<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-wimse-identifier-03" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Workload Identifier">Workload Identifier</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-identifier-03"/>
    <author initials="Y." surname="Rosomakho" fullname="Yaroslav Rosomakho">
      <organization>Zscaler</organization>
      <address>
        <email>yaroslavros@gmail.com</email>
      </address>
    </author>
    <author initials="J." surname="Salowey" fullname="Joe Salowey">
      <organization>Palo Alto Networks</organization>
      <address>
        <email>joe@salowey.net</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area/>
    <workgroup>Workload Identity in Multi System Environments</workgroup>
    <keyword>workload</keyword>
    <keyword>identifier</keyword>
    <abstract>
      <?line 46?>

<t>This document defines a canonical identifier for workloads, referred to as the Workload Identifier. A Workload Identifier is a URI that uniquely identifies a workload within the context of a specific trust domain. This identifier can be embedded in Workload Identity Credentials, including X.509 certificates and JWT-based tokens, to support authentication, authorization, and policy enforcement across diverse systems. The Workload Identifier format ensures interoperability, facilitates secure identity federation, and enables consistent identity semantics.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ietf-wg-wimse.github.io/draft-ietf-wimse-identifier/draft-ietf-wimse-identifier.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-wimse-identifier/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Workload Identity in Multi System Environments  mailing list (<eref target="mailto:wimse@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/wimse/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/wimse/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-wg-wimse/draft-ietf-wimse-identifier"/>.</t>
    </note>
  </front>
  <middle>
    <?line 51?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>In modern distributed systems, workloads such as services, applications, or containerized tasks require cryptographically verifiable identities to support secure communication, access control, and auditability. As systems scale across trust domains, administrative boundaries, and heterogeneous platforms, the need for a consistent and interoperable identifier format becomes critical.</t>
      <t>This document defines the Workload Identifier, a URI-based <xref target="URI"/> identifier intended to uniquely represent a workload within the context of an issuing authority. The identifier is designed to be stable, globally unique within a given trust domain, and suitable for use in digital credentials such as X.509 certificates , JSON Web Tokens (JWTs, <xref target="JWT"/>), and other security artifacts.</t>
      <t>The Workload Identifier format is simple yet expressive. It enables organizations to define trust boundaries, delegate identity management, and identify workload instances and logical workloads in a uniform way across service meshes, cloud environments, and on-premises infrastructure. This specification defines the Workload Identifier used by the Workload Identity in Multi-System Environments (WIMSE) architecture <xref target="ARCH"/>. The format is defined in a general manner so that it can also be used by other systems that require stable, URI-based workload identities.</t>
      <t>The primary goals of this specification are:</t>
      <ul spacing="normal">
        <li>
          <t>To define the syntax and semantics of a Workload Identifier.</t>
        </li>
        <li>
          <t>To establish requirements for issuers and consumers of such identifiers.</t>
        </li>
        <li>
          <t>To promote interoperability across different identity systems and domains.</t>
        </li>
      </ul>
      <t>This document does not prescribe how identifiers are issued or verified. Instead, it focuses on the identifier’s format, uniqueness guarantees, and its relationship to trust domains.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The following terms are used throughout this document:</t>
      <dl>
        <dt>Workload:</dt>
        <dd>
          <t>Software executing for a specific purpose, potentially comprising one or more running instances. This may include microservices, containers, virtual machines, serverless functions, or similar components that initiate or receive network communications.</t>
        </dd>
        <dt>Workload Identifier:</dt>
        <dd>
          <t>A URI-based identifier assigned to a workload. A Workload Identifier <bcp14>MAY</bcp14> refer to a logical workload consisting of multiple instances, or to a specific workload instance, depending on the policy of the trust domain. The identifier is intended to be included in Workload Identity Credentials and interpreted as a complete URI according to the applicable URI scheme and policy of the trust domain.</t>
        </dd>
        <dt>Trust Domain:</dt>
        <dd>
          <t>A logical grouping of systems that share a common set of security controls and policies. A trust domain establishes its own rules for identity issuance, validation, and policy enforcement.</t>
        </dd>
        <dt>Issuer:</dt>
        <dd>
          <t>An entity authorized by a trust domain to assign Workload Identifiers.</t>
        </dd>
        <dt>Consumer:</dt>
        <dd>
          <t>An entity that evaluates, verifies or uses a Workload Identifier for authentication, authorization, or auditing purposes, typically after obtaining it from a validated Workload Identity Credential. This includes relying parties, verifiers, and policy enforcement points.</t>
        </dd>
      </dl>
    </section>
    <section anchor="workload-identifier-specification">
      <name>Workload Identifier Specification</name>
      <t>A Workload Identifier is a URI <xref target="URI"/> that uniquely identifies a workload. It encodes both the trust domain and a workload-specific path, enabling unambiguous identification of workloads across administrative and organizational boundaries.</t>
      <t>The identifier is designed to be stable and suitable for inclusion in digital credentials such as X.509 certificates and security tokens. This section defines the format, structure, and associated requirements for Workload Identifiers.</t>
      <section anchor="uri-requirements">
        <name> URI Requirements</name>
        <t>A Workload Identifier <bcp14>MUST</bcp14> be an absolute URI, as defined in <xref section="4.3" sectionFormat="of" target="URI"/>. In addition the URI <bcp14>MUST</bcp14> include a non-empty authority component that identifies the trust domain within which the identifier is scoped.</t>
        <t>The scheme and scheme-specific syntax are not defined by this specification. The URI format allows different schemes (e.g., <tt>spiffe</tt> as defined in <xref target="SPIFFE-ID"/>, <tt>wimse</tt> defined in <xref target="wimse-scheme"/>) depending on deployment requirements.  Example identifiers:</t>
        <artwork><![CDATA[
spiffe://incubation.example.org/ns/experimental/analytics/ingest
wimse://trust.corp.example.com/workload/af3e86cb-7013-4e33-b717-11c4edd25679
]]></artwork>
        <t>A Workload Identifier URI <bcp14>MUST NOT</bcp14> contain a query component, a fragment component, user information, or a port component.</t>
        <t>Implementations that generate, parse, or otherwise process Workload Identifiers <bcp14>MUST</bcp14> support identifiers with a total length of at least 2048 bytes. Workload Identifiers <bcp14>SHOULD NOT</bcp14> exceed 2048 bytes in length.</t>
        <t>Individual Workload Identifier schemes <bcp14>MAY</bcp14> define additional syntax or processing requirements, provided they do not conflict with the requirements defined in this document.</t>
      </section>
      <section anchor="scheme-specific-portion">
        <name>Scheme Specific Portion</name>
        <t>This specification does not define additional structure or semantics for the Workload Identifier beyond the generic URI syntax and the trust domain carried in the authority component. Trust domains are opaque strings formatted according to <xref section="3.2.2" sectionFormat="of" target="URI"/>. A particular scheme may define additional semantics and constraints for the trust domain. The same trust domain may have different meaning within different schemes.
The structure of path component can be constrained by the scheme. Its contents are deployment-specific and are interpreted according to the scheme, policy of the trust domain, as implemented by the issuer or issuers authorized for that trust domain.
The issuer defines the granularity at which identities are assigned.</t>
        <t>A Workload Identifier <bcp14>MAY</bcp14> represent a specific workload instance, or a logical workload consisting of multiple instances that share the same identity within the trust domain.</t>
        <t>Multiple instances <bcp14>MAY</bcp14> share the same Workload Identifier when they are intended to be treated as the same workload for the purpose of authentication, authorization, and auditing.</t>
        <t>The path component of the URI <bcp14>MAY</bcp14> be an opaque value that is only meaningful to the issuing authority, or it <bcp14>MAY</bcp14> encode structured information used within the trust domain.</t>
        <t>Some examples of these concepts are given below:</t>
        <ul spacing="normal">
          <li>
            <t>Opaque identifier</t>
          </li>
        </ul>
        <artwork><![CDATA[
spiffe://prod.trust.domain/89a6ec51-f877-44c0-9501-b213597f2d1d
]]></artwork>
        <ul spacing="normal">
          <li>
            <t>Application role</t>
          </li>
        </ul>
        <artwork><![CDATA[
spiffe://prod.trust.domain/ns/prod-01/sa/foo-service
]]></artwork>
        <ul spacing="normal">
          <li>
            <t>Specific instance of application role</t>
          </li>
        </ul>
        <artwork><![CDATA[
spiffe://prod.trust.domain/ns/prod-01/sa/foo-service/iid-1f814646-87b5-4e26-bb55-1d13caccdd8d
]]></artwork>
        <ul spacing="normal">
          <li>
            <t>Specific code for an application role</t>
          </li>
        </ul>
        <artwork><![CDATA[
spiffe://prod.trust.domain/foo-service/sha256/c4dbb1a06030e142cb0ed4be61421967618289a19c0c7760bdd745ac67779ca7
]]></artwork>
        <t>Other concepts may be represented in the Workload Identifier depending on what is important in the system and what information is available when the identity is issued. The path component is interpreted according to the policy of the trust domain, subject to any syntax or semantic constraints defined by the URI scheme.</t>
      </section>
      <section anchor="trust-domain-association">
        <name>Trust Domain Association</name>
        <t>The authority component of the URI defines the trust domain which is responsible for issuing, validating, and managing Workload Identifiers within its scope.  The trust domain <bcp14>SHOULD</bcp14> be a fully qualified domain name belonging to the organization defining the trust domain to help provide uniqueness for the trust domain identifier. While IP addresses are allowed as host names in the URI encoding rules, they <bcp14>MUST NOT</bcp14> be used to represent trust domains except in the case where they are needed for compatibility with legacy naming schemes.</t>
        <t>Workload Identifiers are interpreted as URIs, including the trust domain carried in the authority component. The identifier denotes the workload identity at the granularity assigned by the issuing trust domain, which may correspond to a service, workload class, deployment, individual workload instance, or another deployment-defined concept. Consumers <bcp14>MUST</bcp14> compare and authorize Workload Identifiers using the complete URI, rather than relying only on individual components such as the path.</t>
        <t>Issuers within a trust domain <bcp14>MUST</bcp14> ensure uniqueness of all Workload Identifiers they assign.</t>
      </section>
      <section anchor="wimse-scheme">
        <name>The "wimse" URI Scheme</name>
        <t>A Workload Identifier using the <tt>wimse</tt> scheme has the generic form:</t>
        <artwork><![CDATA[
wimse://<trust-domain>/<path>
]]></artwork>
        <t>The URI <bcp14>MUST</bcp14> satisfy all requirements defined in <xref target="uri-requirements"/>.</t>
        <t>The structure of the path component is deployment-specific and is not interpreted by this specification.</t>
        <t>Examples:</t>
        <artwork><![CDATA[
wimse://trust.example.com/service/payment
wimse://trust.example.com/service/payment/instance/1234
wimse://prod.corp.example/workload/89a6ec51-f877-44c0-9501-b213597f2d1d
]]></artwork>
      </section>
      <section anchor="stability-and-uniqueness">
        <name>Stability and Uniqueness</name>
        <t>Workload Identifiers are intended to be stable over time. An identifier assigned to a workload <bcp14>SHOULD NOT</bcp14> be reassigned to a different workload unless explicitly intended by the policies of the trust domain. Multiple workload instances <bcp14>MAY</bcp14> share the same Workload Identifier when they represent the same logical workload within the trust domain.</t>
      </section>
      <section anchor="workload-identifier-origin">
        <name>Workload Identifier Origin</name>
        <t>A Workload Identifier Origin is a specification of a namespace under which a Workload Identifier is meaningful for a given use case. An origin consists of the URI scheme and trust domain components of a Workload Identifier, omitting the path component.</t>
        <t>Workload Identifier Origins serve as hints about the set of identifiers an entity may present in a particular protocol instance or usage context without revealing specific identifier.</t>
        <t>Examples of Workload Identifier Origins:</t>
        <artwork><![CDATA[
spiffe://prod.trust.domain
wimse://trust.corp.example.com
]]></artwork>
      </section>
    </section>
    <section anchor="identifier-interpretation-and-mapping">
      <name>Identifier Interpretation and Mapping</name>
      <t>Workload Identifiers are carried in credentials and tokens and are used for authentication, authorization, and auditing. However, the identifier itself does not define how a workload is reached over the network.</t>
      <t>In many deployments, workloads are accessed using external handles such as DNS names, service names, load balancer addresses, or routing paths. These handles are deployment-specific and do not necessarily match the Workload Identifier presented in credentials.</t>
      <t>To enable correct authentication decisions, implementations <bcp14>MUST</bcp14> support a deployment-defined mapping between the external handle used to access a workload and the Workload Identifier expected for that workload.</t>
      <t>This mapping is outside the scope of this specification and <bcp14>MAY</bcp14> be provided by configuration, service discovery systems, orchestration platforms, or other local policy mechanisms.</t>
      <t>Consumers <bcp14>MUST NOT</bcp14> assume that the Workload Identifier can be derived from network-layer information such as IP address, DNS name, or request path without such mapping.</t>
      <t>Deployments using Workload Identifiers with the WIMSE credential formats defined in <xref target="WIMSE-CREDENTIALS"/> <bcp14>MUST</bcp14> ensure that a consistent mapping exists between workload access handles and the Workload Identifiers contained in credentials.</t>
    </section>
    <section anchor="usage-in-credentials-and-tokens">
      <name>Usage in Credentials and Tokens</name>
      <t>Workload Identifiers are designed to be embedded in cryptographic credentials and security tokens that are used to assert the identity of workloads during authentication, authorization, and auditing. The representation of Workload Identifiers in WIMSE credentials formats is defined in <xref target="WIMSE-CREDENTIALS"/>.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>A Workload Identifier is intended to be used as a stable identifier for a workload identity. It is not, by itself, verifiable; instead, it can be carried in cryptographic credentials, such as X.509 certificates (<xref section="4.1" sectionFormat="of" target="WIMSE-CREDENTIALS"/>) or JWTs (<xref section="3.1" sectionFormat="of" target="WIMSE-CREDENTIALS"/>), that bind the identifier to key material. Because such credentials rely on correct interpretation of the Workload Identifier, identifiers need to be protected against spoofing, ambiguity, and misinterpretation. This section outlines security considerations for issuers, consumers, and system designers.</t>
      <section anchor="uri-parsing-and-processing-considerations">
        <name>URI Parsing and Processing Considerations</name>
        <t>Workload Identifiers are encoded as URIs and therefore rely on correct and secure URI parsing. Implementations <bcp14>MUST</bcp14> apply a standards-compliant URI parser.</t>
        <t>Incorrect URI parsing can result in misinterpretation of identifier components, security policy bypass, or inconsistent trust domain evaluation across implementations.</t>
        <t>Implementations <bcp14>MUST</bcp14> enforce the URI requirements defined in this document, including the absence of query, fragment, user information, and port components. Failure to validate these constraints may allow identifiers to carry unintended or ambiguous semantics.</t>
        <t>Implementations <bcp14>MUST</bcp14> also take care to handle Workload Identifiers of the maximum supported length without causing excessive memory allocation, resource exhaustion, or denial-of-service conditions. Parsers <bcp14>SHOULD</bcp14> impose reasonable internal limits and reject identifiers that exceed implementation-defined constraints, consistent with the length requirements in this document.</t>
      </section>
      <section anchor="identifier-authenticity">
        <name>Identifier Authenticity</name>
        <t>Workload Identifiers <bcp14>MUST</bcp14> only be considered authenticated when presented in a credential or token that has been cryptographically verified. An identifier received outside such a context, such as a plaintext string in a request, <bcp14>MUST NOT</bcp14> be treated as authenticated.</t>
        <t>Consumers <bcp14>MUST</bcp14> treat a Workload Identifier as authenticated only when it is obtained from a credential or token that has been successfully validated according to the rules of the credential format and the deployment policy.</t>
        <t>Validation requirements for credentials carrying Workload Identifiers are defined in <xref target="WIMSE-CREDENTIALS"/> and in the protocols that use those credentials.</t>
      </section>
      <section anchor="trust-domain-validation">
        <name>Trust Domain Validation</name>
        <t>Consumers <bcp14>MUST</bcp14> validate that the trust domain in the Workload Identifier matches an expected or explicitly trusted domain. Failure to do so may allow identifiers from unauthorized domains to be accepted as legitimate.</t>
        <t>Where appropriate, consumers should maintain an allowlist of trusted domains or trusted issuing authorities.</t>
      </section>
      <section anchor="identifier-reuse-and-collision">
        <name>Identifier Reuse and Collision</name>
        <t>Issuers <bcp14>SHOULD</bcp14> ensure that Workload Identifiers are not reused across different workloads unless such reuse is intentional and well-scoped. Reassignment of identifiers to unrelated entities can result in privilege escalation or confusion in audit trails.</t>
        <t>Consumers <bcp14>SHOULD</bcp14> assume that identifiers are permanent within their domain of interpretation and treat unexpected reuse with suspicion.</t>
      </section>
      <section anchor="information-disclosure">
        <name>Information Disclosure</name>
        <t>Because Workload Identifiers may encode topological or semantic information, they may inadvertently reveal deployment details. Issuers and system designers should take care not to expose sensitive naming conventions in externally visible identifiers.</t>
        <t>Descriptive identifier paths are allowed and may be useful for auditing, authorization, and operations. However, deployments that use descriptive paths should evaluate the information disclosure trade-offs and avoid exposing details that are not intended to be visible to relying parties.</t>
      </section>
      <section anchor="wildcard-and-prefix-matching">
        <name>Wildcard and Prefix Matching</name>
        <t>Consumers <bcp14>SHOULD NOT</bcp14> interpret Workload Identifiers using wildcard or prefix matching unless explicitly specified by policy. For example, treating all identifiers under prefix of <tt>spiffe://example.org/ns/db/</tt> as equivalent may lead to incorrect authorization.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="uri-scheme-registration">
        <name>URI Scheme Registration</name>
        <t>IANA is requested to register the "wimse" scheme to the "URI Schemes" registry <xref target="IANA-URISCHEMES"/>:</t>
        <dl>
          <dt>Scheme name:</dt>
          <dd>
            <t>wimse</t>
          </dd>
          <dt>Status:</dt>
          <dd>
            <t>permanent</t>
          </dd>
          <dt>Applications/protocols that use this scheme name:</dt>
          <dd>
            <t>any application and protocol interacting with workload identifiers.</t>
          </dd>
          <dt>Contact:</dt>
          <dd>
            <t>IETF Chair chair@ietf.org</t>
          </dd>
          <dt>Change controller:</dt>
          <dd>
            <t>IESG iesg@ietf.org</t>
          </dd>
        </dl>
        <t>References:</t>
        <t><xref target="wimse-scheme"/> of this document.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="URI">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="WIMSE-CREDENTIALS">
          <front>
            <title>WIMSE Workload Credentials</title>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <date day="2" month="July" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones up to complex multi-service, multi-cloud, multi-
   tenant deployments.

   This document defines the credentials that workloads use to represent
   their identity.  They can be used in various protocols to
   authenticate workloads to each other.  To use these credentials,
   workloads must provide proof of possession of the associated private
   key material, which is covered in other documents.  This document
   focuses on the credentials alone, independent of the proof-of-
   possession mechanism.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-workload-creds-02"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="SPIFFE-ID" target="https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md">
          <front>
            <title>The SPIFFE Identity and Verifiable Identity Document</title>
            <author>
              <organization/>
            </author>
            <date year="2025" month="January"/>
          </front>
        </reference>
        <reference anchor="JWT">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7519"/>
          <seriesInfo name="DOI" value="10.17487/RFC7519"/>
        </reference>
        <reference anchor="ARCH">
          <front>
            <title>Workload Identity in a Multi System Environment (WIMSE) Architecture</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The increasing prevalence of cloud computing and micro service
   architectures has led to the rise of complex software functions being
   built and deployed as workloads, where a workload is defined as
   software executing for a specific purpose, potentially comprising one
   or more running instances.  This document discusses an architecture
   for designing and standardizing protocols and payloads for conveying
   workload identity and security context information.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-arch-07"/>
        </reference>
        <reference anchor="IANA-URISCHEMES" target="https://www.iana.org/assignments/uri-schemes">
          <front>
            <title>Uniform Resource Identifier (URI) Schemes</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
      </references>
    </references>
    <?line 316?>

<section anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>Authors would like to thank Evan Gilman for his review of the initial text of this document and his guidance.</t>
    </section>
    <section anchor="changelog">
      <name>Changelog</name>
      <t><strong>RFC Editor's Note:</strong>  Please remove this section prior to publication of a final version of this document.</t>
      <section anchor="since-draft-ietf-wimse-identifier-00">
        <name>since draft-ietf-wimse-identifier-00</name>
        <ul spacing="normal">
          <li>
            <t>Defined Workload Identifier Scope</t>
          </li>
          <li>
            <t>Replaced specifics of usage in credentials and tokens with a reference to s2s-creds draft</t>
          </li>
          <li>
            <t>Added URI requirements</t>
          </li>
        </ul>
      </section>
      <section anchor="since-draft-ietf-wimse-identifier-01">
        <name>since draft-ietf-wimse-identifier-01</name>
        <ul spacing="normal">
          <li>
            <t>Changed the term "Scope" to "Origin"</t>
          </li>
          <li>
            <t>Added wimse URI scheme definition</t>
          </li>
          <li>
            <t>Added more alignement and reduced overlap with draft-ietf-wimse-workload-creds</t>
          </li>
          <li>
            <t>Clarified separation of specific workload instances and logical workloads</t>
          </li>
        </ul>
      </section>
      <section anchor="since-draft-ietf-wimse-identifier-02">
        <name>since draft-ietf-wimse-identifier-02</name>
        <ul spacing="normal">
          <li>
            <t>Soften Information Disclosure considerations</t>
          </li>
          <li>
            <t>Clarified various definitions</t>
          </li>
          <li>
            <t>Synced up terminology with other documents</t>
          </li>
        </ul>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA61c63LbRpb+z6fokX9s4iIpUZIlW5vLKJI8USq+rCRPNru1
VWkATRIjEI2gAckclVL7GvtvnmUeZZ9kz62BBgjKTmr/2CQI9OVcvvOd0wea
TCajKq0yc6J2frLlbWZ1oi4Tk1fpPDXlzkhHUWnutv0a68osbLk+Ua5KRqPE
xrlewVhJqefVJDXVfHKfrpyZpM1Dk72DkaujVepcavNqXcDtlxc3r5V6pnTm
LEyV5okpTI6P7IzVjknSypapzvDL5el38J8t4dPVzeudUV6vIlOejBJYycko
trkzuavdiarK2oxg4QcjXRoNo+6M7mELi9LWxeZ2qrVKc/WmzqpUXa9dZVbq
Ir9LS5uv4Ge3M7o1a3g8ORmpibqXZ/Fzu7HRnclrWINSf3QOpVgcO/hxpdMM
PpL4/oySnNpygT/oMl7CD8uqKtzJ7i7eh5fSOzP1t+3ihd2otPfO7NIIu/jk
Iq2WdYQCJsUsWDe7TygLn8pAsq4KZuw8PeVBp6l9apynfpsuq1W2Mxrpulra
EgUMkyoQFSjx56m6ss6u9O3S0lU2r591aV2m73o/ws51nv5dV2BYJ+o/XKwz
UAv+Yliaa3kO/v3zAi9NY7vqTPjDVF3rzN6bdTDdD9Z0rnbneQ+/qNOssuqt
qdA0XDjl36z5s+Nnp7mpRqPclit48g4sZZTm8/abUtfvL1+/vphcnp/QCN4v
b5ZGfmoNSeeJ+qspQYA6ykx7/dzGNVrTDo+gy4UB1XnNia5g07uuSOdz4/+L
MhuhJeW7roKhdZm43WY101VCo5GLqR90Xutyrfb39l+MRqPJZKJ05KpSx7C5
m2XqVCJrUImZp7lxSqtY5zZPQR+BvyjYe+NKbqxKMzdlaRIFktROVbDrAcyZ
qtOhyyrFaT5cXcJzulJ1nv5am2zdToc/+8nUPcgBXBGnAMSozMdK2Tnc4AoT
w80xgoeD9VsUyVTRroKFw25UZEDDkUkSWDAMtenqZ7AV/AiYNoY74qxO0nyh
/n36Yu+Vik2JYyF8OtLlDz/dTCLtaPe3gGBjlIKri8KWlULPwKFisrixYk8R
AxzT84XN0nitDBpUbEj6OgYzB22AcZXOKEeI43A3g4JVbIoK4bOEVaUgl9IW
ptRRmsGGxmquY/xEa3YmhrtEKLDbOWy2DNZjcrRLh+J1KUwM62nudeAauBs3
FftZpUmSmdHombrMq9ImdYwDjUaXuVpZGDeHTYCFpVFdgYBkI+PWdkBQ8RJt
xpnyLo0N/KaLIhN5OQoXqGdQJrjM31HI2t06sLhf6xR2EZfrorKLUhdLtFEw
m7vWtWTZaEGBSmT/4EmrOm8VE8PktGnYRsaS0KD3SmQIxuv8+hXBk9dSaHC4
/GSV5rhnwgYV2RqdMqWdwZhLg7pZmNzY2qkCEBqVh0YDus0NbBB9S4fSx8cC
lTYbC1UfGdgPKq1M0diy6TaH3uKbY3ZBMeSHhz/Bl6+vXp8dvHp59PgYTogr
yRP29cZXS1OA4dFiP+mqOTi8q9GhxBlQuGjZaQcSEuPSRc7zgMcCuMHOx2oB
cEd65rn9JBoiJATxjjJY4DAVPUpyrcGbUrRJgFNAtLh19MYQB7x8rH64fvdW
/WQidUMurr4ApwedPTx8Cx9QTscvZq8eH7/kKS1suWQ7I8DHoQBjHSnlSQ+G
fbt0VcBq1wb8+SNK1SE9UJdV45hhDCPLZt3K3kODS0xmFrCF1oHBffWCQIaX
KjJft1oDI4Y4Egu4ZXZB2N86LAkbhI8rVvd67d1AHFiBFS5x7jizNYJJy5JE
OPkEdgUckoBqXmpwFUANcElBa4/ktL9P2S1qNFHReuj3gLRNBkib+uKnyzfX
F18SK0srQ2tAlZ5enX3/9eXkfBpwHrzn8ZHttNUVLy5hmaBPlyAqEHGO6rcc
z9KKgg7yY7Rjv16xEQEUutNjmjf11h9b5TSIJrZUlOkKQ/rCog2De1WbIgQS
DYRlArbbWMoSgwqg6kd2EY/qHEqHQjc/bmhpqVv6tbIg0bPQpyFY0XiIXYA6
JY1HftW6tpOhitKuLFpmL1a1sQ/ITdkNPiIsnELgdhPmLNhKbiuFngNgCBJf
2vtwfhQHrzbB4MLhwiTgYWD4Ridj1NgcxkMDtQxf7eP/+9//48QAxgJBOcaN
BRArkKHxMJ9WGKMy9tFlWqCbdgLFFGPmmc3vcGT0Y3zqHNWT0ndWL6QuqHxw
u503H65vMIvC/9Xbd/T56uLfPlxeXZzj5+vvT3/8sfkwkjuuv3/34cfz9lP7
5Nm7N28u3p7zw3BVdS6Ndt6c/rzDe9l59/7m8t3b0x93FMF5KG8UJgM0KRKk
jnFeu1Ei4ifn+O7s/T//MTvEuAJYuT9DrJQvL2fHh/DlHliSxwcAd/4Kol+P
gA4YXZKLZYDYukDkRimDmYNqc4ioAB2j0fP/RMn814n6KoqL2eE3cgE33Lno
Zda5SDLbvLLxMAtx4NLANI00O9d7ku6u9/Tnzncv9+DiV99m6MCT2ctvvwEK
BjZ0Y0ogHBaAes02M7cZ5CwYX0EhK7Z3Qp1qCcntYmnrqqtEAAfv8vDxRF3b
eXWPT5mPEMIqHIk5ScOxi7osrAOIKmzF8RN0BgQE0Mjh7RaWCE+sLAxS1nmO
15q4IjC/0mvh1hAzUnT6hgE2hA8+A15XNaEqgHSOv+J9pszQ6+Z1Hrc8ESIn
5tO0EFgBIhMjMLoURkG4pzSxQVqWc77XZYHolAPgR0I5DeA4ICratSylpT7b
Mh1QMOdKfHs/uHrSRyKcqxVGLuQCjehom/Roo4qNuI1RHyswrAeCL8kwKDqY
jQSpT7xCgkd+TTr6dKrU8tQGBYjHIp0B4WOCByQbwIxM09JahOsjPcPfXbyE
kBJmRUNrBjOnr+f0VbTjZUkFHBFgJ7q6JZo0LWgFcnGG2GhD0oT4u3ZyDLIw
cDh1GwCRvIB9If6UNZIyioEN7YDwwrq401maPJnswXYuKXbyRmAOKRNIpsh0
QXfXQXk2Wt6QmaEZn0kI7g1KkjCwqBqJ7dhHP+SUigLeYPRn9386k6U7IF1C
0Qs8YFKzLiQt03MwDGUjdGyCAwiyQAFgQhER7PMp8/KpPFsjBdc1zYXsOthK
6bZm1YUF6+TAO7TJ65A0jUafqFU8PMC/ELg+o2Yh5D22uO4IiN+GSXO22Tww
aYFWV8sxE3/cbJ3rVZQuakwd/VRC8sCWW44uHKqXilJ0DXIH8JY2WRA++Rk5
2GZWRUrBkvAfyK2Yf4oTcgHF5wEm3sgAPPNqcgZJ1J2zcUo2tEFMtzjIs2f/
/Afq8Sq8/+EZrGMSDvG4zRCIW0QoDKyh2axmiCNeEqQFDw/Xso3D6QEqiawG
ySZoJyGqRxvDpdCQPiRqYLH5xKyKFgqqdRvaJLK15rZhUpIY3y/TeNkjsZRm
xkC6E9F6gLv8sbVAnyYAdiKt9lujjKufaXA0wa1IiqSRiYRcnkeH1MtMF9Ox
+oVrmL9sCs0XMB8f4S5KwX7p3sFpGY8HiXc36MGXzK7J6UNlTpW6+KgpvQ4S
AoDI3377bcRLwRp5HtcR78fw3VSXz90u5OMAMjiUznYhkc7WmDTBAwuICyNa
ETxPWphCoCua57Fq671zV88PzMujOJoc780OJofm4GASHc+OJ7NZfGiSZP/F
0fErWtEWy2tMBamkUCUwFwCgMjAQLOhAcr0gIQRXAeXRYaV47ZFbUWWsuQ1j
Ei6ctiplBrQ3TnErJH66RP4Hz1Iiew/pPKZ0VEMb8jhesS/BhekY2imGN4ug
kZl8AV8xDa3giwZz3t87fAnmVmE0Hhy5JeBAWGOsoLWPoK3wmLglsI+7NEE2
OSRXb5tI0iRP9i4KT4gfwIZlm2hqoXGN8QcYnog2pG2JJYcBBc0hElW8T/TD
DkIFNt3h5IRQ6pr90kcm9R6ER8FpqFDiM9+BtXu0JJbcJPuIjtvKKpFZ25x2
wkqHyYmgtUWDDcCJdQmBRLZihkAL8CFMgQlUbKGxjIc14nzhU2tijyFXbGH0
YLo/3Q+A9JQZQFwj8xccw9RiQArNxn2NAgJj6sPEMDN2etXbJY691BBNW1Bb
GU2URhB3A+2mjLGtEuYU1wMwl1OJZk1tSYuHQAbBtWkyGpRbC3EtVlMoLHup
eJ9y84jjJwg2xbDU+3+7Fi7xqLDY03JUliF4bZeq37TPhXF8UeocNUZEt5Ig
FZTriapLajXdGoIpm2oLz0/lRARyvzvfCjOHyptDw/KD+nYvP3mzORIutjfQ
0J6w8MH44RUZpGJVabQkVs0gzV68EQv5Jgz99OGT5+y+nNi1SzEOijiwfqY7
4rGYRBihIY6rNuII8zrzxrZR6SdNAPfH4ZgSt46RhHGJSxbbRXxtV1igoPgq
hU+wA9RobArxET4SiAyQEAjyz9U7Xnlw7t+N/ADgyZTDN8+z+/KVPjLxi9lk
/vL4eHJ4GO9NXr3Ym02i/dnBi1fH8/1klnCsfq5O23MrBZmk+eTgwCjw4mRv
tuv07tzaiZRA/IgN7nszIqX+v02zm6bJZDZ/OTs8OjyavDyOXgAb2T+aRNGL
F5NZMjuIATyS5GWysR7SGyWF+e9fT7gC8AjgO7vxYRJFM713tHewZ2aH+3G0
Z5LDyBzB59mro+Oj2ct9UMXsVbwXHx8f7UVJcnz4QsdHx8fHr2J9zAt8RyX1
xgIQqSPTIkQbmoYcr8Mf78WqAQQh4mosQudSNKdjBPQcvicwWEwN77CjA9Mi
78dhTUCqzhxZep4mdZetqP0UWrs6+htERyoK5OuAqfiI1wl2HQYfll2YcoSl
FXUqeZVwjsGgHoJECPHdZIQBHtN2VyDoNqkjA0RbKMHPKF46qEIBDHI+wQUs
wVAiA8z+pj+n8EIELQWQBPj0K1A/Kvb7W7BHhPAhXwSyDnNk3hL92B8f7l6a
rPC0LzwNGCIUAewAkV2m2PrxHvkJHvH5kIf5EgP80sKTuD7nbQ8FTJBJzBOL
Tlwhb5MBf7wEK2vjYufUgRhy0ZhzrB2ZKkcljjl4Bi3xHHUMUpCDGSKweJ4I
dggLw1U0BGeobOo2uYjDTXR6Kv4Yi+xms/DJVmJ1/ZMyohcbjMMXbQNiQ4vp
uBXbLKII+CLbrZR5Bb3GAZHIYMxxQMpwj022sYWP5HwGGDA575uCYVN11pyk
kZJJIaWRyC3ca9hDaufFG1ZgxwrSN5wU4nbe1NAoeFP1pllyUEP3xZtKUKsp
WLr28L2jQloq96KEToGxKxtMvZxYH6lFYAgm4wa6HTJ8yYQennXy/m3MsN28
rx1IZrCUfficBtFb8n+fvn9Fe5nwXr7Z/Qq3/A0HGF/d4FwWPMPN17SnbSnd
w8NGPenRl1zCdKAaDAjbKH7KeV7oWcPlmNFIyh2ut0eOx2F1wgfkQtOEn3/n
rrfp3dn+wWHzHIX9sAbS1j8+n1NhBlw158Kw8w+NNX0CcQLSLEVLe4dWn2Iu
dZp/+gQnrCoQieje1uZ4zQN1TkdS5iPSobTCYrBfiMCMP1UYPohpcoaBTozf
nTwE8O8f2Eh+tnPrZ8MF8ndlCmFym8/xr1wg71YmqKmAQlmhY4SEhNaK6Dp8
3ICng20qwWePzOWxfweDFinR8oySxLmQiAQFzW50aWFtW6sDYPMqrSoPIF23
HI50snfugTEUvYlq6YjPWo0/beq0ITSHMhhivLoITYOKBvhRZWObBSkAwpte
tD1VqEecpzR3RtMxQYMWAeVosQAX8sQm+uXQDQL/iUKnuG448qVHKulHAa28
gbQBlvqEGwdEIO4dMvIxQVPuIM7zGUdUnXxXfQ9M6w7V3a+NV85k841yGnaR
BPBAVFaDlSWCLMvmTHnK3Y9IxVsE7/Q8UginfkN4nGMVKNKUWKWCuJygknzU
PX97zb4zbjqs5CutI9IZWkXZEkniFqXlc3u0Xu4bdaYZ+qnykVQtc4OrA7aE
Wb2u5ARhyGo6yVWgKAxzVlrWmEDF/W5YWEScOj6+T3vl5k65WA9xpBVbEKBz
dW8k2epJsWHD0twZ6M9XMIe2hGX+uAprWs1JnlRe/dxY+Kgrh+yfS2uQimxr
wkKj5xpKUyeO6Nh5ni5q33/rVZykMNYdFvSblllbgrXxWR4MFzSO+ho8GATi
u2SKKxODEFK3Ck+DXZsrQDyrV1K/2SYIKUsCXAP4JnxeK0Y+yfS6e5DQWGyb
1Ywb62WjBB4EO2BI9ahFT4k8YaXnrceIZ2zN/3jZ2MIX2J0UkHss7E902+Ts
6uL84u3N5emP1/3+vuboFYcCltYhsSSkTkuuNwDzkSKPt8HWvNjgGo/bbm2u
6XYZ8KBn6gNBPfzQb7TgRtQn8LN3dht2vHeapjfQtXcaK7svA28CmCmrbnWj
c/yc1KUv+n02HN8sg1JNwxsGd4eNKD21u0bvaU/1G5onBg7E0u8SfSP1HfDu
iXP/Hq8kaVCLizDM3usRejMXpUYAZu9jdH4ONeOgZf1fKc77LkR/LBBGwi2a
Gz91xv5FeAo9I7luSuVLdFFsaw5vP9h++5gNI0rFtoPtg4CwcRH0YUpq3fjO
xBqpG60x1BpmoJh5+gCRdpmCMLpBlhZyKeqbZ7UgYWL01guseADCFNbOua5E
zRNUhaYSEzarhfP1Gg8AnjIqZ4VNQoGthH2v47bpVdrOuVIoXigtB8RN3+uS
gA3vet+eJfbtcKtjc9m8qaZ4cCnNnNrtehJtPJqJccGTgyUOBVys5a7ZovlN
ogkVD1KsgPqniUte5n78YFCyV3BgSGTQVjfE22XAARcftxKW6BWtCyqocHNJ
i7vdZizuY6Loyg0vPRYxcIwtsE5NQU228Fknsv2qlY4AqbgkT0fv4+a4feiQ
nVuSwjN2oGWvdZrV3EDrm6DaY4ymYIvpARUGOyYPzyAu0HsQHpgQdZr+oPBV
nWFlY0d6pW8JYGgRwpoGLU9ccaU/pqt65akZTCpH9j6eo6NzZIz51QVgIitb
8hZ8JAAjsTVqwHxcwv1NHwLMB7AwsXN/QICC4ANcENd7sr7mwB+L845Tc8s0
k8wN6V+WrrA0jEIvDdXGO6KjJjhuFehaTFiA8/Ifh3G/4R2y647lDJ/hB0Hk
1AdEsPQtDk6aoXqcnAcjJJgkjKV4LIaJfod565ADUZPoLXFi2CnWvCJkJ9ve
lcIjiW5NRLpkk4bdcnDxKWcbbDQS0ZTzUD7C58UI1Rt3atPB8WVnO5sEle7c
UhzoP902jGPIREYeCZ2S/sJPCwZ2g8bKhwRtO+LGIQx3eoonbHDOhuUF3UcM
Z7DBvzZ9oJsdamFAJJ/eSnuZ1z3NbqQNl4sXUj0Qm8cQDF7qTJ9m9o592sVu
aCbAKUkcumcc2w/YKI00XPfwCZYtw3oZjdQcznTgEdJSAKthJCQ113nQi+AP
O5gRIBcvxO4yswA0QWKClRw6+ICYV9qiTKmtqX1zxQGaZZhlptJglfPUGSAB
mUBnsdRA6y/1D725u7ILBVcGlYGqOrNZRllwW1YXgAuzj63mgNl6aZiM9t+c
aRm5FCfJbenuhtBKcwydaJosm0hfICyQK54rOeLrxZ46p7dbTMJFLKxqdqM/
SPQuBXEDxuPbkkIA6Hh23vSKEv1XCLRZN00VCYRJav8VnsKA0+UelNnw0tIb
Iq54s+rEuFLnjQGyLAjVXe0KMEQrBdDLILM9h2w8s6iM0chT2UGFoIFKV0Nl
C+tLruFRbIcVUK2WX4TQCYAx6oPepsRKXogjCewCZaQug9es+hTT22wb09E4
QFmwXXR6/PMKKXUCy/FdHLx+hHxKqicIgikf0Xbe24LkHN/pKWiIIFpQkal7
fkkHuGtJk5oiriR7g5kgvQImgb4pzQX1sxbBkmAVPLXs2/e1czoS6C9p9Ie2
lhggGHMpH97ZNGH5oEBEzG3K689ZgrzPi4YOWTs96FI5T7MEhJ8Ivwe0/qje
IPZRuXPDxDE2Npb61FHevR+XWhBp2JUMO3D2IMUnLjJJFFKvCW+pUjtmXyCY
yrKOc3F9XqYAP/qlKQX32mGTaJc6dzGegei5LrLGtk2SVZqHZb9G3ZR9X56+
Pd3IeCQ/kqO+K4BqX+4CaMQHUueJhT/kxluk+upPC6X0LyF7px3R7cgDQEYf
Hr7FESfw6/XZ9xdvLq6/xu9TPK6TQ+3Hx5PRSNZCf0sC36SgOeAyYErt6EoD
Q6NR0ABELTeboZf6rrsjYpk4bKGhRKEt+sPudFz57sJ+SSF426OC22hA+oMs
Z0sNWBjjv80fIIHbgODLwUEJUUfeDrm8uP6LAvNdBHdeGQohMZ0c9putmwpn
QHTxbwFEOr5F5Z7GtzkESpNQNoQlFdK/g9Wjm2bprahH57fq4g7Cxl/SDIRI
ILEkJd+l5t4TLX59K1P+BfLeC4j4Tn2KL2ACL4EF83uVtFGA39Ho+fOr12fq
gv4Ozb849dZW5uT5c6XeY3cxZg8re+dVI3k/hC5+zaqoo6xziAXMCxaCf5Sh
qU5s8H1wVizgPvVXdPawmepceNzgqygYhOGeK8A/HeMfTpBaMrHP2tcEt5yL
SEd16XVIf/xg33Fpk1eG7WpUDeynv5+7hRlugcUsrcDgB2qHFr6DE+7wcdJO
MxONER7OJc3Lrs099MIgMEwIZ41yYdF1LMcsmS54dxtr69ZvcW3Y60EA6Azg
c6PE7U2iW154/1yJ7FOHnJ1DsNhCHnrlo84i7+ADZu1J8AYwDLfOcet1QeKV
tzxZAtI7IqbnRv8HnLAOPA5KAAA=

-->

</rfc>
