -, -           |                      |
State: IDLE (0,0)       |                      |

The key update process ends here.
Both peers now use CTX_NEW.

                        |                      |
                        |      Request #2      |
Protect with CTX_NEW    +--------------------->| /temp
                        | OSCORE {             |
                        |  Partial IV: 1       |
                        | }                    | Verify with CTX_NEW
                        | Encrypted Payload {  |
                        |  Application Payload |
                        | }                    |
                        |                      |
                        |      Response #2     |
                        |      <-- LOST -------+ Protect with CTX_NEW
                        | OSCORE {             |
                        |  Partial IV: 0       |
                        | }                    |
                        | Encrypted Payload {  |
                        |  Application Payload |
                        | }                    |

                (client times out and retransmits)

                        |                      |
                        |      Request #3      |
Protect with CTX_NEW    +--------------------->| /temp
                        | OSCORE {             |
                        |  Partial IV: 2       |
                        | }                    | Verify with CTX_NEW
                        | Encrypted Payload {  |
                        |  Application Payload |
                        | }                    |
                        |                      |
                        |      Response #3     |
                        |<---------------------+ Protect with CTX_NEW
Verify with CTX_NEW     | OSCORE {             |
                        |  Partial IV: 1       |
                        | }                    |
                        | Encrypted Payload {  |
                        |  Application Payload |
                        | }                    |
                        |                      |
                        |                      | Pre-IDLE steps:
                        |                      | Delete CTX_TEMP
                        |                      | Delete CTX_OLD, X2, N2
                        |                      |
                        |                      | KUDOS status:
                        |                      | CTX_NEW: -,-
                        |                      | State: IDLE (0,0)
]]></artwork>
      </section>
    </section>
    <section anchor="kudos-state-machine-figure">
      <name>KUDOS State Machine</name>
      <t>The following illustrates the states and transitions of the KUDOS state machine.</t>
      <artset>
        <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="800" width="568" viewBox="0 0 568 800" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
            <path d="M 8,32 L 8,64" fill="none" stroke="black"/>
            <path d="M 8,144 L 8,176" fill="none" stroke="black"/>
            <path d="M 8,304 L 8,336" fill="none" stroke="black"/>
            <path d="M 8,528 L 8,560" fill="none" stroke="black"/>
            <path d="M 48,72 L 48,136" fill="none" stroke="black"/>
            <path d="M 48,184 L 48,296" fill="none" stroke="black"/>
            <path d="M 48,344 L 48,520" fill="none" stroke="black"/>
            <path d="M 48,568 L 48,784" fill="none" stroke="black"/>
            <path d="M 104,32 L 104,64" fill="none" stroke="black"/>
            <path d="M 104,144 L 104,176" fill="none" stroke="black"/>
            <path d="M 104,304 L 104,336" fill="none" stroke="black"/>
            <path d="M 104,528 L 104,560" fill="none" stroke="black"/>
            <path d="M 224,160 L 224,224" fill="none" stroke="black"/>
            <path d="M 256,544 L 256,624" fill="none" stroke="black"/>
            <path d="M 280,320 L 280,384" fill="none" stroke="black"/>
            <path d="M 296,48 L 296,704" fill="none" stroke="black"/>
            <path d="M 8,32 L 104,32" fill="none" stroke="black"/>
            <path d="M 112,48 L 296,48" fill="none" stroke="black"/>
            <path d="M 8,64 L 104,64" fill="none" stroke="black"/>
            <path d="M 8,144 L 104,144" fill="none" stroke="black"/>
            <path d="M 112,160 L 224,160" fill="none" stroke="black"/>
            <path d="M 8,176 L 104,176" fill="none" stroke="black"/>
            <path d="M 192,224 L 224,224" fill="none" stroke="black"/>
            <path d="M 8,304 L 104,304" fill="none" stroke="black"/>
            <path d="M 112,320 L 280,320" fill="none" stroke="black"/>
            <path d="M 8,336 L 104,336" fill="none" stroke="black"/>
            <path d="M 184,384 L 280,384" fill="none" stroke="black"/>
            <path d="M 200,432 L 296,432" fill="none" stroke="black"/>
            <path d="M 8,528 L 104,528" fill="none" stroke="black"/>
            <path d="M 112,544 L 256,544" fill="none" stroke="black"/>
            <path d="M 8,560 L 104,560" fill="none" stroke="black"/>
            <path d="M 208,624 L 256,624" fill="none" stroke="black"/>
            <path d="M 184,704 L 296,704" fill="none" stroke="black"/>
            <path d="M 64,784 L 248,784" fill="none" stroke="black"/>
            <polygon class="arrowhead" points="256,784 244,778.4 244,789.6" fill="black" transform="rotate(0,248,784)"/>
            <polygon class="arrowhead" points="120,544 108,538.4 108,549.6" fill="black" transform="rotate(180,112,544)"/>
            <polygon class="arrowhead" points="120,320 108,314.4 108,325.6" fill="black" transform="rotate(180,112,320)"/>
            <polygon class="arrowhead" points="120,160 108,154.4 108,165.6" fill="black" transform="rotate(180,112,160)"/>
            <polygon class="arrowhead" points="120,48 108,42.4 108,53.6" fill="black" transform="rotate(180,112,48)"/>
            <polygon class="arrowhead" points="56,520 44,514.4 44,525.6" fill="black" transform="rotate(90,48,520)"/>
            <polygon class="arrowhead" points="56,296 44,290.4 44,301.6" fill="black" transform="rotate(90,48,296)"/>
            <polygon class="arrowhead" points="56,136 44,130.4 44,141.6" fill="black" transform="rotate(90,48,136)"/>
            <g class="text">
              <text x="52" y="52">PRE-IDLE</text>
              <text x="88" y="100">Clean</text>
              <text x="124" y="100">up</text>
              <text x="152" y="100">and</text>
              <text x="196" y="100">delete</text>
              <text x="132" y="116">CTX_TEMP/CTX_OLD</text>
              <text x="52" y="164">IDLE</text>
              <text x="88" y="212">Receive</text>
              <text x="168" y="212">CONVERGENT:</text>
              <text x="72" y="228">-</text>
              <text x="100" y="228">Stay</text>
              <text x="132" y="228">in</text>
              <text x="164" y="228">IDLE</text>
              <text x="76" y="260">Send</text>
              <text x="108" y="260">or</text>
              <text x="152" y="260">receive</text>
              <text x="228" y="260">DIVERGENT:</text>
              <text x="72" y="276">-</text>
              <text x="92" y="276">Go</text>
              <text x="116" y="276">to</text>
              <text x="148" y="276">BUSY</text>
              <text x="52" y="324">BUSY</text>
              <text x="76" y="372">Send</text>
              <text x="136" y="372">DIVERGENT</text>
              <text x="220" y="372">(stalled):</text>
              <text x="64" y="388">-</text>
              <text x="92" y="388">Stay</text>
              <text x="124" y="388">in</text>
              <text x="156" y="388">BUSY</text>
              <text x="88" y="420">Receive</text>
              <text x="168" y="420">CONVERGENT:</text>
              <text x="64" y="436">-</text>
              <text x="84" y="436">Go</text>
              <text x="108" y="436">to</text>
              <text x="156" y="436">PRE-IDLE</text>
              <text x="76" y="468">Send</text>
              <text x="140" y="468">CONVERGENT</text>
              <text x="68" y="484">or</text>
              <text x="112" y="484">Receive</text>
              <text x="188" y="484">DIVERGENT:</text>
              <text x="64" y="500">-</text>
              <text x="84" y="500">Go</text>
              <text x="108" y="500">to</text>
              <text x="152" y="500">PENDING</text>
              <text x="56" y="548">PENDING</text>
              <text x="76" y="596">Need</text>
              <text x="108" y="596">to</text>
              <text x="140" y="596">send</text>
              <text x="204" y="596">something:</text>
              <text x="64" y="612">-</text>
              <text x="92" y="612">Send</text>
              <text x="124" y="612">as</text>
              <text x="180" y="612">CONVERGENT</text>
              <text x="64" y="628">-</text>
              <text x="92" y="628">Stay</text>
              <text x="124" y="628">in</text>
              <text x="168" y="628">PENDING</text>
              <text x="88" y="660">Receive</text>
              <text x="164" y="660">CONVERGENT</text>
              <text x="68" y="676">OR</text>
              <text x="96" y="676">non</text>
              <text x="136" y="676">KUDOS</text>
              <text x="192" y="676">message</text>
              <text x="96" y="692">protected</text>
              <text x="156" y="692">with</text>
              <text x="212" y="692">CTX_NEW:</text>
              <text x="68" y="708">Go</text>
              <text x="92" y="708">to</text>
              <text x="140" y="708">PRE-IDLE</text>
              <text x="88" y="740">Receive</text>
              <text x="164" y="740">DIVERGENT:</text>
              <text x="88" y="756">Attempt</text>
              <text x="132" y="756">to</text>
              <text x="176" y="756">decrypt</text>
              <text x="232" y="756">using</text>
              <text x="292" y="756">CTX_OLD,</text>
              <text x="348" y="756">then</text>
              <text x="400" y="756">CTX_NEW</text>
              <text x="444" y="756">as</text>
              <text x="480" y="756">input</text>
              <text x="536" y="756">context</text>
              <text x="84" y="772">Revert</text>
              <text x="124" y="772">to</text>
              <text x="160" y="772">using</text>
              <text x="216" y="772">CTX_NEW</text>
              <text x="260" y="772">as</text>
              <text x="308" y="772">CTX_OLD,</text>
              <text x="356" y="772">or</text>
              <text x="404" y="772">continue</text>
              <text x="464" y="772">using</text>
              <text x="520" y="772">CTX_OLD</text>
              <text x="272" y="788">(Go</text>
              <text x="300" y="788">to</text>
              <text x="336" y="788">BUSY)</text>
            </g>
          </svg>
        </artwork>
        <artwork type="ascii-art"><![CDATA[
+-----------+
| PRE-IDLE  |<----------------------+
+-----------+                       |
     |                              |
     |  Clean up and delete         |
     |  CTX_TEMP/CTX_OLD            |
     v                              |
+-----------+                       |
|   IDLE    |<-------------+        |
+-----------+              |        |
     |                     |        |
     | Receive CONVERGENT: |        |
     |  - Stay in IDLE ----+        |
     |                              |
     | Send or receive DIVERGENT:   |
     |  - Go to BUSY                |
     v                              |
+-----------+                       |
|   BUSY    |<--------------------+ |
+-----------+                     | |
     |                            | |
     | Send DIVERGENT (stalled):  | |
     | - Stay in BUSY ------------+ |
     |                              |
     | Receive CONVERGENT:          |
     | - Go to PRE-IDLE ------------+
     |                              |
     | Send CONVERGENT              |
     | or Receive DIVERGENT:        |
     | - Go to PENDING              |
     v                              |
+-----------+                       |
|  PENDING  |<-----------------+    |
+-----------+                  |    |
     |                         |    |
     | Need to send something: |    |
     | - Send as CONVERGENT    |    |
     | - Stay in PENDING ------+    |
     |                              |
     | Receive CONVERGENT           |
     | OR non KUDOS message         |
     | protected with CTX_NEW:      |
     | Go to PRE-IDLE --------------+
     |
     | Receive DIVERGENT:
     | Attempt to decrypt using CTX_OLD, then CTX_NEW as input context
     | Revert to using CTX_NEW as CTX_OLD, or continue using CTX_OLD
     | -----------------------> (Go to BUSY)
]]></artwork>
      </artset>
    </section>
    <section anchor="sec-document-updates" removeInRFC="true">
      <name>Document Updates</name>
      <section anchor="sec-13-14">
        <name>Version -13 to -14</name>
        <ul spacing="normal">
          <li>
            <t>Remove redundant YANG data model.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
          <li>
            <t>Added section "Implementation Status".</t>
          </li>
          <li>
            <t>Updated legal boilerplate and other metadata.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-12-13">
        <name>Version -12 to -13</name>
        <ul spacing="normal">
          <li>
            <t>Defined SCHC compression of the extended OSCORE Option (originally defined in draft-ietf-schc-8824-update).</t>
          </li>
          <li>
            <t>Updated IANA considerations (SCHC-related actions).</t>
          </li>
          <li>
            <t>Added security considerations about the YANG data model.</t>
          </li>
          <li>
            <t>Added YANG data model.</t>
          </li>
          <li>
            <t>General editorial improvements.</t>
          </li>
          <li>
            <t>Add further message flow examples.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-11-12">
        <name>Version -11 to -12</name>
        <ul spacing="normal">
          <li>
            <t>Add multiple additional message flow examples.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
          <li>
            <t>Add diagram of KUDOS state machine.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-10-11">
        <name>Version -10 to -11</name>
        <ul spacing="normal">
          <li>
            <t>Extended security considerations.</t>
          </li>
          <li>
            <t>Clarifications and editorial improvements.</t>
          </li>
          <li>
            <t>Updates to IANA considerations according to IANA early reviews.</t>
          </li>
          <li>
            <t>Extended section about updated protection of CoAP responses.</t>
          </li>
          <li>
            <t>Discussion about combining usage of KUDOS with profiles of ACE.</t>
          </li>
          <li>
            <t>Optimization for traversing the state machine upon reception of a divergent message.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-09-10">
        <name>Version -09 to -10</name>
        <ul spacing="normal">
          <li>
            <t>Major re-design building on a state machine driving the KUDOS execution.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-08-09">
        <name>Version -08 to -09</name>
        <ul spacing="normal">
          <li>
            <t>Merge text about avoiding in-transit requests during a key update into a single subsection.</t>
          </li>
          <li>
            <t>Improved error handling.</t>
          </li>
          <li>
            <t>Editorial improvements and clarifications.</t>
          </li>
          <li>
            <t>State that the EDHOC EAD item must be used as non-critical.</t>
          </li>
          <li>
            <t>Extended description and updates values for KUDOS communication overhead.</t>
          </li>
          <li>
            <t>Introduce special case when non-CAPABLE devices may operate in FS Mode.</t>
          </li>
          <li>
            <t>Add parameter for signaling KUDOS support when using the ACE OSCORE profile.</t>
          </li>
          <li>
            <t>Enable using the reverse message flow for peers that are only CoAP servers.</t>
          </li>
          <li>
            <t>Further clarifications about achieving key confirmation and deletion of old contexts.</t>
          </li>
          <li>
            <t>Restructure distribution of content about FS and no-FS mode.</t>
          </li>
          <li>
            <t>Warn of consequences of running KUDOS with insufficient margin.</t>
          </li>
          <li>
            <t>Stressed usefulness of core.kudos for safe KUDOS requests without side effects.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-07-08">
        <name>Version -07 to -08</name>
        <ul spacing="normal">
          <li>
            <t>Add note about usage of the CoAP No-Response Option.</t>
          </li>
          <li>
            <t>Avoid problems for two simultaneously started key updates.</t>
          </li>
          <li>
            <t>Set Notification Number to be uninitialized for new OSCORE Security Contexts.</t>
          </li>
          <li>
            <t>Handle corner case for responder that reached its key usage limits.</t>
          </li>
          <li>
            <t>Re-organizing main section about Forward Secrecy mode into subsections.</t>
          </li>
          <li>
            <t>IANA considerations for CoAP Option Numbers Registry to refer to this draft for the OSCORE option.</t>
          </li>
          <li>
            <t>Use AASVG in diagrams.</t>
          </li>
          <li>
            <t>Use actual tables instead of figures.</t>
          </li>
          <li>
            <t>Clarifications and editorial improvements.</t>
          </li>
          <li>
            <t>Extended security considerations with reference to relevant paper.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-06-07">
        <name>Version -06 to -07</name>
        <ul spacing="normal">
          <li>
            <t>Removed material about the ID update procedure, which has been split out into a separate draft.</t>
          </li>
          <li>
            <t>Allow non-random nonces for CAPABLE devices.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
          <li>
            <t>Permit flexible message flow with KUDOS messages as any request/response.</t>
          </li>
          <li>
            <t>Enable sending KUDOS messages as regular application messages.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-05-06">
        <name>Version -05 to -06</name>
        <ul spacing="normal">
          <li>
            <t>Mandate support for both the forward and reverse message flow.</t>
          </li>
          <li>
            <t>Mention the EDHOC and OSCORE profile of ACE as method for rekeying.</t>
          </li>
          <li>
            <t>Clarify definition of KUDOS (request/response) message.</t>
          </li>
          <li>
            <t>Further extend the OSCORE option to transport N1 in the second KUDOS message as a request.</t>
          </li>
          <li>
            <t>Mandate support for the no-FS mode on CAPABLE devices.</t>
          </li>
          <li>
            <t>Explain when KUDOS fails during selection of mode.</t>
          </li>
          <li>
            <t>Explicitly forbid using old keying material after reboot.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-04-05">
        <name>Version -04 to -05</name>
        <ul spacing="normal">
          <li>
            <t>Note on client retransmissions if KUDOS execution fails in reverse message flow.</t>
          </li>
          <li>
            <t>Specify what information needs to be written to non-volatile memory to handle reboots.</t>
          </li>
          <li>
            <t>Extended recommendations and considerations on minimum size of nonces N1 &amp; N2.</t>
          </li>
          <li>
            <t>Arbitrary maximum size of the Recipient-ID Option.</t>
          </li>
          <li>
            <t>Detailed lifecycle of the OSCORE IDs update procedure.</t>
          </li>
          <li>
            <t>Described examples of OSCORE IDs update procedure.</t>
          </li>
          <li>
            <t>Examples of OSCORE IDs update procedure integrated in KUDOS.</t>
          </li>
          <li>
            <t>Considerations about using SCHC for CoAP with OSCORE.</t>
          </li>
          <li>
            <t>Clarifications and editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-03-04">
        <name>Version -03 to -04</name>
        <ul spacing="normal">
          <li>
            <t>Removed content about key usage limits.</t>
          </li>
          <li>
            <t>Use of "forward message flow" and "reverse message flow".</t>
          </li>
          <li>
            <t>Update to RFC 8613 extended to include protection of responses.</t>
          </li>
          <li>
            <t>Include EDHOC_KeyUpdate() in the methods for rekeying.</t>
          </li>
          <li>
            <t>Describe reasons for using the OSCORE ID update procedure.</t>
          </li>
          <li>
            <t>Clarifications on deletion of CTX_OLD and CTX_NEW.</t>
          </li>
          <li>
            <t>Added new section on preventing deadlocks.</t>
          </li>
          <li>
            <t>Clarified that peers can decide to run KUDOS at any point.</t>
          </li>
          <li>
            <t>Defined preservation of observations beyond OSCORE ID updates.</t>
          </li>
          <li>
            <t>Revised discussion section, including also communication overhead.</t>
          </li>
          <li>
            <t>Defined a well-known KUDOS resource and a KUDOS resource type.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-02-03">
        <name>Version -02 to -03</name>
        <ul spacing="normal">
          <li>
            <t>Use of the OSCORE flag bit 0 to signal more flag bits.</t>
          </li>
          <li>
            <t>In UpdateCtx(), open for future key derivation different than HKDF.</t>
          </li>
          <li>
            <t>Simplified updateCtx() to use only Expand(); used to be METHOD 2.</t>
          </li>
          <li>
            <t>Included the Partial IV if the second KUDOS message is a response.</t>
          </li>
          <li>
            <t>Added signaling of support for KUDOS in EDHOC.</t>
          </li>
          <li>
            <t>Clarifications on terminology and reasons for rekeying.</t>
          </li>
          <li>
            <t>Updated IANA considerations.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-01-02">
        <name>Version -01 to -02</name>
        <ul spacing="normal">
          <li>
            <t>Extended terminology.</t>
          </li>
          <li>
            <t>Moved procedure for preserving observations across key updates to main body.</t>
          </li>
          <li>
            <t>Moved procedure to update OSCORE Sender/Recipient IDs to main body.</t>
          </li>
          <li>
            <t>Moved key update without forward secrecy section to main body.</t>
          </li>
          <li>
            <t>Define signaling bits present in the 'x' byte.</t>
          </li>
          <li>
            <t>Modifications and alignment of updateCtx() with EDHOC.</t>
          </li>
          <li>
            <t>Rules for deletion of old EDHOC keys PRK_out and PRK_exporter.</t>
          </li>
          <li>
            <t>Describe CBOR wrapping of involved nonces with examples.</t>
          </li>
          <li>
            <t>Renamed 'id detail' to 'nonce'.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-00-01">
        <name>Version -00 to -01</name>
        <ul spacing="normal">
          <li>
            <t>Recommendation on limits for CCM_8. Details in Appendix.</t>
          </li>
          <li>
            <t>Improved message processing, also covering corner cases.</t>
          </li>
          <li>
            <t>Example of method to estimate and not store 'count_q'.</t>
          </li>
          <li>
            <t>Added procedure to update OSCORE Sender/Recipient IDs.</t>
          </li>
          <li>
            <t>Added method for preserving observations across key updates.</t>
          </li>
          <li>
            <t>Added key update without forward secrecy.</t>
          </li>
        </ul>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors sincerely thank <contact fullname="Christian Amsüss"/>, <contact fullname="Carsten Bormann"/>, <contact fullname="Simon Bouget"/>, <contact fullname="Rafa Marin-Lopez"/>, <contact fullname="John Preuß Mattsson"/>, and <contact fullname="Göran Selander"/> for their feedback and comments.</t>
      <t>The work on this document has been partly supported by the Sweden's Innovation Agency VINNOVA and the Celtic-Next projects CRITISEC and CYPRESS; and by the H2020 projects SIFIS-Home (Grant agreement 952652) and ARCADIAN-IoT (Grant agreement 101020259).</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+y96XLcSJIg/J9PgY8y+0RWZ1JM6igVp6t6KJJqcVrXklR1
tW2tyZCZSBKtTCAHQJJiSdpX+b53WLN9gJ0XWz/jAAJ5UNRR1eKMushMIMLD
w8PDb+92u2sXu9HdtbUqrcbJbhT9LbmKXk2HcZVEo7yIXpzsvzg+jDb+9urg
xcnmWtzvFwm8MP+pYT7I4gmMNiziUdVNk2rUHeRF0s1L+s+b5Ko7o7e7Y/if
slpbS6fFblQVs7La2d7+YXtn7fJsN9rPYdC/58WbNDuL/lrks+nam8vd6Cir
kiJLqu4BDr82iKvdqKyGa+WsP0nLMs2z6moKsx8dnj5e43nK3ejhgx4sc5AP
YbDdaAYgPVxbi2fVeV7srkX005X/RlGawRvHW9GT//rfZ+NZNjRf8LqO0zdx
MWx+mxcw9PHRyWG098h8WFZFkgCIR2U8+mdeDMuzuIqzaGfHPDFIqyvAaVpW
sf0sH8JEJ4fd3oN797ajkyofvDnPxxPngVlWFfDeyWUyTDLzeTKJ0/FuVBCI
W+c5QfjvRbpVJuFlPtuKTtNxPohri3wWF4O8/tVXtMIJwrdVEXyyvrUsLyZx
lV4kuKXHj/fvP3zwg/z6/c79Hf31wb2e/IpUob9+v3NPf/3hnr72w90H+sAP
93ce4q9H3YMtoulycD7oPny4c0+oeRfoOBvVQHh4794Dnff+fTND7+G2Drt9
V6H5AYjf/mrm7X3/wIJ7X369t/3wgYGmwBM2Ks66cRIPu+N0klalB2r9+AUe
iQdJNxme5wN9blrko3RM63h6+WznGR8T/8gQPbyYJln0LO/Dw9HeeJzG2YBp
TZjK0/TsvLpM8H+BqgbnaZZEVW5+PU0G51k6iMfRyTQZpCP4tYJDHHWBARRJ
J9qbAiQXyTD6OSnwdEe9rZ1O9OLZXvf0pOuMDSC+xje6P/de73R3tne2e73e
dnePQKH9ifDDbq/HwMXFGVLteVVNd+/cuby83MphIRNaRyzL2IIF3ikS+KBM
7vhz3alNc2d5iLamwxHAcHI1mSRVkQ66J8lgVuAZCaB4NBuP+UT+R36eRS+L
ZPZf/x8gr6rKMs/cfTiEofCz6DgpEzgd5+4m6BRRPrITR8dxNThPqjKKsyFx
9f3zGLgC4P5oMh3LTpTE5F8WORzRfFxG4/QN7NrTE9iIu53oJD3L4nGHRnj5
3+762L7X3d5pYLsEdCfTIs2qrTQeFIRjfPbOzs62Elv3tIizcpoX1ecnOzN1
9CjN8L4oVyNC8/7XRYmtYBE5riVZJRR4cvj08W60/t+By3R/gZ//sb621u12
o7gPnD4ewHW9n08ms8yQx2VanUfVeQIHNsNHAL1DxJgSkKGdaGM/33u5GQ3g
eugnEaC0SgYVPJxkw26Vd+E/UVzRULF9HaSEq6SI+lfRrERRAL8ulZynOvSL
/j9hLEvnSLMuPMeHJ6dwlqLD7CIt8mwC6y2jDRZdNreiV9kQ5ijzSQK3VTGY
TeCuArTD1leXeYRgI5DTPMXXsgQGBFpivo8ApUYKAvaKQMIlkBQpUFc/AUhg
UB9liAFaQzK+gu8A99kMeF2ydbbViYYzotQYaY6o9QxHhdXHZ0nErBsu7fO0
jEDUmuFKomEyglWW8yUzOKTwuj0VNCg/DDMNkiGAA4vBHWiuGSGelcnSy76K
QLKL++O0pAXEgLRLfdhsEmxQlbyttqK9Adw5eNbGV4Bxb2kiwtG2IwDAwPBX
GWo0js+iPmAEpBmhQQBbvnwxJfKLgUST8Rj/i08I2eE3MBY9XyRwMjIYfJKU
iGWhaR4GoBuXeSdKEc3TIhkYcIIILJmdAIUARHAKAIXp2+jR1g7OBmeKRFHc
v6Qg0mhbr3mUT98kHQ7HIOPcQgG4yIczXsGt6N2tFD/4sLZ2evMHI3r3TsSk
Dx9wyIt0CKA5x9VBZuvJxRkNYpO3g/M4O4OJV2YbBAsKch8+bAEWomlcVOlg
No6Lju54kpWwB6VOh0drBCDD+YrHuHi8pQBdyRmiogP7PgUQnUXwPdZnvo8b
ZigD6L5I/nMGRA1HGk4QXD4xYJvYBr4Tw9eDdJrCXLBjK7ETZmuyggnAE+Qv
5XlcwMf1gwZEBicHJoPnefVyhOmlGtspUHhWzgN0PclxlfBoAV/FIDsAgPPY
DmxBq8D54YN82S5wAg0hDlPcIVqbsvOP551bSP5/II64trYES3QPZ4xi2nic
X4JYv/Zd9Hc8XMBggMkA3SGMiOd1me4xcs1HsCPr8MwZ6GXFlSCMuNa7dydy
poH9fC98y86D507Z8PpiVoJ6/Gb0Mi5AigVcuHOeoVZPnNXl8vBakSoPBiij
l3mZEjjbdNR60UaZJAAlUEEXpKP4wwfYyT7QMUJ1eZ4OzoHhw87lRXqWgnQK
dALq4huAEKBfR/G4AFluHZAc1flIaikHp2JIAWi5fvAohC+gELQdvXJyEDiR
7QBXoIOdvJ3i6CTJTEHzItKcd6v5F5ouH9cvhyynb7pAOsAE8JgATpyLC5fP
oIRBhTX1CDmvsrgsQaRn9HwXHflbM+fu9O5MPjSXMKKzB97NaGns4dZdj8QI
ax414joZimFXp+taUIAqaU+cI6Kwr3xhW7Dsje2A5W4iSLDlbAq0keAHcLyJ
p8DMt26BdlFM0iwf52dX0S28oyv7gdzUCMslmkui9WevTk7XO/zf6PkL+v34
8L+9Ojo+PMDfT57sPX1qflmTJ06evHj19MD+Zt/cf/Hs2eHzA34ZPo28j9bW
n+39Y51vuvUXL0+PXjzfe7rOlOZymbhIZJm46gIQWdEJWgMRYFCkfUbYo/2X
/+f/790DxP0/gKqdXu8H2A7+42Hv+3vwx+V5IvdqngEV8J+wG1drcNWAooqj
AH0AP52mVTwuCdHleX6ZRSgj4Vb+d8TM/9iN/twfTHv3fpIPcMHeh4oz70PC
WfOTxsuMxMBHgWkMNr3Pa5j24d37h/e34t358M9/GaNi2u09/MtPa2trx3C1
IuPBbQB+wYoS78conqSgFhZWhELyYo4FF+IgmVZ416N1lV6hc+pITyAu9YkH
yocP7vXwQ2DlgxQuNFB7Y2DOIjge4xECQadioWxj/9GLY5ULf7j3A43GZ965
jni/D6fnySQp4PI7SEdwwrpPQAyfwLX54gIkjv0XJ3ARHx48ebEv46GJDWS7
+lUeD4fEpYiJKHfGVfOFR0KEPV509B+fRBMyMOJjdC4Bh3DH0hLwG2ZQKOYk
FwlZOC7RpgucBvjFlcdhYRfSi6Q7qN4iT8XRn+fdJScY5jB4lpuZ2ibK8u6o
7OJ7OschyEnjtF+ks8luRJJ9Ws14Cy7xWID8ME0Ai+cxTuBMDjyL4QGJAi7/
CnAGUl6OWDLkwiIfP0aj4P1jJDK8rfiSs9JMXUApkc9F+zxF9CypzvMhG4qO
E5F8lCpuIRIFmO6En0QeCBIVzl268h281pCGB+d5rgI4ikwhcdgYXgEBKwla
BHIcXcQgcbB1TARhuDwdwUA+jdJSdRwjI4tkTNt9HsMW91E3KBMeuoxHiSNG
LyEib4HeE8MVNEBy7xC7pDnR+HMRA7JlQuQLANXgHLBAi8ja1thhFmHwTVCi
FKJYmo+ijqdjqMDt7xMtlWRyX1pHPRfwkpZ1GCYzUKQsADj9iVWmjlWVQvG9
7IhMRxcS35yw/AEcB2QIIILT7Yvf7B3uHcBdcgZCR3U+ARIF6U65xyKTCkEI
MyDJ9RNfKxIqoaMCw6QZjIhCRByUKEi5L/HaHIxnyiPa6M8FCbcVWH1aMCFX
6ST5N1efjqY5/IqiMbJkvIOZvkFKJSJFYArkicBe/80bmcTqt+cxYF14BH4i
GD9BvRa1hOezSR/VVhJJfclTHrXqyRHuqnvdGbWT0SQ40snDklcFB6yMVCIl
dRkkVZAXgea2kq0O221EDTQ7jrchHFe4rGRwUBfOzmBOYLBZxXDAG6Bu49AV
klyB7MHfrg02ts3bG2cvRD5fDYcggR+N5PAqo+LrQCkI5KlzuOdlMKAZWkIp
MjsS4gCRMrUcIUon0xxE9P44aV0aYXOQFBUq+8Jx8VzdyVlkyGdAd/28EG7P
l4OaTNRAgxz+BR2C0jWQq2iOPIOXijpXfMVnpPCZv3tyy9kE9jb9DU9rAtc2
3XKnHlNAjbqYZappCJUEFdO6dN7KaHQ58HGRoEoIcM4cexTLAYVrjeZrMgE8
FygHNa4+nGJWEmOBlRaA2HwCIkmpWraQ09GBc1yiKNor6aiWs3GDIy/JiRky
fMCO3VEKBE7ZaTJP2oExnr9kaoznoIjrFM9iVG9xJhDv6fXaF/EYDlORT1hu
GA/nWCxgjSS4OVun4o+YfWCCK0ecw7sClDkyEwDuLnErZPh4DKx3eGVtjmS5
cwQq+aIuUCkYKxMQnky6SuCpB6fpyf4TQDTsEOrNLCXfv38PbVzivhXFBi7T
bDhGzI7idIyz8Ql26BG2FOVBPMHIrcvoP+C8wS6RDSQu7uznZOeJK6DNjf84
BmEYVfCS/AyXAPxFSoZDdALC8V+fjpMhEC4ocIAyYwf7Zy78WoAmO01SNOyr
NLcxrLLUvX23F7CownVHM1mGIHvTtSfFN5fjXAB/h+mFTz5sWd6vyKkYo1JX
AE7IHgvqAEwCmHsjVuK6vYwURuI/ZMQ9mwknnhpD0hYeKVykZ0sw1gReFy4E
gOJzbm4OJCh/x4jdomsTkDnO6fa2IiUwS2CZiGNYNO4mcmi63eVMgUCqdhNn
fUQFou3CEWCmPyYWiCAhu1vp5KO0J7uCYxb57Oz8WswyzHrJmGn5lwQACJHs
bN9VOwvIWTP436xSsQS3ao88tOlv/EndyeBbBPf2Dzejx7iNRKo6wTZBFkV/
PyfjOmmtg3HKFs9xHtMlBudowLz2TcIyHT9I+izugvMMcASx/dcZbjwuc+dq
gM8z1Ju9DbNPK2LsczDxWULESRvj0oowJiuT7h+K+1qRI6BWzCDKWcKWQHdh
vszNGugcCZ/Q1sZ72znlvPuX9HISKgyajEupHyOjhJXU1HqkA48AjU7vr8cl
etHjpmUyG+ZdvkwZRDbHo3EItAUR/WJLeHhRx5bfNzbNpWgzYWMmnMJiGM2n
BV5MrtCN6ob4W2MysNcmctlwY6ea92vzuxgFAodntu+zes6d9QTvXc9iYq7Q
4FXJ+0znQQ2hdITYoAyoGM0ycY3JDURv/PoahAv2q3Ra5VDeO5TdE6CTAZ1k
2DOkfCC0pAu0liEDpRG3DDH69gDdTVAE6jMLVwTR4iIe4+BpNp1VKnSyqGVM
6LQ1sYruzG0XEN9W9Eot/o2pyShWBGxHjNbneSUmIEawaJV4utAVOIzHZGUp
XH8K33bIEkdIZh0QmZEaShY0bPCDbJmV1ZRTwxjIbRwjQ1tUl9wBoJ0gGKyw
lY6IQkE40T4zX3VVMHz0sHnkhHhZB5kXe6uMEPxsb1EIDsZG+coFgE7DIsOo
1PDhwUKzIzKr+A2fbVU02abRz/MKb51pFJ+h9mMEEx7lkfnaAI5Hkh6FzUsW
sNlob0wMAmdjt1zi4YHOZ4rX3mxQNYF3TQeVd2KZaI48z1Lj8Lu3TJ7NWRUZ
BckMJV6TThOWyxQOFOkxZt3Ag5LyvHV69HOWSR2jPKMVu91JmgjqGGKqQ673
N3IvZEaiMQx12muIOSxCwqgXaXKJqnYf/rAWNTIdwapVUZ5nISRrc1qUFRll
lExtlBqdp2dxJiapgG+7afipavcISMezMSrH6JSGqwEZGMrLzIk7qgFN6Djl
oyqhq4BveDEPkHqbxGQdAIAOQbDl5aLeJbJbbEkY4yQyHFyRQ0zgAsRiuF0S
MkIEbTwAsnIelo9c93djoV7gltic7U0VcPWpEUGMxWH33i3x6g9Jm7E+yeOg
O/KWmKHneRHZLbe0hzMt7enqX6k1oO6WsBuN0TIwIlz504hUlHYPqBuxJMYv
dvLAaOss65zleDDuba03Rtrq1WX9d7v/OYNFfVj7STmMHLZUY0/iaAiSXEK2
/Fb6N6EwqLXHcjQv1c9LujN8AOOmoyt5geNlNvywNkDsgNwBQ0dW2HQYvkBH
Lj7D5mH3cmTVlnprJh/3LbG8kkG1xUAHIL9EbRcOzdHPKiOYJeJZQ+7A9sP+
LB0PrYGZVAASephWvFe31n4CPIs8xrYAFzwS85w4RjTF0KAbb9BYQ0NvgkSQ
sk8Gj5ohv07dRmU3rd1Lg9DsZSjEJxw8kJY1XrrA6y16fKn2fdiBc1I8kfMg
KYyvPN8SMRIW5lynScx+BGIgZm5v52aluPXm6cHkQsbdKfMxCqO1XQA1na2Z
Zic3zG+3epvMRLNcRBk1efJN7Fn/HFNUUwpgs6hZRSkeOXYB5WPQUy+JlctF
5sZcIeOaG5JkWFWdC4pXtJSNMvFN+FY9jikQvOQx7LbQpZANZkkLBazsCSAh
hnupqMcrURwSm0cvjZoxUPUJIUS5mK8GC5KRDMfkwmy/SdXxcMXyvGMroW0G
yHho0NBQuclDITV1tdWRICimZsjBQ/5dNT/+puOycZm0nE0pslyVKlnrfvV2
YzMwuKRJ6dPEzY8cRdqgrROyeDfMdXSbqc2Oj2jQL4N758Z4DBMQkMYOXK5L
vMP49nyltbAzoKAqwcAw8ZqLSkpW05ryxKZbdXA48b40xhgNJJnxvjcA9R3p
jYgdh+DgBCD/ugRCIg4IjLd7kY/hYhljFDAorQiLwSndKpZI4QUDwohJDwmP
QtAG8RSlJ4R7SKyozLdsxE8D1+dxPZYBvgNtugJS3ZUoJtH6rdMIXdyp0caM
JWce40yyf+ZXDWW1E80yQirxXQ+xdKG3hiec6uVlPRERKOHkF+a9WOAviDYA
c2VSbTL3lZi8yFix5zEaZ/qg0/jooFwaDHb9rDg9Oz+LvI9ebNIe8b+snBYJ
6qAkVQFQYyBlFvvIUhJf5KmRE4tE6JsFALr7O0glLACIlRLvDrQDDOKSfHI0
e3U1FcZIN3CCAW5oYQMuWeQzVLGKdEpkwsyApjS3wHyW4FhJJWiFzW9Ev2SL
VyWU7DuWcJXxODJD41ol3I6vPItcO6Zv3YoODUetudeEcdN1OZcR18OJmJ+3
JRTIsE7YYtvV4AfchqOPq3rUKN3P5xHm8VQROgzohoM3+ikISLilMNO6WXS3
R7G66x2lTFZC+1dVC9wYngHkWFM+TTypymXse7J+bIDdBLLKTPNihVEO8aMm
MQy3C5OXXRyn2+dQFmPNJ7NVbVEsU5KA3VNBkGT89tV5wn1ofdHDbu/+1gr7
EdyIaP05ifiC+tvD2wb/C0FcsAEM4BfaBdbnfZwj/wD2h9ySAvJyjvqTZZCb
LE2Af95+e1vyHORvYle3OxKSSOxWNUXUcUOykis2NPyN+GKPEYtzWbZy+01K
YY3IE27TtRFnwCKFDES7Sn8z+2Hf9CBlrYGyFfG7vgnawmSPgStwwnrO44sU
FgM3ND5bi+8jhDrCbuwqEiT8iHKMzqhond+WR/Akj2wwbDoKURVuXmnuRccC
C5TIxGF3UUJMSBEmlYw2Fe4KxuhcyAAxkQ+dOJLQWsG58opU2hJCJ5qIXNYX
RXwdU1hF8DiVPBqfWN0N2rE0ozWX0STNZiWSpPgYbk9ubzlDp6M2nqnqLJzY
6LHINics26xHt6eELj5ukqsjwUm85SVZCC5RuXGlaVe+ywsWD1U0ImMPIN/Y
92QSHGAbn+51SPlENQ2NxGwZZXY0id+oxha5QTw4Md31eICaQqoqDTibQLEV
7VXWgIA2SVcD+DhptaOxA8FTS8TRDDb1cMRyuXP6XfnR2dcyfbtwX1+KbCYh
yxyDBFvbX2lrVcKjOC6KFRal14Q/5c7w9UBZGrifXOVyDGv8oEkSfUMSPZxx
u0YSwv45PptUgbKU4DAPbQI1GgEYvBr6yLy0AIG3f7vNsgXLZE11Y5LEeFvt
Mp1+pyZCHALftaxmuyOGI+ZJDmcBVjKElRVn8Pm6z1E0kI8BqomDsRNl1Sqf
U8ae7qmJMfS2HE5WfkESN3oXycS2ntj46XU5g1HdYOgNkaMtTaMwMfmAzXxy
DyvbYh4oTFFRQDAC1cRpJR4w9an4NHS75EG3FuK6Nw/XcFdcA9kryd5Loj2u
cAPtoqtZQTEZnxP7HaJpQXjdUakY7+ge8WFHwzVsFvHbhlazQZcjoB4lKRs7
bFfnLG7TOY5sems9jEbHxElHoFEVJDVJZAE+xHkpmFYkB459Nxwvys/u+W5W
KwGy/7TDDF7Ga5CTPfQU35CU9UPv0ZmY75WcUKxMYctMFsokHqM/Eg1jFPeh
kiTF/8TpmOQET0BNgVqinbrHohGbNA8ktuUuhqnzEQDdq+d9CduXWCTepmFa
DlDY8N0GofEfzh8fHTTvRumZr8CCgokpUJIQqRZIX9Uge0vHnm7mFoPEldkQ
du/0oAnhf9qfNaCyHqDgbnQvuh89iL6PAN4o+gH+9bbhXw/+7cC/u/DvHvy7
H/25iz+RSm70109rf+rW/6+78F/z509r73vvt+H/zt+/eR/BHNF7gK/93xD+
OV4coxu8vzF41mS9XdVN+K+fFA2liwbCQ3iglo/X3ksNJQs7/byPHKXHX9dq
4yv8IfCjSfQn+ZwW0Ab90p/qct42VhMJP3c/x09xlc5nbetbGYL6z3v6vEHq
/HmDVuRzoMPf3vffT/HVCQPc/rx7pt7tRrcaJ5rr0vyI/ls2hTQP9M94oNdB
OKcQ3i4oqmfZj+uDBNMv1z+QOeyxOg7wFmnc2uJVMjaxuv+gxYdEVhHHEWG8
E5yFSbKofiZjWs9gRUoNWdqnM4lpoFB7G6jLX/U6/N8d5qj7p7/8+vroOXs0
vBRselgkEHyetRW4c51I9DBviyoNyLC23ADPNMY4U4vCE6PKZROsNbhelqIi
97wAGvW22djdunGBNV7dAZY6ygXRwQTAi1enNd4e8DLVdwLeBMg3URC4cyd6
MatwDwlJ5Rp9CaPKGYLv1clQB2AtenZyuH98ePr6+eHf/Ue9AEh8bu+pPhV8
Lh5XDMsBp5mQkS7uJ2NjXbJulLXoKX3zY7RuP1zn1/eLBDGN2arM+coK5cuS
SahBY2vy0etBH6b5EUOH4XX66zXWPRLEbcpzO/Of29kUIIA44WujbCI0XTaG
DEMwwCv1QLoUjSpv00F+VsRTOHDs/FuLfnn9HKZPy9fet2iwfk1h9omCTLB1
XLA3o79oNT33GeBv3kO78u2O9y0/K+s7SSrjL3ETRgB0gM/d7R/pA9lY1sBl
b5PsjCKo5R6SoznQzFKffPgwvobdfi0v/igjbDAlb/EL/PymRwp1QDnMk2Mx
6BC+PqSyDK+JqHyS/jHwRGjGDlNkZ61+ATV/AB+d5no2FUeFqo+h86Yns8Pg
0yvB5XVC29NhQjP5FQ6jpsPB67LH/0cJa36txYVei2Cy4aCoYzfbcBVey7Eo
Tq28QzQrmW5t7ccff4xu4N+a5X+BzZsQPl6X3rbxpji7gXxRojnf8Z7O0qzq
PYgM9dmH/40fyKcx6E3Ms/78/dbWzv37PyGH4q2O1kHmosn8xwWjf942LwAo
8MiHiKGWVwyy3BXV1+K84S2mKaP4d7pKKCpjcEofkeLCPOqG1DJORtW6xNQF
ZQsKqrKx9E1GzezmV+Y+lkv+Kgzt8hyzdPiqMqnBLIMYgm7y2IAlLiNtUsCB
e/S5Vm0haAaGhYu9cy5YtfgMjOU8y/KyQr7NjI2/87i8yFHkgUchWdZEJWyM
iNIRSxGVZii8mgzlQrA4AdOIRbUrQ2CykYZsH7YrT4ZOrB2pm7+C7pVk7OZu
oqnDaLQBfB5wv773YUtrwGPGq4l79J9sAb3DVnrnSZ1DxyRGd5lieN7aHnpt
Io5Ia5V8mePZeDTZE9lE965DXPtXigoq7WJayPfVuENJrlZ6pPnxPXggHjbf
4JnJgFyIHYxFzJhZRZeZAoefqrsozS7yN86zRhz1WaVFCwunYzT7FSHB34eG
ZW0jsofRcfScFzNOK6oUwqffE+iYnKwdRnhvbS8EAyJHSMgNaTimxJGHiWEy
pTAAiczC+ZwUESs6q2NTGJ9kdRlnS6dh9FHFRi1YbSOnlGfz5G8Hj6M9LVmg
mocai+rRvBom662EPEvTKRvBcDz9gsIVsAiyxEKxOsfZ1yESPI8xys/AIuoM
uZgwssSttFADO4gAXxlxQQ6LTm33VvQjXpXOwlZ7vX7ttVxUR5gUJHZZPykl
VG6NIr4nKft8bBxuy16TBb2+16UGRv/t2d6+zamjo/Jk72+HvZ2HyNfo9537
D3h3zIhECXCMfVDJvZOzM9FGdho/gomH8LMLjaKFZEQsXSocUuBR65qoaLCz
q7DhnLrZoGoJJ2Mq8xOxHOYqPmVLdFrBwgRzmarDJsCIVmpw5xJ/7SR9b0/S
vXsP4CSpR8AccDQXz2g/EaZAnUX0quMYbhEJf5J7Ww9sKD9PE7hw2AvD0yX1
y8O9Tuh6KRITW6/Zha06wa+sFMT1tOi7jWoJe5gQ4kv/NuWGLzAsX2S3irm9
2Rrm7bHJrmtj7rB8mwrn+yA4UlovS0aK3l66Fo6AzNxAfq+oTUtwP91tNtma
fCkhpITyooVrc60XLupTNuBSn3wp9WZD5bRwFFi7PZwCnBcq06hAigDpcJnz
dtkk6Hv1ywHXjewsit0qI4QDWNpjjmebI/Sosam5H/MsTmZ/iSNlb0ygXk0Y
L5vSuE2WlldCYIW4htkHOv8BScTNlfOMhuxCJBfq1UcZCekGRXxJtLuWnuWC
Isg60a2P5dttkOawUSoMicukw7jhynU5g6MhndQBY+R14jOEATs2DQ5ad0Kk
K8cA3GmUI0tN0OfQPZltNU05dl/ybA2aG+ERAMM458RSVoE4trJtVEwn4gR9
x1FNakcjWvyxHzBDzDKLJaymrFiDsJTAicpYXIO96hjm3anFp7glR9x0I3sb
LVfZrY9FdvhC4+xqvEsvkoK8zaYwgkkhDyVQ493BjEgz8xm1VI2KVFhbcAdX
DzydQ4HyolnXbCKldKfJeMwZMlLn7NQtVkUbtOGUjtr0qiDNTVDtNEpOSaky
pSTQedlVOvQLcC1RFY2ZQJJRXScSYTCJO1Aay6oJ9VXUKzf5la2CBZxEi6jV
5KKp2/NFdf5G8eSYwv2BRLSG+wucT2q4dTR+nLRmIN2pkyYWEEbmORoQ307g
t4smIKs4GN6EUIv0aEnRUJdo43jUJxQlFqr1trb2iB+jul6GBdULM3CSzjz4
mbs/PWgoKfqFqiaTnNJkB3NS4JQfm2KJgcV3rLXBK1pWT1alIonEtC/4BEnM
CSnWLr+nJEjUhjCxUmJ1/OtjKzrg2FKsAdMIp+ssFRpF2Dg9fPbSCMJyXWPl
LiStljsobnJof4fiMyqVlbGkuWTEEEGDtnK5FECuwUIp8/cSn/9Ee4kBRmy2
tPFS/h6o0OGcguvscOvwciECyHaGLUvDktWDFSJJ0uLNoel5XmWSXnSSrcXl
LJnDvujVMwk+f5Pll1y/yYje7mlHakEM6i4Ip7PSuZd9p47i8/xS4z1Luo9S
Fs0bCV58KbYkeIkhcb7oFVN5gnbxi2l2XtivG7rYljfnxMZKBXG/RCYacEWa
mJ8q9li3ZRm5mXwkqmSUhuNzveXA8CzRAqutCJgpVU2cfxc3rFLtNiU3gkiD
km26sEyDLV/gr6OfF9SbizRwGVGnWJBSHBTMlmC17KbRzFfLainsqJNJvhsc
UGebfHlv3g611UD1KMGQcj3PsCUN7hZI5M+5HhQi4pfoEbkwRS7nSlHdt10y
SKpsrjVvhM9zSa+Eq5xVIKXPcAQQ/oGfJAVfRbHrF4ieU0jx8x2a0iZScrix
f8wlOtrJjZDqVc9ZCYNB8OZwxAOTAqFCjCRIPWQrv+ef8EtD8FyN8Ym2sfAN
19bhV+dTnFVXMEC6YOpAWVDFn67W3EPSsNaFODrLcyC2CTaOo0q+tjIjGgTw
Oq0wINMoNrQaRTRat0l/x9ZqrhpwNkuHMYXVMcOyL9hJZGHMZjwzRyf6hZHx
yw67TFj08VRMq5d6Z2Ied6xLE8R/tJbP7TKiHhX4JNY+MTDgvhRmBaplxpVc
IxzN8suObh4+y9X7UB1sXjxSYLcehExGIie8t0ykBgJAwStQg91uzZ4P8KkB
X4ZRepTweicUmYbG+H6qxuYcZKQtqwXoZdxP2FKrVzUZ/PTiNtKYsW81dVi5
j2qRQmRWRWOwI7wzb/EtZbkT6d2/beKaawYJBOGXHtpUeh3YANy3jhKPMQSK
ZcBojrY6xW02sEhkFJtYbutxNaYWayeZZ3NZqf6cFzDVSFrfpEKNXKP6qnZB
zi1Z3Va6Q7b2mG1nf0/hBF5KPeyua/eLbQuVpmOlbvxDhn7iCD0dx4ZlIrcY
SxhfTeFoNhGqIzUg1DGalAG/KHdmwVtgqE51K8M7lSxcrcFUtLAx/mxFAyDg
PMF8zz2LGny8/Vah2X5roCFZajIFFDtO9q358MyyEERpBqpEG0Q7BNFOA6KW
mUhfsAtH8duZ05Gsl1+9goAWTyG5Fh2swamAb278YoqwxIWxigzdA9sIOwwn
gkp0th9uwA1ZHAmGS1vlZeIdS+9IYh5iY3scF4h6BwzesHZN5lZF8e8Ki5c2
zeULIOZRLgJB+6yZBturuBmGjNCxPDJJFv8IXO5xsR4HCEplYT4dm/yWPmfl
50b9MxkpVAWAIJ5IuT8jEw3nX0rUogDH1/ucc94cUAg0Y9u4yKmVsoOPjiag
0jDGpEkXGAoTZLOkQbQec1yW+YCLUNj+barRSqk2g3yNizXdJXhWKfLBdQRl
ONfpYMUTmprmMXPIaigmurYakcgZSydV7MjiJNWjDC4YExNX2bSFNCsZ0rvR
RIoW1rQWO3pXnpCqMel4PKPsbt5bTJs+M9WW3syGeem/1uXvOa46EQOZo47z
ciQuR5JeRGk3FuK+JExR9LUSEb+5Gx0dPD3sRI9enfxDmrWC2H70/K/kwCkm
9sZTipWDja9p9QrJLstq+V12O6WgfxOpZJowe4bjIiCCWpIsY/nD+tLJZY6P
uROELFqhCbH0hTuduwysWEYHnoVks2jNjVxo4VJbqXGV1K00W9qM0fQRrAnJ
lJ8n5bn5C5/KhDd4QQHwvKpIwXw8gogKVVuq1aAzV2QnZNqkUwLOGLo+Gkrs
xz2m52bGRuGz7K3oGWdrUvFm2XWpDdcGCLnISsmZt554Sw6Y7lVcSb9PAIvt
cwPPbaGDub09SYNBrunCbWzx2O/2DXNVDUh28QBEhtmzpSPdA/sd/Pq6AgkM
/lO83ayXCdnY3t5kYuxaqpbMfc80QL5oOiT+g95DuNRdyZfb2O5tSjegytxB
saY/ojeqkSfJCnBAsfs3kMR02N42D9s6JNf3X2ZYWtNGD+AU5rPrcZyaacSd
FBEr0y6/CnPFamJuKN2TglZQ7RV+9913iPTvvtOOH999J7DCR8I/DMzahIyO
YdSoplA2LyRT+9a9l8zNAZIZs8KwEu+QXhklF/n4InHIiye7hfMU1WwKV13F
/Bg7LBqQiSkiw4R1gbaElMgLI2GGBtDPcaSzMKRdzI5Nh2ME+VWDtTeH7hif
Uv1WS6Z4LnpbXtgFcTKQT60y0ihs2BGDOb6EjX52miOQlI3VJsdDqVwyJ36Z
M2G/iw7MqA05KiT6LGyI4Y0452ny2RYJFaJNpcwhVYOwjHrMJbV95YvCHsjN
zBInNunLPIeop5ubr1nfvUu8mFjvd9/xhikV4F/O0dCv2xOJv4te+a4LV2c0
isXETMfHbMu8aP01K73mztfUF2lbkbrOMq2iarwzWqwGA5RNHQuLb2Zw8jfu
CUlxbr0s2mEgPDgnVy6OFIUIav18GPYiN95cdPHJOKG26IHFMdnbDTSMasvb
OJ7w4zZO8TgPFsJFGJqV9mpPAioCnNqbIsxqliIoKVtzNJISgex8pAprHd+t
OivVu+AqgSZKJzyyRZVLcLV6DGYayXj3CMlQOYJJ5UYxeH0uG7UNrVJ0b2Dj
8VLkbiwToq2zOApCOPXcBmAaZoUwbtp1CT8LgL8i72wLGYxM71jVxlUhtNom
bY+6TNUgXCQXaT4rCR0CFTC4v+rLzP8bkCFBK3SmFZmNXsRR7jVGsUBoxpTz
+P3Fm+8vxCq8c5byIEgffGMzpXun3hy/hQcfXXIijpd8vBVop0Wa6yS6jKVh
kzwuhSI2PSbhLp44ZzvPsMtawDMaElYIrXhNlpwhB7raTTOVz8vCFvNkio79
OHVIS4C7B4uN8yYb8MXTgxADkMCB5vGvm8Ru+vijEr7c6d/ra+UsLfQUKuZG
R/xZTcbg4r8ZuSArtrpQ3CD2MNZF4AYZP3lgj5oc/KO11yW2S+ne3S6RP+Vo
zGHd4aAbsx8aM4Ib9ZGc2WwldzksXRibRbclwiI1alEmGRDNPhkll6Wnh+uG
IVuLOnaCkwwRLEsv9z8ZvSBDR0v5RNtF0R1+7HCCA/PWM7VoKN8XBhpW2nJn
VA1HiOv2voa+S8sShbsMS+fSLshALLZIvmm43iDWvY1Av0+Q4jGojcemeg2p
TSehU2BS3W3MN0ZbmxxNqrKJLQhUjPnnrHRMEA0Ao2cnf/319Z7WHFNqHF8t
fOcRU5hTDHYQM1eyF41dQk3uRY3O3NSRGlmbZKDQUcl4VnRUjXWpixC2RXlK
+D2GshgdUIag3BGGW+p3Wt/BL+z3I89+u8Gk0mKtas69Kus3s8vMzJMIdumB
a+LYvDCitr3pcMoCooiX2HxdH3TjBtH01JTQ6y7TmxSNbR4oMloSjeehwV8X
FV/xTgqdC7RnTRO6HX36xzrgsT0cRTKcZUOMYHGPjW6yZ5mlWKsGskul5MrZ
fqIOEwI8iAusLDvkJmvjBtngKjAgQEs4wESV20qhSYnUv9606KpZz1jDPaBS
Xbl0+Ql2HlXzq939DLspYQJOLXHcaSraaWQ/tNbVp0Rwbd14RTZVtrua0eqV
fcVGhxmVv1j8qJPksylB+rX1UvIWbC2xBK9OnrOI2uTaQK2FR7pL5lwQbqMu
NRnNFnrJzR5Y3HtIC2JqZTuxGIN0cvgWDfH8lgum5g3qDMKRF94EbPk6JTcb
1ZUD6Rz9v6PGDDR0nbYLJ7qHXEZIuc0nH9lOoNJeSW73J9oyFlO9Whq36A0u
dSFsyJtNCTHeLwQm2FvgUoo+uxls1fn8PgGek6vVwaXxVbOSBke+N4z68eCN
ajXW36bB6J5t1vPjecl1XmwsW9jRpxyMFlE+37S8MwNS87z2D3Pucen8tygD
QW2wlJyHO1a/WlwXLNc7MNVlNWIsWGHWyRTk0ybbFEzNCNbyRGNyK9xeX4da
1GvyFlX5FOVSCvQf2uoIjRYnLRVon3md+8h1nLaE6Jrq2giJluMdYDwlYQfY
oouXjpwm6k4XU+93eXhMGWnGiOEqT00J3UlJxBveKF1O6kCWY7DbMMZcIrjn
pFWRLdGFV0s4P61T88EZz7uY1rVH/ThPjfM/1AQzX5ZWglkObhMu42fODLZi
UXa4Axc6cZ0hm8FwDyQUjinSj6R45ngayPx9zKOiNOG0WxOGJQfDZVhHQfd3
rM3VpMpoJcwK0VnFwLa5b5ETD3A1ZckL++LNCoq61t5b6l92WgHvap8QbMHT
xXQIZRL6Pr5+Z8t+fYfCMhQ59vMufU7FFyhwyssKrA1Je2X+QpCxXm+RbNEY
622Dd1FKkciRd++KykxJ6uaRZOLHUtgdaNdLffMqSGOP64GjfHvdkcUwNx2j
buDiPxIJbKgBNra1qCYmnzx58Qo4IjJUTRZEXLiAxFfYppnsV3sUhe9jRyUF
6tBMLUXcty3WOJrbB89ShRuZChLf2RkuLIyOJgqC+Lw2Srjd5zxccLl/qhRh
Q3d1Au7sxTEIwjwtQNgaXW9TWbnBkCrYA+ICWWqHxjJT6/p8XElGAXceNYzY
HBsZLpXICu5ALZ2XEH/amsxnFz8042ZBoxnHxZgyQq78rokELJdpSJpx66LN
+pmh3i5QVA6tx0ldsxRlNVZ3A51OhTdF1K7eG34kerb3D74JODZSuOie9vw5
yrhhKDA5w0I1C9DN7BZOmmZd0fM+2MxK49OqBWy68eecie6JFdjyblZR52Fi
E2iliget10uzrsX3ekHs3N/hypf6lpcqtEjWYeUeaYQOYCtMKGOPMGQyFG1h
euhyDD8IZjMWL5p1+SVYkM4WXQiS2Mf3LUoarSAMxgnerxQKAy+OQFLieEOa
6pTaz4sCQlqSIGTemCthLbAtgL2nlBKTa9EB02LSdY4Y8g9XgJ8j85MS49kg
SJgh9QgBpGH6GqrrH1o9r3TUQ75OVSrYDEdxGVJ0hESUwBskyKrsppJsoUeH
6qPZ12pNNeWo2+rQgDybctti3PXPkYnsCXmeGslWKHJX6dhQWJ/LreUtQYtO
jnhdbcslEy3FPh+OKIuI0fA+U0Og0rbGRA8DMiJaeb7vBILiRaQ1zH0Jljpv
xjZT5fnJ6d7xaXRGdTOpCkoW9RbyhEaFij1TIClrZGkCk3Oy6ViJMi1XRs5p
bun53OhMYupv1Osw+DHoNVl+K3qSXybUmDqttABOKaqLjyS3iwgrLmxyE9ti
PCiw1VsMYF6klNaPbeBsbY+U6iKhlSZhuR10gE3qHIJpi8wpbKEK7fxO6fqj
cG7pQg2+JVdV7JAiQwB+gThw2oFExyP4fgOa4VUWT4QXaJKlV1QjnBJLVQhi
JPdOVOaTxIyN/du1qQ0LHhEeXnjX4qJZqEPMGZzf0yyJ4GQ46ZbAm3E2G6Gs
SQefizxNUmoJQNwinWDnYQz0IX2woNOsQMSmbpMYi/AyoQuptGsRFNmaCSYX
Oni2jdkEbzjqoCsNeNr6D6HzJFxhpJbTHA+HhWj8pZScUJ3a01Pradu1XNdO
zQbgBQ9Iswopa2LtCgQkcTZS8JUHa2WYuOS98w+Us0g3RM091K6coYqgKgiB
0jVOOZahafXLp9QlWEq6sN3lMVG5RuAV2wzCp0djNE3T9VqYpvHO5Jg9ymBH
lP+MMedwIgamwMGSpb/QABQX1aKUb890nK6Y8bcohY8Et5tIws5CNqk69Vt6
rNtMEUmv2H/+N2YBz5QFvLsVzhIOJeUaPk0lMzFFjtC0vr/3cu/R08N1qkpK
WGyvJhRepHIfzGROyzfIXrhzVIz2mS6ynC4xPWUzfEWIutpgWBtF0t1scq0F
bd/Ci0NodYGNgg9ojCq9cnPkKsdfWu5OilCHSw4FkWmAlpvfAVUT4Bg+TNSJ
S0JDPS93icUr+136AMl9gSZf3MCh7gvbt5EJ4/Vv+wIBNwBxqlAuIGo145NW
/JSdDM2Za1/QWk+XB1ZrJjisiI/hsAaEG/HDUgYhhYv2jjGQ0dp+r/h49amY
o7d+10q6ywYbbl/bsG3SCBnaFoX/SHNactrUfVpx5krEROfwZkdZhlbYcw2x
ylRWHdz3Vcs97HER1DPpfrE93WvJCD4oCu4NwKKtsZqp6XU4WPygd42UMKFW
UtizSMrUsnW36bQj6SEdp9gtulZhhyOAutHiuieCgQlGUZCNRniEJbjKqc0p
/eRrdVLwOoB3/TdLz1bn1FIJSjqEnJzSirRv+/wFeEKLswYCamXGFMUXgG+C
EB1U9cNiDogyXVIKu/6CpZSL06/RhTGg/De6l2ddEQidgnQoljfnkr0Yo9Nt
dS4cXNCixZjqPtmwtjger+RqViZLLZenqCYIF2BwQl1Lv3aGJ4DUaqegIBgv
gnbvH5x9qnqsV7gCXTBAVnkmrDXNAEHo+8GgCywYwn42bs8XHZvejOlFjLLl
xBj7+IqsBxWwp1ab7Qbty455jorYYeqYVIzM1WQ3gj/PqWCJW69Fi4v4GpXH
bdTDycEcjsrsgamq+6OtXq3EDtGYCky+kDknDEbvN7MSEauxRfGM7MF0jnRI
kisU2VpEpkVQZGGZG6aGaN+p8sj1s2Zk7vXG1v20xVmQQoUEx8BLEI15o1Ca
Q6KLPOUq6+GvUsbMaN+s/JgIiEDRtbxQ8yzdz26RNbci++HBkxf7ZOjKB/mY
rak/3N956J4KzQkuvUiLsKDBsUuInZVEGVvFeLdeJjdwHMme4hS2WmEqZbpt
1lLbOXdRhTyxzA7Vxh7SyDvG1lKLqXGS7wMtmpxOlktJd0QDNJOFugmuGgUC
t48fZbA6UuGgBbSxGTUllnVOnCvQSv1OqL1xq2HlKd2FEFJLKjLhOOtJBx+j
gUxOjJPwu5SdLPYuJTWizo0DUOu/mGbE8qv15GzwTdfakMOVMn1Rj4Vr4122
mpYeAEo6RfgmYplXNToe42YjpxWehaUfSLIbD5tBBkqWUoi7jZF7bFydFT5g
TinQxorNKtNAIaeW6LmGi5+buc9zqSoR3bhLVcwDJ8nYls+WsAWUVNTKbPq+
f6irvTYenM7/oxcvTk9OjwHk2NSxbrsAbJ2GIAuQC2GebOYyazqkba/gl+1F
0KxnY+nKnhq36ZR7bfVH+N3Qa63Qx6g+x2fKKoMFGan/9O3pbVPzEavFaLN7
B3+h8tvX68wn1g2tBGlsdWQ+l9hVyRJYaE2rFTWpVZRpvyY6LTkA6ogfSid3
uUzcWzVQwTLaEKxvzingXmsUYG802DcjmFhZwVliP3FdbiaeU8Nu25AkYXQt
UWtpXSd1K/jyGW8TQsr2azVwuTUfVx2nFaG9aMNS8qfFqeEpuNdYXSKhMuDN
sr++Umu6cLDFyx5iX9gjkd+fx91B+/XR8yVLv50nGq+JNRPxmk/p5prriojq
O+2OTeF81AmqyWQZIPIPUDNFPE2MoHnlrd2YTKdoWCA2wmHTASpgyEdoeuXO
3WiAqMWqZfPFjPN46I3u9dyWWi31dzC2WhwxnhIdRW5WjkknwOGbeYLioBKH
87LFnuuWE990ReJVPOS258QvwynHJ9hHak+vcfqr11YRyVaL+MBGqT0/i9ie
DxPc7DBpz+ojtkL/RvJPTUNk82tkuDa/vTY7jtVe7NRae8bZL6cpGiKxNTjH
qELKelxycWqA0pXYXvjTCwZwC3ftkRUIl7K61UuutxAHf9TReMyywgMctNrV
OtnF0oTMcdUHjVrhnQjsggRoNffhGpsgY5kr9brbsOdauSSfuuEr5XICkgB6
areqUcOnSbCP1P6xR9YBDETKjK8yaHfcoJJUxLfJCTrHzropGYztxNS2FQ1n
GEn8rkfMlp9yV+O5XPQsDGGQ3NbNziIVVgUIujKU97RemLaOMM9U420sZFhf
fmzVVtY7ZXs4b75abZNMPA7G8VLQQuUb5L31OBmUi66n5UmxdpMtPFGmcpkh
KQq19ZelzQQaLztENpfA6nfKng2narhCwjvnF/OZgzwTGqNbckPIbFlC+pFl
ZJI5hWQ+5jiiKZvssn515Dl7aeJQ2g+zNcNxdUxzcCUKxGt4dBMn1+HoCrcT
32irYuaX2VkR87GuKvR/xOmEA97FmIWCyZgEVQLuUfs9L+TsvNniYsKg/3Nj
k9UPByaUHS6lvi3QbMMjbJl4M/eB2LBfTLXCOy/eWCya9yVo+E7sFLJ4Ct3y
veiEUnvLW1PSiIQkDEkdmFJ7uOmmN41tI1tRZFsz9ionUwEIlyPaXSPns92d
brrA1H4XCVGHjXNjZWFFK5SLBrjcLKsYSevpT+0GF1szM3gfx+NLTJ2mwMpQ
UIsvQqS25qs5/AFkomDlRAfQjlJeVFyplZAmN61fUdbv9qVPAJWxsiqlfdwk
hbDgbWIMPHse8xtzBp0OgTzlPJ9ufXAvP2tG/iV8JC7L2cSpbynsxK9Kiy79
AGqCMpQMIJEB6iKrqwr6NCWKyRGfrx2oGh+rpCePiyjdQILHKC1QUajll9+7
jTqI2aYCZQqchtnorBoTmZrgX1fyVKMtN2wJMz6go4S0OwSHUtrKlu3z0Upm
qpcGPxT7uJgHNcInhOvLzaFdteaHa245U1tnWVuaXtuUbaeDTJ1IxM7D2h9c
N80xvMRVYEKX4fi0qeulFsx5wYKAqjLNGMOIGQS5eqVUTAvEYjJmJyF+ZU3q
o5Rf3ts/dFusxYOkmwzPc2NAlUepSXC4L7m1PSGC5jslufuYbo94XVobOuVO
8S2mNrJiRAVGwJQiCjRXjbcguYyiCTpZEUtIQyXFbhGATOe3QdRNRwlFzDnU
M4falR0gySdYwrutkxE7cmb9klzjlXuGk2k+OC8bfQ/ntDt0MpMXNz2URQgd
UQeZBV2HgjS2Z6Grs1oNKzNyW2kFtyKhIKkgqYvfMjAdRf2pMI+Dl5TGuOTR
dSX8lLOCuVamtBKaOvzIsjq52AptSrfo2CG6ZDfxYpdBKaRolBbwv2Zr5vbE
NP6COYzApCbVyvlyoySfAdlYfRtjLcU+5WV+jX0LjZPCScleCQIs8Spp3dJr
VgTAPU5isDkcJbUZDWSBE/nMz8iQ2Aonvm5OIkyjCjt1aF+tZEHHuWEzU25H
c6zL+UnWi5Lw3YR9JizpN9qSmr+wt6GkYUgrVufOjiUv1CpWjulfY31M3Iub
kzJnZZWJBa2H2Zn4ZPL38KaYAlWNyIejetd4bD7P4PoNcLNgF2NaAEfc+sQQ
zjljyi4ZCzqeSQBDAd/LEPcrCUgSiIzgALQg5Ywjg5d73HbOk4Rm2Q5TuS24
I9JnE080F2CoN/tFuYj4ekBxtttphBVvNxeXcACVJgPVDzkDN1frqByGyW6h
fQ92TyNDoxSQyCLT3vyqXgfj+oRJdb3q6wmXRfkgevYzszTbSFvTUAN8zEUF
sbR6i3CNr9Cm3iaDjjryJmdpyfXeuHNzgXSCMa99Za+xV20glix08pxbSzWP
U/g1G6zt0iV+MVgRrthqtW1rgkmWv4IlBfWcug8U40w70XFfQEhKLt/iebpM
IinZYuYBpIYUqRHDDzEbAGQVVzbKzTv28XCYOO3mGbV2PZqsqNY/AjkEHkVo
24pWgmNjwpNxaBXLIIc1LpN16uw4cS5VAyJLT2ECN4kfjmzokHM/AX2tCabN
PcUoIpIzKZmfbOtO7qoLezqShu9Mg3xWUmoJjaVHkG/Dp7GkU7sTcYJrZqrC
hAuIaCsUwayUcViZVhtJpM3KIxJnqIejEvGnAZIxlMhiHNmVqIVPnpYB8Kmy
vvOGOA3TCiAKd8TsfH0E+yI3K9EX9/4RIfWLgJbXuaIzgscQUNoJLdohTGPm
n9PKJuS0wMttT7Id2rLOHxlpKC1dmnJTYB2hwVK3EDObN5w6Q6b2hMcoMaiC
vUCnUvIr8RL+96RzoHpM0Zy//lIBcHn7ege76q0UXrRkIJEZs5b9LfhhztnI
BQfBXcrecE5Nq+9HJUbtC6iuyaBb3vNb1joJzgPP+L+72AoCGCBok2MJMscN
0apMZm9XqEfgJ9BQN8TVFumsz/Gu1FZnwG9Zp0FwuOmI7RG6oKPWR7d5FHgV
fI5UmXtJoCLOHC+gHLVElkUbwoBb4z9WVZ02m92P4fhiPjEPkhaefOOsib8c
cHvgIOFgtCbKlaR1+20wL2MnHgvjbBY0fW7apW3/3F8sJ/StoVJ8g0tNnirF
/eJY83RaDnO4jnoo4br01C84I506uQWIKKguiLvv4uLEnHCK+paKKLViaAba
SlIhTJa6LMurSwMAmpghisnZ4QKKc1fdqJThlTVRf6lRhpqiahlIjjN1F+bg
1AT5kAeDY4hMaUaF140EOtdj9vLo51+/U7PaeXp2jnTZsg5sCEx0mpdu7zQz
JaLoHhEWDib5Lno+FmRct4c/entH1xhyWqxB1pJRAzu2wcv6U9SD4wgoPk+k
9kbFHcwpe4XTSnzCJ5vY+j9nk+m6ey83EYIzbOr2GgsGGlKnVKSSGmmSgQE5
17LXgHjd63Rfq8OH8JKdP60c+6ufuWfrynL6tW3vu/LdxKHKlTG0tcQFcT3b
gPBRnlMpFfaeo+fedCgUsiL08Y5x6WaKb9Q4E0dN8W0qsmpTBn7Z5VDfZidJ
WREy9GMl7PEWNmkBhskZXB6gynPYqJyNSWiy/88ZWy9xrEn8Np3MJtbhJ0dJ
C5lp1EODxOqCCxrqB+e5TFML/8hyWzXR22Q6K0uXQnSTTNep5RW5AdY18Yqy
6jqoiKZkvJ5lxNnmNT/B0+ZmHmgvJZRrlQGn2WjMb2owveT8yiZZkl2kE3IT
9iKfFlrWKqPQpFu3omPTz+mlwnBLC4TZZk4etCWpHaxkWsj5tOOdaDIpc5OL
lAJW3iTJ1Fgv2wuiCvwidPg5a4vKS8X2xTmVZV3OJyow9RPA14z11C9EotRG
YdpkS6RawB1z+3Thke6I8z65f1agZmybSdcx2VJ0Lidwisx1blA8r9HKizml
akmY7LuzkqjUvxJfsGNoxG4f7fDTQOypQNMiE6MGrzNWmoMi93C6T2DOOfU/
BAIjOpU0djU8O7j4Ljg/qsn+YpzwbDZ1OhDoSBz1nOFdPWPTHV0VxlIiLc8R
02xLSsbxFA8xDCWx6oYU1fgXKCfMfSm8vg97jkRPEWrcg61O73NnMCEUQtX6
fZO205ErGzmxolhETYzDcP6YaGyuBFX1TLnj63fRUwzZYcFZk8mYm5BOZAs+
FHjnOsz62JRJRQePwHDs1E41Mo+ZWbRk4ztmPZnVZQyOoeih0hT/OkjLwYzc
9ZZLDc1nwKbE58pGAOqgRcQJrHJgW01Mx7HWiw4X/7Lpb34LdzJ+O1V9x677
1mhqZzn64iiQCGDDFvJidGH+j0rxBEMaNH8PT8HwIs4qqfdcc4GwlYSaWaca
gHSRZIRSxbzJrIbB8YThiiSwDRvEJ4Upyf4fx/twtIekST44TU/2nwBPrS7z
4o3NfUL7N+fldNn1Qhtg46BZ4BVTC+i7ZTpwVuBVDr4WkjXEka83Jwvl6MAQ
EcsLFJHtxwLMU0epkqieZ8QExU/VRyUR05RWL8iMITgi1JUmuGUd5K4hZnDY
h9elnRVZjCmt341gxDn9eCMnP05sqVQufjrFxWg0FS2q4ziiGojg/pOw0cRc
GmDVzaIPt+5u3RWs/7B9lw2j9SoczcWJU2KCc1CBwJj65Awotio9y0TEp7jP
JlZNqanwuMDU4SYY51dWKcTwgS5K7JEfwqCHW3wy+/lkMstUlnoBotl5Eg/X
1g5RJfANOloxjBbgvpXLWxoR4mmPcj245Z1MBosX0kpH01mAbxhcPreQA/rl
ilxgaTSP96iYBRknAavj4TLvcP2COti36eMlhgGawTqSvyVYauNM7WM9src8
IMDhsGAE0dVU3K4w2EP9Qrrn2nxFx7xKUxswb1sFYDFUHc6o8iv1+ha9hqWU
QqJo59kOQt0/MBxiJg28R9wfwuRzOinOwYlKGyEwzMV3wknHVXA9pkrPleEL
l6LocOGlljxVU0xt2FUQujbb2aUmEdwWma1tZh+/IA+NxvEZvbz5taGXidcJ
AnvhxHiSpFuP2EXD1G9JkUcb22+xXbZZG1tpZoVWv3W4RRNfXG8G9LNcSuCR
LI/C7JXvAlCm619zdmOMDkw3XjYw+6MHWiZ8mmRnMMMGMQuYc1OPwjxmE/A0
SzVVw+jIEYW2ApvcMOap5tBJamN9e3fpJO/cv88He/G6cdWK2/IcjVawhFF6
hjLCu3cVRaYrQ+5KeBqGxWhqRJqh8aCjbIU5iZoUwnwdZ2DoUGbJh7MB83Ux
l3B6qNg2RI4g1kibShyu14ke8kzK2raiPTFxWhamEgSntfNjvGALCd53Y5Tu
uDiQO2k5SDJQl3PZi1qRepGHxC7Z7D7DUoBzTQXLnstJ8gcLds9sBOPYbaNW
aRqm5+ikJsa6lPJ9gD7bHWrU6hkh5U8qObmPEeopWCvARd+khD8UMuaeBXvn
/Z1LvHL99DkPd1rYNHuhiByYY5Ae5e6RWWwdUh3BoaiFmYDO6HX+14KPpfDw
XroPERTvtVh8TVR6b3pvNL44zbGlyXsYpxeZn/fR3Sj08z66H/wcvnjI/13T
3+TjXi/8eG+nZZyduzoOHE3n+R9aHg+OD1/c2+Zx3u1Gt8JcKKrSapz8uB4W
OaONR3jgN9fhigFx+Mf1AbVrXP/AcuqxRuqcYtsO27WDdFlWealXh0b0dLG9
hxQU8Zp8+P0/NOJEFSvb3cNNlbVFwDD+L86okLVY0m2zXQ3B1RLokoEIVKYl
RLG0fjqkZjPA34EHnnhtepx4JDrGLPwlVuuZio6CAkCGJWr8Lh2aDeYF+/n9
SLpYEmQcuaX8pU1HIt1wbJcw69y0EQ6uZc9ZfwqsK2kgwMhgtfOGsDMEXNEv
0K0hDfSNWLLxB9XuornrS4+vKC7Ibcjimjo4Zl3YsulIgsT3d+wI8zenS42h
RqS+cL8Ycb+Lm9E6SzRIv15B3RSQ5+1QemlpnuJBKXb92LnrMslk9LmP06il
3qxj2eY4rUcNwzFMaW+E7VWRdl/GMOh6s49Pa68djjKa28VHa7GmoAVeIN3q
vMZ66ZyjYVoAVWCSHGdB9L5/gFYS86hcy22LRpNViqBEAyydXKTUwYr5kcSW
E6W9osFO9p/sMx6ZKE1ukHHPU1VYfrFukaZC1aUp9ImyfubL+jSTBfukorrw
aih4AjyUnKMTCg3QOO1REZ+RwY0FWwRxEz+cJGSTIaw8/H7nnuSGDPR1FXnM
nVmzu/MKmxGtxhpZDs4H3YcPd+6JjiWh2eqgkbRAEzgKT8MTWtuVhHmMGxvM
JuytRD5O+B04C9T84aaoMSeTGKUQr2akGgJHBXubrtxtckx3aftspQHLRKfZ
S06S0GRv1WKlE3D7sXxUYS6TCJS21Ns8P5hRGMk4pKtwPMraupmvGzhKWPMR
FT+0ts9MmwwHo1zGUtNRacmkBd7FqBAjXDpTxOy9rRzXouoSzlPar8Bm4TLv
Fn8TJUmjkVx7He38uZxNf7r75zv4n6gLktKP0fdYto6JZ0Kl/pE7kiOisqTB
R+F4NhY1Qos002FQagCU0mGTlAT909+e2G5QTSXrkU42h85ZS3OKEM64HjTB
iCZtumZzbgrtsPuaVF+qyz/m7bPxPHDQqRLqkySTLkvW+keTCAIyDQ/SqmHq
bxT/uduLyF5Jbl6RrX5eylCO/KLXOlovSYihUlpwtLCfKo5HgZWm5ZnXhNOl
OWOI7Kf1og57nHCGPA4Qhg4hN2Lb3oBSlLnv1UxHtHA5V/X5SP7agIcTUU6u
UpVx/EKuotsGQMN3biixT03Pqs4KX5pzFViBFD3TFHDkrayf4NHKuc40FhP2
RDPZcRIENIu2dslymoA0cKN+SSjAw5q6/ZhM0f58g/Nk8EbrqSyYLTQTOvd0
trZJOBrEljzW0zWN2dqC/CAsKtR1Vtya2gKSt/AI3Slj0AdcS966ULlWBvZf
XKfnNzkqSgr8wnSY9OgU4Lbt1pGhVtyTOc78iv7hCdiSIB1a8IwTLaupgwzB
tB45Kdz6CgM7YNI+NukyFcC9FBrrfzWJ0mklsMI1mQ4lGxY99NLEWzuuJH7i
S1yXZBFiDk7G+AVyc1AXGg3zNG5G6rCC/q6KLHjmVLWdJZTfdrbJy1WJ+Q1u
uNimdXNcopfP6VUWMNUyHH9KkeejLvw/GhJFqqCbSPPcGQinFZFXd1MyvM2S
Qsu5ESbBLtwTrZQpM+phAGh5FlRHeADUu+uFNWt5wSy3SRtabGbHPX9GroPm
8C3J4eNobwbqSaGt0Q+wMunG4d7BpqlPmkXsj8GX9g58RwNPXLe/W/PqQ3Wn
ceVk0gDsIIJXUvooa4uicExuMT4IsvmklDg2eIS3WUVMqnyu3cMRebcBOb++
BgErGd92jdAx9ytHaZ36VnLyhVkWv0ZCZOg1p825KsoqvxpUs4eV0aFw817+
+hr/Zh+7JsGgyOXBSqJyGmexUEkcDzFJ7NGVl+QBE5uxZWc0wsXbCI4kIfnS
1Co3yQAaNoWB6kxlmpQtUokUAWefLlrwkzFl2QPPL9jl5wbIUX4MBUbwYE65
NBGOhc0qz+SKELgUH1ltvQrYgUD7X1F+WkrWW5Z7lQ65649NbTPA6JVlw01I
DtWyFKEN4/3ipGZUDtGIU6935l48cVbHfmN7NdjItiwEok9pAXiUt3yPh1jL
VQdyiROvFVtYb5eMlng3vY9+JhXIMdsdEC9j/ehz/qDBce/kbwjC+e3b6E26
t70pML0qNc4qrSHtdY9c7XH5phShTQNkNMSMD33gzZ12kt5yYHr+4vkhwbS9
zVD10Ms1F6YddqHIX3cJQst7jHTtHjVj0VMO7sFRx9PjV0+fMkw9hal38zDV
jrlbRpCaddn6OAjTS2xCSDDtKEw7nwMmp0IMzrJl8WQNz2yeQpuyWJx/5qOi
KrI9zkfecQ6Ynv+uWq3DpJmxlt7p9lb66+seH1/vUAK1s4nXJ1lctllmaCZO
LxKybmfLTSB2tubD75hkP/ka9v4hwuSnWMicRewEFkHHCUgBSfhaq9FSlddY
yt32ApWcM8OaT14rrq6KOwb+01wDUzzEBNB0ghwRF2MysBrIiccFYOaKqiS2
HMFU7mzRUuh+ptBafIeikW52d5ABX/+cUGrutfal2YiOS6cF0VqCUM7WDkqL
CwPkmThlkIQyv7zJxUOblL6PpIlKHiTDbfcHMMmEGxzCasMjamA3rp0A2Obd
j+d4NuaO4sWBeVxz8B0S+M1ehRnTNce+51rrMNGXqcfqCXaG0LJNjsyeLz8H
0k4jzVOzziA8Q2gTeNQqZGP1Q7jsNspNkwZlCbSOJiea+pEBpVxGlrfT1JEg
VZ35WCLr7CjvRBHTRZG6M6/U+tbKdYNbLNk8INlRtbYlNJHwMT61aXhw4cwo
IU5yQY36rCX31HURrNQmXgjupSoWQZK3eVInlZviTUjo4RN6GaJBDtYhvUBG
7nDIh0l9x0bwBLdRaa2BqF6FxPIrrURmgoHevRulZ11rBpAHuj22nKj8c8Sd
2vPCitP8BYcuDENqG4lQjPwNb3d/xPPBJBomSjuopUuTCa3barqXPz6pCZ22
xEp9XqQrmPgxh7d2QkTBENj1NiEg2rsJMPaMkaxOJOEiG6bQUqfetTW+jB3b
vFQt9dQFk/7eABOp43/anyiOy4uzNYZo1R96a80ib9kfs+GgLFz3533zXTga
r3u70cbpo4PXT/ceHQI7QsoLvfun7jV/fgrMqz9GEV0B5qV/Wta746+XSC30
7p+vu+A/LV5vOHzo06z37nLr/aT7G47H+uj1OqeSFNYWTq2K66GtMilKq18/
xBqE0b/Y5NEUQviSeMqJyzowyqqgrIxuQ+Vd9VrZ+VqvlbCRRQq3NiZCAWfF
e6QhtAfE6Y5kwdEl01C23IKyweRtVJm1orQY/j7qkqldhGXtmnHwGcZeJ1h4
VFvjmRxo07XCWmS/XUl/4CuJDk/o3d/hlfTHvVZ2bupaCTH1A+QXz4EJLH3R
3OIIs0DgGgOBkSyUqYqxYXQvmUoCGj5CfOicB8DUWDdirVEX3XiVbj52rlF7
03o3H2zdWxAv5BjBsSS4gEnLr4fk8VLLxlpZgSHd0n7UTJZnB/RWvc0i3+x+
Vp0E5FGqAsXIBB7CmEEM6lmYltcW18cuVi1rjfWVKT2nhFuY8lnu6fjLI9O/
Ztai7agX7UR3Yaj70YPo+4ii5TG2vbcdUbA8Bsb34Fj27sG/+xEzrEgTXvhg
A0+o/1934b8gT+u934b/O3//Bk57hr6u7Tn/hvDPLRAj1j3iUTcEz6qcpo13
hfg85YYJCuucUp+PpulFZD5dW1uDDdDcju5PkR02Kt0d0V1xFxNcorPS0kEg
Qu0kwNhvosYNsHDc5bl0A0sIw+tB9baOI8UEP6TooG/w02iCdYgMPn5qubJC
nyrAb70l08ZyzpbzcdtV2DKuWVxk16MbLYPr4lrJCP63cWD58wbFy+dwmn57
338/xVcnvJD259faVkQzI0GY5W9tbc3BQPsKDGHjaAYLwQu6yXD1fqZgHclU
rMUwswOfL8jZNClSCYw5mfUpWoa9nHR5ONfZnFv4afqmtRf9YnbLGsXQCSKg
kLBGpDZGpEZZknBBRg3GaY3R5mZkaLfP4F7mhW35IgBVdGrkwprLXmJuRWkh
eDBjICkyzEF7i39UoJhVwIASyZtzk9ElqokV4eBGMKA17Th4h5JxeZeNy5Qt
m1biVaqVZvJYEvbY5nn7V6wrY8KZvPiWDj//TkerY8qcwBgcKGIigUG+GKdV
2YpsQiLixM94fEzBVxofkhelX8ypxBbgQAOiX4o0hrWkwhjFuDnFeanESqVU
6JqA/8JVAP8rLBF+w3+0OP6Utr8dzVI0GZZhRufodPeUaNoM7ZrZWAZyfsr/
vmkXzIcv2E1xlXOTmnNCe1TLRTIo9ZuRiRvUCZqowxtrmey5eFJ/JKfRNnba
hB5jcKv1X1J8KxNASy8Sn4JaCGE6TeJifpLlnqnbarfTUDjfJfpxS2Un8gY+
loCPt87TgHcypWvYfylGGNoK8sfhGzaRNQssrI4wXYzdTtsxAD8//VkradL+
yeDG4PPshX69ToXe1s1S9w/2zFdZXnVRel6X7HM09I/r9TTJZU1R311iAg76
TEMg9T1ptRGAznbX69++vcWv/zW9oKSyUfoWSOA3t2Gfuyl4BLCLgHUVxk52
NekvJju61vVTjUh2K2rxfDG1UZM69sT/BACfBJTozcaZ6ExgnROXl7uE4MQs
NifjkH/TKQDZJwcPYgDqVEL0O+7ElCDTJ6xOm3iSvp6v/IZaydDOKQWN1BFJ
FRT+c5ZScAE1UhDeaRM80BaH/NaJc/S2MnaLIRbJaIw5pzQ5b6bUd+WKdvhr
xxlqLJ2OKHjWzcbTpCNKW4Ix36purdHXgmqvUfzb2nFd+TgZY2RSyYnSfnPc
1LnUg4QnhYMy/FOEnxNIeoaOHJ5WTtMircSijPNhAD2p1NQtJlqnhhddKS20
LvM41x4FyRgO45Sn98nbbDYF+DD2Rx52qTOdG9jaMYmZuDGm1vucs2C7hbgU
bEzTAToWk4Pbk702aFpavnFtnngeG25oCO7SNHcFnFrSDW6h87W7k0imyug9
oqvfEwSJjRJKuOEtAHURFykFDkrpjiFGtwv4rk3oOCnTIfUYdou9smxpCVQg
dreo4BflFcSWqYUdSGesw22SFsiOjsWENbVG0v4M/DSnyD6afc13SD0Uqblb
pYdV5ApPTx7VQ/W/37pnK46R5WtT2stLBwOLYzW1LcuQudgc1cWsoy+4B4z2
hGI6qIGQ6TSJVeYkE3wdJKCtt1uT9Y7j4kBatCDmxj0SRMxWdGDLkg8TZ7uE
S+tkWJxwVmRM4n4NmPphykwRp3IlFHWi6Rju656tCESFxIoZMIb4Ik9R4oVD
fzbDsm1GuuDR27DOGQemVE/MfD0ZjTDgMKsW0ydmpkRHiEFrKkXz6kyKoSaD
bup9S/3nZ+UH0IOLBCtip1kxQgMvZwTkSFvR4TAF5O8yFZsKo5XTlAmRkcTa
/4SLR9Kr3/9wb8eeL7j3MATNlEZxsjIA8o1HOfCfYjqW7h9+h5kdW/cHxvzw
YXez1heqSFAKliJ7vGasLEmFAvxFa5z+Wi37RgJ7cEwtBcFCst97EbSXis3x
a/TwEWrvWVJ1D4p4VJlqYDZ4lPIC8zIee6r92rt3fzGr2YpIQqzp7nWwiWKc
JaflmqunYO06aQF1dHj6OKLOJigSDqjppNtbOcO1n6kle4iAl7LdJcDyknfT
5onROUp13WiVWUMf7wUcf6wc51McRWBZfywVpgUgQZfh5E8On1pDGGEuL484
y5Hc0WNhvafThLPWQHAVM8Waq8LIXZgMI6n6BOBSufyZpPnBdIQOSuJL+zNU
qrbWtGiUdoPJOIFISjChyiWuXjnWibSVhwfWgC7icc6YMNnhDRqjWzAtolEC
xFhglSVgmOQyWKOYouFFKnG8Fs/sbq4PhRIQyHZU9GPPVfZcEgIGS8RBbmqu
X1wkF2lySU5hWBSanOC9tbMin01LJZizjNLPvXRXbjjCB1Oc49rDYa2fZHBY
uHqCdNUbUAt5yUGKrzgNGE8wTD/UOmDI+RBPa5iDXKSWWsi5A2I+dVWyc01i
8eEbZCRDc2BF4p0QYgGvnOM4m6pI5tCmrDriVa+52Uw1iwhFduEVC8sDSebP
f8HGsVF3Z+cvP61Rxl+Nsf56q9fGVXsfUHyTskMkk+fFWZxJxt5udHx0cohf
g+4NOMMLO61mFbPFk8tkiK1hHpEE6I17u6SCnbs25HI/HqewiCydTfDxPUON
cbUbnVfVtNy9c+cMLptZfwtujztF+iYuMBlxUN4Z2HfvVCAH32ELxWvK2MDR
nHSk3friYe7/ANp3YuRJOLBDsqlknPaLuLjqIF4l/zkAVTIYp9My6boQDfyV
NRDBtXOoFW5FtVF3o5dIHVg3RIOPa3xJYwoFkNPzxMuq4evUZNa0DFIPxZDB
Xtbb2fmdS76LfsZO4VRZk7NS0zHB/Bjvxgv5rtu7C5jE8kyl1C8eoNsuO9uN
DhlFWDiYmRgV0qPvExBCtqM75pGXs/4YBC/9cmdrW8pvwRIGXpYCECLRQ/Tk
v/732Rjzk7sRU8jWeU4f/HuRbpUJ19O2h2UcA3u05Rx2o53tnQfd7e+72w/C
B2Wn7aDsLDgor7KUkFNRHZBns2KQxtHGyTROs80552NAB2SpEzEq4gzuxzEo
YL+d3bEvLiD+/Rrlz6Tc44xd8UvSPU0wuDMT2+CMwgQ+Ibl/KvKuHaebIPjH
xoy2N8Xq3EjHgFai6XZ6fsy7Ocijp//1v2BHu3/9r/81SX4Duh7pN1u81f8+
m2wl5WqU7dVhdqtDMG3jHQr0fEC+ArcwlOpCTicDW2vKlBwwPXPnln7WFBi2
Fpf6ba1cBcfvgwAk/Yttc9vUtIbkIoXdt1ScsyQzOF2jx4f7L549O3x+cHhg
hT/WZkWzl/KGz3vEN5/v4FsPTSlJt8ECepnYQeEMA/TDvZhFd9F+QByVkPdj
phW19bHOxFVK0Q/DFXZx7LNxesYWL25VjpGMoU7M3K8gpYRl7S4YnZFJtRXL
1OXeNB8ZReOc+4ChapFEG1zlSgr3xNKqWWq0mBxjLOefcAnxy5gygfadIpls
qAThdwgyE/pvhvlbqXyZ2aqGbp1hslXC2eGiLeMxi/XURtzik+S/czTsZ06Z
iDMQ2wpzfKWmz44U9dn4pcMvb0ZYL6bUp1l4VlRREKRb+rlOQJuOecTQYx9b
1HK3sliSpkz5eO4KQTPyFpksN1OoBrCrwLi7TCyXd5J8nHM304vs3MAKrcA3
xAghwNSmtGWeQQHobW5F/0D7mBbS1s1zW5E4O0ZnDwGtVnSN1lJqBdXwyajs
4ifaZY+RTISJZTCunJhTfwQtbIuGT7uHdnOcivT7p7+8fvTixenJ6TGIbX4f
9lAzekG+B6MtcYGAcp/TIk5NkTQ0SovuXyRaHY4QBycDS08CxjsemwgyGymY
1E+Iq/jsw/BDvi9TrPsCqiUIFBp2pSmbE5A4SL2RaWxBl62ofkpZBYxTeTwB
kqF+rDU9jWBHtUTrH8XM//CAmsoudh1udylSeWJxK0tVMHNg0LIxmbCGCkDb
gsdYnWZKadYdZJyobUkzbGx1UV2hD2GcCjtlzRbYK+i2GVrKHRtUeVViYhQm
zXFmcJ+dIgW36bQ112QzxEejkDLZ611mfFmxw6SIK5mijsrEmD+NUEdtFry6
DtceIBR+rSZbnkmohKxOWsQTfTZOzSy6f8Zcv4Q4vFfVGC0S2eB8EhdvaHFC
FXQPU+UrseLjsxV13gPRRW4yrJRiGmQjzqgmvoT/CVptN7800KyyNAXe9OvB
OMH4RnKN0O0IqAfpSkZjP8GIeDDf3djvAItbcUJdehEPrpyGt7C9xKCSwi3+
TFsqxxwbmYCgBNiIx05H6U2xviL5AERvPMWau2uJa9QU9Qu5rE0Euy37ZgUm
FmOkRYpx8V/BsQB1aNBVSkApxpGypOsHRU5iDXUgdHmDnlJ8S1ttAJ03homK
q3lVaa0TSGPMZHoOTACYFyhno1GadJ8k4/EkzrwpyMfF9451s+CS6RJBAZfx
N8i7ZOnp2JJ3XGc5DHjTgEUt1fpiUGDZYDn4ODNFmCuaaPKh3IGh/bDaz1LD
q8DUvzJWI0RArQgSl5XSukN4MKS8nhUWBC4HktK5ENxWFwofhvFOZs00CVOQ
T1uiJNlFWuQZx8IWiXu+PQd17pdWrHViirkzvD3K5MAyHbMsy/ZuZ1ocTkjc
78JtFVyyUX/v+V5d6zA6dZzFH+pVjtTB12jvSTSBw22Frfxi+9XuQrHybWu4
X3/37v89OXz6+MOHdevZwCGsZBeyomNmfSK+HeRNIPGeFfH0nMtpCUt/jEFZ
j1DsP+YGmlewSKqyhNjpYnhSF737GIOOKMFbsHwj9u/hsLZkbKmeJiZ+Zb0+
ybq26bxyb8P1fYezHx+enGJzwkNLHWW0sZ8fH25iyBjITlgeyhmIDI1Umxxm
iF5S0aCcwoup7I8fwfvpK/5g9XPxulAw5jYw89nZGTksMfj2UEPDuz3Gy3u4
VrXRbCgIy6nk5TZ2MbI/p195AqSJtIsednv3CShDQvWq6fStBWpndaBgH4tV
YOo96FLd9TpQvfs+UFxqnsDRj1ygWAOwznlzSZtitNH+i5PDKO//E4MHlt6+
GlAP/G8tpu6ujqlRjr6XFVC1c697t9cEaudeG1D3rgFUOloJprs73bs/BDB1
d6cNqPvXIPT07UpA3dvu3vs+ABQX5g8B9eA6pw87o60E1sPu/ftNoB62AfX9
ykCBPIDazypA3X/QfXC3BpStH0W8X+yjhvtrbPax02S53t2meZMESkq5gUfK
wTtR42Zhib+Mbr/KtEHYbXoRLxhx73vcHq7AHkjUXLjUqC/2DVsQrnlTeBeF
f0XUmXnP3zgLXS05xP1rIXJtator6bq6Ol5vST6ZEAhXyrZvtF7ergQjHRB0
vbVOujKyvbIbs33Kyx3Wp8l67TU56xKMrRO5tPByZUSXhdM5UAbjoHvbW/e9
0p4eVg7bpHi0y/DFtUEgbAZFHUux76OnWECxQbrX+amTu631+D46fXTQ42eO
GrV1WL4M1KxrlMvcKDfncx6TuDmX5SxPC+GzgqqO09fi1fGRSzyNvgxzyOc2
PXE7su/QaEJF/hyl3Umnc0Bf2jM8fNC7Tyl8XRqhnAFZvN2NxDvcjfZZsZPS
yOMEVAcMs8CvTjzBXw804HrXohqfOxYvhufCATErkY7ObpeZjaL6cTN6mmZv
olPumrFXsSc0iaSkoIMy0zpmDqrmtJrQQ7cqCM7ZmJnoYv+4XIsB0S7wHLse
pPS556r0q27zi+YUefjHGsa11CSTy/qY4xY53xdUr3ja5VDG5VgXR9r6uteC
udrY19y8DZeDLU4jlqThuYz9OwZnl0Db4mSNjR82t97WXcIEOn+vV9KGCeR7
u+kg+rsW/EfRSnksvbsa77kgBQx9GXR1kAmAS/SKuXqSDFNOE3IKiLMIQ9Hr
moPEGCVMrKMRdzbJKCi1hhRJD+Kw35At4YX2qC0crqk9ZUu3FobEDxoDQWLt
Ax7c2AA5sbWVMXKKLEVZcwj9em3tz/3ip/at1bSm5bdXfGVf+RZLX4+P3+Ov
fn+XlOIdKdxlUNdBCwfD13FFyXPr3LVC6pbh0DIRu7a8qPh1h+bc2TQCAb2v
w6G2UVJRiAL/hMaQwXe7EQbPoZlQikmU9aoCEjHKhe9suXa3kB5fHNIMlLww
CeVPaC1zW8VG91WYuBWtxIEvgQ3Yv5vrr+NNY9/m522VC6kdow662LTxe8Z+
j8ZazrFkT+wC5DVBkJwlcsWZZgBlFReVLd0nncBKCdRws6T8Ll2xyfqzfdea
pXOkAwBFHe8uLd56b6FEdfoL9oTYjbqd7rJj+G+h7IXxCSCKHTwFjrXd2Q6U
vgkM0nhrLfjgPqOt8XNC7q/wO1FbpQIQtv+qrv3noC3/0lv8wsozIHZOD5+9
jH6UQ7Vfvd1YZgaA5j2BtSxI2287/jeLXpCNizaXfaHxzTVf0PN1q6cvvOTS
JHwADcowcT/089P7qNlFbs6kcn++q0HZdmgASkr4b4wT3Ms1Q/+/wGY992jI
pnTvRtv2Y/mBDVsTun/06uQf0UbPnpZWGPRHyWMerodk5Nr1rDR2BLP984Z4
i8uC9fZvb+NPr9e7PX9/STTZdfGAH//MofPe9s4bJbj2OS98CH4854XDbFBc
TZEhv5Qmk+8WEO4nByn88cov1Lj6yq877Dzqrv66R9Dbnd5c6gp+/BlQZNn+
DrD9nc8wI2L1+eHffc6x8ij255cdPP47m3PP/8JBmId83CBLsZHgx4uvCema
LPfEnBfCleX+FDXuFdiD1S+KOXCGmbR/BEN7L6+HLwh7owB5PnfJ0xcKWueX
Q/jy8PnB0fO/4sXinUMhnqijowQvCucFX1KQa2GHr4XeSteC6xN7v1a/FhBL
8xa2Oru9Q4EMgzwbpRoQdEdmCF0B82kyABOKLkmXxFZQsqeOHNEK0gHrj46U
Y2dY9AJsQsfIGTfHQOdIQuEXZLP4kljmhTat4ObWQEpaPKgw56oe516iuWJY
UoLeFj1o43Aw6EnTkzHsvRFsKmuVog0rwbTgBSMH7+gLIX6F37TLwVUymX56
jrbywWtIfPMZ7+rimBPlb94BdASO+2dYbI0HrH6d1njCRw3APKJ+cyw3zheR
Ng0juba0uchsEDlHTmUKPnM3JVO032Rf6gR+UeUnfDw/g7bkltZb3ewntPEJ
7X4Sp72a3Y/B+pc2/LVZ/q5r+FvwwhIWKpSHoz/CzQwL+fS8IqpZWj8972ix
1s2Zd/7Hyxjc5n+M9r5rv/z7UrMXCDGfTs9uMbUv0rNJo5pnSZ+rZ1vr7Tzr
/XwlO2CMvxnba0M0UaXzq5Q0QhB9FsFhZRW47dac80LDNjr/hZXXsPILNTvo
J5hhju1r0QxipbK2roUv1I1ji15omLUWvVD75pov3ITa/wXcXy7Fs3ppXwh7
moJG727QOmkYXsOq6Iy4zBUcNDS6YwhVrX7Z2J9l7uIbYpUr2lFuSFFb1Y5y
Q0z4a7Sj+JLBsuN8djtK17WkXMOQsrwi9kUvrJVf+F1ahT+Niap92ptSRduN
YDclOM5x59yQieqbO2eZFz69O+fjDHle/J5UTX6eZ10siICpz2w20tIXGLmP
5XOSIfMLZgGUk29rkE+LNOdeExj4WSsWQdGH9AJWRMi0CgZV9KNqEFSCFOvJ
Y6FQMyZ1CfZKpgSNfF/Uyvc8N/KOVBviWkNfX6jfRqpNAD1ANgptS3aNK+1f
PkDQ1uTZ/AIa0h8mQNCg0QkTbLVL6c9XECDobP+8gTxTVe9bmOAnBCn88Rdx
3DpEfS2l41usYPDjP3as4JIcJfjxl3Bl/G4iBt0r5iuKGzRgbdYtfKvcE9/i
Bl290Z6haO5hkVeaiQkLZ7iOKhstfiH8+R9clf1d2qC+RSby098iE5tc5zoi
gLKi68UlfrRh/4vIx98CG304/wDq2hcLbLxhg6i0qknUzMYvJ6ZOzVmcutW7
gWmVlZ1hbW1PS+/VDaGtqc7N4g9eJCWP49Vb/deNdvxm+1www7fk6Oj3Y/v8
lhytL3yzel4XpPDHX0Sq+5YcfdMz/rENnr+fqO3fjamTFKuvycj5LTn6W3K0
eeFf0wT5RDVKp7RV6SW4TTStbmXw7ZV0F3b47uIXVp5BCe52jREt1kSwcjSC
tSxI19JE8Ox/OU2k3QjMKPtKNZHbTVWELw7YreceEX1KVUTo4zOoInevo4rc
9T4OqSK3V7/i73CvZLWTYSG+8mYDyG8qLbGFVlaF1Pz2UTl+y9DK/I8Nr/gM
UvvKtBL++I5rBfTIZq5/5IYWsT9O4mw2/RpSDa6lUn45v8Z1PTm/Cx1YVrk0
V1j48c2opMwfPl4l/UwsYnkd9u6iF1bRYecxoU+qxNaFx4VK7O2GIckXJz+r
DmtlzE+qw96et7A/og57251h0QuAoI4RUL+8Dnu7rsT+sXXYlWFa8ILRoO7q
C0F+Ff1BwmjmMd5vcTQ+U/ioEZhLfKYSX19KxGxejku+/xGxMzcsh7Rff9+C
Z34/VcGCsTP8nuuFScvoaV5WfE9xna/bpUTOaA0v6rxR5NOpDY+R7q8dblnt
GFCLhNtDYGohNXPA1qt0z8HVF2FL6AttY6sd1H+Ve+wrSyH8Fjqz8IWVZ/gW
OtN84VvoDP18C51pHeUPcIl+C535es2Ghu1/tvK730Jnmh/fYOgM/weE/ujp
i5PT6OsKnZnz+qp9BZacf4HZsTHKIrNj44UbMjuuurAbZbc3ZHa8SZDCL7S+
UaUTbI9XlqBuAGxfJL3sjyeo9ezH8vNNUGsdpS2u4Dq+4psqxbeMrzgMt2+6
W936+HHJc19S1Pt9SHqO4Eaul9+j4HYTvuHfjeD2O6uMd3MNoerkeUMxz0w8
HxnzfPc6gpsXf/Yt5vlbzPONreEP6y/Gb/4Q/uJv7uJl3cUfNcD8Bh+tH6vQ
+Zkkoi/lZv69e5m/VWiovfA7cDLvc/96wMKsJB8uXD41P3O5tvYInb58J6XZ
MJnCjZVkFVWMZR+1FmvIhlHydnAeZ2d8j0mneE24KbkY7WxcpROuv1AkJfyF
lWdd7/G/lPP4m/cY75XXe74SssQMK3fZ8P3HS7zQUC4WvVD75povWO8xYCUK
Cl+CMk/4+slwqC/UlmNVP/HKJscbt/DfQFOjOS/8Ae6wL+Xj/Qpf+ELlCOik
P7ox69wNOVaRmX7sCJ/SPGcY6KOlXqiLuS2N5F4/+tdxrQZayQWG+Bi/6mpc
95tf9Svkie0vbHhCTFwU6UVSbn4OWWm5GXBHbtCBO2fS+Q7cmty7+nnXnwX5
vl+JC7chcd2UC/f13mcwpi3Lmtvctp+TNX+x6Lyb9ifekMByIx7Fz+NSJE52
EzLLt1iw0CjfYsG+ySzBbzY8veGzyCyL1BM85M2d+ILqyVqLTtpu5NFXl+1l
bV7w2+4ucXQD6R43pG4EJY5Hn+fo/n46V3/6F+bEq4RfqOcYLZyhTnRLgeQS
3cIXwp8H5YBH9MKynvefdJwv3pPZNf+2ntoF7Zd717lw/5VMsyu7F8Mff/kX
VpB86zLvFv18sTazc16YfxfexAxfSoz9FhlHVhs7w1IvPFrhhW+hdF+E9yy4
bYnVNOPcviybCRvlVotwC1+3Kwes3cwdvELA2vwUhaUMgy2GusbhXX0ZjeO8
0LjxhaKFPjJ47dr2wc8W7dYE+UaLcDxOM7jmj52yGlx7w5vkW9jSHzRs6VvR
C/vCt6IX9LMgl3K+G20ZRxxf142P5WcpD8WNpEZ+HRfQ7znH7/fe1+QmUvy+
+gy/L9zVZOUUvbbj1AiXDXOidnecbxo1BoX6Oha44xoxtataGVY3GoRfaLcB
tLzwLTtuGZWectjmZ7k56QRw0VOK22fIZPuaGggHqzGsrup+kUy2L+9IWiH7
mv/zBcrmrGr//QwOhhvazcYbG1ImEou1lFE+qygPCItGxlk5SauyTVmMbuBU
f035qe6e7yzxwrdT7b7we8hKvBm+/a+wm82Pv7ZM5M9Xt/oG84NvxGDq2z8F
OnosehYPztMMzmD07hbZX7oIddKd8OfdUXo2K5IPLOWN8vE4v8S00XQ8npUV
6rRcOJhe4oLBdAukSJ5wN4zoW4uOJJKBg9meLuv+0xpQ0PEhU1AbB4CnvHfa
ULU2D2PNp6jcEpY6xvUMmYgCTwld3lENpznWxaIZl4MeAWc8NDDxp6XGem+f
8v9e8NRxMkjSCzhBL57/fHj818Pnp7uhschcjMnBDGUNrjkzRo2nTrDIdF6A
NMEzHxyZif0Z/5pHVc5mnPBYN4h7nSVMhX9aaqz3S2HifQ0TZvnRBhyf8TgZ
bu56T1nUE5B1uBbPuGC3m08p6s3h9M/jSjPSGu10LU8BORyHyKEFLrFDhMa6
OZowswRo4k9LjfXeg74VJO+p5wkICrBG7HAZlfkkqYCXnu3WnuoyXuOyhtrG
U0I5uhYP+gVwRd5TTcoJPfXiGG0/chtIhYDmU1OW6dQDZ+5C/6k5NGipsA6e
pR79Zq9CpaDCsYYJSWJSF8HIDHB/ZUaMjLEewhQUngEX5LETXCQFjWLflufN
QEDF+FaazRJ/DrMh4Z+fog3L6xp3+UE+mE1QGXtF1peSLvIyGXSH8kWXzTLl
h7V3u0UyyS+SNCtGgw/kCAVRuUQ5stu7izN0e/eiWzpA7y78CY99B6vD14Al
D2fZMIa5/rEH1AKjxtEkh+txCx86HKZVXqCsnE5gCy8SnLykr/aGQ9hNGJNk
1vUjrECB37IMe0JS0jo9yYsYRuPkDAbq5+k4KaZjFBvwJs5hLwognCrGubdq
K9jhFdx1VrADf9IKDpIRyBzD6GT/yT7sAgAI1IeviYACW4klLoaqIbyYEmgb
sKAzdPeOr4A8eAg4L8MiHlXdNKlG3XJwPug+fLhzT9C86S3jaO/5Hm46tk8o
YhaJNhCGbpGM6YmYcFJu+njiok+1F+M+atoIbQj9/G7oG3Y+jKNk7gZFo1kh
6OVzOQJJD/AS42aVdVz3GNc7Dq578OcHHWyCFT/gxSgeDkkUhFnbBl5EOtEw
jc+KeIJ7FRYkPdC2GbSeA9o2/EmgHeo2t+CYptwfx7a6J4u0c1Cnxw4mDe12
PBjkxZAKrcgDSVxQGZSLNLmU5TtQEdnxTs+EiIQfCrXu53svTU8Pfv8gLQcz
Jmd+Ewi8n2Y46YwwbhBHDBXGG8G5IuF8b/+QhkB6n6S/Sc9U4FQgxF8gSrXL
h4txgAyeQgFtqlAFei3X9mX7B96Xbbsv2z/An7Qvz+J/ksjXHSZlepZF/Vk6
JqThkmqTD53mI7yqRIM36lM+pClhZjvlQ/iTp0RoIyqqxkiLL/KU5kyzrqgw
Ws2mjIZALfBV7Nq50wxGB+jgCyD0ctaX7SOEHjGdAOkUBSztHKhoDA/OIXci
tIFHe/Q0q2lURgeXfHjw5MV+dLh3EKVwc8FBK6uojxdKQhc+3K/dAVA2DDH2
iQtQC1/wjsXUyIUJ9yIewxpp0xmdQD2TWaYWBgCvOE/iIa8qq4p8OBvAcqfJ
AFcwiMsE29JkNPP+3su9R3AbD4G6BzDoBOSLfMquT+Cbj0+iZ8CWzMGexnCs
QbcqaHbc+RiRpKd8Np3mcKnS6DNDikCyyqWFknmdWdwfJ85zBV7JAJzHdnAe
9kMQQuMCDkc2vuJTxY1zGOuPhRsOasyASQUoMSEibHigjMIoByMfD1VW4IGP
gZ6K2aACpRrODPye9mf6MD2YKUE+5vJKWd6F3yaKt7/HhT5bInVmAz7JxSzL
LO7ooKdZORsB7GSrncQF3GRCUXj7UQWoZDQbZ+isoRGLZItMALwd8UgPmDkG
OCyChhwuSkYjIPj61bD9PR+6h86h+x7+NFdDluNtzhxOuRPuF23B87xrrIJ8
BzOx4NnE7YYtnjB4WGyqTPGeibMkn5WwicAnCmSY9ozKCUoqGLiyFZufzyZ9
2FuAE09OxvFI4/Q3eBeHxsqLQmH1Aow84BM8zQkiLEMSwSMwIv4lAUxMXEUC
dIICAyCOQKLVjlM0kAspdPPiLM7S33DjJjGcEP8GeJwXl3ExRCiA214RETDb
sdyGhwpdPQgSIVWEGV51CdOeId1d4fqLZMSIAD2iZLmGsQsbIijI7Ta8goXu
7Z38/FcSgvhWLs03Uu+ywnOIYnJZAdvA3WUT0nUu10X3NdM5LQIPAq9onFyg
jDqNgfHUifP/VnZtu20bQfRXCD9UFmA7tBK5CYI+KJIdK25kQzICFChgUOJK
ZkNxVV4SKYa/pX/Rp775x3pmZpdcUrIdA3qhyCV353LOmSFBnkhw/uoE5wk2
HZUL7YLA4elUgms4qN3cBBvwx7ii2S2QPUMUAaGyVQzGoBGWGBThW67ErBLH
1D5jpATBhHopt8KNq+rY+ZwwulIpAgmoptYRAV8N5tgstTIrI3IIko3N5VdW
QrjgSVVlhSHuyFQtCnjOC5zes93ftHFXbHzi2LiLTUP0CZvRYjstnD8wlnN3
UcJdbiZto/eR8HbCV6+4kA6vE4JRNjRxqpB1aNITWWg5WOLQqPrIArAsfL9p
o7ajaSpqkJphO1U4nUhA8ApHx+W77hSCN2xUv+QV65OjxyzEr4MtaYBE0c5g
WaNSwrWYL+Uq8yCKS/GSITNKGVnyCY0CRdC7/XCpaWTfC0jEJfZyEmJOXJ2q
qdb50/FZC4g3EhBdJyDeYJMDYkRsgKOcD8/xPUSWs0CReVPjmTVFyeMhMiFt
QjeACIWjBMsy5JwoFWYG9r8DTuA/2qJ8/KZRj0WcR0st2HgrKC/LbeAR4Bgq
SZGrShxrQBNlCEJrWSzBUz84Jk22IyR+8UYdQQSYHEvGFZfBunYwOX2MhazI
MIdAIIcPByiBMVnUyRE4eDOLyxEmEoeDbAuxzEhSgVMSpqYCo5HPjTr9uWMJ
+dQi5aolMjEo2barkpU444q8pCoGLrnCi+miFnPSzvCddob/Gps1oK/LrZ0U
TbyGNe9ZaHJjbY+ns7crDN1mBk1kfNb33p4cv676DPgzSmZxEapGfVcv7Ybm
GEa6mwu1kXPuty2oCL5l2wBnHU0yJLNyoFLHpRd3O7xhd0zNFbX8uUe64UEG
cL79aLsQJKCsksFvRSaixtcCZwnCWM++1sQAmYNStXoHdoi4D4XOC4tlJNfB
XyuNIDtyezrUy4FyD0rJPS03iZo3uuKHcrlWgH2LSAeHVQFtpn1gvMNFX5zp
p4oiO4/Aqx5lLoVzpot0Jt2roPlnvlmpF8Co9Ld8p7/ld7B578Sp41l60s8D
tnjcD5HaCqifqnKPjTATp/SYYfuAyjXpAMwLrlEoLfiDn7LyMJqz2CJdBEed
XwzOBHMx81h8WT212JaGqKmxwDQww377vRSrAsOfT6/PLwdex4124dTqzjux
wKMEGgmBOmLGdNHKahJ2cclUhiN9OKceifac1FWiY73YGDlSJVEtzZ7o9L3A
tdJO8512mn+MzXrPypmTKAUGsQp8ubaVXOBlu2kQzFKdZW5lRFfkkmOqw93n
I98JNpTFEBU3r0pSYg545DROn8QWjRZDM1PNWITYOoMklONBClZZWlK+Obi1
bnnTTa7MNcMGS2DgIuG+ONzvRiQzTOX6cREb/d2s2kVcYh2ZdzW++PPGPubE
G2pN8cT1hQO1/Q+XYwgLiGQTd1ECXUHmMMzPF6+1PscqCZY4oBVR34BYvUUG
afGA1gtCSNqevtP29H1sGsJz1QrFt1Cc8G7/883bIyMpWFj1VvS+52hdb2TZ
hDOPd2KFBxYa6XNIWLBTD1u5xCtlvSk6HHOE0OV3QZvmRo6ynVCpNdNFkt/8
3XJy+IWx6Ix0ZP/Pp4Qz/vnwJft7vRmhPYTYQlp4ZPqg/h/ddkm48lbhb3tz
WEztmacpggJnBuPBljPsjjeMqV+9u7u7/m2KGj0CwvaW2cN/WXZ/f3/AO4I0
I9n6gURtkti/Ab+a/iwWKrf/jYN5gHICrjn8Haj+w/7/Sd8m9GxO8fAPdud5
BmTjfeQQ7P/48C80OCwcB2Rj7LJFSARWgISeYolG8S5tLNJ66FvSDJ7cS7D3
pcoCGdUwVRkGi6uvUE++q1AlrQzwn2hDM70F6vmN92U4Gl1+6cljJdQjUnEe
zQ5H1LVFcPxF/SevPx5eDyenUgj2/7gan04m7+XT1XKB847f8avjJ8Oz4eTw
XC+Vt/8xpVZBsEgVZ5X3rts56XbaPLo37vcGwPXDob7ePvLYP8ZZO913dOvm
f6fsM8skSwIA

-->

</rfc>
