<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-rats-corim-11" category="std" consensus="true" submissionType="IETF" tocDepth="3" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="CoRIM">Concise Reference Integrity Manifest</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-rats-corim-11"/>
    <author initials="H." surname="Birkholz" fullname="Henk Birkholz">
      <organization>Fraunhofer SIT</organization>
      <address>
        <email>henk.birkholz@ietf.contact</email>
      </address>
    </author>
    <author initials="T." surname="Fossati" fullname="Thomas Fossati">
      <organization>Linaro</organization>
      <address>
        <email>Thomas.Fossati@linaro.org</email>
      </address>
    </author>
    <author initials="Y." surname="Deshpande" fullname="Yogesh Deshpande">
      <organization>arm</organization>
      <address>
        <email>yogesh.deshpande@arm.com</email>
      </address>
    </author>
    <author initials="N." surname="Smith" fullname="Ned Smith">
      <organization>Independent</organization>
      <address>
        <email>ned.smith.ietf@outlook.com</email>
      </address>
    </author>
    <author initials="W." surname="Pan" fullname="Wei Pan">
      <organization>Huawei Technologies</organization>
      <address>
        <email>william.panwei@huawei.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Remote ATtestation ProcedureS</workgroup>
    <keyword>RIM, RATS, attestation, verifier, supply chain</keyword>
    <abstract>
      <?line 147?>

<t>Remote Attestation Procedures (RATS) enable Relying Parties to assess the trustworthiness of a remote Attester and therefore to decide whether or not to engage in secure interactions with it.
Evidence about trustworthiness can be rather complex and it is deemed unrealistic that every Relying Party is capable of the appraisal of Evidence.
Therefore that burden is typically offloaded to a Verifier.
In order to conduct Evidence appraisal, a Verifier requires not only fresh Evidence from an Attester, but also trusted Endorsements and Reference Values from Endorsers and Reference Value Providers, such as manufacturers, distributors, or device owners.
This document specifies the information elements for representing Endorsements and Reference Values in CBOR format.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/ietf-rats-wg/draft-ietf-rats-corim"/>.</t>
    </note>
  </front>
  <middle>
    <?line 155?>

<section anchor="sec-intro">
      <name>Introduction</name>
      <t>The RATS Architecture <xref section="4" sectionFormat="of" target="RFC9334"/> specifies several roles, including Endorsers and Reference Value Providers.
These two roles are typically fulfilled by supply chain actors, such as manufacturers, distributors, or device owners.
Endorsers and Reference Value Providers supply Endorsements (e.g., test results or certification data) and Reference Values (e.g., digest ) relating to an Attester.
This information is used by a Verifier to appraise Evidence received from an Attester which describes Attester operational state.</t>
      <t>In a complex supply chain, multiple actors will likely produce these values over several points in time.
As such, one supply chain actor might only supply a portion of the Reference Values or Endorsements that otherwise fully characterizes an Attester.
Ideally, only the supply chain actor who is the most knowledgeable entity regarding a particular component will supply Reference Values or Endorsements for that component.</t>
      <t>Attesters vary across vendors and even across products from a single vendor.
Not only Attesters can evolve and therefore new measurement types need to be expressed, but an Endorser may also want to provide new security relevant attributes about an Attester at a future point in time.</t>
      <t>In order to promote interoperability, consistency and accuracy in the representation of Endorsements and Reference Values this document specifies a data model for Endorsements and Reference Values known as Concise Reference Integrity Manifests (CoRIM).
The CoRIM data model is expressed in CDDL which is used to realize a CBOR <xref target="STD94"/> encoding suitable for cryptographic operations (e.g., hashing, signing, encryption) and transmission over computer networks.
Additionally, this document describes multiple phases of a Verifier Appraisal and provides an example of a possible use of CoRIM messages from multiple supply chain actors to represent a homogeneous representation of Attester state.
CoRIM is extensible to accommodate supply chain diversity while supporting a common representation for Endorsement and Reference Value inputs to Verifiers.
In essence, the goal of a CoRIM is to describe expected Attester state to Verifiers.</t>
      <t>This document is divided into two parts.
The core data model is described in <xref target="sec-corim"/>, <xref target="sec-comid"/> and <xref target="sec-cotl"/>.
These sections describe the primary CoRIM structures, the Concise Module Identifier (CoMID), which is used to express Endorsements and Reference Values, as well as the Concise Tag Lists (CoTL), which express the currently active sources of Endorsements and Reference Values.
<xref target="sec-reference-verifier"/> outlines the architecture of a reference Verifier.
The architecture details four phases of the appraisal process that explain how CoRIM inputs are validated, evaluated relative to Evidence, and ultimately accepted as additional expressions of Attester state data.
In addition, this document also covers how CoRIMs are used within the reference Verifier. Refer to {#sec-verifier-rec}</t>
      <section anchor="terminology-and-requirements-language">
        <name>Terminology and Requirements Language</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
        </t>
        <t>This document uses terms and concepts defined by the RATS architecture.
Specifically the terms Attester, Reference Value Provider, Endorser, Verifier Owner, and Relying Party are taken from <xref section="4" sectionFormat="of" target="RFC9334"/>.</t>
        <t>For a complete glossary, see <xref section="4" sectionFormat="of" target="RFC9334"/>.</t>
        <t>This document uses the terms <em>"actual state"</em> and <em>"reference state"</em> as defined in <xref section="2" sectionFormat="of" target="I-D.ietf-rats-endorsements"/>.</t>
        <t>In this document, the term CoRIM message and CoRIM documents are used as synonyms. A CoRIM data structure can be at rest (e.g., residing in a file system as a document) or can be in flight (e.g., conveyed as a message in a protocol exchange). The bytes composing the CoRIM data structure are the same either way.</t>
        <t>The terminology from CBOR <xref target="STD94"/>, CDDL <xref target="RFC8610"/> and COSE <xref target="STD96"/> applies;
in particular, CBOR diagnostic notation is defined in <xref section="8" sectionFormat="of" target="STD94"/>
and <xref section="G" sectionFormat="of" target="RFC8610"/>. Terms and concepts are always referenced as proper nouns, i.e., with Capital Letters.</t>
        <section anchor="sec-glossary">
          <name>Glossary</name>
          <t>This document uses the following terms:</t>
          <dl newline="true">
            <dt>Appraisal Claims Set (ACS):</dt>
            <dd>
              <t>A structure that holds Environment-Claim Tuples that have been appraised.
The ACS contains Attester state that has been authorized by Verifier processing and Appraisal Policy.</t>
            </dd>
            <dt>Appraisal Policy:</dt>
            <dd>
              <t>A description of the conditions that, if met, allow appraisal of Claims.
Typically, the entity asserting a Claim should have knowledge, expertise, or context that gives credibility to the assertion.
Appraisal Policy resolves which entities are credible and under what conditions.
See also "Appraisal Policy for Evidence" in <xref target="RFC9334"/>.</t>
            </dd>
            <dt>Authority:</dt>
            <dd>
              <t>The entity that asserts a Claim.
Typically, a Claim is asserted using a cryptographic key to digitally sign the Claim.
A cryptographic key can be a proxy for a human or organizational entity.</t>
            </dd>
            <dt>Claim:</dt>
            <dd>
              <t>A piece of information, in the form of a key-value pair.
See also <xref section="4.2" sectionFormat="of" target="RFC9334"/> and <xref section="2" sectionFormat="of" target="RFC7519"/>.
Within this document, Claims appear in Evidence, a Reference Value or an Endorsement.</t>
            </dd>
            <dt>Class ID:</dt>
            <dd>
              <t>An identifier for an Environment that is shared among similar Environment instances, such as those with the same hardware assembly.
See also <xref section="4.2.4" sectionFormat="of" target="RFC9711"/>.</t>
            </dd>
            <dt>Composite Attester:</dt>
            <dd>
              <t>A Composite Attester is either a Composite Device (<xref section="3.3" sectionFormat="of" target="RFC9334"/>) or a Layered Attester (<xref section="3.2" sectionFormat="of" target="RFC9334"/>) or any composition involving a combination of one or more Composite Devices or Layered Attesters.</t>
            </dd>
            <dt>Domain:</dt>
            <dd>
              <t>A domain is a hierarchical description of a Composite Attester in terms of its constituent Environments and their compositional relationships.</t>
            </dd>
            <dt>Endorsed values:</dt>
            <dd>
              <t>A set of characteristics of an Attester that do not appear in Evidence.
For example, Endorsed Values may include testing or certification data related to a hardware or firmware module.
Endorsed Values are said to be "conditional" when they apply if Attester's actual state matches certain conditions.
See also <xref section="3" sectionFormat="of" target="I-D.ietf-rats-endorsements"/>.</t>
            </dd>
            <dt>Environment:</dt>
            <dd>
              <t>A logical partition within an Attester.
The term "Target Environment" refers to the group of system security metrics that are reported through Evidence.
The term "Attesting Environment" refers to the entity that collects and cryptographically signs such security metrics.
See also <xref section="3.1" sectionFormat="of" target="RFC9334"/>.</t>
            </dd>
            <dt>Environment-Claim Tuple (ECT):</dt>
            <dd>
              <t>A structure containing a set of values that describe a Target Environment plus a set of Measurement / Claim values that describe properties of the Target Environment.
The ECT also contains Authority which identifies the entity that authored the ECT.</t>
            </dd>
            <dt>Instance ID:</dt>
            <dd>
              <t>An identifier of an Environment that is unique to that Environment instance, such as the serial number of a hardware module.
See also <xref section="4.2.1" sectionFormat="of" target="RFC9711"/>.</t>
            </dd>
            <dt>Measurement:</dt>
            <dd>
              <t>A value associated with specific security characteristics of an Attester that influences the trustworthiness of that Attester.
The object of a Measurement could be the invariant part of a firmware component loaded into memory during startup, a run-time integrity check (RTIC), a file system object, or a CPU register.
A measured object is part of the Attester's Target Environment.
Expected, or "golden," Measurements are compiled as Reference Values, which are used by the Verifier to assess the trust state of the Attester.
See also <xref target="TNC.Arch"/>, and Section 9.5.5 of <xref target="TPM2.Part1"/>.</t>
            </dd>
            <dt>Reference Values:</dt>
            <dd>
              <t>A set of values that represent the desired or undesired state of an Attester.
Reference Values are compared against Evidence to determine whether Attester state is corroborated by a Reference Value Provider.
Reference Values with matching Evidence produce "acceptable Claims."
See also <xref section="4.2" sectionFormat="of" target="RFC9334"/>, <xref section="8.3" sectionFormat="of" target="RFC9334"/>, and <xref section="2" sectionFormat="of" target="I-D.ietf-rats-endorsements"/>.</t>
            </dd>
            <dt>Triple:</dt>
            <dd>
              <t>A term derived from the Resource Description Framework (RDF) to mean a statement expressing a relationship between a subject and an object resource.
The nature of the relationship between subject and object is expressed via a predicate.
In CoRIM, unlike RDF, the predicate of the triple is implicit and is encoded in the triple's name/codepoint.
CoRIM triples typically represent assertions made by the CoRIM author regarding Attesting or Target Environments and their security features, such as Measurements and cryptographic key material.
See also Section 3.1 of <xref target="W3C.rdf11-primer"/>.</t>
            </dd>
          </dl>
        </section>
      </section>
    </section>
    <section anchor="sec-verifier-rec">
      <name>Use of CoRIM in a Verifier</name>
      <t>The Evidence appraisal process can be thought of as a conversation about an Attester, mediated and recorded by the Verifier.
The Verifier keeps a strict record of exactly what is being claimed in the various Conceptual Message inputs and, crucially, who is making the claims (known as the "authority").
Authority determines which entity asserts which Claims about an Attester.
To achieve this, the Verifier creates an internal scratchpad of Attester state called the Appraisal Claims Set (ACS).</t>
      <t>The motivation for describing a reference CoRIM Processor is for consistent Verifier operation across the ecosystem.</t>
      <section anchor="interactions-with-acs">
        <name>Interactions with ACS</name>
        <t>Multiple parties contribute to the "conversation" about a device's trustworthiness: the device itself (the Attester), the manufacturer (the CoRIM issuer), and potentially the organization relying on the device (the Verifier Owner).</t>
        <t>The Verifier uses the ACS to determine the actual state of the Attester, as defined by the various entities providing inputs.</t>
        <t>Different RATS conceptual messages contribute to the construction of an ACS following the requirements in <xref target="tbl-cmrr"/>.</t>
        <table anchor="tbl-cmrr">
          <name>Conceptual Message Representation Requirements</name>
          <thead>
            <tr>
              <th align="left">Input Type</th>
              <th align="left">Source</th>
              <th align="left">How the Verifier Updates the ACS</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <strong>Evidence</strong></td>
              <td align="left">The Device</td>
              <td align="left">If the device proves its identity, its claims are added to the ACS and tagged with the device's authority.</td>
            </tr>
            <tr>
              <td align="left">
                <strong>Reference Values</strong></td>
              <td align="left">CoRIM</td>
              <td align="left">The Verifier checks the Reference Values in the CoRIM against the ACS. If a value matches a claim the device just made, that claim gets an extra tag noting the manufacturer agrees with it.</td>
            </tr>
            <tr>
              <td align="left">
                <strong>Endorsements</strong></td>
              <td align="left">CoRIM</td>
              <td align="left">If the device's claims meet certain expectations in the ACS, the Verifier adds new, broader claims (Endorsed Values) to the ACS, tagged with the manufacturer's authority.</td>
            </tr>
          </tbody>
        </table>
        <t><em>Note: If the Attester's Evidence is not matched and corroborated by the manufacturer's Reference Values, the manufacturer's claims do not get added to the ACS.</em></t>
      </section>
      <section anchor="consistency-of-acs">
        <name>Consistency of ACS</name>
        <t>To ensure everyone builds these systems consistently, the specification uses CDDL to define both the exact structure of the CoRIM and a theoretical data model for the ACS.
However, the exact way a Verifier's software is implemented to realize the internal representation is up to the implementor.
<xref target="sec-corim-processor"/> describes these reconciliation principles in detail.
Once the ACS is built and the conversation is consistent, the ACS is available for processing of subsequent phases.</t>
      </section>
    </section>
    <section anchor="sec-type-conv">
      <name>Typographical Conventions for CDDL</name>
      <t>The CDDL definitions in this document follows the naming conventions illustrated in <xref target="tbl-typography"/>.</t>
      <table anchor="tbl-typography">
        <name>Type Traits and Typographical Conventions</name>
        <thead>
          <tr>
            <th align="left">Type trait</th>
            <th align="left">Example</th>
            <th align="left">Typographical convention</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">extensible type choice</td>
            <td align="left">
              <tt>int / text / ...</tt></td>
            <td align="left">
              <tt>$</tt>NAME<tt>-type-choice</tt></td>
          </tr>
          <tr>
            <td align="left">closed type choice</td>
            <td align="left">
              <tt>int / text</tt></td>
            <td align="left">NAME<tt>-type-choice</tt></td>
          </tr>
          <tr>
            <td align="left">group choice</td>
            <td align="left">
              <tt>( 1 =&gt; int // 2 =&gt; text )</tt></td>
            <td align="left">
              <tt>$$</tt>NAME<tt>-group-choice</tt></td>
          </tr>
          <tr>
            <td align="left">group</td>
            <td align="left">
              <tt>( 1 =&gt; int, 2 =&gt; text )</tt></td>
            <td align="left">NAME<tt>-group</tt></td>
          </tr>
          <tr>
            <td align="left">type</td>
            <td align="left">
              <tt>int</tt></td>
            <td align="left">NAME<tt>-type</tt></td>
          </tr>
          <tr>
            <td align="left">tagged type</td>
            <td align="left">
              <tt>#6.123(int)</tt></td>
            <td align="left">
              <tt>tagged-</tt>NAME<tt>-type</tt></td>
          </tr>
          <tr>
            <td align="left">map</td>
            <td align="left">
              <tt>{ 1 =&gt; int, 2 =&gt; text }</tt></td>
            <td align="left">NAME-<tt>map</tt></td>
          </tr>
          <tr>
            <td align="left">flags</td>
            <td align="left">
              <tt>&amp;( a: 1, b: 2 )</tt></td>
            <td align="left">NAME-<tt>flags</tt></td>
          </tr>
        </tbody>
      </table>
    </section>
    <section anchor="sec-corim">
      <name>Concise Reference Integrity Manifest (CoRIM)</name>
      <t>A CoRIM is a collection of tags and related metadata in a concise CBOR <xref target="STD94"/> encoding.
A CoRIM can be digitally signed with a COSE <xref target="STD96"/> signature.
A tag is a structured, machine-readable data format used to uniquely identify, describe, and manage modules or components of a system.</t>
      <t>Tags can be of different types:</t>
      <ul spacing="normal">
        <li>
          <t>Concise Module ID (CoMID) tags (<xref target="sec-comid"/>) contain metadata and claims about the hardware and firmware modules.</t>
        </li>
        <li>
          <t>Concise Software ID (CoSWID) tags (<xref target="RFC9393"/>) are used to identify, describe and manage software components.</t>
        </li>
        <li>
          <t>Concise Tag List (CoTL) tags (<xref target="sec-cotl"/>) contain the list of CoMID and CoSWID tags that the Verifier should consider as "active" at a certain point in time.</t>
        </li>
      </ul>
      <t>CoRIM allows for new types of tags to be added in future specifications.
For example, Concise Trust Anchor Stores (CoTS) (<xref target="I-D.ietf-rats-concise-ta-stores"/>) is currently being defined as a standard CoRIM extension.</t>
      <t>Each CoRIM contains a unique identifier to distinguish a CoRIM from other CoRIMs.</t>
      <t>CoRIM can also carry the following optional metadata:</t>
      <ul spacing="normal">
        <li>
          <t>A locator, which allows discovery of possibly related RIMs.</t>
        </li>
        <li>
          <t>A profile identifier, which is used to interpret the information contained in the enclosed tags.
A profile allows the base CoRIM CDDL definition to be customized to fit a specific Attester by augmenting the base CDDL data definition via the specified extension points or by constraining types defined.
A profile MUST NOT change the base CoRIM CDDL definition's semantics, which includes not changing or overloading names and numbers registered at IANA registries used by this document.
For more detail, see <xref target="sec-corim-profile-types"/>.</t>
        </li>
        <li>
          <t>A validity period, which indicates the time period for which the CoRIM contents are valid.</t>
        </li>
        <li>
          <t>Information about the supply chain entities responsible for the contents of the CoRIM and their associated roles.</t>
        </li>
      </ul>
      <t>A CoRIM can be signed (<xref target="sec-corim-signed"/>) using COSE Sign1 to provide end-to-end security to the CoRIM contents.
When CoRIM is signed, the protected header carries further identifying information about the CoRIM signer.
Alternatively, CoRIM can be encoded as a #6.501 CBOR-tagged payload (<xref target="sec-corim-map"/>) and transported over a secure channel.</t>
      <t>The following CDDL describes the top-level CoRIM.</t>
      <sourcecode type="cddl"><![CDATA[
corim = concise-rim-type-choice

concise-rim-type-choice /= tagged-unsigned-corim-map
concise-rim-type-choice /= signed-corim
]]></sourcecode>
      <t>See Sections 4 and 5 of <xref target="DICE.endorsement"/> for diagrams and additional information on CoRIM structure.</t>
      <section anchor="sec-corim-map">
        <name>CoRIM Map</name>
        <t>The CDDL specification for the <tt>corim-map</tt> is as follows and this rule and its
constraints MUST be followed when creating or validating a CoRIM map.</t>
        <sourcecode type="cddl"><![CDATA[
corim-map = {
  &(id: 0) => $corim-id-type-choice
  &(tags: 1) => [ + $concise-tag-type-choice ]
  ? &(dependent-rims: 2) => [ + corim-locator-map ]
  ? &(profile: 3) => $profile-type-choice
  ? &(rim-validity: 4) => validity-map
  ? &(entities: 5) => [ + corim-entity-map ]
  * $$corim-map-extension
}
unsigned-corim-map = corim-map
]]></sourcecode>
        <t>The following describes each child item of this map.</t>
        <ul spacing="normal">
          <li>
            <t><tt>id</tt> (index 0): A unique identifier to identify a CoRIM. Described
in <xref target="sec-corim-id"/>.</t>
          </li>
          <li>
            <t><tt>tags</tt> (index 1):  An array of one or more CoMID, CoSWID or CoTL tags.  Described
in <xref target="sec-corim-tags"/>.</t>
          </li>
          <li>
            <t><tt>dependent-rims</tt> (index 2): One or more services supplying additional,
possibly dependent, manifests or related files.
Described in <xref target="sec-corim-locator-map"/>.</t>
          </li>
          <li>
            <t><tt>profile</tt> (index 3): An optional profile identifier for the tags contained in
this CoRIM.  The profile MUST be understood by the CoRIM processor.  Failure
to recognize the profile identifier MUST result in the rejection of the
entire CoRIM.
See <xref target="sec-corim-profile-types"/></t>
          </li>
          <li>
            <t><tt>rim-validity</tt> (index 4): Specifies the validity period of the CoRIM.
Described in <xref target="sec-common-validity"/>.</t>
          </li>
          <li>
            <t><tt>entities</tt> (index 5): A list of entities involved in a CoRIM life-cycle.
Described in <xref target="sec-corim-entity"/>.</t>
          </li>
          <li>
            <t><tt>$$corim-map-extension</tt>: This CDDL socket is used to add new information
structures to the <tt>corim-map</tt>.
Described in <xref target="sec-iana-corim"/>.</t>
          </li>
        </ul>
        <t>A <tt>corim-map</tt> is unsigned, and its tagged form is an entrypoint for parsing a CoRIM, so it is named <tt>tagged-unsigned-corim-map</tt>.</t>
        <sourcecode type="cddl"><![CDATA[
tagged-unsigned-corim-map = #6.501(unsigned-corim-map)
]]></sourcecode>
        <section anchor="sec-corim-id">
          <name>CoRIM Identifier</name>
          <t>A CoRIM Identifier uniquely identifies a CoRIM instance within the context of a CoRIM issuer.
In other words the CoRIM identifier can be used to distinguish CoRIMs that come from the same issuer.</t>
          <t>The base CDDL definition allows UUID and text identifiers.
Other types of identifiers could be defined as needed.</t>
          <sourcecode type="cddl"><![CDATA[
$corim-id-type-choice /= tstr
$corim-id-type-choice /= uuid-type
]]></sourcecode>
        </section>
        <section anchor="sec-corim-tags">
          <name>Tags</name>
          <t>A <tt>$concise-tag-type-choice</tt> is a tagged CBOR payload that carries either a
CoMID (<xref target="sec-comid"/>), a CoSWID (<xref target="RFC9393"/>), or a CoTL (<xref target="sec-cotl"/>).</t>
          <sourcecode type="cddl"><![CDATA[
$concise-tag-type-choice /= tagged-concise-swid-tag
$concise-tag-type-choice /= tagged-concise-mid-tag
$concise-tag-type-choice /= tagged-concise-tl-tag
]]></sourcecode>
        </section>
        <section anchor="sec-corim-locator-map">
          <name>Locator Map</name>
          <t>The locator map contains pointers to repositories where dependent manifests,
certificates, or other relevant information can be retrieved by the Verifier.
The contents of the locator map are purely advisory.
Verifiers are not required to follow these URLs or use the information retrieved from the corresponding resources.</t>
          <sourcecode type="cddl"><![CDATA[
;# import measured-component as eatmc

corim-locator-map = {
  &(href: 0) => uri / [ + uri ]
  ? &(thumbprint: 1) => eatmc.digest / [ + eatmc.digest ]
}
]]></sourcecode>
          <t>The following describes each child element of this type.</t>
          <ul spacing="normal">
            <li>
              <t><tt>href</tt> (index 0): a URI or array of alternative URIs identifying locations where the additional resource can be fetched.</t>
            </li>
            <li>
              <t><tt>thumbprint</tt> (index 1): expected digest or an array of digests referenced by <tt>href</tt> or an array of <tt>href</tt>s. See <xref target="sec-common-hash-entry"/>.</t>
            </li>
          </ul>
        </section>
        <section anchor="sec-corim-profile-types">
          <name>Profile Types</name>
          <t>Profiling is the mechanism that allows the base CoRIM CDDL definition to be customized to fit a specific Attester.</t>
          <t>A profile defines which of the optional parts of a CoRIM are required, which are prohibited and which extension points are exercised and how.
A profile MUST NOT alter the syntax or semantics of CoRIM types defined in this document.</t>
          <t>A profile MAY constrain the values of a given CoRIM type to a subset of the values.
A profile MAY extend the set of a given CoRIM type using the defined extension points (<xref target="sec-extensibility"/>).
Exercised extension points SHOULD preserve the intent of the original semantics.</t>
          <t>CoRIM profiles SHOULD be specified in a publicly available document.</t>
          <t>A CoRIM profile can use one of the base CoRIM media type defined in <xref target="sec-mt-rim-cbor"/> with the <tt>profile</tt> parameter set to the appropriate value.
Alternatively, it MAY define and register its own media type.</t>
          <t>A profile identifier is either an OID <xref target="RFC9090"/> or a URL <xref target="STD66"/>.</t>
          <t>The profile identifier uniquely identifies a documented profile.  Any changes
to the profile, even the slightest deviation, is considered a different profile
that MUST have a different identifier.</t>
          <t>The CoRIM profile must describe at a minimum the following:  (a) how cryptographic verification key material is represented (e.g., using Attestation Keys triples, or CoTS tags), and
(b) how key material is associated with the Attesting Environment.
The CoRIM profile should also specify whether CBOR deterministic encoding is required.</t>
          <sourcecode type="cddl"><![CDATA[
$profile-type-choice /= uri 
$profile-type-choice /= tagged-oid-type
]]></sourcecode>
          <t>For an example profile definition, see <xref target="I-D.fdb-rats-psa-endorsements"/>.</t>
        </section>
        <section anchor="sec-corim-entity">
          <name>Entities</name>
          <t>The CoRIM Entity is an instantiation of the Entity generic (<xref target="sec-common-entity"/>) using a <tt>$corim-role-type-choice</tt>.</t>
          <t>The only role defined in this specification for a CoRIM Entity is
<tt>manifest-creator</tt>.</t>
          <t>The <tt>$$corim-entity-map-extension</tt> extension socket is empty in this
specification.</t>
          <sourcecode type="cddl"><![CDATA[
corim-entity-map =
  entity-map<$corim-role-type-choice, $$corim-entity-map-extension>

$corim-role-type-choice /= &(manifest-creator: 1)
$corim-role-type-choice /= &(manifest-signer: 2)
]]></sourcecode>
          <t>The <tt>corim-entity-map</tt> MUST NOT contain two entities with the <tt>manifest-signer</tt> role.</t>
        </section>
      </section>
      <section anchor="sec-corim-signed">
        <name>Signed CoRIM</name>
        <sourcecode type="cddl"><![CDATA[
signed-corim = #6.18(COSE-Sign1-corim)
]]></sourcecode>
        <t>Signing a CoRIM follows the procedures defined in CBOR Object Signing and
Encryption <xref target="STD96"/>. A CoRIM tag MUST be wrapped in a COSE_Sign1 structure.
The CoRIM MUST be signed by the CoRIM creator.</t>
        <t>The following CDDL specification defines a restrictive subset of COSE header
parameters that MUST be used in the protected header alongside additional
information about the CoRIM encoded in a <tt>corim-meta-map</tt> (<xref target="sec-corim-meta"/>) or alternatively in a <tt>CWT-Claims</tt> (<xref target="RFC9597"/>).</t>
        <sourcecode type="cddl"><![CDATA[
COSE-Sign1-corim = [
  protected: bstr .cbor protected-corim-header-map
  unprotected: unprotected-corim-header-map
  payload: bstr .cbor tagged-unsigned-corim-map /
                      hash-envelope-digest /
                      nil
  signature: bstr
]

hash-envelope-digest = bstr

]]></sourcecode>
        <t>The following describes each child element of this type.</t>
        <ul spacing="normal">
          <li>
            <t><tt>protected</tt>: A CBOR Encoded protected header which is protected by the COSE
signature. Contains information as given by Protected Header Map below.</t>
          </li>
          <li>
            <t><tt>unprotected</tt>: A COSE header that is not protected by COSE signature.</t>
          </li>
          <li>
            <t><tt>payload</tt>: When the payload is signed directly, either a CBOR-encoded tagged CoRIM, or nil if it is detached.
When the payload is signed indirectly, the digest of a CBOR-encoded tagged CoRIM.</t>
          </li>
          <li>
            <t><tt>signature</tt>: A COSE signature block, as defined in <xref section="4" sectionFormat="of" target="STD96"/>.</t>
          </li>
        </ul>
        <section anchor="protected-header-map">
          <name>Protected Header Map</name>
          <sourcecode type="cddl"><![CDATA[
; protected corim header map needs to contain at least one of
; corim-meta (8) or CWT-Claims (15)

protected-corim-header-map = protected-corim-header-map-inline /
                             protected-corim-header-map-hash-envelope

protected-corim-header-map-inline = {
  &(alg: 1) => int
  &(content-type: 3) => "application/rim+cbor"
  meta-group
  * cose-label => cose-value
}

protected-corim-header-map-hash-envelope = {
  &(alg: 1) => int,
  &(payload_hash_alg: 258) => int
  &(payload_preimage_content_type: 259) => "application/rim+cbor"
  ? &(payload_location: 260) => tstr
  meta-group
  * cose-label => cose-value
}

meta-group = ((
  corim-meta-identity,
  ? cwt-claims-identity,
) // cwt-claims-identity)

corim-meta-identity = (&(corim-meta: 8) => bstr .cbor corim-meta-map)
cwt-claims-identity = (&(CWT-Claims: 15) => cwt-claims)
]]></sourcecode>
          <t>The CoRIM protected header map uses some common COSE header parameters plus additional metadata.
Additional metadata can either be carried in a <tt>CWT_Claims</tt> (index: 15) parameter as defined by <xref target="RFC9597"/>,
or in a <tt>corim-meta</tt> map as a legacy alternative, described in <xref target="sec-corim-meta"/>.</t>
          <t>The following describes each child item of this map.</t>
          <ul spacing="normal">
            <li>
              <t><tt>alg</tt> (index 1): An integer that identifies a signature algorithm.</t>
            </li>
          </ul>
          <t>Either, when the payload is signed directly:</t>
          <ul spacing="normal">
            <li>
              <t><tt>content-type</tt> (index 3): A string that represents the "MIME Content type" carried in the CoRIM payload.</t>
            </li>
          </ul>
          <t>Or, when the payload is signed indirectly using a Hash Envelope (<xref target="I-D.ietf-cose-hash-envelope"/>):</t>
          <ul spacing="normal">
            <li>
              <t><tt>payload_hash_alg</tt> (index 258): The hash algorithm used to produce the payload.</t>
            </li>
            <li>
              <t><tt>payload_preimage_content_type</tt> (index 259): A string that represents the "MIME Content type" of the CoRIM document used as the pre-image of the payload.</t>
            </li>
            <li>
              <t><tt>payload_location</tt> (index 260): An optional identifier enabling retrieval of the original resource (preimage) identified by the payload.</t>
            </li>
          </ul>
          <t>At least one of:</t>
          <ul spacing="normal">
            <li>
              <t><tt>CWT-Claims</tt> (index 15): A map that contains metadata associated with a signed CoRIM.
Described in <xref target="RFC9597"/>.</t>
            </li>
            <li>
              <t><tt>corim-meta</tt> (index 8): A map that contains metadata associated with a signed CoRIM.
Described in <xref target="sec-corim-meta"/>.</t>
            </li>
          </ul>
          <t>Documents MAY include both <tt>CWT-Claims</tt> and <tt>corim-meta</tt>, in which case the signer MUST ensure that their contents are semantically identical: the <tt>CWT-Claims</tt> issuer (<tt>iss</tt>) MUST have the same value as <tt>signer-name</tt> in <tt>corim-meta</tt>, and the <tt>nbf</tt> and <tt>exp</tt> values in the <tt>CWT-Claims</tt> MUST match the <tt>signature-validity</tt> in <tt>corim-meta</tt>.</t>
          <t>Additional data can be included in the COSE header map as per (<xref section="3" sectionFormat="of" target="STD96"/>).</t>
        </section>
        <section anchor="cwt-claims">
          <name>CWT Claims</name>
          <t>The CWT Claims (<xref target="RFC9597"/>) map identifies the entity that created and signed the CoRIM.
This ensures the consumer is able to identify credentials used to authenticate its signer.
To avoid any possible ambiguity with the contents of the CoRIM tags, the CWT Claims map MUST NOT contain claims that have semantic overlap with the information contained in CoRIM tags.</t>
          <t>The following describes each child item of this group.</t>
          <ul spacing="normal">
            <li>
              <t><tt>iss</tt> (index 1): Issuer or signer for the CoRIM, formerly <tt>signer-name</tt> or <tt>signer-uri</tt> in <xref target="sec-corim-signer"/>.</t>
            </li>
            <li>
              <t><tt>sub</tt> (index 2): Optional - identifies the CoRIM document, equivalent to a string representation of $corim-id-type-choice</t>
            </li>
          </ul>
          <t>Additional data can be included in the CWT Claims, as per <xref target="RFC8392"/>, such as:</t>
          <ul spacing="normal">
            <li>
              <t><tt>exp</tt> (index 4): Expiration time, formerly <tt>signature-validity</tt> in <xref target="sec-common-validity"/>.</t>
            </li>
            <li>
              <t><tt>nbf</tt> (index 5): Not before time, formerly <tt>signature-validity</tt> in <xref target="sec-common-validity"/>.</t>
            </li>
          </ul>
        </section>
        <section anchor="sec-corim-meta">
          <name>Meta Map</name>
          <t>The CoRIM meta map identifies the entity or entities that create and sign the CoRIM.
This ensures the consumer is able to identify credentials used to authenticate its signer.</t>
          <sourcecode type="cddl"><![CDATA[
corim-meta-map = {
  &(signer: 0) => corim-signer-map
  ? &(signature-validity: 1) => validity-map
}
]]></sourcecode>
          <t>The following describes each child item of this group.</t>
          <ul spacing="normal">
            <li>
              <t><tt>signer</tt> (index 0): Information about the entity that signs the CoRIM.
Described in <xref target="sec-corim-signer"/>.</t>
            </li>
            <li>
              <t><tt>signature-validity</tt> (index 1): Validity period for the CoRIM.
Described in <xref target="sec-common-validity"/>.</t>
            </li>
          </ul>
          <section anchor="sec-corim-signer">
            <name>Signer Map</name>
            <sourcecode type="cddl"><![CDATA[
corim-signer-map = {
  &(signer-name: 0) => $entity-name-type-choice
  ? &(signer-uri: 1) => uri
  * $$corim-signer-map-extension
}
]]></sourcecode>
            <ul spacing="normal">
              <li>
                <t><tt>signer-name</tt> (index 0): Name of the organization that performs the signer
role</t>
              </li>
              <li>
                <t><tt>signer-uri</tt> (index 1): A URI identifying the same organization</t>
              </li>
              <li>
                <t><tt>$$corim-signer-map-extension</tt>: Extension point for future expansion of the
Signer map.</t>
              </li>
            </ul>
          </section>
        </section>
        <section anchor="sec-corim-unprotected-header">
          <name>Unprotected CoRIM Header Map</name>
          <sourcecode type="cddl"><![CDATA[
unprotected-corim-header-map = {
  * cose-label => cose-value
}
]]></sourcecode>
        </section>
      </section>
      <section anchor="sec-conveyed-signer">
        <name>Signer authority of securely conveyed unsigned CoRIM</name>
        <t>An unsigned (#6.501-tagged) CoRIM may be a payload in an enveloping signed document, <xref target="RFC5280"/> or it may be conveyed unsigned within the protection scope of a secure channel.
The CoRIM signer authority is taken from the authenticated credential (e.g., OAUTH token) of the entity that originates the CoRIM.
For example, this entity could be the sending peer in a secure channel.
A CoRIM role entry expressing the origin of the unsigned CoRIM (i.e., the enveloping signed document or the origin endpoint of the secure channel) via the <tt>manifest-signer</tt> role MUST be added to <tt>corim-entity-map</tt>.
If the authority cannot be expressed directly via the existing authority types, the receiver SHOULD establish a local authority in one of the supported authority formats (e.g., if an unsigned CoRIM is received over a secure channel where authentication is token- or password-based).
If it is impossible to assert the authority of the origin, the Verifier's appraisal policy MAY assert the Verifier’s authority as the CoRIM origin.</t>
        <t>It is out of scope of this document to specify a method of delegating the signer role in the case that an unsigned CoRIM is conveyed through multiple secured links with different notions of authenticity without end-to-end integrity protection.</t>
        <section anchor="corim-collections">
          <name>CoRIM collections</name>
          <t>Several CoRIMs may share the same signer (e.g., as collection payload in a different signed message) and use locally-resolvable references to each other, for example using a RATS Conceptual Message Wrapper (CMW) <xref target="I-D.ietf-rats-msg-wrap"/>.
The Collection CMW type is similar to a profile in its way of restricting the shape of the CMW collection.
The Collection CMW type for a CoRIM collection SHALL be <tt>tag:{{&amp;SELF}}:corim</tt>.</t>
          <t>A COSE_Sign1-signed CoRIM Collection CMW has a similar requirement to a signed CoRIM.
The signing operation MUST include either a <tt>CWT-Claims</tt> or a <tt>corim-meta</tt> and MAY contain both, in the COSE_Sign1 <tt>protected-header</tt> parameter.
These metadata containers ensure that each CoRIM in the collection has an identified signer.
The COSE protected header can include a Collection CMW type name by using the <tt>cmwc_t</tt> content type parameter for the <tt>&amp;(content-type: 3)</tt> COSE header, or <tt>&amp;(payload_preimage_content_type: 259)</tt> in the case of hash envelopes.</t>
          <t>If using other signing envelope formats, (<xref target="sec-conveyed-signer"/>) the CoRIM signing authority MUST be specified. For example, this can be accomplished by adding the <tt>manifest-signer</tt> role to every CoRIM, or by using a protected header analogous to <tt>corim-meta</tt>.</t>
          <sourcecode type="cddl"><![CDATA[
corim-cbor-collection = {
  "__cmwc_t" => "tag:{{&SELF}}:corim",
  + cmw-label => [TBD1, bytes .cbor tagged-corim-map]
}
cmw-label = text / int
]]></sourcecode>
          <t>The Collection CMW MAY use any label for its CoRIMs.
If there is a hierarchical structure to the CoRIM Collection CMW, the base entry point SHOULD be labeled <tt>0</tt> in CBOR or <tt>"base"</tt> in JSON.
It is RECOMMENDED to label a CoRIM with its tag-id in string format, where <tt>uuid-type</tt> string format is specified by <xref target="RFC9562"/>.
CoRIMs distributed in a CoRIM Collection CMW MAY declare their interdependence <tt>dependent-rims</tt> with local resource indicators.
It is RECOMMENDED that a CoRIM with a <tt>uuid-type</tt> tag-id be referenced with URI <tt>urn:uuid:</tt><em>tag-id-uuid-string</em>.
It is RECOMMENDED that a CoRIM with a <tt>tstr</tt> tag-id be referenced with <tt>tag:{{&amp;SELF}}:local,</tt><em>tag-id-tstr</em>.
It is RECOMMENDED for a <tt>corim-locator-map</tt> containing local URIs to afterwards list a nonzero number of reachable URLs as remote references.</t>
          <t>The following example demonstrates these recommendations for bundling CoRIMs with a common signer but have different profiles.</t>
          <sourcecode type="cbor-diag"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

/ cbor-collection / {
  "__cmwc_t": "tag:{{&SELF}}:corim",
  "adee8cd4-4e47-461f-b341-2aba3ae4cbda":
    / cbor-cmw / [TBD1, << / tagged-corim-map / 501({
      / id / 0: h'adee8cd44e47461fb3412aba3ae4cbda',
      / tags / 1: [/ tagged-concise-mid-tag / 506(<<{
        / tag-identity / 1: {
          / tag-id / 0: h'315cfc0208d548ee9c89906df96e7fb8'
        },
        / triples / 4: {
          / reference-triples / 0: [[
            / ref-env / {/ class / 0: {/ class-id / 0: 560(h'c0de')}\
                                                                   },
            / ref-claims / {
              / mval / 1: {
                / profile-foo / -404:
                  h'\
                  6094685f8bb9b67daaf35707bd2c391f536a1df2ce5152c3cc'
              }}]],
          / coswid-triples / 6: [[
            {/ class / 0: {/ class-id / 0: 560(h'c0de')}},
            [h'369a6688451240b9b74905b1dd5fae9f']]]}}>>)],
      / profile / 3: "tag:example.com,2025/example-profile",
      / dependent-rims / 2: [{
        / href / 0: [
          "urn:uuid:51a5f633-71c0-45f5-855e-43e8254c1806",
          "https://example.com/369a6688451240b9b74905b1dd5fae9f.\
                                                               corim"
        ]}]}) >>],
  "51a5f633-71c0-45f5-855e-43e8254c1806":
    / cbor-cmw / [TBD1, << / tagged-corim-map / 501({
      / id: / 0: h'51a5f63371c045f5855e43e8254c1806',
      / tags / 1: [/ tagged-concise-swid-tag / 505(<<{
          / tag-id / 0: h'369a6688451240b9b74905b1dd5fae9f',
          / tag-version / 12: 2,
          / software-name / 1: "Gadget Firmware",
          / entity / 2: {
            / entity-name / 31: "ACME Firmware",
            / role / 33: / software-creator / 2
          },
          / profile-bar / 4294967295: {
           / profile-baz / 0: 5,
           / profile-qux / 1: h'f76e41f3462a62e8'}}>>)],
      / profile / 3: "tag:example.com,2025/software-profile"})>>]
}
]]></sourcecode>
        </section>
      </section>
    </section>
    <section anchor="sec-comid">
      <name>Concise Module Identifier (CoMID)</name>
      <t>A CoMID tag contains information about hardware, firmware, or module composition.</t>
      <t>Each CoMID has a unique ID that is used to unambiguously identify CoMID instances when cross referencing CoMID tags, for example in typed link relations, or in a CoTL tag.</t>
      <t>A CoMID defines several types of Claims, using "triples" semantics.</t>
      <t>At a high level, a triple is a statement that links a subject to an object via a predicate.
CoMID triples typically encode assertions made by the CoRIM author about Attesting or Target Environments and their security features, for example measurements, cryptographic key material, etc.</t>
      <t>This specification defines two classes of triples, the Mandatory To Implement (MTI) and the Optional To Implement (OTI).
The MTI triples are essential to basic appraisal processing as illustrated in <xref target="RFC9334"/> and <xref target="I-D.ietf-rats-endorsements"/>.
Every CoRIM Verifier MUST implement the MTI triples.
The OTI class of triples are generally useful across profiles.
A CoRIM Verifier SHOULD implement OTI triples.
Verifiers may be constrained in various ways that may make implementation of the OTI class infeasible or unnecessary.
For example, deployment environments may have constrained resources, limited code size, or limited scope Attesters.</t>
      <t>MTI Triples:</t>
      <ul spacing="normal">
        <li>
          <t>Reference Values triples: containing Reference Values that are expected to match Evidence for a given Target Environment (<xref target="sec-comid-triple-refval"/>).</t>
        </li>
        <li>
          <t>Endorsed Values triples: containing "Endorsed Values", i.e., features about an Environment that do not appear in Evidence. Specific examples include testing or certification data pertaining to a module (<xref target="sec-comid-triple-endval"/>).</t>
        </li>
        <li>
          <t>Conditional Endorsement triples: describing one or more conditions that, once matched, result in augmenting the Attester's actual state with the supplied Endorsed Values (<xref target="sec-comid-triple-cond-endors"/>).</t>
        </li>
      </ul>
      <t>OTI Triples:</t>
      <ul spacing="normal">
        <li>
          <t>Conditional Endorsement Series triples: describing conditional endorsements that are evaluated using a special matching algorithm (<xref target="sec-comid-triple-cond-endors"/>).</t>
        </li>
        <li>
          <t>Device Identity triples: containing cryptographic credentials - for example, an IDevID - uniquely identifying a device (<xref target="sec-comid-triple-identity"/>).</t>
        </li>
        <li>
          <t>Attestation Key triples: containing cryptographic keys that are used to verify the integrity protection on the Evidence received from the Attester (<xref target="sec-comid-triple-attest-key"/>).</t>
        </li>
        <li>
          <t>Trust dependency triples: describing trust relationships between domains, i.e., collection of related environments and their measurements (<xref target="sec-comid-triple-trust-dependency"/>).</t>
        </li>
        <li>
          <t>Domain membership triples: describing topological relationships between (sub-)modules. For example, in a composite Attester comprising multiple sub-Attesters (sub-modules), this triple can be used to define the topological relationship between lead- and sub- Attester environments (<xref target="sec-comid-triple-domain-membership"/>).</t>
        </li>
        <li>
          <t>CoMID-CoSWID linking triples: associating a Target Environment with existing CoSWID Payload tags (<xref target="sec-comid-triple-coswid"/>).</t>
        </li>
      </ul>
      <t>CoMID triples are extensible (<xref target="sec-comid-triples"/>).
Triples added via the extensibility feature MUST be OTI class triples.
This document specifies profiles (see <xref target="sec-extensibility"/>).
OTI triples MAY be reclassified as MTI using a profile.
Conversely, profiles can choose not to <em>use</em> certain MTI triples.
Profiles MUST NOT reclassify MTI triples as OTI.</t>
      <section anchor="structure">
        <name>Structure</name>
        <t>The CDDL specification for the <tt>concise-mid-tag</tt> map is as follows and this
rule and its constraints MUST be followed when creating or validating a CoMID
tag:</t>
        <sourcecode type="cddl"><![CDATA[
concise-mid-tag = {
  ? &(language: 0) => text
  &(tag-identity: 1) => tag-identity-map
  ? &(entities: 2) => [ + comid-entity-map ]
  ? &(linked-tags: 3) => [ + linked-tag-map ]
  &(triples: 4) => triples-map
  * $$concise-mid-tag-extension
}
]]></sourcecode>
        <t>The following describes each member of the <tt>concise-mid-tag</tt> map.</t>
        <ul spacing="normal">
          <li>
            <t><tt>lang</tt> (index 0): A textual language tag that conforms with IANA "Language
Subtag Registry" <xref target="IANA.language-subtag-registry"/>. The context of the specified language
applies to all sibling and descendant textual values, unless a descendant
object has defined a different language tag. Thus, a new context is
established when a descendant object redefines a new language tag.  All
textual values within a given context MUST be considered expressed in the
specified language.</t>
          </li>
          <li>
            <t><tt>tag-identity</tt> (index 1): A <tt>tag-identity-map</tt> containing unique
identification information for the CoMID.
Described in <xref target="sec-comid-tag-id"/>.</t>
          </li>
          <li>
            <t><tt>entities</tt> (index 2): Provides information about one or more organizations
responsible for producing the CoMID tag.
Described in <xref target="sec-comid-entity"/>.</t>
          </li>
          <li>
            <t><tt>linked-tags</tt> (index 3): A list of one or more <tt>linked-tag-map</tt> providing typed relationships between this and
other CoMIDs.
Described in <xref target="sec-comid-linked-tag"/>).</t>
          </li>
          <li>
            <t><tt>triples</tt> (index 4): One or more triples providing information specific to
the described module, e.g.: reference or endorsed values, cryptographic
material, or structural relationship between the described module and other
modules.
Described in <xref target="sec-comid-triples"/>.</t>
          </li>
        </ul>
        <section anchor="sec-comid-tag-id">
          <name>Tag Identity</name>
          <sourcecode type="cddl"><![CDATA[
tag-identity-map = {
  &(tag-id: 0) => $tag-id-type-choice
  ? &(tag-version: 1) => tag-version-type
}
]]></sourcecode>
          <t>The following describes each member of the <tt>tag-identity-map</tt>.</t>
          <ul spacing="normal">
            <li>
              <t><tt>tag-id</tt> (index 0): A universally unique identifier for the CoMID.
Described in <xref target="sec-tag-id"/>.</t>
            </li>
            <li>
              <t><tt>tag-version</tt> (index 1): Optional versioning information for the <tt>tag-id</tt>.
Described in <xref target="sec-tag-version"/>.</t>
            </li>
          </ul>
          <section anchor="sec-tag-id">
            <name>Tag ID</name>
            <sourcecode type="cddl"><![CDATA[
$tag-id-type-choice /= tstr
$tag-id-type-choice /= uuid-type
]]></sourcecode>
            <t>A Tag ID is either a 16-byte binary string, or a textual identifier, uniquely
referencing the CoMID. The tag identifier MUST be globally unique. Failure to
ensure global uniqueness can create ambiguity in tag use since the tag-id
serves as the global key for matching, lookups and linking. If represented as a
16-byte binary string, the identifier MUST be a valid universally unique
identifier as defined by <xref target="RFC9562"/>. There are no strict guidelines on how the
identifier is structured, but examples include a 16-byte GUID (e.g., class 4
UUID) <xref target="RFC9562"/>, or a URI <xref target="STD66"/>.</t>
          </section>
          <section anchor="sec-tag-version">
            <name>Tag Version</name>
            <sourcecode type="cddl"><![CDATA[
tag-version-type = uint .default 0
]]></sourcecode>
            <t>Tag Version is an integer value that indicates the specific release revision of
the tag.  Typically, the initial value of this field is set to 0 and the value
is increased for subsequent tags produced for the same module release.  This
value allows a CoMID tag producer to correct an incorrect tag previously
released without indicating a change to the underlying module the tag
represents. For example, the tag version could be changed to add new metadata,
to correct a broken link, to add a missing reference value, etc. When producing
a revised tag, the new tag-version value MUST be greater than the old
tag-version value.</t>
          </section>
        </section>
        <section anchor="sec-comid-entity">
          <name>Entities</name>
          <sourcecode type="cddl"><![CDATA[
comid-entity-map =
  entity-map<$comid-role-type-choice, $$comid-entity-map-extension>
]]></sourcecode>
          <t>The CoMID Entity is an instantiation of <tt>entity-map</tt> (<xref target="sec-common-entity"/>) using a <tt>$comid-role-type-choice</tt>.</t>
          <t>The <tt>$$comid-entity-map-extension</tt> extension socket is empty in this
specification.</t>
          <sourcecode type="cddl"><![CDATA[
$comid-role-type-choice /= &(tag-creator: 0)
$comid-role-type-choice /= &(creator: 1)
$comid-role-type-choice /= &(maintainer: 2)
]]></sourcecode>
          <t>The roles defined for a CoMID entity are:</t>
          <ul spacing="normal">
            <li>
              <t><tt>tag-creator</tt> (value 0): creator of the CoMID tag.</t>
            </li>
            <li>
              <t><tt>creator</tt> (value 1): original maker of the module described by the CoMID tag.</t>
            </li>
            <li>
              <t><tt>maintainer</tt> (value 2): an entity making changes to the module described by the CoMID tag.</t>
            </li>
          </ul>
        </section>
        <section anchor="sec-comid-linked-tag">
          <name>Linked Tag</name>
          <t>The linked tag map represents a typed relationship between the embedding CoMID
tag (the source) and another CoMID tag (the target).</t>
          <sourcecode type="cddl"><![CDATA[
linked-tag-map = {
  &(linked-tag-id: 0) => $tag-id-type-choice
  &(tag-rel: 1) => $tag-rel-type-choice
}
]]></sourcecode>
          <t>The following describes each member of the <tt>tag-identity-map</tt>.</t>
          <ul spacing="normal">
            <li>
              <t><tt>linked-tag-id</tt> (index 0): Unique identifier for the target tag.
See <xref target="sec-tag-id"/>.</t>
            </li>
            <li>
              <t><tt>tag-rel</tt> (index 1): the kind of relation linking the source tag to the
target identified by <tt>linked-tag-id</tt>.</t>
            </li>
          </ul>
          <sourcecode type="cddl"><![CDATA[
$tag-rel-type-choice /= &(supplements: 0)
$tag-rel-type-choice /= &(replaces: 1)
]]></sourcecode>
          <t>The relations defined in this specification are:</t>
          <ul spacing="normal">
            <li>
              <t><tt>supplements</tt> (value 0): the source tag provides additional information about
the module described in the target tag.</t>
            </li>
            <li>
              <t><tt>replaces</tt> (value 1): the source tag corrects erroneous information
contained in the target tag.  The information in the target MUST be
disregarded.</t>
            </li>
          </ul>
        </section>
        <section anchor="sec-comid-triples">
          <name>Triples</name>
          <t>The <tt>triples-map</tt> contains all the CoMID triples broken down per category.  Not
all category need to be present but at least one category MUST be present and
contain at least one entry.</t>
          <t>In most cases, the supply chain entity that is responsible for providing a triple (i.e., Reference Values or Endorsed Values) is by default the CoRIM signer.
The signer of a triple is said to be its <em>authority</em>.
However, multiple authorities may be involved in signing triples.
See <xref target="STD96"/>.
Consequently, authority may differ for search criteria.
See <xref target="sec-measurements"/>.</t>
          <sourcecode type="cddl"><![CDATA[
triples-map = non-empty<{
  ? &(reference-triples: 0) =>
    [ + reference-triple-record ]
  ? &(endorsed-triples: 1) =>
    [ + endorsed-triple-record ]
  ? &(identity-triples: 2) =>
    [ + identity-triple-record ]
  ? &(attest-key-triples: 3) =>
    [ + attest-key-triple-record ]
  ? &(dependency-triples: 4) =>
    [ + trust-dependency-triple-record ]
  ? &(membership-triples: 5) =>
    [ + domain-membership-triple-record ]
  ? &(coswid-triples: 6) =>
    [ + coswid-triple-record ]
  ? &(conditional-endorsement-series-triples: 8) =>
    [ + conditional-endorsement-series-triple-record ]
  ? &(conditional-endorsement-triples: 10) =>
    [ + conditional-endorsement-triple-record ]
  * $$triples-map-extension
}>
]]></sourcecode>
          <t>The following describes each member of the <tt>triples-map</tt>:</t>
          <ul spacing="normal">
            <li>
              <t><tt>reference-triples</tt> (index 0): Triples containing reference values.
Described in <xref target="sec-comid-triple-refval"/>.</t>
            </li>
            <li>
              <t><tt>endorsed-triples</tt> (index 1): Triples containing endorsed values.
Described in <xref target="sec-comid-triple-endval"/>.</t>
            </li>
            <li>
              <t><tt>identity-triples</tt> (index 2): Triples containing identity credentials.
Described in <xref target="sec-comid-triple-identity"/>.</t>
            </li>
            <li>
              <t><tt>attest-key-triples</tt> (index 3): Triples containing verification keys associated with attesting environments.
Described in <xref target="sec-comid-triple-attest-key"/>.</t>
            </li>
            <li>
              <t><tt>dependency-triples</tt> (index 4): Triples describing trust relationships between domains.
Described in <xref target="sec-comid-triple-trust-dependency"/>.</t>
            </li>
            <li>
              <t><tt>membership-triples</tt> (index 5): Triples describing topological relationships between (sub-)modules.
Described in <xref target="sec-comid-triple-domain-membership"/>.</t>
            </li>
            <li>
              <t><tt>coswid-triples</tt> (index 6): Triples associating modules with existing CoSWID tags.
Described in <xref target="sec-comid-triple-coswid"/>.</t>
            </li>
            <li>
              <t><tt>conditional-endorsement-series-triples</tt> (index 8): Triples describing a series of Endorsements that are applicable based on the acceptance of a condition.
Described in <xref target="sec-comid-triple-cond-series"/>.</t>
            </li>
            <li>
              <t><tt>conditional-endorsement-triples</tt> (index 10): Triples describing a series of conditional Endorsements based on the acceptance of a stateful environment.
Described in <xref target="sec-comid-triple-cond-endors"/>.</t>
            </li>
          </ul>
          <section anchor="sec-environments">
            <name>Environments</name>
            <t>An <tt>environment-map</tt> may be used to represent a whole Attester, an Attesting
Environment, or a Target Environment.  The exact semantic depends on the
context (triple) in which the environment is used.</t>
            <t>An environment is named after a class, instance or group identifier (or a
combination thereof).</t>
            <t>An environment MUST be globally unique.
The combination of values within <tt>class-map</tt> MUST combine to form a globally unique identifier.</t>
            <sourcecode type="cddl"><![CDATA[
environment-map = non-empty<{
  ? &(class: 0) => class-map
  ? &(instance: 1) => $instance-id-type-choice
  ? &(group: 2) => $group-id-type-choice
}>
]]></sourcecode>
            <t>The following describes each member of the <tt>environment-map</tt>:</t>
            <ul spacing="normal">
              <li>
                <t><tt>class</tt> (index 0): Contains "class" attributes associated with the module.
Described in <xref target="sec-comid-class"/>.</t>
              </li>
              <li>
                <t><tt>instance</tt> (index 1): Contains a unique identifier of a module's instance.
Described in <xref target="sec-comid-instance"/>.</t>
              </li>
              <li>
                <t><tt>group</tt> (index 2): identifier for a group of instances, e.g., if an
anonymization scheme is used.
Described in <xref target="sec-comid-group"/>.</t>
              </li>
            </ul>
          </section>
          <section anchor="sec-comid-class">
            <name>Environment Class</name>
            <t>The Class name consists of class attributes that distinguish the class of
environment from other classes. The class attributes include class-id, vendor,
model, layer, and index. The CoMID author determines which attributes are
needed.</t>
            <sourcecode type="cddl"><![CDATA[
class-map = non-empty<{
  ? &(class-id: 0) => $class-id-type-choice
  ? &(vendor: 1) => tstr
  ? &(model: 2) => tstr
  ? &(layer: 3) => uint
  ? &(index: 4) => uint
}>

$class-id-type-choice /= tagged-oid-type
$class-id-type-choice /= tagged-uuid-type
$class-id-type-choice /= tagged-bytes
]]></sourcecode>
            <t>The following describes each member of the <tt>class-map</tt>:</t>
            <ul spacing="normal">
              <li>
                <t><tt>class-id</tt> (index 0): Identifies the environment via a well-known identifier.
Typically, <tt>class-id</tt> is an object identifier (OID) variable-length opaque byte string (<xref target="sec-common-tagged-bytes"/>) or universally unique identifier (UUID).
Use of this attribute is preferred.</t>
              </li>
              <li>
                <t><tt>vendor</tt> (index 1): Identifies the entity responsible for choosing values for
the other class attributes that do not already have naming authority.</t>
              </li>
              <li>
                <t><tt>model</tt> (index 2): Describes a product, generation, and family.  If
populated, vendor MUST also be populated.</t>
              </li>
              <li>
                <t><tt>layer</tt> (index 3): Is used to capture where in a sequence the environment
exists. For example, the order in which bootstrap code is executed may have
security relevance.</t>
              </li>
              <li>
                <t><tt>index</tt> (index 4): Is used when there are clones (i.e., multiple instances)
of the same class of environment.  Each clone is given a different index
value to disambiguate it from the other clones. For example, given a chassis
with several network interface controllers (NIC), each NIC can be given a
different index value.</t>
              </li>
            </ul>
          </section>
          <section anchor="sec-comid-instance">
            <name>Environment Instance</name>
            <t>An <tt>instance-id</tt> is a unique value that identifies a Target Environment instance.
The identifier is reliably bound to the Target Environment.
For example, if an X.509 certificate's subject public key is unique for each instance of a target environment, the <tt>instance-id</tt> might be created from that subject public key.
See <xref section="4.1" sectionFormat="of" target="RFC5280"/>.
Alternatively, if the certificate's subject public key is large, the <tt>instance-id</tt> might be a key identifier that is a digest of that public key.
See <xref section="4.2.1.2" sectionFormat="of" target="RFC5280"/>.
The key identifier is reliably bound to the subject public key because the identifier is a digest of the key.</t>
            <t>The types defined for an instance identifier are CBOR tagged expressions of
UEID, UUID, variable-length opaque byte string (<xref target="sec-common-tagged-bytes"/>), cryptographic keys, or cryptographic key identifiers.</t>
            <sourcecode type="cddl"><![CDATA[
$instance-id-type-choice /= tagged-ueid-type
$instance-id-type-choice /= tagged-uuid-type
$instance-id-type-choice /= tagged-bytes
$instance-id-type-choice /= tagged-pkix-base64-key-type
$instance-id-type-choice /= tagged-pkix-base64-cert-type
$instance-id-type-choice /= tagged-cose-key-type
$instance-id-type-choice /= tagged-key-thumbprint-type
$instance-id-type-choice /= tagged-cert-thumbprint-type
$instance-id-type-choice /= tagged-pkix-asn1der-cert-type
]]></sourcecode>
          </section>
          <section anchor="sec-comid-group">
            <name> Environment Group</name>
            <t>A group carries a unique identifier that is reliably bound to a group of
Attesters, for example when a number of Attester are hidden in the same
anonymity set.</t>
            <t>The types defined for a group identifier are UUID and variable-length opaque byte string (<xref target="sec-common-tagged-bytes"/>).</t>
            <sourcecode type="cddl"><![CDATA[
$group-id-type-choice /= tagged-uuid-type
$group-id-type-choice /= tagged-bytes
]]></sourcecode>
          </section>
          <section anchor="sec-measurements">
            <name>Measurements</name>
            <t>Measurements can be of a variety of things including software, firmware,
configuration files, read-only memory, fuses, IO ring configuration, partial
reconfiguration regions, etc. Measurements comprise raw values, digests, or
status information.</t>
            <t>An environment has one or more measurable elements. Each element can have a
dedicated measurement or multiple elements could be combined into a single
measurement. Measurements can have class, instance or group scope.  This is
typically determined by the triple's environment.</t>
            <t>Class measurements apply generally to all the Attesters in a given class.</t>
            <t>Instance measurements apply to a specific Attester instance.  Environments
identified by a class identifier have measurements that are common to the
class. Environments identified by an instance identifier have measurements that
are specific to that instance.</t>
            <t>An environment may have multiple measured elements.
Measured elements are distinguished from each other by measurement keys.
Measurement keys may be used to disambiguate measurements of the same type originating from different elements.</t>
            <t>Triples that have search conditions may specify authority as matching criteria by populating <tt>authorized-by</tt>.</t>
            <sourcecode type="cddl"><![CDATA[
measurement-map = {
  ? &(mkey: 0) => $measured-element-type-choice
  &(mval: 1) => measurement-values-map
  ? &(authorized-by: 2) => [ + $crypto-key-type-choice ]
}
]]></sourcecode>
            <t>The following describes each member of the <tt>measurement-map</tt>:</t>
            <ul spacing="normal">
              <li>
                <t><tt>mkey</tt> (index 0): An optional measurement key.
 Described in <xref target="sec-comid-mkey"/>.
 A <tt>measurement-map</tt> without an <tt>mkey</tt> is said to be anonymous.</t>
              </li>
              <li>
                <t><tt>mval</tt> (index 1): The measurements associated with the environment.
 Described in <xref target="sec-comid-mval"/>.</t>
              </li>
              <li>
                <t><tt>authorized-by</tt> (index 2): The cryptographic identity of the entity (individual or organization) that is
 the designated authority for measurement Claims.
 For example, the signer of a CoMID triple.
 See <xref target="sec-crypto-keys"/>.
 An entity is authoritative when it makes Claims that are inside its area of
competence.</t>
              </li>
            </ul>
            <section anchor="sec-comid-mkey">
              <name>Measurement Keys</name>
              <t>A Measurement Key is an identifier for a measured element.
It can be used to identify the type of measured element (see <xref target="I-D.ydb-rats-cca-endorsements"/>) or to identify
multiple measured element instances within the same environment.
The initial types defined are OID, UUID, uint, and tstr.</t>
              <sourcecode type="cddl"><![CDATA[
$measured-element-type-choice /= tagged-oid-type
$measured-element-type-choice /= tagged-uuid-type
$measured-element-type-choice /= uint
$measured-element-type-choice /= tstr
]]></sourcecode>
            </section>
            <section anchor="sec-comid-mval">
              <name>Measurement Values</name>
              <t>A <tt>measurement-values-map</tt> contains measurements associated with a certain
environment. Depending on the context (triple) in which they are found,
elements in a <tt>measurement-values-map</tt> can represent class or instance
measurements. Note that some of the elements have instance scope only.</t>
              <t>Measurement values may support use cases beyond Verifier appraisal.
Typically, a Relying Party determines if additional processing is desirable
and whether the processing is applied by the Verifier or the Relying Party.</t>
              <sourcecode type="cddl"><![CDATA[
measurement-values-map = non-empty<{
  ? &(version: 0) => version-map
  ? &(svn: 1) => svn-type-choice
  ? &(digests: 2) => digests-type
  ? &(flags: 3) => flags-map
  ? (
      &(raw-value: 4) => $raw-value-type-choice,
      ? &(raw-value-mask-DEPRECATED: 5) => raw-value-mask-type
    )
  ? &(mac-addr: 6) => mac-addr-type-choice
  ? &(ip-addr: 7) => ip-addr-type-choice
  ? &(serial-number: 8) => text
  ? &(ueid: 9) => ueid-type
  ? &(uuid: 10) => uuid-type
  ? &(name: 11) => text
  ? &(cryptokeys: 13) => [ + $crypto-key-type-choice ]
  ? &(integrity-registers: 14) => integrity-registers
  ? &(int-range: 15) => int-range-type-choice
  * $$measurement-values-map-extension
}>
]]></sourcecode>
              <t>The following describes each member of the <tt>measurement-values-map</tt>.</t>
              <ul spacing="normal">
                <li>
                  <t><tt>version</tt> (index 0): Typically changes whenever the measured environment is updated.
Described in <xref target="sec-comid-version"/>.</t>
                </li>
                <li>
                  <t><tt>svn</tt> (index 1): The security version number typically changes only when a security relevant change is made to the measured environment.
Described in <xref target="sec-comid-svn"/>.</t>
                </li>
                <li>
                  <t><tt>digests</tt> (index 2): Contains the digest(s) of the measured environment
together with the respective hash algorithm used in the process.
It uses the <tt>digests-type</tt>.
Described in <xref target="sec-common-hash-entry"/>.</t>
                </li>
                <li>
                  <t><tt>flags</tt> (index 3): Describes security relevant operational modes.
For example, whether the environment is in a debug mode, recovery mode, not fully
configured, not secure, not replay protected or not integrity protected.
The <tt>flags</tt> field indicates which operational modes are currently associated with measured environment.
Described in <xref target="sec-comid-flags"/>.</t>
                </li>
                <li>
                  <t><tt>raw-value</tt> (index 4): Contains the actual (not hashed) value of the element.
The vendor determines the encoding of <tt>raw-value</tt>.
When used for comparison, the <tt>tagged-masked-raw-value</tt> variant includes a mask indicating which bits in the value to compare.
Described in <xref target="sec-comid-raw-value-types"/></t>
                </li>
                <li>
                  <t><tt>raw-value-mask-DEPRECATED</tt> (index 5): Is an obsolete method of indicating which bits in a raw value to compare. New CoMID files should use the <tt>tagged-masked-raw-value</tt> on index 4 instead of using index 5.</t>
                </li>
                <li>
                  <t><tt>mac-addr</tt> (index 6): An EUI-48 (Extended Unique Identifier 48) or EUI-64 MAC address <xref target="IEEE-802.OandA"/> associated with the measured environment.
Described in <xref target="sec-comid-address-types"/>.</t>
                </li>
                <li>
                  <t><tt>ip-addr</tt> (index 7): An IPv4 or IPv6 address associated with the measured environment.
Described in <xref target="sec-comid-address-types"/>.</t>
                </li>
                <li>
                  <t><tt>serial-number</tt> (index 8): A text string representing the product serial number.</t>
                </li>
                <li>
                  <t><tt>ueid</tt> (index 9): UEID associated with the measured environment.
Described in <xref target="sec-common-ueid"/>.</t>
                </li>
                <li>
                  <t><tt>uuid</tt> (index 10): UUID associated with the measured environment.
Described in <xref target="sec-common-uuid"/>.</t>
                </li>
                <li>
                  <t><tt>name</tt> (index 11): a name associated with the measured environment.</t>
                </li>
                <li>
                  <t><tt>cryptokeys</tt> (index 13): identifies cryptographic keys that are protected by the Target Environment
See <xref target="sec-crypto-keys"/> for the supported formats.
An Attesting Environment determines that keys are protected as part of Claims collection.
Appraisal verifies that, for each value in <tt>cryptokeys</tt>, there is a matching Reference Value entry.
Matching is described in <xref target="sec-cryptokeys-matching"/>.</t>
                </li>
                <li>
                  <t><tt>integrity-registers</tt> (index 14): A group of one or more named measurements associated with the environment.  Described in <xref target="sec-comid-integrity-registers"/>.</t>
                </li>
              </ul>
            </section>
            <section anchor="sec-comid-version">
              <name>Version</name>
              <t>A <tt>version-map</tt> contains details about the versioning of a measured
environment.</t>
              <sourcecode type="cddl"><![CDATA[
;# import rfc9393 as coswid

version-map = {
  &(version: 0) => text
  ? &(version-scheme: 1) => coswid.$version-scheme
}
]]></sourcecode>
              <t>The following describes each member of the <tt>version-map</tt>:</t>
              <ul spacing="normal">
                <li>
                  <t><tt>version</tt> (index 0): the version string</t>
                </li>
                <li>
                  <t><tt>version-scheme</tt> (index 1): an optional indicator of the versioning
convention used in the <tt>version</tt> attribute.
Defined in <xref section="4.1" sectionFormat="of" target="RFC9393"/>.
The CDDL is copied below for convenience.</t>
                </li>
              </ul>
              <sourcecode type="cddl"><![CDATA[
$version-scheme /= &(multipartnumeric: 1)
$version-scheme /= &(multipartnumeric-suffix: 2)
$version-scheme /= &(alphanumeric: 3)
$version-scheme /= &(decimal: 4)
$version-scheme /= &(semver: 16384)
$version-scheme /= int / text
]]></sourcecode>
            </section>
            <section anchor="sec-comid-svn">
              <name>Security Version Number</name>
              <t>The following details the security version number (<tt>svn</tt>) and the minimum security version number (<tt>min-svn</tt>) statements.
A security version number is used to track changes to an object (e.g., a secure enclave, a boot loader executable, a configuration file, etc.) that are security relevant.
Rollback of a security relevant change is considered to be an attack vector; as such, security version numbers cannot be decremented.
If a security relevant flaw is discovered in the Target Environment and is subsequently fixed, the <tt>svn</tt> value is typically incremented.</t>
              <t>There may be several revisions to a Target Environment that are in use at the same time.
If there are multiple revisions with different <tt>svn</tt> values, the revision with a lower <tt>svn</tt> value may
or may not be in a security critical condition. The Endorser may provide a minimum security version number
using <tt>min-svn</tt> to specify the lowest <tt>svn</tt> value that is acceptable.
<tt>svn</tt> values that are equal to or greater than <tt>min-svn</tt> do not signal a security critical condition.
<tt>svn</tt> values that are below <tt>min-svn</tt> are in a security critical condition that is unsafe for normal use.</t>
              <t>The <tt>svn-type-choice</tt> measurement consists of a <tt>tagged-svn</tt> or <tt>tagged-min-svn</tt> value.
The <tt>tagged-svn</tt> and <tt>tagged-min-svn</tt> tags are CBOR tags with the values <tt>#6.552</tt> and <tt>#6.553</tt> respectively.</t>
              <sourcecode type="cddl"><![CDATA[
svn-type = uint
svn = svn-type
min-svn = svn-type
tagged-svn = #6.552(svn)
tagged-min-svn = #6.553(min-svn)
svn-type-choice = svn / tagged-svn / tagged-min-svn
]]></sourcecode>
            </section>
            <section anchor="sec-comid-flags">
              <name>Flags</name>
              <t>The <tt>flags-map</tt> measurement describes a number of boolean operational modes.
If a <tt>flags-map</tt> value is not specified, then the operational mode is unknown.
Note that, while the fields may not be completely independent of one another, this specification imposes no restrictions on combinations of the <tt>flags-map</tt> booleans.
However, a profile may restrict the possible <tt>flags-map</tt> booleans and their valid combinations.</t>
              <sourcecode type="cddl"><![CDATA[
flags-map = non-empty<{
  ? &(is-configured: 0) => bool
  ? &(is-secure: 1) => bool
  ? &(is-recovery: 2) => bool
  ? &(is-debug: 3) => bool
  ? &(is-replay-protected: 4) => bool
  ? &(is-integrity-protected: 5) => bool
  ? &(is-runtime-meas: 6) => bool
  ? &(is-immutable: 7) => bool
  ? &(is-tcb: 8) => bool
  ? &(is-confidentiality-protected: 9) => bool
  ? &(is-runtime-updatable: 10) => bool
  * $$flags-map-extension
}>
]]></sourcecode>
              <t>The following describes each member of the <tt>flags-map</tt>:</t>
              <ul spacing="normal">
                <li>
                  <t><tt>is-configured</tt> (index 0): If the flag is true, the measured environment is fully configured for normal operation.</t>
                </li>
                <li>
                  <t><tt>is-secure</tt> (index 1): If the flag is true, the measured environment's configurable
security settings are fully enabled.</t>
                </li>
                <li>
                  <t><tt>is-recovery</tt> (index 2): If the flag is true, the measured environment is in recovery
mode.</t>
                </li>
                <li>
                  <t><tt>is-debug</tt> (index 3): If the flag is true, the measured environment is in a debug enabled
mode.</t>
                </li>
                <li>
                  <t><tt>is-replay-protected</tt> (index 4): If the flag is true, the measured environment is
protected from rollback to previous software images.</t>
                </li>
                <li>
                  <t><tt>is-integrity-protected</tt> (index 5): If the flag is true, the measured environment is
protected from unauthorized update.</t>
                </li>
                <li>
                  <t><tt>is-runtime-meas</tt> (index 6): If the flag is true, the measured environment is measured
after being loaded into memory.</t>
                </li>
                <li>
                  <t><tt>is-immutable</tt> (index 7): If the flag is true, the measured environment is immutable.</t>
                </li>
                <li>
                  <t><tt>is-tcb</tt> (index 8): If the flag is true, the measured environment is a trusted
computing base.</t>
                </li>
                <li>
                  <t><tt>is-confidentiality-protected</tt> (index 9): If the flag is true, the measured environment
is confidentiality protected. For example, if the measured environment consists of memory,
the sensitive values in memory are encrypted.</t>
                </li>
                <li>
                  <t><tt>is-runtime-updatable</tt> (index 10): If the flag is true, the measured environment
supports being updated at run time without requiring a system reboot for the update to
take effect. This is sometimes referred to as "Live Firmware Activation" (LFA) or hitless
update or impactless updates. The flag describes a capability of the measured environment;
it does not by itself imply that an update has occurred or is pending.</t>
                </li>
              </ul>
            </section>
            <section anchor="sec-comid-raw-value-types">
              <name>Raw Values Types</name>
              <t>Raw value measurements are typically vendor defined values that are checked by Verifiers
for consistency only, since the security relevance is opaque to Verifiers. A profile may choose
to define more specific semantic meaning to a raw value.</t>
              <t>A <tt>raw-value</tt> measurement, or an Endorsement, is a tagged value of type <tt>bytes</tt>.
This specification defines tag #6.560.
The default raw value measurement is of type <tt>tagged-bytes</tt> (<xref target="sec-common-tagged-bytes"/>).</t>
              <t>Additional value types can be added to <tt>$raw-value-type-choice</tt>. These additional values MUST be CBOR tagged <tt>bstr</tt>s.
Constraining all raw value types to be <tt>bstr</tt> lets Verifiers compare raw values without understanding their contents.</t>
              <t>A raw value intended for comparison can include a mask value, which selects the bits to compare during appraisal.
The mask is applied by the Verifier as part of appraisal.
Only the raw value bits with corresponding TRUE mask bits are compared during appraisal.</t>
              <t>The <tt>raw-value-mask-DEPRECATED</tt> in <tt>measurement-values-map</tt> is deprecated, but retained for backwards compatibility.
This code point may be removed in a future revision of this specification.</t>
              <sourcecode type="cddl"><![CDATA[
$raw-value-type-choice /= tagged-bytes
$raw-value-type-choice /= tagged-masked-raw-value

raw-value-mask-type = bytes
tagged-masked-raw-value = #6.563([
  value: bytes
  mask : bytes
])
]]></sourcecode>
            </section>
            <section anchor="sec-comid-address-types">
              <name>Address Types</name>
              <t>This specification defines types for 48-bit and 64-bit MAC identifiers.
For IP addresses, it reuses the "Address Format" types defined in <xref target="RFC9164"/> with the CBOR tag removed.</t>
              <t>All the types represent a single address.</t>
              <sourcecode type="cddl"><![CDATA[
mac-addr-type-choice = eui48-addr-type / eui64-addr-type
eui48-addr-type = bytes .size 6
eui64-addr-type = bytes .size 8

;# import rfc9164 as cbor-ip

ip-addr-type-choice /= cbor-ip.ipv4-address
ip-addr-type-choice /= cbor-ip.ipv6-address
]]></sourcecode>
            </section>
          </section>
          <section anchor="sec-crypto-keys">
            <name>Crypto Keys</name>
            <t>A cryptographic key can be one of the following formats:</t>
            <ul spacing="normal">
              <li>
                <t><tt>tagged-pkix-base64-key-type</tt>: PEM encoded SubjectPublicKeyInfo.
Defined in <xref section="13" sectionFormat="of" target="RFC7468"/>.</t>
              </li>
              <li>
                <t><tt>tagged-pkix-base64-cert-type</tt>: PEM encoded X.509 public key certificate.
Defined in <xref section="5" sectionFormat="of" target="RFC7468"/>.</t>
              </li>
              <li>
                <t><tt>tagged-pkix-base64-cert-path-type</tt>: X.509 certificate chain created by the
concatenation of as many PEM encoded X.509 certificates as needed.  The
certificates MUST be concatenated in order so that each directly certifies
the one preceding.</t>
              </li>
              <li>
                <t><tt>tagged-cose-key-type</tt>: CBOR encoded COSE_Key or COSE_KeySet.
Defined in <xref section="7" sectionFormat="of" target="STD96"/>.</t>
              </li>
              <li>
                <t><tt>tagged-pkix-asn1der-cert-type</tt>: a <tt>bstr</tt> of ASN.1 DER encoded X.509 public key certificate.
Defined in <xref section="4" sectionFormat="of" target="RFC5280"/>.</t>
              </li>
            </ul>
            <t>A cryptographic key digest can be one of the following formats:</t>
            <ul spacing="normal">
              <li>
                <t><tt>tagged-key-thumbprint-type</tt>: a <tt>digest</tt> (e.g., the SHA-2 hash) of a raw public key.
For example, the digest value can be used to locate a public key contained in a lookup table.
Ultimately, the discovered keys have to be successfully byte-by-byte compared with the corresponding keys.</t>
              </li>
              <li>
                <t><tt>tagged-cert-thumbprint-type</tt>: a <tt>digest</tt> of a certificate.
The digest value may be used to find the certificate if contained in a lookup table.</t>
              </li>
              <li>
                <t><tt>tagged-cert-path-thumbprint-type</tt>: a <tt>digest</tt> of a certification path.
The digest value may be used to find the certificate path if contained in a lookup table.</t>
              </li>
              <li>
                <t><tt>tagged-bytes</tt>: a key identifier with no prescribed construction method.</t>
              </li>
            </ul>
            <sourcecode type="cddl"><![CDATA[
;# import measured-component as eatmc

$crypto-key-type-choice /= tagged-pkix-base64-key-type
$crypto-key-type-choice /= tagged-pkix-base64-cert-type
$crypto-key-type-choice /= tagged-pkix-base64-cert-path-type
$crypto-key-type-choice /= tagged-cose-key-type
$crypto-key-type-choice /= tagged-pkix-asn1der-cert-type
$crypto-key-type-choice /= tagged-key-thumbprint-type
$crypto-key-type-choice /= tagged-cert-thumbprint-type
$crypto-key-type-choice /= tagged-cert-path-thumbprint-type
$crypto-key-type-choice /= tagged-bytes
tagged-pkix-base64-key-type = #6.554(tstr)
tagged-pkix-base64-cert-type = #6.555(tstr)
tagged-pkix-base64-cert-path-type = #6.556(tstr)
tagged-key-thumbprint-type = #6.557(eatmc.digest)
tagged-cose-key-type = #6.558(COSE_Key)
tagged-cert-thumbprint-type = #6.559(eatmc.digest)
tagged-cert-path-thumbprint-type = #6.561(eatmc.digest)
tagged-pkix-asn1der-cert-type = #6.562(bstr)
]]></sourcecode>
          </section>
          <section anchor="sec-comid-integrity-registers">
            <name>Integrity Registers</name>
            <t>An Integrity Registers map groups together one or more measured "objects".
Each measured object has a unique identifier and one or more associated digests.
Identifiers are either unsigned integers or text strings and their type matters, e.g., unsigned integer 5 is distinct from the text string "5".
The digests use <tt>digests-type</tt> semantics (<xref target="sec-common-hash-entry"/>).</t>
            <sourcecode type="cddl"><![CDATA[
integrity-register-id-type-choice = uint / text

integrity-registers = {
  + integrity-register-id-type-choice => digests-type
}
]]></sourcecode>
            <t>All the measured objects in an Integrity Registers map are explicitly named and the order in which they appear in the map is irrelevant.
Any digests associated with a measured object represent an acceptable state for the object.
Therefore, if multiple digests are provided, the acceptable state is their cross-product.
For example, given the following Integrity Registers:</t>
            <sourcecode type="cbor-diag"><![CDATA[
{
  0: [ [ 0, h'00' ] ],
  1: [ [ 0, h'11' ], [ 1, h'12' ] ]
}
]]></sourcecode>
            <t>then both</t>
            <sourcecode type="cbor-diag"><![CDATA[
{
  0: [ 0, h'00' ],
  1: [ 0, h'11' ]
}
]]></sourcecode>
            <t>and</t>
            <sourcecode type="cbor-diag"><![CDATA[
{
  0: [ 0, h'00' ],
  1: [ 1, h'12' ]
}
]]></sourcecode>
            <t>are acceptable states.</t>
            <t>Integrity Registers can be used to model the PCRs in a TPM or vTPM, in which case the identifier is the register index, or other kinds of vendor-specific measured objects.</t>
          </section>
          <section anchor="sec-comid-int-range">
            <name>Int Range</name>
            <t>An int range describes an integer value that can be compared with linear order in the target environment.
An int range is represented with either major type 0 or major type 1 ints.</t>
            <sourcecode type="cddl"><![CDATA[
int-range-type-choice = int / tagged-int-range
int-range = [min: int / negative-inf, max: int / positive-inf]
tagged-int-range = #6.564(int-range)
positive-inf = null
negative-inf = null
]]></sourcecode>
            <t>The signed integer range representation is an inclusive range unless either <tt>min</tt> or <tt>max</tt> are infinite as represented by <tt>null</tt>, in which case, each infinity is necessarily exclusive.</t>
          </section>
        </section>
        <section anchor="sec-comid-triple-refval">
          <name>Reference Values Triple</name>
          <t>Reference Values Triples describe the possible intended states of an Attester.
At any given point in time, an Attester is expected to match only one of these states.</t>
          <t>A Reference Values Triple provides reference values pertaining to a Target Environment.
In a Reference Value triple, the subject identifies a Target Environment, the object contains reference measurements associated with one or more measured elements of the Environment, and the predicate asserts that these represent the expected state of the Target Environment.</t>
          <t>The Reference Values Triple has the following structure:</t>
          <figure anchor="triple-rv">
            <name>Reference Values Triple Definition</name>
            <sourcecode type="cddl"><![CDATA[
reference-triple-record = [
  ref-env: environment-map
  ref-claims: [ + measurement-map ]
]
]]></sourcecode>
          </figure>
          <t>The <tt>reference-triple-record</tt> has the following parameters:</t>
          <ul spacing="normal">
            <li>
              <t><tt>ref-env</tt>: Identifies the Target Environment</t>
            </li>
            <li>
              <t><tt>ref-claims</tt>: Contains one or more reference measurements for the Target Environment</t>
            </li>
          </ul>
          <t>CoMID triples may contain multiple <tt>reference-triple-record</tt> entries.
Each <tt>reference-triple-record</tt> describes a reference state for the Target Environment identified by <tt>ref-env</tt>.
Different reference states for a Target Environment MUST be expressed using separate <tt>reference-triple-record</tt> entries.
An exception to the above requirement is when using range types to specify the <tt>ref-claims</tt> as explained further down.</t>
          <t>Since a given <tt>reference-triple-record</tt> can describe only a single Target Environment, the reference state of a device comprising multiple different Target Environments will necessarily be spread across multiple <tt>reference-triple-record</tt>s.
In other words, <tt>reference-triple-record</tt> alone cannot, in the general case, describe the reference state for a complex device.
The CoRIM author must therefore rely on other CoMID triples (e.g., conditional endorsements) or profile-specific conventions (e.g., using CoRIM or CoMID boundaries, possibly in conjunction with CoTL) to express the entire reference state of a complex device.</t>
          <t>The <tt>ref-claims</tt> of a given <tt>reference-triple-record</tt> can contain one or more entries.
Each <tt>ref-claims</tt> entry represents the reference state of a different measured element within the expected overall state of the Target Environment.
As an encoding shortcut, some measurement key-value pairs, for example when using <tt>int-range</tt>, <tt>min-svn</tt> and <tt>integrity-registers</tt>, can be defined to encode multiple states simultaneously.</t>
          <t>To process a <tt>reference-triple-record</tt>, the <tt>ref-env</tt> and <tt>ref-claims</tt> criteria are compared with Evidence entries.
First, <tt>ref-env</tt> is used as search criteria to locate matching Evidence environments.
Then, the <tt>ref-claims</tt> from this triple are used to match against the Evidence measurements for a matched environment.
If the search criteria are satisfied, the matching entry is added to the body of Attester state, except these Claims are asserted with the Reference Value Provider's authority.
By re-asserting Evidence matched with Reference Values using the RVP's authority, the Verifier avoids confusing Reference Values (reference / possible state) with Evidence (actual state).
See <xref target="I-D.ietf-rats-endorsements"/>.
Evidence Claims that are re-asserted using RVP authority are said to be "corroborated Evidence" because the actual state in Evidence was found within the corpus of the RVP's possible state.</t>
        </section>
        <section anchor="sec-comid-triple-endval">
          <name>Endorsed Values Triple</name>
          <t>Endorsed Values Triples provide additional Endorsements - i.e., claims reflecting actual state - for an existing Target Environment.
In an Endorsed Values Triple, the subject identifies a Target Environment, the object contains Endorsement Claims for the Environment, and the predicate asserts that these represent actual state associated with the subject.</t>
          <t>The Endorsed Values Triple has the following structure:</t>
          <figure anchor="triple-ev">
            <name>Endorsed Values Triple Definition</name>
            <sourcecode type="cddl"><![CDATA[
endorsed-triple-record = [
  condition: environment-map
  endorsement: [ + measurement-map ]
]
]]></sourcecode>
          </figure>
          <t>The <tt>endorsed-triple-record</tt> has the following parameters:</t>
          <ul spacing="normal">
            <li>
              <t><tt>condition</tt>: Search criterion that locates an Evidence, corroborated Evidence, or Endorsements environment.</t>
            </li>
            <li>
              <t><tt>endorsement</tt>: Additional Endorsement Claims.</t>
            </li>
          </ul>
          <t>To process a <tt>endorsed-triple-record</tt>, its <tt>condition</tt> is compared with existing Evidence, corroborated Evidence, and Endorsements.
If the search criterion is satisfied, the endorsement is added to the Attester's actual state under the Endorser's authority.</t>
        </section>
        <section anchor="sec-comid-triple-cond-endors">
          <name>Conditional Endorsement Triple</name>
          <t>Conditional Endorsement Triples declare one or more conditions that, once matched, results in augmenting the Attester's actual state with the Endorsement Claims.
The conditions are expressed via <tt>stateful-environment-record</tt>s, which match Target Environments from Evidence in certain reference state.</t>
          <t>The Conditional Endorsement Triple has the following structure:</t>
          <figure anchor="triple-ce">
            <name>Conditional Endorsement Triple Definition</name>
            <sourcecode type="cddl"><![CDATA[
conditional-endorsement-triple-record = [
  conditions: [ + stateful-environment-record ]
  endorsements: [ + endorsed-triple-record ]
]

stateful-environment-record = [
  environment: environment-map,
  claims-list: [ + measurement-map ]
]
]]></sourcecode>
          </figure>
          <t>The <tt>conditional-endorsement-triple-record</tt> has the following parameters:</t>
          <ul spacing="normal">
            <li>
              <t><tt>conditions</tt>: Search criteria that locates Evidence, corroborated Evidence, or Endorsements.</t>
            </li>
            <li>
              <t><tt>endorsements</tt>: Additional Endorsements.</t>
            </li>
          </ul>
          <t>To process a <tt>conditional-endorsement-triple-record</tt> the <tt>conditions</tt> are compared with existing Evidence, corroborated Evidence, and Endorsements.
If the search criteria are satisfied, the <tt>endorsements</tt> entries are asserted with the Endorser's authority as new Endorsements.</t>
        </section>
        <section anchor="sec-comid-triple-cond-series">
          <name>Conditional Endorsement Series Triple</name>
          <t>The Conditional Endorsement Series Triple is used when an Endorser wants to match Claims of the same type (for example <tt>version</tt>) but with differing values.  If the conditions are met, new Claims are added as Endorsements.
For example, if version 1.0 of a component has a Common Vulnerability and Exposure (CVE), but version 2.0 does not, a series condition might contain <tt>version</tt> = "1.0" and an addition <tt>cve</tt> = "CVE_PLACEHOLDER". Another series condition might contain <tt>version</tt> = "2.0" and an addition <tt>cve</tt> = "CVE_NONE".
As soon as the condition value is matched the remaining conditions can be ignored.</t>
          <t>The Conditional Endorsement Series Triple has two forms of conditions,  those that are common to all series list items and those that are specific to a particular item in the series.
The common conditions are separated out of the series list for convenience.</t>
          <t>The Conditional Endorsement Series Triple has the following structure:</t>
          <figure anchor="triple-ces">
            <name>Conditional Endorsement Series Triple Definition</name>
            <sourcecode type="cddl"><![CDATA[
conditional-endorsement-series-triple-record = [
  common-condition: [
    environment: environment-map
    claims-list: [ * measurement-map ]
    ? authorized-by: [ + $crypto-key-type-choice ]
  ]
  series: [ + conditional-series-record ]
]

conditional-series-record = [
  condition: [ + measurement-map]
  addition: [ + measurement-map ]
]
]]></sourcecode>
          </figure>
          <t>The <tt>conditional-endorsement-series-triple-record</tt> has the following parameters:</t>
          <ul spacing="normal">
            <li>
              <t><tt>common-condition</tt>: Matching conditions that are common to every item in the series.
Common conditions include <tt>environment-map</tt>, (optional) <tt>claims-list</tt>, and (optional) <tt>authorized-by</tt>.</t>
            </li>
            <li>
              <t><tt>series</tt>: A list of <tt>conditional-series-record</tt> items where each item's condition uses the same type of measurements, meaning same label(code point) inside measurement-values-map, but differ in value.</t>
            </li>
          </ul>
          <t>The <tt>conditional-series-record</tt> has the following elements:</t>
          <ul spacing="normal">
            <li>
              <t><tt>condition</tt>: Match conditions where the same type of measurements appear in each series item, but with different values. Each series item is paired with an <tt>addition</tt> series item.</t>
            </li>
            <li>
              <t><tt>addition</tt>: Claims to be added when its paired <tt>condition</tt> matches.
Addition Claims are added to the ACS record matching <tt>common-condition</tt>.<tt>environment</tt>.</t>
            </li>
          </ul>
          <section anchor="matching-considerations">
            <name>Matching Considerations</name>
            <t>For consistent results, every series item condition MUST use the same measurement types; differing only in terms of measurement values.
This requirement also extends to use of <tt>mkey</tt> in <tt>measurement-map</tt>.
Series entries are ordered such that the most precise match is evaluated first and least precise match is evaluated last.
The first series condition that matches terminates series matching and the endorsement values are added to the Attester's actual state.
These restrictions ensure that evaluation order does not change the meaning of the triple during the appraisal process.</t>
            <t>Note: <tt>authorized-by</tt> in <tt>common-condition</tt> takes precedence over the <tt>authorized-by</tt> in <tt>condition</tt>.</t>
          </section>
        </section>
        <section anchor="sec-comid-triple-identity">
          <name>Device Identity Triple</name>
          <t>Device Identity Triples endorse that the listed keys were securely provisioned to the named Target Environment.
A single Target Environment (as identified by <tt>environment</tt> and <tt>mkey</tt>) may contain one or more cryptographic keys.
The existence of these keys is asserted in Evidence, Reference Values, or Endorsements.</t>
          <t>The device identity keys may have been used to authenticate the Attester device or may be held in reserve for later use.</t>
          <t>Device Identity Triples instruct a Verifier to perform key validation checks, such as revocation, certification path construction and verification, or proof of possession.
If the key is certified (i.e., a certificate is issued for the key by a certification authority), the certification path is validated according to <xref section="6" sectionFormat="of" target="RFC5280"/>.
The Verifier SHOULD verify keys contained in Device Identity triples.</t>
          <t>Additional details about how a key was provisioned or is protected may be asserted using Endorsements such as <tt>endorsed-triple-record</tt>s.</t>
          <t>Depending on key formatting, as defined by <tt>$crypto-key-type-choice</tt>, the Verifier may take different steps to locate and verify the key.</t>
          <t>If a key has usage restrictions that limit its use to device identity challenges, the Verifier SHOULD enforce key use restrictions.</t>
          <t>Each successful verification of a key in <tt>key-list</tt> SHALL produce Endorsement Claims that are added to the Attester's Claim set.
Claims are asserted with the joint authority of the Endorser (CoRIM signer) and the Verifier.
The Verifier MAY report key verification results as part of an error reporting function.</t>
          <figure anchor="triple-di">
            <name>Device Identity Triple Definition</name>
            <sourcecode type="cddl"><![CDATA[
identity-triple-record = [
  environment: environment-map
  key-list: [ + $crypto-key-type-choice ]
  ? conditions: non-empty<{
    ? &(mkey: 0) => $measured-element-type-choice,
    ? &(authorized-by: 1) => [ + $crypto-key-type-choice ] 
  }>
]
]]></sourcecode>
          </figure>
          <ul spacing="normal">
            <li>
              <t><tt>environment</tt>: An <tt>environment-map</tt> condition used to identify the target Evidence or Reference Value.
See <xref target="sec-environments"/>.</t>
            </li>
            <li>
              <t><tt>key-list</tt>: A list of <tt>$crypto-key-type-choice</tt> keys that identifies which keys are to be verified.
See <xref target="sec-crypto-keys"/>.</t>
            </li>
            <li>
              <t><tt>mkey</tt>: An optional <tt>$measured-element-type-choice</tt> condition used to identify the element within the target Evidence or Reference Value.
See <xref target="sec-comid-mkey"/>.</t>
            </li>
            <li>
              <t><tt>authorized-by</tt>: An optional list of <tt>$crypto-key-type-choice</tt> keys that identifies the authorities that asserted the <tt>key-list</tt> in the target Evidence or Reference Values.</t>
            </li>
          </ul>
        </section>
        <section anchor="sec-comid-triple-attest-key">
          <name>Attest Key Triple</name>
          <t>Attest Key Triples endorse that the keys were securely provisioned to the named Attesting Environment.
An Attesting Environment (as identified by <tt>environment</tt> and <tt>mkey</tt>) may contain one or more cryptographic keys.
The existence of these keys is asserted in Evidence, Reference Values, or Endorsements.</t>
          <t>The attestation keys may have been used to sign Evidence or may be held in reserve for later use.</t>
          <t>Attest Key Triples instruct a Verifier to perform key validation checks, such as revocation, certification path construction and validation, or proof of possession.
If the key is certified, the certification path is validated according to <xref section="6" sectionFormat="of" target="RFC5280"/>.
The Verifier SHOULD verify keys contained in Attest Key triples.</t>
          <t>Additional details about how a key was provisioned or is protected may be asserted using Endorsements such as <tt>endorsed-triples</tt>.</t>
          <t>Depending on key formatting, as defined by <tt>$crypto-key-type-choice</tt>, the Verifier may take different steps to locate and verify the key.
If a key has usage restrictions that limits its use to Evidence signing, the Verifier SHOULD enforce key use restrictions.
For example, see Section 5.1.5.3 in <xref target="DICE.cert"/>).</t>
          <t>Each successful verification of a key in <tt>key-list</tt> SHALL produce Endorsement Claims that are added to the Attester's Claim set.
Claims are asserted with the joint authority of the Endorser (CoRIM signer) and the Verifier.
The Verifier MAY report key verification results as part of an error reporting function.</t>
          <figure anchor="triple-ak">
            <name>Attest Key Triple Definition</name>
            <sourcecode type="cddl"><![CDATA[
attest-key-triple-record = [
  environment: environment-map
  key-list: [ + $crypto-key-type-choice ]
  ? conditions: non-empty< {
    ? &(mkey: 0) => $measured-element-type-choice,
    ? &(authorized-by: 1) => [ + $crypto-key-type-choice ]
  }>
]
]]></sourcecode>
          </figure>
          <t>See <xref target="sec-comid-triple-identity"/> for additional details.</t>
        </section>
        <section anchor="sec-comid-domains">
          <name>Triples for domain definition</name>
          <t>A domain is a graphical description of a Composite Attester in terms of its constituent Environments and their compositional relationships.</t>
          <t>The following CDDL describes domain type.</t>
          <sourcecode type="cddl"><![CDATA[
domain-type = environment-map
]]></sourcecode>
          <t>Domain structure is defined in terms of directed acyclic graphs (DAG) describing membership and trust dependency using the following types of triples.</t>
          <section anchor="sec-comid-triple-domain-membership">
            <name>Domain Membership Triple</name>
            <t>A Domain Membership Triple (DMT) links a domain identifier to its member Environments.
The triple's subject is the domain identifier while the triple’s object lists all the member Environments within the domain.</t>
            <t>The Domain Membership Triple allows an Endorser (for example, an Integrator) to issue an authoritative statement about the composition of an Attester as a collection of Environments.
This allows a topological description of an Attester to be expressed by linking a parent Environment (e.g., a lead Attester) to its child Environments (e.g., one or more sub-Attesters).</t>
            <t>If the Verifier Appraisal policy requires Domain Membership, the Domain Membership Triple is used to match an Attester's reference composition with the actual composition represented in Evidence.</t>
            <t>Representing members of a DMT as domains enables the recursive construction of an entity's topology, such as a Composite Device (see <xref section="3.3" sectionFormat="of" target="RFC9334"/>), where multiple lower-level domains can be aggregated into a higher-level domain.
The domain topology MUST be acyclic.</t>
            <figure anchor="triple-dm">
              <name>Domain Membership Triple Definition</name>
              <sourcecode type="cddl"><![CDATA[
domain-membership-triple-record = [
  domain-id: domain-type
  members: [ +  domain-type ]
]
]]></sourcecode>
            </figure>
            <t>Domain membership triples are transformed into an internal representation (see <xref target="sec-trans-domain-mem"/>) then processed as described in <xref target="sec-proc-dm"/>.</t>
          </section>
          <section anchor="sec-comid-triple-trust-dependency">
            <name>Trust Dependency Triple</name>
            <t>A Trust Dependency Triple (TDT) links a domain to a set of <em>trustee</em> domains.
A trust dependency triple is used by an Endorser to assert that a trust dependency exists between various components.
A TDT specifies which component (identified by <tt>domain-id</tt>) depends on which other components (identified by <tt>trustees</tt>) for proper operation.
A series of TDTs can be used to describe the trust dependencies of a system of components as a graph.
CoRIM uses <tt>environment-map</tt> to identify components and groupings of components (i.e., domains).</t>
            <t>Trust dependency means that an environment can only be fully trusted if one or more trustee environments have been appraised and found to be trustworthy.
A candidate environment can only be trusted if the trustee environments it depends on exist, have been appraised and are found to be trustworthy.</t>
            <t>The first four phases of appraisal (see <xref target="sec-match-and-augment"/>) might not determine whether a component is trustworthy.
Subsequent Verifier stages or Relying Party processing might be needed to finalize trustworthiness.
Therefore, the trustworthiness of trustee domains MUST be appraised before the trustworthiness of the subject domain can be finalized.
Consequently, trust dependency semantics may need to be represented in Attestation Results if Relying Parties play a role in finalizing which components are trustworthy.</t>
            <t>There are a variety of use cases where trust dependency might exist.
For example, trust in an operating system (OS) might depend on trustworthy loading of the OS loader image.
Consequently, the OS loader is a trustee domain of the OS.
Alternatively, trust in a peripheral device might depend on trustworthy operation of a peripheral device's bus controller.
The bus controller is therefore a trustee domain of the peripheral device.</t>
            <t>TDTs cannot create domains.
Instead, TDT processing first checks that a <tt>domain-id</tt> has already been accepted into the ACS before adding trust dependencies.</t>
            <t>The trust dependency triple subject (<tt>domain-id</tt>) identifies the member domain (see <xref target="sec-comid-triple-domain-membership"/>) that has trustees.
The triple object <tt>trustees</tt> lists the domains that are trustees of the subject domain.
The triple predicate asserts that a trust appraisal of <tt>domain-id</tt> is not complete without appraisal of the <tt>trustees</tt>.</t>
            <figure anchor="triple-td">
              <name>Trust Dependency Triple Definition</name>
              <sourcecode type="cddl"><![CDATA[
trust-dependency-triple-record = [
  domain-id: domain-type
  trustees: [ + domain-type ]
]
]]></sourcecode>
            </figure>
            <t>All of the TDT subjects (<tt>domain-id</tt>) and objects (<tt>trustees</tt>) MUST also be domain members for the TDT expression to be processed.</t>
            <t>Trust dependency graphs are acyclic, meaning a <tt>domain-id</tt> MUST NOT appear in the <tt>trustees</tt> list or within a trustee's subtree.</t>
            <t>A terminus trustee can be thought of as a "root of trust" for a trust dependency graph.
Terminus trustees SHOULD have a corresponding Endorsement triple.
Verifiers MAY use TDTs with appraisal policies to assess the veracity of domain-to-trustee linkages.</t>
            <t>Trust dependency typically exists if any of the following are true:</t>
            <ul spacing="normal">
              <li>
                <t>A trustee performs any Attesting Environment functions relating to a Target Environment (TE), such as Claims collection, Claims signing, loading or initialization of the TE, provisioning TE secrets - including cryptographic keys or other security-relevant material.</t>
              </li>
              <li>
                <t>A trustee executes security-relevant code in response to an execution thread that originates from the <tt>domain-id</tt> environment.</t>
              </li>
              <li>
                <t>A trustee is a component embedded within another component identified by <tt>domain-id</tt>.</t>
              </li>
            </ul>
            <t>Trust dependency triples are transformed into an internal representation (see <xref target="sec-trans-trust-dep"/>) then processed as described in <xref target="sec-proc-td"/>.</t>
          </section>
        </section>
        <section anchor="sec-comid-triple-coswid">
          <name>CoMID-CoSWID Linking Triple</name>
          <t>A CoSWID triple relates reference measurements contained in one or more CoSWIDs
to a Target Environment. The subject identifies a Target Environment, the
object one or more unique tag identifiers of existing CoSWIDs, and the
predicate asserts that these contain the expected (i.e., reference)
measurements for the Target Environment.</t>
          <figure anchor="triple-ccl">
            <name>CoMID-CoSWID Linking Triple Definition</name>
            <sourcecode type="cddl"><![CDATA[
;# import rfc9393 as coswid

coswid-triple-record = [
  environment-map
  [ + coswid.tag-id ]
]
]]></sourcecode>
          </figure>
        </section>
      </section>
      <section anchor="sec-extensibility">
        <name>Extensibility</name>
        <t>The base CoRIM document definition is described using CDDL <xref target="RFC8610"/> that can be extended only at specific allowed points known as "extension points".</t>
        <t>The following types of extensions are supported in CoRIM.</t>
        <section anchor="map-extensions">
          <name>Map Extensions</name>
          <t>Map extensions provide extensibility support to CoRIM map structures.
CDDL map extensibility enables a CoRIM profile to extend the base CoRIM CDDL definition.
CDDL map extension points have the form <tt>($$NAME-extension)</tt> where "NAME" is the name of the map and '$$' signifies map extensibility.
Typically, map extension requires a convention for code point naming that avoids code-point reuse.
Well-known code points may be in a registry, such as CoSWID <xref target="IANA.coswid"/>.
Non-negative integers are reserved for IANA to assign meaning globally.</t>
        </section>
        <section anchor="data-type-extensions">
          <name>Data Type Extensions</name>
          <t>Data type extensibility has the form <tt>($NAME-type-choice)</tt> where "NAME" is the type name and '$' signifies type extensibility.</t>
          <t>New data type extensions SHOULD be documented to facilitate interoperability.
CoRIM profiles are best used to document vendor or industry defined extensions.</t>
        </section>
      </section>
    </section>
    <section anchor="sec-cotl">
      <name>CoTL</name>
      <t>A Concise Tag List (CoTL) object represents the signal for the
Verifier to activate the listed tags. Verifier policy determines whether CoTLs are required.</t>
      <t>When CoTLs are required, each tag MUST be activated by a CoTL before being processed.
All the tags listed in the CoTL MUST be activated atomically. If any tag activated by a CoTL is not available to the Verifier, the entire CoTL is rejected.</t>
      <t>The number of CoTLs required in a given supply chain ecosystem is dependent on
Verifier Owner's Appraisal Policy for Evidence. Corresponding policies are often driven by the complexity and nature of the use case.</t>
      <t>If a Verifier Owner has a policy that does not require CoTL, tags within a CoRIM received by a Verifier
are activated immediately and treated valid for appraisal.</t>
      <t>There may be cases when Verifier receives CoRIMs from multiple
Reference Value providers and Endorsers. In such cases, a supplier (or other authorities, such as integrators)
may be designated to issue a single CoTL to activate all the tags submitted to the Verifier
in these CoRIMs.</t>
      <t>In a more complex case, there may be multiple authorities that issue CoTLs at different points in time.
An Appraisal Policy for Evidence may dictate how multiple CoTLs are to be processed within the Verifier.</t>
      <section anchor="structure-1">
        <name>Structure</name>
        <t>The CDDL specification for the <tt>concise-tl-tag</tt> map and additional grammatical requirements specified in the text of this Section MUST be followed when creating or validating a CoTL tag are given below:</t>
        <sourcecode type="cddl"><![CDATA[
concise-tl-tag = {
  &(tag-identity: 0) => tag-identity-map
  &(tags-list: 1) => [ + tag-identity-map ],
  &(tl-validity: 2) => validity-map
}
]]></sourcecode>
        <t>The following describes each member of the <tt>concise-tl-tag</tt> map.</t>
        <ul spacing="normal">
          <li>
            <t><tt>tag-identity</tt> (index 0): A <tt>tag-identity-map</tt> containing unique
identification information for the CoTL.
Described in <xref target="sec-comid-tag-id"/>.</t>
          </li>
          <li>
            <t><tt>tags-list</tt> (index 1): One or more <tt>tag-identity-maps</tt> identifying
the CoMID and CoSWID tags that constitute the list, i.e.,
a complete set of verification-related information.  The <tt>tags-list</tt> behaves
like a signaling mechanism from the supply chain (e.g., a product vendor) to
a Verifier that activates the tags in <tt>tags-list</tt> for use in the Evidence
appraisal process, and the activation is atomic. All tags listed in <tt>tags-list</tt>
MUST be activated or no tags are activated.</t>
          </li>
          <li>
            <t><tt>tl-validity</tt> (index 2): Specifies the validity period of the CoTL.
Described in <xref target="sec-common-validity"/>.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-common-types">
      <name>Common Types</name>
      <t>The following CDDL types may be shared by CoRIM, CoMID, and CoTL.</t>
      <section anchor="sec-non-empty">
        <name>Non-Empty</name>
        <t>The <tt>non-empty</tt> generic type is used to express that a map with only optional
members MUST at least include one of the members.</t>
        <sourcecode type="cddl"><![CDATA[
non-empty<M> = (M) .and ({ + any => any })
]]></sourcecode>
      </section>
      <section anchor="sec-common-entity">
        <name>Entity</name>
        <t>The <tt>entity-map</tt> is a generic type describing an organization responsible for
the contents of a manifest. It is instantiated by supplying two parameters:</t>
        <ul spacing="normal">
          <li>
            <t>A <tt>role-type-choice</tt>, i.e., a selection of roles that entities of the
instantiated type can claim</t>
          </li>
          <li>
            <t>An <tt>extension-socket</tt>, i.e., a CDDL socket that can be used to extend
the attributes associated with entities of the instantiated type</t>
          </li>
        </ul>
        <sourcecode type="cddl"><![CDATA[
entity-map<role-type-choice, extension-socket> = {
  &(entity-name: 0) => $entity-name-type-choice
  ? &(reg-id: 1) => uri
  &(role: 2) => [ + role-type-choice ]
  * extension-socket
}

$entity-name-type-choice /= text
]]></sourcecode>
        <t>The following describes each member of the <tt>entity-map</tt>.</t>
        <ul spacing="normal">
          <li>
            <t><tt>entity-name</tt> (index 0): The name of entity which is responsible for the action(s) as defined by the role.
<tt>$entity-name-type-choice</tt> can only be text.
Other specifications can extend the <tt>$entity-name-type-choice</tt>.
See <xref target="sec-iana-comid"/>.</t>
          </li>
          <li>
            <t><tt>reg-id</tt> (index 1): A URI associated with the organization that owns the entity name.</t>
          </li>
          <li>
            <t><tt>role</tt> (index 2): A type choice defining the roles that the entity is claiming.
The role is supplied as a parameter at the time the <tt>entity-map</tt> generic is instantiated.</t>
          </li>
          <li>
            <t><tt>extension-socket</tt>: A CDDL socket used to add new information structures to the <tt>entity-map</tt>.</t>
          </li>
        </ul>
        <t>Examples of how the <tt>entity-map</tt> generic is instantiated can be found in
(<xref target="sec-corim-entity"/>) and (<xref target="sec-comid-entity"/>).</t>
      </section>
      <section anchor="sec-common-validity">
        <name>Validity</name>
        <t>A <tt>validity-map</tt> represents the time interval during which the signer
warrants that it will maintain information about the status of the signed
object (e.g., a manifest).</t>
        <t>In a <tt>validity-map</tt>, both ends of the interval are encoded as epoch-based
date/time as per <xref section="3.4.2" sectionFormat="of" target="STD94"/>.</t>
        <sourcecode type="cddl"><![CDATA[
validity-map = {
  ? &(not-before: 0) => time
  &(not-after: 1) => time
}
]]></sourcecode>
        <ul spacing="normal">
          <li>
            <t><tt>not-before</tt> (index 0): the date on which the signed manifest validity period
begins</t>
          </li>
          <li>
            <t><tt>not-after</tt> (index 1): the date on which the signed manifest validity period
ends</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-common-uuid">
        <name>UUID</name>
        <t>Used to tag a byte string as a binary UUID.
Defined in <xref section="4" sectionFormat="of" target="RFC9562"/>.</t>
        <sourcecode type="cddl"><![CDATA[
uuid-type = bytes .size 16
tagged-uuid-type = #6.37(uuid-type)
]]></sourcecode>
      </section>
      <section anchor="sec-common-ueid">
        <name>UEID</name>
        <t>Used to tag a byte string as Universal Entity ID Claim (UEID).
Defined in <xref section="4.2.1" sectionFormat="of" target="RFC9711"/>.</t>
        <sourcecode type="cddl"><![CDATA[
ueid-type = bytes .size (7..33)
tagged-ueid-type = #6.550(ueid-type)
]]></sourcecode>
      </section>
      <section anchor="sec-common-oid">
        <name>OID</name>
        <t>Used to tag a byte string as the BER encoding <xref target="X.690"/> of an absolute object
identifier <xref target="RFC9090"/>.</t>
        <sourcecode type="cddl"><![CDATA[
oid-type = bytes
tagged-oid-type = #6.111(oid-type)
]]></sourcecode>
      </section>
      <section anchor="sec-common-hash-entry">
        <name>Digest</name>
        <t>A digest represents the value of a hashing operation together with the hash algorithm used.
This specification reuses the <tt>digest</tt> type defined in <xref section="4.2" sectionFormat="of" target="I-D.ietf-rats-eat-measured-component"/>.
Only the CBOR serialization is used.</t>
        <sourcecode type="cddl"><![CDATA[
;# import measured-component as eatmc

digests-type = [ + eatmc.digest ]
]]></sourcecode>
        <t>A measurement can be obtained using different hash algorithms.
A <tt>digests-type</tt> can be used to collect multiple digest values obtained by applying different hash algorithms on the same input.
Each entry in the <tt>digests-type</tt> MUST have a unique <tt>alg</tt> value.</t>
      </section>
      <section anchor="sec-common-tagged-bytes">
        <name>Tagged Bytes Type</name>
        <t>An opaque, variable-length byte string.
It can be used in different contexts: as an instance, class or group identifier in an <tt>environment-map</tt>; as a raw value measurement in a <tt>measurement-values-map</tt>.
Its semantics are defined by the context in which it is found, and by the overarching CoRIM profile.
When used as an identifier the responsible allocator entity SHOULD ensure uniqueness within the context that it is used.</t>
        <sourcecode type="cddl"><![CDATA[
tagged-bytes = #6.560(bytes)
]]></sourcecode>
      </section>
    </section>
    <section anchor="sec-reference-verifier">
      <name>Reference Verifier</name>
      <t>This section outlines the behaviour of a "CoRIM processor" within the Evidence appraisal procedure carried out by the RATS Verifier (<xref section="7.4" sectionFormat="of" target="RFC9334"/>).</t>
      <t>In the remainder of this section, the terms
Environment,
Claim,
Environment-Claim Tuple (ECT),
Authority,
Appraisal Claims Set (ACS),
and
Appraisal Policy
are used with the meanings defined in <xref target="sec-glossary"/>.</t>
      <section anchor="sec-appraisal-phases">
        <name>Appraisal Logical Phases</name>
        <t>For clarity, the appraisal procedure is divided into several logical phases.</t>
        <t><strong>Phase 1</strong>: Input Validation and Transformation.</t>
        <t>During this phase, all available Conceptual Messages are processed for validation.
This involves checking digital signatures to verify their integrity and authenticity, ensuring they are not outdated and confirming their relevance to the current appraisal.
If validation fails, the input Conceptual Message is discarded.
If validation succeeds, the Conceptual Message is transformed from its external representation into an internal one.
These internal representations are then collected in an implementation-specific "staging area", which acts as a database for subsequent appraisal processing.</t>
        <t><strong>Phase 2</strong>: Evidence Augmentation.</t>
        <t>During this phase, Evidence Claims are added to a structure describing the Attester's actual state, known as the ACS.
These Claims are added to the ACS with Attester Authority.</t>
        <t><strong>Phase 3</strong>: Reference Values Corroboration and Augmentation.</t>
        <t>During this phase, Reference Value Claims are compared with Evidence Claims from the ACS.
Reference Value Claims describe the possible states of the Attester.
If the Attester's actual state, as described in the ACS, is one of these possible states, the Attester's actual state is said to be "corroborated".
These Claims are added to the ACS with the Authority of the Reference Value Provider.</t>
        <t><strong>Phase 4</strong>: Endorsed Values Augmentation.</t>
        <t>During this phase, Endorsed Values inputs containing conditions that describe the expected state of the Attester are processed.
If the conditions are met, additional Claims about the Attester are added to the ACS.
These Claims are added with the Endorser's Authority.</t>
        <t><strong>Subsequent Phases</strong>: Before producing an Attestation Result, a Verifier may undergo subsequent phases of the appraisal procedure.</t>
        <t>For example, the Verifier may perform consistency, integrity or additional validity checks.
These checks may result in additional Claims about the Attester being added to the ACS.
These Claims are added with the Verifier's Authority.
Typically, a Verifier applies Appraisal Policy for Evidence on the ACS that describes desirable or undesirable Attester states.
If these conditions are met, the policy may add further Claims about the Attester to the ACS.
These Claims are added with the Authority of the Verifier's Owner.
Finally, the outcome of appraisal and the set of Attester Claims of interest to a Relying Party are copied from the Attester state to an output staging area.
The Claims in the output staging area and other Verifier-related metadata are then transformed into an external representation suitable for consumption by a Relying Party.
This external representation is the Attestation Result message (see <xref section="8.4" sectionFormat="of" target="RFC9334"/>).</t>
        <t>Please note that a detailed description of subsequent phases is beyond the scope of this document.
They are mentioned here to provide an overview of the appraisal procedure.
The CoRIM processor described in <xref target="sec-corim-processor"/> describes the handoff interface between Phase 4 and the subsequent phases in terms of the computed ACS.</t>
      </section>
      <section anchor="sec-corim-processor">
        <name>The CoRIM Processor</name>
        <t>This document assumes that Verifier implementations will differ.
In order to describe normative Verifier behaviour, this section presents a reference Verifier and illustrates how the data is utilized within the appraisal phases detailed in <xref target="sec-appraisal-phases"/>.
If the Verifier operates on CoRIM documents, it is RECOMMENDED that it follows this algorithm.</t>
        <section anchor="high-level-view">
          <name>High-Level View</name>
          <t>The RATS Verifier takes Evidence, Reference Values, Endorsements and an Appraisal Policy for Evidence as inputs, and produces Attestation Results as output.
<xref target="fig-verifier-internal"/> illustrates how the CoRIM processor fits into the wider RATS Verifier architecture.</t>
          <figure anchor="fig-verifier-internal">
            <name>CoRIM Processing Flow</name>
            <artset>
              <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="896" width="560" viewBox="0 0 560 896" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,352 L 8,384" fill="none" stroke="black"/>
                  <path d="M 8,464 L 8,496" fill="none" stroke="black"/>
                  <path d="M 8,704 L 8,768" fill="none" stroke="black"/>
                  <path d="M 72,384 L 72,440" fill="none" stroke="black"/>
                  <path d="M 72,512 L 72,528" fill="none" stroke="black"/>
                  <path d="M 144,352 L 144,384" fill="none" stroke="black"/>
                  <path d="M 144,464 L 144,496" fill="none" stroke="black"/>
                  <path d="M 144,704 L 144,768" fill="none" stroke="black"/>
                  <path d="M 168,224 L 168,536" fill="none" stroke="black"/>
                  <path d="M 168,552 L 168,728" fill="none" stroke="black"/>
                  <path d="M 168,744 L 168,768" fill="none" stroke="black"/>
                  <path d="M 192,256 L 192,536" fill="none" stroke="black"/>
                  <path d="M 192,552 L 192,672" fill="none" stroke="black"/>
                  <path d="M 216,512 L 216,656" fill="none" stroke="black"/>
                  <path d="M 232,528 L 232,560" fill="none" stroke="black"/>
                  <path d="M 232,592 L 232,624" fill="none" stroke="black"/>
                  <path d="M 256,656 L 256,712" fill="none" stroke="black"/>
                  <path d="M 280,528 L 280,560" fill="none" stroke="black"/>
                  <path d="M 280,592 L 280,624" fill="none" stroke="black"/>
                  <path d="M 296,512 L 296,656" fill="none" stroke="black"/>
                  <path d="M 304,384 L 304,480" fill="none" stroke="black"/>
                  <path d="M 312,32 L 312,80" fill="none" stroke="black"/>
                  <path d="M 312,144 L 312,176" fill="none" stroke="black"/>
                  <path d="M 320,288 L 320,320" fill="none" stroke="black"/>
                  <path d="M 320,416 L 320,464" fill="none" stroke="black"/>
                  <path d="M 328,128 L 328,144" fill="none" stroke="black"/>
                  <path d="M 344,112 L 344,128" fill="none" stroke="black"/>
                  <path d="M 344,544 L 344,608" fill="none" stroke="black"/>
                  <path d="M 368,416 L 368,464" fill="none" stroke="black"/>
                  <path d="M 392,176 L 392,264" fill="none" stroke="black"/>
                  <path d="M 392,336 L 392,376" fill="none" stroke="black"/>
                  <path d="M 392,480 L 392,520" fill="none" stroke="black"/>
                  <path d="M 392,720 L 392,768" fill="none" stroke="black"/>
                  <path d="M 408,80 L 408,112" fill="none" stroke="black"/>
                  <path d="M 416,416 L 416,464" fill="none" stroke="black"/>
                  <path d="M 440,544 L 440,608" fill="none" stroke="black"/>
                  <path d="M 440,816 L 440,848" fill="none" stroke="black"/>
                  <path d="M 456,288 L 456,320" fill="none" stroke="black"/>
                  <path d="M 464,416 L 464,464" fill="none" stroke="black"/>
                  <path d="M 472,144 L 472,176" fill="none" stroke="black"/>
                  <path d="M 480,384 L 480,480" fill="none" stroke="black"/>
                  <path d="M 488,128 L 488,160" fill="none" stroke="black"/>
                  <path d="M 496,816 L 496,848" fill="none" stroke="black"/>
                  <path d="M 504,32 L 504,80" fill="none" stroke="black"/>
                  <path d="M 504,112 L 504,144" fill="none" stroke="black"/>
                  <path d="M 504,256 L 504,672" fill="none" stroke="black"/>
                  <path d="M 504,720 L 504,768" fill="none" stroke="black"/>
                  <path d="M 528,224 L 528,728" fill="none" stroke="black"/>
                  <path d="M 528,744 L 528,768" fill="none" stroke="black"/>
                  <path d="M 312,32 L 504,32" fill="none" stroke="black"/>
                  <path d="M 312,80 L 504,80" fill="none" stroke="black"/>
                  <path d="M 344,112 L 504,112" fill="none" stroke="black"/>
                  <path d="M 328,128 L 488,128" fill="none" stroke="black"/>
                  <path d="M 312,144 L 472,144" fill="none" stroke="black"/>
                  <path d="M 488,144 L 504,144" fill="none" stroke="black"/>
                  <path d="M 472,160 L 488,160" fill="none" stroke="black"/>
                  <path d="M 312,176 L 472,176" fill="none" stroke="black"/>
                  <path d="M 184,208 L 384,208" fill="none" stroke="black"/>
                  <path d="M 400,208 L 512,208" fill="none" stroke="black"/>
                  <path d="M 208,240 L 488,240" fill="none" stroke="black"/>
                  <path d="M 336,272 L 440,272" fill="none" stroke="black"/>
                  <path d="M 336,336 L 440,336" fill="none" stroke="black"/>
                  <path d="M 8,352 L 144,352" fill="none" stroke="black"/>
                  <path d="M 8,384 L 144,384" fill="none" stroke="black"/>
                  <path d="M 304,384 L 480,384" fill="none" stroke="black"/>
                  <path d="M 320,416 L 368,416" fill="none" stroke="black"/>
                  <path d="M 416,416 L 464,416" fill="none" stroke="black"/>
                  <path d="M 24,448 L 128,448" fill="none" stroke="black"/>
                  <path d="M 320,464 L 368,464" fill="none" stroke="black"/>
                  <path d="M 416,464 L 464,464" fill="none" stroke="black"/>
                  <path d="M 304,480 L 480,480" fill="none" stroke="black"/>
                  <path d="M 24,512 L 128,512" fill="none" stroke="black"/>
                  <path d="M 216,512 L 296,512" fill="none" stroke="black"/>
                  <path d="M 232,528 L 280,528" fill="none" stroke="black"/>
                  <path d="M 360,528 L 424,528" fill="none" stroke="black"/>
                  <path d="M 88,544 L 208,544" fill="none" stroke="black"/>
                  <path d="M 296,544 L 336,544" fill="none" stroke="black"/>
                  <path d="M 232,560 L 280,560" fill="none" stroke="black"/>
                  <path d="M 232,592 L 280,592" fill="none" stroke="black"/>
                  <path d="M 304,608 L 344,608" fill="none" stroke="black"/>
                  <path d="M 232,624 L 280,624" fill="none" stroke="black"/>
                  <path d="M 360,624 L 424,624" fill="none" stroke="black"/>
                  <path d="M 216,656 L 296,656" fill="none" stroke="black"/>
                  <path d="M 208,688 L 488,688" fill="none" stroke="black"/>
                  <path d="M 8,704 L 144,704" fill="none" stroke="black"/>
                  <path d="M 208,720 L 336,720" fill="none" stroke="black"/>
                  <path d="M 392,720 L 504,720" fill="none" stroke="black"/>
                  <path d="M 144,736 L 184,736" fill="none" stroke="black"/>
                  <path d="M 352,736 L 384,736" fill="none" stroke="black"/>
                  <path d="M 504,736 L 552,736" fill="none" stroke="black"/>
                  <path d="M 208,752 L 336,752" fill="none" stroke="black"/>
                  <path d="M 8,768 L 144,768" fill="none" stroke="black"/>
                  <path d="M 392,768 L 504,768" fill="none" stroke="black"/>
                  <path d="M 184,784 L 512,784" fill="none" stroke="black"/>
                  <path d="M 352,816 L 400,816" fill="none" stroke="black"/>
                  <path d="M 440,816 L 496,816" fill="none" stroke="black"/>
                  <path d="M 352,848 L 400,848" fill="none" stroke="black"/>
                  <path d="M 440,848 L 496,848" fill="none" stroke="black"/>
                  <path d="M 184,208 C 175.16936,208 168,215.16936 168,224" fill="none" stroke="black"/>
                  <path d="M 512,208 C 520.83064,208 528,215.16936 528,224" fill="none" stroke="black"/>
                  <path d="M 208,240 C 199.16936,240 192,247.16936 192,256" fill="none" stroke="black"/>
                  <path d="M 488,240 C 496.83064,240 504,247.16936 504,256" fill="none" stroke="black"/>
                  <path d="M 336,272 C 327.16936,272 320,279.16936 320,288" fill="none" stroke="black"/>
                  <path d="M 440,272 C 448.83064,272 456,279.16936 456,288" fill="none" stroke="black"/>
                  <path d="M 336,336 C 327.16936,336 320,328.83064 320,320" fill="none" stroke="black"/>
                  <path d="M 440,336 C 448.83064,336 456,328.83064 456,320" fill="none" stroke="black"/>
                  <path d="M 24,448 C 15.16936,448 8,455.16936 8,464" fill="none" stroke="black"/>
                  <path d="M 128,448 C 136.83064,448 144,455.16936 144,464" fill="none" stroke="black"/>
                  <path d="M 24,512 C 15.16936,512 8,504.83064 8,496" fill="none" stroke="black"/>
                  <path d="M 128,512 C 136.83064,512 144,504.83064 144,496" fill="none" stroke="black"/>
                  <path d="M 360,528 C 351.16936,528 344,535.16936 344,544" fill="none" stroke="black"/>
                  <path d="M 424,528 C 432.83064,528 440,535.16936 440,544" fill="none" stroke="black"/>
                  <path d="M 88,544 C 79.16936,544 72,536.83064 72,528" fill="none" stroke="black"/>
                  <path d="M 360,624 C 351.16936,624 344,616.83064 344,608" fill="none" stroke="black"/>
                  <path d="M 424,624 C 432.83064,624 440,616.83064 440,608" fill="none" stroke="black"/>
                  <path d="M 208,688 C 199.16936,688 192,680.83064 192,672" fill="none" stroke="black"/>
                  <path d="M 488,688 C 496.83064,688 504,680.83064 504,672" fill="none" stroke="black"/>
                  <path d="M 208,720 C 199.16936,720 192,727.16936 192,736" fill="none" stroke="black"/>
                  <path d="M 336,720 C 344.83064,720 352,727.16936 352,736" fill="none" stroke="black"/>
                  <path d="M 208,752 C 199.16936,752 192,744.83064 192,736" fill="none" stroke="black"/>
                  <path d="M 336,752 C 344.83064,752 352,744.83064 352,736" fill="none" stroke="black"/>
                  <path d="M 184,784 C 175.16936,784 168,776.83064 168,768" fill="none" stroke="black"/>
                  <path d="M 512,784 C 520.83064,784 528,776.83064 528,768" fill="none" stroke="black"/>
                  <path d="M 352,816 C 343.16936,816 336,823.16936 336,832" fill="none" stroke="black"/>
                  <path d="M 400,816 C 408.83064,816 416,823.16936 416,832" fill="none" stroke="black"/>
                  <path d="M 352,848 C 343.16936,848 336,840.83064 336,832" fill="none" stroke="black"/>
                  <path d="M 400,848 C 408.83064,848 416,840.83064 416,832" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="560,736 548,730.4 548,741.6" fill="black" transform="rotate(0,552,736)"/>
                  <polygon class="arrowhead" points="400,520 388,514.4 388,525.6" fill="black" transform="rotate(90,392,520)"/>
                  <polygon class="arrowhead" points="400,376 388,370.4 388,381.6" fill="black" transform="rotate(90,392,376)"/>
                  <polygon class="arrowhead" points="400,264 388,258.4 388,269.6" fill="black" transform="rotate(90,392,264)"/>
                  <polygon class="arrowhead" points="392,736 380,730.4 380,741.6" fill="black" transform="rotate(0,384,736)"/>
                  <polygon class="arrowhead" points="344,544 332,538.4 332,549.6" fill="black" transform="rotate(0,336,544)"/>
                  <polygon class="arrowhead" points="312,608 300,602.4 300,613.6" fill="black" transform="rotate(180,304,608)"/>
                  <polygon class="arrowhead" points="264,712 252,706.4 252,717.6" fill="black" transform="rotate(90,256,712)"/>
                  <polygon class="arrowhead" points="216,544 204,538.4 204,549.6" fill="black" transform="rotate(0,208,544)"/>
                  <polygon class="arrowhead" points="192,736 180,730.4 180,741.6" fill="black" transform="rotate(0,184,736)"/>
                  <polygon class="arrowhead" points="80,440 68,434.4 68,445.6" fill="black" transform="rotate(90,72,440)"/>
                  <g class="text">
                    <text x="384" y="52">Reference</text>
                    <text x="452" y="52">Values</text>
                    <text x="360" y="68">and</text>
                    <text x="428" y="68">Endorsements</text>
                    <text x="360" y="164">CoRIM</text>
                    <text x="416" y="164">file(s)</text>
                    <text x="196" y="228">RATS</text>
                    <text x="252" y="228">Verifier</text>
                    <text x="224" y="260">CoRIM</text>
                    <text x="288" y="260">Processor</text>
                    <text x="372" y="292">Validation</text>
                    <text x="424" y="292">&amp;</text>
                    <text x="364" y="308">Internal</text>
                    <text x="424" y="308">Repr.</text>
                    <text x="388" y="324">Transformation</text>
                    <text x="76" y="372">Evidence</text>
                    <text x="368" y="404">Staging</text>
                    <text x="420" y="404">Area</text>
                    <text x="344" y="436">Int</text>
                    <text x="440" y="436">Int</text>
                    <text x="344" y="452">Rep</text>
                    <text x="392" y="452">...</text>
                    <text x="440" y="452">Rep</text>
                    <text x="60" y="468">Validation</text>
                    <text x="112" y="468">&amp;</text>
                    <text x="52" y="484">Internal</text>
                    <text x="112" y="484">Repr.</text>
                    <text x="76" y="500">Transformation</text>
                    <text x="256" y="548">ECT</text>
                    <text x="376" y="564">ACS</text>
                    <text x="256" y="580">...</text>
                    <text x="384" y="580">Match</text>
                    <text x="416" y="580">&amp;</text>
                    <text x="392" y="596">Augment</text>
                    <text x="256" y="612">ECT</text>
                    <text x="256" y="644">ACS</text>
                    <text x="72" y="724">Appraisal</text>
                    <text x="60" y="740">Policy</text>
                    <text x="104" y="740">for</text>
                    <text x="244" y="740">Subsequent</text>
                    <text x="316" y="740">Phases</text>
                    <text x="448" y="740">Attestation</text>
                    <text x="68" y="756">Evidence</text>
                    <text x="432" y="756">Results</text>
                    <text x="40" y="820">Legend:</text>
                    <text x="40" y="836">ACS</text>
                    <text x="64" y="836">=</text>
                    <text x="112" y="836">Appraisal</text>
                    <text x="180" y="836">Claims</text>
                    <text x="224" y="836">Set</text>
                    <text x="376" y="836">Process</text>
                    <text x="468" y="836">Data</text>
                    <text x="40" y="852">ECT</text>
                    <text x="64" y="852">=</text>
                    <text x="148" y="852">Environment-Claims</text>
                    <text x="248" y="852">Tuple</text>
                    <text x="40" y="868">Int</text>
                    <text x="72" y="868">Rep</text>
                    <text x="96" y="868">=</text>
                    <text x="140" y="868">Internal</text>
                    <text x="236" y="868">Representation</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art" align="center"><![CDATA[
                                       .-----------------------.
                                       |    Reference Values   |
                                       |    and Endorsements   |
                                       '-----------+-----------'
                                                   |
                                           .-------+-----------.
                                         .-+-----------------. |
                                       .-+-----------------. +-'
                                       |   CoRIM file(s)   +-'
                                       '---------+---------'
                                                 |
                      .--------------------------|---------------.
                     | RATS Verifier             |                |
                     |   .-----------------------+------------.   |
                     |  | CoRIM Processor        v             |  |
                     |  |                .--------------.      |  |
                     |  |               | Validation &   |     |  |
                     |  |               | Internal Repr. |     |  |
                     |  |               | Transformation |     |  |
                     |  |                '-------+------'      |  |
 .----------------.  |  |                        |             |  |
 |    Evidence    |  |  |                        v             |  |
 '-------+--------'  |  |             .---------------------.  |  |
         |           |  |             |    Staging Area     |  |  |
         |           |  |             | .-----.     .-----. |  |  |
         v           |  |             | | Int |     | Int | |  |  |
  .--------------.   |  |             | | Rep | ... | Rep | |  |  |
 | Validation &   |  |  |             | '-----'     '-----' |  |  |
 | Internal Repr. |  |  |             '----------+----------'  |  |
 | Transformation |  |  |                        |             |  |
  '------+-------'   |  |  .---------.           v             |  |
         |           |  |  | .-----. |      .---------.        |  |
          '--------------->| | ECT | +---->|           |       |  |
                     |  |  | '-----' |     |  ACS      |       |  |
                     |  |  |   ...   |     |  Match &  |       |  |
                     |  |  | .-----. |     |  Augment  |       |  |
                     |  |  | | ECT | |<----+           |       |  |
                     |  |  | '-----' |      '---------'        |  |
                     |  |  |   ACS   |                         |  |
                     |  |  '----+----'                         |  |
                     |  |       |                              |  |
                     |   '------+-----------------------------'   |
 .----------------.  |          v                                 |
 |   Appraisal    |  |   .-----------------.     .-------------.  |
 |   Policy for   +---->| Subsequent Phases +--->| Attestation +----->
 |   Evidence     |  |   '-----------------'     | Results     |  |
 '----------------'  |                           '-------------'  |
                      '------------------------------------------'

  Legend:                                  .-------.   .------.
    ACS = Appraisal Claims Set            | Process |  | Data |
    ECT = Environment-Claims Tuple         '-------'   '------'
    Int Rep = Internal Representation
]]></artwork>
            </artset>
          </figure>
          <t>The CoRIM processor accepts Reference Values and Endorsements in the form of CoRIM documents, as well as Evidence that has been converted into a CoRIM-compatible format using transforms such as those described in <xref target="I-D.ietf-rats-evidence-trans"/>.
Before the appraisal can begin, all Conceptual Messages must be broken down and reshaped into a common internal representation.
The internal representations of Reference Values and Endorsements are stored in a staging area prior to appraisal initiation.
Instead, the internal representation of Evidence is used to initialize the ACS.
A Verifier can have multiple simultaneous sessions with different Attesters.
Each Attester has a different ACS.
The Verifier ensures that Evidence inputs are associated with the correct ACS.
All the internal representations are based on the Environment-Claim Tuple (ECT).
The ECT is the core data structure used to represent both Claims and matching conditions during appraisal by the CoRIM processor.
The CoRIM processor algorithm loads items from the staging area one by one and applies the required condition-matching rules against the ECTs in the ACS.
If the match is successful, the ACS is "augmented" with Claims from the matched item.
Once all the items in the staging area have been processed, the state of the Attester, as understood by the CoRIM processor, is reflected in the ACS.
The computed ACS can then be handed over to subsequent appraisal phases, such as Appraisal Policy evaluation and Attestation Results computation, repackaging and signing.</t>
        </section>
        <section anchor="data-structures">
          <name>Data Structures</name>
          <t>This section describes the data structures used by the CoRIM processor.</t>
          <section anchor="sec-ect">
            <name>ECT</name>
            <t>The Environment-Claim Tuple is a core internal construct of the CoRIM Verifier.
It is used to describe a feature (or "Claim") of the appraised environment alongside relevant metadata.
All ECTs, except those containing Evidence Claims, are typically obtained from CoMID triples.</t>
            <t>Claims in ECTs have a both name and a value.
The value represents the state associated with the Claim.
This specification does not assign any special meaning to Claim names; it only specifies the rules for determining whether two Claim names are the same.</t>
            <t>An ECT (<xref target="fig-ect"/>) can be one of the following specializations:</t>
            <ul spacing="normal">
              <li>
                <t><tt>E-ECT</tt> (Element ECT): used to represent Evidence, Reference Value and Endorsement Claims, as detailed in <xref target="sec-element-ect"/>;</t>
              </li>
              <li>
                <t><tt>M-ECT</tt> (Domain Membership ECT): used to represent domain membership Claims, as detailed in <xref target="sec-domain-ect"/>;</t>
              </li>
              <li>
                <t><tt>T-ECT</tt> (Trust Dependency ECT): used to represent trust dependency Claims, as detailed in <xref target="sec-domain-ect"/>;</t>
              </li>
              <li>
                <t><tt>K-ECT</tt> (Key ECT): used to represent Identity and Attestation keys, as detailed in <xref target="sec-key-ect"/>.</t>
              </li>
            </ul>
            <figure anchor="fig-ect">
              <name>ECT definition</name>
              <sourcecode type="cddl"><![CDATA[
ECT = E-ECT /
      M-ECT /
      T-ECT /
      K-ECT
]]></sourcecode>
            </figure>
            <t>While the internal representation of each specialization varies, all ECT specializations share the attributes captured in the <tt>ECT-common</tt> group (<xref target="fig-ect-common"/>).</t>
            <figure anchor="fig-ect-common">
              <name>ECT common attributes</name>
              <sourcecode type="cddl"><![CDATA[
ECT-common = (
  ? environment: environment-map
  ? authority: [ + $crypto-key-type-choice ]
  ? profile: $profile-type-choice
)
]]></sourcecode>
            </figure>
            <ul spacing="normal">
              <li>
                <t><tt>environment</tt>: Identifies the Environment that is the subject of the stated Claims.
In an Element ECT, it is the target environment to which the elements belong.
In a Domain ECT, it is the parent environment to which the child domains are related.
In a Key ECT, it is the environment to which the keys belong.
In all cases, Environments are identified using instance, class, or group identifiers.</t>
              </li>
              <li>
                <t><tt>authority</tt>: Identifies the entity that issued the tuple.
The authority of a given ECT is typically established through a digital signature on the Claim.
For instance, a signature of the authoritative supply chain entity over the CoRIM containing the triple from which the ECT was obtained, or the Attesting Environment that signed the Evidence from which the ECT is derived.
It is represented as the key material by which the authority (and corresponding provenance) of the tuple can be determined.
A typical example is the authority's PKIX certificate.
This is a mandatory attribute in an ECT.</t>
              </li>
              <li>
                <t><tt>profile</tt>: The profile that defines the domain of interpretation of this tuple.
This is the <tt>profile</tt> attribute of the CoRIM that contained the original triple from which this ECT was obtained.
This is an optional attribute in an ECT.
If no profile is used, the attribute is omitted, and the only comparison rules that apply are those specified in <xref target="sec-comparison-rules"/>.</t>
              </li>
            </ul>
            <section anchor="sec-element-ect">
              <name>Element ECT</name>
              <t>An Element ECT (<tt>E-ECT</tt>) is used to represent Evidence, Reference Value and Endorsement Claims.</t>
              <figure anchor="fig-e-ect">
                <name>Element ECT</name>
                <sourcecode type="cddl"><![CDATA[
E-ECT = {
  ECT-common
  ? element-list: [ + element-map ]
  ? cmtype: cm-type
}

element-map = {
  ? element-id: $measured-element-type-choice
  element-claims: measurement-values-map
}

cm-type = &(
  reference-values: 0
  endorsements: 1
  evidence: 2
)
]]></sourcecode>
              </figure>
              <t>The following describes the specialized members of the <tt>E-ECT</tt>.</t>
              <ul spacing="normal">
                <li>
                  <t><tt>element-list</tt>: Identifies the set of elements contained within a Target Environment and their trustworthiness Claims, each described by an <tt>element-map</tt>.
An <tt>element-map</tt> is very similar to a <tt>measurement-map</tt>, with the <tt>element-id</tt> and <tt>element-claims</tt> corresponding to the <tt>mkey</tt> and <tt>mval</tt>, respectively.
The pseudocode in <xref target="algo-mm-to-em"/> describes the transformation from <tt>measurement-map</tt>(s) to <tt>element-map</tt>(s).</t>
                </li>
                <li>
                  <t><tt>cmtype</tt>: Identifies the type of Conceptual Message that originated the tuple (Reference Values, Endorsements or Evidence).</t>
                </li>
              </ul>
              <figure anchor="algo-mm-to-em">
                <name>Transform Measurement Map(s) into Element Map(s)</name>
                <sourcecode type="pseudocode"><![CDATA[
FUNC mm_to_em(mm: measurement-map) -> element-map {
    em := element-map::NEW()

    IF mm.mkey:
        em.element-id = mm.mkey

    em.element-claims = mm.mval

    RETURN em
}

FUNC mms_to_ems(mms: [ + measurement-map ]) -> [ + element-map ] {
    ems := [ + element-map ]::NEW()

    FOREACH mm IN mms:
        em := mm_to_em(mm)
        ems::APPEND(em)

    RETURN ems
}
]]></sourcecode>
              </figure>
              <t><strong>Claim Names.</strong>
The combination of <tt>environment</tt>, optional <tt>element-id</tt>, and map key within each <tt>element-claims</tt> encodes the name of an Element Claim.
The value of the corresponding map element represents an atom of actual state.
This specification does not assign special meanings to any Claim name, it only specifies rules for determining whether two Claim names are the same.</t>
              <t><strong>Merge Rules.</strong></t>
              <t>If two Element ECTs have the same <tt>environment</tt>, <tt>cmtype</tt>, <tt>authority</tt> and <tt>profile</tt> then their <tt>element-list</tt>s are merged.
Any duplicates MUST be pruned.</t>
              <t>Two <tt>element-map</tt>s containing duplicate codepoints and with non-equivalent measurement values MUST NOT be merged.
These are effectively two different acceptable states that need to be processed separately.</t>
            </section>
            <section anchor="sec-domain-ect">
              <name>Domain Membership ECT</name>
              <t>A Domain Membership ECT (<tt>M-ECT</tt>) is used to represent domain membership Claims between environments.
It describes the direct relationship between a specific node in the membership (i.e., the parent <tt>environment</tt>) and the <tt>member</tt> nodes that comprises the domain.</t>
              <figure anchor="fig-d-ect">
                <name>Domain Membership ECT</name>
                <sourcecode type="cddl"><![CDATA[
M-ECT = {
  ECT-common
  members: [ + environment-map ]
}
]]></sourcecode>
              </figure>
              <t>The following describes the specialized members of the <tt>M-ECT</tt>.</t>
              <ul spacing="normal">
                <li>
                  <t><tt>members</tt>: Identifies the set of members of the domain rooted in the parent <tt>environment</tt>.</t>
                </li>
              </ul>
              <t>A Domain Claim specifies the type of relationship that the parent domain is expected to have with its child environments.
In a Domain ECT, the <tt>environment</tt> attribute encodes the name of the Claim.
The value of the Claim is encoded in the <tt>members</tt> attributes.</t>
              <t><strong>Merge Rules.</strong></t>
              <t>If two Domain ECTs have the same <tt>environment</tt>, <tt>authority</tt> and <tt>profile</tt> then their <tt>members</tt> are merged.
Any duplicates MUST be pruned.</t>
            </section>
            <section anchor="sec-trust-ect">
              <name>Trust Dependency ECT</name>
              <t>A Trust Depedency ECT (<tt>T-ECT</tt>) is used to represent trust dependency Claims between environments.
It describes the direct relationship between a specific node in the trust domain (i.e., the parent <tt>environment</tt>) and the <tt>trustees</tt> nodes that comprises the trust chain.</t>
              <figure anchor="fig-t-ect">
                <name>Trust Dependency ECT</name>
                <sourcecode type="cddl"><![CDATA[
T-ECT = {
  ECT-common
  trustees: [ + environment-map ]
}
]]></sourcecode>
              </figure>
              <t>The following describes the specialized members of the <tt>T-ECT</tt>.</t>
              <ul spacing="normal">
                <li>
                  <t><tt>trustees</tt>: Identifies the set of environments that becomes a part of a trust chainto the parent <tt>environment</tt>.</t>
                </li>
              </ul>
              <t>A Trust Claim specifies the type of relationship that the parent domain is expected to have with its trustee environments.
In a Trust ECT, the <tt>environment</tt> attribute encodes the name of the Claim.
The value of the Claim is encoded in the <tt>trustees</tt> attributes.</t>
              <t><strong>Merge Rules.</strong></t>
              <t>If two Trust ECTs have the same <tt>environment</tt>, <tt>authority</tt> and <tt>profile</tt> then their <tt>trustees</tt> are merged.
Any duplicates MUST be pruned.</t>
            </section>
            <section anchor="sec-key-ect">
              <name>Key ECT</name>
              <t>A Key ECT (<tt>K-ECT</tt>) is used to represent Identity and Attestation keys.</t>
              <figure anchor="fig-k-ect">
                <name>Key ECT</name>
                <sourcecode type="cddl"><![CDATA[
K-ECT = {
  ECT-common
  ? key-id: $measured-element-type-choice
  ? key-list: [ + $crypto-key-type-choice ]
  ? key-type: key-type
}

key-type = &(
  attest-key: 0
  identity-key: 1
)
]]></sourcecode>
              </figure>
              <t>The following describes the specialized members of the <tt>K-ECT</tt>.</t>
              <ul spacing="normal">
                <li>
                  <t><tt>key-id</tt>: Identifies a specific namespace within <tt>environment</tt> that the keys in <tt>key-list</tt> are associated with.</t>
                </li>
                <li>
                  <t><tt>key-list</tt>: Identifies the set of keys associated with <tt>environment</tt> and (optionally) <tt>key-id</tt>.</t>
                </li>
                <li>
                  <t><tt>key-type</tt>: Either <tt>attest-key</tt> or <tt>identity-key</tt>, depending on the triple that originated this <tt>K-ECT</tt> instance.</t>
                </li>
              </ul>
              <t><strong>Claim Names.</strong></t>
              <t>A Key Claim specifies one or more keys associated with the <tt>environment</tt>, as well as the semantics of these keys.</t>
              <t>In a Key ECT, the <tt>environment</tt>, <tt>key-type</tt> and optional <tt>key-id</tt> attributes encodes the name of the Claim.
The value of the Claim is encoded in the <tt>key-list</tt> attribute.</t>
              <t><strong>Merge Rules.</strong></t>
              <t>No merge rules are specified for a Key ECT.</t>
            </section>
          </section>
          <section anchor="sec-ir">
            <name>Internal Representation</name>
            <t>This section describes how the relevant RATS Conceptual Messages are represented within the CoRIM processor.
This internal representation is based on the concept of "relations", which in turn are based on ECTs.
Typically, a relation is structured as a "condition" ECT that specifies the matching criteria used to compare entries in the ACS, along with an "addition" ECT that is appended to the ACS if the specified condition are met.
While this is the common structure, some relations may differ slightly from the condition/addition pattern.
This is because they either do not require a condition (e.g., Evidence) or they require more sophisticated matching criteria that cannot be expressed solely via a condition (e.g., Conditional Endorsement Series).
<cref>
[TODO]
Merge §2.1 and §2.2. to explain the high-level principles before delving into the details.
</cref></t>
            <section anchor="sec-ir-evidence">
              <name>Evidence</name>
              <t>The internal representation of Evidence uses the <tt>ae</tt> relation.</t>
              <figure anchor="fig-ae">
                <name>Attestation Evidence Relation</name>
                <sourcecode type="cddl"><![CDATA[
ae = [ + ae-item ]

ae-item = {
  addition: Evidence-addition-ECT
}
]]></sourcecode>
              </figure>
              <t>The <tt>addition</tt> is a list of ECTs with Evidence Claims (<tt>ae-item</tt>s) to be appraised.
Note that there is no <tt>condition</tt> in the <tt>ae</tt> relation, meaning that the addition of Evidence Claims is unconditional once Evidence has been verified.</t>
              <t><xref target="fig-ae-ect"/> shows the profiled ECT for an <tt>ae</tt> item.</t>
              <figure anchor="fig-ae-ect">
                <name>Profiled ECT for Evidence</name>
                <sourcecode type="cddl"><![CDATA[
Evidence-addition-ECT = ({
  environment: environment-map
  element-list: [ + element-map ]
  authority: [ + $crypto-key-type-choice ]
  cmtype: 2
  ? profile: $profile-type-choice
}) .within E-ECT
]]></sourcecode>
              </figure>
              <t>All <tt>E-ECT</tt> attributes are mandatory, except <tt>profile</tt>.</t>
            </section>
            <section anchor="sec-ir-refval">
              <name>Reference Values</name>
              <t>The internal representation of Reference Values uses the <tt>rv</tt> relation where each <tt>rv-item</tt> corresponds to a <tt>reference-triple-record</tt>.</t>
              <figure anchor="fig-rv">
                <name>Reference Values Relation</name>
                <sourcecode type="cddl"><![CDATA[
rv = [ + rv-item ]

rv-item = {
  condition: Reference-Value-condition-ECT
  addition: Reference-Value-addition-ECT
}
]]></sourcecode>
              </figure>
              <t>The <tt>rv</tt> relation is a list of condition-addition pairs, each of which is evaluated together.
If the <tt>condition</tt> containing the "reference" ECTs matches the Evidence ECTs, the Evidence ECTs are re-asserted with the RVP authority carried in the <tt>addition</tt> ECT and the <tt>cmtype</tt> set to <tt>reference-values</tt>.
The re-asserted ECTs are added to the ACS.
Refer to <xref target="sec-proc-rv"/> for how the <tt>rv</tt> entries are processed.</t>
              <t><xref target="fig-rv-ect-cond"/> shows the profiled Element ECT for a Reference Values condition.</t>
              <figure anchor="fig-rv-ect-cond">
                <name>Profiled ECT for Reference Values (condition)</name>
                <sourcecode type="cddl"><![CDATA[
Reference-Value-condition-ECT = ({
  environment: environment-map
  element-list: [ + element-map ]
  ? authority: [ + $crypto-key-type-choice ]
}) .within E-ECT
]]></sourcecode>
              </figure>
              <t><xref target="fig-rv-ect-add"/> shows the profiled Element ECT for a Reference Values addition.</t>
              <figure anchor="fig-rv-ect-add">
                <name>Profiled ECT for Reference Values (addition)</name>
                <sourcecode type="cddl"><![CDATA[
Reference-Value-addition-ECT = ({
  environment: environment-map
  ? element-list: [ + element-map ]
  authority: [ + $crypto-key-type-choice ]
  cmtype: 0
  ? profile: $profile-type-choice
}) .within E-ECT
]]></sourcecode>
              </figure>
              <t>As this is used to corroborate an Evidence ECT, its layout is identical to that of an <tt>Evidence-addition-ECT</tt>.
The only differences are the values of the <tt>element-list</tt>, <tt>authority</tt> and <tt>cmtype</tt> attributes.
Here, the <tt>authority</tt> value is that of the RVP rather than the Attester, and the <tt>cmtype</tt> value is <tt>reference-values</tt> rather than <tt>evidence</tt>.
Furthermore, the <tt>element-list</tt> is created if a match is found during processing, rather than when the triple is transformed into the internal representation.
Therefore, it may be absent.</t>
            </section>
            <section anchor="sec-ir-endval">
              <name>Endorsed Values</name>
              <t>The internal representation of Endorsed Values uses the <tt>ev</tt> and <tt>evs</tt> relations.
These are lists of ECTs that describe matching conditions and the additions that apply when these conditions are met.</t>
              <t>The <tt>ev</tt> relation (<xref target="fig-ev"/>) applies to Endorsed Values (EV) and Conditional Endorsement (CE) triples.</t>
              <figure anchor="fig-ev">
                <name>Endorsed Values Relation</name>
                <sourcecode type="cddl"><![CDATA[
ev = [ + ev-item ]

ev-item = {
  condition: [ + Endorsement-condition-ECT ]
  addition: [ + Endorsement-addition-ECT ]
}
]]></sourcecode>
              </figure>
              <t>The <tt>ev</tt> relation compares the condition ECTs with those in the ACS.
If all the ECTs are found in the ACS, the addition ECTs are added to it.
Note that when the <tt>ev</tt> relation is for an EV triple, the optional <tt>element-list</tt> inside the condition is not used; however, it is used for CE triples.</t>
              <t>The <tt>evs</tt> relation (<xref target="fig-evs"/>) applies to Conditional Endorsement Series (CES) Triples.</t>
              <figure anchor="fig-evs">
                <name>Endorsed Values Series Relation</name>
                <sourcecode type="cddl"><![CDATA[
evs = [ + evs-item ]

evs-item = {
  series: [ + series-item ]
}

series-item = [
  condition: [ + Endorsement-condition-ECT ]
  addition: [ + Endorsement-addition-ECT ]
]
]]></sourcecode>
              </figure>
              <t>The <tt>evs</tt> relation compares the condition ECTs with the ACS.
<cref>
[TBC]
There is only one ECT in the condition.
The description doesn't seem to match the data format.
</cref>
If all the ECTs are found in the ACS, each entry in the series list is evaluated.
The selection ECTs are then compared with the ACS.
If the selection criteria are met, the addition ECTs are added to the ACS and the series evaluation ends.
If the selection criteria are not satisfied, evaluation proceeds to the next series list entry.</t>
              <t><xref target="fig-ev-cond"/> shows the profiled Element ECT an Endorsed Value condition.</t>
              <figure anchor="fig-ev-cond">
                <name>Profiled ECT for Endorsed Values and Endorsed Values Series tuples (condition)</name>
                <sourcecode type="cddl"><![CDATA[
Endorsement-condition-ECT = ({
  environment: environment-map
  ? element-list: [ + element-map ]
  ? authority: [ + $crypto-key-type-choice ]
}) .within E-ECT
]]></sourcecode>
              </figure>
              <t><xref target="fig-ev-sel"/> shows the profiled Element ECT an Endorsed Value selection.</t>
              <figure anchor="fig-ev-sel">
                <name>Profiled ECT for Endorsed Values and Endorsed Values Series tuples (selection)</name>
                <sourcecode type="cddl"><![CDATA[
Endorsement-selection-ECT = ({
  environment: environment-map
  element-list: [ + element-map ]
  ? authority: [ + $crypto-key-type-choice ]
}) .within E-ECT
]]></sourcecode>
              </figure>
              <t><xref target="fig-ev-add"/> shows the profiled Element ECT an Endorsed Value addition.</t>
              <figure anchor="fig-ev-add">
                <name>Profiled ECT for Endorsed Values and Endorsed Values Series tuples (addition)</name>
                <sourcecode type="cddl"><![CDATA[
Endorsement-addition-ECT = ({
  environment: environment-map
  element-list: [ + element-map ]
  authority: [ + $crypto-key-type-choice ]
  cmtype: 1
  ? profile: $profile-type-choice
}) .within E-ECT
]]></sourcecode>
              </figure>
            </section>
            <section anchor="sec-ir-keys">
              <name>Keys</name>
              <t>The internal representation of Attest Key and Device Identity triples uses the <tt>keys</tt> relation (<xref target="fig-k"/>), whereby each <tt>key-item</tt> corresponds to either an <tt>attest-key-triple-record</tt> or an <tt>identity-triple-record</tt>.</t>
              <figure anchor="fig-k">
                <name>Keys Relation</name>
                <sourcecode type="cddl"><![CDATA[
keys = [ + key-item ]

key-item = {
  condition: Key-condition-ECT
  addition: Key-addition-ECT
}
]]></sourcecode>
              </figure>
              <t><cref>
[TODO]
Specialise condition/addition ECTs.
Define constraints.
</cref></t>
            </section>
            <section anchor="sec-ir-domain-mem">
              <name>Domain Memberships</name>
              <t>The internal representation of Domain Membership uses the <tt>dm</tt> relation (<xref target="fig-dm"/>), whereby each <tt>domain-item</tt> corresponds to a <tt>domain-membership-triple-record</tt>.</t>
              <figure anchor="fig-dm">
                <name>Domain Membership Relation</name>
                <sourcecode type="cddl"><![CDATA[
dm = [ + domain-item ]
]]></sourcecode>
              </figure>
              <figure anchor="fig-dm-item">
                <name>Domain Item</name>
                <sourcecode type="cddl"><![CDATA[
domain-item = {
  condition: Domain-condition-ECT
  addition: Domain-addition-ECT
}
]]></sourcecode>
              </figure>
              <t><xref target="fig-domain-ect-cond"/> shows the profiled Domain ECT for Domain Membership conditions.</t>
              <figure anchor="fig-domain-ect-cond">
                <name>Profiled ECT for Domain Membership (condition)</name>
                <sourcecode type="cddl"><![CDATA[
Domain-condition-ECT = ({
  members: [ + environment-map ]
  authority: [ + $crypto-key-type-choice ]
  ? profile: $profile-type-choice
}) .within M-ECT
]]></sourcecode>
              </figure>
              <t>Only the <tt>members</tt> are used for matching, not the <tt>environment</tt>.
Therefore, the <tt>environment</tt> attribute is excluded from the ECT condition.</t>
              <t><xref target="fig-domain-ect-add"/> shows the profiled Domain ECT for Domain Membership additions.</t>
              <figure anchor="fig-domain-ect-add">
                <name>Profiled ECT for Domain Membership (addition)</name>
                <sourcecode type="cddl"><![CDATA[
Domain-addition-ECT = ({
  environment: environment-map
  authority: [ + $crypto-key-type-choice ]
  ? profile: $profile-type-choice
  members: [ + environment-map ]
}) .within M-ECT
]]></sourcecode>
              </figure>
            </section>
            <section anchor="sec-ir-trust-dep">
              <name>Trust Dependencies</name>
              <t>The internal representation of Trust Dependency uses the <tt>td</tt> relation (<xref target="fig-td"/>), whereby each <tt>td-item</tt> corresponds to a <tt>trust-dependency-triple-record</tt>.</t>
              <figure anchor="fig-td">
                <name>Trust Dependency Relation</name>
                <sourcecode type="cddl"><![CDATA[
td = [ + td-item ]
]]></sourcecode>
              </figure>
              <figure anchor="fig-td-item">
                <name>Trust Dependency Item</name>
                <sourcecode type="cddl"><![CDATA[
td-item = {
  condition: Trust-Dependency-condition-ECT
  addition: Trust-Dependency-addition-ECT
}
]]></sourcecode>
              </figure>
              <t><xref target="fig-td-ect-cond"/> shows the profiled <tt>T-ECT</tt> for Trust Dependency conditions.</t>
              <figure anchor="fig-td-ect-cond">
                <name>Profiled ECT for Trust Dependency (condition)</name>
                <sourcecode type="cddl"><![CDATA[
Trust-Dependency-condition-ECT = ({
  environment: environment-map
  authority: [ + $crypto-key-type-choice ]
  ? profile: $profile-type-choice
  trustees: [ + environment-map ]
}) .within T-ECT
]]></sourcecode>
              </figure>
              <t>Both the <tt>trustees</tt> and <tt>environment</tt> are used for matching.</t>
              <t><xref target="fig-td-ect-add"/> shows the profiled <tt>T-ECT</tt> for Trust Dependency additions.</t>
              <figure anchor="fig-td-ect-add">
                <name>Profiled ECT for Trust Dependency (addition)</name>
                <sourcecode type="cddl"><![CDATA[
Trust-Dependency-addition-ECT = ({
  environment: environment-map
  authority: [ + $crypto-key-type-choice ]
  ? profile: $profile-type-choice
  trustees: [ + environment-map ]
}) .within T-ECT
]]></sourcecode>
              </figure>
              <t>Before the <tt>td</tt> relation is added to the Staging Area, the trust dependency graph it describes MUST be checked to ensure that it is a directed acyclic graph.
If a cycle is detected, the <tt>td</tt> relation MUST NOT be added to the Staging Area, and this condition SHOULD be logged.
This is a prerequisite for the <tt>match_and_augment</tt> algorithm described in <xref target="algo-match-and-augment"/>.
Please note that a subsequent Appraisal Policy for Evidence may decide not to produce Attestation Results in this case.</t>
              <t>A trust dependency relation is added to the ACS if the <tt>enviroment</tt> and all <tt>trustess</tt> exist in the membership graph expressed by the <tt>dm</tt> relation (<xref target="fig-dm"/>) in the ACS.</t>
            </section>
          </section>
          <section anchor="acs">
            <name>ACS</name>
            <t>The ACS (<xref target="fig-acs"/>) is a list of ECTs that represent the Attester's actual state as determined by various authoritative sources (Reference Value Providers and Endorsers) collected by the Verifier.</t>
            <figure anchor="fig-acs">
              <name>ACS</name>
              <sourcecode type="cddl"><![CDATA[
ACS = [ + ECT ]
]]></sourcecode>
            </figure>
            <t>The <tt>authority</tt> attribute in each ECT represents one such source, while the Claims in the ECT are statements made by that source about the Attester.</t>
            <t>The ACS is initialized with Evidence Claims and is then populated with Reference Values and Endorsement Claims via the "match and augment" algorithm (see <xref target="sec-match-and-augment"/>) implemented by the CoRIM processor.</t>
            <t>Once the staging area has been drained by the CoRIM processor, processing stops and the computed ACS is handed over to subsequent phases.
In this way, the ACS represents the CoRIM processor's output interface.</t>
            <t>The order of the ECTs in the ACS is not significant.
Logically, as the ACS represents the conjunction of all claims, adding an ECT entry to the existing ACS at the end has the same effect as inserting it anywhere else.</t>
          </section>
          <section anchor="staging-area">
            <name>Staging Area</name>
            <t>The staging area (<xref target="fig-sa"/>) is a list of the relations corresponding to the transformed triples.</t>
            <figure anchor="fig-sa">
              <name>Staging Area</name>
              <sourcecode type="cddl"><![CDATA[
StagingArea = [
  ? rv,
  ? ev,
  ? evs,
  ? keys,
  ? dm,
  ? dd,
]
]]></sourcecode>
            </figure>
            <t>All relations are optional.
Whether a given relation is present in the staging area depends on whether a triple exists and has been successfully transformed.</t>
          </section>
        </section>
        <section anchor="sec-phase-1">
          <name>Input Validation and Transformation (Phase 1)</name>
          <t>This section provides a detailed description of Phase 1, which was outlined at a high level in <xref target="sec-appraisal-phases"/>, explaining how the relevant Conceptual Messages are ingested by the CoRIM processor.</t>
          <t>During the initialization phase, various Conceptual Message inputs are collected: CoMID tags (see <xref target="sec-comid"/>); CoSWID tags (see <xref target="RFC9393"/>); CoTL tags (see <xref target="sec-cotl"/>); cryptographic validation key material (including raw public keys, root certificates and intermediate CA certificate chains); and Concise Trust Anchor Stores (CoTS) (see <xref target="I-D.ietf-rats-concise-ta-stores"/>) are collected.
These objects will be utilized at various stages in the subsequent Evidence Appraisal phases that follow.
The primary goal of this phase is to ensure that all necessary information is available for subsequent processing.</t>
          <t>Once initialization is complete, no further inputs are accepted until the appraisal processing is finished.</t>
          <section anchor="corim-selection">
            <name>CoRIM Selection</name>
            <t>All available CoRIMs tags are collected.</t>
            <t>CoRIM tags MUST be discarded if they have expired, or if they are not associated with an authenticated and authorized source, or if they have been revoked by an authorized source.
Any CoRIM secured by a cryptographic mechanism that fails validation MUST be discarded.</t>
            <t>Other selection criteria MAY be applied.
For example, if the Evidence format is known in advance, CoRIMs using a profile that is not understood by a Verifier can be readily discarded.</t>
            <t>Further selection criteria may be applied to the CoRIM contents at later stages.</t>
          </section>
          <section anchor="corim-trust-anchors">
            <name>CoRIM Trust Anchors</name>
            <t>If CoRIM tags are signed, the signatures MUST be validated using the appropriate trust anchors available to the Verifier.
The Verifier is expected to have a trust anchor store.
The way in which these trust anchors are provisioned in the Verifier is beyond the scope of this specification.
If the CoRIM is signed, it should include at least one certificate (e.g., as part of the <tt>x5chain</tt> in the COSE header) that corresponds to the key pair used for signing.
This certificate MUST have a valid certification path to one of the Verifier's trust anchors.</t>
          </section>
          <section anchor="tags-extraction-and-validation">
            <name>Tags Extraction and Validation</name>
            <t>The Verifier extracts tags from the selected CoRIMs, including CoMID, CoSWID, CoTL, and CoTS.</t>
            <t>The Verifier MUST discard any tags that are not syntactically or semantically valid.
Cross-referenced triples MUST be successfully resolved.
An example of a cross-referenced triple is a CoMID-CoSWID linking triple described in <xref target="sec-comid-triple-coswid"/>.</t>
          </section>
          <section anchor="cotl-extraction">
            <name>CoTL Extraction</name>
            <t>(This section is not applicable if the Verifier appraisal policy does not require CoTLs.)</t>
            <t>CoTLs that are outside their validity period MUST be discarded.</t>
            <t>The Verifier processes all CoTLs that are valid at the time of Evidence appraisal and activates all referenced tags.</t>
            <t>Depending on any locally configured authorization policies, the Verifier MAY decide to discard some of the available and valid CoTLs.
Such policies model the trust relationships between the Verifier Owner and the relevant suppliers, and are out of the scope of the present document.
For example, a composite device (see <xref section="3.3" sectionFormat="of" target="RFC9334"/>) is likely to be fully described by multiple CoRIMs, each signed by a different supplier.
In such a case, the Verifier Owner may instruct the Verifier to discard any tags activated by a supplier's CoTL that has not also been activated by the trusted integrator.</t>
            <t>Once the Verifier has processed all CoTLs, it MUST discard any tags that have not been activated by a CoTL.</t>
          </section>
          <section anchor="sec-ev-coll">
            <name>Evidence Collection</name>
            <t>The Verifier communicates with Attesters to gather Evidence.
Discovery of Evidence sources is untrusted.
Verifiers may rely on conveyance protocol-specific context to identify an Evidence source, which acts as the Evidence input oracle for appraisal.</t>
            <t>The collected Evidence is then transformed into an internal representation (see <xref target="sec-ir-evidence"/>), making it suitable for appraisal processing.</t>
            <t>The exact protocol used to collect Evidence is out of scope of this specification.</t>
          </section>
          <section anchor="sec-crypto-validate-evidence">
            <name>Cryptographic Validation of Evidence</name>
            <t>If Evidence is cryptographically signed, it is validated before being transformed into an internal representation.</t>
            <t>If Evidence is not cryptographically signed, the conveyance protocol used to collected it MUST provide the required security.
In such cases, the cryptographic validation of Evidence depends on the security offered by the conveyance protocol.</t>
            <t>How cryptographic signature validation works depends on the specific Evidence collection method used.
For example, in DICE, a proof of liveness is carried out on the final key in the certificate chain (i.e., the "alias" certificate).
If this is successful, a suitable certification path is looked up in the Verifier trust anchor store based on the linking information obtained from the DeviceID certificate.
See Section 9.2.1 of <xref target="DICE.Layer"/>.
If a trusted root certificate is found, X.509 certificate validation is performed.</t>
            <t>As a second example, the verification public key use to verify <xref target="RFC9783"/> Evidence is looked up in the appraisal context using the <tt>ueid</tt> claim found in the PSA claims-set.
If found, COSE Sign1 verification is performed.</t>
            <t>Regardless of the specific integrity protection method used, the Verifier MUST NOT process Evidence that is not successfully validated.</t>
          </section>
          <section anchor="sec-input-trans">
            <name>Input Transformation</name>
            <t>This section describes how the relevant RATS Conceptual Messages are transformed upon ingestion by the CoRIM processor.</t>
            <section anchor="sec-trans-evidence">
              <name>Evidence</name>
              <t>Evidence transformation involves mapping Evidence into one or more <tt>Evidence-ECT</tt>s (see <xref target="sec-ir-evidence"/>), and adding them to the <tt>addition</tt> list of an <tt>ae</tt> relation.
Evidence transformation algorithms may be well-known (e.g., <xref target="I-D.ietf-rats-evidence-trans"/>), defined by a CoRIM profile (see <xref target="sec-corim-profile-types"/>), or supplied dynamically.
Evidence transformation algorithms are out of scope for this document.</t>
              <t>For successful transformation, Evidence MUST contain a relevant value for all the mandatory <tt>Evidence-ECT</tt> attributes.
Otherwise, the CoRIM processor MUST reject the Evidence.</t>
            </section>
            <section anchor="sec-trans-reference-values">
              <name>Reference Values</name>
              <t>Reference Values transformation involves mapping Reference Value triples into into an <tt>rv</tt> relation (see <xref target="sec-ir-refval"/>).
Each <tt>reference-triple-record</tt> (<xref target="triple-rv"/>) is transformed into an <tt>rv-item</tt> (<xref target="fig-rv"/>) as described in <xref target="algo-rv-transform"/>.
(The code reuses the <tt>mms_to_ems</tt> function from <xref target="algo-mm-to-em"/>.)</t>
              <figure anchor="algo-rv-transform">
                <name>Reference Value Triple Transformation</name>
                <sourcecode type="pseudocode"><![CDATA[
FUNC transform(
    T: reference-triple-record,
    signer: [ + $crypto-key-type-choice ],
    profile: $profile-type-choice
) -> rv-item {
    item := rv-item::NEW()

    item.addition.cmtype = reference-values

    item.addition.environment = T.ref-env
    item.condition.environment = T.ref-env

    item.condition.element-list = mms_to_ems(T.ref-claims)

    item.addition.authority = signer

    IF profile:
        item.addition.profile = profile

    RETURN item
}
]]></sourcecode>
              </figure>
              <t>Note that the <tt>ref-claims</tt> are not copied to the addition ECT.
Since they may contain ranges rather than individual values (see, for example, <xref target="sec-comid-int-range"/>), we need to wait until the condition is satisfied by an Evidence ECT before we can copy the matched claims from the Evidence ECT to the addition ECT.</t>
            </section>
            <section anchor="sec-trans-endorsed-values">
              <name>Endorsed Values</name>
              <t>Endorsed Values transformation involves mapping EV, CE and CES triples into into <tt>ev</tt> or <tt>evs</tt> relations (see <xref target="sec-ir-endval"/>).</t>
              <t>A <tt>endorsed-triple-record</tt> (<xref target="triple-ev"/>) is transformed into an <tt>ev-item</tt> (<xref target="fig-ev"/>) as described in <xref target="algo-ev-transform"/>.
(The code reuses the <tt>mms_to_ems</tt> function from <xref target="algo-mm-to-em"/>.)</t>
              <figure anchor="algo-ev-transform">
                <name>Endorsed Value Triple Transformation</name>
                <sourcecode type="pseudocode"><![CDATA[
FUNC transform(
    T: endorsed-triple-record,
    signer: [ + $crypto-key-type-choice ],
    profile: $profile-type-choice
) -> ev-item {
    item := ev-item::NEW()

    ect-cond := Endorsement-condition-ECT::NEW()
    ect-cond.environment = T.condition
    item.condition::APPEND(ect-cond)

    ect-add := Endorsement-addition-ECT::NEW()
    ect-add.environment = T.condition
    ect-add.element-list = mms_to_ems(T.endorsement)
    ect-add.cmtype = endorsements
    ect-add.authority = signer
    IF profile:
        ect-add.profile = profile

    item.addition::APPEND(ect-add)

    RETURN item
}
]]></sourcecode>
              </figure>
              <t>A <tt>conditional-endorsement-triple-record</tt> (<xref target="triple-ce"/>) is transformed into an <tt>ev-item</tt> (<xref target="fig-ev"/>) as described in <xref target="algo-ce-transform"/>.
(The code reuses the <tt>mms_to_ems</tt> function from <xref target="algo-mm-to-em"/>.)</t>
              <figure anchor="algo-ce-transform">
                <name>Conditional Endorsement Triple Transformation</name>
                <sourcecode type="pseudocode"><![CDATA[
FUNC transform(
    T: conditional-endorsement-triple-record,
    signer: [ + $crypto-key-type-choice ],
    profile: $profile-type-choice
) -> ev-item {
    item := ev-item::NEW()

    FOREACH ser IN T.conditions:
        ect := Endorsement-condition-ECT::NEW()
        ect.environment = ser.environment
        ect.element-list = mms_to_ems(ser.claims-list)
        item.condition::APPEND(ect)

    FOREACH etr IN T.endorsements:
        ect := Endorsement-addition-ECT::NEW()
        ect.environment = etr.condition
        ect.element-list = mms_to_ems(etr.endorsement)
        ect.cmtype = endorsements
        ect.authority = signer
        IF profile:
            ect.profile = profile
        item.addition::APPEND(ect)

    RETURN item
}
]]></sourcecode>
              </figure>
              <t>Each <tt>conditional-endorsement-series-triple-record</tt> (<xref target="triple-ces"/>) is transformed into an <tt>evs-item</tt> (<xref target="fig-evs"/>) as described in <xref target="algo-ces-transform"/>.
(The pseudocode reuses the <tt>mms_to_ems</tt> function defined in <xref target="algo-mm-to-em"/>.)</t>
              <t>The <tt>conditional-endorsement-series-triple-record</tt> contains a condition that is common to all series items.
Each entry in the series is a <tt>conditional-series-record</tt> with conditions that have differing values and additions that are specific to those values.</t>
              <t>The internal representation for a conditional endorsement series consists of a list of condition-addition pairs where the common condition in the series is replicated for each series item.
The transformation algorithm combines the common conditions with each series item condition to simplify Verifier processing (see <xref target="sec-proc-evs-rel"/>).</t>
              <figure anchor="algo-ces-transform">
                <name>Conditional Endorsement Series Triple Transformation</name>
                <sourcecode type="pseudocode"><![CDATA[
FUNC transform(
    T: conditional-endorsement-series-triple-record,
    signer: [ + $crypto-key-type-choice ],
    profile: $profile-type-choice
) -> evs-item {
    evsitem := evs-item::NEW()
    FOREACH csr in T.series:
       // stage the condition
       sitem := series-item::NEW()
       sitem.condition.environment = T.condition.environment
       ems1 = mms_to_ems(T.condition.claims-list)
       sitem.condition.element-list = ems1
       ems2 := mms_to_ems(csr.condition)
       sitem.condition.element-list::APPEND(ems2)
       IF T.condition.authorized-by:
           sitem.condition.authority = T.condition.authorized-by
       ELSE_IF csr.series.condition.authorized-by:
           sitem.condition.authority = csr.series.condition.authorized-by
       // stage the addition
       sitem.addition.environment = T.condition.environment
       ems3 = mms_to_ems(csr.addition)
       sitem.addition.element-list = ems3
       sitem.addition.cmtype = `endorsements`
       sitem.addition.authority = signer
       IF profile:
           sitem.addition.profile = profile
       evsitem[index-of(sitem)] = sitem
    RETURN evsitem
}
]]></sourcecode>
              </figure>
            </section>
            <section anchor="keys">
              <name>Keys</name>
              <t>Keys transformation involves mapping Attest Key and Device Identity triples into into a <tt>key</tt> relation (see <xref target="sec-ir-keys"/>).</t>
              <t>An <tt>attest-key-triple-record</tt> (<xref target="triple-ak"/>) or an <tt>identity-triple-record</tt> (<xref target="triple-di"/>) is transformed into a <tt>key-item</tt> (<xref target="fig-k"/>) as described in <xref target="algo-key-transform"/>.</t>
              <figure anchor="algo-key-transform">
                <name>Key Triple Transformation</name>
                <sourcecode type="pseudocode"><![CDATA[
FUNC transform(
    T: attest-key-triple-record / identity-triple-record,
    verifier: [ + $crypto-key-type-choice ],
    profile: $profile-type-choice
) -> key-item {
    item := key-item::NEW()

    IF TYPEOF(T) == attest-key-triple-record:
        item.addition.key-type = attest-key
        item.condition.key-type = attest-key
    ELIF TYPEOF(T) == identity-triple-record:
        item.addition.key-type = identity-key
        item.condition.key-type = identity-key

    item.condition.environment = T.environment
    item.addition.environment = T.environment

    item.condition.key-list = T.key-list

    IF T.conditions.mkey:
        item.condition.key-id = T.conditions.mkey
        item.addition.key-id = T.conditions.mkey

    IF T.conditions.authorized-by:
        item.condition.authority = T.conditions.authorized-by

    item.addition.authority = verifier

    IF profile:
        item.addition.profile = profile

    RETURN item
}
]]></sourcecode>
              </figure>
              <t>Note that keys are added under the authority of the verifier.</t>
            </section>
            <section anchor="sec-trans-domain-mem">
              <name>Domain Membership Transformation</name>
              <t>Domain membership transformation maps Domain Membership triples into <tt>dm</tt> relations (see <xref target="sec-ir-domain-mem"/>).</t>
              <t>Prior to adding a domain membership relation, a <tt>domain-membership-triple-record</tt> (<xref target="triple-dm"/>) is transformed into a <tt>domain-item</tt> (<xref target="fig-dm"/>) using the domain membership transformation algorithm <xref target="algo-domain-member-transform"/>.</t>
              <figure anchor="algo-domain-member-transform">
                <name>Domain Membership Transformation</name>
                <sourcecode type="pseudocode"><![CDATA[
FUNC transform(
    T: domain-membership-triple-record
    signer: [ + $crypto-key-type-choice ],
    profile: $profile-type-choice
) -> domain-item {
    item := domain-item::NEW()
    item.condition.members = T.members

    item.addition.environment = T.domain-id
    item.addition.members = T.members
    item.addition.authority = signer

    IF profile:
        item.addition.profile = profile

    RETURN item
}
]]></sourcecode>
              </figure>
              <t>Subsequent to transformation the domain membership relations are processed using the domain membershp processing algorithm <xref target="sec-proc-dm"/>.</t>
            </section>
            <section anchor="sec-trans-trust-dep">
              <name>Trust Dependency Transformation</name>
              <t>Prior to adding a trust dependency relation, Trust Dependency triples <tt>trust-dependency-triple-record</tt> (<xref target="triple-td"/>) are transformed into <tt>td</tt> relations (see <xref target="sec-ir-trust-dep"/>) using the trust dependency transformation algorithm <xref target="algo-trust-dependency-transform"/>.</t>
              <figure anchor="algo-trust-dependency-transform">
                <name>Trust Dependency Transformation</name>
                <sourcecode type="pseudocode"><![CDATA[
FUNC transform(
    T: trust-dependcy-triple-record,
    signer: [ + $crypto-key-type-choice ],
    profile: $profile-type-choice
) -> trust-dependency-item
    item := T-ECT::NEW()

    item.condition.environment = T.domain-id
    item.condition.members = T.members

    item.addition.environment = T.domain-id
    item.addition.members = T.members
    item.addition.authority = signer

    IF profile:
        item.addition.profile = profile

    RETURN item
}
]]></sourcecode>
              </figure>
              <t>Subsequent to transformation, the trust dependency relations are processed using the trust dependency processing algorithm <xref target="sec-proc-td"/>.</t>
            </section>
          </section>
          <section anchor="sec-appraisal-ctx-init">
            <name>Appraisal Context Initialization</name>
            <t>At the end of Phase 1 all of the extracted and validated tags are loaded into an "appraisal context", consisting of the ACS and the staging area.
The ACS is initialized with all the addition ECTs in the <tt>ev</tt> relation:</t>
            <figure anchor="algo-init-acs">
              <name>ACS Initialization</name>
              <sourcecode type="pseudocode"><![CDATA[
FUNC init_acs(ae: ae) -> ACS {
    FOREACH item IN ae:
        acs::APPEND(item.addition)

    RETURN acs
}
]]></sourcecode>
            </figure>
            <t>The staging area is loaded with <tt>rv</tt>, <tt>ev</tt>, <tt>evs</tt>, <tt>keys</tt>, <tt>dm</tt> and <tt>td</tt> relations, in that order.</t>
            <figure anchor="algo-init-sa">
              <name>Staging Area Initialization</name>
              <sourcecode type="pseudocode"><![CDATA[
FUNC init_staging_area(
    rv: rv,
    ev: ev,
    evs: evs,
    keys: keys,
    dm: dm,
    dd: td,
) -> StagingArea {
    sa := StagingArea::NEW()

    IF rv    sa::APPEND(rv)
    IF ev:   sa::APPEND(ev)
    IF evs:  sa::APPEND(evs)
    IF keys: sa::APPEND(keys)
    IF dm:   sa::APPEND(dm)
    IF td:   sa::APPEND(td)

    RETURN sa
}
]]></sourcecode>
            </figure>
          </section>
        </section>
        <section anchor="sec-match-and-augment">
          <name>ACS Augmentation (Phases 2, 3 and 4)</name>
          <t>This section describes the "match and augment" algorithm, through which the ACS is updated incrementally to reflect the actual state of the Attester as asserted by RATS Roles (i.e., Attester, Reference Value Provider, and Endorser).</t>
          <t>Generally, the match and augment process involves pulling relations from the staging area one by one, in a specific order, and matching their conditions against the current state of the ACS according to the matching rules defined for each relation.
If there is a match, the additions in the matched relation are added to the ACS, thereby providing its "augmentation".
Otherwise, the algorithm moves on to the next relation.
Any augmentations to the ACS (i.e., the <tt>acs::APPEND</tt> operation in <xref target="algo-match-and-augment"/>) MUST be atomic.
Once all the relations in the staging area have been processed, the CoRIM processor forwards the augmented ACS to subsequent appraisal processors as needed.</t>
          <figure anchor="algo-match-and-augment">
            <name>Match and Augment Algorithm</name>
            <sourcecode type="pseudocode"><![CDATA[
FUNC match_and_augment(acs: ACS, sa: StagingArea) -> ACS {
    FOREACH rel IN sa:
        FOREACH item IN rel:
            IF acs::MATCH(item.condition):
                IF acs::CHECK(item.addition):
                        acs::APPEND(item.addition)

    RETURN acs
}
]]></sourcecode>
          </figure>
          <t>The <tt>acs::MATCH</tt> operation depends on the type of relation.
The matching logic for each type of relation is described in the following sections.
The <tt>acs::CHECK</tt> operation does consistency checks.
The checking logic for each type of relation is described in the following sections.
The <tt>acs::APPEND</tt> operation also depends on the type of relation.
This could involve simply appending the addition ECT.</t>
          <t>The addition could result in inconsistent ACS.  Additional ACS consistency checking might be needed.</t>
          <section anchor="ordering-of-relations">
            <name>Ordering of Relations</name>
            <t>The order in which items within relations are processed is important.
Processing a relation may result in ACS modifications that affect the matching behaviour of other relations.
The verifier MUST ensure that any relation including a matching condition is processed after any other relation that modifies or adds an ACS entry with an <tt>environment</tt> matching the condition.
This can be achieved by sorting the relations before processing, repeating the processing of some relations after ACS modifications, or using other algorithms.
The "match and augment" algorithm described in <xref target="algo-match-and-augment"/> assumes that relations have been topologically sorted prior to loading into the staging area (<xref target="algo-init-sa"/>).</t>
          </section>
          <section anchor="sec-proc-rv">
            <name>Reference Values Corroboration and Augmentation (Phase 3)</name>
            <t>Corroboration is the process of determining whether actual Attester state (as contained in the ACS) can be satisfied by Reference Values.</t>
            <section anchor="sec-proc-rv-rel">
              <name>Processing <tt>rv</tt> Relations</name>
              <t>Reference Values are matched with ACS entries by iterating through the <tt>rv</tt> list.
For each <tt>rv</tt> entry, the condition ECT is compared against an ACS ECT with <tt>cmtype</tt> 2 (i.e., <tt>evidence</tt>).</t>
              <t>If the two match, the following two steps are performed:</t>
              <ol spacing="normal" type="1"><li>
                  <t>The <tt>element-list</tt> of the matched ACS ECT is copied to the <tt>element-list</tt> of the addition ECT.</t>
                </li>
                <li>
                  <t>The addition ECT is added to the ACS.</t>
                </li>
              </ol>
              <t>Note that this new ACS item is essentially a copy of the matched evidence ECT, which has been re-asserted under the authority of the Reference Value Provider.</t>
            </section>
          </section>
          <section anchor="endorsed-values-augmentation-phase-4">
            <name>Endorsed Values Augmentation (Phase 4)</name>
            <t>Endorsed values augmentation is the process of adding Claims about the Attester's actual state with Endorser authority rather than Attester authority.
Augmentation is predicated on a certain condition matching the actual state currently encoded in the ACS.</t>
            <section anchor="sec-proc-ev-rel">
              <name>Processing <tt>ev</tt> Relations</name>
              <t>Endorsed Values and Conditional Endorsed Values are matched with ACS entries by iterating through the <tt>ev</tt> list.
For each <tt>ev</tt> entry, the condition ECT is compared with an ACS ECT with <tt>cmtype</tt> 0, 1 or 2 (i.e., reference-values, endorsements or evidence).
If the two match, the addition ECT is added to the ACS.</t>
            </section>
            <section anchor="sec-proc-evs-rel">
              <name>Processing <tt>evs</tt> Relations</name>
              <t>The Conditional Endorsement Series relation is processed using a modified <tt>match_and_augment</tt> function (see <xref target="algo-match-and-augment"/>) where SERIES-MATCH() calls MATCH() (see <xref target="algo-series-match-and-augment"/>).</t>
              <t>The first series item that matches terminates processing of subsequent series items.</t>
              <t>The matched item is appended to the ACS.</t>
              <figure anchor="algo-series-match-and-augment">
                <name>Series Match and Augment Algorithm</name>
                <sourcecode type="pseudocode"><![CDATA[
FUNC match_and_augment(acs: ACS, sa: StagingArea) -> ACS {
    FOREACH rel IN sa:
        FOREACH item IN rel:
            IF ser-add = SERIES-MATCH(acs, item.series):
                acs::APPEND(ser-add)

    RETURN acs
}

FUNC SERIES-MATCH(acs: ACS, series: SERIES)
    -> Endorsement-addition-ECT {
    FOREACH sitem IN series:
        IF acs::MATCH(sitem.condition):
            RETURN sitem.addition
}
]]></sourcecode>
              </figure>
            </section>
            <section anchor="processing-keys-relations">
              <name>Processing <tt>keys</tt> Relations</name>
              <t>Keys relations identify cryptographic keys that require additional key verification steps.</t>
              <t>Keys are matched with ACS entries by iterating through the <tt>keys</tt> list.
For each <tt>keys</tt> entry, the condition ECT is compared with an ACS ECT with <tt>cmtype</tt> 1 or 2 (i.e., endorsements or evidence).
If they match, perform the following steps for each key in the condition ECT <tt>key-list</tt>:</t>
              <ol spacing="normal" type="1"><li>
                  <t>Verify the certificate signatures for each certificate in the certification path.</t>
                </li>
                <li>
                  <t>Verify the revocation status for each certificate in the certification path.</t>
                </li>
                <li>
                  <t>Verify the key usage restrictions that are appropriate for <tt>key-type</tt>.</t>
                </li>
              </ol>
              <t>A key that successfully passes the above checks is said to be verified.</t>
              <t>Add all the verified keys to the addition ECT's <tt>key-list</tt> and add the addition ECT to the ACS.</t>
            </section>
            <section anchor="sec-proc-dm">
              <name>Processing <tt>dm</tt> Relations</name>
              <t>Domain Membership relations describe the expected topological arrangement of the Attester.</t>
              <t>Domains are matched with ACS entries by iterating through the <tt>dm</tt> list, in the staging area.</t>
              <t>The acs::CHECK() does acyclic graph consistency checks of the condition ECTs in the <tt>dm</tt> relation.</t>
              <t>For each dm entry (M-ECT), the condition ECT is compared with either an ACS Element ECT with cmtype 2 (i.e., evidence) or a Domain ECT (M-ECT). All other ECTs are ignored.</t>
              <t>If all the <tt>member</tt> environments in the condition ECT have a matching ECT in the ACS, the <tt>addition ECT</tt> is added to the ACS.
The matching dm entry is pruned from the dm list.</t>
              <t>If there is no match, processing moves to the next dm entry, till the list is exhausted and is known as one complete iteration.</t>
              <t>If there are additions to ACS, then the above algorithm is repeated until there are no more additions.
The algorithm is terminated when there are no more additions to ACS.</t>
              <t>This algorithm can be optimised to complete in a single iteration, if the <tt>dm</tt> entries in the staging area and the ACS entries are topologically sorted (bottom up, from leaves to root).
This specification does not mandate any specific topological sorting algorithm.</t>
            </section>
            <section anchor="sec-proc-td">
              <name>Processing <tt>td</tt> Relations</name>
              <t>The objective of processing a <tt>td</tt> relation is to verify that each edge in a trust dependency graph (TDG) has a corresponding edge in a domain membership graph (DMG).
TDGs MUST be directed acyclic graphs (DAG) before they can be added to the ACS.
TDGs need not be isomorphs of DMGs.</t>
              <t>The matching algorithm ensures that the <tt>td</tt> items queued for addition to the ACS are also Domain Membership ECTs already contained in the ACS.
This matching algorithm is the plug-in for the parameter <tt>item-condition</tt> of <tt>acs::MATCH</tt> defined in <xref target="algo-match-and-augment"/>.</t>
              <figure anchor="algo-process-trust-dep">
                <name>Process Trust Dependency Algorithm</name>
                <sourcecode type="pseudocode"><![CDATA[
FUNC ACS::MATCH(condition: Trust-Dependency-condition-ECT) -> bool {
    FOREACH dm-item IN ACS.ECT(.cm==member):
        IF condition.environment == dm-item.environment:
            FOREACH trustee IN condition.trustees:
                IF !trustee::IS-MEMBER(dm-item.members):
                    BREAK   # break inner loop, try another dm-item
            RETURN TRUE

    RETURN FALSE
]]></sourcecode>
              </figure>
              <t>The ACS::CHECK() function does acyclic graph consistency checks of the condition ECTs in the <tt>td</tt> relation.</t>
              <t>The ACS:: APPEND() function adds the dm-item.addition to the ACS.</t>
              <t>Subsequent to the append, the ACS acyclic consistency check needs to be performed.</t>
              <t>Subsequent processing phases SHOULD evaluate the Trust Domain Graph against ACS corroborated Evidence to ensure trustee graphs are also trusted.
For example, a target environment (TE-1) with corroborated Evidence that has another trustee target environment (TE-2), should ensure TE-2 also has corroborated Evidence before TE-1 is considered trustworthy.
Additionally, a trust dependency might specify a strength of function requirement for TE-1.
The trust dependency implies TE-2 should have a minimum strength of function as TE-1.</t>
            </section>
          </section>
          <section anchor="sec-comparison-rules">
            <name>Rules of Comparison</name>
            <t>The matching component of the "match and augment" algorithm (see <xref target="sec-match-and-augment"/>) relies on a standardized set of comparison rules for ECTs.
These rules depend on the type of elements being compared.
This section provides a normative description of the rules for comparing ECT elements found in relation conditions (referred to as C-ECTs for the remainder of this text) with ECTs in the ACS (referred to as ACS-ECTs for the remainder of this text).</t>
            <t>When comparing a C-ECT against the ACS, the processor iterates over all ACS entries and attempts to match the C-ECT with each ACS entry.
Typically, the comparison is between ECTs of the same type (i.e., Element ECTs are compared with Element ECTs, Key ECTs with Key ECTs and Domain ECTs with Domain ECTs).
However, ECTs of different types can sometimes be compared if the comparison is based on common attributes (<xref target="fig-ect-common"/>).
See <xref target="sec-proc-dm"/> for an example of this, where the <tt>environment</tt>s of <tt>M-ECT</tt>s and <tt>E-ECT</tt>s are compared.</t>
            <t>Conceptually, the processor creates a "matched entries" set and populates it with all ACS entries that match the C-ECT.
If, after visiting all the entries in the ACS, the matched entries set is not empty, the C-ECT matches the ACS.
Conversely, if the matched entries set is empty, the C-ECT does not match the ACS.</t>
            <t>If the C-ECT contains a profile and the profile defines an algorithm for a given codepoint, the processor MUST use the algorithm defined by the profile in comparisons involving that codepoint.
If the condition ECT contains a profile, but the profile does not define an algorithm for a particular codepoint, the processor MUST use the standard algorithm described in this document for comparisons involving that codepoint.</t>
            <t>The specific comparisons performed depend on the type of relation being processed.
In general, the processor will perform comparisons based on <tt>environment</tt> (see <xref target="sec-compare-environment"/>) as well as more specialized comparisons based on the type of ECT matched.
Element ECTs will match on <tt>element-list</tt> (see <xref target="sec-compare-element-list"/>), Key ECTs will match on <tt>key-list</tt>, Domain Membership ECTs will typically match on <tt>members</tt> (see <xref target="sec-proc-dm"/>) and Trust Dependency ECTs will typically match on <tt>trustees</tt> (see <xref target="sec-proc-td"/>).</t>
            <t><cref>
[TBC]
Check, for each relation processing, where authority comparisons apply.
</cref></t>
            <t>Each of these comparisons compares one attribute in the C-ECT against the same attribute in the ACS-ECT.
If all the attributes match, the C-ECT matches the ACS-ECT.
If any attributes do not match, the C-ECT does not match the ACS-ECT.</t>
            <section anchor="sec-compare-environment">
              <name>Environment Comparison</name>
              <t>The processor MUST compare each attribute which is present in the C-ECT's <tt>environment</tt> with the corresponding attribute in the ACS-ECT's <tt>environment</tt> using binary comparison.
Before performing the binary comparison, the processor SHOULD convert the attributes in both <tt>environment</tt>s into a form that meets the CBOR core deterministic encoding requirements described in <xref section="4.2" sectionFormat="of" target="STD94"/>.</t>
              <t>If all the attributes which are present in the C-ECT <tt>environment</tt> (e.g., <tt>instance-id</tt> or <tt>group-id</tt>) are also present in the ACS-ECT and are binary identical, the two environments match.
Otherwise, the environments do not match.</t>
              <t>Any attribute that is present in the ACS-ECT but not in the C-ECT is ignored in the comparison.</t>
            </section>
            <section anchor="sec-compare-authority">
              <name>Authority Comparison</name>
              <t>The comparison between a C-ECT's <tt>authority</tt> value and an ACS-ECT's <tt>authority</tt> value is as follows: if every entry in the C-ECT <tt>authority</tt> matches byte-by-byte an entry in the ACS-ECT <tt>authority</tt>, the authorities match.
Otherwise, the authorities do not match.</t>
              <t>The order of the items within each <tt>authority</tt> does not affect the result of the comparison.</t>
              <t>When comparing two <tt>$crypto-key-type-choice</tt> items for equality, the processor MUST treat them as equal if their deterministic CBOR encoding is binary equal.</t>
            </section>
            <section anchor="sec-compare-element-list">
              <name>Element List Comparison</name>
              <t>A C-ECT's <tt>element-list</tt> matches an ACS-ETC's <tt>element-list</tt> if all the <tt>element-map</tt>s in the C-ECT's <tt>element-list</tt> match the <tt>element-map</tt>s in the ACS-ECT's <tt>element-list</tt>.</t>
              <t>Any <tt>element-map</tt> that is present in the ACS-ECT's <tt>element-list</tt> but not in the C-ECT's is ignored in the comparison.</t>
              <t>The rules for matching <tt>element-map</tt>s are described in <xref target="sec-compare-element-map"/>.</t>
            </section>
            <section anchor="sec-compare-element-map">
              <name>Element Map Comparison</name>
              <t>The C-ECT's <tt>element-map</tt> matches an ACS-ECT's <tt>element-map</tt> if both the <tt>element-id</tt> and <tt>element-claims</tt> match.</t>
              <t>Two <tt>element-id</tt>s are considered the same if they are either both omitted, or both present with binary identical deterministic encodings.
Before performing the binary comparison, the processor SHOULD convert the <tt>element-id</tt> attributes into a form that meets the CBOR core deterministic encoding requirements described in <xref section="4.2" sectionFormat="of" target="STD94"/>.</t>
              <t>The rules for matching <tt>element-claims</tt> are described in <xref target="sec-compare-mvm"/>.</t>
            </section>
            <section anchor="sec-compare-mvm">
              <name>Measurement Values Map Comparison</name>
              <t>The C-ECT's <tt>element-claims</tt> match an ACS-ECT's <tt>element-claims</tt> if:</t>
              <ol spacing="normal" type="1"><li>
                  <t>Each attribute in the C-ECT's <tt>measurement-values-map</tt> is also present in the ACS-ECT's <tt>measurement-values-map</tt>; and</t>
                </li>
                <li>
                  <t>The attribute values match.</t>
                </li>
              </ol>
              <t>Otherwise, the element claims do not match.</t>
              <t>The rules for matching a single <tt>measurement-values-map</tt> attribute are described in <xref target="sec-match-one-codepoint"/></t>
              <section anchor="sec-match-one-codepoint">
                <name>Comparison of a Single Measurement Values Map Attribute</name>
                <t>The algorithm used to compare two values of a <tt>measurement-values-map</tt> attribute depends on the attribute's type.</t>
                <t>The processor needs to select the appropriate algorithm for the given attribute, including any extensions defined by a supported profile.</t>
                <t>Non-negative codepoints represent standard data representations.
The comparison algorithms for these are defined in this document (in the sections below) or in other specifications.
Some attributes allow different types.
These are designated by a CBOR tag that allows clear type disambiguation.</t>
                <t>Negative codepoints represent profile-defined data representations.
The processor MUST use the attribute name, the profile associated with the condition ECT, and, if present, the CBOR tag value to select the comparison algorithm.</t>
                <t>If the processor is unable to determine the applicable comparison algorithm for an attribute, it MUST behave as though the C-ECT does not match the ACS-ECT.</t>
                <t>The following subsections define the comparison algorithms for the <tt>measurement-values-map</tt> attributes defined by this specification.</t>
              </section>
              <section anchor="comparison-for-version-entries">
                <name>Comparison for version entries</name>
                <t>The value stored under <tt>measurement-values-map</tt> codepoint 0 is of type <tt>version-map</tt>.</t>
                <t>Since, in general - with the exception of <tt>semver</tt> - they are colloquial versions that cannot specify ordering, two <tt>version-map</tt> values can only be compared for equality.</t>
              </section>
              <section anchor="comparison-for-svn-entries">
                <name>Comparison for svn entries</name>
                <t>The value stored under <tt>measurement-values-map</tt> codepoint 1 is a security version number of type <tt>svn-type-choice</tt>.</t>
                <t>If the ACS-ECT's <tt>svn-type-choice</tt> is a <tt>svn</tt> or <tt>tagged-svn</tt> (i.e., <tt>uint</tt> or a <tt>uint</tt> wrapped in tag 552), comparison with the <tt>uint</tt> in the C-ECT is as follows:</t>
                <ul spacing="normal">
                  <li>
                    <t>If the C-ECT value is of type <tt>svn</tt> or <tt>tagged-svn</tt>, an equality comparison is performed on the <tt>uint</tt> components.
The comparison MUST return true if the <tt>uint</tt> values are equal.</t>
                  </li>
                  <li>
                    <t>If the C-ECT value is of type <tt>tagged-min-svn</tt>, a minimum comparison is performed.
The comparison MUST return true if the <tt>uint</tt> value in the C-ECT is less than or equal to the value in the ACS-ECT.</t>
                  </li>
                </ul>
                <t>If the ACS-ECT's <tt>svn-type-choice</tt> is <tt>tagged-min-svn</tt> (i.e., <tt>uint</tt> wrapped in tag 553), then comparison with the <tt>uint</tt> in the C-ECT is as follows.</t>
                <ul spacing="normal">
                  <li>
                    <t>If the C-ECT value for <tt>measurement-values-map</tt> codepoint 1 is <tt>svn</tt> or <tt>tagged-svn</tt> (i.e., <tt>uint</tt> or a <tt>uint</tt> wrapped in tag 552), the comparison is not allowed and MUST return false.</t>
                  </li>
                  <li>
                    <t>If the condition ECT value for <tt>measurement-values-map</tt> codepoint 1 is a <tt>tagged-min-svn</tt> (i.e., <tt>uint</tt> wrapped in tag 553), an equality comparison is performed.
The comparison MUST return true if the <tt>uint</tt> values are equal.</t>
                  </li>
                </ul>
                <t>A minimum SVN is only meaningful as an entry value when it is an endorsed value that has been added to the ACS.
The condition therefore treats the minimum SVN as an exact state, rather than as something to be compared with inequality.</t>
                <t>The pseudocode for the above algorithm is shown in <xref target="fig-comp-svn"/>.</t>
                <figure anchor="fig-comp-svn">
                  <name>SVN Comparison</name>
                  <sourcecode type="pseudocode"><![CDATA[
FUNC compare(
    c_ect: svn-type-choice,
    acs_ect: svn-type-choice
) -> bool {
    IF is_plain_svn(acs_ect):
        IF is_plain_svn(c_ect):
            RETURN get_svn_value(c_ect) == get_svn_value(acs_ect)
        ELSE:
            RETURN get_svn_value(c_ect) <= get_svn_value(acs_ect)
    ELSE:
        IF is_plain_svn(c_ect):
            RETURN false
        ELSE:
            RETURN get_svn_value(c_ect) == get_svn_value(acs_ect)
}

FUNC get_svn_value(v: svn-type-choice) -> uint {
    IF TYPEOF(v) == svn:
        RETURN v
    ELIF TYPEOF(v) == tagged-svn:
        RETURN ~v
    ELIF TYPEOF(v) == tagged-min-svn:
        RETURN ~v
}

FUNC is_plain_svn(v: svn-type-choice) -> bool {
    RETURN TYPEOF(v) == svn OR TYPEOF(v) == tagged-svn
}
]]></sourcecode>
                </figure>
              </section>
              <section anchor="sec-cmp-digests">
                <name>Comparison for digests entries</name>
                <t>A <tt>digests</tt> entry contains one or more digests, each measuring the same object.
When multiple digests are provided, each represents a different acceptable algorithm to the C-ECT author.</t>
                <t>In the simplest case, a C-ECT <tt>digests</tt> entry containing one digest matches an ACS-ECT entry containing a single entry with the same algorithm and value.</t>
                <t>If there are multiple algorithms in common between the C-ECT and ACS-ECT, the bytes paired with common algorithms MUST be equal.
This is to prevent downgrade attacks.
The processor MUST treat two algorithm identifiers as equal if they have the same deterministic binary encoding.
If both an integer and a string representation are defined for an algorithm, then entities creating ECTs SHOULD use the integer representation.
If C-ECT and ACS-ECT use different names for the same algorithm, and the processor does not recognize that they are the same, then a downgrade attack is possible.</t>
                <t>The comparison MUST return false if the CBOR encoding of the <tt>digests</tt> entry in the C-ECT or the ACS-ECT value with the same codepoint is incorrect.
For example, if fields are missing or if they are the wrong type.</t>
                <t>The comparison MUST return false if the C-ECT <tt>digests</tt> entry does not contain any digests.</t>
                <t>The comparison MUST return false if either <tt>digests</tt> entry contains multiple values for the same hash algorithm.</t>
                <t>The processor iterates over the C-ECT <tt>digests</tt> array to locate the common hash algorithm identifiers which are present in both the C-ECT and in the ACS-ECT.
The comparison MUST return false if there are no hash algorithms in common between the C-ECT and the ACS-ECT.
The comparison MUST return false if the value associated with any common hash algorithm identifier in the C-ECT differs from the value for the same algorithm identifier in the ACS-ECT.
If all the values associated with the common hash algorithm identifiers match, the comparison returns true.</t>
              </section>
              <section anchor="comparison-for-raw-value-entries">
                <name>Comparison for raw-value entries</name>
                <t>A <tt>raw-value</tt> entry contains binary data.</t>
                <t>The value stored under <tt>measurement-values-map</tt> codepoint 4 in an ACS-ECT MUST be a <tt>raw-value</tt> entry, which MUST be <tt>tagged-bytes</tt>.</t>
                <t>The value stored under the C-ECT <tt>measurement-values-map</tt> codepoint 4 may additionally be a <tt>tagged-masked-raw-value</tt> entry, which specifies an expected value and a mask.</t>
                <t>If the C-ECT <tt>measurement-values-map</tt> codepoint 4 is of type <tt>tagged-bytes</tt>, and there is no value stored under codepoint 5, the processor treats it as if it were a <tt>tagged-masked-raw-value</tt> with the <tt>value</tt> field holding the same contents and a <tt>mask</tt> of the same length as the value, with all bits set.
The standard comparison function defined in this document removes the CBOR tag before performing the comparison.</t>
                <t>For backwards compatibility, if the C-ECT <tt>measurement-values-map</tt> codepoint 4 is of type <tt>tagged-bytes</tt>, and there is a mask stored under codepoint 5, the processor treats it as a <tt>tagged-masked-raw-value</tt> with the <tt>value</tt> field holding the same contents and a <tt>mask</tt> holding the contents of codepoint 5.</t>
                <t>The comparison MUST return false if the lengths of the ACS-ECT entry value and the C-ECT value are different.</t>
                <t>The comparison MUST return false if the lengths of the C-ECT mask and value are different.</t>
                <t>The comparison MUST use the mask to determine which bits to compare.
If a bit in the mask is 0 then this indicates that the corresponding bit in the ACS-ECT value is ignored.</t>
                <t>The comparison returns true if, for every bit position in the mask whose value is 1, the corresponding bits in both values are equal.</t>
              </section>
              <section anchor="sec-cryptokeys-matching">
                <name>Comparison for cryptokeys entries</name>
                <t>The CBOR tag of the first entry in the C-ECT <tt>cryptokeys</tt> array is compared with the CBOR tag of the first entry of the ACS-ECT <tt>cryptokeys</tt> value.
If the CBOR tags match, then the bytes following the CBOR tag from the C-ECT entry are compared byte-by-byte with the bytes following the CBOR tag from the ACS-ECT entry.
If the byte strings match and there are more array entries, the next C-ECT array entry is compared with the next ACS-ECT array entry.
If all the C-ECT array entries match their corresponding entries in the ACS-ECT array, the C-ECT <tt>cryptokeys</tt> match.
Otherwise, the C-ECT <tt>cryptokeys</tt> do not match.</t>
              </section>
              <section anchor="sec-cmp-integrity-registers">
                <name>Comparison for Integrity Registers</name>
                <t>For each Integrity Register entry in the C-ECT, the processor will use the associated identifier (i.e., <tt>integrity-register-id-type-choice</tt>) to look up the matching Integrity Register entry in the ACS-ECT.
If no matching entry is found, the comparison MUST return false.
Instead, if an entry is found, the digest comparison proceeds as defined in <xref target="sec-cmp-digests"/> after equivalence has been established according to <xref target="sec-comid-integrity-registers"/>.
Note that it is not required for all the entries in the C-ECT to be used during matching: the C-ECT may represent only a subset of the device's register space.
In TPM parlance, a TPM "quote" may report all PCRs in Evidence, while a C-ECT could describe a subset of PCRs.</t>
              </section>
              <section anchor="comparison-for-int-range-entries">
                <name>Comparison for int-range entries</name>
                <t>The ACS-ECT value stored under <tt>measurement-values-map</tt> codepoint 15 is an int range value of <tt>int-range-type-choice</tt>.</t>
                <t>Consider an <tt>int</tt> ACS-ECT value named ENTRY in a <tt>measurement-values-map</tt> codepoint (e.g., 15) that allows comparing <tt>int</tt> against a either another <tt>int</tt> or an <tt>int-range</tt> named CONDITION.</t>
                <ul spacing="normal">
                  <li>
                    <t>If CONDITION is an <tt>int</tt> then an equality comparison is performed with ENTRY.</t>
                  </li>
                  <li>
                    <t>If CONDITION is an <tt>int-range</tt> (CBOR tag 564), then a range inclusion comparison is performed.
The comparison MUST return true if and only if all the following conditions are true:  </t>
                    <ul spacing="normal">
                      <li>
                        <t>CONDITION.min is <tt>null</tt> or ENTRY is greater than or equal to CONDITION.min.</t>
                      </li>
                      <li>
                        <t>CONDITION.max is <tt>null</tt> or ENTRY is less than or equal to CONDITION.max.</t>
                      </li>
                    </ul>
                  </li>
                </ul>
                <t>Consider an <tt>int-range</tt> (CBOR tag 564) value named ENTRY in a <tt>measurement-values-map</tt> codepoint (e.g., 15) that allows comparing an <tt>int-range</tt> against either another <tt>int-range</tt> or an <tt>int</tt> named CONDITION.</t>
                <ul spacing="normal">
                  <li>
                    <t>If CONDITION is an <tt>int</tt>, then the comparison MUST return true if and only if ENTRY.min and ENTRY.max are both equal to CONDITION.</t>
                  </li>
                  <li>
                    <t>If CONDITION is an <tt>int-range</tt> (CBOR tag 564), then a range subsumption comparison is performed (i.e., the condition range includes all values of the entry range).
The comparison MUST return true if and only if all the following conditions are true:  </t>
                    <ul spacing="normal">
                      <li>
                        <t>CONDITION.min is <tt>null</tt> or ENTRY.min is an <tt>int</tt> that is greater than or equal to CONDITION.min</t>
                      </li>
                      <li>
                        <t>CONDITION.max is <tt>null</tt> or ENTRY.max is an <tt>int</tt> that is less than or equal to CONDITION.max.</t>
                      </li>
                    </ul>
                  </li>
                </ul>
              </section>
            </section>
            <section anchor="sec-compare-profile">
              <name>Profile-directed Comparison</name>
              <t>A profile MUST specify comparison algorithms for its additions to <tt>$</tt>-prefixed CoRIM CDDL codepoints when this specification does not prescribe binary comparison.
The profile MUST specify how to compare the CBOR tagged value against the ACS.</t>
              <t>Note that the processor may compare Reference Values in any order, so the comparison SHOULD NOT be stateful.</t>
            </section>
          </section>
        </section>
        <section anchor="handoff">
          <name>Handoff</name>
          <t>Once all the relations in the staging area have been processed, the computed ACS is ready to be handed over to the verifier for further processing in subsequent phases.
Typically, the ACS is passed to a policy engine that applies a policy to deduce high-level characteristics of the Attester from the low-level information contained in the ACS.
This information can then be encoded in an Attestation Result that can be understood by a Relying Party, which does not need to know all the details in order to make a trust decision.</t>
        </section>
        <section anchor="example-appraisal">
          <name>Example Appraisal</name>
          <t>The following example describes the appraisal of a PSA Attester <xref target="RFC9783"/> from the fictitious vendor "Acme Inc.", which uses the CoRIM profile documented in <xref target="I-D.fdb-rats-psa-endorsements"/>.</t>
          <section anchor="input-corims">
            <name>Input CoRIMs</name>
            <t>In this scenario, the Verifier obtains two CoRIM files from two different actors in the supply chain:</t>
            <ul spacing="normal">
              <li>
                <t>The device manufacturer (Acme Inc.); and</t>
              </li>
              <li>
                <t>A certifier (Certifier Inc.), which has evaluated the device according to the PSA Certified scheme.</t>
              </li>
            </ul>
            <t>The manufacturer's CoRIM contains a single CoMID with two Reference Values triples (see <xref target="ex-comid-rvt"/>) describing two acceptable states of the Attester.
The Attester is identified by the class attribute Implementation ID with the value <tt>6163..3031</tt>.
One state has a digest of <tt>9a27..86aa</tt> for the "PRoT" component, and the other has a digest of <tt>a3fe..5065</tt>.</t>
            <t>For the remainder of this section, we will assume that the CoRIM containing this CoMID is signed using the manufacturer's certificate, which has a thumbprint of <tt>482e..78b3</tt>.</t>
            <figure anchor="ex-comid-rvt">
              <name>Example Manufacturer CoMID</name>
              <sourcecode type="cbor-diag"><![CDATA[
/ concise-mid-tag / {
  / comid.tag-identity / 1 : {
    / comid.tag-id / 0 : "acme.example/gizmo-v1",
  },
  / comid.entity / 2 : [ {
    / comid.entity-name / 0 : "ACME Inc.",
    / comid.reg-id / 1 : 32("https://acme.example"),
    / comid.role / 2 : [ 0 ] / tag-creator /
  } ],
  / comid.triples / 4 : {
    / comid.reference-triples / 0 : [ [
      / environment-map / {
        / comid.class / 0 : {
          / comid.class-id / 0 :
            / tagged-bytes / 560(
              h'61636d652d696d706c656d656e746174
                696f6e2d69642d303030303030303031'
            )
        }
      },
      [
        / measurement-map / {
          / comid.mkey / 0 : "psa.software-component",
          / comid.mval / 1 : {
            / comid.digests / 2 : [ [
              / hash-alg-id / "sha-256",
              / hash-value / h'9a271f2a916b0b6ee6cecb2426f0b320
                               6ef074578be55d9bc94f6f3fe3ab86aa'
            ] ],
            / name / 11 : "PRoT",
            / cryptokeys / 13 : [ 560(h'5378796307535df3ec8d8b15a2
                                        e2dc5641419c3d3060cfe32238
                                        c0fa973f7aa3') ]
          }
        }
      ]
    ],
    [
      / environment-map / {
        / comid.class / 0 : {
          / comid.class-id / 0 :
            / tagged-bytes / 560(
              h'61636d652d696d706c656d656e746174
                696f6e2d69642d303030303030303031'
            )
        }
      },
      [
        / measurement-map / {
          / comid.mkey / 0 : "psa.software-component",
          / comid.mval / 1 : {
            / comid.digests / 2 : [ [
              / hash-alg-id / "sha-256",
              / hash-value / h'a3fe9f414586c0d3cacbe3b6920a09d8
                               718e503bca22e23fef882203bf765065'
            ] ],
            / name / 11 : "PRoT",
            / cryptokeys / 13 : [ 560(h'5378796307535df3ec8d8b15a2
                                        e2dc5641419c3d3060cfe32238
                                        c0fa973f7aa3') ]
          }
        }
      ]
    ] ]
  }
}
]]></sourcecode>
            </figure>
            <t>The CoMID from the certifier contains a Conditional Endorsement triple that describes the Attester who was granted the security certification <tt>1234567890123 - 12345</tt> (see <xref target="ex-comid-cet"/>).
This Attester has Implementation ID <tt>6163..3031</tt> and the digest associated with the "PRoT" component is <tt>9a27..86aa</tt>.
In the triple, the security certification is represented as <tt>endorsements</tt>, while the target identification information is represented as <tt>conditions</tt>.</t>
            <figure anchor="ex-comid-cet">
              <name>Example Certifier CoMID</name>
              <sourcecode type="cbor-diag"><![CDATA[
/ concise-mid-tag / {
  / comid.tag-identity / 1 : {
    / comid.tag-id / 0 : "certifier.example/gizmo-v1",
  },
  / comid.entity / 2 : [ {
    / comid.entity-name / 0 : "Certifier Inc.",
    / comid.reg-id / 1 : 32("https://certifier.example"),
    / comid.role / 2 : [ 0 ] / tag-creator /
  } ],
  / comid.triples / 4 : {
    / comid.conditional-endorsement-triple / 10 : [
      [
        / conditions / [
          / stateful-environment / [
            / environment-map / {
              / comid.class / 0 : {
                / comid.class-id / 0 :
                  / tagged-bytes / 560(
                    h'61636d652d696d706c656d656e746174
                      696f6e2d69642d303030303030303031'
                  )
              }
            },
            / claims-list / [
              / measurement-map / {
                / comid.mkey / 0 : "psa.software-component",
                / comid.mval / 1 : {
                  / comid.digests / 2 : [ [
                    / hash-alg-id / "sha-256",
                    / hash-value / h'9a271f2a916b0b6ee6cecb2426f0b320
                                     6ef074578be55d9bc94f6f3fe3ab86aa'
                  ] ],
                  / name / 11 : "PRoT",
                  / cryptokeys / 13 : [ 560(h'5378796307535df3ec8d8b15a2
                                              e2dc5641419c3d3060cfe32238
                                              c0fa973f7aa3') ]
                }
              }
            ]
          ]
        ],
        / endorsements / [
          / endorsed-triple / [
            / environment / {
              / comid.class / 0 : {
                / comid.class-id / 0 :
                  / tagged-bytes / 560(
                    h'61636d652d696d706c656d656e746174
                      696f6e2d69642d303030303030303031'
                  )
              }
            },
            [
              / measurement-map / {
                / comid.mkey / 0 : "psa.certification",
                / comid.mval / 1 : {
                  / psa.cert-num / 100 : "1234567890123 - 12345"
                }
              }
            ]
          ]
        ]
      ]
    ]
  }
}
]]></sourcecode>
            </figure>
            <t>For the remainder of this section, we will assume that the CoRIM containing this CoMID is signed using the certifier's certificate, which has a thumbprint of <tt>768f..75b1</tt>.</t>
          </section>
          <section anchor="input-evidence">
            <name>Input Evidence</name>
            <t>The Verifier obtains Evidence from a PSA Attester in the format described in <xref target="RFC9783"/> and verifies its cryptographic integrity and validity.</t>
          </section>
          <section anchor="internal-representations">
            <name>Internal Representations</name>
            <t>As described in <xref target="sec-phase-1"/>, once all the "raw" inputs and have been validated, input transformations can start.</t>
            <t>The two Reference Values triples from the manufacturer's CoMID are mapped to their corresponding <tt>rv-item</tt>s (<xref target="ex-rv-item-1"/>, <xref target="ex-rv-item-2"/>) using the transformations defined in <xref target="algo-rv-transform"/>.</t>
            <t>The first triple:</t>
            <figure anchor="ex-rv-item-1">
              <name>First rv Relation Item</name>
              <sourcecode type="cbor-diag"><![CDATA[
{
  "condition": {
    "environment": {
      0: {
        0: 560(h'61636d652d696d706c656d656e746174
                 696f6e2d69642d303030303030303031')
      }
    },
    "element-list": [
      {
        "element-id": "psa.software-component",
        "element-claims": {
          2: [
            [
              "sha-256",
              h'9a271f2a916b0b6ee6cecb2426f0b320
                6ef074578be55d9bc94f6f3fe3ab86aa'
            ]
          ],
          11: "PRoT",
          13: [ 560(h'5378796307535df3ec8d8b15a2e2dc56
                      41419c3d3060cfe32238c0fa973f7aa3') ]
        }
      }
    ]
  },
  "addition": {
    "environment": {
      0: {
        0: 560(h'61636d652d696d706c656d656e746174
                 696f6e2d69642d303030303030303031')
      }
    },
    "authority": [
      559([
        "sha-256",
        h'482e829ad29ac6ea6eda2d47d1d93a00
          2bf41d9d88710ba972c36e59038f78b3'
      ])
    ],
    "cmtype": 0,
    "profile": 32("tag:arm.com,2025:psa#1.0.0")
  }
}
]]></sourcecode>
            </figure>
            <t>The second triple:</t>
            <figure anchor="ex-rv-item-2">
              <name>Second rv Relation Item</name>
              <sourcecode type="cbor-diag"><![CDATA[
{
  "condition": {
    "environment": {
      0: {
        0: 560(h'61636d652d696d706c656d656e746174
                 696f6e2d69642d303030303030303031')
      }
    },
    "element-list": [
      {
        "element-id": "psa.software-component",
        "element-claims": {
          2: [
            [
              "sha-256",
              h'a3fe9f414586c0d3cacbe3b6920a09d8
                718e503bca22e23fef882203bf765065'
            ]
          ],
          11: "PRoT",
          13: [ 560(h'5378796307535df3ec8d8b15a2e2dc56
                      41419c3d3060cfe32238c0fa973f7aa3') ]
        }
      }
    ]
  },
  "addition": {
    "environment": {
      0: {
        0: 560(h'61636d652d696d706c656d656e746174
                 696f6e2d69642d303030303030303031')
      }
    },
    "authority": [
      559([
        "sha-256",
        h'482e829ad29ac6ea6eda2d47d1d93a00
          2bf41d9d88710ba972c36e59038f78b3'
      ])
    ],
    "cmtype": 0,
    "profile": 32("tag:arm.com,2025:psa#1.0.0")
  }
}
]]></sourcecode>
            </figure>
            <t>Note the authorities in the addition ECT of both items, which are set to <tt>482e..78b3</tt>, and correspond to the thumbprint of the manufacturer's signing certificate.</t>
            <t>The Conditional Endorsement triple from the certifier's CoMID is mapped to its corresponding <tt>ev-item</tt> (<xref target="ex-ev-item"/>) using the transformation defined in <xref target="algo-ce-transform"/>.</t>
            <figure anchor="ex-ev-item">
              <name>First (and only) ev Relation Item</name>
              <sourcecode type="cbor-diag"><![CDATA[
{
  "condition": [
    {      
      "environment": {
          0: {
            0:
              560(h'61636d652d696d706c656d656e746174
                    696f6e2d69642d303030303030303031')
          }
      },
      "element-list": [
        {
          "element-id": "psa.software-component",
          "element-claims": {
            2 : [ [
              "sha-256",
              h'9a271f2a916b0b6ee6cecb2426f0b320
                6ef074578be55d9bc94f6f3fe3ab86aa'
            ] ],
            11 : "PRoT",
            13 : [ 560(h'5378796307535df3ec8d8b15a2
                         e2dc5641419c3d3060cfe32238
                         c0fa973f7aa3') ]
          }
        }
      ]
    }
  ],
  "addition": [
    { 
      "environment": {
        0: {
          0:
            560(h'61636d652d696d706c656d656e746174
                  696f6e2d69642d303030303030303031')
        }
      },
      "element-list": [
        {
          "element-id": "psa.certification",
          "element-claims": {
            100: "1234567890123 - 12345"
          }
        }
      ],
      "authority": [
        559([
          "sha-256",
          h'768ff09154f6aacda857cb175ef29cf9
            d23ef9c38c69efdbf20354dbfd7875b1'
        ])
      ],
      "cmtype": 1,
      "profile": 32("tag:arm.com,2025:psa#1.0.0")
    }
  ]
}
]]></sourcecode>
            </figure>
            <t>Note the authority in the addition ECT, which is set to <tt>768f..75b1</tt>, and corresponds to the thumbprint of the certifier's signing certificate.</t>
            <t>Evidence from the PSA Attester is transformed into the corresponding <tt>ae-item</tt> using the transformation defined in <xref target="I-D.fdb-rats-psa-endorsements"/>:</t>
            <figure anchor="ex-ae-item">
              <name>ae-item</name>
              <sourcecode type="cbor-diag"><![CDATA[
{
  "addition": {
    "environment": {
      0: {
        0: 560(h'61636d652d696d706c656d656e746174
                 696f6e2d69642d303030303030303031')
      },
      1: 550(h'01
               4ca3e4f50bf248c39787020d68ffd05c
               88767751bf2645ca923f57a98becd296')
    }
    "element-list": [
      {
        "element-id": "psa.software-component",
        "element-claims": {
          2: [
            [
              "sha-256",
              h'9a271f2a916b0b6ee6cecb2426f0b320
                6ef074578be55d9bc94f6f3fe3ab86aa'
            ]
          ],
          11: "PRoT",
          13: [ 560(h'5378796307535df3ec8d8b15a2e2dc56
                      41419c3d3060cfe32238c0fa973f7aa3') ]
        }
      }
    ],
    "authority": [
      554("-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETl4iCZ47zrRbRG0TVf0dw7VFlHtv
18HInYhnmMNybo+A1wuECyVqrDSmLt4QQzZPBECV8ANHS5HgGCCSr7E/Lg==
-----END PUBLIC KEY-----
")
    ],
    "cmtype": 2,
    "profile": 32("tag:arm.com,2025:psa#1.0.0")
  }
}
]]></sourcecode>
            </figure>
            <t>Note the authority in the ECT, which is set to <tt>MFkw..Lg=="</tt>, and corresponds to the Attester's PEM-encoded SPKI.</t>
          </section>
          <section anchor="appraisal">
            <name>Appraisal</name>
            <t>As described in <xref target="sec-appraisal-ctx-init"/>, the appraisal context is bootstrapped by loading the <tt>ae</tt> ECT(s) into the ACS, and the <tt>rv</tt> and <tt>ev</tt> relations into the Staging Area.
Then, ACS augmentation described in <xref target="sec-match-and-augment"/> can begin.</t>
            <t>The first relation to be processed is <tt>rv</tt>, according to the rules described in <xref target="sec-proc-rv-rel"/>.</t>
            <t>The condition of the first <tt>rv-item</tt> (<xref target="ex-rv-item-1"/>) is matched against the ACS which, at this time, contains a single ECT obtained from the <tt>ae-item</tt> (<xref target="ex-ae-item"/>).
The <tt>cmtype</tt> of the ACS-ECT is 2 (evidence), which is exactly the type <tt>rv-item</tt>s need to match against.
When the two are compared, it is found that the environments of the <tt>rv-item</tt> condition and the ACS-ECT match (note that the instance identifier in the ACS-ECT is ignored because it is not present in the <tt>rv-item</tt>).
The matching algorithm then proceeds to try to match the respective <tt>element-list</tt>s.
Both lists contain a single element, whose ID and claims are a perfect match.
Therefore, all the matching criteria are satisfied and the <tt>rv-item</tt> addition ECT is appended to the ACS.
Before this addition is made, the matched element from the <tt>rv-item</tt> condition is copied to the addition <tt>element-list</tt>.</t>
            <t>The ACS now contains two ECTs, one with <tt>cmtype</tt> 2 (evidence), and a second one with <tt>cmtype</tt> 0 (reference-value) that corroborates the first one with manufacturer authority (<xref target="ex-acs-1"/>).</t>
            <figure anchor="ex-acs-1">
              <name>ACS State after Corroboration</name>
              <artwork><![CDATA[
[
  / Evidence ECT / {
    "environment": {
      0: {
        0: 560(h'61636d652d696d706c656d656e746174
                 696f6e2d69642d303030303030303031')
      },
      1: 550(h'01
               4ca3e4f50bf248c39787020d68ffd05c
               88767751bf2645ca923f57a98becd296')
    }
    "element-list": [
      {
        "element-id": "psa.software-component",
        "element-claims": {
          2: [
            [
              "sha-256",
              h'9a271f2a916b0b6ee6cecb2426f0b320
                6ef074578be55d9bc94f6f3fe3ab86aa'
            ]
          ],
          11: "PRoT",
          13: [ 560(h'5378796307535df3ec8d8b15a2e2dc56
                      41419c3d3060cfe32238c0fa973f7aa3') ]
        }
      }
    ],
    "authority": [
      554("-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETl4iCZ47zrRbRG0TVf0dw7VFlHtv
18HInYhnmMNybo+A1wuECyVqrDSmLt4QQzZPBECV8ANHS5HgGCCSr7E/Lg==
-----END PUBLIC KEY-----
")
    ],
    "cmtype": 2,
    "profile": 32("tag:arm.com,2025:psa#1.0.0")
  },
  / Reference Value ECT / {
    "environment": {
      0: {
        0: 560(h'61636d652d696d706c656d656e746174
                 696f6e2d69642d303030303030303031')
      }
    },
    "element-list": [
      {
        "element-id": "psa.software-component",
        "element-claims": {
          2: [
            [
              "sha-256",
              h'9a271f2a916b0b6ee6cecb2426f0b320
                6ef074578be55d9bc94f6f3fe3ab86aa'
            ]
          ],
          11: "PRoT",
          13: [ 560(h'5378796307535df3ec8d8b15a2e2dc56
                      41419c3d3060cfe32238c0fa973f7aa3') ]
        }
      }
    ],
    "authority": [
      559([
        "sha-256",
        h'482e829ad29ac6ea6eda2d47d1d93a00
          2bf41d9d88710ba972c36e59038f78b3'
      ])
    ],
    "cmtype": 0,
    "profile": 32("tag:arm.com,2025:psa#1.0.0")
  }
]
]]></artwork>
            </figure>
            <t>The algorithm then moves on to the second <tt>rv-item</tt> (<xref target="ex-rv-item-2"/>), checking its condition against the ACS.
Once again, the ACS-ECT with <tt>cmtype</tt> 2 (evidence) is selected for matching.
This time, the environments match, but the state represented in the <tt>rv-item</tt>'s <tt>element-list</tt> is not (the digest differs).
This results in a no-op on the ACS.</t>
            <t>Next, the <tt>ev</tt> relation is popped from the Staging Area for processing according to the rules described in <xref target="sec-proc-ev-rel"/>.
The condition of the first (and only) <tt>ev-item</tt> (<xref target="ex-ev-item"/>) is then matched against the ACS.
The only applicable ACS-ECT is the one with <tt>cmtype</tt> 2 (evidence).
<cref>
The fact that {{sec-proc-ev-rel}} requires matching against reference values seems incorrect.
</cref>
When compared, the environment in the <tt>ev-item</tt> condition matches that of the ACS-ECT (again, the instance identifier in the ACS-ECT is ignored because it is not present in the <tt>ev-item</tt>), and the matching algorithm proceeds to try to match the respective <tt>element-list</tt>s.
Both lists contain a single element, whose ID and claims are an exact match.
Therefore, all the matching criteria are satisfied and the <tt>ev-item</tt> addition ECT is appended to the ACS.</t>
            <t>The ACS now contains three ECTs, one with <tt>cmtype</tt> 2 (evidence), a second with <tt>cmtype</tt> 0 (reference-value), which corroborates the first with manufacturer authority, and a third one with <tt>cmtype</tt> 1 (endorsements) which adds the PSA certification identifier as an endorsed value for the appraised environment with certifier's authority (<xref target="ex-acs-2"/>).</t>
            <figure anchor="ex-acs-2">
              <name>ACS State after Endorsements Augmentation</name>
              <artwork><![CDATA[
[
  / Evidence ECT / {
    "environment": {
      0: {
        0: 560(h'61636d652d696d706c656d656e746174
                 696f6e2d69642d303030303030303031')
      },
      1: 550(h'01
               4ca3e4f50bf248c39787020d68ffd05c
               88767751bf2645ca923f57a98becd296')
    }
    "element-list": [
      {
        "element-id": "psa.software-component",
        "element-claims": {
          2: [
            [
              "sha-256",
              h'9a271f2a916b0b6ee6cecb2426f0b320
                6ef074578be55d9bc94f6f3fe3ab86aa'
            ]
          ],
          11: "PRoT",
          13: [ 560(h'5378796307535df3ec8d8b15a2e2dc56
                      41419c3d3060cfe32238c0fa973f7aa3') ]
        }
      }
    ],
    "authority": [
      554("-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETl4iCZ47zrRbRG0TVf0dw7VFlHtv
18HInYhnmMNybo+A1wuECyVqrDSmLt4QQzZPBECV8ANHS5HgGCCSr7E/Lg==
-----END PUBLIC KEY-----
")
    ],
    "cmtype": 2,
    "profile": 32("tag:arm.com,2025:psa#1.0.0")
  },
  / Reference Value ECT / {
    "environment": {
      0: {
        0: 560(h'61636d652d696d706c656d656e746174
                 696f6e2d69642d303030303030303031')
      }
    },
    "element-list": [
      {
        "element-id": "psa.software-component",
        "element-claims": {
          2: [
            [
              "sha-256",
              h'9a271f2a916b0b6ee6cecb2426f0b320
                6ef074578be55d9bc94f6f3fe3ab86aa'
            ]
          ],
          11: "PRoT",
          13: [ 560(h'5378796307535df3ec8d8b15a2e2dc56
                      41419c3d3060cfe32238c0fa973f7aa3') ]
        }
      }
    ],
    "authority": [
      559([
        "sha-256",
        h'482e829ad29ac6ea6eda2d47d1d93a00
          2bf41d9d88710ba972c36e59038f78b3'
      ])
    ],
    "cmtype": 0,
    "profile": 32("tag:arm.com,2025:psa#1.0.0")
  },
  / Endorsed Value ECT / {
    "environment": {
      0: {
        0:
          560(h'61636d652d696d706c656d656e746174
                696f6e2d69642d303030303030303031')
      }
    },
    "element-list": [
      {
        "element-id": "psa.certification",
        "element-claims": {
          100: "1234567890123 - 12345"
        }
      }
    ],
    "authority": [
      559([
        "sha-256",
        h'768ff09154f6aacda857cb175ef29cf9
          d23ef9c38c69efdbf20354dbfd7875b1'
      ])
    ],
    "cmtype": 1,
    "profile": 32("tag:arm.com,2025:psa#1.0.0")
  }
]
]]></artwork>
            </figure>
            <t>At this point, all the relations in the Staging Area have been processed, and the <tt>match_and_augment</tt> algorithm (<xref target="algo-match-and-augment"/>) terminates, returning the computed ACS.</t>
          </section>
        </section>
      </section>
    </section>
    <section anchor="implementation-status">
      <name>Implementation Status</name>
      <t>This section records the status of known implementations of the protocol
defined by this specification at the time of posting of this Internet-Draft,
and is based on a proposal described in <xref target="RFC7942"/>. The description of
implementations in this section is intended to assist the IETF in its decision
processes in progressing drafts to RFCs.  Please note that the listing of any
individual implementation here does not imply endorsement by the IETF.
Furthermore, no effort has been spent to verify the information presented here
that was supplied by IETF contributors.  This is not intended as, and must not
be construed to be, a catalogue of available implementations or their features.
Readers are advised to note that other implementations may exist.</t>
      <t>According to <xref target="RFC7942"/>, "this will allow reviewers and working groups to
assign due consideration to documents that have the benefit of running code,
which may serve as Evidence of valuable experimentation and feedback that have
made the implemented protocols more mature.  It is up to the individual working
groups to use this information as they see fit".</t>
      <section anchor="veraison">
        <name>Veraison</name>
        <ul spacing="normal">
          <li>
            <t>Organization responsible for the implementation: Veraison Project, Linux
Foundation</t>
          </li>
          <li>
            <t>Implementation's web page:
<eref target="https://github.com/veraison/corim/blob/main/README.md">https://github.com/veraison/corim/README.md</eref></t>
          </li>
          <li>
            <t>Brief general description: There are three CoRIM libraries under project Veraison.
            </t>
            <ol spacing="normal" type="1"><li>
                <t><eref target="https://github.com/veraison/corim">CoRIM golang library</eref> The <tt>corim/corim</tt> and <tt>corim/comid</tt> packages
provide a golang API for low-level manipulation of Concise Reference
Integrity Manifest (CoRIM) and Concise Module Identifier (CoMID) tags
respectively.</t>
              </li>
              <li>
                <t><eref target="https://github.com/veraison/corim-rs">CoRIM rust library</eref> provide a rust implementation of
CoRIM specification.</t>
              </li>
              <li>
                <t><eref target="https://github.com/veraison/cover">CoRIM Processor</eref> provides a library for appraisal of Evidence by processing CoRIMs as outlined in <xref target="sec-corim-processor"/> of this specification.</t>
              </li>
            </ol>
            <t>
In addition to the base CoRIM Libraries, the <eref target="https://github.com/veraison/cocli">cocli package</eref> uses the golang API above (as well as the
API from the <tt>veraison/swid</tt> package) to provide a user command line
interface for working with CoRIM, CoMID and CoSWID. Specifically, it allows
creating, signing, verifying, displaying, uploading, and more. See
<eref target="https://github.com/veraison/cocli/README.md">https://github.com/veraison/cocli/README.md</eref> for further details.</t>
          </li>
          <li>
            <t>Implementation's level of maturity: alpha.</t>
          </li>
          <li>
            <t>Coverage: the whole protocol is implemented, including PSA-specific
extensions <xref target="I-D.fdb-rats-psa-endorsements"/>.</t>
          </li>
          <li>
            <t>Version compatibility: Version -06 of the draft</t>
          </li>
          <li>
            <t>Licensing: Apache 2.0
<eref target="https://github.com/veraison/corim/blob/main/LICENSE">https://github.com/veraison/corim/blob/main/LICENSE</eref></t>
          </li>
          <li>
            <t>Implementation experience: n/a</t>
          </li>
          <li>
            <t>Contact information:
<eref target="https://veraison.zulipchat.com">https://veraison.zulipchat.com</eref></t>
          </li>
          <li>
            <t>Last updated:
<eref target="https://github.com/veraison/corim/commits/main">https://github.com/veraison/corim/commits/main</eref>
              <eref target="https://github.com/veraison/corim-rs/commits/master/">https://github.com/veraison/corim-rs/commits/master/</eref>
              <eref target="https://github.com/veraison/cover/commits/main/">https://github.com/veraison/cover/commits/main/</eref></t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-sec">
      <name>Security and Privacy Considerations</name>
      <t>Evidence appraisal is at the core of any RATS protocol flow, mediating all interactions between Attesters and their Relying Parties.
The Verifier is effectively part of the Attesters' and Relying Parties' trusted computing base (TCB).
Any mistake in the appraisal procedure conducted by the Verifier could have security implications.
For instance, it could lead to the subversion of an access control function, which creates a chance for privilege escalation.</t>
      <t>Therefore, the Verifier’s code and configuration, especially those of the CoRIM processor, are primary security assets that must be built and maintained as securely as possible.</t>
      <t>The protection of the Verifier system should be considered throughout its entire lifecycle, from design to operation.
This includes the following aspects:</t>
      <ul spacing="normal">
        <li>
          <t>Minimizing implementation complexity (see also <xref section="6.1" sectionFormat="of" target="I-D.ietf-rats-endorsements"/>);</t>
        </li>
        <li>
          <t>Using memory-safe programming languages;</t>
        </li>
        <li>
          <t>Using secure defaults;</t>
        </li>
        <li>
          <t>Minimizing the attack surface by avoiding unnecessary features that could be exploited by attackers;</t>
        </li>
        <li>
          <t>Applying the principle of least privilege to the system's users;</t>
        </li>
        <li>
          <t>Minimizing the potential impact of security breaches by implementing separation of duties in both the software and operational architecture;</t>
        </li>
        <li>
          <t>Conducting regular, automated audits and reviews of the system, such as ensuring that users' privileges are correctly configured and that any new code has been audited and approved by independent parties;</t>
        </li>
        <li>
          <t>Failing securely in the event of errors to avoid compromising the security of the system.</t>
        </li>
      </ul>
      <t>It is critical that appraisal procedures are auditable and reproducible.
The integrity of code and data during execution is an explicit objective, for example, ensuring that the appraisal functions are executed in an attestable trusted execution environment (TEE).</t>
      <t>Please review the Security and Privacy Considerations in Sections <xref target="I-D.ietf-rats-endorsements" section="8" sectionFormat="bare"/> and <xref target="I-D.ietf-rats-endorsements" section="9" sectionFormat="bare"/> of <xref target="I-D.ietf-rats-endorsements"/>; these considerations apply to this document as well.</t>
    </section>
    <section anchor="sec-iana-cons">
      <name>IANA Considerations</name>
      <section anchor="new-cose-header-parameters">
        <name>New COSE Header Parameters</name>
      </section>
      <section anchor="sec-iana-cbor-tags">
        <name>New CBOR Tags</name>
        <t>IANA is requested to allocate the following tags in the "CBOR Tags" registry <xref target="IANA.cbor-tags"/>, preferably with the specific CBOR tag value requested:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Tag</th>
              <th align="left">Data Item</th>
              <th align="left">Semantics</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">500</td>
              <td align="left">
                <tt>tag</tt></td>
              <td align="left">Reserved for backward compatibility</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">501</td>
              <td align="left">
                <tt>map</tt></td>
              <td align="left">A tagged-unsigned-corim-map, see <xref target="sec-corim-map"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">502-504</td>
              <td align="left">
                <tt>any</tt></td>
              <td align="left">Earmarked for CoRIM</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">505</td>
              <td align="left">
                <tt>bytes</tt></td>
              <td align="left">A tagged-concise-swid-tag, see <xref target="sec-corim-tags"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">506</td>
              <td align="left">
                <tt>bytes</tt></td>
              <td align="left">A tagged-concise-mid-tag, see <xref target="sec-corim-tags"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">507</td>
              <td align="left">
                <tt>any</tt></td>
              <td align="left">Earmarked for CoRIM</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">508</td>
              <td align="left">
                <tt>bytes</tt></td>
              <td align="left">A tagged-concise-tl-tag, see <xref target="sec-corim-tags"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">509-549</td>
              <td align="left">
                <tt>any</tt></td>
              <td align="left">Earmarked for CoRIM</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">550</td>
              <td align="left">
                <tt>bytes .size (7..33)</tt></td>
              <td align="left">tagged-ueid-type, see <xref target="sec-common-ueid"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">552</td>
              <td align="left">
                <tt>uint</tt></td>
              <td align="left">tagged-svn, see <xref target="sec-comid-svn"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">553</td>
              <td align="left">
                <tt>uint</tt></td>
              <td align="left">tagged-min-svn, see <xref target="sec-comid-svn"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">554</td>
              <td align="left">
                <tt>text</tt></td>
              <td align="left">tagged-pkix-base64-key-type, see <xref target="sec-crypto-keys"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">555</td>
              <td align="left">
                <tt>text</tt></td>
              <td align="left">tagged-pkix-base64-cert-type, see <xref target="sec-crypto-keys"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">556</td>
              <td align="left">
                <tt>text</tt></td>
              <td align="left">tagged-pkix-base64-cert-path-type, see <xref target="sec-crypto-keys"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">557</td>
              <td align="left">
                <tt>[int/text, bytes]</tt></td>
              <td align="left">tagged-key-thumbprint-type, see <xref target="sec-common-hash-entry"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">558</td>
              <td align="left">
                <tt>COSE_Key</tt></td>
              <td align="left">tagged-cose-key-type, see <xref target="sec-crypto-keys"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">559</td>
              <td align="left">
                <tt>digest</tt></td>
              <td align="left">tagged-cert-thumbprint-type, see <xref target="sec-crypto-keys"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">560</td>
              <td align="left">
                <tt>bytes</tt></td>
              <td align="left">tagged-bytes, see <xref target="sec-common-tagged-bytes"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">561</td>
              <td align="left">
                <tt>digest</tt></td>
              <td align="left">tagged-cert-path-thumbprint-type, see <xref target="sec-crypto-keys"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">562</td>
              <td align="left">
                <tt>bytes</tt></td>
              <td align="left">tagged-pkix-asn1der-cert-type, see <xref target="sec-crypto-keys"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">563</td>
              <td align="left">
                <tt>tagged-masked-raw-value</tt></td>
              <td align="left">tagged-masked-raw-value, see <xref target="sec-comid-raw-value-types"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">564</td>
              <td align="left">
                <tt>array</tt></td>
              <td align="left">tagged-int-range, see <xref target="sec-comid-int-range"/></td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">565-599</td>
              <td align="left">
                <tt>any</tt></td>
              <td align="left">Earmarked for CoRIM</td>
              <td align="left">RFCthis</td>
            </tr>
          </tbody>
        </table>
        <t>Tags designated as "Earmarked for CoRIM" can be reassigned by IANA based on advice from the designated expert for the CBOR Tags registry.</t>
      </section>
      <section anchor="sec-iana-corim">
        <name>CoRIM Map Registry</name>
        <t>This document defines a new registry titled "CoRIM Map".
The registry uses integer values as index values for items in <tt>corim-map</tt> CBOR maps.</t>
        <t>Future registrations for this registry are to be made based on <xref target="RFC8126"/> as follows:</t>
        <table anchor="tbl-iana-corim-map-items-reg-procedures">
          <name>CoRIM Map Items Registration Procedures</name>
          <thead>
            <tr>
              <th align="left">Range</th>
              <th align="left">Registration Procedures</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0-127</td>
              <td align="left">Standards Action</td>
            </tr>
            <tr>
              <td align="left">128-255</td>
              <td align="left">Specification Required</td>
            </tr>
          </tbody>
        </table>
        <t>All negative values are reserved for Private Use.</t>
        <t>Initial registrations for the "CoRIM Map" registry are provided below.
Assignments consist of an integer index value, the item name, and a reference to the defining specification.</t>
        <table anchor="tbl-iana-corim-map-items">
          <name>CoRIM Map Items Initial Registrations</name>
          <thead>
            <tr>
              <th align="left">Index</th>
              <th align="left">Item Name</th>
              <th align="left">Specification</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">id</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">tags</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">dependent-rims</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">3</td>
              <td align="left">profile</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">4</td>
              <td align="left">rim-validity</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">5</td>
              <td align="left">entities</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">3-255</td>
              <td align="left">Unassigned</td>
              <td align="left"> </td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="sec-iana-corim-entity-map">
        <name>CoRIM Entity Map Registry</name>
        <t>This document defines a new registry titled "CoRIM Entity Map".
The registry uses integer values as index values for items in <tt>corim-entity-map</tt> CBOR maps.</t>
        <t>Future registrations for this registry are to be made based on <xref target="RFC8126"/> as follows:</t>
        <table anchor="tbl-iana-corim-entity-map-items-reg-procedures">
          <name>CoRIM Entity Map Items Registration Procedures</name>
          <thead>
            <tr>
              <th align="left">Range</th>
              <th align="left">Registration Procedures</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0-127</td>
              <td align="left">Standards Action</td>
            </tr>
            <tr>
              <td align="left">128-255</td>
              <td align="left">Specification Required</td>
            </tr>
          </tbody>
        </table>
        <t>All negative values are reserved for Private Use.</t>
        <t>Initial registrations for the "CoRIM Entity Map" registry are provided below.
Assignments consist of an integer index value, the item name, and a reference to the defining specification.</t>
        <table anchor="tbl-iana-corim-entity-map-items">
          <name>CoRIM Entity Map Items Initial Registrations</name>
          <thead>
            <tr>
              <th align="left">Index</th>
              <th align="left">Item Name</th>
              <th align="left">Value Type</th>
              <th align="left">Specification</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">entity-name</td>
              <td align="left">
                <tt>text</tt></td>
              <td align="left">Name of the entity responsible for the actions of the role.</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">reg-id</td>
              <td align="left">
                <tt>uri</tt></td>
              <td align="left">A URI associated with the organization that owns the entity name.</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">role</td>
              <td align="left">
                <tt>[ + role-type-choice ]</tt></td>
              <td align="left">A type choice defining the roles that the entity is claiming.</td>
            </tr>
            <tr>
              <td align="left">3-255</td>
              <td align="left">Unassigned</td>
              <td align="left"> </td>
              <td align="left"> </td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="sec-iana-corim-signer-map">
        <name>CoRIM Signer Map Registry</name>
        <t>This document defines a new registry titled "CoRIM Signer Map".
The registry uses integer values as index values for items in <tt>corim-signer-map</tt> CBOR maps.</t>
        <t>Future registrations for this registry are to be made based on <xref target="RFC8126"/> as follows:</t>
        <table anchor="tbl-iana-corim-signer-map-items-reg-procedures">
          <name>CoRIM Signer Map Items Registration Procedures</name>
          <thead>
            <tr>
              <th align="left">Range</th>
              <th align="left">Registration Procedures</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0-127</td>
              <td align="left">Standards Action</td>
            </tr>
            <tr>
              <td align="left">128-255</td>
              <td align="left">Specification Required</td>
            </tr>
          </tbody>
        </table>
        <t>All negative values are reserved for Private Use.</t>
        <t>Initial registrations for the "CoRIM Signer Map" registry are provided below.
Assignments consist of an integer index value, the item name, and a reference to the defining specification.</t>
        <table anchor="tbl-iana-corim-signer-map-items">
          <name>CoRIM Signer Map Items Initial Registrations</name>
          <thead>
            <tr>
              <th align="left">Index</th>
              <th align="left">Item Name</th>
              <th align="left">Specification</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">signer-name</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">signer-uri</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">2-255</td>
              <td align="left">Unassigned</td>
              <td align="left"> </td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="sec-iana-comid">
        <name>CoMID Map Registry</name>
        <t>This document defines a new registry titled "CoMID Map".
The registry uses integer values as index values for items in <tt>concise-mid-tag</tt> CBOR maps.</t>
        <t>Future registrations for this registry are to be made based on <xref target="RFC8126"/> as follows:</t>
        <table anchor="tbl-iana-comid-map-items-reg-procedures">
          <name>CoMID Map Items Registration Procedures</name>
          <thead>
            <tr>
              <th align="left">Range</th>
              <th align="left">Registration Procedures</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0-127</td>
              <td align="left">Standards Action</td>
            </tr>
            <tr>
              <td align="left">128-255</td>
              <td align="left">Specification Required</td>
            </tr>
          </tbody>
        </table>
        <t>All negative values are reserved for Private Use.</t>
        <t>Initial registrations for the "CoMID Map" registry are provided below.
Assignments consist of an integer index value, the item name, and a reference to the defining specification.</t>
        <table anchor="tbl-iana-comid-map-items">
          <name>CoMID Map Items Initial Registrations</name>
          <thead>
            <tr>
              <th align="left">Index</th>
              <th align="left">Item Name</th>
              <th align="left">Specification</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">language</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">tag-identity</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">entity</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">3</td>
              <td align="left">linked-tags</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">4</td>
              <td align="left">triples</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">5-255</td>
              <td align="left">Unassigned</td>
              <td align="left"> </td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="sec-iana-comid-entity-map">
        <name>CoMID Entity Map Registry</name>
        <t>This document defines a new registry titled "CoRIM Entity Map".
The registry uses integer values as index values for items in <tt>corim-entity-map</tt> CBOR maps.</t>
        <t>Future registrations for this registry are to be made based on <xref target="RFC8126"/> as follows:</t>
        <table anchor="tbl-iana-comid-entity-map-items-reg-procedures">
          <name>CoMID Entity Map Items Registration Procedures</name>
          <thead>
            <tr>
              <th align="left">Range</th>
              <th align="left">Registration Procedures</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0-127</td>
              <td align="left">Standards Action</td>
            </tr>
            <tr>
              <td align="left">128-255</td>
              <td align="left">Specification Required</td>
            </tr>
          </tbody>
        </table>
        <t>All negative values are reserved for Private Use.</t>
        <t>Initial registrations for the "CoMID Entity Map" registry are provided below.
Assignments consist of an integer index value, the item name, and a reference to the defining specification.</t>
        <table anchor="tbl-iana-comid-entity-map-items">
          <name>CoMID Entity Map Items Initial Registrations</name>
          <thead>
            <tr>
              <th align="left">Index</th>
              <th align="left">Item Name</th>
              <th align="left">Value Type</th>
              <th align="left">Specification</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">entity-name</td>
              <td align="left">
                <tt>text</tt></td>
              <td align="left">Name of the entity responsible for the actions of the role.</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">reg-id</td>
              <td align="left">
                <tt>uri</tt></td>
              <td align="left">A URI associated with the organization that owns the entity name.</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">role</td>
              <td align="left">
                <tt>[ + role-type-choice ]</tt></td>
              <td align="left">A type choice defining the roles that the entity is claiming.</td>
            </tr>
            <tr>
              <td align="left">3-255</td>
              <td align="left">Unassigned</td>
              <td align="left"> </td>
              <td align="left"> </td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="sec-iana-triples-map">
        <name>CoMID Triples Map Registry</name>
        <t>This document defines a new registry titled "CoMID Triples Map".
The registry uses integer values as index values for items in the <tt>triples-map</tt> CBOR maps in <tt>concise-mid-tag</tt> codepoint 4.</t>
        <t>Future registrations for this registry are to be made based on <xref target="RFC8126"/> as follows:</t>
        <table anchor="tbl-iana-comid-triples-map-items-reg-procedures">
          <name>CoMID Triples Map Items Registration Procedures</name>
          <thead>
            <tr>
              <th align="left">Range</th>
              <th align="left">Registration Procedures</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0-1023</td>
              <td align="left">Standards Action</td>
            </tr>
            <tr>
              <td align="left">1024-65535</td>
              <td align="left">Specification Required</td>
            </tr>
            <tr>
              <td align="left">65536-18446744073709551616</td>
              <td align="left">First come first served</td>
            </tr>
          </tbody>
        </table>
        <t>All negative values are reserved for Private Use.</t>
        <t>Initial registrations for the "CoMID Triples Map" registry are provided below.
Assignments consist of an integer index value, the item name, and a reference to the defining specification.</t>
        <table anchor="tbl-iana-triples-map-items">
          <name>CoMID Triples Map Items Initial Registrations</name>
          <thead>
            <tr>
              <th align="left">Index</th>
              <th align="left">Item Name</th>
              <th align="left">Specification</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">reference-triples</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">endorsed-triples</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">identity-triples</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">3</td>
              <td align="left">attest-key-triples</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">4</td>
              <td align="left">dependency-triples</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">5</td>
              <td align="left">membership-triples</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">6</td>
              <td align="left">coswid-triples</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">7</td>
              <td align="left">(reserved)</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">8</td>
              <td align="left">conditional-endorsement-series-triples</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">9</td>
              <td align="left">(reserved)</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">10</td>
              <td align="left">conditional-endorsement-triples</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">11-18446744073709551616</td>
              <td align="left">Unassigned</td>
              <td align="left"> </td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="sec-iana-comid-measurement-values-map">
        <name>CoMID Measurement Values Map Registry</name>
        <t>This document defines a new registry titled "CoMID Measurement Values Map".
The registry uses integer values as index values for items in multiple triples' representations.</t>
        <t>Future registrations for this registry are to be made based on <xref target="RFC8126"/> as follows:</t>
        <table anchor="tbl-iana-comid-measurement-values-map-items-reg-procedures">
          <name>CoMID Measurement Values Map Items Registration Procedures</name>
          <thead>
            <tr>
              <th align="left">Range</th>
              <th align="left">Registration Procedures</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0-1023</td>
              <td align="left">Standards Action</td>
            </tr>
            <tr>
              <td align="left">1024-65535</td>
              <td align="left">Specification Required</td>
            </tr>
            <tr>
              <td align="left">65536-18446744073709551616</td>
              <td align="left">First come first served</td>
            </tr>
          </tbody>
        </table>
        <t>All negative values are reserved for Private Use.</t>
        <t>Initial registrations for the "CoMID Measurement Values Map" registry are provided below.
Assignments consist of an integer index value, the item name, and a reference to the defining specification.</t>
        <table anchor="tbl-iana-comid-measurement-values-map-items">
          <name>Measurement Values Map Items Initial Registrations</name>
          <thead>
            <tr>
              <th align="left">Index</th>
              <th align="left">Item Name</th>
              <th align="left">Specification</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">version</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">svn</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">digests</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">3</td>
              <td align="left">flags</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">4</td>
              <td align="left">raw-value</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">5</td>
              <td align="left">raw-value-mask-DEPRECATED</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">6</td>
              <td align="left">mac-addr</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">7</td>
              <td align="left">ip-addr</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">8</td>
              <td align="left">serial-number</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">9</td>
              <td align="left">ueid</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">10</td>
              <td align="left">uuid</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">11</td>
              <td align="left">name</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">12</td>
              <td align="left">(reserved)</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">13</td>
              <td align="left">cryptokeys</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">14</td>
              <td align="left">integrity-registers</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">15</td>
              <td align="left">int-range</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">16-18446744073709551616</td>
              <td align="left">Unassigned</td>
              <td align="left"> </td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="sec-iana-comid-flags-map">
        <name>CoMID Flags Map Registry</name>
        <t>This document defines a new registry titled "CoMID Flags Map".
The registry uses integer values as index values for items in <tt>measurement-values-map</tt> codepoint 3.</t>
        <t>Future registrations for this registry are to be made based on <xref target="RFC8126"/> as follows:</t>
        <table anchor="tbl-iana-comid-flags-map-items-reg-procedures">
          <name>CoMID Flags Map Items Registration Procedures</name>
          <thead>
            <tr>
              <th align="left">Range</th>
              <th align="left">Registration Procedures</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0-1023</td>
              <td align="left">Standards Action</td>
            </tr>
            <tr>
              <td align="left">1024-65535</td>
              <td align="left">Specification Required</td>
            </tr>
            <tr>
              <td align="left">65536-18446744073709551616</td>
              <td align="left">First come first served</td>
            </tr>
          </tbody>
        </table>
        <t>All negative values are reserved for Private Use.</t>
        <t>Initial registrations for the "CoMID Measurement Values Map" registry are provided below.
Assignments consist of an integer index value, the item name, and a reference to the defining specification.</t>
        <table anchor="tbl-iana-comid-flags-map-items">
          <name>Flags Map Items Initial Registrations</name>
          <thead>
            <tr>
              <th align="left">Index</th>
              <th align="left">Item Name</th>
              <th align="left">Specification</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">is-configured</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">is-secure</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">is-recovery</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">3</td>
              <td align="left">is-debug</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">4</td>
              <td align="left">is-replay-protected</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">5</td>
              <td align="left">is-integrity-protected</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">6</td>
              <td align="left">is-runtime-meas</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">7</td>
              <td align="left">is-immutable</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">8</td>
              <td align="left">is-tcb</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">9</td>
              <td align="left">is-confidentiality-protected</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">10</td>
              <td align="left">is-runtime-updatable</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">11-18446744073709551616</td>
              <td align="left">Unassigned</td>
              <td align="left"> </td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="sec-iana-cotl">
        <name>CoTL Map Registry</name>
        <t>This document defines a new registry titled "CoTL Map".
The registry uses integer values as index values for items in 'concise-tl-tag' CBOR maps.</t>
        <t>Future registrations for this registry are to be made based on <xref target="RFC8126"/> as follows:</t>
        <table anchor="tbl-iana-cotl-map-items-reg-procedures">
          <name>CoTL Map Items Registration Procedures</name>
          <thead>
            <tr>
              <th align="left">Range</th>
              <th align="left">Registration Procedures</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0-127</td>
              <td align="left">Standards Action</td>
            </tr>
            <tr>
              <td align="left">128-255</td>
              <td align="left">Specification Required</td>
            </tr>
          </tbody>
        </table>
        <t>All negative values are reserved for Private Use.</t>
        <t>Initial registrations for the "CoTL Map" registry are provided below.
Assignments consist of an integer index value, the item name, and a reference to the defining specification.</t>
        <table anchor="tbl-iana-tl-map-items">
          <name>CoTL Map Items Initial Registrations</name>
          <thead>
            <tr>
              <th align="left">Index</th>
              <th align="left">Item Name</th>
              <th align="left">Specification</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">tag-identity</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">tags-list</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">tl-validity</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">3-255</td>
              <td align="left">Unassigned</td>
              <td align="left"> </td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="sec-iana-media-types">
        <name>New Media Types</name>
        <t>IANA is requested to add the following media types to the "Media Types"
registry <xref target="IANA.media-types"/>.</t>
        <table align="left" anchor="tbl-media-type">
          <name>New Media Types</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">Template</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">rim+cbor</td>
              <td align="left">application/rim+cbor</td>
              <td align="left">RFCthis, (<xref target="sec-mt-rim-cbor"/>)</td>
            </tr>
            <tr>
              <td align="left">rim+cose</td>
              <td align="left">application/rim+cose</td>
              <td align="left">RFCthis, (<xref target="sec-mt-rim-cose"/>)</td>
            </tr>
          </tbody>
        </table>
        <section anchor="sec-mt-rim-cbor">
          <name>rim+cbor</name>
          <dl spacing="compact">
            <dt>Type name:</dt>
            <dd>
              <t><tt>application</tt></t>
            </dd>
            <dt>Subtype name:</dt>
            <dd>
              <t><tt>rim+cbor</tt></t>
            </dd>
            <dt>Required parameters:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Optional parameters:</dt>
            <dd>
              <t>"profile" (CoRIM profile in string format.  OIDs MUST use the dotted-decimal
notation.)</t>
            </dd>
            <dt>Encoding considerations:</dt>
            <dd>
              <t>binary</t>
            </dd>
            <dt>Security considerations:</dt>
            <dd>
              <t><xref target="sec-sec"/> of RFCthis</t>
            </dd>
            <dt>Interoperability considerations:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Published specification:</dt>
            <dd>
              <t>RFCthis</t>
            </dd>
            <dt>Applications that use this media type:</dt>
            <dd>
              <t>Attestation Verifiers, Endorsers and Reference-Value providers that need to
transfer unprotected CoRIM payloads over HTTP(S), CoAP(S), and other
transports.</t>
            </dd>
            <dt>Fragment identifier considerations:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Magic number(s):</dt>
            <dd>
              <t><tt>D9 01 F5</tt></t>
            </dd>
            <dt>File extension(s):</dt>
            <dd>
              <t>.corim</t>
            </dd>
            <dt>Macintosh file type code(s):</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Person and email address to contact for further information:</dt>
            <dd>
              <t>RATS WG mailing list (rats@ietf.org)</t>
            </dd>
            <dt>Intended usage:</dt>
            <dd>
              <t>COMMON</t>
            </dd>
            <dt>Restrictions on usage:</dt>
            <dd>
              <t>none</t>
            </dd>
            <dt>Author/Change controller:</dt>
            <dd>
              <t>IETF</t>
            </dd>
            <dt>Provisional registration?</dt>
            <dd>
              <t>Maybe</t>
            </dd>
          </dl>
        </section>
        <section anchor="sec-mt-rim-cose">
          <name>rim+cose</name>
          <dl spacing="compact">
            <dt>Type name:</dt>
            <dd>
              <t><tt>application</tt></t>
            </dd>
            <dt>Subtype name:</dt>
            <dd>
              <t><tt>rim+cose</tt></t>
            </dd>
            <dt>Required parameters:</dt>
            <dd>
              <t>n/a (cose-type is explicitly not supported, as it is understood to be "cose-sign1")</t>
            </dd>
            <dt>Optional parameters:</dt>
            <dd>
              <t>"profile" (CoRIM profile in string format.  OIDs MUST use the dotted-decimal
notation.)</t>
            </dd>
            <dt>Encoding considerations:</dt>
            <dd>
              <t>binary</t>
            </dd>
            <dt>Security considerations:</dt>
            <dd>
              <t><xref target="sec-sec"/> of RFCthis</t>
            </dd>
            <dt>Interoperability considerations:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Published specification:</dt>
            <dd>
              <t>RFCthis</t>
            </dd>
            <dt>Applications that use this media type:</dt>
            <dd>
              <t>Attestation Verifiers, Endorsers and Reference-Value providers that need to
transfer CoRIM payloads protected using COSE Sign1 over HTTP(S), CoAP(S), and other
transports.</t>
            </dd>
            <dt>Fragment identifier considerations:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Magic number(s):</dt>
            <dd>
              <t><tt>D2 84</tt></t>
            </dd>
            <dt>File extension(s):</dt>
            <dd>
              <t>.corim</t>
            </dd>
            <dt>Macintosh file type code(s):</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Person and email address to contact for further information:</dt>
            <dd>
              <t>RATS WG mailing list (rats@ietf.org)</t>
            </dd>
            <dt>Intended usage:</dt>
            <dd>
              <t>COMMON</t>
            </dd>
            <dt>Restrictions on usage:</dt>
            <dd>
              <t>none</t>
            </dd>
            <dt>Author/Change controller:</dt>
            <dd>
              <t>IETF</t>
            </dd>
            <dt>Provisional registration?</dt>
            <dd>
              <t>Maybe</t>
            </dd>
          </dl>
        </section>
      </section>
      <section anchor="coap-content-formats-registration">
        <name>CoAP Content-Formats Registration</name>
        <t>IANA is requested to register the two following Content-Format numbers in the
"CoAP Content-Formats" sub-registry, within the "Constrained RESTful
Environments (CoRE) Parameters" Registry <xref target="IANA.core-parameters"/>:</t>
        <table align="left">
          <name>New Content-Formats</name>
          <thead>
            <tr>
              <th align="left">Content-Type</th>
              <th align="left">Content Coding</th>
              <th align="left">ID</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">application/rim+cbor</td>
              <td align="left">-</td>
              <td align="left">TBD1</td>
              <td align="left">RFCthis</td>
            </tr>
            <tr>
              <td align="left">application/rim+cose</td>
              <td align="left">-</td>
              <td align="left">TBD2</td>
              <td align="left">RFCthis</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9562">
          <front>
            <title>Universally Unique IDentifiers (UUIDs)</title>
            <author fullname="K. Davis" initials="K." surname="Davis"/>
            <author fullname="B. Peabody" initials="B." surname="Peabody"/>
            <author fullname="P. Leach" initials="P." surname="Leach"/>
            <date month="May" year="2024"/>
            <abstract>
              <t>This specification defines UUIDs (Universally Unique IDentifiers) --
also known as GUIDs (Globally Unique IDentifiers) -- and a Uniform
Resource Name namespace for UUIDs. A UUID is 128 bits long and is
intended to guarantee uniqueness across space and time. UUIDs were
originally used in the Apollo Network Computing System (NCS), later
in the Open Software Foundation's (OSF's) Distributed Computing
Environment (DCE), and then in Microsoft Windows platforms.</t>
              <t>This specification is derived from the OSF DCE specification with the
kind permission of the OSF (now known as "The Open Group"). Information from earlier versions of the OSF DCE specification have
been incorporated into this document. This document obsoletes RFC
4122.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9562"/>
          <seriesInfo name="DOI" value="10.17487/RFC9562"/>
        </reference>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC7468">
          <front>
            <title>Textual Encodings of PKIX, PKCS, and CMS Structures</title>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <author fullname="S. Leonard" initials="S." surname="Leonard"/>
            <date month="April" year="2015"/>
            <abstract>
              <t>This document describes and discusses the textual encodings of the Public-Key Infrastructure X.509 (PKIX), Public-Key Cryptography Standards (PKCS), and Cryptographic Message Syntax (CMS). The textual encodings are well-known, are implemented by several applications and libraries, and are widely deployed. This document articulates the de facto rules by which existing implementations operate and defines them so that future implementations can interoperate.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7468"/>
          <seriesInfo name="DOI" value="10.17487/RFC7468"/>
        </reference>
        <reference anchor="RFC8610">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="C. Vigano" initials="C." surname="Vigano"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="RFC9090">
          <front>
            <title>Concise Binary Object Representation (CBOR) Tags for Object Identifiers</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="July" year="2021"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR), defined in RFC 8949, is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation.</t>
              <t>This document defines CBOR tags for object identifiers (OIDs) and is the reference document for the IANA registration of the CBOR tags so defined.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9090"/>
          <seriesInfo name="DOI" value="10.17487/RFC9090"/>
        </reference>
        <reference anchor="RFC9164">
          <front>
            <title>Concise Binary Object Representation (CBOR) Tags for IPv4 and IPv6 Addresses and Prefixes</title>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="December" year="2021"/>
            <abstract>
              <t>This specification defines two Concise Binary Object Representation (CBOR) tags for use with IPv6 and IPv4 addresses and prefixes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9164"/>
          <seriesInfo name="DOI" value="10.17487/RFC9164"/>
        </reference>
        <reference anchor="STD96">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="STD94">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="STD66">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="RFC9393">
          <front>
            <title>Concise Software Identification Tags</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="J. Fitzgerald-McKay" initials="J." surname="Fitzgerald-McKay"/>
            <author fullname="C. Schmidt" initials="C." surname="Schmidt"/>
            <author fullname="D. Waltermire" initials="D." surname="Waltermire"/>
            <date month="June" year="2023"/>
            <abstract>
              <t>ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an extensible XML-based structure to identify and describe individual software components, patches, and installation bundles. SWID tag representations can be too large for devices with network and storage constraints. This document defines a concise representation of SWID tags: Concise SWID (CoSWID) tags. CoSWID supports a set of semantics and features that are similar to those for SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information, all in a more memory-efficient format.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9393"/>
          <seriesInfo name="DOI" value="10.17487/RFC9393"/>
        </reference>
        <reference anchor="RFC9597">
          <front>
            <title>CBOR Web Token (CWT) Claims in COSE Headers</title>
            <author fullname="T. Looker" initials="T." surname="Looker"/>
            <author fullname="M.B. Jones" initials="M.B." surname="Jones"/>
            <date month="June" year="2024"/>
            <abstract>
              <t>This document describes how to include CBOR Web Token (CWT) claims in the header parameters of any CBOR Object Signing and Encryption (COSE) structure. This functionality helps to facilitate applications that wish to make use of CWT claims in encrypted COSE structures and/or COSE structures featuring detached signatures, while having some of those claims be available before decryption and/or without inspecting the detached payload. Another use case is using CWT claims with payloads that are not CWT Claims Sets, including payloads that are not CBOR at all.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9597"/>
          <seriesInfo name="DOI" value="10.17487/RFC9597"/>
        </reference>
        <reference anchor="RFC8392">
          <front>
            <title>CBOR Web Token (CWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8392"/>
          <seriesInfo name="DOI" value="10.17487/RFC8392"/>
        </reference>
        <reference anchor="RFC9711">
          <front>
            <title>The Entity Attestation Token (EAT)</title>
            <author fullname="L. Lundblade" initials="L." surname="Lundblade"/>
            <author fullname="G. Mandyam" initials="G." surname="Mandyam"/>
            <author fullname="J. O'Donoghue" initials="J." surname="O'Donoghue"/>
            <author fullname="C. Wallace" initials="C." surname="Wallace"/>
            <date month="April" year="2025"/>
            <abstract>
              <t>An Entity Attestation Token (EAT) provides an attested claims set that describes the state and characteristics of an entity, a device such as a smartphone, an Internet of Things (IoT) device, network equipment, or such. This claims set is used by a relying party, server, or service to determine the type and degree of trust placed in the entity.</t>
              <t>An EAT is either a CBOR Web Token (CWT) or a JSON Web Token (JWT) with attestation-oriented claims.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9711"/>
          <seriesInfo name="DOI" value="10.17487/RFC9711"/>
        </reference>
        <reference anchor="I-D.ietf-rats-msg-wrap">
          <front>
            <title>RATS Conceptual Messages Wrapper (CMW)</title>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <author fullname="Ned Smith" initials="N." surname="Smith">
              <organization>Independent</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <author fullname="Dionna Glaze" initials="D." surname="Glaze">
              <organization>Google LLC</organization>
            </author>
            <date day="11" month="December" year="2025"/>
            <abstract>
              <t>   The Conceptual Messages introduced by the RATS architecture (RFC
   9334) are protocol-agnostic data units that are conveyed between RATS
   roles during remote attestation procedures.  Conceptual Messages
   describe the meaning and function of such data units within RATS data
   flows without specifying a wire format, encoding, transport
   mechanism, or processing details.  The initial set of Conceptual
   Messages is defined in Section 8 of RFC 9334 and includes Evidence,
   Attestation Results, Endorsements, Reference Values, and Appraisal
   Policies.

   This document introduces the Conceptual Message Wrapper (CMW) that
   provides a common structure to encapsulate these messages.  It
   defines a dedicated CBOR tag, corresponding JSON Web Token (JWT) and
   CBOR Web Token (CWT) claims, and an X.509 extension.

   This allows CMWs to be used in CBOR-based protocols, web APIs using
   JWTs and CWTs, and PKIX artifacts like X.509 certificates.
   Additionally, the draft defines a media type and a CoAP content
   format to transport CMWs over protocols like HTTP, MIME, and CoAP.

   The goal is to improve the interoperability and flexibility of remote
   attestation protocols.  Introducing a shared message format such as
   CMW enables consistent support for different attestation message
   types, evolving message serialization formats without breaking
   compatibility, and avoiding the need to redefine how messages are
   handled within each protocol.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-msg-wrap-23"/>
        </reference>
        <reference anchor="I-D.ietf-rats-eat-measured-component">
          <front>
            <title>Entity Attestation Token (EAT) Measured Component</title>
            <author fullname="Simon Frost" initials="S." surname="Frost">
              <organization>Arm</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <date day="20" month="February" year="2026"/>
            <abstract>
              <t>   The term "measured component" refers to an object within the
   attester's target environment whose state can be sampled and
   typically digested using a cryptographic hash function.  Examples of
   measured components include firmware stored in flash memory, software
   loaded into memory at start time, data stored in a file system, or
   values in a CPU register.  This document provides the information
   model for the "measured component" and two associated data models.
   This separation is intentional: the JSON and CBOR serializations,
   coupled with the media types and associated Constrained Application
   Protocol (CoAP) Content-Formats, enable the immediate use of the
   semantics within the Entity Attestation Token (EAT) framework.
   Meanwhile, the information model can be reused in future
   specifications to provide additional serializations, for example,
   using ASN.1.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-eat-measured-component-12"/>
        </reference>
        <reference anchor="IANA.language-subtag-registry" target="https://www.iana.org/assignments/language-subtag-registry">
          <front>
            <title>Language Subtag Registry</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="X.690">
          <front>
            <title>ASN.1 encoding rules: Specification of basic encoding Rules (BER), Canonical encoding rules (CER) and Distinguished encoding rules (DER)</title>
            <author>
              <organization>International Telephone and Telegraph
Consultative Committee</organization>
            </author>
            <date month="July" year="2002"/>
          </front>
          <seriesInfo name="CCITT" value="Recommendation X.690"/>
        </reference>
        <reference anchor="I-D.ietf-cose-hash-envelope">
          <front>
            <title>COSE Hash Envelope</title>
            <author fullname="Orie Steele" initials="O." surname="Steele">
         </author>
            <author fullname="Steve Lasker" initials="S." surname="Lasker">
         </author>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <date day="15" month="November" year="2025"/>
            <abstract>
              <t>   This document defines new COSE header parameters for signaling a
   payload as an output of a hash function.  This mechanism enables
   faster validation, as access to the original payload is not required
   for signature validation.  Additionally, hints of the hashed
   payload's content format and availability are defined, providing
   references to optional discovery mechanisms that can help to find
   original payload content.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-hash-envelope-10"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="IANA.cbor-tags" target="https://www.iana.org/assignments/cbor-tags">
          <front>
            <title>Concise Binary Object Representation (CBOR) Tags</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="IANA.media-types" target="https://www.iana.org/assignments/media-types">
          <front>
            <title>Media Types</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="IANA.core-parameters" target="https://www.iana.org/assignments/core-parameters">
          <front>
            <title>Constrained RESTful Environments (CoRE) Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC7519">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7519"/>
          <seriesInfo name="DOI" value="10.17487/RFC7519"/>
        </reference>
        <reference anchor="RFC7942">
          <front>
            <title>Improving Awareness of Running Code: The Implementation Status Section</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="A. Farrel" initials="A." surname="Farrel"/>
            <date month="July" year="2016"/>
            <abstract>
              <t>This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.</t>
              <t>This process is not mandatory. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. This document obsoletes RFC 6982, advancing it to a Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="205"/>
          <seriesInfo name="RFC" value="7942"/>
          <seriesInfo name="DOI" value="10.17487/RFC7942"/>
        </reference>
        <reference anchor="RFC9334">
          <front>
            <title>Remote ATtestation procedureS (RATS) Architecture</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="N. Smith" initials="N." surname="Smith"/>
            <author fullname="W. Pan" initials="W." surname="Pan"/>
            <date month="January" year="2023"/>
            <abstract>
              <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9334"/>
          <seriesInfo name="DOI" value="10.17487/RFC9334"/>
        </reference>
        <reference anchor="I-D.fdb-rats-psa-endorsements">
          <front>
            <title>A CoRIM Profile for Arm's Platform Security Architecture (PSA) Endorsements</title>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
              <organization>Arm Ltd</organization>
            </author>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <date day="29" month="June" year="2026"/>
            <abstract>
              <t>   PSA Endorsements comprise reference values, endorsed values,
   cryptographic key material and certification status information that
   a Verifier needs in order to appraise Attestation Evidence produced
   by a PSA device.  This memo defines PSA Endorsements as a profile of
   the CoRIM data model.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-fdb-rats-psa-endorsements-10"/>
        </reference>
        <reference anchor="I-D.ydb-rats-cca-endorsements">
          <front>
            <title>A CoRIM Profile for Arm's Confidential Computing Architecture (CCA) Endorsements</title>
            <author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
              <organization>Arm Ltd</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <date day="26" month="June" year="2026"/>
            <abstract>
              <t>   Arm Confidential Computing Architecture (CCA) Endorsements comprise
   reference values and cryptographic key material that a Verifier needs
   to appraise Attestation Evidence produced by an Arm CCA system.

   This memo defines CCA Endorsements as a profile of the CoRIM data
   model.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/yogeshbdeshpande/draft-cca-rats-endorsements.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ydb-rats-cca-endorsements-04"/>
        </reference>
        <reference anchor="RFC9783">
          <front>
            <title>Arm's Platform Security Architecture (PSA) Attestation Token</title>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="S. Frost" initials="S." surname="Frost"/>
            <author fullname="M. Brossard" initials="M." surname="Brossard"/>
            <author fullname="A. Shaw" initials="A." surname="Shaw"/>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <date month="June" year="2025"/>
            <abstract>
              <t>Arm's Platform Security Architecture (PSA) is a family of hardware and firmware security specifications, along with open-source reference implementations, aimed at helping device makers and chip manufacturers integrate best-practice security into their products. Devices that comply with PSA can generate attestation tokens as described in this document, which serve as the foundation for various protocols, including secure provisioning and network access control. This document specifies the structure and semantics of the PSA attestation token.</t>
              <t>The PSA attestation token is a profile of the Entity Attestation Token (EAT). This specification describes the claims used in an attestation token generated by PSA-compliant systems, how these claims are serialized for transmission, and how they are cryptographically protected.</t>
              <t>This Informational document is published as an Independent Submission to improve interoperability with Arm's architecture. It is not a standard nor a product of the IETF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9783"/>
          <seriesInfo name="DOI" value="10.17487/RFC9783"/>
        </reference>
        <reference anchor="I-D.ietf-rats-endorsements">
          <front>
            <title>RATS Endorsements</title>
            <author fullname="Dave Thaler" initials="D." surname="Thaler">
              <organization>Armidale Consulting</organization>
            </author>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   In the IETF Remote Attestation Procedures (RATS) architecture, a
   Verifier accepts Evidence and uses Appraisal Policy for Evidence,
   typically with additional input from Endorsements and Reference
   Values, to generate Attestation Results in formats that are useful
   for Relying Parties.  This document illustrates the purpose and role
   of Endorsements and discusses some considerations in the choice of
   message format for Endorsements in the scope of the RATS
   architecture.

   This document does not aim to define a conceptual message format for
   Endorsements and Reference Values.  Instead, it extends RFC9334 to
   provide further details on Reference Values and Endorsements, as
   these topics were outside the scope of the RATS charter when RFC9334
   was developed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-endorsements-09"/>
        </reference>
        <reference anchor="I-D.ietf-rats-evidence-trans">
          <front>
            <title>Evidence Transformations</title>
            <author fullname="Fabrizio Damato" initials="F." surname="Damato">
              <organization>AMD</organization>
            </author>
            <author fullname="Andrew Draper" initials="A." surname="Draper">
              <organization>Independent</organization>
            </author>
            <author fullname="Ned Smith" initials="N." surname="Smith">
              <organization>Independent</organization>
            </author>
            <date day="17" month="October" year="2025"/>
            <abstract>
              <t>   Remote Attestation Procedures (RATS) enable Relying Parties to assess
   the trustworthiness of a remote Attester to decide if continued
   interaction is warrented.  Evidence structures can vary making
   appraisals challenging for Verifiers.  Verifiers need to understand
   Evidence encoding formats and some of the Evidence semantics to
   appraise it.  Consequently, Evidence may require format
   transformation to an internal representation that preserves original
   semantics.  This document specifies Evidence transformation methods
   for DiceTcbInfo, concise evidence, and SPDM measurements block
   structures.  These Evidence structures are converted to the CoRIM
   internal representation and follow CoRIM defined appraisal
   procedures.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-evidence-trans-02"/>
        </reference>
        <reference anchor="DICE.Layer" target="https://trustedcomputinggroup.org/wp-content/uploads/DICE-Layering-Architecture-r19_pub.pdf">
          <front>
            <title>DICE Layering Architecture</title>
            <author>
              <organization>Trusted Computing Group</organization>
            </author>
            <date year="2020" month="July"/>
          </front>
          <seriesInfo name="Version 1.0, Revision 0.19" value=""/>
        </reference>
        <reference anchor="IANA.coswid" target="https://www.iana.org/assignments/coswid">
          <front>
            <title>Concise Software Identifier (CoSWID)</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="I-D.ietf-rats-concise-ta-stores">
          <front>
            <title>Concise TA Stores (CoTS)</title>
            <author fullname="Carl Wallace" initials="C." surname="Wallace">
              <organization>Red Hound Software</organization>
            </author>
            <author fullname="Russ Housley" initials="R." surname="Housley">
              <organization>Vigil Security, LLC</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>arm</organization>
            </author>
            <author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
              <organization>arm</organization>
            </author>
            <date day="5" month="December" year="2023"/>
            <abstract>
              <t>   Trust anchor (TA) stores may be used for several purposes in the
   Remote Attestation Procedures (RATS) architecture including verifying
   endorsements, reference values, digital letters of approval,
   attestations, or public key certificates.  This document describes a
   Concise Reference Integrity Manifest (CoRIM) extension that may be
   used to convey optionally constrained trust anchor stores containing
   optionally constrained trust anchors in support of these purposes.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-concise-ta-stores-02"/>
        </reference>
        <reference anchor="DICE.cert" target="https://trustedcomputinggroup.org/wp-content/uploads/DICE-Certificate-Profiles-v1.1_pub.pdf">
          <front>
            <title>DICE Certificate Profiles</title>
            <author>
              <organization>Trusted Computing Group</organization>
            </author>
            <date year="2025" month="April"/>
          </front>
          <seriesInfo name="Version 1.1" value=""/>
        </reference>
        <reference anchor="DICE.endorsement" target="https://trustedcomputinggroup.org/wp-content/uploads/TCG-Endorsement-Architecture-for-Devices-V1-R38_pub.pdf">
          <front>
            <title>DICE Endorsement Architecture for Devices</title>
            <author>
              <organization>Trusted Computing Group</organization>
            </author>
            <date year="2022" month="November"/>
          </front>
          <seriesInfo name="Version 1.0, Revision 0.38" value=""/>
        </reference>
        <reference anchor="TNC.Arch" target="https://trustedcomputinggroup.org/wp-content/uploads/TNC_Architecture_v1_1_r2.pdf">
          <front>
            <title>TCG Trusted Network Connect TNC Architecture for Interoperability</title>
            <author>
              <organization>Trusted Computing Group</organization>
            </author>
            <date year="2006" month="May"/>
          </front>
          <seriesInfo name="Specification Version 1.1 Revision 2" value=""/>
        </reference>
        <reference anchor="TPM2.Part1" target="https://trustedcomputinggroup.org/resource/tpm-library-specification/">
          <front>
            <title>Trusted Platform Module Library, Part 1: Architecture</title>
            <author>
              <organization>Trusted Computing Group</organization>
            </author>
            <date year="2024" month="January"/>
          </front>
          <seriesInfo name="Family &quot;2.0&quot;, Level 00, Revision 01.83" value=""/>
        </reference>
        <reference anchor="IEEE-802.OandA">
          <front>
            <title>IEEE Standard for Local and Metropolitan Area Networks: Overview and Architecture</title>
            <author>
              <organization/>
            </author>
            <date month="July" year="2014"/>
          </front>
          <seriesInfo name="DOI" value="10.1109/ieeestd.2014.6847097"/>
          <seriesInfo name="ISBN" value="[&quot;9780738192192&quot;]"/>
          <refcontent>IEEE</refcontent>
        </reference>
        <reference anchor="W3C.rdf11-primer" target="https://www.w3.org/TR/rdf11-primer/">
          <front>
            <title>RDF 1.1 Primer</title>
            <author/>
          </front>
          <seriesInfo name="W3C NOTE" value="rdf11-primer"/>
          <seriesInfo name="W3C" value="rdf11-primer"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
      </references>
    </references>
    <?line 4769?>

<section anchor="sec-corim-cddl">
      <name>Base CoRIM CDDL</name>
      <sourcecode type="cddl"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

corim = concise-rim-type-choice
concise-rim-type-choice /= tagged-unsigned-corim-map / signed-corim
concise-tl-tag = {
  &(tag-identity: 0) => tag-identity-map,
  &(tags-list: 1) => [+ tag-identity-map],
  &(tl-validity: 2) => validity-map,
}
$concise-tag-type-choice /= tagged-concise-swid-tag / tagged-concise\
                                     -mid-tag / tagged-concise-tl-tag
corim-entity-map = entity-map<$corim-role-type-choice, $$corim-\
                                                entity-map-extension>
$corim-id-type-choice /= tstr / uuid-type
corim-locator-map = {
  &(href: 0) => uri / [+ uri],
  ? &(thumbprint: 1) => eatmc.digest / [+ eatmc.digest],
}
corim-map = {
  &(id: 0) => $corim-id-type-choice,
  &(tags: 1) => [+ $concise-tag-type-choice],
  ? &(dependent-rims: 2) => [+ corim-locator-map],
  ? &(profile: 3) => $profile-type-choice,
  ? &(rim-validity: 4) => validity-map,
  ? &(entities: 5) => [+ corim-entity-map],
  * $$corim-map-extension,
}
unsigned-corim-map = corim-map
corim-meta-map = {
  &(signer: 0) => corim-signer-map,
  ? &(signature-validity: 1) => validity-map,
}
$corim-role-type-choice /= &(manifest-creator: 1) / &(manifest-\
                                                           signer: 2)
corim-signer-map = {
  &(signer-name: 0) => $entity-name-type-choice,
  ? &(signer-uri: 1) => uri,
  * $$corim-signer-map-extension,
}
COSE-Sign1-corim = [
  protected: bstr .cbor protected-corim-header-map,
  unprotected: unprotected-corim-header-map,
  payload: bstr .cbor tagged-unsigned-corim-map / hash-envelope-\
                                                        digest / nil,
  signature: bstr,
]
hash-envelope-digest = bstr
$profile-type-choice /= uri / tagged-oid-type
cwt-claims = {
  &(iss: 1) => tstr,
  ? &(sub: 2) => tstr,
  ? &(exp: 4) => int / float,
  ? &(nbf: 5) => int / float,
  * int => any,
}
protected-corim-header-map = protected-corim-header-map-inline / \
                             protected-corim-header-map-hash-envelope
protected-corim-header-map-inline = {
  &(alg: 1) => int,
  &(content-type: 3) => "application/rim+cbor",
  meta-group,
  * cose-label => cose-value,
}
protected-corim-header-map-hash-envelope = {
  &(alg: 1) => int,
  &(payload_hash_alg: 258) => int,
  &(payload_preimage_content_type: 259) => "application/rim+cbor",
  ? &(payload_location: 260) => tstr,
  meta-group,
  * cose-label => cose-value,
}
meta-group = ((
        corim-meta-identity,
        ? cwt-claims-identity,
      ) // cwt-claims-identity)
corim-meta-identity = (&(corim-meta: 8) => bstr .cbor corim-meta-map)
cwt-claims-identity = (&(CWT-Claims: 15) => cwt-claims)
signed-corim = #6.18(COSE-Sign1-corim)
tagged-concise-swid-tag = #6.505(bytes .cbor coswid.concise-swid-tag)
tagged-concise-mid-tag = #6.506(bytes .cbor concise-mid-tag)
tagged-concise-tl-tag = #6.508(bytes .cbor concise-tl-tag)
tagged-unsigned-corim-map = #6.501(unsigned-corim-map)
unprotected-corim-header-map = {* cose-label => cose-value}
validity-map = {
  ? &(not-before: 0) => time,
  &(not-after: 1) => time,
}
concise-mid-tag = {
  ? &(language: 0) => text,
  &(tag-identity: 1) => tag-identity-map,
  ? &(entities: 2) => [+ comid-entity-map],
  ? &(linked-tags: 3) => [+ linked-tag-map],
  &(triples: 4) => triples-map,
  * $$concise-mid-tag-extension,
}
attest-key-triple-record = [
  environment: environment-map,
  key-list: [+ $crypto-key-type-choice],
  ? conditions: non-empty<{
            ? &(mkey: 0) => $measured-element-type-choice,
            ? &(authorized-by: 1) => [+ $crypto-key-type-choice],
}>,
]
$class-id-type-choice /= tagged-oid-type / tagged-uuid-type / tagged\
                                                               -bytes
class-map = non-empty<{
    ? &(class-id: 0) => $class-id-type-choice,
    ? &(vendor: 1) => tstr,
    ? &(model: 2) => tstr,
    ? &(layer: 3) => uint,
    ? &(index: 4) => uint,
}>
comid-entity-map = entity-map<$comid-role-type-choice, $$comid-\
                                                entity-map-extension>
$comid-role-type-choice /= &(tag-creator: 0) / &(creator: 1) / &(\
                                                       maintainer: 2)
conditional-endorsement-series-triple-record = [
  common-condition: [
        environment: environment-map,
        claims-list: [* measurement-map],
        ? authorized-by: [+ $crypto-key-type-choice],
],
  series: [+ conditional-series-record],
]
conditional-series-record = [
  condition: [+ measurement-map],
  addition: [+ measurement-map],
]
COSE_Key = {
  1 => tstr / int,
  ? 2 => bstr,
  ? 3 => tstr / int,
  ? 4 => [+ tstr / int],
  ? 5 => bstr,
  * cose-label => cose-value,
}
cose-label = int / tstr
cose-value = any
coswid-triple-record = [
  environment-map,
  [+ coswid.tag-id],
]
$crypto-key-type-choice /= tagged-pkix-base64-key-type / tagged-pkix\
-base64-cert-type / tagged-pkix-base64-cert-path-type / tagged-cose-\
key-type / tagged-pkix-asn1der-cert-type / tagged-key-thumbprint-\
type / tagged-cert-thumbprint-type / tagged-cert-path-thumbprint-\
                                                  type / tagged-bytes
tagged-pkix-base64-key-type = #6.554(tstr)
tagged-pkix-base64-cert-type = #6.555(tstr)
tagged-pkix-base64-cert-path-type = #6.556(tstr)
tagged-key-thumbprint-type = #6.557(eatmc.digest)
tagged-cose-key-type = #6.558(COSE_Key)
tagged-cert-thumbprint-type = #6.559(eatmc.digest)
tagged-cert-path-thumbprint-type = #6.561(eatmc.digest)
tagged-pkix-asn1der-cert-type = #6.562(bstr)
trust-dependency-triple-record = [
  domain-id: domain-type,
  trustees: [+ domain-type],
]
domain-membership-triple-record = [
  domain-id: domain-type,
  members: [+ domain-type],
]
conditional-endorsement-triple-record = [
  conditions: [+ stateful-environment-record],
  endorsements: [+ endorsed-triple-record],
]
domain-type = environment-map
endorsed-triple-record = [
  condition: environment-map,
  endorsement: [+ measurement-map],
]
entity-map<role-type-choice, extension-socket> = {
    &(entity-name: 0) => $entity-name-type-choice,
    ? &(reg-id: 1) => uri,
    &(role: 2) => [+ role-type-choice],
    * extension-socket,
}
$entity-name-type-choice /= text
environment-map = non-empty<{
    ? &(class: 0) => class-map,
    ? &(instance: 1) => $instance-id-type-choice,
    ? &(group: 2) => $group-id-type-choice,
}>
flags-map = non-empty<{
    ? &(is-configured: 0) => bool,
    ? &(is-secure: 1) => bool,
    ? &(is-recovery: 2) => bool,
    ? &(is-debug: 3) => bool,
    ? &(is-replay-protected: 4) => bool,
    ? &(is-integrity-protected: 5) => bool,
    ? &(is-runtime-meas: 6) => bool,
    ? &(is-immutable: 7) => bool,
    ? &(is-tcb: 8) => bool,
    ? &(is-confidentiality-protected: 9) => bool,
    ? &(is-runtime-updatable: 10) => bool,
    * $$flags-map-extension,
}>
$group-id-type-choice /= tagged-uuid-type / tagged-bytes
identity-triple-record = [
  environment: environment-map,
  key-list: [+ $crypto-key-type-choice],
  ? conditions: non-empty<{
            ? &(mkey: 0) => $measured-element-type-choice,
            ? &(authorized-by: 1) => [+ $crypto-key-type-choice],
}>,
]
$instance-id-type-choice /= tagged-ueid-type / tagged-uuid-type / \
tagged-bytes / tagged-pkix-base64-key-type / tagged-pkix-base64-cert\
-type / tagged-cose-key-type / tagged-key-thumbprint-type / tagged-\
                 cert-thumbprint-type / tagged-pkix-asn1der-cert-type
ip-addr-type-choice /= cbor-ip.ipv4-address / cbor-ip.ipv6-address
int-range-type-choice = int / tagged-int-range
int-range = [
  min: int / negative-inf,
  max: int / positive-inf,
]
tagged-int-range = #6.564(int-range)
positive-inf = null
negative-inf = null
linked-tag-map = {
  &(linked-tag-id: 0) => $tag-id-type-choice,
  &(tag-rel: 1) => $tag-rel-type-choice,
}
mac-addr-type-choice = eui48-addr-type / eui64-addr-type
eui48-addr-type = bytes .size 6
eui64-addr-type = bytes .size 8
$measured-element-type-choice /= tagged-oid-type / tagged-uuid-type \
                                                        / uint / tstr
measurement-map = {
  ? &(mkey: 0) => $measured-element-type-choice,
  &(mval: 1) => measurement-values-map,
  ? &(authorized-by: 2) => [+ $crypto-key-type-choice],
}
measurement-values-map = non-empty<{
    ? &(version: 0) => version-map,
    ? &(svn: 1) => svn-type-choice,
    ? &(digests: 2) => digests-type,
    ? &(flags: 3) => flags-map,
    ? (
                  &(raw-value: 4) => $raw-value-type-choice,
                  ? &(raw-value-mask-DEPRECATED: 5) => raw-value-\
                                                           mask-type,
          ),
    ? &(mac-addr: 6) => mac-addr-type-choice,
    ? &(ip-addr: 7) => ip-addr-type-choice,
    ? &(serial-number: 8) => text,
    ? &(ueid: 9) => ueid-type,
    ? &(uuid: 10) => uuid-type,
    ? &(name: 11) => text,
    ? &(cryptokeys: 13) => [+ $crypto-key-type-choice],
    ? &(integrity-registers: 14) => integrity-registers,
    ? &(int-range: 15) => int-range-type-choice,
    * $$measurement-values-map-extension,
}>
non-empty<M> = M .and ({+ any => any})
oid-type = bytes
tagged-oid-type = #6.111(oid-type)
$raw-value-type-choice /= tagged-bytes / tagged-masked-raw-value
raw-value-mask-type = bytes
tagged-masked-raw-value = #6.563([
    value: bytes,
    mask: bytes,
])
reference-triple-record = [
  ref-env: environment-map,
  ref-claims: [+ measurement-map],
]
stateful-environment-record = [
  environment: environment-map,
  claims-list: [+ measurement-map],
]
svn-type = uint
svn = svn-type
min-svn = svn-type
tagged-svn = #6.552(svn)
tagged-min-svn = #6.553(min-svn)
svn-type-choice = svn / tagged-svn / tagged-min-svn
$tag-id-type-choice /= tstr / uuid-type
tag-identity-map = {
  &(tag-id: 0) => $tag-id-type-choice,
  ? &(tag-version: 1) => tag-version-type,
}
$tag-rel-type-choice /= &(supplements: 0) / &(replaces: 1)
tag-version-type = uint .default 0
tagged-bytes = #6.560(bytes)
triples-map = non-empty<{
    ? &(reference-triples: 0) => [+ reference-triple-record],
    ? &(endorsed-triples: 1) => [+ endorsed-triple-record],
    ? &(identity-triples: 2) => [+ identity-triple-record],
    ? &(attest-key-triples: 3) => [+ attest-key-triple-record],
    ? &(dependency-triples: 4) => [+ trust-dependency-triple-record],
    ? &(membership-triples: 5) => [+ domain-membership-triple-record\
                                                                   ],
    ? &(coswid-triples: 6) => [+ coswid-triple-record],
    ? &(conditional-endorsement-series-triples: 8) => [+ conditional\
                                  -endorsement-series-triple-record],
    ? &(conditional-endorsement-triples: 10) => [+ conditional-\
                                          endorsement-triple-record],
    * $$triples-map-extension,
}>
ueid-type = bytes .size (7 .. 33)
tagged-ueid-type = #6.550(ueid-type)
uuid-type = bytes .size 16
tagged-uuid-type = #6.37(uuid-type)
version-map = {
  &(version: 0) => text,
  ? &(version-scheme: 1) => coswid.$version-scheme,
}
digests-type = [+ eatmc.digest]
integrity-register-id-type-choice = uint / text
integrity-registers = {+ integrity-register-id-type-choice => \
                                                        digests-type}
$$measurement-values-map-extension //= (&(psa-cert-num: 100) => psa-\
                                                       cert-num-type)
psa-cert-num-type = text .regexp "[0-9]{13} - [0-9]{5}"
eatmc.measured-component = {
  eatmc.component-id-label => eatmc.component-id,
  eatmc.measurement,
  ? eatmc.authorities-label => [+ eatmc.authority-id-type],
  ? eatmc.flags-label => eatmc.flags-type,
}
eatmc.measurement //= (eatmc.digested-measurement-label => eatmc.\
                      digest // eatmc.raw-measurement-label => bytes)
eatmc.authority-id-type = eatmc.eat.JC<eatmc.bytes-b64u, bytes>
eatmc.flags-type = eatmc.eat.JC<eatmc.bytes8-b64u, eatmc.bytes8>
eatmc.component-id = [
  name: text,
  ? version: eatmc.version,
]
eatmc.version = [
  val: text,
  ? scheme: eatmc.coswid.$version-scheme,
]
eatmc.digest = [
  alg: int / text,
  val: eatmc.digest-value-type,
]
eatmc.digest-value-type = eatmc.eat.JC<eatmc.bytes-b64u, bytes>
eatmc.bytes-b64u = text .b64u bytes
eatmc.bytes8 = bytes .size 8
eatmc.bytes8-b64u = text .b64u eatmc.bytes8
eatmc.component-id-label = eatmc.eat.JC<"id", 1>
eatmc.digested-measurement-label = eatmc.eat.JC<"digested-\
                                                     measurement", 2>
eatmc.raw-measurement-label = eatmc.eat.JC<"raw-measurement", 5>
eatmc.authorities-label = eatmc.eat.JC<"authorities", 3>
eatmc.flags-label = eatmc.eat.JC<"flags", 4>
eatmc.mc-cbor = bytes .cbor eatmc.measured-component
eatmc.mc-json = text .json eatmc.measured-component
eatmc.$measurements-body-cbor /= eatmc.mc-cbor / eatmc.mc-json
eatmc.$measurements-body-json /= eatmc.mc-json / text .b64u eatmc.mc\
                                                                -cbor
eatmc.eat.JSON-ONLY<J> = J .feature "json"
eatmc.eat.CBOR-ONLY<C> = C .feature "cbor"
eatmc.eat.JC<J, C> = eatmc.eat.JSON-ONLY<J> / eatmc.eat.CBOR-ONLY<C>
eatmc.coswid.$version-scheme /= eatmc.coswid.multipartnumeric / \
eatmc.coswid.multipartnumeric-suffix / eatmc.coswid.alphanumeric / \
              eatmc.coswid.decimal / eatmc.coswid.semver / int / text
eatmc.coswid.multipartnumeric = 1
eatmc.coswid.multipartnumeric-suffix = 2
eatmc.coswid.alphanumeric = 3
eatmc.coswid.decimal = 4
eatmc.coswid.semver = 16384
coswid.concise-swid-tag = {
  coswid.tag-id => text / bstr .size 16,
  coswid.tag-version => integer,
  ? coswid.corpus => bool,
  ? coswid.patch => bool,
  ? coswid.supplemental => bool,
  coswid.software-name => text,
  ? coswid.software-version => text,
  ? coswid.version-scheme => coswid.$version-scheme,
  ? coswid.media => text,
  ? coswid.software-meta => coswid.one-or-more<coswid.software-meta-\
                                                              entry>,
  coswid.entity => coswid.one-or-more<coswid.entity-entry>,
  ? coswid.link => coswid.one-or-more<coswid.link-entry>,
  ? coswid.payload-or-evidence,
  * $$coswid-extension,
  coswid.global-attributes,
}
coswid.tag-id = 0
coswid.$version-scheme /= coswid.multipartnumeric / coswid.\
multipartnumeric-suffix / coswid.alphanumeric / coswid.decimal / \
                                           coswid.semver / int / text
coswid.one-or-more<T> = T / [2*T]
coswid.tag-version = 12
coswid.corpus = 8
coswid.patch = 9
coswid.supplemental = 11
coswid.software-name = 1
coswid.software-version = 13
coswid.version-scheme = 14
coswid.media = 10
coswid.software-meta = 5
coswid.software-meta-entry = {
  ? coswid.activation-status => text,
  ? coswid.channel-type => text,
  ? coswid.colloquial-version => text,
  ? coswid.description => text,
  ? coswid.edition => text,
  ? coswid.entitlement-data-required => bool,
  ? coswid.entitlement-key => text,
  ? coswid.generator => text / bstr .size 16,
  ? coswid.persistent-id => text,
  ? coswid.product => text,
  ? coswid.product-family => text,
  ? coswid.revision => text,
  ? coswid.summary => text,
  ? coswid.unspsc-code => text,
  ? coswid.unspsc-version => text,
  * $$software-meta-extension,
  coswid.global-attributes,
}
coswid.entity = 2
coswid.entity-entry = {
  coswid.entity-name => text,
  ? coswid.reg-id => coswid.any-uri,
  coswid.role => coswid.one-or-more<coswid.$role>,
  ? coswid.thumbprint => coswid.hash-entry,
  * $$entity-extension,
  coswid.global-attributes,
}
coswid.link = 4
coswid.link-entry = {
  ? coswid.artifact => text,
  coswid.href => coswid.any-uri,
  ? coswid.media => text,
  ? coswid.ownership => coswid.$ownership,
  coswid.rel => coswid.$rel,
  ? coswid.media-type => text,
  ? coswid.use => coswid.$use,
  * $$link-extension,
  coswid.global-attributes,
}
coswid.payload-or-evidence //= (coswid.payload => coswid.payload-\
                   entry // coswid.evidence => coswid.evidence-entry)
coswid.global-attributes = (
  ? coswid.lang => text,
  * coswid.any-attribute,
  )
coswid.multipartnumeric = 1
coswid.multipartnumeric-suffix = 2
coswid.alphanumeric = 3
coswid.decimal = 4
coswid.semver = 16384
coswid.activation-status = 43
coswid.channel-type = 44
coswid.colloquial-version = 45
coswid.description = 46
coswid.edition = 47
coswid.entitlement-data-required = 48
coswid.entitlement-key = 49
coswid.generator = 50
coswid.persistent-id = 51
coswid.product = 52
coswid.product-family = 53
coswid.revision = 54
coswid.summary = 55
coswid.unspsc-code = 56
coswid.unspsc-version = 57
coswid.entity-name = 31
coswid.reg-id = 32
coswid.any-uri = uri
coswid.role = 33
coswid.$role /= coswid.tag-creator / coswid.software-creator / \
coswid.aggregator / coswid.distributor / coswid.licensor / coswid.\
                                              maintainer / int / text
coswid.thumbprint = 34
coswid.hash-entry = [
  hash-alg-id: int,
  hash-value: bytes,
]
coswid.artifact = 37
coswid.href = 38
coswid.ownership = 39
coswid.$ownership /= coswid.shared / coswid.private / coswid.\
                                                 abandon / int / text
coswid.rel = 40
coswid.$rel /= coswid.ancestor / coswid.component / coswid.feature \
/ coswid.installationmedia / coswid.packageinstaller / coswid.\
parent / coswid.patches / coswid.requires / coswid.see-also / coswid\
             .supersedes / coswid.supplemental / -256 .. 65536 / text
coswid.media-type = 41
coswid.use = 42
coswid.$use /= coswid.optional / coswid.required / coswid.\
                                             recommended / int / text
coswid.payload = 6
coswid.payload-entry = {
  coswid.resource-collection,
  * $$payload-extension,
  coswid.global-attributes,
}
coswid.evidence = 3
coswid.evidence-entry = {
  coswid.resource-collection,
  ? coswid.date => coswid.integer-time,
  ? coswid.device-id => text,
  ? coswid.location => text,
  * $$evidence-extension,
  coswid.global-attributes,
}
coswid.lang = 15
coswid.any-attribute = (coswid.label => coswid.one-or-more<text> / \
                                             coswid.one-or-more<int>)
coswid.tag-creator = 1
coswid.software-creator = 2
coswid.aggregator = 3
coswid.distributor = 4
coswid.licensor = 5
coswid.maintainer = 6
coswid.shared = 3
coswid.private = 2
coswid.abandon = 1
coswid.ancestor = 1
coswid.component = 2
coswid.feature = 3
coswid.installationmedia = 4
coswid.packageinstaller = 5
coswid.parent = 6
coswid.patches = 7
coswid.requires = 8
coswid.see-also = 9
coswid.supersedes = 10
coswid.optional = 1
coswid.required = 2
coswid.recommended = 3
coswid.resource-collection = (
  coswid.path-elements-group,
  ? coswid.process => coswid.one-or-more<coswid.process-entry>,
  ? coswid.resource => coswid.one-or-more<coswid.resource-entry>,
  * $$resource-collection-extension,
  )
coswid.date = 35
coswid.integer-time = #6.1(int)
coswid.device-id = 36
coswid.location = 23
coswid.label = text / int
coswid.path-elements-group = (
  ? coswid.directory => coswid.one-or-more<coswid.directory-entry>,
  ? coswid.file => coswid.one-or-more<coswid.file-entry>,
  )
coswid.process = 18
coswid.process-entry = {
  coswid.process-name => text,
  ? coswid.pid => integer,
  * $$process-extension,
  coswid.global-attributes,
}
coswid.resource = 19
coswid.resource-entry = {
  coswid.type => text,
  * $$resource-extension,
  coswid.global-attributes,
}
coswid.directory = 16
coswid.directory-entry = {
  coswid.filesystem-item,
  ? coswid.path-elements => {coswid.path-elements-group},
  * $$directory-extension,
  coswid.global-attributes,
}
coswid.file = 17
coswid.file-entry = {
  coswid.filesystem-item,
  ? coswid.size => uint,
  ? coswid.file-version => text,
  ? coswid.hash => coswid.hash-entry,
  * $$file-extension,
  coswid.global-attributes,
}
coswid.process-name = 27
coswid.pid = 28
coswid.type = 29
coswid.filesystem-item = (
  ? coswid.key => bool,
  ? coswid.location => text,
  coswid.fs-name => text,
  ? coswid.root => text,
  )
coswid.path-elements = 26
coswid.size = 20
coswid.file-version = 21
coswid.hash = 7
coswid.key = 22
coswid.fs-name = 24
coswid.root = 25
cbor-ip.ipv4-address = bytes .size 4
cbor-ip.ipv6-address = bytes .size 16
]]></sourcecode>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors would like to thank the following people for their review and comments on this document:
<contact fullname="Carl Wallace"/>,
<contact fullname="Hannes Tschofenig"/>,
<contact fullname="Steven Bellock"/>,
<contact fullname="Jag Raman"/>,
<contact fullname="Giri Mandyam"/>,
<contact fullname="Jeremy O'Donoghue"/>,
<contact fullname="Michael Richardson"/>,
<contact fullname="Dhawal Kumar"/>,
<contact fullname="Spencer Gilson"/>,
and
<contact fullname="Sergei Trofimov"/>.</t>
    </section>
    <section anchor="contributors" numbered="false" toc="include" removeInRFC="false">
      <name>Contributors</name>
      <contact initials="C." surname="Bormann" fullname="Carsten Bormann">
        <organization>Universität Bremen TZI</organization>
        <address>
          <postal>
            <street>Postfach 330440</street>
            <city>Bremen</city>
            <code>D-28359</code>
            <country>Germany</country>
          </postal>
          <phone>+49-421-218-63921</phone>
          <email>cabo@tzi.org</email>
        </address>
      </contact>
      <t>Carsten Bormann contributed to the CDDL specifications and the IANA considerations.</t>
      <contact initials="A." surname="Draper" fullname="Andrew Draper">
        <organization>Altera</organization>
        <address>
          <email>andrew.draper@altera.com</email>
        </address>
      </contact>
      <t>Andrew contributed the concept, description, and semantics of conditional endorsements as well as consistent contribution to weekly reviews of others' edits.</t>
      <contact initials="D." surname="Glaze" fullname="Dionna Glaze">
        <organization>Google LLC</organization>
        <address>
          <email>dionnaglaze@google.com</email>
        </address>
      </contact>
      <t>Dionna contributed many clarifying questions and disambiguations to the semantics of attestation appraisal as well as consistent contribution to weekly reviews of others' edits.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+y923bcVpYg+I6vwNBeKVIVEeJdEjPtTCZF2+zRbUQqXTVu
LxERgSCRQgCRAIIUrVSt/o1+64f5kp4/6S+ZfT1nHwDBi+2p7llrstYqi4Fz
P/vs+2U4HEZXB/FOFDVZk6cH8VFZTLI6jd+ls7RKi0kanxRNelFlzU38Kimy
WVo3UTIeV+kVNn538iqalpMimUPfaZXMmmGWNrNhlTT1cFJW2Xy4tRVNEhii
rG4O4rqZRpOyqNOiXtYHcVMt06hejudZXWdl0dwsYJiT47PvoihbVPS9brY3
N59vbkdJlSYH8dppOlniatai67L6eFGVywX8+i6dl00aH541sL6kgbHit1U5
SafLKj1diz6mN9B6ehDDegfxu8Oz00GcNK7tIL5Kq2yWpdUgrpeLRX4TTy6T
rIgiaFBMPyR5WaSy2kV2EMVxU04O4pu0hn/WZdVU6ax2f9/M7Z/Qcpoumks6
5GTZXJbVQTSMswJa/DCK/5pVHy/L/BdoyYf4Q1p8tL+W1cVB/F2VLIvLEq4k
Pj05g1/TeZLlB/ElNB6NpfFf8ORHcLpNMml0irNR/F1Z17BNN8PZZTlPavMz
TAE3+wsdxUH8MiuSqvRzcPORNP9LTp9H0Een+LdR/CKtLxdwUqmb5N/KC/gt
+BBOk1RzP8cNtR5NtfVf4CvsZK5TvB7Fp/OsuXTDv06n7hc6oRPotUjh/xWN
H7ZIp6MaW43waP5SLpu8LD/agX8cxW+Twg37Y5rJ3zToD8vkGn45SyeXRZmX
FxndqAx+neV5lsxHsGBo9JdLaktjI4Q3VTZeNnjXcSxzHcFtl9U8KXB8nfEo
qeomLYIvNPf7IgOgrLPm//6/mvivVTqHRmf/5wk1qAHg0uYgflvWzSyZXMY7
O5u7u5v0bQJv40A68A/lFOZ5Mdx+trP3XH5Zwvqg1fcpTnpDPy4uCcb/Zff5
cHd7a7i99Wy4v/N8e4s+ypYnybj8S/NLRrfPI8lG6Uq/pd/i9p58K7i0poyb
yzQ+evHiZVwv0gm8uglBRB3DxdO3k8PXh9inzqZpxd9G/hQPAdqqZJFW5hAP
i2mVXtvf6QgP8wYGsBtIqOFoSg3/ktB3urLVm5Gxgz3AIuHvCTzrQQwwO6my
BaMR3EINcxVNNqnjcobNphl+S/IYoLOsaryXBjZbx9dpnuN/aat4YE2wBDyq
6zT9CMgIkG2WXtOAJUxe1Y/iFIa1x/JiFH+fJ7+k5lRewCBFYn6mQ/m+LC/y
NH758sgezJTaXmDTv1xQizuORQa3x4KgFE/yBDDpTVZcxP9YAn51NzvN6mQ+
zi6WctsCCMFpGZQcJ4tFlUCf/Pc6qqhAcGzgVeGbfPfd0fO9/e2DeLnMpvz3
3vazzYN48TH7NJykVcM/Pt3dfyY/Nukn+fHZ/ha0nEynuYwEBAr+HpfVsMym
tfy4tb8rP2YL+On07MXz/QM6viH8XtZ8Kd8c8Ah729Jm17eBvqbNs+e7z7nN
vh8HaKFpsvP82b7MvvN8h2a51u0933v+FPDNj2cfjl4enrw6/XD05vRY9gMP
nT5Jy6dbWwdxmuBuT4YvRp6iz+uL4TU8Hhh5ft35Cj2G8zSpgeZOgfjPF4BR
ioZGGs4n2Bxe9ihPCgCCi3QIdL9JLoZVegFXiuio9QU6/OtoH0/26Ojk7Gz0
r/DvETAD23ZiPMfhZVJfDtPiKs1LZCC6vwE7Ucxa1/90b+v5Qfz3a73o57vb
Chg7O3BztKWkmlzKdLPpmLe5qJOhfcsAHq1fpMeN9phM2j3av+jBP9vh0Zry
I6Hv1gEHY3R+6ra/AhQKeGrYVEnhegQ/Qp8XJ0fHo5fJTVoxVAkniD/H9DM+
5kM4iKxJJw1cLrVSVobRAaGWM+TWABEcwdXDu4Re3yN7xiQLhklrvIWD+G9I
1+DVbo02gRmD9dBfm6MtJk9T4BYP4v+0hNe8vbnNVK1JqgukeJdNs6gPnjxp
eKqJzkR8IJKlJ9eLIaIGOI8ny0VeJtP6Ce5kqDsZ2p0Mq63nHxbL8WgxnSl8
8pvRt4Pg2TnXCTPJwyYZ1kDjU+Rk5Z96nohBusd5BL8yxUuRP51lOXEUv9Np
bpnjO1xUWY7nt/c7nZ9Z+lCXPryCSc350c4NRHYP4Nh/DEAqhtcJzOJVNvk9
DyQEr51n5nxel1fpfAz8NBzR9m8/orOj74dmbyGQwd6Gsrfh37aG73aemTM7
e300wtbBWa3BeG6/r9MGRR0UzQoYEXt0zw6ltAowXZWMs5zEo994iqeWObNA
5o9025znFkiH+F4393+Hw3x99MFu8MPV1oetD9W2ntjbV9ujt0nVbLXOTHb2
Nk8aRPbxq3K6RFYnG1dJdTOIsU8MlM2O/ZvP6btkngGmWtseba4N4pcpEJx4
MwC8rdGzHYvYkmIJy4m3dwcIfLuDBx4YoJtyWU3SJ81iPsx5b8OAlX6CCOv4
+Hj4bHN79AaYr0N4fW9ORluAYrc2nz/Bb8BFAC3d2h3tP9t9uvn8aRTBDaDo
gBzG8cvvUKb+7qi5zOq1KBoOh3EyBiKNgmWksnbTI2vX8TpK1xvA7CbjHNUI
OfGCePRwZMioJXWd1jUxf7RJgG2YpsDfkAUEDs4MDw9UxAKQqQG94gBT2Oo0
ja8vU/wZbisuygY/pMUFcA/AD8MFTfBhZPgoYM3EcF6DHBhnzSg6FgIIWwKJ
sLOISVLE4xRpJY6OF5Cnn2gVWRNnNUwPT3waL4sqTXLgXLIJLC9pYrh5uFW7
4RtsPkkWdBKwN9yyZ2vhB13JKDrzG8SxxssKPmD35mYBt5oDhJWzGT4PlqES
fJGksRhFJwWcAYhK+DvKG0vAEX6POt/A9IEz/scyw9vCkysLGH1Wobjuus2q
cg57drcwgCU1cZLXZSyQaVE5c/heZfS3JAfenweRZlVvGwQcnLKqUfECgizw
+CAPLEGoxceJP0+ROWRZGv6Cy54SJo3L6wK+48nhnZSTJdEUeQcpw5dj+gBE
01yWitiyShewX4R4uKq7NwIQdfTXN+9iHm3ED2KeAf8PnOVXiHurEo8d5/n8
FQDfMMOfvkR4r6RuChH258+nKbfeRTAYOlbzyxezgxohCgClKoHUDmARk3w5
NQu+60gJqmqAqOuSx4gThC8HULNlDlQ8h6sc3wRqrxhOv/wNV3LP9emcwfmv
p6OL0SBGqINbqpc5/AYzTBz3gacGiDTZ6L8q6T/NLnCEDRgDqAEeGj4aD88C
NxZA4M9lzYdhXgp24yeU+tdRpZMUBIlp55kAUsrgyFgnMIbluA9EmkURgFgT
3jw+3MQhGHsBg3gOG8/gd7kKUjbFefYRsEu8IGBDTIG3e8X7BnamchCzKDM8
S7jJJpvDTIc1XSXcVZH23DSA8sWl4AH5msAYFR2L4K3OQUO34OIIb5HIfY1n
BcDFkyD+hcP8BcHPnv/JNEUoHPC0pAroLuz6siQkCF/nJdznx6K8BoC9SAml
MsWC27hIKnoYsGqkM5NlnjDmJgGUD09Gv3MfiB5oL64/3JQuu4bjBiSfTKoS
KMUVs7oEiHDyhf7OF9QIAkxi4BRQ5cLNR9Frxbl+VKQ56VWZX6Utclek17GI
1ITfUEMOWDtlKgBkKv2EmAzgVjB04bADvNobxtjXSUH0ccEvjwatRY2ODyS9
wgZJI5qcWgijhWs4jwTulLAXQZcHroD+wBREvbMWOzrwqpvJDe0xmcACEvgD
B7pMPUpOFOzuxsvNCtyfEIYAkJkCMzZr33DvUAhZBeK6+xhAAM2Q6WODUCyb
QeyUsCp3L0Q8UNvJqEGxDJwV8Q+/wI0zcfn8eYgKHyABMGtJ8Fwvs4YgHfcw
qW4WTXlRJQsYyOMTh/JQ4QGdAGtnFwX9A8bBPtCIkSUJ/GJqYYTB7CX8o2AZ
A5D34VQVlvg4wxP2eM3hpwVMmwrn5pDmodfdwbQCdvT+008Jojtuv4DHkuH2
4ETwFz7HORwbsHHyetxEPQSKD1HABsa7BNi7SIu0XNY94ORgWdAvz0ZXBVDJ
C0FsP4FDgWtEET2Ycyr6+Bu8SVkQ4kjCO9SnaM/aAr1ecpgVcAO0FT2+mlg6
BB5oNaDHcVEyw5jEbtXECPN1ILABPwFQFe6xNWiLVcJ/Z3gxCKKojQU2AdEn
8w2wI3jqIUzrfATTnz8jn0Mmvi9fBu5P4IoAgnGj+kuTf/mirEidCjPulo67
W8AYiFZ5b8BbLInVqHnv+iBFmjtBEw+DGTzCVycvNgbdpyWv7+53P7DaZTvb
WXIBgqM89bOXbhIdmWwAywrGapBcTlCxGLNgVt8LeY0iPqBKfx+qDRLODy1V
KI2wyGBZRxGR3FhOCjhrt5ymTZLlSNCWlXmmoRCyQMGtFuoNe8sR0i/La4Uz
Bk7kG4HPyPBRAKFJkefAfwp3dUWQptwRW0Hw2QJjldLhoKUEWsMRJ1NvDuGT
JHDoPE+CPHoH2qONi4iyTRCL1X7BvFSCAhT3HGnpHBdfBy6b+XU9e7iOCbDt
X30Vn6XVPCOr343cH4lMfKEvRVPNDP7HFHACkMA6Xnv1/vRsbcD/jV+/oX+/
O/4/3p+8O36B/z794fDlS/ePSFqc/vDm/csX/l++59GbV6+OX7/gzvBrHPwU
rb06/Lc1PvC1N2/PTt68Pny5xhQ1OCsWnMdCl+Hc+Tqi4EX/9ejtf/9vW7vw
cP83EP23t7aeAyTyH8+2nu7CHyByi5GL+Bf+E074JgKISoHnQtQMbwlkXiBc
Ob+u+hIpK3I0o+hPf0awjof7f/42auOjJQIorG7O70UMbIgqZtCH+PJGpSkL
6KPIqapy4SR5FC+7rhJBBo5ZGnji9QalmIHcuRXm6RSTj8DnEWW6RYgDXPsd
oH5l7gGcL3I0n6MSqk5vlf86aJqPxW3qwxrKYSpErH2gdX5Y8yDufvcnR9ha
Z9z2M1rbAc180gKcgZs4pM00qXA90tS8PLzzm6Isbub1KD603JFD7apkSUjI
a5SFgX9nxPggHMUzorI3cIVzQh1urg2SCHkEaDnLSXyRMQBurtIbwTZuwTQg
ILumnJSIeoCkFxfpxijG9zu+QaaX+P2aRMWQp/OrJghASSWZA9HNSEF0ndyM
GA00BmMQhIRs3YDZQPx7Os2FSKINjn4q6xR/An4DGNg/RrBeL8oMeKRpllwU
JSmcirJxQmvvLT+jW+aJI6bG+ul7/kRrGBGaaz043GWSw75qjznpOBfE0cPk
ywL1EaMUjpu0akf83uOXadMwq/EVYNDvBeYFxeoT+LISwmdlnpfXdAO4qoMo
+nwQX9WLZJJ+s7a59iXyfOURECpY92kK9354dLpxEB0AqPmbInp2WeZT5AGu
sqosSC1P3eKz5SJPheZdJkC9xmnqDM7plGkpjEo2ZiCIdYev4p61dCTlMXDy
hKMcHhHSSvwhHK9f+9syzyYINO2feBPGoUDptfMi4EXD2c8AsuG/CR5YqFPk
k4E9qJ6HH7HIyqh8VZ6VDwPQ8zKf8jk48XpALCU0rFNS8JCG/lPDG78Agg/P
pUqnGQt3asuXwcti1NkaPm0Ub2tlo3A5maikeKic0cqymJIehSRw3Tbg+DRl
kr/WGZq4bGE+1vgZtDDqId9QQyd85k+DtsOrrvVAgpPTQ8pqaYaK31pY/kAe
Qx4AWfLsAl8CKlJACmNMwqMe9nRQLIiw8ok3AlLMcp6gRB34S5H7CK4ZdkMD
MqwssnRCPKFRZA1UoiYbCPGLMNeQ9ESAVLLKHKYhRKPtjioyxBv8/e/XDR7p
j8pdBdRCXqVnBgxP2CHCuNnC8sm8NWBGT17Q7gC7eV5/ps3dY+bby5DBACAC
BAUCGIjM2TxD7Y9tCC+4SWBio9EEeAAmn5CXQ+gwzPSakB9c9Xyc36w6qBFT
7TSho4iOmHAYmwVfTvd3kjaZbCTmM9sG43U/yc5op30bRPQSNshbSS/o1blD
7oV+OTIbEY0CVU1OcB1nhROSUUGICkEU/toLJF1Ze35E9i/KOWBJwV70b3ow
8SVcHHFq8JraaC3pPZ5CuByE6IbdfQDol3iJ5kKdq1hW2X2hqpzkEeh1mS1w
ZQJdU9GSCpUAooGuWU43WTv/I6PxIuialmQh6QL0iBg80WY4NnKq2iRUvbG+
PiVVNp51rxabV6w2HQeB0HaWVXP695zk3lHUngO/1UmmisA142q2Rqw5cebE
UtwgwdCdPapjy0LCWpvJJSJ0WBxeXS/WNUB2C/9o7oiPGn0m8fKJl6HuIpa1
VPHCZK6dkRXU3vUa8yDOX4zsoLgEYQydHhPoYYXXyDi9IoViWbG7HvS5uAyt
bTIhL4KNKivntNQC2Mc8nQgIBhjdYX1WtndW1n+ao60eCWAFyxKvHx+ddVgd
YVL4OQtsX6l+NPFKO/jaPd54kS9r3++VUTU/EdrXOxazgkTBhUfpjs3nDEtW
WV2ZKaXGqrdRLF93TptZK3G5hJFIRmFk3ksl+A33EYllkf1jmfKNJk0vebDU
ISUbP0BusSQvEcJY7nnqk1xBHrYC8mDOlK+OKTEQmXKS0dsnMqQWfA8390FQ
QPdhMKRtqwzq1Cx8a+X47+hHQnuyNz4hTlCUckAkEjgBBBF0m6DGDid524qY
pEmDOE+BbtzE0yV5jMGhVs1ygaS/WhZDNBaQ+uFCNpdOPsbr785OjjYGLWGP
1zdggnf09n3MLoK4/EO1hkx1F3C3ukBctsFyfRB5LJpSGnztAgSEtBis2VMQ
lhQ2mOUs9nR1hgy3TuAVzURgM2w5OQiubS0ygCB1BEJJEZGLQtTz0d5oD3tC
E+f5QpDVXlhA3uyz9UpynB0ecUYHWBGzzX+49QWYuWMm0bNhjusC37NxNiCd
NIvB3j+jJTuhS0RZVSWIpgT8ZG5dpaDpWQE9FqJZhLV1ajWKrrG2kawmIgqt
3ZPfHVj5ucuADXr54X5CeFahzYLvgwgN7MUbjNmeyspijJBwfNF3FfCh5Ou1
/u7FdxsxvakEVRd0dvRIVW1K6N7yO/Bwm2uSRwGP8dsgO1uhL0UdhxgJAM8n
+mRWkfYMZIfxr81btq6yhGQXkN4mZFI5KVhvMgDAQmN1DLsYiIpfGumEDZ0Q
jpcBC5VNMp4Gx0frF+szfEN4zujU/gQ/kf1R7Tf82frJGIuQyqPIkE1Tfafc
kUmLMR57VgB+7uIOy3Q6FD1LE7FUKOkIMUmbRyCpD9XiSFvM62+xA58///nH
naNRNZ1tbQ3ROoJGAdSqxO+tpYyUWg7r9CqyiQJ3fIGc2l8EUDiJJXkAzFhr
Rjq0qhZH/LYxeABAOWXKhRuEidD820GDDGZueR/TdEGcBjJDjfTCGYGJnjSk
TWZKPU7xDib4dj0UIC1Cs94RK6mQe33lVHtsoygAqU+AKcpYdBfXgXnyUVV6
E5ZO152pF39cS5QbWdsYeUWBx2OBxuLGaQv4RxV420cEe0dLIghAaBsBIXkQ
UohJBYDDFlHSyJNXyKRCrLZIpj3mEARtYYNWK8FEDzkvm+zKGyCFZ1OEoeiU
QegtA0JJoumMNT0aYeFW62zN6uBAbNqkZHJN2j72Pw1c7WBFwPw4O7E4APqA
EeWu1yy0relZik8RvPsWT3MgNIxEZhAS03wWr1uiusFnbX2WuIGaTuslNSLT
dIk7zZzhwKpcECeS9r8s7JTrwUWSsUAP3v3qNJqoRAyIIqnJrPTV4ggGVm8v
D0ph3+nM2KDOenKEfRTBsxldbMP2kYl/Js6c3j15Eq8r8VsT0g8LNmpYogzG
7kXKtWacDyfzilHSP+HmYQ3x2c0ijf8ZnzJR+2f8Q3kdgvz7xZRAXo/ln9AV
3eiC/w+/PX6s+OrxY/gZz1X0IzDVzN4EHgM65+G6pvw8B6w2kFeJqpzp1Aed
4bSExJOLC2W7/XgoF+vzH8lS2twHLYnhiJfmXzTys3W/q5TgMKE7wjTJgka4
qURkAhXFE96C3ezfkYlEKjYQOZQaAI0St4qmSnBfqK7QmwteQHJRpal3gtWj
NoxLsLfgpB+5I52ngGtUUcBeB+KEInuEHbVQHdwAOixdD+JxhbJC5fBwS6Gx
Ya5p0Lkju5n2TX0+iL9SoGRv8G/WegjFu9A5wxp014BUPn5donv2SUeOcPQz
Y39ZvqWpGE1CVrZnqV3xoaeRnInom5D1aEPu6DHh2SPjRoVkApHsGbo+I9fB
PsiowxsvM7R9sIsg42kbPadWgcBtnNEWGakIZyESiselXACRaaN2EMQlQI2M
Jv4NwnrD6r7QAUs3EQFewEUOzJjXifW4hMOoy1lDYqZwh3RHoc8US6hCOVte
NyjtL/TkXH/0vDM+K8OFUr4vX4xfEx8YMifFJMszHhA4MPiL2Ez0AyK/ilH0
pmAfTEIryLfAkTcuiDVgoTJ79gPbKbmCsZyLlzEZoYZrOa4BRklLQ+4bxAEC
ovUaJwSHK0R9+ARxBDYxEieIroIYWnElbCB9olvNzJO1hjhG/IzEgNsmNsyM
n+X5EmMAGjU24ptrdDk3Qg6IEEArYOj/GR+Lu9c/W8v2wyIiAtQPHa0bFo4x
uSwZ659npI0iA9STeDQaneOPX5+/Pnx1fC7bpLbnhNUmeUleQKvGwN4rurJy
0Xdaj7fib76Nqe8TEPjg37SKDV6BLoG69QwUjDBo9zd9uVPDJBSXGq7xnL4y
QtRGX+2PtrZ31qEtL4Y/D89bveYJLeNz7zK+6DTDc2jHi5jlyUWNXf6wHicH
8Rag7QPosuGbUotzg3Y9CCjyJRg4QxhgGWglzCLe/epeLpfqcSnAzX5nUXTo
HeIS1c2q4RQ3wgIKq9jn8HAJLWXsd82TrvC9HLmhRUYKLXtKmpK2BR8/JuyW
ckgEOROhh9EmyChzlAuKFAQ0WA1CO62JzXfOgY3Vlai4Z+XmzcAhKeZcgX4g
TWNNJLvIq05OvDEdd36GByG7gC9TxyqSM/EBUL6Oj90L9a3jU1wPvPs2VJXr
T5RIoZWFEIV4exp8bZkzEJf5aU8V4fPEpz/amYcciInzOo0bnFD3YOy5OBLi
TyWYUd37xLuvtU10WfS7xL1goA8L3nAq4v6Cy+SOxJEFXI9Y1TWLAXL1a+wk
uMa+1MpEtZ2phZ4yIkaMjs7a7PWtMM32HuYP0P2FvbLDZAot+5TbNukiD4sJ
qj5OKXSVTuB0g05ag1hx90iznH8jy+QqlyQM0nAKcMPySgR7o+0/OsaUFPJ4
VOmfqAbeaOvJXk4ql2VWXzrnVtKRUSSBOPW5Y0EgZltCUlU3LZ+RciFGQIVK
gmy0QcGZlJXT2vLRwsTkPEhclDgi3zhUIbNi9wXHupp19/ibOrc6YUx8VIkc
gNdkAIIRAgV3iUhCJ0g88R0ntXJWLaotlz+Ba4TH+AvPPkPlmTcgONUBqlaX
F3MJc/ID05D4bM24qMszHCEM7G5Uw0lKGpGFRjE4MWAKXNjNqP9jzI5Wd+wK
eT7NA+FOl82nzHLTKKKaw1tDqwP+iTpBRvJsp6mdqQDBtOFUIpJgACVnr643
fA+/FTJ5M2+nTnoBs4jbIrrKGt7HbMgBMRyI1AKefTn1K2dVp6j/0e7BDeg9
cxvPOkvwq3GypdFPDAx5lBo4pDt9ALziRSmskzLbbtgOn84qTGN+otiwUdQm
eELm1u058G+IHtgLhojfKfy4ZeNL0mI6bErUintNqeZ9CfY8in5EO7Uj4Ty8
aozLhp3aL1MWG+HN425ny4pwgxIA1oP0nZb4k+OgaDrKSVxAHIziT7BX1TkT
ZgPWam9zixiDoXBdi+QGQS48DOCZiChpZIWYmymwItEQVITcIs1FQ+SxlbwA
I3fAES2GOcUP09qgy7//+79zlhGaMP5GmZYhTm+4V8o41PchfvKNMI7DZcGn
6xd/WyfbFpcRka76VN33d2nXYpVqR/0DF0R6xywBnk+cC43ft72rUi/fMUgj
kXLxx1fAvBp2jw7cyDKh8KqAf+7anrPblhNrGPjht2opvmbAn0YOn8FbIaw1
1mtCHg/Bk5S1gnzEC14c6NgnNll0rgqnh+v6HMXxH9YxmcTmBnLdX/PHbBpc
HrZBYgDcNrX6Kf4XbKkpJi6Cu/kZmv8ZOrhsV3h70HXbdeU5hOrRQrSPYLGD
eIdXY7GaXwy2xBEUux3Eu9Rc/ybQ4WaKgQ7ivdb0rI5zsz+Ov/7aHczQUZbo
S9QFSwJzBVECvfDl+EeTIp8BzHSON5nOGdWRzn9BOPQ8m57HICJN009wAWiL
6+VBFJHojY7EJjdOMXNOGOoyREaUB29IDJLht2B49EUAHJXcdB2pgGkcKMeI
UjrwnEz/49vmwhY6W3jfbt5tmPeNmapOK3bVYkpBcOqeHmYacKyOGxAlEg1r
I4MYs0CU4AMTTL1YEfVjQUxXKRDllrezQR4ajjXrMlPu3RJra7klzJ2Htyl3
QurWgL2Ah0rOosAKldPQuOeUO9DvO6DonLSG9EeT8qJQDVLPcmhkDjz2kYl/
N1LlJY6EzatU8XQcn97OL9DZ2DflDmh3w2XaECrQYioC+r3yOjD4zA2ul6Gv
0022R29ARRnHPrA7IA+oSC0HgBhObibo5XILCPAz1wl73/g5etxmolcEnuNj
2ljOGaCTRBxDFaLYxIAp42DQ+ooVZSD5aTwacTMtSqCYZqCoX1Uq5CebsR4d
8+KxSEb6uKSqDaoHvrCUJBDIeE6d1qWLxM4tSVjZClAdMxvr3W8bjPu+ctTQ
BL5ZoggIybNupk1bg8BxsWo4Fh8qEySlLt5BlCGayjjBBLFcHORkbGl+OmGk
9FqtXCeRWRpUnXonCHK71VkIzRsBxcsmIhm9fy+iN63Tzw1Y6g0tz4nJ5pt3
ajLSK8ZPo7zir6iXMhP3BKC4+ismj6Pf/GWRtsVeEGFxgsdVRJ0ZFQVHUkgp
w8mHJpyvug5HrIVoaWXIW51JTKA1UT8qpDmhhqN1AP0Mh+cgtQWlxcL8bA/o
M394lyanHu5gXzK56XCFlgwxEMkvpPx0Cgh61akLGkaf4ZJO9RpD0zw59NRw
EHl/3ZQTXfAzcCHzgaAvaWPQ2TO9WuUO0RbL7FJRAFwsKwqZnF5lQL1uRpGL
36XPKAuLQZYlf+KKxGrx/t1LouAYTd1WQ/hluceHpisSHEmSVueg2gLFH79C
+wmINXE3rR++I+CL55Mo6nKcyvpeVulMmV+QA+MnxCLiv5QnbS5BcEcDS6Ps
Lw06kgQe3CH46WfgGu/LFkrSF8cZIsQxrcKVBcxhAud3Qk9FWbjEC4z4rQ4k
TtotOzsQ/JBh3ws5epwKFrOUbIbCObo9B/yji+KWjXLEg1sO/xrEZAGIyUZa
bflXYC8tY0JMgqRFBDLHHkXwsCSbG1luQtQVsjFRxC1J4JakHCnKt1k9F3fd
31uFRXRcuTRG4Op6Iw/Is5YYum6pF/uA81uxLpsw3GU2ztR9ScO6W8oubJl+
SitERdzwsrzu1XARmDA5uwFc8wnvIshqKo5qVlXWsb0FG311+G9ezaZM4VKz
LGD4VWEG5dABMhY6L9grCTEPx6RNTsW7uVkx2tKFQOpaO2cjVEQNdhQDRuTk
2B1Yp48ENpOhtrryBtzCrRkg7iIjRyg9PKf3lU24UcZWT8mhnctxnk0QczqD
anC0wTj0KCnnROHs2AZeybuNDyOIrcQ9z0n+UmOR807wgg+AITA15LiVNi4w
boH+8hWq2/hqOtooAH+8ITG6s9WKFZnEqaLDml9WACyGBzPRRUX8BvgAMWtR
UlrMKlARlqMYVMDBEmzcKwb1c496pOlU+4xQ6r0RLW8dyX7l44Cz4hC8UYwu
YjV0KdE4tdoZSPCNGcuUDBARVqGXRvGJtolfrOwivOL5srahD4hd5oCA5st5
aDYAsX092aAMAqGnJjtSinLJum3isp3HASpIOe6Y341Nive/pze1+qcOROw/
JTmXvc+i9TFP3B69HRrg/VFagSqjno2L5YnMJPxIbpwrNocRizMap65zuWZo
V4wtA76wR0lEnC/Q8JUfhZMrA+b4O6ZRmgEmwOqS4YHV7p0Eu45SHavIaomU
yKAWCI7ZVzMTB0sUdposMSK8tsBsMRWcwnpAI1Wq3XCxnuciAaCqPODcBfYo
HQJ+7CD4rpIyaS8yOleWc0iqxrLSYZ1E7dVpRrA2SNbL1el80dzo7FEwe1dL
abR034hWg//804r9DuLbVvRtFK3oh0Dxh/X2NpHju2cPVuKjmtPzfuftlZwb
s5Pabq9Lr+jw6Lo17jndHaueT9nswXdk4UxsH+YQrcjOovzWs3U0iQzJJMIf
ZMGnnJTJGzmNr83CZ8804EOP9Q273bvegDWOXVYn73bg8yygy4FqxzBT98Lp
dWBdH9hUY5Tt/s1oJzH7BOo0ua9+I0YI4cqkJZTYAV29KTGO407IYsQWncjR
SlEOOK1e7c2lHTMQ1uK4QJph2O3oNvuPiSdInE4obRKGmNCiAz9rzKylz9L3
6MczDserqd+wlUu9JVG3AQEg5CdUwOqGDmLMqBqPkEL7X2UlvFlRtS8L08n8
0ddWFAfB4Kv1T08k4237f0Hy9KHKYisaFxmmwXeOLzx19HMU9Y7yDX/+HUQ4
dw7nFG2Nz+VY7roDNc5i778ohHMWfO+3g84SrDIIoKoWVhm6vXVj/MCjo0pi
DLu85oWZK+KleZiPNR4RJflgLdTIeA/RDvkyYZAfJZ7XKYactRRYoiqdkEen
Dy1H06XCvaqVWIOJHiVZjvHAms22SVgyjW+bBG3aOg3JBiKizm6bjTfh9uTP
wv0Uj0GO/jhYmayGA+0FxzlptXP4VmVhTpWfnRw8gjvq/WpJk0vkAe4iTxPc
CEkC0Nsjgnj9GWEC/+rj9a29jSha/f4AuFd/HGYFJT9a9Yzkf7cM0CppcPdU
qoZJ8gvVrmRUH+cP66KIGnLJJTYIrlH6GckhDSP+C2IPTJBN6PJC0l8/5voK
IGSlOfaiv0iqib7cuqhg+SvWNqDfBP4+YI8P1GB771mwfG0BbHg2Ty7SD7Kf
D7yf7b3nt+/oz2YMVeVAt31WVZHS90Hb9k1hY+vrUWwAaeiiE2jiyTUwQARP
5sMGOpj2fNlQ7VowEM6BV6gfDmI+HYPzQzq3EfWMzaN48IZrYDOub2u4LSdl
hIgVoZ78xmvU7EsaRIvwDJHnWHOvJFNHLZt00vsUUk5UxmioLiId+NRT4g+O
EpMGjRfvpe8wjKaPWA+isuowBeesiUX+JU8vMD2pYQS8q2HHEMacQ4dBeoCt
GsA80AYecmjYhaMZVhD3CBS6YRzEJTp6HtNpDVzyh1uIBfnGnVskENpsKUyP
9EA2fFhC5l6dvDomKqlOpGv2eowVlqeHlb25fVWeujiJ64cE05ErshCDRquq
CzBcB5ZOOnzhzeOANjjjD37yh+XsVCaXslmuGbIXwZjxn/+a0wp8smwerKmG
JcIQQ5pX2/YuTjGXX8/+ZsvibnQ6lJKfdf1kDOB8UYHqzamt13XfG34ExzL5
tRyG9JNvI2CTBaDZ9IxvS8yAwmJ5D+KWziNR2Fhl+O4+6JHAtH/LMvuz333y
nof/wiXCQ0WeJn+h8JngRFC3ZxdJ6ZqYPZ0kYrlhqZTlIYnsURfjrAo9BlVZ
Sp7pfFXwbw6SDOZlM2u8fg7/ON8wSjVniNW8FMyyAdFGI/c5Li9cr4a4nBfj
mewn/QSi1FUQ7RZMTrNR3BR/c/jLeES05kHo8lTBUQRK+Udn65GNoTaCvRet
xEiGjdwQPhKWpwG0n7/yFE/1SP5rv6RHM92SuYQjfNlyIMBk3DjII4Jvtlbr
ew3gQzrcRDIRO78kzI/GYarGb2IJ3eiyGwqDdW6OGHh8VWZTyvrkMixz6TXK
uaJKkH4PUVRPSt5dfwS4145qRfz9fRY9BUX20IUubqqVDtF+zl9BOrkkCjt6
1aEr1gkDO1pi+Cmpl5FIQbgcWONNC9Shkf6wrLLz9lvnT4po6uU4dMNSlDts
w0WI50FO+8cyA7hPOSt7otSjm7K631/w3u/CXeBA3wSDMuaykHwFjLHp+RqP
pONPi0wivtF9uX1ePS/3VkckwhPGBwkT4I+l2slvHR6f8iuU1jrOooiYLetK
Mt3qV4vhEqooNC/YPeD/oOfb9SQVFt4JTKoKZVHFQqbxzOyeowpZgRvn/S3p
q16eKlCNJb3fdd0iR86SdbdbW8+j64EP8+7/1nKeC579KLqn79xXX6keuOtt
IsvpXJO/gdZFDbkYpzgAi7Iaf+txu/W4R2+Lyzt691k/TeBFS7f4uIXNzJW8
RvrumD2T44CuAw4Lb6w2vAdMiipxOyhhRCugkMOE9YlwnISdIvAM7Fv+OeKb
wFpM1yZhTYCaEv4kzpdyLyw34UW999o2eelGK2evzmpOmV2w13ibXlWu9FYV
gPgpKdy4AHWK5KVYgPzGJydWXWzLzsBfPZABJ+9arrOroIQkbDjv8xtJIapS
VcGOjCQiUR4ukfwc+UELmxY5Zatw1ug43QUaF0E5IDI4TVAs4zjDVqCDx7h1
+yhQfesTaJNl3ODBqcGUalV9c/j+7IeYqmFuKABbTCKSS5MG6CSIfWsYWVOf
IMMZkFqyfC7SVBQB7a2oUYUse+Q0Y9MveclJV9a61XVOkcxrXnUfsaAoGQnW
xG9AhgyXtOHitPpNWM6E4rIHdI1ko0hSHPh7AQaiIJpskjs5iVxnTD+xT6fp
Rz4tA3GSppJIlbpooBUcpE0K60MxNbdgUFjPC6mjgbyya8EExJU2ySg3Set0
yWAtdZh6Y27EM8uAmMTiEzgNY3LwrWt0ah2i+8d0g46G9eLo91b7oiCU9ad1
aoHwHGa9eFTbZEucphjFQjOONv0f/+W/mnQWvgwFbpGHxqSHtCYkpYhN9O2F
0fuNt/dj3nMYkJzHpykqslwEoLxJAhb1/GWxM2n6D9mhBM2j6Uuy0HFP4zwr
Pop11ftnYCISKe3gbkDlD9yICRLzWQE9hhlZ12cf2F1jIBIXuRK3YkRclAHY
kx/ZowAPlY12geEWTZrVyqYlWQ4HdaGHEIFufjPk9NXE2jn/O7IkEItUst5t
5tGO02NROp6eZCQ/km0Wa5i8+nGDDLnza6mTAs3dcuEreyKRsoxTG5PM4Hx2
CmIfr9nvz9lc9bYvk4VP1QFj+ZNYPZV1UjAnRxUrEEeg1/vB589/wDKRX74c
EII5Zy8rZ2MeBlDUmuWSA4hlOybBkIhDge7lTICWQ3w1ERXhOVWyOLtXoHOg
XQTqILxU8a0jCRaVMwOrRRD7+HmbTzBuXVrJxqupRZ6t6kBVk/oYaOdg7w6B
DqCwmjUnvas+oyf8sXAbTnrvDbk+VNF5D75zAKrJh+ZcZX1u55XkLmauaw86
t2oVMhue38vqch5gFYA8UryqxhbFfECxvEJ2pta7dYYhwf0Db5oPuaIvGwZD
am+PQJ0fgzoIjuIuO6CJ1ydUoAOoFCs30TahR9dPX/HFU9S4N6eOvdK666wA
Mnp5gcm7PClW7VZLgCBHPQMjzHKuffjAd7hG5qyel7eGVqV/wXrsnjH96eyv
LzBzB9W1CHwAnOkfvahNH82ugvY1Y/IJgAyfDuJEVCxxt1nJ7okaps+MBSfu
aaX/NqUZbCRwOMXAu2Iyt8WskPf6pGkx8Gbz3LnIIGiuYZ81+u0/nb55PRKC
aYrl4LS8aEVtkgqLwoCGGVEEUcQwBA6Efzh3QR7nYYPYu3c5KxO2RTQuxMlV
ygyjq3oOdppOciFiWcX5BDQkYZJ2w/9o8cxXOZ29xJ2XVECsu38i8HbvSbA1
OYVxah3MqR2KeefLqjjA1gfnH7glbXXIB/Lh3hOiZfW2uVq0hXY4cFNi7965
ZhbZm0CEc5sdm4+LPPmRzszgiK8TDGiiiLgEOJbil7QqTcrnCrE4EX2KrUhq
LU7seYCO3lIZgCm0LDhdkk0rNQc6N018wqbxspiSUUYgRg5KDKnCyWBlR1Kx
djxkJVyDkAcGXEffhP9Dje3xQfzoPz+KySOAXMJY6Knid98dxc+ePt+OW52+
iaIncRsfPWnho4PV2GgNcF/6bDLdHe6mu0+Hu/tbs+F4Z3druJ2Mk50k3Z2M
p8kaV9vWiebXGOvBeOtPf8JUTS2EBT9hoNxn8Z4AVDWF/7d5EF8+0ulwNpwM
57JTPRq4ThRl+gSLgP/0ZEWMEk20v/6nP312jhpPBGJFiqT+n40bh37XBe1s
7U1mk83tzWfTvd1nafp88uz588396ez5fvp0Nn72yPX9MrCTSC7bJ/Fue3xf
Jc43gql++ilwJqF2aB7F23qCGvpaGupfbpF7+5vrl48mm9P00caX/3y7S8r9
/me24tciRoInwXb48xwNkJ2j1K/qWTwrS/hruLu5e9CzyMtHfUvf33y+u/9s
b/ZsPH4+3n86TZLZzt7Tzafj6fZk5/nWbG9nP9mazrYn6d7WHvw0mTxqjfLl
y88/D4IL4HA6c/r7ndN/yIm3DusngJn958n+/rNnu3tb27ubsPCnu88398Zb
0+neLEmfzx79/PPPX758++3Gzx6aVQh4Eu/IcxTsMwL8Mdje3N57Ij9oKM+a
7xySFPhhG3ZkYR5jiATMzGLXHCXY20r2Zvs7O8OnW5PN4e7ebG/4bG8vHe7u
pM+293YnW88299fsPte0uL1Z5ZO79j36zcDJiMmN8vOXn4GF/PZbOse1e23i
t6OqA0UNOh9Oh7PhZHaue+IqjcGkqfYCZNWDju4CrUGnM5U6Jay/BWCxHTbQ
5FqkZ+YVrn2fTDFr5XeS5mst7OEQ53b7tes3HWsHBzs8enXcPxThlZJBfufA
rkV8lHEO0/5LuA7FKuMEG+5uP999vv90+/lea1W24S/yegf9Df6x/MQncPlo
9nQ/3d2a7ezubyf72+mzR7/iubrt6Hv9sgGQ6tTLnURtnWKoTpU8d4HhrzhN
mfd76HpLa6q2gcvTNuCUEjSLqbHjs3vhqCzIS1KNkxfOudVnsWO7MwhAJpWd
dHZVmTTLCmaWVjrHHJGsvA5VKyhg3ixE7+Qz19OKhcnm9Bojv391S9cK6S5U
XA2kLMKtCX5fC4LQDqm4cHYBHDem58FAa5++3ubmp/2zNswn4efC85I/v5My
XzbZyWLP/rT3SmHPV/jb0tfb8zX1xuvBLfnrB3HaTLReZX8UAIZfEBWU9HUa
DIV7eIX54xosGHJWxieapjVef3V2suF8TJxRPWzzBtqwsgRau9OjmE0sm0wW
BAwzTWpYcyftPQnrPflMe4qf9dd3OPYqAJ/yj1VSbo1NuDheLaxbeAR/GrRs
CkSii4e3M1vmppS8sPmH7flEKvYzvrGz+bhxb9nhgFLerSYVpzKPBLfYbp58
NClzg4gpv3RAHwAhpBqnEiJFioeaYLR6oGkBBiMvb7hohQVEnIikGbskF38+
gAc0z9h9e4qqv18YF+mvrP225cfwlLngBrszdMvEy0crDPbUkpe6US4MG6tv
kMuSSwDNYibHAfTUUrIJGYRTxPLOwOeS29HjTpmwvoWttRqtaaVNfay+2kCn
ztHqcmWaZGai11Pfsz7ZgvNUkloMlbNCEvq2Cq/Eb/XIVyMLSqC7LZuyBDZX
UqfUJarONeX2wGTmaWU2XFXdzJf4W1Jt1WnnEvq2gquQV88eY29aMLZqe6cp
5ZTo26WpzxZbhGIgz9XVVoUiYVV0itZ6N96D9T7Lfqyp809UdO2DuBDDW2+V
oaUL6PgHRD69Ano17Cao5QVPXSnDzuJUfJaVtSJl77Gyj+mNOSzlMShO90bc
zLp2JK3e4N6wsxk6G7QtpdhZdUIfhzC3rJtTqDrd3E3vXXPNp6AaoauqwxUS
XQHdMGmxZt9K+ym3Jc29y6WJh351CgZclXGeUpJMrPHTu+pyUWrFvv61rwNT
M9zQFL6hYl2yKneKOuJPVUYA7S2HMIxD4TyqDLohGnphsNpphTg+Hm9t1WLd
WvM0mQ7ZfQuG9+sJjrbvDPmChv6wHEoDVm0oKXaQy+OblnNUH2J+Bz3UgTCR
M6LLMG81z087zbJ/0pLGh5IhWF6RaZXLmd7TmZHAmbYnlwBvzTfJG5S2OOOJ
J/aGfbHG5trlLHO5GdZ90tRuZgjDm5C6m1S/NANrz7FyEjQxhhTKLhAdcRp9
ypHgZkKgmFyWWMEVyR3AxQcAkA8up3LAdr3VXs6B1U18E3KPNW5bgoDVWnGf
dJOB9pADSPoTT0Y28aTnfn5N4kkABEwrdhCYkUI1JhuQ0K0sT4qLZXLhvNDQ
1qNZJx1aVo8z+1tvqkebaRLnMkHkmtQHH0dKq6g1tgzb+59da1iDPiDOMil/
yszs+Bbsq+v3dqv3Ir9iZWJ7b4s9C/GQWtki8ZyQk9DzIylaQwjYY44eNWUZ
XnsprTAd4HKMTd9x4uGbNRQkdJBhTR+p9vplkHaNuBRnT8r9cFIVnhiwHBib
jMM4EJBwt2hQQM5KVnslVUaWRY4lvhLTBsYSOfTSxEdZPwi7VVzgEn2HKUGf
LhTAOPbePQqqdhZfb84Hg+MI4djxYY5hw+GqXXlYYbJ1Un0fJl2I91RigzPG
8HYOz2XqdCDdcmE8b4N7YDFiJgcTc4qeRX2IjALFu5jCm1ydoFGA16cP1QcV
+JBL3cM+FY1lkq1/JV5HOwE0RzUpa+z0KLeuTpkzeQ3+BbcCwzR9pF3Pefiy
z02FKtbU9HMTROgxpUHs0r3DSlcnHcVl+pmYJuL1MsoIPNhtTlRF8LZslj9d
l3OqKSnjaGqC/JgnGcToSHRgaqeRr3hQWbqlJ8HgUaclwSgEoSereJW+abns
Ip4LjqZVE26DLyX6I5eJ0DP+Ri2ogBhmqAxegfNh5g/OfVntsB3PZaMztoRE
fuIsML8CXXdep33Q3dy+VHGHlCidPL/3eabhAzXrD5CGU0nJxzZAOc5AVnnL
ZDKCdzqnK3uhBXw619Rz/j5HZf+3VobKQ53CVqLf2h+iq0iMheCrG3FykLSR
ip9t+QOV/SKrrfWHS3SNSp+00uoCAr/Iy7G5oZFm58XXJ+5T3EQaFFqlUqMx
XBwTYn2YAx1SgGmUEE4+g4hSjNXqSykDoupyRqkWWZYexHlZflwumD8Tfp7K
sdnsTqjhjlYcEMmc3T0mzKz1AGRkWncClMV1BE8PvVYp26NWy4QtT9OcaCm6
j3HKRzsaamBNjRl0GOgoevxFf4+ZVMU9ktn83Qizq274dQw0W9iJzRbmgPRv
Yh/ykKqw3MIqFgMAVlmiP88INp6gGmdTMIIZUHM2ceQzhyRKpWtbVcFhbczF
mZBvxVUmYQKRQALmjFZ9ulwWJppSZsN50MIB5hyNzBnbNp32mX37MzrCCqfh
iBJTmIvkNgki9uEm5IUqWFwWSAmsgXeSIEsRDIx1RgapOD1FVXHhXZxZ/uBG
sE2ypkQy7tQ51MoBsYSgZTdK8UufYngVieC8KjmiyAcrd9zk+A2rIdB5zvPI
Qe5m9YUcRHbtWO8Pff3xZQ20OWZhYwW8p6Z0JGxM4BQkjn2JEr5XzivCi6J6
OMZCyQfq8AuhCQqZZ6pa5tOo03xVOjHDBwWCVUvM6ebKwgb9ubLCrjZXlnGz
Qxhw6cB6c5adWw71PtnK+lYUpBVbtbDflFZsxcSczAuvwWX+2ty4vXErRdjq
hqirYQfcMDsYVTVxKFZ9mvGkhSMCDHvgCL0mXovXGZ6QpVCLsouPdWw0xZm3
eiBr4OLo0Y7iOsqT8/ydM+IFA/qNuDFRJEgKXbCUMpZci/q27zM6pU8mxpmQ
twV3w09L8mRuh28fYd1kM0h6mPmAg0XejT1onYKCy+WyaWdD6pEbXj92TRpS
mAUJtFrqAmVJzc93caYMc7Be5Um/lr+Ddr8fXxosLWBP369kSHnjKp75fL1d
ZhTWHTCi2BsgYur0xvhknV7SHTtrLUqRkWW6MKlDa+GjNsvZOjF+eGRQYVU0
P+eVLQGG8mSSUoET80AVjO7ImejeqZkweKetrS5Uhl5Rc4bEaRH1Oo9Hi86b
S6HaDbKD4LW35hXCBwBTVSAco3E1LGrQKQVmZuHyFnaZYRuhbzDKNKu5Zj3l
6SR+TOTbQMQTWVAQvtGqnXs/EFQmGVQhwwjZnmLO2QUFHgAvhrnIYwzcjrCT
/kQJtSSfs6AJYj2DtFqusdJobYmSf28iLvL9xkiBAi6obiiUQJwGugWwbpzX
SY8WROR9568hEXkd4y+07lQjxpKuWCaFWdUw5EBDNcQ/l+IgvUtInWR6Kqjo
feyCEx6b+rfOFqJfkRERW72tyKERDk6hzSjCJUXDgsDMjCKX6+MgcCjW6zHP
mqJfA9C0jNQSOgzlNDZGJcI3noH3YAPot0BmA/mAP6liueOVKuiYPJ5Q49tu
MEQX6GrqFMWqRfH9t4L+re/t7g4Fu+7bQffW93Z3b9vzA+wEA3RatIfwlrZh
qMh2Q7QtcisG8tYmP9BeMFDHLLVipNBT9SDeD0YJvna7OhO19XkZ1mTV9kM+
aw15j173ncoDwua9JumOjjYDA7jWXvDtr6D0BnMeCC1oAX1A6BUZGy1yS9K5
jxLPuY2orjh8JgEb0DNjSzl5nwnVeUMLZ4UPK1BS90zoXOON98B9ZvU+AZIE
rfMiA+1zz8ztNN3d7NmJc4yzlt/7rM7a/sMqXJPu+nbN+h7mCXCfpXTt+iI0
dNBGkGmlb0EPNPLfY3E9BnPNxWVRkVvZvlmZNZtrMeNeSzknCbp7MWow1xXc
B6MFmcJ6zgwjy8mvB7DCca/rjuSZRNaDQsnV7SSZYOAv1VoiJsGt535bKaay
0rv200EMm3fvZNLvw1TfvgNyq0IPxdTmob/nZtQ3SVWJgYMq86/2kXIGjHPz
E3OwwiapV4iTUWF515foHa7OHuSz5DxjIzOd6De7fhrCiqefkknjU1rxy6vl
UCK1S4r1esPncGs42YPz+hBv6BHtpPWBi4hRIBqCBipiB742F6yPE4oaoXEd
F40KKdRESwIXoC3lbKM7wSqVu9Qh8kPAtYbW13MOXPEZ1bl1yhWHqjmaZ8NB
w2oMjn9sXVwvD0lzuWxGOrEyeHIYTn7XH/qtUHRe6qHwNf3VbvhreIA2/Eny
TFxrQPtd4ug1+oaVviX6s7+mA+O7Wx8PDeSosmw+IP9u0r4K2/RieZpHtQOt
W2fURjopnWJA/1tKjETAFOuuqUs/m0wlcQd6MMC938w16VA9uUyp8Js8jVtW
Q0P34gv03K9DoZcPS5Sq9JWCSshpoOZEd2ztMPfCfrOmWh3FrouLtgVgW5Zc
XNrFg6M9pNpbNPxrAEwK4r1BBDeB4QN5csOoiTKfpp94HCktzz79WqTDlTuy
oFSlUbeCnXs6q1+Z1ZfpDz2viFfrzLicC5lkFFy+Pi/zO+1HHX2WnKKZXy8l
5t31v3+hEhE9U/dVDbmroTdt3tWSAuF/hbOQQ4Pmxbc1ey4Ep+7gfg72uE7z
fPixQHWKxZKBccoMzQYAcaGxqP8N2ufQbR+5jGGeFheARspFgk+erHoSnB5a
B+wJSGmD2w3l62QIxPW9r72NzIEf59BHiabScmYML2H+xd4Ue20FDfnwERPP
5Ad+E72ceWbdxypO7nmVJlOJJIB3HmSBEOYY4TVAXS/cfSdiZQJGgGMvuAIN
vskZDJajuutkFmHB3MWSfHL1GTNJpPo6qMzSz+pFdmOy4e1QKkrHp0ySBXlZ
cl4ByTiFqhuxXhvYQQsTMsB9ZjkQdDlhFWOGcVniW6Rah1O6n/RTOqGUAxpp
gb5RGvMjxQsnqdIUWGggxOiCNV+zGKMneYnYSDRoTnvlUP4GevHMvPnThbmk
AW9F0WM0Fq6UvbyCsk64DhhKLL9USZSN/pwp0bttK4zgslqnpMNOLtHPEz2k
iOZq8FcBgk5ZfeQsC7Nkwl54FTpiozfy65OjjQEjBPinuiDLmKSBDRZrTYoh
hTpRVs4SKUdfmbc1DI2UAZUnaU3fNvV3j2exp+tnoUcCKUVzRBjAL5fLYqpG
ox62N4zd4Yxb/zra23xuokKQidCwNq64Rl4VVFyXFk3hAnhwnosl1ShPl1r2
mzBssPs5lggjE7PkzpWrxoSRnUlVgekqRYy2KMmvyWzXLbLG4Hmf/eS44lsX
mXBTU0lc1NCJKY7B6RVvWfT2aGu03V043mNr+JV32bOBcTpJXBXQYIhwcSkv
iqYL6xPOuFiXu0bruIKFrzHxipT60Ix4nOwren+Mtc6RiAx+M7XqiT7kMM9u
UGJQDtiYr1YIDJaNSB0bcY/Gywc0ZrbjHg3p7lHq3t9l3dc9J7D9EHTu3ZEy
Vz5kJmrrypbefx5a1MP70caSutjCBJx+Z1oL+Kv//t8s/vue5A+LZFlsQHc3
lk20gnKfjOTNR+3X5SWbyAWrhKGy4vvsM8a4KBN8JZfZFKZRSx5SxUgEIaDD
ddqsfnldyR/HcwWwf+u7Cl5In5jcD/F3tDRc9lecltkEK/HtBKamKApaCJ0l
goEbTDXFImxHhSrKnykh8iZWHfUxM2ARJDkcxXtgrGAC0gRW5gO+vqyAAMyW
ZEg8eRNXEpHnew2ogmyW5BHaEuxwWImT4svJQylcM8c2pXGVXDtPYCnUi4gq
Qm1ZaAjuKmrQF996U/MhkS5Ril8Bf0N8k9bCwqPigpjRVCLJpzY2jIZSDk3H
MC5crM6hxIuccK+4yNPIDNDeps63UkdFUbni44YhAj6Q3UmyzjOFdWaP6lCD
GLHEHkS4JWTs9bHREgBhg/bq2IYL4BBkOJb19YzGO24XGvY8VBwoJaPQUSLR
EGj/MOlcgnmcUliSOInvBS8uVHm2Ru8nuP0zRFT9wTuvq5eksoJtKHNR1w4w
tKa3hzJ9kP4n2odRjyhX5tNe4sIt6CGNHtmXzVaZlso24OqDvVkZgpxGNcUv
JV7DuT3/7RfuotxsOQK2ePuAYkoVqilSbcZVF16r5nHclEh2+PO5tP6FsFzg
H2PWbryUSFsC+3bqFlc/XZbccVTCbEiqcrFjMlIxKtFgKTYa62tmihxZVwR9
v3rpLdVHa1uiAMEthV73ptJMCwhG0Wqt3lxMahiA057J+bPCa5AJQ5cKJqHl
shYhH04otIdett99j+o1NF6sXqixiYYwEBhEUagIOFJnDw1TVmOf7CqbokM9
OhaaMJ4N5UMiDQahTPftrMjBKXPuElh/R0Vg/VKsdw+0NRXhHbzUfBnOoybz
GYlJeGI+h7KEfwSAOTKVPxLSZFA9zozRRYL8EhJGQPyMib5qswNcGtkybAQR
yK+1Wqk/bFvl3MZdlBSwFSzs8s00l4pKZp2OGrY6nEzaRYdJWWbGiVZiTpvL
xqdLJxQWANqZ8UEPuT48xjdecEJlqRTaAX4uYNduwyS9WtR7djB83l09SJV7
97ioIHbcYHj/4nYVQAA+NYSA8370Z/zWbn3diYYBR4Hi6QUZ8DjbBGsBbjPh
kXcwgBoIAoPI0UIuFrdyeUlhLJGi/vKMhaUUwAa8xjSSrNsofW0GNxVRMMcM
SMZvYGVHAdOsilMibJxGnQJiyGEOnsIN0D6fMMblwQFA9KrnJH6XcmjAW+B/
b6zlAZVA3ofSJM+huqF1RjxqhFCqBcZxD2G7RLJuCO/nFiPer8Hcq+iqP+Ve
24aLO2NaqxEnphjKlQtKg3/2WDyEY1dqKn/ya+AWs9zEMtMfbvx1ye/1h3UQ
AnitavP42v0SBAZIhz/bLjBc/XH44vjtu+Ojw7PjF+L9FbcayJLieEO5jGQy
hEuqxM8r1r97dpktpOVTLqW5WNWwpsDFIUu1WltSgsbxO2pMDmKusOm1J/IN
MwOK85YJPuOPXApla6s9IFMiJETwdeceHI3alyTfx7CiSGu4eOi/q4VC2998
r2GFLvSu3qX7pXUW6EnWD4e/0alsBQpRc0oYc0ieHE6cUu9/pMiozmZDsqNH
Lc+DxZRNE7dYWG0MIjpZXxUdbsrZDjSIRvQdTWdVJG2LUqRtcWg0KCmTXGYa
wNCz+FtXDEt0/lj8UgNuzBnEiY+iBuu1Kx7SNxsancoLxmCOQ0RjVcrVy/tq
R/qSKIjscL0nDRdCpRu2KGRVBKjoZqSkZVM5py7CL4ERydutuqfqkuIjD15O
2WUr4Agtdm5BCJdBSMdL8r5KB5SjmLKb8Z9oaZst4YrZf520ImgKw9+5/AP/
mxzkb0wCdKwzXTbdlDwMjeSULtuU8DsX3sdEuLMrlqiXFQp++U2H7D8Yimh2
PXGHZQNLWABJklVqHXeFV4YleEwcYeo5Ud6eGAsNOeXjn5TMhczsrK769lJj
DJGBTqqsLqWyyLmwaUgF4D9mwaQMJB6U3A5QyYmNbDygGAqzxlVndOY1nud2
l5CQisGhhWfWJl2BB+KJmLPrMk9J1Ne6JCuXl3hlml1g/Dq9FlmG87nUl6TP
UjvH6gOiYAq6U+Ko0oTm52A5WahGYDHtDBwVQSo6fn8y3H0Wr1OZKkyiI9E8
JvvmLtcKx5b7u/GrwyPknNAsAgd5cnx8PHy2uT16A6zSIaYW7PMFeij8yvh6
JWLNXYQbeMobOHl7tYvLg//uu4X9v7eKgH9oVWElnrtd8FADlsQkH/MAQmZ4
TOQz3FBYdBftTL/DHhAD49i6dmRZQi9K1rr/PhMt/URBjbYtJLUJuyvdfyoO
Q1TWyQ+2Y5206luzqHmELQx61zIcRKUFOgMf7+xKOEnxDjyGQ+N5GZirA5SY
iH4wXAyWqwSJwCdoDQrXwNgupSf7f6eaLdAZoBl/kDOjP6GB+DNkjCRF6deK
BtLwozh+pS2yOgwRs2eBAw91LO+p1+E+/fXs0kNwTnNW9c8eoQ/SXt3qytdZ
hXOl+6oVwh8ygySHG0HKCN9we0mW16ayo8mDwf6GAqxRCKxOtPvjV1RdC663
mk2e7zzf4RJN6LYdRWZSF/HZEvCM4KCt2aNQhTwea/R1+PXXqEHtERys5M7N
IQhqs01l+oCrTmyFbi3bobP682Sm6wpfclkEfKdfh3OPYtTjIim7rhHeM545
FMpqRgW+FiShp3AkwnvgnJlo77zqKdyQhF+TTgzeaoH1T7MJB2zfp+WwXs5m
2SeK2u7tkOQLEBh02J0VrabpJJuj7nx3RYM6nV+hGLu1v/Osvw3mpHjCYGX0
VafKaetDec1Sj30vKIp0IYofSHOL5LROcpZPcwzYMJsv57e0hxZD7uPSTVNS
4FU9TBbupkomH23YuPcv1BJpWjkPrjxPrjDVJ7mVxZibEFMmkkMZansGHMPQ
MrayaXTDk5WOlDKK3sEBjXEhvmjkCuHQJPlSjT9COfa9gkWX1R8RYWAB48Gq
7dempCEACONSFD1O+icHYeCasHxWk/jjH1qPuxX57dYmCwiIIwDIKBbR0yQR
WuiPTelNSUR0IQg0aOtls5h6pmkWE76mvsmN0p2LMTXGXJbNU1OECVs5lbUf
uVWnzyzXlXKUVCqiT8WMhFWwLVh1RJl0bmI55CyQ+NGMRgFGPtyFMI5EmXBP
idOmlCC3Qn/ErLp7ArbSIa4X11cHG/G+WBy8MkbLh92oP0a4Qc4VTqZskzzE
TycOp2SQye/Y5opZGLf6IZPq7iNzm1gWdTJj37oC2ascL15TebQUmueBgch6
vidOQqIVYNUslZh0VeLIeGakKV4tAHynMWW+sb5gtedPZPvnWLF2b1sGoD92
zo1iJQ80vroTyRKEf8M/9ddIJrY/+TXCrzwX6no3onCt+nFnXX7YiFqnxoP6
Sh7BH9LJkobvUHcQEALWJsidOP1weBtT43zsPYYAz+Yp8QMdNQ4hKzuaQyoE
j5rtkF6tZLtpDcLgQ87no8iZHFAjlEkSINK+1PYpU0k8YNEJY7kiMcqpSvqO
QV+mBqqZmuLqfCFK8gosbLyRM/Hbnckp1CZA3te4xMXpgCwnamnWviFMumTO
w2XntgDn+vZaFbJ66BVeynriHP47E03lOsNvqkdTm0L4lTRuak5od0RN2tDJ
QmpLCFt51t403OsbblkgWSDPK7URtIaaz5m2q2Eg/NxMxmoCCD/Q6Uiwb2sh
z29ZCOmkebqt4FBR2+6u5Dcq2D1YMNceXGYYvsE9sANR62opJvRVOnXShhpd
qMXL7vmNdFYGkTA24iEzPqo9u4XGNkcv6rRpyDGODJVLLhmCTaZubgXBQDv+
4P1mhdMJU/ySG55gOAx1+BVjq/ZZFh9O0X4LYZzCA2eLvHqB3IgqZUiB+Gte
NedcGFN909qtpOe9hWrO37iYZeHdS8Rs40/BPOFANfng83aSOcecjlMui5hM
1ReQHSX9rhU1BArFh1+zDuMGBqQS6AUfPGTCgfXplDxNlqRjQkfoUfDc+7BT
oER80LxRJo/RD2usGnE7fmLl8i1XJp6pEQuLBRZZunL8E2fsx9Q5CctmqHCy
D7yNUkPF5cM2Jzq8WqBCTIcoX8A0JFo4zyyu2Czh5DdwC/CYUpIXVSHIvTGp
Z4MVZVIQNibNSL1DyeUBR5R6TyLpgVC39hK3r5W/4kNkEwmhrsXrL787JB37
ZdZgYutI5kAXi/kimdCPMrFEZtLOLdc1SRaJZLy/xRz4xyjDKLOU2azxDTo2
pfmM6uJItiEslM7Tk/PuhOxSZPTC8Dh2NHGKtncgW4rDyxk5/VjGsW1biaJ3
zvoR6gGr1MiSzrrE+p62vDG5TCcfWanrCgFFotpB2KPCFWisHZjkqd0QMSo6
z77lcD9upFF8GPBmnIs/8vUZSJfpfFNdED3sxxeScUYeqtJlLXBm2xylX9j0
BAN5/hx84i1wKDmckwv6+ejWklQAEygO7G+ypKMJnqq+Y6cD0MGtm3s7CWPX
wf7Qe86ITEp3r5WnqRgDFoXu9xE5JwiuU+uAI5escf02Bud8jHV1a84GRUUF
uFhMbm1pND9rVLh9DGx+7a9VTW3Gmd09ecogit5IWiA7q7SoOFVIM/MgqSQr
WWjGbBUwJxOlZP5k+x+8MUqfhqBItkBv/IunS0Y3xoMJHy+ZOVf7GBkrgun5
psi5nV8yTUfSKyVxwyhV2ufZu/fHPMtYnBt1RdOeJbHwd4tZFK0Rq7zHyMQA
bMiEQ03HhGYlXRzVCQZOhasV0woaKa4hoE6Rn1wsWzRKWKhYMoglwB9S3KnJ
kdsjvgWq3l6g7IY23dWsbYyNoh5/JhC/eLgVnUR+399Z/0kDQw+kR8y3o3/+
vGGl9EMxdHaRbmi1vL2CHXXGG9h9NgQoIOlyf5f+iWbeIO7sO7KxqoUV9WkZ
XqNzC1nTJX1HZrK1lhMoF6GjIqOYQ8frU/Sp663ii5M4CB7BZkDhaA5dROBT
1+MbBoebLjPYm/uAJTmXGWzR/RK1W3yjpeWxOlu8H7Xat74/i1omn639XTL5
8EajqMcTDWFIvo+yxdWuXtk92u67tj4U6YhMdYHbsTFkIv7qRhRqPFLhPDy8
9ClmTpc/dlUQ3/lB/Pb4lRRznGJdEFS7v6VITVjMSTErV5pttnZ8XCjaJkwq
0JWxf635OH7XBIaa0NeV8+49bFrARZc6dydeWBI1akAvI2i2auFnn4CGgjCK
m57Vm9Eoo7tkviATFo5kP5syITI8b44j5muJkSGFwTTDZJ25OxJCJqRCKyhD
5SQVHs5vPQiahN3Sq9TFHr05Pf6ADuuAAvTfp2mz8pSfqkku7TvgTujjOboH
CNXGMMPT16Ot+MXxu9921bvdyOPepyAxww99ET1Bo7wPHu9czU840ukPh8Nt
cqzaYG01UmcbOd2JcZBFMYlouf7nJUFfEhyITb+aSPL/WOTS9znII0mTaqZ4
Ywgi9wTyx2beqV5O0OWPdS6I54AYclp9xxs4xB2yExwaZSGqJzw2PCFOGhZe
5Vl7863YqlkmVkX7ELPZ7QfQXhU/6wcsDeEJO/3qFWLnhyyT+fCDbiA+nX5B
Sh11jOBaW0uGevZB6/dIcEENVMiuIIqKKsZmPsHMNf3+yHcFcj+om4njfng/
h4zv0bkVA36/ybox2Xd37I0dv3t5vaHj9+vWB7z36BtwoX1XqZak3XUMbtno
a+oORtvu3dHWXZl22A879Jyetny6ToA54qfmegQXq22frStV8u16TlibP18x
9KrTVR59q79fP+xop+31Me3Y82snzm34nXoutZKodD2bKOK1ryNaeMjbqvZu
3t14a8ASa+wVUa+NuMi5+2CKpvVlEKBCTWZA47IlfuCjyPuKSuVGLr6zLChU
b6oVTyhkyPhIWmsWHdkck5JWLsFauz9wb+zG0ICobZLlWLfLtb01UX3w4siP
IPRY9+XPW3oO66wepBHo3kg7UYAUfxFHm54OtTh8/UtP8EZnsFaUjvh2qVTU
ujm2NKyGDin7DJxChiyh5GUUGtVKt8TRYa7CMs3GFR+zynu7HBY37ni7EWpt
wDLiW2F8FqSEsSpVufGIPUfgR1YzOw8PNx17UqJvhXikdEbMalXhYJHxobjd
tngsDqkPubyeA+QSlCR/TbPkIsIb3DyIf4L/2xzEl482Nx/FP8c/Y9DTlvl5
awt+HsBfW/TXNjXSayR79rhsLgXAuoP7od3AflgdBhPMr1hcT3+/ENe/6p4d
pxfoglGLAaXUY3R4b4/eiaHr7O0rquQJ/x14eMJYPWoYJuphRxwenb3USRfK
IfdY9YEUk6wGHjpVaxvuYbEOocbvyMGqhUY58ImRJz5P+tMqzXuLMcluQ4YX
61MllX8vhHc6mZ9G4UyZUV7oQIIb58nfS8F6m4Rb/d9bOELdwj/dGK7Y+fYx
GXKNfHNo8tM8Kw6kYZFeUMQzNJ0NYMZP+oGqGsuHn6P2eErJdn102UZku6CL
AQgMkR1ff3PW7RYq55Hd6YiPhVzJJF/WaCvhRlLrUw4O/YzYwwc2oM5GMww8
RtoUnDcW/8BFnLcgcqBpvKgbhWEXKYo9SZWhqfmTzC8lKDoFFTgdQ09JCs1s
HkUr+nhX69DVw6mV+RmS+FG4/B0AVYg8bwRrsSo0Y7vVwDbk/HgLNr3iQ0XP
bY5b83JtbR774crNuUIj7QTvWDZD85Ov8OMbYXGLpON6zmekpS5aOSD7s78N
DG3wXtp+Sbc6k/eyQS4IWYT8YDKligBCHLCFY6aVpj3hw/P0jLzV9biZ+Mio
fWdCr2DVcV9KOT9PjVzFO1sGeVXJCXjnEVZKnWGG6QOLkSSSFz9NKNjggKJP
25k9fo5+pqf6+SD+Soe+AgBr8vSbtVWLJrULGXDW1DtsxQLPezYIyBVYEaGy
XHoAV3/eSbDZE7UhzXlH5yaYzd75CjBRjqNn2FYRcjL/SQ0Xx4ms3iJyjhk+
K+KvV7ezRlu/xpAd6kuEGFY10uMaRS+cu2trtFrySfQMpspEX2iY/VDrFK+l
udc2MaXGJ2QgMpcHCAMnEG+TDd0ZGa85+I+iorhyn1rrrKervVHSSwDPKiai
ZUWof0qeftEpGXU1LdLqhSIdd+iWkKCzH6zCNO3rIDXQNL3KJqmmw6Jc/p4t
1aPvjohGtzwPKAsq2BaYuQs4L2RO7wFVNSFT5oyu4QcQjlbvOMm5JhF6hw+U
S5EMU0L5AvrTB32J+Eh+kn2PpIwfVgeS/M1zrPrQKKOOFnWkL3FQ+kyekNbh
NNn4bR4S8nkQa7tn9HxYiBuAoYdXUeoklMsOk6nBoQgppTJ+0P/vy4L1YUQJ
jsqzlxsIbwLuEmfUZNWKK28fgUNuDkCp2X0gUBGIxUxdTOHGJfHTFqZbDZYO
9joZW0yeFkefSnLCz++mU4c1l+WTWN4abryZLAGeKJdHKxGSGDEXSdabPVCc
2x3fCJyY8RNHx+m+YLKBsuBqO8SbI1OAfzCC4OoMf0moIhl5XJ+VGraO6txV
NzPwGAdxKC/FXoPLlRWYxQmYjpEvwrtwt/gdbL4ZmOE0PgUjOcLSVEZ/70L0
zIC2hAuAXDHoYkbRepDPE5fYqoxkRgxfcoG0kPkTN3iHBkqQYDvuUhyr2uum
wBfg0mvnlO03wDCb1d7xg9wcyulNkDWSrmwgNEOYKQmATCpltayBoc1ASgH5
6lFtk2H/FZ/LkHsHx6nbo/E6PAyDJk3zt7d2xEHLz+KqzKbsG8ddOiP5SmEs
SjFLT7vdaIHMugTa80dX7gwobt3KzwS4QTu1M1K53TqqDTuwOd/oqlxKsTW0
05TjsiLOWEddC/Lo2mUhBnVzXyc1ZwqyOAUGXCwdB83HF+7b1aANys7dIjhJ
haYo6u9S+4CaaX9Zl2HMubv5mSDGpIhadGKxextq8l9XgWeV+FKsWP3vIL+Y
hevlKt/3W8SRYKN9kbWyaCFnKy7nnpLIiuJ1LIg4ct8nihg4v7cskjpZZMWq
e0SR/hXeRxJxywfJ4jTAgxq4xCicCKU+lUHc+84GpvwiQ2qAbX39M/wb5jvs
hW+XDa9F31bscUDp6sw+OPLQUjEH/3euH6HQbmAFiWD1TYtEmL116IPSBcS9
FnLJG08eA0fUhfieMMtRf3mnWzCMLdGEgt5t/VFNA4ikSgOuzSTb5ECj0lAZ
TC5TAyvC6tDlxdxkfli1U/cw+2767DKYUbT4Iqxh8Y1zLVY1tG9MxQZ1PGSO
oE86IUbCIXpkm1mx0+Y2R1rI+9YTvyfauF+lwxYWEZ3FLfulrFmWgB7cXmHz
5yi6bTSe33zo4DFUrDOpGebwkO6NyNAbmRHZHefZg9DudXYPwm91B8ElIX57
KHJrI7R6JUbr4rJ7bq8JjqI+7+HQf3fc1sv+hvtUaWAFK9uHytjh67p9Kreh
t1Oub3cHlpOqere/23CozNZF8bxPBQxgwd7KjEiEXenkMV63op/L37BBrr4m
JtvXw6EKNMJNBkgOAHVAx2JFA6IbSd06qnZQikZWb402vRjPfi5s3T7inNV/
W+aoEpFgCYKBT8C/ohfx+tHfjjfYQ1lH24bRNGBi4GsM+lBmrpqhcr5PXvFN
vAYrWZPC8I5zBei9SukrzPXh7cvDo+Mf3rx8cfxubRQfSv34h8yxfeccr9+8
Pl4jwb4usUZ4HZ67j7xViYl1DnPR8psLErk8uyjKSgP97wlhhJauucZeWKER
aBXMWNZp3JNcnFQWPBAiWmBs0rn6DQRdbLbwhNPdT5Y52rExhEez1qYssTNx
pTla4KcK0GmMkQEK52YB3RwiDzyDX08ke2sOK60kDwbDeP9EmTRvo2HUoEXE
HvcQMU7n2UrNfVcKy5+pLBOu96BT4lj2Yanx6s8diaKH0uJkCvoPIMX1XbQ4
vL0HkOS+m7ofZQ6vEciny9PUYj9b7ySlvIZ9sH7UgXMNVOnUfhzE65q5Z4PK
tilonDOptF87WeMlNxq5LR7yW8E8gCtv9lzeMhcMY4ss/PDIoj0XXGAy5s8C
VdbABV5RkzwZp/m6jxjZ0Pzd/aEpjOmlknxWuJitzuW2Vt69SbUrdiVIukB7
/LzhW3dlfHDoYAQB4fkM2jQ1damSpZCGaUwRe0nmOCNM/aEP5dw2lCzwU7dq
VTqVPqBL8qS7Ea18yZQDjUJKgTrkW8W+o9NYnrZTIHbhfmRh89ynWdceR5JG
hxMfRMQKuPC/RmWxgTwLeyIeuMgGphowugqr3CYb1R8N30IWJHxbqRAw21pr
kVOwjTV/USk9ivef0mkuue6gJv8vujUCUCtIy7UcJfmdoJV5SV5akhhnXsIj
Q39+rNLCDBp6AOBiuMYYKqbp5eYwya1Nc/jOdJE7dTgQmlSuOeYcd6yB54bu
LlVpZUV/8RzowkK/YEzrINWWybORFsSgcZADL5vCK8ghxwW0SqIlcZPTtG3k
rMNIXCLbSOnp8uy5RLeURuSgUw6BMu21QTRuqF4Ah1OQuFxqyuL+/g62mcd/
wWbFE62msJqpd4Xko6i/U62n7UED8a/691+nmrUKLXWkSUXu0d8D+wT2GoNW
W0zj9aRd4yV4tGxUITjfCEzpgU6lk76RgZBEuFRq7LGik7aS1V64yqzyra2V
7xFNJSKWDtDVsHD1WygIYpxqmlrkIpfoqtew5tWCqw4iWaIAQV5yll+E2LS6
YkNqTumWOJvRqmvLxHMfOFZncMCMDWlFpajR95/SvDCsU+Az7IyQAPk6XZUT
qe/UjVUI4wKoshZNoT3Y8oqZb2akvecyd04CllqBGkE01eKYSRh5gVdSLyWO
U/txMaFgRU7q3Ri0giPcemEs2SwKexMkEeJk5IN69vvLCbrDO/3hzfuXL3in
crlByEX7IsROHYY0h1kgL8trCcNAY4h9PRIR75JdCDC0jDOB8levbpXmtiZg
MdUccF4OP0KNxgD7qlUUH9wKFvy8ZcTClVGyAs8yACCTz7gLJ1IAudFrRGfQ
mWwdGZ5lnVy0kDIri7J51hBjQMS07LwxQMo5FnPTHGzt20qxgNiEQWfZwvuw
CGZqXGBSAMYs5xOsAo7FUyB2FSOuXr6UlLt9+lXPQq8iSNSOC9ndaqT8O3nj
eaWO8ysTBco6Oy1w0RqfFFHPoAW/rw7/DS06GK1Dj99uVRXMNvIb+MOqAjjk
PhSrJp4Pgf+o3ESv6HiHiKhnerfI9+dAYxsmnXpg1aiB69ISO7furp8QQ98v
33blvWmm4t4KyhvKd49DakappjsCUyiq9BTmEaqpWna4qRahGgUZiK0HgIZO
OqAOxKpVD9+kQDa2SbYFuFzEzNVLduFpuIRW4SRXGSush3V+6/XdeS49jioP
Paqw2Fa3hlW43l95bsQmytPWPMweBxCr53HOvTeiWl7GNlQJajXzl1CjoZSQ
avfo4fwewvL15rAmz77+7Nb/n2T5+AQZh97C7iGGDm7tnrxdz538B7N1bqgH
M3X/U3kxc3D/q7BhmF7nfyH+6/7sV235LwfECNK06odzXYFtBavIuQwKo63R
3miHY+1fnBwdj/jyN/5/Tu134NQ8tv+fw6vF/8HM2gpeLfmovFqXRoZsWpsh
aKtMuI5D0sEqQoIVY2OjaYkWL37ezLtYcsxfOZ+KtKRcXULIaGR0rV54YD9C
82ONgUmmEq/XH2YNpwOHdWKi7dA7w0fGTmQUXj7Qc9Z5XmYLJXBeC01Z7318
gawTT9wCGf+sUcptMKKIrRfc05mnOIWTy7Lh9sCZRohG3EwwGQUdRx2vvzj8
fkNXQi7zlMMUV81bwwSHsSbgndwYd0y/Gw4TwGfqyANpgWVxr/yQq9kn2auf
ni5w5QjrL16dbWCw30e8W71nU0+9pGuTjKz2xhg9uPLPzkFQSnV1RvJZirnP
//gv/7VWT8GcMigmLt63M5llnHloAYWVG0vwUOvAtG9t9gMfQYzVGshZnhQ7
ZFUOyqW6FP2mSoaB0VbsWkyGd1/gBD+3jy2r3fJg3kWZlxe9D8qMyhKMd4gC
WoyXxmkb0RWkaOkqtRZAjtEXOsyG3ucELmManrD0sJwr3OnQlebeYPVIQFl9
5RbYRDa5UUtA3b0Xpskrr8tUOBCf7sKSPO+iZU/eUTpRpttvNi7ScNEjDFU0
hYrknTD+grdA/A5jPsliqxEJIFpQjGbAjgqhI9T7qNbLvPG8rUWKIoZLjVrl
L3ZGnBqKfKLRCQdYi4HYzJz3P2XtH+bpVZq75WnywYuLCuNQU1cB/jK7uGy1
lhQBgh5llS4oSnBZD8r0aKSXPEsrLBJpcCwmcuN+TJfttz7D9HTuFBWrwCOk
gdLMoFgNvyFhv0qKGllYdyIc9VwxOQkCcOUuEItSN4M+sWQw6sPVWMIOOT2V
g/A77MEV44E1I65/4XH9amxNZGHoyQIh61X9189edHE13TjwgghDjzmNbvpY
YQTtGR3K04QvjkvVOyRJqVuRkxQ+tNuf5FbMLNtcoziJFesw2bLzPaJZYaku
p72qY7x30npLpnZwdL4hM1GeeSkeSB5CfvhOb9l1DZ1nLA8uMCmIT999qEY7
OCNYWCe+P4gRa+1XurncuOTI45aSOI4I/Q6QmyYLfldvZhVCtj+wBpTNhLKD
hGOL/UGuEtHvWfsq5pQiX5PYBmmJsQhBwSF4nNxKUiyj35jF8XJ4QSyOURaI
zVAyaHBkBNMi6ngNrP3lDZ7wBLOJUhLdVcswC3Dn3J44a+z9E6QNVq7GVXXu
W5Ex7UIbgIpLKqNss4fa109EZwijDsWXGZ8/O6GhmdVVOXPlN62zHedj9nOf
umIynlQCF0E1VatWhWZTYJmng41wVjzJrZXkmHbRj4+JLOsgb4g7Tf+dmUg+
YKUXDtu7QxxzPOOq/ibsQ5CNvBtd1ZRT1GrdnEEXV/jMM1STIk31rlrk+dCo
rN6pX/ksOCp8iFSWNMFk7+TALevwVSfty6p6AELq6CSEtFIWiX2JbfFT6Twy
uhaCxXbiOmrK2WgE3aBfDiOK9TenCkE8GNUq9yuiVO3GXv/mVAs0Ubb6ztGG
TXzSdEfW3TjwHHMid1yWxa4TVXLZ4pLiY8VqddsSHQ5lFNjpDCzPeMlaLkzA
rzqD8DcRCSR4dtWyO2PjjQmuJkcHyjrpCdsJF/8cEKUxj4ifPKsYlYQZ+sKO
sTnGJN8ITqGcMMorqMeOPA2Uo1Ew69AEQTCriKu+m/WAtLUU7SLnyDkYZHSH
QPdFanORU5bQPiuNqVTlCaMIWF56MlombdT/5INxV8RlKY/gESsaHsyZS40b
rUXj8lAHHci44FZsedE2k/QwVlSHZF70Dla0mSoruooJCzlRTFGlocXI8Swl
Q1V475RSzH0x7AqhZPKYGrv3oBKJy4wA44rcl7Hr4zj1PGkfVyAqCU54RJy9
dxoMHwPN//rNWSsFVgtwkGiJ/O1eL0v8TZVyxnemjksHj0op8J4RvXBS2CRe
q7CwgBKnNYnL7bwi4ajOWqPWqsoljiBpJeS0qlS+zlHk06Gj+hJRPeEU9g0M
hddMyumRDYGOAQPIJ6I4Vbgph7pD5MOlqkjnBnxqf2GWsxnls+kkWpUHmJIX
5aE7PTGc1NSp3zKlytRaNGSrs9OA3IAu/iqRdkqwDvQnpz13lAkhIqPqGL84
MkAweTzwFgkKKj1G41uVcmAquduSC2+3WK1Le6UFCoaubh+mbMVSwaPgLLhc
oSmW7juQ2ytbqhZILKUcIvdgHz5KPkFYqqyyC3Hhc4n07FtohSn6BWR1wOzh
82T3UHkSRUtAaRsM/Ry9oPJ7Sa4OSz5McG2mKrhykonhUXn648mL+KVol24L
vaEKpPj8pY+QCQLIdGXaosAmZkURHqWOVmVZoky0DwlEjoQQ2kkk4SPmXzfZ
3hGwXRSVrMPFI0e3xiOryZfM/Jp8QmQ3dwIb0T1T8ty7tC7/9y6jidhJOCCB
6ujCxgEUe+MDJrmPD1gNCSEBxKB3Lu4l0UUMKKn9TYIHME+qZDSZlpMloSZj
ewjKMkv6E9TuYxJ9OI0vX2KbrC7V6u2c56bx4TCkWYUP5A5fx1Quj6rRuCJk
8mmtY01w+nfXVGJkXEVsuGfagbyYV8lCt09e2fi36asx/MFp6GiIrPg0MF7D
GR4wgAG3PfdDST9VRybSTYu2NOpvTSBlTlmMI3rC3YHdUUhGbDqMah6fr3/9
9evDV8e+btvGuUhHa/j7mmr5qcS5Ft9J2NLx6OuvHzEpmbGfdGsfQNaVOg5a
i3Ha48SkxJEAJFcSA+ZkywlynpqrYpoO+SvVZxhFP6Z5PuSr911rtZQTI8Pp
VyqjqxV4R4DjxwVNEDm+LouhpvrzqV05MwW5SLAz6Mnh60PhINCzQjmui7wc
42bVCzppEipiEQAO/UpMaXjnPu6Cr4VuxRgUV9wLjcT15+lG7IV0Z0E38PQ6
nrbXgCAsDBexp/xmRTEBnFGeSfoMoFAkKepwAXzWUjMVyJ7Tt+nzl8JHxGdM
l3gbzujm14AHRxmNHBFqcqE6BXn3nwEuf4l86jrnPWrnYZWIGq74Kqg3sn4q
CVemSq0jOdZAHXn1jdg3TLV7VQThnAoNBL7Ik/+I9Lf7RRIxIvHxuneemxWx
vE8RPrl2l2H1XZkQLFgq6xTKQ/26YyYNUGx6ayMMP0V2Eifvm1SEtOQqyXLK
kCrSsB6BJjigJFLao0r/zgXTGJX6Qqi8d903vzjOHoXoL7+RWhJAtkRdwiVz
tDxp4e/nzXVBJiBva3rLd4E36cw6MKGVBRxHT7EkMwCleFrR9FJWSBJeaTws
8IXLyqEyVQmpQ3C4FomtFYggPOTCMWTDtP2Br6NL2+dXgdET2ZWevI4s2Wn1
VrI5sIAZVTAQ6zGX3OASqCQ0hZWKfPFpp8oq/LJlzpqXIPyv2pbaqTuValW1
jRbHOmEnBaNKmoIig5dUq6mK1x1Xb5wHPWLNnJ21BkaI1wm0Hh+koBMxvWrw
BYGXfZiJhXxgAedZ03jfGHeK/BiUAHJ2X8z7VFbuxiUtXGPPzJnZOq6PvC55
yI3xZhKCIklJ2YPwNgClqYCJJIyJrl1uTo8lWqK9tXl7nxzkuE6VWZBYXCTr
YcEjZTAxCgdx5LDJsarZuaPSxkEEbmYOohdZoE0kV+1rEjtPT8w7ruWm1H6p
SIfZKA2bI3WdyJDqr0fqB77ahEVfxghUT7sVD2wWLYnE/7DOrCsbW9VRx/4m
zC411Ahf75LTbsnJoqFxPqQF0qBc3lf/pgG/PLxgbc+hu2IXbg1B4drD8Jvz
tdbEsyy1wHpVZtEizQX76tk7xxPmIjEdiU/kN5rJVKqRmFdb1/aNEZk6S6vP
nTELFieldjhFIcKWSoP4VplnF6cfQ2EHnL4K45i9XlDMmNa1bMjC5NTulMsF
BSsfp8jBYtWfPPvIiASpPVv4MUYuq+de7A9IkPOUkMTpwpSgqwStzjMKxHEK
Rqo9OkL3PrMUvAYkIPJmFAHgWO34O5/xKnG1MUndQFR7FBO9D2m9mQlG7BJ8
Kl/sy7m7D3LXHtaDOsKnzlJLei9pQjr5cqpgfTtcYaygdmSNgmafaFVsowKL
rlRbx5mLZTBBzPUlJTkBUkkIfcBANhAow+UgOkT+/Bi9+WQS592nUevuh3NO
DopJE5DPNU4nPlEmKbQRP0hOZcz1KV71kepmWW/bSJSphpebUkrSkKV5wWre
6fDVt4DT1l9txCMKMv8M2Ak5M8A8+J8vVDvj31m25oCN4PBcbCTtzSIM9s+z
OzQOaWijqi7gJfzifDZRaUY57ABmI+aKuAgkm3vm0HgGfDtQfinwjDUjm0wZ
R35GJIxdl+3QfqwCWuZpy0lYQ+q4PKRoFLGdnDztJnPGCER4dlLaEyUZRY0l
TYNBKioqDOty8jFtzDxMGunXQH3grx0FZ8FgSdPAWS25NFmYTa61ru6quDQB
J4rTC/lT+wAGcXup3zriJt1QaHNOqOY3O4yUYQfplMwdTOKWVUbj4JxKx5Ds
tddALqiPOwsBMhetmo+K6mCZjwcTQgOcI4kwcjME9O/MKBMkSIktuiRjBIDq
8GVZrNcbLf90ctUqcwqdOV+1n/PQLQF2hs3fsFbaslHsKGKUK6uHDGN1sqRI
mNgqleXLCkjsYfz+3Ulv3sLgnbLy+rrwSXwbLmoiA5emUvQ2DcuvhK+O1T/i
aWoemhkL4yPwOVGFPCatbGCvlcGfsvHGvfBYBqA60u2LdgiohTEEANpvFRds
X6kLRp5OKSuS5XC8kkw5/xaEHbNlnp4pMtn3XZtzbCBvkqyIXJ2cKpsrwv3C
hrx1y0q5T0yJ/qaUM0DYjixSbWTLXJ63lRR0oqRQuUJDOMfuu1I14qofXSdV
xWmqSEZpOPE2WhlIE22PzLusonuFT2LK1SlUQe54IEX5Gyo6hcsdUB2XOJWC
JYwJZbFS1byUzFXpopxcUm2saYRuQU9oawmVUwi8H3dH21w9cVxW9FocwbRT
C55EvAdy9pA1JE4IgKEJ+eGnBKT9SrEifREO/jEyAto1wD5kF6cs0UX7sKfu
SNpsEUw4Ti8y1N7JyDRz8MR/7cB4wARQ79+jQtIC03JJNpf38kxIkqLChVoQ
ip4qUPykuqHuo+iWapE0WnDo+Etf3detfa2TYlt8tT/aebrufnFVv+L3x52F
p3cv/H2RYaYvykpEuAkG4WiXdRxwY9VeRtujLdoPCJ2t7aT921l/Ohrt7LiS
ZrYZlUzbXHc/+U29ae+pvHtLeOF/1dKe+Nvnz/862n+++eWLOA8n47rMUTTi
txgZl3mtH4xK7nBbZWtXuo8y2MbW1tZ62dnFC67lGGzEVAKjeA9u0kJOrjx7
QqU9Sbp3DkKuGJujYtgmTvILVKhczgmx99ZyNyWVXTlKYV7771pvejif4Km4
EuBUwrUmE7IST+Hwf0V5SFuQDO1qmF3TFMOLf5YaZUFWHK2pOhYDJ5uxvNYo
PBJylG2Vamvxp2Klb9cF0wQzbqIxVTFjZnzldOTddSmpf7JisWwkIX/K+cwL
ewe6IBJ1xN9CbKfnMOS5Sx2FDs9ct/6v9L7IthFKe6YgI9emKhfJP7BWPLrh
oa55iNkSAGzM2xlFJyG3jpFKbmckqHzCtKeJlFBCYk6JL/OkJi8DcqsN6nCR
n17HNfePjDF9/Xh7oaS4XVXmHZdYGxdHqm0f8qKyTl+OKSNJivgMFmOlIVUr
qDTXkzGfjNiWoOn1kzA6hyITPHuMts8J6lmVt3Ohj5RLiO+P/DuD7Oa8RmUm
et6MvUGtjrW5Tn8qXrHRyaoxYSjwNQkkAL9yRdpVBlw2OddnRwMmqnIydNkl
TLPmTgM1JmW1ZpfutKst1coUdzsBLimTvIZyyu8Oz0798tZNAefRbicIg1kg
PmLkraYq2PiVi+8tBodF1vmA4zIH9rch07GzJXnyHx+dbQyiQ5eCP/LKY3HG
OQVeeP3w6BSaYeW7tnI5clUQHL4Vg2OrAj3ewEVeYkUW0ct8ZTTVLyXy6C17
R/OFucMcstP0F0k3lie+XEDfgVOtSqpUyN4rdUolOGINb+LRUA54TPPFW48f
H8QniIiYc05ciPeZesKIB3/0QtNYYeTzJanw0SbgrVVoDEwXFAb0CuvPXKSu
eKKo02dGFV0WQoqy4qrM0TRCHqOMPi+yBjNzkXlChQ0fqZxVvqIlq9I1bRId
Dj01Ebi4NAHahQAGJbS8oPrFs6wSKzaOJw5NE2dzmywrQnPGynMysyH0Mwzp
HAgDjufX3b6UDoVXgBXWW/0pZjmdyhD9na03EqlOMXAM5bc+d6SOuxLQU01r
tsKFSYweZC1gMieGwgIJNIfdsg7Y+XasoRe9+M0la5ryO5loJAaasMkBAu+6
9l74Hc2rVIMXONxGOHS45JADAG6BvHaliiBYOzFBpEb9Ro7F/enfBv9Pe+++
3saR5In+j6eoZftrETYAkuBNYrfsQ1OUrbF1GZHdvT1urVkAimSNcGsUQIqW
ON++xj7BeY/zKOdJTsYtMzIrqwBScrvntLQ7baIqK6+RkRGREb9wTirsfiwz
V4cpiPvexgceKrx4GdY2DKuUvePIIkPLZls+4PCKUPWrIleMpHkQkzsOqqKa
eIpAlxlQT51Fdqicy9DXjVtvAUl7SQGDllp11RLUfzzFyNrKq4U/wnD8qqQv
aiF3kD6DRBArkGnwBXKKQl8rhRCr3krEM/25ONeZ54ZcA26t7hpliqxVwqsu
nLXKiY3BjPs7QIXg0NkGU/gt+VXQRQ/bxMuRJy196QMXEZig4WKiGYqLJqo4
DDuNIFTkMkDHEGwUC+LZv2mpg8WP4bcWAoprkHnhKAeojhAYkH2uMtvkWnL3
+ZYh+POtHLrU1KVoO1ziuCE6CewRjwRxF+czPNvhRm3sfvoJliyGfRGnPmIq
2DBMFNgVJb9e9fzcZU5KO1pNEjqMQMKsMU0PivqLeX9Cpm5HOHIRyFegtiMO
fx5PUdD98Izxg8iIEU9zOam9sdD2pePZtA3Sgj5GOd8dtcP8MlKMghhw2mR8
9m7WzHOK3mP2QI95MleJDsUip5TMjDReLEYUAo8eMt5AWWirFEIKNXK9pU0P
SawJYq8fxsX+V3Cvh4Kb4K0zioYZTRCjX+YJOYTG3kxkPc2yZFZtEMc3nPMb
plH0cjQ1U/TZxGV+GqNWeJVn17WMBpfPV5Ji3t5ky7ZFbm/VViNzjeGl50xn
52k/sxG+fAg5Gi2PWSFkzNm7agGUgRsITQS2k69sJ8VI4PeLdUPrI2jUefMH
H1CWufgSIqeeJPsAJZBEmFwd2zsmbeJK8WGrarY8rS6xVi+dr9TxNbgiGA7B
XRElFLlowB0AyvM8x+BIraiqhaMZs/Rk16ekdd12SngLZG7L0JLje1IXLVbd
Xx8fvXz+/PjFk+MnVqOn67qCBmntQeyQ+n1+cdn+EbEC/mxIjdP2eooyAf/W
AZF5YFOcm6Ge76cij5AZhPGQimgkqClLHKnTeP/+PL+whoS2qBaGmmNLEm6L
cwSOkji/axCzgqGiDQZwtegMBwtImhZXFwj5s8K/Tjv+r7NqBR/gf0pCu3l+
pwrCPC93qeCB6vZX6u8Hq1bg9eYuH3Uira48cfC5/pA/X70H8c+/Wn3cMPNE
cWC4g8vp5C6fu3l3/bjHnFeNt4oyzb8PqxHrh2Cv+O9W68aHmp5409+preND
6TDhf1elkjV1BP+CfnXuUccHbcj6fSIF7ljHMzGYAFRN5351+Ba0+9RhCZLX
5YEr2SivYSdeh6o/aK1Bz+yBYDtRWUdsbYM+Yi9LdcQJrhPOx4eg9vIATlgg
PgSBWPV45To6irLk71IdV/V1IH3YBaW/XR0RIo7WYUgL+tPp2L9tHTEijtTx
QFGF/K3qKBNxqQ510qi9/8DVUSbiu9KYtPGVq5zrcBPVUV/V8Y/y2n7Qiwj/
IpUGe06frvDva5j446NT879f8e/yiJbt2w96AegpKNR3rCNBclA8izK5/P4u
dfjzAf0gM9Vd6pD5+PBHXLlPMB9q1h8kK9chk1hJcEvreGBJ70G01Cp1yJ91
/2rrCLdA/B9ujEq+Lv+uoo14DRJfd8K/G0iZDWtGqBukOpTakNjNUTLs4Rvz
QisONNSvqRp9wkhXwl0oC/TB6hxuWktlH9Svx4NS4QqJrNyJ6tVpmDp+zC6y
8eBg6RLYCe24v0mkA3p+nETvGvUSilhFs4WxiTQG2JePk9KtZsHXmuHAHri/
SZCFwwoOm8f+6eBMODYmOarlGe0MkGnets3xdDF+vNaHcMTZmotaViIhHNNP
jda7ZtNC+qogwb4UZVWrpDqxCo/WWoxsC/TuFNDH4S7SqciJxWdBiBkMZp0p
hD6sA91OzKjZ9GXOOAEFlVPP4TZT7r/AqsNp1LlNggEAq8G3DtbJ2R3IlcJI
L3RxGrsuHQE0QS9LerPJWwiYwzspMxtmfS7Tqes9J2GruNYjg1Tlnd/kfIUp
x6Dr+cRGDnqGyOksn1DYph0coVRQ6xYYaF7dDQTltJmAXRSARbvInPn30Ck8
MIfoCmPdcYoc/kzHGSDgMfh4ESYrsxCa7G5jLbMUSKgKsrnZtUiOG2z8UrmL
8SKHUZ9L7sMIi9Ln6iRmtPYSFt00xRRf67RA/QM+kEtWzRmbvty1p0ynS9WO
bqNiQh+rTGjKYs/erm5V2Wkj2Llxg6fzMwPwkoJT7bmIH01AcAto6ob/oKmK
7ynI04MDVm2/2rarswUGM18AfBJdF5hpKNQVo7XX2XRjDhq8ZW85zOM1xpjL
BuTNUrotlbyklKnuJdrLZB1xYJLyUA/LweTZa7mW9fwt3d8h38KbLbPRJoOK
yW6RA/65u53X1yKenRd3Bxr/e2RMBoq6IiNs/Cr+kuJIhceV7IUq6xleU0cs
g9QBzgVgyC3tv+UZMR8wno0OvLeRk0XgguTbwn16dkCZUXIk0E/YEox90Z/z
mVO1kxhRZqZ2pUWVddFW0IyL+3w214zKWrXT5Dyj2GWIwV3DVtaawX0BhNMr
PKB0OBlfYJJIB73DNzjEL4CuIVYFTgg+etSlcXDH36JbH4t4ZH0SkZopKtDh
Wbt7Jtw87FiI7MHiFaTiW3hqnU7DWP45g7GUeB/WH3UztTHajM8AoVZYwsy+
YDUAJAeuE/Sl+APYzjFMpPDi44gRIII6wwGQlz75v0IslKpE7sTQ67KD3o9A
KutkyAZauW1av1EXQKYy5lIf2aOV820et00lZ4Ylc14ZYM0HEb5babMPz1y3
mLG7CQHBx+7+AXvwnHtQhuyt6sughNpb2ybDJqkmT7nJEjRbVYslXLE7NvgD
Nwhg/FVt2KRKIYsCtKuKliArADajfSxZtoYmkw3WGJ57v069X9g5T16GM59F
YSg48IB6/mLh12tkIsq96hEcQWUWJDVCtQE9UowmcRsXP9dPp8CU7IlxZr5k
d+Az9sx1O4Bf0N2rng9+AcGSGPuxJBvENy7XxSoJIdjB9iD5gv/yYuya4dRK
Z9QM8xM37mgerWc+6qNGZmOMAblVJbCqc8fiBkyxeKUJKM1uu8t9HzqgEoyU
5vGGRl3AieTqxUh7dK0GoZp3blAXY8lX1kXI8YIiSeAmQ4rvwlp5r+gqK+tC
QDjdp+FQwCX83BCzTIOqkZYUuHy3Yj7fhZcoa35TXg3evA7sga645wuED4QD
yMufIiAmIgA7nL8CfBjygrLJzwD1EEX7wJdUZGw+pp4i8o2MI9Xl+AD3MxF4
0CnUc5uDlQQGdU7jOAizC49iN+/Qe0gqJEc1zp0TDkOoQZwcDlqaa6/rSLUI
4wJIKwMRWTTSL3s4Qv4YAfsDscpV4SZ7nTxlPVCXmRnsGObKCji4TnJ8WnCe
AeKe09qIC5YQo23hQZG8+uHZ/9TZPcUnuKBIuAF40t+47c3OqWaYRFbMNs4o
fNXCcZEX07l1aHc4t8h5zWw4hos38pbYqG3kl1K3at0TDAVXgWUtdNohgMNh
dNFNveGqq9GqxHHR0Rq9ZjyxI2Q5tOUzffSvJFwWh2uA0hO5iOYFxPosbAQq
xquwdAQSpoc2YmMs+cM2fmgh9n+nOaGI3UpGITFLFVlniamphej7i0neOdWm
kxvCE92ZRecVd8mlKJIniD9CaYlGcOocmP8SYK3puy4kYY/yDAK+a5MTQfQg
P6V89gcVqeChJW7UtPJ7OGFVpAYWO0g2KRjRWmYOki14wtN1kHTDc9ITQtwC
rJXAHnyFywoV6E1mU3KQ6IArx+HDakbLzJyd5+xx5/aHBWGKwKO6zEMhCLqI
iygWOeMbZUw4U8t0hgBA3hPMKIe52PNRPkzJYFVOft5yqsuZW2NOLOgv5FnA
DiUEmjKrUyZCs25nLQwJAr0W0L/pEJsW2WIwEbzU9+/BXNIejQDPFjJdBKsx
96/dkJGUeg7+DaYL3qDXMU2BWSei6vIKIbWhEbUUceCDtKpjOFlf4m+k3IpE
gnTjbTz904ujZDT6eT75ORutj0b+fjC9bibtr72NSSnBslFy8Fg/Pzh4cfyX
9WaDLNlPTZ0dTBlmrfvZqOOW0OwpLtBoBC9pObmAWTEq8Pr49E+vX5hysDG5
0wX1ujDdZvzqoO/JG+x9ibXYMRQwiNJrbyhPX74+Pjz63jSXPHsBjeoRwedq
8prqVXFwcPjq1fGLJ+vZqBmMoeCga+ALHq05eG0mMbP+LtzueToFskI7s3AP
eoaS9ZekV78Avbrz5ZdigoJgZzlQPdm7pfK3qs3VYhPklLIrEmvAPV7acRTQ
7oNdKjncWhtUcKy1wNqNiiCX/IUyZEDs73yCdwo61GAl40VguCDk6vGNMjy0
IsaLjzJcfPnl88zwzuQ1VAKzj9bO64k+ZxWQKAaZBqshbKGlRXLiXFbeIfdh
ZMc+txeXbtMHkO/MYAeGO6Dc5nJbTGeLMaERXgesyYt7sF8iOihjuUE/kBkj
UM/fF7lZ0mw89+JBOe7W4qb3XI/ITRxREM7PhfviBDkDP106pSq8Bbmeyovh
wtWKDPA25pkgh0bzwDnxR1kv4gnfSAx6XicGVVlorCewztWC8n1gNsXkeF7K
Pvtp6hB6x3wMoaXbtcWYyUoJ9cjHJag8o4/OsCILMTaaGknRE7m1lPa8Skrz
MlUFNgUjot164s1AizfRKf4YQee5EnT4XaWME3zLKwfo+s7oEpvFjiIOziPq
2TblgPbW0CLGcI0uHaSNETJ0hFsfN5DLMBcQTGh2ILHHS6hs1YkY6/UsvAHP
pdFAnxiERExPMpXKTlPHzlz/lnGzlXiYa/0O3Iv3e8zQydud0N5lt7uCrtw6
20sr9nqFbfRX3OrcImc7WXmzu1wUldudakaziN7zp1V73k8JsmzTz/Wmjy3J
x+z5U7Xn7UgrFRttFMN56GUQSsTgTJRmQ88GqwiVjIBG86vygViaL+YE1Po/
jhE4SlqNE9j+fRJGoFq/Oydgqypvfrk/gCWUN+t8W1Gx3WuvKfSm+aHanAHN
rmJ/+OZOeZnl6YH9CxQg+VtMEy5PNBklLBwpPtkKzBBv9ZblGfqYXfqD2qU0
C/4e1RwPZOcphE+xYuGTtd1CaPv2M4NH/Dk60mKtwQPrCm9Dg+0EyGWiDQ1v
mnYctgVW2I9zVAbO3ISfgYJ9pifc0PxA54xXluayFm/IUS7SxNTdiehyTMoh
L9KpO6LDLHEOzyGLJkkAWmzoNxO9f2ERqclNDIU/Wm2SJ09feX0yNqUIQmqP
cqkXE+Ii4pgy0zZUSqzEYxMfhQqnO+YqeQmXxW0QCaiyDgMYCVKFuaFN/ioI
LuLIkxeV15EQR6ndkvrUGEzfmj2VLAYENLGYjX1vJmDdQXSyfIneOeLgwfiG
a9bpZw1ZKt17eMei81sy7B7uLxRSE+IgIJZSnmm3oBY5XHDSqXGyJhHaqhUw
wk+nlNFEoQZwqky3rLaHEt/csRe77vKAryXt8FpJAfHGdtIYixyU0qQYQvo/
o6ha3yPbxIb00xz3c1gjd2FgxI4UMI7nEMWaEccYTDwE/FT1leEFrZGOr5ts
umjONj2ZXkIGnj7FFJdmWvBboRUvF3YxGYKqfWXKRFo9kgeIKucs+SeYErbZ
afyxP8vOv278dPryycs3Ddpl/8//DYhysOfhr26HIYKHkugHUixzgmUjh477
lMOJ8zYMsuEV3VDyUpIHgCHFP25QW3KJIRdpsgGtMyefVau4LzrwtDQ7s4us
j/RUAMzSrA3uY+bgbcifdNDLSjsUlLY8Qi8DXyBOMzlatSBhO/SauyAH7plU
xQDFlFLunASrKGrI+hl374xszDppKaRjkbDsOYZMY+IKBF23zYzLE+JS4Nkj
2NK3nk5xUALnuL4iHeA+rpR17WUfZRDVyJ8hzci1IykuKeTW3gwOcLsjYx5T
38i9T10lxSYfvB/e+1mdYs4Py++a7uAcIZdS3RUcJW6bSYeZ/HHJJSX1LoRe
hRMhA5ZUiuLXpJGYMU0D38VapzQrYlvbWMmp2O4ps+PMwbt8R5VqcDtrduUI
iRPukL14dkV0qiy+Bd/0uMs0L0eXl9lydsU7k+uBnSl/0s60JKiQfNrYv7Zz
UYVZ15s4LFmzl00PeHFKwy/tY28WvK3suqLOjHwmV2emhEVzZqdOPOcIMdK6
zeotHPgxrNnZXCO+QR6yhe+PQH6LpUcsk7QpeZsWHF//+ZVyORDAOMs+LN8C
erUGCTZio/ANF2DhrekZCXu6QduLMuIKTjs8UTn5ZleGf8D+sBjGMPUiWQTA
O8x3DNmQk9J4UMF81HU4SYelFbfzr2m0luw+GXO6g+9WLcNR01DJdUrjXrdj
wnsmb0LNit17PoWA6qbzHqx+FceCezD7zY9l9m7G7jD1Mn6c+cPCCrJOrrZI
W3jzpjZ2Cw1Mw/QG4HvgK1RRwecHN1g659u6s+i5ytsUr8jkhqavrr0EYlWg
7PVdVMTmI1xBm5a+zyQ9uy5OWmBe2C4KJzJjvKQ8I6w7OFf9kPfYOsrcx6vm
TARKM9qnhHo0sjnj/TEhDjznmcop/QNHMRAqOodnOAC9ltfSNZu6xBAQAAha
WbguakgS2udzSQCS9qCE8/oJEM2c3DwerHTGhxW4Iz67EqeLq8Idc4W+16Mk
2iK5+oBpsYAWm9xl4IGskeOTzFcUtaojyT30iSsOs1eIRC9BK5PSmNaP/9zk
DClxzWf96LipXPIta8pEGsmcNJJVSSNQTlUaHAtvPHkkLOvxvNDcnlmJJBxY
SSDxpocVcFGBRQt0Wga5mQXhOhJWY09oSQHgtHdPVSif5PlcqyR2G/idywsR
/I//zFPPYGAlBwXejGMM0PDHwin6gDX+AWQDwFdtKchebOPoWK0tT1MRI6Mi
oKN6RRmo5qTJSWADsiks3RSKcApNOQVWQqRAf0tJs5j6AaWw/XUI7U1AaEUV
pfGQIwRX3I3imNCsieHbozecrg/RKIcUhYaOs2O/GjqdNNoY+ICMH8zN9IEb
zYT5M9oXIFyJ/LWcjWE14s5K+N+0GCTaa3mdOuQS99hK54TgqmFA9Q6be19Z
a46Hz1ezvcQU5gDysHsqNgySJSxrCbZNYYoXoKu39Nd4nmUDm1FkDFDYeg5w
cqyYbfjhaiI2bHWPquLSdTVlfzpZ8FPJ1jz2am0+2EXKdzbcWejYVyF4m2bM
Kt5nhu3iV82wLfBPqbvQwD/l9Nrx+tO7kk5Tnt6YOlPJbX9Dq9XWxyoyNEWf
ciE8Lcde6SoBFm6klouvpBHgtQ40+sRI92bs9m6Xz30l1UK15bP/rTn5W2TH
6t2wJQtvtGKmLDbvo83S3gkGNq2EjZr2krDa5IWXeCQuSJMgLti/S4KmGWyN
qQve1pi33qpLYP88963+J3z5W0TvP+geiVLPcKQuOFeUDfollzC1wuygN8pG
y9e57FqmUqSMygs6GEVWlBussk+6/nAbNYs2GPGSqToTX5oajKr94vS8uzpV
VaVFpzpq1p0L1Cz9YER1+716Zh45XuicJmtOdecQhru/PDynv+k5iw1BuOIS
p8M7cb07cLrnJU4XTEAlyysPOji6bRIe3+HNaiWiH7dQFCtdtXvqf50zEPoa
YbpNBXVMsZhOuiotbuWBt3Rtre4eWdp7nHefcF2Xu66uuPB1R11k3SNHWeAU
l2vLDDkqDrLpcq5X8q1zTG8+KDO9+SDC9OaDSoZne8LV1/C7+YD5HVcX8Lr5
oNIdMMrqpJYSm8PP2+7zGoZXKlrD+qS9qk76THA+WMIAJfAeCKJUV5z51Q/s
t9gsS30+3W45Le0WNUWVW6U0MwGH/HYi3krKExANjh6nizHNTrBUleysdqWi
rKyWrP67rlMdRysvk8fQFHaWz3TywrdJaChQTgMVelRfzNIpZvxyflTi34mZ
G6gyzs2lsm+l7F0Nfkn9m/4w71NVZLBM4BFl98nmWKoV6a6OUKnpN1lVcnX1
JynDzHfDycWFFyYMwOjoslMY9mJz8Z4hmf5sqvqZcY3OFBxTgFlGwWDwQdt8
0OYPILA3ArqvYIPqwcTRoclI8AOy9BCIPuCJR0GD0NAFYzbtoRt0aeUqV105
ZfG+de6VYG3jvV1A6Ng7tKCVwlyIKpz3EsMKVcv1nsmaHPnMn3SaQn+4bNpH
g27ZxQYnUzn+q5ulMMsNoZVwED30DMA/ANoswCGYLGZwVRYGZtrcNZ5OPCua
KsETD9cBGzleROiEaMNFc63nSNK3xlpTzLkWqVs4HbiOwgDUouLtwNKKWFPU
ffQcZEgUP/sFWj9mHKJFzvajdJBR18ElEL+PpA3puEVBx0YBk6tIjoSJBAqy
n04n08XQebUug8iTKq7QLy5L1sgYTOnIcEutqT3IWS9AIotsvaZLplCHcvWS
cA1LoGPsCDWYpTrxYQlHzN0bArLf1N2OeRhieVEDHSb5457x/r1ObxysWoAQ
FbT/QDIIuPQWvFiUKIJvYY99QDe5cEEgMYjFhKtITpmH7qRFVfOGnf7nYmwz
3COwiWAPDQacegjojEzvzF2QZSBzBoO3JOke4CTjzINbMUUXUv4EcC9BT0OI
Yr9hx6RhkQmf0MyehustHnOOIi0xjvml9heNxp3r293IZSI3jUjZdKfzTTK7
apHJ2v63aEkMAP81GPF/B63guqZIhQHoUYnnmOss7Fy5VcPkmWS+YuAWzdmF
I8bA9OgwKChxs1TBV9u4TETAlvwd0h/owW5qGHxuhSSHyTonRWyy8oTk3t4K
nbI5PUxRk5SGKxLf6GvKnzHE/YkHK7ivJuS+WpN/pCUurzArJQ/wKudvUxiY
YQ0nsanKMscj+TKGEpfJqRPLS+igL+2ZciAoc+lFoXkdpmg3pP0H8/7kL0EB
87a4tq9Pf4x8PR/iWxJn8dg2kphKoujB2KznYzBLIFBkep1MFz2Q2wgEDMIy
Nc4Ms37gRIZEIJghOTrUBSh6qzCN8z1+HyyTJLoejo2sPDNbezLDW9nJ6UnT
DmqethE3Fa929RyJHwMlmeZ8OZBaV5LVpHM77bARnAe7YsAuRWKYzgbPRYqs
YcCJWT6CDOQXE/CdZaAbLIxHni/2AnscZ0AfKd5Duj0BTMmm+AySOnqpHF8S
LqpHTTnhQw4zSAs4nti0Xxo+FQOyAVNqbCaC7iIjuSLx/t7UDvBOwluJrk/k
hoXYkM5Hal4XRFXBSjQYwgdeiUJgM3WyeHlDIWdmAwIcKQI0yQu5zwwjYQBP
QFKR2lyjLCD9gm7yJPaoqhxk6Cy7mry12CalryhQjfptNgfGTGB6Ln9zjDJD
uGaaRkwQ4PWud0xptLByuCaRe9vnh39lz+8hOlh7+fRYCHdQVASgbNaJcmli
IrwrwtXipSDYsNQHahKXCg8INfUhf3vA9dJBjo5iruPsTxXrungvUdflxHQI
XSgnmNZB4pvxfvPpSu/1AiMSFdGgcIp4XAzw6lLVygzzpFu0NKHsidmYmA4O
60+pfkW23FUnnp+qX9FIz9Sri2Cb6TMjn7nE1+TqFDRLnqxXOcAmO8db3Vxl
KjUPH8Ne/9MkwWueHiMZFZeTxRAqR7MxTrvRNOeoD2iey/Ei5rCUWFrUy97t
IjO2UQVHL0+Ok0tDD9msmXAwsmdqhEJwNIAHtLPlWDBaPMx1uzrDOi6bekue
1GA4mmh0UJVh0JtRoaFToJLjd0YO6VtpwwkfjQBjmsoxr3KQyRlrbLR9Wok7
4PC4bfGp2sLjs8Un1elJJ6geh8f7BjFKsBni++KZcTOeQ08ZQHZmQ/bwN85J
p3E0mxSFSyZuhU5L8p4IZhYE8jpjhK2FgMPw6H68HpJ/cWRtFheMwPSW8Nix
QDSnnpEwxI4sAoXbyEaqcIvQaKx7chxzHuQRfdx7eZDtTZ1EZPOwKDASNwVN
FJ0mnCjmDzepRtoT97F85rKHTk3NhsPFuLC3ZOJdXjBUvFc3kShrJ/OcAh0j
idjx9AEYFBJ4UEZ3c25oACRBHUUKtAHp64cIGTc2Mj+F5vFZxJsBZiKXbL2O
yMxZwQYgQEdmaismLgzTsTjoGA2Cpq9xAkYBqTgZTQbZUBn0dAS8g0fwWscs
n1ahtRIywjUCCiVtDl4YC/Dp2FmWOAQWSRDpnXaIuT+doNltQJf+QSbL7c52
KZMlkNgwf4swNBhERVvDAzKzSPayywkClsAe8Sh06DUyHtTACbUbbWit2GyM
kPkzprX3Xi2QZQdCKNymtPSgYNlc0ingjhkWExJavK/sipG3cWZkkrlvuLA9
gJoc0I6lcTwtatgV8miKPgwbT7EGiwVuDT0k9OU2xhZdqIbiqOykjMlotBiz
buAl9sYT5YL8rKXaTuOJ6d8E0eX03hOzHMau8VR0GtKI5AlGn0NKSXGDOefN
TMwnplcuzTqKKO/QjspYqjee770yoKn06548RlnpJ4b3seCuUtkzbpdYBHUi
hnlV8tiqa0OlsOnwSbgYHKVv2TbiZZityAV/ivYXMxY7HyoEAbvqdZQ3cq1M
wseAJyErE4BeOk6FShcnIrvpaNBnfsIKT+xGjqkEnrxQ4h/HpFLC5zvMbKfU
JlB+dbts9QqJKpxEaJg3meS5JZ7JeRdQucCk0sJjGBAY66/SxPVUKssNiTFU
oSkDbMyyikhfzZC/n1wHrThIXtUeJKEpSi3J9rFd6bvtP8rMKTbA2Qg1mXHy
5NnRcYs0EzMS8/+HYKsCBEq8paCoNKQ4TkWDMK8gY4rXcGg60Pg6a6bfabGm
CzVZYKZ7HZ2lInWbJSKFwoEyQT0RYJaDU7CsBvgB/CJOaf3eTxYApcinzUhf
Hi7vidnlctQ96kBstpml9+9h4jo/pjfZjLPlpvYICG0uNpCllfzPzu7mI++d
WlowU1BqdpSLDhHcI8ObXy+ZOwX+yuRYa0+CYfETen0DJplpkbbnkFDn9tbb
TqWJVLl6mP861e1skQHcBNqQfS/uVyeHbFpuFxA4YiaBh4mKyokh3y2/s8EI
X2cX5qgbArVNzn1CdunoYYuUKTkUwuTOkRlrkA5JjOlaTLd8ykFUwLkRWEbZ
mQRecZajTwRUofnhYoo5jcB4CVXWZvsohe5jRZpfu6H7Q8nHV6CXwGE8nXrZ
NJAfa7gTF7YGd/pF3VGH4iXdK5hOjyw0rItgFcO+hJ47nICqntrro0LMGQCq
0ibzCuvKVTmomi1GwLbCEc8iGl48Iysn/7aeAPQ1WvrYejK4GacjOm1W6q2S
s+l4potqL/06smBHiUFtDqqCaJqDkQk+hMiKAvBQnuAgCwcY7i+cFxGIxq7r
XGTmMIsRtjbLMA+AFqeWRbkT+YWhgLeNRqn8MnIMb3RFyUbqFJHBjwT36ZKj
7SGXwzGFyFfEwcPtkzy5Ym0lJp+4GPt1CcxF63YRdS0whW0lcCask6yJuW6c
O5lD1j0zShHf0+ERVIJGBu06hihsW1lH5NvTg6RioC18j2LSbImDDBVdkpcC
8H4FI4BQfvHPg8fy1AP3RYgJ67hPHvLJ4xLSd6ywTtvwODntmG/a5pkr6Vwu
q4pGyyqXf8RAtiDH9B0dZtHuu1D9xzyhFoxZJs3iE/tfCut5LAU9vGIoGwIW
a0KqgEjgYLjgtIIbSQ+iBLeARRQWm5fhTMo0rF3NjbSTs8p6g6xX2I9pBg4u
HXWbm1k1PAIONo5Xht3YQsZkxRVtqzK7qo31kO9kZrFnr9N8rm5BvKBDGznF
1wM6CFsUjGtKw2CGdcPskFKY9YPUZt630dHXxvryQcvvHKMLSy89dv/cgkhJ
NFoen0TYHMZvAvCZHw8cnsIUd4yZaw7BJYj7VcnqslpWlwWsLqtjddlvx+ri
4/w1OF0W5XRZhNNZB82Dx9XxovKF/qDEvewXEfblMM/5a9U6uB0GjWtvyrBt
825J07ZUDctU2Rn8qi2v1/kbvBIRdlrFTeWTCj7qMVtviszD5lJem0V4bRB7
VslqDxVsTDpsq8FWb0KUmj/NJhSZ9zfYhCsN+7fdk5JaoDDn1bMXmr4Lj7ZW
3rNcPtg3pnr9xC9ZuXfgK9ac4WXTFx2iOz4YVjbnYXkpUuoGVsUP4uMy9Qcc
Yfmo4JsST5DPqnmClKjgCVV8QT4r84WoHBaZyxq2oPeWy/EcBymo5A+khFTt
FUYeqOEURT2rKEJeUdQyiyLCLVRulqU8Q7TqWBIX4BzoFHu3wbJ0WXjYiWKw
kZx3E1RzOSweU9CyeheDDsCbVK8X3LI0iTccCvXE3a7QZRMIaFfO7zXET5kp
ExVKkIDrQeU79UFGhNOkYf3U/Ej3IcBTkF6WQ5wxHBx7so7oakVE53BaTHeG
7JyDEjretblJJbeJKssGpzqxeBN+Y3xvFFap13QCuYhMB85vSle9MONKskUU
MiDuWTZ0aRnvfyTFKO/XOZkKfTSZn+50KrzjSbPxfgE+YYaNM0iJ8K6NDXLN
8RUieWurVuglAUsvlqjJ0TfysdljW6Gw5z6IHVyl5vxDAipUlXcptY+t3cyC
+3alOlX+n6JrvzDHhO6ocyVr9268gyOsWh89lTVIBcc/nhz/bJqCXtMCfHSb
y6uKEoawA3/GKq0oy9Z8Oymtig1QqmqitM7bFSXt+X+mBYCzitLVskCFKBB8
XykU8L78KR8Psnftyfk6/my+wXZAEFCCAZctywbF6sIBgzFUyggOkKHRQKCA
ZdaDFXEYlNEUARYqjaaI/kBGhFqYBSeYpIDhsAR2QRUf5JVijIZ+UPgQVTIM
9UrJMCseDVWDSjaSePeJ6TO+7ic7ISzOhK+8yOMwx9vpX18dv3y6ftpMHj+u
HEKV0VHlMHCfVmgZNYWPfww7Ep+wFbqhQfxX6IhXfBW7b8jS6lmhLh2rXYDw
sbD8cEujlMkgEV+kHkzIV/qkZsYqPoi2XnHerHa+BZ8vs3vLhvj1LN/eDtdJ
NFYwd1OKBovfhW7VdErqLMru/jxzN6plqIHoLTAZgD0wlSeltGUB/zZsu4jU
77FpL/4yNPOq5pBLv5rlE8roycFckdRpDnh8BbAVzapHNazaw3TxgkSdr0C5
K5UaBfN0r3f34u5LxvcriPoaPsbn5eqNlseD3SgpXmAv8t+rXIJJ5YNI2ViV
9Zv5177EqljYaqSe8t4+cQE3oGv7lBQnNz8WzzlaVpLoVKuhmjqtLjoYqdzP
pRD+Gkah4UfKu7Yy8LtVbkS4xTIcEbWVEaGk5GhC7EZH64fsxnXa29il3i7b
15Ge3n1r60rCwf4aOnyp01YjkA1+qq2nq4glkU37L8YIqimhEiTmbqygAgJj
OSsofbKMFcxViIWLQzxil7lnfgggsQIX2tqfv2tDlCBcHLn4ahcyi2ZOllA4
LoYD6ZxHrQ3BGk7SgbIGr5Uc+NZaYkzEEIdzGy1uwUxVyHGnFjtAvIx8pNQ8
gjV8EN/YUOPPab9YT83uSzPcatDYe88Uhlvs2QtTwNGe+chaejw69C34plhI
ddBmgNwQLJAAOXix1+gciVNLicxmVwC4nvH/FpyXC/8LQhuC6HjstEUTg5nI
BhZjIjoj3PDP0DCxvNnVAQeqg6HigIPV0WhxIBHrCQq6BzZuPUkGowOOXTd/
DwzXNLwR51jHwdNcFykwMfU8VDpnV1TMzvrsqinvoEfeu0y/M13y3xX2JXVY
vYQH9i103/t0MLLv5oPg3Ty40i3S6MLHA/YjBMCIJskhIVLoaPgi6baSbVzi
HYmLL0NYVHqDzpdBYwDbmk0WF5cuSlG24GJK2z0f9yn5M7q7Y1LF86E46Hno
KbLBOXQDk4pJBpDeDXmivp4gHih5ZzuA/yoglZYHpAKqx3eZOSgIfsK62ejB
Wedba7SaLoZDDEu3vNjF+OltB76nPQSkxv2jchriLpKs6YxzT6FlGrr+Am6R
aFr6ixlFDHnzAoyvD2KDQpGw9VESO7nfsrcjzk+VIjxnHKiH3/ng0ZYdiuuR
NbbFAKVbVFvvhuMQKFSkMFxcUeFayWPTHUmjyVVGvv8KONp1F+KldVWFalt7
558p9nqWTKZmceXuqBotqWlj+CCDfN7vUJCTHBJupWPQFi7o257HcW9UswjX
6WxQsAJ/wQgxMAAfmKUUUoPBvQX6lqFrd4z9llCj1mEmaGkMs9EMsuKwMsOE
s8oUtmdVeI6ZIv5lteFnOOHPD0+Pvl/3RcGmX1QXP/r++OiH4PQrl/74E7O0
1sJCn9t9zlwyORRKdGBIdmCakIIolTCxL4kddhsOAd3Gbb+wNMGOKaswhqPY
jKrMgSlrBncIp87r0MRdshKEIICh8Tf496/TkfIew0jCFeYHL8Iphhx5Kt2j
3nDKRhte73sxnupH9PkMAcigt/nYTsAcgb2S5HBg7y6A1EsTBM2MIFkjbHu7
s1AMfgn8mUVMAaAsNLyRjcLHq3vJyVklnIP8OZpOZnPEO3ql5HE3/RRLKMOB
Do8mAxtjIjf1BFXk8fleZvhPPlkg5tIEPVn9ZCvWMkg8zsMJGWtoNhuOnkay
rxC+jw3xPMfz2Hzut0jVUs+Bmc9gxcDpAEdEvg2CreHjNOpz0E/agCFbCBph
6DbPrujwNyxxLsXdvLPvrJdTx5BjaosqZQjCGfw0njSq0txj9AQpWDRaFxtB
E1wPFrYiYB+INouRQL+4TrnTZT6ZToYCloUTYOqcig0GJHwvSWaITKUFSbK6
xiMgjmyCqJyRDiJyZLJtUZU4wRrEzOsP80JPOMy2IOFBpywGFMl7VsQjAWc9
LcSNxjEjsy5NoQTPgTocgbVrqZ2GERZ2K/tdR6eMSGgHZUok0YdiiJmGgbRN
u4BNIpRFMi85p19RdBCHJXJaQ0o3d9Py6ZsylRQu24cIfbxj4DXpbJKoqiuy
jstE1aTQUmS21xMtyTn+DS/MBE+ZNUm4mtFttzoJsnQ/XQ6LmDJ86Qt2VfvZ
xz/zOTe3oB/GcCA7vps/RLdl16Q8gPABUCkFeB7lSP4pecYH/cyUM7yEU1tI
MZ1AsOYipUp1sMHogWd8bHfsNJUHvXhe6XLl3cE2VIEyLGEhhtCShIDIiowa
hY5mcJqTvDZydNCNqSE7dqGC7Y5hnGBLdjTqsWavD6yWmOUIcm47aE1/F2ZV
uzCTXRjLBRFxQxh85CbNIps0W3WTygkW36GbrWQLTgy7U8PYoJbnLQpFhWyb
nYqNvMLeic52UTndBc/3KeoptW4ePsSfb3FM5bAfRGFrrZ8l2+Or9S/y+js5
fv3s+KRNygRw++GwSOSXroN9xGJVsah4ns+Kuee5R7KJ5DnFowjxIQKZwKlh
vnumk+sx5p5YUiTJ+D+bemZGgZEUj/3ZNa23yAxOw4yoX1rt4lpiCheNL6xc
hsZ5yug12cDM6CrT3PhDLmRggSdhoHYWtXqnWNU8zTFUFKsIyprciBaWqI3l
PUgJY5QSgf5QyqAgeCA+SgLe+7MkyPnfnToDYfFeBDqe7B2u+54ckToa8kR6
+gm4os8SlzLAG+F+LKqE6iiKMlaZ1cgNXv/OxMvljCSdPxOKwDyAeFB4b7ZO
D+ogRIXIGcChE1QKqH92TUyNH1sfASCAZ6Tpm1nBvlYGZz4CHbR0JteEZxg/
B58TwrLGCJimhTjFGzHjim0EhFyR5gPGNlKJ2I0mbU1h8pgptBxvaOQUN+vi
bl4+xDx+Wd42cA8RPbkGykHleeyK3GYQpSsnC65ndSczcRiwibs3MDF3pO57
byPoOAy9FTMVihXDWcCaZL3xYOkjthzpZ5AUUa6rtKsNx+IjzQ1GrHOvY8KS
5kpb2OWnwp2sMphRmAG5vLqtLFsXtX2dAIYb7SQA5Emas01HaDacUdQHpLkI
bXGqmzOdpaCIb2yG97Oiqcr4aHOMnmmCO4uLTZ6tzk4XCjoLD0bFvCPe6NnN
x1ZKU0IEGbK1FVsqNv3Keaw2HeS7y5QAVhi9nPAgUoJXF7hVoTaBEaIOpDNt
rDcNytDHanM7QwTFS1BCYhuYzNXAQCa6Opoa72MrMg1sVtaqr7kzHb5IUiEX
pL8DnvQot0hGMki8JDFTOFQDttCkSOWyAWN2eLkE1hsVfUVidpP13mQ+N2u7
mLZokYdZyssGSDdNtjx5CFQOL5CwKTK0gKnQGcdjxDxlRx7lcnDJGuVy8wGL
5gQvDDkCDAfQN/nlbBoOJAdZPiUiHVzwtFYk01g/ffJdE1XkNEAld5+WHZL4
2yfPv4N5evKdht2NJdooTNlD007PJgO5sTa98paE+jCKnqDhzNgmhrqgFsjk
9vw7Txb33RrIuFkkDioAZomMtEamX/BNmGUMOh8q0C/Yr8uHC3GtIWDW3kTt
UkwskQ6Jnj9cXLTzsU3xYdhtOgJzWHIGnXPxmWhC8S4eIhFqsWwfUZ3DdE1E
5JWTJKHy0ZtMhoEoLunfjDAOIzYl1zv90ePHRBZNTzSv8Bx6LJXox76sLq1x
1hpozVVmU9nErpX+B789OHhmtJDj598ev16X5ph0K26YvjVN/mD++7ukZ5b4
rZlpwFscTiaGNcBpkI7p8OLaYrrF6es/HXua0dPDH0+OfQ2Dd69zHVIpddAI
VPIYKt1I4XqK4OBiGD+BBKGZSUc1lrD6p5pDiz4diW1PpfJlusC56TJjXdll
mJAulzqLu79gOVRDa53EwMoFMp3z7Eh+ZWyGp5R29Hc4NWJhpTshsVhr2EQF
ps5UyEzMsgiLBRmAis7T2UU21+KLYbDH7a2mRGhGmxMsTqEzabWitq4R4xiC
mbsJD6ljl2lR0QqzXugNiXyYD32GcL2muWtzXl2CddBqmZiPo3xs0I0ZnXmI
LDqfZeMLMzhDX5ZEWGfFLmOOKNOqxGIG9WEAJcQSwRh4WCLc5eN8tBjFm0gL
rpVvMdDbYQKo3iDLmiNDfNX69kEbXSJug8MDgWDHShf4uNQvZhPl5MYAcwNi
wmxAuO8Zh73a/pGHBuZdwnyop4joLX4bU3Sk8+9Q2dheMPqkyO2dRlVCizG5
E175ic8lH4ltnzvFcrRtxeLiqQzt1j1lHc2aMzq8zWoctZGhyAlnVj/NxzYV
DIqP7+a8EcK0MGFd5tlKtZnV/4tLlk5yEfbDc56xCoHzxCDpEtbpKiPEMU9o
hKU3GuFoOi/8xPBUuQsMtreaZgluppLGhvisXefcoRzjoAQVEJLP4MqyJqVU
LUlxoPUy/bqFoXJYEN/ZXxg9Z1UwfqsemCn7fnKdXYH7kXTGARIjXhxKZnAz
CljUBSZXk37k57GxCSYlR1A7eDYbxI/QLvASzbMnflg0uKKTVOYBi8Mqt1Qw
uHddjP0+e85AfuiweCw/1MRhaghBKpSVcVTQn2WEpc17Hi6QiATWcLtCvZJH
CszAznNUU4szKzsSATNWi++TAY2fdQFS/QIdxpJn0AfsAmM8Aily94kErRlb
ztsjgF+dFRmMMj+vq69Ul9Jq5s5lz10qUikFayDu0qJwyW8SVfG63zFMggig
ZEEgmU4n+XgergSqD4j06SmdCvNQt5OPFQmKYx5ZYjB7ADdiL1N800F5IK2k
x5dtdiQyJdSD2Iggp0HeN7QxW3FYchpUuQZ4iIqaLS8ZJPn7Oqhp940VnSqO
E8vW6TixdzuIFXxBfpHhkDDPjRhldWOWDfh+HX76INiVbfWe42IBCBP+i0aE
glOHw6EZbUAPwe0F02uPgWJHiaKxU949daxXqgBiuSkO69VkjZutKlURP5jL
eaA+tamcQ2gICjmjHFaBElBfo0t9GlaJsTIdlZf926M3jSMQr1tlb1DPY4Z4
rrtR1osA2RVuVJp2xCyhA63IvJI8r2TH8nIJOp6iT2k8DkvlWBLoaDOhOmDU
FWmUL7pvwXvUfTeYOIa3nBW2fRg9J45XCJs+iTc4f5PHFLggrYIbNTuVlVKp
Ye/Asu7tLTyOiMFpy03VJJa+pyvcXj6GLFFu7TqStJW3uVz9lwqGvIE1MEQC
n83DtTKd6UHK3uAg50hMvuSBozTLJOfgty9fw9gy5zpUGJ5LzgbkgW31jFJw
vaBb73S6mMihb1QiNJTEKYmh92dZdOpDpkZovWdAvIB43gYsabh+uZhNFlP4
1XTKYlAfL4bNYMGzSveAfWG4cP/vWcGRIEve014RTdSIfKBIPhEAoorewAEI
H3uDBr9FstM7I7wjEt4Ph5ZPVO4Gy0puJVWBLSiCcepIXKUgJVBgnKmxpuJS
kRzdo+l+sDgAASjDbA4emhKvpPpYuEXvZp61ezdt+C+KofozmSL1ITtl8O88
q1oeXSJYHTTu6lSZnicpXb6qnlrGpFxA2V10EgrlZa0IqOmsIpJQzKN4Jvzd
yMn5vCQoI8uag7QML0Yw11iUJc18FmxQ3Lh2l4KOQESOHzlOysf1j3AVUs1K
9bkMl5qOF3pHuqylUMrpUblMru6a5M0onZ4VZT5brrvmM81g9Ye8C72PluzE
cuOxrfmgWLY5Tz0F31o7gv6ns6o0TN7cm8IqXFjW7Xk6Xb5s8Cl7GYXDw9kI
ly1SxKxaz+Z6lzfAcSnbOz8QPGC7wYDmVWnRDJ3dS4QOnQeQLz+xvckon885
VyA+kBXDczfk2xVnVPEpT1N/9Ppo/QefocuoS4Mz19DX6EqHoT/PUjBnIm2x
d18ticHXFaTlEUMFbUmZ/Jx8Q459USzkCCPXO/bjY+os6o75mi8xF6l1jrXt
sreokHF44PPeYxToyKESWRZ7qVo5CNd8xYqRrdOI8m2red6Kv9Pv9BIhxt8J
NVexoIe2MR1/6NfdCK6fF+quGO90ze7mmcIWVxhZEJdiX0DOP3McdkI53V5C
UOI+ucKw/ja+QQDekpHDVqwz/IH+kb2bZ+OCnVRUMgdIzCDO/Gh+QE/ocXuc
XZDt1k5LodLOW3PCIJ2nAS6jxP64ZVHpHLi3haz1ubvM1AaIdQu22JfYCiNc
oZeHeUM3Fd7tOCR+m4w8oToFeSy0L4qhmykNXa9sXgvgVvOUjRz4udEkh1k6
I41/kBuO3csvFnJR9aJ2jgQTQQZZPVVVpihLPWNzUlgOTdavIF1sydKEAZ5o
jeMGW44jwxhJdPUJLLZkzhKnDNiQkkwSjApnz4RGJQFirDYxtWoyncv9Pd28
wMlhPZpWUIzJ39Y558EtXX+uCL1yaM7Cv3wDF745sCI9mM+NoHYwi8KKsBmU
ektzj0mVJBigsgeWtJJNzFR2TrR4xhVjIbiczDE5bm5NZ0nbEUb2DqzQfPly
VmSjK/BzajvBA1JbTcxJDIkHqF62LPfTMWb54Ru3CYemtUio130Qhgj2+8l4
eOOZ7rV4XzlVxdUnmaYtCim2mcJkBcYLMH+5CTTNeZqII3R1eoaFGA3XPCaV
2+yki2zQxt8SGrPIQUtHMy3/fT2D22dic2br7e7CLaqiSLtQXD7Ug5V22Wh8
mXiWcauC6oGVOtdCxZJXILhCcYZaPpy4F/ZusszQObPNfDGD/H4Lm+yUv7xy
0RGidC3tNXfWMBLpsL2CrejuvXpVmltMlYXxKkKj4jHglXf8ZjUiCccTUEeJ
Irab7Dt3L7LACY7NMLrlrrhnPglVB7xW0uJCL9nLUK/SuRFeM6/z/m3J3QeR
3mvmV9gcn2APHFqKPvnzCyR+4JNmYBCUCHmr0A2D7T80dHR1pCSQ+EYHdSXW
d4MymEbdSzUIuBGDyAMObCmkoOkOceuYNRMjrFpeOJd5jfeyl4z30AuviM3p
6Fg8ijUOCl0O2ohXaHHJGd7puhbqhHWrdCvjRgnepf+zOesPkmAHEnBL2i+i
bxuhk9mzp6YfP0+NUjP+2ZRd5w99rzKvRD94r3yvLrI5FPkZl4gLgvOZ/1ya
sDUAAvLq9f2xtj6/rjv0HbfjPbtUPUSJ0fFfX5XWBZcFNo9bFsZJvcLqTXHX
He7KVQlTlco6Dlb65L+WfMN8I/adjMSbz4qBKPoSN71gMImRxCs6reKD9J6w
4UBmtzrhaS2qCsOOG+SQ/7Cwd/BswTCV8RvKuMI/ONLGXVHr9IVchjNKEzMW
YxLaschXuEPGX5uHWnrAkATgGTRoye0fKyaFl5Y67YOsSqm9LZtgrsb3dmiY
hpOYdUTw4gIAZ8peLU44FcOi9OTSs4gFsFzcWjAyByHgLg1tJxlXbJGFXvJ2
NpTmkVuPFZ2D/MheznBn6ECFm4ECExQIrxVvF1eh+EDzYXPK2WDnaBu6yjAb
+fX4YpYOULFMLUZH3NB+PdFcmsLEMO10YH2/IX85Ox2+nU8s72zuw8tQNGZy
puILTrSOnnxkD/QyPGgbgWiOGuwpw9OSrjjQn4a9yKw/pqjS0liYFdn0pzTn
+JEjSNC9nabor3lLe6HwLFplFUAVL8b5Ly53HClbUg0PIC0tDModk6LIe0Mx
DFXIHciwRfDw7z0mErfg7wJPhuQxybhZ5PDI24lXiGOHd739MKG96YAhjuGA
45ZyDmedecZtqPJ6NgGe4QxeK40rup3tNNt0nuMbYTcrVs7m9kr+Z/cty3Ie
DRi569Kzkvh7yffxiw0DAsFuCDujLx7DvK39ur3tF70pthcUjpZDtWXFyXYh
NX4fljOs+7QmV6yBLQtWctlM+IRMu1VBoTnFIcKoy7XEHD1EgI8a2pYtk/Lt
0D63OAUFqguVZpBZek0KjjOGmDPaPi1RKfNYsC52PsZusoPxNu4YtJhk5cYF
3EKKiMqF59RZdS/UNlilP4BKlCqXcO6NyGlp8db8p6pvbJ7LWKnhSEx1p59A
BaGf4WrzVDZb0MjtcWDj8yKT4GraDS/dWDEz+p45Zc0WAadP3JI1g3ZGAn6A
nDi5nAwHnnyGIKYobOHgz6CmM88beEh+7mnhyL/lnE57AKeHOclhca39X1F3
LK2Vb9U380rRidoQ3YteUHrXyXDY9MzBSPh1+Gqe93JyFsh/tfUjErnf6v16
S6aL2RLo2297dofDlRbduoX7MrDbLaFdCQUzEZHu35y4zZlZttLzSnWLXIef
epcQtPuRWt2NHTF2eOpQJQuUszZJCEM6hfS7fTy0bQSf79umvvdlJucOUe6v
ZvpmGtj/ER2EoD4j6HnpxbBj1y4JGtS91Yp3xrm1RaxN8dOF3HAwfD7QCu2L
tlzdyv227FReNMI2iTk3uTpEvCnFd8+XVBjQoVclK1fPzr1a9GE7VuqSgp/S
bVoR4UgRuhfv4Plj2U6vVqm3f2xXsSbScAqF8ao0RIxfxhnjVaEVx/htlrHs
24pZxbLWv8+V9oSasC7rPQZvEQHWi8ItxQq4z1tVCx93RosUDNwH4vT6DBQ3
vMd5nV1AnN5MmzFyedueydtbhUBQ/jhCtlEfc3sF66Q/JTWKRbncfDsfeFcB
TRLwJ2+TxZS3N7tFLOubFkkl0F/WBCkA46NKImbEuv5sbGpP6S7YuRd6FbAx
RNWD8wEuCGnhBwGHFqRbDjQBRx6zQTHcz9qkTYm0N8yLS4zJVmDBQRLz0iLe
dhQcW24jUdhdiI0B8YgWojQyUKPjxoAsVTKDB97Jc6Mu7NEcn9INsvVsHGA2
sAdwsc/LVEzTPk5rcvrqOURiDFO8e03x99rfF6bja1L1ZIa3H8mro9fYQwmJ
RDEVTEI2wAViDy18iO4FfFq5P2wGeP/q1D+e7nyFussXDvCDaqeK4PrYthje
nh6xdxslMYM7EL8XYEgZJMcvTl//lUL7V+gJ+zpv7TYTzynDOpdSQxa40OGH
kI/Imb21Gquen3Ffjl6+ePLs9NnLF/YKyj7hCaDvyU6zwgUqhcrBCGtrlF6s
2wNkd2+nae1BNOPovlNQ3OP9b6RSDLwxdK28T90hpgG/KeKYMwV8peZmlGO7
Z+PFcIhzyUtYJBcYwjYrX596H3fKNabvKmqM38Z6X0YoLT6fvybZBQ0L/UWo
T4pM1L64E/UpweYOa01EOMoJQ5V/mWlHp3+QGCOT+9EkCzxrMZrOa4hWg6W7
u0lF8QPy3FL+dcLjb6hY87ele3msmAN5VK+2GVbcC/K41MpqG8SCvZADmsCi
VDqzslcZXgeJhxnOqjj+VLtPgRbiIe+cfXFm6jMiwztsEUDoj548+VH7yF1b
lasC4QZOZDoII/FBbGgtd/Jycu15aSoJ/cLZfvzY7AD3VQuCcIJLXSV4XjY4
cy6FYhLuT75/ePESDWR4nX6+YLUs+d5Q5+T8vPFJcP6h0YUg+SPKEgDFkPxj
6AScAsgGzV4tgscNi3e+mCGjUngWpm0FQknoFqX4cm4KsdwobN7oscO8D0rF
BbncpXPyBcQIZ36JivpgARJifnHZHhoteJj0L1NMzDPDKyNniRD0WKtbmb3L
n+RjlyarBhHHK5aOiVfBFZmDi7UwtVTqNQW1iOsbipAgNBkBasJOoq+z4Q3M
06t0NrfGRku4iBxkhgk4WnZhB5np4RCXlYJuMKr/baYQLvp5Yb0Ik2OOQ7f5
kEIfRwlU91OjuLwN6JT86uTQTeL79+1pkbZB9RpDwLvM6TmA+pmhLwpDGOBd
kqwd9keZ0U76nTUZnc1ib1NKcJgymfVEM8AWNLaiy+z0bGxIlD4v+N4WNn8/
M5s7nxBN2STmkx4ZtuEOklqE5sS4bx7qy+I5JKeQ/bKA+FAgqHyMjnKnVn4H
zKzFOcAHz0B/s2Nskh/8l8mh4CHC6yP7J5bRWM4C8DJQykE5DwrMvVQyMOO8
NBNicaNcRx4UPEAVFc5XzUeT58+esHJvhlziP5K/jgNvs3esTM2uMKyZKUPC
r9SlOrKi0i7jdFVCLnnh1F0bAN8fmu2unJKfAQ06NGfbXWv7P9vb2tvudLY3
t7fOIKcJN86AX6xzgkrxKO3udzoP99L0zN7ZrL16PTldc06I7qqVZKtSJen2
edbp7G7u7Z6xyZiYaojdwd7BZlEz0vUJ+t6dAN6SkKknL3hB4HtI7qZzngUr
qqA2NeGYvX65GPWms5zAXs52HnZNf/cf9rbP2NMJAlzMYZ1eNDagecMTsjas
KUhbG+hLAs/Nk4550pZ0vubhVnLAriZ+AfNz07xaSw25d5hpbFzkv4wm7aut
NfCSum2pWm193QTS//k10ss2iK5S7eHR82PmFF5RoylT49Cv7e762uV8Pi0O
NjZ0P9aawUeTYWab3kzemL9hEHirb9ZyAzpLeQftGHkLbCQ7pfE71GtXahOr
/on9ejZ0+CrI/zzF8pbqIZqnb98rXyjvvZ1pz1lqI9F3C+bn7t7megABdvkA
tsjeYG+3O9h7tDfY39zr7+3C771sf2dva3+nhBlmip3vZVh8pzswe8v/f1sP
vC+cg9kt/3Xb4j9+UoPVGlE4FW6wkDJZ1t7w+k4xOZ9fg/hoN+laK/aZ4QYe
kYYFxElIVv+nYNAbeNPaNoInzfRacZm2u7t7XmuqIHEf8+MBMJat8276aGuv
t9nby7K9ftbvdXe6e+ebve3uZmXOH5ns7Hxzf2fXbNJsd3fwqNd/tHO+d24Y
zXbaA3blT/YbyYvp+sPbZQsGTxwtLKEM8qbcNk4AUMrlg93t/Yf7j/a2N/d3
t3cH59tZ/+HgYW9rN+0u67b9Z+ikb/S0rZ2tR/1tQyx7m33T9253++HKVfQ3
z9NH+9vn+2m6/aCZvFEf3paIi97yLHzeaf9COw1O30fnhtJ2H+71Nwfb/bTf
y7Z7e4+6m+nmo8FSetvfepjtbm73+mm3m3VNZecPH3a75sH5/h6c6Z93mv8X
7zT8761yF9WCoLiLij7xXMvAKM+s2RwMINxYrcCJwkowrcrTQAcsiU++QmLF
yevLSXKdgokkHYvobONzfBzys63u9s7u3v7DR5vmr6Sd4O+zkpzbzyjbAip6
tiEQtMpiqZZDrRTJkmPMvScUPdE+o2TUjnie0tBbdePJVUQgXIIgCopTkc7k
HgCrI8hFkbylBqXFRmpzpqxfXYy0ZPEryJK+yrWqQFnq0a8rVfbdFtCKLsuY
0D+UMSNsXxkcNzyuu2FtQxq2Jyi07Ax1rdSdpJFS8fNUCi4/VenfPc5W+ne3
E5b+NYNnt97v2xLTx1B1BLMoTery89ifsjueysHHVWezX2zZCS2lVzynveKf
Ti6mf3eTjulf6eSWHi47v+00/ZqnOP37BGc5/as50enfbS0x6/LubzV/G34q
k5CzSLiY4081TOUzQ+F/tQzl0zIQT1T4GN4hlbXHixEeQ9hEVJRa+zRE6Iuh
VUKokdJCIdQd9FYC/Qfa6qzAcAdD3f7ew/NOZ3+3B1ZMbc8WXw6SoUv2a4t+
jXJ1YJC3OW5BtAsxTzxbPTpGUt0F3rb5uZqs94x4UOYDF2SPXkYzkNhf+7gT
jcZhCW8HwRvhvqe9dXvbSib6bmptll6vmWJm2OSO6q6jsMkUoYrwvZGK03Fh
ZVZG9DWyrfhy1tqzrQ5SspPDklJaHIzfJUt7yWXtbHaFuPBniP9rCJF/05i8
J10wlDvSCLtdTn1gPrSFLBAROS9S9w9CARx265qV/dZk+64pvrvm9vSm3t7m
Bx1rd2eFS7mgsDza6czi1jTw15oTY12X1hwA1NoqItCaD3a05nOv7kHATUPe
WinU3EN+uaMhT/M83frWVkw42dpeRQghqaLi4IoJG5XSw623fG9E9VqTa/h/
cjqzwIKKyHZ3H6279Y+s/OUDuC952H2UDsz/9feydC8bpN3Bzv5ga/BoO93U
a97tne+Yp4OHD/e3NntmErv97b1s99Hm9sNzuHCR1X5DHeQlXqPkUqZXm/yA
bzrXSOk00stBOoNMf6NWd7O7e2A2wO+2OpudzbVm+QC0fEcOwKfIKGZXNudO
8sy8FwuMYb4TsEx85iP/SD5yZ6vlHc2Un/nIZz7yifhI1+UCRU4RYyTsyeRD
v7Kk6eU/nHAYNoKvtlRQKbgcgw+Xupymi3cnZYmPgy8lR0Q2EL7R2c7J2Z36
lL+sp5bt0A+UTO/kPxSGfekvY+mPhT/+WSfoReQ8vDXWct4SZkwE955ogUmi
YsuUtg09CPbEfTfSXfaS209Kya3i3YnX47vy72UcPKmwdf2GAmBopao0S320
Beo+xqZ73BTBrzchdxfCXUazmyEBe127N7XegVY/HaVW21yWEenW5uYqRpXI
CthOx46s8NCqoPvLB2CHON98tLVrKDdN+4P04e5+v7e1v5uddx/1zx95nR10
t7NzQ1EP+3uPsvNB79wIKbs75r8DQ6K7PWUJe9MsddMeYFv20Z2OMCY3/yBj
XuyLw+vip91MslUOtJvYcdZymQvk/FI2m/D8KqoPMH3exE8v36Yjrn7ab86e
HHikzMUx2Dul0oxPqdUOpYhjZVxD+OcV3ISOjNy7uwuNbW6F1e300+1s53x3
09DqzsP+9iNDqJvdzQFQ/WBztx+WN0LZ3v7+7pYpvrez208fGXF8dz99ZDh8
38h2ew8cJf73Uko+Gzfcf9/Uyvo762tt+Pft8XfPXiSv/vTtj8+Okh+O/4oP
G8+fvr0+vv7r9z9M/uPZL/+5eXT47399xn8/Ofz3/pN/vzg8Ph3u5Ef/sbP/
y+x17/V3m6d/Pt8cXO//+enw+/lVY+vh98/Gf70cj56/uOlNvjrcul4cH938
+e+zJyejH+c7//7vv/zHq2+Pj/788PDF9ye73198d3R0Mts/3vjx4vHjBvbh
+MWTUrfWKpSF7idQFpixCI/ln/WcNM5AYfI6HRjJWjUHFb5n2OWr4+dt8as/
efXDMzFAKx/2uMXZeq23+/N37Xycz8FQ6/uzI8zBO/TD6E0m82LOGI69m2Q4
SS0aguGrZzCc9aLpWC8mOBOnj7PZlQD3X515ARdc+oRDLg4xX7rRVcYtyhZK
ORaFOVcglHvZGDmA4CIfe5Zim/SIE4xKMAc6mZjutcre5JKUsWyth1RLRkE0
dVp7tAuq8qLrrV28bBZvJpI9GFxK/PAYIgzTpzndrEBWvlbEXR2Vyh4HYtiz
0R101Cj/ZMcd856I/yyM+jcNdZN1m9tdkSeiUw7JH50APJy9X2IvOMCeBsKA
dHO+d9CB/i0OLKZEk/ZKyctqIyhadvbc9AagR9zs+tiLJpIcPdWYQzqVhjm5
Uog8dwHPAa6/7UczSB6voPIuMxW9DRQ0u/HTSMIu5rTefrIPyBYBVgH4UThc
LYt+R2VbjE4B1zHAFigXACYcwjA/ABPnmP5TgRxt2Yskl/l0BhBZeUpmB7Ml
Cow1UDuVZ9wzXOQFJ/INoE6/ldzeuYtGI7IeZEF+Q85h4Ig0srYIsDDNXSO2
zlKKFY62TiDgx+4LIDXKlAlQg+hYZmndp2xGvyObTrnwJmcnRVd29N/giFSV
Z7dQ29zW4MW7OJ7P+7Bf4MYn00YDDtQNd10J87zxWYD8LEB+FiD/BQRI8n0M
7uP/OXkAbcf/frdMn/ej+2/9fvz/weXNG08fg4NWtDGQEk4wAJIQc47sEZ4T
iDOIEoEgR3h5pC3M3TVxlTTfxdyxfcizirHcJMaJwBpGvlP0OTxteRJptbxC
GuKQ0AR0lid2xCf1oCRFM0CX5DmmKFDtyB6Kt5HkeSQPryvXfQb9lCAASkhI
kfmmbHsylXwWHOZvNEjqm6f8EdguqpNWJNRaIA5TxcffUTvLrHZWo5wpK2jN
DVZeME3EVTVqgTCMXBIepWVg7GytONqRfL2orqZ9joSPDEeQmAqlgnB3rLwq
EB5Flo087GDJ36vyRAqYgXZIFaLIyvK5S7SbzkPlcV1R9KdWv6QrTWdSiKhg
v5H2JbkbPoHyld1J+arQgS5nWbaqFiSMban2I7aACv2nRvcRXcvoiLOYqrVl
eqRs7E25FR8MCmvoD2J7HFFJ5g4vP4dNekGGLFA+FXkTjru6cYhpad3PWtpn
LU2W4V9VKvyspX3W0krlP+/Hz1ravbU02k7HclzfdzepcdxzX/0Dt1WV40v9
jlrJ6eWTEs8d3FxWdXKpIp6tT6Tid6tU/GMdnneo7hBB3T/kOzUExWtVw8B5
2mgUBs7K7Sjg/2x+/szXkGdKLVln98bIXWUzIfh0kKZbDKWokfgFXw5udcMA
exjvAmFnXcAW5r6ZseBcYAFQ0wAVzYjN3vf2js2MZz7pT4aN2kSrCV+sgaUB
vpxOirlNd2MKU8BTNm8/mZklaDUwF0qR9NKC8lum0I75CFOmeyr766dH+492
jMDdYdwweCtZUxthpyW3gQwY4ebmVjdKiyJn1fzZ8elTKJ5jhnMCemvI4mFF
5sfFjM0LA+g2ao6mP0UnSV4NM9P3xL9WhH3Po07HNw0Arjd6AWZl8hcHEcYt
Oh28vNExowLtBX3sNJ4SGuAIdcbxJMnOzwG+2KI5m4UYo3cAhqPdsIbtnJac
PQeabWBvAfYBcdkYSAxnA3REBBEz/TBDlFxV2EWZxLQguh4BQJ5508B8g0af
ny1oinsIuWyoIh1OLgibOL1K8yGaPUo0NuNosfMsBb3QKNuvs3SACa1Adx5c
5Yxk6CaacMbCmgAVMnuXw81y49CHtLYU1ErWkDgoZBHTUM+MtptdY3ug5k5m
aKC7mE0WU1jtBhDMxTgZLGiUgG5r3QQEaI/tHTbhVi8bm62CBpDZYkzeapNB
1mqQ5go9LbIZ5VS2eqMpjBB2MEuQFmWWO2qBrp1n2QBybbi2GnCJSostc0HZ
wnG7FgReP8JpNYv5DI0ngHY+YQKxtMmjbthRM8x6ANVICUig76DVz9fQlQTC
K1NA1gRcv5ezi3Sc/5IyqwGnFEyWZTVuf9EO7McAiQpp6lrJj/l48c5w86dw
+Y+lMEet953Rya+zXjJNLxAd9idBnbgw7HTRg/Nh44or3jCEkI82Xh8fPnl+
3BkN3qwvL9wbTnobEPHqPmtCJ76d5dm5TeOs+NBBcmozBpB1hcJfh3lvliIE
OiF8T2mQdtQAwLzVSX6i0heTYWoohT66WaGjzYR8NbDT+L/sQyNPRvngzMxS
/62ZqMK0xYn+zO7ktg5fPcOlcQieI7N+0wVbYA1JHhFOidNwTDUOIf+5KX0O
Jt91HEITm5dPnk8GC7P0zxQ8P8YKNDE5hKnHWdyGNzAVXTsVCL65+kS0Z0VT
DQ6/DvitOSkSXpUgP3iSbNt2XwnG7LJGzZ+2RfC24b4S/L2G+7Tb27BYZawm
xE3YUZPFfBiA+OOQLNzt7a2Lug4ym8NSOEsg72s4UXmkPwr9kdH1p/6kP8yF
IJYN0RRtOoRRRTCUKnY9hU2Ikd9QwPQFick6b9iaimtFhU3KeygrZaqfYdIu
oBuYBlMNHDSz87RPTEMYMhrlcFQtCTlGUjv5y7MnneREJgaBcHPBBTe1SfLB
lvgNt/iQxD8HeTEdpvT3Ysoua3y8TYBrnmTZcgZjZmp1BuMVbnpgvwxH24ky
PNqehhKQoZvNd2AGOb1MsfQRECRwQ5z760sA15FzACUgdz60GM0boXJPDttC
U2aY2TtzxFOO+SrQ2C+Bdznse0n2dGAftzf3bIIGkJjgkx/zPtQLGR4ODR2Y
V93O5mp827HiH58dHb84Ob4b/+aPmuUZ5SMWtuZBMt5IaRbNy/5cn3ne8SLN
dH5ZDPNp3xzD0LrrUfw9Nv5jaljSYorh+CseWbAtjGiKA1ll1Lp8c6UmDNtU
X4G/6MZqzDb8aoXmzJ9eD5e2VPrAzKPRcU4EzQv26KtZfpX2b5IjLZhJGhrz
f7cqLsBxZbgtsUmkMhbVk9eHpyduz5wb9tFKRtkgp9SloAMiY0r71IbkWhRP
20J0PSPKaiTqPONsrhaFApwlz8/l3IM0JfMQ9Ld4gLUF9TwgUOpswJof5poC
Zr9+evRts9M4NKMYGfkXAKwlGMMOGo+TwWJGV50LvCdmHcP2jFKdoBRrQdOA
c/CBU1ByUbm6Qz5LnxhNyF48FYveFfMCnFmEOC7o3mwGM8vJ6Ox9EaLzwxlq
NsyYuf7ULKzR+yF5SmGYupx36uZMd/z//d//p0ABm92hx+f5xYKIoZWgjJFj
lsI5XtBJhjOBzKZTtsWpO/MRHON2+ICjLuI9KjyAfL/Ih3M6IwxdsmttWtBH
sKRpKUss0BXro9y8nfTipgDH8OISZ7LntAyE4zMC+YV5M0clFeSoGeiYhnpu
+oBvh8etkUBAQzHzP5nyHrA465y3Ae/hLEp5imJXcdBotJPnkGc+/wWdEnwG
CUQ2NAoVXHuBxJ8OC9ClTngce50tGEvbNFgE50TzD6biP6GcM8rMOXrTLtLz
jLTpdISZBEGYWIBU6orS9EGATQruAn/wO4fUTEl4iwWJB4D6fjXJ8SQzWlYG
C4kyGGuS4o/J82oY/nCSM91TVYZOoZlDQCeXRiDuqI/RrmZ0oOLPFTUKjeOa
mUMZ5JdYT6cTyP6Xk9oPR4qpy9JUbwY5sEz/ejduzmkGDDOwkvdgIVHCNous
GOApiYYstmklnfUvc6AwM27ozhHtcUrcfGHEeaBvo9WPEE8xNac/o8WQ9mtN
PTQwIyst+phv0hzbkk3cTCWO9oGbjoK9ttF7YHhjd569sIZUA4YpjbNr2p7W
YIE94GLAowy3x2UBkCG8x4YMB8T1YDhPjVjkSGRoIyQofbbpezabAdw82HeA
IpB2zdbIbRSXnXxvoJBkFLViuHYH6TGR9Agh12RrBHSbMqDj3JnXZpppn59e
Zgryh9M+YjlIACu5rrJ3piNil6L8p4a9gqkAs7SbI4HTEEoGZ38FfJ4urJTT
C2LVNntCStkToLNybLjG9XX3+unxMVxlsz2LKILsmyuctai1ME8okodY9FEV
Y/gDVFsEhhT0XRje0N7SSUlZwSDT5uGLw/gxn6fjtA0V3qI14oXp+9HLk+Pk
e7QiwdmZjiAHZdFw7yH3yCkkKNRVQMQeKKamHmwNPZf+vshw6oCyhioftEo3
CPUwPa7Zmtc4K5lhR+/f/w+or+MauG2BRc7o02Z1dNZ6lsRd9kLyVrC9MAz7
A5rNTQvJh+QJ0BUEZKpriw9m0Ywyhfk67vPvg7rK/MCttdtt87wt/7zSsad3
ac19L63tbm6a55Cj9SzSNzSbkYeb5J31NZFoK+/f//7k+MenRpN2rWxBK5hd
Kix9KHB4izHBlLFGbgq3EkK7dWq6eWiqrWltd7Pb3t3cgdYMLyy3dpwaVWP2
lgdFUsldZjA2tl1ojTLnVo1N8GdBOweqLI+MSHWF1vZWb210h8YqWtv/h87k
w9XHNh/ef2i7m4/auzuP/pFD2920Q0s6Rf6LUSP2O53t7eaZeS4bIOOsmf6o
IMc6vguHVdteF9pbYM6soDS3VlyNg3ZyfFjRSn1r28taM2LofVqMt4bbGyIh
q1qbvs3ftUFZ29tpv81uypOK0IHwyqOVeGu7d2kN0SdXay7e2t6dWzPc+HJ5
k/HWcHv/ZNZtY45uwUigbxRN4uxZgIAq6kRY3Qxy0/H44q3h9gZx4ecfMr3t
PrjNbXb2HRasdiZxf5OP9JlfWlrDtaoZ3B2oZM/tb3/hPnhor5G5069XHdve
1kpjI8q4ywDjrXWXjQ1pMi3GW0YGvMMWiLe2zQJJPGm84yjBqzJrsa+wN9Bu
vEGSFiCZc8XwbN7Hchv2VZSJlQ6evd327qN/zMHTQJGbrBUpo+SvRRpYkwxv
Rk8uGCgWLqhBKHfuAgNM8GXvG1S1aNmd2ytHJ+2LSE73ljSY5+mU8zyDqK41
CnN237LzhFVJyAMCjFWg01oRH51MBkb8lyrXSB+0BRbkUGC0Q6OSSEp4zGuf
vZPflLORPPL5Co+yn+IAzF9wMfB0ASq+VMyKEI00dwOki0gMY8crYjtr799/
8/rp0cOt7h7g10rW9AIVi9eY6tNfvteqHbocQ2W48QEcKT8km+2t7j6VPJkb
zS8Fz5JD1AXN263uw3bXHFbw1vMUec3JotFTZ94bqhmHEaOHewE5p9tK/2ZH
Hrdqz3CuKnqIbjzDoVmmixRd+mXScfKUFoFqrVHq/gQJuRvPxjlabWLzm+n1
9aeaL7TAzGSms9M4RLIlzwDUdSkTGuVtRhpQK88BEaDHAdS6eMO7aA02OiHt
oRUkuAX8kDzD2j6QMvgC8NqDKbcLZl7kA70vYZ2IrxTBY+Cx1hrTnkE0g18A
2KKkHPTfAP+CxRTQ4+A1yC+YaQLsW0GdSDEfkj+NZevXEkkVVcg6aupAmrD7
/pjSYNRu/zanwwAd716cwDXyqRiC69G/GF9wA1+BPajF/c24hFr7f35mQX62
p4DbUck5aD0zlSHG6gUfqB6XEhpGHnP/kdszLglJYDooh2xx9ZxQhn+dLWb5
GSnbf3r9LJoSaKI9jsg77Hpc6H5AV6mRrjQC1+OWls9+Sr7CRyiUtfuXExAs
UOU4JCgTfmTnVLpeJAqbBNsCUzI460LgJTa5Gj8LiXsJNS/nbifQ1GwJd8P+
zO7P3Vwjn4q7uR79i3E3N/AVuJta3N+Mu6m1/+fnbpWiEE87MrMkKUtF/N5w
oaT0vkur7BFO/S4PF3nJqlbuctrm4AJVvb+NJnj3Tc1Vford7Jl7/4U2M4x4
+S6WtftNtq+s8n/jfSveA3FFxmXOKys00RegyAzzMRhvInoQKDOSBCXQY5Ye
7h45VK1//XEOZZcqK9DOZ2Xln4YDrKysBIv7m/GDz8rKZ2VlFWUlRtxLqHk5
dztl5lrF3pj53o+zBQ18NGtD33bVI8XZ4qIPuAFhIGGy849mfavwQGB/m93t
is9iDHGzu9Pe293d3o2Vj7PIDwl8sNfeerizs7e/s7O5v72/+Wh3d2tvC24X
CXHcUJeAhRAzixGfmvkVWKumrN+Mt2rq+2dnrrX/wuX9ELJbBwkj8lJFPe5W
CH8rlhpkxqxyYopVIQxTpL97VLHNb8h3ju59ayqJVbHDb8Ry3r97Fbv8ZpSN
etmsuMynd65ij9/0J+TfUzsT8Sr2+c260H+z8vOqKh7aXsSzMxcQgFG0I8K1
reLRx/dia7O+F8HkRKvYqmJd7qg0Pz74HKvEq5Yxp+VH5XOX01TyM9YrBToJ
KvG0+x+j8cY/+kQdLYZzSlRPE/LAAdBJ2MHnY/Mjj804GaxipYgT3G9nuIjT
4H+3c3XpUSohNCuyOH5TXMW+qPpKDkzJbL7aV3JGng/BVLJqW3IsWg+Ylb7a
Db9CH5v2k+NXr4+PDk+Pn9QefqO0304Hg9lqPZTzzpy28Y9qjzg4ysy5Ml7A
kb30KznVwIcyOoW1B9licaevtujNuFK+i37VpTfV5270q216o1LBr/LVDr2x
0RNt2s0QVFfz1a79ivydVhtXJTetO8mXM1HhmrX8cvn5/hQ3Vf2Rjhvv/qe4
beLjrXzxCdEq7/bns/ujz2673isc145+Pp/QH635Lj2k86KtQt5W4T7uQ452
jDZbo9vC8mNsdCTQpe60Nh8Ost7iooLoqw9sbBEwEtocw6pHWndmmw8dQw+/
rTu2ocXFGGCkkOMu7+q+anE0WlDM2ypjfOg+nPd70ampP7+FAAYU7OmPtO4I
V2NEUACvy59OA40yEJvnL+AV9afT6Y81x9J8ePeziCr86EPogR9+8+Bf56LJ
DHj5ocDL9pucBrzC/+ycv+aeueYyWZxmEekxeAcXzWZ1Krxfl92y6HWtWMi6
rQoBrs8BtwJvyLwQV4Sz4NCDqiDXwSCIb8WP8GrJZpdbU/WvNUqBrrqZW5x0
nufTbGROknmWhFGms3z0FYTHgul1avEmNtRjO4EtQEvExG7ok4xhuwCTaKsB
iIdINfS4uhrznqqRtXCjSMw6Xowfrw2z8/marEgwzTT5v3MjoWnXnWyYqjFU
tT+/beDtJdDwQeMgOVO9PWs0Tha9ufdaKjXvhBlAdDzHNUMRBLB5OWU0AP+d
BdFkkC7rs224p1k3WGOCu+kkyctnT8yR8KeTUwaAA4jCuSGNNuAjjtJhIwEY
PtpNzUbjGPIKErqdjsyGVnv5OJ3dmMFIDHm5CC0AwLQgwpXbIw3EikR8Aw7q
LX+MI3616JntBykXvI1OldvaDt3sFhbIgI4AR9zwDcGvEHsUfI6iJVihDPFi
KbdN99DM0GZcNee6MxNFiWMNA1uMnVDAK5DeANZUkYAkl3x/evpq/aQJuFaH
9AfCOwAklFQznczmeKDN0gtKweBA1Srm5nl6kfcTMkisF00kpCePks2t5Omu
IaSnOcIMMuATF+ig3wZ824fEi8VlgoRC98pGqeNiNPdmyIxMmI3SfAisA7Ay
gUn0GUhJg1t5oEoHBLfzl+8AQgWhHZCNrgNmwP+VZ/PzzmR20SRCQNDJRYFY
fwfJ0cvnz1++gI0AtCs39GNXYDwZZ2bNEeJ24+gSj2nGnhlmMygBSJem/7Bu
BW0YfYR9Y0o8T296mdrQwDz8DQ3s4iM3tKmidkMn6xh8iF9igkVCihjeIBwn
QHcaokCQ2YITYyDIYDGfTBiGM1nDGuCQ2VprfmYQ/6wMImAKjltQFmqEswD3
0K1/OL/oJg93PjOLFZkFrgeCyIFB7CkOwBe6K4QuMXcSfvL1RElffm28POKI
0liLtbgGEFxtkcpa6H1k8UkQp5cQq14fn5yeL4Zmj6qEUMABjpsKNWVNqXwC
ZDKZZW3HQjDn+QfbC/bL4p/mv7j/P0BenEDsIzm7QuADyJHTb59sedrwh1h5
kuy4fDco//6gUnoLp80wAsAhAVgRQJz51sFoHj158iPzf3Js7A8GoPFionfz
Z+Ox/y958fL0+CB58LcHiGmZXENWZJgFw7AAPTp5uP+omwQfPW40sPLkcSIq
LaJHODevRsXzZONxNWJJspHoRw1fXTaNAab879e1pnOQbDaTx1972g+Cn0hJ
UnoOki0s9tNXpZJvuKjTgQ6SLhaW31TfbeML2x9TRXxMIVKJGZH/5m8VaRaC
f+KSVfqe56IROq2ayXE//vgFgx8Gvnet5At+s2I31D/lSWeZ69cNro6RN/R8
mF1oOg/XP/iKO4yoRJMZ95iW89KoxLKMEL2wAatk/sCF+QaWxsbgyzJm6XzU
73AGNyyvn7yBxXJEJe3kA2kl2mtHMYpYqpbc9s0POhXKMV+Wxms/YYnlINmm
zvDvsC9QVMelHiQ7EaqkchKgepDs+u0HZP6lJQBvHWG+IrvxcWL/lunM5qk3
pxQmIvMaho5I9yjafTHL1GC2qrZYjHCBon6/PmIA5zbCME5mWMmGfnF3slb/
ZCzdZiMcSDBedNK1xKQcd2Nr6OJyZNDmT38xVLCNtyYgTLVRmGoLu/2JkLFJ
5jKCKWwzROtyT3kFLxFTTJZB6XUH+ke0MEt3XvV1TJsBTK6yoRFzP2IR7IYe
50Poh6Ub6kmr8abhN8UfPMbXjdhOAsohpsIDmFiGdC3JShyHKOzen2N7vIKL
nmxs/dgoObIn4fpwA3BY07m8HffOZTcGb7/EB+Z5Or6BVa5eC9Ox6pftfIwH
9kayZMJrqvBms6Yj0pZMVDq8kImCrCP4rM8iCuofzNvWYgIT5mlBToIQ/jQl
qPwN0142JEZScKq++gnyB1DbPabpn+GLn7FAd/dhvMh0lhn18CL7mYf0Mw2p
u/toyaC+UZUg5weVIOnubXq0c5ehu7JmcOvrdqEVOxZZxmW/+SZxtF16bTjm
Rux9sxGpExqFlZUXBwlNmeIL/sHQbESqplqO/nLaPsIXZm1oY7iyzYZmK+aD
3+11th6uhwyw2aiSs/CL3c3ddQYJ477B+05YuFTLyK9kL6jEK1T62Aqn+O3D
6LdUxn4aPWvx86318rtmo45fA9FX09BtQ5+wvEGQPU3m7R7CE1sJGrLu4j6A
d5h5yDJDfHXbKM+XVCdBbrYywMOKCOtblcK6L8YoMcoP47BSlIqBE25jirun
WrQnX01h1srV1R3D3sD8U7jkYN2mvER8Git40gP9Q+qH70gFQXnSIjlFxEnr
9Vugtt/ORtP5zR/fe+wdxj4yn1vxgx1bzCRxBq5ABvE/5XRavyBmlifoVnXs
9ms4d78w+7QoYoK+f6y6g9aK/vbRR0ln8I9gvhrUFaLncJpgjNJVJ+5H+t6y
xa/QwTo8+HmmJ4NsGB7+QvI3sEOI9BZ8iNArvAUUcqNXt183QlIuqWyIuhVV
2eDNJ1TZYg2RiA3Eb6XrTZKuQ2n73stoEchFyF7B097fawz6Zr/UiRqX7UP6
x0cTb8gvE+0WJhyD/n2TBHuldpfgh9TzA+JbbnA8IBoJlG1UvrXjdAP8KtpH
SaRSUeBNQ4ACmUlvCQGbJWRa/SbpyllOP7djZXbEbGKfM7Pa1R/XSzH6HUvD
UF3DlTLPIQWZFwJSyWZlRXGa8YSnA+UNMaroEilWFYO3dGwL3v6tUQKk9AvE
ESS1saYAPSheexnqz70PACP/1gjqjWAuBm9D1ML77Fa/WmK6dZNHwsvuzjqs
ajNW1A2Vy+4uKesmlT/Y8z+IIGtKyf11bQxS8ppCx5SyJGLCPnHlYnPMxR9V
VF0FF8nf7W3Fv6ugBv6ou96jEQMiersUo+Vvj8EEuCseevwnYkjiHQsAqjNb
Uu9wt/DvUvTWqpXzh9G662OYKhgeVQX3Vtn5Ar5zu97yz0QnH6QPglA8zWtV
t/DE9dhII/5hmQ1H2I/qRCUXVgd8+WS3h3K7mPTfZvOvmVcnIgrfrGxoYnMh
xngHZiaoDdpWQnXYFT71viz1CE1yFc0iRzUfNIKpqRPKrKFQJDgtM1GmFun9
F/KgUm5DtVhG9QX+KpU1Ypf1KKzomOcYKx3sTSbDli5CLrDSudJrcXSV7pQK
oEOrSIuRz32vVZEdSwUjXqpiZSpXqhxTD5K9igrFCfUg2Y+XmPd7Vu0P31U6
lB4kj+o7ZT1JzZSGUw4amfMD1bqYkV5j66wvlUpaB59fQaTtv6QOV7Gl9PRl
tXrc3xp6TuMyUYXQow53I15FxKXyd7Ez3r6MyDX10lH8sG1wCFU4H5gAI592
8unVTlscADb04z153LBRPV4lVtINUJBdcSa+UW7OFyorXq2m9Dker+k7eTWd
FLl79aYRVitSw866fdRs6I+A/S2Gw4ZuQ575ZhNrR1WPlTZNP6NXZ2ZXDS0D
598BQ25IpFswWdki33noXpgRmyd7O+5JIyzxONEJAfYaQfng/cNG7S5b0ZRx
fxPGBhoCRPMJZAVlSbsTXzDFjfokMx4PcRKDWcA1uitwjUa8xoqDlMNApfP8
0z/li6ux9Nb8GT/XOcRTusg/rchJhfB8kPPUHhbyfj2yTEYKkshMOV6/8DHO
owzXsd3KwE45gV2Bj7J0Ye1utPSvqWxSvIHkTI9tKHXmTrkwHe8RdqdWRweG
yqEvplwqAgeEHO4u44Z7vUD5ky/zF6X3JM9ubUVqdnGYpsD2cuq0AyxHYpoK
7L1c+M77kPikvY+IMnInk1TEVPoCitsZz0Gef550wJFs/f1XmF2Mbv1umw3L
ZJhLNULmQ1cgW1vr8qTZiJOr4lzBqRxi/DcCCo61H34jx8r2OlnaeP9QOoaG
kKt98KbZCIFVfEnLvAWlLiplwbs+3xBV6FM1iuGKopxvAKxo5crqi8C04bf5
U542OBuLfuSywoipoAu8zmr67hN8ub3OD5qNgA1SpW4NvR/8USNyBEd9bsJ7
lsCDasmJ/g0XtHzdXd4Ib6fNfduInfVkUAbX36Eo6mxQRm2nn+FdeyOsjuc8
6XBuxWTTlzmZHjfpng2sI/Y2p+JcKiH9yLhBE44Tq2IvIciPkrcrjQ6WwwTo
PurUjasj6tsyrI+65qq6klLflzF95NQDY26tSUnVUob1US5GS4xHH33dA/9U
X3x8IDn9rBG4cgyrIfrIcefb7lcZw9LLixX64ohrM9KLO8kTlaa2N+4k02g/
/vHlFEBffF7fTzqdZHvb3WFn3km1u7u5bh81G05i9qvZ2muUZGr8fnt/3T5p
NpTsaHlWIF6K8KAkz3bRv8xG1kjDdwNf+G+BXWmREo6NwH2wURYbQm772Erz
YAGLgUGYbn8VkT9KFX39ETqFHodhwksFlGRjA10xIFs6asBG0gOSoxmFp/fu
i1THC6hbkGmGqUo6ZiKyd9Nk7afN9qM377e2b5N2Qn/v3q41aB2s2gMRK5Mx
uGYTFdBr+xQm0145ld+17BdqYohm6DGrROBy4Oqx1CBvb2TN3uhvSecIWqeH
ciqW2qb517SW+UgdQXVVqyF+chtcDqS1aDV8RlaMB7RufGP+t/NvR3+kH/hN
u7e3s+CEZl83wsHVfPiQv9SPpAK9NiytkT7g9rLd5PQF/0RLun7AX6Pu6z6W
7S+txbe/VGV9B6EmdAhzO7olleuiSvQOa1Gv7jip7oXdIfiDhHI9iyV7RmnW
/Rr068gC2PtYr7dr+WCtlWx93VhOpMGHtug9WYhqwfSgKz2oIO2g8aCUqWD3
64Dq1R4PPlYlzIfbPrnHP8F3pvCOFB71MW7WrRH+quJm7qP/LJCYadnwx5Jv
NI83dDMZ3FDDG9JF6clG4jVS/Tm2qj+nB2VSGvU/XqLDvjXUZJ68fNF++eLH
v/7x30Bb/rekwwnRkzXoxpoqClgJVPQIih6pouiA2fCW6N9aCRaraGojiVds
N0qMd7hZ4veEBpjO5uaUM3JfHy3ktSXaxeL8PH9n2+di6XB6mepK/FnzynLw
YliFkfgg3m5DcbH6rpjJ2Vqts4+TbqO6u4+T7Ua0g4+TnUasi6bdve2HO40K
70w+6j3PDhH4zMDI9ZSFyZZf0J4OXwsgg9zJcEuz6aLQd0321TSd9y+jb5wC
mw51AXnNWe4Jt9uTS8MSqnelQgGh1Uiv6iOK96xtE/xyVW2Gk7QhGmUyy/4Y
K/pxhssEXc5mN1+r+REP4LousCbsvrXjgAuI+m+hROxLdsOG4hlEtI7JpkHO
nkhqSu+xvb0YTnpG3TLq9SzvLdCiddsIKDHZbMTXBq+NKhkDv/lbo5olxJlB
advfaY1quENkUk+BZZ5CRFX3y9M3jdjWSra6jWA/GVnE30bJo0Z09yRbW434
vknKL1SL242KbZJsWTbCm8FoM6WaaBMku9EXRDz2AkbWoD8H+Bhsa25OmSK6
zfpmncZs9YoXgNjYvy/AqF63+wdZ0Tca+bzqfUaGgPi7MYaJonAEV+rtmQTp
x7iZLv02u4nWeJGNIeAapJlqrus2GoyrmItUH6lvOpsMFv153bv2eTrKh/Hu
zDKKZo4zusVolM7iHy7GxbSAKNhBfHH4fWRhgEsERHJHZmEDH7r+E4/a/DeV
BwhnbnBsMB3ftNm5R4pA3oVaPvkFFPFZpLspV5+6XNQyEdLxO84Ase5kR/+u
2GuzeX6e+gQivZll5/GBr3AITq7HZJbUx6l9qGfP+qzSTGXDcgvVexzgF9TX
5qfMHA35jvMWObjIbOC/V03KF9FzgWZ8wx4jtk73vTyi1Wk2qjoJYTze4ZyO
L/xdo5bJfgZvbJ1RGXQF6bNK7oxInLWyZoStJzu2Gp+dJztKRC2z8WRn1zWv
2Heys2e3vLDtZGffYwNxdp3sPIyVQjad7NgjVbHnZNcedgEbTnbtvFr2m+x2
g2eW7Sa7dhIcu0123WwKm0127ag99prs7gXP3UTt7gc8kI/87S3XJotW226p
aasnGL1pyyGbS7ZtZ5GrKblLhS84yclycvfmb7aZi4sZ+MPo8gNAkADa1Q+H
ed9sY/3krqKyi36IimGaGyfbduYdP2ZLFT5Ih3R/x176+My/mbXCm+OuybZd
COKrybYlOMUrk21Lao5bqjkuLlMgVzsPUwbau/fEmH9pLx0P0OpQnhjkzsmO
k7rhgesO+LMV3lI5o7F9JJaCvzXsI/SFGw6RGdAZ4kaU9t+mFxmXyLw1NwzK
qxklXrx0t93F/ayeFFlmFqyY2CfBBIGQnME9oveRFpw3knZ3dw8uYBCnN5gg
fT4lO3ZT4bmU7NgdBSeTmreJ4CuFPR/ceyXhmmk0Ilib2EraoyvZCx7FxCIz
h5PFzBxLwH0zxMORg9V+dVepzB5+7uzwT7+VuuDkdqB7d5CyzaEtkZRKvr/K
0esyKkBIpHAogbqe3VX0woM52drVzNSWTJwsocN1QrkRevL1XbXNJFaTmZav
rQSgOXRM63PvuhEerc98xaU9MZP5tNL3FOdVpMd8TFUpnEy3zYxJddUyHPVM
31PZb4XpqBbKTEd1vcR21BCY7Xg7hxjP42TfcUpmPUojt8zHV8qF32h92XIE
NTAlnXTdM7fN1dgim4UlRtfjS3FkLFwAvNYF++BlW6vHcKGYyUc6UF+B7aar
ATZbpPf+vrMUTJs+2d51i+q2PV1mb4FvmfvA7f5k266f2/VJd9vtXLptYK0b
fI+qJy+UxwdmofqGMJdY22yx2BwiKlrt5wiw4b5sNsLVS7YeNmKL5bNWeVWp
9U6JWyo7LnJ+qfGOLNHRRrL1qESxkf6F6p5HI3dtXa0MeEDEF8JvH6a5uDEC
/QjBdUNjtaMF6OT7aiK5lc6r1u7Ye6KJZGu/USKB1fuMpiMVKO1RXK1xDITb
WgMFdeeuarZHf0nXDg7pLulaGma5qvuoER9luAvZqlayvMVOeamxZhvMJhPP
MNKMMgTooDvYcKqT7mYjOsVJ13J3mlp3gJCq2XUnmJsfe0pRh5KuYX+xEAn/
knqnEQuYSEo+Qf/1X/8FMHaH/bfjyfUwGyAOZNF4f7AYkzNyRhnCM47JLpLr
yWI4SIb5W8bRTsdvAyzoaTaZugSp+SwBzTa7RlxHOsDmiK8411DwB433798f
pbNh8hc4p/vZ7a3ZQebZ92AaKJLTon85Oc/G+YW8OJlnV9k4+TYz7fbfytN/
Sy+S1+koHcuD73KjzD43bd+kI1vIjGt0k7x88GQynlxcLmxjz/P+ZWoOgtfw
39mgmNhqnlym1+aE/mFh1HHbgylIibPku3woJU07+CabGXkiOQVYpNHk6hYR
rn/6X6jiZ28OknWEwWeUGwT7LBiMlYoMOgA8iACc5ompgeFVE7NKMI8NkvrB
mxPeYOpYAEMvikUGiKo//a/5ZDCBhl6YurOBbWpkimAmV1s9xLObKuRr4PuE
3z2fGbEom2Ft+MpUdxRWc4qFBklqFhBapZ9m55vC3rvG/wdhre23D5EDAA==

-->

</rfc>
