<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-liao-ace-est-c509-00" category="std" consensus="true" submissionType="IETF" tocDepth="4" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="EST-C509">EST for C509 Certificates</title>
    <seriesInfo name="Internet-Draft" value="draft-liao-ace-est-c509-00"/>
    <author initials="L." surname="Liao" fullname="Lijun Liao">
      <organization>NIO</organization>
      <address>
        <email>lijun.liao@nio.io</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <abstract>
      <?line 49?>

<t>This document defines Enrollment over Secure Transport (EST) protocol operations over HTTPS for use with C509 certificates. The operations specified in this document support CA certificate distribution, C509 certificate enrollment, C509 certificate re-enrollment, and server-side key generation using C509 certificates. This document also defines operations for Certificate Revocation List (CRL) distribution.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-liao-ace-est-c509/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Authentication and Authorization for Constrained Environments Working Group mailing list (<eref target="mailto:ace@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/ace/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/ace/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ace-wg/xxx"/>.</t>
    </note>
  </front>
  <middle>
    <?line 53?>

<section anchor="intro">
      <name>Introduction</name>
      <t>Enrollment over Secure Transport (EST) <xref target="RFC7030"/> defines HTTPS-based operations for X.509 <xref target="RFC5280"/> certificate enrollment and CA certificate distribution.  Payloads are DER-encoded and wrapped in CMS (Cryptographic Message Syntax, <xref target="RFC5652"/>) structures.  C509 <xref target="I-D.ietf-cose-cbor-encoded-cert"/> defines a compact, CBOR-encoded alternative to DER X.509 certificates.  C509 certificates are substantially smaller.</t>
      <t>Although C509 was developed with constrained devices in mind, its benefits extend to unconstrained devices operating over low-bandwidth links and to large-scale deployments.  Smaller, CBOR-encoded certificates reduce bandwidth and storage requirements, accelerate TLS handshakes, and lower parsing and serialization overhead even on powerful endpoints; because C509 does not use ASN.1/DER, implementations can avoid complex ASN.1 parsing code, which reduces code size and complexity and lowers the attack surface for certificate parsing libraries.  In complex systems (for example, connected cars) that contain diverse device classes—microcontrollers, sensor chips, and SoCs—using a common certificate format wherever practical simplifies integration and provisioning.  Using C509 consistently across device classes simplifies provisioning, interoperability, and over-the-air updates, and can reduce overall operational costs and latency.</t>
      <t>This document defines EST operations that carry C509 objects in place of DER X.509 objects, following the same HTTPS/TLS transport and URI path structure as <xref target="RFC7030"/>.  For environments where HTTPS/TLS is impractical, EST for C509 certificates over CoAP with OSCORE is defined in <xref target="I-D.ietf-ace-coap-est-oscore"/>.</t>
      <t>A key property of this design is that EST clients do not require a CBOR parser or generator:</t>
      <ul spacing="normal">
        <li>
          <t>For non-KEM-only key types, the C509 CSR is typically pre-provisioned as an opaque binary blob by the device manufacturer or a provisioning tool; the EST client sends it verbatim as the POST body of <tt>simpleenroll</tt> or <tt>simplereenroll</tt> without interpreting its contents.</t>
        </li>
        <li>
          <t>For KEM-only key types, the EST client needs to communicate with the key device to get the public key (<tt>C509PublicKey</tt>) and the certification request (<tt>C509CertificationRequest</tt>) after receiving the KEM challenge object (<tt>KemChall</tt>) from the EST server; in this case, the EST client considers the <tt>C509PublicKey</tt>, <tt>KemChall</tt>, and <tt>C509CertificationRequest</tt> opaque binary blobs.</t>
        </li>
        <li>
          <t>For all key types, the C509 certificate returned in the response is stored directly to persistent memory without parsing.  This property makes the EST client implementation extremely lightweight.</t>
        </li>
      </ul>
      <t>This document uses <tt>C509CertificationRequest</tt> as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/> as the C509 Certificate Signing Request (C509 CSR) format.  An EST client uses a C509 CSR to request issuance of a C509 certificate from an EST server.</t>
      <t>The operations defined in this document are:</t>
      <table anchor="tab-ops-overview">
        <name>Operations Defined in This Document</name>
        <thead>
          <tr>
            <th align="left">Operation</th>
            <th align="left">Category</th>
            <th align="left">Client Authentication</th>
            <th align="left">Request Media Type</th>
            <th align="left">Response Media Type</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">
              <tt>caps</tt></td>
            <td align="left">Capability discovery</td>
            <td align="left">No</td>
            <td align="left">(none)</td>
            <td align="left">
              <tt>text/plain</tt></td>
          </tr>
          <tr>
            <td align="left">
              <tt>cacert</tt></td>
            <td align="left">CA certificate retrieval</td>
            <td align="left">No</td>
            <td align="left">(none)</td>
            <td align="left">
              <tt>application/cose-c509-cert+cbor</tt></td>
          </tr>
          <tr>
            <td align="left">
              <tt>cacerts</tt></td>
            <td align="left">CA certificate chain retrieval</td>
            <td align="left">No</td>
            <td align="left">(none)</td>
            <td align="left">
              <tt>application/cose-c509+cbor; usage=chain</tt></td>
          </tr>
          <tr>
            <td align="left">
              <tt>crlinfo</tt></td>
            <td align="left">CRL metadata</td>
            <td align="left">No</td>
            <td align="left">(none)</td>
            <td align="left">
              <tt>application/c509-crlinfo+cbor</tt></td>
          </tr>
          <tr>
            <td align="left">
              <tt>crl</tt></td>
            <td align="left">CRL retrieval</td>
            <td align="left">No</td>
            <td align="left">(none)</td>
            <td align="left">
              <tt>application/c509-crl+cbor</tt></td>
          </tr>
          <tr>
            <td align="left">
              <tt>csrattrs</tt></td>
            <td align="left">CSR attributes retrieval</td>
            <td align="left">No</td>
            <td align="left">(none)</td>
            <td align="left">
              <tt>application/cose-c509-crtemplate+cbor</tt></td>
          </tr>
          <tr>
            <td align="left">
              <tt>kemchall</tt></td>
            <td align="left">KEM challenge issuance</td>
            <td align="left">Yes</td>
            <td align="left">
              <tt>application/c509-pubkey+cbor</tt></td>
            <td align="left">
              <tt>application/cbor</tt></td>
          </tr>
          <tr>
            <td align="left">
              <tt>simpleenroll</tt></td>
            <td align="left">Certificate enrollment</td>
            <td align="left">Yes</td>
            <td align="left">
              <tt>application/cose-c509-pkcs10+cbor</tt></td>
            <td align="left">
              <tt>application/cose-c509-cert+cbor</tt></td>
          </tr>
          <tr>
            <td align="left">
              <tt>simplereenroll</tt></td>
            <td align="left">Certificate re-enrollment</td>
            <td align="left">Yes</td>
            <td align="left">
              <tt>application/cose-c509-pkcs10+cbor</tt></td>
            <td align="left">
              <tt>application/cose-c509-cert+cbor</tt></td>
          </tr>
          <tr>
            <td align="left">
              <tt>serverkeygen</tt></td>
            <td align="left">Server-side key generation</td>
            <td align="left">Yes</td>
            <td align="left">
              <tt>application/cose-c509-pkcs10+cbor</tt></td>
            <td align="left">
              <tt>application/cose-c509-pem+cbor</tt></td>
          </tr>
        </tbody>
      </table>
    </section>
    <section anchor="conventions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>The following terms are used in this document:</t>
      <dl>
        <dt>EST client:</dt>
        <dd>
          <t>The entity that contacts the EST server to obtain certificates or CA information, as defined in <xref section="1" sectionFormat="comma" target="RFC7030"/>.</t>
        </dd>
        <dt>EST server:</dt>
        <dd>
          <t>The entity that processes EST requests, typically acting as an RA between the EST client and the CA, as defined in <xref section="1" sectionFormat="comma" target="RFC7030"/>.</t>
        </dd>
        <dt>CA:</dt>
        <dd>
          <t>Certification Authority.  The entity that issues C509 certificates.</t>
        </dd>
        <dt>C509 CSR:</dt>
        <dd>
          <t>C509 Certification Request.  A CBOR-encoded certification request used by an EST client to request issuance of a C509 certificate.</t>
        </dd>
        <dt>PoP:</dt>
        <dd>
          <t>Proof of Possession.  Verification that the requester holds the private key corresponding to the public key in the C509 CSR.</t>
        </dd>
      </dl>
    </section>
    <section anchor="c509-csr">
      <name>C509 Certification Request (C509 CSR)</name>
      <t>A C509 CSR is a CBOR-encoded certification request used to request issuance of a C509 certificate.  It is the C509 analogue of the PKCS#10 CSR <xref target="RFC2986"/> used in standard EST operations.</t>
      <t>This document uses <tt>C509CertificationRequest</tt> as defined in <xref section="4" sectionFormat="comma" target="I-D.ietf-cose-cbor-encoded-cert"/>.  An EST client sends a C509 CSR to request certificate issuance or re-enrollment. The media type is <tt>application/cose-c509-pkcs10+cbor</tt>.</t>
      <t>For server-side key generation requests (<xref target="serverkeygen"/>), the EST client does not possess the private key and does not know the public key that the EST server will generate.  In this case, the <tt>subjectPublicKeyAlgorithm</tt> in <tt>TBSCertificationRequest</tt> <bcp14>MUST</bcp14> be set to the integer code for <tt>empty-publickey</tt> (see <xref target="empty-publickey"/>) and <tt>subjectPublicKey</tt> <bcp14>MUST</bcp14> be an empty byte string (<tt>h''</tt>).  Because no private/public key is available, no PoP signature can be computed/verified: the <tt>signatureAlgorithm</tt> <bcp14>MUST</bcp14> be set to the <tt>id-alg-unsigned</tt> integer code and <tt>signatureValue</tt> <bcp14>MUST</bcp14> be a zero-length byte string.  EST servers <bcp14>MUST</bcp14> accept C509 CSRs using <tt>empty-publickey</tt> and <tt>id-alg-unsigned</tt> for <tt>serverkeygen</tt> requests and <bcp14>MUST NOT</bcp14> verify a PoP signature in this case.</t>
      <section anchor="empty-publickey">
        <name>empty-publickey Algorithm</name>
        <t>This document defines a new C509 public key algorithm, <tt>empty-publickey</tt>, to be used exclusively in C509 CSRs for <tt>serverkeygen</tt> requests to indicate that no public key is available in the CSR.</t>
        <t>The <tt>empty-publickey</tt> algorithm code (TBD1) <bcp14>MUST NOT</bcp14> appear in C509 certificates.  It is only valid in the <tt>subjectPublicKeyAlgorithm</tt> field of <tt>TBSCertificationRequest</tt> when the corresponding <tt>subjectPublicKey</tt> is an empty byte string (<tt>h''</tt>).  EST servers <bcp14>MUST</bcp14> reject any C509 CSR using <tt>empty-publickey</tt> in a <tt>simpleenroll</tt> or <tt>simplereenroll</tt> request.</t>
      </section>
      <section anchor="change-subject-name">
        <name>CRAttribute ChangeSubjectName</name>
        <t>The ChangeSubjectName for X.509 PKI is defined in <xref target="RFC6402"/>. The corresponding definition for C509 certification request is a CBOR-array consisting of a <tt>subject</tt> and a <tt>subjectAlt</tt>. At least one of <tt>subject</tt> and <tt>subjectAlt</tt> <bcp14>MUST NOT</bcp14> be <tt>null</tt>.</t>
        <sourcecode type="cddl" name="c509est.cddl"><![CDATA[
ChangeSubjectName = [
  subject     C509Name / null,
  subjectAlt  SubjectAltName / null.
]
]]></sourcecode>
        <t>This CRAttribute <bcp14>MAY</bcp14> be included in a <tt>simplereenroll</tt> request to change the <tt>Subject</tt> field and/or the <tt>SubjectAltName</tt> extension in the newly generated certificate.</t>
      </section>
      <section anchor="proof-of-possession">
        <name>Proof of Possession</name>
        <t><tt>simpleenroll</tt> and <tt>simplereenroll</tt> <bcp14>MUST</bcp14> verify the PoP signature in the C509 CSR before issuing a certificate.  The <tt>serverkeygen</tt> operation does not require PoP verification because the EST server generates the key pair itself.</t>
        <section anchor="c509pubkey">
          <name>C509PublicKey</name>
          <t>A <tt>C509PublicKey</tt> contains a subject public key in the C509 encoding.  It uses the same field types as <tt>TbsCertificate</tt> in <xref target="I-D.ietf-cose-cbor-encoded-cert"/> and is defined as:</t>
          <artwork name="c509est.cddl"><![CDATA[
C509PublicKey = [
  subjectPublicKeyAlgorithm : AlgorithmIdentifier,
  subjectPublicKey          : Defined
]
]]></artwork>
          <t>The <tt>subjectPublicKeyAlgorithm</tt> field uses the full <tt>AlgorithmIdentifier</tt> encoding as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>, without limitation.
The <tt>subjectPublicKey</tt> field uses the same encoding as in C509 certificates: for most algorithms it is a CBOR byte string, but for RSA public keys it is encoded as an array of two unwrapped CBOR unsigned bignums <tt>[~biguint, ~biguint]</tt> when the exponent is not 65537, as specified in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
          <t>The media type of <tt>C509PublicKey</tt> is <tt>application/c509-pubkey+cbor</tt> (see <xref target="iana-c509-pubkey"/>); the corresponding CoAP Content-Format is defined in <xref target="content-format"/>.  The "magic number" is TBD2, using the reserved CBOR tag 55799 and Content-Format TBD3, as described in <xref section="2.2" sectionFormat="comma" target="RFC9277"/>.</t>
        </section>
        <section anchor="pop-kem">
          <name>Proof of Possession for KEM Private Keys</name>
          <t>Some public-key algorithms are KEM-only (key-encapsulation mechanisms) and do not provide a signature operation suitable for the traditional PoP signature carried in a <tt>C509CertificationRequest</tt>.  For CSRs whose <tt>subjectPublicKeyAlgorithm</tt> is a KEM algorithm, an EST server <bcp14>MUST</bcp14> obtain explicit proof that the requester holds the corresponding KEM private key.  This document specifies an interactive KEM challenge–response PoP mechanism.</t>
          <t>The recommended KEM PoP flow is:</t>
          <ul spacing="normal">
            <li>
              <t>Challenge issuance: Upon receipt of a KEM public key (<tt>C509PublicKey</tt>) in the <tt>kemchall</tt> operation, an EST server returns a CBOR-encoded KEM challenge object (<tt>KemChall</tt>) with media type <tt>application/cbor</tt>.</t>
            </li>
          </ul>
          <sourcecode type="cddl" name="c509est.cddl"><![CDATA[
KemChall = [
  keyId         : bstr,
  encapAlg      : int,
  encapsulation : bstr
]
]]></sourcecode>
          <t>In particular:</t>
          <ul spacing="normal">
            <li>
              <t><tt>keyId</tt> is the SHA-256 fingerprint of the CBOR-encoded <tt>C509PublicKey</tt>,</t>
            </li>
            <li>
              <t><tt>encapAlg</tt> is the encapsulation algorithm (TBD: define a new registry or reuse a COSE algorithm), and</t>
            </li>
            <li>
              <t><tt>encapsulation</tt> is the KEM ciphertext produced by encapsulating a freshly generated one-time secret key <tt>S</tt> to the client's KEM public key.</t>
            </li>
          </ul>
          <t>The server <bcp14>MUST</bcp14> retain the challenge state (at least <tt>keyId</tt>, <tt>S</tt>, and the lifetime) for the duration of the challenge.</t>
          <ul spacing="normal">
            <li>
              <t>Client decapsulation and response: The client decapsulates <tt>encapsulation</tt> to recover the one-time secret key <tt>S</tt>.  The client computes a MAC value over the CBOR-encoded <tt>TBSCertificationRequest</tt> with the key <tt>S</tt>.  The client then submits a follow-up operation as usual.</t>
            </li>
            <li>
              <t>Server verification: The server computes the <tt>keyId</tt>, retrieves the challenge state for that <tt>keyId</tt>, and verifies that the state is still within its validity period.  The server then derives <tt>K</tt> from <tt>S</tt> and verifies the received <tt>mac</tt> against the saved <tt>TBSCertificationRequest</tt>.  The server proceeds with certificate issuance as for signature-based PoP.  If verification fails or the challenge has expired, the server <bcp14>MUST</bcp14> reject the request.</t>
            </li>
          </ul>
          <t>Implementations <bcp14>SHOULD</bcp14> use HMAC-SHA256 (with integer value TBD4) by default, unless constrained by the KEM's security requirements.  Servers <bcp14>MUST</bcp14> enforce challenge timeouts and retry limits to mitigate replay and denial-of-service risks.</t>
          <t>IANA is requested to register MAC algorithms to be used in <tt>C509CertificationRequest</tt> (<xref target="iana-sigalg"/>).</t>
        </section>
      </section>
    </section>
    <section anchor="est-url-structure">
      <name>EST URL Structure and Path Components</name>
      <t>The operations in this document follow the same URI path structure defined in <xref section="3.2.2" sectionFormat="comma" target="RFC7030"/>.  Retrieval operations (<tt>caps</tt>, <tt>cacert</tt>, <tt>cacerts</tt>, <tt>crlinfo</tt>, <tt>crl</tt>) use HTTP GET:</t>
      <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<operation>
Request target: /.well-known/cest/<label>/<operation>
]]></artwork>
      <t>Enrollment operations (<tt>kemchall</tt>, simpleenroll<tt>, </tt>simplereenroll<tt>, </tt>serverkeygen`) use HTTP POST:</t>
      <artwork><![CDATA[
Method: POST
Request target: /.well-known/cest/<operation>
Request target: /.well-known/cest/<label>/<operation>
]]></artwork>
      <t>An EST server <bcp14>MUST</bcp14> return HTTP 405 (Method Not Allowed) if a client uses POST for a retrieval operation or GET for an enrollment operation.</t>
      <t>The optional <tt>&lt;label&gt;</tt> path segment follows <xref section="3.2.2" sectionFormat="comma" target="RFC7030"/>: an EST server <bcp14>MAY</bcp14> use an additional path segment before the operation name to distinguish services for multiple CAs or certificate profiles.</t>
      <section anchor="cbor-transfer">
        <name>CBOR Transfer</name>
        <t>All POST request bodies in this document are CBOR-encoded.  CBOR-based response bodies are base64-encoded for transport.  The CBOR encoding <bcp14>MUST</bcp14> be deterministic as specified in Sections <xref target="RFC8949" section="4.2.1" sectionFormat="bare"/> and <xref target="RFC8949" section="4.2.2" sectionFormat="bare"/> of <xref target="RFC8949"/>.  Servers <bcp14>MUST NOT</bcp14> include a <tt>Content-Transfer-Encoding</tt> header for CBOR payloads.</t>
        <t>The media types used in this document are:</t>
        <table anchor="tab-media-types">
          <name>Media Types Used in This Document</name>
          <thead>
            <tr>
              <th align="left">Media Type</th>
              <th align="left">Structure</th>
              <th align="left">Defined in</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>application/cose-c509-cert+cbor</tt></td>
              <td align="left">
                <tt>C509Certificate</tt> (single certificate)</td>
              <td align="left">
                <xref target="I-D.ietf-cose-cbor-encoded-cert"/></td>
            </tr>
            <tr>
              <td align="left">
                <tt>application/cose-c509+cbor;usage=chain</tt></td>
              <td align="left">
                <tt>COSE_C509</tt> (chain of <tt>C509CertData</tt>)</td>
              <td align="left">
                <xref target="I-D.ietf-cose-cbor-encoded-cert"/></td>
            </tr>
            <tr>
              <td align="left">
                <tt>application/cose-c509-pkcs10+cbor</tt></td>
              <td align="left">
                <tt>C509CertificationRequest</tt></td>
              <td align="left">
                <xref target="I-D.ietf-cose-cbor-encoded-cert"/></td>
            </tr>
            <tr>
              <td align="left">
                <tt>application/c509-pubkey+cbor</tt></td>
              <td align="left">
                <tt>C509PublicKey</tt></td>
              <td align="left">this document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>application/cose-c509-cbor+cbor</tt></td>
              <td align="left">
                <tt>KemChall</tt> in operation <tt>kemchall</tt></td>
              <td align="left">this document</td>
            </tr>
            <tr>
              <td align="left">
                <tt>application/cose-c509-crtemplate+cbor</tt></td>
              <td align="left">
                <tt>C509CertificationRequestTemplate</tt></td>
              <td align="left">
                <xref target="I-D.ietf-cose-cbor-encoded-cert"/></td>
            </tr>
            <tr>
              <td align="left">
                <tt>application/cose-c509-pem+cbor</tt></td>
              <td align="left">
                <tt>C509PEM</tt> (key + cert)</td>
              <td align="left">
                <xref target="I-D.ietf-cose-cbor-encoded-cert"/></td>
            </tr>
            <tr>
              <td align="left">
                <tt>application/c509-crl+cbor</tt></td>
              <td align="left">
                <tt>C509CRL</tt></td>
              <td align="left">
                <xref target="I-D.liao-cose-c509-revocation"/></td>
            </tr>
            <tr>
              <td align="left">
                <tt>application/c509-crlinfo+cbor</tt></td>
              <td align="left">
                <tt>C509CRLInfo</tt></td>
              <td align="left">
                <xref target="I-D.liao-cose-c509-revocation"/></td>
            </tr>
          </tbody>
        </table>
        <t>The <tt>caps</tt> operation returns <tt>text/plain</tt> with a list of capability keywords.</t>
      </section>
    </section>
    <section anchor="caps-section">
      <name>EST Server Capability Discovery</name>
      <section anchor="caps">
        <name>caps</name>
        <t>The <tt>caps</tt> operation allows an EST client to discover which C509-specific operations the EST server supports before invoking them.  EST clients and EST servers <bcp14>MUST</bcp14> support <tt>caps</tt>.</t>
        <section anchor="caps-request">
          <name>Request</name>
          <t>The EST client sends a GET request for the server's C509 capability list.  No request body is sent.  The EST server <bcp14>SHOULD NOT</bcp14> require client authentication for this operation.</t>
          <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<label>/caps
]]></artwork>
        </section>
        <section anchor="caps-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>text/plain</tt></t>
            </li>
            <li>
              <t>Body: A plain-text list of capability keywords, one keyword per line.  The EST server <bcp14>MUST</bcp14> terminate each line with <tt>&lt;CR&gt;&lt;LF&gt;</tt>.  The EST client <bcp14>MUST</bcp14> be able to parse lines terminated by <tt>&lt;CR&gt;&lt;LF&gt;</tt>, <tt>&lt;CR&gt;</tt>, or <tt>&lt;LF&gt;</tt>.  Keywords are unquoted and case-insensitive.</t>
            </li>
          </ul>
          <t>The following keywords are defined.  An EST server <bcp14>MUST</bcp14> include a keyword in the <tt>caps</tt> response if and only if it supports the corresponding operation.</t>
          <table anchor="tab-caps-keywords">
            <name>caps Keywords Defined in This Document</name>
            <thead>
              <tr>
                <th align="left">Keyword</th>
                <th align="left">Description</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">
                  <tt>cacert</tt></td>
                <td align="left">EST server supports <tt>cacert</tt> (<xref target="cacert"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>cacerts</tt></td>
                <td align="left">EST server supports <tt>cacerts</tt> (<xref target="cacerts"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>crlinfo</tt></td>
                <td align="left">EST server supports <tt>crlinfo</tt> (<xref target="crlinfo"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>crl</tt></td>
                <td align="left">EST server supports <tt>crl</tt> (<xref target="crl"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>csrattrs</tt></td>
                <td align="left">EST server supports <tt>csrattrs</tt> (<xref target="csrattrs"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>kemchall</tt></td>
                <td align="left">EST server supports <tt>kemchall</tt> (<xref target="kemchall"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>simpleenroll</tt></td>
                <td align="left">EST server supports <tt>simpleenroll</tt> (<xref target="simpleenroll"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>simplereenroll</tt></td>
                <td align="left">EST server supports <tt>simplereenroll</tt> (<xref target="simplereenroll"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>serverkeygen</tt></td>
                <td align="left">EST server supports <tt>serverkeygen</tt> (<xref target="serverkeygen"/>)</td>
              </tr>
            </tbody>
          </table>
          <t>An EST client that receives an HTTP error response to a <tt>caps</tt> request <bcp14>MUST NOT</bcp14> attempt the operations defined in this document.</t>
          <t>Example response:</t>
          <artwork><![CDATA[
cacert
cacerts
crlinfo
crl
csrattrs
kemchall
simpleenroll
simplereenroll
serverkeygen
]]></artwork>
        </section>
      </section>
      <section anchor="csrattrs">
        <name>csrattrs</name>
        <t>The <tt>csrattrs</tt> operation returns a <tt>C509CertificationRequestTemplate</tt> that an EST client <bcp14>MAY</bcp14> use to construct a C509 CSR.</t>
        <section anchor="csrattrs-request">
          <name>Request</name>
          <t>The EST client sends a GET request for the CSR template.  No request body is sent.  The EST server <bcp14>SHOULD NOT</bcp14> require client authentication for this operation.</t>
          <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<label>/csrattrs
]]></artwork>
        </section>
        <section anchor="csrattrs-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cose-c509-crtemplate+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>C509CertificationRequestTemplate</tt> as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
            </li>
          </ul>
          <t>An HTTP response code of 204 or 404 indicates that CSR attributes are not available.</t>
        </section>
      </section>
    </section>
    <section anchor="ca-certificates">
      <name>Distribution of CA Certificates</name>
      <section anchor="cacert">
        <name>cacert</name>
        <t>The <tt>cacert</tt> operation returns the issuing CA certificate for the requested EST service as a single base64-encoded CBOR <tt>C509Certificate</tt>.</t>
        <section anchor="cacert-request">
          <name>Request</name>
          <t>The EST client sends a GET request for the CA certificate.  No request body is sent.  The EST server <bcp14>SHOULD NOT</bcp14> require client authentication for this operation.</t>
          <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<label>/cacert
]]></artwork>
        </section>
        <section anchor="cacert-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cose-c509-cert+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>C509Certificate</tt> for the issuing CA, as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
            </li>
          </ul>
          <t>The response body contains exactly one C509 certificate.</t>
          <t>Successful <tt>cacert</tt> responses <bcp14>SHOULD</bcp14> include HTTP caching metadata.  EST servers <bcp14>SHOULD</bcp14> include <tt>ETag</tt>, <tt>Last-Modified</tt>, <tt>Cache-Control</tt>, and <tt>Expires</tt> headers when the certificate lifetime provides a meaningful freshness bound.</t>
        </section>
      </section>
      <section anchor="cacerts">
        <name>cacerts</name>
        <t>The <tt>cacerts</tt> operation returns the CA certificate chain for the requested EST service as a CBOR sequence of C509 certificates.</t>
        <section anchor="cacerts-request">
          <name>Request</name>
          <t>The EST client sends a GET request for the CA certificate chain.  No request body is sent.  The EST server <bcp14>SHOULD NOT</bcp14> require client authentication for this operation.</t>
          <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<label>/cacerts
]]></artwork>
        </section>
        <section anchor="cacerts-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cose-c509+cbor;usage=chain</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>COSE_C509</tt> representing an ordered certificate chain.  The first element is the issuing CA certificate; subsequent elements are intermediate and root CA certificates in chain order. If a Root CA key update applies, the EST server <bcp14>SHOULD</bcp14> include the three "Root CA Key Update" certificates OldWithOld, OldWithNew, and NewWithOld in the response chain.  These are defined in <xref section="4.4" sectionFormat="comma" target="RFC9810"/>.</t>
            </li>
          </ul>
          <t>Successful <tt>cacerts</tt> responses <bcp14>SHOULD</bcp14> include HTTP caching metadata.</t>
        </section>
      </section>
    </section>
    <section anchor="crl-operations">
      <name>Distribution of C509 CRLs</name>
      <t>The <tt>crlinfo</tt> and <tt>crl</tt> operations provide C509 CRL access.  The C509 CRL format is defined in <xref target="I-D.liao-cose-c509-revocation"/>.</t>
      <section anchor="crlinfo">
        <name>crlinfo</name>
        <t>The <tt>crlinfo</tt> operation returns metadata about the current C509 CRL for the target CA as a <tt>C509CRLInfo</tt> object without the full revocation list.  This enables an EST client to check whether its locally cached CRL is still current before requesting the full <tt>crl</tt>.  <tt>C509CRLInfo</tt> is defined in <xref target="I-D.liao-cose-c509-revocation"/>.</t>
        <section anchor="crlinfo-request">
          <name>Request</name>
          <t>The EST client sends a GET request for CRL metadata.  No request body is sent.  The EST server <bcp14>SHOULD NOT</bcp14> require client authentication for this operation.</t>
          <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<label>/crlinfo
Request target: /.well-known/cest/<label>/crlinfo[?crlnumber=<n>][&crldp=<dp>]
]]></artwork>
          <t>The optional <tt>crlnumber</tt> query parameter carries the decimal representation of the CRL number the client is interested in.  When present, the EST server <bcp14>MUST</bcp14> return the <tt>C509CRLInfo</tt> for the CRL with that exact <tt>crlNumber</tt>.  If no CRL with the requested <tt>crlnumber</tt> is available, the EST server <bcp14>MUST</bcp14> return HTTP status 404 (Not Found).  When <tt>crlnumber</tt> is absent, the server returns the <tt>C509CRLInfo</tt> for the most recent CRL.</t>
          <t>The optional <tt>crldp</tt> query parameter carries the CRL Distribution Point identifier.  When present, the EST server <bcp14>MUST</bcp14> return the <tt>C509CRLInfo</tt> for the CRL associated with that distribution point.  When both <tt>crlnumber</tt> and <tt>crldp</tt> are present, the server <bcp14>MUST</bcp14> return the <tt>C509CRLInfo</tt> matching both criteria.</t>
        </section>
        <section anchor="crlinfo-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/c509-crlinfo+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>C509CRLInfo</tt> as defined in <xref target="I-D.liao-cose-c509-revocation"/>.</t>
            </li>
          </ul>
          <t><tt>C509CRLInfo</tt> carries all CRL fields from <tt>C509CRLInfoData</tt> — including <tt>crlType</tt>, <tt>signatureAlgorithm</tt>, <tt>authoritySubject</tt>, <tt>authorityKeyIdentifier</tt>, <tt>crlNumber</tt>, <tt>thisUpdate</tt>, <tt>nextUpdate</tt>, <tt>baseCrlNumber</tt>, and <tt>crlExtensions</tt> — without the <tt>revokedCertsList</tt>.  An EST client can use these fields to compare <tt>crlNumber</tt>, <tt>nextUpdate</tt>, or compute a freshness check against its local cache before deciding whether to download the full <tt>C509CRL</tt> via <tt>crl</tt>.</t>
          <t>If no matching CRL is available, the EST server <bcp14>MUST</bcp14> return HTTP status 404 (Not Found).</t>
        </section>
      </section>
      <section anchor="crl">
        <name>crl</name>
        <t>The <tt>crl</tt> operation returns the C509 CRL for the target CA.</t>
        <section anchor="crl-request">
          <name>Request</name>
          <t>The EST client sends a GET request for the C509 CRL.  No request body is sent.  The EST server <bcp14>SHOULD NOT</bcp14> require client authentication for this operation.</t>
          <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<label>/crl
Request target: /.well-known/cest/<label>/crl[?crlnumber=<n>][&crldp=<dp>]
]]></artwork>
          <t>The optional <tt>crlnumber</tt> query parameter carries the decimal representation of the CRL number.  When present, the EST server <bcp14>MUST</bcp14> return the full <tt>C509CRL</tt> with that exact <tt>crlNumber</tt>.  When <tt>crlnumber</tt> is absent, the server returns the most recent CRL.</t>
          <t>The optional <tt>crldp</tt> query parameter carries the CRL Distribution Point identifier.  When present, the EST server <bcp14>MUST</bcp14> return the full <tt>C509CRL</tt> for the CRL associated with that distribution point.  When both <tt>crlnumber</tt> and <tt>crldp</tt> are present, the server <bcp14>MUST</bcp14> return the <tt>C509CRL</tt> matching both criteria.</t>
          <t>If no matching CRL is available, the EST server <bcp14>MUST</bcp14> return HTTP status 404 (Not Found).</t>
        </section>
        <section anchor="crl-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/c509-crl+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>C509CRL</tt> as defined in <xref target="I-D.liao-cose-c509-revocation"/>.</t>
            </li>
          </ul>
          <t>Successful <tt>crl</tt> responses <bcp14>SHOULD</bcp14> include HTTP caching metadata.  When present, <tt>Last-Modified</tt> <bcp14>SHOULD</bcp14> reflect the CRL <tt>thisUpdate</tt> value, and when <tt>nextUpdate</tt> is present, <tt>Expires</tt> <bcp14>SHOULD</bcp14> reflect <tt>thisUpdate + nextUpdate</tt>.</t>
          <t>If no matching CRL is available, the EST server <bcp14>MUST</bcp14> return HTTP status 404 (Not Found).</t>
        </section>
      </section>
    </section>
    <section anchor="enrollment-ops">
      <name>Certificate Enrollment Operations</name>
      <section anchor="enrollment-auth">
        <name>Client Authentication</name>
        <t>The enrollment operations defined in this section (<tt>kemchall</tt>, simpleenroll<tt>, </tt>simplereenroll<tt>, and </tt>serverkeygen`) require client authentication.  The client authentication requirements are unchanged from <xref target="RFC7030"/>.  EST clients and EST servers <bcp14>MUST</bcp14> follow <xref section="3.2.3" sectionFormat="comma" target="RFC7030"/> and <xref section="3.3.2" sectionFormat="comma" target="RFC7030"/> for client authentication, respectively.</t>
      </section>
      <section anchor="kemchall">
        <name>kemchall</name>
        <t>The <tt>kemchall</tt> operation requests a KEM-based Proof-of-Possession challenge for a submitted C509 public key whose <tt>subjectPublicKeyAlgorithm</tt> is a KEM algorithm.</t>
        <section anchor="kemchall-request">
          <name>Request</name>
          <t>An authenticated EST client sends a POST request containing a <tt>C509PublicKey</tt> (<xref target="c509pubkey"/>) to request a KEM challenge.</t>
          <artwork><![CDATA[
Method: POST
Request target: /.well-known/cest/<label>/kemchall
Media type: application/c509-pubkey+cbor

<Base64-encoded C509PublicKey>
]]></artwork>
          <t>If the request does not contain a KEM public key, the EST server <bcp14>MUST</bcp14> return HTTP 400 (Bad Request).  If the server supports KEM PoP for the submitted algorithm, it issues a challenge; otherwise, it <bcp14>MUST</bcp14> return HTTP 501 (Not Implemented).</t>
        </section>
        <section anchor="kemchall-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>KemChall</tt> (<xref target="pop-kem"/>).</t>
            </li>
          </ul>
          <t>A client that receives a <tt>KemChall</tt> uses the recovered one-time secret key to produce the PoP MAC and then proceeds with a normal enrollment request (<tt>simpleenroll</tt> or <tt>simplereenroll</tt>) including the computed MAC in the request (see <xref target="pop-kem"/> for the PoP flow). The EST server verifies the MAC using the stored challenge state and issues the certificate on success.</t>
        </section>
      </section>
      <section anchor="simpleenroll">
        <name>simpleenroll</name>
        <t>The <tt>simpleenroll</tt> operation requests issuance of a new C509 certificate from the EST server.</t>
        <section anchor="simpleenroll-request">
          <name>Request</name>
          <t>An authenticated EST client sends a POST request containing a C509 CSR (<xref target="c509-csr"/>).</t>
          <artwork><![CDATA[
Method: POST
Request target: /.well-known/cest/<label>/simpleenroll
Media type: application/cose-c509-pkcs10+cbor

<Base64-encoded C509CertificationRequest>
]]></artwork>
          <t>The <tt>C509CertificationRequest</tt> <bcp14>MUST</bcp14> include a valid PoP signature.  The EST server <bcp14>MUST</bcp14> verify the PoP signature against the public key in the C509 CSR before issuing a certificate, as required by <xref section="3.4" sectionFormat="comma" target="RFC7030"/>.</t>
        </section>
        <section anchor="simpleenroll-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cose-c509-cert+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>C509Certificate</tt> issued for the subject in the C509 CSR, as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="simplereenroll">
        <name>simplereenroll</name>
        <t>The <tt>simplereenroll</tt> operation renews or rekeys an existing C509 certificate.</t>
        <section anchor="simplereenroll-request">
          <name>Request</name>
          <t>An authenticated EST client sends a POST request containing a C509 CSR for re-enrollment.  The request Subject field and SubjectAltName extension <bcp14>MUST</bcp14> be identical to the corresponding fields in the certificate being renewed or rekeyed.</t>
          <t>The <tt>ChangeSubjectName</tt> attribute defined in <xref target="change-subject-name"/> <bcp14>MAY</bcp14> be included in the CSR to request that these fields be changed in the new certificate.</t>
          <artwork><![CDATA[
Method: POST
Request target: /.well-known/cest/<label>/simplereenroll
Media type: application/cose-c509-pkcs10+cbor

<Base64-encoded C509CertificationRequest>
]]></artwork>
          <t>Re-enrollment processing follows <xref section="4.2.2" sectionFormat="comma" target="RFC7030"/>.  The EST server <bcp14>MUST</bcp14> verify the PoP signature in the C509 CSR.</t>
        </section>
        <section anchor="simplereenroll-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cose-c509-cert+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded renewed <tt>C509Certificate</tt>, as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="serverkeygen">
        <name>serverkeygen</name>
        <t>The <tt>serverkeygen</tt> operation requests server-side key generation and returns the generated private key and the issued C509 certificate.</t>
        <t>As discussed in <xref section="9" sectionFormat="comma" target="RFC9148"/>, transporting private keys generated by the EST server is inherently risky. The use of server-generated private keys increases the risk of digital identity theft. Therefore, implementations <bcp14>SHOULD NOT</bcp14> use EST functions that rely on server-generated private keys.</t>
        <section anchor="serverkeygen-request">
          <name>Request</name>
          <t>An authenticated EST client sends a POST request containing a C509 CSR.  The <tt>subjectPublicKeyAlgorithm</tt> in the C509 CSR <bcp14>SHOULD</bcp14> be set to <tt>empty-publickey</tt> (<xref target="empty-publickey"/>) and <tt>subjectPublicKey</tt> <bcp14>SHOULD</bcp14> be an empty byte string (<tt>h''</tt>), because the key pair is generated by the EST server.  The <tt>signatureAlgorithm</tt> <bcp14>SHOULD</bcp14> be the <tt>id-alg-unsigned</tt> integer code and <tt>signatureValue</tt> <bcp14>SHOULD</bcp14> be a zero-length byte string.  EST servers <bcp14>MUST</bcp14> accept C509 CSRs that use <tt>empty-publickey</tt> and <tt>id-alg-unsigned</tt> for <tt>serverkeygen</tt> and <bcp14>MUST NOT</bcp14> verify a PoP signature in this case.</t>
          <artwork><![CDATA[
Method: POST
Request target: /.well-known/cest/<label>/serverkeygen
Media type: application/cose-c509-pkcs10+cbor

<Base64-encoded C509CertificationRequest>
]]></artwork>
        </section>
        <section anchor="serverkeygen-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cose-c509-pem+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>C509PEM</tt>.</t>
            </li>
          </ul>
          <t>The <tt>C509CertData</tt> field in the <tt>C509PEM</tt> <bcp14>MUST</bcp14> contain only the issued C509 certificate for the generated key pair.</t>
          <t>The EST server <bcp14>SHOULD</bcp14> delete the private key from its storage as soon as the response has been transmitted successfully, unless the deployment policy requires retention for key escrow or disaster recovery (see <xref target="security"/>).  The private key is protected only by the TLS channel; no additional encryption is applied.</t>
        </section>
      </section>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <t>The security requirements of <xref target="RFC7030"/> apply in full to all operations defined in this document.</t>
      <section anchor="transport-security">
        <name>Transport Security</name>
        <t>All operations defined in this document <bcp14>MUST</bcp14> be carried out over HTTPS (HTTP over TLS) as required by <xref section="3" sectionFormat="comma" target="RFC7030"/>.  Implementations <bcp14>MUST NOT</bcp14> fall back to plain HTTP.</t>
        <t>EST clients and servers <bcp14>SHOULD</bcp14> use C509 certificates <xref target="I-D.ietf-cose-cbor-encoded-cert"/> for TLS authentication when both peers support C509.  This enables end-to-end C509 usage, including the TLS handshake itself, and reduces size and parsing overhead consistently.  EST servers <bcp14>MUST</bcp14> continue to accept X.509 certificates <xref target="RFC5280"/> for TLS client authentication for interoperability with clients that do not yet support C509.</t>
        <section anchor="tls-certificate-type-negotiation">
          <name>TLS Certificate Type Negotiation</name>
          <t>When C509 certificates are used for TLS authentication, the client and server negotiate the certificate type using the <tt>server_certificate_type</tt> and <tt>client_certificate_type</tt> TLS extensions as defined in <xref target="RFC7250"/>.</t>
        </section>
        <section anchor="client-authentication">
          <name>Client Authentication</name>
          <t>The <tt>caps</tt>, <tt>cacert</tt>, <tt>cacerts</tt>, <tt>crlinfo</tt>, and <tt>crl</tt> operations <bcp14>SHOULD NOT</bcp14> require client authentication, consistent with <xref section="4.1.2" sectionFormat="comma" target="RFC7030"/>.  The <tt>kemchall</tt>, <tt>simpleenroll</tt>, <tt>simplereenroll</tt>, and <tt>serverkeygen</tt> operations <bcp14>MUST</bcp14> require client authentication.</t>
        </section>
      </section>
      <section anchor="server-key-generation">
        <name>Server Key Generation</name>
        <t>The <tt>serverkeygen</tt> operation delivers a generated private key to the EST client over TLS.  EST servers <bcp14>SHOULD</bcp14> delete the private key after successful transmission.  EST clients <bcp14>MUST</bcp14> store the key material securely immediately upon receipt.</t>
        <t>As discussed in <xref section="9" sectionFormat="comma" target="RFC9148"/>, transporting private keys generated by the EST server is inherently risky. The use of server-generated private keys increases the risk of digital identity theft. Therefore, implementations <bcp14>SHOULD NOT</bcp14> use EST functions that rely on server-generated private keys.</t>
      </section>
      <section anchor="c509-certificate-validation">
        <name>C509 Certificate Validation</name>
        <t>EST clients <bcp14>MUST</bcp14> validate received C509 certificates against an independently configured trust anchor according to <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.  The trust model for C509 certificates differs from classical X.509 certificate chain validation when C509 is used in the HyPKI trust architecture; in that case, validation uses the cosigner-signed Merkle tree or signed allowlist rather than a certificate chain.</t>
      </section>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <section anchor="iana-well-known">
        <name>Well-Known URI Registry</name>
        <t>IANA is requested to register the following entry in the "Well-Known URI" registry established by <xref target="RFC8615"/>:</t>
        <table anchor="tab-iana-well-known">
          <name>Well-Known URI Registration for cest</name>
          <thead>
            <tr>
              <th align="left">URI Suffix</th>
              <th align="left">Change Controller</th>
              <th align="left">Reference</th>
              <th align="left">Status</th>
              <th align="left">Related Information</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>cest</tt></td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
              <td align="left">permanent</td>
              <td align="left">C509 EST operations as defined in this document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="iana-pubkey">
        <name>C509 Public Key Algorithms Registry</name>
        <t>IANA is requested to register the following entry in the "C509 Public Key Algorithms" registry under the registry group "CBOR Encoded X.509 (C509)" defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>:</t>
        <table anchor="tab-iana-pubkey">
          <name>empty-publickey Registration</name>
          <thead>
            <tr>
              <th align="left">Field</th>
              <th align="left">Value</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Value</td>
              <td align="left">TBD1</td>
            </tr>
            <tr>
              <td align="left">Name</td>
              <td align="left">empty-publickey</td>
            </tr>
            <tr>
              <td align="left">Identifiers</td>
              <td align="left">N/A</td>
            </tr>
            <tr>
              <td align="left">OID</td>
              <td align="left">N/A</td>
            </tr>
            <tr>
              <td align="left">Parameters</td>
              <td align="left">N/A</td>
            </tr>
            <tr>
              <td align="left">DER</td>
              <td align="left">N/A</td>
            </tr>
            <tr>
              <td align="left">Comments</td>
              <td align="left">Exclusively for use in <tt>subjectPublicKeyAlgorithm</tt> of a <tt>TBSCertificationRequest</tt> for server-side key generation (<tt>serverkeygen</tt>).  <bcp14>MUST NOT</bcp14> appear in C509 certificates.</td>
            </tr>
            <tr>
              <td align="left">Reference</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="iana-sigalg">
        <name>C509 Signature Algorithms Registry</name>
        <t>IANA is requested to register the following entry in the "C509 Signature Algorithms" registry under the registry group "CBOR Encoded X.509 (C509)" defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>:</t>
        <table anchor="tab-iana-sigalg">
          <name>HMAC-SHA256 Registration</name>
          <thead>
            <tr>
              <th align="left">Field</th>
              <th align="left">Value</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Value</td>
              <td align="left">TBD4</td>
            </tr>
            <tr>
              <td align="left">Name</td>
              <td align="left">hmacWithSHA256</td>
            </tr>
            <tr>
              <td align="left">Identifiers</td>
              <td align="left">id-hmacWithSHA256</td>
            </tr>
            <tr>
              <td align="left">OID</td>
              <td align="left">1.2.840.113549.2.9</td>
            </tr>
            <tr>
              <td align="left">Parameters</td>
              <td align="left">N/A</td>
            </tr>
            <tr>
              <td align="left">OID</td>
              <td align="left">06 08 2A 86 48 86 F7 0D 02 09</td>
            </tr>
            <tr>
              <td align="left">Comments</td>
              <td align="left">HMAC over SHA256</td>
            </tr>
            <tr>
              <td align="left">Reference</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="iana-cratttype">
        <name>C509 CR Attributes Registry</name>
        <t>IANA is requested to register the following entry in the "C509 CR Attributes" registry under the registry group "CBOR Encoded X.509 (C509)" defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>:</t>
        <artwork><![CDATA[
+-------+-----------------------------------------------------------+
| Value | CR Attribute                                              |
+=======+===========================================================+
|  TBD5 | Name:            CMC Change Subject Name                  |
|       | Identifiers:     id-cmc-changeSubjectName                 |
|       | OID:             1.3.6.1.5.5.7.7.36                       |
|       | DER:             06 08 2B 06 01 05 05 07 07 24            |
|       | Comments:        RFC 6402                                 |
|       | attributeValue:  ChangeSubjectName                        |
+-------+-----------------------------------------------------------+
]]></artwork>
        <section anchor="iana-c509-pubkey">
          <name>Media Type application/c509-pubkey+cbor</name>
          <t>When the <tt>application/c509-pubkey+cbor</tt> media type is used, the payload is a <tt>C509PublicKey</tt> structure.</t>
          <t>Type name: application</t>
          <t>Subtype name: c509-pubkey+cbor</t>
          <t>Required parameters: N/A</t>
          <t>Optional parameters: N/A</t>
          <t>Encoding considerations: binary</t>
          <t>Security considerations: See the Security Considerations section of [[this document]].</t>
          <t>Interoperability considerations: N/A</t>
          <t>Published specification: [[this document]]</t>
          <t>Applications that use this media type: Applications that employ C509 public keys.</t>
          <t>Fragment identifier considerations: N/A</t>
          <t>Additional information:</t>
          <ul spacing="normal">
            <li>
              <t>Deprecated alias names for this type: N/A</t>
            </li>
            <li>
              <t>Magic number(s): TBD2</t>
            </li>
            <li>
              <t>File extension(s): .c509</t>
            </li>
            <li>
              <t>Macintosh file type code(s): N/A</t>
            </li>
          </ul>
          <t>Person &amp; email address to contact for further information: iesg@ietf.org</t>
          <t>Intended usage: COMMON</t>
          <t>Restrictions on usage: N/A</t>
          <t>Author: COSE WG</t>
          <t>Change controller: IETF</t>
        </section>
      </section>
      <section anchor="content-format">
        <name>CoAP Content-Formats Registry</name>
        <t>IANA is requested to add entries for "application/c509-pubkey+cbor" to the "CoAP Content-Formats" registry in the registry group "Constrained RESTful Environments (CoRE) Parameters".</t>
        <figure anchor="tab-format-ids">
          <name>CoAP Content-Format IDs</name>
          <artwork><![CDATA[
+----------------------+---------+-----------+-------+------------+
| Content              | Content | Media     | ID    | Reference  |
| Format               | Coding  | Type      |       |            |
+======================+=========+===========+=======+============+
| application/         | -       | [[link    | TBD3  | [[this     |
| c509-pubkey+cbor     |         | to x.y]]  |       | document]] |
+----------------------+---------+-----------+-------+------------+
]]></artwork>
        </figure>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC5652">
          <front>
            <title>Cryptographic Message Syntax (CMS)</title>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <date month="September" year="2009"/>
            <abstract>
              <t>This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="70"/>
          <seriesInfo name="RFC" value="5652"/>
          <seriesInfo name="DOI" value="10.17487/RFC5652"/>
        </reference>
        <reference anchor="RFC6402">
          <front>
            <title>Certificate Management over CMS (CMC) Updates</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="November" year="2011"/>
            <abstract>
              <t>This document contains a set of updates to the base syntax for CMC, a Certificate Management protocol using the Cryptographic Message Syntax (CMS). This document updates RFC 5272, RFC 5273, and RFC 5274.</t>
              <t>The new items in this document are: new controls for future work in doing server side key generation, definition of a Subject Information Access value to identify CMC servers, and the registration of a port number for TCP/IP for the CMC service to run on. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6402"/>
          <seriesInfo name="DOI" value="10.17487/RFC6402"/>
        </reference>
        <reference anchor="RFC7030">
          <front>
            <title>Enrollment over Secure Transport</title>
            <author fullname="M. Pritikin" initials="M." role="editor" surname="Pritikin"/>
            <author fullname="P. Yee" initials="P." role="editor" surname="Yee"/>
            <author fullname="D. Harkins" initials="D." role="editor" surname="Harkins"/>
            <date month="October" year="2013"/>
            <abstract>
              <t>This document profiles certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport. This profile, called Enrollment over Secure Transport (EST), describes a simple, yet functional, certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire client certificates and associated Certification Authority (CA) certificates. It also supports client-generated public/private key pairs as well as key pairs generated by the CA.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7030"/>
          <seriesInfo name="DOI" value="10.17487/RFC7030"/>
        </reference>
        <reference anchor="RFC7250">
          <front>
            <title>Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="P. Wouters" initials="P." role="editor" surname="Wouters"/>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <author fullname="J. Gilmore" initials="J." surname="Gilmore"/>
            <author fullname="S. Weiler" initials="S." surname="Weiler"/>
            <author fullname="T. Kivinen" initials="T." surname="Kivinen"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>This document specifies a new certificate type and two TLS extensions for exchanging raw public keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The new certificate type allows raw public keys to be used for authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7250"/>
          <seriesInfo name="DOI" value="10.17487/RFC7250"/>
        </reference>
        <reference anchor="RFC8615">
          <front>
            <title>Well-Known Uniform Resource Identifiers (URIs)</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <date month="May" year="2019"/>
            <abstract>
              <t>This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes.</t>
              <t>In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8615"/>
          <seriesInfo name="DOI" value="10.17487/RFC8615"/>
        </reference>
        <reference anchor="RFC8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9277">
          <front>
            <title>On Stable Storage for Items in Concise Binary Object Representation (CBOR)</title>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document defines a stored ("file") format for Concise Binary Object Representation (CBOR) data items that is friendly to common systems that recognize file types, such as the Unix file(1) command.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9277"/>
          <seriesInfo name="DOI" value="10.17487/RFC9277"/>
        </reference>
        <reference anchor="RFC9810">
          <front>
            <title>Internet X.509 Public Key Infrastructure -- Certificate Management Protocol (CMP)</title>
            <author fullname="H. Brockhaus" initials="H." surname="Brockhaus"/>
            <author fullname="D. von Oheimb" initials="D." surname="von Oheimb"/>
            <author fullname="M. Ounsworth" initials="M." surname="Ounsworth"/>
            <author fullname="J. Gray" initials="J." surname="Gray"/>
            <date month="July" year="2025"/>
            <abstract>
              <t>This document describes the Internet X.509 Public Key Infrastructure (PKI) Certificate Management Protocol (CMP). Protocol messages are defined for X.509v3 certificate creation and management. CMP provides interactions between client systems and PKI components such as a Registration Authority (RA) and a Certification Authority (CA).</t>
              <t>This document adds support for management of certificates containing a Key Encapsulation Mechanism (KEM) public key and uses EnvelopedData instead of EncryptedValue. This document also includes the updates specified in Section 2 and Appendix A.2 of RFC 9480.</t>
              <t>This document obsoletes RFC 4210, and together with RFC 9811, it also obsoletes RFC 9480. Appendix F of this document updates Section 9 of RFC 5912.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9810"/>
          <seriesInfo name="DOI" value="10.17487/RFC9810"/>
        </reference>
        <reference anchor="I-D.ietf-cose-cbor-encoded-cert">
          <front>
            <title>CBOR Encoded X.509 Certificates (C509 Certificates)</title>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Shahid Raza" initials="S." surname="Raza">
              <organization>University of Glasgow</organization>
            </author>
            <author fullname="Joel Höglund" initials="J." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Martin Furuhed" initials="M." surname="Furuhed">
              <organization>IN Groupe</organization>
            </author>
            <author fullname="Lijun Liao" initials="L." surname="Liao">
              <organization>NIO</organization>
            </author>
            <date day="30" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies a CBOR encoding of X.509 certificates.  The
   resulting certificates are called C509 certificates.  The CBOR
   encoding supports a large subset of RFC 5280 and common certificate
   profiles, and it is extensible.

   Two types of C509 certificates are defined.  One type is an
   invertible CBOR re-encoding of DER-encoded X.509 certificates with
   the signature field copied from the DER encoding.  The other type is
   identical except that the signature is computed over the CBOR
   encoding instead of the DER encoding, thereby avoiding the use of
   ASN.1.  Both types of certificates have the same semantics as X.509
   while providing comparable size reduction.

   This document also specifies CBOR-encoded data structures for
   certification requests and certification request templates, new COSE
   headers, as well as a TLS certificate type and a file format for
   C509.  This document updates RFC 6698 by extending the TLSA selectors
   registry to include C509 certificates.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-20"/>
        </reference>
        <reference anchor="I-D.liao-cose-c509-revocation">
          <front>
            <title>*** BROKEN REFERENCE ***</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC2986">
          <front>
            <title>PKCS #10: Certification Request Syntax Specification Version 1.7</title>
            <author fullname="M. Nystrom" initials="M." surname="Nystrom"/>
            <author fullname="B. Kaliski" initials="B." surname="Kaliski"/>
            <date month="November" year="2000"/>
            <abstract>
              <t>This memo represents a republication of PKCS #10 v1.7 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from the PKCS #9 v2.0 or the PKCS #10 v1.7 document. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2986"/>
          <seriesInfo name="DOI" value="10.17487/RFC2986"/>
        </reference>
        <reference anchor="RFC9148">
          <front>
            <title>EST-coaps: Enrollment over Secure Transport with the Secure Constrained Application Protocol</title>
            <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
            <author fullname="P. Kampanakis" initials="P." surname="Kampanakis"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="S. Raza" initials="S." surname="Raza"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>Enrollment over Secure Transport (EST) is used as a certificate provisioning protocol over HTTPS. Low-resource devices often use the lightweight Constrained Application Protocol (CoAP) for message exchanges. This document defines how to transport EST payloads over secure CoAP (EST-coaps), which allows constrained devices to use existing EST functionality for provisioning certificates.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9148"/>
          <seriesInfo name="DOI" value="10.17487/RFC9148"/>
        </reference>
        <reference anchor="I-D.ietf-ace-coap-est-oscore">
          <front>
            <title>Protecting EST Payloads with OSCORE</title>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Shahid Raza" initials="S." surname="Raza">
              <organization>RISE</organization>
            </author>
            <author fullname="Martin Furuhed" initials="M." surname="Furuhed">
              <organization>Nexus</organization>
            </author>
            <author fullname="Mališa Vučinić" initials="M." surname="Vučinić">
              <organization>Inria</organization>
            </author>
            <date day="2" month="July" year="2026"/>
            <abstract>
              <t>   Enrollment over Secure Transport (EST) is a certificate provisioning
   protocol over HTTPS [RFC7030] or CoAPs [RFC9148].  This document
   specifies how to carry EST over the Constrained Application Protocol
   (CoAP) protected with Object Security for Constrained RESTful
   Environments (OSCORE).  The specification builds on the EST-coaps
   [RFC9148] specification, but uses OSCORE and Ephemeral Diffie-Hellman
   over COSE (EDHOC) instead of DTLS.  The specification also leverages
   the certificate structures defined in
   [I-D.ietf-cose-cbor-encoded-cert], which can be optionally used
   alongside X.509 certificates.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ace-coap-est-oscore-11"/>
        </reference>
      </references>
    </references>
    <?line 701?>

<section anchor="flows">
      <name>Message Flow Diagrams</name>
      <section anchor="flow-caps">
        <name>caps</name>
        <figure anchor="fig-caps">
          <name>caps message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="320" width="432" viewBox="0 0 432 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,304" fill="none" stroke="black"/>
                <path d="M 384,48 L 384,304" fill="none" stroke="black"/>
                <path d="M 32,96 L 376,96" fill="none" stroke="black"/>
                <path d="M 32,288 L 376,288" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="384,96 372,90.4 372,101.6" fill="black" transform="rotate(0,376,96)"/>
                <polygon class="arrowhead" points="40,288 28,282.4 28,293.6" fill="black" transform="rotate(180,32,288)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="360" y="36">EST</text>
                  <text x="404" y="36">Server</text>
                  <text x="64" y="68">Method:</text>
                  <text x="112" y="68">GET</text>
                  <text x="64" y="84">Request</text>
                  <text x="128" y="84">target:</text>
                  <text x="268" y="84">/.well-known/cest/&lt;p&gt;/caps</text>
                  <text x="64" y="132">Status:</text>
                  <text x="112" y="132">200</text>
                  <text x="140" y="132">OK</text>
                  <text x="56" y="148">Media</text>
                  <text x="104" y="148">type:</text>
                  <text x="172" y="148">text/plain</text>
                  <text x="60" y="180">cacert</text>
                  <text x="64" y="196">cacerts</text>
                  <text x="64" y="212">crlinfo</text>
                  <text x="48" y="228">crl</text>
                  <text x="68" y="244">kemchall</text>
                  <text x="84" y="260">simpleenroll</text>
                  <text x="92" y="276">simplereenroll</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                 EST Server
  |                                            |
  | Method: GET                                |
  | Request target: /.well-known/cest/<p>/caps |
  |------------------------------------------->|
  |                                            |
  | Status: 200 OK                             |
  | Media type: text/plain                     |
  |                                            |
  | cacert                                     |
  | cacerts                                    |
  | crlinfo                                    |
  | crl                                        |
  | kemchall                                   |
  | simpleenroll                               |
  | simplereenroll                             |
  |<-------------------------------------------|
  |                                            |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="flow-cacert">
        <name>cacert</name>
        <figure anchor="fig-cacert">
          <name>cacert message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="224" width="456" viewBox="0 0 456 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,208" fill="none" stroke="black"/>
                <path d="M 408,48 L 408,208" fill="none" stroke="black"/>
                <path d="M 32,96 L 400,96" fill="none" stroke="black"/>
                <path d="M 32,192 L 400,192" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="408,96 396,90.4 396,101.6" fill="black" transform="rotate(0,400,96)"/>
                <polygon class="arrowhead" points="40,192 28,186.4 28,197.6" fill="black" transform="rotate(180,32,192)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="384" y="36">EST</text>
                  <text x="428" y="36">Server</text>
                  <text x="64" y="68">Method:</text>
                  <text x="112" y="68">GET</text>
                  <text x="64" y="84">Request</text>
                  <text x="128" y="84">target:</text>
                  <text x="276" y="84">/.well-known/cest/&lt;p&gt;/cacert</text>
                  <text x="64" y="132">Status:</text>
                  <text x="112" y="132">200</text>
                  <text x="140" y="132">OK</text>
                  <text x="56" y="148">Media</text>
                  <text x="104" y="148">type:</text>
                  <text x="256" y="148">application/cose-c509-cert+cbor</text>
                  <text x="96" y="180">&lt;Base64-encoded</text>
                  <text x="228" y="180">C509Certificate&gt;</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                    EST Server
  |                                               |
  | Method: GET                                   |
  | Request target: /.well-known/cest/<p>/cacert  |
  |---------------------------------------------->|
  |                                               |
  | Status: 200 OK                                |
  | Media type: application/cose-c509-cert+cbor   |
  |                                               |
  | <Base64-encoded C509Certificate>              |
  |<----------------------------------------------|
  |                                               |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="flow-cacerts">
        <name>cacerts</name>
        <figure anchor="fig-cacerts">
          <name>cacerts message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="224" width="480" viewBox="0 0 480 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,208" fill="none" stroke="black"/>
                <path d="M 448,48 L 448,208" fill="none" stroke="black"/>
                <path d="M 32,96 L 440,96" fill="none" stroke="black"/>
                <path d="M 32,192 L 440,192" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="448,96 436,90.4 436,101.6" fill="black" transform="rotate(0,440,96)"/>
                <polygon class="arrowhead" points="40,192 28,186.4 28,197.6" fill="black" transform="rotate(180,32,192)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="408" y="36">EST</text>
                  <text x="452" y="36">Server</text>
                  <text x="64" y="68">Method:</text>
                  <text x="112" y="68">GET</text>
                  <text x="64" y="84">Request</text>
                  <text x="128" y="84">target:</text>
                  <text x="280" y="84">/.well-known/cest/&lt;p&gt;/cacerts</text>
                  <text x="64" y="132">Status:</text>
                  <text x="112" y="132">200</text>
                  <text x="140" y="132">OK</text>
                  <text x="56" y="148">Media</text>
                  <text x="104" y="148">type:</text>
                  <text x="284" y="148">application/cose-c509+cbor;usage=chain</text>
                  <text x="96" y="180">&lt;Base64-encoded</text>
                  <text x="204" y="180">COSE_C509&gt;</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                       EST Server
  |                                                    |
  | Method: GET                                        |
  | Request target: /.well-known/cest/<p>/cacerts      |
  |--------------------------------------------------->|
  |                                                    |
  | Status: 200 OK                                     |
  | Media type: application/cose-c509+cbor;usage=chain |
  |                                                    |
  | <Base64-encoded COSE_C509>                         |
  |<---------------------------------------------------|
  |                                                    |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="flow-crlinfo">
        <name>crlinfo</name>
        <figure anchor="fig-crlinfo">
          <name>crlinfo message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="240" width="456" viewBox="0 0 456 240" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,224" fill="none" stroke="black"/>
                <path d="M 408,48 L 408,224" fill="none" stroke="black"/>
                <path d="M 32,112 L 400,112" fill="none" stroke="black"/>
                <path d="M 32,208 L 400,208" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="408,112 396,106.4 396,117.6" fill="black" transform="rotate(0,400,112)"/>
                <polygon class="arrowhead" points="40,208 28,202.4 28,213.6" fill="black" transform="rotate(180,32,208)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="384" y="36">EST</text>
                  <text x="428" y="36">Server</text>
                  <text x="64" y="68">Method:</text>
                  <text x="112" y="68">GET</text>
                  <text x="64" y="84">Request</text>
                  <text x="128" y="84">target:</text>
                  <text x="280" y="84">/.well-known/cest/&lt;p&gt;/crlinfo</text>
                  <text x="168" y="100">[?crlnumber=&lt;n&gt;][&amp;crldp=&lt;dp&gt;]</text>
                  <text x="64" y="148">Status:</text>
                  <text x="112" y="148">200</text>
                  <text x="140" y="148">OK</text>
                  <text x="56" y="164">Media</text>
                  <text x="104" y="164">type:</text>
                  <text x="248" y="164">application/c509-crlinfo+cbor</text>
                  <text x="96" y="196">&lt;Base64-encoded</text>
                  <text x="212" y="196">C509CRLInfo&gt;</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                    EST Server
  |                                               |
  | Method: GET                                   |
  | Request target: /.well-known/cest/<p>/crlinfo |
  |   [?crlnumber=<n>][&crldp=<dp>]               |
  |---------------------------------------------->|
  |                                               |
  | Status: 200 OK                                |
  | Media type: application/c509-crlinfo+cbor     |
  |                                               |
  | <Base64-encoded C509CRLInfo>                  |
  |<----------------------------------------------|
  |                                               |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="flow-crl">
        <name>crl</name>
        <figure anchor="fig-crl">
          <name>crl message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="448" viewBox="0 0 448 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,240" fill="none" stroke="black"/>
                <path d="M 408,48 L 408,240" fill="none" stroke="black"/>
                <path d="M 32,128 L 400,128" fill="none" stroke="black"/>
                <path d="M 32,224 L 400,224" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="408,128 396,122.4 396,133.6" fill="black" transform="rotate(0,400,128)"/>
                <polygon class="arrowhead" points="40,224 28,218.4 28,229.6" fill="black" transform="rotate(180,32,224)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="376" y="36">EST</text>
                  <text x="420" y="36">Server</text>
                  <text x="64" y="68">Method:</text>
                  <text x="112" y="68">GET</text>
                  <text x="64" y="84">Request</text>
                  <text x="128" y="84">target:</text>
                  <text x="264" y="84">/.well-known/cest/&lt;p&gt;/crl</text>
                  <text x="168" y="100">[?crlnumber=&lt;n&gt;][&amp;crldp=&lt;dp&gt;]</text>
                  <text x="72" y="164">Status:</text>
                  <text x="120" y="164">200</text>
                  <text x="148" y="164">OK</text>
                  <text x="64" y="180">Media</text>
                  <text x="112" y="180">type:</text>
                  <text x="240" y="180">application/c509-crl+cbor</text>
                  <text x="104" y="212">&lt;Base64-encoded</text>
                  <text x="204" y="212">C509CRL&gt;</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                   EST Server
  |                                               |
  | Method: GET                                   |
  | Request target: /.well-known/cest/<p>/crl     |
  |   [?crlnumber=<n>][&crldp=<dp>]               |
  |                                               |
  |---------------------------------------------->|
  |                                               |
  |  Status: 200 OK                               |
  |  Media type: application/c509-crl+cbor        |
  |                                               |
  |  <Base64-encoded C509CRL>                     |
  |<----------------------------------------------|
  |                                               |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="flow-simpleenroll">
        <name>simpleenroll</name>
        <figure anchor="fig-simpleenroll">
          <name>simpleenroll message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="336" width="552" viewBox="0 0 552 336" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,320" fill="none" stroke="black"/>
                <path d="M 448,48 L 448,320" fill="none" stroke="black"/>
                <path d="M 32,192 L 440,192" fill="none" stroke="black"/>
                <path d="M 32,304 L 440,304" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="448,192 436,186.4 436,197.6" fill="black" transform="rotate(0,440,192)"/>
                <polygon class="arrowhead" points="40,304 28,298.4 28,309.6" fill="black" transform="rotate(180,32,304)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="400" y="36">EST</text>
                  <text x="444" y="36">Server</text>
                  <text x="56" y="68">[HTTP</text>
                  <text x="104" y="68">Basic</text>
                  <text x="140" y="68">or</text>
                  <text x="180" y="68">Digest</text>
                  <text x="228" y="68">auth</text>
                  <text x="280" y="68">header,</text>
                  <text x="60" y="84">or</text>
                  <text x="88" y="84">TLS</text>
                  <text x="132" y="84">client</text>
                  <text x="212" y="84">certificate]</text>
                  <text x="64" y="116">Method:</text>
                  <text x="116" y="116">POST</text>
                  <text x="64" y="132">Request</text>
                  <text x="128" y="132">target:</text>
                  <text x="300" y="132">/.well-known/cest/&lt;p&gt;/simpleenroll</text>
                  <text x="56" y="148">Media</text>
                  <text x="104" y="148">type:</text>
                  <text x="264" y="148">application/cose-c509-pkcs10+cbor</text>
                  <text x="96" y="180">&lt;Base64-encoded</text>
                  <text x="264" y="180">C509CertificationRequest&gt;</text>
                  <text x="484" y="196">Verify</text>
                  <text x="532" y="196">PoP,</text>
                  <text x="480" y="212">Issue</text>
                  <text x="524" y="212">C509</text>
                  <text x="476" y="228">cert</text>
                  <text x="64" y="244">Status:</text>
                  <text x="112" y="244">200</text>
                  <text x="140" y="244">OK</text>
                  <text x="56" y="260">Media</text>
                  <text x="104" y="260">type:</text>
                  <text x="256" y="260">application/cose-c509-cert+cbor</text>
                  <text x="96" y="292">&lt;Base64-encoded</text>
                  <text x="228" y="292">C509Certificate&gt;</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                      EST Server
  |                                                    |
  | [HTTP Basic or Digest auth header,                 |
  |   or TLS client certificate]                       |
  |                                                    |
  | Method: POST                                       |
  | Request target: /.well-known/cest/<p>/simpleenroll |
  | Media type: application/cose-c509-pkcs10+cbor      |
  |                                                    |
  | <Base64-encoded C509CertificationRequest>          |
  |--------------------------------------------------->| Verify PoP,
  |                                                    | Issue C509
  |                                                    | cert
  | Status: 200 OK                                     |
  | Media type: application/cose-c509-cert+cbor        |
  |                                                    |
  | <Base64-encoded C509Certificate>                   |
  |<---------------------------------------------------|
  |                                                    |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="flow-serverkeygen">
        <name>serverkeygen</name>
        <figure anchor="fig-serverkeygen">
          <name>serverkeygen message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="384" width="544" viewBox="0 0 544 384" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,368" fill="none" stroke="black"/>
                <path d="M 408,48 L 408,368" fill="none" stroke="black"/>
                <path d="M 32,208 L 400,208" fill="none" stroke="black"/>
                <path d="M 32,336 L 400,336" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="408,208 396,202.4 396,213.6" fill="black" transform="rotate(0,400,208)"/>
                <polygon class="arrowhead" points="40,336 28,330.4 28,341.6" fill="black" transform="rotate(180,32,336)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="368" y="36">EST</text>
                  <text x="412" y="36">Server</text>
                  <text x="56" y="68">[HTTP</text>
                  <text x="104" y="68">Basic</text>
                  <text x="140" y="68">or</text>
                  <text x="180" y="68">Digest</text>
                  <text x="228" y="68">auth</text>
                  <text x="280" y="68">header,</text>
                  <text x="60" y="84">or</text>
                  <text x="88" y="84">TLS</text>
                  <text x="132" y="84">client</text>
                  <text x="212" y="84">certificate]</text>
                  <text x="64" y="116">Method:</text>
                  <text x="116" y="116">POST</text>
                  <text x="64" y="132">Request</text>
                  <text x="128" y="132">target:</text>
                  <text x="260" y="148">/.well-known/cest/&lt;p&gt;/serverkeygen</text>
                  <text x="56" y="164">Media</text>
                  <text x="104" y="164">type:</text>
                  <text x="264" y="164">application/cose-c509-pkcs10+cbor</text>
                  <text x="56" y="196">&lt;CBOR</text>
                  <text x="100" y="196">C509</text>
                  <text x="136" y="196">CSR</text>
                  <text x="168" y="196">(no</text>
                  <text x="220" y="196">pubkey)&gt;</text>
                  <text x="452" y="228">Generate</text>
                  <text x="452" y="244">keypair,</text>
                  <text x="440" y="260">Issue</text>
                  <text x="484" y="260">C509</text>
                  <text x="64" y="276">Status:</text>
                  <text x="112" y="276">200</text>
                  <text x="140" y="276">OK</text>
                  <text x="440" y="276">cert,</text>
                  <text x="492" y="276">Delete</text>
                  <text x="56" y="292">Media</text>
                  <text x="104" y="292">type:</text>
                  <text x="252" y="292">application/cose-c509-pem+cbor</text>
                  <text x="432" y="292">key</text>
                  <text x="468" y="292">from</text>
                  <text x="516" y="292">server</text>
                  <text x="96" y="324">&lt;Base64-encoded</text>
                  <text x="196" y="324">C509PEM&gt;</text>
                  <text x="52" y="356">(key</text>
                  <text x="84" y="356">no</text>
                  <text x="124" y="356">longer</text>
                  <text x="164" y="356">on</text>
                  <text x="192" y="356">EST</text>
                  <text x="240" y="356">server)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                  EST Server
  |                                               |
  | [HTTP Basic or Digest auth header,            |
  |   or TLS client certificate]                  |
  |                                               |
  | Method: POST                                  |
  | Request target:                               |
  |            /.well-known/cest/<p>/serverkeygen |
  | Media type: application/cose-c509-pkcs10+cbor |
  |                                               |
  | <CBOR C509 CSR (no pubkey)>                   |
  |---------------------------------------------->|
  |                                               | Generate
  |                                               | keypair,
  |                                               | Issue C509
  | Status: 200 OK                                | cert, Delete
  | Media type: application/cose-c509-pem+cbor    | key from server
  |                                               | 
  | <Base64-encoded C509PEM>                      |
  |<----------------------------------------------|
  | (key no longer on EST server)                 |
  |                                               |
]]></artwork>
          </artset>
        </figure>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>The authors thank xxx for reviewing and commenting on intermediate versions of the draft.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1963LbyJXwfz5Fr1y1kWKCkmz5pvE4oSk5o7JlaSU586Vc
rhAkmhTWIMAAoGTF1lbeYfcB9ln2UfIkey59BUCKpMfO5Kt1UiMSRHefPn3u
ffp0EAStq33xsNUq4zKR+2Lj8PxCjLJc9B7tPBM9mZfxKB6GpSw2WlE2TMMJ
vBTl4agMkjjMgnAoA1mUwRBeDxJ8r2yFg0EuoVfoKsBuWi3oYF8UZdQqZoNJ
XBRxlpY3U+jp6PDiFfycRXE63hezchQ8bbWm8X5LiDIb7osbWcDHIsvLXI4K
8/1m4n6FNyM5LS/3xV6rdSXTmcT24zybTWFC3Vl5KdMSJwHDijCNBD7K8viv
/IRmm6VFmYdxKiNxmF7FeZZOoBFMGronSDd+zvKPAKX4A/aLzydhnMBzwMDv
Y1mOOlk+xsdhPgRINi7Lclrsb2/jW/govpId/do2Ptge5Nl1Ibeh/Ta2G8fl
5WzAHQbX4+1Pnz5ttFohgYrzCQQj/03877MU/htm8FAI6G5fvD06oS+SYUrw
lQ6uz+/TOOvEWauVZvkEpntFqDl71Xv04OmO/vj40QP18fHejv74ZOehfuHJ
g0f649PHu4/0x2d7z9THZw+ePNEfn+7Su0fBAU03GGaFDIaDLA9kCusso2AI
RKVfIRriV5CAgGwyXqf9VitORxWgHzx7+liPs7v31BsHsTbMwilRY1YMsxxa
tYIgEOEAl3ZYtloXl3EhgIpnuLYikiNY7wLWO8+ShB5lVzIX53I4y6W4yMO0
mALliU0g5C0xzTMgtCwR2VTmBGPB7/90cXF6TlQ0K6S4hmVk5hk6zNMRF5fS
bVlM5RB+BHKLU1F6cBWzKQ3b67pdiCiGacSDGbZv10YQ0syi4cccmNT5HXmg
kDkAHxRxJMVHeSPGMlXAwTSQzhvn4MIZJkVmkOhMjfjJGfzMLCpQbQHo7J29
2fKm0+GFmsRRlMhW6544Sss8i2ZDavT5Xoxfb1utJVfq82dFv7e3Bj5apGAQ
FoDxCqz/r4MzpUbIFdCoGa+EtgWL0hHiNLxJsjAqQAhIcXB4pmmeml7n4XTK
C947Pgc05DfTMhvD08t4KI5lUYRjKc5v0jL81FbwAGve3m6B6MwBGTBXWARe
mM+f7+AwZ+6hGGaTKXAAUMbLEweopJR5SgwGMhThVbjwV71OCTQ9EOVFGYJg
DZPkRhQT+CNzWMluAhJrNlZMcB0CxcgrmWQ4dWKOoSNr4ad4CB0CTiZxGrVF
XBZiAKQ4wg/yUykBcQDbLG1qpRYSiJXIIcmuYYXT6DqOYJgkTj8WhHhoDyJ4
LINiGCawZnKaZDck3mFy5wx4BTXebHMJpCiF7Zr4p8xyXK9c/mUW55K6A84a
DmWCQAFVvjkXl/BmcRl+lAUzHUAIcE7DnDhMsSEgUKsinMalDCMBGINvqZhi
g9EsATKMphnwQfEDoGcYoqQh/EYZAJhmJcme7vnbzu42rCPgcTJNCChF6MMQ
VN9VFkdEC4n8xC8bWHDabXENlHip5lvQM1HEf5UEqWoXlzd2KgWILvi1LMPh
RyCIfARSmHjK5RE9RBIP8jCPiaSOUgNHcVOUclKITWwnP4X4tI1EksphiUsB
zbdgnLDEhyVQAHAd4KmQig7EMAmLQhZ//9t/TeJhnuFbyLPwShvwmxYIz2U8
VWtwnvXwVRZyxBoTQLQLMKsdQIYEfYTrhdoDfkoAGQAdim2k2FKOc2tTgHq4
itGwgW5hgu8cGQr4BzEBawF8EgKARVGB3O3X7adNo+RE5oM4AdTzFJBMAsB8
EMagdKYRUin/gsusyBVfAtK20g7gB1FRMk+gqZYObzpzlSKYgY6cZPSHeX7D
c8oG/w6rQ3w7TXDRs5EjP9SvbcBkAnSCmEA6KcB+YUG8jcxRGrGNAL07OwJK
AeYysk6A6HBEOSD1FVKIY53xEjldwkwAk3q52sIzZj2eJoHRy7qnLJNOznsn
Z4fYnhFAUtqRsQ3WBUAEwo5055SWCBgDsMC6XBbxOMXuCHEIxjCJCeQoI3ZV
YgMIEOUO8QgABKAqPYw2XyugGadZGrw+PA6yFOgHh0ODFJCLKGUr/fyMhrqZ
4qwThEcGho5Q0OOaw3KGf5mBGIvTEJZxkGQDMbihXhQ1TsJ0BhyMuCdQQo8Y
QYxmyQ/0vp0P8heou7gUgM8BEMsEB8N3Tk/gpUEWEVL6ROCSdWkf+1ZPcvMM
lyGblUzxMAES66gEkJ1JVmt8zMOFA1UqJUAFch+5e5YyW9NC44vYTk0ZXhnL
kp5OZ4ME9DD+uNlHvJ7Sg9fypr/FagResjSEfI+LKNGiofd77m9n/BM2HcGE
4NWhjK80J8AUQCSh4klBhTC7QC+v5aSHT6HVKM8mZlZsq/1gTMUhmDG1OZOY
ibRMrsygLWznLCnmg9xAKBb5KFGaaNC3NoGEUm3a4ndg8xTkNYCOahM1OND+
EOUhLACwjpKPYiInGQypaUFpDuB8ElKGzSaoUavz9zUe2g6olWGIJB5fltcS
/1sTdzOUvgtQEc4TCHONLkX+VfdZnINAwOU/0zSjWXdL6RuYZTd1J0SwhZbF
AVWa4MCFnoUpi92wvgBEPGHq0A5N3HNAnGn57kdIjtMXcaLfFerfF9GDzse4
QPV/8CNDXXG3v5gJH8soDsUF0A09VCThPm192Q+q/xoe1X6sv9PUEUypPwyn
Rd+HOpwq1Yq2/BDVwo358W1GfzZBAsst+NAvgaq2QeHFKfWi+kTU990+u1V2
AKvnCtRvY5/gFCQKW9vWE8YO7iN99d1RGPjaCCBK4tQZZ9lRaIAfgNDAkP2R
OtGj5Ql6331nTmdvgDvLEGyNsLb0i0ej6XCH3ozypO93g2O4yFp9DK//Asi3
zM16fyEmwkfor5FZv8665GCsTtF6csf6KCckzu1YvoQ3/Mo//glGb5wC6CAQ
rrrnygt2OF+b0tSaPdYFw5kZTT8Oi92dOWPOpceq+vZB8OIN3wwEkmyALzCZ
GAvn82MavwwIUzkxEHzeF/fKcBBk0yJAsXEVy2tBUdQfN06snD2wcpZUz4GS
sxu3GOjoZekVSkt8E7UyvR3z98/3hvbXWxbgOKvrLAfjZuP43fnFRpv/ircn
9Pns8N/eHZ0dHuDn85+6b96YDy31xvlPJ+/eHNhPtmXv5Pj48O0BN4anwnvU
2jju/mmDTYeNk9OLo5O33TcbjdoDFdVAWkOODNAWmMRD4DzGxMve6f/89+4e
KNR/wbDe7u4z0Jz85enukz34ApZ9qpwdNPX4K2iWmxYGUcIce0FbBCR6XIYJ
uj9gXFxm16lAnwD03W/fI2Y+7Ivng+F0d++FeoAT9h5qnHkPCWf1J7XGjMSG
Rw3DGGx6zyuY9uHt/sn7rvHuPHz+OxCsUgS7T3/3osU04jhdMp9wsGZWNKh6
UPPW3Nhv7VOMEumtvHH8bXTzfEMUFzgbkCfu+1Q5KiYTtsUwZdV+Ut5cG0N3
xJe75EbZvpvAALtvKMlPxveUDYTGp3F40OFDb578nLMukB8YfDKtmojaiu91
l4as10WIPONQbx+UN2SY+rCipAdA68FT6EoZctShbx5ir8pOQjNwXizK9Tlo
RQc32sxTM1zaRgR4TrNTBOU0z+AN+P9phjguOJL5R5nbMWlmbMlT30ACl1kS
MV1M8/gKZT6KJvCL2diP2GGsOlbKIdCY6JAInIsK10YGYUg6oMhv0et2/d5w
aXQtjx0hjkp23xW0YRom2Xgm2cUH9/Z17/ze7g7BQMSDexMgtzSjYWg0CvOo
Ekj51g6IJd89ipj4HgU7680uhWtPWuTkvirnbYwJ2ezoASKKllCoMGv0HRds
OWimFpufP7t6/fZ2q+bompDnlAm2RoXI5ualj2l2XSVDQ8+OTLuOQZsoiCRH
KCu+dr+YkaNuvOpuMkYxcDnp49r0L16eN68hqR3QiIUsNU9Q9BBGpRArRqj6
YFWWNwEDCTD2xWYhJSx45TnuBpD7XgXGDgMSgRqBdACE4P4E8OJm//I3v+lv
wcReqvBxmmmkbbscCvRxhVuWA4zCwjsgJQQGs0IKyWF8EYbA2C3Y0NH2FYkJ
Ge0rDOkXHdQ0zL4fR0GYjINZig1k1PfxwfPTXf0xTGbSmZ34q8yzAO3q8tKd
IkzNLmfB72M4floaei/U1lYd2TRkDSpaGN/MNISKLbQ9IQgNQHgVbLnxGpR1
90RlYGHwBAKuutLzQrOhSMHSpDk5Cxfqntr16bWVSUbCSX4aJoCGKwyN4FaU
wc2i2UL7GIQ6SQfiHqSeZqoxQp7kO8qLBnSbadOCb168PNjdsui0Jl7DJqSS
zGQWgvMWmzDTIv4EGk0iikTO5VI0MTnG5ymxBkaLi7t4rEaIuaQQX5jeWOE7
jxbRsl0mYqoWhwmrd9bVnq3oXYbgdJ4z3G8x6A7ak54FajIBphIol6L+tt0U
PX19VIuJqzQBVC8XNWxFxn9piru7Ctkq7jDPwxu9S0KbeSNCAEPEvGm/d5Oy
3xHdUiQyhG7AW+cAs/u2+66lKmCAfjoDzAHG/sP+G0ZR0qoj4UfxHjNN+Ak5
0jgZ+mlbYDdt+zOMI8S5+ey81Gl9cMdCp7HIZvlQIt3TKvy4geoS1xEB2dBc
764nuAHsUAHjRrwM4VxyoKg3zYaZ4lwjhlkA0LMNC+P+pCDu83Yr2n+ao0DO
JEZN+7uiTHUNtmOrVSFdJc19YGlRlNQkc6ouN53NjYEEYmKzRG3aeaYayRhf
cBmLyxoCescFh7pyrVu9n1oxCPS0C7NnMMXttrgsZDKi6bPtagSDslE5hkNW
aiUIr/cvkfI1Yc0xjsmmY6V2pIxEs4PGC0kBeDQP+xeDwom99JcOVMO6OLwd
FvseW7T8uXnsUJewYt+qsqMIHSKAMm83NLExvX0dG1mLR5aR9wZvI2BF0W+A
sG8wvXqov232KZJ4EvO2Q6cZshpAtJDu0E26bp9k6CQrSqswaa/NyE5X/bQF
CAtqcXbedehKtzBZH6S9WOiiM3ON2RU6N4U61QaQGMCfGQzZf/8f8BF4D/wL
/emDozHlJ5D/tAfDrPb40aOHTzgi46Y5LYFTZTE4HgYK9wob1ZyOWuhU2c4x
eG2B8ysYzz80qHjaBu7xNmPwijf/q1pP7UIGHNsg3woB3ZiEY0AzYGkg8w1s
BabMg7bS7WrzC+WJQm0ZjsWjR0+ePeNkIn9MaPpQBSacWBlpXMyws77dg84D
QtW9ZhFMRIAB6FPlFL1GKvh8b5pNg49yAuxznk20QxR4xiNHi8wO6yb8iCsU
TotZwtJyIlG7xMWk2FKOFvtiuFOMtrsjxq0QBrldkm04UrqnzMMoVkkJVQ8j
z2Oj5OY6xiobgAzX60ugpsXuGTIMYsSxkr39MVZIKqgF5Aw9xDQpcvcXRD98
SsIhHE9Ub1za1D7FDsSCFCDFyNVVZUP473/7T7NlisgxKFfckUvc1gZfHtBE
ywzvjBJwc+OCkgZ6tX2HffFuSrbXUMbgD5GBRbAu2vPWZrXd3DALWsUe7/jW
QjF3b3PTnrzD7fUdjwZjTbdXSgmgP4ocrYLpnqh5iG6BCPRzFF/6sSFnfn0N
DXSU4vZ0GQ+hJ87V6BMgfR02Ov+pGzx49BgkP0w+B6pISx088pBU3amnrjTs
pjcfaus/oeu0r0SV8gxzOcasxBuO3qBlA8tycn5oW21RZN0OpPs1o9HCxdNL
4DwwCpEPMKWI4o1OAzLFRkCql56VCKogKOMJevxDIAyirv55Xzv/HMX5TVEh
QEXbLjtC41ARoaWiokTm2gy1A6Cw3sYh2ibCm8QjiTBsGYkTzZQsUmtgeqTU
BrV5HUkPy9CZZkSOSg+rr2HwroJCiqnRRjKNMwcbSn+Y3A2KpyADHXd76NbO
OIGrgVzmO7BufkttCNyVF5R+j8ELtUkQzKaOlA4xPjILE8II76V5ljLjQK2Q
AVnJCF4EtaeqHldXjdcidBYNUaxiSIUVtPw2ZYtgVA4nBnSAgJPDj8F2ADrO
IjVFvS2BU4zgBxy//7rPeRBIepVhpErHQXROwiH8PkazXA0eXi1Csz8kbU1g
rhFntjbFUEOOrBgNp5KQQWijcT/yfZFRGCe0keKj7zLEZNgpuC8RxyJ9NiG5
6mgoWMCjSv6n2pVCafATkFgA0gmF0ybBraNvTHcgUfa2kNVBqoSzBGy+WZpg
nNVNwVWZY8DDwMkF5mHjqrjJsJhb64ZAJO4LDd1ZIVuA+VwoRkORRZY0hZvg
bzzmveRpEqqgrkzjMAmyUYDzx/ytPC4+YlD9qPu2iwSjVbSK9aMgRDQBTzkm
jhMMw7jt/OD7pjIhYe2gOViPtGGBeu/d2RtxbhMVAbZTzF3sAVOQJYzmFqYK
zvIkMAmNt7UknNr2KbOldREasiIX71o97LBxKMSZSW9wBtzkFJi2SVtp29SS
ts374I+gn4leLi5OxR8OL9g/bB1LcHqifXzS0hs1JaZXl/tiu3MtkyTAmDuo
b/hl+7kZ/MUybyfhQCYvvFY4ppf5787G2CZt4UUd2rWQQ7sSInDmhqmKlcnh
o+83u27dFGWLiuHb23kkNhky8RZs7S7SiIzAQkM7zs0Wo6TLEaVu5vXlR7kC
q8YvpG6eiHnF5Ikp27yvYO4rKpRjh0yLBQS4X7Wvu38ihKPrGRnT3+tURXlK
l0XozBMybMSxwVlcXArF/CxXJyChYlho0euS4PQyz/NsFCe0+YrBGnTA6KzI
CAD6fI/cz1J9x3gNqBpCoI6kDcA7lw1Mii6Sq5PxiAR+ZcFuTHfVHN/GXx7v
GR1OelBnPyuFQtCZiIDe7Ygk7uHHKc5+2OBQq3NYBv2F2AP875JE2jOiwJPD
GApVoUTysJQPqhETHCoY+gJPIgCmKJDLScp8uqXmpBfN+QUmldBL/bNi84ub
HKOy/5z/tJbJBDIJVxUxLjEIALNI3JxdSuxaJjY2f2xOmfMz5mBsMK//jADA
qJyMp8MWCNFBWIb9rx/az1FqnrarvdYdrxZNcdPwqrGYL5UlX7Rq0Flt1Ywv
iDRg2d5xOlcZoZqctwhBF+rV9RHVkBZWRdThcZ+CKOI+keH6ROAnOFZyI3mO
Z2/sVOaeq1zUuZOh2dD5ESWELjeAzo0jERGwiFCpcVYWFOJdMScxjoKonKxr
aUIHGbwsXLJfQ7AbC/KuhzadF7BOmXLGZlMejZPxe2AyfkEbwGhgVpIUvSV9
gU/UD/NAClkN1nJwdCqxOlCFGAyU5B76x2q8LQd18rMwGx7pVfZRBRInaltR
nyNBCV/bZtRHRxlQFSHUhomao9JuakoN2SFoImgVqL1nHuU3OrHJohARD5C9
zVytSRvCBeWLiAt/ijY7zmzI6OQsP3GcR44LzzZZw/5UNhdOnY0tRonS0QYn
/B2QcoJe8hDzzdrV5bFRrgc7O1bPIwlSAOjYKMR9j0jhp5eAlH3RFfQgoKDK
ApJt07am+oauLh5mlHVk0pqzgUCJv+GQjj2qoy79572zF8/fvHrRd1oqZJts
CgzK4hkMPH9EbQvbIXl5tpc2f4a/uButO36tYOY0w/Qvs6xU510x6yEAtxr3
FDHI2ammJ350myq3xuYsuXO09opGig5OMkfaEyYjmzMKn+PS8lQ9WutS1hc9
EVf0HVAcfsoJxK2KaVLP+2/iZPMa+JL8ETN4ain9d3ZQOD0Utotann5zF/o1
7II/u114+mR+F7q5bVrLsG9ual7D9uqL6aSeOt/YiX0NOtFfTCf1hPjGTvzX
MNXMeVDpzE1tX9BZXu8ur3VYS1Rv7tB7rZ4I5+hVElqGfZRmJX1l2HFR3rmf
FUhhNxUQI11GTqfMc4ofK8YCGRFablMneky+Tol2V+m7bvOPGGHCL5/zteFV
lu1M3+pP0VK0in9bmnBaevFb7uK1fNS3XNRpsS90Fyj1NRlqxW5otG5vLNiG
sjYkIdG3A7TLS8cQUw7gOMmXde2sYFhPQ1M6pwLnn0Ih6/VsVMoWFb+4Yl7O
dXB0dsV5X4IYVk4l6BBPEt8Z6CkzDuyDBzt7qHD34I9OwVOh8sp5JtSiuBVr
MvHI8j1wKlRgd72uV9WHLKDAzTrQxi8+o18JRGMAszarcwlltaoEncrxNE2i
Njir1y7m+DhuGpOrXkE1RR1qjn2DWYujrck23Uoy0a+fcVhGNtuyChHfi2lM
HGZpdpF9g3pLLfXTGMsmirjBthubXyU/hXS6GM3ohpMP54wSrKthKFr3ZLZK
tM1JXAlvXSKs+ghkJcez0qR/eBGO0V5+ExZlcJxFFLHDBz3oRwY9rlChT2If
0s5OoQNuhZOK6nCR3tLUqRa4chMZ4qFinAjtw6a4TTPIZmnUcbi4MKRR+Hzc
qO7qXKHOly7BxsSwBf6ujlY0nYNpYt51lV4DnP88PDzPIdUI+T5cXI9oLmJm
G+jM5RRzm1LOA8DNBaBdP0nULAj5fXEOuJG8K6kTDZo1xg9UXIjIyLRg/UY5
MxRVKnnbLc+yaqUsitirKCzC1MFd1lCcqTcxGsc1UwThQ9aRWmFnSli6BNtS
bOhOMJHxHXWy4Q99kkQ/A+7hT1t/fiuvmdHhg/qtVhnBQRRukjRs82FhNed0
T2ePZGBdkhUri7JGK4GM1LM3JDryJLBWvZEg2qckEUbuoWP663Qw3Q+dxCgK
vdehn46ak+3uCDAq2cYAMIDk0lYhq8s2c4I9HGDeJonYWZ4jmbkw8YoTF+Ni
h9YH0GFQlcukE0BNjqkFU0fGyPmSKdpjDYFC0AbDjyjvoQfKLRZJxkcacZnQ
BAKITCKEhlWFB5WM05mGnOSKKwHD+uCug2BPSDNKVxfSbtmAfwrBrDzOlVu8
/x184DTQH5+nLz68/1f4Hk1/fB5NX3xgOe9vrJrX+wKGyjG7PA8nuN2nUiBZ
QEZyGE/CxEpbL4kJ0cu9OKlVVAUJ5SQraZIrP6NFoXqoiTt3w5mCah7tGF0L
Y6kUI2BZsrBoFm95FpzMkmbue66t4E7YP2S2ABoSWJgNNCvIAdrE7e9XaN9s
6UlV+x3YKVZU5PypUYo1RkBQDpy9qW2C01IuXiectSdET7Fam4hNpvkvtwhh
UWTDmOKzdj3cQoSCKsXpAQcZxoIdLGmBjVNCTeNBtBQ0ILNZh1DfwzwusYpd
p27KGLHxbU2Z2v7VXe6InkiT27FYLvrtNQVgMirpDszyL1TemfMm7QCLv//t
v5QqpoNfADFug3GuSu3cJDwN9TlzfYbHffYaM+jMMYa2y4rwBUUi2yf4LZWf
SvsNMdJzXtb0cKiP/xQMqqvc+oiGjzJCR67AKp792uFiPBqqjtEUUmOCS3BN
kcx8AD2QMpNOqBNKyZFh5ahz84xyZNWolSAKSMKnVqK4/QZSGjMVHLVodkiv
4lApyVaLBZahZqVrv140afuEWcCxS+b6W3ONjyZVvKavpMb4J1HDq739j1a/
q0r3ClEu1qtr6Llfo0arzPnXotIWqLNvKR+qivJ7KcllFeQ6ytHzRvNkjaCa
T1CV+JnuJJejRGc845q42o5zmFmpURjN1TSCigjqzk3YrdKt0524L5zm35Yi
vAJaTr6rU0vq8z2bs4l1pzhU31x4z3sXpbXSFk1Zn/WtOpUIs2KGLR/19bNs
F+oN/4hCRae4yeQqu4APNkdsYPm1Ye/MjVGp1XNSVh+qE7GNPz/EPEqua9wE
aZvoXNJJruSGtb9GG6yD2a1WdkDDeSqnrAQdvlNHBPD4GWa7O0f7bPY8p/ny
iQ4UnNWCEOuciqtZGxpWx+QAq8+ZvooCV+wPL41WReX5uFA1fxBTAuyh6dst
tyRN6B8g66yXoq2MBLNt7ErIRXmPrdbzl5XtKBd0lbp9NHL9XHvaXJeqrp6z
u1tC7IFc33wJxqua2xZ71o4mMykD5vCfztIyxOCcc4xNUarQ4vIHkaGxfB1j
cZu4rEPxaGeXBZQ5SCKbFJdDH99We92htGwaKRCUPudK5zW6c9Ic3DbmWLY6
uDXnEBvmSfFJOHoZMU8nS/jMWVo5DBQKunMjcSWuLRh8Z3mPLcdV5NQlLrlD
Q5rwseqOjzubeRuC0CdDtzpVy947DYVd2hPLqkRv9fAW1wsgQqpuTWVmxQHh
KP3c2QGVeGk2+vC+j4C6JPQrdJmSN7U6tz6J1SSYO84vJsVMZQolvqguGZHb
V0goL59lrpRqygZvFlVNOQovrC+0IHO8knPHVXa8Y9pzchHnVvRwD9jNrwe3
sNAHbRIrm4AyExtV9Z4TvTZSqkIDv+rdcWKxyBXptNNQwdR6O+aGM/Mqb+aN
3Jk38iewYsFni6m6BJ4k+qQq9zTstTdxY/7N+HFUr1gnLhxJqSJpthhOtWyP
rYGjU2TZ4cW4kz7A7CWRqkBXXN+wH0j8nfCFCkUhTEa6Klat5lDfZvNUik80
FG+6bSoLVOpEMGtE6UO1NiY3kELb0bbOT2XVvlqM5d9HkJ15hYZVoVBalvkn
1Oy5qJVEWEPtyiYpk/8q5Yymwpq8WV+QOG4eTt7NVdVCZE5JJqPiFxSEVEeC
TUDLlheoVnrUaQTaBfIJuVvQYYxZUbh76bt7Ty09PMNSPuY4HhKPM0ThjKzO
PDurRzttWG+Y7nbBw8g3bGlhIBzsFjXBRuCxKZiWobE9oTW2ieIxVjRWcofq
ysoRV97MST3WL/dxwrQ4MN16As6yPmNCdi9lQy0GqC6tnQX8xWW1Kdy1sKqm
Zx6oedpikg1VM1epmGn7W1TPr+1VCLOFwBaShpldQ0VMOyzFIdcohukA/lXl
MIk2cGZfURFzjUKYX6Nd3MTub6tbquLdZ4bvJNzN0cI7bEg8adipGPa868im
TuwEvelUIi2ZjlLQeZkFgtSYo5biNR907CaUv2kUyUSWTOKuyCafDffy9AVq
eKg54+ojpZsShTUvBlTEG0WzimsUJsKc3Ji6FLxRoy91E9MM8GhqUdA9DzI1
u1QIAx7rya7RJAPdEBbqfh4+Cah8aV3SAr06ZmV3EnwZTckXlBHylADAS6jQ
uEpl8gNGip2z7rBceOEfwoGBN0o9ozRNvsYQJX1PXeFjwr0GCl0cp6HOBuoM
98ZD7Jk8K9pvwXMbSbLkqQwgeHuXooaKD8Yvc3OMtph1CS/cPHZuyNykwBI9
ADRtLePOkZVWLWVihM0IZzbAq+cwMoMn62ikjlvWvnAuu/SqoNQyU5c6mIsU
hGtcCVVfm12pqcRxzBWeMEg1BwwUZFBmAV5sSDBQ5mW7Eu3xLg9UNSfbyiji
y/nMvXz6ej1zd6B731yTFkCmj9MZn+lhjVC/9tG7D1PPev7eb/WeOlUPRy0B
b+dxobgbWfroYUGL3bsbIFQs4K0cZ2VMo7RatDVUXzVzu0Hz0rTdxChLCuDy
cNey5rZRHTIbDVPa7s/OK3/GV/SmI/Xc8CuCYpzJovG6gQePdky0onETxz11
fHfJlsZEzGV38NsO2fDiNXpOu47n5G4N9dfYG3LBVPHnRVtFJJ7UGW5Mv/2D
cRbucDdAEdF9kaCGm70I5dc7VqwWUs1p/nM0G1/0ZjWUVlz6SgVXKPFp7VLX
O8Hmk5C2nROW8lSde6IynRPMWLb1+/7PrVndralfyPZHjGoq+qktzRX/6BQK
a5A8KqZJpRzB/sCCjIQw4KRRPJ6hXivzGb0xvMTduuEwy/XNGMs42sxn3McE
fkjmXGYZxaMR0ifZVnSnKMWralJdZcVfmZmz4qIOY7eIixQ/3WDtbwU+Xl+O
xg5MSV1CSLeB4t6R05fZRYH5oLuAjj2VkT0GrsRj5phBryqh0RZVkl3TIXhY
MkrcusTiQA3nB+hGaCzwVbOPsDoXb4L/jP7Ca/QXqGbWma6ByO8E1p24vatY
GKWqmDPqsKK5iVNv+KNsCFNqEboB7R4Xl44tg3el395SARwE6Xw2GsWf8KIs
rs7dM9fU0n14I2S3IRfIoRQBfJgQMR/ZG3UayuRUTqWr0i9Hhxev4I9ffvQL
1hKYhCl/pmWv3PMaLjDv7PHjCkr1AeTmNbBGAsK2cWu5kT1xEuZdW52tunSm
nvb6yzZ/NGcJZ2kk9QEn9WicZ7MpNMdTTYfK22KmoptptjZWjJwRLbwif+yL
IFe+VlZAPcUifLt0epyi0l9qF0fgTzb/E6nl7XaXnp4cHTjfTnVul/sK3tRr
v/WomGyJLxw6d0PoC+2xRN6CGA0X659blHK0+N6XzUq6CIi85W6BQMBdprlY
RKpMQppMq6h06dQlz3MTvlhAnao04FdTZ9Ngv2bi3HOJ83ISDvFkkyoqWafN
OAoa3mFKBZOy83Rvp7O7+/DR3jP48mw+4XKLncdi56l40BVPH4u9p/jfV0/E
zoHYeSB2nlVJGqtdsj3njLw05fDyaspxK2fOo5remejaM9lVchniuXZ0EL6e
YryBvjupYITsvrpa9X6w/r/7Dlm5MxIr/fvSuv8j/9N/1/mHsCBtPxJM2fvu
EL3jntbcehORqL8Bli+mlInDBdwZMMJwMgyGtetGFvUCVO+BAizzsPMYfLFH
8L8n8L+Hj+fixfYCQt/vRbHRS/qwK3Ye0f+f4P8f7M3rRXOW6QoMHYH3wcyB
oLkXs89JSw991e9fmdvLL0N1JsLr1CZclA1mGNi5TUDFJChKsLiCnn9jGtrZ
HJdQFRU5E6+aGmdKvmKIFZumRJPOSJhxOyjtT/UUtjMdYDM53rByIE1brROd
C177RReANDeKs224ry4Eh0F1GLL6wrlkd3ZeQFNnlYLN8P69Z1x++IDJtdUg
UrV/Ao8wRIa2rqimilPXugQ32eLK2eyg1yZO7L3+GpbyyG6qOZXoSr7KQy5X
ahPhm+Hs2tCvcyUmiM7figM8TcBbZ+A+gc2Ny1fYQxQMFfbyW3HsXDCxWWzt
0wUT8PxVnDjZCvRLB9efmgzjtMyKS4HVT5nsUHzTS4xDWG1Yh3+FeYZxglHq
nALpmb7yk2AZzXJyzFzwRSyL8e9RO3SyfMxrRhcRUBhzX+BFpidvkfBwG0r5
6uQc0s+MGTrDtM9F6X/+Q0vdvkRjs0e0T/4LK9X65RyeWq1czDFHrcIMSYfG
Cs0bi/h1Q0eENpoGd1StScOr6FmnTvYZOFgYCzpMr+I8S9kq2exlZ4dbjomz
4d9y0Joj2+43fLKfvUb3yQoiwCsC1DzWdVn5KVhW9NeaRiSx1dUk9T5IQqD5
hNSlnvp/tbyeo2wbPtnPXiOci7teDhyB+fT+fRKnH/kzXqTCz4idtPapyXQf
2i+47J86Nx8+uHOx4sTRPV+zLpWLJsjWZOINYlvMq+lOmqODAi1N6IV2PTAs
cgxsi5torzC1/SAOx0BRGBjBpE9TyWeqnwSqliUMHYbF1ZjiXiryfNc/W0Gz
VVniu/59oQbOQbDlGiyxJzzluo7cYIG6r/578WW9OXBkZp92c09eLzVpq2Rs
QcgFDVYGSdVpWrVBsUIDVWdhlQZLwWMamLMSyzbw0ouXb5Av04QaPF+BmNZY
OM36o3hMLOlV8JsolkaG3agU41JMrCpyrcPG4ms4WazBzGJVfmZ6XpWl1+Jq
sQZjiybeviMxT6zB3qbN4qwV+aKhzSrkuw4FizoR06oZMqZvcwm58Cl5XY3E
/76KmtVUVidpp+EqdF04DVdbo/Up3AF1NTL3kHMHrdeKSK1F8M6INarXhade
LG64IumvTf9qxDoTFD4XNMtzU7qI2cDUL/r/UqKryWosLzyq3zTOd+CRb6AF
qjVJnDbrwNaoBbi4SANH/IO0gFppzQDqazMDOMS/NuH/2uneabMG3a8zn+/G
K6sxi2pzF7NYRvkaHIh5zNKsOv5hvOLwSROPVM5QErNUDlKubTX9UkbTe0rp
BGzjtRa5OIjHdG57Vl6qWqbtOQ2F8FMKnc3dKi9UG64JqptvvlLD5bjdW61l
HQQnO/0XmePSCe6VhqsRvxId4o+c63+anbbXBlscYcI5Abp+H1QP+dvat54v
5zRcB941vDrb8B9o33okrmSX96xJiPmnxFiI+UfF1hJiv4DmX012rSO21tdg
qwmrZjm1TBvn3xyx5q7fOmLtKyxeSlewJ+3TTHDsfmsuc6wqwtaBTecdy7Ua
A/h4aGYdgVmTlSu6K0SsbXFAycvLrqQ6fWSA5xTTYm3OE3OF3+nh8RzXfn0D
jW5eA7pJMryCG7chbZLzVvM4q07Il5Aut2gJ6T6rSUjRHSLHJTIaq9M8n++F
lUe30P8sZc9BRuooENeBpN3q9KP49OmTOvp+FctrLsiNB0EoV4MOh6R+6WxM
Z+etWa4sE+XhqOy0/hf4s9n/D6oAAA==

-->

</rfc>
