<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-sardar-rats-sec-cons-04" category="info" consensus="true" submissionType="IETF" updates="9334" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="RATS Security Considerations">Guidelines for Security Considerations of RATS</title>
    <seriesInfo name="Internet-Draft" value="draft-sardar-rats-sec-cons-04"/>
    <author fullname="Muhammad Usama Sardar">
      <organization>TU Dresden</organization>
      <address>
        <email>muhammad_usama.sardar@tu-dresden.de</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <workgroup>RATS Working Group</workgroup>
    <keyword>security considerations</keyword>
    <keyword>remote attestation</keyword>
    <abstract>
      <?line 148?>

<t>This document aims to provide guidelines and best practices for writing
   security considerations for technical specifications for RATS
   targeting the needs of implementers, researchers, and protocol
   designers. In particular, it discusses some of the 'bottom turtle' issues. This is a work-in-progress, and the current version mainly presents an outline of the topics that future versions
   will cover in more detail.</t>
      <ul spacing="normal">
        <li>
          <t>Corrections in published RATS RFCs</t>
        </li>
        <li>
          <t>Security concerns in two RATS drafts</t>
        </li>
        <li>
          <t>General security guidelines, baseline, or template for RATS</t>
        </li>
      </ul>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://muhammad-usama-sardar.github.io/rats-sec-cons/draft-sardar-rats-sec-cons.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-sardar-rats-sec-cons/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/muhammad-usama-sardar/rats-sec-cons"/>.</t>
    </note>
  </front>
  <middle>
    <?line 160?>

<section anchor="introduction">
      <name>Introduction</name>
      <section anchor="need-for-specialized-guidance-in-rats">
        <name>Need for Specialized Guidance in RATS</name>
        <t>Every Internet Draft needs to have a "Security Considerations" section.
While general guidelines such as <xref target="RFC3552"/> exist, the underlying threat model is that
the endpoint is fully trusted (i.e., all software and hardware components in the device may access the keys).
RATS <xref target="RFC9334"/> has a primarily different threat model in the sense that only parts of the endpoint (called Attester) are trusted (i.e., only specific software and hardware components in the device may access the keys), and the goal is to establish the trustworthiness of the endpoint.
In other words, <xref target="RFC3552"/> deals with a network adversary, whereas RATS deals with an endpoint adversary, which may have root access or physical control over the device with which it can extract keys from software or hardware.</t>
        <t>Moreover, remote attestation has several distinguishing features that necessitate a separate document.
One specific example of such a feature is the architectural complexity of the endpoint.
While network protocols typically have 2 roles, RATS has additional roles, which complicates
the picture.
Unfortunately, no guidelines currently exist for remote attestation <xref target="RFC9334"/> in RATS.
This document aims to fill this gap.</t>
      </section>
      <section anchor="needs-of-the-target-audience-of-rats">
        <name>Needs of the Target Audience of RATS</name>
        <t>Moreover, while the target audience of Internet Drafts is implementers, researchers, and protocol designers <xref target="I-D.irtf-cfrg-cryptography-specification"/>, RATS drafts generally do not fulfill these needs, in particular the needs of researchers and protocol designers.
On the other hand, in our observation, implementers generally find it hard to relate the abstract concepts of RATS to the real-world systems. In general, implementers and protocol designers of RATS are thus left with little or no guidance.</t>
      </section>
      <section anchor="inaccuracies-in-published-rats-rfcs">
        <name>Inaccuracies in Published RATS RFCs</name>
        <t>Unfortunately, many published RFCs of RATS provide inaccurate or ambiguous security and privacy considerations, which may lead to errors in design and implementation, and give a false
sense of security.
As an example, many proposed designs in <xref target="RFC9334"/> are broken.</t>
      </section>
      <section anchor="aggregator-in-coserv">
        <name>Aggregator in CoServ</name>
        <t>RATS has recently adopted <xref target="I-D.ietf-rats-coserv"/>, which has an ambiguous role Aggregator, for which -- in our assessment -- the authors have not yet provided a reasonable justification.
To the best of our knowledge and understanding, a malicious Aggregator breaks the security of the RATS ecosystem and invalidates the formal proofs for RATS primitives.
Surprisingly, during the three-week adoption call and one week discussion afterwards, one of the authors of the draft <xref target="I-D.ietf-rats-coserv"/> did not support adoption of the draft. Based on the above reasons, as researchers, we have genuine skepticism about this work. We request the authors to be transparent on this work and clarify the concerns raised at the adoption time (summarized to some extent in this draft).</t>
        <t>We will keep making good-faith attempts and requesting the authors to state the risks properly.</t>
      </section>
      <section anchor="motivation">
        <name>Motivation</name>
        <t>Unverified protocol designs, imprecisely stated threat model and security goals have led to high and critical severity vulnerabilities related to remote attestation.</t>
        <section anchor="sec-mot-example">
          <name>Concrete Motivational Example: Practical Exploits in Production Systems</name>
          <t>The formal analysis led to three orthogonal issues:</t>
          <ul spacing="normal">
            <li>
              <t>Formal analysis <xref target="ID-Crisis-repo"/> found <strong>diversion</strong> attacks when unique hardware identifier is not included in Evidence. For technical details, please see the corresponding paper <xref target="ID-Crisis"/>.</t>
            </li>
            <li>
              <t>Formal analysis <xref target="Intra-handshake.fail-repo"/> of several <strong>production</strong> implementations of remote attestation led to the discovery of <xref target="CVE-2026-33697"/> of <strong>CVSS 7.5</strong> for <strong>relay</strong> attacks. For technical details, please see the corresponding paper <xref target="Intra-handshake.fail"/>.</t>
            </li>
            <li>
              <t>Further formal analysis of <strong>production</strong> implementation of remote attestation has led to discovery of another class of attacks and will potentially lead to three CVEs (currently under <em>responsible</em> disclosure) <em>each</em> with an expected <strong>CVSS 9.1</strong>.</t>
            </li>
          </ul>
          <t>This shows the value of precise threat model and formal analysis in the design of secure protocols to find subtle vulnerabilities, which could otherwise be missed. This draft aims to provide the baseline security considerations that other drafts can simply refer to.</t>
        </section>
      </section>
      <section anchor="scope">
        <name>Scope</name>
        <t>To improve the situation, this draft presents an outline of three topics that future versions will cover in more detail:</t>
        <ul spacing="normal">
          <li>
            <t>Corrections in published RATS RFCs <xref target="RFC9334"/>, <xref target="RFC9781"/>, <xref target="RFC9783"/> and <xref target="RFC9711"/></t>
          </li>
          <li>
            <t>Security concerns in one currently adopted RATS draft <xref target="I-D.ietf-rats-coserv"/> and one proposed for
adoption RATS draft <xref target="I-D.deshpande-rats-multi-verifier"/></t>
          </li>
          <li>
            <t>General security baseline that other drafts can simply point to, or guidelines or template that other drafts can use</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="general-hierarchy-of-authentication">
      <name>General Hierarchy of Authentication</name>
      <t>Authentication is a term which is often ambiguous in RATS specifications. We propose general hierarchy of one-way authentication <xref target="Gen-Approach"/>, which can help precisely
state the intended level of authentication (in decreasing order):</t>
      <ul spacing="normal">
        <li>
          <t>One-way injective agreement</t>
        </li>
        <li>
          <t>One-way non-injective agreement</t>
        </li>
        <li>
          <t>Aliveness</t>
        </li>
      </ul>
      <t>Recentness can be added to each of these levels of authentication.
Details will be added in future versions.</t>
    </section>
    <section anchor="threat-modeling">
      <name>Threat Modeling</name>
      <t>This section describes "What can go wrong?"</t>
      <section anchor="system-model">
        <name>System Model</name>
        <t>See Section 4 of <xref target="Intra-handshake.fail"/> as an example.</t>
      </section>
      <section anchor="actors">
        <name>Actors</name>
        <t>It has both legal and technical perspective.</t>
        <section anchor="legal-perspective">
          <name>Legal perspective</name>
          <ul spacing="normal">
            <li>
              <t>Data subject is an identifiable natural person (as defined in Article 4 (1) of GDPR <xref target="GDPR"/>).</t>
            </li>
            <li>
              <t>(Data) Controller (as defined in Article 4 (7) of GDPR <xref target="GDPR"/>) manages and controls what happens with personal data of data subject.</t>
            </li>
            <li>
              <t>(Data) Processor (as defined in Article 4 (8) of GDPR <xref target="GDPR"/>) performs data processing on behalf of the data controller.</t>
            </li>
          </ul>
        </section>
        <section anchor="technical-perspective">
          <name>Technical perspective</name>
          <ul spacing="normal">
            <li>
              <t>Infrastucture Provider is a role which refers to the Processor in GDPR. An example of this role is a cloud service provider (CSP).</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="threat-model">
        <name>Threat Model</name>
        <t>See Section 6.1 of <xref target="Intra-handshake.fail"/> as an example.</t>
      </section>
      <section anchor="typical-security-goals">
        <name>Typical Security Goals</name>
        <t>See <xref target="ID-Crisis"/> as an example.</t>
      </section>
    </section>
    <section anchor="attacks">
      <name>Attacks</name>
      <t>Security considerations in RATS specifications need to clarify how the following attacks are avoided or mitigated:</t>
      <section anchor="evidence-replay-attacks">
        <name>(Evidence) Replay Attacks</name>
        <t>In this attack, a network or endpoint adversary -- with access to older Evidence -- can replay Evidence with stale Claims which no longer represent the actual state of the Attester, potentially resulting in exposure of confidential data <xref target="RA-TLS"/>.</t>
        <t>Replay of stale Evidence may be within the same connection or across multiple connections.</t>
      </section>
      <section anchor="diversion-attacks">
        <name>Diversion Attacks</name>
        <t>In this attack, a network adversary -- with Dolev-Yao capabilities <xref target="Dolev-Yao"/> and access (e.g., via
Foreshadow <xref target="Foreshadow"/>) to the attestation key of any machine in the world -- can redirect a connection intended
for a specific Infrastructure Provider to the compromised machine, potentially resulting in exposure of
confidential data <xref target="ID-Crisis"/>.</t>
        <t>In the context of confidential computing and TLS as a transport protocol, we reported these attacks to the TLS WG in February 2025 <xref target="Usama-TLS-26Feb25"/>. A formal proof is available
<xref target="ID-Crisis-repo"/> for further research and
development. Since reporting to TLS WG, these attacks have been practically
exploited in <eref target="https://tee.fail/">TEE.fail</eref>, <eref target="https://wiretap.fail/">Wiretap.fail</eref>, and <eref target="https://badram.eu/">BadRAM</eref>.</t>
      </section>
      <section anchor="relay-attacks">
        <name>Relay Attacks</name>
        <t>In this attack, a network or endpoint adversary -- with access to suitable binding material -- can relay an attestation request to a genuine Attester and present the genuine Evidence as its own,
potentially resulting in impersonation of genuine Attester <xref target="Intra-handshake.fail"/>.</t>
        <t>Note that <em>replay</em> is about <em>same</em> Attester while <em>relay</em> attack is about <em>different</em> Attesters.</t>
      </section>
    </section>
    <section anchor="potential-mitigations">
      <name>Potential Mitigations</name>
      <t>This section describes the countermeasures and their evaluation.</t>
      <t>To mitigate the above attacks, we propose post-handshake attestation.
We are not aware of any attacks on post-handshake attestation. Post-handshake attestation
avoids replay attacks by using a fresh attestation nonce. Moreover, considering TLS as the transport protocol, it avoids diversion and relay attacks
by binding the Evidence to the underlying TLS connection, such as using Exported Keying Material (EKM)
<xref target="I-D.ietf-tls-rfc8446bis"/>, as proposed in Section 9.2 of <xref target="ID-Crisis"/>. <xref target="RFC9261"/> and <xref target="RFC9266"/> provide mechanisms for such bindings. Efforts for a formal proof
of security of post-handshake attestation are ongoing.</t>
    </section>
    <section anchor="examples-of-specifications-that-could-be-improved">
      <name>Examples of Specifications That Could Be Improved</name>
      <section anchor="rfc9334">
        <name>RFC9334</name>
        <section anchor="unprotected-evidence">
          <name>Unprotected Evidence</name>
          <t><xref section="7.4" sectionFormat="of" target="RFC9334"/> has:</t>
          <blockquote>
            <t>A conveyance protocol that provides authentication and integrity protection can be used to convey Evidence that is otherwise unprotected (e.g., not signed).</t>
          </blockquote>
          <t>Using a conveyance protocol that provides authentication and integrity protection, such as TLS 1.3 <xref target="RFC8446"/>,
to convey Evidence that is otherwise unprotected (e.g., not signed) undermines all security of remote attestation.
Essentially, this breaks the chain up to the trust anchor (such as hardware manufacturer) for remote attestation.
Hence, remote attestation effectively provides no protection in this case and the security guarantees are limited
to those of the conveyance protocol only. In order to benefit from remote attestation, Evidence <bcp14>MUST</bcp14> be protected
using dedicated keys chaining back to the trust anchor for remote attestation.</t>
        </section>
        <section anchor="missing-definitions">
          <name>Missing definitions</name>
          <t><xref target="RFC9334"/> uses the term Conceptual Messages in capitalization without proper definition.</t>
        </section>
        <section anchor="missing-roles-and-conceptual-messages">
          <name>Missing Roles and Conceptual Messages</name>
          <ul spacing="normal">
            <li>
              <t>Identity Supplier and its corresponding conceptual message Identity are missing and need to be added to the architecture <xref target="Tech-Concepts"/>.</t>
            </li>
            <li>
              <t>Attestation Challenge as conceptual message needs to be added to the architecture <xref target="Tech-Concepts"/>.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="rfc9781">
        <name>RFC9781</name>
        <t>As argued above for RFC9334, security considerations in <xref target="RFC9781"/> are essentially insufficient.</t>
      </section>
      <section anchor="rfc9783">
        <name>RFC9783</name>
        <t><xref target="RFC9783"/> uses:</t>
        <ul spacing="normal">
          <li>
            <t>3x epoch handle (with reference to <xref section="10.2" sectionFormat="of" target="RFC9334"/> and
<xref section="10.3" sectionFormat="of" target="RFC9334"/>) whereas RFC9334 never uses epoch handle at all!</t>
          </li>
          <li>
            <t>1x epoch ID with no reference and no explanation of how it is
  different from epoch handle</t>
          </li>
        </ul>
      </section>
      <section anchor="rfc9711">
        <name>RFC9711</name>
        <section anchor="inaccurate-opinion">
          <name>Inaccurate opinion</name>
          <t><xref section="7.4" sectionFormat="of" target="RFC9711"/> has:</t>
          <blockquote>
            <t>For attestation, the keys are associated with specific devices and are configured by device manufacturers.</t>
          </blockquote>
          <t>The quoted text is inaccurate and just an opinion of the editors.
It should preferably be removed from the RFC.
For example, in SGX, the keys are not configured by the manufacturer alone.
The platform owner can provide a random value called OWNER_EPOCH.</t>
          <t>For technical details and proposed text, see <xref target="Clarifications-EAT"/>.</t>
        </section>
        <section anchor="inaccurate-privacy-considerations">
          <name>Inaccurate Privacy Considerations</name>
          <t><xref section="8.4" sectionFormat="of" target="RFC9711"/> has:</t>
          <blockquote>
            <t>The nonce claim is based on a value usually derived remotely (outside of the entity).</t>
          </blockquote>
          <t>Attester-generated nonce does not provide any replay protection since the Attester can pre-generate an Evidence
that might not reflect the actual system state, but a past one.</t>
          <t>See the attack trace for Attester-generated nonce at <xref target="Sec-Cons-RATS"/>.</t>
          <t>For replay protection, nonce should <em>always</em> be derived remotely (for example, by the Relying Party).</t>
        </section>
      </section>
    </section>
    <section anchor="examples-of-parts-of-specifications-that-are-detrimental-for-security">
      <name>Examples of Parts of Specifications That are Detrimental for Security</name>
      <t>We believe that the following parts of designs are detrimental for the RATS ecosystem and without proper security and privacy considerations, they put the community at risk.</t>
      <section anchor="multi-verifiers">
        <name>Multi-Verifiers</name>
        <t>We believe this draft <xref target="I-D.deshpande-rats-multi-verifier"/> in its current form is doing <strong>disservice</strong> to the community by substantially degrading <strong>both</strong> the security and privacy of the systems, and not properly highlighting the security and privacy risks, and by implicitly promoting the blind trust in vendors.</t>
        <t>In summary:</t>
        <ul spacing="normal">
          <li>
            <t>From a security perspective, if one of the Verifiers breaks, it breaks the whole system.</t>
          </li>
          <li>
            <t>From a privacy perspective, the current design also exposes Personally Identifiable Information (PII) to all the Verifiers.</t>
          </li>
        </ul>
        <section anchor="security-considerations">
          <name>Security Considerations</name>
          <t>What's important from the security standpoint is the TCB of the RP, and not the Attester. This is because it is the RP who has to make final trust decision, and not the Attester. Verifier is -- in any case -- in the TCB of RP.</t>
          <t>Say there are two Verifiers; how do they establish trust with each other? Who verifies the Verifier - Verifier attested TLS? Section 7.2 of <xref target="I-D.deshpande-rats-multi-verifier"/> falls apart on this.</t>
          <t>Hence, we believe the security considerations of multi-verifiers <xref target="I-D.deshpande-rats-multi-verifier"/> must say:</t>
          <t>Compared to a single verifier, the use of multi-verifiers increases security risks in terms of increasing the overall Trusted Computing Base (TCB) from the RP's perspective.</t>
        </section>
        <section anchor="privacy-considerations">
          <name>Privacy Considerations</name>
          <t>In addition to revealing the PII to the Lead Verifier (which say is kind of equivalent to monolithic verifier), the current proposal in draft reveals the PII to all those Component Verifiers as well.</t>
          <t>We believe the privacy considerations of multi-verifiers <xref target="I-D.deshpande-rats-multi-verifier"/> must say:</t>
          <t>Compared to a single verifier, the use of multi-verifiers may increase the privacy risks, as potentially sensitive information may be sent to multiple verifiers.</t>
        </section>
        <section anchor="open-source">
          <name>Open-source</name>
          <t>Besides, the rationale presented by the authors at meeting 124 -- appraisal policy being the intellectual property of the vendors -- breaks the
open-source nature of RATS ecosystem. This requires blindly trusting the vendors and increases the attack surface.</t>
        </section>
      </section>
      <section anchor="aggregator-based-design">
        <name>Aggregator-based design</name>
        <t>Aggregator in <xref target="I-D.ietf-rats-coserv"/> is an explicit trust anchor and the addition of new trust anchor needs to have a strong justification.
Having a malicious Aggregator in the design trivially breaks all the guarantees.
It should be clarified how trust is established between Aggregator and Verifier in the context of Confidential Computing threat model.</t>
        <t>The fact that Aggregator has collective information of Reference Values Providers and Endorsers
makes it a special target of attack, and thus a single point of failure. It increases security
risks because Aggregator can be compromised independent of the Reference Values Providers and
Endorsers. That is, even if Reference Values Providers and Endorsers are secure, the compromise
of Aggregator breaks the security of the system.
Moreover, if Aggregator is not running inside a TEE, it is relatively easy to compromise the secrets.</t>
      </section>
    </section>
    <section anchor="security-considerations-1">
      <name>Security Considerations</name>
      <t>All of this document is about security considerations.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9334">
          <front>
            <title>Remote ATtestation procedureS (RATS) Architecture</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="N. Smith" initials="N." surname="Smith"/>
            <author fullname="W. Pan" initials="W." surname="Pan"/>
            <date month="January" year="2023"/>
            <abstract>
              <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9334"/>
          <seriesInfo name="DOI" value="10.17487/RFC9334"/>
        </reference>
        <reference anchor="RFC9781">
          <front>
            <title>A Concise Binary Object Representation (CBOR) Tag for Unprotected CBOR Web Token Claims Sets (UCCS)</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="J. O'Donoghue" initials="J." surname="O'Donoghue"/>
            <author fullname="N. Cam-Winget" initials="N." surname="Cam-Winget"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="May" year="2025"/>
            <abstract>
              <t>This document defines the Unprotected CWT Claims Set (UCCS), a data format for representing a CBOR Web Token (CWT) Claims Set without protecting it by a signature, Message Authentication Code (MAC), or encryption. UCCS enables the use of CWT claims in environments where protection is provided by other means, such as secure communication channels or trusted execution environments. This specification defines a CBOR tag for UCCS and describes the UCCS format, its encoding, and its processing considerations. It also discusses security implications of using unprotected claims sets.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9781"/>
          <seriesInfo name="DOI" value="10.17487/RFC9781"/>
        </reference>
        <reference anchor="RFC9711">
          <front>
            <title>The Entity Attestation Token (EAT)</title>
            <author fullname="L. Lundblade" initials="L." surname="Lundblade"/>
            <author fullname="G. Mandyam" initials="G." surname="Mandyam"/>
            <author fullname="J. O'Donoghue" initials="J." surname="O'Donoghue"/>
            <author fullname="C. Wallace" initials="C." surname="Wallace"/>
            <date month="April" year="2025"/>
            <abstract>
              <t>An Entity Attestation Token (EAT) provides an attested claims set that describes the state and characteristics of an entity, a device such as a smartphone, an Internet of Things (IoT) device, network equipment, or such. This claims set is used by a relying party, server, or service to determine the type and degree of trust placed in the entity.</t>
              <t>An EAT is either a CBOR Web Token (CWT) or a JSON Web Token (JWT) with attestation-oriented claims.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9711"/>
          <seriesInfo name="DOI" value="10.17487/RFC9711"/>
        </reference>
        <reference anchor="RFC9783">
          <front>
            <title>Arm's Platform Security Architecture (PSA) Attestation Token</title>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="S. Frost" initials="S." surname="Frost"/>
            <author fullname="M. Brossard" initials="M." surname="Brossard"/>
            <author fullname="A. Shaw" initials="A." surname="Shaw"/>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <date month="June" year="2025"/>
            <abstract>
              <t>Arm's Platform Security Architecture (PSA) is a family of hardware and firmware security specifications, along with open-source reference implementations, aimed at helping device makers and chip manufacturers integrate best-practice security into their products. Devices that comply with PSA can generate attestation tokens as described in this document, which serve as the foundation for various protocols, including secure provisioning and network access control. This document specifies the structure and semantics of the PSA attestation token.</t>
              <t>The PSA attestation token is a profile of the Entity Attestation Token (EAT). This specification describes the claims used in an attestation token generated by PSA-compliant systems, how these claims are serialized for transmission, and how they are cryptographically protected.</t>
              <t>This Informational document is published as an Independent Submission to improve interoperability with Arm's architecture. It is not a standard nor a product of the IETF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9783"/>
          <seriesInfo name="DOI" value="10.17487/RFC9783"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC3552">
          <front>
            <title>Guidelines for Writing RFC Text on Security Considerations</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="B. Korver" initials="B." surname="Korver"/>
            <date month="July" year="2003"/>
            <abstract>
              <t>All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="72"/>
          <seriesInfo name="RFC" value="3552"/>
          <seriesInfo name="DOI" value="10.17487/RFC3552"/>
        </reference>
        <reference anchor="Tech-Concepts" target="https://www.researchgate.net/publication/396199290_Perspicuity_of_Attestation_Mechanisms_in_Confidential_Computing_Technical_Concepts">
          <front>
            <title>Perspicuity of Attestation Mechanisms in Confidential Computing: Technical Concepts</title>
            <author initials="M. U." surname="Sardar">
              <organization/>
            </author>
            <date year="2025" month="October"/>
          </front>
        </reference>
        <reference anchor="Gen-Approach" target="https://www.researchgate.net/publication/396593308_Perspicuity_of_Attestation_Mechanisms_in_Confidential_Computing_General_Approach">
          <front>
            <title>Perspicuity of Attestation Mechanisms in Confidential Computing: General Approach</title>
            <author initials="M. U." surname="Sardar">
              <organization/>
            </author>
            <date year="2025" month="October"/>
          </front>
        </reference>
        <reference anchor="GDPR" target="https://eur-lex.europa.eu/eli/reg/2016/679/oj">
          <front>
            <title>Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)</title>
            <author initials="" surname="European Commission">
              <organization/>
            </author>
            <date year="2016" month="May"/>
          </front>
        </reference>
        <reference anchor="Dolev-Yao">
          <front>
            <title>On the security of public key protocols</title>
            <author initials="D." surname="Dolev">
              <organization/>
            </author>
            <author initials="A." surname="Yao">
              <organization/>
            </author>
            <date year="1983" month="March"/>
          </front>
        </reference>
        <reference anchor="Foreshadow" target="https://foreshadowattack.eu/">
          <front>
            <title>Foreshadow</title>
            <author initials="" surname="Jo Van Bulck">
              <organization/>
            </author>
            <author initials="" surname="Marina Minkin">
              <organization/>
            </author>
            <author initials="" surname="Ofir Weisse">
              <organization/>
            </author>
            <author initials="" surname="Daniel Genkin">
              <organization/>
            </author>
            <author initials="" surname="Baris Kasikci">
              <organization/>
            </author>
            <author initials="" surname="Frank Piessens">
              <organization/>
            </author>
            <author initials="" surname="Mark Silberstein">
              <organization/>
            </author>
            <author initials="" surname="Thomas F Wenisch">
              <organization/>
            </author>
            <author initials="" surname="Yuval Yarom">
              <organization/>
            </author>
            <author initials="" surname="Raoul Strackx">
              <organization/>
            </author>
            <date year="2025" month="October"/>
          </front>
        </reference>
        <reference anchor="I-D.irtf-cfrg-cryptography-specification">
          <front>
            <title>Guidelines for Writing Cryptography Specifications</title>
            <author fullname="Nick Sullivan" initials="N." surname="Sullivan">
              <organization>Cryptography Consulting LLC</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare, Inc.</organization>
            </author>
            <date day="7" month="July" year="2025"/>
            <abstract>
              <t>   This document provides guidelines and best practices for writing
   technical specifications for cryptography protocols and primitives,
   targeting the needs of implementers, researchers, and protocol
   designers.  It highlights the importance of technical specifications
   and discusses strategies for creating high-quality specifications
   that cater to the needs of each community, including guidance on
   representing mathematical operations, security definitions, and
   threat models.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-cryptography-specification-02"/>
        </reference>
        <reference anchor="I-D.deshpande-rats-multi-verifier">
          <front>
            <title>Remote Attestation with Multiple Verifiers</title>
            <author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
              <organization>Arm Ltd</organization>
            </author>
            <author fullname="zhang jun" initials="Z." surname="jun">
              <organization>Huawei Technologies France S.A.S.U.</organization>
            </author>
            <author fullname="Houda Labiod" initials="H." surname="Labiod">
              <organization>Huawei Technologies France S.A.S.U.</organization>
            </author>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <date day="7" month="February" year="2026"/>
            <abstract>
              <t>   IETF RATS Architecture, defines the key role of a Verifier.  In a
   complex system, this role needs to be performed by multiple Verfiers
   coordinating together to assess the full trustworthiness of an
   Attester.  This document focuses on various topological patterns for
   a multiple Verifier system.  It only covers the architectural aspects
   introduced by the Multi Verifier concept, which is neutral with
   regard to specific wire formats, encoding, transport mechanisms, or
   processing details.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-deshpande-rats-multi-verifier-04"/>
        </reference>
        <reference anchor="I-D.ietf-rats-coserv">
          <front>
            <title>Concise Selector for Endorsements and Reference Values</title>
            <author fullname="Paul Howard" initials="P." surname="Howard">
              <organization>Arm</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <author fullname="Shefali Kamal" initials="S." surname="Kamal">
              <organization>Fujitsu</organization>
            </author>
            <author fullname="Giridhar Mandyam" initials="G." surname="Mandyam">
              <organization>AMD</organization>
            </author>
            <author fullname="Ding Ma" initials="D." surname="Ma">
              <organization>Alibaba Cloud</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   In the Remote Attestation Procedures (RATS) architecture, Verifiers
   require Endorsements and Reference Values to assess the
   trustworthiness of Attesters.  This document specifies the Concise
   Selector for Endorsements and Reference Values (CoSERV), a structured
   query/result format designed to facilitate the discovery and
   retrieval of these artifacts from various providers.  CoSERV defines
   a query language and corresponding result structure using CDDL, which
   can be serialized in CBOR format, enabling efficient interoperability
   across diverse systems.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-coserv-07"/>
        </reference>
        <reference anchor="Clarifications-EAT" target="https://mailarchive.ietf.org/arch/msg/rats/4V2zZHhk5IuxwcUMNWpPBpnzpaM/">
          <front>
            <title>Clarifications in draft-ietf-rats-eat</title>
            <author initials="M. U." surname="Sardar">
              <organization/>
            </author>
            <date year="2025" month="April"/>
          </front>
        </reference>
        <reference anchor="Sec-Cons-RATS" target="https://mailarchive.ietf.org/arch/msg/rats/jcAv9FKbYSIVtUNQ8ggEHL8lrmM/">
          <front>
            <title>Security considerations of remote attestation (RFC9334)</title>
            <author initials="M. U." surname="Sardar">
              <organization/>
            </author>
            <date year="2024" month="November"/>
          </front>
        </reference>
        <reference anchor="RA-TLS">
          <front>
            <title>Towards Validation of TLS 1.3 Formal Model and Vulnerabilities in Intel’s RA-TLS Protocol</title>
            <author fullname="Muhammad Usama Sardar" initials="M." surname="Sardar">
              <organization>Faculty of Computer Science, Technical University of Dresden, Dresden, Germany</organization>
            </author>
            <author fullname="Arto Niemi" initials="A." surname="Niemi">
              <organization>Huawei Technologies Oy, Helsinki, Finland</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>Department of Computer Science, University of Applied Sciences Bonn-Rhein-Sieg and Siemens, Sankt Augustin, Germany</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro, Lausanne, Switzerland</organization>
            </author>
            <date year="2024"/>
          </front>
          <seriesInfo name="IEEE Access" value="vol. 12, pp. 173670-173685"/>
          <seriesInfo name="DOI" value="10.1109/access.2024.3497184"/>
          <refcontent>Institute of Electrical and Electronics Engineers (IEEE)</refcontent>
        </reference>
        <reference anchor="ID-Crisis">
          <front>
            <title>Identity Crisis in Confidential Computing: Formal Analysis of Attested TLS</title>
            <author fullname="Muhammad Usama Sardar" initials="M." surname="Sardar">
              <organization>TU Dresden, Dresden, Germany</organization>
            </author>
            <author fullname="Mariam Moustafa" initials="M." surname="Moustafa">
              <organization>Aalto University, Espoo, Finland</organization>
            </author>
            <author fullname="Tuomas Aura" initials="T." surname="Aura">
              <organization>Aalto University, Espoo, Finland</organization>
            </author>
            <date month="June" year="2026"/>
          </front>
          <seriesInfo name="Proceedings of the ACM Asia Conference on Computer and Communications Security" value="pp. 547-560"/>
          <seriesInfo name="DOI" value="10.1145/3779208.3785387"/>
          <refcontent>ACM</refcontent>
        </reference>
        <reference anchor="ID-Crisis-repo" target="https://github.com/CCC-Attestation/formal-spec-id-crisis">
          <front>
            <title>Identity Crisis in Confidential Computing: Formal Analysis of Attested TLS</title>
            <author initials="M. U." surname="Sardar">
              <organization/>
            </author>
            <author initials="M." surname="Moustafa">
              <organization/>
            </author>
            <author initials="T." surname="Aura">
              <organization/>
            </author>
            <date year="2025" month="November"/>
          </front>
        </reference>
        <reference anchor="Intra-handshake.fail" target="https://www.researchgate.net/publication/408219182_Intra-handshakefail_CVE-2026-33697_High-severity_CVE_in_Attested_TLS">
          <front>
            <title>Intra-handshake.fail (CVE-2026-33697): High-severity CVE in Attested TLS</title>
            <author initials="M. U." surname="Sardar">
              <organization/>
            </author>
            <author initials="V." surname="Dubeyko">
              <organization/>
            </author>
            <author initials="J.-M." surname="Jacquet">
              <organization/>
            </author>
            <date year="2026" month="June"/>
          </front>
        </reference>
        <reference anchor="Intra-handshake.fail-repo" target="https://github.com/CCC-Attestation/formal-spec-KBS">
          <front>
            <title>Intra-handshake.fail (CVE-2026-33697): High-severity CVE in Attested TLS</title>
            <author initials="M. U." surname="Sardar">
              <organization/>
            </author>
            <author initials="V." surname="Dubeyko">
              <organization/>
            </author>
            <author initials="J.-M." surname="Jacquet">
              <organization/>
            </author>
            <date year="2026" month="June"/>
          </front>
        </reference>
        <reference anchor="CVE-2026-33697" target="https://www.cve.org/CVERecord?id=CVE-2026-33697">
          <front>
            <title>CoCoS attested TLS is vulnerable to relay attacks via extracted ephemeral TLS keys</title>
            <author>
              <organization>CVE</organization>
            </author>
            <date year="2026" month="March"/>
          </front>
        </reference>
        <reference anchor="Usama-TLS-26Feb25" target="https://mailarchive.ietf.org/arch/msg/tls/Jx_yPoYWMIKaqXmPsytKZBDq23o/">
          <front>
            <title>Impersonation attacks on protocol in draft-fossati-tls-attestation (Identity crisis in Attested TLS) for Confidential Computing</title>
            <author initials="" surname="Muhammad Usama Sardar">
              <organization/>
            </author>
            <date year="2025" month="February"/>
          </front>
        </reference>
        <reference anchor="I-D.ietf-tls-rfc8446bis">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
              <organization>Independent</organization>
            </author>
            <date day="13" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies version 1.3 of the Transport Layer Security
   (TLS) protocol.  TLS allows client/server applications to communicate
   over the Internet in a way that is designed to prevent eavesdropping,
   tampering, and message forgery.

   This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes
   RFCs 5077, 5246, 6961, 8422, and 8446.  This document also specifies
   new requirements for TLS 1.2 implementations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-rfc8446bis-14"/>
        </reference>
        <reference anchor="RFC9261">
          <front>
            <title>Exported Authenticators in TLS</title>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document describes a mechanism that builds on Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) and enables peers to provide proof of ownership of an identity, such as an X.509 certificate. This proof can be exported by one peer, transmitted out of band to the other peer, and verified by the receiving peer.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9261"/>
          <seriesInfo name="DOI" value="10.17487/RFC9261"/>
        </reference>
        <reference anchor="RFC9266">
          <front>
            <title>Channel Bindings for TLS 1.3</title>
            <author fullname="S. Whited" initials="S." surname="Whited"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document defines a channel binding type, tls-exporter, that is compatible with TLS 1.3 in accordance with RFC 5056, "On the Use of Channel Bindings to Secure Channels". Furthermore, it updates the default channel binding to the new binding for versions of TLS greater than 1.2. This document updates RFCs 5801, 5802, 5929, and 7677.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9266"/>
          <seriesInfo name="DOI" value="10.17487/RFC9266"/>
        </reference>
      </references>
    </references>
    <?line 437?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The author wishes to thank Ira McDonald and Ivan Gudymenko for insightful discussions.
The author also wishes to thank the authors of <xref target="I-D.ietf-rats-coserv"/> (in particular Thomas
Fossati and Paul Howard) for several discussions, which unfortunately could not resolve the
above concerns, and hence led to this draft.</t>
    </section>
    <section numbered="false" anchor="history">
      <name>History</name>
      <t>-01</t>
      <ul spacing="normal">
        <li>
          <t>Concrete text proposal for security and privacy considerations of multi-verifiers <xref target="I-D.deshpande-rats-multi-verifier"/></t>
        </li>
      </ul>
      <t>-02</t>
      <ul spacing="normal">
        <li>
          <t>Introduction and motivation</t>
        </li>
        <li>
          <t>Defined replay and relay attacks</t>
        </li>
        <li>
          <t>Added mitigations</t>
        </li>
      </ul>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8Vc63Ibx7H+v08xoX+YRAGgQFIUyZPEoUhKgi1KDElJcVIp
1gA7ANZc7MA7u6Rold7lPMt5svN198xeQECRHeecVMoCFnPp6enL15dlr9eL
iqRIzZHaeFkmsUmTzDg1sbm6MuMyT4oHdWIzh19yXST4pOxEXR5fX21EejTK
zR0m0td1wzeisS7M1OYPRyrJJjaKYjvO9BwbxrmeFD2n81jnPQx3PWfGvTEm
9Z7sReUixkR3pA53d/ciV47miXNYsXhYYO7w7PqFUt8onToLCpIsNguD/2TF
RldtmDgpbJ7olL4Mj5/jHxxoY3h5/WIjysr5yORHES1/FNF2JnMlNiry0kQ4
z26EdXOjj9Tx5dlxdG/z22luy8URn1t9wPckm6qX9Cy6NQ8YEB9FqqdcYMG4
xQL6KTdzWxilCxyp4MfRnclKEPCNUn71Dy/pi5yvvQkez3WS0pC/mI96vkhN
f2zn9Fzn49mRmhXFwh1tbzd+3MZyWDopZuUIHJqXMz2f67hXOj3XnuvbLa5v
YHxKPC8wPqy4cl5flu0ntr3C9vor7c+KeboRRbosZjYndmE3pSZlmoo0bJz7
ndQ72kld8SIbPMrmU50lvzDfjtT1O3WaG4fL5h+NsKY64Q1T2hci/lKUvVgG
92OD/TObz7HOHTiv1OWLE5KuI5VPxixm8ujZwUAe4UN4NAiPBtWjg90wajeK
SLbbKx/s7e3zAPogj3afPt3hR/QBj67NeNaDvozNonBHfBoVtPHC5G6RjEuS
J6jccS056hzTwA83d1Ap0rdJQpIPeceX+aIsIDlHvHiWjPmh7CDMVCz46u24
sNADtfNk52nXb63zqSlqabq/v++Dd4ZkbIpJ/cwU24tylGJVImR793B/cHi4
c/jkpkHtjZ3cNKi9qam9SbKbJrU3FbU3FbE3gVghqRIX/l8P54WinvfVu74X
EPzy0mS948Uitxqq8DszEWtDjVMV1v9PsPApRO/Jwb/NQk/qTSD1VzDw9OJy
iXGXZlqmwqjNs3dbOOJgf3v/2SFxsZgZdVbmdmF0pi50niZQ4KxQOovDzye2
zMZJSl93noF5OT7TEgrr0e+gsDBjXh5DMl2UxOQFOEAe5h7WBRZzCvpUYcOE
sYH9h0nEBBmIGbgHLfvKupPcGDW3d4YJwkhXjmc8qsvDcngJndIqp0lOBNwZ
dfh0e29/++xEbYbLPqVVL2oSa2Zsqc1r87EQCs/OjrFgau40JHarJRnn+kHt
dfnIawTDlHkvNR/7hhip8c82XO82Dr0dWL1tf/rCFVYXAAHwnhEDTi3I6f2o
7dJ1vhX2VA6KeMhCqOC/+Dbs2KZu6QyQWTU4PNjtfoGO075s2n563FcgAs9e
WEj/TMf2fomi+odfq1KTaia8qR7fEu++QOD3Vr0Hm56X6fh2SQt0nmRanScZ
XG37p7eTJFcfDPhqlo4LNTQpmYVHc55jOad+0C65HSftn17kOrtVFwkk2GTu
ERW36ipJcWpXmOVFr2d2rp160Qc1MABBq8PPP5Z3kNcfdQ4w0PrhUtsyVVdF
DgZ9xE/D3mk/yYtJbzzJp71x/rAo7DTXi9lDzy3MOJl4e3Tkx8Zg8QIaY8SL
z8u0SHp3JsdAk4dBicGC/PvYOpPf0fOTVOfVaq53dny9dPHtAWR7BTTUixld
tGRiMKgsyFqhIAxA8gqFZrL6gAzb9GB77qYMUrb33u/88vdXs9unw/Lj/fjd
+ZsPi4vni+yXhT5fJT+rTSVQLjls1yMouHSyq9Xwj5TtMfxTmx58tA3HzlP1
hsyX14G9337cn8bHd4cvfhj9eDV8X7x789eD6fTs1euDNJ//iuNeHveuX/tz
hmNeQ/Hy2EGr0iTWwYZjmBr0d0nh5xDJc4tQgk3u+zIlqzpK0qSAAtCFD7PC
pN86vzpbWjI/wgh/57ur+PDrvevB092Dvd0nhzee6puaanKy2P5msHsjRN8w
0Tcg+maJaPK6nugbIfomEB19rZNtW8c3iZkvGYlXfXUNBbcTKPp0yQr0wVfn
QDZp3mnvBJYmIWv0dtgfPOkPBntPt3efPTvceXLQ331GZ37WHNiD27PtSxwy
fqBojUd8CQL5Gz2Gv32goRWOMjHdevPWmlf2dPWV+ciBApSTk5NeA+VsM4BO
2R71khhGiij7LfzFL+e2xLIT/YiPx0AaxJsMprEHUBXDldya/oRiiDaHVoxQ
myfvz3o43H5vd3f/8NkWbi2ZzhDkkGkkbr4/I1au48/3ZWaIN/u/UZz3nhzs
DA4HBzs3S9QRcTdt2m5alNGPJMWBMpL838La93D35cg83NolL9vDnO/1+OfS
FGvYu0oK/+95/JXy98Pz/yR72ic8WoVeOOg9opEtJ3NiT+yV9yNydgWVvPPm
KjWEl4FJAT8FHOG3RCtAVgABmmAWM2BjArk0FeDPrY9bxnAu5FdAw6UZ2zz+
Lon/1Cb9MV6k32rHUVuoJ4fbxycnZ1dXfTLn/d09RNIHFHBztE+Dezv7L8xo
5+mSVx3OPdpnTxNOhY8BtdYQYiI2slekrtdytZW1G1fWrik+W5zvWm3/2t55
X4HEvNT5w28HI6Bu+/uPNw8X9scP58Mf9M9/m1+4h+KHvz8//Xln134Jy65M
kTTBGJ3cZxxGiQspjp19n7zAh+rRfni0H0X9fj+Ker2e0iPHkhJF1zPwKbbj
UkK7BGEyRAs8vwOP1LROFZKPH4GV+A0Tk7HPHt5DV8E+on9NWoyHFVWSogVD
5UfCWFHFX4raKIjJjInZCyWU6iLyIB9dFQwnfyGiFg0PDTibTKEirg/TpBY6
B6EI6fKuSgoVA1eXQOZOOTs3IYT9dmSLws4VQlMI4rdQM1cazGfG4P9aUWKw
l2Q9bDTF7n5bmovz5sQ2WCwKzCh5l6UUZ4HGrCCeKVsWxL+wW2ER+oPFM12o
SYk9TZjMCnqfpCnYh0cku3NEQDhSATHDvXUgrHkuoSqLNnsMN4Nsc74S1+0w
qIlOxyaXocW9lUGsQDQsxMDVpdVX3VUj7fgjp1MLA/5DLeqrYhGaJ3Gcmij6
hp2AjUsmDN+/UW9wc5JaprsGEPsF3ynrTAE0kcOrnOGUD4wRc/g/dUqU+UuH
BM40QnbdANtL6WYinD71ow+zBPZw6s/TkFjOCSCo+vSp51Nxnz/DRCau6PJd
lAh78vRB5C1HNAKGE5pN5H4iGmOyeGETXDEeUg7zgbLHbE82k77pQxRwYc5O
CqBOw3Ixg7LyF7iehc1YDhIJy2NzB72BlMBqjynNwU/JOG/1I74eIZXCBZA6
0yR9iIjmiKSwc5xMJoblrU1uiPkzZ0SwLAshhN8FsauOsQkVTEG9N4v5FmXA
l8/E84Oe/h6nqzVmarUw2Coy2yzAohhEAjStmNHdPSK8H0GfLZ7kpI4xZLR1
q7HRqc8nacgQLXSrdEyqBRveVfeYaLTzOtAYnNWsaQ1PIDp0EhbD3NoinAlS
jWDasSmDhkHyU8X62mABLy1rwOyMaRNxzMwNNUEUX3MVCwamQsnPofK0XHdV
KEkCwfCIMmIQY0huCf6RAE8M5daMtyyZ4SRaQVqrMQWyQB+Dme9Hb2GRqgv2
xYQqjabDaqIJhmsPCSXJOHtHN59CjSS91L4k0cVwAVW+iYodxLHUM3QHLE3J
0PB9sJzHcUJnxPr+J+Efb0bOwjjWRyxDlPWjd5SHL0rABZPixjLb1Hxvl7Ed
qzvbohX8bGmbN0v9NR5xQpa5oJ+metGvzFwlqNfsuxB2xIkhK+erZ40LvWfe
sKzLWN0Y2zaD7Hi+0u3VPg/n+dr0z+fP3aY/CNaTjIwFL8k3pf7E2Fescpd9
TuVS2z66Qd4a6kjoeI5oMQUDvKItc2VHlFZiyrqtczcImyRYFuo089liQr+F
8DOgGXF5i6KqXYasMnQ/7UEk01i5B1i6ueADv/jSlmuYG5ZkezkrnUrNxCeI
06QoUtZkL4bk50RGhhnsBtRm7FMiFyt89pIoz3X20PTtGFJtHnBZ4pcteFc9
HyXTEpFw7c3lEMmdHi/DsaZ1S41mXpo8t7nk6Pi8PL1iir8XejZN2CtPYEBN
JB6HrIbftR8dM+bxBiUcJbcL63ASWZu3aWkecXSU21uTCc+Op1MqChQ2l3TF
FWQjqiwFEJCoto7tgpyWl/qlHCVJuByUzUvWYBIZmMYmXcGxPLbXCyKpCSg6
NgF4yFLGSN2JBSMdeTBFuJAYTCEHAwNGwdlP8GWVrsGiiBQyega7aPnbzN7D
D0/FqzISgVXKYthycBqMg9FLiNgGM0bY4dY9SvDTd+YOYjeRbrm+7E5SYEam
SNRLBNtJDbsZXiRUH4GCXpX5ggKnbEpyGGMHD8UJb5jevTG3wnUynmTOfUkG
Ho9+8viaw7cJVIkTcV3+3ZMZWOi/svFZe39YL2Y+u3KxgILUWzen99VzTcLl
C0N6ZO+MvwoylK5tOO+NXB80vyRU7m5hLsBpN6eZZSEWnpwXJeIxF4G8K1q0
Q11GBFd05mAMufyU1dOYI2NOfT9IiBBQeK4TolP71cJZigShyKYr5wTyCCdj
fQ5PABlo8cQvzocFTIw+GIkSbo1ZQE64e2BqbdybaEY0BeH1wvkyGNMfrrFx
BFcE44kLh1CRkhIYFg08t5AI6V54l/lqwCOj6NhuQh1xLsKLtGLchqZEQx1g
WIJdzP5UzjlLpjNhGAWRHByG5M/dUjZZrL03/MuOnIn+hsvfucFPNflY8kyM
0ZG6kLiVHy1SmwhyvahCF3UlriH6dKS+oXYGbNML2OgzRcqVEumQI/UHYf1Q
BF7tlDeVIPIIkVJIq1ZTIO6tfC0EfWJhAFSnEyc+Fux0qgQIkGsG+5DgImvw
LekLKtEQUCAdSbJxWpIdwpHOyCKRB6K9G5G3RJK4NhwIOgNmGy+iQEsOaJ6s
Dzw8BKFJ5efP/TXnWJf8w5HYKwhS7XQWFY9xsLZbWVc1qRhr2KxYjhUx9NOn
dmJKtup0Tt5fXaln/afYgExbp8PJsZqP/yYvVpw0sKXMGc8sSwZT9YWDrzk3
OSt/9ta5dSawCaZFgqMgH6Q+bA8WtpCcVlr7dZFLcMwh8KswMXsb1ZFzugQO
q8ObpdYBWm+pjtHjWacOkD4COZLueS4f9gedTt9njtzM3ot/gbcp2dB7k/DY
EiyzqIobGXIEHGGaYYMV2OfKEQGsJaNQxwglgB3z5542hnmmSrmJfRJH3Mxy
aos9ss9zrE1dSTjNnPdImaI5R1f5gOubUNxnxWZejWFBydWTUSQnxH46KUoP
n2orvj4/RLf1hQzR+vTQ0delh1q4K4TQ1P3U+rZLmCyLqwcD/LwusUTOvZas
AMnq0GK9dw/QoYKHEI+ocouPVvhioZrpe5TRqm73i7cowX9hOdfViCGbma/V
C5TAwJT/gt+5I9UjvtOpTg2ENpGWQPYa1HvBWQu1cf7u6pqaFelf9eYtf748
++u74eXZKX2+enX8+nX1IfIjrl69fff6tP5Uzzx5e35+9uZUJuOpaj2KNs6P
f9wQ6L7x9uJ6+PbN8euNGlNUQW5uPK5JKAZakBcFVHERuA7fPBK/8vzk4n/+
e7CHC/kDhGlnMDjENcqXg8EzQvLkrLr+ZsFa+Qq2PUR6sQAKo1UINo71Iil0
KgCNTAgMn+H8R+cfxJl/Hqk/jsaLwd6f/QM6cOth4FnrIfPs8ZNHk4WJKx6t
2KbiZuv5Eqfb9B7/2Poe+N54+MfvWC57g4Pv/swiFGT3FYSZwKp0sQGukVxJ
GBG1v0pqGpc1D5kmcgtwAY1Ax6c0llLujGy91lVp01lzY6hl757SeO0dP31q
duDVARbpwsykC1WBwaiGlyRQGQGTFHCAG8WWVt3kqHNMkJ27vnJY3y22Z289
GUn2k2/h0oiF2IU2fs1s1ls94jjFE0omRtElB42cWCRqRwTAY3Gz5Ox8ROGM
UOkek9mPTgUxiA2uFgDxS0aavAH8Dvs+bjSg6oj4St9mFpQK5uADGRaiaGrV
fW6z6Xcb4kwkjuP50RW8wpWfuycgaDUgUboZfvtgeozQ0UXDgqHFyFK6AvGk
eOQaD1HtbSE89Gj6NY9qPKcr4Y45eGNiN0tgVmFRDnzbHX5qE1vGZA2FU8eU
O8KoPbU52KKDUEMiiRX++fwZwU1HbdIOW2RSKbOawuCuX+PZijUo5aCnvlzl
87MEojWdHzYodB22OwuxTNw4WYOQC+lHtF+i42AVHdiA8I6ThZttjSR+M51O
qjCWBoyrA3v2X6+6GrqCYTbJtStKzoMSfYRmcjEHnNkQpWRw4gKGro8B0onE
vjrOmolf9gc8nRcCFiwpdMs5n70Im2yeXF1siVw1Jbwlofv9wa+SUV5M0sM1
xHhJsSIv2wpEHgs4FTIIB0fRuq6s1UaQM5fEnRCrwwn5NEma2nu6qAphU+nj
znKWBwykbAk1bcRHTPpmiLa21KVZUEE+UDT0XlbW6TYKE1jlcdWB0kwCuX3x
xCqbEtPDBjSATEUu21SPeRIMLu7uJGWUKxKQWZXCohhKfXvEKVkASA7BJDbR
XgZDOajbCiMwiWAWeJFwGMDxAU0ZN0voLL+fPkknAEdFnhGE6JmsilTKOY6E
4lC10nPOkWShSzgHfbnF+RnhkXTWvzoRvdMQJn8Fqx+zt2qdJRRSJxg+fap+
8ODU38Om6U/7XWqviOpeVgyvv5C6ez1rhnKE+jhye8C5x1TWChGPZKKr64y5
RVnpJh+C24womtV1rcZrf76s/n5/Kpfkds6ZJr/p111ptOpK2ymAYRYSWgW1
Ri+LwTh0UjDzqOuEy5eSKKP0XQjrOAtHaYJc8kXkdoOu+WPQ7A8vicRWGwZI
etRFAtLUcSu5yRbsjloz4JGilekWhOs+bA/ZQSIaaBfO3y64RKauEpJYoZMT
aNaT1V2imTNaI2Oy0BlBjI6M5JjEWfzj+uyM7d8/N0PvSGHEIm5vddU/PkAC
Cr1YGnLfeLrta6j/eK7jy+PzetBIIyKZU2+0N8yX5vc1Qq5MCvbto0SSInPY
DXrnqhZgbkPKWsJfZU4ttgzZ1mBlfHWiNklhQGUoIDqUn0Ng0I3Wim/S6hjC
xT/a5wuZmzc2xHUdMagdlhtOAnfIKnXqZaRy51NKnpWN0VVdvp4iKPAiUK7O
xWlwSLgGC4pulRR/zYGFuZjrq+YJrorSKyHZeW0rL9RIent5ZPUK8B7/KerT
t3OmHwy7NsoeaqlEi7Fqtl6tn47DrfstYm/pgqMK640eEDGzfaDXN9ysJS+Z
5YRlXS0NXpwmeGMibQKPzUlSKL9jlUD12e/G9hG2DxLML7YEUfMmp9EMQtvV
prhb9ZEI9WcfveX6wfDo86AOm2c/nG9FjXxHu0mL4iXt6nQHBDhApsP+jodM
DYMb0i87+4N2PmZnfx8PQhprXr/eRHaNafXnRKR3NqHSovykW1YyatTtOGu3
9jpZSgAkYCmmLNY+o85R0lUbVV2TQp1wPu65UUPJhMVil6QNXtDtu8y/GQRG
hJsA6wJDnvU5zmn3wgBvfTr6ucS0z9GfFYz+mPIuD9xTVJUmWKM9b9xyqCll
scJM+dCNd5N8TFg6jwl54YaI0KIUX1cpxrJBvwcIXKmiWnFMhvidl/TfjcZa
DEMHvogDSRdEK/odyBYdmEu3X5q2xGNV0eWM3nIRw+zTm40KJaQSEl4ugn5x
fw9ON55RLBXOUlU0ELaVE82gJt9a06/Rj17RuVa2xhiYYA6RuP3OszazzUsO
Wa8x5ftDP1Kj/U3DtMArC+BPqSoKyWXqrauA8qr7pFwX9xNw7kISaRkixUI6
fR5T263viJNbo+pFOewoVgbQj7teYmkZYm7S8xG5nlUsXccyVrfzxPlV68xk
qwRfOu+BOKHkX82kKOEcKIDj6SQLWTv/fi7jBPJ/UjpsrL206SX18zDDV6xL
AW1o2r0qF4s08fCA3H+7GDOuZ89ldj2VRcjvR7NDdNdM9Cx1MlFo2Xovl2BB
p/Xq6MmMmuWyKeORFdtXzYq/dptgD+m9Y+6ZyKclJVzZj3NpXoxld21hou6h
4Ow9M8DU+khtxOUEdjnhdq96v92oleane+dc2+5HBaTL3RJZDLCz6d/NZGAj
XrI2z4Mn4rCaPRyAz60Bu+0BW3ULnhwNzKMyBgtea2fYLJzgD6BpEGgangoo
zWyDIr5mSzFMqmsISGF8QlZP3hSoOiZZE5v71DwZDEReh42emgVEmZpZV7sk
roiscElUYmypeWiAlByCc3acsE5LyB5iOukaFBWR1kqEVVOITkyYqWqrrA2k
60tdgXemLN5HtvONpiBa6iexDuEwVbMe/80ELDEsKPVOrnrBXAXI5+icrMgd
1WOIZdxc8uKkT7Fv3ddD2OXl35bOR56kTTr93KQbF2sz02faqbBCeIQwPtU1
dVZBGq1giWNsLiVF37H69sObs8ubs4u3J69w/JXV3NC6JQCL2NLlwu6nT4/f
VvRq2Lr2C98w1W41bkrBwb+UAj4co1lKLSVzuphR6FDR/kilK6XZDsiRWC2G
Gw82YVBp67qzkswbAYoQWfQkY0/3LrvE1kgLQMW+7CFA74b3c4lAgkZ0JDw3
1YokLBUYY/AwT6azgheHhKSUpGgmkCRHzXmkrhqVlMFYaGpxojvm5J1PibDP
Qmwstm3tSXQhNqZ+8ZIv6QV7tqXzdP0cL8Ednd7rB9ch+X3M1ElTdr1cIkxm
+H6hc2FwG9dehO7pVQCXpP3UFHnC1fy09VdUuEFnZODH7jwCa2cVq7bs0A2n
pYjbWmxNS9eSx/2qZj+qvqlFWYT00LzMeErBjT++3YeLqe99MdW1T1BVrb+q
DstxeVF14HLIobjUSIenFhfns8qdTiNp5anC3bhyRI1w3o3FwME6lqlUu6BJ
TdTWPLlXGd/g2fUOInCLWo8hzSlJdIgBVy7D/VAyG+Qk3H6cFAIrIVBh7iil
xgSBYDjznYHFYsMMHCjdXA/sWF+QFdX1Vo1sPuzopNkdV12Ax9Ec2TYg9f2M
8vNyvn69dCC8tXLz7ZTQ05k6Kyk/iPiFr3/gXMNmAWcY/rwJVW8uhkPObGpp
BK4J9KZzzbsZEVW1vuUGZgSfOnjfFse52bF6s4JzfifPq27Gi/r2mharfiln
ZMYa0EFcvZ9D/OEiFyieUwwLPAp9kiuKqTJZtbE+XjgcjZaTJlAyoxwqyNcG
iZcXZN4025Fckij0fk3Fnf9iFBJb0b3Gaw5MCft+KTrS/O/UB5DtFci12Kx6
9cfmm4DfqRqUhMTBV2jmBNcIc0MGKLQs4hw+pLpvqvz6fhhs1l7XfeXmczq6
06QT9MqdzgUsa8XdpiYwIPdv5kjAtbxVknGZ2DT6nKV7ke7HULGNsr9ZVUvm
bnNuQkvVtX/FpXrhj/tG1SbudKsBdS4gt49roWuAAVQ9vLcgjYl3/o+OcMlt
OAwG7jW1Y1VXuSnlGUeVbaduE/lrKubnEnuknBGF/NrMplQlGVec2WortcAc
Xb8V6bd3zc1FcSl8PQmv6zSsDFTl3qRpf8llmTW+5P/58ufcCSAC0KIyGGzX
KnRQczr3NaukYdJ8AcoFNoca092SZXu7MFnP2TIHEnpuiAniSlXu20pNyF/X
SDd01xJuMvIa42Bnj8yHXiyo+5dSb7jVMZEQpIRSPSkhq1ISc5C9uqvbOxVa
onYDka1pk3p79bJJDRe8paQsfEKJZPZW4eW1sHdYXlJOQbUamM2VOaB7aCSo
GtF7gmfFrUTtbv217V6Jr9yKO23nLkIyplIm+ltB5r49aPnNQFdQv8Ryq/0r
fSeJt5Ud9O2OQ2CuOxEWz93g5+pcUDNKGhlfLKZeaC4Xi/N3tYknYTDFPdWC
GrvyX8eo/MujKtrq95Fb7ZM+3qM4SjBlY/UZ5yZYhpalncSiipffU+Thqoqh
XPsZSwBhPvKYjlPpEpiS55TXlKpm0/AWX+lq1RUXjiFUWKEXs9SwWGGnI7HT
wW03yPep12bhsvFH/ipE8MVjRNUx+gLQE2grjFlGAOtrOcB+XDpQu0u1VMqV
f917GAGc1XWMpDXVd2vnZZZJEctJwHt9dtb1YIY73SWRCR4+SD46UBI2zU3h
uHdiLQaLjtO0auyoGv2qotUaB09r0hu9x2+OHy3Yfi+OxC6zMlJX1Xl+M5hy
lNyaMQ5vudAM6quXP8lo4j9t8BtEG76rXiwnkBE0yNeA6e8oDXOtzsenZG5j
vqvhHYTlZRk/YL1by5EScRCIflKmjddPXL+5LOPe5bWbBrtCUCvM1mb7nTf5
M02R/yMtTNSFxt6v+K/OSOK68YZmoCd0ypXNN71837JE186m4nwjSQKGHlvR
uRnLb9UTH0IyjlpfJQ6S9bCau70nA+kM9m9GsM2poINQ+y+DyN/s+Gn/HelZ
qt8Q543m9QsmHemX5YBd6oWPSncddczZ1Xmjivq/GUYyv9FUAAA=

-->

</rfc>
