<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-nobuo-scitt-protected-object-binding-00" category="std" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="SCITT Object Binding">SCITT Statement Relationship and Protected Object Binding</title>
    <seriesInfo name="Internet-Draft" value="draft-nobuo-scitt-protected-object-binding-00"/>
    <author fullname="Nobuo Aoki">
      <organization>The Graduate University for Advanced Studies (SOKENDAI)</organization>
      <address>
        <postal>
          <country>Japan</country>
        </postal>
        <email>n_aoki@ieee.org</email>
      </address>
    </author>
    <date year="2026" month="July" day="07"/>
    <area>SEC</area>
    <workgroup>Supply Chain Integrity, Transparency, and Trust Working Group</workgroup>
    <keyword>SCITT</keyword>
    <keyword>supply chain</keyword>
    <keyword>protected object</keyword>
    <keyword>statement graph</keyword>
    <keyword>transparency</keyword>
    <abstract>
      <?line 77?>

<t>This document defines a small common model for relating Supply Chain
Integrity, Transparency, and Trust (SCITT) Signed Statements to the supply-chain
objects that those statements describe, measure, authorize, revoke, or audit.
The model can be used for software artifacts, firmware artifacts, hardware
components, device instances, cloud compute resources, and other objects that
appear in supply-chain evidence.</t>
      <t>The document also defines a relationship vocabulary and an optional Statement
Graph Manifest.  These parts help verifiers connect heterogeneous SCITT
statements without requiring SCITT to define the payload formats of those
statements.  This document does not define SBOM, HBOM, CBOM, attestation,
audit, vulnerability, or regulatory payload formats.  It only defines a common
binding and graph layer around SCITT statements and receipts.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://aoki-n1.github.io/draft-nobuo-scitt-protected-object-binding/draft-nobuo-scitt-protected-object-binding.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-nobuo-scitt-protected-object-binding/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        SCITT Working Group mailing list (<eref target="mailto:scitt@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/scitt/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/scitt/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/aoki-n1/draft-nobuo-scitt-protected-object-binding"/>.</t>
    </note>
  </front>
  <middle>
    <?line 93?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>SCITT <xref target="RFC9943"/> defines an architecture for trustworthy and transparent
supply-chain statements.  A producer signs a statement, a Transparency Service
registers it, and a consumer can later verify the signed statement and its
receipt.</t>
      <t>Many supply-chain decisions need more than one statement.  A device can be
covered by a device identity statement, a hardware statement, a firmware SBOM,
an update authorization statement, an attestation result, a vulnerability
statement, and an audit statement.  Each statement can be valid by itself, but a
consumer often needs to know whether these statements refer to the same object
and how they relate to each other.</t>
      <t>SCITT intentionally keeps payloads opaque to the common layer.  This is useful
because different ecosystems use different payload formats.  It also creates a
small gap: a generic verifier can verify that a statement was registered, but it
may not know what object the statement is about unless it understands the
payload.  That makes graph discovery, evidence packaging, and cross-domain tools
harder.</t>
      <t>This document fills that gap with a narrow binding model.  It does not turn
SCITT into a hardware or cloud assurance framework.  It also does not ask the
Transparency Service to understand every payload.  Instead, it defines a small
set of optional common fields that can be carried by a profile, a payload, or a
future envelope extension.  These fields say which object a statement is about
and how that statement relates to other statements.</t>
      <t>The model is intended to support the following tasks:</t>
      <ul spacing="normal">
        <li>
          <t>linking a statement to a software, firmware, hardware, device, or cloud
object;</t>
        </li>
        <li>
          <t>referring to a SCITT statement and its receipt in a stable way;</t>
        </li>
        <li>
          <t>expressing common relationships such as <tt>describes</tt>, <tt>measures</tt>,
<tt>authorizes</tt>, <tt>supersedes</tt>, and <tt>revokes</tt>;</t>
        </li>
        <li>
          <t>building a small graph of evidence for later verification; and</t>
        </li>
        <li>
          <t>keeping domain-specific semantics in domain profiles.</t>
        </li>
      </ul>
      <t>TODO: Align this document with the latest SCITT Architecture terminology before
submission.  In particular, confirm whether the term "Protected Object" should
be replaced with "Supply-Chain Object", "Artifact Subject", or another term.</t>
    </section>
    <section anchor="working-group-context">
      <name>Working Group Context</name>
      <t>The design of this draft follows two points that have come up in SCITT
discussions.</t>
      <t>First, SCITT is already able to carry statements from more than one party about
the same subject.  One party can publish a statement about an artifact, and
another party can later publish a counter-statement, a fix statement, or an
audit statement.  This draft makes that pattern easier to use by giving tools a
small way to name the subject and to describe the relationship between
statements.</t>
      <t>Second, SCITT is content-agnostic by design.  This is important.  It lets SCITT
work with many payload formats.  The same design also means that a generic tool
cannot always find the subject, the graph, or the latest related statement
without help.  This draft provides that help as optional metadata and graph
statements.  The signed statement is still the SCITT unit of registration.</t>
      <t>The IETF 122 discussion noted that SCITT can link things together through
subjects and statements, but that this is not inherent in the basic model.  It
also noted that reliable locators in SCRAPI can be used as pointers, and that
"statements about statements" may help describe messy build or update flows.
The IETF 124 discussion raised the same design question for software, hardware,
and other artifacts: where should graph information live, and how much should
the common SCITT layer expose?</t>
      <t>This draft takes a conservative position.  It does not change the basic
Transparency Service function.  A Transparency Service can still register signed
statements and return receipts.  Graph support can be provided by profiles,
graph manifest statements, protected metadata if defined by a future profile, or
auxiliary services.</t>
    </section>
    <section anchor="why-this-is-still-about-statements">
      <name>Why This Is Still About Statements</name>
      <t>A likely question is why SCITT needs an object binding model when SCITT already
works with statements.  The answer is that this document does not make objects a
new primary SCITT resource.  The signed statement remains the unit registered in
SCITT.  The object binding is only a common way to say what that statement is
about.</t>
      <t>This distinction matters for scope:</t>
      <ul spacing="normal">
        <li>
          <t>A Transparency Service can continue to register opaque signed statements.</t>
        </li>
        <li>
          <t>A domain profile can decide whether the binding is placed in the payload, in a
protected header, or in a separate graph manifest.</t>
        </li>
        <li>
          <t>A verifier can use the binding only when it needs cross-statement analysis.</t>
        </li>
        <li>
          <t>The truth of the payload remains a domain and issuer matter.</t>
        </li>
      </ul>
      <t>The binding is therefore an aid for statement discovery and statement graph
construction.  It is not a new guarantee that the object is safe, compliant, or
correct.</t>
    </section>
    <section anchor="scope-questions-and-answers">
      <name>Scope Questions and Answers</name>
      <t>This section records expected scope questions.</t>
      <t><strong>Question:</strong> SCITT handles statements.  Why define Protected Objects?</t>
      <t><strong>Answer:</strong> Protected Objects are not a new SCITT registry resource.  They are a
small way to identify what a statement is about.  The registered item remains a
Signed Statement.  The binding only helps a verifier connect several statements
that refer to the same object.</t>
      <t><strong>Question:</strong> Does this draft make SCITT a hardware supply-chain standard?</t>
      <t><strong>Answer:</strong> No.  Hardware-specific assurance, HBOM formats, hardware roots of
trust, and manufacturer policy remain outside this draft.  This draft only says
how a signed statement about such material can be linked to other SCITT
statements and receipts.</t>
      <t><strong>Question:</strong> Does this draft require SCRAPI to become a graph API?</t>
      <t><strong>Answer:</strong> No.  SCRAPI can remain a registration and receipt API.  Graph
discovery can be done by a later auxiliary service or by exchanging a Statement
Graph Manifest.</t>
      <t><strong>Question:</strong> Does a valid graph prove that all claims are true?</t>
      <t><strong>Answer:</strong> No.  A valid graph proves that the statements, receipts, and
relationships satisfy a chosen verification policy.  It does not prove that an
issuer told the truth.</t>
    </section>
    <section anchor="scope">
      <name>Scope</name>
      <t>This document is in scope when it defines common building blocks for relating
SCITT Signed Statements and receipts.  These building blocks are useful across
software, firmware, hardware, IoT, cloud, and other supply-chain domains.</t>
      <t>This document defines:</t>
      <ul spacing="normal">
        <li>
          <t>a Protected Object Binding information model;</t>
        </li>
        <li>
          <t>Statement Reference and Receipt Reference information models;</t>
        </li>
        <li>
          <t>a small relationship vocabulary;</t>
        </li>
        <li>
          <t>an optional Statement Graph Manifest; and</t>
        </li>
        <li>
          <t>common verification and security considerations.</t>
        </li>
      </ul>
    </section>
    <section anchor="non-goals">
      <name>Non-Goals</name>
      <t>This document does not:</t>
      <ul spacing="normal">
        <li>
          <t>define the payload format for SBOM, HBOM, CBOM, VEX, attestation evidence,
audit reports, regulatory reports, or operational logs;</t>
        </li>
        <li>
          <t>define whether a manufacturer, cloud provider, device operator, auditor, or
regulator made a true claim;</t>
        </li>
        <li>
          <t>define a global registry for devices, hardware, cloud resources, or supply
chain objects;</t>
        </li>
        <li>
          <t>define best practices for designing a software, hardware, IoT, or cloud
supply chain;</t>
        </li>
        <li>
          <t>require a Transparency Service to index or query graphs;</t>
        </li>
        <li>
          <t>require a particular identifier scheme for devices, hardware, or cloud
resources;</t>
        </li>
        <li>
          <t>define an authorization policy language; or</t>
        </li>
        <li>
          <t>define domain-specific compliance rules.</t>
        </li>
      </ul>
      <t>TODO: Decide whether this document should stay Standards Track or begin as
Informational until the WG agrees on the boundary between generic SCITT metadata
and domain-specific payloads.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses CBOR diagnostic notation where helpful.  JSON examples are
illustrative unless a profile states otherwise.</t>
      <dl>
        <dt>Protected Object:</dt>
        <dd>
          <t>A physical or non-physical supply-chain object about which one or more SCITT
Signed Statements are made.  Examples include a software package, firmware
image, source repository, container image, hardware component, device
instance, virtual machine, confidential-computing enclave, GPU allocation,
cloud service, or integrated product.</t>
        </dd>
        <dt>Object Binding:</dt>
        <dd>
          <t>A data structure that relates a SCITT Signed Statement to a Protected Object.</t>
        </dd>
        <dt>Statement Reference:</dt>
        <dd>
          <t>A stable reference to a SCITT Signed Statement, a statement digest, a
Transparency Service registration identifier, or another identifier that lets
a verifier retrieve or identify the statement.</t>
        </dd>
        <dt>Receipt Reference:</dt>
        <dd>
          <t>A stable reference to a SCITT receipt or receipt bundle that lets a verifier
verify registration of a statement in a Transparency Service.</t>
        </dd>
        <dt>Relationship Edge:</dt>
        <dd>
          <t>A directed edge that states how two nodes are related.  A node can be a
Protected Object, a Statement Reference, or a Receipt Reference.</t>
        </dd>
        <dt>Statement Graph:</dt>
        <dd>
          <t>A set of nodes and Relationship Edges.</t>
        </dd>
        <dt>Statement Graph Manifest:</dt>
        <dd>
          <t>A signed statement that commits to a Statement Graph or to a useful subset of
a Statement Graph.</t>
        </dd>
        <dt>Subject:</dt>
        <dd>
          <t>The main node to which a graph, manifest, or verification request applies.</t>
        </dd>
      </dl>
    </section>
    <section anchor="protected-object-binding-model">
      <name>Protected Object Binding Model</name>
      <t>A Protected Object Binding identifies the object that a statement describes,
measures, authorizes, revokes, audits, or otherwise relates to.</t>
      <t>The binding is meant to be small.  A profile can add fields, but it <bcp14>SHOULD</bcp14> keep
the common binding stable enough for generic tools to compare objects and build
graphs.</t>
      <sourcecode type="cddl"><![CDATA[
; This CDDL is provisional and needs WG review.
protected-object-binding = {
  object_type: tstr,
  object_id: tstr,
  ? object_digest: digest,
  ? object_locator: [+ tstr],
  ? object_instance_id: tstr,
  ? lifecycle_phase: lifecycle-phase,
  ? object_namespace: tstr,
  ? issuer_scope: tstr,
  ? object_attributes: {* tstr => any}
}

digest = {
  alg: tstr,
  value: bytes
}

lifecycle-phase = "design" / "build" / "manufacture" / "provision" /
                  "deploy" / "operate" / "update" / "audit" /
                  "repair" / "transfer" / "retire" /
                  "decommission" / tstr
]]></sourcecode>
      <t>The <tt>object_type</tt> field identifies the kind of object.  Initial values are
listed in <xref target="initial-object-types"/>.</t>
      <t>The <tt>object_id</tt> field identifies the object within a namespace chosen by an
issuer, a domain profile, or another recognized authority.  This document does
not create a single global identifier system.</t>
      <t>The <tt>object_digest</tt> field binds the object to bytes, measurements, a canonical
descriptor, or another profile-defined representation.  Some hardware and cloud
resources do not have one stable byte string.  In such cases, a profile can use
a measurement digest, configuration digest, or other fingerprint.</t>
      <t>The <tt>object_locator</tt> field gives one or more locations where an object or
object descriptor can be found.  A locator <bcp14>MUST NOT</bcp14> be treated as stable
identity unless a profile says so.</t>
      <t>The <tt>object_instance_id</tt> field distinguishes an object class from a specific
object instance.  For example, a firmware digest can identify an artifact, while
a serial number or attested device identity can identify a device instance.</t>
      <t>The <tt>lifecycle_phase</tt> field gives coarse lifecycle context.  It is not a full
lifecycle model.  A domain profile can define more precise values.</t>
      <t>The <tt>issuer_scope</tt> field can be used when an <tt>object_id</tt> is only meaningful in
the issuer's namespace.</t>
    </section>
    <section anchor="statement-reference">
      <name>Statement Reference</name>
      <t>A Statement Reference identifies a SCITT statement that is part of a graph.</t>
      <sourcecode type="cddl"><![CDATA[
; This CDDL is provisional and needs WG review.
statement-reference = {
  ? statement_uri: tstr,
  ? statement_digest: digest,
  ? registration_id: tstr,
  ? transparency_service: tstr,
  ? content_type: tstr,
  ? issuer: tstr,
  ? issued_at: time,
  ? attributes: {* tstr => any}
}
]]></sourcecode>
      <t>A Statement Reference <bcp14>MUST</bcp14> contain enough information for the intended verifier
to identify the statement.  A profile <bcp14>MAY</bcp14> require a digest, URI, registration
identifier, or a combination of these values.</t>
      <t>A verifier <bcp14>MUST NOT</bcp14> trust a URI by itself.  When a digest is present, the
retrieved statement <bcp14>MUST</bcp14> match the digest.  When a receipt is present, the
verifier <bcp14>MUST</bcp14> verify the receipt under the applicable receipt profile.</t>
    </section>
    <section anchor="receipt-reference">
      <name>Receipt Reference</name>
      <t>A Receipt Reference identifies a receipt for a statement.</t>
      <sourcecode type="cddl"><![CDATA[
; This CDDL is provisional and needs WG review.
receipt-reference = {
  ? receipt_uri: tstr,
  ? receipt_digest: digest,
  ? receipt_type: tstr,
  ? transparency_service: tstr,
  ? registration_id: tstr,
  ? attributes: {* tstr => any}
}
]]></sourcecode>
      <t>A Receipt Reference <bcp14>MAY</bcp14> identify a detached receipt, an embedded receipt, or a
bundle of receipts.  A verifier <bcp14>MUST</bcp14> apply the receipt profile named or implied
by the receipt.</t>
    </section>
    <section anchor="relationship-edge">
      <name>Relationship Edge</name>
      <t>A Relationship Edge connects two graph nodes.  The edge states a relation name,
the source node, and the target node.</t>
      <sourcecode type="cddl"><![CDATA[
; This CDDL is provisional and needs WG review.
relationship-edge = {
  from: node-id,
  relation: relation-name,
  to: node-id,
  ? asserted_by: statement-reference,
  ? valid_from: time,
  ? valid_until: time,
  ? confidence: tstr,
  ? attributes: {* tstr => any}
}

node-id = tstr
relation-name = tstr
]]></sourcecode>
      <t>The <tt>asserted_by</tt> field can identify the statement that asserts the edge.  A
profile <bcp14>SHOULD</bcp14> use this field when edge authority matters.</t>
      <t>A verifier <bcp14>MUST</bcp14> apply a policy that states which issuers are allowed to assert
which relations.  A valid signature alone does not give authority to assert any
relation.</t>
    </section>
    <section anchor="initial-relationship-vocabulary">
      <name>Initial Relationship Vocabulary</name>
      <t>This document defines the following initial relation names.  Relation names are
case-sensitive ASCII strings.  A profile <bcp14>MAY</bcp14> define extra names using a URI or a
registered extension value.</t>
      <dl>
        <dt>describes:</dt>
        <dd>
          <t>The source statement describes the target object or statement.</t>
        </dd>
        <dt>identifies:</dt>
        <dd>
          <t>The source statement provides identity information for the target object.</t>
        </dd>
        <dt>partOf:</dt>
        <dd>
          <t>The source object is a part of the target object.</t>
        </dd>
        <dt>contains:</dt>
        <dd>
          <t>The source object contains the target object.</t>
        </dd>
        <dt>builtFrom:</dt>
        <dd>
          <t>The source object was built from the target object.</t>
        </dd>
        <dt>derivedFrom:</dt>
        <dd>
          <t>The source object or statement is derived from the target object or statement.</t>
        </dd>
        <dt>runsOn:</dt>
        <dd>
          <t>The source software, firmware, or workload runs on the target platform or
compute resource.</t>
        </dd>
        <dt>measures:</dt>
        <dd>
          <t>The source statement reports a measurement of the target object.</t>
        </dd>
        <dt>attests:</dt>
        <dd>
          <t>The source statement attests to a property of the target object.</t>
        </dd>
        <dt>authorizes:</dt>
        <dd>
          <t>The source statement authorizes an action concerning the target object.</t>
        </dd>
        <dt>observes:</dt>
        <dd>
          <t>The source statement records an observed state or event concerning the target
object.</t>
        </dd>
        <dt>supersedes:</dt>
        <dd>
          <t>The source statement replaces the target statement for a purpose defined by
policy.</t>
        </dd>
        <dt>revokes:</dt>
        <dd>
          <t>The source statement says that the target statement should not be accepted for
a purpose defined by policy.</t>
        </dd>
        <dt>conflictsWith:</dt>
        <dd>
          <t>The source statement cannot be accepted with the target statement under the
same policy unless that policy resolves the conflict.</t>
        </dd>
        <dt>aggregates:</dt>
        <dd>
          <t>The source statement groups the target statements or objects.</t>
        </dd>
        <dt>dependsOn:</dt>
        <dd>
          <t>The source statement or object depends on the target statement or object.</t>
        </dd>
        <dt>audits:</dt>
        <dd>
          <t>The source statement is an audit result for the target statement or object.</t>
        </dd>
      </dl>
      <t>TODO: Decide whether this vocabulary should be an IANA registry, a closed list,
or a profile-specific registry with expert review.</t>
    </section>
    <section anchor="initial-object-types">
      <name>Initial Object Types</name>
      <t>This document defines the following initial object type strings:</t>
      <ul spacing="normal">
        <li>
          <t><tt>source-repository</tt></t>
        </li>
        <li>
          <t><tt>software-package</tt></t>
        </li>
        <li>
          <t><tt>container-image</tt></t>
        </li>
        <li>
          <t><tt>firmware-image</tt></t>
        </li>
        <li>
          <t><tt>hardware-component</tt></t>
        </li>
        <li>
          <t><tt>hardware-platform</tt></t>
        </li>
        <li>
          <t><tt>device-class</tt></t>
        </li>
        <li>
          <t><tt>device-instance</tt></t>
        </li>
        <li>
          <t><tt>cloud-image</tt></t>
        </li>
        <li>
          <t><tt>cloud-compute-resource</tt></t>
        </li>
        <li>
          <t><tt>confidential-computing-environment</tt></t>
        </li>
        <li>
          <t><tt>accelerator-resource</tt></t>
        </li>
        <li>
          <t><tt>service-endpoint</tt></t>
        </li>
        <li>
          <t><tt>integrated-product</tt></t>
        </li>
      </ul>
      <t>TODO: Decide whether terms such as TPM, TEE, GPU, and IoT gateway should be
registered object types or examples under broader object types.</t>
    </section>
    <section anchor="statements-about-statements">
      <name>Statements about Statements</name>
      <t>A Statement Graph can include a statement that is about another statement.  This
pattern is useful when a later event changes how a previous statement should be
used.</t>
      <t>Examples include:</t>
      <ul spacing="normal">
        <li>
          <t>a vulnerability statement that refers to a previous SBOM statement;</t>
        </li>
        <li>
          <t>a fix statement that says a reported issue has been corrected;</t>
        </li>
        <li>
          <t>a revocation statement for a previous release statement;</t>
        </li>
        <li>
          <t>an audit statement about a submitted statement;</t>
        </li>
        <li>
          <t>a supersession statement that says a new statement is the current one for a
given purpose; and</t>
        </li>
        <li>
          <t>a graph manifest statement that commits to a set of statement references and
relationship edges.</t>
        </li>
      </ul>
      <t>This draft does not define the payload format of these statements.  It only
defines references and relation names that allow a verifier to build a graph.</t>
      <t>A profile <bcp14>MUST</bcp14> say which issuers are allowed to assert a relationship about
another statement.  For example, an arbitrary third party should not be able to
revoke a manufacturer statement unless the verification policy grants that
authority.</t>
    </section>
    <section anchor="statement-graph-manifest">
      <name>Statement Graph Manifest</name>
      <t>A Statement Graph Manifest packages a set of nodes and edges.  It can be used
for offline verification, for evidence exchange, or to commit to a graph digest.
The manifest <bcp14>MAY</bcp14> itself be a SCITT Signed Statement.</t>
      <sourcecode type="cddl"><![CDATA[
; This CDDL is provisional and needs WG review.
statement-graph-manifest = {
  graph_type: "scitt-statement-graph/v1",
  subject: node-id,
  nodes: [+ graph-node],
  edges: [+ relationship-edge],
  ? graph_policy: tstr,
  ? graph_digest: digest,
  ? generated_at: time,
  ? expires_at: time,
  ? profile: tstr,
  ? attributes: {* tstr => any}
}

graph-node = {
  id: node-id,
  node: protected-object-binding / statement-reference,
  ? receipt: receipt-reference,
  ? attributes: {* tstr => any}
}
]]></sourcecode>
      <t>The following example is illustrative.</t>
      <sourcecode type="json"><![CDATA[
{
  "graph_type": "scitt-statement-graph/v1",
  "subject": "device",
  "nodes": [
    {
      "id": "device",
      "node": {
        "object_type": "device-instance",
        "object_id": "urn:example:device:gateway-1234"
      }
    },
    {
      "id": "firmware-sbom",
      "node": {
        "statement_digest": {
          "alg": "sha-256",
          "value": "TODO-base64url"
        },
        "content_type": "application/example-firmware-sbom+json"
      },
      "receipt": {
        "receipt_digest": {
          "alg": "sha-256",
          "value": "TODO-base64url"
        }
      }
    }
  ],
  "edges": [
    {
      "from": "firmware-sbom",
      "relation": "describes",
      "to": "device"
    }
  ],
  "graph_policy": "iot-device-integrity/v1"
}
]]></sourcecode>
      <t>TODO: Define a canonical graph digest algorithm.  The algorithm needs to handle
node ordering, edge ordering, duplicate edges, and differences between JSON and
CBOR encodings.  The IETF 124 discussion noted that deterministic encoding is
an open issue for graph work; this draft should not claim that problem is
solved until the WG agrees on an approach.</t>
    </section>
    <section anchor="graph-digest-requirements">
      <name>Graph Digest Requirements</name>
      <t>A graph digest is useful when a graph is exchanged between tools or registered
as a statement.  A graph digest can also help a verifier detect that a graph was
changed after it was prepared.</t>
      <t>A future version of this document needs a deterministic graph digest algorithm.
The algorithm should define at least the following:</t>
      <ul spacing="normal">
        <li>
          <t>the canonical form of each node;</t>
        </li>
        <li>
          <t>the canonical form of each edge;</t>
        </li>
        <li>
          <t>how node identifiers are sorted;</t>
        </li>
        <li>
          <t>how edges are sorted;</t>
        </li>
        <li>
          <t>how duplicate edges are handled;</t>
        </li>
        <li>
          <t>how missing optional fields are handled;</t>
        </li>
        <li>
          <t>how JSON and CBOR encodings are compared, if both are allowed; and</t>
        </li>
        <li>
          <t>how profiles add fields without breaking the digest.</t>
        </li>
      </ul>
      <t>Until that algorithm is defined, implementations <bcp14>SHOULD NOT</bcp14> compare graph
digests across independent implementations unless they use the same private
profile.</t>
      <t>TODO: Define or reference a deterministic encoding and graph digest method after
WG review.</t>
    </section>
    <section anchor="placement-of-binding-data">
      <name>Placement of Binding Data</name>
      <t>A binding can appear in more than one place.  This document does not require one
placement.</t>
      <t>A profile <bcp14>MAY</bcp14> place binding data:</t>
      <ul spacing="normal">
        <li>
          <t>inside the payload of a domain-specific SCITT statement;</t>
        </li>
        <li>
          <t>in a generic graph manifest statement;</t>
        </li>
        <li>
          <t>in a protected header if a future SCITT or COSE profile defines such use; or</t>
        </li>
        <li>
          <t>in an auxiliary service response that is verified against registered
statements and receipts.</t>
        </li>
      </ul>
      <t>A profile <bcp14>MUST</bcp14> state which placement it uses.  A verifier <bcp14>MUST</bcp14> know which
placement is authoritative for the profile it is applying.</t>
      <t>TODO: Coordinate this section with any SCITT list discussion on whether some
metadata about opaque payloads belongs in a COSE protected header.</t>
    </section>
    <section anchor="verification-procedure">
      <name>Verification Procedure</name>
      <t>A verifier that processes a Statement Graph Manifest <bcp14>SHOULD</bcp14> perform the
following steps:</t>
      <ol spacing="normal" type="1"><li>
          <t>Parse the manifest and validate its syntax.</t>
        </li>
        <li>
          <t>Resolve each Statement Reference required by the applicable policy.</t>
        </li>
        <li>
          <t>Verify each Signed Statement according to COSE and SCITT requirements.</t>
        </li>
        <li>
          <t>Verify each receipt according to the applicable receipt profile.</t>
        </li>
        <li>
          <t>Validate that each required statement is bound to the expected Protected
Object.</t>
        </li>
        <li>
          <t>Construct the graph from nodes and edges.</t>
        </li>
        <li>
          <t>Check that each required edge is present.</t>
        </li>
        <li>
          <t>Check that each edge was asserted by an issuer allowed by policy.</t>
        </li>
        <li>
          <t>Report missing statements, invalid receipts, stale statements, unresolved
references, and conflicts.</t>
        </li>
      </ol>
      <t>A verifier <bcp14>MUST NOT</bcp14> treat successful graph verification as proof that all claims
inside the statement payloads are true.  Successful graph verification only
means that the statements, receipts, and edges satisfy the selected policy.</t>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>Object identifiers and graph edges can reveal sensitive information about
customers, devices, cloud tenants, locations, supply-chain partners, and
operational dependencies.</t>
      <t>Profiles using this document <bcp14>SHOULD</bcp14> minimize public identifiers when public
Transparency Services are used.  They <bcp14>MAY</bcp14> use pseudonymous identifiers, salted
commitments, encrypted payloads, access-controlled graph manifests, or selective
disclosure.</t>
      <t>A privacy mechanism <bcp14>MUST</bcp14> still allow the intended verifier to confirm the object
binding and relationship semantics required by policy.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This document introduces graph-level relationships that can affect verifier
decisions.  A wrong or malicious edge can make an evidence set look complete
when it is not.</t>
      <t>Implementations <bcp14>MUST</bcp14> verify signatures and receipts before using any edge.
Implementations <bcp14>MUST</bcp14> also apply an authorization policy for relation assertions.</t>
      <t>The following risks need attention:</t>
      <ul spacing="normal">
        <li>
          <t>Confused identity: two different objects are treated as the same object.</t>
        </li>
        <li>
          <t>Graph injection: a presenter adds irrelevant but valid statements to a graph.</t>
        </li>
        <li>
          <t>Omitted conflict: a presenter omits a conflicting statement.</t>
        </li>
        <li>
          <t>Unauthorized revocation: an issuer revokes or supersedes a statement without
authority.</t>
        </li>
        <li>
          <t>Stale graph: a verifier accepts old evidence as if it were current.</t>
        </li>
        <li>
          <t>Privacy leakage: a graph reveals sensitive operational relationships.</t>
        </li>
        <li>
          <t>Ambiguous encoding: two implementations compute different graph digests for
the same intended graph.</t>
        </li>
      </ul>
      <t>TODO: Add a formal threat model aligned with the SCITT Architecture threat
model and with RATS terminology where attestation results are used.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document requests no IANA action yet.</t>
      <t>TODO: The WG should decide whether to create registries for:</t>
      <ul spacing="normal">
        <li>
          <t>SCITT protected object type names;</t>
        </li>
        <li>
          <t>SCITT relation names;</t>
        </li>
        <li>
          <t>SCITT graph manifest media types; and</t>
        </li>
        <li>
          <t>graph verification result codes.</t>
        </li>
      </ul>
      <t>If registries are created, this document should define registration policies and
initial contents.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8610">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="C. Vigano" initials="C." surname="Vigano"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="RFC8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9052">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="RFC9942">
          <front>
            <title>CBOR Object Signing and Encryption (COSE) Receipts</title>
            <author fullname="O. Steele" initials="O." surname="Steele"/>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="A. Delignat-Lavaud" initials="A." surname="Delignat-Lavaud"/>
            <author fullname="C. Fournet" initials="C." surname="Fournet"/>
            <date month="June" year="2026"/>
            <abstract>
              <t>CBOR Object Signing and Encryption (COSE) Receipts prove properties of a Verifiable Data Structure (VDS) to a verifier. VDSs and associated Proof Types enable security properties, such as minimal disclosure, transparency, and non-equivocation. Transparency helps maintain trust over time and has been applied to certificates, end-to-end encrypted messaging systems, and supply chain security. This specification enables concise transparency-oriented systems by building on Concise Binary Object Representation (CBOR) and COSE. The extensibility of the approach is demonstrated by providing CBOR encodings for Merkle inclusion and consistency proofs.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9942"/>
          <seriesInfo name="DOI" value="10.17487/RFC9942"/>
        </reference>
        <reference anchor="RFC9943">
          <front>
            <title>An Architecture for Trustworthy and Transparent Digital Supply Chains</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="A. Delignat-Lavaud" initials="A." surname="Delignat-Lavaud"/>
            <author fullname="C. Fournet" initials="C." surname="Fournet"/>
            <author fullname="Y. Deshpande" initials="Y." surname="Deshpande"/>
            <author fullname="S. Lasker" initials="S." surname="Lasker"/>
            <date month="June" year="2026"/>
            <abstract>
              <t>Traceability in supply chains is a growing security concern. While Verifiable Data Structures (VDSs) have addressed specific issues, such as equivocation over digital certificates, they lack a universal architecture for all supply chains. This document defines such an architecture for single-issuer signed statement transparency. It ensures extensibility and interoperability between different transparency services as well as compliance with various auditing procedures and regulatory requirements.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9943"/>
          <seriesInfo name="DOI" value="10.17487/RFC9943"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9334">
          <front>
            <title>Remote ATtestation procedureS (RATS) Architecture</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="N. Smith" initials="N." surname="Smith"/>
            <author fullname="W. Pan" initials="W." surname="Pan"/>
            <date month="January" year="2023"/>
            <abstract>
              <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9334"/>
          <seriesInfo name="DOI" value="10.17487/RFC9334"/>
        </reference>
        <reference anchor="RFC9335">
          <front>
            <title>Completely Encrypting RTP Header Extensions and Contributing Sources</title>
            <author fullname="J. Uberti" initials="J." surname="Uberti"/>
            <author fullname="C. Jennings" initials="C." surname="Jennings"/>
            <author fullname="S. Murillo" initials="S." surname="Murillo"/>
            <date month="January" year="2023"/>
            <abstract>
              <t>While the Secure Real-time Transport Protocol (SRTP) provides confidentiality for the contents of a media packet, a significant amount of metadata is left unprotected, including RTP header extensions and contributing sources (CSRCs). However, this data can be moderately sensitive in many applications. While there have been previous attempts to protect this data, they have had limited deployment, due to complexity as well as technical limitations.</t>
              <t>This document updates RFC 3711, the SRTP specification, and defines Cryptex as a new mechanism that completely encrypts header extensions and CSRCs and uses simpler Session Description Protocol (SDP) signaling with the goal of facilitating deployment.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9335"/>
          <seriesInfo name="DOI" value="10.17487/RFC9335"/>
        </reference>
        <reference anchor="I-D.ietf-scitt-scrapi" target="https://datatracker.ietf.org/doc/draft-ietf-scitt-scrapi/">
          <front>
            <title>Supply Chain Integrity, Transparency, and Trust (SCITT) Reference APIs</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="I-D.ietf-scitt-receipts-ccf-profile" target="https://datatracker.ietf.org/doc/draft-ietf-scitt-receipts-ccf-profile/">
          <front>
            <title>CCF Profile for COSE Receipts</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="I-D.nobuo-scitt-hardware-iot-cloud-use-cases" target="https://aoki-n1.github.io/draft-nobuo-scitt-hardware-iot-cloud-use-cases/draft-nobuo-scitt-hardware-iot-cloud-use-cases.html">
          <front>
            <title>Applying SCITT to Hardware, IoT Device, and Cloud Compute Resource Supply Chains</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="I-D.nobuo-scitt-composite-evidence-verification" target="https://aoki-n1.github.io/draft-nobuo-scitt-composite-evidence-verification/draft-nobuo-scitt-composite-evidence-verification.html">
          <front>
            <title>Composite Evidence Verification for SCITT Statement Graphs</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="TODO-SBOM-HBOM-CBOM" target="https://example.com/TODO">
          <front>
            <title>TODO - Add references for SBOM, HBOM, CBOM, VEX, and related payload formats</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
    </references>
    <?line 758?>

<section numbered="false" anchor="design-notes-for-future-revisions">
      <name>Design Notes for Future Revisions</name>
      <t>This revision reflects four working assumptions.</t>
      <t>First, the generic layer should not need to parse every domain payload.  A small
binding layer can help tools build graphs even when payloads remain opaque.</t>
      <t>Second, graph support should not delay the core SCITT Reference API.  A graph
manifest or auxiliary service can be developed outside the basic Transparency
Service registration path.</t>
      <t>Third, statements about statements are useful for build failures, fixes,
revocations, audit results, and "latest statement" questions.  The relation
vocabulary should support this pattern without forcing every payload to use the
same schema.</t>
      <t>Fourth, hardware and cloud examples should be used carefully.  They motivate the
generic binding model, but they do not turn this draft into a hardware or cloud
assurance specification.</t>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The author thanks the SCITT WG participants for discussions on opaque payloads,
relationship metadata, graph building, and hardware supply-chain use cases.  The
SCITT and OCP case-study discussion helped sharpen the scope boundary between
SCITT statements and domain-specific hardware claims.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA61d65LbxpX+j6fAjn5s4pCjq52YSuKdjGR7spZG0YySTaVS
UhNoksiAAIMGZkSrlGfZZ9kn23PtCwjKdpKtLYeDS6P79Ll859JH8/k8u3fv
XnYvf21vH+V3bXdTNeu87MyqP4Wrrzq7M50t81XXbvN+Y/OqqfrK1PzIvGmX
Qzt3RdX3813X9rbobTlvl3+DH/Nl1ZQw2um2nMFQ+PLV+cX1de6Kdmdz05T5
tnoPj7ve9HZrmx6umXrvKpc3MNSMHqFX7l+ev8q31vYwHAxVVq4YnKvaJt/C
qx3M5zTPry+fXcLf3Y3tXA6Tzmu76vO7jYWff/oGJr4b+hzHtra05Smtu6/6
2i7yE57YlZ/Ia1ubHsZ3m2pH03ili8svaXH573hxJ5lZLjt768cY3y5gyHXb
7Re568ssK9uiMVv45I+n3/zBg8wNy21FK+73O3j74vn111kzbJe2W2QlfGKR
P3rw6Iv5g1/C/2cFTNw2bnCLfGVqZzOY3uMMSGIW+dXz8wy3ed21ww7+HHa7
ep+fb0zV5BcNzLWr+v0sv+5M43Drm2LPG3HdDa7P/yQc8g2+nt3YPYxVLrJ8
zhuFPxwPWeCQ+LdfV87romc8pded2W3wUh99Mbu1zWBh2FynyYPnvPp0Ejls
elUDfZGK/1XZfnXadmu4bLpis8g3fb9zi/v38SG8Ut3aU33oPl64v+zaO2fv
0/v38ZtVvxmWi9y0N9W8eXj/x28VvAx8Y10fPiuDnPKgp1X7E4b7CY+ebvpt
nWVm6Ddth/sBU8nz1VDXzG4vcYz8DCZDN2Dtpqm+Jx5f5Ncgmt90phxg7vmb
BijUOeCCfNV2+Vl5a5oCNu+qH8rKuvxnV5f//fzls7OLn9NIRTs0PbL3783O
NHTJ8n40b3HtsCHW0oZkTduBuMLouLGvvz5/9PDhl/LzVw9/+UR/fvHwgf78
8ok+8OWDzx/pzy+fRD8fL7Ksalajob98/PhJ+Pk5/ryYP6N9F0K6AhivWtCE
vRb4icLwM2LLn4O2WFm8afOzVxfuhMc03dpGfABCaoDFC9BOgf1AG8geH8zs
/uGUO1vYate7eVGskBFWVW3TBZyff42aCm/Q5p1fXj2H2fFr/+q8pj6vs4xZ
dGO68g6INa/afl7U7VDOB2fnhXHWpdM9Q3KjILPq7Nv8W3l3ll+01/kze1sV
YgfOcaD8vN2CFrewJtcOHRA83rIjK/wxEvipOf/Ex1kSD8lSwNRbECs7h1WV
yC1zkLNqVRUshelG6sP5c3k4/2P0MG3u2GZ9g5r0X6DBD0zwp7+hlEDDPL/6
3eWL+bf4n3P4T7pastxzUDVl3qkoOV4jPDvLv6X/ntN///j8f5ghOjTRoJd2
Zl+3psxZBRxZv31vtrvansKM7+PX4KF7RL/5i4uXb66fX80fPiKlci/MCm1s
DpeF0InRyV9UDfAhfe3ejxQqwS/3Ycj7Clvc/S0PhN8XqoIh//zB40cPHjx6
/ABt/8RUn0xP9cm/f6pPJqf6JJrqw4cPnjz8Aqf6MMtOT0+zbD6f52bpcNQ+
y643gLlAoQzEpKVdVQ1srsnd1tQ1mI/tFmFcW9qadpy2lXRCJNnZT1DGV9W6
IXMlcuFQryD4ZFwyZ1zC1hPubUwP/2mdDZgEpmtBCVdLUD1ba9yA+ogta/U9
/AS4197A/8JsDdhEAMpoQHkJhWnypc1BGxBH5q5d9agpAIz01QoI4mb5quq2
42uqUTKSqQZnMYNpoP4D5ApTQ5GY5aRrkGikBTvRgo7p0MIquzxeWWZ2O2s6
GCFZfa7ieprR1P3uwC630RZ1MQq+bQuzHABC7eljsM52hzfBF/C0zkgH5S8A
W6wABSEo31ggLWwXzGhjaxiGFARCdECpDULljQUGa9e2se3gBOlFe3EHKqsF
5N7Zvw9Vl1gLnilt7kgL5O2KdzUaiWaT8GJrydPQcQ6VjekRzBENZhnt9Sy/
HerGdmZZ1cSOxLJroEsPIH88DfjkRZ+3DfBxoCqzfCbAjYhJIBig4x72z4DQ
qt8T8yTrPDbBImTbqixrm4FHBPLRteVQ4EyzjN/98EEQ0seP4esNoeIKMSSw
NbFoj+IDML7f8M4GIN5nCdckpDxDXA9fhBk7kDiSaL0PhEvENL+yHXJyBpSq
XI+bj5QkNkI2cLAfHYkOqvSOeWTPQsvSHLuIJbzsMiEFUAK4bZ+yd2mLCn0l
9vVAMjtkEuTYJhJzWoSIGIstCB98Gt5YAiW89IGk9IiGk+WpvKZXvWQTK2Uw
6LBD78xrD7be8TtNzGQo0UNNQyVsliVvkPARNyaLeW6KTUQo0US3pq5oQUA0
W69m+RJkyWSe6qCfbEN0IkV507R36DOTKulJeCMeJOvs9Sk4FurS4aQ28CZc
34tlxscsTonU0qlyZQWavGG9AVJxY+3OqdSA1O7M3werHxDbQGKhwgv/D7oV
/JpsaQsDP/OyWhFk6HNbtG4P7LWlZ6Ibk1JJuq4An7hHucjYHK0NOJsmR2XU
VYVXVkRMz5VgMSJmz+8MEoYZ25ZM4KrPtmZPykUoCi8xrZh2/m1YkFmifhua
2joUDPhVgoiAysct2dhMpk8kgGG25gZmzCoDIyHIs6CIVKfDaosbswbVwrxS
dK1z87LdomT0bVu7DJmXtiTVhwDoa7GIQAdSvLDQxnTgH+eqrsjMMQW9/gRV
0oTtbWPxAP3CNss4sKNoxfJVB4yDIYhoH/xQxt3QmqfUB/JFoA0s2AaNi2OB
mbQGNqA6gBmZsz2aBG+xhLVgb+tSlizyUsByK1UB4uWgPMp32Opnq4HUp21u
bY3BLPseuBpVjjd5MrQDLrjbVCgGvPtmYu8j8TGRTIsgkVyybY80cBaBDpQL
FKsS5g3Poi4EdU6Mtmrrur3DjeuBtOB/ZZ/lddUQPIynQrumYCVAlABMFI3M
/JYCnuQ1PYUxSTOQdaaRRtZLtbYaMAQk9PUlOKp3Zo8j2Pc70H4Oh5DdieEH
UHIAIoKovVNw5t7N8neCz+A3TOedB2l0D+gAvGJL+gtn8I6Rm3uH31sOVV0K
GVj2SaKAS7wkoXWMLJK4NU9xLBgAdRcFS0m05m4HVgeeyZ3dGtBwBW6K3FRG
om0D92ORn9Vg2GCHYvkjgcNN4xiSEPEsttcwF0Dhbd2u98CsMD8bhQZJBghr
VQUCtRnaVtzJWKHTEPnJOJ55kjtAWXUJahXovqsNhnxoQhIVmXNURJ6egfMu
4BWAul5D0WiYU/ErsFiAJqkzct4Co77vBXdaNO+M1ZAQ6GAKxwLT37X5rq0a
Bekbc0smAcD1DinLQDGEgpG2X1egG2ZCOJSuGvR7CZKMfAaMicK9jw0ahbVT
fID024tcejPneI1A4Uv/CCqM3bCsK7dJRInVOSEtphAxX6aUCS8za4UhKJRm
u/kIUryP8QKRODs0/teBgGwfiGY7xBYd4H3jKjbcaBhBta2rW5ZVMAfe+IEg
4iMYMBSHSVRWUzLaZrmje4lrsLT9nbVNlqinKzDHTRltRtGS6Z+bddM6YFGc
B3NAZNyrLaouQ2sC41DbXl0CtBjMkVsEfIc2/Vo3S9iKDAvoh8apzVazjsvO
YAfI4NSwbGCEChcZFj2jP0glENEjsdTAg19tpi4KOjjpXoDcozJRFkYHyLhg
hra2N+iABydg7K9MIGAYHMgH+xUyKkNTkX1jGNJx9IVlzEcxoqQJZldKnhK/
T9wIVgHlsFmjwVmrwgCpXW8yoQp7IWGKDHbEh+YNRJpWzYaBFyIOmMMS2K+I
kENGWxPNAkhakYzW4GSCI+VYwF+fvbpIPGqgHakEUOus0cnJPYm9JBK+cOEk
RxxGhPf8uwUzs2f9j1srEH2FWuc0ptmTmGadqZwtA/AVJgO46nxELthPbzWz
4Jh7b38hSSnWuGJ3fAwbEW91K1FPBAVbNHyinSNYzDvHPiPYTvB1v1JAR6zX
kxpg/wrwE0XHcwrXiamIABy4Tc3ahr2ahl+roSnk5bNJ/472inlTAbGwb+zQ
syOLmDH4szlHLz10kU0X8SE0piZ0ljHBthJkSNgx5Jq8aFUrQYOC6QS6eWjX
dqBO34ObhZENxwtB/QWWCxxiIugF6CBa1RlxVwgtZdkZbNaNBU/GMwI8fwcv
8vawX4WWhVVpgqKRDXQfxVKRluOYR36gCYDgd0DRykUSdxjMQPXvg0Ama+wd
rLXa4ur4Uxo1OqZfOszfkNK0rFiCcwNcyjhf3h2tCuZDsQ6NcahFYRBs+jG+
rVxG8uo9EfhMxTyGiV0KFJBcYcKYoOsn+A7NS9Ww9+i5TxzK8Rphf3GsFJzR
KBg6KG0CmKLVCS4SteZdAkSzAD8D821gL21HhoORLmbRUcmkrMuzSJxMtM/x
R4mexCewEcxN7NAdJs1xNNyUvgMUzKAqxMV0U40umhA5+GTwXSa12ItotUgB
wpgEZioJaPrvet8zNQpix1DtwEyKoG3EOIBHCSy5HoAgoMit8rJnJjRvZmVn
FOUEqWTUA+N1HSIwwpRXVEHwBxE5VilnJB1OWMnZQgIq8CIQDTQkbw0XH6i0
oqB/9pkOtPjsM5ER0Icl6JpUBlEfSKhwDJ/dVzgOTwFHObhPBQlh+SqJZK73
I5Hc08MjVMZhqJUI0pQXKTIZSys8EXY+G0fG5YWE1dBSIpcEppQorUN3GyBL
oEgmpns6JHRA2GctwaAEpqryi8Jpo4BjU8KdEXFftjBzzRQGv8tHGDiGq8gw
GOO8a1sKDWcU8mQLC7I4oFUGmwBYvK2rYi8ky4GmDpVBmHQK7ohgoNtchmba
TMQqGYyg/dYsilo2RFvsrTM4OAh7j8K9n6Ylx8atQiYYdWnJVTKiceDqFBEj
iCVrNgmGjGeBY6idzoLsy3pKdJ3IvrJXc2BSURfCffuesAb73UfzBpPrNRLL
5BUhNBDlQXmk2lRbljLYXDu12LPD913QPjGKULqz4zYKQ8BvtyIbh/mFJgkN
CAON0FU81SYTpdu3NaNJUtenXquNg3IU2xGtpXZAo1tiZX0kYwnw+cYlaTQJ
yx0mxRL+0qDVeCQkJ4dbc0NmJ/t0iOiivZYcVZyRSmPzZH7cQfBR1kRW3hwt
t0pgMoEoDOXEdVtaiYGfl8qH6OrB6+4pfY9V7ZF8Fz0yle7KU7bVwJBsS8IY
ZCJtMWAOkyA5KBaWMcaaL9tm/k0LftEBXYSLiDBHE16fTJZH+QUNbWG0jIMI
nUXATUzvs1j+WosISuYJC6/bNdFLpqEgySRKVJOUgt07n8bkkdpuxl9uCR/B
PPyHYZgSVRYKMAt09DHQZHW7NHUwmrhkHtrFPMhfj1KjrXIgfIt5UNBxNPoS
HYkdJqwrLT1gB08ChIeOHfN6FAuNy944Iso6eToVRia9Ke17HALQCKyH9JJL
Xw3BPAUAaJNdsQH+O0aAaE6eCjEhm1E2SoxeDWp5MGv7FHfFPz0ObioogxV0
QxzQfDYGzjETi6cLXLhH6SGj7pAuxQ3ZBdhSmJXLLoJ4wk4PsF6Ocvzpm9ys
O2vRv2B4jDlStC4SevKhHVZ36vyR9z1egmabSO7O2+aW81GsEp/hsslFdoyH
bwCO3RGEPHnx5uoaI5/4v/nLS/r9+vkf3ly8fv4Mf199e/bdd/5HJk9cfXv5
5rtn4Vd48/zyxYvnL5/xy3A1Ty5lJy/O/nzCevTk8tX1xeXLs+9O2PeIaUsm
Dw0+5QC6HbjWFCnJNN5B/srvzl/93/8+fJJ/+PAfUnn38aP8gbV38AcaF9Ha
6nNQEGwfFRGQpTW7qgdFNcNoDGzsXZOjn4A2+y9Imb8u8l8vi93DJ7+VC7jg
5KLSLLlINDu8cvAyE3Hi0sRnPDWT6yNKp/M9+3Pyt9I9uvjrr2oUjPnDX331
22ysrcFYOtS9r8E78nFO0N4saRz2QYgNFhWM7u+vLl/mUppExjar6npg8HVr
NSPo01CMURxb1bvKIc3HhnKRLTA1vwGHsAARAuFqwLL4vxNTrBkpQqmSpGoI
qFFEXGtuJ7AD3EVdjUlnnT347fVA6tuXvHAiMoIKMFi1pStSvYeGxqEp2FOu
oodZYYCDn/Gw3ZfEqCnBcaQmZpbfVl0/YCzVFBt4XZIepCxNPedSGdTioH1r
g3G1b169QUZuC6nryMVkCFAVrx3rjbi+jAsrgNYpFGFKU4iJHd2hsz6ayUnl
fBp8cYpsvHMYMj/EMfwVyZT54rg4yTYefZY4h2W1tuTqYB3elB1K4H6wMUky
JzI9tECMyiOACF4iKJ2uAg+RaKeeagKrYXkHcOyHF6e+ByFa/rkc0DUPE4mm
AXOSJH2yqnaV+svNEZtMU4wQ4PNyLVMsq463ypZrG0WxHGdt7zCYXbIIa3qA
HA68qh4S7sB4z2exExTowsQ/hK8JixD2FApydlvmQMB3tAx3+KqHrTLG2Hnl
pDhA2YpL6MwB7m07vi4eghuWPBFijdHD+P3BayhKXaMKIgLBIKx9jCZcNEBG
hEhwNEIjxGpgk+pK4rRHnYUXiPAxRnvcnVDOdnEI6qDEw6ecZ5kmnKOKQKcl
gU6grSBnVdNRHv8wyIYJql4MOHkhWlvlQ5KmLKWaQGtLcrF4mIGOUwI6rEiU
bTB3QzAxznzRbqJepPqMKK9D3h9H15Gw//jHP/KiLOvsKQc9zp89+46CoAjs
HUM0fI2jkgDRgAiVvTvNjp1RyH+Tf/BFA2/5KEcPUjoLF6syXPpKL7IOW6gu
i29JvmiR/+UX9N5fk7tqJEbD1sBbxb6o7dvdxjiYhL8wpwvJGJgNBUVR2HgE
9uHfclz6cMLgcQG3YK3sIv/wGd3Pf/NbINb+Y/Yxy3gdQg1Tr8MIt6YeYMDl
Hl7FJ0cTg1dO2C05ye/nJ7Rf9Cvyv+hvv0XwF9VDp/8Hg+zqdk+PslfGr3Em
jH4SHx95G8+EVR09RrWCoJ3oDzACFU1g+pOkS5zMipaMLMYC8S5iinfM7WPZ
vMEMLdbwaCb+Qk6iEdEYPtUY+SS8++GDHFRTHsSR3cePp+n3qvLI10QTYCKG
7IVnAw37YKxLgzmzEFaP0krefGIMGjzJ7xGWs87o95PFqBnl4qgkjcKJzRqk
WNze2P2jIrfRSpipdDUocalKa5mrfEWzhLoMqpi2QXAoDsNOPHM/fVnSXLNo
sP2g/+B1I7H9K4w0erRGNWfkf3rvExZHgTAq4ZAaTFRQOCMET3h+iWpXKFRK
pyhmEeyVvEhm4rl7ZENwbz2Irderqn8xsb9Gr6hq+hHFRHcoydbVLfmXAQAr
RHQC3EMaDzxk+RVopnZ+ha4pKXH5QK5OEN7taXcpk81EyHx96SHcx8IE145Z
Nig1nTrnzdZD5TY2zjYC4HVS4wLsJP6vzlzHgal+3XbqhiRVrKKocGEe1CV1
LWC2a9wXx7FtPpBIvEMxJ1jnuIg2HWtc4a5LHWnodIuK1nTOBqXNhSXv+1GW
Cc++BQXqqw+OZP0o2EG7DsxdoNFmtaIzijW+TieuTKDQLPwdKxZNh6KJh+1B
jFQ1ZK95tP90Qa1wAPgQCiJ6mQpvRurqsNqO8AtaatgpRr9rwWD/tE33g88D
TmcD9lX48Nuhq2JzGG5MmfAYo48sdHwW9K34ZfF9KSUaYQi1ywdXSrDIcLHa
imn/tH0mozRNdZJkcVQVXsUh5ZVUCvlqTO+ZxBm81C+K4d6Lsz9HwT/VZW9e
X8wSamVjPw3hHKh87+5w4bbn4CjH7HURpcDgTRg8VIdTkhMZWUWfWIOUPcWC
MvXzYkeBhgQCFFy8yG+GkXzJ52iodEpRyb++QKW+dIXAfiFeIt8UipHYHPhJ
uOKJ2H8sMjrOisgXe6n/tIjIkBMCInfG4qGXp4WD7405/Ick4xNC9aO4/pBs
yJOJxu5NsbE+eURHGCzo/bKML1KVtLjqVJjmM01jZjQUNo83XqUBlSNVaFUY
c7Zltkyek70febq8iNFFzWJzVSknAMlblhQ4ufXi0YdjTzSBGReBcrwK39HC
MytH6ejiv8Y3YbZzmgnzDdrtBY0+r8oZRfNrObCtv+Y8wxzgXfLkV5gMtx0Y
4LdL6jxwoLz5KUqIvuUPBfXIVyn6Hl/WuFrKcD/g68ikYEkE+JOJ68XgBUSz
jo3stOYUN51eYayLxEMOy5SDxE/moprKyZBkq4nQHo5rudGEsmT+NJomiYM/
HLVgo8PBH4wr3nFenyeW8TN+j6M8NPpxhqKGpm4p1SL5YoQ50dT8WEhUT8FT
PvbFLlDC8H/0ictjhy/TgwHa0SNhe5zo6+QCOViIzefYW6KiCPUZII8LQfDu
wJIJqgJo1okDBTvBCTW0OqQiomoVf4aCDRcs0IddNGYkYjgRmIkF0oP0RK8H
9X90NF+t6+HqlHFPvgIDI8q6XI0GDcVMxsOwqZcFTIznpABe7k6+iu5//zXK
7uS7eCyJHgm9W8YjgH2FXSyPj5HUeyEn8QtHRhxTvBsad9mMqT1RQADvYd0j
F6rBS5rlk9F3wIa4DZwuHh9+hQ9pTO7oxkpCO089yCNbwr7L8cHkPsc+gWV2
Fgv6jw3mg4THx/OPkHPFdWuw84XtKP08NWy7RNv/yRVz3Rs5g/SsQDYktr2l
A4JTn/ChOPhIOD/zKcJiSWTCoOEug6vd0GF1clSFi7WSXCgDTMKR06NfICfY
V+kcfEIyy6g2McZeFHbX89FrikIffjt8Ge0Z/Ozdn6p+c/T7ckwgHtyf0zmY
jYesWA+AFk6Mhrj2fCZDa8xcW98K5XQqyDDrNehENC9Hp0Q9caZJ7ijwwTFd
EvAd+CETQujH8o/n8uxI9iaeJK7GKPfRQSsXTqjyidax8pwe9nglQXT4XHZ8
SfGYi7OXZ74ihKJZdYvuOAYCZxmzn4SvfP7fF5DQPmJhaNd7MBYZVUkVXGPg
MP9wbzKe+NMsrMbi4FU1mlTW844pOA/p0Hd8lVXlXBKpdNGnSeeUJqVrqkmj
S75DiU+eppdVp9JVjsLMKVwUX9CwDH+Y2pyEL/Dfoo3nqo11jhMZ2Lltbquu
bbY6GRSommuC0vfFr4EXSjruQRdDSnYuKdl3xzjGdttwXvD61YtZfv38OSV+
GbxjbxkUMSyt9ewUQ5Foo0iifI6eBXzZtVjfnTwmhcnjkyjpWYFxBo3AbUic
HwRw9CjZ6PSnBI8zPd7lD0VLGEpqMEXN09kOzlSiNMDWYp+FAxUKFMBIFqxj
nNOXmrzkRPp4suRYeJso38CCtPAgV9ol59kETaOKN2KkrZSl5xvEL1jaI5Xf
tuQB0GAUo3P0amn0wwBlrYmPrksJ3+jcnNI3pzOUfXKoS+oC2QTyEaDpaWM5
d6L6SKEPHR2AQlxPc6O2YrAfapG0VtDkx06zTCRgJc8bm1/fLQeHCy4iOQJW
Er9RyfK45cVEJaEPHyW179LGIlMFl3555Dv4slxiOe9OYQ6CDl2FeGTkMKCv
FU5Lf9KpGrcm0UPUh2KSRrYxdL2swBvp0I+rulIOY45ABB8WFWQyqm5MjL0Y
dTtVA4xLbHwbFp/2ScO8aSJ+SkPoPS2mcYENQrqfN5o2KYpJZ8h47WpF5Urx
DGfEkv6Us5RkMw7n1DCwHHOcdhmgkB6fONcJUVyIooZEtCPVKP+emDNNY+4/
zfERuigBshNpnZa+cf/24cmMSjO58iAOkRD1KG/Mg+PflD0mYtKNg8CMZJf5
w7zNcSiEr09F8yj9jqZrFIgG8FGB5Rtd1dZuPz7KEpYgtMHI32ixi/xoXv7+
8QiRxNoW+UF080cHFa8TLCTSSHXtUbGb8MnfXNtkuICTsLsnP7S9J7K/+CAj
F75MWwwX/0L56A+SlT6pytGDdBUfhuv6FFyJUtLhBY+J/JvhSR546JqFLHLB
7ywEa8wfPnr85ERe+0j/+3E2NTeP59yy3X5qiuMES3IX7pt6TdTbmPmjz7+I
pgz3KMhyIt3X5kswl188Gbr6xD/zMVphnHDBdyQiT33hZLHzZNa/wJ30a/VL
EC5KV5HGwf+9a0ipDf8lGT4hIT9kDYxrfGIDVCEwO0jkKdzu24ixRh+MdQY+
hY0DPUdJbzPkZy80Amyl9t0n6RONjMUjaFY2Wz0hqn+Hhj58ko3isKDfMYCD
jWEo+hn+LAfeTg6hytlq7Z+DNl7LrKliFaEG1bjCvbaU0N+xc9PRKe/ScvuK
iqpi9WU6BYqnK/BsCyE/KliiZWJU6Gl80Cmy1HRAQFzqrgWbvcWRyKkuj5WO
IwLYwdOm2DBeZyP7jKn5mjNvHq0npD7A2HJs23n7WXoqcZUVdwYTlyIzSYcs
ipUm41OlFx6L5yYBATUh1UJNmtDFuEw/CmTBEk0O+O2kXzNBKznpTN1c26jN
hjqrcjh5tC9HGCxL+Us2Qs8UYCmmcaOWM+Q3EBr23MthvBU3hkKefPrpR5Ad
8RF0XoiFQ+aTsaEjl0EfIe6duD7ib3qCBcM/QqVJeApST/lIA5+JR1UI8lQI
cq1VNtQGqgJc1GIHpYBgFfTjIHqcPSrv863ulp01NxqXU/CVvRGeNtG2cFCW
YlszSpMRd0nVSqiL9+V+azm9t6YIJp/ponMoGPsh/2U0RgC5e382mSNbXXUL
BM1CIjZRWcT8/izWMdEPve+E37bgwbfC01kEBbHKEwONGrfV+s1neMgDWF2R
TMESLscVRo1dcIDjTQA17w6PZjv9VuqiAOKlO/5zWP1NXF41clI0uFNUdzE+
ezKq1HhKr0adSY45g/7B8RlzZDPf04BH176/Om112SggMjg94FOxOjw4pwl4
dIctI3wQQjQR7MoacxFxPwDE1kePrI59O4o+s3fn6UvtzpydygtL3zR4PIse
dz4xxmckNK6on6r4GWks7LnyvAVjhwUSkgjU4+Hc46zR1ggYNoyNF5/ZYK+y
3dos9GuhwIF0F/Dt65a2blER0E7pHiTbRZycdPJ91bWFLWH3ksyjmjWwvY5L
fI75hSLkO9uR4sTYcwDbsEs7DDE+PM1fUdFUH3twuF+UikSyYJDB7UHu359m
j06pwTJYUtbCU6UwIi4UUh/VaGiE/fEpL3Uvo4yPQZiioF2hnmFELt/wX4eX
Zg1P0pG0UCAZ4IcKRT6HMXSxRF4ZSpaRhHDoeJkO6lsH+CpyxHZ6aOOLUzxD
xidA6HEWYcqQjT307Jfw8MYWN1MTIEgWimROs18dPkzPoJ3XRDmXoWojBw2U
RFmOL3ErqaWKGrj4oHPVcCo6HHiGu7VNnhkaSVXQskPcR7oLahLlaJmRNXQE
HjkZ0ROTJz0bS7EAgifJae4s0qpRklalTc96YwXqJ8enwFXUCOqTx70FIegx
b3rW1swAPnWEZw7A/BV72vtwlNefEUpgijdyPDSftr+1eBzLZ9LjRDOHs0AH
9aBzOt8H2Lf/BU/M0MR9geosPdiFUa1GeyRl8QleNfQFn514pSCE8/IpPBTN
glZ7W31vuVFZkSyNoDBfn2wZ5E+Ql9rZAm0o4oids0PZNvsthmujIWElpkYR
4yiU7BCM2e13UbdvXBpt+Rw90w4Uni1HxlNO/tLeAYWpZUHdYvJXbBNv4NYi
kK7cVq0U9vnh0OVkJR9HyLitXqivTrr5JrHJ0A0w1pgRJ13pqfAxK436AEiH
X239Oa+BhdIj61EjSwOuG7ChLz/0HXHJ0N51LSJdPHAN06CIOWkWfJPacphw
UpyijXXb3vDRX8BxmbYh4FJbWMTFCDTGFX2+yiXFB9K9UAtCwAJT8c70UOQX
SR3OkdPLoecBKRTUjnK2Pg0/dZW7kbbAmDxpuPU+wCGg/ooqebX2Y0G1YqGJ
rD8p0yVV3AdtTz4TC101f2OQseDMBCp11NElqK6qwwzFLZ78wRM9Ug8UkFSI
veJ4l5KbUF2bDthSfsD4u4mOx9ffNL7CoIyyJ4vIcEgSXo7KS9I/bXLLrgm1
DfCxbOq8UIvJW8ROK+fKYcC6DJwE1AK0ip4qVtNLigRHUWUKPiTGuBfez2U1
6SI9GSuzhPepl9J2Wa0HYmfxMHgTx06NlpCEzY2dECfVA35nvQ7QrIW08Cwx
k0FqG90yMnTc18vUDHV8ocBUJ096IZMXGnn49dn1VdLkU04eHLSIjjQr5awx
D/5pBSIn51Bm+XGpNNnbkHq/5oCJd+7TtKq2S9YMesWdEkh8eIXjf+qHU92U
E3rqH0pzReH6yPfZ2rIynFtVv3nCtkt5QUHFnKCJVvHkyCFnUZ1NdySQ+EVy
XJQ0SiUpNU3dSwBUO68vTXGDdH/GXQBftr10jfiaPbHXllMbLvuw4FMRtvzN
Cf1jTCdaNNDJM4ipalItq3bo/L/Bhe2MtjvVYtLZlACm+Irc+i+KiJFWg13a
EdTn9sh62MF3ST6TjshqsHgU1PwUeOLQFafp+CQgpZHF0iv00gZJ5P9EvT7X
SRO/aGrA5GYvpS7eUU3+2ZwQEcs8C7RTfYS04ZDl1stl1KZJO03GUCSbPOi8
M9Rz5xqTgLPEhx31j4xb4OD+MmVWpqr5EOiqeo+nQoNa1TOgKqfSwEF6h/qB
T6IWZNq3i8UiO6x1CQ2d6VAHJ/01WASzKiixErfD1lav6A5yA1tsGWKQkYDH
+s1s4rxWqHIIJTZkEQt4DE/T7BXEbduegj80vLJj0tpQG4PavZ79on6PUST3
WKPwLDQK16hJqHc9KzAqAFhvzUHaI8Kl1bMU+7lxkQoG5cYtVaodZWephUpo
IYwO/8ipnyX12b6ziPK6dkySdp2TbcxwI/ifBiL6SUsmfB7/WTsuqe2Hch9H
HlAY0SuFETEwTraIekCNO59kk/9QxDjuFHopkGd1mv0/N1ySyflvAAA=

-->

</rfc>
