<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.3.8) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-tiloca-core-oscore-piv-enc-03" category="std" consensus="true" submissionType="IETF" updates="8613" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="OSCORE - Stand-in KID and Encrypted PIV">Stand-in Key Identifier and Encrypted Partial IV in the Constrained Application Protocol (CoAP) OSCORE Option</title>
    <seriesInfo name="Internet-Draft" value="draft-tiloca-core-oscore-piv-enc-03"/>
    <author initials="M." surname="Tiloca" fullname="Marco Tiloca">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>164 40</code>
          <country>Sweden</country>
        </postal>
        <email>marco.tiloca@ri.se</email>
      </address>
    </author>
    <author initials="J" surname="Preuß Mattsson" fullname="John Preuß Mattsson">
      <organization>Ericsson AB</organization>
      <address>
        <postal>
          <city>Kista</city>
          <code>164 40</code>
          <country>Sweden</country>
        </postal>
        <email>john.mattsson@ericsson.com</email>
      </address>
    </author>
    <author initials="R." surname="Höglund" fullname="Rikard Höglund">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>164 40</code>
          <country>Sweden</country>
        </postal>
        <email>rikard.hoglund@ri.se</email>
      </address>
    </author>
    <author initials="G." surname="Selander" fullname="Göran Selander">
      <organization>Ericsson AB</organization>
      <address>
        <postal>
          <city>Kista</city>
          <code>164 40</code>
          <country>Sweden</country>
        </postal>
        <email>goran.selander@ericsson.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>WIT</area>
    <workgroup>CoRE Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 92?>

<t>The security protocol Object Security for Constrained RESTful Environments (OSCORE) provides end-to-end protection of messages exchanged with the Constrained Application Protocol (CoAP). Messages protected with OSCORE include a CoAP OSCORE Option, where the "Partial IV" field specifies the sequence number value used by the message sender and the "kid" field specifies the identifier of the message sender. In order to reduce the information exposed on the wire that can be used for fingerprinting traffic and for tracking endpoints, this document defines a lightweight add-on method that obfuscates certain fields of the OSCORE Option, by encrypting the "Partial IV" field and overwriting the "kid" field with a stand-in identifier. Therefore, it updates RFC 8613. With minor adaptations, the defined method is applicable also to the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE) that protects group communication for CoAP.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
  Constrained RESTful Environments Working Group mailing list (core@ietf.org),
  which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/core/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
  <eref target="https://gitlab.com/crimson84/draft-tiloca-core-oscore-piv-enc"/>.</t>
    </note>
  </front>
  <middle>
    <?line 96?>

<section anchor="intro">
      <name>Introduction</name>
      <t>The security protocol Object Security for Constrained RESTful Environments (OSCORE) <xref target="RFC8613"/> provides end-to-end protection of messages exchanged with the Constrained Application Protocol (CoAP) <xref target="RFC7252"/>. OSCORE operates at the application layer by using CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/> and is independent of the specific transport used to exchange CoAP messages.</t>
      <t>Messages protected with OSCORE include the CoAP OSCORE Option, which specifies information for the message recipient to correctly perform decryption and verification upon message reception. In particular, some of the fields that can be included in the OSCORE Option comprise:</t>
      <ul spacing="normal">
        <li>
          <t>The "Partial IV" field, which specifies the sequence number value used by the sender endpoint when protecting an outgoing message. This field is always present in request messages, while it is typically absent in response messages, with a few exceptions mandating its presence.</t>
        </li>
        <li>
          <t>The "kid" field, which specifies the identifier of the sender endpoint protecting an outgoing message (i.e., the sender endpoint's OSCORE Sender ID). This field is always present in request messages, while it is typically absent in response messages.</t>
        </li>
      </ul>
      <t>Following a message protection with OSCORE, the OSCORE Option added to the message is not encrypted, since its content provides a recipient endpoint with information for processing the OSCORE-protected incoming message.</t>
      <t>However, the information conveyed in plaintext by the "Partial IV" and "kid" fields could be used for fingerprinting traffic from OSCORE endpoints, e.g., by giving hints about the order of messages sent by an endpoint, from which behavioral patterns could be implied. Also, such information could be used to perform trivial tracking of OSCORE endpoints across different network paths, by correlating the values of those fields that are observed in those network paths (e.g., following a network path migration, possibly across different network segments).</t>
      <t>In order to reduce the information exposed on the wire that can be used for fingerprinting traffic and for tracking endpoints, this document updates <xref target="RFC8613"/> and defines a lightweight add-on method that obfuscates certain fields of the OSCORE Option, by encrypting the "Partial IV" field and overwriting the "kid" field with a stand-in identifier.</t>
      <t>This method does not require in-band signaling and its use does not arbitrarily change on a per-message basis.</t>
      <t>Upon establishing an OSCORE Security Context, the communicating OSCORE endpoints already have an agreement about obfuscating the two fields of the OSCORE Option when that Security Context is used, for every OSCORE-protected message that includes the "Partial IV" field or the "kid" field. In the interest of specific use cases, such an agreement can be about always obfuscating both the "Partial IV" and "kid" fields, or instead about always obfuscating only the "Partial IV" field.</t>
      <t>Like for the overall protection of messages with OSCORE, this method is agnostic of how exactly the OSCORE Security Context was established and of how the agreement on using this method was reached. Nevertheless, this document also defines means that endpoints can use to reach that agreement. Absent an explicit agreement, the "Partial IV" and "kid" fields in the OSCORE Option are not obfuscated and retain their original values, in order to preserve interoperability.</t>
      <t>With minor adaptations to what is defined for the case where OSCORE is used, the method defined in this document is applicable also to the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE) <xref target="I-D.ietf-core-oscore-groupcomm"/> that protects group communication for CoAP <xref target="I-D.ietf-core-groupcomm-bis"/>. In the interest of such a case, this document also defines means to align the members of an OSCORE group about obfuscating the "Partial IV" and "kid" fields of protected messages exchanged within the group.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

<t>Readers are expected to be familiar with the terms and concepts related to CoAP <xref target="RFC7252"/>, Concise Data Definition Language (CDDL) <xref target="RFC8610"/>, Concise Binary Object Representation (CBOR) <xref target="RFC8949"/>, COSE <xref target="RFC9052"/>, OSCORE <xref target="RFC8613"/>, and Group OSCORE <xref target="I-D.ietf-core-oscore-groupcomm"/>.</t>
        <t>This document also refers to the following terms:</t>
        <ul spacing="normal">
          <li>
            <t>Ordinary Security Context: an OSCORE Security Context <xref target="RFC8613"/> or a Group OSCORE Security Context <xref target="I-D.ietf-core-oscore-groupcomm"/> such that, when employed to process a message, the method defined in this document is not used to perform/reverse the obfuscation of the "Partial IV" and "kid" fields in the OSCORE Option. An Ordinary Security Context does not include an Obfuscation Key in the Common Context (see <xref target="sec-obfuscation-key"/>).</t>
          </li>
          <li>
            <t>Obfuscating Security Context: an OSCORE Security Context or a Group OSCORE Security Context such that, when employed to process a message, the method defined in this document is used to perform/reverse the obfuscation of the "Partial IV" field in the OSCORE Option. An Obfuscating Security Context includes an Obfuscation Key in the Common Context (see <xref target="sec-obfuscation-key"/>).</t>
          </li>
          <li>
            <t>Incognito Security Context: an Obfuscating Security Context such that, when employed to process a message, the method defined in this document is also used to perform/reverse the obfuscation of the "kid" field in the OSCORE Option.  </t>
            <t>
Unless a Security Context is an Incognito Security Context, the "kid" field (if present) in the OSCORE Option is left unaltered.  </t>
            <t>
The particular way to mark an Obfuscating Security Context as an Incognito Security Context is implementation specific. For example, implementations can use an additional parameter in the Security Context.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-obfuscation-key">
      <name>Obfuscation Key</name>
      <t>When obfuscation is enabled for the OSCORE Option, the (Group) OSCORE Security Context is extended with one additional parameter in the Common Context. The result is an Obfuscating Security Context.</t>
      <t>The new parameter Obfuscation Key specifies the encryption key for deriving two separate keystreams, namely PIV_KEYSTREAM and KID_KEYSTREAM. On the sender side, PIV_KEYSTREAM and KID_KEYSTREAM are used to obfuscate the "Partial IV" and "kid" fields in the OSCORE Option, respectively, when those are included in an outgoing message protected with (Group) OSCORE. On the recipient side, the same keystreams are used to reverse the obfuscation of the two fields.</t>
      <t>The Obfuscation Key is derived as defined for the Sender/Recipient Keys in <xref section="3.2.1" sectionFormat="of" target="RFC8613"/>, with the following differences.</t>
      <ul spacing="normal">
        <li>
          <t>The 'id' element of the 'info' array is the empty byte string.</t>
        </li>
        <li>
          <t>The 'type' element of the 'info' array is "OBFKey". The label is an ASCII string and does not include a trailing NUL byte.</t>
        </li>
        <li>
          <t>If the Security Context is used for Group OSCORE and the Group Encryption Algorithm in the Common Context is set (see <xref section="2.1.7" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>), the following applies.  </t>
          <t>
The 'alg_aead' element of the 'info' array specifies the Group Encryption Algorithm from the Common Context encoded as a CBOR integer or text string, consistent with the "Value" field in the entry of the "COSE Algorithms" Registry for this algorithm <xref target="IANA.COSE.Algorithms"/>.</t>
        </li>
        <li>
          <t>If the Security Context is used for Group OSCORE and the Group Encryption Algorithm in the Common Context is not set (see <xref section="2.1.7" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>), the following applies.  </t>
          <t>
The 'alg_aead' element of the 'info' array specifies the AEAD Algorithm from the Common Context (see <xref section="2.1.1" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>) encoded as a CBOR integer or text string, consistent with the "Value" field in the entry of the "COSE Algorithms" Registry for this algorithm <xref target="IANA.COSE.Algorithms"/>.</t>
        </li>
        <li>
          <t>The L parameter of the HKDF and the 'L' element of the 'info' array is 16.</t>
        </li>
      </ul>
    </section>
    <section anchor="sec-oscore">
      <name>Processing in OSCORE</name>
      <t>This section describes how the method defined in this document is specifically employed for messages protected with OSCORE <xref target="RFC8613"/>.</t>
      <section anchor="sec-oscore-sender">
        <name>Sender Side</name>
        <t>When a sender endpoint uses a fresh Sender Sequence Number value from its own Sender Context to protect an outgoing message, that Sender Sequence Number value <bcp14>MUST</bcp14> be at least 65536. Consequently, the "Partial IV" field of the OSCORE Option will have a length of at least 3 bytes. As an exception, this requirement does not apply to the special case of the EDHOC + OSCORE request discussed in <xref target="edhoc-oscore-request"/>, where: i) the Sender Sequence Number used can have a value smaller than 65536; and ii) the "Partial IV" and "kid" fields of the OSCORE Option are not obfuscated.</t>
        <t>When composing a protected outgoing message MSG, the OSCORE Option <bcp14>MUST NOT</bcp14> include the "s" and "kid context" fields (see <xref section="6.1" sectionFormat="of" target="RFC8613"/>). As an exception, this requirement does not apply to the special case discussed in <xref target="six-tisch"/>.</t>
        <t>Once MSG is composed, if at least one among the "Partial IV" and "kid" fields is included in the OSCORE Option (see <xref section="6.1" sectionFormat="of" target="RFC8613"/>), the sender endpoint performs the following steps.</t>
        <ol spacing="normal" type="1"><li>
            <t>Consider ENC_PAYLOAD the portion of the CoAP payload of MSG that starts with the ciphertext of the COSE object.  </t>
            <t>
Then, compose SAMPLE_1 as the first N bytes from ENC_PAYLOAD's start, where N = min(LENGTH, 16) and LENGTH denotes the length in bytes of ENC_PAYLOAD. Note that LENGTH is guaranteed to be at least 9 and is typically equal to the length of the CoAP payload.</t>
          </li>
          <li>
            <t>Compose the 16-byte INPUT_1 as follows:  </t>
            <ul spacing="normal">
              <li>
                <t>If the length of SAMPLE_1 is less than 16 bytes, INPUT_1 is obtained by left-padding SAMPLE_1 with zeroes to exactly 16 bytes.</t>
              </li>
              <li>
                <t>If the length of SAMPLE_1 is 16 bytes, then INPUT_1 takes SAMPLE_1.</t>
              </li>
            </ul>
            <t>
If the OSCORE Option of MSG includes the "Partial IV" field, move to Step 3. Otherwise, move to Step 6.</t>
          </li>
          <li>
            <t>Compute the 16-byte PIV_KEYSTREAM as below:  </t>
            <t>
PIV_KEYSTREAM = AES-ECB(ENC_KEY, INPUT_1)  </t>
            <t>
where:  </t>
            <ul spacing="normal">
              <li>
                <t>AES-ECB is the AES algorithm in ECB mode <xref target="AES"/>.</t>
              </li>
              <li>
                <t>ENC_KEY is the Obfuscation Key from the Common Context of the Security Context used to produce MSG (see <xref target="sec-obfuscation-key"/>). ENC_KEY is used as the encryption key for the AES-ECB encryption.      </t>
                <t>
An exception applies in the special case discussed in <xref target="sec-kudos"/>, where the Obfuscation Key used as ENC_KEY is the one from the Common Context of a different Security Context, from which the Security Context used to produce MSG was derived.</t>
              </li>
              <li>
                <t>INPUT_1 is the result of Step 2. It is used as the plaintext for the AES-ECB encryption.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Compute the ENC_PIV value, by XORing with each other:  </t>
            <ul spacing="normal">
              <li>
                <t>The PIV value encoded within the "Partial IV" field of the OSCORE Option of MSG; and</t>
              </li>
              <li>
                <t>The Q bytes from PIV_KEYSTREAM's start, where Q is the length in bytes of the "Partial IV" field and PIV_KEYSTREAM is the result of Step 3.</t>
              </li>
            </ul>
            <t>
For example, if the PIV value encoded within the "Partial IV" field of the OSCORE Option of MSG is 0x001122 (Q = 3 bytes) and PIV_KEYSTREAM is 0xffeeddccbbaa99887766554433221100 (16 bytes), then the bytes of PIV_KEYSTREAM to XOR with the PIV value are 0xffeedd.</t>
          </li>
          <li>
            <t>In the "Partial IV" field of the OSCORE Option of MSG, replace its current PIV value with the ENC_PIV value computed at Step 4.  </t>
            <t>
If the OSCORE Option of MSG includes the "kid" field, then move to Step 6. Otherwise, terminate this algorithm.</t>
          </li>
          <li>
            <t>If the Security Context used to produce MSG is an Incognito Security Context, compose the 16-byte INPUT_2, by taking INPUT_1 from Step 2 and negating its last bit. Then, move to Step 7.  </t>
            <t>
Otherwise, terminate this algorithm.</t>
          </li>
          <li>
            <t>Compute the 16-byte KID_KEYSTREAM as below:  </t>
            <t>
KID_KEYSTREAM = AES-ECB(ENC_KEY, INPUT_2)  </t>
            <t>
where:  </t>
            <ul spacing="normal">
              <li>
                <t>AES-ECB is the AES algorithm in ECB mode <xref target="AES"/>.</t>
              </li>
              <li>
                <t>ENC_KEY is the Obfuscation Key from the Common Context of the Security Context used to produce MSG (see <xref target="sec-obfuscation-key"/>). ENC_KEY is used as the encryption key for the AES-ECB encryption.      </t>
                <t>
An exception applies in the special case discussed in <xref target="sec-kudos"/>, where the Obfuscation Key used as ENC_KEY is the one from the Common Context of a different Security Context, from which the Security Context used to produce MSG was derived.</t>
              </li>
              <li>
                <t>INPUT_2 is the result of Step 6. It is used as the plaintext for the AES-ECB encryption.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Compute the 3-byte STAND_IN_KID value, by XORing with each other:  </t>
            <ul spacing="normal">
              <li>
                <t>The 3 bytes from LATEST_PIV's start, where LATEST_PIV is determined as follows.      </t>
                <ul spacing="normal">
                  <li>
                    <t>If the OSCORE Option of MSG includes the "Partial IV" field, then LATEST_PIV is the ENC_PIV value computed at Step 4. Otherwise,</t>
                  </li>
                  <li>
                    <t>MSG is a response and LATEST_PIV is the value encoded within the "Partial IV" field of the OSCORE Option of the corresponding request as it was sent on the wire (i.e., in its obfuscated form).</t>
                  </li>
                </ul>
              </li>
              <li>
                <t>The 3 bytes from KID_KEYSTREAM's start, where KID_KEYSTREAM is the result of Step 7.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>In the "kid" field of the OSCORE Option of MSG, replace the current KID value with the STAND_IN_KID value computed at Step 8.  </t>
            <t>
Unless the original KID value had a length of 3 bytes, this step alters the length of the OSCORE Option value. In such a case, the sender endpoint <bcp14>MUST</bcp14> update the "Option Length" field of the OSCORE Option accordingly (see <xref section="3.1" sectionFormat="of" target="RFC7252"/>).</t>
          </li>
        </ol>
        <t>Finally, the sender endpoint transmits MSG as expected.</t>
      </section>
      <section anchor="sec-oscore-recipient">
        <name>Recipient Side</name>
        <t>Upon receiving a protected incoming message MSG, the recipient endpoint has to determine the OSCORE Security Context to use for decrypting and verifying MSG (see <xref target="context-retrieval"/>).</t>
        <t>If a Security Context CTX is found and CTX is an Obfuscating Security Context, then the recipient endpoint uses CTX to reverse the obfuscation of the "Partial IV" and "kid" fields in the OSCORE Option of MSG as appropriate (see <xref target="reverse-obfuscation"/>). After that, the recipient endpoint uses CTX to decrypt and verify MSG.</t>
        <t>The procedures defined in <xref target="context-retrieval"/> and <xref target="reverse-obfuscation"/> do not apply to the special case of the EDHOC + OSCORE request discussed in <xref target="edhoc-oscore-request"/>, where: i) the "Partial IV" and "kid" fields of the OSCORE Option are not obfuscated; and ii) CTX is specifically the Security Context established from the ongoing key exchange session.</t>
        <section anchor="context-retrieval">
          <name>Retrieving the Security Context to Use</name>
          <t>If the recipient endpoint is a client, hence MSG is a response, the Security Context CTX to use is the same one that was used to protect the request to which MSG replies. That is, CTX is retrieved by leveraging the CoAP Token value that is specified in the "Token" field of MSG and was specified in the "Token" field of the corresponding request.</t>
          <t>Then, the following two cases are possible:</t>
          <ul spacing="normal">
            <li>
              <t>CTX is an Ordinary Security Context. In this case, the client uses CTX to decrypt and verify MSG, as defined in <xref section="8.4" sectionFormat="of" target="RFC8613"/>.</t>
            </li>
            <li>
              <t>CTX is an Obfuscating Security Context. In this case, the client performs the steps defined in <xref target="reverse-obfuscation"/>, in order to reverse the obfuscation of the "Partial IV" and "kid" fields in the OSCORE Option of MSG as appropriate, by using CTX. Building on the result, the client uses CTX to decrypt and verify MSG, as defined in <xref section="8.4" sectionFormat="of" target="RFC8613"/>.  </t>
              <t>
If the request to which MSG replies is an EDHOC + OSCORE request (see <xref target="edhoc-oscore-request"/>) and CTX is specifically an Incognito Security Context, then the client <bcp14>MUST</bcp14> treat MSG as invalid and discard it, in the case that the OSCORE Option of MSG includes the "kid" field but does not include the "Partial IV" field.</t>
            </li>
          </ul>
          <t>In the special case discussed in <xref target="sec-kudos"/>, the Security Context CTX* used to decrypt and verify MSG is different from the retrieved Security Context CTX that is possibly used to reverse the obfuscation of the "Partial IV" and "kid" fields in the OSCORE Option as appropriate; specifically, CTX* is derived from CTX.</t>
          <t>Instead, if the recipient endpoint is a server, hence MSG is a request, the Security Context CTX to use is determined as follows.</t>
          <ol spacing="normal" type="1"><li>
              <t>If the server stores at least one Ordinary Security Context, then move to Step 2. Otherwise, move to Step 3.</t>
            </li>
            <li>
              <t>The server assumes that the "Partial IV" and "kid" fields in the OSCORE Option of MSG were not obfuscated. Then, the server attempts to retrieve a Security Context as defined in <xref section="8.2" sectionFormat="of" target="RFC8613"/>.  </t>
              <t>
If this results in retrieving a Security Context CTX and CTX is an Ordinary Security Context, then the server uses CTX to decrypt and verify MSG, as defined in <xref section="8.2" sectionFormat="of" target="RFC8613"/>. In the case of successful decryption and verification, this algorithm terminates and the server continues processing MSG as expected.  </t>
              <t>
Instead, if no such CTX is found or if MSG is not processed successfully, the following applies:  </t>
              <ul spacing="normal">
                <li>
                  <t>If the server stores at least one Obfuscating Security Context, the server <bcp14>MUST NOT</bcp14> presently reply with any of the optional 4.01 (Unauthorized) or 4.00 (Bad Request) error responses defined in Sections <xref target="RFC8613" section="7.4" sectionFormat="bare"/> and <xref target="RFC8613" section="8.2" sectionFormat="bare"/> of <xref target="RFC8613"/>. Then, this algorithm moves to Step 4.</t>
                </li>
                <li>
                  <t>Otherwise, the server performs the same error handling as defined in Sections <xref target="RFC8613" section="7.4" sectionFormat="bare"/> and <xref target="RFC8613" section="8.2" sectionFormat="bare"/> of <xref target="RFC8613"/>. Then, this algorithm terminates.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>If the server stores at least one Obfuscating Security Context, then move to Step 4.  </t>
              <t>
Otherwise, the server performs the same error handling as defined at Step 2 of <xref section="8.4" sectionFormat="of" target="RFC8613"/> for the case where a Security Context is not found. Then, this algorithm terminates.</t>
            </li>
            <li>
              <t>Compose SAMPLE_1 by means of the same method at Step 1 of <xref target="sec-oscore-sender"/>, with reference to the present incoming message MSG.</t>
            </li>
            <li>
              <t>Compose the 16-byte INPUT_1 by means of the same method at Step 2 of <xref target="sec-oscore-sender"/>, using as SAMPLE_1 the result of Step 4 of the present algorithm.</t>
            </li>
            <li>
              <t>Compose the 16-byte INPUT_2, by taking INPUT_1 from Step 5 and negating its last bit.</t>
            </li>
            <li>
              <t>Select a Security Context CTX, such that CTX is an Obfuscating Security Context and has not been tested yet during this execution of the present algorithm.  </t>
              <t>
In particular, if there are selectable Obfuscating Security Contexts that are not Incognito Security Contexts, the selection of CTX is first attempted among those, using the same retrieval process defined in <xref section="8.2" sectionFormat="of" target="RFC8613"/>.  </t>
              <t>
In the case that the "kid" field of the OSCORE Option is obfuscated, the time spent to select and later successfully use the right Incognito Security Context could leak information about the plain OSCORE identifier (i.e., the OSCORE Sender ID of the sender of MSG). Implementations ought to counteract and limit such information leakage, e.g., by uniformly randomizing the selection process performed over the Incognito Security Contexts. Further details are left to the specific implementation and are out of the scope of this document.  </t>
              <t>
If no such CTX is found, then move to Step 12. Otherwise, the selected CTX is marked as tested and the following applies:  </t>
              <ul spacing="normal">
                <li>
                  <t>If CTX is an Incognito Security Context, check the length of the "kid" field of the OSCORE Option of MSG.      </t>
                  <t>
If the length is 3 bytes, move to Step 8. Otherwise, perform Step 7 again.</t>
                </li>
                <li>
                  <t>If CTX is not an Incognito Security Context, the value encoded in the "kid" field of the OSCORE Option of MSG is equal to the Recipient ID specified in the Recipient Context of CTX.      </t>
                  <t>
Hence, CTX is the Security Context to use for decrypting and verifying MSG, and this algorithm moves to Step 11.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Compute the 16-byte KID_KEYSTREAM by means of the same method at Step 7 of <xref target="sec-oscore-sender"/>. In particular:  </t>
              <ul spacing="normal">
                <li>
                  <t>ENC_KEY is the Obfuscation Key from the Common Context of the latest CTX selected at Step 7 of the present algorithm.</t>
                </li>
                <li>
                  <t>INPUT_2 is the result of Step 6 of the present algorithm.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Compute the 3-byte STAND_IN_KID value, by XORing with each other:  </t>
              <ul spacing="normal">
                <li>
                  <t>The 3 bytes from ENC_PIV's start, where ENC_PIV is the value encoded within the "Partial IV" field of the OSCORE Option of MSG.</t>
                </li>
                <li>
                  <t>The 3 bytes from KID_KEYSTREAM's start, where KID_KEYSTREAM is the result of Step 8.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>If the STAND_IN_KID value computed at Step 9 is not equal to the value encoded in the "kid" field of the OSCORE Option of MSG, then move to Step 7.  </t>
              <t>
Otherwise, the latest CTX selected at Step 7 is the Security Context to use for decrypting and verifying MSG, and this algorithm moves to Step 11.</t>
            </li>
            <li>
              <t>Run the algorithm in <xref target="reverse-obfuscation"/>, in order to reverse the obfuscation of the "Partial IV" and "kid" fields in the OSCORE Option of MSG as appropriate, by using the latest CTX selected at Step 7.  </t>
              <t>
Building on the result, the server uses CTX to decrypt and verify MSG, as defined in <xref section="8.2" sectionFormat="of" target="RFC8613"/>. An exception applies in the special case discussed in <xref target="sec-kudos"/>, where the Security Context CTX* used to decrypt and verify MSG is different from CTX; specifically, CTX* is derived from CTX.  </t>
              <t>
In the case of successful decryption and verification, this algorithm terminates and the server continues processing MSG as expected.  </t>
              <t>
Otherwise, if MSG is not processed successfully, the following applies:  </t>
              <ul spacing="normal">
                <li>
                  <t>The server <bcp14>MUST NOT</bcp14> presently reply with any of the optional 4.01 (Unauthorized) or 4.00 (Bad Request) error responses defined in Sections <xref target="RFC8613" section="7.4" sectionFormat="bare"/> and <xref target="RFC8613" section="8.2" sectionFormat="bare"/> of <xref target="RFC8613"/>.</t>
                </li>
                <li>
                  <t>The OSCORE Option of MSG is restored to be as it was before running the algorithm in <xref target="reverse-obfuscation"/>.</t>
                </li>
                <li>
                  <t>This algorithm moves to Step 7.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>The following applies:  </t>
              <ul spacing="normal">
                <li>
                  <t>If, since Step 4 of this execution of the present algorithm, the server has performed and failed at least one decryption and verification of MSG (see Step 6 of <xref section="8.2" sectionFormat="of" target="RFC8613"/>), the server performs the same error handling defined at Step 6 of <xref section="8.2" sectionFormat="of" target="RFC8613"/> for the case where decryption has failed. Then, this algorithm terminates. Otherwise,</t>
                </li>
                <li>
                  <t>If, since Step 4 of this execution of the present algorithm, the server has performed and failed at least one replay check on MSG (see Step 3 of <xref section="8.2" sectionFormat="of" target="RFC8613"/>), the server performs the same error handling defined in <xref section="7.4" sectionFormat="of" target="RFC8613"/> for the case where a replay has been detected. Then, this algorithm terminates. Otherwise,</t>
                </li>
                <li>
                  <t>The server performs the same error handling defined at Step 2 of <xref section="8.2" sectionFormat="of" target="RFC8613"/> for the case where a Security Context is not found.</t>
                </li>
              </ul>
            </li>
          </ol>
        </section>
        <section anchor="reverse-obfuscation">
          <name>Reversing the Field Obfuscation</name>
          <t>Given an Obfuscating Security Context CTX that was retrieved according to what is specified in <xref target="context-retrieval"/>, the recipient endpoint performs the following steps, in order to reverse the obfuscation of the "Partial IV" and "kid" fields in the OSCORE Option of the protected incoming message MSG.</t>
          <ol spacing="normal" type="1"><li>
              <t>If the OSCORE Option of MSG includes the "kid" field and CTX is an Incognito Security Context, then move to Step 2. Otherwise, move to Step 3.</t>
            </li>
            <li>
              <t>In the "kid" field of the OSCORE Option of MSG, replace the current STAND_IN_KID value with the Recipient ID specified in the Recipient Context of CTX.  </t>
              <t>
Unless the Recipient ID has a length of 3 bytes, this step alters the length of the OSCORE Option value. In such a case, the recipient endpoint <bcp14>MUST</bcp14> update the "Option Length" field of the OSCORE Option accordingly (see <xref section="3.1" sectionFormat="of" target="RFC7252"/>).</t>
            </li>
            <li>
              <t>If the OSCORE Option of MSG includes the "Partial IV" field, move to Step 4. Otherwise, terminate this algorithm.</t>
            </li>
            <li>
              <t>Compute the 16-byte PIV_KEYSTREAM by means of the same method defined at Step 3 of <xref target="sec-oscore-sender"/>. In particular:  </t>
              <ul spacing="normal">
                <li>
                  <t>ENC_KEY is the Obfuscation Key from the Common Context of the Security Context CTX that is used during this execution of the present algorithm.</t>
                </li>
                <li>
                  <t>INPUT_1 is composed by means of the same method defined at Step 5 of <xref target="context-retrieval"/>. Note that, if the recipient endpoint is a server, then INPUT_1 was already computed when actually performing Step 5 of <xref target="context-retrieval"/>.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Compute the PIV value, by XORing with each other:  </t>
              <ul spacing="normal">
                <li>
                  <t>The ENC_PIV value encoded within the "Partial IV" field of the OSCORE Option of MSG; and</t>
                </li>
                <li>
                  <t>The Q bytes from PIV_KEYSTREAM's start, where Q is the length in bytes of the "Partial IV" field and PIV_KEYSTREAM is the result of Step 4.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>In the "Partial IV" field of the OSCORE Option of MSG, replace its current ENC_PIV value with the PIV value computed at Step 5.</t>
            </li>
          </ol>
        </section>
      </section>
      <section anchor="special-cases">
        <name>Special Cases</name>
        <t>This section discusses some special cases where the use of the method defined in this document deviates from what is specified in <xref target="sec-oscore-sender"/> and <xref target="sec-oscore-recipient"/>.</t>
        <section anchor="edhoc-oscore-request">
          <name>EDHOC + OSCORE Request</name>
          <t>Two endpoints can run the authenticated key exchange protocol Ephemeral Diffie-Hellman over COSE (EDHOC) <xref target="RFC9528"/>, in order to establish an OSCORE Security Context (see <xref section="A.1" sectionFormat="of" target="RFC9528"/>). In particular, EDHOC messages can be transported over CoAP (see <xref section="A.2" sectionFormat="of" target="RFC9528"/>).</t>
          <t>When doing so, if the endpoint that sends the first EDHOC message acts as a CoAP client, it is possible to use the optimized workflow defined in <xref section="3" sectionFormat="of" target="RFC9668"/>. In such a case, the first OSCORE-protected CoAP request sent by the client additionally embeds the final EDHOC message, and it is protected with the OSCORE Security Context established from the present and still ongoing EDHOC session.</t>
          <t>Upon receiving such an EDHOC + OSCORE request, the server first extracts and processes the EDHOC message embedded therein, completes the EDHOC session, establishes the OSCORE Security Context, and finally uses the latter to decrypt and verify the OSCORE-protected CoAP request.</t>
          <t>When using this optimized workflow, the method defined in this document cannot be used to obfuscate the "Partial IV" and "kid" fields in the OSCORE Option of the EDHOC + OSCORE request.</t>
          <t>Therefore, the following applies for the OSCORE Option of that specific request:</t>
          <ul spacing="normal">
            <li>
              <t>The "Partial IV" field conveys in plaintext the Sender Sequence Number used by the client when protecting the request. That is, even if the OSCORE Security Context under establishment is an Obfuscating Security Context, the "Partial IV" field in the OSCORE Option of the EDHOC + OSCORE request is not obfuscated.  </t>
              <t>
As an exception to the requirement defined in <xref target="sec-oscore-sender"/>, the "Partial IV" field can have a length smaller than 3 bytes. In fact, it is expected to have a length of 1 byte and to encode the value 0.</t>
            </li>
            <li>
              <t>The "kid" field conveys the actual OSCORE Sender ID of the client, which the server offered earlier in the EDHOC session as its own EDHOC connection identifier C_R. Upon receiving the EDHOC + OSCORE request, the server needs to retrieve such an identifier as-is from the request, in order to correctly retrieve the EDHOC session and complete it, before establishing the OSCORE Security Context shared with the client.  </t>
              <t>
That is, even if the OSCORE Security Context under establishment is an Incognito Security Context, the "kid" field in the OSCORE Option of the EDHOC + OSCORE request is not obfuscated.  </t>
              <t>
Note that, if EDHOC is instead run as per the original workflow (see <xref section="A.2.1" sectionFormat="of" target="RFC9528"/>, the OSCORE Sender ID of the client is anyway exposed at least once, since C_R is prepended to EDHOC message_3 within the CoAP payload of a request sent by the client.</t>
            </li>
          </ul>
          <t>Furthermore, the following applies when protecting a response to an EDHOC + OSCORE request: if the OSCORE Security Context used to protect the response is an Incognito Security Context and the OSCORE Option of the response includes the "kid" field, then the OSCORE Option of the response <bcp14>MUST</bcp14> include the "Partial IV" field.</t>
        </section>
        <section anchor="sec-kudos">
          <name>KUDOS</name>
          <t>Two endpoints can use Key Update for OSCORE (KUDOS) <xref target="I-D.ietf-core-oscore-key-update"/>, a lightweight procedure for updating their OSCORE keying material by establishing a new OSCORE Security Context.</t>
          <t>Given the Security Context CTX_OLD to be replaced, there are two possible types of KUDOS messages that are exchanged during a KUDOS execution:</t>
          <ul spacing="normal">
            <li>
              <t>A divergent KUDOS message is protected with a temporary OSCORE Security Context CTX_TEMP, which is derived from CTX_OLD.</t>
            </li>
            <li>
              <t>A convergent KUDOS message is protected with the OSCORE Security Context CTX_NEW, which is derived from CTX_OLD and is intended to replace CTX_OLD.</t>
            </li>
          </ul>
          <t>If CTX_OLD is an Ordinary, Obfuscating, or Incognito Security Context, then CTX_TEMP/CTX_NEW derived thereof is correspondingly an Ordinary, Obfuscating, or Incognito Security Context.</t>
          <t>When using the method defined in this document to obfuscate the "Partial IV" and "kid" fields in the OSCORE Option of a KUDOS message, the following applies.</t>
          <ul spacing="normal">
            <li>
              <t>The Obfuscation Key to use <bcp14>MUST</bcp14> be the one specified in the Common Context of the Security Context CTX_OLD, from which the Security Context CTX_TEMP (CTX_NEW) is derived for protecting a divergent (convergent) KUDOS message.  </t>
              <t>
That is, with reference to a divergent (convergent) KUDOS message, the Obfuscation Key to use is not the one specified in the Common Context of the Security Context CTX_TEMP (CTX_NEW) that is used to protect the message.</t>
            </li>
          </ul>
        </section>
        <section anchor="six-tisch">
          <name>6TiSCH</name>
          <t>The Constrained Join Protocol (CoJP) defined in <xref target="RFC9031"/> specifies a "secure join" solution for a new device, called a "pledge", to securely join a 6TiSCH network where communications are protected with OSCORE. The Join process is assisted by a central entity called Join Registrar/Coordinator (JRC).</t>
          <t>As defined in <xref section="7.3" sectionFormat="of" target="RFC9031"/>, the following holds for a given pledge and the JRC sharing an OSCORE Security Context:</t>
          <ul spacing="normal">
            <li>
              <t>The OSCORE ID Context in the OSCORE Security Context is set to the pledge identifier.</t>
            </li>
            <li>
              <t>The OSCORE Sender ID of the pledge is set to the empty byte string.</t>
            </li>
            <li>
              <t>The OSCORE Sender ID of the JRC is set to the byte string 0x4a5243 ("JRC" in ASCII).</t>
            </li>
          </ul>
          <t>In the Join Request that the pledge sends to the JRC, the OSCORE Option includes the "s" and "kid context" fields, with the latter encoding the OSCORE ID Context.</t>
          <t>If the OSCORE Security Context shared by the pledge and the JRC is an Obfuscating Security Context, the following applies to protected CoJP messages:</t>
          <ul spacing="normal">
            <li>
              <t>If the "s" and "kid context" fields are present in the OSCORE Option of an outgoing CoJP message, the sender endpoint <bcp14>MUST</bcp14> remove the "kid context" field and <bcp14>MUST</bcp14> update the "s" field to encode the value 0.  </t>
              <t>
This step alters the length of the OSCORE Option value. Therefore, the sender endpoint <bcp14>MUST</bcp14> update the "Option Length" field of the OSCORE Option accordingly (see <xref section="3.1" sectionFormat="of" target="RFC7252"/>).</t>
            </li>
            <li>
              <t>If the OSCORE Option of an incoming CoJP message MSG does not include the "kid context" field and includes the "s" field encoding the value 0, the recipient endpoint performs the following steps in addition to those compiled in <xref target="reverse-obfuscation"/>:  </t>
              <ul spacing="normal">
                <li>
                  <t>Add the "kid context" field to the OSCORE Option of MSG.</t>
                </li>
                <li>
                  <t>In the "kid context" field of the OSCORE Option, set as value the ID Context that is specified in the OSCORE Security Context CTX to be used for decrypting and verifying MSG.</t>
                </li>
                <li>
                  <t>In the "s" field of the OSCORE Option, set as value the length in bytes of the "kid context" field added above.</t>
                </li>
              </ul>
              <t>
Unless the ID Context has a length of 0 bytes, this step alters the length of the OSCORE Option value. In such a case, the recipient endpoint <bcp14>MUST</bcp14> update the "Option Length" field of the OSCORE Option accordingly (see <xref section="3.1" sectionFormat="of" target="RFC7252"/>).</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
    <section anchor="sec-group-oscore">
      <name>Processing in Group OSCORE</name>
      <t>This section describes how the method defined in this document is specifically employed for messages protected with Group OSCORE <xref target="I-D.ietf-core-oscore-groupcomm"/>.</t>
      <t>In particular, the following presents the differences that apply with respect to the case where OSCORE is used (see <xref target="sec-oscore"/>).</t>
      <section anchor="group-oscore-keying-material">
        <name>Keying Material</name>
        <t>When the Group OSCORE Security Context is an Obfuscating Security Context, it is further extended with one additional parameter Obfuscation Sender Key in the Sender Context (see <xref target="obf-sender-key"/>) and with one additional parameter Obfuscation Recipient Key in each Recipient Context (see <xref target="obf-recipient-key"/>).</t>
        <section anchor="obf-sender-key">
          <name>Obfuscation Sender Key</name>
          <t>Within the Sender Context, the new parameter Obfuscation Sender Key specifies the encryption key for deriving the keystreams PIV_KEYSTREAM and KID_KEYSTREAM, when those are used to obfuscate the "Partial IV" and "kid" fields in the OSCORE Option of an outgoing message.</t>
          <t>The Obfuscation Sender Key is derived as the output OKM of an HKDF-Expand step <xref target="RFC5869"/>, i.e., OKM = HKDF-Expand(PRK, info, L), where:</t>
          <ul spacing="normal">
            <li>
              <t>The HKDF used is the HKDF Algorithm specified in the Common Context.</t>
            </li>
            <li>
              <t>PRK is the Obfuscation Key from the Common Context.</t>
            </li>
            <li>
              <t>info is the Sender ID specified in the Sender Context.</t>
            </li>
            <li>
              <t>L is the length in bytes of the Obfuscation Key from the Common Context.</t>
            </li>
          </ul>
        </section>
        <section anchor="obf-recipient-key">
          <name>Obfuscation Recipient Key</name>
          <t>Within a given Recipient Context, the new parameter Obfuscation Recipient Key specifies the encryption key for deriving the keystreams PIV_KEYSTREAM and KID_KEYSTREAM, when those are used to reverse the obfuscation of the "Partial IV" and "kid" fields in the OSCORE Option of an incoming message.</t>
          <t>The Obfuscation Recipient Key is derived as the output OKM of an HKDF-Expand step <xref target="RFC5869"/>, i.e., OKM = HKDF-Expand(PRK, info, L), where:</t>
          <ul spacing="normal">
            <li>
              <t>The HKDF used is the HKDF Algorithm specified in the Common Context.</t>
            </li>
            <li>
              <t>PRK is the Obfuscation Key from the Common Context.</t>
            </li>
            <li>
              <t>info is the Recipient ID specified in the Recipient Context.</t>
            </li>
            <li>
              <t>L is the length in bytes of the Obfuscation Key from the Common Context.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="group-oscore-sender-side">
        <name>Sender Side</name>
        <t>When composing a protected outgoing message MSG, the OSCORE Option includes the "s" and "kid context" fields according to what is specified for Group OSCORE in <xref target="I-D.ietf-core-oscore-groupcomm"/>. That is, the OSCORE Option always includes those fields in a request and may include those fields in a response.</t>
        <t>Once MSG is composed, if at least one among the "Partial IV" and "kid" fields is included in the OSCORE Option (see <xref section="6.1" sectionFormat="of" target="RFC8613"/>), the sender endpoint performs the same steps of <xref target="sec-oscore-sender"/>, with the following differences:</t>
        <ul spacing="normal">
          <li>
            <t>At Step 3, ENC_KEY is the Obfuscation Sender Key from the Sender Context.</t>
          </li>
          <li>
            <t>At Step 7, ENC_KEY is the Obfuscation Sender Key from the Sender Context.</t>
          </li>
        </ul>
        <t>As an exception to the requirement in <xref target="sec-oscore-sender"/> about the minimum value of Sender Sequence Number to use, <xref target="deterministic-requests"/> discusses the special case of a Deterministic Request where: i) the Sender Sequence Number used has a value smaller than 65536; and ii) the "Partial IV" and "kid" fields of the OSCORE Option are not obfuscated.</t>
      </section>
      <section anchor="group-oscore-recipient-side">
        <name>Recipient Side</name>
        <t>Upon receiving a protected incoming message MSG, the recipient endpoint determines the Group OSCORE Security Context CTX to use according to what is specified in <xref target="I-D.ietf-core-oscore-groupcomm"/>, i.e.:</t>
        <ul spacing="normal">
          <li>
            <t>If MSG is a request, CTX is retrieved by leveraging the Group Identifier value (Gid) of the group, which is encoded within the "kid context" field in the OSCORE Option of MSG.</t>
          </li>
          <li>
            <t>If MSG is a response, CTX is the same Group OSCORE Security Context that was used to protect the request to which MSG replies. That is, CTX is retrieved by leveraging the CoAP Token value that is specified in the "Token" field of MSG and was specified in the "Token" field of the corresponding request. The possible presence of the "kid context" field in the OSCORE Option can further aid the client, e.g., in the case that the group has been rekeyed and its Gid has changed.</t>
          </li>
        </ul>
        <t>If the retrieved Group OSCORE Security Context CTX is an Obfuscating Security Context, then the method defined in this document is used to obfuscate the "Partial IV" field in the OSCORE Option of every protected message exchanged within the group. Furthermore, if CTX is specifically an Incognito Security Context, then the method defined in this document is used to obfuscate also the "kid" field in the OSCORE Option of every protected message exchanged within the group.</t>
        <t>Consequently, within CTX, the recipient endpoint has to determine the specific Recipient Context REC_CTX to use for decrypting and verifying MSG (see <xref target="group-oscore-retrieve-rec-ctx"/>).</t>
        <t>Then, the recipient endpoint uses REC_CTX to reverse the obfuscation of the "Partial IV" and "kid" fields in the OSCORE Option of MSG as appropriate (see <xref target="group-oscore-reverse-obfuscation"/>). After that, the recipient endpoint uses REC_CTX to decrypt and verify MSG.</t>
        <t>The procedures defined in <xref target="group-oscore-retrieve-rec-ctx"/> and <xref target="group-oscore-reverse-obfuscation"/> do not apply to the special case of the Deterministic Request discussed in <xref target="deterministic-requests"/>, where: i) the "Partial IV" and "kid" fields of the OSCORE Option are not obfuscated; and ii) REC_CTX is simply the Recipient Context identified by the "kid" field.</t>
        <section anchor="group-oscore-retrieve-rec-ctx">
          <name>Retrieving the Recipient Context to Use</name>
          <t>Given the retrieved Group OSCORE Security Context CTX, the following describes how the recipient endpoint retrieves from CTX the specific Recipient Context REC_CTX to use.</t>
          <t>If the recipient endpoint is a client, hence MSG is a response, the client is able to simply retrieve the Recipient Context REC_CTX to use, in the case that both the following conditions apply:</t>
          <ul spacing="normal">
            <li>
              <t>The request corresponding to MSG was protected with the pairwise mode of Group OSCORE; and</t>
            </li>
            <li>
              <t>The "kid" field is not included in the OSCORE Option of MSG.</t>
            </li>
          </ul>
          <t>In such a case, REC_CTX is the Recipient Context associated with the other endpoint for which the request corresponding to MSG was protected. That is, this client protected such request by using its Pairwise Sender Key associated with that other endpoint. Consequently, the client performs the steps defined in <xref target="group-oscore-reverse-obfuscation"/>, in order to reverse the obfuscation of the "Partial IV" field (if present) in the OSCORE Option of MSG as appropriate, by using REC_CTX. Building on the result, the client uses REC_CTX to decrypt and verify MSG, as defined in <xref target="I-D.ietf-core-oscore-groupcomm"/>. The specific operations to perform depend on whether MSG is protected with the group mode or with the pairwise mode of Group OSCORE.</t>
          <t>If the request to which MSG replies is a Deterministic Request (see <xref target="deterministic-requests"/>), the same as discussed for the case above applies, with the following difference: REC_CTX is the Recipient Context associated with the other endpoint to which the request was sent, although the protection of the request did not rely on the Pairwise Sender Key associated with that other endpoint.</t>
          <t>In any other case, the recipient endpoint determines the Recipient Context REC_CTX to use as follows.</t>
          <ol spacing="normal" type="1"><li>
              <t>If CTX is an Incognito Security Context and the length of the "kid" field of the OSCORE Option of MSG is different from 3 bytes, move to Step 17.  </t>
              <t>
Otherwise, consider ENC_PAYLOAD as the portion of the CoAP payload of MSG that starts with the ciphertext of the COSE object.  </t>
              <t>
Then, compose SAMPLE_1 as the first N bytes from ENC_PAYLOAD's start, where N = min(LENGTH, 16) and LENGTH denotes the length in bytes of ENC_PAYLOAD. Note that LENGTH is guaranteed to be at least 9 and is typically equal to the length of the CoAP payload.</t>
            </li>
            <li>
              <t>Compose the 16-byte INPUT_1 by means of the same method at Step 2 of <xref target="sec-oscore-sender"/>, using as SAMPLE_1 the result of Step 1 of the present algorithm.</t>
            </li>
            <li>
              <t>Compose the 16-byte INPUT_2, by taking INPUT_1 from Step 2 and negating its last bit.</t>
            </li>
            <li>
              <t>Within CTX, select a Recipient Context REC_CTX that has not been tested yet during this execution of the present algorithm.  </t>
              <t>
In the case that CTX is not an Incognito Security Context, the selection of REC_CTX relies on the same retrieval process that is used in <xref section="6" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>.  </t>
              <t>
In the case that CTX is an Incognito Security Context, hence the "kid" field of the OSCORE Option is obfuscated (if present therein), the time spent to select and later successfully use the right Recipient Context could leak information about the plain OSCORE identifier (i.e., the OSCORE Sender ID of the sender of MSG). Implementations ought to counteract and limit such information leakage, e.g., by uniformly randomizing the selection process performed over the Recipient Contexts within CTX. Further details are left to the specific implementation and are out of the scope of this document.  </t>
              <t>
If no such REC_CTX is found, then move to Step 9. Otherwise, the selected REC_CTX is marked as tested and the following applies:  </t>
              <ul spacing="normal">
                <li>
                  <t>If CTX is an Incognito Security Context, move to Step 5.</t>
                </li>
                <li>
                  <t>If CTX is not an Incognito Security Context, the value encoded in the "kid" field of the OSCORE Option of MSG is equal to the Recipient ID specified in REC_CTX.      </t>
                  <t>
Hence, REC_CTX is the Recipient Context to use for decrypting and verifying MSG, and this algorithm moves to Step 8.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Compute the 16-byte KID_KEYSTREAM by means of the same method at Step 7 of <xref target="sec-oscore-sender"/>. In particular:  </t>
              <ul spacing="normal">
                <li>
                  <t>ENC_KEY is the Obfuscation Recipient Key from the latest REC_CTX selected at Step 4 of the present algorithm.</t>
                </li>
                <li>
                  <t>INPUT_2 is the result of Step 3 of the present algorithm.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Compute the 3-byte STAND_IN_KID value, by XORing with each other:  </t>
              <ul spacing="normal">
                <li>
                  <t>The 3 bytes from LATEST_PIV's start, where LATEST_PIV is determined as follows.      </t>
                  <ul spacing="normal">
                    <li>
                      <t>If the OSCORE Option of MSG includes the "Partial IV" field, then LATEST_PIV is the value encoded within that field. Otherwise,</t>
                    </li>
                    <li>
                      <t>MSG is a response and LATEST_PIV is the value encoded within the "Partial IV" field of the OSCORE Option of the corresponding request as it was sent on the wire (i.e., in its obfuscated form).</t>
                    </li>
                  </ul>
                </li>
                <li>
                  <t>The 3 bytes from KID_KEYSTREAM's start, where KID_KEYSTREAM is the result of Step 5.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>If the STAND_IN_KID value computed at Step 6 is not equal to the value encoded in the "kid" field of the OSCORE Option of MSG, then move to Step 4.  </t>
              <t>
Otherwise, the latest REC_CTX selected at Step 4 is the Recipient Context to use for decrypting and verifying MSG, and this algorithm moves to Step 8.</t>
            </li>
            <li>
              <t>Run the algorithm in <xref target="group-oscore-reverse-obfuscation"/>, in order to reverse the obfuscation of the "Partial IV" and "kid" fields in the OSCORE Option of MSG as appropriate, by using the latest REC_CTX selected at Step 4.  </t>
              <t>
Building on the result, the recipient endpoint uses REC_CTX to decrypt and verify MSG, as defined in <xref target="I-D.ietf-core-oscore-groupcomm"/>. The specific operations to perform depend on whether MSG is protected with the group mode or with the pairwise mode of Group OSCORE.  </t>
              <t>
In the case of successful decryption and verification, this algorithm terminates and the recipient endpoint continues processing MSG as expected.  </t>
              <t>
Otherwise, if MSG is not processed successfully, the following applies:  </t>
              <ul spacing="normal">
                <li>
                  <t>If MSG is a request, the recipient endpoint <bcp14>MUST NOT</bcp14> presently reply with any of the optional 4.01 (Unauthorized), 5.03 (Service Unavailable), or 4.00 (Bad Request) error responses that pertain to a failed processing of incoming requests. Note that, although such processing is defined in Sections <xref target="I-D.ietf-core-oscore-groupcomm" section="5.3" sectionFormat="bare"/>, <xref target="I-D.ietf-core-oscore-groupcomm" section="7.2" sectionFormat="bare"/>, and <xref target="I-D.ietf-core-oscore-groupcomm" section="8.4" sectionFormat="bare"/> of <xref target="I-D.ietf-core-oscore-groupcomm"/>, some of the corresponding error handling is inherited from Sections <xref target="RFC8613" section="7.4" sectionFormat="bare"/> and <xref target="RFC8613" section="8.2" sectionFormat="bare"/> of <xref target="RFC8613"/>.</t>
                </li>
                <li>
                  <t>The OSCORE Option of MSG is restored to be as it was before running the algorithm in <xref target="group-oscore-reverse-obfuscation"/>.</t>
                </li>
                <li>
                  <t>This algorithm moves to Step 4.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>If the application admits the dynamic derivation of new Recipient Contexts and the recipient endpoint intends to take advantage of that, move to Step 10. Otherwise, move to Step 17.</t>
            </li>
            <li>
              <t>The recipient endpoint contacts the Group Manager responsible for the OSCORE group (see <xref section="12" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>), and it retrieves from the Group Manager a set of pairs P = (ID, CRED). Within each pair, ID is the Sender ID of a current group member and CRED is the public authentication credential of that group member.  </t>
              <t>
Depending on the particular realization of Group Manager, it can also be possible to retrieve a selected subset of those pairs, e.g., such that the ID specified therein is not part of a list provided in the request to the Group Manager. The realization of Group Manager specified in <xref target="I-D.ietf-ace-key-groupcomm-oscore"/> makes it possible to do so.</t>
            </li>
            <li>
              <t>From the set obtained at Step 10, select a pair P such that:  </t>
              <ul spacing="normal">
                <li>
                  <t>P has not been selected yet during this execution of the present algorithm; and</t>
                </li>
                <li>
                  <t>The ID specified within P is not the Recipient ID stored in any of the Recipient Contexts within CTX.</t>
                </li>
              </ul>
              <t>
If no such P is found, then move to Step 17. Otherwise, move to Step 12.  </t>
              <t>
In the case that CTX is not an Incognito Security Context, the first pair P to select (if present) should be the one such that the ID specified therein is equal to the value encoded in the "kid" field of the OSCORE Option of MSG.</t>
            </li>
            <li>
              <t>Check if either of the following conditions applies:  </t>
              <ul spacing="normal">
                <li>
                  <t>CTX is an Incognito Security Context; or</t>
                </li>
                <li>
                  <t>CTX is not an Incognito Security Context and the value encoded in the "kid" field of the OSCORE Option of MSG is equal to the ID specified within the latest pair P selected at Step 11.</t>
                </li>
              </ul>
              <t>
If any of the two conditions above apply, then establish within CTX a new Recipient Context REC_CTX associated with the same other group member with which the latest pair P selected at Step 11 is associated. That is, within REC_CTX, ID and CRED from P are stored as the Recipient ID and authentication credential associated with the other group member.  </t>
              <t>
If the first of the two conditions above applies, this algorithm moves to Step 13.  </t>
              <t>
If the second of the two conditions above applies, REC_CTX is the Recipient Context to use for decrypting and verifying MSG, and this algorithm moves to Step 16.  </t>
              <t>
If none of the two conditions above applies, this algorithm moves to Step 11.</t>
            </li>
            <li>
              <t>Compute the 16-byte KID_KEYSTREAM by means of the same method at Step 7 of <xref target="sec-oscore-sender"/>. In particular:  </t>
              <ul spacing="normal">
                <li>
                  <t>ENC_KEY is the Obfuscation Recipient Key from the latest REC_CTX established at Step 12 of the present algorithm.</t>
                </li>
                <li>
                  <t>INPUT_2 is the result of Step 3 of the present algorithm.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Compute the 3-byte STAND_IN_KID value, by XORing with each other:  </t>
              <ul spacing="normal">
                <li>
                  <t>The 3 bytes from LATEST_PIV's start, where LATEST_PIV is the same one determined at Step 6.</t>
                </li>
                <li>
                  <t>The 3 bytes from KID_KEYSTREAM's start, where KID_KEYSTREAM is the result of Step 13.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>If the STAND_IN_KID value computed at Step 14 is not equal to the value encoded in the "kid" field of the OSCORE Option of MSG, then the following applies:  </t>
              <ul spacing="normal">
                <li>
                  <t>Depending on what is specified by the application, the recipient endpoint <bcp14>MAY</bcp14> delete the latest REC_CTX established at Step 12.      </t>
                  <t>
If REC_CTX is deleted in this particular circumstance, then this deletion does not require the recipient endpoint to initialize as invalid the Replay Window of any new Recipient Context created later within CTX (see <xref section="2.6.1.2" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
                </li>
                <li>
                  <t>This algorithm moves to Step 11.</t>
                </li>
              </ul>
              <t>
Otherwise, the latest REC_CTX established at Step 12 is the Recipient Context to use for decrypting and verifying MSG, and this algorithm moves to Step 16.</t>
            </li>
            <li>
              <t>Run the algorithm in <xref target="group-oscore-reverse-obfuscation"/>, in order to reverse the obfuscation of the "Partial IV" and "kid" fields in the OSCORE Option of MSG as appropriate, by using the latest REC_CTX established at Step 12.  </t>
              <t>
Building on the result, the recipient endpoint uses REC_CTX to decrypt and verify MSG, as defined in <xref target="I-D.ietf-core-oscore-groupcomm"/>. The specific operations to perform depend on whether MSG is protected with the group mode or with the pairwise mode of Group OSCORE.  </t>
              <t>
In the case of successful decryption and verification, this algorithm terminates and the recipient endpoint continues processing MSG as expected.  </t>
              <t>
Otherwise, if MSG is not processed successfully, the following applies:  </t>
              <ul spacing="normal">
                <li>
                  <t>If MSG is a request, the recipient endpoint <bcp14>MUST NOT</bcp14> presently reply with any of the optional 4.01 (Unauthorized), 5.03 (Service Unavailable), or 4.00 (Bad Request) error responses that pertain to a failed processing of incoming requests. Note that, although such processing is defined in Sections <xref target="I-D.ietf-core-oscore-groupcomm" section="5.3" sectionFormat="bare"/>, <xref target="I-D.ietf-core-oscore-groupcomm" section="7.2" sectionFormat="bare"/>, and <xref target="I-D.ietf-core-oscore-groupcomm" section="8.4" sectionFormat="bare"/> of <xref target="I-D.ietf-core-oscore-groupcomm"/>, some of the corresponding error handling is inherited from Sections <xref target="RFC8613" section="7.4" sectionFormat="bare"/> and <xref target="RFC8613" section="8.2" sectionFormat="bare"/> of <xref target="RFC8613"/>.</t>
                </li>
                <li>
                  <t>Depending on what is specified by the application, the recipient endpoint <bcp14>MAY</bcp14> delete the latest REC_CTX established at Step 12.      </t>
                  <t>
If REC_CTX is deleted in this particular circumstance, then this deletion does not require the recipient endpoint to initialize as invalid the Replay Window of any new Recipient Context created later within CTX (see <xref section="2.6.1.2" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
                </li>
                <li>
                  <t>The OSCORE Option of MSG is restored to be as it was before running the algorithm in <xref target="group-oscore-reverse-obfuscation"/>.</t>
                </li>
                <li>
                  <t>This algorithm moves to Step 11.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>The following applies:  </t>
              <ul spacing="normal">
                <li>
                  <t>If, during this execution of the present algorithm, the server has performed and failed at least one decryption and verification of MSG, the server performs the same error handling defined in Sections <xref target="I-D.ietf-core-oscore-groupcomm" section="7.2" sectionFormat="bare"/> and <xref target="I-D.ietf-core-oscore-groupcomm" section="8.4" sectionFormat="bare"/> of <xref target="I-D.ietf-core-oscore-groupcomm"/> for the case where decryption or signature verification has failed. Then, this algorithm terminates. Otherwise,</t>
                </li>
                <li>
                  <t>If, during this execution of the present algorithm, the server has performed and failed at least one replay check on MSG (see <xref section="5.3" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>), the server performs the same error handling defined in <xref section="5.3" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/> for the case where a replay has been detected. Then, this algorithm terminates. Otherwise,</t>
                </li>
                <li>
                  <t>The server performs the same error handling defined in Sections <xref target="I-D.ietf-core-oscore-groupcomm" section="7.2" sectionFormat="bare"/> and <xref target="I-D.ietf-core-oscore-groupcomm" section="8.4" sectionFormat="bare"/> of <xref target="I-D.ietf-core-oscore-groupcomm"/> for the case where a Security Context is not found.</t>
                </li>
              </ul>
            </li>
          </ol>
        </section>
        <section anchor="group-oscore-reverse-obfuscation">
          <name>Reversing the Field Obfuscation</name>
          <t>Given a Recipient Context RX_CTX that was retrieved according to what is specified in <xref target="group-oscore-retrieve-rec-ctx"/>, the recipient endpoint performs the following steps, in order to reverse the obfuscation of the "Partial IV" and "kid" fields in the OSCORE Option of the protected incoming message MSG.</t>
          <ol spacing="normal" type="1"><li>
              <t>If the OSCORE Option of MSG includes the "kid" field and CTX is an Incognito Security Context, then move to Step 2. Otherwise, move to Step 3.</t>
            </li>
            <li>
              <t>In the "kid" field of the OSCORE Option of MSG, replace the current STAND_IN_KID value with the Recipient ID specified in RX_CTX.  </t>
              <t>
Unless the Recipient ID has a length of 3 bytes, this step alters the length of the OSCORE Option value. In such a case, the recipient endpoint <bcp14>MUST</bcp14> update the "Option Length" field of the OSCORE Option accordingly (see <xref section="3.1" sectionFormat="of" target="RFC7252"/>).</t>
            </li>
            <li>
              <t>If the OSCORE Option of MSG includes the "Partial IV" field, move to Step 4. Otherwise, terminate this algorithm.</t>
            </li>
            <li>
              <t>Compute the 16-byte PIV_KEYSTREAM by means of the same method defined at Step 3 of <xref target="sec-oscore-sender"/>. In particular:  </t>
              <ul spacing="normal">
                <li>
                  <t>ENC_KEY is the Obfuscation Recipient Key from the RX_CTX that is used during this execution of the present algorithm.</t>
                </li>
                <li>
                  <t>INPUT_1 is composed by means of the same method defined at Step 2 of <xref target="group-oscore-retrieve-rec-ctx"/>. Note that, except for the particular case discussed at the beginning of <xref target="group-oscore-retrieve-rec-ctx"/> where the recipient endpoint is a client, INPUT_1 was already computed when actually performing Step 2 of <xref target="group-oscore-retrieve-rec-ctx"/>.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Compute the PIV value, by XORing with each other:  </t>
              <ul spacing="normal">
                <li>
                  <t>The ENC_PIV value encoded within the "Partial IV" field of the OSCORE Option of MSG; and</t>
                </li>
                <li>
                  <t>The Q bytes from PIV_KEYSTREAM's start, where Q is the length in bytes of the "Partial IV" field and PIV_KEYSTREAM is the result of Step 4.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>In the "Partial IV" field of the OSCORE Option of MSG, replace its current ENC_PIV value with the PIV value computed at Step 5.</t>
            </li>
          </ol>
        </section>
      </section>
      <section anchor="signature-checker">
        <name>External Signature Checker</name>
        <t>TBD</t>
        <t>Editor's note: describe how to ensure that an external signature checker (see <xref section="7.5" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>) can still perform its intended operations, when the "Partial IV" and "kid" fields of the OSCORE Option are obfuscated.</t>
      </section>
      <section anchor="deterministic-requests">
        <name>Deterministic Requests</name>
        <t>This section discusses a special case where: i) a value smaller than 65536 is used as the Sender Sequence Number; and ii) the "Partial IV" and "kid" fields of the OSCORE Option are not obfuscated, even if the Group OSCORE Security Context is an Obfuscating Security Context or specifically an Incognito Security Context.</t>
        <t>The specification <xref target="I-D.ietf-core-cacheable-oscore"/> defines an approach for restoring cacheability of CoAP responses that are protected end-to-end with Group OSCORE. The approach relies on the concept of Deterministic Request, i.e., a request protected with the pairwise mode of Group OSCORE that any client in the OSCORE group is able to compose.</t>
        <t>When composing a Deterministic Request, a client effectively impersonates a Deterministic Client, i.e., a fictitious member of the OSCORE group associated with a dedicated OSCORE Sender ID. Also, each Deterministic Request is computed by using the Sender Sequence Number 0.</t>
        <t>Therefore, even when using the method defined in the present document, the following applies to the OSCORE Option of a Deterministic Request:</t>
        <ul spacing="normal">
          <li>
            <t>The "Partial IV" field has a length of 1 byte and encodes the value 0.</t>
          </li>
          <li>
            <t>The "kid" field conveys the actual OSCORE Sender ID of the Deterministic Client.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-agreement">
      <name>Agreement on Obfuscating Fields in the OSCORE Option</name>
      <t>If an endpoint does not have an explicit agreement with its peer(s) about employing the method specified in this document when using a (Group) OSCORE Security Context CTX, the following applies in order to preserve interoperability:</t>
      <ul spacing="normal">
        <li>
          <t>The endpoint <bcp14>MUST NOT</bcp14> obfuscate the "Partial IV" and "kid" fields in the OSCORE Option of its outgoing messages protected with CTX (or with a Security Context derived from CTX, see <xref target="sec-kudos"/>).</t>
        </li>
        <li>
          <t>The endpoint <bcp14>MUST NOT</bcp14> attempt to reverse the obfuscation of the "Partial IV" and "kid" fields in the OSCORE Option of incoming messages protected with CTX (or with a Security Context derived from CTX, see <xref target="sec-kudos"/>).</t>
        </li>
      </ul>
      <t>The rest of this section defines means that endpoints can use to reach an agreement about obfuscating the "Partial IV" and "kid" fields as per the method specified in this document.</t>
      <section anchor="agreement-for-oscore">
        <name>Agreement for OSCORE</name>
        <t>TBD</t>
        <t>Editor's note: expected means to cover include:</t>
        <ul spacing="normal">
          <li>
            <t>Pre-provisioning</t>
          </li>
          <li>
            <t>In EDHOC</t>
          </li>
          <li>
            <t>In the OSCORE profile of the ACE framework</t>
          </li>
          <li>
            <t>In OMA Lightweight Machine-to-Machine (LwM2M)</t>
          </li>
        </ul>
      </section>
      <section anchor="agreement-for-group-oscore">
        <name>Agreement for Group OSCORE</name>
        <t>TBD</t>
        <t>Editor's note: expected means to cover include:</t>
        <ul spacing="normal">
          <li>
            <t>The OSCORE Group Manager based on the ACE framework  </t>
            <ul spacing="normal">
              <li>
                <t>Messages to (candidate) group members</t>
              </li>
              <li>
                <t>Messages to external signature verifiers</t>
              </li>
              <li>
                <t>Message to/from an Administrator</t>
              </li>
            </ul>
          </li>
          <li>
            <t>A CoAP server supporting observe multicast notifications and self-managing the OSCORE group for its group observations.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-security-considerations">
      <name>Security Considerations</name>
      <t>The same security considerations from <xref target="RFC8613"/> and <xref target="I-D.ietf-core-oscore-groupcomm"/> hold for this document when messages are protected with OSCORE or Group OSCORE, respectively.</t>
      <t>The method defined in this document provides confidentiality protection of the obfuscated fields in the OSCORE Option against passive adversaries. Furthermore, the following considerations also apply.</t>
      <section anchor="minimum-length-of-sender-sequence-numbers">
        <name>Minimum Length of Sender Sequence Numbers</name>
        <t>As per <xref target="sec-oscore-sender"/>, a Sender Sequence Number value has to be at least 65536 when using the method defined in this document.</t>
        <t>This ensures that the "Partial IV" field of the OSCORE Option has a length of at least 3 bytes. In turn, this defeats possible attempts to track an endpoint or to fingerprint its traffic that leverage a transition of the length of the "Partial IV" field from 1 to 2 bytes, or from 2 to 3 bytes.</t>
        <t>The requirement above does not apply for the special cases discussed:</t>
        <ul spacing="normal">
          <li>
            <t>In <xref target="edhoc-oscore-request"/>, for the one-off EDHOC + OSCORE request <xref target="RFC9668"/>. However, the requirement does apply for all the messages that the two endpoints exchange after the EDHOC + OSCORE request and that are protected with the same OSCORE Security Context.</t>
          </li>
          <li>
            <t>In <xref target="deterministic-requests"/>, for a Deterministic Request that is intrinsically designed to be replayed, as intended to be identically sent multiple times by multiple clients to the same server(s) <xref target="I-D.ietf-core-cacheable-oscore"/>.</t>
          </li>
        </ul>
      </section>
      <section anchor="encryption-robustness">
        <name>Encryption Robustness</name>
        <t>When performing the steps in <xref target="sec-oscore-sender"/> and <xref target="sec-oscore-recipient"/>, using the same Obfuscation Key and SAMPLE_1 more than once risks compromising the encryption of the PIV value in the "Partial IV" field. That is, encrypting the PIV_A and PIV_B values of two different "Partial IV" fields by leveraging the same Obfuscation Key and SAMPLE_1 reveals the exclusive OR of PIV_A and PIV_B.</t>
        <t>Assuming that SAMPLE_1 is consistent with the outcome of a pseudorandom function (PRF), if L bits are sampled, then the probability that two SAMPLE_1 byte strings of length L are identical approaches P = 2<sup>-L/2</sup>, that is, the birthday bound. For messages protected with (Group) OSCORE, SAMPLE_1 has a minimum length L_MIN of 72 bits and a maximum length L_MAX of 128 bits. Therefore, P is at most one in 2<sup>36</sup> (when SAMPLE_1 has a length of L_MIN bits) and at least one in 2<sup>64</sup> (when SAMPLE_1 has a length of L_MAX bits or more).</t>
      </section>
      <section anchor="impact-on-endpoint-trackability">
        <name>Impact on Endpoint Trackability</name>
        <t>The tracking of an OSCORE endpoint that migrates to a new network path can be largely counteracted by using the method defined in this document, if combined with the use of new source addressing information (e.g., IP address and link-layer address). If addressing information does not change upon network migration, an on-path adversary might still be able to track an endpoint.</t>
        <t>Even if combined with the change of addressing information upon network migration, the method defined in this document does not prevent other properties of network packets, e.g., their timing or length, from being used to correlate activities of the same endpoint across different network paths.</t>
      </section>
      <section anchor="trial-decryptions">
        <name>Trial Decryptions</name>
        <t>Due to the possible obfuscation of the "kid" field of the OSCORE Option, a recipient endpoint could end up performing trial decryptions on an incoming message, when attempting to retrieve the right Recipient Context to use.</t>
        <t>Such trial decryptions will fail, when the recipient endpoint retrieves a Recipient Context that appears to be the right one to use, while in fact it is not and its selection was the result of a false positive matching of a (stand-in) key identifier.</t>
        <t>This could be the case in the following circumstances.</t>
        <ul spacing="normal">
          <li>
            <t>OSCORE is used and the recipient endpoint is a server (see <xref target="context-retrieval"/>).  </t>
            <ul spacing="normal">
              <li>
                <t>If the recipient endpoint stores at least one Ordinary Security Context, the endpoint first assumes that the "Partial IV" and "kid" fields in the OSCORE Option of the incoming message were not obfuscated.      </t>
                <t>
Consequently, the endpoint first attempts to retrieve an Ordinary Security Context to decrypt and verify the message (see Step 2 in <xref target="context-retrieval"/>). If a Security Context is found and the OSCORE processing of the incoming message fails, the endpoint proceeds with looking for Obfuscating Security Contexts to use.</t>
              </li>
              <li>
                <t>If the recipient endpoint stores Incognito Security Contexts, multiple of those might result in computing a STAND_IN_KID value that is equal to the value encoded in the "kid" field of the OSCORE Option of the incoming message (see Step 10 in <xref target="context-retrieval"/>).      </t>
                <t>
In the case of a positive match, the selected Incognito Security Context is used for the OSCORE processing of the incoming message (see Step 11 in <xref target="context-retrieval"/>), which fails unless the selected Security Context is actually the right one to use. If the OSCORE processing fails, the endpoint continues inspecting the set of Obfuscating Security Contexts.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Group OSCORE is used and the Group OSCORE Security Context is an Incognito Security Context (see <xref target="group-oscore-retrieve-rec-ctx"/>).  </t>
            <ul spacing="normal">
              <li>
                <t>Within the Group OSCORE Security Context, multiple Recipient Contexts might result in computing a STAND_IN_KID value that is equal to the value encoded in the "kid" field of the OSCORE Option of the incoming message (see Step 7 in <xref target="group-oscore-retrieve-rec-ctx"/>).      </t>
                <t>
In the case of a positive match, the selected Recipient Context is used for the Group OSCORE processing of the incoming message (see Step 8 in <xref target="group-oscore-retrieve-rec-ctx"/>), which fails unless the selected Recipient Context is actually the right one to use. If the Group OSCORE processing fails, the endpoint continues inspecting the set of Recipient Contexts.</t>
              </li>
              <li>
                <t>If the recipient endpoint does not find an eligible Recipient Context among the stored ones, the endpoint might proceed with the dynamic derivation of new Recipient Contexts, if allowed by the application (see Step 9 in <xref target="group-oscore-retrieve-rec-ctx"/>).      </t>
                <t>
After establishing a new Recipient Context, this might result in computing a STAND_IN_KID value that is equal to the value encoded in the "kid" field of the OSCORE Option of the incoming message (see Step 15 in <xref target="group-oscore-retrieve-rec-ctx"/>).      </t>
                <t>
In the case of a positive match, the newly established Recipient Context is used for the Group OSCORE processing of the incoming message (see Step 16 in <xref target="group-oscore-retrieve-rec-ctx"/>), which fails unless the Recipient Context is actually the right one to use. If the Group OSCORE processing fails, the endpoint can continue establishing and trying further available Recipient Contexts, as long as information to do so is available.</t>
              </li>
            </ul>
          </li>
        </ul>
        <t>Although the specific circumstances above are new and introduced by the method defined in this document, trial decryptions are in fact already a possibility in the following cases:</t>
        <ul spacing="normal">
          <li>
            <t>When using OSCORE, a server receiving a request might end up processing it with multiple OSCORE Security Contexts in sequence. This can happen, e.g., in the case of collisions with the values of ID Context and Recipient ID across stored Security Contexts.</t>
          </li>
          <li>
            <t>When using OSCORE, a client receiving a response might end up processing it with multiple OSCORE Security Contexts in sequence. This can happen, e.g., in the case that the same Token value is used for multiple message exchanges that are simultaneously active.</t>
          </li>
          <li>
            <t>When using Group OSCORE, a server receiving a request might end up processing it with multiple Group OSCORE Security Contexts in sequence. This can happen, e.g., in the case of collisions with the values of ID Context and Recipient ID across stored Security Contexts. For example, both the sender endpoint and the recipient endpoint can be in two different OSCORE groups under different Group Managers, with both OSCORE groups identified by the same Group ID and with the sender endpoint using the same Sender ID in both groups.</t>
          </li>
        </ul>
        <t>In either case, the recipient endpoint can attempt using multiple available Security Contexts in sequence, until the right one is possibly found and message decryption and verification succeed.</t>
        <t>Regardless of the specific circumstance by which trial decryptions occur, recipient endpoints still have to keep updated the status of their keying material, including after decryption failure. In particular, symmetric keys ought not to be used beyond certain key usage limits, i.e., after having reached a maximum number of failed decryptions <xref target="I-D.ietf-core-oscore-key-limits"/><xref target="I-D.irtf-cfrg-aead-limits"/>.</t>
        <t>Clearly, broadening the opportunities for trial decryption increases the pace by which key usage limits are approached, thereby increasing the frequency by which keying material needs to be updated, e.g., by using the key update procedure KUDOS <xref target="I-D.ietf-core-oscore-key-update"/>.</t>
      </section>
      <section anchor="not-obfuscating-the-kid-field">
        <name>Not Obfuscating the "kid" Field</name>
        <t>When using an Obfuscating Security Context that is not an Incognito Security Context, the method specified in this document results only in obfuscating the "Partial IV" field of the OSCORE Option, but not the "kid" field.</t>
        <t>This is useful in some use cases where such information is effectively still obfuscated by other means. In such use cases, obfuscating the "kid" field by using the method defined in this document would simply result in unjustified (performance) penalties.</t>
        <t>For example, the specification <xref target="I-D.ietf-schc-8824-update"/> defines how to use the Static Context Header Compression and fragmentation (SCHC) framework <xref target="RFC8724"/> for compressing headers of CoAP messages, also when messages are protected with OSCORE or Group OSCORE.</t>
        <t>Two endpoints using (Group) OSCORE and SCHC header compression can enforce SCHC compression Rules that include a Field Descriptor for the "kid" field of the OSCORE Option. The intent of such a SCHC Rule is typically to match with a protected message where the "kid" field conveys the same value specified in the corresponding Field Descriptor of the Rule. As a result, the SCHC compression elides the "kid" field from the message before transmission, and the field will be reconstructed by the recipient endpoint when performing SCHC Decompression per the same SCHC Rule.</t>
        <t>In such a scenario, obfuscating the "kid" field by means of the method defined in this document will prevent the intended SCHC compression Rule to match with the protected message to compress, since the stand-in identifier that is overwritten in the "kid" field of the OSCORE Option will differ from the static, expected value specified in the Field Descriptor of the SCHC Rule. In fact, unless other installed SCHC compression Rules produce a match, the message as a whole will simply not be compressed.</t>
        <t>To ensure that at least other fields of the message are compressed, the SCHC Rule would instead have to include the Field Descriptor for the "kid" field that always results in preserving the "kid" field as-is, without compression. Clearly, it is instead better to enforce the originally intended SCHC Rule, while not obfuscating the "kid" field through the method specified in this document.</t>
        <t>With the exception of such use cases that effectively achieve obfuscation of the "kid" field by other means, endpoints that support the method defined in this document and explicitly agree to use it ought to rely on Incognito Security Contexts and thus obfuscate the "kid" field of the OSCORE Option accordingly.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>TBD</t>
      <t>Editor's note: expected actions are registrations of new parameters that effectively enable the means defined in <xref target="sec-agreement"/>.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC5869">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5869"/>
          <seriesInfo name="DOI" value="10.17487/RFC5869"/>
        </reference>
        <reference anchor="RFC7252">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="RFC8610">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="C. Vigano" initials="C." surname="Vigano"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="RFC8613">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
        <reference anchor="RFC8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9031">
          <front>
            <title>Constrained Join Protocol (CoJP) for 6TiSCH</title>
            <author fullname="M. Vučinić" initials="M." role="editor" surname="Vučinić"/>
            <author fullname="J. Simon" initials="J." surname="Simon"/>
            <author fullname="K. Pister" initials="K." surname="Pister"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes the minimal framework required for a new device, called a "pledge", to securely join a 6TiSCH (IPv6 over the Time-Slotted Channel Hopping mode of IEEE 802.15.4) network. The framework requires that the pledge and the JRC (Join Registrar/Coordinator, a central entity), share a symmetric key. How this key is provisioned is out of scope of this document. Through a single CoAP (Constrained Application Protocol) request-response exchange secured by OSCORE (Object Security for Constrained RESTful Environments), the pledge requests admission into the network, and the JRC configures it with link-layer keying material and other parameters. The JRC may at any time update the parameters through another request-response exchange secured by OSCORE. This specification defines the Constrained Join Protocol and its CBOR (Concise Binary Object Representation) data structures, and it describes how to configure the rest of the 6TiSCH communication stack for this join process to occur in a secure manner. Additional security mechanisms may be added on top of this minimal framework.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9031"/>
          <seriesInfo name="DOI" value="10.17487/RFC9031"/>
        </reference>
        <reference anchor="RFC9052">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="RFC9528">
          <front>
            <title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios, and a main use case is to establish an Object Security for Constrained RESTful Environments (OSCORE) security context. By reusing CBOR Object Signing and Encryption (COSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding, and Constrained Application Protocol (CoAP) for transport, the additional code size can be kept very low.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9528"/>
          <seriesInfo name="DOI" value="10.17487/RFC9528"/>
        </reference>
        <reference anchor="RFC9668">
          <front>
            <title>Using Ephemeral Diffie-Hellman Over COSE (EDHOC) with the Constrained Application Protocol (CoAP) and Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="M. Tiloca" initials="M." surname="Tiloca"/>
            <author fullname="R. Höglund" initials="R." surname="Höglund"/>
            <author fullname="S. Hristozov" initials="S." surname="Hristozov"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <date month="November" year="2024"/>
            <abstract>
              <t>The lightweight authenticated key exchange protocol Ephemeral Diffie-Hellman Over COSE (EDHOC) can be run over the Constrained Application Protocol (CoAP) and used by two peers to establish a Security Context for the security protocol Object Security for Constrained RESTful Environments (OSCORE). This document details this use of the EDHOC protocol by specifying a number of additional and optional mechanisms, including an optimization approach for combining the execution of EDHOC with the first OSCORE transaction. This combination reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9668"/>
          <seriesInfo name="DOI" value="10.17487/RFC9668"/>
        </reference>
        <reference anchor="I-D.ietf-core-oscore-groupcomm">
          <front>
            <title>Group Object Security for Constrained RESTful Environments (Group OSCORE)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <date day="23" month="December" year="2025"/>
            <abstract>
              <t>   This document defines the security protocol Group Object Security for
   Constrained RESTful Environments (Group OSCORE), providing end-to-end
   security of messages exchanged with the Constrained Application
   Protocol (CoAP) between members of a group, e.g., sent over IP
   multicast.  In particular, the described protocol defines how OSCORE
   is used in a group communication setting to provide source
   authentication for CoAP group requests, sent by a client to multiple
   servers, and for protection of the corresponding CoAP responses.
   Group OSCORE also defines a pairwise mode where each member of the
   group can efficiently derive a symmetric pairwise key with each other
   member of the group for pairwise OSCORE communication.  Group OSCORE
   can be used between endpoints communicating with CoAP or CoAP-
   mappable HTTP.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-groupcomm-28"/>
        </reference>
        <reference anchor="I-D.ietf-core-oscore-key-update">
          <front>
            <title>Key Update for OSCORE (KUDOS)</title>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   Communications with the Constrained Application Protocol (CoAP) can
   be protected end-to-end at the application-layer by using the
   security protocol Object Security for Constrained RESTful
   Environments (OSCORE).  Under some circumstances, two CoAP endpoints
   need to update their OSCORE keying material before communications can
   securely continue, e.g., due to approaching key usage limits.  This
   document defines Key Update for OSCORE (KUDOS), a lightweight key
   update procedure that two CoAP endpoints can use to update their
   OSCORE keying material by establishing a new OSCORE Security Context.
   Accordingly, this document updates the use of the OSCORE flag bits in
   the CoAP OSCORE Option as well as the protection of CoAP response
   messages with OSCORE.  Also, it deprecates the key update procedure
   specified in Appendix B.2 of RFC 8613.  Therefore, this document
   updates RFC 8613.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-key-update-13"/>
        </reference>
        <reference anchor="I-D.ietf-core-cacheable-oscore">
          <front>
            <title>End-to-End Protected and Cacheable Responses for the Constrained Application Protocol (CoAP) using Group Object Security for Constrained RESTful Environments (Group OSCORE)</title>
            <author fullname="Christian Amsüss" initials="C." surname="Amsüss">
         </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   When using the Constrained Application Protocol (CoAP), exchanged
   messages can be protected end-to-end also across untrusted
   intermediary proxies.  This can be achieved with Object Security for
   Constrained RESTful Environments (OSCORE) or, in the case of group
   communication, with Group Object Security for Constrained RESTful
   Environments (Group OSCORE).  However, this sidesteps the proxies'
   abilities to cache responses from the origin server(s).  This
   document restores cacheability of end-end protected responses at
   proxies, by using Group OSCORE and introducing consensus requests,
   which any client in an OSCORE group can send to one server or
   multiple servers in the same group.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-cacheable-oscore-01"/>
        </reference>
        <reference anchor="AES" target="https://doi.org/10.6028/NIST.FIPS.197-upd1">
          <front>
            <title>Advanced Encryption Standard (AES)</title>
            <author>
              <organization>NIST</organization>
            </author>
            <date year="2023" month="May"/>
          </front>
        </reference>
        <reference anchor="IANA.COSE.Algorithms" target="https://www.iana.org/assignments/cose/cose.xhtml#algorithms">
          <front>
            <title>COSE Algorithms</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC8724">
          <front>
            <title>SCHC: Generic Framework for Static Context Header Compression and Fragmentation</title>
            <author fullname="A. Minaburo" initials="A." surname="Minaburo"/>
            <author fullname="L. Toutain" initials="L." surname="Toutain"/>
            <author fullname="C. Gomez" initials="C." surname="Gomez"/>
            <author fullname="D. Barthel" initials="D." surname="Barthel"/>
            <author fullname="JC. Zuniga" initials="JC." surname="Zuniga"/>
            <date month="April" year="2020"/>
            <abstract>
              <t>This document defines the Static Context Header Compression and fragmentation (SCHC) framework, which provides both a header compression mechanism and an optional fragmentation mechanism. SCHC has been designed with Low-Power Wide Area Networks (LPWANs) in mind.</t>
              <t>SCHC compression is based on a common static context stored both in the LPWAN device and in the network infrastructure side. This document defines a generic header compression mechanism and its application to compress IPv6/UDP headers.</t>
              <t>This document also specifies an optional fragmentation and reassembly mechanism. It can be used to support the IPv6 MTU requirement over the LPWAN technologies. Fragmentation is needed for IPv6 datagrams that, after SCHC compression or when such compression was not possible, still exceed the Layer 2 maximum payload size.</t>
              <t>The SCHC header compression and fragmentation mechanisms are independent of the specific LPWAN technology over which they are used. This document defines generic functionalities and offers flexibility with regard to parameter settings and mechanism choices. This document standardizes the exchange over the LPWAN between two SCHC entities. Settings and choices specific to a technology or a product are expected to be grouped into profiles, which are specified in other documents. Data models for the context and profiles are out of scope.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8724"/>
          <seriesInfo name="DOI" value="10.17487/RFC8724"/>
        </reference>
        <reference anchor="I-D.ietf-core-groupcomm-bis">
          <front>
            <title>Group Communication for the Constrained Application Protocol (CoAP)</title>
            <author fullname="Esko Dijk" initials="E." surname="Dijk">
              <organization>IoTconsultancy.nl</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <date day="10" month="February" year="2026"/>
            <abstract>
              <t>   The Constrained Application Protocol (CoAP) is a web transfer
   protocol for constrained devices and constrained networks.  In a
   number of use cases, constrained devices often naturally operate in
   groups (e.g., in a building automation scenario, all lights in a
   given room may need to be switched on/off as a group).  This document
   specifies the use of CoAP for group communication, including the use
   of UDP/IP multicast as the default underlying data transport.  Both
   unsecured and secured CoAP group communication are specified.
   Security is achieved by use of the Group Object Security for
   Constrained RESTful Environments (Group OSCORE) protocol.  The target
   application area of this specification is any group communication use
   cases that involve resource-constrained devices or networks that
   support CoAP.  This document replaces and obsoletes RFC 7390, while
   it updates RFC 7252 and RFC 7641.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-groupcomm-bis-18"/>
        </reference>
        <reference anchor="I-D.ietf-ace-key-groupcomm-oscore">
          <front>
            <title>Key Management for Group Object Security for Constrained RESTful Environments (Group OSCORE) Using Authentication and Authorization for Constrained Environments (ACE)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <date day="14" month="March" year="2026"/>
            <abstract>
              <t>   This document defines an application profile of the Authentication
   and Authorization for Constrained Environments (ACE) framework, to
   request and provision keying material in group communication
   scenarios that are based on the Constrained Application Protocol
   (CoAP) and are secured with Group Object Security for Constrained
   RESTful Environments (Group OSCORE).  This application profile
   delegates the authentication and authorization of Clients, which join
   an OSCORE group through a Resource Server acting as Group Manager for
   that group.  This application profile leverages protocol-specific
   transport profiles of ACE to achieve communication security, server
   authentication, and proof of possession of a key owned by the Client
   and bound to an OAuth 2.0 access token.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ace-key-groupcomm-oscore-21"/>
        </reference>
        <reference anchor="I-D.ietf-schc-8824-update">
          <front>
            <title>Static Context Header Compression (SCHC) for the Constrained Application Protocol (CoAP)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Laurent Toutain" initials="L." surname="Toutain">
              <organization>IMT Atlantique</organization>
            </author>
            <author fullname="Iván Martínez" initials="I." surname="Martínez">
              <organization>IRISA</organization>
            </author>
            <author fullname="Ana Minaburo" initials="A." surname="Minaburo">
              <organization>Consultant</organization>
            </author>
            <date day="3" month="June" year="2026"/>
            <abstract>
              <t>   This document defines how to compress Constrained Application
   Protocol (CoAP) headers using the Static Context Header Compression
   and fragmentation (SCHC) framework.  SCHC defines a header
   compression mechanism adapted for constrained devices.  SCHC uses a
   static description of the header to reduce the header's redundancy
   and size.  While RFC 8724 describes the SCHC compression and
   fragmentation framework and its application for IPv6 and UDP headers,
   this document applies SCHC to CoAP headers.  The CoAP header
   structure differs from that of IPv6 and UDP headers, since CoAP uses
   a flexible header with a variable number of options that are in turn
   of variable length.  The CoAP message format is asymmetric, i.e.,
   request messages have a header format different from that of response
   messages.  This specification gives guidance on applying SCHC to
   flexible headers and on leveraging the message format asymmetry for
   defining more efficient compression Rules.  This document replaces
   and obsoletes RFC 8824.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-schc-8824-update-08"/>
        </reference>
        <reference anchor="I-D.ietf-core-oscore-key-limits">
          <front>
            <title>Key Usage Limits for OSCORE</title>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <date day="7" month="January" year="2026"/>
            <abstract>
              <t>   Object Security for Constrained RESTful Environments (OSCORE) uses
   AEAD algorithms to ensure confidentiality and integrity of exchanged
   messages.  Due to known issues allowing forgery attacks against AEAD
   algorithms, limits should be followed regarding the number of times a
   specific key is used for encryption or decryption.  Among other
   reasons, approaching key usage limits requires updating the OSCORE
   keying material before communications can securely continue.  This
   document defines how two OSCORE peers can follow these key usage
   limits and what steps they should take to preserve the security of
   their communications.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-key-limits-06"/>
        </reference>
        <reference anchor="I-D.irtf-cfrg-aead-limits">
          <front>
            <title>Usage Limits on AEAD Algorithms</title>
            <author fullname="Felix Günther" initials="F." surname="Günther">
              <organization>IBM Research Europe - Zurich</organization>
            </author>
            <author fullname="Martin Thomson" initials="M." surname="Thomson">
              <organization>Mozilla</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare</organization>
            </author>
            <date day="4" month="December" year="2025"/>
            <abstract>
              <t>   An Authenticated Encryption with Associated Data (AEAD) algorithm
   provides confidentiality and integrity.  Excessive use of the same
   key can give an attacker advantages in breaking these properties.
   This document provides simple guidance for users of common AEAD
   functions about how to limit the use of keys in order to bound the
   advantage given to an attacker.  It considers limits in both single-
   and multi-key settings.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-aead-limits-11"/>
        </reference>
      </references>
    </references>
    <?line 866?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors sincerely thank <contact fullname="Christian Amsüss"/>, <contact fullname="Carsten Bormann"/>, and <contact fullname="Martine Lenders"/> for their comments and feedback.</t>
      <t>This work was supported by the Sweden's Innovation Agency VINNOVA within the EUREKA CELTIC-NEXT project CYPRESS.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1921YbWbLgO1+R43oo6JFkBBhj+nIOBlymChsacF3WmbO8
UlJKykJS6mSmjGkvf8vMV5yneZr+sYnbvmXuvICxy91d/VCNU5n7EjvuETui
2+2uvdsPttfW8jifRfvBZR4uRt14EfwQ3QYno2iRx+M4SgN4GhwvhuntMo9G
wXmY5nE4C05+DODVfBoFh8kiy9MwXsCvB8vlLB6GeZwsgvM0yZNhMgvWD5OD
843g7PLw7OI4OFvir2vhYJBGML887VrTnxwV5zz5cW2UDBfhHJY5SsNx3s3j
WTIMu8MkjbpJRv+3jN91o8WwOwvzKMvX1uJluh/k6SrLtzY3n21urYVpFO4H
P51crd1M9mHZMO1PSXodLybBd2myWq5d3+wHJ4s8ShdR3j3CedZgL/tBlo/W
stVgHmcZLD2/XcIyTo6vXqytliOcbD/Y2+0DIIfJCAbbD1b5uLu3thau8mmS
7q8F9L+u/H8AcIMvXvWCK9qDfszbexWmw6T4U5LCqBcnl8fBwXP9EIAeRbC6
kywc/5qko2wSAgiDrS39xjDOb/eDH+IsN0PBGvGsj7v93Z1gZ9N6vlrkKbx+
eRPB2evn0TyMZ/vBHJfVY6j/exr3sqi0LV7/98kUjz5a/f1/w17yPMuShbXz
GJEHtv+92cYq5S+rPqLNH6fxEJ/aAHjA7f0Kq+7NZeZ/j2Sy3jCZ+0/vohe8
/Pt/T2arxaiw/4v4OkxH5V9/+yNMaWW9aUILqzhE2t13veAymgENRmlhd9/9
/b9TWGDp1y9xRpMEpoY189TuIa0tkhSOL34XIbldvDh8srf7TP58uvVkS/4E
Mt00f26rP5/tqHefbW739Z/6s2dPtvbUn7u79OdJ96gXR0DnNgeaIBeB5cwr
37iObrvMNMqvDMPhNAoHM/UyvnFwfMn8w+UlBO7XJ5dX9G/h3wejd+FiGGnG
iTyYmCri4zqMtEFv0+RAZbfB1ubWNg8QphNEw2meL7P9x49HSdyDKR73N3u7
m1t7j3Gm3ouT88te/9lTXH8fF3/w+qB3eHZ53DuYwdHE+XSeVa4VX7ZmHwMP
iOy14ziBGce7qpubm14cLkJaWgiseLKYg5DKHg+TLKL/9N5P8/nsm9CMsxYv
xgXM2Hu6tVMGvj667iDOnJ/DIR+becMcj34pG06H3b29rZ3K07UQYBbP49xM
kuIr43TSDaNwpH9cQ/kLtANvXR6fvtgPHv0HLL77M/zvPx+trXW73SAcoNwd
gqi7AjGcRcMV7Po2WCq5ezb4NRrmQKzyA0DCEdYXx5dX49UM8OVdnCYMzGCd
BfIGDvMuHkVZEIFYzhMQrSMaGoZEzErGwTzKsnCCb7wfTsPFBIa8AbDfRSno
Ba/UIDK2GkT0gngxnK1GURAG+L6rQ3SCm2mURjTfI6OXPApAbZmNgmwZDVGD
yeiFLPqvFWgHUbBYzQeg1bwLZ6soWGUw3+CW3pDtwJvIX0gFoZGv45F/yNjo
SACN8hA9UCYA/XGwPAnSaLQa8mI1UgJAovfLBBeRsDJ1E9OGwjwYAp8dyArx
5MagWkTpMo1hTtBYALjjcTykZeLPiAmkysDUywReyjowTpwFoDit8GiDUQRD
wNLDYBZPpvlNhP8NwtGoC3PPI6DZEc+cDMarbIiKTTCM0hwOkbefqW0WTgHg
FwnLwYX5TwPXmbyL0htARf2aBVo69BAkomiBBrigKOExwyajThDngShdSMuk
d/WCn/DbeQwyALYTLnOCLO0/kl2P1AYBICGjIzDaANhQgmeTe+mHlMJ7UpF8
K7REYBUEzwLiJAGyktVC0QWPenDeY9Kex6PRLFpb+wb10TQBzKG3vgk+fBPj
g4+fh+Y/fBDJ+PHjl6F/nhEl9MePPYVXyTJK6YQBaDhWaH0/C2+BnADjVhli
0eHzswu9ZxAI+MyyHfCLdZQtMhHKdNgavgGIEAORLpFSgTgEs4XAh0hOi2yZ
pDkTIOCI2iQzIrV3OK+WHIyh4uNh8XBqcRabORBhW3wlhZeWMa4XFgTyBP6d
z+D0oxS/AVzXu8YtArXhXnio1ZKoXI8T0XvEopZIrMPVLEw7QZbMIwUMIXqb
G8lmRsr2c/aCKA38KQPpt/YHJFoPHyjvtx1zFqasmBty/oVGRzr0IFnlkwT/
ll0i34BTZvaCdD+7CW/xlKIMIQg7SHHaLNeHSYsDtgBMBt4HOw+ANwP4gqDV
XwBSLLLI/oQZ1zi6QRRhsGZgL4HeRSsDaS5zDqOeBozhfH6IlGVLEQL1mw/W
417U6/i+/DZTx3bJP5wcbXwRWMHuXySzWXJDa9YrtZiKRTcdD36BrGJatGkC
Zl8kuZJAEcATOMMwIrgPwVqPGFbMy0KLhAwu4axFsoNPhjCDElW8kK4hcZgj
mdvYtrb2MrmJgOY6JRkPy3gX3TLVLGfAFPPofa4w26ERJFsLN3AHKziRFnrA
OE3mClyWChD1Jj2S0JP4Hb4+xcdwSIAvNDurJzYzp+ODDwCp1DgdHp3xdBBN
w3cx2GIzYBw5OkusVcZzYNXRqAe6fJbASayG0wIk7O3ASSrWlaewPhhSqzGw
pOJugnCYJhloNPF4DAoBLHMR5TdJeo0LmWa0TWKKs1CrGMRJRHEBPcvhaSGo
Wgmga/pOMTR8wxkzWGcAji28tV8AQT1JQ2bkoMdl8QBJoGqZWTQhgbsByPJV
qYZKpbLlP379D6syonoEG5QljpKImQQyMYRivOgOcHS0IcOZUhqQYwBMzeth
OogBeGkMhyrCH7kQIm1XsZ9BmMXI2d6gfAUGCXplnE2FK2s+K9rYYUKkzxzC
UgDh7TKyz1KwB28DoLYIxwonaRTRaTH1KpAryACK1cGcJSYdVnE5yEIRlzqE
LcjCbsv8Tu2XRhA1IKs6OVFbrMMiRYMRHFgGChJYpNa2EOrDMEOpQizD2a5g
O+9aBJO9+UEiOmctJ+3gomJQSgGo1WMli5mHK/MO1tZO4+tI62SImSDxqnTi
gigzyIjSdbJIMlC58INpgnpDSHqcdWilM7oJM4NekRAHf046sgYX6noitsyk
+DWg03CKvPk1HjF8NIO1FjkBWUSK7OcRKMF84gYv8TjwvIhvwYjCS9X8wPpZ
AwiJgYHiHlu/dlqIPK9qibwaSVIzGoZAGhGvgfdjkGJpPImBnoXpd3AkzWNJ
lQFOzwhIJsYgngGE4Vz99iN+dUPYnmkrUh0+Iqt4H5Sar2iIdRPmO/IVrdCG
8m9jhX74UO+1BKbf3lAtjeZ40NCa8xE8ETdBrw3iJfAUOLSAFC0D4m2GsfIC
/fywHslgmBJvKxqygog0CWDJN98EV1GKaDJLJrfBN2iM5+aBmOTX0W1wg678
4NGrN5dXjzr8/8HrM/r74vivb04ujo/w78uXB6en+o81eePy5dmb0yPzl/ny
8OzVq+PXR/wxPA2cR2uPXh38Ar/QVs/Or07OXh+cPirjHlISQHYgJwN0QcSU
rQE/H6bxgPH1+eH5//s//R045f8BKsFWv/8MsIP/sdd/ugP/QHnCsxHT5H8C
vG7XALWjEJltgPxxGC7jHE4X3gXlEvjVIkC6QVPoPxAy/7kf/GkwXPZ3/iIP
cMPOQwUz5yHBrPyk9DED0fPIM42GpvO8AGl3vQe/OP9WcLce/unfQMGIgm5/
79/+sra2dgHyB/EYjwH4IyMgn8c4nANHAshpLwqiV0YwBhMCbUvk4rNQPhEy
1A6UDnKEIdjfwVGYh8ERElNMRHsKSL0iq/Dw6OjU+Hk27Y+eA+9Eyc+c5iIS
4y8UL8rzswv14bOdZ/QhOu0tv0pHkaWlRjKG2HyoBRtS6pvLHNJojIATRmk0
cgISuRzO0hHvoSg992uUMUfpRQngrtbzeiMXJTaHrLTDWlcEVlFyKwYP25XG
/m0tMVD8FcymxymK8oxNB80AWRO5n6AF8b2ohqNRjbVfHt625sXUAZ0WMJ/D
E/XlehZFADuQb11roRgP+fhxg/wiZxYDv9MBtji0z3Min3Ia4mqpPIIaYBj1
+wGhf7IYJhNgF0kF7OvW83mgS0R/VxBb5qEXtmtrQfBmMeMV+Qwh2Gs1KDql
SdbjsfKSbfg1VxhzFo2BdEEzRU1oRGtAVcH4XUE/v8VdzsP0uhHaYcMiybUN
J0AKN0NHGVq94AVaeO9D/LlTeMuo9iG52kh0kJcnDeG4olTtrzgh6kYlPETt
yIduoG0jithnF2OMATVho18X3AX4iJXZjUoSx1He5+jRFM9AAlK3bhsuiVCU
CX2Wq5nCg7pT6LG2t4hurIGLMHBdupGJSaCSiFsFTYDdcmi8ZxGOlJMKiYkh
4Rx0Jky7AO3q/OTHtz8c/3J5dXF88Io4+Q8nR+ZJLzhb2K7eLB7B8TZ8RCqI
oi9tV91TbnTI3Yt28DtYb0d5G9ChFqZu3MDnrS6ETtyz1rszvlveIO0YAGRB
zNlUA7MwHhM5zRIvzfiESD8u2YDsPX98oRcFnxBwPny4FIfAdm+r18fpLH1I
K3dGg1GewiH5yDlC8G08+jaIZmLT84K/Re/gt7DFNKTFEVbNl4CVg1s4OQAB
jGZGwES1xjEenT1/AQt/xPg/CwfRTND/4PLw5EQGZW9gSfijazEm/9nrN6e0
CJYlYy+f0CITIejIaxVr54dW8E6nhFTItRj91Vq8KbAD0HtPccNNmtpGp3AS
ZJXTKTCL/jacTd5iXkY9HF1Cr9kF+dE9+4CzT0aMZiEHNdE4m6BrHpCNZCyd
QwcNgSzOKKqhMenRj+jwKMi9CHOptFwsJNg8Av1+AsOkt4LOJG/VKkHF9ST3
kF7+hQ8Xse3rO+CD44OjFofqWXS/1aL/kdABgXhqyUCZ4eUPRy/0yX972siG
+rukRZybqFusFX6tShCkPopxmAlYldsi077QFrqlUogoZKnVVdz7vD6abxmL
7BKSGOolCKTCQrssjJXGE5YiuEAueL5jkJxTPY6KhL+2I+GEYRieQO+JvKmw
jHVsXKpPsnaUy79mdHK6oIc9B001zPJg98mT7d0e+RfpgxwlepWr3xtriGcz
CVzAkIsJamNjM/42iYoMDJ2M3cQSNhefoERpOGlJx2KAcG+1lxSPL5yxG1ZW
cHz08uww+J9qJSpePYqz4SrLGA8+fIhG00QfkLxDUhl9UvtBvGGJ9hK4iL+h
kixbY/Blc8AidDJP4RcC3R85nCSDNToi23i7e4JFmGKRZByINBha0qdeXX7n
C6Ar95qTlPIoM8viiPn7XC+vwMN2C+rMxgOdYeGUsvh9N4dHU6KyMzwC2BES
Lu8f/eyxhVCk6gPrbeP5pcSfuiyWpi17kyqUgZoV5A2w5iVKmz6TU4zfHL8+
fHt+8MvpGUgRfBvTjCy1lNx6y/B2loREXrhzIuIsh31lhs+D3glYyy4Q+RTZ
ekIOPJJwyJ0XHQW04PLg1fnp8ds+yhVaZpwC8F4zNTKTsdb2bcYzqjTL18Gf
MUiyfnr8+rurlx1g2RsEXf43sFs4YhGQQvMAXh4almcN3AteJ7lEEuVjOJTJ
CmQIIJ92h+rTfaYStkyWCWAXJgsk9mwe8AEQthDwvH38tb/bJV355PX5myuG
BB8WehABYFq/MYNqqJEln2VM6P1d3ltHDxVjKDHncMzgloz+7hINUDQf1Rh0
eH+LUiQJSirjyJ8arddmEWbqHFmCmj8Pr2FQ9SKPdOLjLoJTDUHcTjBP3lGo
4BJwGEyZ4AxeTG9ijN04P6Ho3mYwr3IXzAUTNINzBVgzqN3f/oy57t3jw+fr
iCnwXAN2g95mBi3gkVeVDQT/tNQVwDr8bQ4aFJAx/EZMhL6TodV3RXuvSpFL
KlRe7ZyiDE3mUfWeNnsF9HVY6RuQjdE+zc+8kwBdhJrlKqVWsbNazgrrul6N
kkwLPS8k1NoKAEM+WwOk0Mp5KbvOrByi1tC8CbUJrknDkFtuPDZIIoiLQO4n
eRG6JueqFrA7Lg4Txzr5kaU8paz8fHaBxEw0TKHvBCmCkbJLmrB+X6vwViCx
rfbE9ElKhDX0X2027dBOkVH/VcHGw4Yr1oEM1qVHP3i3+RRcLyKP+oBbx8k3
329u9vtbW8H6X4E3iMa44V/o5nvAumg0Gg4HgzB89mxv7+nTXdDEdna2t7e2
+v3NzWBdMc0N4Zo4t4aKOyLgIJy0kbNmZ6iXqckAEk90kPtu+0NnGeCkSlJc
pUQxZho9s4OCJMZXFKzN+TR27srk7axTgkKBj9ssnkPb7BG0zUGYE16s8gL4
iLjZqz6slNBbRHgg2pDwFOkTCTC5E0IsoonJtZ2hyjCI2aG7KIiqpwyxdtt8
6pdpBSeqI9Pc3ypl2tbvMu13mVaSaVsVTHf3E2TanovD24zCl1cHr4/enrx+
i3et7yLftm0hdHpwdXx5hQyqKIHML+xDZyLjxYu6rQ69+2k6KnExd7pWjNNi
AXohileZzHUyb0qDP4SUI/sNc5VxJjIRlMMCQBRzul8m6Xz4LiX/Sk4/prrm
mZ0Kh5bnRq/qnBymVDwql2P5ERC55jMj66zwZyshR3sVIacRzgi5MjKWD2yP
NyeRWyJblexnvppiZqdlM20bMwldfjgOhWAd5ci7AxqPNlzIWCvb/eRS4fxp
ho4McUrD18IpHAIG4NmDAVhwOmxrpwOn9uDhvsDtKk9ccRl0XwlvjhIWY66o
5Baxl9IEqXyOSh1X+yh5zHg/iAOTtpepeOXBeJk8lyqmIRm4mvbt/ZfYZE6B
fgmJ6rRwfYfpFv9lCSJxUsG68zSO4LAYQCdjX0z/8OpnROtxslqwnisPGgK8
lpro2R25bnGg5ijjPZJdhfmFlCWaJss0RuySzct0tiRmP9w4ZydkXnkm9qoF
zhaQcU4JhFLSxmgFbMD2onsBTwNUrCoYJV/ed/sg7lbjwRVscQIGXlFvJ2dr
fSJZsF8WFSB9gTCLqI4IUSaSJsFSpa36aONNxiRbBj8hfcVpkygbzmJKu55G
lhPVSLiOf07BEaRJkQgUZk8W4rVD6WSpNhR84FXwwVHmNCpFOCGKAQy5gWCi
ZOqOgqlsQ7nLMJ9+osBAXryr5DoSZszzmoMwzttH9JbFaIl0Fpzz3vx2pSBm
UlgUA4iYNEBXFQhr5M4P33i0GEtVAp0IUXRka4nCR9SCODt2FoKTZ7DX23F8
1L3CcuoSWapX5Li0yZHtzu6leTfr/gvxxo51I/jq517wfBXPRnyfw9JnPie4
tRVeRwJyHBXcTvi7n8tt2KLLYUbNCWsLe9+kr2CuTK7gGC+AwmKWjchxsVxI
nHcU+IlPE/Xd2ckQDFaelFG/psxX4u5k6lWxrv/1B82c/CdLRom26jSzNvzI
zxCFA+l7fi3TjO5z28XB7j86B96RLVrJSbQDRHyEId1w0l65KrlAd2FSj1wg
fGslFqrMur72DvEkwDqSlG/zm2hdJYf0Oaa2qmMP2xziuTKzhVm2mkeZQdn7
M5mbqByHDYxQUBPmOSZhZYwKjEI+RbSam2yVuQmDkIQksq6ML1RrTaFCzy2o
tw0wtvbwadywsH5lKCoND2woTOrA60k1FQo6BQec8cxlOpFEVot6ULxYcZKG
yhcp2z0IRYscFglbc45BgJcCtc8Zj1pGhE2aZSujq5RGVIgZ1uF7k6mhPtYh
eskqBj6D0uNWbrsudA5PspTE1p3eZj9Yf7Pgskvx36LRBm4LHm8G68/BJr5g
ot4IojSFH5Tu5z/ODKz9HQJ4+VwV6jvHhOSYaXrcUS4t28VqdueqFKhT8ppA
MR7xPdwHWpVBHg5OPsAJFZjSTtmVfL99Kh8H7atayfDdPfSnsCMaE3a3gc2O
iY/rGDMoU3wDT5WewA1IVpVabZ9XW053UimudF2HpIsYfqaYRNmNwMGUukB9
mzVt1ayJtcPQBMh9jq4dNbpaayHqUb3AhjjFk5o4BQUaLqMZZXB5+XrH3LBo
qdXTdOiCQVwYRMjsgQMAst1GoJGtUn0/OHoPX9raim/nxEidMjGsXaQcEcto
7XSVtW5NVtUFXFW10popUpqZe9WKaVPGikhcpB1J+kmQ/la6Wgchh7aS9R2U
u4hfn/Lb6PmMba8s7yKP56TScs2eTI4ZTgev8aWOkOFr1YiVVGah5oYHl9EA
3nXtFIwwZT0oOqCvJptaMlZVmGINmEKdGVaBNoBzFi6JJCtcHNUfWuEF0lDt
BwvXlSt+4CIpD1FXIlktYvwZBRt8B6zgb/rY9ImrExM+GnEhCHqpBm96wYsV
XmxHL2IexjO20en2je18wooDhQsyuAEqB7IypaCGyVIcVFbyqFbOfNqET0z0
XeXVbDPSqhre+pHADhOpUnfq9A3DB2oDq9NoeO1xd7f04asgjZuOBNNq17qz
1z1nq6q0C4cQgnACKNkrbYD8g813rtyYS3ynSARdDbITxow3HNC+5CIyv1ph
QLauCBgvUahpJ1aVz66NP7sjJ12jT/X75SCePxDdRkA+rRSQhUJg+w8SXOZK
zAQpjfPOUmoETmNQtO77Zw8V9fxDOZomocViHE1FHB8wRqgJ0LOKT47pYUSt
v2kSOVoE4Z7pWls2MX0KZfoYpqRoFJlmPS59IUKE/wQXK96ik5zxlTpDGwEn
sK7zl34WD8EDp3o8lBcQPruLsy0oKIq/ra/DpphP9mkIz/n6nRL2aquEP5af
AWGnE8t1hsWAqsoG6WqxUOTShqytSWs4BhJXX3yT1VA+GauChbYF2soyc+gT
jT2jLVPpN9CAmdaNk6OuQqjAi8IQRsRWU/HG3TweRXdHw+g+d4e1etwub7DZ
yVHK9fnSUKdEmFtRxvEajgPm7c8CZocBP23lS5JlTokwogU5+If5PSF89Qmo
UfKENaNGkydMxdqRmhWpvyD1xNZpMcjuo/i1te+A9y8avS46TMT11lQ4SSf6
2CXFHLvDm1pRmcdRd9foC6gcTBZ1WUFOFOhuIUM3hNEY2bxjnOghUtg8qrLO
ZfsUy9JKbnOGmdIt4M+c1ubBsi+X2bZ9F1xpuqi00zaLfafNlaU6q7rItra/
rHVdG6Qm1fc+jl7ngo26bXknMDxhMHgYmnXxr3WAOrevuCFbVXVRtXlKpUbC
Yb6idAjhjcSeG1ajYw4KBe5628fNMv7nvPGzI/c9Hu6eiws1zy2bkuPhiVy1
F8PwENOvilUAxE7MuIK9bUNmlqG4MjmHTVUCRtG7ONTgr5DaHlqXhEhveu1H
0UMKGUBiC5H64U3/gc3eJIUarKnyQ6yQRPKYM8GdRENdQ/R4OY3mWK42OAKD
N466L6PZbI7lAlA/o1vD67Qm1SfhydZe0Xuh8xvrSrEVmP2BZvY84kap3wBD
QhddkFq/uvuCcvxTOmBp8K3C4HJHfkQpl1h/XHiMyZKma9TwT/v+s7MEZCSZ
1N3AOVX+ZGyn/kTKr6RM3jkauFj283oMuphfB99Wi93d3ROJUJLCvKBS7WVa
iUoTU/XZSSXhnC5T5YqqWQwivT80xZ39daTSNe3GrXBhUXG75FYtQbCSdo4l
H1S6K09p8lwLSeWqxrM/Ec6xdxgisISUD4abkJA3Q256OKdHm6cmAUjysdx9
n0W587YsrGNtK6vbPgNtzPn37AkTz1rOtOFxMJnhKg5SYatVrLmMSu2K5QHV
cJz3wcp51Sdmc2qsasnj9SL5K7nxsEiDKg4nI9Z0DJHuCZnbPIEVoOoqHS6B
FLuFsJzjvZi05AhNvHhcSwgrvnah8EbXKmxxmaBt/ceGpHgxa53SIEGxCody
zjtlOGyu5M2RqFikVfFE9Aun5Imu5gIcbQxUqpilXd22VAumzyXLyNmZiOpk
hRM2fZ1SNCaQ2COFrzKKrfi2uZsnDCUhh+8INLp0FptigA5jYA8hV9vhH2Dm
hfBxK5p++PaiFxR4W/XJOXxtERGTtjIGFVO0xg+zbpzZ+akyji2WTRcgPZJn
P1RBmBkh5faK49PpV1CH9tk0TG05weCVKloPQj53Kbr5YFTjmiP8KdWH4TYB
qGKxg48lvbpypgV9WSMpKDz1qRbCnQgAt1gCVHX8sLyHGGpmTyVgG0ttblpF
hONIv7fbtu1RLCMT1mgQeLuMMyfmNSy91HPJXJTEUu1V8ny/ESm8N0lk5Cbs
0PESLzaYYervwTcPQN6QxhR2VO5/eHN0dqmv2HG0yqfAowKJZv4bdrGgwJQl
rNMQlQX7TRNRqq/t9GbRN7doPHpLaDvWw8P35K/DBCTcADZjcRqXUFnTitPq
KV9olQvi7dnpkQRaxPpjIEuyGN6fMWr07ZKNVIaZNgN0opgpyC++jFBe1e4M
0hwOwP4DrjqhG6b2UB41NwwweSxJQ93lxL+Nq+NX50p+eMJ/uM0ez01iqd3k
dWSAg74+/qlhTlULCfUgxQWUlW2Wxfk19L6bC96x9RTqidLoYlXAeCwL1Mui
Q4XDI0eRdYOKL6XcZ8aiTtys+j6Qrhu6J1ddNVICjQVPnZiDqpAeCYtFVHYA
t3fk4dE1lxdQRxOsy9lsOGjDbcwMuzZEsm5wdsPduivTy5m87UbpeB2a5u4I
yuKHgFJh8473syBRzP6QSe9exZeHL5lL62JzfPnVbqvyPbBrp2fl9+cbriIt
TaOx6r+uERoGjzJcbRT8Ct8/CrJkxq7XMZWqR+6K3iUU7ZhlgAI/eATK2WgS
Pepwmih+DXSE38OPslrVR4z9WU5fFrmO6KtZyRFo2olKq0SekFHdULKUwmCI
5UGBaLjpsFoVfSOVQcP08WFCTv0wh12sf39xiA6Xg4qUj6c97e8g6BQpapog
OTI8JiRPeP9anMP4pHXWd9LSdqP8DrqVKZJfy21jrhysctN5cqeDmDNwSXdT
XzjDVBdjrhoGt+mOYX0dbL7fCZ9s7WwH64/gRWrmQlWZN8xtOTkjuXSoMpVl
deLqStRUvpqQrmZUUwvSKl0tng8y2wqmgzmBnr6c3GBViCrqQYC2lnVZVzXE
T26X703H1n2riHFt6UsmKN0A0y83rIqr9iw1tSLAGk/ESPNMS8spRd4y9WuV
rRxwKso9goEFR85vV97iD5UxwHBhgsw2kCk46L9eWgHYEq7zTw4eC1DvFXyn
8vbijGWyw9siaHlTUkh1RhFFlbrBwWhUuX6h4sos0a4d3C5+7DugDnEdsG/V
BfvIZp+V9+1r1FdR+3UZ8LqUy8KaszuutCrQ5Tt4cgiHA6A6u/1HYb/FKPvm
P12UvVhd2ynSrsxVKkP+21bavnuzqEJMySVMYeF8blanBTEylzqNURpYKEKr
bPHnlENjQDF8v0Ell9BbWdYIVRuiXTa9u8r0VrXBcb76BkZtJCG7XcdyBaZl
MxRbRxftxGojVKg1LjsH1iVeY6kBx/U2Ws/jtMzAqSi8Xs6OsabTlGN6FqEa
X7F6hHthkdzl0bstxpjqVi7WwHfo6DJ12pI09GIpNUx5yECOrzd6ueGJffhO
3xOy01b5cpUHZz+8kgGxvn/3+P2SY3/AHMkSerK3S53h+JYZvv1n+83184sf
OnQ7rBOcbnR0/UNWkallAO1bMhHogWmz0GAnkgoBE9wxm4Y+wyWZOwRKRS9N
6KINfXnakHnRfhVFdHaJRGG0SwcaqZURVaKhJtx2Z/ni6P1Z8hNtfbEa3wtM
6F8Z5e+YtfjgiF9qouHITGHiWDv/44N0QWht8TYl7pZa3ZCC36iwGPeaR6fj
ntTWEq2u9UTouk4kLHqOzVO03VN+k2MX/5AtFCjDkI2qhkIDrrpnaXgcGlDJ
mZ26dEtL+GlE9XB7NdjTTx+sRcC+OsNM3/MGHhfPV3MxjDBnz58TwZ7XDoyn
qvbE2IBcJZhlWKtPZ9AR+AtV+rCdrPWh9ji175vCBtaXbZnir3zpcBcjUIXB
PFQBTF0eyW4K1mA8U/PFFpcFmlgMiyPl6SpXd2pRgI/Xe2KSEfjk1r+L8SYX
nwDNaMWrfBmwHoO85ipjr7xkVajQum9NvKEeoP86ZQq5laiKqLK1O4zqHCJe
+GNEWpmOYcxuKJVEw6UbvPXguAO7vjKURqAUyk0ozKABbKEfJYrbs+pVKqA2
E0ZLL7DqE9+6bW+NbVWPqIgDt+X+8XXt4wMnvyLW5Q/uVcrvXnukdroKJT7D
DtfWDp1+YfICla+pYJHeGsE6NbDsD7g4Pnxrccq25YIL/J4RDxl/d5i/Z1/C
lS7qVlU215r7Cxf8LSz/06r/Wtu4VwXgBlhK8nvzkluXBvarHYVr4VVKzWeu
DayAiXSMBWVu/faSCSvqWJc1r78McHkQqw5w/SHYCTp3YLNFv2nZ2+vBKTV+
pnNU7kbDvYcpYGwl0kl2vpyHkxPZtBiPiBskJQNjiPJXQu6IvNqYV1qFK6Zh
aNX0wZMLtAxjuqjGnT0AAe1jkvtA5TzY2Il4NSlUxUCEhbV+qIRZlgzj0Flo
wj5ldTTIek1eSvudO7Yv2qJSaVhDhlaqxtN1LFCVOFegssyr8kphcHepvjaW
LesbN3Ox+1+2bds9vqnChxxm+5LHjQKgXMajjUPDovkE4Co5Kah3SxWoEWWt
4uqAJdMJCS17qIKVSiaJtCWx2JykoQJzhUwRcVslS5TTAm0PhJCWQM5tdAoz
qiyEBgfF/oOQot6mvXfVPqSDQcsplmxjCEo2mJ3fqgTqiHgKZR0JCt2X4ojl
UFEQel4b/ixYyY06n6fScJvb4jqr5F5l0DyVYvwF0Prl/lJDX9dP1cPn98af
8W/V+POL1BPt11223v6EeqJ1fc/oZvtPlvWlik7WURceyQPXC3U1qbuV+3Nq
f6pFAm9CFi7cqaLGp5MC6qQkUsGZFtkENatvWDnrqK0Yi1Mp1NYD8F28ubjx
qeVDy4f9r1w1tASNzHJQ/BZ1Qy3RX1k79Fl16VDr889YPtRZzZOvvXin0oXd
Op2NOtbD1QjcK5eU+Dpqdbqxbh2UktKACkKl8oC15bBb1Ojcrvt+91+zM2FF
rRAAOXuDfm9MeIcipk+4ePodapjufpEapju1NUxr6O0LMam9yjKmn9Pn8eA1
TasByfCv84nc20H+j+sf+ZzVSj3gbF+59CELl1ZEvCvW+CCFTTvAhza3g/XL
KMVLXQH8+A60SHRFb3RaVj0lCQC4kKMGTtfspJCkBTu8aqkyEJRfyimppX09
pGFaX8ZVZVWf9LY7wdPeVkeKq+60sZE6XGPJKywKlR0pUwgON87VNdbWNV0/
W0nXZhZnFlDDR3e4zrjIHsJB4X3hiBqx4uPR7SKcA81TbqHmjJiO6TFIamiJ
b/vyVa7wGlOs34Vgg0wiVVGl6IjarC6FSE4qfOGqmm6p2A6uhVnIq3ABc2l8
pUyDQoEX5kmFxK/+Vht82tBFiQrhpPICQroJAmMir8uC8+DPwfrJUSc4vDg+
2tBeD9IQ8Y0O2gilvF5KZ1LVyISXRpSoRMUnYSj1zXI1gFO1S2xRqgTgHf4T
uIGqZ2OPIrL/iBi6JX2Mxg77DGfx3zQ+OHukPH7MxqCA/SByik5Z/cW00MtW
AwEKpwASaJTlbBrH4BIci0kcDZrXwvIYNLM4I9b7Lra0IcurXjoWhUrVm6pM
YAqHXM9Ao4O+UgF27XVEZG0DYATmcyKV2F8oHKHtD/LQKUPY37Q8XwgTwBYN
DV1++dz1emmg3t3vZar3CetygC3K+Ll9+dm1ZJmdxQtb6tR7LaQAufEpnNd6
E4Duq3nClqec+T38duxYFmgbh5UT58qm5Iey78m3QtIH09ilLvchlWOGlUUx
6VvyRWWk167a3cZ98kcQ/YX3G6GoZcCDukx8mGip0Yo4ilo0tTwQFLOQkjrg
WqDREa9bwTpTKdAgq1x7r/ZA+yJd3HSYDsdh0/SCCXo1bkPuu8v4Pbe8gXEc
kbTQIoCrbnKDK6bN0JMtTw7ASvFQHb7zCAzRJJiEmmAd66uJlQ0rtt1xswgH
ajfwF/SZ9XdtPraIHmLn1Kpj+zdyxD2EJ84ut6jReKvBG/dp7rj+zkP54z7F
IWeonpoVGO+cct/0Kqf4ZGcSEUz/yZ3cSf2dz+VPqjFxYfeOcllOEpcsM8so
qbaAD34BQFNhuNaIqDykCCmLVfAwJh/VUniHcTpczWEwcsnLBtUndLdYXeOX
CxBVywUAxyA5Y1Q1I7t7NfMpamDwU7wYJTd8a+u2QuwMsQN2pMJolpwqWDBb
vd1ev9fOjLFws4k7NTsHK1jAl+LI8J9/KhdhLSL/7ics+gm/Ukfhw7Y46v7u
KvzncBX+LhC/eoH4m3pyW4lkdI9c1XALbhp1N5/QZ+nQ9en9oJCetu5Cxg3N
uODHLJ4An8eSd86KH6BN12eHeGV3LoP0T7iaXQtH9qceTdupvtIOXg+OZQ/X
16uRWegmXz4v1c8mTfLuvb0aLk393ufrn6jPF2PK7x29fu/o1c7zZ3OW+Dft
2yXZ7g3MyrEiuHyF5tu2foss3NyRkdDOIJrErM21mcrq29R0O/ATGoS13Pbv
zcL+sZqFHb8HRoFW+KXWTCngB/KSiz7L0+6Qn2Kxw+dHa2vHI5BC6bekY0T7
+hYsX4LF6qvZKpXQKNVvkVmM/ivjFbnk096TViokhf65m5Jy+SA8dLl34xXS
RbXufa+5WCvFey8uI3hV3Iqr7MIWupe5zTXs6hIwmv2FTsJGoZjMZygU47Yu
+dQ6jGQNta7qINft9Qe0xKKrcAgMJUIfkUmOYOZNiyEfKLKcMbuJAH0pes0f
xTOcDSAhvaccL5JbMxzg3c2TbrTwFOJk21hP5V7FGWKbkiWxAS8KqepopnjV
Xa9CK4K71Ve9HZ2VHZ3W9W8RgD1PvbCKFSpZEkTjMWLzO7wIGc+B2rJEPJiF
Tw9VazjZGxxfjtHKVabi1C7+8SKLIeEQjnIkzfuKl2t6wcEM29iRQPFfWhVh
v5JK7sb/XVGKadPt3UWIf9PccsGoHepCS03hbS+HrwB8XeOvopps9Yxi8Wln
vX9yxyjf4VLV3INJGnFBrsSl/Bc15pOqpxuqjz/S/WQUGfrqq/LwcXMsFCbo
nYwBz/WMhCLI/5dRlK5nG3JZi+voFg6sUETILghjnXAYrBNhbdylFoQ6XNvk
JIRI30UkmlISS8xs9JGWXecPUc2UbhgUKv2Voh/kuFQxD48PodhZBVPFVE1f
7tgjNcn9+8Dy9/Nl/tks76Kt/bn2d8UqXK6vq5lSzyxe2Hgg5ltuXkS7D7lr
mUFZxtDEopNmOFhNthqRmVUVQ5Smb5Jfg9Nt6GQvKBzeUeM3skEJW89ByFLC
I3ZLgyVTFTLpZyV/W+cEb47jmY5qHBweA5zBsMLeHPL22auD4NRqy/QKwAQA
RfEqfwbrpzevtl5teHZjC77778nyubupmIMQlSwR3YXF020j3YUpCdbhrEcx
Ogw2nJSlrPyqRxVmV3DxbXj5MeEloM3BiDluik1FuJsS6Snid8xWS7ojjwbj
gLnNHOwNEJeAswAKrTJxfDGLZuPuHLdZaErBS0fYIvfgf/GA/DXxeZuI6Mq+
jKxYeSa/d4fO79I1hutVqiHcV1Q4S4etpExSo0MUu6SIdV1i55o1VDZ+CQq4
1FElzkm5EfJvqiUmecCoZizGsSS24RbLtSTse181/C2chNhgDxS+LIvfUS47
oEiYUvG9mjZ0BZhSejSlHTJHeCWlME+1vuBXgTKqvYnspuJmf1ilO7GiIUXL
7DoFbL60UKNcNkamExuUwmPvYjUXtSO9GrsfJ5ChcvvDQqIwt3oYixBjlS0N
h9eOdpKQkIe1A8tYpuRwwVfTcIy5CbRaqYWITnpq2BzbyFAotFHeFNFEHyfZ
Uu5PmJOebuFTtQ0lpUxdVM4F1OoTlxBTPii387f2QO0LY/7wwdtgG45dDZAA
m07G46pGktzxSXo4v0xuItWl3u21ioszCwM7UHDCbnCHT3KnLaDu3B1KObfK
fpacTlEy4dzU2eoWfgKL6rpp3JnJb3MoXyUsGRAjEzMXeAQwfh3H5VAUGteh
26xuoNos8WdkVBBTX8643EFGXkv1hK0ybVcIm0XpgOpws6Us3iBTyvwiGayy
HJSbTIxDyyFIM6hGLnfv7t6xyJ8PoFAEGz/W9UKQx7H7A83nII2zazbmgARi
PY5VhF1oyfi+Kh2HdlPjhU4Gk4/fHmh/3nMeiD0lgImmyE15zMxT/rR5k6ge
A6fmrbwH7YRY/tkFzlhYCxVFzlZyEOjOU4OQkbugfmXKJiJKXeVDyS4Jg2UW
gV7LtSGC8WrBkmn9/OLFBuUKnWJtFBaWsGrsNWUlWgLIB8pVwqQJwNDTWx25
CFLC2k5pMI3L2jkS8b2krT+B9vKX7unjrT89xr86im6YWwxiEHSj8DYYUBwz
eFHTEcW12DpmZSwDVBFota63r05e4zqfbsmeMUc9mIfvC28d/ExW9dYevea0
gqKbJLDaeSJBckA13tD2Lm8nWCd5V1iK4fq8ChyYiwU5IXc92u5O69FgtbQb
hBOsUTqunMyXWEoEjvpYSa4rlGVymiw8SLpJ1MH0kjMpNHgu83iSkpuHMqow
R0Z121uGsAa0eQaYDZRO0DFkqpgU/S4NYp9wEbB2QL9qVF5xmh1OmyWrdEhN
VFLdq8cURlnna10n5+oFqaKyuO4iu03V4w0KwFUMokWnSJsVlrxW22VAUIYU
saYu7V8pabf4+zQXDzUqQeJxK2kQcD7H4lYt71cmTiqXWLWkFiA221si91mo
+mRLclLkMbM7c7rD6yjX9+VyapQLYojQJRUUlE6cgwifqtK6lM02o9K6qFLH
amSTI6EQLBymoHRZ3NVGrYwR+YoaBh3ppBqQTkerSPcnVEqbz8XQEORmv6sn
63JFrc9GAGtHBtJCTHYPeXk9LTUk/CBapCRAOPU2q+oQ6dKfl3TvqzTfDaIW
ZupYEY7a2qO+jA3V3SkKU6WvmzUhD1I1P2+maMvH3LteeijxPS0uYW3KC92E
xaAXpl7OMjqeGK0q7Kk8nCpOE6xjft+oGy82qIGK012SlP+hfROOAiVxMfPf
ThTkBrSFblR1t4YpDsOmtISjpBR4VxfOUml6utqJZxxK0MtcFq7a+1ZcBDSV
Quk6U4iCvdLKuVNGSikP5Sbylf7HHKZy5c/isiwTyFytXVRvriLd29LtGdAS
WSYt0gty4s7e8BLlNelTNS4nK7XXCwYkmKywS/osGknpwFmSkBQkj1lNBCsz
FNoKL6qjW1gfUSny+n4yCxAhongh8Qv2TXtybpS18TAXbLygM0fW36w5M29m
fFgg/kKdrpqrnoqACxfpWxy1td5+9XpVYwZCjGBlcpH04rzRTZUn4eOWxawe
a60+9DOJ/WAmLqUNNa+A2GctEhKvc7vrFDhem0htDfzbV4dHKrC6x9XOa2G8
5/b214z7T1slK96PDDw10QvY7wD1TjSw127dzeTgXWQ7eqha/X2ooow2jYxY
a7ygEY9ICZ/FE9IXPSWFdZMnybuH7RSXyGgq0sNo7XepZsLdpVCL8V6/sM7v
2Z3wjhsd6GsYTDreJYjf82smuf6Th6c5gAXWybXuqXxO4uvvfiL1fSmiCxea
8ArYg9IkpWC67n+j7mR58RqsgFnCtX9ti1UVJ6H1qwHQp2UX4NaX+xy1Xt1u
T7lTI3eqztNktBoa4ml0LJQNKfJPiWGjsiJDsSXZ2VU2N9BtTs7yn0w4Q/md
tDFht8dSHmmmM2VPWhfKxGOnxWKF4CStP5OQS48v7OCpTdGIW/iaECXoWZjN
KGhrVcc2Lk2rvTPC1C3cwDa58EC/9uEFgaQJuSCQsoxfHgbaoCKPg92JyqZx
PW+xj4+VB5bF+Fa4iJJVhllrFCYsgsENJz4MPtSqU18ZVpCbNnpPDuSO6Q5S
7GRYd9mVHYm4YsfhbkeqkUHieOZXJ4Kv+grQ9O535U4zVq80KVdiYkSFVReC
FyZDCjOEcS6ehOv7S9Gc2vsGVMVKUmV4cH3ohsXWnngHIJHHs4IciHUU89Yy
lxVu192go8vB5B+4iCZhOiIxpHx2Pt6MYJRKM2W/2BBW3vFsPBP3KCV2gVy4
jkBS8r2LkWheYb5SE8dpwG3BA9UWvCOJHERQpO9Ye0LptkqjwgWETpDdzuco
d4fUl1cKblOpKXJ+ES8YRLdYA2Yol4fRKbUimFEZ7kznMtKcsHq+PowxDTuC
sFip7Ea5TmcDpSKrAWt88SQfP8orKb4yTifdEAST/hH7iM2iMEWPzSBNQkBo
hZUJJYOsFuxpJd2lcCYIN1ivamK5DO0DLO6WuJ4O2nA4KI0Gt2oQNe04ZWS8
dYayzwukdjRSXkY5Z7t0uR6KlsD3b3SDreCHN0dnl3Vw4y9UKPM1HOlZMbuK
VFHKR5SgpiT7NaQqK2W3ZXWv5kRDVrPRZTwj5aI2DazOZT1Y5bpOmtssi0QA
CzcsR4DMAoOAGEHhmD/fciiVlEed3krtZQq1UlYGql8J5VSZO1V64E55N5YF
cJcgUHBDfl/do0qZJqvFr6tM2Pe6uOSRCW0EIOvCGaI9AMARQTbjKiWPZ8Pp
sLu3t7WjUUgn9sl1BtUy4BLr2Q81XrwEiqRutfMlBWeElY7TcGJq369fHr48
3DDZY5Lg9HRrR65yDtXnAJUpjZjpRHQV6uxwHs89M5oQHZwECj6CQoYrBaRh
rbIIs66E215GiCXAKegd+8eL1UxpSKrLcii3S4/oXsgyx5QVMaKa7EFOoadU
iFxqalDuJs6KM7mNTuBwyKhTKZ7lXozmdlRVxjOJcbluUeww6tZiKG1KNoDr
6gUHUntcF0UpQSqaxb5LnvqWm1qz3OmndKF5TN92tLbE39xIYDHFemVZnq5U
jLVCybgp5HDQ2o4ie3Uqt5TVGgVvpzVaNgQKS+Okkcid63SNdE7XeCQKmavT
Rx+CF9cKh55PI8+xy+0G/A6Efqw6jqhQk923Q7F3zA29AXaeYzi2pfOCls4K
qDnGjNhEx+SfViBXFToZ2CN7Rbu0o3wBzHsxMRDvBVUAiDIj0CombUS7PBRo
KGngZprMIl6+MFiu7qkHI/XvqnCVS4e2aBnu/SE9fGoP0nF3JDwdNwBcRqt+
pju7Byo+zsHL4S7wSprGC5Vt70PKMOuqWoaYeW3BrBdoVSqWjC1e3SDKc87i
V7yP9CvQsOMFcR8XT3F/KlBqB9p8q8mnqfZ2tMnl/klhummFrnijEemcgG5J
b8yhxlhdQzjclekdS1BwXy1OL25FynTrRC5o4AIwY1tJUACu7m+jGqjVBMWE
4a2y4n2IJpq0LmFTxvLJweuDQrZyQ754ODSeoTSacOY1GzPsyAWLApik3D0v
AB04JCV7ELSQCzpVH9zbLqisdrvdYBAOr9foFs3wepHcAGWTBsFZ1aH77OPa
h322LaLRnx9RZP2RZFdzCaWM+R2BGBPnUOX4cDhNMT0Rk8nn2d//bwY2xMcO
/RCmmDAWPCctakGPOXvvwyvUQsGQPCUTF79QtBiTesBLJJUHNHvcg1I8SdGh
HhiMO0Y0Xd5g2c9vMRy6SMQ7fjAhu+HHk9evz348sC/7Hr+5OP4BDu/49Ork
sPv6+GesK5Vg/7bg8Jfzi+PLy97a/wfXzVZCohMBAA==

-->

</rfc>
