<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-nobuo-scitt-hardware-iot-cloud-use-cases-00" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="SCITT Hardware and Compute">Applying SCITT to Hardware, IoT Device, and Cloud Compute Resource Supply Chains</title>
    <seriesInfo name="Internet-Draft" value="draft-nobuo-scitt-hardware-iot-cloud-use-cases-00"/>
    <author fullname="Nobuo Aoki">
      <organization>The Graduate University for Advanced Studies (SOKENDAI)</organization>
      <address>
        <postal>
          <country>Japan</country>
        </postal>
        <email>n_aoki@ieee.org</email>
      </address>
    </author>
    <date year="2026" month="July" day="07"/>
    <area>SEC</area>
    <workgroup>Supply Chain Integrity, Transparency, and Trust Working Group</workgroup>
    <keyword>SCITT</keyword>
    <keyword>hardware</keyword>
    <keyword>IoT</keyword>
    <keyword>cloud compute</keyword>
    <keyword>attestation</keyword>
    <keyword>supply chain</keyword>
    <abstract>
      <?line 83?>

<t>This document describes how SCITT can be applied to supply chains that include
hardware components, IoT devices, firmware, cloud compute resources,
confidential-computing environments, accelerators, and related operational
evidence.  It gives use cases and scope guidance.  It also explains how SCITT
can work with RATS, COSE, TCG technologies, SBOM, HBOM, CBOM, and cloud
attestation systems without replacing those technologies.</t>
      <t>This document is informational.  It does not define hardware assurance rules,
cloud assurance rules, device identity systems, manufacturing requirements, or
payload formats.  Its purpose is to show where SCITT statements and receipts can
provide transparency for heterogeneous supply-chain evidence, and where other
standards or domain profiles should remain responsible.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://aoki-n1.github.io/draft-nobuo-scitt-hardware-iot-cloud-use-cases/draft-nobuo-scitt-hardware-iot-cloud-use-cases.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-nobuo-scitt-hardware-iot-cloud-use-cases/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        SCITT Working Group mailing list (<eref target="mailto:scitt@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/scitt/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/scitt/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/aoki-n1/draft-nobuo-scitt-hardware-iot-cloud-use-cases"/>.</t>
    </note>
  </front>
  <middle>
    <?line 98?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>SCITT <xref target="RFC9943"/> provides building blocks for registering signed supply-chain
statements in Transparency Services and for verifying those statements later.
Although SCITT started from software supply-chain problems, real computing
systems often contain software, firmware, hardware, identity, deployment, and
runtime evidence together.</t>
      <t>An IoT device is not only a software package.  It is a physical device with
hardware components, firmware, bootloaders, operating system images,
application containers, device identities, update policies, and operational
state.  A cloud compute resource is also not only a software image.  It can
include a VM image, hardware root of trust, confidential-computing environment,
accelerator allocation, cloud-region policy, runtime attestation result, and
operator authorization.</t>
      <t>SCITT can help by making statements about these objects transparent and
verifiable.  SCITT does not need to define the internal format of every
evidence type.  It can register statements from manufacturers, software
suppliers, cloud providers, auditors, device operators, and verifiers.  A
relying party can later verify receipts and evaluate the evidence under its own
policy.</t>
      <t>This document collects use cases and explains how to keep this work within a
clear scope.  It is intended to support future discussion of two possible
building blocks:</t>
      <ul spacing="normal">
        <li>
          <t>object binding and statement relationships; and</t>
        </li>
        <li>
          <t>composite verification over statement graphs.</t>
        </li>
      </ul>
    </section>
    <section anchor="working-group-context">
      <name>Working Group Context</name>
      <t>Recent SCITT discussions show both interest and caution for hardware and graph
use cases.  The OCP case study showed that software and firmware provenance can
be expressed with SCITT and that similar questions arise for hardware
components, HBOM data, device identity, end-of-life state, and circular-economy
evidence.</t>
      <t>The same discussion also made the scope question clear.  Hardware supply-chain
assurance can be outside the present charter if the WG tries to define hardware
rules.  However, hardware-related statements can still be carried as SCITT
statements when another profile or venue defines their payload meaning and trust
policy.</t>
      <t>The IETF 122 discussion is also relevant.  It noted that several organizations
can make statements about the same subject, and that SCITT can link things by
subjects and statements even though this is not inherent in the basic common
layer.  It also raised the value of statements about statements and reliable
locators.</t>
      <t>This document uses those points as design guidance.  It does not ask SCITT to
become a hardware standards body.  It uses hardware, IoT, and cloud cases to
show where a generic statement and graph layer may be useful.</t>
    </section>
    <section anchor="scope-position">
      <name>Scope Position</name>
      <t>This document is careful about the SCITT scope.  Hardware supply-chain details
can be outside the current charter if the WG tries to standardize them as a
hardware assurance system.  At the same time, statements about hardware can be
registered and verified as SCITT statements when the payload format and trust
policy are defined elsewhere.</t>
      <t>Therefore, this document does not propose that SCITT define hardware assurance.
It proposes that SCITT can provide transparency for signed statements about
hardware, firmware, devices, and cloud resources, in the same way that SCITT can
provide transparency for signed statements about software.</t>
      <t>The important boundary is this:</t>
      <ul spacing="normal">
        <li>
          <t>SCITT can say that a statement was signed, registered, and linked to other
statements.</t>
        </li>
        <li>
          <t>Domain profiles decide what the statement means and who is allowed to make it.</t>
        </li>
        <li>
          <t>A relying party decides whether the evidence is enough for its decision.</t>
        </li>
      </ul>
    </section>
    <section anchor="non-goals">
      <name>Non-Goals</name>
      <t>This document does not:</t>
      <ul spacing="normal">
        <li>
          <t>define how to design secure IoT hardware;</t>
        </li>
        <li>
          <t>define manufacturing assurance requirements;</t>
        </li>
        <li>
          <t>define HBOM, CBOM, SBOM, VEX, attestation evidence, or cloud configuration
schemas;</t>
        </li>
        <li>
          <t>define how a verifier decides whether an attested measurement is acceptable;</t>
        </li>
        <li>
          <t>define a universal hardware or cloud-resource registry;</t>
        </li>
        <li>
          <t>define a global device identity infrastructure;</t>
        </li>
        <li>
          <t>prevent authenticated issuers from making false claims;</t>
        </li>
        <li>
          <t>replace RATS, TCG, TPM, DICE, EAT, CoRIM, cloud-provider attestation, or
existing BOM formats; or</t>
        </li>
        <li>
          <t>define procurement or compliance best practices.</t>
        </li>
      </ul>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses the terms defined in SCITT <xref target="RFC9943"/> and RATS <xref target="RFC9334"/>.</t>
      <dl>
        <dt>Hardware Component:</dt>
        <dd>
          <t>A physical component such as a chip, sensor, board, secure element, module,
accelerator, or peripheral.</t>
        </dd>
        <dt>Device Instance:</dt>
        <dd>
          <t>A specific physical device, such as an IoT gateway, sensor, controller, or
embedded system.</t>
        </dd>
        <dt>Device Class:</dt>
        <dd>
          <t>A product model, configuration, or type shared by several Device Instances.</t>
        </dd>
        <dt>Cloud Compute Resource:</dt>
        <dd>
          <t>A cloud-provisioned resource such as a virtual machine, container worker,
managed node, GPU allocation, accelerator resource, or serverless execution
context.</t>
        </dd>
        <dt>Confidential-Computing Environment:</dt>
        <dd>
          <t>A trusted execution environment, confidential VM, enclave, or similar
execution environment that can produce attestation evidence or results.</t>
        </dd>
        <dt>Lifecycle Evidence:</dt>
        <dd>
          <t>Statements that describe a protected object during design, manufacturing,
provisioning, deployment, operation, update, audit, repair, transfer,
retirement, or decommissioning.</t>
        </dd>
        <dt>Device Lifecycle Evidence Graph:</dt>
        <dd>
          <t>A statement graph that connects lifecycle evidence for a Device Instance or
Device Class.</t>
        </dd>
      </dl>
      <t>TODO: Align these terms with TCG, RATS, cloud-provider, OCP, and existing IETF
terminology.</t>
    </section>
    <section anchor="relationship-to-existing-work">
      <name>Relationship to Existing Work</name>
      <section anchor="scitt">
        <name>SCITT</name>
        <t>SCITT provides the transparency and accountability layer for signed statements.
In the use cases in this document, SCITT registers and verifies statements about
hardware, firmware, device identity, cloud resources, and runtime evidence.</t>
        <t>SCITT does not need to understand each payload.  A hardware statement can use an
HBOM payload.  A firmware statement can use an SBOM payload.  A runtime
statement can use a RATS Attestation Result.  SCITT can provide registration and
receipt verification around those payloads.</t>
      </section>
      <section anchor="rats">
        <name>RATS</name>
        <t>RATS defines roles such as Attester, Verifier, and Relying Party.  It defines a
model for producing and evaluating evidence about a computing environment.
SCITT can be used after or around that process.  For example, a RATS Verifier
can issue an Attestation Result and register it as a SCITT statement.  A relying
party can later verify that the result was signed and registered.</t>
        <t>SCITT should not define the meaning of the attested measurements.  That remains
with RATS profiles, platform profiles, and verifier policy.</t>
      </section>
      <section anchor="tcg-tpm-dice-and-hardware-roots-of-trust">
        <name>TCG, TPM, DICE, and Hardware Roots of Trust</name>
        <t>Hardware roots of trust can provide device identity and measurements.  These
technologies can help create statements about device identity, boot state,
firmware state, and platform configuration.</t>
        <t>SCITT can make those statements transparent.  It does not replace the hardware
root of trust or the protocol that produces evidence.</t>
        <t>TODO: Add exact references for TPM, DICE, CoRIM, and other relevant TCG work.</t>
      </section>
      <section anchor="sbom-hbom-cbom-and-vex">
        <name>SBOM, HBOM, CBOM, and VEX</name>
        <t>BOM formats describe components, dependencies, vulnerabilities, or hardware
composition.  These formats are payloads from the SCITT point of view.  SCITT
can register statements carrying or referring to these payloads, but SCITT does
not need to define the payload formats.</t>
        <t>TODO: Add references and examples for SPDX, CycloneDX, HBOM, CBOM, and VEX once
the draft chooses the examples to include.</t>
      </section>
    </section>
    <section anchor="use-case-1-device-to-cloud-firmware-provenance">
      <name>Use Case 1: Device-to-Cloud Firmware Provenance</name>
      <t>A device manufacturer produces a device with firmware and identity material.  A
component or platform vendor produces an SBOM for firmware.  An audit report is
recorded.  A metadata service or signing service produces a signed certificate
or statement.  A final device or data center operator can verify receipts and
check that the expected evidence exists.</t>
      <t>SCITT can help by registering statements for:</t>
      <ul spacing="normal">
        <li>
          <t>device identity created during manufacturing;</t>
        </li>
        <li>
          <t>firmware SBOMs from component or platform vendors;</t>
        </li>
        <li>
          <t>firmware signing and release statements;</t>
        </li>
        <li>
          <t>audit reports;</t>
        </li>
        <li>
          <t>update authorization statements;</t>
        </li>
        <li>
          <t>attestation results from devices or verifiers; and</t>
        </li>
        <li>
          <t>receipts showing that these statements were registered.</t>
        </li>
      </ul>
      <t>This use case is close to firmware and software supply-chain transparency.  It
also shows why hardware identifiers and device identity may appear in SCITT
statements.</t>
    </section>
    <section anchor="use-case-2-extending-provenance-from-firmware-to-hardware">
      <name>Use Case 2: Extending Provenance from Firmware to Hardware</name>
      <t>Hardware supply-chain provenance can include hardware identifiers, component
source, device identity, identity management, end-of-life state, repair state,
and circular economy information.  A hardware bill of materials can describe the
hardware composition of a device, while firmware and software statements
describe the software that runs on it.</t>
      <t>SCITT can register statements that refer to HBOM or hardware provenance data.
It should not define the HBOM format itself.</t>
      <t>Example statements include:</t>
      <ul spacing="normal">
        <li>
          <t>a manufacturer statement for a device class;</t>
        </li>
        <li>
          <t>a component supplier statement for a hardware component;</t>
        </li>
        <li>
          <t>a device identity statement for a device instance;</t>
        </li>
        <li>
          <t>an auditor statement about a manufacturing or assembly step;</t>
        </li>
        <li>
          <t>a repair statement;</t>
        </li>
        <li>
          <t>an end-of-life or transfer statement; and</t>
        </li>
        <li>
          <t>a statement that links a device instance to firmware and software evidence.</t>
        </li>
      </ul>
      <t>The value of SCITT here is not that it knows whether a hardware claim is true.
The value is that the claim is signed, registered, and can be linked to other
claims and receipts.</t>
    </section>
    <section anchor="how-scitt-can-represent-a-lifecycle-graph">
      <name>How SCITT Can Represent a Lifecycle Graph</name>
      <t>A lifecycle graph can be represented without changing the basic SCITT
registration model.</t>
      <t>One possible pattern is:</t>
      <ol spacing="normal" type="1"><li>
          <t>Each evidence item is a SCITT Signed Statement.</t>
        </li>
        <li>
          <t>Each statement is registered with a Transparency Service and receives a
receipt.</t>
        </li>
        <li>
          <t>A relationship statement or graph manifest links the statements.</t>
        </li>
        <li>
          <t>The graph manifest can itself be registered as a SCITT Signed Statement.</t>
        </li>
        <li>
          <t>A verifier checks statements, receipts, and graph edges under its policy.</t>
        </li>
      </ol>
      <t>This pattern lets different parties issue their own statements.  A component
supplier can issue a component statement.  A manufacturer can issue a device
identity statement.  A software supplier can issue an SBOM statement.  A RATS
Verifier can issue an attestation result.  An auditor can issue an audit
statement.</t>
      <t>The graph can be discovered in different ways.  A deployment can use locators in
statements, a graph manifest, a subject-based index, or an auxiliary service.
The SCITT Reference API does not need to become a full graph API for this use
case.</t>
      <t>TODO: Decide which discovery pattern should be described as the main example and
which should remain non-normative.</t>
    </section>
    <section anchor="use-case-3-device-lifecycle-evidence-graph">
      <name>Use Case 3: Device Lifecycle Evidence Graph</name>
      <t>An IoT device can be described by evidence over time.  A Device Lifecycle
Evidence Graph can connect those statements.</t>
      <sourcecode type="text"><![CDATA[
Device Instance
 ├─ manufacturedFrom  -> Hardware Component Statement
 ├─ provisionedWith   -> Device Identity Statement
 ├─ runsFirmware      -> Firmware SBOM or Firmware Signature Statement
 ├─ updatedBy         -> Firmware/software Update Authorization Statement
 ├─ measuredBy        -> RATS Attestation Result
 ├─ affectedBy        -> Vulnerability Status Statement
 ├─ mitigatedBy       -> Patch, Rollback, or Configuration Statement
 ├─ repairedBy        -> Repair Statement
 └─ decommissionedBy  -> End-of-Life Statement
]]></sourcecode>
      <t>The graph does not need a single monolithic payload.  Each statement can be
issued by the party that is responsible for it.  A composite verifier can later
check whether the graph has the evidence required by a policy.</t>
      <t>This graph is not meant to be stored as one large payload.  It can be built from
separate statements and relationship statements.  Earlier SCITT discussion
raised the same idea through "statements about statements" and through reliable
locators that can be used as pointers.  The graph model in this document follows
that direction.</t>
    </section>
    <section anchor="use-case-4-cloud-compute-resource-integrity">
      <name>Use Case 4: Cloud Compute Resource Integrity</name>
      <t>A cloud compute resource can involve several layers:</t>
      <ul spacing="normal">
        <li>
          <t>cloud image or container image;</t>
        </li>
        <li>
          <t>host hardware platform;</t>
        </li>
        <li>
          <t>hypervisor or node software;</t>
        </li>
        <li>
          <t>confidential-computing environment;</t>
        </li>
        <li>
          <t>GPU or accelerator allocation;</t>
        </li>
        <li>
          <t>region or data residency constraint;</t>
        </li>
        <li>
          <t>tenant identity;</t>
        </li>
        <li>
          <t>deployment authorization; and</t>
        </li>
        <li>
          <t>runtime attestation result.</t>
        </li>
      </ul>
      <t>SCITT can register statements about these layers.  For example, a cloud provider
can issue a statement about a VM image and its host platform.  A verifier can
issue an attestation result.  A tenant or deployment controller can issue an
authorization statement for a workload.  An auditor can issue an audit result.</t>
      <t>A composite verification profile can then check whether:</t>
      <ul spacing="normal">
        <li>
          <t>the workload image matches the authorized digest;</t>
        </li>
        <li>
          <t>the runtime attestation result is recent;</t>
        </li>
        <li>
          <t>the confidential-computing environment is acceptable;</t>
        </li>
        <li>
          <t>the resource is in an allowed region;</t>
        </li>
        <li>
          <t>the accelerator firmware is covered by an accepted statement; and</t>
        </li>
        <li>
          <t>no statement revokes or conflicts with the evidence set.</t>
        </li>
      </ul>
    </section>
    <section anchor="use-case-5-device-repair-transfer-and-end-of-life">
      <name>Use Case 5: Device Repair, Transfer, and End of Life</name>
      <t>Devices can change hands, be repaired, or be retired.  These events matter for
supply-chain trust, especially for industrial IoT and enterprise hardware. These definitions are useful for meeting the industry's need for maintenance on a 10-year basis.</t>
      <t>SCITT can register statements for:</t>
      <ul spacing="normal">
        <li>
          <t>repair events;</t>
        </li>
        <li>
          <t>replacement of a hardware component;</t>
        </li>
        <li>
          <t>re-provisioning of identity material;</t>
        </li>
        <li>
          <t>transfer of device ownership;</t>
        </li>
        <li>
          <t>end-of-support status;</t>
        </li>
        <li>
          <t>end-of-life status; and</t>
        </li>
        <li>
          <t>secure disposal or recycling status.</t>
        </li>
      </ul>
      <t>This document does not define the operational policy for these events.  It only
shows that they can be represented as lifecycle statements and linked into a
graph.</t>
    </section>
    <section anchor="scope-questions">
      <name>Scope Questions</name>
      <t><strong>Question:</strong> Does this document ask SCITT to publish hardware assurance rules?</t>
      <t><strong>Answer:</strong> No.  It describes how SCITT statements and receipts can be used for
hardware-related evidence.  Hardware assurance rules, HBOM formats, and device
identity policy should be defined elsewhere.</t>
      <t><strong>Question:</strong> If hardware supply chain is out of scope, why discuss hardware at
all?</t>
      <t><strong>Answer:</strong> Because SCITT statements can carry or refer to hardware-related
payloads.  The useful SCITT question is not "how should hardware be built?"
The useful SCITT question is "how can a signed hardware-related statement be
registered, linked, and verified with other statements?"</t>
      <t><strong>Question:</strong> Should graph relationships be put in the payload or header?</t>
      <t><strong>Answer:</strong> This document does not decide that.  It lists possible placements:
payloads, protected metadata if later defined, graph manifest statements, or
auxiliary services.  A profile must say which placement is authoritative.</t>
      <t><strong>Question:</strong> Does a device lifecycle graph prove that the device is safe?</t>
      <t><strong>Answer:</strong> No.  It helps a relying party see which statements exist and how
they relate.  The relying party still applies its own policy.</t>
    </section>
    <section anchor="common-evidence-types">
      <name>Common Evidence Types</name>
      <t>The following evidence types appear across the use cases:</t>
      <ul spacing="normal">
        <li>
          <t>manufacturing statement;</t>
        </li>
        <li>
          <t>component provenance statement;</t>
        </li>
        <li>
          <t>device identity statement;</t>
        </li>
        <li>
          <t>firmware SBOM statement;</t>
        </li>
        <li>
          <t>hardware BOM statement;</t>
        </li>
        <li>
          <t>cloud image statement;</t>
        </li>
        <li>
          <t>deployment authorization statement;</t>
        </li>
        <li>
          <t>update authorization statement;</t>
        </li>
        <li>
          <t>RATS Attestation Result statement;</t>
        </li>
        <li>
          <t>vulnerability status statement;</t>
        </li>
        <li>
          <t>audit result statement;</t>
        </li>
        <li>
          <t>repair statement;</t>
        </li>
        <li>
          <t>transfer statement; and</t>
        </li>
        <li>
          <t>decommissioning statement.</t>
        </li>
      </ul>
      <t>TODO: Decide which evidence types should be examples only and which should be
registered in a future object-binding or relationship vocabulary document.</t>
    </section>
    <section anchor="scope-boundary-examples">
      <name>Scope Boundary Examples</name>
      <t>The following table gives examples of what belongs in SCITT and what should stay
outside SCITT.</t>
      <table>
        <thead>
          <tr>
            <th align="left">Topic</th>
            <th align="left">SCITT role</th>
            <th align="left">Other responsible work</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">Firmware SBOM</td>
            <td align="left">register and receipt a signed statement</td>
            <td align="left">SBOM format and tooling</td>
          </tr>
          <tr>
            <td align="left">HBOM</td>
            <td align="left">register and receipt a signed statement</td>
            <td align="left">HBOM format and hardware domain</td>
          </tr>
          <tr>
            <td align="left">TPM quote</td>
            <td align="left">carry or refer to an attestation result</td>
            <td align="left">TCG, RATS, platform profile</td>
          </tr>
          <tr>
            <td align="left">Cloud region claim</td>
            <td align="left">register and link the signed claim</td>
            <td align="left">cloud provider and policy profile</td>
          </tr>
          <tr>
            <td align="left">Device identity</td>
            <td align="left">register statements and link evidence</td>
            <td align="left">manufacturer, TCG, device profile</td>
          </tr>
          <tr>
            <td align="left">False hardware claim</td>
            <td align="left">preserve signed evidence and audit trail</td>
            <td align="left">issuer governance and legal process</td>
          </tr>
          <tr>
            <td align="left">Composite decision</td>
            <td align="left">provide evidence and result structure</td>
            <td align="left">relying-party policy</td>
          </tr>
        </tbody>
      </table>
    </section>
    <section anchor="possible-future-work">
      <name>Possible Future Work</name>
      <t>This document motivates two possible follow-on drafts.</t>
      <t>First, a Protected Object Binding draft can define how a statement refers to a
software, firmware, hardware, device, or cloud object.  It can also define a
small relationship vocabulary.</t>
      <t>Second, a Composite Evidence Verification draft can define how a verifier asks
for a graph-level decision and how the verifier reports missing, stale, or
conflicting evidence.</t>
      <t>Both follow-on drafts should keep payload definitions out of scope unless a
separate charter or venue says otherwise.</t>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>Hardware and cloud evidence can reveal sensitive information.  Device
identifiers can identify customers.  Graph edges can reveal suppliers, cloud
regions, tenants, repair history, or operational dependencies.</t>
      <t>Deployments should avoid placing directly identifying information in public
logs.  They can use pseudonymous identifiers, salted commitments, encrypted
payloads, access control, or selective disclosure.  The chosen method should
still allow the intended verifier to check the required evidence.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The main risk is over-reading SCITT evidence.  A valid receipt does not prove
that a hardware claim is true.  It proves that a signed statement was registered
and that the receipt verifies under the relevant profile.</t>
      <t>Relying parties must still decide:</t>
      <ul spacing="normal">
        <li>
          <t>which issuers are trusted for each statement type;</t>
        </li>
        <li>
          <t>which statements are required;</t>
        </li>
        <li>
          <t>how fresh each statement must be;</t>
        </li>
        <li>
          <t>how conflicts are handled;</t>
        </li>
        <li>
          <t>how revocation or supersession is handled; and</t>
        </li>
        <li>
          <t>whether a domain-specific payload is acceptable.</t>
        </li>
      </ul>
      <t>Other risks include:</t>
      <ul spacing="normal">
        <li>
          <t>linking the wrong device instance to a statement;</t>
        </li>
        <li>
          <t>treating a device class statement as a device instance statement;</t>
        </li>
        <li>
          <t>accepting old attestation results;</t>
        </li>
        <li>
          <t>accepting a hardware statement from an unauthorized issuer;</t>
        </li>
        <li>
          <t>exposing sensitive graph data; and</t>
        </li>
        <li>
          <t>assuming that SCITT replaces RATS or hardware root-of-trust mechanisms.</t>
        </li>
      </ul>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9943">
          <front>
            <title>An Architecture for Trustworthy and Transparent Digital Supply Chains</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="A. Delignat-Lavaud" initials="A." surname="Delignat-Lavaud"/>
            <author fullname="C. Fournet" initials="C." surname="Fournet"/>
            <author fullname="Y. Deshpande" initials="Y." surname="Deshpande"/>
            <author fullname="S. Lasker" initials="S." surname="Lasker"/>
            <date month="June" year="2026"/>
            <abstract>
              <t>Traceability in supply chains is a growing security concern. While Verifiable Data Structures (VDSs) have addressed specific issues, such as equivocation over digital certificates, they lack a universal architecture for all supply chains. This document defines such an architecture for single-issuer signed statement transparency. It ensures extensibility and interoperability between different transparency services as well as compliance with various auditing procedures and regulatory requirements.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9943"/>
          <seriesInfo name="DOI" value="10.17487/RFC9943"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9334">
          <front>
            <title>Remote ATtestation procedureS (RATS) Architecture</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="N. Smith" initials="N." surname="Smith"/>
            <author fullname="W. Pan" initials="W." surname="Pan"/>
            <date month="January" year="2023"/>
            <abstract>
              <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9334"/>
          <seriesInfo name="DOI" value="10.17487/RFC9334"/>
        </reference>
        <reference anchor="RFC9335">
          <front>
            <title>Completely Encrypting RTP Header Extensions and Contributing Sources</title>
            <author fullname="J. Uberti" initials="J." surname="Uberti"/>
            <author fullname="C. Jennings" initials="C." surname="Jennings"/>
            <author fullname="S. Murillo" initials="S." surname="Murillo"/>
            <date month="January" year="2023"/>
            <abstract>
              <t>While the Secure Real-time Transport Protocol (SRTP) provides confidentiality for the contents of a media packet, a significant amount of metadata is left unprotected, including RTP header extensions and contributing sources (CSRCs). However, this data can be moderately sensitive in many applications. While there have been previous attempts to protect this data, they have had limited deployment, due to complexity as well as technical limitations.</t>
              <t>This document updates RFC 3711, the SRTP specification, and defines Cryptex as a new mechanism that completely encrypts header extensions and CSRCs and uses simpler Session Description Protocol (SDP) signaling with the goal of facilitating deployment.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9335"/>
          <seriesInfo name="DOI" value="10.17487/RFC9335"/>
        </reference>
        <reference anchor="RFC9942">
          <front>
            <title>CBOR Object Signing and Encryption (COSE) Receipts</title>
            <author fullname="O. Steele" initials="O." surname="Steele"/>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="A. Delignat-Lavaud" initials="A." surname="Delignat-Lavaud"/>
            <author fullname="C. Fournet" initials="C." surname="Fournet"/>
            <date month="June" year="2026"/>
            <abstract>
              <t>CBOR Object Signing and Encryption (COSE) Receipts prove properties of a Verifiable Data Structure (VDS) to a verifier. VDSs and associated Proof Types enable security properties, such as minimal disclosure, transparency, and non-equivocation. Transparency helps maintain trust over time and has been applied to certificates, end-to-end encrypted messaging systems, and supply chain security. This specification enables concise transparency-oriented systems by building on Concise Binary Object Representation (CBOR) and COSE. The extensibility of the approach is demonstrated by providing CBOR encodings for Merkle inclusion and consistency proofs.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9942"/>
          <seriesInfo name="DOI" value="10.17487/RFC9942"/>
        </reference>
        <reference anchor="RFC9052">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="I-D.ietf-scitt-scrapi" target="https://datatracker.ietf.org/doc/draft-ietf-scitt-scrapi/">
          <front>
            <title>Supply Chain Integrity, Transparency, and Trust (SCITT) Reference APIs</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="I-D.ietf-scitt-receipts-ccf-profile" target="https://datatracker.ietf.org/doc/draft-ietf-scitt-receipts-ccf-profile/">
          <front>
            <title>CCF Profile for COSE Receipts</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="I-D.nobuo-scitt-protected-object-binding" target="https://aoki-n1.github.io/draft-nobuo-scitt-protected-object-binding/draft-nobuo-scitt-protected-object-binding.html">
          <front>
            <title>SCITT Statement Relationship and Protected Object Binding</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="I-D.nobuo-scitt-composite-evidence-verification" target="https://aoki-n1.github.io/draft-nobuo-scitt-composite-evidence-verification/draft-nobuo-scitt-composite-evidence-verification.html">
          <front>
            <title>Composite Evidence Verification for SCITT Statement Graphs</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="TODO-TCG" target="https://example.com/TODO">
          <front>
            <title>TODO - Add Trusted Computing Group references such as TPM, DICE, CoRIM, and related profiles</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="TODO-OCP-SAFE" target="https://www.opencompute.org/community/ocp-safe-program">
          <front>
            <title>TODO - OCP S.A.F.E. Program</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="TODO-SBOM-HBOM-CBOM" target="https://example.com/TODO">
          <front>
            <title>TODO - Add SBOM, HBOM, CBOM, VEX, SPDX, and CycloneDX references as appropriate</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
    </references>
    <?line 562?>

<section numbered="false" anchor="open-questions">
      <name>Open Questions</name>
      <ul spacing="normal">
        <li>
          <t>Should SCITT define generic object binding, or should each domain profile
define its own binding?</t>
        </li>
        <li>
          <t>Should relationship metadata live in payloads, protected headers, graph
manifests, or auxiliary services?</t>
        </li>
        <li>
          <t>Should SCRAPI remain focused on registration and receipt retrieval while graph
discovery is handled by later auxiliary services?</t>
        </li>
        <li>
          <t>Which use cases require WG action, and which should be handled by other WGs or
standards bodies?</t>
        </li>
        <li>
          <t>How should this document describe hardware use cases if the current charter
does not allow the WG to publish a hardware-specific standards-track item?</t>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="design-notes-for-future-revisions">
      <name>Design Notes for Future Revisions</name>
      <t>This revision treats hardware and cloud compute as use cases for SCITT
statements, not as a request for SCITT to define hardware or cloud assurance.
That distinction is important for charter discussion.</t>
      <t>This revision also adds the IETF 122 points on multi-party statements,
statements about statements, reliable locators, and the limits of the basic
common layer.  These points support the Device Lifecycle Evidence Graph without
requiring SCRAPI to become a graph API.</t>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The author thanks the SCITT WG participants for discussion of OCP hardware
assertions, generic APIs, graph building over opaque payloads, and the boundary
between SCITT and domain-specific hardware or cloud profiles.  The OCP case
study helped identify the need to discuss hardware identifiers, device identity,
HBOM provenance, end-of-life information, and circular-economy evidence without
turning SCITT into a hardware assurance framework.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA61c3XLcyHW+x1N0qIvYWzMjUdLaXq7jDUVSEpOVSIuU1q5U
KoXB9MzAwgBjNEBqvFpXHsKXuciz5FH8JDnfOf0LzEirSlzrXRJsdJ8+fX6+
89OYTqfZgwcPsgfqjb57rO6b9n1Zr9SizZfdjJ5et3qbt3qhlm2zUd1aq7Iu
uzKvZMi0buZ9MzVF2XXTdd4u7mnwtGy6aVE1/WLaGz0tcqPNbLOY0HSY4Obs
8vZWmaLZapXXC7UpP+jF1HR5pze67uhZXu1MaVTddHoSXnl4dXatMBmN7Rc7
ms1U5UIbO0ndd9pM+JdWVzTZQhldLaetviv1PU9mZkrdXp1fqU3evtctvdlq
VellR3PdrzX98sML2t+271TTqkWzycuaJlvSX+pCy/Ba64VezJhpXdlV+kQd
nW631Q5sk611jXppWTFRl82tOicSCi20nYEv6qzZ0CqamG6avi1ohz3mUGdr
WtIcZfl8TnTT1DKjm05mkHePsoI2uWra3QnRvGyybNEUdb4hgr7saKaPHmWm
n29KY8qm7nZbmuHy4vZ5VvebuW5PsgWtc6IeP3r8q+mjX9M/WdHURtemNydq
mVdGZ0Tpk4ymz0/UzcVZBilatU2/PUn2pS5rIrgtu91E3bZ5bSBZdbETxty2
venUD1YAX+D17L3e0VyLk0xNhbf4we0FPxN38R/ekSqEMXiQd3TaJFG0Ifxq
hIoCVGR3uu41TakciTKxkp2nBCgSlbI6UczFfy51t5w17Yoe522xPlHrrtua
k4cPMQhPyjs9c4Me4sHDedvcG/2Q33+INctu3c9PVN68L6f18cMvOyqaAJJt
urC0nWgmE8/K5gun/MLhs3W3qbIs77t10+JciCSlln1Viei9xjzqlIjiPxAf
8rr8Cx/EibolVX7R5oue9qDe1sSt1pA0qCVp2+niLiclW6gbUu6SlO0XN1f/
evH6/PTylzxT0fR1B1n/l3yb1/xIy9nU/wEe0OFozYeT1U27oRXv+JDfPD97
fHz8jf3xN8e/fmp//Oabp09Osgyqkw7/5smTp+HHr8Pwx+7HR1/zj5fTcz5t
yzZTtPm2PGHSnGX4UvH/BQvjL8kuWKOjTq8vyR7wnHm70tHJk1rmXZsXZMmC
0JENsCc6ouzhmORWF7rcdmZaFMvptm2WZaXTDZydPScfwH/gYzq7urkg6uS1
/ytd+5Z3VMYCSX/qdEEWfdrM/0Q/TOdlvSAlHfCaTeWN9yNv4AVI7sy63DKL
r9006oqnUc9kmv3b+DmKdYiwLxgqCjXeM4xZQ9qhp+Q8FhCFKalLuSwLUab0
lNxgdWEHq3fRYD65IXtIEbfrA0f4c/b+GQK//A3HCXjo6e3Zi3SL7LenZCas
qmjnCL2xjj216Yu1yo26vX41UeeXZxcTGv3m8lWKD6zIHWCC/pBvtpWeEdkP
sbojjWDI9Ob0+cVe+oBRbmans+ezixkEbtXmm/3T39/fzwgC1dZrsZbQz5ue
8NXuYVNspyZfasgN5nCL3zy7ejV9iX+d0b8OsgjDJuol//uM//3u4g8TdXN9
/gcLQ3Zk2Gt9/ocE39A/W1pw25Y5AMbP4soDJaI1fXX5+u3txc30+DFZxwcx
YUATih5bGUxcrHolyO3IvvJzjMlGaxz7Q5qSXG9HMkQo5KGFgFjfChxBlq8f
PXn86NHjJ4+AcvaQ+nQ/qU///0l9upfUpxGpx8ePnh7/CqQeZ9lsNsuy6ZSg
zNxg1i7LbtcEismQ9qy/hHyLtpzTsa2be0tukddqrnGIVUnyTUA0Rj6GsHTe
EVgsqn6hM+fmGTeRLNSdEbi6YLhKvyzLdiMoNgFYJDKCWs0EUHAJXUZIMC28
Qur6rmybeiOT5kWhK93mXdMOEDopQMvKn1eZMwoE0i87Akp3tDXCHQz5BeRL
zLDqy0XuxxE7G6U/bCveoGdFBlYAh6p7smHqzentzYSdF/nesxeKTPG6bqpm
VWKfY23BarznLEKSyuzI7mwMT9lQkECxUZUX2C/9TpTGs86G50U/e6yB/Qr5
i0ZzoENMX5a19uCWdNH0Lbap2r5iTvMRDB/bw1JyBoSlLI0TAq51vyS56VsQ
2Oo/92Wr7YE0bbbNd1WTL5RQZJgao7Z9u8VOiFgID9gpgZEN2pz3MPYUxX9D
7jKyGzhA1UXQhh3PWpPYNytd66Y3ViCnLJDKHbkwXFZqKOBrM1qpXhAvTBSJ
OXMNuvoKy9sAzZD4mnJOVklUZlMuFpXOSE0JcrXNoi84EMhkEz/+aNHfTz8p
S7RR876s4I7VvGqK94YJb/WqNFBZemzKVY2IMqI+i7hBZMSQTt3olnWI94W5
2NHtgqhE70IT2ll2WkGoVuvA6rZzcbdplh1LRcI9Ip72jLOmyKtSXvsyJ6f0
lq7ped1huJsk1uu1j1OdAEGitlWzA218LFlLwLvcaH9YJBlk99agOTutI4uh
JGZXTU0WJw9Eb8km5iurrzQmV9s1BfgFkgjyIhRqvz0KpM6bpoPEatgQazdw
MLxXVW5oBdISNn0W9diN8wupmrDW91sEtmrb0AulSx3EBonPiKg+PWD+eC8w
P/s2zQTJlqEd1ujSiHev5G+B+aptMMGSVIeAzUR93qbSPoNJJRpIZploa6in
kFxiAG+NTtSdYGzLaBN9ZU9YNo2ZOKyz8drMKQxM6VpXWzXfkVVhfxgbgjlM
IckDSbVAWxPZgI4XEJiXQ0OtCw6GDwkVGBtrACXFRBpBJ2CNE1ijaYpdFkSQ
YnXPXK+oMVmsN8EGshC4w8lYjUp+Jkdr7QC7Jwo/xVFZmXHcsRIie6GhkIyM
HBlrNW2WjC+IYXW2+h4sJN7Ud3nFoS/26LfS17SuKmlMc09WlI9s5DyKpqqY
s6lDTPwe8fC91luand70ro8UPyffofNW3KfXQjCZlvYooWk7iuPBKrUoTdFz
Noil8r4hSTJsYLOBnaQA+it76soGNOKpfZjRRlGY+Zal4SvlIwEVBwCquYvP
UK04QiFekCFPgdgZabb+QJAIkSiNtCLlyTbiuubkS0SYSOzFp5OEu4BoHSfV
eK3McxeJQjokl3FUnHHkScEwoCiv6GzhrZViOdI1+2doPWExOiJa3dBrDESE
Urwjs5QbZI7Un3uikAnP29LohL4stocAKQpIc+T5J2QgKLhcTqtyaf2LxTFl
W/S0yFSTYWk2QYtYymhovkmOnE3aJl+InArmcvQpliTijs9IJh4xoBOLRMk0
mNLOBD6wLK/h2Ujkl/z4B0JjLRI+wQb4nTPGwWrEd5KNYDKnPsUbNB5LEpFV
hYWLvG0BgSmkETwYDSScQbusGWg4UKHYR9e9tjQAK+uS/mxh0kbntRNuNtOx
pmrlI5yIj847EKmk+XUnmoc8tDt87ImsXJwkMwxcycrqvTZWDsv0rHGTIEfB
UFdl/R4moF4RqNlldqhJtdLAntbKAg42GNZ3lzVAGOBqzevNc3LU0NcNAagq
3+k2gt1tXhreDOkxmTYNazGieoQZK3YEGfsssqojW9cb5j5Q0rYp+T2DaIcQ
2AD7ex+Sm/c+905KR+TC03oFD2By3ix28i6vso7T9BHqtyaWJosgcK6AYVti
R1yrsKZDMW/o4HaQPpp82VczGK4b1p9rWDvGoKOggCQVg6MzjgokhzSN+EHQ
phJpGehZ0bftZ/TMMaT8C7+y4cg/2xN7CLqCp4vED1hiMj7ogN+Ypsx5ZWhh
8JtBJdVQJdlIJGHJSN24BCMaSt6vMpqPRpSQ2Ni0XDBKwmQnI8hrcJAW9OVg
zDXLLv0LZqhhBwMdFyMMGJMFKQto1sfYQeZCVO2Uj7l9TyKVUnA41DpAgXdW
1lqVG3h7MkmkDz0EYccBH/GN/XnYqnFr55HM39MBykITFc5YdgLrI5BCwjgV
0TKjqc8HkdxCF9jIPdbgHftVYHCNDQsbsaWVeN9GzGPZYcJTlSIwmZAFis17
ArVoFl2zyQOzALkw3AjWfaBeN/X0RUOWbZRqsTLE3HFCI4jL2iWjCwAnxELu
tL8NY9NQPArho6A8Gh4nIm5C8i5G7yFwpo246ISihlXf2qIX2Q9S7DyeFyTn
Hr+OWEXnLUtodndEpHY2CtHGtoPZjqbLCbpyCYdcmFchR87UB0kiIu0ueXNV
NfMQ/vnkRVkv25wG9wzZ8QaBhjs2tBSZYFDBXr8kFqJ+a0E+I0OuRNLiebnh
TUtyRtvUz+3Zi0mcDb44vfUpYSHYhQAxnzlTogjD0Q6wBsCXTZh8iz/5HdHL
heMXWECIjdwczngO6LlFAg/6znJG6BV7ErhHAn6OOUrx/qyf7/UOAJ781dGr
tze3RxP5r3p9xT+/ufj928s3F+f4+ebl6fff+x8yO+Lm5dXb78/DT+HNs6tX
ry5en8vL9FQlj7KjV6d/PBJVPrq6vr28en36/ZGYo1ghcNIk/HMbqtEhdWzY
M5eUXOCdZ2fX//Pfx0/Vjz/+g63C/fST/QV1OPoFZt/G3Qif5Vc66B3ieIQs
iF4I0BX5tuzofCdwHnDJCEjZnH31b+DMv5+o386L7fHT39kH2HDy0PEsecg8
Gz8ZvSxM3PNozzKem8nzAadTek//mPzu+B49/O13FaRsevyb736XHcBLSD+2
G+O9I7FunO8Cq6EQ9uGTJ3QKxEWPMc5cqHGSnZBt9XkaH4L4ykpO+KLcEgzQ
tWlapGdojokzhAR5JYG0aRaE4SeomIeMBVstiqrL7RoAmAiQDgl1WQOZFFpW
N1uyUBQcDtNFk0CEpJ9WZBTITQZikPlpETK3ToM3JJMIdi2g8SueVWSO7WYl
UwiSdTVJ7SlTjKQDSR+3w8x3Hr4PaIeO72/ykGUiawPPo4Pjj3h7V7ZdT3Nv
cuJyrSchl8WRPe2LWxPqfEXv10TwRL24fptkguIMkVuBt2F0S4ST9yVv+IGO
y/qLQmJqUB/nn0KR7SLkn2Qnna3D+VmSFFWSxlLvXiE+Jet8Z4mQwJeN6563
BXVYtEWnovd6PyVb6yuAi+x7inuLHQWovggKMm8CFuI5nYVCFtLXg20GYyEO
Wnz6IIMOhvtDw+9JntSnDV1a0eaRgJC2eUliyFhtKQdH5tK6febFAgGLbb9B
RdgL53hHUrW16pEmSizLmrrmeK/y73puAfTkQ3EV/Yi1ASDx6vyKlqgAbSSz
J7aFUxjsSsWrpp5zgnzJxCamrMfkRiK8XHJhZMcOMKnMkx+5cKOR5aEBD2zM
bvOPPknPRi7GvFiK5BytIfm8rAAhJA7bC4YJ1QuuDkm0oWebWJvpcK2JQxfz
JdA+ysuM4D3HwYOsus+2jhKjnCDkiE1pMgcuROLEdBziWmGA0mCDFCdwsige
7vNU+4Yz1kyGWxqzPaPFi5xGSvmGFdHnd+NIyUJAGcclBUmLptm/vEUw4iJ/
IYMB0wNeLMt4SZeeIfMe1fmFEIjgOwtvhctvbHBwjeDAJg3sBHnGhp5FRYyM
y+/YPC3n3J3uSByVq73p+FmWlF97JEXyJWJvaJzbVs4hJQkAMlrP6S+2lD5x
3HSkc1DPEBenMuaxzaPYnHfZicsYxNRygLL97EB2unNhlxjRKLJLlkC7o92h
rbxFBUu87pJjjWQa9kURklHNO1u0M5kvy/pgcKIIsHeA19GjOOOufMqNRGII
6DHQw5g3TYN8+lJaRSJ807o/sO9KhHQYi3BX6XADZAqzuMobaiNFq5HaH4Xe
I2uAOpZNz2apPsomPBMSAJIUYzj+HdURo6LLID3mQiEcTsitxkUnhjeco226
pmgqL67wvSY2UtY1LGDjyTfG7SPQpP0NN5JqdYlQrsADxshJ7q++U8ibZVG8
FRx3nA4nH4wiRi0FvLu+IoQknoAfjLLokoVzR+nnliqlWJzQ6Wy9D3KQYBTa
iJ15yw6VnZB3ZovD0IRYw4iCrLi4UbcIiUHfRZWw7EAlbFilj/kfN+6wy2Vr
IscgjT6+yWcveynmKkiaaRVu1SI83zQulPCTETm2dMme+y3t4QwFkeMTixmm
XTMVuPvcCfO1L4Jk2alTgLgUFwQrjyvAwT2BQq+Irm2G620hEIHZdqpCyy2a
eFrrzMAKNylerwWVQSFQ7ioNPBEF2lr83UZ3OWorDJFLwZewh1zxtI8i0q2p
LHTbiRfTWdMOLDCdZMhzAOthetSs4Bxc2RXCtKdgmBVrXbwPVlp/2Apc9V6J
YZbZW6hNmheisii6djlvkVo7MV8LB4ET6Itsij8a8NXqyKfOwiQvOSbaAoDO
E8uFofG58ANbnU8q0sN3RuVsS5hNrirXd4FqrSs9egYjjSD9GLkrX8cJaWT8
EwfIQbdDjpy4rzid3KRiu79VI0atbJwzLqCABiTgdgHIyYkwyTzf8KBQYQjJ
kWFtK1XSxycErVHlZQgUSpPMJK+u0XWFyFMOO02isqazCHuJngSxyFzQOfKB
0W4Qwgry3lO+lODJecu4mKlsMTPuqUoR8RyVQDLbvuuOSfdehE580HEivgGv
5D7RcL/mxuf9B+y5nsWzhgEsWYShSRBrTldHarrPd8h4WHU+ExiwuEwdHQKs
CNco9uOxl8FvIsutqyWtfSEmPV7QniMbhDy10AHyS9Roj7BAgMi6l6SEpJti
9NK4o0deHfWs7V+stCEqv1S7xoy4+mZBeZpfxxTG6M28wsx6K2vGorRxlNSJ
0AED2Sg9GmftRlwB4YNCqcOMiT1sEAZld18xFaHgEqMtwkqbZqfe12IebH4+
4iey3FyzaXuaL0xXmuAu/KBDxRobrgxrNpJCTxr8pAfjpe8zPcsRi7iCfh4l
Kjg/Abcf8g+SnbCLte4t2xCBAyQbU6/EFLuCs9i1JG7kaI0IuUK63bajED7q
0CqkuHJ1PFMXCJBDvYc7w0JwdCMO26eEZtlj+0o4WxoeFS4ZluR7e/sCg+44
mlTKsWuWPZlJ8BWyHGEBkjLhCEkt8cg4SUrKX8TxpzNuQRmMZfPLKi3cDCXW
T23za9DjwyiGFXEyY+IPehJVtPVihQ5c356UtiY5zlca2LxcLqVtAJEm4iIJ
X6WHAun6aGfcUBd8hDMeUdAb25YETSUmKn5BlDAbWxR+LfXJg8UsVEzf4ITD
O8+wePQYdUTIshkOxsPgn63qJxqBjhE0PknKPnDyPt8Jr0Ke0adfXO+ESrpQ
kUhIxQVPbAfIlBSLl1joDxwYMXUfKFRC+deiWzElIkXJFaRxVsp3WeDul10W
A5ccSQpUygCVfMxy7mq9JSmc2/XOC5J1ZeCILyLlohZcM7YhCZtjmSNtA66b
eupvfqU46IkLVg5mVIedrO5sPCWEqEPWGW1qSIzx8QxnztKZeSqblR3F7ETm
X//6V8W9bIO8bKb+/rf/+vvf/jOW+cVzADc1/Z0aF2yCuvs3oxrDD7Bj/KZb
xmnK+DUgFg8O+X/02vMY/0N8wgOyNjm3DY6nEhC/eLZT7n/RVA+9Wr4VrH+a
YP3xbDYbE01Hsx3IQ/qXctKnohu89C5KFAgLerNvQUKEq2QD9O513hXriXrT
VNU8L96zLp3FqZp9LGXwMaRcEEky+m8YHdcD5B0afSFABWIWvULSE5uUVEsR
odYrkvUNQeUKvaBFlN4d+D3btMOWi8Vd0g/IGwocMXGjvW2gCLY8aua0BpMz
jTaEjbsxhNK1VW2vVLYXgpfOB75GXrHgCMnGzlafDRlBMRPEKVqxXeloh5du
V9zd33HYkxncZx9m6tyNlJG3Nsyoln3GsMk0i9rfuFOHdpLTby13mBx9ohHu
yDbuychRR1wofvlkspE0lHQdR7CAM9ij8vyyQa+MyaTgRVwtOtfj4m3i05ND
V9H9NVXAuAOd7xIF3jXVnfZ1UK68SAeRvMVt7tIO4YqX/AjQmwxh1DHmkgf8
l90Wzsg0nD1HbdP772+5dfhzzfEYhWIofNzeLnnpDuEOeZeRoY2xHO4wPyBn
KfN0CLg6H6lID4t3x0lywicYDjbbfzYAjFvphZvjSkHarx6XCvYERu6ugSTU
OiNsd9xm7Y11NvsMyHHs4JplACW+2J5gn+xA6sbGeMj/ukLTp8BT4N3Y0tjC
kWvhxcvoElKJ0WGBhI66FS1LNrDjNt3pSEUCrCTUK2ePwsjBwxSDWFh543jr
s5I5bqWyxRd/nQT9LrVvdRMhdeNiYfYRJvJQFj3CcNZ2/rju6QSzbpK2/Lvm
vaTIQDdZ286WdxOrbHSXmo2vPZR6Ywvbt66wzUJ2gWz/ktGQK2NL4oWDPKSM
as5+a+8T2YHy7yiKL3xunvu+DI6pk4JuNsio8V0ZzU0ixDBpgCR4S4+R7mE0
x3lx6VBCV72zNzO7xCI0XnEJQNp2eSJ7b9NeR+FJd/9oxK/y33O+PyEVdOK6
On403SEph/jVfFbTXRrWZiVkr1HXmkSKy4M5lFZP42YEDB3ly1luXD6DBrgk
9D1uRJGXw99t+sPd/zCMhKI/+GRc7xOotsOH/CDpInevQw8I+bpMcz9u6R7e
cgRXo5tW1t3b2CEcvvhwtIZlkil1uY3dvnRCHjc9DLy7zXHQmTUUqrPzlJyG
tGf/3l2/oDP5yv1y8hX6VbUZ9r5FveZq28+r0qwPXtv8DhOe1uae7BBN97px
Nejx3d1P3K30OABaMLoCEd2bfXmAjEmcErRB/jBktmcQh2HjNuuUO5fLqAEh
umgMqwQHhOsA4O+EU9wWOUW8Qha8GrDomS5yhLgjprARQXXNl9ZwAENuZL5x
QHCSVWmZzd9isVDyCNy3Gw55YwsXvzvKPjkBvwyifCHo8OWUtB1+YsUxqW7b
XJNUSsO2iYoB02+EXgGAye0qkI5vF5VpKz1fwcW9yQGnD6poITcJcltGrlBj
ilJuzj4R1AvlzNBL5Yto5dJ2G1hBmgxzWXHmggR7lI2Q9Ifz7huUqdGQLsF/
MJNwquK/Oxf771Fin6gdJiY5rR6ypuEqKz6/cEB/UWQznFSOe8+NdtmN+KIN
SnR80CQvGdsuEQ8roIMp+P6S3N837lJg1PcAtE7RXMhe3BJatl3DgvqTrhV0
LBpXLsqLls4wbYBiJ5Smz5MMeUjERdWHZMTBXP6oapj+yevb6C9x8DBYaj/y
Tkd9unCIEQdSBumguyRFIH5tUD2I4Gn6l321hsOVhUH7X5SJ3Js5GxxusNe+
Zi9XkfnmRJQmS2/kAGi6657pB2nEvEbB8B2FTXPU3HbeWkQ3m565GyS2vjQS
Rsa69nMOgcSl3PmY66rBTTXfrCxk576yRczYZe52Ew+htT+q22ZbFuqj69Zr
aIWP6sp2mYQsBd+C/Zh9nE6n/v/0dprM+hgQWuR4g1kPVvyj7yrwd5OahnEP
Zn35pZO9HEzmVcJ+7wCT3l6/Iq9DtpXGj73f3kiNRkYtmsOeKp71zHYkruRK
J+pEA8LtNULtmxzsoDT8lIYlAQ7x/OcDo/BxLwj263iR/phk+O2tDWth4vmf
812PQTnso9wwbe880aF7D32irK4I7SsaKjdI1Aqxk1g1pkavgEalS0845UNO
d1WI15GWsWR+bwjs7RXeNNv2qdh2y6eP0J1r502fiwpK42vqkTcNeTNilklu
YFvNmhIh3LYDsE3yLLn+Q1+4ch0+XACP7gLF8eASHQcMjz/9oQhXGvcXj8R8
hHwbdza4mz6Z2eACxwGDgjgJhXxAoYjV+z9idWAPPoFBwNxkklxgzz6tKIqo
wrlZHyzXVd1LtuNEsf1FVzexpOLdZS4ujj0qEfwMl8qHh+DMFV/Ad8ArDi9j
OKz6mrvv85CMdHc1/S1kAjpGwOB9aaSccd2SOJAAncG6LWzwZKKWjXCV0Aum
xJ93+DwI7kaUwEeDlonzOA6QvhPOwsjvhOgJdzUbyUW9iAqD8dSDzylkYlno
V0kYGd/JQQLeNe2OpScOAOM+Pu5/d57ecza/a0pujuQ2XUlqkptzZOJhtC84
FI7NiqxqVjYY2Pn62dboftHUuw2+SJM0r1BEC/Vhj9xZbEpktbttHFzI7Qpj
XO7L3qvAJxrAYEQ6VYNahQV5Beo+NaDxulnYHWUW60GQ/Fcv+IMMXjhJG10L
WJQgj2SRnDCicZjYoVTcurpZW1LAioCMpqXIJF+ED5VGkeMpGgjK4LDia7N3
OrOXQA80ILDq80Djr4sO3R16iwP+yPzNddla3A7ui87yJ9szas3/DN98CIgZ
gyUwYGZK7MKgVrCPuyjI7Tj2ugpMhE6LH4BS3/qXYhfVBsZL2vpeLcnSr4cz
MBFz7caEnBpmQNKrChMg9+a+eNFCeYhC7b8Z4AZbdBi6PwQVTMOtKGtmkqQi
GiQEBtGxpx0+cLUupXXfNnzRZdS6kg9Rq5ZG+LQDKE417+uBSXEyE8fIEno8
btpLB+X7LjVwxxqUt45StXK4nK36AM/BXZrOyNmCGAWivoOHhm98x5+758Fx
pJGYIO62Qns0MmDSHr3RyF+WZiMddpenr0/3aFzsvVHgqhsZmXP9xdivU6Fq
iEmuyORFmacfT+R7u3rxT0d8l/XoJ76MLeYvubDuvkOQfnhFjJAMZ+lMP5uV
Kfe6Cyvte9+FVRI37QP5SpyG2hftS2bB2NheLqVxdC/d1+OY/rt4T2/QMWDr
90viHHJcjcuYhvsi3kC0Gp8wIEtlG/PcoqGbICgQ8uGSf9hPxA+s6+EqkFVz
fCdBzmuyL4aKZ5dczQ8vjNyhMvFXJkpZ5GVIMHV7v94XBC66lLTc9x0HbNN/
78I7DXzVIaQhg+4EM+HJmvLHCbkp6jvI37lcXX+ND2OzUbRY9I2WvPIBkWQx
b+0YMRBxTi98QsPWDPP4o0X+Q6RJ24p8woPzKZxhi75XOv4oTACe0ecabqXS
iVtkhUvQha8cYDqHsEL9djbcCwPXfLGQHIn/pIv9CAla0MhalVOXqfH0x9+W
GZZ6J76865t23GdbkIralPY6iut8y+RTK8p9akUKFZYEl6bH6M80tLjmukzE
Wnw+q1vcu+PbdtiqnRZoOCThXklX64Hjd7kV2FHXuGa/lvlCnHJRbnNb5Rh8
SwofVPI3MtCl2XYCFJ1Jw+eOXaLQf2uKG26abU7CERkhx0X3DYtsrrt7reNM
wtBljmXI3TQafPApkw8+Ic+nFwELYzl/S2OYzk5w5LDl2d7F80m0tN05Qq77
v9kUEL07V1LVOiA5KWzsK0Ms23yj5bLN/wIDOVlT7F8AAA==

-->

</rfc>
