<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.34 (Ruby 4.0.2) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-wendt-stir-vesper-08" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="VESPER">VESPER - Verifiable STI Presentation and Evidence for RTU</title>

    <author fullname="Chris Wendt">
      <organization>Somos, Inc.</organization>
      <address>
        <postal>
          <country>US</country>
        </postal>
        <email>chris@appliedbits.com</email>
      </address>
    </author>
    <author fullname="Rob &#x015A;liwa">
      <organization>Somos, Inc.</organization>
      <address>
        <postal>
          <country>US</country>
        </postal>
        <email>robjsliwa@gmail.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    <area>Applications and Real-Time</area>
    <workgroup>Secure Telephone Identity Revisited</workgroup>
    <keyword>telephone number</keyword> <keyword>domain</keyword>

    <abstract>


<?line 50?>

<t>This document defines VESPER (Verifiable STI Presentation and Evidence for RTU), a framework that composes existing STIR mechanisms into a system in which a relying party can verify that a telephone number was assigned to a specific entity and that the same entity controls a specific domain. VESPER builds on the telephone-number-to-domain binding defined in <xref target="I-D.wendt-stir-tn-domain-binding"/>, the STIR certificate and PASSporT specifications, ACME-based authority token issuance, and certificate transparency. This document describes the roles, the certificate usage, a domain-hosted certificate repository and discovery model, a PASSporT usage profile for SIP signaling, and a portable Right-to-Use Token for use outside of SIP. It defines the framework and its composition; the new normative binding it relies on is specified in <xref target="I-D.wendt-stir-tn-domain-binding"/>.</t>



    </abstract>



  </front>

  <middle>


<?line 54?>

<section anchor="introduction"><name>Introduction</name>

<t>The Secure Telephone Identity (STI) architecture, based on STI certificates <xref target="RFC8226"/>, PASSporTs <xref target="RFC8225"/>, and the SIP Identity header field <xref target="RFC8224"/>, provides cryptographic integrity protection for calling information in real-time communications. These mechanisms verify that a telephone number was not modified in transit and that it was signed using credentials authorized for that number. They do not, on their own, establish that a telephone number is being used by the entity it was assigned to, or carry a verifiable entity identity that a relying party can recognize across channels.</t>

<t>VESPER addresses these gaps not by inventing new cryptographic machinery but by composing mechanisms that already exist. The one genuinely new element VESPER depends on, the binding of telephone number authority to a domain identifier within a single certificate, is specified separately in <xref target="I-D.wendt-stir-tn-domain-binding"/>. Everything else in this document describes how that bound certificate, together with STIR PASSporTs, ACME-based authority tokens, certificate transparency, and the existing STIR certificate profile, fit together into a usable trust framework.</t>

<t>The result is a framework in which a delegate certificate serves as a single, auditable trust artifact: it carries the telephone numbers assigned to an entity and the domain that entity controls, and it is recorded in a transparency log. This document defines the roles, the certificate repository and discovery model, the PASSporT usage profile, and the portable Right-to-Use Token, and it points to the binding specification for the underlying credential semantics.</t>

</section>
<section anchor="conventions-and-definitions"><name>Conventions and Definitions</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

<?line -18?>

<t>This document uses terms defined in <xref target="RFC8226"/>, <xref target="RFC9060"/>, and <xref target="I-D.wendt-stir-tn-domain-binding"/>, including TNAuthList, delegate certificate, domain identifier, and bound certificate. The VESPER delegate certificate referred to throughout this document is a bound certificate as defined in <xref target="I-D.wendt-stir-tn-domain-binding"/>, used within the framework described here.</t>

</section>
<section anchor="framework-overview"><name>Framework Overview</name>

<section anchor="the-vesper-delegate-certificate"><name>The VESPER Delegate Certificate</name>

<t>The VESPER framework is built around a delegate certificate <xref target="RFC9060"/> issued to the entity that holds the right-to-use for one or more telephone numbers and that controls a domain. This certificate is a bound certificate as defined in <xref target="I-D.wendt-stir-tn-domain-binding"/>: its TNAuthList and its SubjectAltName domain identifier are co-validated at issuance, so the certificate attests that the same entity holds both. VESPER uses this bound certificate as the anchor for all of its trust assertions.</t>

<t>The VESPER delegate certificate is telephone number scoped: the telephone numbers in its TNAuthList represent the subject's right-to-use. It is delegated from a parent certificate held by the authority responsible for that right-to-use, typically the subject's TNSP or a responsible provider or organization that is authoritative in the telephone network and identified by a service provider code (SPC). Following the delegation model of <xref target="RFC9060"/>, Section 4.1, the parent certificate may be SPC scoped, and the telephone number scope of the VESPER delegate certificate <bcp14>MUST</bcp14> be encompassed by the parent's scope. The chain therefore expresses that an SPC-identified, network-authoritative provider has delegated the right-to-use of specific telephone numbers to the subject of the VESPER delegate certificate.</t>

<t>The certificate carries the following, all as defined in their respective specifications:</t>

<t><list style="symbols">
  <t>Telephone number authority: one or more telephone numbers in the TNAuthList extension <xref target="RFC8226"/>, representing the entity's right-to-use.</t>
  <t>Optional self-asserted TN attributes: a VESPER delegate certificate <bcp14>MAY</bcp14> carry the TN Attributes extension <xref target="I-D.wendt-stir-cert-tn-attr-ext"/>, through which the number holder expresses self-asserted attributes about its own numbers, such as the originating providers it authorizes, do-not-originate status, and text-enabled status. These attributes are carried in a dedicated extension, are distinct from the telephone number authority in the TNAuthList, and do not extend or modify it.</t>
  <t>Domain identifier: a domain name in the SubjectAltName <xref target="RFC5280"/>, bound to the telephone number authority as defined in <xref target="I-D.wendt-stir-tn-domain-binding"/>.</t>
  <t>Optional claim constraints: JWTClaimConstraints <xref target="RFC8226"/> or EnhancedJWTClaimConstraints <xref target="RFC9118"/>, authorizing additional PASSporT claims such as Rich Call Data <xref target="RFC9795"/>.</t>
  <t>Transparency: an embedded Signed Certificate Timestamp as defined in <xref target="I-D.ietf-stir-certificate-transparency"/>.</t>
</list></t>

<t>VESPER deployments use short-lived certificates as described in <xref target="I-D.ietf-stir-certificates-shortlived"/>, convey the certificate chain inline using the <spanx style="verb">x5c</spanx> header parameter, and include the <spanx style="verb">x5u</spanx> header parameter referencing the certificate at its domain-hosted repository location.</t>

</section>
<section anchor="domain-as-a-corroborating-trust-credential"><name>Domain as a Corroborating Trust Credential</name>

<t>Prior STIR specifications establish telephone number authority through the TNAuthList but do not bind that authority to the entity to which the number was assigned. VESPER relies on the binding defined in <xref target="I-D.wendt-stir-tn-domain-binding"/> to add a domain identifier as a corroborating signal: a domain the entity controls and for which it holds credentials. Because the domain identifier and the telephone number authority are co-validated at issuance, a relying party that validates a VESPER delegate certificate obtains evidence that a specific entity, identified by its domain, has been assigned the telephone numbers in the certificate. The strength of this signal comes from two independent trust chains, telephone number assignment and domain control, corroborating the same entity.</t>

</section>
<section anchor="scope-of-entity-verification"><name>Scope of Entity Verification</name>

<t>VESPER binds two mechanically verifiable facts: control of a domain and authority to use a telephone number. Entity verification, often referred to as know-your-customer (KYC), and the legal identity of the entity are out of scope for VESPER. Whatever real-world verification a certificate authority performs at issuance is governed by CA policy and reflected in the domain identifier; VESPER neither defines nor replaces it.</t>

<t>A relying party does not inspect any provider's onboarding process. It verifies the cryptographic binding of domain control to telephone number authority against publicly auditable infrastructure, as the Web PKI does for domain-bound certificates. The domain identifier serves as a persistent, publicly verifiable network identifier to which telephone number authority is bound; the association between that identifier and a real-world entity is established and maintained outside this framework.</t>

</section>
<section anchor="user-identity-and-delegation"><name>User Identity and Delegation</name>

<t>The VESPER delegate certificate authorizes the entity that holds it to use the telephone numbers it contains. Within that entity, individual users or automated agents may be further authorized through the entity's own governance, without being identified in the delegate certificate. A single telephone number may be authorized for use by multiple users or agents, as is common in shared lines and call center deployments. Where caller identity at the individual level is desired, mechanisms such as Rich Call Data <xref target="RFC9795"/> or other PASSporT extensions provide optional paths for conveying that information.</t>

</section>
<section anchor="certificate-repository-and-domain-controlled-discovery"><name>Certificate Repository and Domain-Controlled Discovery</name>

<t>An entity that holds a VESPER delegate certificate publishes that certificate at a stable HTTPS location under its domain. The specific path is not prescribed; any HTTPS URL whose domain matches the dNSName SubjectAltName of the delegate certificate is valid. The TLS certificate on the hosting server matches the dNSName SubjectAltName of the VESPER delegate certificate, validated through standard Web PKI TLS. No cross-signing between the STI delegate certificate and the web TLS certificate is required or defined.</t>

<t>Because the domain in the delegate certificate and the domain hosting it are the same, retrieval of the certificate from its domain provides a convenient discovery path and reinforces the domain association at retrieval time, as described in <xref target="I-D.wendt-stir-tn-domain-binding"/>.</t>

</section>
<section anchor="token-representations"><name>Token Representations</name>

<t>This framework uses two token representations derived from the delegate certificate: a PASSporT as defined in <xref target="RFC8225"/> for use in SIP signaling, and a portable Right-to-Use Token, a JWT <xref target="RFC7519"/> that provides portable proof of right-to-use for contexts outside of SIP signaling, such as cases where evidence of telephone number association is required. Each is described in the sections below.</t>

</section>
</section>
<section anchor="vesper-roles"><name>VESPER Roles</name>

<t>The VESPER framework uses the roles defined for the binding in <xref target="I-D.wendt-stir-tn-domain-binding"/> and adds the operational roles needed for the framework.</t>

<t><list style="numbers" type="1">
  <t>Domain Operator: the entity that controls a domain and holds the right-to-use for one or more telephone numbers. The Domain Operator is the subject of the VESPER delegate certificate, publishes the certificate at a stable HTTPS location under its domain, and uses the certificate's private key to sign PASSporTs and Right-to-Use Tokens.</t>
  <t>Right-to-Use (RTU) Authority: the responsible provider or organization, authoritative in the telephone network and identified by a service provider code, that allocates telephone numbers and issues RTU Authority Tokens, as described in <xref target="I-D.wendt-stir-tn-domain-binding"/>. The RTU Authority holds the SPC-scoped parent certificate from which the VESPER delegate certificate is delegated, and its scope encompasses the telephone numbers in the delegate certificate per <xref target="RFC9060"/>, Section 4.1.</t>
  <t>STI Certification Authority: issues VESPER delegate certificates as bound certificates in accordance with <xref target="I-D.wendt-stir-tn-domain-binding"/>.</t>
  <t>Transparency Log Operator: records issued delegate certificates and returns SCTs, as defined in <xref target="I-D.ietf-stir-certificate-transparency"/>.</t>
</list></t>

</section>
<section anchor="certificate-issuance"><name>Certificate Issuance</name>

<t>VESPER delegate certificates are issued as bound certificates in accordance with <xref target="I-D.wendt-stir-tn-domain-binding"/>, which requires that domain control and telephone number Right-to-Use be co-validated within a single issuance. The telephone number authority is established through an RTU Authority Token issued by the RTU Authority and validated via ACME mechanisms (<xref target="RFC9447"/>, <xref target="RFC9448"/>, <xref target="I-D.ietf-acme-authority-token-jwtclaimcon"/>). Where additional PASSporT claims are to be authorized, a JWTClaimConstraints Authority Token <xref target="I-D.ietf-acme-authority-token-jwtclaimcon"/> is presented during issuance.</t>

<t>A VESPER delegate certificate is recorded in a transparency log and carries an embedded Signed Certificate Timestamp as defined in <xref target="I-D.ietf-stir-certificate-transparency"/>, so that VESPER delegate certificates are publicly auditable. Transparency is a requirement of the VESPER framework rather than of the underlying binding, which is defined independently of it. The certificate profile is otherwise that of a bound certificate, which conforms to <xref target="RFC8226"/> and <xref target="RFC9060"/>.</t>

</section>
<section anchor="passport-usage-profile"><name>PASSporT Usage Profile</name>

<t>This section describes how VESPER uses PASSporTs in SIP signaling. The construction and validation steps below apply the procedures of <xref target="RFC8224"/> and <xref target="RFC8225"/>; the one verification step specific to the telephone-number-to-domain binding is defined in <xref target="I-D.wendt-stir-tn-domain-binding"/> and referenced here.</t>

<section anchor="authentication-service-behavior"><name>Authentication Service Behavior</name>

<t>When originating a call or message, the Authentication Service:</t>

<t><list style="symbols">
  <t>Constructs a PASSporT containing <spanx style="verb">orig</spanx>, <spanx style="verb">dest</spanx>, <spanx style="verb">iat</spanx>, and any optional claims authorized by the certificate, as defined in <xref target="RFC8225"/>.</t>
  <t>Signs the PASSporT using a VESPER delegate certificate whose TNAuthList authorizes the <spanx style="verb">orig</spanx> telephone number.</t>
  <t>Conveys the certificate chain inline using the <spanx style="verb">x5c</spanx> header parameter and includes the <spanx style="verb">x5u</spanx> header parameter containing the HTTPS URL of the certificate at its domain-hosted repository location.</t>
</list></t>

</section>
<section anchor="verification-service-behavior"><name>Verification Service Behavior</name>

<t>Upon receiving a PASSporT, the Verification Service applies the validation procedures of <xref target="RFC8224"/> and <xref target="RFC8226"/>, namely validating the PASSporT signature, validating the certificate chain to a trusted STIR trust anchor, confirming the TNAuthList authorizes the <spanx style="verb">orig</spanx> telephone number, validating the embedded SCT, and, where claim constraints are present, confirming that asserted claims conform.</t>

<t>In addition, the Verification Service applies the binding verification rule defined in <xref target="I-D.wendt-stir-tn-domain-binding"/>: it confirms that the domain in the <spanx style="verb">x5u</spanx> URL matches the dNSName SubjectAltName of the signing certificate, and treats the domain identifier as the identity of the right-to-use holder only as bound to the TNAuthList. The PASSporT is rejected if any validation fails.</t>

</section>
<section anchor="connected-identity"><name>Connected Identity</name>

<t>When VESPER is used with Connected Identity <xref target="RFC9970"/>, the destination party returns a PASSporT of type <spanx style="verb">rsp</spanx> in a SIP 200 OK, signed using a VESPER delegate certificate authorized for the <spanx style="verb">dest</spanx> telephone number. The <spanx style="verb">rsp</spanx> PASSporT includes the original <spanx style="verb">orig</spanx> and <spanx style="verb">dest</spanx> values and a fresh <spanx style="verb">iat</spanx>. The originating party verifies the <spanx style="verb">rsp</spanx> PASSporT using the same validation steps above, applied to the <spanx style="verb">dest</spanx> telephone number and the destination party's certificate.</t>

</section>
</section>
<section anchor="right-to-use-token"><name>Right-to-Use Token</name>

<t>The Right-to-Use (RTU) Token is a JWT <xref target="RFC7519"/> signed by the private key of the VESPER delegate certificate, with the certificate chain conveyed in the JOSE header using the <spanx style="verb">x5c</spanx> parameter. The delegate certificate is the trust artifact; the token signature demonstrates that the presenter holds the corresponding private key. The token provides portable evidence of right-to-use outside of SIP signaling.</t>

<t>The RTU Token includes:</t>

<t><list style="symbols">
  <t><spanx style="verb">iss</spanx>: the entity's domain identifier, matching the dNSName SubjectAltName of the signing certificate</t>
  <t><spanx style="verb">iat</spanx> and <spanx style="verb">exp</spanx>: issuance and expiration times; <spanx style="verb">exp</spanx> is set to a short validity interval to limit the replay surface</t>
  <t><spanx style="verb">orig</spanx>: the telephone number being asserted, consistent with the TNAuthList of the signing certificate</t>
</list></t>

<t>The token may include additional claims authorized by the JWTClaimConstraints extension of the signing certificate, such as Rich Call Data <xref target="RFC9795"/>.</t>

</section>
<section anchor="delivery-outside-in-band-signaling"><name>Delivery Outside In-Band Signaling</name>

<t>The VESPER trust artifacts defined in this document, the PASSporT and the Right-to-Use Token, are independent of how they are conveyed. They are signed by the VESPER delegate certificate and verified against the same bound certificate regardless of the path they travel. Where in-band signaling does not carry the artifact end to end, or where there is no in-band path between the parties, the same artifact can be conveyed through other mechanisms, including out-of-band publish-and-retrieve delivery. Such delivery mechanisms are specified separately and are not required in order to implement VESPER.</t>

</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>VESPER provides verifiable evidence that an entity identified by a domain identifier, and validated as holding the right-to-use for one or more telephone numbers, produced a signature over a communication. A successful verification establishes that the PASSporT or Right-to-Use Token was signed by a delegate certificate whose TNAuthList authorizes the asserted telephone number, that the same certificate binds a co-validated domain identifier, and that the certificate is recorded in a transparency log. It does not establish that the content of a communication is legitimate, and it attests to the identity of the entity only to the assurance carried by the domain identifier; the strength of that identification is the strength of the domain validation performed at issuance, as discussed in <xref target="I-D.wendt-stir-tn-domain-binding"/>.</t>

<t>The assurance rests on two independent trust chains, the delegation of telephone number right-to-use and the validation of domain control, co-validated into a single certificate. Because they are bound at issuance, an adversary cannot forge the association by compromising only one: a delegate certificate for a telephone number does not confer control of an unrelated domain, and control of a domain does not confer right-to-use for numbers that were not delegated. The security of the co-validation, and the prohibition on issuing a certificate that carries one without the other, are defined in <xref target="I-D.wendt-stir-tn-domain-binding"/>.</t>

<t>VESPER requires delegate certificates to be recorded in a transparency log <xref target="I-D.ietf-stir-certificate-transparency"/>. A certificate that improperly binds a domain to telephone numbers, through CA error or compromise, is therefore publicly observable, allowing the affected domain holder, the number authority, and independent monitors to detect it. Transparency does not prevent misissuance, but it makes covert misissuance impractical and bounds how long a mistaken or malicious binding can go unnoticed.</t>

<t>VESPER inherits the security properties and considerations of the mechanisms it composes. PASSporT signature and validation, certificate path validation, and handling of the SIP Identity header field are as defined in <xref target="RFC8224"/>, <xref target="RFC8225"/>, <xref target="RFC8226"/>, and <xref target="RFC9060"/>; certificate issuance, including validation of the RTU Authority Token, is defined in <xref target="RFC9447"/>, <xref target="RFC9448"/>, and <xref target="I-D.wendt-stir-tn-domain-binding"/>. VESPER neither weakens nor overrides these, and a weakness in any composed mechanism is inherited by the framework.</t>

<t>Replay of a captured PASSporT or Right-to-Use Token is mitigated by the freshness of the <spanx style="verb">iat</spanx> claim, by a short <spanx style="verb">exp</spanx> interval on the Right-to-Use Token, and by the STIR replay mitigations of <xref target="RFC8224"/>. VESPER deployments use short-lived certificates <xref target="I-D.ietf-stir-certificates-shortlived"/>, which reduce reliance on revocation and bound the interval over which a compromised key or stale binding remains usable; relying parties enforce certificate validity windows.</t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>This document has no IANA actions.</t>

</section>
<section anchor="acknowledgments"><name>Acknowledgments</name>

<t>The authors would like to acknowledge Jon Peterson for valuable feedback on this work, and the STIR working group for the foundational specifications on which VESPER builds.</t>

</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC5280">
  <front>
    <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
    <author fullname="D. Cooper" initials="D." surname="Cooper"/>
    <author fullname="S. Santesson" initials="S." surname="Santesson"/>
    <author fullname="S. Farrell" initials="S." surname="Farrell"/>
    <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
    <author fullname="R. Housley" initials="R." surname="Housley"/>
    <author fullname="W. Polk" initials="W." surname="Polk"/>
    <date month="May" year="2008"/>
    <abstract>
      <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5280"/>
  <seriesInfo name="DOI" value="10.17487/RFC5280"/>
</reference>
<reference anchor="RFC7519">
  <front>
    <title>JSON Web Token (JWT)</title>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <author fullname="J. Bradley" initials="J." surname="Bradley"/>
    <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
    <date month="May" year="2015"/>
    <abstract>
      <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7519"/>
  <seriesInfo name="DOI" value="10.17487/RFC7519"/>
</reference>
<reference anchor="RFC8224">
  <front>
    <title>Authenticated Identity Management in the Session Initiation Protocol (SIP)</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="C. Jennings" initials="C." surname="Jennings"/>
    <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <date month="February" year="2018"/>
    <abstract>
      <t>The baseline security mechanisms in the Session Initiation Protocol (SIP) are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document defines a mechanism for securely identifying originators of SIP requests. It does so by defining a SIP header field for conveying a signature used for validating the identity and for conveying a reference to the credentials of the signer.</t>
      <t>This document obsoletes RFC 4474.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8224"/>
  <seriesInfo name="DOI" value="10.17487/RFC8224"/>
</reference>
<reference anchor="RFC8225">
  <front>
    <title>PASSporT: Personal Assertion Token</title>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="February" year="2018"/>
    <abstract>
      <t>This document defines a method for creating and validating a token that cryptographically verifies an originating identity or, more generally, a URI or telephone number representing the originator of personal communications. The Personal Assertion Token, PASSporT, is cryptographically signed to protect the integrity of the identity of the originator and to verify the assertion of the identity information at the destination. The cryptographic signature is defined with the intention that it can confidently verify the originating persona even when the signature is sent to the destination party over an insecure channel. PASSporT is particularly useful for many personal-communications applications over IP networks and other multi-hop interconnection scenarios where the originating and destination parties may not have a direct trusted relationship.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8225"/>
  <seriesInfo name="DOI" value="10.17487/RFC8225"/>
</reference>
<reference anchor="RFC8226">
  <front>
    <title>Secure Telephone Identity Credentials: Certificates</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="S. Turner" initials="S." surname="Turner"/>
    <date month="February" year="2018"/>
    <abstract>
      <t>In order to prevent the impersonation of telephone numbers on the Internet, some kind of credential system needs to exist that cryptographically asserts authority over telephone numbers. This document describes the use of certificates in establishing authority over telephone numbers, as a component of a broader architecture for managing telephone numbers as identities in protocols like SIP.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8226"/>
  <seriesInfo name="DOI" value="10.17487/RFC8226"/>
</reference>
<reference anchor="RFC9060">
  <front>
    <title>Secure Telephone Identity Revisited (STIR) Certificate Delegation</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="September" year="2021"/>
    <abstract>
      <t>The Secure Telephone Identity Revisited (STIR) certificate profile provides a way to attest authority over telephone numbers and related identifiers for the purpose of preventing telephone number spoofing. This specification details how that authority can be delegated from a parent certificate to a subordinate certificate. This supports a number of use cases, including those where service providers grant credentials to enterprises or other customers capable of signing calls with STIR.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9060"/>
  <seriesInfo name="DOI" value="10.17487/RFC9060"/>
</reference>
<reference anchor="RFC9447">
  <front>
    <title>Automated Certificate Management Environment (ACME) Challenges Using an Authority Token</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="M. Barnes" initials="M." surname="Barnes"/>
    <author fullname="D. Hancock" initials="D." surname="Hancock"/>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <date month="September" year="2023"/>
    <abstract>
      <t>Some proposed extensions to the Automated Certificate Management Environment (ACME) rely on proving eligibility for certificates through consulting an external authority that issues a token according to a particular policy. This document specifies a generic Authority Token Challenge for ACME that supports subtype claims for different identifiers or namespaces that can be defined separately for specific applications.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9447"/>
  <seriesInfo name="DOI" value="10.17487/RFC9447"/>
</reference>
<reference anchor="RFC9448">
  <front>
    <title>TNAuthList Profile of Automated Certificate Management Environment (ACME) Authority Token</title>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <author fullname="D. Hancock" initials="D." surname="Hancock"/>
    <author fullname="M. Barnes" initials="M." surname="Barnes"/>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="September" year="2023"/>
    <abstract>
      <t>This document defines a profile of the Automated Certificate Management Environment (ACME) Authority Token for the automated and authorized creation of certificates for Voice over IP (VoIP) telephone providers to support Secure Telephone Identity (STI) using the TNAuthList defined by STI certificates.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9448"/>
  <seriesInfo name="DOI" value="10.17487/RFC9448"/>
</reference>

<reference anchor="I-D.wendt-stir-tn-domain-binding">
   <front>
      <title>Binding a Domain Identifier to Telephone Number Authority in STIR Certificates</title>
      <author fullname="Chris Wendt" initials="C." surname="Wendt">
         <organization>Somos, Inc.</organization>
      </author>
      <date day="6" month="July" year="2026"/>
      <abstract>
	 <t>   This document defines a mechanism for binding a domain identifier to
   telephone number authority within a STIR certificate.  A certificate
   produced under this mechanism carries, as a co-validated pair, the
   telephone numbers or service provider codes a subject is authorized
   for in a TNAuthList extension and a domain the subject controls in a
   SubjectAltName dNSName entry.  The binding is established at issuance
   by requiring proof of domain control and validation of a TNAuthList
   authority token within a single certificate issuance, such that the
   resulting certificate attests that the same entity holds both.  The
   mechanism applies to STIR certificates whose TNAuthList contains
   telephone number entries, service provider code entries, or both,
   allowing a domain to be bound to the right-to-use holder for a set of
   numbers or to the provider identified by a service provider code.
   This document defines the issuance conformance requirements and the
   relying party verification rule that together make the binding
   meaningful.  It does not define telephone number or service provider
   code authorization or domain validation, both of which are specified
   elsewhere and referenced here.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-wendt-stir-tn-domain-binding-00"/>
   
</reference>

<reference anchor="I-D.ietf-stir-certificate-transparency">
   <front>
      <title>STI Certificate Transparency</title>
      <author fullname="Chris Wendt" initials="C." surname="Wendt">
         <organization>Somos, Inc.</organization>
      </author>
      <author fullname="Robert Śliwa" initials="R." surname="Śliwa">
         <organization>Somos, Inc.</organization>
      </author>
      <author fullname="Alec Fenichel" initials="A." surname="Fenichel">
         <organization>TransNexus</organization>
      </author>
      <author fullname="Vinit Anil Gaikwad" initials="V. A." surname="Gaikwad">
         <organization>Twilio</organization>
      </author>
      <date day="18" month="May" year="2026"/>
      <abstract>
	 <t>   This document describes a framework for the use of the Certificate
   Transparency (CT) protocol for publicly logging the existence of
   Secure Telephone Identity (STI) certificates as they are issued or
   observed.  This allows any interested party that is part of the STI
   eco-system to audit STI certification authority (CA) activity and
   audit both the issuance of suspect certificates and the certificate
   logs themselves.  The intent is for the establishment of a level of
   trust in the STI eco-system that depends on the verification of
   telephone numbers requiring and refusing to honor STI certificates
   that do not appear in a established log.  This effectively
   establishes the precedent that STI CAs must add all issued
   certificates to the logs and thus establishes unique association of
   STI certificates to an authorized provider or assignee of a telephone
   number resource.  The primary role of CT in the STI ecosystem is for
   verifiable trust in the avoidance of issuance of unauthorized
   duplicate telephone number level delegate certificates or provider
   level certificates.  This provides a robust auditable mechanism for
   the detection of unauthorized creation of certificate credentials for
   illegitimate spoofing of telephone numbers or service provider codes
   (SPC).

   The framework borrows the log structure and API model from RFC6962 to
   enable public auditing and verifiability of certificate issuance.
   While the foundational mechanisms for log operation, Merkle Tree
   construction, and Signed Certificate Timestamps (SCTs) are aligned
   with RFC6962, this document contextualizes their application in the
   STIR eco-system, focusing on verifiable control over telephone number
   or service provider code resources.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-stir-certificate-transparency-02"/>
   
</reference>
<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>



    </references>

    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC9118">
  <front>
    <title>Enhanced JSON Web Token (JWT) Claim Constraints for Secure Telephone Identity Revisited (STIR) Certificates</title>
    <author fullname="R. Housley" initials="R." surname="Housley"/>
    <date month="August" year="2021"/>
    <abstract>
      <t>RFC 8226 specifies the use of certificates for Secure Telephone Identity Credentials; these certificates are often called "Secure Telephone Identity Revisited (STIR) Certificates". RFC 8226 provides a certificate extension to constrain the JSON Web Token (JWT) claims that can be included in the Personal Assertion Token (PASSporT), as defined in RFC 8225. If the PASSporT signer includes a JWT claim outside the constraint boundaries, then the PASSporT recipient will reject the entire PASSporT. This document updates RFC 8226; it provides all of the capabilities available in the original certificate extension as well as an additional way to constrain the allowable JWT claims. The enhanced extension can also provide a list of claims that are not allowed to be included in the PASSporT.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9118"/>
  <seriesInfo name="DOI" value="10.17487/RFC9118"/>
</reference>
<reference anchor="RFC9795">
  <front>
    <title>Personal Assertion Token (PASSporT) Extension for Rich Call Data</title>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <date month="July" year="2025"/>
    <abstract>
      <t>This document extends Personal Assertion Token (PASSporT), a token for conveying cryptographically signed call information about personal communications, to include rich metadata about a call and caller that can be signed and integrity protected, transmitted, and subsequently rendered to the called party. This framework is intended to include and extend caller- and call-specific information beyond human-readable display name, comparable to the "Caller ID" function common on the telephone network. It is also enhanced with an integrity mechanism that is designed to protect the authoring and transport of this information for different authoritative use cases.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9795"/>
  <seriesInfo name="DOI" value="10.17487/RFC9795"/>
</reference>
<reference anchor="RFC9970">
  <front>
    <title>Connected Identity for Secure Telephone Identity Revisited (STIR)</title>
    <author fullname="J. Peterson" initials="J." surname="Peterson"/>
    <author fullname="C. Wendt" initials="C." surname="Wendt"/>
    <date month="June" year="2026"/>
    <abstract>
      <t>The Session Initiation Protocol (SIP) Identity header field conveys cryptographic identity information about the originators of SIP requests. However, the Secure Telephone Identity Revisited (STIR) framework provides no means for determining the identity of the called party in a conventional telephone-calling scenario. This document updates prior guidance on the "connected identity" problem to reflect the changes to SIP identity that accompanied STIR. It also considers a revised problem space for connected identity as a means of detecting calls that have been retargeted to a party impersonating the intended destination and preventing the spoofing of mid-dialog or dialog-terminating events by intermediaries or third parties.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9970"/>
  <seriesInfo name="DOI" value="10.17487/RFC9970"/>
</reference>

<reference anchor="I-D.ietf-acme-authority-token-jwtclaimcon">
   <front>
      <title>JWTClaimConstraints profile of ACME Authority Token</title>
      <author fullname="Chris Wendt" initials="C." surname="Wendt">
         <organization>Somos Inc.</organization>
      </author>
      <author fullname="David Hancock" initials="D." surname="Hancock">
         <organization>Somos Inc.</organization>
      </author>
      <date day="30" month="June" year="2026"/>
      <abstract>
	 <t>   This document defines an authority token profile for the validation
   of JWTClaimConstraints and EnhancedJWTClaimConstraints certificate
   extensions within the Automated Certificate Management Environment
   (ACME) protocol.  This profile is based on the Authority Token
   framework and establishes the specific ACME identifier type,
   challenge mechanism, and token format necessary to authorize a client
   to request a certificate containing these constraints.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-acme-authority-token-jwtclaimcon-03"/>
   
</reference>

<reference anchor="I-D.ietf-stir-certificates-shortlived">
   <front>
      <title>Short-Lived Certificates for Secure Telephone Identity</title>
      <author fullname="Jon Peterson" initials="J." surname="Peterson">
         <organization>TransUnion</organization>
      </author>
      <date day="6" month="July" year="2026"/>
      <abstract>
	 <t>   When certificates are used as credentials to attest the assignment of
   ownership of telephone numbers, some mechanism is required to provide
   certificate freshness.  This document specifies short-lived
   certificates as a means of guaranteeing certificate freshness for
   secure telephone identity (STIR), potentially relying on the
   Automated Certificate Management Environment (ACME) or similar
   mechanisms to allow signers to acquire certificates as needed.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-stir-certificates-shortlived-06"/>
   
</reference>

<reference anchor="I-D.wendt-stir-cert-tn-attr-ext">
   <front>
      <title>TN Attribute Certificate Extension for STI Certificates</title>
      <author fullname="Chris Wendt" initials="C." surname="Wendt">
         <organization>Somos Inc.</organization>
      </author>
      <author fullname="Robert Śliwa" initials="R." surname="Śliwa">
         <organization>Somos Inc.</organization>
      </author>
      <date day="6" month="July" year="2026"/>
      <abstract>
	 <t>   This document specifies a non-critical X.509 v3 certificate extension
   that conveys a set of self-asserted attributes describing the
   telephone numbers identified in the certificate&#x27;s TNAuthList.  The
   attributes are declared by the holder of the certificate about its
   own telephone numbers and require no separate authority token,
   because they describe or constrain only those numbers and grant no
   authority to any other party.  The extension defines an extensible
   framework with an IANA registry of attribute types and seeds that
   registry with four types: a PASSporT Placement Service (PPS) URI, a
   do-not-originate indication, a do-not-originate-messaging indication,
   and a set of authorized originating providers.  Relying parties use
   these self-declarations as policy signals, treating communications
   that do not conform to them as candidates for blocking.  The
   mechanism is backward compatible with existing STIR certificates.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-wendt-stir-cert-tn-attr-ext-00"/>
   
</reference>



    </references>

</references>



  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA7Vc624bR5b+z6eolYGNsyAJyyOPbXkwM4qsIJo4llaUJwgW
C6jZXSQrbnZzqrpFcwZ+l32WfbI9l7p2NykpyAYBTDWr63Iu37kWJ5PJqFFN
KU/F0d8vZtcXN2Ii/i61WqhsXkoxu70U11oaWTVZo+pKZFUhLu5VIatcikWt
xc3tp6NRNp9ree/nOBrlWSOXtd6dCtMUo1FR51W2hkUKnS2ayVZWRTMxjdKT
e2k2Uk9evBmZdr5WxsAizW4DQy8vbr8fVe16LvXpqID5Tkd5XcFOTGtORaNb
OYIV/zDKtMxg5bPNplQ5bdLQLm9kVk5u1Voejba1/rzUdbuBcTOZt1qKW1nK
zaqupLiEswAJdvDCvTKqkcXR6LPcwTvF6Qio0fiRvBl8VtTrTFWjUdY2q1rj
sJGA/xZtWfI5z1daGfEznpO+qfUyq9Q/aXunYlavazMWl1U+pW8lzFbC3nJ8
668ZnkQWc9WYaV6vj2hIXrdVg/T8NOuvdlPPxb8/+/Li+NXZu1Jts8cvqev5
rwZf+esSH+B6veVGVa3XMM09cECIm+/PX71888J+fP3q+K39+Obly5Pw8VX4
+Ef78e2LP7rX3p6cvA4f3+DHy8n7aSQXTTVhIk/mqipUtXRjlGwWPCSXugE5
RVGbNDqrzAZEocp3p6ORqhadPb89Pn7jPr5+63b39u3rF8nEWb6WE+YqiMSk
qT/LavLrtsnLTK1B/A7uwkwMvNeUsGoxcCQciefKmkZP5JcG9jmZTEQ2N7D7
vBmNblcgM6Aq7RokUhRyoSpphFXL50/Vym/HIhMLDQKC4i+aVdYAW9eb2sCk
8ouCPVVLnOpGrGW+AlkxayNU1dTwntmZRq7hL7FdqXwFT7Qsd/gCEBl0Jc8q
cY8b2vHEWU9NxDYDPQR9XlayEDzpRuZIKmEVDndNbzcrKQxs1H0BhG50XZr4
HZaGqSPHvFVlYQScHV/2i094cWCcFR9hxceSs8Aj/etfDwnb169jmpeoE3GY
tnx9Npttan3r98agMxZn5z9dTOaZgVW8CAkSIQHA1mbAnDHNEM8YS+5UdEXA
5FrNgV+4GaCINLyveILWZEuc11JosqqBdekaWgLXVQN4TMsXyuQ1cG8n1nUh
S3zXn4lmExtdL1TJojS7vBbIxawEwvD+MwFjGxLFG7VcNUjuTwZAlc6KL7Xw
V902BkRS1AucYyoug0zjGYJo4pQAdlY6FVLzHQ2p5FZ48PGcVA0Ko5LEfSCX
ZcPjeTtlxVuroijlaPQMUBHErWhzXBnVEBi/10o8B5n4VmQ6X4GpyBsYNRbM
c9gNKmYMCLAdi4EoUY7I4fErfMxqIInQfpmVzApQIjhWWfjhJzgceIOaDuTS
u01TL3W2ARVFxZVLkjgYgDtDXEBW5FlZEtkcJiLVKiAhmMcGzCOSfd1WToxR
BgFZYkx4hKJXdYPC5NlAUg2M8ioOn3GchYPW4I5yLem4GWo6K8w/4UvcNL3D
89OGdiDduMjYarzSot5WYyENiqEyq727AwGZS1ytRR7Nd0RqS2S7qQilYH6k
mEZN4XMz4roXHHvsan1Q1DKvl2B2ASpyXRvgElCxkqUBobPQlRUFYLdhNQBK
L7MNExA2p6p7XAGmRNlPObzOQOYqVNt5S4OtvsDgiFm8sxLYW+wY5omAAkmy
lFULM5Q7mh0oRShjt1XIDWgNKhVjjFM3UN8eUWN488hjqQMiADKhGtgr4jdM
USaANU511kggHjwud49WXzB1QAVcYAmHAAqiwO0BzlW9ZZLMwaMp0n0AaSWc
lHfLWO9V9BCaw5f7EDxoc2ph4/EWXMeg3E3YgzW8gL8ob+DemiZA5JRRCcSm
LRukX2zZIyMNaC6XuEa8npEavGyRGc8O2GVbqCZaKcPh4IScok6g/CuL0l3W
d2x6ldpy6USBSN6x5mML9Lh/VBNdMFZkCQVFWS/7djCYjT1W8CETh+OHjVxg
2QGj5ve+qYFRBs8e60jiCVgAA8tcAYQzQASoA3asM/iUIyI8E+c1a7yLWt7j
UckEGuY5hCICYxEjjn76NLs9GvO/4uMVfb65+M9PlzcX7/Hz7IezDx/8h5Ed
Mfvh6tOH9+FTePP86qefLj6+55fhqUgejY5+OvvliA9+dHV9e3n18ezDUV/X
gG1IjrkkE6Q3WqL7kZmRU0Ji8nfn1//7P8cnoOD/Brbs5fHx269f7R9vjl+D
YQMZdmSuKwAD/hPIuBtBQCQzTaJSliCdGxBdEifAEdDvCoyllkDN//gvpMx/
n4o/zfPN8cmf7QM8cPLQ0Sx5SDTrP+m9zEQceDSwjKdm8rxD6XS/Z78kfzu6
Rw//9Bcw51JMjt/85c+jbtDQklmRGgxB4vBGXgj9gbGY8z0e5w6rKi9bEvbb
j2eAhx8A3saDgDPu2wNeqAfBbJm8/RnALi0XUmsGm2YFIfxyBW5lRwIJD3uT
o3g82eknJ8Ear9RJDdJspe2Z+N5/eQVQc6/kFp4+i8/03p3pPOyL1doOiFDc
UEyD+kQn2QPmEfcoqHCk8S4KIe+qxuCI4NJBGXrkCEwI5fDPutaD4O78tSgE
c5EXSVq8l9+N7qfk/ge58hHBrJ3/Cq7sWdl8xPCw72cg+OT15B6CE0wRAdma
KNYydc9OQPANPqMZjjuZbPO6Wfk4kxUKTz54UJwB1gLvgIiL+AT+Em7d2lXw
8zT71QnfB3mrTN/TAjO2kcXpHluMxEgpB3aQEwN8OKbfNyaRAwrFUIHsJsDl
1vUaozo0wU2ypxXGH9ZrDm4QLLGBM6m5jRGJmvESgNy7jcLQY9fZyO3H2TUK
YJZMYoMajd/EiSsbPPj4oOFQUFVdgsgmhJJOPGjjGfk/Ko/WyMElgDju+vzb
qfi+Lst6i7BG3gtTBBcmvwGZmeDlzAZWJ9Nj9ikGSLbOdmgNYX7LveBhDLOX
XOwHZIMM2RwlFb1+FCvPFt4CkJYmY0yFcIBpBACKmi6/bHzMgfFBhdubBEqN
HQUnKaE9zVZZLC89ZIET+ExNX0wtQlkheMRxrbLEBIid0oVj2pg0LgUcjg5R
uJBXcIY0TXMKfkIU13cDmtMHANJKXqRx8ksDIQEKRWJmvSI62WKM6aoibOZq
gxsjz7BcTBgx4Ci3HxGswOS0gFinIMcHxePsFxu28u7EmX812eADKUnOe5GZ
tTEFpWGYRoiO8E8QpXS/YbMim6ORRmRC78ySDuC4xSCFWQjEXqoqI+o4ITPo
YPtEgEE/YgJx8cSNBVaCWLY2kGhgvxNZocNe2C9c7iLeinaiY2MNCDqIZEWg
y5hGFRSv5Q2D4aC2BgDsiQHviZMUPHPBUlRg6kQ1yOj3XfN1GmJnTOS7WTtW
j8QKc+7IHbZCVqEObPDpRjgRRcp3oxOAuWmMeE7F336+Pcen5+FhLPF42otq
hYa32DsUs/DkdlomI/ezolB2VR+g0fLGC8wNSuI5qvr7rMnsVK/fvuJN38a5
fwpJgRYFBpczDlQj50tgQQiEZb0ZpNDDxQXKHoaMSVnv0AU1lPCk7P+E0v9p
FpCWioKhA4vFNQSkVI7x4a7nxjC+q4pCAc6m4ZC7L6/yO5c7xLzKGoIx632z
Ay/duLY/jr1tOKWbLnWcSKHTJHMUdZc1A+yUfGAr6pRzOK+1rue1ZmW/Jb/o
3MfDo9G1VphmxjRJCtVxdu9ABsriVQeWMUdm1RFF3Nq9OG8VO811H+7izKB3
B0PiOQ7/n6hplDkpisHEGVEsTyjGyfcIK6KNBze94sQpH0O5ECBKsU7FdzLP
UE6jPE288j4fJQKVg952Nx1KFHdjzQMGrJ43sB9guati2Qxrp2Y07nh3QSTH
5KLMpayiDNU+p7kj3OwzAVTJatms2D9RxhIe06ywfbYK2xpe50wp+dgkzKSM
mJPqUY42wlkSsg5Ec8uzcYfNnWCE9Wjm/MML5jcXAVk/PA6hYBnam80Ds98d
pa8xtQcQblfG+bwwUT0nVguUkH4efep2cB/tYAwzgaVLonRgwueq3k52dQvA
BuQB6mnx/Mdfzr8NfjAKQBmy6dYhdKlETbUj8inp+CjXfNSp+BnEQt4TVmXl
BDxWCE/iLaH2xKjlT7aRGusfJpZZDCyWmCasWJrOz8SmLlXOOUQ4VQlm2HuV
fZ1550S6koqSuC5RWdW4wU2Z5dKQ8R+ddZSjqCUn/UFy0FGFFXfeEfoGEWZe
Z7qw7hFMYyhq46NaNzgtD0T5+lTQCOsOKPUSpbcRmxagNge5CblhVS10BmrR
2jqX9d1+lnNx/eMlnwGZ4wCuGyGzQzaANXFKGhhjALDhu3HYQyS7LrSLXg9w
fcBDsxE7VxJBE+tcsYTMYUKECQ4tUwDMYrlyRZ/IECHmwTA8D+IVVv1slZMQ
I07Yg/Z+gnOGkh6nd12A+XA6IHjCe/I7VD4QDtEHgI7TOMheUByX1PKJeczp
FQoErgVdhFngjZooCOwicF+SZ2PD2UWrScSjQl1seX10gx4/6xRbBUymoTZz
ES5Cb6dUQ+GfOHOFox6H7XY69UIkAijwui0btSlldBw6BImuogrzmsufZpUh
YJWkrlSTp9yyxBR27Ngh4kiKIcoSqzSemZxgiShYAiyVnFYxSmNIHVXlHvZk
KfNBFPZesA9QjEMGUTsHfZM1K1Y+9hDZgqBAhzIvC2Hs/d6kVRL20ibnjBMY
R713dRNArGpA5A4bcVJfUBKbZei4j5kwDCs/3N5ez7zDyGWSyJJba+wMP54U
yYpgiZEnu9HvCDB5pk83HwAPauORBo6fr6zaFB9nFEV1giprcvbl4cht4Y3c
fpilngrLLXrA5J0hlOknLHmAgGMRXCunXECzqgBL4FEX9jMVH2tB5eUJOhi4
jQBq3B40jCjW/G5hqu6xqCj3jxYlF0XRurQgQkNe437V7RYCHZmULRRZJwfz
IxCjSzivo0s8CTlbQSJCz0PG4l4pKgv6Ih/JCNtskv/cccKFIQH9MVHpl8b+
h/Ge8OzBHhJM9VPDy41L9WS+bhfbAptDBveMe4F0OhzW1hQy+rzDEF1P4yad
bujqm0k8FsLjp/btoAMPgTtPh319GKigGnvi+5fhCTAN/u9VF9DeAGyZTvNP
vBEHhXmGZNkSunqvf7DZIOJeJKXgkWb5ygJuYB5JGGdpMRwo6y3VaqzW3WD1
eE8Fxqb6bYnZU9hVc3370SODPCJ4Ycsw4MbqzEI3T19JWUSzx57D8dTFz1f0
Wq1Pex5Arz5D6/3Wug8jXWdRqkc8KW07TixAL3/wWAPAwurZEc3yDVpCdY/z
YV0cvB8UrKixihp/e6JtpqOX0/T5c+yQFGch7dtwf8WDFYnx716KGLueHSKI
7BeB+FhU7TPY2Rm2bY/3GyGMmJ7OFwQI6wNcvhiqcRBWhZTJA1UtXzgY+8oe
R3ahmrGv2+SQqQE53VudmY7+MCVDGNwf/CZiuKXnga1TgNIPaiiPnGP/CsWQ
1Dz0OJNxMk2SleJDvYxUnHtijCvr7tkRGTkIxwDdZue3jvW/LY+ZOoeXNiqO
8puDO9DSbfF3Jc/YypPFd+tDdkJZTvx3DESi2PNOiqrbieZif5b+wwFkHPY5
fyyrhlTQUcSW5NIRuOmwoXuVUW9ZHB48ZzE+OXkdOjROTt7wH49uTv/69VsX
rhxIqod+nRBDWdvfS9p3T/mkzSAFraeD4txqsp6O/JgSeQA2DjeJ2aiNq4L/
71l/20yQNQ8AhpYDiZSO2lPfhBVzSg6mljV4JAAMGBDCspUbE/WUWc1xeqPi
k/kUZbnjhgRbFu63IeJ7FHdulbFZV0oPDvRL8jrAW06kgRDF9R9uJfJoTPDi
Ze8Tddxd85LWQbZeWqdZM+67CHa968/a45Coct92rGX4p2nkxjqAAm/U2Fo5
5tJAFDGHv4j7qsP22ZPmtBECQ5JdxFmjSnenDLf/9oF6cjnOpSCpIBN1HT0j
pUS3wm5pZn2K7+Qqu1e1Ho0AAqqkwJpxdgPdP2n4ugDue3givJYizh1lTRx3
2GwSTnmH89+NxR1wr8F/wUG/s1EGBOZ1UkhM2rvnvWpW34Z5NkxhL6jP7B5E
DZx8rEMAwhmBuKkozafxCfqJbj79vdz1fdgnVd3iops5VHWLqIqjQk5jIDB+
WhUurhYMyMkncHYRZKW6Z3I6+rJ4DL7Nl9P4PJG2PU6vqDECK92Y4bUv21OH
SzWo4pxu7gzpc4I6pqkGg7CPBUTbdUUdWVQ8XSi9dhM8WRZ6Wwg25vyWhH1s
A9hevZwtAVu/zkYy1xaGZWJWD4upwLXLytvuR3LBQUyCU7ot5W/pwnM7jRrk
0pwPyzBK5+MzXi5Hlao8enJaZk2SqUkroZRh7RSJksDWtqRQw7B3Ri0qB26z
sfASRp7Fr7aysyC4iiR5kSm6rPGMerMrHuZy+BZbLewoE/pFBwZba/j29Qt3
nQyxkjAZNYbKQM6Vj0AWz7mD2OhOm80duz5o+l6+eCGufhynN2gOI2DvTo20
cD1Q3UMK8YqBTjF2WXNSOlVB9tnJgHitjUzwWoI0K7YG9t5J3OhDZ05qWJ01
A6hSKbRnz7N5fY/Cw1dkHav3nCrkIrt0/yZpZCVXpZ814DTRQNbAefwDCTPL
HdeZF+UqHpM9IUEahjrO8ocU19+uZhfOlHQtkTcttvy2r9d01b39wU4PZyk9
DsP7a8a1Rkaw4Dx7HeUMsKBNKRRbt/Snt8EWTdxPJ8bZv7SrcE8S0bYHYpRl
eWFFlZr77iDGuIszZt+YPryMGb984+dTAYzWASFnRZBfNnenoayMz+CR0raH
FaOPdzyKLj/Jxl6IxVYfFnJuKgNyUlq6FqVaq8YmpTZlthOm1cAiWpc0cLgl
2JbZnH0hy2Orq0G6Ijt44ICjwDKsubn2oSiy3OvbDYWSoQvxkFV4TMcXKOt7
iQ1S4O9cWQm5rCbfIdVnTkSSHG8q5Z1u0egmQeeakIOPwVy5lkknCByKr5pJ
1ybD+mpvL+KjFBsOAnflmhqoDMv1eQ+K/UZ0DVPoogTf3hGXCiK0GaD/vSxd
XgDtPc7uVSk0IoT2UUcoIdmaSvRzqLdIcgmHMkDwkp+OlotLUIiyyt3Tol37
SfGW5DwQyCdWuPgZkiLxlRMAgkm9sGtxinkCnye2kkMYRwIxBQ0GyXF/xjkW
YsHQtUMyXPAlEsGXwBRGUAX3Gqj1JrkqSSJIN4RRa1HIMZfrij+WsR7m4luk
aXNTlV4rDWniPfdnor4rQ6jr0OtpyX66Qly0GFRmEcxjJY3qa9FtYCrEtzm2
nyzaMnUxQ3IssgrBi9FDV8OjK8B80N8SuHnnue+up7c64km5RypLc4N76Oxn
eVI+ii+4O23qXExm61g1Fio6ZMbJgRCAq2vvG2PB1N1VqQc9YfcXOr92CJCm
1WSCXM+zRZuB1iUiU9LyFrXDhH31h/nZ4viPu6t6LYGGirQtXVd4fGX1NjmK
JiKgHT3cfbdK7m8MVRITPXHoHp2i1zo1TuXF/ThG705z0lvJaM8onVIDYzvQ
IZNpuiyOcgJUW0rHu9CixJe7db1W5NsRj+Egp/t0hi4f9Q8cwB3COptqcA2A
WHfTsowUwf44xUCTYHeeHuD4mx4oRFtp0dTXfWxLh4NMl9jwtOW6mruGq+uV
mivmCGfWbRIrvnRNRVCb/cUTuz4jClbQlNiu/qc2wY98p68tQwwnejmD/kCG
+gnFGADa3vEUSsAG070evlwHcL+jz4SbG+dnQmpNdcsgRnzvvvE3gnyWup5j
VRLtE92mCZehssWCA1rfyoHBNitat1riWsyDckLMgCkpolQh8QcpOAsd08iL
FQQT9/QSiLtXlzndIQHn8zP+2AWap2QAkQccCux2DddLOYlc1iQwMLrJPlMy
FKaB46q6NT5hgo7IsgYtgB2onHpdXGBfAZmUzUx4qWVmNMo1jCV238l0/FM6
4fd2pgP5rU7COv1NAXKousoBExel+0mG1aEfDEHJH86pnvgCk/v5kSQ510ni
v+uYQMea4Jml6NmvfVl3uZv/3lfteux95Gm383YrkdHceYuiolXhfmDD9b7g
kAp9ZGqWcD+fATvyPMNtWt4H0xl3ZtxwLMYWPNsgG4uHfB6YE0I5xRfn/JzS
rKrIX+dYkgKqsW0VoNjQxowuMLS9Z/t+n8DOTplQGzbapZ2IRmIwFU+9xvKE
ayuulItuJl2aII2ldPO9a/sIV8LJu/FnRD/U/aBFgK+Csygae0jKkPXU+ENm
lbG/m/Eu6bJGTZXcDpbIsQ+4AeqKess/xHB59vGs58unl+tX9EM3PDLL3a3e
Z+Isx473UhZLIqL1X0gFjNjWbYl9pp+p6pr5oRAlAw2uMU1j7G9GYCKN2/Wl
LOYwlPmtcBL9OfqhIOQvPsKD0u/ahTYipKdrNOrcpqnd74QkP6FlfwwJlxv9
H9BepbcOUAAA

-->

</rfc>

