<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.34 (Ruby 4.0.2) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-wendt-stir-tn-domain-binding-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="STIR TN-Domain Binding">Binding a Domain Identifier to Telephone Number Authority in STIR Certificates</title>

    <author fullname="Chris Wendt">
      <organization>Somos, Inc.</organization>
      <address>
        <postal>
          <country>US</country>
        </postal>
        <email>chris@appliedbits.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    <area>Applications and Real-Time</area>
    <workgroup>Secure Telephone Identity Revisited</workgroup>
    <keyword>telephone number</keyword> <keyword>domain</keyword> <keyword>right-to-use</keyword> <keyword>service provider code</keyword> <keyword>delegate certificate</keyword>

    <abstract>


<?line 44?>

<t>This document defines a mechanism for binding a domain identifier to telephone number authority within a STIR certificate. A certificate produced under this mechanism carries, as a co-validated pair, the telephone numbers or service provider codes a subject is authorized for in a TNAuthList extension and a domain the subject controls in a SubjectAltName dNSName entry. The binding is established at issuance by requiring proof of domain control and validation of a TNAuthList authority token within a single certificate issuance, such that the resulting certificate attests that the same entity holds both. The mechanism applies to STIR certificates whose TNAuthList contains telephone number entries, service provider code entries, or both, allowing a domain to be bound to the right-to-use holder for a set of numbers or to the provider identified by a service provider code. This document defines the issuance conformance requirements and the relying party verification rule that together make the binding meaningful. It does not define telephone number or service provider code authorization or domain validation, both of which are specified elsewhere and referenced here.</t>



    </abstract>



  </front>

  <middle>


<?line 48?>

<section anchor="introduction"><name>Introduction</name>

<t>The STIR architecture (<xref target="RFC8224"/>, <xref target="RFC8225"/>, <xref target="RFC8226"/>) establishes that a signer is authorized for the telephone numbers or service provider codes carried in the TNAuthList certificate extension <xref target="RFC8226"/>, validated through the STIR certificate chain. This authority may be held by an entity to which numbers have been assigned, including through delegation <xref target="RFC9060"/>, or by a provider identified by a service provider code. However, STIR does not establish a verifiable identity for the entity that holds this authority, nor does it bind that identity to an Internet identifier that a relying party can recognize across contexts.</t>

<t>A domain name is a stable, globally unique Internet identifier for which well-established mechanisms exist to prove control. If a STIR certificate could attest that the entity authorized for a set of telephone numbers or service provider codes is the same entity that controls a particular domain, a relying party would gain an independent, corroborating identity signal bound to that authority. For a certificate carrying telephone numbers, the domain identifies the right-to-use holder for those numbers. For a certificate carrying a service provider code, the domain identifies the provider. In both cases the value of the binding depends entirely on the two facts being established independently and then bound together by the issuer, rather than merely asserted by the subject.</t>

<t>This document defines that binding. It specifies how an issuing Certification Authority co-validates the TNAuthList authority and domain control within a single issuance, what the resulting certificate contains, and how a relying party verifies the binding. The mechanism reuses existing components without modification: TNAuthList authority via authority tokens (<xref target="RFC9447"/>, <xref target="RFC9448"/>) and domain control validation via existing challenge mechanisms such as those defined for ACME <xref target="RFC8555"/>. The contribution of this document is the requirement that these two proofs be bound together at issuance and the verification rule that relies on that binding.</t>

</section>
<section anchor="conventions-and-definitions"><name>Conventions and Definitions</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

<?line -18?>

<t>This document uses the following terms.</t>

<t>TNAuthList authority: the authorization for an entity to use the telephone numbers or to hold the service provider code carried in a TNAuthList extension <xref target="RFC8226"/>, established by the authority responsible for those entries, such as a numbering authority, responsible provider, or service provider code authority.</t>

<t>TNAuthList authority token: a signed assertion of TNAuthList authority for the entries it covers, validated during STIR certificate issuance, as defined in <xref target="RFC9447"/> and <xref target="RFC9448"/>. For telephone number entries this attests right-to-use of the numbers; for service provider code entries it attests holdership of the code.</t>

<t>Right-to-Use (RTU): the case of TNAuthList authority in which the entries are telephone numbers, representing authorization for an entity to use those numbers.</t>

<t>Domain identifier: a DNS domain name controlled by the certificate subject, carried in a SubjectAltName dNSName entry <xref target="RFC5280"/>.</t>

<t>Bound certificate: a STIR certificate issued under this document, carrying a co-validated TNAuthList and domain identifier.</t>

</section>
<section anchor="overview-of-the-binding"><name>Overview of the Binding</name>

<t>A bound certificate asserts a single composite fact: the entity that controls the domain identifier in the certificate is the same entity that holds the TNAuthList authority in the certificate. This composite fact is established at issuance and is not derivable from either proof alone.</t>

<t>The binding rests on two independent proofs:</t>

<t><list style="numbers" type="1">
  <t>Proof of domain control: the subject demonstrates control of the domain identifier, using an existing domain control validation mechanism.</t>
  <t>Proof of TNAuthList authority: the subject presents a TNAuthList authority token attesting authorization for the telephone numbers or service provider codes, validated by the issuing CA against the authority responsible for that token.</t>
</list></t>

<t>Neither proof is defined by this document. What this document defines is the requirement that both be satisfied within a single issuance, and that the issued certificate carry both results as a bound pair, so that a relying party validating the certificate can rely on the composite fact.</t>

</section>
<section anchor="binding-process"><name>Binding Process</name>

<t>The binding is produced by a three-phase process. The first two phases each establish one proof using mechanisms that already exist; the third phase binds the two results into one certificate. The phases are described here to give an operational picture; the normative conformance requirements are stated in <xref target="issuance-requirements"/>.</t>

<t>Phase 1 establishes control of the domain identifier. Phase 2 establishes TNAuthList authority for the telephone numbers or service provider codes. Phase 3 is a single certificate issuance that requires both proofs and binds their results. The following diagram shows the process at a glance.</t>

<figure><artwork><![CDATA[
   +-------------+                              +-------------------+
   |  Subject    |                              | TNAuthList        |
   | (domain +   |                              | Authority         |
   |  TN or SPC  |                              | (numbering auth / |
   |  authority) |                              |  provider / SPC   |
   |             |                              |  authority)       |
   +------+------+                              +---------+---------+
          |   Phase 2: request authority evidence        |
          | --------------------------------------------+
          |                                              |
          | <-------- TNAuthList authority token --------+
          |          (proves TN right-to-use or SPC holdership)
          |
          | Phase 1 + Phase 3: single issuance request to CA
          | (CSR + domain challenge + authority token)
          v
   +------+-------------------------------------------------+
   |                  STI Certification Authority           |
   |                                                        |
   |  Phase 1: validate domain control (e.g. dns-01)        |
   |  Phase 2 check: validate TNAuthList authority token    |
   |  Phase 3: bind validated domain + validated TNAuthList |
   |           into one certificate                         |
   +------+-------------------------------------------------+
          |
          | bound certificate (domain in SAN + TN/SPC in
          | TNAuthList)
          v
   +------+-------------------+
   |  Bound certificate       |
   +--------------------------+
]]></artwork></figure>

<section anchor="phase1-domain-control"><name>Phase 1: Domain control</name>

<t>The subject proves control of the domain identifier that will appear in the SubjectAltName. This document does not define a new mechanism for this; it reuses domain control validation as already deployed for the Web PKI. The challenge types defined for ACME <xref target="RFC8555"/> are directly applicable:</t>

<t><list style="symbols">
  <t>dns-01: the subject provisions a DNS TXT record containing a key-authorization value under a well-known name in the zone of the domain. This proves control of the zone.</t>
  <t>http-01: the subject serves a key-authorization value at a well-known path under the domain. This proves control of content served at the domain.</t>
</list></t>

<t>Either challenge is sufficient on its own. The choice follows existing ACME practice and is operational.</t>

<t>Domain control verification is an explicit, cryptographically demonstrable signal. The operational act of provisioning the required records in public DNS, or serving the required content under the domain, demonstrates current authorized control of the domain by the party performing it. This is distinct from the broader entity verification, often referred to as know-your-customer (KYC), through which a provider or authority establishes the customer relationship that associates a real-world entity with its domain. That verification is out of scope here and is neither defined nor replaced by this document. This document relies on domain control and telephone number authority as explicit signals, and depends on, rather than specifies, the entity verification they rest on.</t>

</section>
<section anchor="phase-2-tnauthlist-authority"><name>Phase 2: TNAuthList authority</name>

<t>The subject obtains a TNAuthList authority token from the authority responsible for the entries it covers: a numbering authority or responsible provider for telephone numbers, or a service provider code authority for an SPC. This is the same authority token construct used for ordinary STIR certificate issuance (<xref target="RFC9447"/>, <xref target="RFC9448"/>). The token is scoped to specific telephone numbers or service provider codes, is verifiable by the CA against the responsible authority's credentials, and is consumed within a single issuance rather than held as a long-lived bearer credential. The authority issuing the token and the subject are frequently different entities; binding the two proofs is what makes that separation verifiable rather than assumed.</t>

</section>
<section anchor="phase-3-binding-issuance"><name>Phase 3: Binding issuance</name>

<t>The subject places a single certificate issuance request to the CA that carries both proofs: a Certificate Signing Request naming the domain identifier in its SubjectAltName, a domain control challenge response, and the TNAuthList authority token. The CA validates domain control and validates the authority token, and only if both succeed issues a certificate whose SubjectAltName carries the validated domain and whose TNAuthList carries the validated telephone numbers or service provider codes.</t>

<t>The reason both proofs are evaluated within one issuance, rather than assembled from separately obtained credentials, is that the trustworthiness of the binding depends on a single party having confirmed both at the same time. If a subject could obtain a domain credential from one source and a TNAuthList authority credential from another and combine them itself, a relying party would have no assurance that the same entity legitimately held both. Requiring the CA to validate both before issuing makes the certificate a first-party attestation that the binding was verified, not merely asserted.</t>

<t>The following sequence shows the issuance in full.</t>

<figure><artwork><![CDATA[
 Subject             STI-CA              TNAuthList Auth
    |                  |                        |
    |  (Phase 2 done earlier)                   |
    |  request authority evidence ----------->  |
    |  <----- TNAuthList authority token -----  |
    |                  |                        |
    |  1. issuance request (CSR w/ domain SAN + token)
    | ---------------> |                        |
    |  2. domain challenge (dns-01 / http-01)   |
    | <--------------- |                        |
    |  provision TXT / serve resource           |
    | ---------------> |                        |
    |                  |  validate domain       |
    |                  |  3. validate token --> |
    |                  | <--- token valid ----- |
    |                  |  4. both OK? yes       |
    | <----- bound certificate (domain + TN/SPC) |
    |                  |                        |
]]></artwork></figure>

<t>If either proof fails at step 4, the CA does not issue, and the subject receives an error rather than a certificate.</t>

</section>
</section>
<section anchor="issuance-requirements"><name>Issuance Requirements</name>

<t>An issuing Certification Authority that issues bound certificates under this document <bcp14>MUST</bcp14> satisfy all of the following within a single certificate issuance.</t>

<t>The CA <bcp14>MUST</bcp14> validate control of the domain identifier that will appear in the SubjectAltName dNSName entry of the certificate. The CA <bcp14>MUST</bcp14> use an established domain control validation mechanism. The challenge-based mechanisms defined for ACME <xref target="RFC8555"/> are suitable and <bcp14>RECOMMENDED</bcp14>. This document does not define a new domain control validation mechanism.</t>

<t>The CA <bcp14>MUST</bcp14> validate a TNAuthList authority token covering the telephone numbers or service provider codes that will appear in the TNAuthList extension of the certificate, in accordance with <xref target="RFC9447"/> and <xref target="RFC9448"/>. The CA <bcp14>MUST NOT</bcp14> include in the TNAuthList any telephone number or service provider code not covered by a validated TNAuthList authority token.</t>

<t>The CA <bcp14>MUST</bcp14> treat the two validations as a single atomic condition for issuance. If either the domain control validation or the TNAuthList authority token validation fails, the CA <bcp14>MUST NOT</bcp14> issue the certificate. The CA <bcp14>MUST NOT</bcp14> issue a certificate that carries a domain identifier without a corresponding validated TNAuthList authority, nor one that carries TNAuthList authority bound to an unvalidated domain identifier.</t>

<t>The two validations <bcp14>MAY</bcp14> be performed in any order within the issuance, and <bcp14>MAY</bcp14> reuse a recent prior domain control validation for the same domain identifier and the same subject account, provided the reused validation is within the validity window permitted by the CA's policy. Reuse of a prior TNAuthList authority token validation is NOT permitted; a token <bcp14>MUST</bcp14> be validated for each issuance.</t>

</section>
<section anchor="certificate-profile"><name>Certificate Profile</name>

<t>A bound certificate <bcp14>MUST</bcp14> conform to the STIR certificate profile in <xref target="RFC8226"/>. Where the certificate is a delegate certificate, it <bcp14>MUST</bcp14> also conform to <xref target="RFC9060"/>. A bound certificate <bcp14>MUST</bcp14> contain the following.</t>

<t>A SubjectAltName extension containing exactly one dNSName entry carrying the validated domain identifier. The domain identifier <bcp14>MUST</bcp14> be a DNS-resolvable domain name controlled by the subject.</t>

<t>A TNAuthList extension <xref target="RFC8226"/> containing one or more entries, which may be telephone number entries, service provider code entries, or both. Every entry <bcp14>MUST</bcp14> be covered by a TNAuthList authority token validated during issuance.</t>

<t>A bound certificate <bcp14>MAY</bcp14> additionally carry the JWTClaimConstraints extension of <xref target="RFC8226"/>, the EnhancedJWTClaimConstraints extension of <xref target="RFC9118"/>, and other elements permitted by <xref target="RFC8226"/>; these are out of scope for the binding defined here. Issuers <bcp14>SHOULD</bcp14> issue short-lived certificates as described in <xref target="I-D.ietf-stir-certificates-shortlived"/>.</t>

<t>This document associates no new semantics with the Subject distinguished name and does not require organizational identity to be present in the certificate. The domain identifier in the SubjectAltName is the identifier this document binds to the TNAuthList authority.</t>

<t>The domain identifier is carried in the SubjectAltName, not in the Subject Common Name, consistent with current PKI practice of conveying domain identity in the SubjectAltName rather than the Common Name. This binding adds a SubjectAltName dNSName entry and neither relies on nor alters the Subject distinguished name. It is therefore compatible with certificate profiles that specify Subject Common Name content for their own purposes, such as the SHAKEN profile (ATIS-1000074, ATIS-1000080, ATIS-1000084), which uses the Common Name to mark a certificate as a SHAKEN certificate. A certificate may carry such Common Name content and a bound domain identifier in its SubjectAltName without conflict.</t>

<section anchor="examples"><name>Examples</name>

<t>The following examples illustrate the two principal cases. The certificate fields are shown in the textual style produced by common certificate tooling, omitting fields not relevant to the binding. The TNAuthList extension is identified by the object identifier id-pe-TNAuthList (1.3.6.1.5.5.7.1.26) and its value is the DER encoding of the TNAuthorizationList structure defined in <xref target="RFC8226"/>; because most tooling does not decode this extension natively, both the decoded contents and the DER octets are shown. Values are illustrative.</t>

<t>The first example is a certificate issued to a service provider. Its TNAuthList carries a single service provider code, and its SubjectAltName carries the domain that identifies that provider. The Common Name marks it as a SHAKEN certificate, illustrating coexistence with the SHAKEN profile.</t>

<figure><artwork><![CDATA[
Certificate:
    Data:
        Subject: CN=SHAKEN, O=Example Communications Inc
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example-comms.net
            id-pe-TNAuthList (1.3.6.1.5.5.7.1.26):
                TNAuthorizationList:
                    spc [0]: "1234"
]]></artwork></figure>

<t>The TNAuthorizationList DER, as it appears in the extension value, with the EXPLICIT context tag on the spc CHOICE alternative:</t>

<figure><artwork><![CDATA[
30 08 A0 06 16 04 31 32 33 34
  30 08            SEQUENCE (TNAuthorizationList), 8 octets
     A0 06         [0] EXPLICIT (spc), 6 octets
        16 04      IA5String, 4 octets
           31 32 33 34    "1234"
]]></artwork></figure>

<t>In this case a relying party that validates the certificate learns that the entity holding service provider code 1234 is the same entity that controls example-comms.net, because the issuing CA validated both within a single issuance.</t>

<t>The second example is a certificate issued to a business entity that holds the right-to-use for a telephone number. Its TNAuthList carries that telephone number, and its SubjectAltName carries the business's domain. While a TNAuthorizationList may contain more than one entry, a certificate scoped to a single telephone number is <bcp14>RECOMMENDED</bcp14>. Telephone numbers in the TNAuthorizationList are IA5Strings restricted to the digits and symbols permitted by <xref target="RFC8226"/>, and do not include a leading "+".</t>

<figure><artwork><![CDATA[
Certificate:
    Data:
        Subject: O=Example Retail LLC
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:exampleretail.com
            id-pe-TNAuthList (1.3.6.1.5.5.7.1.26):
                TNAuthorizationList:
                    one [2]: "12015550100"
]]></artwork></figure>

<t>The corresponding TNAuthorizationList DER, with the EXPLICIT context tag on the telephone number CHOICE alternative:</t>

<figure><artwork><![CDATA[
30 0F A2 0D 16 0B 31 32 30 31 35 35 35 30 31 30 30
  30 0F            SEQUENCE (TNAuthorizationList), 15 octets
     A2 0D         [2] EXPLICIT (one), 13 octets
        16 0B      IA5String, 11 octets
           31 32 30 31 35 35 35 30 31 30 30    "12015550100"
]]></artwork></figure>

<t>In this case a relying party learns that the entity that controls exampleretail.com is the same entity that holds the right-to-use for the telephone number 12015550100. A relying party <bcp14>MUST NOT</bcp14> extend that conclusion to any telephone number not present in the TNAuthList.</t>

<t>A certificate <bcp14>MAY</bcp14> carry both telephone number entries and service provider code entries in a single TNAuthorizationList, in which case the domain identifier is bound to all of them, as permitted by <xref target="RFC8226"/>.</t>

</section>
</section>
<section anchor="relying-party-verification"><name>Relying Party Verification</name>

<t>A relying party that validates a bound certificate, in addition to the STIR certificate validation procedures defined in <xref target="RFC8224"/> and <xref target="RFC8226"/>, <bcp14>MUST</bcp14> apply the following.</t>

<t>The relying party <bcp14>MUST</bcp14> validate the certificate chain to a trusted STIR trust anchor. Where the certificate carries an embedded Signed Certificate Timestamp, the relying party validates it as it would for any STIR certificate.</t>

<t>The relying party <bcp14>MUST</bcp14> treat the domain identifier in the SubjectAltName dNSName entry as the identity of the entity holding the TNAuthList authority in the certificate only when the certificate is valid under the above checks. The domain identifier carries this meaning by virtue of the issuance binding; a relying party <bcp14>MUST NOT</bcp14> infer TNAuthList authority from the domain identifier independently of the TNAuthList, nor infer domain association for any telephone number or service provider code not present in the TNAuthList.</t>

<t>When a relying party obtains the certificate by retrieving it from a location under the domain identifier, the relying party <bcp14>MAY</bcp14> treat successful retrieval over an authenticated channel for that domain as reinforcing the domain control evidence, but this retrieval is not a substitute for the issuance binding established above.</t>

</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>The security of the binding depends on the issuing CA performing both validations within a single issuance. The central guarantee is that a relying party need not trust the subject's self-assertion of either domain control or TNAuthList authority; it relies instead on the CA having validated both and bound them in a single issued certificate. An issuer that issued a certificate carrying a domain identifier without a correspondingly validated TNAuthList authority, or vice versa, would defeat the guarantee; the requirements in this document prohibit such issuance.</t>

<t>Domain control validation establishes control at the time of issuance and does not by itself attest to the legal identity of the organization controlling the domain. As described in <xref target="phase1-domain-control"/>, the broader entity verification that establishes the entity-to-domain association is performed under the CA's certificate policy and is out of scope for this document.</t>

<t>The binding reflects the state validated at the time of issuance. Its currency over time is maintained by reissuance rather than by ongoing monitoring: each issuance re-checks domain control and requires a freshly validated TNAuthList authority token, and short-lived certificates as described in <xref target="I-D.ietf-stir-certificates-shortlived"/> bound the interval over which a stale, mistaken, or compromised binding remains usable. The lifecycle of the underlying entity-to-domain association on which domain control rests is maintained under the CA's certificate policy, as described in <xref target="phase1-domain-control"/>.</t>

<t>The reuse of a recent domain control validation permitted in the issuance requirements widens, by the reuse window, the interval between domain control being demonstrated and the binding being issued. CAs <bcp14>SHOULD</bcp14> keep this window short consistent with their policy.</t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>This document has no IANA actions. It relies on certificate extensions and token mechanisms registered by the documents it references.</t>

</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
<reference anchor="RFC5280">
  <front>
    <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
    <author fullname="D. Cooper" initials="D." surname="Cooper"/>
    <author fullname="S. Santesson" initials="S." surname="Santesson"/>
    <author fullname="S. Farrell" initials="S." surname="Farrell"/>
    <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
    <author fullname="R. Housley" initials="R." surname="Housley"/>
    <author fullname="W. Polk" initials="W." surname="Polk"/>
    <date month="May" year="2008"/>
    <abstract>
      <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5280"/>
  <seriesInfo name="DOI" value="10.17487/RFC5280"/>
</reference>
<reference anchor="RFC8224">
  <front>
    <title>Authenticated Identity Management in the Session Initiation Protocol (SIP)</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="C. Jennings" initials="C." surname="Jennings"/>
    <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <date month="February" year="2018"/>
    <abstract>
      <t>The baseline security mechanisms in the Session Initiation Protocol (SIP) are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document defines a mechanism for securely identifying originators of SIP requests. It does so by defining a SIP header field for conveying a signature used for validating the identity and for conveying a reference to the credentials of the signer.</t>
      <t>This document obsoletes RFC 4474.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8224"/>
  <seriesInfo name="DOI" value="10.17487/RFC8224"/>
</reference>
<reference anchor="RFC8225">
  <front>
    <title>PASSporT: Personal Assertion Token</title>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="February" year="2018"/>
    <abstract>
      <t>This document defines a method for creating and validating a token that cryptographically verifies an originating identity or, more generally, a URI or telephone number representing the originator of personal communications. The Personal Assertion Token, PASSporT, is cryptographically signed to protect the integrity of the identity of the originator and to verify the assertion of the identity information at the destination. The cryptographic signature is defined with the intention that it can confidently verify the originating persona even when the signature is sent to the destination party over an insecure channel. PASSporT is particularly useful for many personal-communications applications over IP networks and other multi-hop interconnection scenarios where the originating and destination parties may not have a direct trusted relationship.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8225"/>
  <seriesInfo name="DOI" value="10.17487/RFC8225"/>
</reference>
<reference anchor="RFC8226">
  <front>
    <title>Secure Telephone Identity Credentials: Certificates</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="S. Turner" initials="S." surname="Turner"/>
    <date month="February" year="2018"/>
    <abstract>
      <t>In order to prevent the impersonation of telephone numbers on the Internet, some kind of credential system needs to exist that cryptographically asserts authority over telephone numbers. This document describes the use of certificates in establishing authority over telephone numbers, as a component of a broader architecture for managing telephone numbers as identities in protocols like SIP.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8226"/>
  <seriesInfo name="DOI" value="10.17487/RFC8226"/>
</reference>
<reference anchor="RFC9060">
  <front>
    <title>Secure Telephone Identity Revisited (STIR) Certificate Delegation</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="September" year="2021"/>
    <abstract>
      <t>The Secure Telephone Identity Revisited (STIR) certificate profile provides a way to attest authority over telephone numbers and related identifiers for the purpose of preventing telephone number spoofing. This specification details how that authority can be delegated from a parent certificate to a subordinate certificate. This supports a number of use cases, including those where service providers grant credentials to enterprises or other customers capable of signing calls with STIR.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9060"/>
  <seriesInfo name="DOI" value="10.17487/RFC9060"/>
</reference>
<reference anchor="RFC9118">
  <front>
    <title>Enhanced JSON Web Token (JWT) Claim Constraints for Secure Telephone Identity Revisited (STIR) Certificates</title>
    <author fullname="R. Housley" initials="R." surname="Housley"/>
    <date month="August" year="2021"/>
    <abstract>
      <t>RFC 8226 specifies the use of certificates for Secure Telephone Identity Credentials; these certificates are often called "Secure Telephone Identity Revisited (STIR) Certificates". RFC 8226 provides a certificate extension to constrain the JSON Web Token (JWT) claims that can be included in the Personal Assertion Token (PASSporT), as defined in RFC 8225. If the PASSporT signer includes a JWT claim outside the constraint boundaries, then the PASSporT recipient will reject the entire PASSporT. This document updates RFC 8226; it provides all of the capabilities available in the original certificate extension as well as an additional way to constrain the allowable JWT claims. The enhanced extension can also provide a list of claims that are not allowed to be included in the PASSporT.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9118"/>
  <seriesInfo name="DOI" value="10.17487/RFC9118"/>
</reference>
<reference anchor="RFC9447">
  <front>
    <title>Automated Certificate Management Environment (ACME) Challenges Using an Authority Token</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="M. Barnes" initials="M." surname="Barnes"/>
    <author fullname="D. Hancock" initials="D." surname="Hancock"/>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <date month="September" year="2023"/>
    <abstract>
      <t>Some proposed extensions to the Automated Certificate Management Environment (ACME) rely on proving eligibility for certificates through consulting an external authority that issues a token according to a particular policy. This document specifies a generic Authority Token Challenge for ACME that supports subtype claims for different identifiers or namespaces that can be defined separately for specific applications.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9447"/>
  <seriesInfo name="DOI" value="10.17487/RFC9447"/>
</reference>
<reference anchor="RFC9448">
  <front>
    <title>TNAuthList Profile of Automated Certificate Management Environment (ACME) Authority Token</title>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <author fullname="D. Hancock" initials="D." surname="Hancock"/>
    <author fullname="M. Barnes" initials="M." surname="Barnes"/>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="September" year="2023"/>
    <abstract>
      <t>This document defines a profile of the Automated Certificate Management Environment (ACME) Authority Token for the automated and authorized creation of certificates for Voice over IP (VoIP) telephone providers to support Secure Telephone Identity (STI) using the TNAuthList defined by STI certificates.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9448"/>
  <seriesInfo name="DOI" value="10.17487/RFC9448"/>
</reference>



    </references>

    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC8555">
  <front>
    <title>Automatic Certificate Management Environment (ACME)</title>
    <author fullname="R. Barnes" initials="R." surname="Barnes"/>
    <author fullname="J. Hoffman-Andrews" initials="J." surname="Hoffman-Andrews"/>
    <author fullname="D. McCarney" initials="D." surname="McCarney"/>
    <author fullname="J. Kasten" initials="J." surname="Kasten"/>
    <date month="March" year="2019"/>
    <abstract>
      <t>Public Key Infrastructure using X.509 (PKIX) certificates are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certification authorities (CAs) in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. As of this writing, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a CA and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8555"/>
  <seriesInfo name="DOI" value="10.17487/RFC8555"/>
</reference>

<reference anchor="I-D.ietf-stir-certificates-shortlived">
   <front>
      <title>Short-Lived Certificates for Secure Telephone Identity</title>
      <author fullname="Jon Peterson" initials="J." surname="Peterson">
         <organization>TransUnion</organization>
      </author>
      <date day="6" month="July" year="2026"/>
      <abstract>
	 <t>   When certificates are used as credentials to attest the assignment of
   ownership of telephone numbers, some mechanism is required to provide
   certificate freshness.  This document specifies short-lived
   certificates as a means of guaranteeing certificate freshness for
   secure telephone identity (STIR), potentially relying on the
   Automated Certificate Management Environment (ACME) or similar
   mechanisms to allow signers to acquire certificates as needed.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-stir-certificates-shortlived-06"/>
   
</reference>



    </references>

</references>



  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA70863YbRZr/9RS15gfORhK+hqAwzCq2OXgJTsZ2Bjic+VHq
Lkm9aXVrulo2IoRn2WfZJ9vvUte+yPbMnDEckOWuqu9+rx6NRoM6q3M1EXuv
syLNioWQ4rxcyawQl6kq6myeqUrUpbhVuVovy0KJq81qBt9NN/WyrLJ6K+DZ
m9vLa3GmKnw+kbXSewM5m1XqDjamv91ejcy25py9AT63KKvtROg6HQzSMink
CiBJKzmvR/eqSOuRrrNqVBejlNaOZrx2dHAw0JvZKtM6K4t6u4ZVlxe33w4K
Am0ySGHrySApC60KvdETUVcbNQBgjgeyUhKAmq7XOUIK67WQRSqulcxHt9lK
7Q3uy+rDoio3awReJZtKBdgzVQDra3WX6axW6d7gg9rCmnQyECNRuycZGPyO
ocdPVbZY1qO6HG20wt+1qu6yRIl1Vd5lKVA1KVP6QwrbLAALkXiiDgaSaI7n
DAT8zDd5zjQ7W1aZFj8izegvZbWQRfYb4TcRN+Wq1ENxWSRj+qsCcHJALsFV
/yWRFCqdZbUeJ+Vqjx5Jyk1RI2/e3wwGRVmtYKs7oKkQ19+eHR0efmU+vjz8
8sR8PD16eWC/PTo68R9P/ccX5uNXBy/ss18dHr60H09OvvQf4dtBVswbZ788
PaX9Lkfn40zVcxaRgEp6pIFGdQ5LgCOD0Wgk5EzXlUzqweB2CWQCSdusgItA
5HlWKOC/WKlkCQTTKwHniZlTBeacyCJVaLJYSKcK91m9hOclK0QA1VhMw1+R
4ekmUanYFMj2GuHyQCSyqjIFLJMIXFKO7mSeoVCnYi2zagjPqxYYGrjeLVC4
CejL/6ikFnCOAfc32A2xJXhvr1Cf32S6FurXGrQGBIf0wtEAj7SbgGbVVZlr
XnvD307z+gqEUaRXN/R/hQI0FrewzhIUDle6lrM800s4XSI4eiMLAHi2FZX6
+yar8DmAvpwL+Necbc4jgAwpED54IILc86EuP6jCc0PDpnmkS+7gISCVLAE7
AAZRrJTe5DUCET4taxCsWvvHtMEQD1uWearFrKyXjK3nI6uWRqFpCoQW98tS
qxB8xBKw1W0BQ1KSPHSy1/8ZZRfAALnJ8/I+EmEAYQZUBrVOSYYR1cAYERKw
HwoE0EvVSNxArswSd67TiBQ5J7sBQ3J06Rvu5BgPWJOO42eWAIUPs1VmjuRb
EgpZAbHvVMUURAGoNsBV5km5UPBwJVbyg6JlVuZWCnhRLMBWjsUlwFACAEVp
gWnTuk+JnNoY2assZb1ADon6SLn7ZQZCBb5G6LVKmE4q1+oeQFSEWaXm8LFA
E4DfjdlSrbI0zcHQfwbGuiYTgfui3VIsQbJKluB0khq90v7Hj8bYfvo0FPaX
0/CXF58+PQt0zkgwasSiQDa2rMFTLQubqlQYCxGKc6A/3qYEgA2FN2v1Ehzu
Ykl7NFVFgDplhREmr+MruUWRXqqcZbCw+giyyvS30C/lHciDAosgNSGeDgHe
JN+QgNijjct1QKKPQiBRqVDEnyr735X3CqR1yPg4uXPMgJUszPCrMpsC9JYJ
FhnkF1uYOsJ/CLtVvG1Wk7Tzs24jIAPQBORIVYWqIx/GMhArVgIPVyopFxA3
gIgmVak1mSTgnQbxnFp5x4iDBEcQJmBBF3k5A4uzBWeW/X2jOs9EtJgr9yrP
R6EbcPYSvMOvKDkAOdJSWbsPijvv8KkYpOSpsc3eNBv0G3LtjNpThDvTLWNP
xzj/J4l4WbLJpbUHwxZl7wnMBdIOaAyMUmsI1GC/IWxUVeWsrCR5HMc6FFKZ
h9ZaBt5tLL4lhCJSgBrSkS30OFhoBjJ6pweoyTWZDXYe1yP9uw61DwJXCzaY
idTmb2AQQH6QS4EFZ3pp4gBSVpRsa+r7UswhrAPfq/C5UKYCKudb60oKR1Hj
LGZb54tQUYENS1aPAoSSjgKDAWizpgcR0LgvlCROGcDJ31j7D1aovCf+w2EI
rc+W0OL4bCqI9nTTpHrjhxg1gqNmtOMjnPvdwY2NO4a0K4HZ6XQNPA67ONap
1Aa5SBpMJ5SrNYghenKErNzUYlWmDuNJN153mWyGcdr4OcwOnGvD/ABdWwcd
ggARd/MALcFGqWKhQoNDwZ/URuKZi2wwpmc/XBhvBSnHp0+MLx2SzTY2/qwj
KTD2IghjnFnSLK8U2eowFDOiGMbCNvLpiXWAN8gL0oJA2jBqOCuLO1QTm9We
I0IZ/c5BBKSqAnNVLfZ+eH9zuzfk/4urt/T5+uIv7y+vL87x88130zdv3IeB
eeLmu7fv35z7T37l2dsffri4OufF8K2Ivhrs/TD9eY9FbO/tu9vLt1fTN3sc
NoQkxJiJY9UMvci6Uqh9Ug/AHidAeQ41Xp+9+7//PTwB/vyHyUc/fTK/YEYK
v0CkVfBpZQF6zL8CUbcDCMqV5LQnz8H2rLNa5pxrQeZ4X9h47D9/Qcr8bSK+
niXrw5NvzBeIcPSlpVn0JdGs/U1rMROx46uOYxw1o+8blI7hnf4c/W7pHnz5
9Z9zDINHhy///M2gadU21i7PS5tQAE9WGA50ae+Eno3jZPK9YWiGrqY3yIS/
oxtiU9sZhQfxZk/WGkWYoU8wJtybFzCHYKJ0hvGXd3s+2TK2QRoIyd/58Ctc
bWEcPpg+gPvuJh4bu4mNzVPjeoyd6VwRhIoIMcaBCYRN6PN9ZJ1uCPBW8OTd
A6BoDV9WiMDWkvoE5pYjgb7s1MSnJlOOQgvj0A2jXxHgO1NZRMXuxHGJXmZr
uw/F14PBtT3iPRyxf337/hkLIIYTvTQDDDkMDQlHRqcdOFUKzI9G0fWc3y3W
Ydg0GJw3q0fI3fOrmyiSNm4r9wIacsnEG8NY7ndVXJhhWIwDhg0Gr8nNBFtO
uiJpioCiYpS1AcMw1osqUSF5vRf2yJJDenuHbFb3lnWm+ovpxKwJmZF4HRRs
MIbAIivFeZNWXuTi8K5os7I5aYxod0RvM6yecKu9k0lHYwh3FbiQRpktPVTZ
HWV986pcCZVRBMBFL5mDCI7ZWdsAuCI9QH8PEUQQ2ZpoYjIYHI7Fu+6a2SQq
3KVqBSarrii4tAGTYU2LfkMQauJ74YOo/ljLBVXjwVEATb+fsDAZHdO7a3ls
DboV8Yk1i9A6BhkABeVTITFR0/WDroKKTgAZ8Ooq4mDmzSntHijTWPzI4WBX
6tAXPFKKNEOZrTNNVYf+SF/aKoBLa9J23sY7ci6g2cGxLnJtWdt8s5kEGF5T
yUQ1ti1EmJnFWkGGwLaXQDASpXUs4IC6K4hTSaVeVkqN1ku05GtewfH3PKuQ
NxhJLylrVBJsua+poAAwG1h2g1CfkcorJdMtC/QrlpxlVqW8HQGkXXJpSQSR
aEk7N/RfWSDQf/j4lGp8sGKR3aHai3KtKhJWSOnXGZXu+GTXV9lRBMUSYk2i
Sr7ZsnoUPkWG/h0hcBgV+x7ScNBTWnUUrdoZazxBz+zux6Za1F+Et3kNocSl
dJspoUQ7rmSV5YmRBheWpplcVHJFEbwrM6DYCJLkRY7HAJX++OMP7G89H4U/
z8XOn/hhswR3+V1YTyz4t10/v4d0td/xLvuGMc8fs4uvFDR2gf2RFzfvzh6x
y34c0oov3C6O5c8e3sUz/As+1+0SP/bALsGRAUaG7M+fyKPnMY8CIIysT0jQ
VCTdCrFAQQwBcEs7+N/70zz0CT/xoV/bHXd5xQdO3acyKmp0Ix5nMfGR9bNB
HxjWrDy3yjxpeh1HTjB5Z9No8f7ZzTWstEGDK8A8byISnn/XZv5T6d9BeAh5
e0tuDdyfyLb2akOziYszmmHTvhovxiIt9Ojg8Fn36iMgl0o+BHvsEIPWauAS
dQSCNNCamM4AvoV3l8vbjfc/x7FwJ/u5I0OwlhJHTqZXgM3t1RcoyThdESz0
mD1FsKzotFKmDjS7EUHvMvjsMy8A5zHfP35GAcOhnWcx33/iaMgHxKS0Dzlv
dpr3WZ4LX9Ki/lmUHbaasI0GqBQFpGfxAAQGqK8wBzdF3f6oH6NHE1JBWpKX
26CN+KOaiXffX5rCqVN+nNfRO0utHE9BKJBQ8Z5HdSDyxnEOozXNFKLEYRyq
elKCffvTLTWzILAz1W1OYD+o7SjOH7jjwImv5N7UhwKrgNzmYor+hpoQ8cFQ
tZtVv1EKNxLLul63YMVYiSYy+mChgCUAZC3BP9vM/MHzqWNXmGMoAw0WDQYX
nKl4bmRYA5+DnGe4CoDIMNW8LyzXSozrOM4KivvEsTXO1GQ+tQ3iXF/8cDIT
1rIxHsSkEhmbYYmh2q7rEgK49RIewU6iS1Qx4eJ2GEMUBtOYcQPKjvs2NTGB
ZGpEgMZU1hsIbxMUDl+jaz5uadck9rCRN2+qikrVvsPYrasmueT0CeDGEJ/S
ndqwD/WSKAqIUCmA+itVKVMuq2WNgQcAfQ4Q8vAAQow9Xi1QTkbbclONko2u
yxUs3v/+57NnQ9fbNvMIPl4rw6mleD4AuG53gZyOR+Sw+Mb5k9ZlkhEZMD+U
+ei+rPLUAouZKUmQl1JY1OQ99oKAUjoBZgo3EYHFEZNIW+OAHe4KzIpMOpPp
2LD5tkjH1NCOmS2pnSQaSTOdMNt3RLqHrUHX0huGBakISWw0UNkGFo8Dl3DU
3faK7X854zGgnfUQJy67ahQdpeFJdzlbEKXbBW3eqF0aNR31nYVuWyQFB+3l
3VXfmgglpGCbhLoO7BdAd7NCVtv+4vWO1iCbC94bjRwKGymMYV/ytJIRbBFM
axjNbpSLQgI69D4HgwGqilLiJIsKh4UGue0v5kQiR0MuVKnJy2IxouFGMQOf
jwC63RnloGppqlq1I4TtLFpRQ0c7p/id+uRpNqeppJqFGgTnlavR2KKIycsz
zW1lnLcytRWtwNIZT+ZJFaIB1gNxDjUCItXXrgrEmDeiIdT+h+oHQQpi+ML1
YZ6jDAsKKP/BoLK4AY3Hw6/NDuD2LbadBWU0bnGANfRDdtbiePdqRMKV5naF
8cw+gN33//vnH42pbmwRdDyzOaOtN0misHyE1UDdmOPgGcRGO8FSzQxkxAkE
7t+eXOxc8ZRSEfMcHIoui7j+AxKqMDCiLY2y4J6+6NmQMLWaYTOFDKQRSSpN
klVFXx1qYxbMdIL10SDhFR6BlaOeMZQyUFZ27Ut5xxMPxTyrUKcJgXBStM4w
EKcpJj9Di1NBDFUgQQ44RgAx1eDZTZTV4xKaqyTE9zRUgHlMuZrRoONSrVB6
VT7vG1GiObmiJDWtfF2u2TDJ1QJsw4rJyuN3NPt67eZ3rQ6WPns1VWww677a
bm1HrNSSi7wjhozr/tarGmgsS+6ltco40odJTWNsx8iVrxNqsnWAmS8UOiMC
5MeJelslDEp77gcc0QgQi34CjuCHgRCdJYTeqsLvdsW+zfxT5DoYd4hnqme7
VuwoZAV56TfBCq4qPVhSClY8HY/DcdswUyXo/gsr5py8B6WfVpHtm0ccdDRu
l5b2OT8UX9js61mw4uvGIY84wyUXlFN+wXkVmnVWyvaKfwCPDhI3K0cPrzge
+0WWk9/sWoHEME/SQsP5XWecjFmP337/Z7EF1Y2hMrLVX7Wx5Zpn/5B0UXEF
TGjUbJvLLKcav67VWpwMrelxVQ5ye8NW4AOZocooD4c8tKow+g29SNTpoXFs
K9DXYXfm42fd/ZjBYPrwoB9P67JXbtFMd/XiBc0fcR9wS9NLxkV5+/aYKw/G
KAKVaD8nNf+iglNjHMHObDRbZ/Z4rEcjE4K2+WOazHFRaTSTOp4kfrC+BMyh
8WW+/eUHqB5XL3tUH7ybzDvTOkrSXLj9hFHlPt50jki1eTKkwZIEyyUk5pTI
7xwFCnHDGTQeqFcd58pi+4RrFkhqooLtBXdPnDRC55jWNQSStctYPHNMt9vo
hqzLFaSBwMM0c7METkmENzWBNnQw3GTaO5gaPEz2ylkpTzw0A7v1xD8Wh/BR
otN1Y81O30qaNqd8hIKn3XTl6wVl0TigE0s3pw56vClaKUM0EnTbwZQfpj/j
gIOpkJkhpwJrEqmB3whVPOiAy6hATeFswgMxmb+Y08ErWxahcLZNKucl8M8u
R07oMuTQyqm9lURlimDvTIeg0h+4JFak5T0it8rqYOTkbPq5Fusyz5Iths5m
TE4aFB4nTXAkioXb+xWOTtBDJDKzMBtD1GlYInADn0Wp8LuqnGd4+6hrNos2
NGMKNs1ulWXWvIMbI+QpTJx6oZGI9iyW7LzoOsRyFR0IOVoZnhpczMEblf1g
1vbKonONdIWl4am8RQy6BOpXSX0HlP3YlflLFl2ZcThWcdvpPy1TqEcxwhgy
5zGw3fOA/s7B9MGJ1xARalpUYoUplxtq5UqwuTv1z140HIsLMNRbQx6LXmS9
HxZkP6MaSGYnb0HfZcq2mpoEPM2EJPrvH2/PcpmtzrhKn2FwFrm7aCgYV1wU
SzwqfdxKvKSMK6m6Qj4BKMcxYKTYwTE04oO2CagfFbytDfJ1BY5UaOycAk30
9GYKnC0+3Wg2Vb8oSKTR3WAu/uPHR92LpoGhOMwJCvtFSSGOVisJkpuwWQsD
PdO0WGw4XCOx5RFQEyqZYDi6hi7z6Goa2nse/OsZrtwx0NnQYlNVjgLVEDUz
PlT2umnjljrOa91vbJb+KMWI/iTOytUKRIf/jmVeOAvBICra3tG77y99/4zb
dndqG0xYOlp14xxmK+RN/KEmgHWX2NNUPzQyjMyzvRffRsEAQOY1SuNu5tNF
J+ZCxRUeHAAErqNtY7TbTsIWjakav+2inuvHGY3JKkH90E21LnU4oE/QfTf9
/uLKeaD96e3lzejwAH6+hKzQ//byIPrt5Jk1ie6uQwgBCM1KVh8aIRcFkebA
HXf80ciyiSJAuzDjmh6bukeWm108h24Rooeaq+kXv8rVGqjaLHgp872A1GDD
HcyglA9Be7aWOd/AMzlVgAFAgWPRlC7R1RgjjHgndAPLdL3Ng3cZzPD2GiEZ
BaglBDnFApwG2kmEyWzLliJXd7Jwlfvoclmns8M2UnQBF5eV5uUGAe3S0VqN
gh32D8fH4xfjw/Ep/PMl/P/oBV8fQxJz590YkvOLa9ALcHjkROeB2XCtetqR
21WbSrWuT1gPMFOJxMBuVVJvgugQJpTkVMlYefwKmgjNt+YyOeUe9KDrT/ur
8QhpmdSqDng0Fn9FZPgbx3TY0tZCaYLWiAXHYB03ATCYbwUBqOe6q+7vUqqe
y6CWzDsaDe4tE7KOL4zKOjj/tqGfqJx8WaRbJYcBBahCTxMMymW4bcthqr9B
XDyhWtW5rOXEDRMZRCbi7OpPvH4o3v7J6CBBuCnc62Uui8Qt/On04Ku7Y89u
PRmEVS7zZ2sMp2h9WSAI3/hhAuvqZmJ4OULd0+NC1dFTj1KE9sYdAt9+CH/0
OhG/HPxtIvYOj45P9rhMd9ujMiCwdN8IOUZlCm1NilcA0sWh58/FT+/eXJ5d
3trL6KKWCztojoeffff28uyCPVVhXhVDUBwfiIOXYgr/fSEOX4iDE3F8KI6P
xPGxOD4BXPjvwc/NxV/eX1zBXvsdsIOjeGmUjenAG9sfIIGHdB/ggudfRM/D
D0NBP5fT05u6Irt40nwMfgJI8deQtpfmyiRdc2o2ckhf4hZhqN05kLwIWl7B
G0y4O9IV9ePZD1+Fb0nh0Jk/m7qbGxbB7Qu0cH0NcGOvtMICzeMM1gyH/rF1
1321J5qB5ZcCNDOgXhPHJGs8/SjLZoH63E/F/LjEGEV2qghFDSaBpdSNYjzq
CGGsNmyg7+caHAFbWR3QLC5wtuqKUdEuhgfdiBNWTUMtFUQdyr1GJs0WmfFJ
eruaoSz05URmrqY0YTMXDCVKJYnf3vO9J5pfb3OvFVAsF2/enP07bG1Fp+Hr
sv6tthZZ9ssR29qDw9PT0wOIYgOTGxf4eg3wo0xrS4p22tlvxfRIHJyThXtt
rdcBfTi1//Kv8N8DY3y/fYrxPTyNrS8d56zvUWh9AWhccNxlfl+3zO/hYb/9
7cXAGOUmE3ba5h7j22lGvYA94spiy6518i+AFjOVGDZXYiZtSR1QoKLklKm4
21HGR0Vu5PFe/KmO06zgBFfQem8Sky3ZfT84cBgd8jL093yJFT3jPDooXbtu
2ooilD4TRlXTa0O7d0S7vwaTf4jxTo8s24Ut7r2YwlZvbTUo+9LVpnRTqfbF
bX4ZlO/WWLvL1dT1Ot+2qqI8eNMSBt9MbsQQ9DYmdjg0MQOnE7D0C5ycACv6
Sr4uYSiEAo6nmNXc8HX3sBKN72HUNSjC0NTaO+4hKhv3w395fIXHDdvTgv04
+j7RY2tNjbpJWHmqXa+zEVX1doc67ie7l1V0Vcu5Te+nk+WMXpKE90R0X8nM
RyL0hkF6FxqK9F1W1f5VO/41fJx/v2oZr6DPN1c9/Qk3k9pFzfB9PFFSzfpa
0JsIcWs7aGYKkv62/VO7iLvs0o9I4iaOdvC2SXp6NyHanTue3jZDViIvTVO/
OTAeXaJuSzCaQRY9Gs7Ter7J7QkSzNAdtaKIsLhNQrEydpULlfvbx45OsJTe
k5k0Bhdt/8vOBEFAvjGXj/1h5ko6zaVpENtN7V1IUyriu+0ofGQN6R2pyH+s
oSMLZPDCGW3/2D9N10gPgkF58hJhp7A3VzClK0AYcFpsZCUhoFFuvK/J6ULR
dHltjFbQZYEoHUfkRtHbN+xYekzXnjaduTiTs5sC+yhTiyVgZ2YFGzkQ3XJl
V0Rjeg0U47I/eO/CvLMqGCJJ+1/R9eiecL59sCsMSJO64Sy5HBrLC17IGlJH
+1dG8INxmdbLfkBnl9ksq7lAGiR+zcsj3vd1XW+2vX7wGoIu4AevXHDVNlBi
nn50L4xjR4vtx7xlwsPOhWvJxfoFbGh1X7qvd5mW046LHczH5j0MfhADuw6b
mOmgYe4NELWVo3I7tZjdHZ12Jyq8UtF878Q8V0lt4s86iEL8zaIm0TmB5jYH
HEu2jJ5B94PtNWnfjABWq2vUfYad10VJ86FlkdUlRumTuHUNa0fs9rompN09
comz7Xr5oFSHs9P/+labV2x+pZUz8fZSDlAW36K4ApgkwVFW1EABJ5PhjIFn
x4rc00Zj05hNXp7NVbJNcufJSRLY1O0Un9LGxw0C8rtGYmY9KF3DDur0qIIL
xtzAgxnd6B/a8KF4Ywwkti73qMN6aFsCfAJPXwxj6s9UfY9vA20cyW8RDK56
pa7QblnAj7C9HQM1XJ/2g1Jr1iUz70ES0Gr/cRfLTH3QXOH0atrhN0MjCXTE
liw9Kel9sJoabr5R1/mmVdMloE57MBdXqQUCVPneiT1Is98yr6XV48H/A1pS
w+keXgAA

-->

</rfc>

