<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 4.0.4) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-oauth-transaction-tokens-09" category="std" consensus="true" submissionType="IETF" xml:lang="en" version="3">
  <!-- xml2rfc v2v3 conversion 3.32.0 -->
  <front>
    <title abbrev="Txn-Tokens">Transaction Tokens</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-transaction-tokens-09"/>
    <author initials="A." surname="Tulshibagwale" fullname="Atul Tulshibagwale">
      <organization>CrowdStrike</organization>
      <address>
        <email>atul.tulshibagwale@crowdstrike.com</email>
      </address>
    </author>
    <author initials="G." surname="Fletcher" fullname="George Fletcher">
      <organization>Practical Identity LLC</organization>
      <address>
        <email>george@practicalidentity.com</email>
      </address>
    </author>
    <author initials="P." surname="Kasselman" fullname="Pieter Kasselman">
      <organization>Defakto Security</organization>
      <address>
        <email>pieter@defakto.security</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>sec</area>
    <workgroup>oauth</workgroup>
    <keyword>Workloads</keyword>
    <keyword>OAuth</keyword>
    <keyword>JWT</keyword>
    <keyword>token exchange</keyword>
    <abstract>
      <?line 103?>
<t>Transaction Tokens (Txn-Tokens) are designed to maintain and propagate user identity, workload identity and authorization context throughout the Call Chain within a trusted domain during the processing of external requests (e.g. such as API calls) or requests initiated internally within the Trust Domain. Txn-Tokens ensure that this context is preserved throughout the Call Chain thereby enhancing security and consistency in complex, multi-service architectures.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://drafts.oauth.net/oauth-transaction-tokens/draft-ietf-oauth-transaction-tokens.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/oauth-wg/oauth-transaction-tokens"/>.</t>
    </note>
  </front>
  <middle>
    <?line 105?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Modern computing architectures often consist of multiple independently running components, referred to in this document as workloads. In many deployments, an external invocation through an interface such as an API results in the invocation of multiple internal workloads in order to process the request. These workloads often execute in virtually or physically isolated networks. Such networks, and the workloads operating within them, can be compromised through software supply chain attacks, privileged user compromise, malicious insiders, software defects, or other attacks. Such compromise can enable unauthorized actions, including</t>
      <ul spacing="normal">
        <li>
          <t>Invocation of workloads in the absence of a valid transaction.</t>
        </li>
        <li>
          <t>Arbitrary user or workload impersonation.</t>
        </li>
        <li>
          <t>Parameter modification or augmentation.</t>
        </li>
        <li>
          <t>Theft of tokens used to convey authorization context (e.g. OAuth 2.0 access tokens).</t>
        </li>
      </ul>
      <t>Transaction Tokens (Txn-Tokens) are intended to reduce these risks by carrying user or workload identity, along with authorization and request context, in short-lived, signed JWTs that are bound to specific transactions and propagated throughout the Call Chain within a Trust Domain. The authorization and request context include parameters of the original call, environmental attributes such as the IP address of the original caller, user and workload identity information and other information that is expected to remain consistent across subsequent workload invocations, including information added within the Trust Domain after the initial request. Downstream workloads use Txn-tokens to apply authorization decisions based on this context within a specific transaction. Txn-Tokens are cryptographically protected, enabling downstream workloads to detect unauthorized modification of this information. Txn-Tokens reduce risk by making it harder for an attacker to invoke workloads outside an authorized transaction, impersonate users or workloads within a transaction, modify request context for a transaction, or rely on stolen access tokens alone.</t>
      <t>Txn-Tokens apply both to transactions initiated by an external event, such as an Internet-facing API invocation, and to transactions initiated from within the Trust Domain.</t>
    </section>
    <section anchor="notational-conventions">
      <name>Notational Conventions</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when,
they appear in all capitals, as shown here.</t>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <dl>
        <dt>Workload:</dt>
        <dd>
          <t>A running instance of software executing for a specific purpose. Examples of workloads include containerized microservices, monolithic services and infrastructure services such as managed databases.</t>
        </dd>
        <dt>Trust Domain:</dt>
        <dd>
          <t>A logical grouping of systems that share a common set of security controls and policies. In practice this may include a virtually or physically separated network, which contains two or more workloads. The workloads within a Trust Domain may be invoked only through published interfaces.</t>
        </dd>
        <dt>External Endpoint:</dt>
        <dd>
          <t>A published interface to a Trust Domain that results in the invocation of a workload within the Trust Domain. In practice, the external endpoint may be accessed through a gateway service as described in the WIMSE architecture <xref target="I-D.ietf-wimse-arch"/>.</t>
        </dd>
        <dt>Call Chain:</dt>
        <dd>
          <t>The set of invocations across all workloads invoked to complete the requested transaction.</t>
        </dd>
        <dt>Transaction Token (Txn-Token):</dt>
        <dd>
          <t>A signed JWT with a short lifetime, providing immutable information about the user or workload, certain parameters of the call, and specific contextual attributes of the call. The Txn-Token is used to authorize subsequent calls in the Call Chain.</t>
        </dd>
        <dt>Transaction Token Service (TTS):</dt>
        <dd>
          <t>A special service within the Trust Domain that issues Txn-Tokens to requesting workloads. Each Trust Domain using Txn-Tokens MUST have exactly one logical TTS.</t>
        </dd>
      </dl>
    </section>
    <section anchor="what-are-transaction-tokens">
      <name>What are Transaction Tokens?</name>
      <t>Txn-Tokens are short-lived, signed JWTs <xref target="RFC7519"/> that assert the identity of a user or a workload and an authorization context. The authorization context provides information expected to remain constant during the execution of the transaction as it passes through the Call Chain.</t>
      <section anchor="authorization-context">
        <name>Authorization Context</name>
        <t>Authorization context includes information used for authorization, accounting and auditing purposes and often contains information about the request being made. A key aspect of the authorization context is the intent or purpose of the transaction, which should be as narrowly defined as possible for the given deployment. A narrowly scoped, short-lived, transaction token reduces the attack surface of captured and replayed transaction tokens.</t>
      </section>
    </section>
    <section anchor="creating-txn-tokens">
      <name>Creating Txn-Tokens</name>
      <section anchor="creation">
        <name>Creation</name>
        <t>Txn-Tokens are typically created when a workload is invoked using an endpoint that is externally visible, and is authorized using a separate mechanism, such as an OAuth <xref target="RFC6749"/> access token. The externally visible endpoint exchanges the external authorization token for a transaction token before sending it to the workload. The transaction token may be obtained through a local interface, or it may be requested from a remote server.</t>
        <t>If the transaction token request is made via HTTP to a remote server, it MUST use <xref target="RFC8693"/> as described in this specification. To do this, it invokes a special Token Service (the Transaction Token Service (TTS)) and provides context that is sufficient for the TTS to generate a Txn-Token.</t>
        <t>The context information provided to the TTS MUST include:</t>
        <ul spacing="normal">
          <li>
            <t>The identification of the Trust Domain in which the issued Txn-Token is valid.</t>
          </li>
          <li>
            <t>A token which identifies the subject of the Txn-Token (e.g. an OAuth access token, a self-issued JWT, etc).</t>
          </li>
          <li>
            <t>The desired authorization scope for the issued Txn-Token.</t>
          </li>
        </ul>
        <t>Additional contextual information MAY be provided such as:</t>
        <ul spacing="normal">
          <li>
            <t>Parameters that are required to be integrity protected for the duration of this call.</t>
          </li>
          <li>
            <t>Additional context, such as the incoming IP address, User Agent information, or other context that can help the TTS to issue the Txn-Token.</t>
          </li>
        </ul>
        <t>The TTS responds to a successful invocation by generating a Txn-Token. The calling workload then uses the Txn-Token to authorize its calls to subsequent workloads.</t>
        <t>If the requesting service does not have an inbound token that it can use in its request to the TTS, it MAY generate a self-signed JWT and present that in the request in place of the external authorization token. This can be the case when the external authentication does not use an access token or when the requesting service is initiating a scheduled internal request for itself or on behalf of a user of the system.</t>
      </section>
    </section>
    <section anchor="txn-token-lifetime">
      <name>Txn-Token Lifetime</name>
      <t>Txn-Tokens are expected to be short-lived (on the order of minutes or less), and as a result MUST be used only for the expected duration of an external or internal invocation. If the token or other credential (e.g. self-signed JWT) presented to the TTS when requesting a Txn-Token has an expiration time, then the TTS MUST NOT issue a Txn-Token if the expiration time has passed. The lifetime of the Txn-Token itself MAY exceed the expiration time of the presented token, subject to the policy of the TTS. The TTS SHOULD assess whether the Txn-Token’s assigned lifetime and transaction binding adequately mitigate the risks of a Txn-Token lifetime that exceeds the presented subject token’s expiration time. If a long-running process such as a batch or offline task is involved, the mechanism used to perform the external or internal invocation still results in a short-lived Txn-Token (see <xref target="lifetime"/>).</t>
    </section>
    <section anchor="benefits-of-txn-tokens">
      <name>Benefits of Txn-Tokens</name>
      <t>Txn-Tokens prevent unauthorized invocations by allowing a workload to independently verify the identity of the user or workload that initiated an external call, as well as any contextual information relevant to processing that call. This results in the following benefits:</t>
      <ul spacing="normal">
        <li>
          <t>Short-lived, Txn-Tokens, bound to a single transaction, reduce replay risk.</t>
        </li>
        <li>
          <t>Narrowly scoped Txn-Tokens limit lateral movement and blast radius.</t>
        </li>
        <li>
          <t>Signed Txn-Tokens protect the original call context and identity from modification along the Call Chain.</t>
        </li>
        <li>
          <t>Independent verification at each workload helps prevent unauthorized invocation.</t>
        </li>
        <li>
          <t>Restricting which workloads can obtain Txn-Tokens limits exposure from compromised or untrusted services, including some SBOM-related attack paths.</t>
        </li>
      </ul>
    </section>
    <section anchor="txn-token-issuance-and-usage-flows">
      <name>Txn-Token Issuance and Usage Flows</name>
      <section anchor="basic-flow">
        <name>Basic Flow</name>
        <t><xref target="fig-arch-basic"/> shows the basic flow of how Txn-Tokens are used in a multi-workload environment.</t>
        <figure anchor="fig-arch-basic">
          <name>Basic Transaction Tokens Architecture</name>
          <artwork type="ascii-art"><![CDATA[
     1    +--------------+    2      +--------------+
--------->│              │---------->│              │
          │   External   │           │  Txn-Token   │
     8    │   Endpoint   │    3      │   Service    │
<---------│              │<----------│              │
          +--------------+           +--------------+
               │   ^
             4 v   │ 7
          +--------------+
          │              │
          │   Internal   │
          │   Workload   │
          │              │
          +--------------+
               │   ^
               v   │
                 o
             5   o    6
                 o
               │   ^
               v   │
          +--------------+
          │              │
          │   Internal   │
          │   Workload   │
          │              │
          +--------------+
]]></artwork>
        </figure>
        <ol spacing="normal" type="1"><li>
            <t>External endpoint is invoked using conventional authorization mechanism such as an OAuth 2.0 Access token.</t>
          </li>
          <li>
            <t>External endpoint provides context and incoming authorization (e.g., access token) to the TTS.</t>
          </li>
          <li>
            <t>TTS mints a Txn-Token that provides immutable context for the transaction and returns it to the requester.</t>
          </li>
          <li>
            <t>The external endpoint initiates a call to an internal workload and provides the Txn-Token as authorization.</t>
          </li>
          <li>
            <t>Subsequent calls to other internal workloads use the same Txn-Token to authorize calls.</t>
          </li>
          <li>
            <t>Responses are provided to calling workloads based on successful authorization by the invoked workloads.</t>
          </li>
          <li>
            <t>Response provided to external endpoint based on successful authorization by the invoked workload.</t>
          </li>
          <li>
            <t>External client is provided a response to the external invocation.</t>
          </li>
        </ol>
      </section>
      <section anchor="internally-initiated-txn-token-flow">
        <name>Internally Initiated Txn-Token Flow</name>
        <t>An internal workload may need to initiate a transaction not on the basis of a current external request, but as part of a scheduled task or in reaction to a specific condition. The transaction may be requested on behalf of the identity of the requesting workload or as an impersonation on behalf of a specific user chosen based on information accessible to the workload.</t>
        <figure anchor="fig-arch-internal">
          <name>Internally Initiated Txn-Token Flow</name>
          <artwork type="ascii-art"><![CDATA[
        1 ┌──────────────┐    2      ┌──────────────┐
          │              ├───────────▶              │
          │   Internal   │           │  Txn-Token   │
          │   Workload   │    3      │   Service    │
          ┤              ◀───────────│              │
          └────┬───▲─────┘           └──────────────┘
               │   │
             4 │   │ 7
          ┌────▼───┴─────┐
          │              │
          │   Internal   │
          │   Workload   │
          │              │
          └────┬───▲─────┘
               │   │
               ▼   │
                 o
             5   o    6
               │ o ▲
               │   │
               │   │
          ┌────▼───┴─────┐
          │              |
          │   Internal   │
          │   Workload   │
          │              |
          └──────────────┘

]]></artwork>
        </figure>
        <t>In the diagram above, steps 5-7 are the same as in <xref target="basic-flow"/>.</t>
        <ol spacing="normal" type="1" start="1"><li>
            <t>A workload determines that it needs to initiate a request on behalf of a user in response to a scheduled timer or other trigger.</t>
          </li>
          <li>
            <t>The internal workload authenticates to the token service and makes a request for a Txn-Token. The request contains information about the transaction along with optional additional authorization credentials.</t>
          </li>
          <li>
            <t>TTS authorizes the requester and then mints a Txn-Token that provides immutable context for the transaction and returns it to the requester.</t>
          </li>
          <li>
            <t>The originating workload then contacts another internal workload and provides the Txn-Token as authorization.</t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="txn-token-format">
      <name>Txn-Token Format</name>
      <t>A Txn-Token is a JSON Web Token <xref target="RFC7519"/> protected by a JSON Web Signature <xref target="RFC7515"/>. The following describes the required values in a Txn-Token:</t>
      <section anchor="txn-token-header">
        <name>JWT Header</name>
        <t>In the JWT Header:</t>
        <ul spacing="normal">
          <li>
            <t>The <tt>typ</tt> Header Parameter MUST be present and MUST have the value <tt>txntoken+jwt</tt>.</t>
          </li>
          <li>
            <t>Key rotation of the signing key SHOULD be supported through the use of a <tt>kid</tt> Header Parameter.</t>
          </li>
        </ul>
        <t><xref target="figtxtokenheader"/> is a non-normative example of the JWT Header of a Txn-Token</t>
        <figure anchor="figtxtokenheader">
          <name>Example: Txn-Token Header</name>
          <sourcecode type="json"><![CDATA[
{
    "typ": "txntoken+jwt",
    "alg": "RS256",
    "kid": "identifier-to-key"
}
]]></sourcecode>
        </figure>
      </section>
      <section anchor="txn-token-claims">
        <name>JWT Body Claims</name>
        <t>The transaction token body follows the JWT format and includes existing
JWT claims as well as defines new claims. These claims are described below:</t>
        <dl>
          <dt><tt>iss</tt>:</dt>
          <dd>
            <t>OPTIONAL The <tt>iss</tt> claim as defined in <xref target="RFC7519"/> is not required as Txn-Tokens are bound to a single Trust Domain as defined by the <tt>aud</tt> claim and often the signing keys are known.</t>
          </dd>
          <dt><tt>iat</tt>:</dt>
          <dd>
            <t>REQUIRED The issued at time of the Txn-Token as defined in <xref target="RFC7519"/>.</t>
          </dd>
          <dt><tt>aud</tt>:</dt>
          <dd>
            <t>REQUIRED This claim, defined in <xref target="RFC7519"/>, MUST identify the Trust Domain in which the Txn-Token is valid. A Txn-Token MUST NOT be accepted outside the Trust Domain identified by the <tt>aud</tt> claim.</t>
          </dd>
          <dt><tt>exp</tt>:</dt>
          <dd>
            <t>REQUIRED Expiry time of the Txn-Token as defined in <xref target="RFC7519"/>.</t>
          </dd>
          <dt><tt>txn</tt>:</dt>
          <dd>
            <t>REQUIRED A unique transaction identifier as defined in Section 2.2 of <xref target="RFC8417"/>.</t>
          </dd>
          <dt><tt>sub</tt>:</dt>
          <dd>
            <t>REQUIRED This claim represents the principal of the transaction as defined by Section 4.1.2 of <xref target="RFC7519"/>. The value MUST be unique within the context of the <tt>aud</tt> Trust Domain. Note: Unlike OpenID Connect, the <tt>sub</tt> claim is NOT associated with the <tt>iss</tt> claim.</t>
          </dd>
          <dt><tt>scope</tt>:</dt>
          <dd>
            <t>REQUIRED The scope claim is defined in <xref section="4.2" sectionFormat="of" target="RFC8693"/>. Note that the value of this claim is determined by the TTS and is not required to match the requested scope nor the scope in any supplied external token. For additional context please refer to <xref target="scope-claim"/></t>
          </dd>
          <dt><tt>tctx</tt>:</dt>
          <dd>
            <t>RECOMMENDED A JSON object that contains values that remain immutable throughout the Call Chain. For additional context please refer to <xref target="request-context"/></t>
          </dd>
          <dt><tt>rctx</tt>:</dt>
          <dd>
            <t>RECOMMENDED A JSON object that describes the environmental context of the requested transaction. For additional context please refer to <xref target="transaction-context"/></t>
          </dd>
          <dt><tt>req_wl</tt>:</dt>
          <dd>
            <t>REQUIRED. A string value that identifies the workload that requested the Txn-Token.</t>
          </dd>
        </dl>
        <section anchor="scope-claim">
          <name>Scope claim</name>
          <t>The <tt>scope</tt> claim captures, as narrowly as possible, the purpose of this particular transaction. The values used for this claim are defined by the TTS as representative of the authorization model defined by the Trust Domain. The value may be literately and semantically different from, and represent an intent narrower, than a scope value issued to an external client. How a given deployment represents the authorization model within the Trust Domain is at its discretion and not prescribed by this specification.</t>
        </section>
        <section anchor="request-context">
          <name>Request Context</name>
          <t>The Txn-Token SHOULD contain an <tt>rctx</tt> claim. The JSON value of the <tt>rctx</tt> claim MAY include any values the TTS determines are relevant to downstream services that rely on the Txn-Token. For example, this may include the IP address information of the originating request, information about the computational entity that requested the Txn-Token and contextual attributes of the originating request itself.</t>
          <t>The following is a non-normative example of an <tt>rctx</tt> claim initiated by an external call:</t>
          <sourcecode type="json"><![CDATA[
{
    "rctx": {
      "req_ip": "69.151.72.123", // IP address of the originating request
      "authn": "face", // from RFC 8176
      "transport": "https" // transport method used for the originating request
    }
}
]]></sourcecode>
        </section>
        <section anchor="transaction-context">
          <name>Transaction Context</name>
          <t>The Txn-Token SHOULD contain an <tt>tctx</tt> claim. The value of this claim is a JSON object that contains fields (wherein the value could itself be an object), which together assert the details that remain immutable through the Call Chain where this Txn-Token is used.</t>
          <t>Txn-Tokens are primarily used to assure identity and context for a transaction, and the content of this field is a critical part of that context.</t>
          <t>Whereas the <tt>rctx</tt> field contains environmental values related to the request, the <tt>tctx</tt> field contains the actual authorizaton details that are determined by the TTS. These values are used by services using the Txn-Token to reliably obtain specific parameters needed to perform their work. The content of the <tt>tctx</tt> field is determined by the TTS and the claims may be computed internally or from parameters it receives from the service that requests the Txn-Token.</t>
          <t>The following is a non-normative example of an <tt>tctx</tt> claim initiated by an external call:</t>
          <sourcecode type="json"><![CDATA[
{
    "tctx": {
      "action": "BUY", // parameter of external call
      "ticker": "MSFT", // parameter of external call
      "quantity": "100", // parameter of external call
      "customer_type": { // computed value not present in external call
        "geo": "US",
        "level": "VIP"
    }
}
]]></sourcecode>
        </section>
        <section anchor="example">
          <name>Example</name>
          <t>The figure below <xref target="figleaftxtokenbody"/> shows a non-normative example of the JWT body of a Txn-Token initiated by an external call:</t>
          <figure anchor="figleaftxtokenbody">
            <name>Example: Txn-Token Body</name>
            <sourcecode type="json"><![CDATA[
{
  "iat": 1686536226,
  "aud": "trust-domain.example",
  "exp": 1686536586,
  "txn": "97053963-771d-49cc-a4e3-20aad399c312",
  "sub": "d084sdrt234fsaw34tr23t",
  "req_wl": "apigateway.trust-domain.example", // the internal entity that requested the Txn-Token
  "rctx": {
    "req_ip": "69.151.72.123", // env context of external call
    "authn": "face" // from RFC 8176
  },
  "scope" : "trade.stocks",
  "tctx": {
    "action": "BUY", // parameter of external call
    "ticker": "MSFT", // parameter of external call
    "quantity": "100", // parameter of external call
    "customer_type": { // computed value not present in external call
      "geo": "US",
      "level": "VIP"
    }
  }
}
]]></sourcecode>
          </figure>
          <t>A Txn-Token from an internal request would look much the same except the rctx and tctx field claims would be populated with information from the initiating workloads request.</t>
        </section>
      </section>
    </section>
    <section anchor="txn-token-service-tts">
      <name>Txn-Token Service (TTS)</name>
      <t>A Txn-Token Service (TTS) uses <xref target="RFC8693"/> as described in this specification to issue transaction tokens in response to HTTP requests. The unique properties of the Txn-Token requests and responses are described below. The TTS MAY optionally support other OAuth 2.0 endpoints and features, but that is not a requirement for it to be a TTS.</t>
      <t>Each Trust Domain that uses Txn-Tokens MUST have exactly one logical TTS.</t>
    </section>
    <section anchor="requesting-txn-tokens">
      <name>Requesting Txn-Tokens</name>
      <t>A workload requests a Txn-Token from a TTS. If the transaction token request is made via HTTP to a remote server, it MUST use <xref target="RFC8693"/> as described in this specification. Txn-Tokens may be requested for both externally originating or internally originating requests. This profile describes how required and optional context can be provided to the TTS in order for the Txn-Token to be issued. The request to obtain a Txn-Token using this method is called a Txn-Token Request, and a successful response is called a Txn-Token Response. The Txn-Token profile of the OAuth 2.0 Token Exchange <xref target="RFC8693"/> is described below.</t>
      <section anchor="txn-token-request">
        <name>Txn-Token Request</name>
        <t>A workload requesting a Txn-Token provides the TTS with proof of its identity (client authentication), the purpose of the Txn-Token and optionally any additional context relating to the transaction being performed. Most of these elements are provided by the OAuth 2.0 Token Exchange specification and the rest are defined as new parameters. Additionally, this profile defines a new token type URN <tt>urn:ietf:params:oauth:token-type:txn_token</tt> which is used by the requesting workload to identify that it is requesting the Txn-Token Response to contain a Txn-Token.</t>
        <t>To request a Txn-Token the workload invokes the OAuth 2.0 <xref target="RFC6749"/> token endpoint with the following parameters:</t>
        <ul spacing="normal">
          <li>
            <t><tt>grant_type</tt> REQUIRED. The value MUST be set to <tt>urn:ietf:params:oauth:grant-type:token-exchange</tt>.</t>
          </li>
          <li>
            <t><tt>audience</tt> REQUIRED. The value MUST be set to the Trust Domain name.</t>
          </li>
          <li>
            <t><tt>scope</tt> REQUIRED. A space-delimited list of case-sensitive strings where the value(s) MUST represent the specific purpose or intent of the transaction.</t>
          </li>
          <li>
            <t><tt>requested_token_type</tt> REQUIRED. The value MUST be <tt>urn:ietf:params:oauth:token-type:txn_token</tt>.</t>
          </li>
          <li>
            <t><tt>subject_token</tt> REQUIRED. The value MUST contain a token that represent the subject of the transaction. The manner in which the subject is represented in the <tt>subject_token</tt> depends on the <tt>subject_token_type</tt>. The <tt>subject_token</tt> MAY be:
            </t>
            <ul spacing="normal">
              <li>
                <t>An inbound token received by an external endpoint (e.g. an API Gateway).</t>
              </li>
              <li>
                <t>A self-signed JWT constructed by a workload initiating a transaction.</t>
              </li>
              <li>
                <t>An unsigned JSON object constructed by a workload initiating a transaction.</t>
              </li>
              <li>
                <t>Any other format that is understood by the TTS.</t>
              </li>
            </ul>
            <t>
The type of the <tt>subject_token</tt> field is identified by <tt>subject_token_type</tt>.</t>
          </li>
          <li>
            <t><tt>subject_token_type</tt> REQUIRED. The value MUST indicate the type of the token or value present in the <tt>subject_token</tt> parameter.</t>
          </li>
        </ul>
        <t>The following additional parameters are defined for the Txn-Token Request:</t>
        <ul spacing="normal">
          <li>
            <t><tt>request_context</tt> RECOMMENDED. This parameter contains a JSON object which represents the context of this transaction.</t>
          </li>
          <li>
            <t><tt>request_details</tt> RECOMMENDED. This parameter contains a JSON object which contains additional details about the request. This could include API parameters, authorization criteria or other details the requester would like to pass to the TTS. The TTS uses this data along with other information at its disposal to construct the <tt>tctx</tt> JSON object (if required).</t>
          </li>
        </ul>
        <t>All parameters are encoded using the "application/x-www-form-urlencoded" format per Appendix B of <xref target="RFC6749"/>.</t>
        <t>The figure below <xref target="figtxtokenrequest"/> shows a non-normative example of a Txn-Token Request. Line breaks added for readability.</t>
        <figure anchor="figtxtokenrequest">
          <name>Example: Txn-Token Request</name>
          <sourcecode type="http"><![CDATA[
POST /txn-token-service/token_endpoint HTTP/1.1
Host: txn-token-service.trust-domain.example
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Atxn_token
&audience=trust-domain.example
&scope=trade.stocks
&subject_token=eyJhbGciOiJFUzI1NiIsImtpZC...kdXjwhw
&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token
&request_context=%7B%0A%20%20%20%20%20%20%22req_ip%22%3A%20%2269.151.72.123%22%2C%20%0A%20%20%20%20%20%20%22authn%22%3A%20%22face%22%0A%7D
&request_details=%7B%0A%20%20%20%20%20%20%22action%22%3A%20%22BUY%22%2C%0A%20%20%20%20%20%20%22ticker%22%3A%20%22MSFT%22%2C%0A%20%20%20%20%20%20%22quantity%22%3A%20%22100%22%0A%7D
]]></sourcecode>
        </figure>
      </section>
      <section anchor="subject-token-types">
        <name>Subject Token Types</name>
        <t>The <tt>subject_token_type</tt> parameter value MUST be a URI <xref target="RFC3986"/>. It MAY be:</t>
        <ul spacing="normal">
          <li>
            <t>Any one of the subject token types described in Section 3 of OAuth 2.0 Token Exchange <xref target="RFC8693"/> except the Refresh Token type (i.e., <tt>urn:ietf:params:oauth:token-type:refresh_token</tt>).</t>
          </li>
          <li>
            <t>A URN type name when the subject token is a self-signed JWT, as described below.</t>
          </li>
          <li>
            <t>A URN type name when the subject token is an unsigned JSON object, as described below.</t>
          </li>
          <li>
            <t>A custom URN agreed to between requesters and the TTS. The TTS MAY support other token formats, which MAY be specified in the <tt>subject_token_type</tt> parameter.</t>
          </li>
        </ul>
        <section anchor="self-signed-subject-token-type">
          <name>Self-Signed Subject Token Type</name>
          <t>A requester MAY use a self-signed JWT as a <tt>subject_token</tt> value. In that case, the requester MUST set the <tt>subject_token_type</tt> value to: <tt>urn:ietf:params:oauth:token-type:self_signed</tt>. This self-signed JWT MUST contain the following claims:</t>
          <ul spacing="normal">
            <li>
              <t><tt>iss</tt>: The unique identifier of the requesting workload.</t>
            </li>
            <li>
              <t><tt>sub</tt>: The subject for whom the Txn-Token is being requested. The TTS SHALL use this value in determining the <tt>sub</tt> value in the Txn-Token issued in the response to this request.</t>
            </li>
            <li>
              <t><tt>aud</tt>: The unique identifier of the TTS. The TTS SHALL verify that this value matches its own unique identifier.</t>
            </li>
            <li>
              <t><tt>iat</tt>: The time at which the self-signed JWT was created. Note that the TTS may reject self-signed tokens with an <tt>iat</tt> value that is unreasonably far in the past or future.</t>
            </li>
            <li>
              <t><tt>exp</tt>: The expiration time for the JWT. <xref target="txn-token-lifetime"/> provides guidance on setting the expiry of a Txn-Token.</t>
            </li>
          </ul>
          <t>The self-signed JWT MAY contain other claims.</t>
        </section>
        <section anchor="unsigned-json-subject-token-type">
          <name>Unsigned JSON Object Subject Token Type</name>
          <t>A requester MAY use an unsigned JSON object as a <tt>subject_token</tt> value. In that case, the requester MUST set the <tt>subject_token_type</tt> value to: <tt>urn:ietf:params:oauth:token-type:unsigned_json</tt>. The JSON object in the subject token MUST contain the following fields:</t>
          <ul spacing="normal">
            <li>
              <t><tt>sub</tt>: The subject for whom the Txn-Token is being requested. The TTS SHALL use this value in determining the <tt>sub</tt> value in the Txn-Token issued in the response to this request.</t>
            </li>
          </ul>
          <t>The unsigned JSON object MAY contain other fields, and the TTS MAY consider them when generating the Txn-Token.</t>
        </section>
      </section>
      <section anchor="txn-token-request-processing">
        <name>Txn-Token Request Processing</name>
        <t>When the TTS receives a Txn-Token Request it:</t>
        <ul spacing="normal">
          <li>
            <t>MUST validate the requesting workload client authentication and determine if that workload is authorized to obtain the Txn-Tokens with the requested value(s) (see <xref target="tts-issuance-policies"/>). The authorization policy for determining such issuance is out of scope for this specification.</t>
          </li>
          <li>
            <t>The TTS MUST validate the <tt>subject_token</tt>, including verifying the signature, if it is signed.</t>
          </li>
          <li>
            <t>The TTS determines the value to specify as the <tt>sub</tt> of the Txn-Token and MUST ensure the <tt>sub</tt> value is unique within the Trust Domain defined by the <tt>aud</tt> claim.</t>
          </li>
          <li>
            <t>The TTS MUST set the <tt>iat</tt> claim to the time of issuance of the Txn-Token.</t>
          </li>
          <li>
            <t>The TTS MUST set the <tt>aud</tt> claim to an identifier representing the Trust Domain of the TTS. If the TTS supports multiple Trust Domains, then it MUST determine the correct <tt>aud</tt> value for this request.</t>
          </li>
          <li>
            <t>The TTS MUST set the <tt>exp</tt> claim to the expiry time of the Txn-Token. The TTS MAY consider any <tt>exp</tt> value present in the <tt>subject_token</tt> parameter of the Txn-Token Request in determining the <tt>exp</tt> value of the resulting Txn-Token.</t>
          </li>
          <li>
            <t>The TTS MUST set the <tt>txn</tt> claim to a unique ID specific to this transaction.</t>
          </li>
          <li>
            <t>The TTS MAY set the <tt>iss</tt> claim of the Txn-Token to a value defining the entity that signed the Txn-Token.</t>
          </li>
          <li>
            <t>The TTS MUST evaluate the value specified in the <tt>scope</tt> parameter of the request to determine the <tt>scope</tt> claim of the issued Txn-Token.</t>
          </li>
          <li>
            <t>If a <tt>request_context</tt> parameter is present in the Txn-Token Request, the TTS SHOULD evaluate the content of the <tt>request_context</tt> parameter and may include claims in the <tt>rctx</tt> claim of the issued Txn-Token based on the <tt>request_context</tt> parameter. The TTS is authoritative for the set of claims made available in the <tt>rctx</tt> claim. The claims included in the <tt>rctx</tt> claim of the issued Txn-Token may be an exact match of those on the <tt>request_context</tt>, may be derived from the <tt>request_context</tt>, or independently asserted by the TTS.</t>
          </li>
          <li>
            <t>If a <tt>request_details</tt> parameter is present in the Txn-Token Request, the TTS SHOULD evaluate the content of the <tt>request_details</tt> parameter and may include claims in the <tt>tctx</tt> claim of the issued Txn-token based on the <tt>request_details</tt> parameter. The claims included in the <tt>tctx</tt> claim of the issued Txn-Token may be an exact match of those on the <tt>request_details</tt>, or may be derived from the <tt>request_details</tt>. The TTS is authoritative for the set of claims made available in the <tt>tctx</tt> claim and MAY include additional claims unrelated to the <tt>request_details</tt>.</t>
          </li>
        </ul>
        <t>The TTS MAY provide additional processing and verification that is outside the scope of this specification.</t>
      </section>
      <section anchor="txn-token-response">
        <name>Txn-Token Response</name>
        <t>A successful response to a Txn-Token Request MUST include the following values defined in <xref target="RFC8693"/>:</t>
        <ul spacing="normal">
          <li>
            <t>The <tt>token_type</tt> value MUST be set to <tt>N_A</tt> per guidance in OAuth 2.0 Token Exchange <xref target="RFC8693"/>.</t>
          </li>
          <li>
            <t>The <tt>access_token</tt> value MUST be the Txn-Token JWT.</t>
          </li>
          <li>
            <t>The <tt>issued_token_type</tt> value MUST bet set to <tt>urn:ietf:params:oauth:token-type:txn_token</tt>.</t>
          </li>
        </ul>
        <t>The Txn-Token Response MUST NOT include the <tt>refresh_token</tt> value.</t>
        <t>If the TTS responds with an error, the error response is as described in Section 5.2 of <xref target="RFC6749"/>.</t>
        <t><xref target="figtxtokenresponse"/> shows a non-normative example of a Txn-Token Response.</t>
        <figure anchor="figtxtokenresponse">
          <name>Example: Txn-Token Response</name>
          <sourcecode type="http"><![CDATA[
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "token_type": "N_A",
  "issued_token_type": "urn:ietf:params:oauth:token-type:txn_token",
  "access_token": "eyJCI6IjllciJ9...Qedw6rx"
}
]]></sourcecode>
        </figure>
      </section>
      <section anchor="Mutual-Authentication">
        <name>Mutual Authentication of the Txn-Token Request</name>
        <t>A TTS and requesting workload MUST authenticate each other (mutual authentication). Workloads MUST authenticate the TTS to ensure that they do not disclose sensitive information, such as OAuth access tokens, to a rogue TTS. A TTS MUST authenticate a workload to ensure the workload is authorized to request a transaction token.</t>
        <t>Workloads SHOULD use the <tt>https</tt> scheme to secure the communication channel and authenticate the TTS. When using <tt>https</tt>, TLS certificates MUST be checked according to <xref section="4.3.4" sectionFormat="of" target="RFC9110"/>. At the time of this writing, TLS version 1.3 <xref target="RFC8446"/> is the most recent version.</t>
        <t>Workloads SHOULD authenticate to a Transaction Token Server using asymmetric (public-key based) methods or signed client authentication JWTs in accordance with <xref target="RFC7523"/>, which MAY be provisioned using mechanisms such as <xref target="SPIFFE"/> or other provisioning protocols.</t>
        <t>Examples of public-key based authentication include those defined in OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens <xref target="RFC8705"/>, Workload Authentication Using Mutual TLS <xref target="I-D.ietf-wimse-mutual-tls"/>, WIMSE Workload-to-Workload Authentication with HTTP Signatures <xref target="I-D.ietf-wimse-http-signature"/> and WIMSE Workload Proof Token <xref target="I-D.ietf-wimse-wpt"/>.</t>
      </section>
    </section>
    <section anchor="using-txn-tokens">
      <name>Using Txn-Tokens</name>
      <t>Txn-Tokens need to be communicated between workloads that depend upon them to authorize the request. Such workloads will often present HTTP <xref target="RFC9110"/> interfaces for being invoked by other workloads. This section specifies the HTTP header the invoking workload MUST use to communicate the Txn-Token to the invoked workload, when the invoked workload presents an HTTP interface. Note that the standard HTTP <tt>Authorization</tt> header MUST NOT be used because that may be used by the workloads for other purposes.</t>
      <section anchor="txn-token-http-header">
        <name>"Txn-Token" HTTP Header</name>
        <t>A workload that invokes another workload using HTTP and needs to present a Txn-Token to the invoked workload MUST use the HTTP Header "Txn-Token" to communicate the Txn-Token in the HTTP Request. The value of this header MUST be exactly one Txn-Token.</t>
      </section>
      <section anchor="txn-token-validation">
        <name>Txn-Token Validation</name>
        <t>A workload that receives a Txn-Token MUST evaluate the token for validity before authorizing it for activities supported by the workload. To validate the Txn-Token, the workload MUST:</t>
        <ul spacing="normal">
          <li>
            <t>Validate the Txn-Token JWS signature.</t>
          </li>
          <li>
            <t>Verify the <tt>aud</tt> claim identifies the Trust Domain of the workload.</t>
          </li>
          <li>
            <t>Verify the Txn-Token is not expired.</t>
          </li>
        </ul>
        <t>In addition, any outbound calls made by this workload MUST include the Txn-Token as it was received so that it is passed unmodified to any downstream workloads.</t>
        <t>Once the Txn-Token is determined to be valid, the workload MAY use any of the data contained in the Txn-Token to determine if the Txn-Token authorizes the requested activity. How the workload determines this authorization is out of scope for this specification.</t>
      </section>
    </section>
    <section anchor="Security">
      <name>Security Considerations</name>
      <section anchor="lifetime">
        <name>Txn-Token Replay Risks</name>
        <t>A Txn-Token is not resistant to replay attacks. A long-lived Txn-Token therefore represents a risk if it is discovered by an attacker (e.g. if it is stored in a file), and then replayed. For this reason, a Txn-Token lifetime MUST be kept short and follow the guidance given in <xref target="txn-token-lifetime"/>.</t>
        <t>The use of a unique transaction identifier (<tt>txn</tt> claim) allows for discovery of Txn-Token replay as described in <xref target="uti"/>.</t>
      </section>
      <section anchor="uti">
        <name>Unique Transaction Identifier</name>
        <t>A Txn-Token conveys user identity and authorization context across workloads in a Call Chain. The <tt>txn</tt> claim is a unique identifier that, when logged by the TTS and workloads, enables discovery and auditing of successful and failed transactions. The <tt>txn</tt> value SHOULD be unique within the Trust Domain.</t>
        <t>A workload receiving a Txn-Token can store the <tt>txn</tt> value of each Txn-Token for the time window in which the Txn-Token would be accepted to prevent multiple uses of the same Txn-Token. Requests to the same workload for which the <tt>txn</tt> value has been seen before would be declined. When strictly enforced, such a single-use check provides a very strong protection against Txn-Token replay, but it may not always be feasible in practice, e.g., when multiple instances of the same workload receiving a Txn-Token have no shared state.</t>
      </section>
      <section anchor="refresh-tokens">
        <name>Refresh Tokens</name>
        <t>OAuth refresh tokens are used to obtain access tokens as defined in <xref target="RFC6749"/> and MUST NOT be used to request transaction tokens (see <xref target="subject-token-types"/>. Since Txn-Tokens are short-lived (<xref target="txn-token-lifetime"/>), the Txn-Token response from the TTS MUST NOT include a refresh token (see <xref target="txn-token-response"/>).</t>
      </section>
      <section anchor="access-tokens">
        <name>Access Tokens</name>
        <t>When creating Txn-Tokens, the Txn-Token MUST NOT contain the access token presented to the external endpoint. If an access token is included in a Txn-Token, an attacker may extract the access token from the Txn-Token, and replay it to any Resource Server that can accept that access token. Txn-Token expiry does not protect against this attack since the access token may remain valid even after the Txn-Token has expired.</t>
        <t>Access tokens are typically short-lived but they can be invalidated before their expiration due to security or policy changes. In addition to standard access token validation, a TTS MAY, based on the risk profile of the deployment or transaction, verify whether the presented access token was invalidated. Where appropriate, implementations can use OAuth 2.0 Token Introspection <xref target="RFC7662"/> or similar mechanisms to obtain up-to-date token status from the authorization server.</t>
      </section>
      <section anchor="sec-sub-token-types">
        <name>Subject Token Types</name>
        <t>Identifies the token type of the <tt>subject_token</tt> which is generally a token the requesting workload received (e.g. an OAuth token or a SAML assertion). In the absence of an appropriate incoming token, the requesting service MAY use a self-signed JWT, an unsigned JSON object or any other format to represent the details of the requester and the transaction to the TTS.</t>
      </section>
      <section anchor="scope-processing">
        <name>Scope Processing</name>
        <t>The authorization model within a Trust Domain boundary may be quite different from the authorization model (e.g. OAuth scopes) used with clients external to the Trust Domain. This makes managing unintentional scope increase a critical aspect of the TTS. The TTS MUST ensure that the requested <tt>scope</tt> of the Txn-Token is equal or less than the scope(s) identified in the <tt>subject_token</tt>.</t>
      </section>
      <section anchor="tts-discovery">
        <name>TTS Discovery</name>
        <t>A workload may use various mechanisms to determine the correct instance of a TTS with which to interact. Workloads MUST retrieve configuration information from a trusted source to minimize the risk of a threat actor providing malicious configuration data that points to an instance of a TTS under it's control which could be used to collect access tokens sent as part of the Transaction Token Request message.</t>
        <t>To mitigate this risk, workloads SHOULD authenticate the service providing the configuration information and verify the integrity of the configuration information. This ensures that no unauthorized entity can insert or alter configuration data. The workload SHOULD use Transport Layer Security (TLS) to authenticate the endpoint and secure the communication channel. Additionally, application-layer signatures or message authentication codes MAY be used to detect any tampering with the configuration information.</t>
      </section>
      <section anchor="workload-configuration-protection">
        <name>Workload Configuration Protection</name>
        <t>A deployment may include multiple instances of a TTS to improve resiliency, reduce latency and enhance scalability. A workload may be configured to access more than one instance of a TTS to ensure reliability or reduce latency for transaction token requests. The workload configuration should be protected against unauthorized addition or removal of TTS instances. An attacker may perform a denial of service attack or degrade the performance of a system by removing an instance of a TTS from the workload configuration.</t>
      </section>
      <section anchor="tts-authentication">
        <name>TTS Authentication</name>
        <t>A workload may accidently send a transaction token request to a service that is not a TTS, or an attacker may attempt to impersonate a TTS in order to gain access to transaction token requests which includes sensitive information like access tokens. To minimise the risk of leaking sensitive information like access tokens that are included in the transaction token request, the workload MUST ensure that it authenticates the TTS and only contacts instances of the TTS that is authorized to issue transaction tokens.</t>
      </section>
      <section anchor="tts-issuance-policies">
        <name>TTS Issuance Policies</name>
        <t>A TTS should be selective in which workloads can successfully request a Txn-Token. A TTS does not need to issue a Txn-Token to every workload that requests one. TTS token issuance decisions, including whether to issue a Txn-Token and the claims it contains, are typically subject to deployment-specific issuance policies and business logic. For example, an API gateway handling a user-initiated request might be permitted to obtain a Txn-Token carrying request context such as a transaction amount, while a downstream service in the same Call Chain might not. Such policies may vary based on system architecture, workload identity, transaction context, or risk, and may result in different Txn-Token contents or denial of issuance. The definition and management of these policies are deployment-specific and out of scope for this specification.</t>
      </section>
      <section anchor="tts-key-rotation">
        <name>TTS Key Rotation</name>
        <t>The TTS may need to rotate signing keys. When doing so, it MAY adopt the key rotation practices in Section 10.1.1 of <xref target="OpenIdConnect"/>.</t>
      </section>
      <section anchor="transaction-tokens-are-not-authentication-credentials">
        <name>Transaction Tokens Are Not Authentication Credentials</name>
        <t>A workload MUST NOT use a transaction token to authenticate itself to another workload, service or the TTS. Transaction tokens represents information relevant to authorization decisions and are not workload identity credentials. Authentication between the workload and the TTS is described in <xref target="Mutual-Authentication"/>.</t>
      </section>
      <section anchor="transaction-tokens-are-not-oauth-20-access-tokens">
        <name>Transaction Tokens Are Not OAuth 2.0 Access Tokens</name>
        <t>A workload MUST NOT use a transaction token as an OAuth 2.0 Access Token. An OAuth 2.0 Access Token represents a grant of authority to a client, a transaction token represents the context of a specific transaction. The separation of the transaction token from the OAuth 2.0 Access Token is a deliberate design choice as described in <xref target="introduction"/>.</t>
        <t>Transaction tokens support the principle of least privilege since they are narrowly scoped to a single transaction and have short lifetimes. This makes them less susceptible to broad replay attacks than the longer-lived access tokens. By maintaining a distinct token type, the protocol ensures that context propagation while minimizing the risk of lateral access if a transaction token is intercepted within the Trust Domain. This separation also reduces the need for including transaction context in the access token, reducing token size.</t>
        <t>Using a dedicated HTTP header from the <tt>Authorization: Bearer</tt> header for transaction tokens allows services to distinguish between an access token, which carries authorization delegation information, and the transaction token, which carries transaction context.</t>
      </section>
      <section anchor="txn-token-as-a-subjecttoken">
        <name>Txn-Token as a <tt>subject_token</tt></name>
        <t>A TTS MUST exercise caution when receiving a Txn-token as a <tt>subject_token</tt>. Any Txn-Token issued in response to such a request is effectively a replacement Txn-Token. Replacing Txn-Tokens potentially negates the primary purpose of having Txn-Tokens. When issuing replacement Txn-Tokens, a TTS:</t>
        <ul spacing="normal">
          <li>
            <t>MAY enable modifications to asserted values that reduce the scope of permitted actions.</t>
          </li>
          <li>
            <t>MAY enable additional asserted values.</t>
          </li>
          <li>
            <t>MUST NOT enable modification to asserted values that expand the scope of permitted actions.</t>
          </li>
          <li>
            <t>MUST NOT modify <tt>txn</tt>, <tt>sub</tt>, and <tt>aud</tt> values of the Txn-Token in the request.</t>
          </li>
          <li>
            <t>MUST NOT issue a new Txn-Token when the Txn-Token being replaced has expired.</t>
          </li>
          <li>
            <t>MAY issue a replacement Txn-Token with a lifetime exceeding the lifetime of the input Txn-Token, subject to the policy of the TTS.</t>
          </li>
          <li>
            <t>SHOULD limit the number of times a Txn-Token is replaced if it allows extending the lifetime beyond that of the input Txn-Token to reduce replay risks.</t>
          </li>
          <li>
            <t>MUST maintain the Call Chain of workloads that requested the Txn-Token being replaced in the subsequently issued Txn-Token. The mechanism for maintaining this Call Chain is out of scope for this specification.</t>
          </li>
        </ul>
      </section>
      <section anchor="determining-signing-keys">
        <name>Determining signing keys</name>
        <t>The <tt>iss</tt> claim may be used to identify the signer of the Txn-Token in cases where the signing keys are not predetermined.</t>
      </section>
    </section>
    <section anchor="preserving-transaction-context-across-trust-domains">
      <name>Preserving transaction context across Trust Domains</name>
      <t>Txn-Tokens are only valid within the Trust Domain identified by the <tt>aud</tt> claim as defined in <xref target="txn-token-claims"/>. When a workload needs to access a resource in a different Trust Domain to complete a transaction, and the identity and authorization context from the Txn-Token needs to be preserved, it SHOULD use OAuth Identity and Authorization Chaining Across Domains <xref target="I-D.ietf-oauth-identity-chaining"/>.</t>
    </section>
    <section anchor="Privacy">
      <name>Privacy Considerations</name>
      <section anchor="handling-of-personal-information">
        <name>Handling of Personal Information</name>
        <t>Claims contained within transaction tokens may be considered personal information (PI) or personally identifying information (PII) in some jurisdictions and if so their values should be protected accordingly. For example, requester IP address (req_ip) is often considered personal information and therefore must be handled according to jurisdictional requirements.</t>
      </section>
      <section anchor="logging">
        <name>Logging</name>
        <t>Complete Txn-Tokens MUST NOT be logged verbatim. This is in order to prevent replay of tokens or leakage of PII or other sensitive information via log files. A hash of the Txn-Token may be logged to allow for correlation with the log files of the TTS that records issued tokens. Alternatively the JWS payload of a Txn-Token may be logged after the signature has been removed. If the Txn-Token contains PII, then care should be taken in logging the content of the Txn-Token so that the PII does not get logged.</t>
      </section>
    </section>
    <section anchor="IANA">
      <name>IANA Considerations</name>
      <t>This specification registers the following token type identifiers to the "OAuth URI" subregistry of the "OAuth Parameters" <xref target="IANA.OAuth.Parameters"/> registry. It also registers the following claims defined in Section <xref target="txn-token-claims"/> in the IANA JSON Web Token Claims Registry defined in <xref target="RFC7519"/>. It also registers the Media Type <xref target="IANA.MediaTypes"/> "txntoken+jwt" as defined in the section <xref target="txn-token-header"/>.</t>
      <section anchor="oauth-uri-subregistry-contents">
        <name>OAuth URI Subregistry Contents</name>
        <ul spacing="normal">
          <li>
            <t>URN: urn:ietf:params:oauth:token-type:txn_token
            </t>
            <ul spacing="normal">
              <li>
                <t>Common Name: Transaction Token</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Specification Document Section <xref target="txn-token-request"/> of this specification</t>
              </li>
            </ul>
          </li>
          <li>
            <t>URN: urn:ietf:params:oauth:token-type:self_signed
            </t>
            <ul spacing="normal">
              <li>
                <t>Common Name: Token type for Self-signed JWT</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Specification Document: Section <xref target="self-signed-subject-token-type"/> of this specification</t>
              </li>
            </ul>
          </li>
          <li>
            <t>URN: urn:ietf:params:oauth:token-type:unsigned_json
            </t>
            <ul spacing="normal">
              <li>
                <t>Common Name: Token type for Unsigned JSON Object</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Specification Document: Section <xref target="unsigned-json-subject-token-type"/> of this specification</t>
              </li>
            </ul>
          </li>
        </ul>
      </section>
      <section anchor="jwt-claims-registry-contents">
        <name>JWT Claims Registry Contents</name>
        <ul spacing="normal">
          <li>
            <t>Claim Name: <tt>tctx</tt>
            </t>
            <ul spacing="normal">
              <li>
                <t>Claim Description: The transaction authorization details</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Specification Document: Section <xref target="txn-token-claims"/> of this specification</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Claim Name: <tt>rctx</tt>
            </t>
            <ul spacing="normal">
              <li>
                <t>Claim Description: The requester context</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Specification Document: Section <xref target="txn-token-claims"/> of this specification</t>
              </li>
            </ul>
          </li>
        </ul>
      </section>
      <section anchor="iana-media-type-registration-contents">
        <name>IANA Media Type Registration Contents</name>
        <t>The following entry will be proposed using the IANA Media Type registration <xref target="IANA.MediaTypes"/> form.</t>
        <ul spacing="normal">
          <li>
            <t>Type Name: application</t>
          </li>
          <li>
            <t>Subtype Name: txntoken+jwt</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Required Parameters: N/A.</t>
          </li>
          <li>
            <t>Optional Parameters: N/A.</t>
          </li>
          <li>
            <t>Encoding Considerations: 7-bit text</t>
          </li>
          <li>
            <t>Security Considerations:
            </t>
            <ol spacing="normal" type="1"><li>
                <t>The media type is used to identify JWTs that may be used as Transaction Tokens. It is a piece of data, and may not contain executable content.</t>
              </li>
              <li>
                <t>Transaction Tokens are short-lived tokens used within a trusted environment, so there are no privacy considerations. Transaction Tokens are unmodifiable tokens, which need integrity protection.</t>
              </li>
              <li>
                <t>The JWTs representing Transaction Tokens are signed, and therefore are integrity protected. A recipient of a Transaction Token must verify the signature on the Transaction Token before using it.</t>
              </li>
              <li>
                <t>There are no additional security considerations specific to the use of JWTs as Transaction Tokens.</t>
              </li>
              <li>
                <t>The Transaction Tokens format does not require the use of links within the token. If links are used by specific instances of Transaction Tokens, then their interpretation is usage specific.</t>
              </li>
            </ol>
          </li>
          <li>
            <t>Interoperability Considerations: Transaction Tokens inherit all interoperability properties of JWTs.</t>
          </li>
          <li>
            <t>Published Specification: this document (when published).</t>
          </li>
          <li>
            <t>Application Usage: Any application supporting the use of JWTs.</t>
          </li>
          <li>
            <t>Fragment Identifier Consideration: N/A.</t>
          </li>
          <li>
            <t>Restrictions on Usage: Any application supporting the use of JWTs.</t>
          </li>
          <li>
            <t>Intended Usage: Common</t>
          </li>
          <li>
            <t>Contact Person: Atul Tulshibagwale</t>
          </li>
        </ul>
      </section>
      <section anchor="http-header">
        <name>HTTP Header</name>
        <t>The header name <tt>Txn-Token</tt> is proposed to be added to the HTTP Field Name Registry <xref target="IANA.HTTP.FieldNames"/> as an unstructured Header Field. This header is defined in the section <xref target="txn-token-http-header"/>. The following entry will be proposed in the HTTP Field Name Registry. Note that this is an unstructured field, therefore the value of the Type field is left empty as shown below:</t>
        <ul spacing="normal">
          <li>
            <t>Field Name: <tt>Txn-Token</tt></t>
          </li>
          <li>
            <t>Type:</t>
          </li>
          <li>
            <t>Status: permanent</t>
          </li>
          <li>
            <t>Specification Document: Section <xref target="txn-token-http-header"/> of this document</t>
          </li>
          <li>
            <t>Comment: The <tt>Authorization</tt> header cannot be used for Txn-tokens because that header may be used for service-to-service authorization, and the services may simultaneously require the use of Txn-tokens to convey detailed immutable information such as user identity and details of fine-grained authorization that are included in the Txn-token.</t>
          </li>
        </ul>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC3986">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC6749" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6749.xml">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC7519">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7519"/>
          <seriesInfo name="DOI" value="10.17487/RFC7519"/>
        </reference>
        <reference anchor="RFC7515">
          <front>
            <title>JSON Web Signature (JWS)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7515"/>
          <seriesInfo name="DOI" value="10.17487/RFC7515"/>
        </reference>
        <reference anchor="RFC7523">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7523"/>
          <seriesInfo name="DOI" value="10.17487/RFC7523"/>
        </reference>
        <reference anchor="RFC7662">
          <front>
            <title>OAuth 2.0 Token Introspection</title>
            <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
            <date month="October" year="2015"/>
            <abstract>
              <t>This specification defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7662"/>
          <seriesInfo name="DOI" value="10.17487/RFC7662"/>
        </reference>
        <reference anchor="RFC8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8693">
          <front>
            <title>OAuth 2.0 Token Exchange</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
            <author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="January" year="2020"/>
            <abstract>
              <t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8693"/>
          <seriesInfo name="DOI" value="10.17487/RFC8693"/>
        </reference>
        <reference anchor="RFC8417" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8417.xml">
          <front>
            <title>Security Event Token (SET)</title>
            <author fullname="P. Hunt" initials="P." role="editor" surname="Hunt"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="W. Denniss" initials="W." surname="Denniss"/>
            <author fullname="M. Ansari" initials="M." surname="Ansari"/>
            <date month="July" year="2018"/>
            <abstract>
              <t>This specification defines the Security Event Token (SET) data structure. A SET describes statements of fact from the perspective of an issuer about a subject. These statements of fact represent an event that occurred directly to or about a security subject, for example, a statement about the issuance or revocation of a token on behalf of a subject. This specification is intended to enable representing security- and identity-related events. A SET is a JSON Web Token (JWT), which can be optionally signed and/or encrypted. SETs can be distributed via protocols such as HTTP.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8417"/>
          <seriesInfo name="DOI" value="10.17487/RFC8417"/>
        </reference>
        <reference anchor="RFC8705">
          <front>
            <title>OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens</title>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>This document describes OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual-TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8705"/>
          <seriesInfo name="DOI" value="10.17487/RFC8705"/>
        </reference>
        <reference anchor="RFC9068">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens</title>
            <author fullname="V. Bertocci" initials="V." surname="Bertocci"/>
            <date month="October" year="2021"/>
            <abstract>
              <t>This specification defines a profile for issuing OAuth 2.0 access tokens in JSON Web Token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to issue and consume access tokens in an interoperable manner.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9068"/>
          <seriesInfo name="DOI" value="10.17487/RFC9068"/>
        </reference>
        <reference anchor="RFC9110">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
        <reference anchor="RFC9111">
          <front>
            <title>HTTP Caching</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.</t>
              <t>This document obsoletes RFC 7234.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="98"/>
          <seriesInfo name="RFC" value="9111"/>
          <seriesInfo name="DOI" value="10.17487/RFC9111"/>
        </reference>
        <reference anchor="RFC9651">
          <front>
            <title>Structured Field Values for HTTP</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <author fullname="P-H. Kamp" surname="P-H. Kamp"/>
            <date month="September" year="2024"/>
            <abstract>
              <t>This document describes a set of data types and associated algorithms that are intended to make it easier and safer to define and handle HTTP header and trailer fields, known as "Structured Fields", "Structured Headers", or "Structured Trailers". It is intended for use by specifications of new HTTP fields.</t>
              <t>This document obsoletes RFC 8941.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9651"/>
          <seriesInfo name="DOI" value="10.17487/RFC9651"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-identity-chaining">
          <front>
            <title>OAuth Identity and Authorization Chaining Across Domains</title>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Kelley Burgin" initials="K." surname="Burgin">
              <organization>MITRE</organization>
            </author>
            <author fullname="Michael J. Jenkins" initials="M. J." surname="Jenkins">
              <organization>NSA-CCSS</organization>
            </author>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <date day="26" month="June" year="2026"/>
            <abstract>
              <t>   This specification describes a mechanism for preserving identity and
   authorization information across trust domains that use the OAuth 2.0
   Framework.  A JSON Web Token (JWT) authorization grant, obtained
   through an intra-domain OAuth 2.0 Token Exchange, facilitates the
   cross-domain acquisition of an access token.  The relevant identity
   and authorization information is chained throughout the flow by being
   conveyed in the respective artifacts exchanged at each step of the
   process.  Chaining across multiple domains is achieved by using the
   same protocol every time a trust domain boundary is crossed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-identity-chaining-16"/>
        </reference>
        <reference anchor="IANA.HTTP.FieldNames" target="https://www.iana.org/assignments/http-fields/">
          <front>
            <title>HTTP Authentication Schemes</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="IANA.OAuth.Parameters" target="https://www.iana.org/assignments/oauth-parameters">
          <front>
            <title>OAuth Parameters</title>
            <author initials="" surname="IANA" fullname="IANA">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="IANA.MediaTypes" target="http://www.iana.org/assignments/media-types">
          <front>
            <title>Media Types</title>
            <author initials="" surname="IANA" fullname="IANA">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="OpenIdConnect" target="https://openid.net/specs/openid-connect-core-1_0.html">
          <front>
            <title>OpenID Connect Core 1.0 incorporating errata set 2</title>
            <author initials="N." surname="Sakimura" fullname="Nat Sakimura">
              <organization>NRI</organization>
            </author>
            <author initials="J." surname="Bradley" fullname="John Bradley">
              <organization>Ping Identity</organization>
            </author>
            <author initials="M." surname="Jones" fullname="Mike Jones">
              <organization>Microsoft</organization>
            </author>
            <author initials="B. de" surname="Medeiros" fullname="B. de Medeiros">
              <organization>Google</organization>
            </author>
            <author initials="C." surname="Mortimore" fullname="Chuck Mortimore">
              <organization>Salesforce</organization>
            </author>
            <date year="2014" month="November"/>
          </front>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC8176">
          <front>
            <title>Authentication Method Reference Values</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="P. Hunt" initials="P." surname="Hunt"/>
            <author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>The "amr" (Authentication Methods References) claim is defined and registered in the IANA "JSON Web Token Claims" registry, but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8176"/>
          <seriesInfo name="DOI" value="10.17487/RFC8176"/>
        </reference>
        <reference anchor="SPIFFE" target="https://spiffe.io/docs/latest/spiffe-about/overview/">
          <front>
            <title>Secure Production Identity Framework for Everyone</title>
            <author>
              <organization>Cloud Native Computing Foundation</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="I-D.ietf-wimse-arch">
          <front>
            <title>Workload Identity in a Multi System Environment (WIMSE) Architecture</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The increasing prevalence of cloud computing and micro service
   architectures has led to the rise of complex software functions being
   built and deployed as workloads, where a workload is defined as
   software executing for a specific purpose, potentially comprising one
   or more running instances.  This document discusses an architecture
   for designing and standardizing protocols and payloads for conveying
   workload identity and security context information.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-arch-07"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-mutual-tls">
          <front>
            <title>Workload Authentication Using Mutual TLS</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>Palo Alto Networks</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones to complex multi-service, multi-cloud, multi-tenant
   deployments.  This document profiles a workload authentication based
   on X.509 workload identity certificates using mutual TLS (mTLS).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-mutual-tls-02"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-http-signature">
          <front>
            <title>WIMSE Workload-to-Workload Authentication with HTTP Signatures</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>Palo Alto Networks</organization>
            </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones to complex multi-service, multi-cloud, multi-tenant
   deployments.  This document defines one of the mechanisms to provide
   workload authentication, using HTTP Signatures.  While only
   applicable to HTTP traffic, the protocol provides end-to-end
   protection of requests (and optionally, responses), even when service
   traffic is not end-to-end encrypted, that is, when TLS proxies and
   load balancers are used.  Authentication is based on the Workload
   Identity Token (WIT).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-http-signature-04"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-wpt">
          <front>
            <title>WIMSE Workload Proof Token</title>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from basic
   deployments to complex multi-service, multi-cloud, multi-tenant
   systems.  This document specifies the Workload Proof Token (WPT), a
   mechanism for workloads to prove possession of the private key
   associated with a Workload Identity Token (WIT).  The WPT is a signed
   JWT that binds the workload's authentication to a specific HTTP
   request, providing application-level proof of possession for
   workload-to-workload communication.  This specification is designed
   to work alongside the WIT credential format defined in draft-ietf-
   wimse-workload-creds and can be combined with other WIMSE protocols
   in multi-hop call chains.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-wpt-01"/>
        </reference>
      </references>
    </references>
    <?line 696?>

<section numbered="false" anchor="Acknowledgements">
      <name>Acknowledgements</name>
      <t>The authors would like to thank John Bradley, Kelley Burgin, Brian Campbell, Naveen CM, Andrii Deinega, Apoorva Deshpande, Daniel Fett, Evan Gilman, Joseph Heenan, Watson Ladd, Kai Lehmann, Jeff Lombardo, Dan Moore, Steinar Noem, Ashay Raut, Justin Richer, Joe Salowey, Dean Saxe, Arndt Schwenkschuster, Dag Sneeggen, Yaron Scheffer, Orie Steele, Dmitry Telegin, and Hannes Tschofenig for supporting, commenting, contributing and providing feedback on this specification.</t>
    </section>
    <section numbered="false" anchor="document-history">
      <name>Document History</name>
      <t>[[ To be removed from final specification ]]</t>
      <section numbered="false" anchor="since-draft-08">
        <name>Since Draft 08</name>
        <ul spacing="normal">
          <li>
            <t>Added document history for changes from 07 to 08</t>
          </li>
          <li>
            <t>Added TTS Issuance Guidance policies (see issue https://github.com/oauth-wg/oauth-transaction-tokens/issues/321)</t>
          </li>
          <li>
            <t>Provide guidance on cross-domain access (see https://github.com/oauth-wg/oauth-transaction-tokens/issues/326)</t>
          </li>
          <li>
            <t>Added security consideration for invalidated tokens (see issue https://github.com/oauth-wg/oauth-transaction-tokens/issues/321)</t>
          </li>
          <li>
            <t>Added doublequotes around the "Txn-Token" header name to distinguish it from the usage of Txn-Token as a name for Transaction Tokens.</t>
          </li>
          <li>
            <t>Added Brian Campbell as a contributor.</t>
          </li>
          <li>
            <t>Renamed Requester-Context section to Request Context and removed specification of <tt>rctx</tt> specific claims (see issue https://github.com/oauth-wg/oauth-transaction-tokens/issues/323)</t>
          </li>
          <li>
            <t>Clarified how multiple workloads are represented in the <tt>req_wl</tt> claim (see issue https://github.com/oauth-wg/oauth-transaction-tokens/issues/331)</t>
          </li>
          <li>
            <t>Clarify transaction tokens vs OAuth 2.0 access tokens</t>
          </li>
          <li>
            <t>Merged Overview and Introduction sections (see https://github.com/oauth-wg/oauth-transaction-tokens/issues/327)</t>
          </li>
          <li>
            <t>Changed additionally defined request parameters from OPTIONAL to RECOMMENDED see https://github.com/oauth-wg/oauth-transaction-tokens/issues/332)</t>
          </li>
          <li>
            <t>Consistent cappitalisation of trust domain and call chain (see https://github.com/oauth-wg/oauth-transaction-tokens/issues)</t>
          </li>
          <li>
            <t>Updated JWT body claims from OPTIONAL to RECOMMENDED (see https://github.com/oauth-wg/oauth-transaction-tokens/issues/330)</t>
          </li>
          <li>
            <t>Clarified TTS behaviour wrt txtx and rctx, fixed examples (see https://github.com/oauth-wg/oauth-transaction-tokens/issues/349)</t>
          </li>
        </ul>
      </section>
      <section numbered="false" anchor="since-draft-07">
        <name>Since Draft 07</name>
        <ul spacing="normal">
          <li>
            <t>Fixed author affiliation (https://github.com/oauth-wg/oauth-transaction-tokens/pull/318)</t>
          </li>
          <li>
            <t>Added details to the benefits section (https://github.com/oauth-wg/oauth-transaction-tokens/pull/316)</t>
          </li>
          <li>
            <t>Updated the definition of the <tt>req_wl</tt> claim (https://github.com/oauth-wg/oauth-transaction-tokens/pull/315)</t>
          </li>
          <li>
            <t>Editorial changes for grammar and clarity (https://github.com/oauth-wg/oauth-transaction-tokens/pull/307, https://github.com/oauth-wg/oauth-transaction-tokens/pull/308)</t>
          </li>
          <li>
            <t>Standardized terminology throughout the document (https://github.com/oauth-wg/oauth-transaction-tokens/pull/304)</t>
          </li>
          <li>
            <t>Revised handling of personal information in Privacy section (hhttps://github.com/oauth-wg/oauth-transaction-tokens/pull/306/)</t>
          </li>
          <li>
            <t>Clarified token replay risks (https://github.com/oauth-wg/oauth-transaction-tokens/pull/305)</t>
          </li>
          <li>
            <t>Fixed section numbering issue (https://github.com/oauth-wg/oauth-transaction-tokens/issues/352)</t>
          </li>
          <li>
            <t>Made <tt>iss</tt> optional in all circumstances, and added Seurity Consideration that provides guideance on using it when signing keys are not predetmined.</t>
          </li>
        </ul>
      </section>
      <section numbered="false" anchor="since-draft-06">
        <name>Since Draft 06</name>
        <ul spacing="normal">
          <li>
            <t>Remove contradiction in "request_details" description and simplify normative langugage <eref target="https://github.com/oauth-wg/oauth-transaction-tokens/issues/228">Clarify claim usage</eref>.</t>
          </li>
          <li>
            <t>Consistency in terms of expectations of input token (https://github.com/oauth-wg/oauth-transaction-tokens/issues/224)</t>
          </li>
          <li>
            <t>Replace StringOrURI with string <eref target="https://github.com/oauth-wg/oauth-transaction-tokens/issues/195">Replace StringOrURI with String</eref></t>
          </li>
          <li>
            <t>Include token theft as a threat to be mitigated <eref target="https://github.com/oauth-wg/oauth-transaction-tokens/issues/207">Consider information disclosure as a benefit</eref></t>
          </li>
          <li>
            <t>Remove definition of Authorization Context <eref target="https://github.com/oauth-wg/oauth-transaction-tokens/issues/192">Be more specific on Authorization Context</eref></t>
          </li>
          <li>
            <t>Clarify text on use of empty parameter: https://github.com/oauth-wg/oauth-transaction-tokens/issues/235</t>
          </li>
          <li>
            <t>Clarify that workloads should ensure it is communicating with a legitimate instance of a transaction token service (https://github.com/oauth-wg/oauth-transaction-tokens/issues/233)</t>
          </li>
          <li>
            <t>Clarify need to validate signature on subject_token if it is signed.</t>
          </li>
          <li>
            <t>Clarify role of transaction tokens in call chain (https://github.com/oauth-wg/oauth-transaction-tokens/issues/203)</t>
          </li>
          <li>
            <t>Revise normative langugage for enforcement of token expiry (https://github.com/oauth-wg/oauth-transaction-tokens/issues/210)</t>
          </li>
          <li>
            <t>Remove exp field from unsigned token (https://github.com/oauth-wg/oauth-transaction-tokens/issues/201)</t>
          </li>
          <li>
            <t>Change document category from informational to standards track (https://github.com/oauth-wg/oauth-transaction-tokens/issues/169)</t>
          </li>
          <li>
            <t>Clarify that <tt>txn</tt>should remain unchanged when included in a replacement transaction token.</t>
          </li>
          <li>
            <t>Editorial updates (https://github.com/oauth-wg/oauth-transaction-tokens/issues/204)</t>
          </li>
          <li>
            <t>Removed the requirement to encode parameters in based64url format</t>
          </li>
          <li>
            <t>Rename the <tt>purpose</tt> claim to <tt>scope</tt></t>
          </li>
          <li>
            <t>Enhanced the description of the <tt>sub</tt> claim addressing issue #225</t>
          </li>
          <li>
            <t>Removed references to replacing transaction tokens, and added a note in the Security Considerations to clarify replacement concerns.</t>
          </li>
          <li>
            <t>Editorial updates identified by Dan Moore (https://github.com/oauth-wg/oauth-transaction-tokens/issues/236)</t>
          </li>
          <li>
            <t>Editorial comments from Joe Saloway (https://github.com/oauth-wg/oauth-transaction-tokens/issues/219)</t>
          </li>
          <li>
            <t>Clarify request_details (https://github.com/oauth-wg/oauth-transaction-tokens/issues/197)</t>
          </li>
          <li>
            <t>Add normative language for processing Txn-Tokens (https://github.com/oauth-wg/oauth-transaction-tokens/issues/270)</t>
          </li>
          <li>
            <t>Strengthen normative language for Txn-Token Requests (https://github.com/oauth-wg/oauth-transaction-tokens/issues/209)</t>
          </li>
          <li>
            <t>Aligned with WIMSE terminology (https://github.com/oauth-wg/oauth-transaction-tokens/issues/213)</t>
          </li>
          <li>
            <t>Updated Acknowledgement section (https://github.com/oauth-wg/oauth-transaction-tokens/issues/260)</t>
          </li>
          <li>
            <t>Rewrote the 'Handling of Personal Information' section of Privacy Considerations (https://github.com/oauth-wg/oauth-transaction-tokens/issues/290)</t>
          </li>
          <li>
            <t>Removed text related to replacement transaction tokens</t>
          </li>
          <li>
            <t>Updated references to call chain to be capitalized and fixed some definitions (https://github.com/oauth-wg/oauth-transaction-tokens/issues/284)</t>
          </li>
          <li>
            <t>Update definition of <tt>req_wl</tt> claim (https://github.com/oauth-wg/oauth-transaction-tokens/issues/311)</t>
          </li>
        </ul>
      </section>
      <section numbered="false" anchor="since-draft-05">
        <name>Since Draft 05</name>
        <ul spacing="normal">
          <li>
            <t><eref target="https://github.com/oauth-wg/oauth-transaction-tokens/pull/173">Strengthened prohibition on expanding TraT scope</eref></t>
          </li>
          <li>
            <t><eref target="https://github.com/oauth-wg/oauth-transaction-tokens/pull/170">Clarified that TraTs can exceed request token lifetime, but cannot use expired tokens in request</eref></t>
          </li>
          <li>
            <t><eref target="https://github.com/oauth-wg/oauth-transaction-tokens/pull/160">Improved abstract for clarity</eref></t>
          </li>
          <li>
            <t><eref target="https://github.com/oauth-wg/oauth-transaction-tokens/pull/176">Clarified that the HTTP header Txn-Token is unstructured</eref></t>
          </li>
        </ul>
      </section>
      <section numbered="false" anchor="since-draft-04">
        <name>Since Draft 04</name>
        <ul spacing="normal">
          <li>
            <t><eref target="https://github.com/oauth-wg/oauth-transaction-tokens/pull/153">Clarified Transaction Token Service discovery</eref></t>
          </li>
          <li>
            <t><eref target="https://github.com/oauth-wg/oauth-transaction-tokens/pull/148">Language improvements</eref></t>
          </li>
          <li>
            <t><eref target="https://github.com/oauth-wg/oauth-transaction-tokens/pull/150">Renamed azd claim to tctx claim</eref></t>
          </li>
          <li>
            <t><eref target="https://github.com/oauth-wg/oauth-transaction-tokens/pull/151">Fixed terminology captialization</eref></t>
          </li>
          <li>
            <t><eref target="https://github.com/oauth-wg/oauth-transaction-tokens/pull/156">Added key rotation guidance</eref></t>
          </li>
          <li>
            <t><eref target="https://github.com/oauth-wg/oauth-transaction-tokens/pull/157">Clarified text around external vs internal invocation</eref></t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="contributors" numbered="false" toc="include" removeInRFC="false">
      <name>Contributors</name>
      <contact initials="B." surname="Campbell" fullname="Brian Campbell">
        <organization>Ping Identity</organization>
        <address>
          <email>bcampbell@pingidentity.com</email>
        </address>
      </contact>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA9V9S3MbSZrYHb+igorZFXsAiC+REsPtHYiSutmj14rUtMcd
62YBSADVLFShqwqEMFpObPjsgw8T63WEjz76tOHwaX/N/BJ/r8z8sqpAUmLv
xG5HRzdRVfn+3q/s9Xqdsoqz8Y9xmmfmOKqKpekki4L+Kqu9nZ2nO3udUVwd
R2U1jh5EJzMzuuyUy+E8Kcskz6r1Apqdvjh/2YkLE8NnZtRZTY+jPF5Ws05n
nI+yeA6fjIt4UvUSU0169KpXFXFWxqMKOulV+aXJyt7O086VyZbmuBNF06Sa
LYfH0RZ/vZo+2tRsC75O48qUMMmtWVUtyuNHj2i4sk9t+pmpNrZ+dIeJ9WfV
PN3qdKqkSmEp5/6D6Jw+6MTDYWGu4NXHrCeP0jiDbTBZ53KF6+lF3+fFZZrH
45J+vR3g/uBf331/Tv+nsSLzcTSDlqbzIBrDoo6jvZ29vd4O/hv1evQsSspo
kqSpGUdJFsGc83lcJaM4TdfRcB19nKd7xWQUJZMoyyvYSNjTDq4sL447PWhS
HkeDfnS+TMtZMoynqzg1MAE+pkG1TBuv8gJWclLkq/FZVSSX+MjM4yQ9jmL4
vF/pz38zwu9K+q4/yucdO+Q3/ehlaqrRzBRutG8MdG30cxrqXYG7CwuKTscm
g11fR69enfhRp9TsNwv7WSJfBeO960e/jcvSpPM4cwO+g3M2RfCCRnxuJvFl
lUdnZrQsoCc/1oJa/GbMH/RL+0FnBMBfJEPYfb+tz/rRSTxfDE2auiGfFUmc
6ce8xCSbutX50YYj+e43C/ggXFeWF3jOV4Qe71+e7O3uPj0GlPytWa/ygsAK
nu4/fXKITz+8P+UHTw4O6MH5qzN+cHh0gO0sAMKTo8fUEwMi/35Mv8/s7719
7AI+iAawcwWB/ss0X8n7w8M9GoIg+BT2JS8XhhBE5rB7dIAfDObDZLrE8wTA
Def95PApjUHTivb6O9LbC4sPspjdI/yKzslELwC0K/nw4dmL82356mjnse/r
tVv5053DJ3Yd74occMhEk7xQYw5GI1OWFqu50e7uDjb69vz8nXuya5/AwY5m
cFTy5vAxvQE0WY4qmOGYP/rWxGMAu0liUlrvae95X1Ece849WGqSJUg37OQd
AgCRjgaExMkfYtr/E/m4gx0O3gz6OFT/JY7xBiCvRDCJIqFZNA1sj92NuIMz
wDn4jj+LAaOAgFr6uVqt+gC3cR+g9RFgSzLN5tC0fIQf9Hghj6ilpSwR/dNj
oMf52GnRQvrv4gLeACqF8+JV+pefNxnevkXYWk+oFzXn89qMk/gc+FY4E3oc
0fPGJG6awxzb9SrX7obh3y5Mdjo+ybMMkCPcBnzzPJJX8H8A7l2AxyQb5cUi
L+DAgF6YAv6IgcVW0V7rRuXQTTImfocIWMqD3oj7hf8Xprf74w4xtI2zfRNX
0Vl8mcyXRSzHSjTrDZEU/913+SwD8haPU7PW39Vpm2/xGpgCNMtkq+T71wnw
jDKfVMG3QEvHBk/FJPBWf/9Nnk+JL/mPT2bL0WX0OgfKNIc16q/PgCmVgOUj
fmqZ6u5Bb3e300mySY2sAq0iellDltcGNmocvTcTU5hsZKLfxemS1nH27vTl
yxfBcQp5AhozXrKc4PD4JcIq0L1LojxAwIo17EfraZaLZDIx/SR/BFJU+Yhl
HHnai4f5EqQaaH+VmFUTFXvCtdN8OcYThQUCWM0XS4Kkl/kyG9PCgF+CWBEP
gWMDN+00ZZvooRdqtiMQ8uBYEPqBtgHDBLaVVTGKIUCfFkW+iKcooSyBSUSW
rHWjlYg+7hF9HgfkDPmp+VhF1azIl9MZrA7+hDmDWMOkLlqBSIgjsWwK449z
HD4aA0eGNeHXMAMk4Pgzn4AsBUQhAzGiMD/DWVWwFtOf9qNyOZpFcRkN3p1G
KDbBuuAs3EdAVaskrki84g5AsJLBcZBzHD56ToP3lcgHwl6Jx17NYpw7SGl2
TfDnojCwJ1e4axsXCD8LAxKcyYDljXARVtyg/YLeygQWno2If4JQsEjNx240
X6ZV0sPeE4DLuACGVBliP2WfTneejAFHOyBSEm+2MPnpQaJ+Xnc6r3PgUtwx
g0nQF+wojG1ngftLA8McYDZjA5QGDxe2qlhmyJeoH4BtIJJd2FzAm4JhhlYK
WwJQvUQaikdhIaTswxwBqrI1gNkizddzbh9n/jST7CoXrJS9xNd0VpMYdsAe
LzzEE4apwzzLSE5PtQ6XIL27mWADkE8AkGHOAljUgwAKHP0MzlQ14A0yH+HQ
UErPoqukqJYEPgBfi9m6FCk9KfOUAAwoNTaHVZ/hpO3PLp03jqU6XxhhAx4U
512A3ywaGtrrIgelzANYhCR1hQhbLhcLGJWkCxDZq3iEQyyK5AokoCm0IHT1
XQBIgVA9SvIlbkIJSFvA9647kIUBJOAJLCpHmLV9yip8RzQ7k8VD2OBlZvEd
BmQKA10Ag0uXY5JivoKT10cTHATuBRAporzwLo6uUOyPlK7Whw4GxTCBR8Wa
VwTz85RnDvtX5llsv3UyRzTPx8nE0nloEy+nCHXuSzjmCcE7a4PYN8ExYMKV
WW8gY0xpvGQZs2TJXWz3O3eitAiUgFU0GiDPcoTEBWGuSMrLEpW9UVwUawSK
5oId9UXdnqGmNlcEMgFmO288kaiEb6peCixjDMfOtB5k5pIpG05siPwDZ4Vi
Bm6ePokyZAY3UTxH0ms0FU/7tqkK7ADRd/IfHRK0hXbTBJEZ0a0LEAiImJO8
Bs8AWElvA4pmKQW2OX0XxeNxgYfU1ospurzHOJMmP3NyhMyV8UI/pb0Dqmc+
ompkz5QYmCPssLkoCuHEANZhtfDEj+WwQ+NNOPIYgWUDq4riCUI700DkcKmn
ZM/zVQYSgInnCu1gucTdBOxhvjHRkfBkxgAAJZ36MEbEyLOQ97kjbgOVgH0i
YI2K9aLKp0W8mAmtBDiqaMO6TElwzeO26cL8xgY/DUlNiN0TnpzatGAKgmSI
Xohdc5CCcYuraBYTJ0CZLbY0lDkDHstlQKiXFZJM+s5PQy26q4gRi0qlxtxS
CzqqES1k3cACmlL4JQkzyHQAlas8BZ4UUB8iCAZJkNp7OtkhgC2uKUBmLw4N
1wEfNqh9dzW7PSUmaqoe8GHcOGS/HmyFq23sfgJMY6OchdLLm5yJMox9grQ3
ox5gHfDxJVBiMidEW68/nJ1vdfn/0Zu39Pf7F3/74fT9i+f499m3g1ev3B8d
+eLs27cfXj33f/mWJ29fv37x5jk3hqdR8Kiz9Xrw+y1e29bbd+enb98MXm21
CDkoGebIq0nUAHkQ1xyXHRCnR0CQ2Jr37ORdtHsQffokBp7ra/4bLSjw9wpU
Eh4qz1AoxZ8d2Ks1HqCJCzIIpkixFgnQOhQkSiTnqyxC2ZJ28dwU8yTL03y6
7nSsUfK4cxwNnOQGTL+KhdU6ts9yDb5mkHP4vFiCilqafvTiY4wiaVnn3kym
EWDhJI2gJSl9LLOWCNwwIzz6UWQf0jIBUYu4tOYU/84CHUiKMUowoMzESH9K
4qwebnhdsFYyJ06BDy1EOSjXQHHnwtPKGa4wRtFljlhjiN876ZtsfXkqjC1H
2ciwpCo2SMOHPY/XbrnxRumvNMixlPgHChIsfGZ3COa0yrENqrJaMj4PBMJW
3klTGBqhSgImViBcLIF8ljOr2KCwjPv1wiL0i2y8yOEVb1rL18QDwvFo+24U
sWPPwjYqUWonu/TaExmZk10YUzIl5cYRChmreB05DaiMApzC/r4/fX32ItBn
AK/+xtnhVsm8BJ0aXl9fw454CQW3ArddIELxYMuq8VMN7LzvJB4iMlRG6wym
JrI2pUAlBG7zOXgBTGQ4ls+iNJmYKpkblOTzq4SFgfl8WZG4HYgFQyt61aVE
0B9MQfp7U4hi2Qkh3mG68JxlKEWp7xlG3QpQ3rHSsuOFWrgh7duekd/11o05
k+N9eH5+ZrcGJwaTsSe/SfIR2auEI9DcniQwOhdSqzyivYgBG4MelmRTUG2J
ucziKwRVmCZxW+MIDUyRaO33VmBuSvt/06mJPhulbmIAaKMHBsASONngGdWs
AEqIZo9XoRwZWrJ2JaVN0LZiBcOUCUSlTbIr8IpKW2GEU1h5y2iYR+wEeWqB
aygdEjeO/8GDurWb59UZtM5WiG44W4I84lW6TRdJCKgvbOAgM9Q4oR/Cx5jK
O2MHU+R2dLKy2NBg+3k8BiY4IFEkJgeIXX/7FielUEuS/JFH8ARads1yCICR
ZTomOlhGGeh++SpFS8kkyUiYAOZUlslQ/BrYCbn/lC0FJ+galqN8QdCmQU8f
FvskWSrm2bLoCzjMDAGmCrIGuzpYR1uk8TokcyJ2EkKcgNBehahEh83P86yO
FNV6IVxzhF+gdjNDeVapRZ7oMpKSyUGYhle6nCHvKqENYsoGr5SMLu0dg47m
Bp1PSTkPpFxW6gkr0ZcGWKnFa0aq5oB+UtbFW4acLgQS3vmGcC/Ph2aSkziU
jUVBQbFaiQc8i2ZD4aL5kEQxzUXTfES2NWH1pEUkju16/kVSeozoD3oZUV5T
wNGeNjHdAg/jCIlHIBddJTF7o0iWCLrp4oBEWFH1ZLn38Ok+bnCDpUN3li1Z
NQ70v5zeUD8MFKUVVJEoh2yEucSNXGbbWjKYFHoTNUNVuZxMUBTMKodu0AoX
NjWZIQiKPaD3WVHxJMtTFBlhbE8Re6F9ELp23GEzlJD7UJ2t8Tq0qhCtINqC
PG8cMmSynJG1TE6IP7ddC1gCk/5JUTDfAxu2HBpo0O8S7qSTngwL3AuU9mq0
LVY08hwQpQhAnaiQ28H6lGHbBmOk0KT3KQlEbyCoYAilbh8FW2nfvHPR268Q
KBMxR4tGNiVJ31kb3HyAr4W2A5JzcPsas+oGBiX03c3JFeYsS93oA3LowRRB
Rs1fmVIDGEPz6cykCw1atD/hmQhk4QcwyiLP2BoS43TwdCbLwGgOarzAJ5M7
3w8dEq5Py0M4FjHTsgYJgVCXVKVIc2gVbJqvSk8jlMxlBbdxDr1jtApJVGTN
tyZGGokQjvcDSQOCeVU60uKxhikIAINCQIJIJUQzSpvSOP6QBcwcheFUeNtt
BBp3jECCjPAsBaNLYGayZlvlTXTrxdXEoX2G5HPbQcteJc5mItxqBDraMlXu
KreUCdFw3AACMJzkLMYfXljkNbIyzOYBd76vRMGIPj2orBmwZ7WO6zqn1rLh
MJBmo4d5JgbVMQ8JaMGaQxGlsO5tZsbIXUWVZOo3NCzDkRJr8dGNoxFTm6Vw
zVnDVQQ6pnAou8eCb0AF8GDgY3EOhuCybWElpM50QOpwFBYBDJc8oUUiM2Q1
rbKH6sg7GpMYn3X7xMJd0J66JbFZmLs9iSaJliNHPABZw5hxa3/STC+PaLil
/LJaMnes3SCg2ESW2IihjET5EreEdjSYy5//4X+WEYdLwAhuymQIVLx3mLAg
AwLCz0tAWzjvOYA4+ZIJDcjfQWDrl+l6IyzmlZa1NfnF2MnUtoHgAqWfbNqz
5i/r7HMyXzSMK/gTgWYyAeIIQ8blpRU9UxabZ0pedFrvAqQpoPIhMWiH0Agg
KU21LSUOsEix4NKgeORQ8XqbMPcZ0LwJ0kXYJyVeKzyFfaGIqcBArm0aaOFN
03zFIO05QF5z8YKwhrbougbaZmKwNNZaeTWqiokBYMfAyglt1ptYfGFSc4WK
pvfGsr4ZV870kJR1U9Qkt8sZyu6QTHCmFR6/QV3v2IK9h1ZpTQuz/gHScggq
URJ4E+pT2kyQJgDHFJ5awHrm+ZVhYzAMMkxjINFFPE6WJfZyxjgSHBcJI01n
lJMSSIexB0CSeeDuYM9fXblGR6s7TD5K1wDwCG0f7vBQ+rgVbrDL9wZjPkds
SSGB0hvFkD2yxtHYGsLHnMImaPrajw1ABGq6xHp4U7F3fZU5IP/Zs7evewAc
DFysnS7ialbWuNkp0FmyaeOefShjijvNV6x+PovLZES/gdkN8UdvAj+uO58+
TZIpGQZ79Bh0ETSnM5mhJxF+iMAPj+veLKIChMgco+G2VXkkYZp//OMfAfhH
SQIDVR0OXtrF//y6F/zza3y2x7FN9Vcd9+d//POf/msU/AMPeje/7gS/4L/O
JmwfBK/9rqrWT1Rrq+q61vu6c6tjSev/4ObWNjX/tvW1mnnbbm141YkaHcF/
/0v4+CC6kldHN4zS2LqN8+PXp5ne2cZr65DZ8PrOi7/TCiO7wvrjKMrDR4/x
Ef5xeOunnzHWv5e9BATtfDqOHoS0gKP9vt5i4tESzzFQ7oat605nt+/xylmD
GvarkXNtNnQOL180zFEqepk1k85e22gNWwY72URTDUcjebgb6CbbSgbud/b7
JAZC06oMJDNiyt6C7JwS2mfdsAuT9RC2KiuVPcvanYp+5yC0rKkdFNkC50Dc
Edl31ozoCo05ocgcl+Hi+53HGM1Uc1RAxzawoxEthpocqVLxfKOSTL30O4d9
ZJegp5OxuTCB/aeufqu4CqXOhyc1XDu/G8KR0rmP/FDBKM1d/OJR+p0nCtJG
KdnDKOJRhovFKlEae6otoXxs87cIDbLUqZMY/WZSykFn0Ha2aKfMjA0w5KY1
0ynq26KJIv6KPjFaFoUhq2yoPIMsuKTQxAUwZf7Ua9ok/pMYD587c6d2igOo
s3moaYltmFQDxbxNpm7xUpGbh/A/iGyrK/luPhziN8tLtB7bow68GnTqZKmu
25LbJZQIhZQ//+m//flP/3Dnf/87ttqzNPfzmt5Mv//X7V384//7XI4S1V63
yj0bGQ4+v0nu0a3/d21q/+MuW3ILh/xT+PX/UTvxz42+/im6oenN//5TO/9v
iBUH/kUgUdUB4R//Rf38v58LCH8xKeFzN/iOuwSP/vFf2l98hlSGnefQ0z/f
fdSWF7/kyfz9v965/P1Np3Ib7DaFO8dcRL67A1NC6e6UWcs4iadFPEcv8ZXp
RkDgQYF+3Dtid6YVEGKyUHz6pHRNDDz5dFxWQGG/3toVeXHgCf4YfRgga5nS
2cMztngFHM/aftusvcSuPCsOOFoyZ7sNCzigy0+nKHXtMf9qEaa8RduUlmWw
cdUF4mTIl9kJp03SDZeDjmm8wd0eiIs+qDlfWGHZe2RqHndn5C2d1OqksjIU
NG3offYXlmvFwFM1XS+0KyOcSrZB+vw8yTYwi7ykfe4MQh9hHH139vZN9L0Z
iltUx6B4HxmaC/2XaMCKJbRKskgBqGlx3gxn3bh+18kPd0XZVGwrcTM5JpkQ
fTaSQKkdETN6dG3Rzn/lnKUX1XpxYZv6cH/rWrA+INw7H82DfdFkoPnHjIb6
9U+r6gJtXL8166iQGFTnOYFF47ow6EPs4UPOuMgLFftuTaOMjBeXybg5M8R/
NDdVH2lYWeA1n0eWZz2XAYwxRxhcZiehtii0kbPk9hNIh51PRCS3YE+2juF/
am1bXX4Vp1N89f5s7/GhfQYTxWfOOVzA7vdgrVuda004gylbuinhoCorXiaJ
tE0O9lk+XkcnaZzMy+B0R/Tomh2bLfEP2IyBqnQ7wCTDarQcD2Q+JiQ3d/AD
7lTbmzlypgRCupK3NqvHfsv5bhJ5MDQwIMDXRVKWFxiCZuN9Gd7wKTf0fY+Z
znvsSdjx5yA/LutWw6YNOgzj912LRnYRL8duYBe7VINO7vsyy1dIAi6AW9AK
bGA0U3n2vWP6WqtjaeOqsEecRK1HdI3irLobmnUlyoGha31LMENLFEOk6ZZz
qUmY6IJ0K4nGb3ZtQbptG3E95uMiXM8L9Bytv2RrAK7DrgbRMkt+Xoag7ZGs
1tsZ59JHe/09HJgDYw52j7jzcjnctO/oqGAqZ/1igBjJAl1QrYF5Cq7smAf9
XTWqLImAhamkc9TyelQEpmWKMhTvbhj2+ybHZNwPWYp5wWEONDvUaHGyFlgU
Hm5clvmIZTDi/lWIebQj6IZpQjfHmbjOguPyy6XFusgjnmMkKZ120S4UxPcl
spkDJhIxOMIsQHfKma0Eor0JgOeWifzAvyirds3ZewimzkIhoQcvUZRqBKFE
QHIxBoEyLnG4T5+oOyap19cIjqPqo2yPS2QAkCRGnou/lNxqVhwT7iyx3ow+
TvjZmN31GTOUjejJFzTL4o6zDCWKMNerBoPtUdh3n6YuDRNM1fz84yoNIA5J
E3rEgPgyzLDMHgZZhT5SNbtadM8D4JZnCno/PdBHSjxSgF4+kJhMzv9w4Z4q
PpTRKwg4TdjUlYyWaVzUkrQs5Jc+qFYhgCSFNsC/9PSHxZbWcNh5PjZpo30j
H5B3UWxnaVJReE/KmdElwGRmS+CMMT+eTHroUezasFQn7dmAW94WjDqE3Sdn
O+0wjyOckC3JJjRu9qNv8xXmHdRCa+vUtm2ZmyLUUcarKKhpnAA4G6c6IPHA
Xq0Esm6LfWQIeS9alIRKA5TU0YrDxBzPEnlV0BxXykgnlJS2ndBNUT0TfEMx
Ji7jBYiVoxQMAkpn5bA778NXOXwuq0fQgFPXQiQgJBWxtxs1sm3wY5XBqfXH
MJuT9Ctn4m3XMzkB3qaaiSn2JhS16fmbkyNaRpcwHQne8xrSzeJ+7ZA2Z+ch
Mhw35X9sCxL9JzGZbCHpSkglOHza33282z/a6+/u7W91o0ePNufE6nXYnhDc
M+wIw4e5Pbn0gZdGWFTDfkeUBbWjLVuvawu/dY+jOZfaUJRm87jXoocQAmgX
nEeCNqJ9OyJUdUTYwPnjG9gml8mJHq4w906wnrsZURi/xGkNKQSQe9i2kf5V
PuVwKpXsAdgUJ+ktfLjGhCManCfdyMup5YCSJyqZx0WSrn3eTknRGUHljhty
T23hAvokq9yG0V7whgEp4+pe1rPidg1zUjqd73HGEkQrsM6t3caGTF5ojo0B
CS0sIkdWbd0QkR4xxjpaTSnNap+ZubWId1ZTlOFdvMdw7QnasrQ5MYFHEKaa
wJmtbVSMT6X0scpo22vEkCUcVyWBunqLa2u8USal82H9VvgpU7yw4gmcLeGv
mlOCYDcyQJJKfkfCqlj7NIGsGaG+gMZV96BxVY3GMWwiuXn24fdMmdyigjox
2J8jUwlmeGOj12cvz+/a6udlTGiC7XZ3du7abASiQD43xY9YRwqnjs3coTDN
sJIAx4639gM9TU2OY384EwsOPQSua1J8/LvTd1tNuimGGj6jZIroTpaOiMxR
IAVPxL6DZhcXAXUHmxSZaWpRm591mFvwJcx79/DJ4eP9w729Q1wUcBoySlFo
WI+LAPVldFr1FqjuvtXjJ9wKlHBs9fRo5/H+08P93tHR7rh38HQ06sUHZr+3
txPH4/2nT0f7u3vcC+ie2GC88+SgHBfV3v7BpIxX+wdVsbfPRrMtFvzxq3iR
SB5qv31exOO0Jf0OckWnzrBvZtdAFrXG04SQGo9uY9HXvHQUhbci2mTMagPo
HF2WvOYAu74At74Es74Ir34prGrBqVaM8lglVtEa5txgF0Uz6NZ1YIXnPCsV
6mDFxhXJDmmeX0bzpRgSyKeEEdALSUyEM2JSj38I22OKv7IZhIt8sUy9HUWL
wo62q0QDH49iq4aEjoQgcSpYSfCGE0k+L7dLpb00sgrrPi1KLbNciPmkmKaw
IA2WrvRCuZ+iY1usLOrYnJr110e/o+pjXU/p2pr8xX/mg7JsgA33PTGxKObD
pU8kQyCMrY1obvPJ2Fs0pOQAyidupiVTB7Sjn52a/N7HlKhgceVv9HvSgEoW
f/4NpPz5RTfzFGEHqZ6JSsXUWoQKwq+90dDDcUxUKdTbmTDS19vv0eC+qJmO
JCGoLa/PVRVzKYNaMhxa00PoGMXAMxYV9WFY6RL3mXUmSU+joCv/3XsrClOW
jQ7wcpizqSG/rqf12y0RPNpUszU4z6RsoBJ5gRrTDPxAsgHXLYBZT7sJ/Z+Y
o4NkDZ7m5AJH24pTYh5KmFqYlrXdYhWra/kK49He0WI2JD2EDiZv4AcniotA
j4f8Oi+tAA8jmpSwvxYUKNL7xl0OaaUV8AvcSm2Zi9nN5cX5vkphTNdiVPHQ
zp6xmBpJGh6w0ejD+zfRxbLIjrFwxjH1Vh5TIdZjPjIqCQ4n+CP9vLDppaXT
jjZFtCGV954gjnBISv1peBzvFdl3qnuodLgCDzU3vjK92jzhcIt1djcv3gVK
Oq+DV2cWqrht56voYgpHXpHUcaEMwk2nCVYVgclv2E7qRbaTdtYmjpMzGv0p
CdbDu9MQDYMj1k2lbsRuHNitFyAd9saGMjQobYuBFHMbeyAplQkJ/GzeLp2F
QYZ+WG7z6N7oSiJKrVyQJcBega0V87twtJwh6Q77+TlwyYvn9DALqhv79uCl
ElJr6wsTphv283mcZRyC4z2atk2iLOW+Zk19dpyzU1rbaPiad4eHqjfk7Giu
Qj+o59aKQt+s7mXh3SV8YzWvb1jH2e5zZ43kWioHgtWabHSIwjOVsxoctUxr
mdl+lEHty/tbiyQmUQFW1IKFA5pWeR6YcjCklSINkMJZe0ptF51hJfQctx5D
A7ZuA17MfxzZbEc9C5euyh8rVaVtjgsVSxJaXBSjUgYdzR+a8ogwZKZpgo0/
Cpu70G45Kyk5fcyZ2ELzKEN+zU0S+OiwJko7GfhRrHL3GNi/9JthbX2Noi42
tZstteJmQBTw29dthJmhWwqEXRdG5y2JOsJMNDh0eqN5Ly5LJSB6BUNS7lFw
wrLfOuKtqleX9M4joK3kIvaoo62DelMeJhMnxmIG6SBtwAbwl3zsMlOwny2s
FCiyxqOPvdVq1cNZ9JZFKh9vWZRbYKmDBdKs5GP0zMUQMFe1ANowN4nCbAW/
O1ibWkTdfvQKs3SHhYkvSymLOaGyiPE4HiYpXqrApiZ0QHTevQUUfOSlTjFp
PmLUdZQQdZhHu/3dzrc5XjbS+L7V8tM5YTNt75yuSrl1+zodLz18DfzsV/sD
5GjwP+Zp8AdxNfi/FxDgRygidP6qjXve0p/nk/jDcsrOX1lJ4+vW9f0VSRBf
a0MRPNN06Wuz/m42/GaUvE2+e/nhD6e7b5LT8nReLf7zSb/fvxz/p59Ws1Wt
zWfPl/MX7JRr1OrrXx09+9XO4Fd7O41/99ikBn9AJ/wkMK3hi70TfLGhPdnU
dHO0reFv+P7ouZ+K0IKbpsJUT/f17MPvZQIbmrAxTTdBo9rNbawxTbfa3dnx
c25G9jlFdKMJSzBPYvvORLLhd3SrAkYt8NOeP7jSRi+0MEtP1UMpL8bLTZiW
4G0nGKRzWjkhByuzZGzysCGaugYAMdeaacEG/+xjizsps8rU9t5MgJvN5Gti
3Q+Tvul37yCNFtxWuPc2F+VBBYu6QRHdVwIJV0EOlJrw1Q1tJqJjf1aX7VLY
5o7Zwkr9x9PC2Oof1cp4MxDxElFKA/6GJxZazXgizD5K6wmV2j6iP2wSj+sw
Y6NmcIsks74JkwiSfg97TfBEu4Pn2zgTKtjSrCmDx1EXxghqqbalFCkoJexG
9YggTSrapgVJ8FB+fAdwwln9yLO6EPGlPtFAmwmVWLYPs7BH8a3aeKpiEzfn
pFmxV5pa8JpQQRuxKAc+aDaHOE6lK4sMXr2SlMqktDE5mfNpWmmE4wPd6/oA
FMPjyvvoHMREmbFZl75tvbXKJzg/VwXD3vdgY5TwNquSBDKsvNvokoakAFxW
OqgiSqX1wtqprQC+pP5dPSCREnCxFoWhvdYtxUDORUMzHjEIRkNtCD3teUbO
6AnXDyYTGJamQAfwEq3VNF8Kh5UM3LCQjFUcYKZ9DJJr1gq69sa56TIZc2lh
KrPrzDqGg2tDcU6ExAYQAx5aGJYqPhy7zTj/ISBhbxkIW5HfErseOhzvjv4b
dNV/G0TATu1HXNOFCuKSWSZttP8GssBBLEwW/v3hdodxuuW0mkDEK+1qZmW/
ojsw8OGcuaeqn1YPdGg1ab9zBWswusVXgXLRFC06DNAP2nU6Gwp3j8NiwoHx
tNWgTUtxcSBcWCrWVwoE5S+9kyFYU+ktnt674ix9Uouoqkqq+oeo3bMVsrEw
UUuJWakohaCjz5xKGtg+cGqokGMVblUesBn5+JUXJxr7VMNFXTqGSbc9v9Jm
LnVxj9jszCCjBwgS8IxDSpnR2tb9Y7htdR7QFN0tQTUQL1ti6AOT7easj8Y2
OGpCNJ+jaKw7QtIX3E7XZ7q5M5VmIiUWPJd0Rh2HE3rqmoeeur+t9Ff6a3h0
q1JKplkPoQdkNhsVBeIxz4r30AGJ4u3tS0FuFu6LuSG7I5RZHT1ABxD39HnG
uSZwOJRvIYNqACd6YY2rwHO7eaWYe6IOzQLZ6XN1IUfeankL5HQHUD7HqbEK
6p9nSrDqeLuKdLGyyY0QZ7ATi8XcYYv4z46Lxq4qn2kIMWGIvC210Cg3+hVX
hGsaPP1I9j4vf9YtzlYL5BJcGqypHrp3w1icROsjnSWMw+6CjgXesCR9McuN
Y3kw94xBIvetjCd18F30IIZ9X8VJKjXnG3OSSEU7Z1rC+LMmb+v+ZxzNINkz
9DV5kTasqmsbAqKSe8PFtLR8Sq4oXd+Og27DcM8GYDiD9F8AMFrGugUwqhv3
troBMJpj3XyKN4/0Radop0BHc+tB2q9/KfjVCyK2rZMclMOfO0EdKog8bs7L
1+fFrkQXClwyvqAhDhjU5LO6ms5kZJnIekyaySBtXvIwrIIfooLTFg7C93w0
2JOuSV1TEyQKup4DyfYylZLd0GrqvvA3Pw4uyHXgNMUku5NRznKRC20Jro8S
oiRqrLYVg2yL2iVNq1u89RuczLVMA3cavv6r2s6L0CAoyqMrnBwUeLZqvSmK
vJBLU/DPIKanHkRlLZ2PVU6n88eE7hcBkM/2v0jEkPKuWLdJtLezE7397Q0O
EYr7xRuVTe+Er9w5hmF7ZYV3unJAsD8fjL4EYOGg1Mbp4du7HxR3ogEH25v1
dyenh6c/peko+e5pv9//WzNeHRYf25PfPfLcYCPnT8RI/npJuQe1m2Y3Coef
HnCDXtiAwkYlsr9NMyRI09U6uMQn67wP50uX/6ACofr+tvqW9hYWsY5YcOWp
WWMJfoxmxCy2FCm7DxcJ6p3b+nXNIvIo9VOYYD5disYw8JJhMI+wQq3SqzYr
uD4cqBG22Pe3YZWWN9uibheUp3RB9VLmrPTxFb/Ms+dzkKrl+JAwZSZ1N9zW
dw22duZi96TfLt7OTlfxMBk3pSNYMOAIq63hpSXFWMLKdL7yfv9AMpbxpnJ0
hgyqQNEjFrEq6I4THgjYC97YF+32920y+cEhh+hhwznGpKFlgqvDlsxUGnsT
Lo4vhmq7TQGgTC7WKNdzECcK0Dge0uVSI6wkwULItkQwUk1w0RHaTRp0JU6S
yYYQgyBSKPnpe/tYViDwHBC/xVU4R7aro+hrPMOW0j3OsA3Oe+8aSlHoKh/l
Kd+Y5S86q6+kPl9P3xEdFH/0PE3QGo/mhNc8aJpxTjx09J5R/E5wWb0c5NHO
Y1y/q51U6+gDLV/oDo7XvASLCUKvSkvqiO7Nst1h8Y9NXdMhUJSvqwNTtnRP
98c7ewvG+cJKwlHQWoYlrAmCmj2sFhWxqweymvZS15lzRin8JOcVO6fUvZGc
RI7Cf7RcsCQ6D+s2KrVS7rjV17ClqVTcsKI/7QKdB6Okv1Wl5LBkw5fscR3F
oY1UCm56I98No5JVfRk7qXNbaGUm5RibBH9p4yLd2pvKumuuqjl2vXuw/squ
j/yENA23rrpXAq+EGsfFmD+7GGj734Wdva7XwbGhZhQzxY3dxTM6aNRv+sTj
qFzaxGLvllvfFg/dVjgIIdBWDxrUcvDdrTFZeCZCOKhPSsu2lbdcXvntW6sO
xp6jTE9P+8ZDEw2F2rpQl/NZPTtVb/AwTAPYaKr+HVtO4YAam9JqpW4aapz3
lq2waPKRe4osJsldRZQ2CrB9lVA2hi+WVDtnutMnsOi64bshn8fJkJLxu9av
gWmceSMvivy/8wXstVmzVp+hzYapnZ2ql8D3gRIQ2RMpxfY0c6pel2yGoMlx
BCZXlSUt1Cb2h8CilYOg1gzs4orqK0jwZplHKmSar4kAzZSrwdtCBuvWi3Nh
hm+zUQPSggRSJqR0FPWdd04xV62UotXsbZ/jpiEkMMwlDTt5e122sYWYNZdf
CCYRWOaVzCcc+I6uhA6GC8iNnydi45V7ET49sG+uG+o1XQXwni6o+PTAX48y
aIIEkIqEL8sjSZQauqvTB3wHRf2uB6RCjEQqbDLmG4qdrwKl7RwELRfF6y4o
5uBd79RATUpK0mOY/7bzdmWRvbqNSy2IGR2dw932WzcsdbnESBi+kpIynMgk
QOfjNHiulEE2gTbvsHXT2fJoN9dGeqhM2tt8XQUzBLsL6+ACDLfRNVX406dl
lbAggS5jGlELsKd+xE8P8NPgRPnu91LKKurc+FpIqC2zzZeFBnfax0GtnPOa
sZ4ifJrRCIjlwqPTfDptJne7IeS+bFOqjQnuO0SEULWe8eziJA2L45R6Ysxk
fJW7m/1VGFGqk3aQUtVzdjBPimBS+SocKyM1VaWe2eKKCHyrJANatqk+mMtx
dGXAmFPTJRbO10TxtTZGLKja3bfM1QXm0nu3GPZ623H1tPGSnqGhGpjGXdPn
pjM2I7w9Ziw6IN+YAYzZoGo8opsYSR2Rum89xAhSAH38RBzRQULTXJQSkRLj
KbrMqgbgc6ah3ORHiYbpKl7jLDEZkQs+J/r6Xa76ThDmtspeCB3u1y2HSymI
Wc6XK49RJqwMo1sQM1d2WBMS25cNW3H1FFTuW3iLedPaaK9jtK5WLVwq5b8l
i1Tc2G0BiqBRnyVIxWqlMoIbrtoJmySU6SMRG5EzYod3Qbm7o4PNcE72pv2W
r/55EOqCHGMwal61WZ+OG1iHfgR3kTUuv2rkh/AFSrUrzJLQTRBrwU2zJ4RJ
6BFhrzm23yPd2N4xKumxKHe8N2W+BPyx5gZ3dx6jP/+u3dHp9kD8vu5GNnvp
jsUnFijk1tPECkrBRDn+ioREEpEiJDRRPKnqt2ERefCC4SCE5+C6Uw1dnCps
1jatFBQLEXPHlsRUVBtERWaNl95MRZXkCxt3IZePUkySlUvpU6uzBWu7cmpB
l/N+UeLrhp4jEkZqOaGqLFZehCViJGxO3xfmwSwYfEVlkt1iiWyiOrHAXO4C
q0h0sfw9Z02KqGbvCKy7DE7Rnky38uJ62Vp0eLjH9p4ymSdY9UwZhjzZWS7Q
7sFaBXWFlGypKqCELN9dibo5DNqMMNgsDIM+DVUPHummfCSXV8nBSJSR6tLT
2oOEnLpQu8STW1Exn7PB61fi/mRDsNTXjYelkWgRRCx/Av72kMorZi3XFm4M
nu1uDKjLOcQizOPKa3l3NsWmVuLP1XGuUXvvzu24onoqOuu8cZxB3bY4VAlJ
i4uBeoix4udlUplaAboWCOEu+Qz4AEgxKbeZU5EljY2f/ubitiROsRNxie15
nMVT3HCQysi/wp5FW0oSuQHtvqu+FF5RHUZmB3FKcZAXBRO0gRTNiwdhvj8v
+Ya7lNAYK+s5hyXGi6nkufYwGbFLwCyeW7FVy5G400uqulQk+bKsYWx7iJCV
XsRZZVPDbaEtNmMBhDS8HgVaq4GYI3+kTCVr0q2VykBvglxTxowIq3wmGRAV
azxECkmjVzNky6jM5mJgHvPd4RgyhwsKhyJdmsuOcxEJe7dNfUWU1wg88a/5
ap8iT13SmwifVgoagYJGDC7gPmzEKlVNLtNiz7euqDm0jKeGU6zVTY2oM8JS
u0rRafUWzHzZKL8HfGSbNtr5xe0tNPbKXpnsxpaCJQzOYu4FqTS4y070txFv
LdZbQ9qTSkZh7TwYTxxEKlfRuath9wo06cKbEx6evzrbtjblYBtcchnXsbzZ
qVTP2Fe+015KI5be9o6RE3xMdZcE5pmV1jtiwQJRB6ECCG4V45Uyic02vHl3
CV2d6f4k+O6dU08AhZVEoMNW2nWM2DoYE7wP8Ipi3hIkiaO1u4URgy7gN+2c
yWaEDyVQNpvgF9XIxtAvQyxijAFzFqCwBl9mWlDL+xa5bhv1HpGnPZjHJBR0
wmIoZQ1qwg0Fac9W5XHF9a0AGgCqE9ho+Hl+xbWcubCI7F8fs6kDEdtWkIvh
ELKEm7hLGli0pWDcKebwsUDGLfxG8A3BaGygYTlSpWWzHMtrX6mn7qH7qE7i
4WgSicXCS+7b/LU60C8Oq9C5kjp0JTSJEeGGwA8zX1QCYHJ9khTa8RVa8CL3
QO+84XitOGYLz7f6vTnnNyC8ZONmXlGGvCI18SULUHfrKXLlCusRWhtn3WJF
D9h+EnhfVWkVqoSCtzK7uykaFgLCHDmM0Ae/qZSThw13V+c7iSRHB05rhLnE
Pnj8AeESKQ7tVutFpN7kla7bqoPYcAOnELpbxRoXNSNhIGtMax1nLNRg+kJB
bM4CrWpsRuRWDi4zdepQ20i1qo2JLzLareuN/vZmT3B7LtTXzcHuIF9Fi94t
hCQqElWrtSuVH6S6Haiw2ThlUw8aP3u+np/dzHkynVVEy1AWq6rQhhNY/4pi
rSviWmupv3g5KFA/B3GbjJ+oZ8YtFYRdcgtap1QNVJ4RHKZ4b93ikRZcoQDv
b79jOherqxu9NOMsvd1gYjJtojQs/tjYTLnNHMO6nVIQGJErEvKJ+FrCbI+I
GQYHUjsJiKR8LhHmqgb5oyxM66ETtt7NA8L4hxedvJeLTlzoor5hj25BCa+X
EJvmOOebebmwF4gY8TiXTNlLfX2KtTeWOixtd6ePcWIUmUbXAYzlNgBrp2+9
ZNOg87kejnDir/zRvMVZvFgVbVLGuowmNXpJ7A5dwl0HdbZwBqlQTduictxs
utA61A8dfWB7fcFVChtAGFxrVF+/jXMICLzObEoa/pD26LLbd75xAalYIT9n
2zdcZWop8qZXoVOM6iGQKCKxv2uWDViX7m4QIjYVI1GXJzaK+ZQGQwp1uF6z
ZycJbZg6OXiwyNKQStnjaQA64R2NJJY1jidBrQ4ETncqLaBm06nZpkaXfbBJ
Dq8yQNtmcgW0E2uGWUvmmuGrdoP5hgvQCYDIrM/+PmvpLgNLRIXxM6T+l8sS
DbD2UslhwUYo7fj0JgJ0fwI/YZNnTUZ6hiaWhDges54xXesTJPVL8TYJ0wr1
PXelQ5EvQK7mgCViI6KmW/3TCV9yY7vMI5m0Ag+ZueFDcTJtcoTZcB4HM4Cw
uWgPDHZEV6nmo5MHWhhM1GKhF23I2d/g1P6AejnHRiGAjSXySQcO+Rj6IDTn
OHpmABwKF6LTqtKU1unq6/bnciDTZVLOHO2peQVsWB6yfWJXNaIHgNlQL7sb
zHgt3bVsWD3GpS1Dt6OiS81HOEuUw0cwN4YRVyHLe7eqjX31qfREW5aqjqwX
H5+qkmlANiChlWy4hCAjZvKBSxIfhw4d4P0Vc4AUmfPUCelcx32taxkC3oaN
hWPjJFkIaxm2FKs/Z6ICO2efcsSBJSOxuXOZeM6YCe+KIQXZGQApXtIJhdbD
HPasL/EL++zbZFhkJC3z2DgN83FhoeiWadjeqds1e3a7nKbJkKiyDVvKyCaB
6T3o0cr0WE1ROapdMrBP1jLqMMahx4g3ynbVemCSF+DDNLBUiXH2NffYJupk
i2WlHWxKfyA4Yp+RMhLDJMTiReUBmXwt50NJwENuENb7Lv1iOA5FqAdatrPm
xIZmnWeiSbVPkn0ABFnCS5Bq+wO0nILaKi0AeqtFfW66zqN2Bj5lXq4DB2Rr
5A1ykT93QfuEEpc8yyJxW03m7kFJD6LnOktaidxcOkdlZOqYybCaJsvqbamn
SUZFCXQZx8atcVIk2weEUbDUOxSciqtNzEpCXoKM3vp1E2RDYJ/pxptxbrqn
rREE4F3kcoPgtVA5lSvgYjeFOdH95Gy3JwVVqWpBrWUKzAR5qn6xuOdRdwgE
ajq1/XzspZTFFYaCAKYo0zILkad6gIB1M1jhWQx432XHYU9c/DTlv/TsJHsj
aSHR1O9AOIxHLaFv8oIj37616j8A0js2nKXRqWfYHbnM0cf/2YNtihHeKEsD
wrcL26NWlB6+O90m/7W8ROwTyOY46uBT+BZv1MiBlPy0BMIA4k/ldCkgQBQp
ic5yIeKtplebbJGua8YQ715Ud+M85BJi24TUFAl+25IEYCSyb45QNjRsWqnn
euhFSBV4KRIuBrNX+RT9fp0TC5wKx3QUjISLXZliCJOYi1RKIqy3d9ogKSGs
SC24J/LoxZfoTcCTPz31aRLtBkos+g1DUpghhTcCJ5s1yY+90Isnh0hJ4YNI
Dsl9l6rsAtYSpMuGnRHENFhG6a/uYhlnkJIDVaQrbIHBwIt4TbSglr4WzsZH
cDi3ig/wIjM4xiSc1pfkykzCLkkJg5EEDAmkVbFQ3pTPzquePvXX92dje/Ep
bryzTE5NJVMlBD4dvBk0sRef0j2qjar6hZkmXJ4Le/apnCr0wAceuki4LaZE
H96fbiFH5E4KJyLIa3epbbmFFAjm0KcXff/i+jqyjamAmyhF7XMSw2fLpZht
NN9ybNqR2k3GQp/e23lvuLVzw4xegygVS/kgXhY9OedIsdq9ujXuxF7P5qzt
Rb+Mzm57MXjE7a7kTJYohn94/+Y4untuYyeKvoL28zkM+wb2/rhpy+FPOKNW
Ei9TUxxHpy/OX9K7swBwnuejJUmdbWfgC3e2pifffQGqmlnLEjyMIqk4C0NK
vnA9x2pBt9SFu/fqgjJNt66vraTVL7DIW+tfbVymXN9cRyYNpvROlsMp9Txj
evycbFsLNjqc19T7umGAAnx+geW2EIqNpxjMvrht9l4sEDnvLzrbB0L7FXGS
ExHR0J7KeUBT4RH6rjB/jaUftBToWr/1TgvdaRv5Q+7fp1x//Jw3T8UooOq4
HFb+naaWnc379RXFndBtG559HEdvHg1Q53trL99oefcCa+rickK2eBwd9Yao
u+JJfbUp6wMLpu9avQ43gVli2dSvKCe1kbWGN3s3rObEWMj0u0gMO84xpsS7
jJCx23Bc8xFmxrf7iXSA1c33+m3W+HpIsshtLqKMq9dLmJK6QK8rEjHGVZKq
R1ZiVARGwW5sHNRmGfElhGI0YtMcmTV9pI6PVsdl7EttOty7oHrUpsURqerW
ZGf2d9dGMHQzOAiEySIRkaotO5nkbhVT5KW83Cqi9SYSbss4ktBxHNA6/PYp
A5aLvg23slZ5yWW+0Fa0Qw2M81ji85q7I6GRTi4UHUF3DSrbZal1bImDPrWv
gusLnbdYO/WbA4twy+oUGcLhFCuXdLWk2CPbGdGFU/wIr2GyUTR1vGxZXZLB
7rLZiAfR7cNLnXADEe3fYU52OYPVBGT2mKnn2IovD8n8trAfc/1dT66iD7iA
Y7LpKipmnSyWSqrDww5eFvGUelcJRMEqHXF6bzgBhEDiS4fDHc0w1kNasxSB
xJQjM0RJh26rZRqdL9Nylgzj6SpODevzPg2V2IMY/qlQ8IXTQS64spFwCLmV
aqxuNqJuXtINCUjavUQgbALf9+k9vi75fieO+6Ua9RSSJdmw9JmopzKd5G6C
tMrslUvqb+V2OqO2Zf5hYjPry/VpU93IrqJJ2GFQsI3Yobs/IjWTKsLwI0pK
w/IqGddUJiO7n8SxPgBhqsfIrij8/JhM2HEG6+p8njgRbJOTKSxWdFgSpdbn
DQ+R8wyN4gxJjeV1KKQ630gZZnJLC80a8XPxHmFsvYtF00N5s5rzM2EXZYIR
g7DufFlKBE+N1ql58DUIV1iXhKRIPHB3Ya62VtiIk2Y+n4ovRwDsTQs2a4VC
6sbYKzcZoH+9Xi8axqNLVNYHo8ssX8GEpnLl06cH9UfXWGCGTetm/PXWBNRR
rBxz7uLJ7WV+9iYJdKVeRt/lsyx6VsTj1Ky70W8NCFLr6NmymCawpc+KBMD3
JJ4vAOLSLsDZFRozTl53ge6MiyQB2TZBRxL8XuR5cRWjsDtD/4npRs/jDKAz
emkqEBteXEFP3yQpwGAXBi3NYgYYbDL8+X1cAdGJXgGNgCnESfTKzPACHPjQ
TCbRq3w+jItxTj1Gr2Ec6PysgpHjAhDOzGH0coZptbBQaLNE32L0HkQKvDHu
u9xEZzHgC67vuYEezuKP0MGgyMagk45mKwMcbTRDUafAIabRGUgi0yn6N34f
g9yDH6HPDd6+LRKDQxu07j2fJ0gkztEVmQgAfouRt8CTocN8YrJkysDriHKX
QnVZdOly7DVe/W1Lefnw5gkIQ0MKtWy9zA6BwinW3yaYFbluB4AffsCYQbrs
jkxQbFMG4ESJI6ADf/d3nOVAzv7nRQx0Z+cJdNrsEzkf0XPHHGc8BbbEccoQ
D7RzhLAG/dgmQcTeNzbn10UlUfIa+6yo2s3xo0dTkEOWwz5s3CO2Sa+m8oe+
rJtx+BE1LR/t7+1uI2uX4mm6jjQZvOVaCmvUp1HvN97htltiuyAnHnufjCVU
55ddsT0XEFOA1uUVBXrxBU5ob1OlIzTvrrnkE+V5YLksyJEmZza1I0LeIn/a
eYQEhBs6oM8Llmuwp7FNFjBFz17Gbpk2TM5mEthXnNjH8BwCMUxUCkU6uVSs
gb/YPu9vs8ZfsJ8J73d0YeneZRjrJHyVv8KXAFuP1C81qf1dP6l1m/fkqlSR
RUG8DDpCTYEW7LdXyDrNirb3VAUQ2aP4RRDlaNsp72Ol/qTeuGpjHdT1QgSO
b9+dn759M3hFEOGvdYruPaf9vW2WgbHiApKzEYjUSQWYWvqwLfLuWbIh5Tgi
8orde1dw9A8LpgruJmwB2xtXfv/j2N8JoRnJ89Bg9Ee+LKIVRod9lNuBEa26
wDk+oknA1rS6/wwOnm43+c7RJr7zkoZniSaKJxNQ7MSZ90WTWCzT9NH+7hNF
Ou0lXKyqDE0GUFn5+kr3GudQn3QVBuyqIq6aQNxnuMc43AvAMBA949QzZtg6
EEzn85jzHkd4+ph3dI+xdo66XwYG0pxO4EySijn2n6IH8jSfor0FeNh0Zi9d
8zr5fYY82Cb2c5WUFDnjPdWtTtgkcz5vDwr3Gf7wUYh5LsLUxajcb3l0+Iwu
dsKMUWSMIpbzZf1bxH1MVPM1JgFxWIm72BgpJBLHpIBzEqOQ3CdMOHZmWiyo
rBUFV38YK7NZCxqHQN0QceLiTWr05HATPXlPUgQLJbE4znH+W7WyvFsSYLtw
HvkSc8mR2/oypyng13KK8tIPlhUzFpMQ9Xf32u69vSdkcnJcarQmmQKwpOQb
7TFBV0yGmBhAYVAMVPccWBCF4psARxGA3hbocyQ/O1/sGv2w8QN+cL/V7z4l
cD61Fa7Y4TVD2whnfnCiLNuabIrpGI7BVt/XqCzlRtF0S42Fxt/zfHaOtj08
hXS9FnsjQuwPzwxnEzpJFV62fnrfvdsLhEOKWM+s/YNNS07UOr4XM9/bf6xH
0teHuNgZSRnjElMqcdUmkMYR6tNVMudyATplsBlTbW1B9zu6/X29QTZtxdWS
Cyz9QQxv2wUgtpsil/oWTWGcoui89Hg/sNv3bKyVFCG3l5JBLhOI5i61TO43
/O6OgnroUQyXJLW6Mg2/BBXa2fV6gxcAMFh9SoYHHFAhOddAsFVKKN57dHm/
KewePt2uQzfF/ApgS1GXZTYS5YaYVVjZRkfhttQU1tLaksTELxUC3LYd+POx
V727mDBOVsYEb61rJVLq//BgWaTiLnKKOsuoEiiurgqRKg/kRaXkaivfeqap
KpO4gEyOifMSyYO9vcdqvoWh2ErJGihcTHsTp7R4gdXHK5fet6lKH1p7Laqq
UwFJYGQKNmI0DyOML3X2yPvSn8OaoM42QlH+nAUzvjeyBgBck3DuiRxPj0SH
qhMhS4PUrQUq5vB+CzraYbUBYGRK3sUNYzfKo98brWgnBynTN+JbXJZYay33
PKx9rSzWzP33VEftGIdCvVdFLhUm/vq2kN2/dkPjB+1RwPeb1NOdgGShuKLu
zLiRgpZqx0Laofit1HmO2cJDdRKwmiFrShgJ7IW3+y7lyYE/w5pM+Ivo+VYV
291tsaE83qTz/OARxpDPYZYMZV6ZpL9IZMU55xt8ofxJiujuEcHxD0rRRcaJ
nXOKPaecqPoMl6puKNcjFPchSqyS3aIkKWl4vzkSyP1wyuVDxli/isvMkT+D
zSP3GoARrb4JzpcstvggD0Z7je+3uMMW4Dho9xaFk2wv0Y/ytisSeq+ZPWbQ
eGVJtZRvId53r44PyJz0g/UtxH8Yq+vbRtVH/nW/ufOJsoFFU30gLJhiJyrc
/cYgmfcHNkwGCfHWoXW/7g/rQEm+FXYXuVJiV5K2yoadq3z0C6wLZAX+5/8D
oy4NrlTkAAA=

-->

</rfc>
