<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.31 (Ruby 2.6.10) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-sullivan-tls-signed-ech-updates-02" category="std" consensus="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.31.0 -->
  <front>
    <title abbrev="Authenticated ECH Update">Authenticated ECH Config Distribution and Rotation</title>
    <seriesInfo name="Internet-Draft" value="draft-sullivan-tls-signed-ech-updates-02"/>
    <author fullname="Nick Sullivan">
      <organization>Cryptography Consulting LLC</organization>
      <address>
        <email>nicholas.sullivan+ietf@gmail.com</email>
      </address>
    </author>
    <author fullname="Dennis Jackson">
      <organization>Mozilla</organization>
      <address>
        <email>ietf@dennis-jackson.uk</email>
      </address>
    </author>
    <author fullname="Alessandro Ghedini">
      <organization>Cloudflare</organization>
      <address>
        <email>alessandro@cloudflare.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>TLS</workgroup>
    <keyword>TLS 1.3</keyword>
    <keyword>Encrypted ClientHello</keyword>
    <keyword>ECH</keyword>
    <keyword>Key Rotation</keyword>
    <keyword>RPK</keyword>
    <abstract>
      <?line 44?>

<t>Encrypted ClientHello (ECH) requires clients to have the
server's ECH configuration before connecting.  Currently,
when ECH fails, servers can send updated configurations but
clients cannot authenticate them unless the server has a
valid certificate for the public name, limiting deployment
flexibility.</t>
      <t>This document specifies a new mechanism for authenticating
ECH configurations.  Servers include additional information
in their initial ECH configurations, which enables clients
to authenticate updated configurations without relying on a
valid certificate for the public name.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-sullivan-tls-signed-ech-updates/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/grittygrease/draft-sullivan-tls-signed-ech-updates"/>.</t>
    </note>
  </front>
  <middle>
    <?line 59?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Deployment of TLS Encrypted ClientHello (ECH) requires that clients
obtain the server's current ECH configuration (ECHConfig) before
initiating a connection.  Current mechanisms distribute ECHConfig data
via DNS SVCB and HTTPS resource records
<xref target="RFC9460"/><xref target="RFC9848"/> or HTTPS well-known URIs
<xref target="I-D.ietf-tls-wkech"/>, allowing servers to publish their ECHConfigList
prior to connection establishment.</t>
      <t>ECH includes a retry mechanism where servers can send an
updated ECHConfigList during the handshake.  The base ECH
specification instructs clients to authenticate this
information using a certificate valid for the public name
<xref target="RFC9849"/>.</t>
      <t>This forces a tradeoff between security and privacy for
server operators.  Using the same public name for as many
websites as possible improves client privacy, but makes
obtaining or compromising a valid certificate for that
public name a high value target for attackers.  It also
restricts the usable public names in an ECH deployment to
those for which operators can obtain valid certificates.</t>
      <t>This document introduces an alternative authentication
mechanism for ECHConfig data which does not require the
server to hold a valid TLS certificate for the public
name.  This allows server operators to partition the retry
configuration between different domains, as well as
enabling greater flexibility in the public name used.</t>
      <t>The mechanism authenticates updates with bare signing
keys identified by the hash of their
SubjectPublicKeyInfo.  A server's
initial ECHConfig lists the SHA-256 hashes of the
SubjectPublicKeyInfos of one or more public keys
authorized to sign updates, and each ECH Retry
Configuration carries a signature from one of those keys.
This replaces the need to authenticate the ECH Retry
configuration through the TLS handshake and ECH Public
Name.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
      </t>
      <t>This document assumes familiarity with TLS 1.3
<xref target="RFC8446"/> and the ECH specification
<xref target="RFC9849"/>, referred to here as simply "ECH".</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <dl>
          <dt>ECHConfig:</dt>
          <dd>
            <t>An individual ECH configuration structure as defined in
<xref target="RFC9849"/>, which includes fields such as
<tt>public_name</tt>, <tt>public_key</tt> (an HPKE <xref target="RFC9180"/> key),
and extensions.</t>
          </dd>
          <dt>ECHConfigList:</dt>
          <dd>
            <t>A sequence of one or more ECHConfig structures as
defined in ECH (a byte string that starts with a 16-bit
length and may contain multiple concatenated ECHConfig
values).</t>
          </dd>
          <dt>ECHConfigTBS (To-Be-Signed):</dt>
          <dd>
            <t>A fresh serialization of the ECHConfig structure including the
<tt>ech_auth</tt> extension, but with the <tt>signature</tt> field
within <tt>ech_auth</tt> set to zero-length.  The <tt>ech_auth</tt>
extension data length, ECHConfig <tt>extensions</tt> vector
length, and ECHConfig <tt>length</tt> field are computed for
that zero-length form.  This includes all ECHConfig fields
and the <tt>ech_auth</tt> extension's <tt>not_after</tt>, <tt>disable</tt>,
<tt>spki</tt>, and <tt>algorithm</tt> fields.</t>
          </dd>
          <dt>signed ECHConfig:</dt>
          <dd>
            <t>An ECHConfig that contains an <tt>ech_auth</tt> extension with
a valid signature in the <tt>signature</tt> field, allowing
clients to verify its authenticity.</t>
          </dd>
          <dt>public name:</dt>
          <dd>
            <t>The value of the <tt>public_name</tt> field in the ECHConfig,
i.e., the authoritative DNS name for updates and
validation associated with that configuration.  RFC 9849
recommends using this name as the ClientHelloOuter SNI,
but this document does not require it for signed retry
authentication.</t>
          </dd>
          <dt>retry_configs:</dt>
          <dd>
            <t>The ECHConfigList sent by a server in
EncryptedExtensions when ECH is rejected, as defined in
<xref target="RFC9849"/>.</t>
          </dd>
          <dt>outer SNI:</dt>
          <dd>
            <t>The Server Name Indication value sent in the outer
(unencrypted) ClientHello when ECH is used.  This is
typically the ECHConfig's <tt>public_name</tt> or another name
that preserves client privacy.</t>
          </dd>
        </dl>
      </section>
    </section>
    <section anchor="mechanism-overview">
      <name>Mechanism Overview</name>
      <t>The server operator adds an <tt>ech_authinfo</tt> extension to the ECHConfigs
it advertises via DNS or other means.  Each <tt>ech_authinfo</tt> extension
carries a set of <tt>trusted_keys</tt>, each value being <tt>SHA-256(SPKI)</tt> of a
public key that is authorized to sign an ECH retry configuration.</t>
      <t>When providing a retry configuration, the server operator
adds an <tt>ech_auth</tt>
extension holding the signing key (<tt>spki</tt>) and a
<tt>signature</tt>; it does not carry <tt>trusted_keys</tt>.  The client
validates it against the <tt>trusted_keys</tt> it recorded from
the initial configuration's <tt>ech_authinfo</tt> extension.</t>
      <t>A client receiving such a configuration (e.g., in
EncryptedExtensions) extracts the signing key's
SubjectPublicKeyInfo (SPKI) from the <tt>ech_auth</tt> extension,
checks that its hash is one of the recorded <tt>trusted_keys</tt>,
checks that the configuration has not expired, and verifies
the signature using the signing key.  The normative
requirements for this validation are specified in
<xref target="client-behavior"/>.</t>
      <t>A client that successfully validates a signed retry
configuration uses it to make a new connection attempt, in
line with the existing rules for ECH retries laid out in
the ECH specification.  Alternatively, the server can
indicate that ECH should not be used by setting <tt>disable</tt>
to <tt>1</tt> in a signed <tt>ech_auth</tt> extension, in which case the
validating client retries without ECH.</t>
    </section>
    <section anchor="benefits-of-signed-ech-configurations">
      <name>Benefits of Signed ECH Configurations</name>
      <t>By treating ECH configurations as signed objects, this
mechanism decouples trust in ECH keys from the TLS
handshake's certificate validation of the origin.  This
enables several important capabilities:</t>
      <section anchor="distinct-public-names-without-ca-certificates">
        <name>Distinct Public Names Without CA Certificates</name>
        <t>A server can use many different public hostnames (even
per-client, per-connection unique ones) without having
to obtain certificates for each.  This was not possible
under the original ECH design, which required a valid
certificate for any public name used
<xref target="RFC9849"/>.</t>
      </section>
      <section anchor="isolating-privacy-critical-key-material">
        <name>Isolating Privacy-Critical Key Material</name>
        <t>In a large CDN deployment, the ECH specification requires
many endpoints to have access to key material which can
authenticate a TLS connection for the public name.
This raises privacy and security risks where compromise of
the private key material in turn compromises the privacy
of ECH users and the security of normal TLS connections to
the public name.  The mechanism introduced in this document
avoids this sharing of private key material,
reducing the risk for ECH operators.</t>
      </section>
    </section>
    <section anchor="wire-formats">
      <name>Protocol Elements</name>
      <t>This section specifies the new extensions and data
structures in detail.  All multi-byte values are in network
byte order (big-endian).  The syntax uses the TLS
presentation language from <xref target="RFC8446"/>.</t>
      <section anchor="extensions">
        <name>ECH Authentication Extensions</name>
        <t>The information for authenticating retry configs is carried
as an ECHConfig extension (<tt>ech_authinfo</tt>) inside the
ECHConfig structure and conveys authentication policy.  ECH
Retry Configs include an <tt>ech_auth</tt> extension which
carries the signing key and a signature, allowing clients
to verify the provided config independently of the TLS
handshake.</t>
        <t>A single ECHConfig MUST NOT carry both extensions.
Initial configurations (for example, those published via
DNS) carry <tt>ech_authinfo</tt>; signed retry configurations
delivered in EncryptedExtensions carry <tt>ech_auth</tt>.  A
client MUST reject any ECHConfig that contains both.
Because a client performs at most a single retry per
connection attempt (per <xref target="RFC9849"/>), a signed retry
configuration does not itself need to carry <tt>trusted_keys</tt>
for authenticating a subsequent update; on later
connections the client re-fetches the initial configuration
and its <tt>ech_authinfo</tt>.</t>
        <t>The <tt>ech_auth</tt> extension MUST be the last extension in the
ECHConfig's extension list.  This simplifies ECHConfigTBS
construction: the signature field is at a fixed position
relative to the end of the serialized ECHConfig, so
implementations can set it to zero-length without parsing
earlier extensions.  Implementations MUST place this
extension last when constructing an ECHConfig, and MUST
reject ECHConfigs where <tt>ech_auth</tt> is not the last
extension.</t>
        <t>The <tt>ech_auth</tt> and <tt>ech_authinfo</tt> extensions have the
following structure:</t>
        <artwork><![CDATA[
    opaque SPKIHash[32];

    struct {
      SPKIHash trusted_keys<32..2^16-32>;
    } ECHAuthInfo;

    struct {
        uint64 not_after; /* seconds since the Unix epoch */
        uint8 disable;    /* boolean: 0 = false, 1 = true */
        opaque spki<1..2^16-1>;
        SignatureScheme algorithm;
        opaque signature<0..2^16-1>;
    } ECHAuth;
]]></artwork>
        <t>The <tt>signature</tt> field in a wire <tt>ECHAuth</tt> MUST be non-empty.
The zero-length form is used only when constructing <tt>ECHConfigTBS</tt>.</t>
        <t>The <tt>disable</tt> field is a boolean.
When set to <tt>1</tt>, the client MUST NOT attempt ECH on the
retry.  The ECHConfig to which this <tt>ech_auth</tt> extension is
attached is then used only to carry and authenticate this
signal; its other contents (for example, its HPKE
<tt>public_key</tt>) MUST be ignored.  On successful validation the client
SHOULD clear cached ECHConfig state associated with the ECHConfig source
used to bootstrap the connection and retry without ECH.  Senders MUST
encode <tt>disable</tt> as <tt>0</tt> or <tt>1</tt>; clients MUST reject any other value.</t>
        <section anchor="signature-computation">
          <name>Signature Computation</name>
          <t>The signature is computed over the concatenation:</t>
          <artwork><![CDATA[
    context_label = "TLS-ECH-AUTH-v1"
    to_be_signed = context_label || ECHConfigTBS
]]></artwork>
          <t>where:</t>
          <ul spacing="normal">
            <li>
              <t><tt>ECHConfigTBS</tt> (To-Be-Signed) is a fresh serialization of the
ECHConfig structure including the <tt>ech_auth</tt> extension,
but with the <tt>signature</tt> field within <tt>ech_auth</tt> set to
zero-length.  The two-byte length prefix of the
<tt>signature</tt> field is encoded as <tt>0x0000</tt> and no signature
bytes follow.  The <tt>ech_auth</tt> extension data length,
ECHConfig <tt>extensions</tt> vector length, and ECHConfig
<tt>length</tt> field are recomputed for that serialization.
This makes the signed bytes independent of the final
encoded signature length.  This zero-length encoding is
used only when constructing <tt>ECHConfigTBS</tt> and does not
appear on the wire, where <tt>signature</tt> carries the actual
signature.  <tt>ECHConfigTBS</tt> includes all ECHConfig fields
and the <tt>ech_auth</tt> extension's <tt>not_after</tt>, <tt>disable</tt>,
<tt>spki</tt>, and <tt>algorithm</tt> fields.</t>
            </li>
            <li>
              <t>All multi-byte values use network byte order
(big-endian).</t>
            </li>
            <li>
              <t>The serialization follows TLS 1.3 presentation language
rules from <xref target="RFC8446"/>.</t>
            </li>
          </ul>
          <t>The <tt>not_after</tt> field is the number of seconds since the
Unix epoch (1970-01-01T00:00:00Z UTC, excluding leap
seconds), and bounds the replay window for a signed
configuration.  Shorter windows reduce the replay
window but require more frequent signature generation.
Longer windows allow pre-signing but increase exposure to
replayed configurations.  A window of 24 hours is
RECOMMENDED as a balance between operational simplicity
and replay resistance.</t>
          <t>The <tt>spki</tt> field contains the DER-encoded SubjectPublicKeyInfo of the
signing key.  The client MUST compute the SHA-256 hash of <tt>spki</tt>, verify
that it matches one of the hashes in <tt>trusted_keys</tt>, check that the
current time is before the <tt>not_after</tt> timestamp, and then verify the
signature with the public key in <tt>spki</tt>.  The <tt>not_after</tt> field is
REQUIRED and MUST be a timestamp strictly greater than the client's
current time at verification.  Because this check is strict and uses the
client's local clock, operators SHOULD provision <tt>not_after</tt> with enough
margin to accommodate reasonable client clock skew (on the order of
minutes).</t>
          <t>The <tt>algorithm</tt> field is a <tt>SignatureScheme</tt> value from
<xref target="RFC8446"/>.  The client MUST verify that <tt>algorithm</tt> is
consistent with the key type and parameters of the public
key carried in <tt>spki</tt> (for example, the curve of an ECDSA
key), and MUST reject the signed ECHConfig if it is not.
The signature is computed and verified according to the
rules for that <tt>SignatureScheme</tt> in <xref target="RFC8446"/>.</t>
          <t>Implementations MUST support <tt>ecdsa_secp256r1_sha256</tt>.  Implementations
MAY support additional <tt>SignatureScheme</tt> values.  A client that receives
a signed ECHConfig with an <tt>algorithm</tt> value it does not support MUST
treat the retry_config as failing validation and continue to the next
retry_config, as described in <xref target="client-behavior"/>.</t>
          <t>The SPKI hash uses SHA-256 (value 4 in the IANA TLS
HashAlgorithm registry).  Allowing multiple hashes enables
seamless key rollovers.</t>
          <t>Note: While TLS 1.3 moved to SignatureScheme and does not
directly use the HashAlgorithm enum, we reference the IANA
registry value for clarity.  Future versions of this
specification could add a hash algorithm field using the
TLS HashAlgorithm registry if algorithm agility becomes
necessary.</t>
        </section>
      </section>
      <section anchor="tls-behavior">
        <name>TLS Behavior</name>
        <section anchor="server-behavior">
          <name>Server Behavior</name>
          <t>When a server receives a ClientHello with the
<tt>encrypted_client_hello</tt> extension, it processes it per
<xref target="RFC9849"/>. Depending on the outcome:</t>
          <ol spacing="normal" type="1"><li>
              <t>ECH Accepted: If the server successfully decrypts the
ClientHelloInner, it completes the handshake using the
inner ClientHello.</t>
            </li>
            <li>
              <t>ECH Rejected: If the server cannot decrypt the
ClientHelloInner, it SHOULD proceed with the outer
handshake and include a signed retry ECHConfig in
EncryptedExtensions.  This allows the client to
immediately retry with the correct configuration.</t>
            </li>
          </ol>
          <t>The server sends a Certificate message as part of the outer handshake,
but the certificate need not be valid for the ECHConfig's <tt>public_name</tt>.
The server MAY use any certificate, including its default certificate or
one for the origin server name.  The client does not rely on the
server's certificate to authenticate the retry configurations.  Active
authentication comes from <tt>ech_auth</tt>.  The outer handshake only carries
the signed configurations and protects their delivery from passive
observers.</t>
          <t>The server may indicate that the client should attempt to
retry without ECH by setting <tt>disable</tt> to <tt>1</tt> in a
signed <tt>ech_auth</tt> extension.</t>
          <t>A server that wishes to allow
authenticated updates MUST include <tt>ech_authinfo</tt> in the
ECHConfig it publishes via DNS or other means.  The server
MUST list, in <tt>trusted_keys</tt>, the SHA-256 hash of the SPKI
of every signing key that might sign an update before the
next ECHConfig change.  Multiple keys MAY be listed to
support key rotation.</t>
        </section>
        <section anchor="client-behavior">
          <name>Client Behavior</name>
          <t>When a client retrieves an ECHConfig (e.g., from DNS), it examines the
<tt>ech_authinfo</tt> extension and records the set of <tt>trusted_keys</tt> for the
duration of that connection attempt only; these are not cached across
connections.  This is distinct from caching the ECHConfig itself: a
client MAY cache the initial ECHConfig for reuse on later connections,
but it MUST re-derive <tt>trusted_keys</tt> from that ECHConfig's
<tt>ech_authinfo</tt> on each connection attempt rather than reuse
<tt>trusted_keys</tt> recorded during a previous attempt.</t>
          <t>The steps below apply only when the selected initial
ECHConfig contains <tt>ech_authinfo</tt>.  Otherwise, the client
follows <xref target="RFC9849"/> without modification, including
Section 6.1.7 retry_config authentication.</t>
          <t>During the TLS handshake, if ECH was not accepted by the server as
defined in 6.1.4 of <xref target="RFC9849"/>, the client follows the steps described
in 6.1.6 of <xref target="RFC9849"/>.  However, rather than follow 6.1.7 of
<xref target="RFC9849"/>, it follows the steps below to determine if each provided
ECH retry_config is authentic.</t>
          <ol spacing="normal" type="1"><li>
              <t>Validation: The retry_config MUST satisfy the requirements in
<xref target="extensions"/> and <xref target="wire-formats"/>, and MUST contain an
<tt>ech_auth</tt> extension; a retry_config that does not is treated as
failing validation.  The client computes the SHA-256 hash of the
provided <tt>spki</tt> and verifies it matches one of the entries in the
<tt>trusted_keys</tt> recorded from the <tt>ech_authinfo</tt> of the initial
ECHConfig used for this connection attempt, then verifies the
signature using the public key contained in <tt>spki</tt>.</t>
            </li>
            <li>
              <t>Validity Checking: The client verifies that
<tt>not_after</tt> is strictly greater than the current time.</t>
            </li>
            <li>
              <t>If steps 1 and 2 complete successfully:
              </t>
              <ul spacing="normal">
                <li>
                  <t>The client treats the retry_config as authentic
per <xref target="RFC9849"/>.</t>
                </li>
                <li>
                  <t>The client MUST terminate the connection and retry
with the new ECHConfig or without ECH if indicated
by the server.</t>
                </li>
                <li>
                  <t>The retry does not consider the server's TLS
certificate for the public name.</t>
                </li>
                <li>
                  <t>The client need not validate any other provided retry_config.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>If steps 1 or 2 do not complete successfully the client should
process the remaining retry_configs (if any).</t>
            </li>
            <li>
              <t>If no retry_config can be successfully authenticated, the client
behaves as though the validation process described in 6.1.7 of
<xref target="RFC9849"/> has failed.  The client MUST abort the connection with
the appropriate alert and report the error to the calling
application.</t>
            </li>
          </ol>
          <t>A signed retry configuration validated by these steps is valid only for
the immediate retry attempt.  Clients MUST NOT persist it or use it as
an initial ECHConfig for later connections unless it is revalidated
against a freshly obtained ECHConfig that contains <tt>ech_authinfo</tt>.</t>
          <t>Note: Regardless of validation outcome in an ECH
rejection, the client will terminate the current
connection.  The difference is whether it retries with the
new config or ECH disabled (validation success) or treats it as a
certificate validation failure (validation failure).</t>
        </section>
        <section anchor="mandatory">
          <name>Backward Compatibility</name>
          <t>ECHConfig extensions, unlike TLS extensions, can be tagged
as mandatory by using an extension type codepoint with the
high order bit set to 1 <xref target="RFC9849"/>.  A client
that does not understand a mandatory ECHConfig extension
MUST ignore the entire ECHConfig.</t>
          <t>The <tt>ech_authinfo</tt> and <tt>ech_auth</tt> extensions are mandatory.
The codepoints assigned to them (<xref target="iana"/>) have the high-order bit set.
As a consequence, a client that does not implement this specification
(a "legacy client") and receives an initial ECHConfig with
<tt>ech_authinfo</tt> ignores the entire ECHConfig and does not attempt ECH
with it, connecting directly or using another compatible configuration.
This is the intended behavior: a legacy client would otherwise attempt
ECH and then be unable to authenticate any <tt>retry_configs</tt> delivered on
an ECH rejection (because, in the deployments this document targets, the
server may hold no certificate valid for the public name), causing the
connection to fail.  Marking the extension mandatory ensures such
clients degrade gracefully rather than using a configuration whose retry
path they cannot complete.</t>
          <t>Servers wanting to support both legacy clients and clients that
understand this specification should offer multiple ECHConfigs, one with
<tt>ech_authinfo</tt>, one without.</t>
        </section>
      </section>
    </section>
    <section anchor="example-exchange">
      <name>Example Exchange</name>
      <section anchor="initial-setup">
        <name>Initial Setup</name>
        <t>Consider <tt>api.example.com</tt> as a service protected by ECH
with public name <tt>ech.example.net</tt>.  The operator publishes
an ECHConfig via DNS HTTPS RR with the <tt>ech_authinfo</tt>
extension containing, in <tt>trusted_keys</tt>, the SHA-256 hash
of the SPKI of an ECDSA P-256 signing key (using the
mandatory-to-implement <tt>ecdsa_secp256r1_sha256</tt> scheme).</t>
      </section>
      <section anchor="successful-ech">
        <name>Successful ECH</name>
        <t>This flow works identically to existing ECH.</t>
      </section>
      <section anchor="ech-rejection-with-recovery">
        <name>ECH Rejection with Recovery</name>
        <ol spacing="normal" type="1"><li>
            <t>Client connects: Uses outdated ECHConfig</t>
          </li>
          <li>
            <t>Server rejects ECH: Cannot decrypt inner ClientHello</t>
          </li>
          <li>
            <t>Server continues outer handshake:
            </t>
            <ul spacing="normal">
              <li>
                <t>Sends signed ECHConfig in EncryptedExtensions</t>
              </li>
              <li>
                <t>Uses TLS certificate for <tt>ech.example.net</tt> (the client
does not validate this certificate; retry
authentication uses the signed ECHConfig)</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Client recovery:
            </t>
            <ul spacing="normal">
              <li>
                <t>Validates new ECHConfig via the signature it carries.</t>
              </li>
              <li>
                <t>Closes connection</t>
              </li>
              <li>
                <t>Immediately retries with new ECHConfig</t>
              </li>
            </ul>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <section anchor="passive-attackers">
        <name>Passive Attackers</name>
        <t>This mechanism preserves ECH's protection against passive
observation.  ECHConfig updates are delivered within the
EncryptedExtensions TLS message, preventing passive
observers from learning about configuration changes.  The
mechanism ensures that even during retry scenarios, the
client's intended server name is never exposed in
cleartext.</t>
      </section>
      <section anchor="active-network-attackers">
        <name>Active Network Attackers</name>
        <t>The security of this mechanism fundamentally depends on the authenticity
of the initial ECHConfig.  If an attacker can inject a malicious initial
configuration, the client's privacy is compromised, but their
connections remain properly authenticated.</t>
        <t>On ECH rejection, the client sends no application data over the outer
handshake, so an attacker that presents a forged or unvalidatable retry
configuration extracts nothing from the client beyond what the rejection
itself reveals.</t>
        <t>Initial retrieval of ECHConfigList via DNS is unchanged by
this mechanism.  This specification does not attempt to
authenticate the initial DNS fetch.  ECHConfigs obtained
via HTTPS from a well-known URI benefit from Web PKI
authentication.  Pre-configured ECHConfigs in applications
derive their trust from the application's distribution
channel.</t>
        <section anchor="retry-configuration-integrity">
          <name>Retry Configuration Integrity</name>
          <t>ECHConfigs delivered in EncryptedExtensions are carried inside the TLS
1.3 handshake and are hidden from passive observers.  For signed
ECHConfigs, retry configuration integrity does not depend on
authenticating the outer TLS server identity, because the client does
not validate the server's certificate chain for the public name.</t>
          <t>Instead, the client verifies each ECHConfig against the trusted keys
recorded from the initial ECHConfig.  This authenticates the
configuration to the trust anchor that authorized the initial ECHConfig,
but, unlike a CertificateVerify computed over the handshake transcript,
the signature carries no connection-specific input.</t>
          <t>The <tt>not_after</tt> timestamp ensures configuration freshness.
This temporal bound prevents clients from accepting stale
configurations that might use compromised keys or outdated
parameters.</t>
          <t>The requirements in 6.1.7 of <xref target="RFC9849"/> already require clients to
ignore any session tickets or session ids presented by the server.</t>
        </section>
        <section anchor="replay-and-freshness-of-signed-configurations">
          <name>Replay and Freshness of Signed Configurations</name>
          <t>A signed ECHConfig is authenticated as a detached object rather than
through the connection that delivers it.  It is therefore valid in any
connection until its <tt>not_after</tt> time, and a party that obtains one (for
example, by requesting a retry configuration as an ordinary client) can
present it in other connections within that window.  This is an intended
consequence of the design: detaching the configuration from the
connection is what allows operators to sign updates offline and without
a certificate for the public name.</t>
          <t>Replay is bounded.  An attacker cannot forge a configuration that was
never signed; it can only re-present one the operator actually issued,
and only until that configuration's <tt>not_after</tt>.  The <tt>not_after</tt> window
is the freshness bound on a signed configuration, so operators SHOULD
keep it as short as their signing cadence allows.  Removing a key's hash
from <tt>trusted_keys</tt> prevents acceptance of configurations signed by that
key once clients refetch the initial ECHConfig.</t>
          <t>When rotating away from a compromised HPKE key, operators should note
that retry configurations signed before the rotation remain valid until
their <tt>not_after</tt>; an on-path attacker can replay one to steer a client
back onto the old key during that window.  Rotation is therefore not
complete until the last signed configuration referencing the retired key
has expired, and operators SHOULD choose <tt>not_after</tt> with this in mind.</t>
          <t>Validation checks only that the signing key's hash appears in
<tt>trusted_keys</tt>; it does not bind a retry configuration to the initial
configuration it updates.  An operator that signs configurations for
multiple independent domains with a single key therefore allows a
configuration signed for one domain to validate when presented during a
connection to another.  To preserve the isolation this mechanism
provides for privacy-critical key material, operators SHOULD use a
separate signing key per isolation domain.</t>
        </section>
        <section anchor="key-management">
          <name>Key Management</name>
          <t>Servers MUST protect their ECH update signing keys.  If a
signing key is compromised, the server SHOULD remove its
hash from <tt>trusted_keys</tt>.  As clients do not cache <tt>trusted_keys</tt> beyond
the lifetime of their initial connection attempt, this removal takes
effect as soon as the client is aware of the new ECHConfig, e.g.
via DNS.</t>
          <t>Servers SHOULD include multiple
keys in <tt>trusted_keys</tt> to facilitate key rotation and
recovery from compromise.</t>
        </section>
      </section>
      <section anchor="implementation-vulnerabilities">
        <name>Implementation Vulnerabilities</name>
        <section anchor="failure-handling">
          <name>Failure Handling</name>
          <t>ECH connection attempts with signed updates are handled
identically to existing ECH connection attempts.  The only
difference is in how the server authenticates retry
configurations, not how it responds to the success or
failure of that authentication.</t>
          <t>Algorithm agility is provided through the TLS SignatureScheme registry.
As specified in <xref target="extensions"/>, implementations MUST support
<tt>ecdsa_secp256r1_sha256</tt> and MAY support additional commonly deployed
algorithms.  An unsupported <tt>algorithm</tt> value MUST be treated as failing
validation, and the client continues to the next retry_config.</t>
        </section>
        <section anchor="denial-of-service-considerations">
          <name>Denial of Service Considerations</name>
          <t>The ECH specification allows ECH operators to decide which ECH
extensions to attempt to decrypt based on the public ECHConfig ID
advertised in the ClientHello and the public name.  Deployments of this
mechanism that vary the public name (for example, per-client public
names) weaken the public name as a routing signal.  This is an
operational routing tradeoff rather than a protocol mechanism: an
operator that chooses such configurations must select candidate
configurations using the remaining signals, such as the config ID, and
accept the processing cost of decryption attempts that do not succeed.</t>
          <t>Attackers cannot force servers to send signed ECHConfigs
without establishing TLS connections.  Standard TLS
denial-of-service mitigations (rate limiting, stateless
cookies) apply equally to this mechanism.</t>
        </section>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>This specification introduces no new privacy risks beyond
those already present in TLS and DNS when used with ECH.
ECHConfig updates are delivered within encrypted TLS
messages, preventing passive observers from learning about
configuration changes.  Server-directed ECH disablement
(a signed <tt>ech_auth</tt> with <tt>disable</tt> set to <tt>1</tt>) could
degrade privacy if signing keys are compromised, similarly to how a
valid TLS certificate for the public name could be used to disable ECH.</t>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <section anchor="tls-echconfig-extension-registry">
        <name>TLS ECHConfig Extension Registry</name>
        <t>IANA is requested to register two new entries in the "TLS ECHConfig
Extension" registry, in the "TLS Encrypted Client Hello (ECH)
Configuration Extensions" registry group established by <xref target="RFC9849"/>.
This registry operates under the Specification Required policy, and both
codepoints MUST be assigned with the high-order bit set, marking the
extensions as mandatory ECHConfig extensions as described in
<xref target="RFC9849"/>.</t>
        <t>The first entry registers <tt>ech_authinfo</tt>, which conveys the SHA-256
hashes of the public keys authorized to sign ECH retry configurations:</t>
        <ul spacing="normal">
          <li>
            <t>Value: TBD1 (assigned with the high-order bit set)</t>
          </li>
          <li>
            <t>Extension Name: ech_authinfo</t>
          </li>
          <li>
            <t>Recommended: N</t>
          </li>
          <li>
            <t>Reference: This document</t>
          </li>
        </ul>
        <t>The second entry registers <tt>ech_auth</tt>, which conveys the signing key and
signature for an ECH retry configuration:</t>
        <ul spacing="normal">
          <li>
            <t>Value: TBD2 (assigned with the high-order bit set)</t>
          </li>
          <li>
            <t>Extension Name: ech_auth</t>
          </li>
          <li>
            <t>Recommended: N</t>
          </li>
          <li>
            <t>Reference: This document</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="deployment-considerations">
      <name>Deployment Considerations</name>
      <section anchor="size-considerations">
        <name>Size Considerations</name>
        <t>When sending signed ECHConfigs in EncryptedExtensions,
servers SHOULD be mindful of message size to avoid
fragmentation or exceeding anti-amplification limits.</t>
      </section>
      <section anchor="key-rotation">
        <name>Key Rotation</name>
        <t>Operators SHOULD publish updates well in advance of key
retirement.  Include appropriate <tt>not_after</tt> values for
each signed configuration.  Consider overlapping validity
windows to allow graceful client migration.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC9180" target="https://www.rfc-editor.org/info/rfc9180" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9180.xml">
          <front>
            <title>Hybrid Public Key Encryption</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
            <author fullname="B. Lipp" initials="B." surname="Lipp"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9180"/>
          <seriesInfo name="DOI" value="10.17487/RFC9180"/>
        </reference>
        <reference anchor="RFC9460" target="https://www.rfc-editor.org/info/rfc9460" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9460.xml">
          <front>
            <title>Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)</title>
            <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
            <author fullname="M. Bishop" initials="M." surname="Bishop"/>
            <author fullname="E. Nygren" initials="E." surname="Nygren"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9460"/>
          <seriesInfo name="DOI" value="10.17487/RFC9460"/>
        </reference>
        <reference anchor="RFC9849" target="https://www.rfc-editor.org/info/rfc9849" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9849.xml">
          <front>
            <title>TLS Encrypted Client Hello</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="K. Oku" initials="K." surname="Oku"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>This document describes a mechanism in Transport Layer Security (TLS) for encrypting a message under a server public key.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9849"/>
          <seriesInfo name="DOI" value="10.17487/RFC9849"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9848" target="https://www.rfc-editor.org/info/rfc9848" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9848.xml">
          <front>
            <title>Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings</title>
            <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
            <author fullname="M. Bishop" initials="M." surname="Bishop"/>
            <author fullname="E. Nygren" initials="E." surname="Nygren"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>To use TLS Encrypted ClientHello (ECH), the client needs to learn the ECH configuration for a server before it attempts a connection to the server. This specification provides a mechanism for conveying the ECH configuration information via DNS, using a SVCB or HTTPS resource record (RR).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9848"/>
          <seriesInfo name="DOI" value="10.17487/RFC9848"/>
        </reference>
        <reference anchor="I-D.ietf-tls-wkech" target="https://datatracker.ietf.org/doc/html/draft-ietf-tls-wkech-12" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-tls-wkech.xml">
          <front>
            <title>A well-known URI for publishing service parameters</title>
            <author fullname="Stephen Farrell" initials="S." surname="Farrell">
              <organization>Trinity College Dublin</organization>
            </author>
            <author fullname="Rich Salz" initials="R." surname="Salz">
              <organization>Akamai Technologies</organization>
            </author>
            <author fullname="Benjamin M. Schwartz" initials="B. M." surname="Schwartz">
              <organization>Meta Platforms, Inc.</organization>
            </author>
            <date day="3" month="May" year="2026"/>
            <abstract>
              <t>We define a well-known URI at which an HTTP origin can inform an authoritative DNS server, or other interested parties, about its Service Bindings. Service binding data can include Encrypted ClientHello (ECH) configurations, that may change frequently. This allows the HTTP origin, in collaboration with DNS infrastructure elements, to publish and rotate its own ECH keys. Other service binding data such as information about TLS supported groups is unlikely to change quickly, but the HTTP origin is much more likely to have accurate information when changes do occur. Service data published via this mechanism is typically available via an HTTPS or SVCB resource record.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-wkech-12"/>
        </reference>
      </references>
    </references>
    <?line 719?>

<section anchor="appendix-a">
      <name>Client Retry State Diagram</name>
      <t>The following diagram shows client behavior upon ECH
rejection, when the server delivers retry_configs in
EncryptedExtensions.  The client validates each delivered
ECHConfig against the <tt>trusted_keys</tt> recorded from the
initial configuration, using the first one that
authenticates.  "ech_auth" refers to the authentication
extension within a delivered ECHConfig.</t>
      <figure anchor="fig-retry">
        <name>Client Retry State Diagram</name>
        <artwork><![CDATA[
    Receive retry_configs in EE
        (ECH was rejected)
                |
                v
      +------------------------+
      | More retry_configs     |<-------------+
      | left to validate?      |              |
      +------------------------+              |
         |                  |                 |
        yes                 no                |
         |                  |                 |
         v                  v                 |
   +----------------+   Treat as certificate  |
   | Validate next  |   validation failure;   |
   | config:        |   terminate connection; |
   |  - ech_auth    |   abort with alert;     |
   |    present     |   report error;         |
   |  - SPKI hash   |   do not retry.         |
   |    in          |                         |
   |    trusted_keys|                         |
   |  - signature   |                         |
   |    valid       |                         |
   |  - not_after   |                         |
   |    > now       |                         |
   +----------------+                         |
      |        |                              |
     no        yes                            |
      |        |                              |
      +--------|--- (try next config) --------+
               |
               v
         +-----------+
         | disable   |
         |  set?     |
         +-----------+
          |        |
         no        yes
          |        |
          v        v
    Terminate     Terminate connection;
    connection;   MUST NOT attempt ECH
    retry with    on retry; SHOULD
    new config.   clear cached config.
]]></artwork>
      </figure>
    </section>
    <section anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors thank Martin Thomson for earlier contributions
and discussions on the initial draft.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAIsvTGoAA8V963bbSHbu/3qKivyjpRlSY7mdnh6pZyay5I51pn2JZfes
nLNOrCJQpBCBAAcFSua4fZ4lz5Iny77VDQDdzsqP49VrNUUAhapd+/rtXZvz
+Vz1VV/bU31wvu1vbdNXheltqZ9fvNAXbbOsVvqycn1XLbZ91TbaNKV+2/YG
/zhQZrHo7P3kw+83JXw+UPjNqu12p9r1pao23anuu63rnzx+/IfHT1TZFo1Z
w/vLziz7udvWdXVvmnlfu7mrVo0t57a4nW9pNDeHJ0xnzam+tsW2q/qdemi7
u1XXbjen+t1P1+rO7uCb8lRpPccv9Mnxt/T5eVN0uw3O7qKuYKovbF23fOXi
Bf3/L3YXlkZfvH3zF6UMrKzteLwlzI5n+6oq7vS1TBauad12K9NUf6enT/UF
vqtddWZzu0M6wrr6qlnpn366oLvt2lT1qW6q4ratjTv26/5tZfvlP63w6nHR
rgdvvbRNUzn9v0xx59qp175s/17VtUlfQQOW9OD83/nB4+3dYODz2joHW9u1
+p9vbVk11dSa6nZbLmugfzq+CY/+UxFuoLmrpu3W8Oy9Req9/fHiycnJH+Tj
9ye/f+o/Pn36nXz8w8n3j/3Hp9+Fj98/hcdU1SwH48GF7/Hj1fzyGJdJTPNw
B/wCt9/bZks3Jsyhdb/bwHL/CjyDu/HPeAlvqfrb7eIUbq36frcCBnP2d1/F
kErN53NtFiAhpuiVmuQyfQgsdqQ7+7dt1VmnC7rkdN/qW3NvNYiOcra7t903
jmSnIMHbdkR4vbCwcItfNrZALjrW+mLbdTBGvZupBxA8emoJ++FmmkeCt5gG
PoO48lTLfFSnQaCVnwnc27S9NokU46zWetvg9uJnGRdm7LRR96auYETb9dWS
b4c50m2b7aKuCo18NdN1ta6I70u7qdvdGgZXy9p+rBZVDcJ7rNS7W2BoUAJb
vKbdxhYwINDI6MY+6DWQGjjQrWn4ZHowphpRygFhrmX1VVPU29JqU5YVXjO1
DgwEolM1ONmqgy/hMlwcDzbTD7cgnto2ZlHHXVOwaxmd9pD3AXiq3faw6/UO
KYC68+vIdsxMta7KsrZKPdJXTd+15bagmavLQErdLknFfRXT9bemD2toF71h
EujAeAWz1AQD4khsC46EGRWTjbbWBM4EzRI4M24dbK83IFaHkTQQDehRGX35
6lpf/3zxjEzLi3fv3lzDpF277QoLHwpQ5k59+vQPohM+f/70SUT/82dQUPLE
Ayx5fte0D41+//YKHxgrhc+fZ6Ct6vYBZ+2lBHaTSO9uhSHCDH+CWatNV+EG
tckatXW9oSdwD2CzkGDCbsi3ne27XcK5IJ+dHUslmA3POdkrdQl2DSaIewMj
lO7W3Fmg6zv4ewF6icyVyEnB+1M1QF9gj0yzDGS5cirhf711snUJKzJzTjCk
Jz/o4c+fvczCfQWtFzRfadvlElijf7AWl8emmTYUCHhvih3eLjpOtxsLjNV2
KK7vnV+rgxelL2WJd3ptGjDyduGqHl/n9KZ1rgKJ1NV607X3QTL9q2ao2eCx
O+v5nMSvgy3EB9aVLH2fLBrY9WQaRt9Wq1u8ewt0NN3K9jy1vgdramkVV6A6
a9cq4FtgdNwIXNHWoeJI14RqCahCIhY1IuyWAl3heAKsdAKNiGFEXEczdiMF
WomqQFLBq+redg2ZzEx5ghrJNWsuljKHsoVR0CyIDknsFJmuti4DGVEN7Vdr
itQa8jDMlUTQ6SEzkCQaGIH4E58lQVJDW8g8VlbLpSU9U7bgh6C2BtZALQD/
V6SycZfRlAMJdGJztOi9dI+3zpZESpvIbSpATrQ8q3WQQ5RocAbQDIHHCfta
4q1guUq92InsgkoBBU1aRV1vF/8O6uMNvRQczSuQRSDIeVC/KjFEshWgYoST
rl+cz5/843c0JsyBR50cky62jUV+X6PXIMvESYorW/0dJgnExvn7Zc1IVq2B
XUfefEuUv8goX5iuY8OMD5p+C4MvQZz4bTgj5GB8zzHzZAcMbgrLK2gsv3To
YSSvyze6vwXfbEVKmZgrqEKaKT7F61av2GI+Qi/7HodG44v3XNol0RT+5q2F
uWmMDZw+ePn++t3BjP+vX72mz2+f/8v7q7fPL/EzEPynn8IHJXdcv3j9/qfL
+Ck+efH65cvnry75YfhWZ1+pg5fn/3rAND54/ebd1etX5z8dMCOmwotcBTRa
WBRj221AAIBqwM9gWAowoPAHPPPs4s1//sfJU81KGX1qMIT8B3rV8Ad6hPy2
tql38icQcqfMZmNNR1oIJKUwm6o3NcuOu0XjibbqWP3wZ5Aeq+ff/flPaqhh
jHNb1GRLswZ5MqToSSh8sCVTAa8epoKT8NucGa3MpsyAWUCcO+YRspc4I1Dw
MP0DePYAd/iRfme7ddW0dbvakdllDj1VEMCgFSyr+6rcTjlzmg3klgcukTOI
mOD75/NgzResOQh0DfzitvAl7IPWNyxPH1Bt3MzCn8BaN/oQNO6LN3957oeE
YAYoAJeOZvAkCdjH3jaOPNVk/mj1aQ2gDP62tU1hh0IcdUJYh+P5xKXQog8N
qB+QLDRDZFfB5wNvpetFcRl98t18UfXwZG2bFX4D01qbHZKLbMwaA9VNTeEG
CmmTeyjwIFlCd5Su4N2za334rp0/s/NrCpGOeD1LmOctqjhQbBJGivKaWpKQ
XRwCJDbo4g+oMW4i5di602JwmJugjG54s+AxvAgrSZ52Fo2s/rvt2jmvWxyq
eA88F97BRpBvnCUzvYn7d6PvQfWCT6PDfaKX/L38tcyKRBv9jy1Sc0nP0eYk
U8Kv195IRn+yTk0C86NwU58tIE4ffPkbMNsfIHy1HTIp+N/oidwgG964zV11
w7O9MfUK7EF/u5ZpIltyjKuH0hXnwIEEswt5GVNzoE3AeYp/EG2GmN/RxkXf
HB5L/FiwjtUSrDb8FYwHh46JBcdJ4n6ylyYslsmq7IO8PawGSVId22PSj1oM
ZM8eEwYmwRP19h/oxjJQlczPoA/boiIpEa5k8kTlc0xghUYVA49iSLMGTQpq
ZSvOL+w3u5psK5Mg7vUWvZfrV1c4T2T83GCMPLSKfVPZQ3ag9MD1A8rRhQ88
Sedpl0chDscHV8Z4R42UZYg0nwdJ0AF/IJuPHoktZ19UszCD1i/Mv53jdo3W
HOLd0oc2vKGOXVuiDj0JAx5uG+tnc5QFvumEyLPzMuUYAIKx63qX8wHKTMYu
6OEDZcEWcQgk8go2megxDDrIA3kZfMfXsJb7yj6w4zFwdRGTyAUHI7NUeIDt
s9mBdwiGt7xHB9vBu33YDGPxFNfWEPrxHD24fcOqxIWzBB7cEBJrS7RfDpQC
OYBM8oVF3rwRz/Pw+s1fro5u8BmjokvJNKmcnvAsJczhaDiXB6X+iluE0VtV
cjA2cdssRZ087dSIdjcq0g1DkhBPsntO0zxkrXdEWs+oRPecocgEMUIC7QZU
EUvB261E8DGSgx1ZoQrsWdlkD+FVxi5Q3YOXrPAe7+Jny0TO27NhQKhzz2cw
mgX3BpELckaGEI09XoESA1GbENEjHBLxSTekDMQdU1GE5v1m/36fmZmp4tYW
d4IsoX6mkAe4IUQENhJhwGrZs3hjvhwEGXFD7McNqLWSzRVZAuBf5RfBBmXr
JrZcdi0g0Eo05JrMCkenMNNUj2NIJ/Aj6axPn5j084W9NfdV25HiChvCvtW2
gAjHIZC+05E3TK6B87VtHXMPCMqa4hlCOhN8yfS9XW962k3yw4O3A0GsI8yt
2yIiKZE7vQXlujZgaRFzhAcnnW6MOCMkUO8yESsMwqKlD80MI4EQFmzBbuJm
LDhQRqsA+oPmEVwLREVvTm4osvCLn3bf4A52sgsEs9DR85sA4wVm5wV5DBUm
Qgr2mW3ApvQU5F4HP0VngSoEe89AMWHgjyOOcV0OLejhlljfzRgfi6F/CVy7
3SCJiWu9d02RfpAJTCiEqBTx0yGUlvm7oB1XVSOmSHlM2VmgPELT603b9aZB
FbQxBFTA+k8p6LmkPS96CXjJRDr9VyHNxbm+SAAhZNC4n7hfBKAleIlob4jW
e4akDmEOjQL9OmfqzzR9jvy4baq/oVfVgNcftgRFAlw12HYBp1JYijgTjYk3
vQ8izx67U9umtF1CGAnawOOFnfFhmMhsQJnUEGHClQ1xnCFYCRS8cm3N3PCG
rfX8Apw8dAMo5/cSISLQy0pdIffWiPHpi8tXCUQ3mw5iA7quiMjg1G3aKs3s
GFIP+CeaobW8KAhAozI8xDCMFik/mRxgcMWQI+DRVVSPAXbtKnfnBHYOmCdq
ZFIK9Ehv8wmhb7XtmuR2NhUyvgImxsUDfTsXYo/wQrhKirYezN8xspnPnxVz
lLWAWJYjQESZ+7YqHX8JYkYxLbxsagkz0PAwijcFSIOgHyPgjErkTdf2bdEC
w9ViDj49eoBNnDM67j4L4uFkE2JOioGshySMJ1pQJiMJzGEZpe0xg4vqtuaQ
ek5xOcfOZGvgrsb2mL1WdAnNZKcPF9VqDnxUmeZISOV2EGp9ZLPh9Q65oQ2n
qoFhm9XWrASOS+EXZn8kwXkWAujEff/0KC7nM/uraaJgnHfLfDX0qgUaLJVx
4vVJpBgds8PcxTnClEVVsvqfQgKQrAXieTs3iF5AhQAroX3HPAghh6L/k5zf
vpgUxS54wUMnkXzD6FckuaIk8yfRKMsGuq8h8Yf4k93A1lFa1qv9zEiQ+4De
Sp3iHx6DFO9zAR59BhRdTXmNoLZJx340a7BTM0FfJZMFc4IIQUGEcORd2oz8
Z5l7MhhYlbYG56ATUGki4BsMiR7yuWSSeTEcBZJ23gcb4CqP1TNbGDRRJkRT
tkPWg03v9RosFG0I0YunCtfV2FPSh/B9FmEezb7sgwWPH5wJWy8DPD0VAKgJ
EYDBtwtG63qBBs40iWKfzZC5LHg186Xti1vhvcloQCEXooeT75gkJya5mki+
YDS9Nq5PLnHIrNIoN17E9IK3zwS1spJLQT1cCQslFYDkfrcAKrRXBv76CCQE
+06IOyjjmkEUCWUx4yki4eHAFGSaadcqnANpZOFwTpX24iunSJl3QjamQ/ZQ
1nRA4i4VG62vBsMRnSglwe5eQgmkGqEGcb24yU06QdwYHEIJd8fgXExtsjkV
M5ffEZVGdIN9JBxuT/znYnnIsg2Ja68kwTv8f/CPC3U2Bl00jNpeQBD2f759
8n/PFF3h2/Un+kOHO3TK4j98++T4+Mm/nXw3//bJn87ozs+4PjQaGA5OD6X1
Fmz3d091wBrP9O9+g2azRXALNqZgpnzfVB+13bTg8vzmd9nD32uJH87wG3h4
0ba1NcBqj/Uf9dLUDlTbCXyEN9v0YVkvRvU/nMjcT2TqtEzPpdcgboiseaDz
bDSEv/OHx4NxAgnOmM68c0PYkiMe9B/0jdx/E0SyaZs5KqjdMT08BHs9QBXT
NDkD3qSyGHSAD7kSAfR0O2ZgReBuiMdmqf4JhsarTfKNWEWQkhSHI9HZrbiq
5IFNah8QJMqEo9GpSLE1yZqCSiXjOqpIIGLWZ6TwGMhCA0E+WW7e8AZMrag0
4XIU6AzDtB0Bfa+bJCZPw7BIByXJu6LGVFjBU0+dEHLFR6hulrKg6hRF68SE
Xdv2WAC28UhGsE+Nt7FpJItFShj+sEqCWLBoy3RfwY26eUwIJOzgWcDCh6aV
CUYeJfl5jyLXg0eEqQa2KAxBRvzdxUREey9BWEz2oKJPFAvtx8f+Q20WtgZB
PACHZg6LmJ+/f/difn9yQHf17YeF/SD29o+Dh375JbcpLEykM+FN8wGXD/JI
zN7780hK/3omaQ96pX8lk7Q3jwRPjjNJ4Mmziy/yDR46mMQ4ywnFAcaYtr7k
Hf/4GP6xQWjauGE4zx3H1GgCRomrPWmrjDATiavptBVOdJy4opRFSF0J8pVu
xrESP4KqboKfQFgRYaXRNfZewBJjfky6CQkigyZkhRFTnUn34qYSkv/1mpOj
NHH5MB/CWXDRCqi7Z96GJ7uUxgkG2IqmG67D/AYv+f+WspvviTLRs5YQU8cQ
E1MnaZAJj79LvDIf9XGRjuT09WS8icksxiEn4k5i0rikyPMURG/XCwT1l2Nv
QSXewuHJH37/eP74BP579/jxKf33v/X7dxczoJwXcNDiGyXDHDGRFu22KZ3g
z+DxofptyvaBg1lhzTwiQKV823aYlOJ7MZeFqEQyipJRFtuYcKP0/LKTSCAy
8co21mc7fmqbVTIuhZVI0bmPPhcE2RZUdoyQd+u2VAmi+L2j2lIqHJLJAA2f
PNVgWzpKcCV1J6hVwDMwsF2FDYVTjIVwQSx7/ZhNVWypiFaw1RAZ4EN+G4n/
ZAdDBId0uXz+du4FeDKPIOpvDMynLokol1GlE2WohPc57laSakDUh+KoJNMg
tVGosAdZLUo1hEyD8nWufbUmayjl1f2AYfEykGG9mXnJbZLoX8WtDhYkyYvh
LGjmXl1PSILyBUchtEBXxsQXay4mBAXny9hgDakn843LFwML5BxJQPt9gE3+
G9MBoz0al17rUSXlR9R1i7hoAf+7myXVeeI0EehBxiZdEpHANliwpdamW1WU
wjQFZrpbDI418nZLoLffenqDdnf2QR+KJmYIrF2qddUAQ1CNCVFvqPTYK7gZ
ePk3krqkfFumjsY8F3YSaJYOD9uChgQEAG8NW0u5zt2GgSmIOs3a9ujACe9J
lSPeJVhY5IARUGOx0vqe+JYizMvrc0VFQpEPxMtL7Gi0J9USBYAjzOMv+HZJ
xqykrejYH2rZ3w8JJCbBiJQw/4FGn4yn3XaDmQs0aqUzH0APb0B8u5MP7tbA
h5txHK5env9reCypzt+zm6zs0pwbZ0ItxB1j4nCRU5NtKTNFmub1byf3mzJF
sd5UqiJQeeJ5CiRZmiRkXBJ8jG2ANhqw4llFhRQ/JCV706lEKnuAeJyVHUmi
V3+HPOmnvujh6vzVOWGJGLuf+7XBjFdYWr87YqSZAYJQwSUaUXJNYCPNmg5z
IJt2aOCxIB3m8art8UzMbVXbYPDXcJFim1EknbpSJZhAUlCsY6zOp2fBzoNn
Zbm6z3o8ABej/NS9zGJ9dk3VhLCWH7fEzjg/YjUSM4wXs+RLQZlJYCGs0UYS
hk0XLREywwqXNU06lKf4nFlxjfACPV6gGQRyeLqp20n9IQzzTLZQQi7OtcUv
KQAPRTOeV+GbrEJF9Iq6CSUsH5hDPtziDXnCFItMWpwH540RA81yXPqSnGs5
ZCI1Mjh/CK9Ojhn+h5AY33KqrwIIh/PL8telpbk4iVjSGV9BSNvRVFC/1LYX
vzhW5UZaw5MV3p4+D+R7ciy1vlwhNJyJnECSOXxxCtEUFTaNz31l0KBWOGQF
ctQ70ah0km4C6R5UrCdQCgWBulqvbYkgQb1LwnwJqDsUjVHhS1IO5KgGzKTp
W71GbltRJRjWwofkMVVLhWXNFJeC2SznTBi25Onzoxx7q5yO0/mgXiYwvtml
486SYBphmNIuDWiY7NXA+OiJ+fdxStePm2T9hHpJ2RpmShiBiueQkoGnKsan
khao/wqq8xhki0iMOUDJEhbvxlTlWFKivlBjMj7YxadaQGdKPU3VaUmZ7PhF
G+McTqVdyKGffN+x2javs0gYS8otPEJHMcAAP5qsv9BJ/YUv4ZwKNI+TAgF6
90NFRgIJjVyeJaTLUPVItt4L0gCuHiYZSEdJIuoLpWqRIopGx3TEbMp9nwoL
ejGdmJi2RPk0k0cLW1er2z6UovFCEl9fodlOlACmo1fIpy+9+aRqDxQKkCec
HNlD5X0HNqK9l2u0Baysgi3Qnx4NrX4wD1mdy70d5E2lmIuYCZN4pPXQg6wa
8db3Vg5yHEeH5kS7ThT6eUFVpc+HEUk5PzfMraFUnOHdqBo6K3VyBJqaomud
S9NdsdSSDv1R2QotA5/wcFzKKZh9OwWW9b45kJsGzzJkCZjSok1FLeWTbWm5
AevFKmQh5xBOYA5quHqu4DF9qhiHJMVzflgNOUERoNmtD8ZoMmrwglD0Jkf5
DEb7wABb58fwGqG3GwxAERAwmw0pQ49n8e7VZCw9JRIhC3H4IFGo9WucHYi1
TcF/5RGd1HMIWgWCtOBWJfpeXcvKvzs+Of79wD8e1hRfxmOL2XmdGXpYqLZ8
DZARX8QflBJtRMdcwmEGfONTZMv8eEaiKf2C+kDH4HIrGeC74QBAnRftAyqM
WbaLPJYsE+LP/KXV1Mt400BtlhgJomTiOollfGGACvWvnmhVUs1wTM7ZzyG2
4DLo7HaOsOCqk5KDrIiR3ZZPn5LyDT5v8+lTVs7yOQks/SkP7lkwZSDOfDGu
nwQJSsyXOy6t43NJMMY4SMptvcSj43NsERqPlRQSMafFnnvQHhiawFkxPriY
PTI4rmEVAV+mOoY8wCBcBC2HItGp0swIBwlEjANM1aQmoJAQPwUH2C8mJsCw
4wIRGnjyNKVg8hbT00oT5CWgOZMoUQIOwZu+PUafm9n3hIj8JLjzWSRwyknS
36SzoF33mGoeJweW9rlVrsZIivDGwxE3suB4v24qb+ZHDH41ll/FfcLjsolj
hNCIOFalfzJTMtlM2LGKtd8tlSR1ye3fOOkaQf9+9dT+eJXBJfelwUniLjB9
Sk7YpafZLsF7nsAcZYYTezV2HkWiCt+3ocNGHU0o3PLHPvQhRr7NDkG2f6R3
Nm2+tVh/sRi8LXMPMwODtEY/hw9p46bI6c0EPvHTysCRoHV1fkqEisBRvcgJ
jpx3zAK9sAHfyKEjTtls4G2briKq17brhas2/jnbdXy0nwYB75ePHpEhjmbt
/Au1UmFbvS1z3jr40nK253jei3SNjxdlMO8M+DjXxRT9BqEPR84MHj5yBGCB
xjXNHq9o5Az51h0MFoL/4eeq/LEFyaui17EQxbSvXGtUjcSY0Vu7Ml1JrwF1
mhY9MwARj7tL1Uw41iFb+VDV9VANsNJKvErZfV/CXBDOCT4SiVGVV4uLa//g
i/KkAlTCpJKANT9JYewjvEnUGxEZ3dHpWm7kRlTvh+PvjiQIeGaKuwcgCqXg
4Q45dP7p0RrYD6H03efk4GRS6zPDDavu2HtKvxYx7M1qxTWWYSTkOmnk0KSn
hxCoxqQMFSNHslAfA8bYF1Xvq0ROhh6SR1tVbvmpYhvzQgi3xSlMLIXjOa7J
8Ma6Sk+xDqug2CBnlVBZFRSGHeGNjFmE5aG2EQllUV7rw0+fKtOYz5+PQv0U
9XCYZ2s/VueOj9H4U7ezGJgNnB6PYLM/kJ9jPjT6oAY5KHby8MGRj8IE+psS
WdJUw0CaKOYmSZbhrmkBj6LtrcAlKUJ/IB1wWdIdzCC+voa5srZDaMrHbewU
9ZitL7WPXE+xLj5dpH4gnKL1sYafEvm8IV+GJ0Y46TMEctAO3mT26EbHwlOq
g5SjLaI29OGCc1kzj4nH6nypEA/HIrlLBx3rCA0rEHWhjhVg5b6q6ckRSl5E
NRMrA2tZcnX3S8N9pGjHgvxF4YAvqCIcj2yFXkulXWHHFHDXTGHZqqaxSOjM
klmaB6rvZZ8INpAEeudBU+8YgFz59kcPpukl3eMRCyoszjaRsaxw1hbdy0TK
x7zu0akWFXHMM8RKyBm56BO8HS+AZaAq/OecEIP/M/LCBzVETq5tv90obEDB
LtmN2VTHkkLD1mI3nNvGra0K69E4NsNBJtKDITibMEBj+wAB+iOZAbBSGRLj
0StuMvT2bVIulK0vKSYVmwnE/yo0SyVoVpoS1G/oluwUY+TGwGLzvp1H9bQv
C6cdJW/YRunrWCCHxJJ2PhjOYqmI72Uih2TbeOhMTmE9SnB873TBnwWmk3YU
1F740I9Exp3q95i6gJ0ftDvC2OfaJ0roJBZeO9UXeS5glE3ASEae88k4N0Rz
KYaZU6Wdm0iiTla28yM02al+NiMm0oe5/6ujhg4OP0eQcaSzNLAZgNXhiMdw
vkcYFVyEg6BEaVngz+HQYR4aIef6oSQ53Htw+5gfvahbfGHUbPz11SCrEVyr
7AUow74Ho/aCKgj5p0f+aNBn4pc3DIjrc98ySXguHgKKx6rhBd84L9EUC4q3
mqPqHmlIYnZ/QL+ziSWRGj4CqCeOMuA2S85lRiCdZbU5gvAZRsCKURJHiD62
g+SOIMgCbSeHCb0RIJ8C3+BhQQ4CXGEb01WtmKtQhxFscJJGobQ/wldcJcTn
VKmOFestWTg5D6JfSeFXRvP8zFaf78ESdL+hPD0nAzckOpJRTFsvqBw6Sfw6
jWGkaUJvLPJdq4ZLVsEuYrERoqAedMkImAYG38SjbVLTwKfSypl0QcCeSmmw
w0Eu8g1o9GGcCoR5PXAnsiiEM3HgGCShHxdThgJZzi0moKZrs4XG5gBkVlFf
rNCRAf+rEV1AftDUYZRwOBt9NGSMAFnJ/BZ214JBfrgNhQqyCiXHV5BxTY15
Jm9BJbMAn/jo3kXs7OBtGhafN8y0aDhVzg7hZEjmAIw80L5VowSd5wt8CR14
SeXUhWCTmv+xYaUFm0ETP1g2nfblq3+1C40JnwHurPWbzs49PVOdyb3W4oYi
vEzZAE7Z8cHeQOnkxm+ShoVIYyRIY2uJ79ITZ34Dr0BUV9SMViWv/9VzVNQT
JpQL+fNwBDlhCUaexcabb6sSTHOWZNQxyaj1j6H1h0p9sinkovJTjlvKEk++
d37YKfA/qUvfDoSchB677YUasyzBqwZmMO00mRhWoG6156ArMDN4TiaDmSIa
6puV+fgo6cUgLhc3PRsDwVN6i/P8Wcc38frTnmRtHB42pbj15VNp+4upF1Bi
KgT4Wcr/Zy5EG5fkx+0H7dAgXrbpZ4PWB75EuUn7U869yMI8Ntt+ohY3Vhh6
25Svk2ChBsyiRIUo6i0eU6fCWm8nY7dJFl9K6/AJJVMPSOfSnCwyS6LSOdGK
+WFxEFUssJPJD/IeATLM8UJTd8Atu1CbG5sIKQEjMOoEl4dRkgoUd08v9l/h
WWPR4cP0VJB+KpFFgfzREylpRpCpBZeAh4nnmbNZyZEMnhemlCp3JEgDQpV2
wkujUIIoWMcgcMVtKDmA7zjNzbEtYXC7NIDdwstrPmU44IqZnILF4hPJo7O6
5uQLljKqUMq4YFJb1+/t4aL5SDDVHprOx51HdPRdKE0AZROP/wSTHlw3qlLA
Yucku2ya4CCpBMLxWR3uI3AqdPVKbMjlrA9SyhCwiALN6b6sOWXaLxFDYGrN
geSSsFaZr2jsKwyEZccoSwRtn+cOE+pNch9GIACTwmBZGhUQEW+dsWPfMNQM
xtDTFTesT2NcPsRQ49vdFlwpFToEMkOMO1flxxImapl5X5TARkFviKJok2Yg
A1cP3KdhbbG6s3YjCKy7pepQX1/jo+DClLTLvD3YV8uu23vmPupmwyE1l/vk
+cCgtFhPGWGWgZYKp1YYDcGou8U7vSrBQsa+uN1jRqS8g8tCcFIPZud9m1Th
UZNAGDutr459VqySMtdxmVOYXyxZ9zUo3gNmmacNVUy8ZL/OSBibOSFImZMu
tf/EMy0mMTAj70PbBdwHl8T8IYiGhAl9ilP59P3zc0WEtaIhe+WZTU4rT/FH
KBgN7RxsT41A4L0K00JZX6BRkToYZkTLRhXqPXfWAzPUYEwQc+9auhHxmUXv
Zmd9kqTClE4OUe4956+8j9SiIi06pRCFiJMREI4hCobVQhBdPnIF83FDjkCN
HJC49JyV9MX1fR/lGD2XR/l9ETVnBtOQLUENhgzBI1EvPu/OPXD/Lm8qfZ3L
ACUV0Bn1RhtCfF4+d2Rpm0EQqiQryqXpEgLOC9+tJWv4Md53ql5UzqL/0OfN
HTAlHV/KKxKbzi1gGrMi/yJCqHxenIEI0UPUA4UryZLBncS96TGXUdgaXQk/
2w51F8IyThFvTWgt5ILoZvk0MNVHDdQbh4jkHtYV6Cg8DuKbD6edBiYKGSg7
CFOBG3pqmm2XSwrYQd20bMIT/xtt7wMGI2JpM1BoprFyzXd1T+BoWbKvIPQM
K72ThygpI+wFZs58m5eg5rD/oofApLQskFm6/WTnDfTP2xqPYvmeSrznP0oi
7wUMR3lf/2MCA/qI+IhApBATuuc1lhrtB0unxvO4MygalSc0K2xf95DySR6O
TCAHENshQ+BjlAZ1GzpLJypG0ptYnOvzlr7Mb1S8dT6qgK9crFAY9mIengnw
tfSUUkt7qA2qk2Z62OIhPUOi9qLXVL40fWqEThg1jFfV7Q4TpH4pokO3jTxm
y4ljIaF5Rihq8hVNKuZ4wwmwWNTkUefkDMiwkAP57NI2FWMw15KryKFSDm/G
faVEMWfNi7jYrECYgA/lI3ifZElR4QZUJoDn+JMBpUfxxBeN0cjVpQptJUNz
1PSkgl943sHpMkm9+bMZEUgkFrtHd3/w5OAoVGw5lraJxx5jFvTQuEs7RUrA
iRxkUuuALCJQ6dlGf1/4dYI0x2ZIr1MTqDDt0ziCN7jsR0j754HdXW+pSWpN
Rf5AJbKLw6A3loHFIhyeOP5OCzeVTiIT2A5iNcU+KhOAS2bI+8WGOEBu2dpM
TUnCWo43FXgwAsXag79JXFHE36JATw8hn2GQ6pSvqgo/dYHvHzT3wiOzmCjE
YgfErEri9Xm7nPu8HP72y8q3KyKT7H8PZsZtFrByBGjW3lW47VwBC5GcV6YD
RJKbdzEqPBajEVaZ/BRC05Kd8pAyN0gLJhN9RY8dhKC0oeVSH/lX1+zvUFUg
2QPKhH1l6iGc8CEiSbLBTWUb9BezDQMfLWYb2MbOOecvHRGl3oUcmsOphoy0
jHh6IHYMOeJjVcpnqQMMv8xcntDQOjg4Dra2Nh3vHJok/2s3X/5pCBZtPsrl
G0yi+uKZhc6PdABulGaiMo9wMituSABZsUKJTJNSNAL5OgRZ8GvYcqFaeGAW
yetKqd1FkvMK4x4EmzfLbx38Eo9Ofopn8HsKEQiOg/FvVUWp41A0b2gov60g
D7DCwsP+oaHidSYFb30PRe6b5g/I97cqKaEJh499KU1Ic4/rZmbggYeqh9T+
ZJVJUxVOw2OR45+VwbYQHXawanBtfnOG5We+PWQhDeKSlLrKfiEj/fGLqRbF
e/oTO2pL8jP6B6f63bPLE334NYQ5goci472i31VL5w2X3/re33j+7RV9IR7g
qc5+ZSEk6zDvs5cak5QYtLRLDqpzx8x9qx4s+sn/fNH/vQU/SryKsaTHYp95
kV1j8b+GfR3ZBOmFxCcjRzZuT1Zmplwesyws4QVYLQFc5Q/oOXwhelzYoVIt
O7OKEQf5OGiBufCqr+aGu6uJSJIRdBysZL85qF6PjtvLT1OFX5/BH7hBQLe8
9wgWQiIMj9DPUUEo6s87JgWwKRQi3UEIysUcyhQAgyWpvvgGQ60aBgtV/vSr
i9LMwp8bC9VM3kVeV6tw6BF/zQwxJPqVFr7MabRriu8uKwP3rmGXEV6B7fo4
N9KJMrY9K+Um/JkSFxOjctRqu2lHZabJKRoKpwJWnpdBT7fMziuOY2dnoliw
8Wo6//RrRxHUZOu/WeIushpkBNf0WYoVp3bgReyAkbIQhwx+5Cn/OQbqVBb9
kxS3DP2e3nLV4ohG+vnz0Dnt0J/m8d3+j8Il/++X0Tf38s1v53v+/VZu+EW/
bLvhBOjCD3vur+2yT9GpP/sLk1PaP4G9SxiMNP1VvH9n3egqeKB77//vjq/v
x/ePv6L7R4vFRb6jjgcmz8Py/b+EeiIOaWke42LnMx3u5x06Tecd67ljtHDm
79fzYB/8/VzKzzglFuqfxfkTGbxP7u+XGn6q3z/L10vjx54KfL+ERb7F3eB+
PK3+JbqP70+l+9fvnyf52q8bn93mr53PPPZf/Mrx/wRPPHzd+JP884X70xH3
D53eHwVjSmz+5+PHJfyCZugQzQ6xNjPukR7qk9EA4d99/CKly29TQfZxy1C+
wVX683DUPYMkK4xfZmT6lXujMuAZvwvymP+VSKfv9RekVU92i6Tbkk4H8I+S
NfDFmc/i0WzDAQyUt6zRoofHyOJ8OtWP4K85D0k/RP3Hg/0ewgE6e/q8wBKh
2pbkcgmExt494SDNHdZl9xjB37ZrJz2sfYtYhO58aY+jDChsWbF10mikyVJ7
9BPAx+q/ALnA61gmewAA

-->

</rfc>
