<?xml version='1.0' encoding='utf-8'?> version="1.0" encoding="utf-8"?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.39 (Ruby 3.0.2) -->

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-lake-edhoc-22" docName="draft-ietf-lake-edhoc-23" number="9528" submissionType="IETF" category="std" consensus="true" submissionType="IETF" tocDepth="2" tocInclude="true" sortRefs="true" symRefs="true" updates="" obsoletes="" xml:lang="en" version="3">

  <!-- xml2rfc v2v3 conversion 3.18.0 -->
    <front>
    <title abbrev="EDHOC">Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-lake-edhoc-22"/> name="RFC" value="9528"/>
    <author initials="G." surname="Selander" fullname="Göran Selander">
      <organization abbrev="Ericsson">Ericsson AB</organization>
      <address>
        <postal>
          <street>SE-164 80 Stockholm</street>
          <code>164 80</code>
	  <city>Stockholm</city>
          <country>Sweden</country>
        </postal>
        <email>goran.selander@ericsson.com</email>
      </address>
    </author>
    <author initials="J" surname="Preuß Mattsson" fullname="John Preuß Mattsson">
      <organization abbrev="Ericsson">Ericsson AB</organization>
      <address>
        <postal>
          <street>SE-164
          <code>164 80 Stockholm</street> </code>
	  <city>Stockholm</city>
          <country>Sweden</country>
        </postal>
        <email>john.mattsson@ericsson.com</email>
      </address>
    </author>
    <author initials="F." surname="Palombini" fullname="Francesca Palombini">
      <organization abbrev="Ericsson">Ericsson AB</organization>
      <address>
        <postal>
          <street>SE-164
          <code>164 80 Stockholm</street> </code>
	  <city>Stockholm</city>
          <country>Sweden</country>
        </postal>
        <email>francesca.palombini@ericsson.com</email>
      </address>
    </author>
    <date year="2023" month="August" day="25"/>
    <area>SEC</area>
    <workgroup>LAKE Working Group</workgroup> year="2024" month="March"/>
    <area>sec</area>
    <workgroup>lake</workgroup>
    <keyword>AKE</keyword>
    <keyword>LAKE</keyword>
    <keyword>COSE</keyword>
    <keyword>OSCORE</keyword>
    <keyword>lightweight authenticated key exchange</keyword>
    <keyword>constrained node networks</keyword>
    <keyword>IoT security</keyword>
    <abstract>
      <?line 278?>

<t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman (DH) key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios scenarios, and a main use case is to establish an OSCORE Object Security for Constrained RESTful Environments (OSCORE) security context. By reusing COSE CBOR Object Signing and Encryption (COSE) for cryptography, CBOR Concise Binary Object Representation (CBOR) for encoding, and CoAP Constrained Application Protocol (CoAP) for transport, the additional code size can be kept very low.</t>
    </abstract>
  </front>
  <middle>
    <?line 282?>

<section anchor="introduction">
      <name>Introduction</name>
      <section anchor="motivation">
        <name>Motivation</name>
        <t>Many Internet of Things (IoT) deployments require technologies which that are highly performant in constrained environments <xref target="RFC7228"/>. IoT devices may be constrained in various ways, including memory, storage, processing capacity, and power. The connectivity for these settings may also exhibit constraints constraints, such as unreliable and lossy channels, highly restricted bandwidth, and dynamic topology. The IETF has acknowledged this problem by standardizing a range of lightweight protocols and enablers designed for the IoT, including the Constrained Application Protocol (CoAP, CoAP <xref target="RFC7252"/>), Concise Binary Object Representation (CBOR, target="RFC7252"/>, CBOR <xref target="RFC8949"/>), target="RFC8949"/>, and Static Context Header Compression (SCHC, (SCHC) <xref target="RFC8724"/>).</t> target="RFC8724"/>.</t>
        <t>The need for special protocols targeting constrained IoT deployments extends also to the security domain <xref target="I-D.ietf-lake-reqs"/>. Important characteristics in constrained environments are the number of round trips and protocol message sizes, which if (if kept low low) can contribute to good performance by enabling transport over a small number of radio frames, reducing latency due to fragmentation or fragmentation, duty cycles, etc. Another important criterion is code size, which may be prohibitively large for certain deployments due to device capabilities or network load during firmware update. updates. Some IoT deployments also need to support a variety of underlying transport technologies, potentially even with a single connection.</t>
        <t>Some security solutions for such settings exist already. CBOR Object Signing and Encryption (COSE, COSE <xref target="RFC9052"/>) target="RFC9052"/> specifies basic application-layer security services efficiently encoded in CBOR. Another example is Object Security for Constrained RESTful Environments (OSCORE, OSCORE  <xref target="RFC8613"/>) target="RFC8613"/>, which is a lightweight communication security extension to CoAP using CBOR and COSE. In order to establish good quality cryptographic keys for security protocols such as COSE and OSCORE, the two endpoints may run an authenticated Diffie-Hellman key exchange protocol, from which shared secret keying material can be derived. Such a key exchange protocol should also be lightweight; lightweight to prevent bad performance in case of repeated use, e.g., due to device rebooting or frequent rekeying for security reasons; reasons or to avoid latencies in a network formation setting with many devices authenticating at the same time.</t>
        <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a lightweight authenticated key exchange protocol providing good security properties including forward secrecy, identity protection, and cipher suite negotiation. Authentication can be based on raw public keys (RPK) (RPKs) or public key certificates and requires the application to provide input on how to verify that endpoints are trusted. This specification supports the referencing of credentials in order to reduce message overhead, but credentials may alternatively be embedded in the messages.
EDHOC does not currently support pre-shared key Pre-Shared Key (PSK) authentication as authentication with static Diffie-Hellman public keys by reference produces equally small message sizes but with much simpler key distribution and identity protection.</t>
        <t>EDHOC makes use of known protocol constructions, such as SIGMA SIGn-and-MAc <xref target="SIGMA"/>, the Noise XX pattern <xref target="Noise"/>, and Extract-and-Expand <xref target="RFC5869"/>. EDHOC uses COSE for cryptography and identification of credentials (including COSE_Key, CBOR Web Token (CWT), CWT Claims Set (CCS), X.509, and CBOR encoded CBOR-encoded X.509 (C509) certificates, certificates; see <xref target="auth-cred"/>). COSE provides crypto agility and enables the use of future algorithms and credential types targeting IoT.</t>
        <t>EDHOC is designed for highly constrained settings settings, making it especially suitable for low-power networks <xref target="RFC8376"/> such as Cellular IoT, 6TiSCH, IPv6 over the TSCH mode of IEEE 802.15.4e (6TiSCH), and LoRaWAN. A main objective for EDHOC is to be a lightweight authenticated key exchange for OSCORE, i.e., to provide authentication and session key establishment for IoT use cases such as those built on CoAP <xref target="RFC7252"/> involving 'things' with embedded microcontrollers, sensors, and actuators. By reusing the same lightweight primitives as OSCORE (CBOR, COSE, CoAP) and CoAP), the additional code size can be kept very low. Note that while CBOR and COSE primitives are built into the protocol messages, EDHOC is not bound to a particular transport.</t>
        <t>A typical setting is when one of the endpoints is constrained or in a constrained network, network and the other endpoint is a node on the Internet (such as a mobile phone). Thing-to-thing interactions over constrained networks are also relevant since both endpoints would then benefit from the lightweight properties of the protocol. EDHOC could, e.g., be run when a device connects for the first time, time or to establish fresh keys which that are not revealed by a later compromise of the long-term keys.</t>
      </section>
      <section anchor="message-size-examples">
        <name>Message Size Examples</name>
        <t>Examples of EDHOC message sizes are shown in <xref target="fig-sizes"/>, using target="tab-sizes"/>, which use different kinds of authentication keys and COSE header parameters for identification: identification, i.e., static Diffie-Hellman keys or signature keys, either in CBOR Web Token (CWT) / CWT Claims Set (CCS) CWT/CCS <xref target="RFC8392"/> identified by a key identifier using 'kid' <xref target="RFC9052"/>, target="RFC9052"/> or in X.509 certificates identified by a hash value using 'x5t' <xref target="RFC9360"/>. EDHOC always uses ephemeral-ephemeral key exchange. As a comparison, in the case of RPK authentication, authentication and when transferred in CoAP, the EDHOC message size when transferred in CoAP can be less than 1/7 of the DTLS 1.3 handshake <xref target="RFC9147"/> with ECDHE Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) and connection ID, ID; see <xref section="2" sectionFormat="of" target="I-D.ietf-iotops-security-protocol-comparison"/>.</t>
        <figure anchor="fig-sizes">
          <table anchor="tab-sizes">
	     <name>Examples of EDHOC message sizes Message Sizes in bytes.</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="208" width="472" viewBox="0 0 472 208" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 464,32" fill="none" stroke="black"/>
                <path d="M 168,64 L 288,64" fill="none" stroke="black"/>
                <path d="M 344,64 L 464,64" fill="none" stroke="black"/>
                <path d="M 8,96 L 464,96" fill="none" stroke="black"/>
                <path d="M 8,160 L 464,160" fill="none" stroke="black"/>
                <path d="M 8,192 L 464,192" fill="none" stroke="black"/>
                <g class="text">
                  <text x="196" y="52">Static</text>
                  <text x="236" y="52">DH</text>
                  <text x="268" y="52">Keys</text>
                  <text x="384" y="52">Signature</text>
                  <text x="444" y="52">Keys</text>
                  <text x="184" y="84">kid</text>
                  <text x="272" y="84">x5t</text>
                  <text x="360" y="84">kid</text>
                  <text x="448" y="84">x5t</text>
                  <text x="48" y="116">message_1</text>
                  <text x="188" y="116">37</text>
                  <text x="276" y="116">37</text>
                  <text x="364" y="116">37</text>
                  <text x="452" y="116">37</text>
                  <text x="48" y="132">message_2</text>
                  <text x="188" y="132">45</text>
                  <text x="276" y="132">58</text>
                  <text x="360" y="132">102</text>
                  <text x="448" y="132">115</text>
                  <text x="48" y="148">message_3</text>
                  <text x="188" y="148">19</text>
                  <text x="276" y="148">33</text>
                  <text x="364" y="148">77</text>
                  <text x="452" y="148">90</text>
                  <text x="32" y="180">Total</text>
                  <text x="184" y="180">101</text>
                  <text x="272" y="180">128</text>
                  <text x="360" y="180">216</text>
                  <text x="448" y="180">242</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
----------------------------------------------------------
                     Static Bytes</name>
	      <thead>
		<tr>
		  <th></th>
		  <th colspan="2">Static DH Keys        Signature Keys
                    ----------------      ----------------
                     kid        x5t        kid        x5t
----------------------------------------------------------
 message_1            37         37         37         37
 message_2            45         58        102        115
 message_3            19         33         77         90
----------------------------------------------------------
 Total               101        128        216        242
----------------------------------------------------------
]]></artwork>
          </artset>
        </figure> Keys</th>
		  <th colspan="2">Signature Keys</th>
		</tr>
		<tr>
		<th></th>
		<th align="right">kid</th>
		<th align="right">x5t</th>
		<th align="right">kid</th>
		<th align="right">x5t</th>

	      </tr>
	      </thead>
	      <tbody>
		<tr>
		  <td>message_1</td>
		  <td align="right">37</td>
		  <td align="right">37</td>
		  <td align="right">37</td>
		  <td align="right">37</td>
		</tr>
		<tr>
		  <td>message_2</td>
		  <td align="right">45</td>
		  <td align="right">58</td>
		  <td align="right">102</td>
		  <td align="right">115</td>
		</tr>
		<tr>
		  <td>message_3</td>
		  <td align="right">19</td>
		  <td align="right">33</td>
		  <td align="right">77</td>
		  <td align="right">90</td>
		</tr>
		<tr>
		  <td>Total</td>
		  <td align="right">101</td>
		  <td align="right">128</td>
		  <td align="right">216</td>
		  <td align="right">242</td>
		</tr>
	      </tbody>
	    </table>

      </section>
      <section anchor="document-structure">
        <name>Document Structure</name>
        <t>The remainder of the document is organized as follows: <xref target="background"/> outlines EDHOC authenticated with signature keys, keys; <xref target="overview"/> describes the protocol elements of EDHOC, including formatting of the ephemeral public keys, keys; <xref target="key-der"/> specifies the key derivation, derivation; <xref target="asym"/> specifies message processing for EDHOC authenticated with signature keys or static Diffie-Hellman keys, keys; <xref target="error"/> describes the error messages, messages; <xref target="duplication"/> describes EDHOC support for transport that does not handle message duplication, duplication; and <xref target="mti"/> lists compliance requirements. Note that normative text is also used in appendices, in particular <xref target="transfer"/>.</t>
      </section>
      <section anchor="term">
        <name>Terminology and Requirements Language</name>
        <t>The
	        <t>
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
    NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and "OPTIONAL" "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
    described in BCP 14 BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
    when, and only when, they appear in all capitals, as shown here.
<?line -6?>
        </t>
        <t>Readers are expected to be familiar with the terms and
        concepts described in CBOR <xref target="RFC8949"/>, CBOR
        Sequences <xref target="RFC8742"/>, COSE structures Structures and processing
        Processing <xref target="RFC9052"/>, COSE algorithms Algorithms <xref
        target="RFC9053"/>, CWT and CWT Claims Set CCS <xref
        target="RFC8392"/>, and the Concise Data Definition Language (CDDL,
        (CDDL) <xref target="RFC8610"/>), target="RFC8610"/>, which is used to express
        CBOR data structures. Examples of CBOR and CDDL are provided
        in <xref target="CBOR"/>. When referring to CBOR, this
        specification always refers to Deterministically Encoded CBOR CBOR,
        as specified in Sections 4.2.1 <xref target="RFC8949" section="4.2.1" sectionFormat="bare"/> and 4.2.2 <xref target="RFC8949" section="4.2.2" sectionFormat="bare"/> of <xref
        target="RFC8949"/>. The single output from authenticated
        encryption (including the authentication tag) is called
        "ciphertext", following <xref target="RFC5116"/>.</t>
      </section>
    </section>
    <section anchor="background">
      <name>EDHOC Outline</name>
      <t>EDHOC specifies different authentication methods of the ephemeral-ephemeral Diffie-Hellman key exchange: exchange, i.e., signature keys and static Diffie-Hellman keys. This section outlines the signature key based signature-key-based method. Further details of protocol elements and other authentication methods are provided in the remainder of this document.</t>
      <t>SIGMA (SIGn-and-MAc)
      <t>SIGn-and-MAc (SIGMA) is a family of theoretical protocols with a large number of variants <xref target="SIGMA"/>. Like in IKEv2 Internet Key Exchange Protocol Version 2 (IKEv2) <xref target="RFC7296"/> and (D)TLS 1.3 <xref target="RFC8446"/><xref target="RFC8446"/> <xref target="RFC9147"/>, EDHOC authenticated with signature keys is built on a variant of the SIGMA protocol, SIGMA-I, which provides identity protection against active attacks on the party initiating the protocol. Also like IKEv2, EDHOC implements the MAC-then-Sign variant of the SIGMA-I protocol. The message flow (excluding an optional fourth message) is shown in <xref target="fig-sigma"/>.</t>
      <figure anchor="fig-sigma">
        <name>MAC-then-Sign variant Variant of the SIGMA-I protocol used Protocol Used by the EDHOC method 0.</name> Method 0</name>
        <artset>
          <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="192" width="560" height="" width="" viewBox="0 0 560 192" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,48 L 8,176" fill="none" stroke="black"/>
              <path d="M 552,48 L 552,176" fill="none" stroke="black"/>
              <path d="M 8,64 L 544,64" fill="none" stroke="black"/>
              <path d="M 16,112 L 552,112" fill="none" stroke="black"/>
              <path d="M 8,160 L 544,160" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="552,160 540,154.4 540,165.6" fill="black" transform="rotate(0,544,160)"/>
              <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fill="black" transform="rotate(0,544,64)"/>
              <polygon class="arrowhead" points="24,112 12,106.4 12,117.6" fill="black" transform="rotate(180,16,112)"/>
              <g class="text">
                <text x="40" y="36">Initiator</text>
                <text x="520" y="36">Responder</text>
                <text x="280" y="52">G_X</text>
                <text x="76" y="100">G_Y,</text>
                <text x="116" y="100">Enc(</text>
                <text x="180" y="100">ID_CRED_R,</text>
                <text x="244" y="100">Sig(</text>
                <text x="276" y="100">R;</text>
                <text x="308" y="100">MAC(</text>
                <text x="360" y="100">CRED_R,</text>
                <text x="412" y="100">G_X,</text>
                <text x="448" y="100">G_Y</text>
                <text x="472" y="100">)</text>
                <text x="488" y="100">)</text>
                <text x="504" y="100">)</text>
                <text x="96" y="148">AEAD(</text>
                <text x="164" y="148">ID_CRED_I,</text>
                <text x="228" y="148">Sig(</text>
                <text x="260" y="148">I;</text>
                <text x="292" y="148">MAC(</text>
                <text x="344" y="148">CRED_I,</text>
                <text x="396" y="148">G_Y,</text>
                <text x="432" y="148">G_X</text>
                <text x="456" y="148">)</text>
                <text x="472" y="148">)</text>
                <text x="488" y="148">)</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art" align="center"><![CDATA[
Initiator                                                   Responder
|                                G_X                                |
+------------------------------------------------------------------>|
|                                                                   |
|      G_Y, Enc( ID_CRED_R, Sig( R; MAC( CRED_R, G_X, G_Y ) ) )     |
|<------------------------------------------------------------------+
|                                                                   |
|        AEAD( ID_CRED_I, Sig( I; MAC( CRED_I, G_Y, G_X ) ) )       |
+------------------------------------------------------------------>|
|                                                                   |
]]></artwork>
        </artset>
      </figure>
      <t>The parties exchanging messages in an EDHOC session are called the Initiator (I) and the Responder (R), where the Initiator sends message_1 (see <xref target="overview"/>). They exchange ephemeral public keys, compute a shared secret session key PRK_out, and derive symmetric application keys used to protect application data.</t>
      <ul spacing="normal">
        <li>G_X and G_Y are the ECDH Elliptic Curve Diffie-Hellman (ECDH) ephemeral public keys of I and R, respectively.</li>
        <li>CRED_I and CRED_R are the authentication credentials containing the public authentication keys of I and R, respectively.</li>
        <li>ID_CRED_I and ID_CRED_R are used to identify and optionally transport the credentials of the Initiator I and the Responder, R, respectively.</li>
        <li>Sig(I; . ) and Sig(R; . ) denote signatures made with the private authentication key of I and R, respectively.</li>
        <li>Enc(), AEAD(), and MAC() denotes denote encryption, authenticated encryption Authenticated Encryption with additional data, Associated Data, and message authentication code - Message Authentication Code -- crypto algorithms applied with keys derived from one or more shared secrets calculated during the protocol.</li>
      </ul>
      <t>In order to create a "full-fledged" protocol protocol, some additional protocol elements are needed. EDHOC adds:</t>
      <ul spacing="normal">
        <li>Transcript
        <li>transcript hashes (hashes of message data) data), TH_2, TH_3, TH_4 and TH_4, used for key derivation and as additional authenticated data.</li>
        <li>Computationally data,</li>
        <li>computationally independent keys derived from the ECDH shared secret and used for authenticated encryption of different messages.</li>
        <li>An messages,</li>
        <li>an optional fourth message giving key confirmation to I in deployments where no protected application data is sent from R to I.</li>
        <li>A I,</li>
        <li>a keying material exporter and a key update function with forward secrecy.</li>
        <li>Secure secrecy,</li>
        <li>secure negotiation of the cipher suite.</li>
        <li>Method suite,</li>
        <li>method types, error handling, and padding.</li>
        <li>Selection padding,</li>
        <li>a selection of connection identifiers identifiers, C_I and C_R C_R, which may be used in EDHOC to identify the protocol state.</li>
        <li>Transport state, and</li>
        <li>transport of external authorization data.</li>
      </ul>
      <t>EDHOC is designed to encrypt and integrity protect as much information as possible. Symmetric keys and random material used in EDHOC are derived using EDHOC_KDF with as much previous information as possible, possible; see <xref target="fig-edhoc-kdf"/>. EDHOC is furthermore designed to be as compact and lightweight as possible, in terms of message sizes, processing, and the ability to reuse already existing CBOR, COSE, and CoAP libraries. Like in (D)TLS, authentication is the responsibility of the application. EDHOC identifies (and optionally transports) authentication credentials, credentials and provides proof-of-possession of the private authentication key.</t>
      <t>To simplify for implementors, the use of CBOR and COSE in EDHOC is summarized in <xref target="CBORandCOSE"/>. Test vectors vectors, including CBOR diagnostic notation notation, are provided in <xref target="I-D.ietf-lake-traces"/>.</t> target="RFC9529"/>.</t>
    </section>
    <section anchor="overview">
      <name>Protocol Elements</name>
      <section anchor="general">
        <name>General</name>
        <t>The EDHOC protocol consists of three mandatory messages (message_1, message_2, and message_3), an optional fourth message (message_4), and an error message, between an Initiator (I) and a Responder (R). The odd messages are sent by I, the even by R. Both I and R can send error messages.
The roles have slightly different security properties which that should be considered when the roles are assigned, assigned; see <xref target="sec-prop"/>.
All EDHOC messages are CBOR Sequences <xref target="RFC8742"/>, target="RFC8742"/> and are defined to be deterministically encoded. encoded CBOR as specified in <xref target="RFC8949" sectionFormat="of" section="4.2.1"/>. <xref target="fig-flow"/> illustrates an EDHOC message flow with the optional fourth message as well as the content of each message. The protocol elements in the figure are introduced in Sections <xref target="overview"/> target="overview" format="counter"/> and <xref target="asym"/>. target="asym" format="counter"/>. Message formatting and processing are specified in Sections <xref target="asym"/> target="asym" format="counter"/> and <xref target="error"/>.</t> target="error" format="counter"/>.</t>
        <t>Application data may be protected using the agreed application algorithms (AEAD, hash) in the selected cipher suite (see <xref target="cs"/>) target="cs"/>), and the application can make use of the established connection identifiers C_I and C_R (see <xref target="ci"/>). Media types that may be used for EDHOC are defined in <xref target="media-type"/>.</t>
        <t>The Initiator can derive symmetric application keys after creating EDHOC message_3, message_3; see <xref target="exporter"/>. Protected application data can therefore be sent in parallel or together with EDHOC message_3. EDHOC message_4 is typically not sent.</t>
        <figure anchor="fig-flow">
          <name>EDHOC message flow including Message Flow Including the optional fourth message.</name> Optional Fourth Message</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="288" width="560" height="" width="" viewBox="0 0 560 288" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,48 L 8,272" fill="none" stroke="black"/>
                <path d="M 552,48 L 552,272" fill="none" stroke="black"/>
                <path d="M 8,64 L 544,64" fill="none" stroke="black"/>
                <path d="M 16,128 L 552,128" fill="none" stroke="black"/>
                <path d="M 8,192 L 544,192" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="552,192 540,186.4 540,197.6" fill="black" transform="rotate(0,544,192)"/>
                <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fill="black" transform="rotate(0,544,64)"/>
                <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" fill="black" transform="rotate(180,16,128)"/>
                <g class="text">
                  <text x="40" y="36">Initiator</text>
                  <text x="520" y="36">Responder</text>
                  <text x="176" y="52">METHOD,</text>
                  <text x="248" y="52">SUITES_I,</text>
                  <text x="308" y="52">G_X,</text>
                  <text x="348" y="52">C_I,</text>
                  <text x="392" y="52">EAD_1</text>
                  <text x="280" y="84">message_1</text>
                  <text x="84" y="116">G_Y,</text>
                  <text x="124" y="116">Enc(</text>
                  <text x="164" y="116">C_R,</text>
                  <text x="228" y="116">ID_CRED_R,</text>
                  <text x="352" y="116">Signature_or_MAC_2,</text>
                  <text x="456" y="116">EAD_2</text>
                  <text x="488" y="116">)</text>
                  <text x="280" y="148">message_2</text>
                  <text x="128" y="180">AEAD(</text>
                  <text x="196" y="180">ID_CRED_I,</text>
                  <text x="320" y="180">Signature_or_MAC_3,</text>
                  <text x="424" y="180">EAD_3</text>
                  <text x="456" y="180">)</text>
                  <text x="280" y="212">message_3</text>
                  <text x="248" y="244">AEAD(</text>
                  <text x="296" y="244">EAD_4</text>
                  <text x="328" y="244">)</text>
                  <text x="20" y="260">&lt;-</text>
                  <text x="40" y="260">-</text>
                  <text x="56" y="260">-</text>
                  <text x="72" y="260">-</text>
                  <text x="88" y="260">-</text>
                  <text x="104" y="260">-</text>
                  <text x="120" y="260">-</text>
                  <text x="136" y="260">-</text>
                  <text x="152" y="260">-</text>
                  <text x="168" y="260">-</text>
                  <text x="184" y="260">-</text>
                  <text x="200" y="260">-</text>
                  <text x="216" y="260">-</text>
                  <text x="232" y="260">-</text>
                  <text x="248" y="260">-</text>
                  <text x="264" y="260">-</text>
                  <text x="280" y="260">-</text>
                  <text x="296" y="260">-</text>
                  <text x="312" y="260">-</text>
                  <text x="328" y="260">-</text>
                  <text x="344" y="260">-</text>
                  <text x="360" y="260">-</text>
                  <text x="376" y="260">-</text>
                  <text x="392" y="260">-</text>
                  <text x="408" y="260">-</text>
                  <text x="424" y="260">-</text>
                  <text x="440" y="260">-</text>
                  <text x="456" y="260">-</text>
                  <text x="472" y="260">-</text>
                  <text x="488" y="260">-</text>
                  <text x="504" y="260">-</text>
                  <text x="520" y="260">-</text>
                  <text x="536" y="260">-</text>
                  <text x="280" y="276">message_4</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
Initiator                                                   Responder
|                 METHOD, SUITES_I, G_X, C_I, EAD_1                 |
+------------------------------------------------------------------>|
|                             message_1                             |
|                                                                   |
|       G_Y, Enc( C_R, ID_CRED_R, Signature_or_MAC_2, EAD_2 )       |
|<------------------------------------------------------------------+
|                             message_2                             |
|                                                                   |
|            AEAD( ID_CRED_I, Signature_or_MAC_3, EAD_3 )           |
+------------------------------------------------------------------>|
|                             message_3                             |
|                                                                   |
|                           AEAD( EAD_4 )                           |
|<- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
|                             message_4                             |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="method">
        <name>Method</name>
        <t>The data item METHOD in message_1 (see <xref target="asym-msg1-form"/>), target="asym-msg1-form"/>) is an integer specifying the authentication method. EDHOC supports authentication with signature or static Diffie-Hellman keys, as defined in the four authentication methods: 0, 1, 2, and 3, 3; see <xref target="fig-method-types"/>. target="tab-method-types"/>. When using a static Diffie-Hellman key key, the authentication is provided by a Message Authentication Code (MAC) computed from an ephemeral-static ECDH shared secret which that enables significant reductions in message sizes. Note that that, also in the static Diffie-Hellman based Diffie-Hellman-based authentication methods methods, there is an ephemeral-ephemeral Diffie-Hellman key exchange.</t>
        <t>The Initiator and the Responder need to have agreed on a single method to be used for EDHOC, EDHOC; see <xref target="applicability"/>.</t>
        <figure anchor="fig-method-types">

        <table anchor="tab-method-types">
	   <name>Authentication keys Keys for method types.</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="464" viewBox="0 0 464 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,160" fill="none" stroke="black"/>
                <path d="M 120,32 L 120,160" fill="none" stroke="black"/>
                <path d="M 288,32 L 288,160" fill="none" stroke="black"/>
                <path d="M 456,32 L 456,160" fill="none" stroke="black"/>
                <path d="M 8,32 L 456,32" fill="none" stroke="black"/>
                <path d="M 8,78 L 456,78" fill="none" stroke="black"/>
                <path d="M 8,82 L 456,82" fill="none" stroke="black"/>
                <path d="M 8,160 L 456,160" fill="none" stroke="black"/>
                <g class="text">
                  <text x="44" y="52">Method</text>
                  <text x="92" y="52">Type</text>
                  <text x="168" y="52">Initiator</text>
                  <text x="336" y="52">Responder</text>
                  <text x="88" y="68">Value</text>
                  <text x="188" y="68">Authentication</text>
                  <text x="264" y="68">Key</text>
                  <text x="356" y="68">Authentication</text>
                  <text x="432" y="68">Key</text>
                  <text x="104" y="100">0</text>
                  <text x="168" y="100">Signature</text>
                  <text x="224" y="100">Key</text>
                  <text x="336" y="100">Signature</text>
                  <text x="392" y="100">Key</text>
                  <text x="104" y="116">1</text>
                  <text x="168" y="116">Signature</text>
                  <text x="224" y="116">Key</text>
                  <text x="324" y="116">Static</text>
                  <text x="364" y="116">DH</text>
                  <text x="392" y="116">Key</text>
                  <text x="104" y="132">2</text>
                  <text x="156" y="132">Static</text>
                  <text x="196" y="132">DH</text>
                  <text x="224" y="132">Key</text>
                  <text x="336" y="132">Signature</text>
                  <text x="392" y="132">Key</text>
                  <text x="104" y="148">3</text>
                  <text x="156" y="148">Static</text>
                  <text x="196" y="148">DH</text>
                  <text x="224" y="148">Key</text>
                  <text x="324" y="148">Static</text>
                  <text x="364" y="148">DH</text>
                  <text x="392" y="148">Key</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
+-------------+--------------------+--------------------+
| Method Types</name>
	      <thead>
		<tr>
		  <th>Method Type | Initiator          | Responder          |
|       Value | Value</th>
		  <th>Initiator Authentication Key | Key</th>
		  <th>Responder Authentication Key |
+=============+====================+====================+
|           0 | Signature Key      | Signature Key      |
|           1 | Signature Key      | Static Key</th>
		</tr>
	      </thead>
	      <tbody>

		<tr>
		  <td align="right">0</td>
		  <td>Signature Key</td>
		  <td>Signature Key</td>
		</tr>
		<tr>
		  <td align="right">1</td>
		  <td>Signature Key</td>
		  <td>Static DH Key      |
|           2 | Static Key</td>
		</tr>
		<tr>
		  <td align="right">2</td>
		  <td>Static DH Key      | Signature Key      |
|           3 | Static Key</td>
		  <td>Signature Key</td>
		</tr>
		<tr>
		  <td align="right">3</td>
		  <td>Static DH Key      | Static Key</td>
		  <td>Static DH Key      |
+-------------+--------------------+--------------------+
]]></artwork>
          </artset>
        </figure> Key</td>
		</tr>
		<tr>
		  <td align="right">23</td>
		  <td>Reserved</td>
		  <td>Reserved</td>
		</tr>
	      </tbody>
	    </table>

	    <t>EDHOC does not have a dedicated message field to indicate the protocol version. Breaking changes to EDHOC can be introduced by specifying and registering new methods.</t>
      </section>
      <section anchor="ci">
        <name>Connection Identifiers</name>
        <t>EDHOC includes the selection of connection identifiers (C_I, (C_I and C_R) identifying a connection for which keys are agreed.</t>
        <t>Connection identifiers may be used to correlate EDHOC messages and facilitate the retrieval of protocol state during an EDHOC session (see <xref target="transport"/>), target="transport"/>) or may be used in applications of EDHOC, e.g., in OSCORE (see <xref target="ci-oscore"/>). The connection identifiers do not have any cryptographic purpose in EDHOC and only facilitate the retrieval of security data associated with the protocol state.</t>
        <t>Connection identifiers in EDHOC are intrinsically byte strings. Most constrained devices only have a few connections for which short identifiers may be sufficient. In some cases cases, minimum length identifiers are necessary to comply with overhead requirements. However, CBOR byte strings - -- with the exception of the empty byte string h’’ h'', which encodes as one byte (0x40) - -- are encoded as two or more bytes. To enable one-byte encoding of certain byte strings while maintaining CBOR encoding, EDHOC represents certain identifiers as CBOR integers on the wire, wire; see <xref target="bstr-repr"/>.</t>
        <section anchor="selection-of-connection-identifiers">
          <name>Selection of Connection Identifiers</name>
          <t>C_I and C_R are chosen by I and R, respectively. The Initiator selects C_I and sends it in message_1 for the Responder to use as a reference to the connection in communication communications with the Initiator. The Responder selects C_R and sends it in message_2 for the Initiator to use as a reference to the connection in communications with the Responder.</t>
          <t>If connection identifiers are used by an application protocol for which EDHOC establishes keys keys, then the selected connection identifiers SHALL <bcp14>SHALL</bcp14> adhere to the requirements for that protocol, protocol; see <xref target="ci-oscore"/> for an example.</t>
        </section>
        <section anchor="bstr-repr">
          <name>Representation of Byte String Identifiers</name>
          <t>To allow identifiers with minimal overhead on the wire, certain byte strings used in connection identifiers and credential identifiers (see <xref target="id_cred"/>) are defined to have integer representations.</t>
          <t>The integers with one-byte CBOR encoding are -24, ..., 23, 23; see <xref target="fig-int-one-byte"/>.</t>
          <figure anchor="fig-int-one-byte">
            <name>One-byte CBOR encoded integers.</name>
            <name>One-Byte CBOR-Encoded Integers</name>
            <artwork align="center"><![CDATA[
Integer:  -24  -23  ... -11  ...  -2   -1    0    1  ...  15  ...  23
Encoding:  37   36  ...  2A  ...  21   20   00   01  ...  0F  ...  17
]]></artwork>
          </figure>
          <t>The byte strings which that coincide with a one-byte CBOR encoding of an integer MUST <bcp14>MUST</bcp14> be represented by the CBOR encoding of that integer. Other byte strings are simply encoded as CBOR byte strings.</t>
          <t>For example:</t>
          <ul spacing="normal">
            <li>0x21 is represented by 0x21 (CBOR encoding of the integer -2), not by 0x4121 (CBOR encoding of the byte string 0x21).</li>
            <li>0x0D is represented by 0x0D (CBOR encoding of the integer 13), not by 0x410D (CBOR encoding of the byte string 0x0D).</li>
            <li>0x18 is represented by 0x4118 (CBOR encoding of the byte string 0x18).</li>
            <li>0x38 is represented by 0x4138 (CBOR encoding of the byte string 0x38).</li>
            <li>0xABCD is represented by 0x42ABCD (CBOR encoding of the byte string 0xABCD).</li>
          </ul>
          <t>One may view this representation of byte strings as a transport encoding: encoding, i.e., a byte string which that parses as the one-byte CBOR encoding of an integer (i.e., integer in the interval -24, ..., 23) is just copied directly into the message, and a byte string which that does not is encoded as a CBOR byte string during transport.</t>
          <t>Implementation
          <aside><t>Implementation Note: When implementing the byte string identifier representation, it can in some programming languages languages, it can help to define a new type, type or other data structure, which (in its user facing user-facing API) behaves like a byte string, string but when serializing to CBOR produces a CBOR byte string or a CBOR integer depending on its value.</t> value.</t></aside>
        </section>
        <section anchor="ci-oscore">
          <name>Use of Connection Identifiers with OSCORE</name>
          <t>For OSCORE, the choice of connection identifier results in the endpoint selecting its Recipient ID, see Section 3.1 of ID (see <xref target="RFC8613"/>, target="RFC8613" section="3.1" sectionFormat="of"/>) for which certain uniqueness requirements apply, see Section 3.3 of apply (see <xref target="RFC8613"/>. target="RFC8613" section="3.3" sectionFormat="of"/>). Therefore, the Initiator and the Responder MUST NOT <bcp14>MUST NOT</bcp14> select connection identifiers such that it results in the same OSCORE Recipient ID. Since the connection identifier is a byte string, it is converted to an OSCORE Recipient ID equal to the byte string.</t>
          <t>Examples:</t>
          <ul spacing="normal">
            <li>A connection identifier 0xFF (represented in the EDHOC message as 0x41FF, 0x41FF; see <xref target="bstr-repr"/>) is converted to the OSCORE Recipient ID 0xFF.</li>
            <li>A connection identifier 0x21 (represented in the EDHOC message as 0x21, 0x21; see <xref target="bstr-repr"/>) is converted to the OSCORE Recipient ID 0x21.</li>
          </ul>
        </section>
      </section>
      <section anchor="transport">
        <name>Transport</name>
        <t>Cryptographically, EDHOC does not put requirements on the underlying layers. Received messages are processed as the expected next message according to the protocol state, state; see <xref target="asym"/>. If processing fails for any reason then, typically, reason, then typically an error message is attempted to be sent and the EDHOC session is aborted.</t>
        <t>EDHOC is not bound to a particular transport layer and can even be used in environments without IP. Ultimately, the application is free to choose how to transport EDHOC messages including errors. In order to avoid unnecessary message processing or protocol termination, it is RECOMMENDED <bcp14>RECOMMENDED</bcp14> to use reliable transport, such as CoAP in reliable mode, which is the default transport, transport; see <xref target="coap"/>. In general, the transport SHOULD <bcp14>SHOULD</bcp14> handle:</t>
        <ul spacing="normal">
          <li>message loss,</li>
          <li>message duplication, see duplication (see <xref target="duplication"/> for an alternative,</li> alternative),</li>
          <li>flow control,</li>
          <li>congestion control,</li>
          <li>fragmentation and reassembly,</li>
          <li>demultiplexing EDHOC messages from other types of messages,</li>
          <li>denial-of-service mitigation,</li> mitigation, and</li>
          <li>message correlation, see correlation (see <xref target="ci-edhoc"/>.</li> target="ci-edhoc"/>).</li>
        </ul>
        <t>EDHOC does not require error free error-free transport since a change in message content is detected through the transcript hashes in a subsequent integrity verification, verification; see <xref target="asym"/>. The transport does not require additional means to handle message reordering because of the lockstep processing of EDHOC.</t>
        <t>EDHOC is designed to enable an authenticated key exchange with small messages, where the minimum message sizes are of the order illustrated in the first column of <xref target="fig-sizes"/>. target="tab-sizes"/>. There is no maximum message size specified by the protocol; for example, this is for example dependent on the size of the authentication credentials (if they are transported, see <xref target="auth-key-id"/>).</t>
        <t>The use of transport is specified in the application profile, which in particular particular, may specify limitations in message sizes, sizes; see <xref target="applicability"/>.</t>
        <section anchor="ci-edhoc">
          <name>EDHOC Message Correlation</name>
          <t>Correlation between EDHOC messages is needed to facilitate the retrieval of the protocol state and security context during an EDHOC session. It is also helpful for the Responder to get an indication that a received EDHOC message is the beginning of a new EDHOC session, such that no existing protocol state or security context needs to be retrieved.</t>
          <t>Correlation may be based on existing mechanisms in the transport protocol, protocol; for example, the CoAP Token may be used to correlate EDHOC messages in a CoAP response and in an associated CoAP request. The connection identifiers may also be used to correlate EDHOC messages.</t>
          <t>If correlation between consecutive messages is not provided by other means means, then the transport binding SHOULD <bcp14>SHOULD</bcp14> mandate prepending of an appropriate connection identifier (when available from the EDHOC protocol) to the EDHOC message. If message_1 indication is not provided by other means, then the transport binding SHOULD <bcp14>SHOULD</bcp14> mandate prepending of message_1 with the CBOR simple value <tt>true</tt> (0xf5).</t>
          <t>Transport of EDHOC in CoAP payloads is described in <xref target="coap"/>, including how to use connection identifiers and message_1 indication with CoAP. A similar construction is possible for other client-server protocols. Protocols that do not provide any correlation at all can prescribe prepending of the peer's connection identifier to all messages.</t>
          <t>Note that correlation between EDHOC messages may be obtained without transport support or connection identifiers, for example example, if the endpoints only accept a single instance of the protocol at a time, time and execute conditionally on a correct sequence of messages.</t>
        </section>
      </section>
      <section anchor="auth-key-id">
        <name>Authentication Parameters</name>
        <t>EDHOC supports various settings for how the other endpoint's authentication (public) key may be transported, identified, and trusted.</t>
        <t>EDHOC performs the following authentication related authentication-related operations:</t>
        <ul spacing="normal">
          <li>EDHOC transports information about credentials in ID_CRED_I and ID_CRED_R (described in <xref target="id_cred"/>). Based on this information, the authentication credentials CRED_I and CRED_R (described in <xref target="auth-cred"/>) can be obtained. EDHOC may also transport certain authentication related authentication-related information as External Authorization Data external authorization data (see <xref target="AD"/>).</li>
          <li>
            <t>EDHOC uses the authentication credentials in two ways (see Sections <xref target="asym-msg2-proc"/> target="asym-msg2-proc" format="counter"/> and <xref target="asym-msg3-proc"/>): target="asym-msg3-proc" format="counter"/>):
            </t>
            <ul spacing="normal">
              <li>The authentication credential is input to the integrity verification using the MAC fields.</li>
              <li>The authentication key of the authentication credential is used with the Signature_or_MAC field to verify proof-of-possession of the private key.</li>
            </ul>
          </li>
        </ul>
        <t>Other authentication related authentication-related verifications are out of scope for EDHOC, EDHOC and is are the responsibility of the application. In particular, the authentication credential needs to be validated in the context of the connection for which EDHOC is used, used; see <xref target="auth-validation"/>. EDHOC MUST <bcp14>MUST</bcp14> allow the application to read received information about credential (ID_CRED_R, ID_CRED_I). credentials in ID_CRED_R and ID_CRED_I. EDHOC MUST <bcp14>MUST</bcp14> have access to the authentication key and the authentication credential.</t>
        <t>Note that the type of authentication key, the type of authentication credential, and the identification of the credential have a large impact on the message size. For example, the Signature_or_MAC field is much smaller with a static DH key than with a signature key. A CWT Claims Set (CCS) is much smaller than a self-signed certificate/CWT, certificate / CWT, but if it is possible to reference the credential with a COSE header like 'kid', then that is in turn much smaller than a CCS.</t>
        <section anchor="auth-keys">
          <name>Authentication Keys</name>
          <t>The authentication key (i.e., the public key used for authentication) MUST <bcp14>MUST</bcp14> be a signature key or a static Diffie-Hellman key. The Initiator and the Responder MAY <bcp14>MAY</bcp14> use different types of authentication keys, e.g., one uses a signature key and the other uses a static Diffie-Hellman key.</t>
          <t>The authentication key algorithm needs to be compatible with the method and the selected cipher suite (see <xref target="cs"/>). The authentication key algorithm needs to be compatible with the EDHOC key exchange algorithm when static Diffie-Hellman authentication is used, used and compatible with the EDHOC signature algorithm when signature authentication is used.</t>
          <t>Note that for most signature algorithms, the signature is determined by the signature algorithm and the authentication key algorithm together. When using static Diffie-Hellman keys keys, the Initiator's and the Responder's private authentication keys are denoted as I and R, respectively, and the public authentication keys are denoted G_I and G_R, respectively.</t>
          <t>For X.509 certificates certificates, the authentication key is represented by a SubjectPublicKeyInfo field. For CWT and CCS (see <xref target="auth-cred"/>)) target="auth-cred"/>), the authentication key is represented by a 'cnf' claim <xref target="RFC8747"/> containing a COSE_Key <xref target="RFC9052"/>. In EDHOC, a raw public key (RPK) is an authentication key encoded as a COSE_Key wrapped in a CCS.</t>
        </section>
        <section anchor="auth-cred">
          <name>Authentication Credentials</name>
          <t>The authentication credentials, CRED_I and CRED_R, contains contain the public authentication key of the Initiator and the Responder, respectively.
We use the notation CRED_x to refer to CRED_I or CRED_R.
Requirements on CRED_x applies both to CRED_I and to CRED_R.
The authentication credential typically also contains other parameters that needs to be verified by the application, see application (see <xref target="auth-validation"/>, target="auth-validation"/>) and in particular information about the identity ("subject") of the endpoint to prevent misbinding attacks, see attacks (see <xref target="identities"/>.</t> target="identities"/>).</t>
          <t>EDHOC relies on COSE for identification of credentials (see <xref target="id_cred"/>), for example example, X.509 certificates <xref target="RFC9360"/>, C509 certificates <xref target="I-D.ietf-cose-cbor-encoded-cert"/>, CWTs <xref target="RFC8392"/> target="RFC8392"/>, and CWT Claims Sets (CCS) CCSs <xref target="RFC8392"/>. When the identified credential is a chain or a bag, the authentication credential CRED_x is just the end entity X.509 or C509 certificate / CWT. In the choice between a chain or bag a bag, it is RECOMMENDED <bcp14>RECOMMENDED</bcp14> to use a chain, since the certificates in a bag are unordered and may contain self-signed and extraneous certificates, which can add complexity to the process of extracting the end entity certificate. The Initiator and the Responder MAY <bcp14>MAY</bcp14> use different types of authentication credentials, e.g., one uses an RPK and the other uses a public key certificate.</t>
          <t>Since CRED_R is used in the integrity verification, see verification (see <xref target="asym-msg2-proc"/>, target="asym-msg2-proc"/>), it needs to be specified such that it is identical when used by the Initiator or Responder. Similarly for CRED_I, see <xref target="asym-msg3-proc"/>. The Initiator and Responder are expected to agree on the specific encoding of the authentication credentials, credentials; see <xref target="applicability"/>. It is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that the COSE 'kid' parameter, when used to identify the authentication credential, refers to a such a specific encoding of the authentication credential. The Initiator and Responder SHOULD <bcp14>SHOULD</bcp14> use an available authentication credential (transported in EDHOC or otherwise provisioned) without re-encoding. If for some reason re-encoding of the an authentication credential passed by reference may occur, then a potential common encoding for CBOR based CBOR-based credentials is bytewise lexicographic order of their deterministic encodings deterministically encoded CBOR, as specified in Section 4.2.1 Sections <xref target="RFC8949" section="4.2.1" sectionFormat="bare"/> and <xref target="RFC8949" section="4.2.2" sectionFormat="bare"/> of <xref target="RFC8949"/>.</t> target="RFC8949"/>. Authentication credentials passed by value are used as is without re-encoding.</t>
          <ul spacing="normal">
            <li>When the authentication credential is an X.509 certificate, CRED_x SHALL <bcp14>SHALL</bcp14> be the DER encoded DER-encoded certificate, encoded as a bstr <xref target="RFC9360"/>.</li>
            <li>When the authentication credential is a C509 certificate, CRED_x SHALL <bcp14>SHALL</bcp14> be the C509Certificate C509 certificate <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</li>
            <li>When the authentication credential is a CWT including a COSE_Key, CRED_x SHALL <bcp14>SHALL</bcp14> be the untagged CWT.</li>
            <li>
              <t>When the authentication credential includes a COSE_Key but is not in a CWT, CRED_x SHALL <bcp14>SHALL</bcp14> be an untagged CWT Claims Set (CCS). CCS. This is how RPKs are encoded, see <xref target="fig-ccs"/> for an example.
              </t>
              <ul spacing="normal">
                <li>Naked COSE_Keys are thus dressed as CCS when used in EDHOC, EDHOC in its simplest form by prefixing the COSE_Key with 0xA108A101 (a map with a 'cnf' claim). In that case case, the resulting authentication credential contains no other identity than the public key itself, itself; see <xref target="identities"/>.</li>
              </ul>
            </li>
          </ul>
          <t>An example of CRED_x is shown below:</t>
          <figure anchor="fig-ccs">
            <name>CWT Claims Set (CCS) containing
            <name>CCS Containing an X25519 static Static Diffie-Hellman key Key and an EUI-64 identity.</name> Identity</name>
            <artwork><![CDATA[
{                                              /CCS/
  2 : "42-50-31-FF-EF-37-32-39",               /sub/
  8 : {                                        /cnf/
    1 : {                                      /COSE_Key/
      1 : 1,                                   /kty/
      2 : h'00',                               /kid/
     -1 : 4,                                   /crv/
     -2 : h'b1a3e89460e88d3a8d54211dc95f0b90   /x/
            3ff205eb71912d6db8f4af980d2db83a'
    }
  }
}
]]></artwork>
          </figure>
        </section>
        <section anchor="id_cred">
          <name>Identification of Credentials</name>
          <t>The ID_CRED fields, ID_CRED_R and ID_CRED_I, are transported in message_2 and message_3, respectively, respectively; see Sections <xref target="asym-msg2-proc"/> target="asym-msg2-proc" format="counter"/> and <xref target="asym-msg3-proc"/>. target="asym-msg3-proc" format="counter"/>.
We use the notation ID_CRED_x to refer to ID_CRED_I or ID_CRED_R.
Requirements on ID_CRED_x applies both to ID_CRED_I and to ID_CRED_R.
The ID_CRED fields are used to identify and optionally transport credentials:</t>
          <ul spacing="normal">
            <li>ID_CRED_R is intended to facilitate for the Initiator retrieving the authentication credential CRED_R and the authentication key of R.</li>
            <li>ID_CRED_I is intended to facilitate for the Responder retrieving the authentication credential CRED_I and the authentication key of I.</li>
          </ul>
          <t>ID_CRED_x may contain the authentication credential CRED_x, for x = I or R, but for many settings settings, it is not necessary to transport the authentication credential within EDHOC. For example, it may be pre-provisioned or acquired out-of-band over less constrained links. ID_CRED_I and ID_CRED_R do not have any cryptographic purpose in EDHOC since the authentication credentials are integrity protected.</t> protected by the Signature_or_MAC field.</t>
          <t>EDHOC relies on COSE for identification of credentials and supports all credential types for which COSE header parameters are defined defined, including X.509 certificates (<xref target="RFC9360"/>), <xref target="RFC9360"/>, C509 certificates (<xref target="I-D.ietf-cose-cbor-encoded-cert"/>), CWT (see <xref target="I-D.ietf-cose-cbor-encoded-cert"/>, CWTs (<xref target="new-header-param"/>) and CWT Claims Set (see <xref CCSs (<xref target="new-header-param"/>).</t>
          <t>ID_CRED_I and ID_CRED_R are of type COSE header_map, as defined in Section 3 of <xref target="RFC9052"/>, target="RFC9052" section="3" sectionFormat="of"/>, and contains contain one or more COSE header parameters. If a map contains several header parameters, the labels do not need to be sorted in bytewise lexicographic order. ID_CRED_I and ID_CRED_R MAY <bcp14>MAY</bcp14> contain different header parameters. The header parameters typically provide some information about the format of the credential.</t>
          <t>Example: X.509 certificates can be identified by a hash value using the 'x5t' parameter, parameter; see Section 2 of <xref target="RFC9360"/>:</t> target="RFC9360" section="2" sectionFormat="of"/>:</t>
          <ul spacing="normal">
            <li>ID_CRED_x = { 34 : COSE_CertHash }, for x = I or R,</li> R</li>
          </ul>
          <t>Example: CWT or CCS can be identified by a key identifier using the 'kid' parameter, parameter; see Section 3.1 of <xref target="RFC9052"/>:</t> target="RFC9052" section="3.1" sectionFormat="of"/>:</t>
          <ul spacing="normal">
            <li>ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I or R.</li> R</li>
          </ul>
          <t>Note that COSE header parameters in ID_CRED_x are used to identify the message sender's credential. There Therefore, there is therefore no reason to use the "-sender" header parameters, such as x5t-sender, defined in Section 3 of <xref target="RFC9360"/>. target="RFC9360" section="3" sectionFormat="of"/>. Instead, the corresponding parameter without "-sender", such as x5t, SHOULD <bcp14>SHOULD</bcp14> be used.</t>
          <t>As stated in Section 3.1 of <xref target="RFC9052"/>, target="RFC9052" section="3.1" sectionFormat="of"/>, applications MUST NOT <bcp14>MUST NOT</bcp14> assume that 'kid' values are unique and several keys associated with a 'kid' may need to be checked before the correct one is found. Applications might use additional information such as 'kid context' or lower layers to determine which key to try first. Applications should strive to make ID_CRED_x as unique as possible, since the recipient may otherwise have to try several keys.</t>
          <t>See <xref target="COSE"/> for more examples.</t>
          <section anchor="new-header-param">
            <name>COSE Header Parameters for CWT and CWT Claims Set</name>
            <t>This document registers two new COSE header parameters parameters, 'kcwt' and 'kccs' 'kccs', for use with CBOR Web Token (CWT, (CWT) <xref target="RFC8392"/>) target="RFC8392"/> and CWT Claims Set (CCS, (CCS) <xref target="RFC8392"/>), target="RFC8392"/>, respectively. The CWT/CCS MUST <bcp14>MUST</bcp14> contain a COSE_Key in a 'cnf' claim <xref target="RFC8747"/>. There may be any number of additional claims present in the CWT/CCS.</t>
            <t>CWTs sent in 'kcwt' are protected using a MAC or a signature and are similar to a certificate (when used with public key cryptography) or a Kerberos ticket (when used with symmetric key cryptography). CCSs sent in 'kccs' are not protected and are therefore similar to raw public keys or self-signed certificates.</t>
            <t>Security considerations for 'kcwt' and 'kccs' are made in <xref target="impl-cons"/>.</t>
          </section>
          <section anchor="compact-kid">
            <name>Compact Encoding of ID_CRED Fields for 'kid'</name>
            <t>To comply with the LAKE Lightweight Authenticated Key Exchange (LAKE) message size requirements, see requirements (see <xref target="I-D.ietf-lake-reqs"/>, target="I-D.ietf-lake-reqs"/>), two optimizations are made for the case when ID_CRED_x, for x = I or R, contains a single 'kid' parameter.</t>
            <ol spacing="normal" type="1"><li>The CBOR map { 4 : kid_x } is replaced by the byte string kid_x.</li>
              <li>The representation of identifiers specified in <xref target="bstr-repr"/> is applied to kid_x.</li>
            </ol>
            <t>These optimizations MUST <bcp14>MUST</bcp14> be applied if and only if ID_CRED_x = { 4 : kid_x } and ID_CRED_x in PLAINTEXT_y of message_y, y = 2 or 3, 3; see Sections <xref target="asym-msg2-proc"/> target="asym-msg2-proc" format="counter"/> and <xref target="asym-msg3-proc"/>. target="asym-msg3-proc" format="counter"/>. Note that these optimizations are not applied to instances of ID_CRED_x which that have no impact on message size, e.g., context_y, or the COSE protected header. Examples:</t> For example:</t>
            <ul spacing="normal">
              <li>For ID_CRED_x = { 4 : h'FF' }, the encoding in PLAINTEXT_y is not the CBOR map 0xA10441FF but the CBOR byte string h'FF', i.e., 0x41FF.</li>
              <li>For ID_CRED_x = { 4 : h'21' }, the encoding in PLAINTEXT_y is neither the CBOR map 0xA1044121, 0xA1044121 nor the CBOR byte string h'21', i.e., 0x4121, but the CBOR integer 0x21.</li>
            </ul>
          </section>
        </section>
      </section>
      <section anchor="cs">
        <name>Cipher Suites</name>
        <t>An EDHOC cipher suite consists of an ordered set of algorithms from the "COSE Algorithms" and "COSE Elliptic Curves" registries as well as the EDHOC MAC length. All algorithm names and definitions follow from COSE algorithms Algorithms <xref target="RFC9053"/>. Note that COSE sometimes uses peculiar names such as ES256 for ECDSA Elliptic Curve Digital Signature Algorithm (ECDSA) with SHA-256, A128 for AES-128, and Ed25519 for the curve edwards25519. Algorithms need to be specified with enough parameters to make them completely determined. The EDHOC MAC length MUST <bcp14>MUST</bcp14> be at least 8 bytes. Any cryptographic algorithm used in the COSE header parameters in ID_CRED fields is selected independently of the selected cipher suite. EDHOC is currently only specified for use with key exchange algorithms of type ECDH curves, but any Key Encapsulation Method Mechanism (KEM), including Post-Quantum Cryptography (PQC) KEMs, can be used in method 0, 0; see <xref target="pqc"/>. Use of other types of key exchange algorithms to replace static DH authentication (method 1,2,3) (methods 1, 2, and 3) would likely require a specification updating EDHOC with new methods.</t>
        <t>EDHOC supports all signature algorithms defined by COSE. Just like in (D)TLS 1.3 <xref target="RFC8446"/><xref target="RFC8446"/> <xref target="RFC9147"/> and IKEv2 <xref target="RFC7296"/>, a signature in COSE is determined by the signature algorithm and the authentication key algorithm together, together; see <xref target="auth-keys"/>. The exact details of the authentication key algorithm depend on the type of authentication credential. COSE supports different formats for storing the public authentication keys including COSE_Key and X.509, which use different names and ways to represent the authentication key and the authentication key algorithm.</t>
        <t>An EDHOC cipher suite consists of the following parameters:</t>
        <ul spacing="normal">
          <li>EDHOC AEAD algorithm</li> algorithm,</li>
          <li>EDHOC hash algorithm</li> algorithm,</li>
          <li>EDHOC MAC length in bytes (Static DH)</li> DH),</li>
          <li>EDHOC key exchange algorithm (ECDH curve)</li> curve),</li>
          <li>EDHOC signature algorithm</li>
          <li>Application algorithm,</li>
          <li>application AEAD algorithm</li>
          <li>Application algorithm, and</li>
          <li>application hash algorithm</li> algorithm.</li>
        </ul>
        <t>Each cipher suite is identified with a pre-defined predefined integer label.</t>
        <t>EDHOC can be used with all algorithms and curves defined for COSE. Implementations can either use any combination of COSE algorithms and parameters to define their own private cipher suite, suite or use one of the pre-defined predefined cipher suites. Private cipher suites can be identified with any of the four values values: -24, -23, -22, and -21. The pre-defined predefined cipher suites are listed in the IANA registry (<xref target="suites-registry"/>) with the initial content outlined here:</t>
        <ul spacing="normal">
          <li>
            <t>Cipher suites 0-3, based on AES-CCM, are intended for constrained IoT where a message overhead is a very important factor. Note that AES-CCM-16-64-128 and AES-CCM-16-128-128 are compatible with the IEEE CCM* Counter with CBC-MAC (CCM)* mode.
            </t>
            <ul spacing="normal">
              <li>Cipher suites 1 and 3 use a larger tag length (128-bit) (128 bits) in EDHOC than in the Application application AEAD algorithm (64-bit).</li> (64 bits).</li>
            </ul>
          </li>
          <li>Cipher suites 4 and 5, based on ChaCha20, are intended for less constrained applications and only use 128-bit tag lengths.</li>
          <li>Cipher suite 6, based on AES-GCM, is for general non-constrained applications. It consists of high performance high-performance algorithms that are widely used in non-constrained applications.</li>
          <li>Cipher suites 24 and 25 are intended for high security applications such as government use and financial applications. These cipher suites do not share any algorithms. Cipher suite 24 consists of algorithms from the CNSA Commercial National Security Algorithm (CNSA) 1.0 suite <xref target="CNSA"/>.</li>
        </ul>
        <t>The different methods (<xref target="method"/>) use the same cipher suites, but some algorithms are not used in some methods. The EDHOC signature algorithm is not used in methods without signature authentication.</t>
        <t>The Initiator needs to have a list of cipher suites it supports in order of preference. The Responder needs to have a list of cipher suites it supports. SUITES_I contains cipher suites supported by the Initiator, Initiator and formatted and processed as detailed in <xref target="asym-msg1-form"/> to secure the cipher suite negotiation. Examples of cipher suite negotiation are given in <xref target="ex-neg"/>.</t>
      </section>
      <section anchor="cose_key">
        <name>Ephemeral Public Keys</name>
        <t>The ephemeral public keys in EDHOC (G_X and G_Y) use compact representation of elliptic curve points, points; see <xref target="comrep"/>. In COSE, compact representation is achieved by formatting the ECDH ephemeral public keys as COSE_Keys of type EC2 or OKP Octet Key Pair (OKP) according to Sections 7.1 <xref target="RFC9053" section="7.1" sectionFormat="bare"/> and 7.2 <xref target="RFC9053" section="7.2" sectionFormat="bare"/> of <xref target="RFC9053"/>, target="RFC9053"/> but only including the 'x' parameter in G_X and G_Y. For Elliptic Curve Keys of type EC2, compact representation MAY <bcp14>MAY</bcp14> be used also in the COSE_Key. COSE always uses compact output for Elliptic Curve Keys of type EC2. If the COSE implementation requires a 'y' parameter, the value y = false or a calculated y-coordinate can be used, used; see <xref target="comrep"/>.</t>
      </section>
      <section anchor="AD">
        <name>External Authorization Data (EAD)</name>
        <t>In order to reduce round trips and the number of messages, messages or to simplify processing, external security applications may be integrated into EDHOC by transporting authorization related authorization-related data in the messages.</t>
        <t>EDHOC allows processing of external authorization data (EAD) to be defined in a separate specification, specification and sent in dedicated fields of the four EDHOC messages (EAD_1, messages: EAD_1, EAD_2, EAD_3, EAD_4). and EAD_4. EAD is opaque data to EDHOC.</t>
        <t>Each EAD field, EAD_x EAD_x, for x = 1, 2, 3 3, or 4, is a CBOR sequence (see <xref target="CBOR"/>) consisting of one or more EAD items. An EAD item ead is a CBOR sequence of an ead_label and an optional ead_value, ead_value; see <xref target="fig-ead-item"/> and  <xref target="CDDL"/> for the CDDL definitions.</t>
        <figure anchor="fig-ead-item">
          <name>EAD item.</name> Item</name>
          <sourcecode type="CDDL"><![CDATA[
ead = (
  ead_label : int,
  ? ead_value : bstr,
)
]]></sourcecode>
        </figure>
        <t>A security application may register one or more EAD labels, see labels (see <xref target="iana-ead"/>, target="iana-ead"/>) and specify the associated processing and security considerations. The IANA registry contains the absolute value of the ead_label, |ead_label|; the same ead_value applies independently of the sign of the ead_label.</t>
        <t>An EAD item can be either critical or non-critical, determined by the sign of the ead_label in the EAD item transported in the EAD field. A negative value indicates that the EAD item is critical critical, and a non-negative nonnegative value indicates that the EAD item is non-critical.</t>
        <t>If an endpoint receives a critical EAD item it does not recognize, recognize or a critical EAD item that contains information that it cannot process, then the endpoint MUST <bcp14>MUST</bcp14> send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC session MUST <bcp14>MUST</bcp14> be aborted. The EAD item specification defines the error processing. A non-critical EAD item can be ignored.</t>
        <t>The security application registering a new EAD item needs to describe under what conditions the EAD item is critical or non-critical, and thus whether the ead_label is used with a negative or positive sign. ead_label = 0 is used for padding, padding; see <xref target="padding"/>.</t>
        <t>The security application may define multiple uses of certain EAD items, e.g., the same EAD item may be used in different EDHOC messages. Multiple occurrences of an EAD item in one EAD field may also be specified, but the criticality of the repeated EAD item is expected to be the same.</t>
        <t>The EAD fields of EDHOC MUST <bcp14>MUST</bcp14> only be used with registered EAD items, items; see <xref target="iana-ead"/>. Examples of the use of EAD are provided in <xref target="ead-appendix"/>.</t>
        <section anchor="padding">
          <name>Padding</name>
          <t>EDHOC message_1 and the plaintext of message_2, message_3 message_3, and message_4 can be padded with the use of the corresponding EAD_x field, for x = 1, 2, 3, or 4. Padding in EAD_1 mitigates amplification attacks (see <xref target="dos"/>), and padding in EAD_2, EAD_3, and EAD_4 hides the true length of the plaintext (see <xref target="internet-threat"/>). Padding MUST <bcp14>MUST</bcp14> be ignored and discarded by the receiving application.</t>
          <t>Padding is obtained by using an EAD item with ead_label = 0 and a (pseudo-)randomly (pseudo)randomly generated byte string of appropriate length as ead_value, noting that the ead_label and the CBOR encoding of ead_value also add bytes. Examples:</t> For example:</t>
          <ul spacing="normal">
            <li>
              <t>One byte
              <t>One-byte padding (optional ead_value omitted):
              </t>
              <ul spacing="normal">
                <li>EAD_x
                <t>EAD_x = 0x00</li>
              </ul> 0x00</t>
            </li>
            <li>
              <t>Two bytes
              <t>Two-byte padding, using the empty byte string (0x40) as ead_value:
              </t>
              <ul spacing="normal">
                <li>EAD_x
                <t>EAD_x = 0x0040</li>
              </ul> 0x0040</t>
            </li>
            <li>
              <t>Three bytes
              <t>Three-byte padding, constructed from the pseudorandomly generated ead_value 0xe9 encoded as byte string:
              </t>
              <ul spacing="normal">
                <li>EAD_x
                <t>EAD_x = 0x0041e9</li>
              </ul> 0x0041e9</t>
            </li>
          </ul>
          <t>Multiple occurrences of EAD items with ead_label = 0 are allowed. Certain padding lengths require the use of at least two such EAD items.</t>
          <t>Note that padding is non-critical because the intended behaviour behavior when receiving is to ignore it.</t>
        </section>
      </section>
      <section anchor="applicability">
        <name>Application Profile</name>
        <t>EDHOC requires certain parameters to be agreed upon between the Initiator and Responder. Some parameters can be negotiated through the protocol execution (specifically, cipher suite, suite; see <xref target="cs"/>) target="cs"/>), but other parameters are only communicated and may not be negotiated (e.g., which authentication method is used, used; see <xref target="method"/>). Yet Yet, other parameters need to be known out-of-band to ensure successful completion, e.g., whether message_4 is used or not. The application decides which endpoint is the Initiator and which is the Responder.</t>
        <t>The purpose of an application profile is to describe the intended use of EDHOC to allow for the relevant processing and verifications to be made, including things like:</t> like the following:</t>
        <ol spacing="normal" type="1"><li>
            <t>How the endpoint detects that an EDHOC message is received. This includes how EDHOC messages are transported, for example example, in the payload of a CoAP message with a certain Uri-Path or Content-Format; see <xref target="coap"/>.
            </t>
            <ul spacing="normal">
              <li>The
              <t>The method of transporting EDHOC messages may also describe data carried along with the messages that are needed for the transport to satisfy the requirements of <xref target="transport"/>, e.g., connection identifiers used with certain messages, messages; see <xref target="coap"/>.</li>
            </ul> target="coap"/>.</t>
          </li>
          <li>Authentication method (METHOD; see <xref target="method"/>).</li>
          <li>Profile for authentication credentials (CRED_I, (CRED_I and CRED_R; see <xref target="auth-cred"/>), e.g., profile for certificate or CCS, including supported authentication key algorithms (subject public key algorithm in X.509 or C509 certificate).</li>
          <li>Type used to identify credentials (ID_CRED_I, (ID_CRED_I and ID_CRED_R; see <xref target="id_cred"/>).</li>
          <li>Use and type of external authorization data (EAD_1, EAD_2, EAD_3, and EAD_4; see <xref target="AD"/>).</li>
          <li>Identifier used as the identity of the endpoint; see <xref target="identities"/>.</li>
          <li>If message_4 shall be sent/expected, and if not, how to ensure a protected application message is sent from the Responder to the Initiator; see <xref target="m4"/>.</li>
        </ol>
        <t>The application profile may also contain information about supported cipher suites. The procedure for selecting and verifying a cipher suite is still performed as described in Sections <xref target="asym-msg1-form"/> target="asym-msg1-form" format="counter"/> and <xref target="wrong-selected"/>, target="wrong-selected" format="counter"/>, but it may become simplified by this knowledge. EDHOC messages can be processed without the application profile, i.e., the EDHOC messages includes include information about the type and length of all fields.</t>
        <t>An example of an application profile is shown in <xref target="appl-temp"/>.</t>
        <t>For some parameters, like METHOD, the type of the ID_CRED field field, or EAD, the receiver of an EDHOC message is able to verify compliance with the application profile, and profile and, if it needs to fail because of the lack of compliance, to infer the reason why the EDHOC session failed.</t>
        <t>For other encodings, like the profiling of CRED_x in the case that it is not transported, it may not be possible to verify that the lack of compliance with the application profile was the reason for failure: Integrity failure, i.e., integrity verification in message_2 or message_3 may fail not only because of a wrong credential. For example, in case the Initiator uses a public key certificate by reference (i.e., not transported within the protocol) protocol), then both endpoints need to use an identical data structure as CRED_I or else the integrity verification will fail.</t>
        <t>Note that it is not necessary for the endpoints to specify a single transport for the EDHOC messages. For example, a mix of CoAP and HTTP may be used along the path, and this may still allow correlation between messages.</t>
        <t>The application profile may be dependent on the identity of the other endpoint, endpoint or other information carried in an EDHOC message, but it then applies only to the later phases of the protocol when such information is known. (The Initiator does not know the identity of the Responder before having verified message_2, and the Responder does not know the identity of the Initiator before having verified message_3.)</t>
        <t>Other conditions may be part of the application profile, such as what is the target application or use (if there is more than one application/use) to the extent that EDHOC can distinguish between them. In case multiple application profiles are used, the receiver needs to be able to determine which is applicable for a given EDHOC session, for example example, based on the URI to which the EDHOC message is sent, or external authorization data type.</t>
      </section>
    </section>
    <section anchor="key-der">
      <name>Key Derivation</name>
      <section anchor="keys-for-edhoc-message-processing">
        <name>Keys for EDHOC Message Processing</name>
        <t>EDHOC uses Extract-and-Expand <xref target="RFC5869"/> with the EDHOC hash algorithm in the selected cipher suite to derive keys used in message processing. This section defines EDHOC_Extract (<xref target="extract"/>) and EDHOC_Expand (<xref target="expand"/>), target="expand"/>) and how to use them to derive PRK_out (<xref target="prkout"/>) target="prkout"/>), which is the shared secret session key resulting from a completed EDHOC session.</t>
        <t>EDHOC_Extract is used to derive fixed-length uniformly pseudorandom keys (PRK) (PRKs) from ECDH shared secrets. EDHOC_Expand is used to define EDHOC_KDF for generating MACs and for deriving output keying material (OKM) from PRKs.</t>
        <t>In EDHOC EDHOC, a specific message is protected with a certain pseudorandom key, PRK, but how the key is derived depends on the authentication method (<xref target="method"/>) target="method"/>), as detailed in <xref target="asym"/>.</t>
        <!-- A diagram of the EDHOC key schedule can be found in Figure 2 of {{Vucinic22}}. TBD: Rewrite the diagram -->
<section anchor="extract">
          <name>EDHOC_Extract</name>
          <t>The pseudorandom keys (PRKs) used for EDHOC message processing are derived using EDHOC_Extract:</t>
          <artwork><![CDATA[
   PRK = EDHOC_Extract( salt, IKM )
]]></artwork>
          <t>where the input keying material (IKM) and salt are defined for each PRK below.</t>
          <t>The definition of EDHOC_Extract depends on the EDHOC hash algorithm of the selected cipher suite:</t>
          <ul spacing="normal">
            <li>if
            <li>If the EDHOC hash algorithm is SHA-2, then EDHOC_Extract( salt, IKM ) = HKDF-Extract( salt, IKM ) <xref target="RFC5869"/></li>
            <li>if target="RFC5869"/>.</li>
            <li>If the EDHOC hash algorithm is SHAKE128, then EDHOC_Extract( salt, IKM ) = KMAC128( salt, IKM, 256, "" )</li>
            <li>if ).</li>
            <li>If the EDHOC hash algorithm is SHAKE256, then EDHOC_Extract( salt, IKM ) = KMAC256( salt, IKM, 512, "" )</li> ).</li>
          </ul>
          <t>where the Keccak message authentication code Message Authentication Code (KMAC) is specified in <xref target="SP800-185"/>.</t>
          <t>The rest of the section defines the pseudorandom keys PRK_2e, PRK_3e2m PRK_3e2m, and PRK_4e3m; their use is shown in <xref target="fig-edhoc-kdf"/>. The index of a PRK indicates its use or in what message protection operation it is involved.  For example, PRK_3e2m is involved in the encryption of message 3 and in calculating the MAC of message 2.</t>
          <section anchor="prk2e">
            <name>PRK_2e</name>
            <t>The pseudorandom key PRK_2e is derived with the following input:</t>
            <ul spacing="normal">
              <li>The salt SHALL <bcp14>SHALL</bcp14> be TH_2.</li>
              <li>The IKM SHALL <bcp14>SHALL</bcp14> be the ephemeral-ephemeral ECDH shared secret G_XY (calculated from G_X and Y or G_Y and X) as defined in <xref section="6.3.1" sectionFormat="of" target="RFC9053"/>. The use of G_XY gives forward secrecy, secrecy in the sense that compromise of the private authentication keys does not compromise past session keys.</li>
            </ul>
            <t>Example: Assuming the use of curve25519, the ECDH shared secret G_XY is the output of the X25519 function <xref target="RFC7748"/>:</t>
            <artwork><![CDATA[
   G_XY = X25519( Y, G_X ) = X25519( X, G_Y )
]]></artwork>
            <t>Example: Assuming the use of SHA-256 SHA-256, the extract phase of HKDF the Key Derivation Function (HKDF) produces PRK_2e as follows:</t>
            <artwork><![CDATA[
   PRK_2e = HMAC-SHA-256( TH_2, G_XY )
]]></artwork>
          </section>
          <section anchor="prk3e2m">
            <name>PRK_3e2m</name>
            <t>The pseudorandom key PRK_3e2m is derived as follows:</t>
            <t>If the Responder authenticates with a static Diffie-Hellman key, then PRK_3e2m = EDHOC_Extract( SALT_3e2m, G_RX ), where</t>
            <ul spacing="normal">
              <li>SALT_3e2m is derived from PRK_2e, see PRK_2e (see <xref target="expand"/>, target="expand"/>) and</li>
              <li>G_RX is the ECDH shared secret calculated from G_R and X, or G_X and R (the Responder's private authentication key, key; see <xref target="auth-keys"/>),</li>
            </ul>
            <t>else PRK_3e2m = PRK_2e.</t>
          </section>
          <section anchor="prk4e3m">
            <name>PRK_4e3m</name>
            <t>The pseudorandom key PRK_4e3m is derived as follows:</t>
            <t>If the Initiator authenticates with a static Diffie-Hellman key, then PRK_4e3m = EDHOC_Extract( SALT_4e3m, G_IY ), where</t>
            <ul spacing="normal">
              <li>SALT_4e3m is derived from PRK_3e2m, see PRK_3e2m (see <xref target="expand"/>, target="expand"/>) and</li>
              <li>G_IY is the ECDH shared secret calculated from G_I and Y, or G_Y and I (the Initiator's private authentication key, key; see <xref target="auth-keys"/>),</li>
            </ul>
            <t>else PRK_4e3m = PRK_3e2m.</t>
          </section>
        </section>
        <section anchor="expand">
          <name>EDHOC_Expand and EDHOC_KDF</name>
          <t>The output keying material (OKM) - -- including keys, IVs, initialization vectors (IVs), and salts - -- are derived from the PRKs using the EDHOC_KDF, which is defined through EDHOC_Expand:</t>
          <artwork><![CDATA[
   OKM = EDHOC_KDF( PRK, info_label, context, length )
       = EDHOC_Expand( PRK, info, length )
]]></artwork>
          <t>where info is encoded as the CBOR sequence</t> sequence:</t>
          <sourcecode type="CDDL"><![CDATA[ type="cbor"><![CDATA[
info = (
  info_label : int,
  context : bstr,
  length : uint,
)
]]></sourcecode>
          <t>where</t>
          <t>where:</t>
          <ul spacing="normal">
            <li>info_label is an int</li> int,</li>
            <li>context is a bstr</li> bstr, and</li>
            <li>length is the length of OKM in bytes</li> bytes.</li>
          </ul>
          <t>When EDHOC_KDF is used to derive OKM for EDHOC message processing, then the context includes one of the transcript hashes hashes, TH_2, TH_3, or TH_4 TH_4, defined in Sections <xref target="asym-msg2-proc" format="counter"/> and <xref target="asym-msg3-proc" format="counter"/>.</t>
          <t>The definition of EDHOC_Expand depends on the EDHOC hash algorithm of the selected cipher suite:</t>
          <ul spacing="normal">
            <li>if
            <li>If the EDHOC hash algorithm is SHA-2, then EDHOC_Expand( PRK, info, length ) = HKDF-Expand( PRK, info, length ) <xref target="RFC5869"/></li>
            <li>if target="RFC5869"/>.</li>
            <li>If the EDHOC hash algorithm is SHAKE128, then EDHOC_Expand( PRK, info, length ) = KMAC128( PRK, info, L, "" )</li>
            <li>if ).</li>
            <li>If the EDHOC hash algorithm is SHAKE256, then EDHOC_Expand( PRK, info, length ) = KMAC256( PRK, info, L, "" )</li> ).</li>
          </ul>
          <t>where L = 8 <contact fullname="⋅"/>  length, the output length in bits.</t>
          <t><xref target="fig-edhoc-kdf"/> lists derivations made with EDHOC_KDF, where</t> where:</t>
          <ul spacing="normal">
            <li>hash_length - is the length of output size of the EDHOC hash algorithm of the selected cipher suite</li> suite,</li>
            <li>key_length - is the length of the encryption key of the EDHOC AEAD algorithm of the selected cipher suite</li> suite, and</li>
            <li>iv_length - is the length of the initialization vector of the EDHOC AEAD algorithm of the selected cipher suite</li>
          </ul>
          <t>Further details of the key derivation and how the output keying material is used are specified in <xref target="asym"/>.</t>
          <figure anchor="fig-edhoc-kdf">
            <name>Key derivations using EDHOC_KDF. h'' is CBOR diagnostic notation for the empty byte string, 0x40.</name> Derivations Using EDHOC_KDF</name>
            <artwork align="center"><![CDATA[
KEYSTREAM_2   = EDHOC_KDF( PRK_2e,   0, TH_2,      plaintext_length )
SALT_3e2m     = EDHOC_KDF( PRK_2e,   1, TH_2,      hash_length )
MAC_2         = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 )
K_3           = EDHOC_KDF( PRK_3e2m, 3, TH_3,      key_length )
IV_3          = EDHOC_KDF( PRK_3e2m, 4, TH_3,      iv_length )
SALT_4e3m     = EDHOC_KDF( PRK_3e2m, 5, TH_3,      hash_length )
MAC_3         = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 )
PRK_out       = EDHOC_KDF( PRK_4e3m, 7, TH_4,      hash_length )
K_4           = EDHOC_KDF( PRK_4e3m, 8, TH_4,      key_length )
IV_4          = EDHOC_KDF( PRK_4e3m, 9, TH_4,      iv_length )
PRK_exporter  = EDHOC_KDF( PRK_out, 10, h'',       hash_length )
]]></artwork>
          </figure>
<t>h'' is CBOR diagnostic notation for the empty byte string, 0x40.</t>
        </section>
        <section anchor="prkout">
          <name>PRK_out</name>
          <t>The pseudorandom key PRK_out, derived as shown in <xref target="fig-edhoc-kdf"/>, is the output session key of a completed EDHOC session.</t>
          <t>Keys for applications are derived using EDHOC_Exporter (see <xref target="exporter"/>) from PRK_exporter, which in turn is derived from PRK_out as shown in <xref target="fig-edhoc-kdf"/>. For the purpose of generating application keys, it is sufficient to store PRK_out or PRK_exporter. (Note that the word "store" used here does not imply that the application has access to the plaintext PRK_out since that may be reserved for code within a Trusted Execution Environment, Environment (TEE); see <xref target="impl-cons"/>).</t> target="impl-cons"/>.)</t>
        </section>
      </section>
      <section anchor="keys-for-edhoc-applications">
        <name>Keys for EDHOC Applications</name>
        <t>This section defines EDHOC_Exporter in terms of EDHOC_KDF and PRK_exporter. A key update function is defined in <xref target="keyupdate"/>.</t>
        <section anchor="exporter">
          <name>EDHOC_Exporter</name>
          <t>Keying material for the application can be derived using the EDHOC_Exporter interface defined as:</t>
          <artwork><![CDATA[
   EDHOC_Exporter(exporter_label, context, length)
     = EDHOC_KDF(PRK_exporter, exporter_label, context, length)
]]></artwork>
          <t>where</t>
          <t>where:</t>
          <ul spacing="normal">
            <li>exporter_label is a registered uint from the EDHOC_Exporter Label "EDHOC Exporter Labels" registry (<xref target="exporter-label"/>)</li> target="exporter-label"/>),</li>
            <li>context is a bstr defined by the application</li> application, and</li>
            <li>length is a uint defined by the application</li> application.</li>
          </ul>
          <t>The (exporter_label, context) pair used in EDHOC_Exporter must be unique, i.e., an (exporter_label, context) MUST NOT <bcp14>MUST NOT</bcp14> be used for two different purposes. However, an application can re-derive the same key several times as long as it is done securely. For example, in most encryption algorithms algorithms, the same key can be reused with different nonces. The context can can, for example example, be the empty CBOR byte string.</t>
          <t>Examples of use of the EDHOC_Exporter are given in <xref target="transfer"/>.</t>
        </section>
      </section>
    </section>
    <section anchor="asym">
      <name>Message Formatting and Processing</name>
      <t>This section specifies formatting of the messages and processing steps. Error messages are specified in <xref target="error"/>. Annotated traces of EDHOC sessions are provided in <xref target="I-D.ietf-lake-traces"/>.</t> target="RFC9529"/>.</t>
      <t>An EDHOC message is encoded as a sequence of CBOR data items (CBOR Sequence, Sequence <xref target="RFC8742"/>).
Additional optimizations are made to reduce message overhead.</t>
      <t>While EDHOC uses the COSE_Key, COSE_Sign1, and COSE_Encrypt0 structures, only a subset of the parameters is included in the EDHOC messages, messages; see <xref target="COSE"/>. In order to recreate the COSE object, the recipient endpoint may need to add parameters to the COSE headers not included in the EDHOC message, for example example, the parameter 'alg' to COSE_Sign1 or COSE_Encrypt0.</t>
      <section anchor="proc-outline">
        <name>EDHOC Message Processing Outline</name>
        <t>For each new/ongoing EDHOC session, the endpoints are assumed to keep an associated protocol state containing identifiers, keying material, etc. used for subsequent processing of protocol related protocol-related data. The protocol state is assumed to be associated with an application profile (<xref target="applicability"/>) which that provides the context for how messages are transported, identified, and processed.</t>
        <t>EDHOC messages SHALL <bcp14>SHALL</bcp14> be processed according to the current protocol state. The following steps are expected to be performed at reception of an EDHOC message:</t>
        <ol spacing="normal" type="1"><li>Detect that an EDHOC message has been received, for example example, by means of a port number, URI, or media type (<xref target="applicability"/>).</li>
          <li>Retrieve the protocol state according to the message correlation, correlation; see <xref target="ci-edhoc"/>. If there is no protocol state, in the case of message_1, a new protocol state is created. The Responder endpoint needs to make use of available denial-of-service mitigation (<xref target="dos"/>).</li>
          <li>If the message received is an error message, then process it according to <xref target="error"/>, else process it as the expected next message according to the protocol state.</li>
        </ol>
        <t>The message processing steps SHALL <bcp14>SHALL</bcp14> be processed in order, unless otherwise stated. If the processing fails for some reason then, typically, reason, then typically an error message is sent, the EDHOC session is aborted, and the protocol state is erased. When the composition and sending of one message is completed and before the next message is received, error messages SHALL NOT <bcp14>SHALL NOT</bcp14> be sent.</t>
        <t>After having successfully processed the last message (message_3 or message_4 depending on application profile) profile), the EDHOC session is completed, completed; after which which, no error messages are sent and EDHOC session output MAY <bcp14>MAY</bcp14> be maintained even if error messages are received. Further details are provided in the following subsections and in <xref target="error"/>.</t>
        <t>Different instances of the same message MUST NOT <bcp14>MUST NOT</bcp14> be processed in one EDHOC session.  Note that processing will fail if the same message appears a second time for EDHOC processing in the same EDHOC session because the state of the protocol has moved on and now expects something else. Message deduplication MUST <bcp14>MUST</bcp14> be done by the transport protocol (see <xref target="transport"/>) or, if not supported by the transport, as described in <xref target="duplication"/>.</t>
      </section>
      <section anchor="m1">
        <name>EDHOC Message 1</name>
        <section anchor="asym-msg1-form">
          <name>Formatting of Message 1</name>
          <t>message_1 SHALL <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target="CBOR"/>) target="CBOR"/>), as defined below</t> below.</t>
          <sourcecode type="CDDL"><![CDATA[ type="cbor"><![CDATA[
message_1 = (
  METHOD : int,
  SUITES_I : suites,
  G_X : bstr,
  C_I : bstr / -24..23,
  ? EAD_1,
)

suites = [ 2* int ] / int
EAD_1 = 1* ead
]]></sourcecode>
          <t>where:</t>
          <ul spacing="normal">
            <li>METHOD - is an authentication method, method; see <xref target="method"/>.</li> target="method"/>,</li>
            <li>SUITES_I - is an array of cipher suites which that the Initiator supports constructed as specified in <xref target="init-proc-msg1"/>.</li> target="init-proc-msg1"/>,</li>
            <li>G_X - is the ephemeral public key of the Initiator</li> Initiator, and</li>
            <li>C_I - variable length is the variable-length connection identifier. Note identifier (note that connection identifiers are byte strings but certain values are represented as integers in the message, message; see <xref target="bstr-repr"/>.</li> target="bstr-repr"/>), and</li>
            <li>EAD_1 - is the external authorization data, data; see <xref target="AD"/>.</li>
          </ul>
        </section>
        <section anchor="init-proc-msg1">
          <name>Initiator Composition of Message 1</name>
          <t>The processing steps are detailed below and in <xref target="wrong-selected"/>.</t>
          <t>The Initiator SHALL <bcp14>SHALL</bcp14> compose message_1 as follows:</t>
          <ul spacing="normal">
            <li>
              <t>Construct SUITES_I as an array of cipher suites supported by I in order of preference by I with the first cipher suite in the array being the most preferred by I, I and the last being the one selected by I for this EDHOC session. If the cipher suite most preferred by I is selected selected, then SUITES_I contains only that cipher suite and is encoded as an int. All cipher suites, if any, preferred by I over the selected one MUST <bcp14>MUST</bcp14> be included. (See also <xref target="wrong-selected"/>.)
              </t>
              <ul spacing="normal">
                <li>The selected suite is based on what the Initiator can assume to be supported by the Responder; if the Initiator previously received from the Responder has an error message with error code 2 containing SUITES_R (see <xref target="wrong-selected"/>) indicating cipher suites supported by the Responder, then the Initiator SHOULD <bcp14>SHOULD</bcp14> select its most preferred supported cipher suite among those (bearing in mind that error messages may be forged).</li>
                <li>The Initiator MUST NOT <bcp14>MUST NOT</bcp14> change its order of preference for cipher suites, suites and MUST NOT <bcp14>MUST NOT</bcp14> omit a cipher suite preferred to the selected one because of previous error messages received from the Responder.</li>
              </ul>
            </li>
            <li>Generate an ephemeral ECDH key pair using the curve in the selected cipher suite and format it as a COSE_Key. Let G_X be the 'x' parameter of the COSE_Key.</li>
            <li>Choose a connection identifier C_I and store it during the EDHOC session.</li>
            <li>Encode message_1 as a sequence of CBOR encoded CBOR-encoded data items as specified in <xref target="asym-msg1-form"/></li>
          </ul>
        </section>
        <section anchor="resp-proc-msg1">
          <name>Responder Processing of Message 1</name>
          <t>The Responder SHALL <bcp14>SHALL</bcp14> process message_1 in the following order:</t>
          <ul
          <ol spacing="normal">
            <li>Decode message_1 (see <xref target="CBOR"/>).</li>
            <li>Process message_1, in particular message_1. In particular, verify that the selected cipher suite is supported and that no prior cipher suite as ordered in SUITES_I is supported.</li>
            <li>If all processing completed successfully, and if EAD_1 is present, then make it available to the application for EAD processing.</li>
          </ul>
          </ol>
          <t>If any processing step fails, then the Responder MUST <bcp14>MUST</bcp14> send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC session MUST <bcp14>MUST</bcp14> be aborted.</t>
        </section>
      </section>
      <section anchor="m2">
        <name>EDHOC Message 2</name>
        <section anchor="asym-msg2-form">
          <name>Formatting of Message 2</name>
          <t>message_2 SHALL <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target="CBOR"/>) target="CBOR"/>), as defined below</t> below.</t>
          <sourcecode type="CDDL"><![CDATA[ type="cbor"><![CDATA[
message_2 = (
  G_Y_CIPHERTEXT_2 : bstr,
)
]]></sourcecode>
          <t>where:</t>
          <ul spacing="normal">
            <li>G_Y_CIPHERTEXT_2 - is the concatenation of G_Y (i.e., the ephemeral public key of the Responder) and CIPHERTEXT_2.</li>
          </ul>
        </section>
        <section anchor="asym-msg2-proc">
          <name>Responder Composition of Message 2</name>
          <t>The Responder SHALL <bcp14>SHALL</bcp14> compose message_2 as follows:</t>
          <ul spacing="normal">
            <li>Generate an ephemeral ECDH key pair using the curve in the selected cipher suite and format it as a COSE_Key. Let G_Y be the 'x' parameter of the COSE_Key.</li>
            <li>Choose a connection identifier C_R and store it for the length of the EDHOC session.</li>
            <li>Compute the transcript hash TH_2 = H( G_Y, H(message_1) ) ), where H() is the EDHOC hash algorithm of the selected cipher suite. The input to the hash function is a CBOR Sequence. Note that H(message_1) can be computed and cached already in the processing of message_1.</li>
            <li>
              <t>Compute MAC_2 as in <xref target="expand"/> with context_2 = &lt;&lt; C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt; (see <xref target="CBOR"/> for notation) notation).
              </t>
              <ul spacing="normal">
                <li>If the Responder authenticates with a static Diffie-Hellman key (method equals 1 or 3), then mac_length_2 is the EDHOC MAC length of the selected cipher suite. If the Responder authenticates with a signature key (method equals 0 or 2), then mac_length_2 is equal to hash_length.</li>
		<li>C_R is a variable-length connection identifier.  Note that connection identifiers are byte strings but certain values are represented as integers in the message; see <xref target="bstr-repr"/>.</li>
                <li>ID_CRED_R - is the identifier to facilitate the retrieval of CRED_R, CRED_R; see <xref target="id_cred"/></li> target="id_cred"/>.</li>
                <li>CRED_R - is the CBOR item containing the authentication credential of the Responder, Responder; see <xref target="auth-cred"/></li> target="auth-cred"/>.</li>
                <li>EAD_2 - is the external authorization data, data; see <xref target="AD"/></li> target="AD"/>.</li>
              </ul>
            </li>
            <li>
              <t>If the Responder authenticates with a static Diffie-Hellman key (method equals 1 or 3), then Signature_or_MAC_2 is MAC_2. If the Responder authenticates with a signature key (method equals 0 or 2), then Signature_or_MAC_2 is the 'signature' field of a COSE_Sign1 object, computed as specified in Section 4.4 of <xref target="RFC9053"/> target="RFC9052" section="4.4" sectionFormat="of"/> and using the signature algorithm of the selected cipher suite, the private authentication key of the Responder, and the following parameters as input (see <xref target="COSE"/> for an overview of COSE and <xref target="CBOR"/> for notation):  </t>
              <ul spacing="normal">
                <li>protected =  &lt;&lt; ID_CRED_R &gt;&gt;</li>
                <li>external_aad = &lt;&lt; TH_2, CRED_R, ? EAD_2 &gt;&gt;</li>
                <li>payload = MAC_2</li>
              </ul>
            </li>
            <li>
              <t>CIPHERTEXT_2 is calculated with a binary additive stream cipher, using a keystream generated with EDHOC_Expand, EDHOC_Expand and the following plaintext:  </t>
              <ul spacing="normal">
                <li>
                  <t>PLAINTEXT_2 = ( C_R, ID_CRED_R / bstr / -24..23, Signature_or_MAC_2, ? EAD_2 )      </t>
                  <ul spacing="normal">
                    <li>If ID_CRED_R contains a single 'kid' parameter, i.e., ID_CRED_R = { 4 : kid_R }, then the compact encoding is applied, applied; see <xref target="compact-kid"/>.</li>
                    <li>C_R - variable length is the variable-length connection identifier. Note that connection identifiers are byte strings strings, but certain values are represented as integers in the message, message; see <xref target="bstr-repr"/>.</li>
                  </ul>
                </li>
                <li>Compute KEYSTREAM_2 as in <xref target="expand"/>, where plaintext_length is the length of PLAINTEXT_2. For the case of plaintext_length exceeding the EDHOC_KDF output size, see <xref target="large-plaintext_2"/>.</li>
                <li>CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2</li>
              </ul>
            </li>
            <li>Encode message_2 as a sequence of CBOR encoded CBOR-encoded data items as specified in <xref target="asym-msg2-form"/>.</li>
          </ul>
        </section>
        <section anchor="initiator-processing-of-message-2">
          <name>Initiator Processing of Message 2</name>
          <t>The Initiator SHALL <bcp14>SHALL</bcp14> process message_2 in the following order:</t>
          <ul
          <ol spacing="normal">
            <li>Decode message_2 (see <xref target="CBOR"/>).</li>
            <li>Retrieve the protocol state using available message correlation (e.g., the CoAP Token, the 5-tuple, or the prepended C_I, C_I; see <xref target="ci-edhoc"/>).</li>
            <li>Decrypt CIPHERTEXT_2, CIPHERTEXT_2; see <xref target="asym-msg2-proc"/>.</li>
            <li>If all processing is completed successfully, then make ID_CRED_R and (if present) EAD_2 available to the application for authentication- authentication and EAD processing. When and how to perform authentication is up to the application.</li>
            <li>Obtain the authentication credential (CRED_R) and the authentication key of R from the application (or by other means).</li>
            <li>Verify Signature_or_MAC_2 using the algorithm in the selected cipher suite. The verification process depends on the method, method; see <xref target="asym-msg2-proc"/>. Make the result of the verification available to the application.</li>
          </ul>
          </ol>
          <t>If any processing step fails, then the Initiator MUST <bcp14>MUST</bcp14> send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC session MUST <bcp14>MUST</bcp14> be aborted.</t>
        </section>
      </section>
      <section anchor="m3">
        <name>EDHOC Message 3</name>
        <section anchor="asym-msg3-form">
          <name>Formatting of Message 3</name>
          <t>message_3 SHALL <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target="CBOR"/>) target="CBOR"/>), as defined below</t> below.</t>
          <sourcecode type="CDDL"><![CDATA[ type="cbor"><![CDATA[
message_3 = (
  CIPHERTEXT_3 : bstr,
)
]]></sourcecode>
        </section>
        <section anchor="asym-msg3-proc">
          <name>Initiator Composition of Message 3</name>
          <t>The Initiator SHALL <bcp14>SHALL</bcp14> compose message_3 as follows:</t>
          <ul spacing="normal">
            <li>Compute the transcript hash TH_3 = H(TH_2, PLAINTEXT_2, CRED_R) CRED_R), where H() is the EDHOC hash algorithm of the selected cipher suite. The input to the hash function is a CBOR Sequence. Note that TH_3 can be computed and cached already in the processing of message_2.</li>
            <li>
              <t>Compute MAC_3 as in <xref target="expand"/>, with context_3 = &lt;&lt; ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt;
              </t>
              <ul spacing="normal">
                <li>If the Initiator authenticates with a static Diffie-Hellman key (method equals 2 or 3), then mac_length_3 is the EDHOC MAC length of the selected cipher suite.  If the Initiator authenticates with a signature key (method equals 0 or 1), then mac_length_3 is equal to hash_length.</li>
                <li>ID_CRED_I - is the identifier to facilitate the retrieval of CRED_I, CRED_I; see <xref target="id_cred"/></li> target="id_cred"/>.</li>
                <li>CRED_I - is the CBOR item containing the authentication credential of the Initiator, Initiator; see <xref target="auth-cred"/></li> target="auth-cred"/>.</li>
                <li>EAD_3 - is the external authorization data, data; see <xref target="AD"/></li> target="AD"/>.</li>
              </ul>
            </li>
            <li>
              <t>If the Initiator authenticates with a static Diffie-Hellman key (method equals 2 or 3), then Signature_or_MAC_3 is MAC_3. If the Initiator authenticates with a signature key (method equals 0 or 1), then Signature_or_MAC_3 is the 'signature' field of a COSE_Sign1 object, computed as specified in Section 4.4 of <xref target="RFC9052"/> target="RFC9052" section="4.4" sectionFormat="of"/> and using the signature algorithm of the selected cipher suite, the private authentication key of the Initiator, and the following parameters as input (see <xref target="COSE"/>):  </t>
              <ul spacing="normal">
                <li>protected =  &lt;&lt; ID_CRED_I &gt;&gt;</li>
                <li>external_aad = &lt;&lt; TH_3, CRED_I, ? EAD_3 &gt;&gt;</li>
                <li>payload = MAC_3</li>
              </ul>
            </li>
            <li>
              <t>Compute a COSE_Encrypt0 object as defined in Sections 5.2 <xref target="RFC9052" section="5.2" sectionFormat="bare"/> and 5.3 <xref target="RFC9052" section="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm of the selected cipher suite, using the encryption key K_3, the initialization vector IV_3 (if used by the AEAD algorithm), the plaintext PLAINTEXT_3, and the following parameters as input (see <xref target="COSE"/>):  </t>
              <ul spacing="normal">
                <li>protected = h''</li>
                <li>external_aad = TH_3</li>
                <li>K_3 and IV_3 are defined in <xref target="expand"/></li>
                <li>
                  <t>PLAINTEXT_3 = ( ID_CRED_I / bstr / -24..23, Signature_or_MAC_3, ? EAD_3 )      </t>
                  <ul spacing="normal">
                    <li>If ID_CRED_I contains a single 'kid' parameter, i.e., ID_CRED_I = { 4 : kid_I }, then the compact encoding is applied, applied; see <xref target="compact-kid"/>.</li>
                  </ul>
                </li>
              </ul>
              <t>
CIPHERTEXT_3 is the 'ciphertext' of COSE_Encrypt0.</t>
            </li>
            <li>Compute the transcript hash TH_4 = H(TH_3, PLAINTEXT_3, CRED_I) CRED_I), where H() is the EDHOC hash algorithm of the selected cipher suite. The input to the hash function is a CBOR Sequence.</li>
            <li>Calculate PRK_out as defined in <xref target="fig-edhoc-kdf"/>. The Initiator can now derive application keys using the EDHOC_Exporter interface, interface; see <xref target="exporter"/>.</li>
            <li>Encode message_3 as a CBOR data item as specified in <xref target="asym-msg3-form"/>.</li>
            <li>Make the connection identifiers (C_I, (C_I and C_R) and the application algorithms in the selected cipher suite available to the application.</li>
          </ul>
          <t>After creating message_3, the Initiator can compute PRK_out, see PRK_out (see <xref target="prkout"/>, target="prkout"/>) and derive application keys using the EDHOC_Exporter interface, see interface (see <xref target="exporter"/>. target="exporter"/>). The Initiator SHOULD NOT <bcp14>SHOULD NOT</bcp14> persistently store PRK_out or application keys until the Initiator has verified message_4 or a message protected with a derived application key, such as an OSCORE message, from the Responder and the application has authenticated the Responder. This is similar to waiting for an acknowledgment (ACK) in a transport protocol. The Initiator SHOULD NOT <bcp14>SHOULD NOT</bcp14> send protected application data until the application has authenticated the Responder.</t>
        </section>
        <section anchor="responder-processing-of-message-3">
          <name>Responder Processing of Message 3</name>
          <t>The Responder SHALL <bcp14>SHALL</bcp14> process message_3 in the following order:</t>
          <ul
          <ol spacing="normal">
            <li>Decode message_3 (see <xref target="CBOR"/>).</li>
            <li>Retrieve the protocol state using available message correlation (e.g., the CoAP Token, the 5-tuple, or the prepended C_R, C_R; see <xref target="ci-edhoc"/>).</li>
            <li>Decrypt and verify the COSE_Encrypt0 as defined in Sections 5.2 <xref target="RFC9052" section="5.2" sectionFormat="bare"/> and 5.3 <xref target="RFC9052" section="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm in the selected cipher suite, suite and the parameters defined in <xref target="asym-msg3-proc"/>.</li>
            <li>If all processing completed successfully, then make ID_CRED_I and (if present) EAD_3 available to the application for authentication- authentication and EAD processing. When and how to perform authentication is up to the application.</li>
            <li>Obtain the authentication credential (CRED_I) and the authentication key of I from the application (or by other means).</li>
            <li>Verify Signature_or_MAC_3 using the algorithm in the selected cipher suite. The verification process depends on the method, method; see <xref target="asym-msg3-proc"/>. Make the result of the verification available to the application.</li>
            <li>Make the connection identifiers (C_I, (C_I and C_R) and the application algorithms in the selected cipher suite available to the application.</li>
          </ul>
          </ol>
          <t>After processing message_3, the Responder can compute PRK_out, see PRK_out (see <xref target="prkout"/>, target="prkout"/>) and derive application keys using the EDHOC_Exporter interface, see interface (see <xref target="exporter"/>. target="exporter"/>). The Responder SHOULD NOT <bcp14>SHOULD NOT</bcp14> persistently store PRK_out or application keys until the application has authenticated the Initiator. The Responder SHOULD NOT <bcp14>SHOULD NOT</bcp14> send protected application data until the application has authenticated the Initiator.</t>
          <t>If any processing step fails, then the Responder MUST <bcp14>MUST</bcp14> send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC session MUST <bcp14>MUST</bcp14> be aborted.</t>
        </section>
      </section>
      <section anchor="m4">
        <name>EDHOC Message 4</name>
        <t>This section specifies message_4 message_4, which is OPTIONAL <bcp14>OPTIONAL</bcp14> to support. Key confirmation is normally provided by sending an application message from the Responder to the Initiator protected with a key derived with the EDHOC_Exporter, e.g., using OSCORE (see <xref target="transfer"/>). In deployments where no protected application message is sent from the Responder to the Initiator, message_4 MUST <bcp14>MUST</bcp14> be supported and MUST <bcp14>MUST</bcp14> be used. Two examples of such deployments are:</t>
        <ol spacing="normal" type="1"><li>When type="1"><li>when EDHOC is only used for authentication and no application data is sent.</li>
          <li>When sent and</li>
          <li>when application data is only sent from the Initiator to the Responder.</li>
        </ol>
        <t>Further considerations about when to use message_4 are provided in Sections <xref target="applicability"/> target="applicability" format="counter"/> and <xref target="sec-prop"/>.</t> target="sec-prop" format="counter"/>.</t>
        <section anchor="asym-msg4-form">
          <name>Formatting of Message 4</name>
          <t>message_4 SHALL <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target="CBOR"/>) target="CBOR"/>), as defined below</t> below.</t>
          <sourcecode type="CDDL"><![CDATA[ type="cbor"><![CDATA[
message_4 = (
  CIPHERTEXT_4 : bstr,

)
]]></sourcecode>
        </section>
        <section anchor="asym-msg4-proc">
          <name>Responder Composition of Message 4</name>
          <t>The Responder SHALL <bcp14>SHALL</bcp14> compose message_4 as follows:</t>
          <ul spacing="normal">
            <li>
              <t>Compute a COSE_Encrypt0 as defined in Sections 5.2 <xref target="RFC9052" section="5.2" sectionFormat="bare"/> and 5.3 <xref target="RFC9052" section="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm of the selected cipher suite, using the encryption key K_4, the initialization vector IV_4 (if used by the AEAD algorithm), the plaintext PLAINTEXT_4, and the following parameters as input (see <xref target="COSE"/>):  </t>
              <ul spacing="normal">
                <li>protected = h''</li>
                <li>external_aad = TH_4</li>
                <li>K_4 and IV_4 are defined in <xref target="expand"/></li>
                <li>
                  <t>PLAINTEXT_4 = ( ? EAD_4 )
                  </t>
                  <ul spacing="normal">
                    <li>EAD_4 - is the external authorization data, data; see <xref target="AD"/>.</li>
                  </ul>
                </li>
              </ul>
              <t>
CIPHERTEXT_4 is the 'ciphertext' of COSE_Encrypt0.</t>
            </li>
            <li>Encode message_4 as a CBOR data item as specified in <xref target="asym-msg4-form"/>.</li>
          </ul>
        </section>
        <section anchor="initiator-processing-of-message-4">
          <name>Initiator Processing of Message 4</name>
          <t>The Initiator SHALL <bcp14>SHALL</bcp14> process message_4 as follows:</t>
          <ul spacing="normal">
            <li>Decode message_4 (see <xref target="CBOR"/>).</li>
            <li>Retrieve the protocol state using available message correlation (e.g., the CoAP Token, the 5-tuple, or the prepended C_I, C_I; see <xref target="ci-edhoc"/>).</li>
            <li>Decrypt and verify the COSE_Encrypt0 as defined in Sections 5.2 <xref target="RFC9052" section="5.2" sectionFormat="bare"/> and 5.3 <xref target="RFC9052" section="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm in the selected cipher suite, suite and the parameters defined in <xref target="asym-msg4-proc"/>.</li>
            <li>Make (if present) EAD_4 available to the application for EAD processing.</li>
          </ul>
          <t>If any processing step fails, then the Initiator MUST <bcp14>MUST</bcp14> send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC session MUST <bcp14>MUST</bcp14> be aborted.</t>
          <t>After verifying message_4, the Initiator is assured that the Responder has calculated the key PRK_out (key confirmation) and that no other party can derive the key.</t>
        </section>
      </section>
    </section>
    <section anchor="error">
      <name>Error Handling</name>
      <t>This section defines the format for error messages, messages and the processing associated with the currently defined error codes. Additional error codes may be registered, registered; see <xref target="error-code-reg"/>.</t>
      <t>Many kinds of errors that can occur during EDHOC processing. As in CoAP, an error can be triggered by errors in the received message or internal errors in the receiving endpoint. Except for processing and formatting errors, it is up to the application when to send an error message. Sending error messages is essential for debugging but MAY <bcp14>MAY</bcp14> be skipped if, for example, an EDHOC session cannot be found or due to denial-of-service reasons, reasons; see <xref target="dos"/>. Error messages in EDHOC are always fatal. After sending an error message, the sender MUST <bcp14>MUST</bcp14> abort the EDHOC session. The receiver SHOULD <bcp14>SHOULD</bcp14> treat an error message as an indication that the other party likely has aborted the EDHOC session.  But since error messages might be forged, the receiver MAY <bcp14>MAY</bcp14> try to continue the EDHOC session.</t>
      <t>An EDHOC error message can be sent by either endpoint as a reply to any non-error EDHOC message. How errors at the EDHOC layer are transported depends on lower layers, which need to enable error messages to be sent and processed as intended.</t>
      <t>error SHALL <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target="CBOR"/>) target="CBOR"/>), as defined below</t> below.</t>
      <figure anchor="fig-error-message">
        <name>EDHOC error message.</name> Error Message</name>
        <sourcecode type="CDDL"><![CDATA[ type="cbor"><![CDATA[
error = (
  ERR_CODE : int,
  ERR_INFO : any,
)
]]></sourcecode>
      </figure>
      <t>where:</t>
      <ul spacing="normal">
        <li>ERR_CODE - is an error code encoded as an integer. The value 0 is reserved for success and can only be used internally, internally; all other values (negative or positive) indicate errors.</li>
        <li>ERR_INFO - is the error information. Content and encoding depend on the error code.</li>
      </ul>
      <t>The remainder of this section specifies the currently defined error codes, codes; see <xref target="fig-error-codes"/>. target="tab-error-codes"/>. Additional error codes and corresponding error information may be specified.</t>
      <figure anchor="fig-error-codes">

<table anchor="tab-error-codes">
<name>EDHOC error codes Error Codes and error information.</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="208" width="560" viewBox="0 0 560 208" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,32 L 8,192" fill="none" stroke="black"/>
              <path d="M 96,32 L 96,192" fill="none" stroke="black"/>
              <path d="M 224,32 L 224,192" fill="none" stroke="black"/>
              <path d="M 552,32 L 552,192" fill="none" stroke="black"/>
              <path d="M 8,32 L 552,32" fill="none" stroke="black"/>
              <path d="M 8,62 L 552,62" fill="none" stroke="black"/>
              <path d="M 8,66 L 552,66" fill="none" stroke="black"/>
              <path d="M 8,96 L 552,96" fill="none" stroke="black"/>
              <path d="M 8,128 L 552,128" fill="none" stroke="black"/>
              <path d="M 8,160 L 552,160" fill="none" stroke="black"/>
              <path d="M 8,192 L 552,192" fill="none" stroke="black"/>
              <g class="text">
                <text x="52" y="52">ERR_CODE</text>
                <text x="140" y="52">ERR_INFO</text>
                <text x="196" y="52">Type</text>
                <text x="280" y="52">Description</text>
                <text x="80" y="84">0</text>
                <text x="252" y="84">This</text>
                <text x="296" y="84">value</text>
                <text x="332" y="84">is</text>
                <text x="380" y="84">reserved</text>
                <text x="80" y="116">1</text>
                <text x="124" y="116">tstr</text>
                <text x="280" y="116">Unspecified</text>
                <text x="352" y="116">error</text>
                <text x="80" y="148">2</text>
                <text x="132" y="148">suites</text>
                <text x="256" y="148">Wrong</text>
                <text x="316" y="148">selected</text>
                <text x="380" y="148">cipher</text>
                <text x="432" y="148">suite</text>
                <text x="80" y="180">3</text>
                <text x="124" y="180">true</text>
                <text x="264" y="180">Unknown</text>
                <text x="340" y="180">credential</text>
                <text x="428" y="180">referenced</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
+----------+---------------+----------------------------------------+
| ERR_CODE | ERR_INFO Type | Description                            |
+==========+===============+========================================+
|        0 |               | This value is reserved                 |
+----------+---------------+----------------------------------------+
|        1 | tstr          | Unspecified error                      |
+----------+---------------+----------------------------------------+
|        2 | suites        | Wrong Error Information</name>
<thead>
<tr>
<th>ERR_CODE</th>
<th>ERR_INFO Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="right">0</td>
<td></td>
<td>Reserved for success</td>
</tr>
<tr>
<td align="right">1</td>
<td>tstr</td>
<td>Unspecified error</td>
</tr>
<tr>
<td align="right">2</td>
<td>suites</td>
<td>Wrong selected cipher suite            |
+----------+---------------+----------------------------------------+
|        3 | true          | Unknown suite</td>
</tr>
<tr>
<td align="right">3</td>
<td>true</td>
<td>Unknown credential referenced          |
+----------+---------------+----------------------------------------+
]]></artwork>
        </artset>
      </figure> referenced</td>
</tr>
<tr>
<td align="right">23</td>
<td></td>
<td>Reserved</td>
</tr>
</tbody>
</table>

      <section anchor="success">
        <name>Success</name>
        <t>Error code 0 MAY <bcp14>MAY</bcp14> be used internally in an application to indicate success, i.e., as a standard value in case of no error, e.g., in status reporting or log files. Error code 0 MUST NOT <bcp14>MUST NOT</bcp14> be used as part of the EDHOC message exchange. If an endpoint receives an error message with error code 0, then it MUST <bcp14>MUST</bcp14> abort the EDHOC session and MUST NOT <bcp14>MUST NOT</bcp14> send an error message.</t>
      </section>
      <section anchor="unspecified-error">
        <name>Unspecified Error</name>
        <t>Error code 1 is used for errors that do not have a specific error code defined. ERR_INFO MUST <bcp14>MUST</bcp14> be a text string containing a human-readable diagnostic message which SHOULD that <bcp14>SHOULD</bcp14> be written in English, for example example, "Method not supported". The diagnostic text message is mainly intended for software engineers that who during debugging need to interpret it in the context of the EDHOC specification. The diagnostic message SHOULD <bcp14>SHOULD</bcp14> be provided to the calling application where it SHOULD <bcp14>SHOULD</bcp14> be logged.</t>
      </section>
      <section anchor="wrong-selected">
        <name>Wrong Selected Cipher Suite</name>
        <t>Error code 2 MUST <bcp14>MUST</bcp14> only be used when replying to message_1 in case the cipher suite selected by the Initiator is not supported by the Responder, Responder or if the Responder supports a cipher suite more preferred by the Initiator than the selected cipher suite, suite; see <xref target="resp-proc-msg1"/>. In this case, ERR_INFO = SUITES_R and is of type suites, suites; see <xref target="asym-msg1-form"/>. If the Responder does not support the selected cipher suite, then SUITES_R MUST <bcp14>MUST</bcp14> include one or more supported cipher suites. If the Responder supports a cipher suite in SUITES_I other than the selected cipher suite (independently of if the selected cipher suite is supported or not) not), then SUITES_R MUST <bcp14>MUST</bcp14> include the supported cipher suite in SUITES_I SUITES_I, which is most preferred by the Initiator. SUITES_R MAY <bcp14>MAY</bcp14> include a single cipher suite, suite; in which case case, it is encoded as an int. If the Responder does not support any cipher suite in SUITES_I, then it SHOULD <bcp14>SHOULD</bcp14> include all its supported cipher suites in SUITES_R.</t>
        <t>In contrast to SUITES_I, the order of the cipher suites in SUITES_R has no significance.</t>
        <section anchor="cipher-suite-negotiation">
          <name>Cipher Suite Negotiation</name>
          <t>After receiving SUITES_R, the Initiator can determine which cipher suite to select (if any) for the next EDHOC run with the Responder.</t>
          <t>If the
          <t>The Initiator intends needs to contact the Responder in the future, the Initiator SHOULD remember which selected cipher suite to use until the next message_1 has been sent, otherwise sent; otherwise, the Initiator and Responder will likely run into an infinite loop where the Initiator selects its most preferred cipher suite and the Responder sends an error with supported cipher suites.  After a completed EDHOC session, the Initiator MAY <bcp14>MAY</bcp14> remember the selected cipher suite to use in future EDHOC sessions. Note that if the Initiator or Responder is updated with new cipher suite policies, any cached information may be outdated.</t>
          <t>Note that the Initiator's list of supported cipher suites and order of preference is fixed (see Sections <xref target="asym-msg1-form"/> target="asym-msg1-form" format="counter"/> and <xref target="init-proc-msg1"/>). target="init-proc-msg1" format="counter"/>). Furthermore, the Responder SHALL <bcp14>SHALL</bcp14> only accept message_1 if the selected cipher suite is the first cipher suite in SUITES_I that the Responder also supports (see <xref target="resp-proc-msg1"/>). Following this procedure ensures that the selected cipher suite is the most preferred (by the Initiator) cipher suite supported by both parties. For examples, see <xref target="ex-neg"/>.</t>
          <t>If the selected cipher suite is not the first cipher suite which that the Responder supports in SUITES_I received in message_1, then the Responder MUST <bcp14>MUST</bcp14> abort the EDHOC session, session; see <xref target="resp-proc-msg1"/>. If SUITES_I in message_1 is manipulated, then the integrity verification of message_2 containing the transcript hash TH_2 will fail and the Initiator will abort the EDHOC session.</t>
        </section>
        <section anchor="ex-neg">
          <name>Examples</name>
          <t>Assume that the Initiator supports the five cipher suites suites, 5, 6, 7, 8, and 9 9, in decreasing order of preference. Figures <xref target="fig-error1" format="counter"/> and <xref target="fig-error2" format="counter"/> show two examples of how the Initiator can format SUITES_I and how SUITES_R is used by Responders to give the Initiator information about the cipher suites that the Responder supports.</t>
          <t>In Example 1 (<xref target="fig-error1"/>), the Responder supports cipher suite 6 but not the initially selected cipher suite 5. The Responder rejects the first message_1 with an error indicating support for suite 6 in SUITES_R. The Initiator also supports suite 6, 6 and therefore selects suite 6 in the second message_1. The Initiator prepends in SUITES_I the selected suite 6 with the more preferred suites, in this case suite 5, to mitigate a potential attack on the cipher suite negotiation.</t>
          <figure anchor="fig-error1">
            <name>Cipher suite negotiation example 1.</name> Suite Negotiation Example 1</name>
            <artset>
              <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="224" width="560" height="" width="" viewBox="0 0 560 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,48 L 8,208" fill="none" stroke="black"/>
                  <path d="M 552,48 L 552,208" fill="none" stroke="black"/>
                  <path d="M 8,64 L 544,64" fill="none" stroke="black"/>
                  <path d="M 16,128 L 552,128" fill="none" stroke="black"/>
                  <path d="M 8,192 L 544,192" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="552,192 540,186.4 540,197.6" fill="black" transform="rotate(0,544,192)"/>
                  <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fill="black" transform="rotate(0,544,64)"/>
                  <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" fill="black" transform="rotate(180,16,128)"/>
                  <g class="text">
                    <text x="40" y="36">Initiator</text>
                    <text x="520" y="36">Responder</text>
                    <text x="152" y="52">METHOD,</text>
                    <text x="220" y="52">SUITES_I</text>
                    <text x="264" y="52">=</text>
                    <text x="284" y="52">5,</text>
                    <text x="316" y="52">G_X,</text>
                    <text x="356" y="52">C_I,</text>
                    <text x="400" y="52">EAD_1</text>
                    <text x="280" y="84">message_1</text>
                    <text x="196" y="116">ERR_CODE</text>
                    <text x="240" y="116">=</text>
                    <text x="260" y="116">2,</text>
                    <text x="308" y="116">SUITES_R</text>
                    <text x="352" y="116">=</text>
                    <text x="368" y="116">6</text>
                    <text x="280" y="148">error</text>
                    <text x="144" y="180">METHOD,</text>
                    <text x="212" y="180">SUITES_I</text>
                    <text x="256" y="180">=</text>
                    <text x="280" y="180">[5,</text>
                    <text x="312" y="180">6],</text>
                    <text x="348" y="180">G_X,</text>
                    <text x="388" y="180">C_I,</text>
                    <text x="432" y="180">EAD_1</text>
                    <text x="280" y="212">message_1</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art" align="center"><![CDATA[
Initiator                                                   Responder
|              METHOD, SUITES_I = 5, G_X, C_I, EAD_1                |
+------------------------------------------------------------------>|
|                             message_1                             |
|                                                                   |
|                   ERR_CODE = 2, SUITES_R = 6                      |
|<------------------------------------------------------------------+
|                               error                               |
|                                                                   |
|             METHOD, SUITES_I = [5, 6], G_X, C_I, EAD_1            |
+------------------------------------------------------------------>|
|                             message_1                             |
]]></artwork>
            </artset>
          </figure>
          <t>In Example 2 (<xref target="fig-error2"/>), the Responder supports cipher suites 8 and 9 but not the more preferred (by the Initiator) cipher suites 5, 6 or 7. To illustrate the negotiation mechanics mechanics, we let the Initiator first make a guess that the Responder supports suite 6 but not suite 5. Since the Responder supports neither 5 nor 6, it rejects the first message_1 with an error indicating support for suites 8 and 9 in SUITES_R (in any order). The Initiator also supports suites 8 and 9, and prefers suite 8, so it  selects suite 8 in the second message_1. The Initiator prepends in SUITES_I the selected suite 8 with the more preferred suites in order of preference, in this case case, suites 5, 6 and 7, to mitigate a potential attack on the cipher suite negotiation.</t>
          <t>Note 1. If
	  <ol type="Note %d.">
          <li>If the Responder had supported suite 5, then the first message_1 would not have been accepted either, since the Responder observes that suite 5 is more preferred by the Initiator than the selected suite 6. In that case case, the Responder would have included suite 5 in SUITES_R of the response, and it would then have become the selected and only suite in the second message_1.</t>
          <t>Note 2. For message_1.</li>
          <li>For each message_1 message_1, the Initiator MUST <bcp14>MUST</bcp14> generate a new ephemeral ECDH key pair matching the selected cipher suite.</t> suite.</li>
	</ol>
          <figure anchor="fig-error2">
            <name>Cipher suite negotiation example 2.</name> Suite Negotiation Example 2</name>
            <artset>
              <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="224" width="560" height="" width="" viewBox="0 0 560 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,48 L 8,208" fill="none" stroke="black"/>
                  <path d="M 552,48 L 552,208" fill="none" stroke="black"/>
                  <path d="M 8,64 L 544,64" fill="none" stroke="black"/>
                  <path d="M 16,128 L 552,128" fill="none" stroke="black"/>
                  <path d="M 8,192 L 544,192" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="552,192 540,186.4 540,197.6" fill="black" transform="rotate(0,544,192)"/>
                  <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fill="black" transform="rotate(0,544,64)"/>
                  <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" fill="black" transform="rotate(180,16,128)"/>
                  <g class="text">
                    <text x="40" y="36">Initiator</text>
                    <text x="520" y="36">Responder</text>
                    <text x="136" y="52">METHOD,</text>
                    <text x="204" y="52">SUITES_I</text>
                    <text x="248" y="52">=</text>
                    <text x="272" y="52">[5,</text>
                    <text x="304" y="52">6],</text>
                    <text x="340" y="52">G_X,</text>
                    <text x="380" y="52">C_I,</text>
                    <text x="424" y="52">EAD_1</text>
                    <text x="280" y="84">message_1</text>
                    <text x="188" y="116">ERR_CODE</text>
                    <text x="232" y="116">=</text>
                    <text x="252" y="116">2,</text>
                    <text x="300" y="116">SUITES_R</text>
                    <text x="344" y="116">=</text>
                    <text x="368" y="116">[9,</text>
                    <text x="396" y="116">8]</text>
                    <text x="280" y="148">error</text>
                    <text x="128" y="180">METHOD,</text>
                    <text x="196" y="180">SUITES_I</text>
                    <text x="240" y="180">=</text>
                    <text x="264" y="180">[5,</text>
                    <text x="292" y="180">6,</text>
                    <text x="316" y="180">7,</text>
                    <text x="344" y="180">8],</text>
                    <text x="380" y="180">G_X,</text>
                    <text x="420" y="180">C_I,</text>
                    <text x="464" y="180">EAD_1</text>
                    <text x="280" y="212">message_1</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art" align="center"><![CDATA[
Initiator                                                   Responder
|            METHOD, SUITES_I = [5, 6], G_X, C_I, EAD_1             |
+------------------------------------------------------------------>|
|                             message_1                             |
|                                                                   |
|                  ERR_CODE = 2, SUITES_R = [9, 8]                  |
|<------------------------------------------------------------------+
|                               error                               |
|                                                                   |
|           METHOD, SUITES_I = [5, 6, 7, 8], G_X, C_I, EAD_1        |
+------------------------------------------------------------------>|
|                             message_1                             |
]]></artwork>
            </artset>
          </figure>
        </section>
      </section>
      <section anchor="unknown-credential-referenced">
        <name>Unknown Credential Referenced</name>
        <t>Error code 3 is used for errors due to a received credential identifier (ID_CRED_R in message_2 or ID_CRED_I message_3) containing a reference to a credential which that the receiving endpoint does not have access to. The intent with this error code is that the endpoint who sent the credential identifier should should, for the next EDHOC session session, try another credential identifier supported according to the application profile.</t>
        <t>For example, an application profile could list x5t and x5chain as supported credential identifiers, identifiers and state that x5t should be used if it can be assumed that the X.509 certificate is available at the receiving side. This error code thus enables the certificate chain to be sent only when needed, bearing in mind that error messages are not protected so an adversary can try to cause unnecessary unnecessary, large credential identifiers.</t>
        <t>For the error code 3, the error information SHALL <bcp14>SHALL</bcp14> be the CBOR simple value <tt>true</tt> (0xf5). Error code 3 MUST NOT <bcp14>MUST NOT</bcp14> be used when the received credential identifier type is not supported.</t>
      </section>
    </section>
    <section anchor="duplication">
      <name>EDHOC Message Deduplication</name>
      <t>EDHOC by default
      <t>By default, EDHOC assumes that message duplication is handled by the transport, transport (which is exemplified by CoAP in this section exemplified with CoAP, section); see <xref target="coap"/>.</t>
      <t>Deduplication of CoAP messages is described in Section 4.5 of <xref target="RFC7252"/>. target="RFC7252" section="4.5" sectionFormat="of"/>. This handles the case when the same Confirmable (CON) message is received multiple times due to missing acknowledgment on the CoAP messaging layer. The recommended processing in <xref target="RFC7252"/> is that the duplicate message is acknowledged (ACK), acknowledged, but the received message is only processed once by the CoAP stack.</t>
      <t>Message deduplication is resource demanding and therefore not supported in all CoAP implementations. Since EDHOC is targeting constrained environments, it is desirable that EDHOC can optionally support transport layers which that do not handle message duplication. Special care is needed to avoid issues with duplicate messages, messages; see <xref target="proc-outline"/>.</t>
      <t>The guiding principle here is similar to the deduplication processing on the CoAP messaging layer: layer, i.e., a received duplicate EDHOC message SHALL NOT <bcp14>SHALL NOT</bcp14> result in another instance of the next EDHOC message. The result MAY <bcp14>MAY</bcp14> be that a duplicate next EDHOC message is sent, provided it is still relevant with respect to the current protocol state. In any case, the received message MUST NOT <bcp14>MUST NOT</bcp14> be processed more than once in the same EDHOC session. This is called "EDHOC message deduplication".</t>
      <t>An EDHOC implementation MAY <bcp14>MAY</bcp14> store the previously sent EDHOC message to be able to resend it.</t>
      <t>In principle, if the EDHOC implementation would deterministically regenerate the identical EDHOC message previously sent, it would be possible to instead store the protocol state to be able to recreate and resend the previously sent EDHOC message. However, even if the protocol state is fixed, the message generation may introduce differences which that compromise security. For example, in the generation of message_3, if I is performing a (non-deterministic) ECDSA signature (say, method 0 or 1, 1 and cipher suite 2 or 3) 3), then PLAINTEXT_3 is randomized, but K_3 and IV_3 are the same, leading to a key and nonce reuse.</t>
      <t>The EDHOC implementation MUST NOT <bcp14>MUST NOT</bcp14> store the previous protocol state and regenerate an EDHOC message if there is a risk that the same key and IV are used for two (or more) distinct messages.</t>
      <t>The previous message or protocol state MUST NOT <bcp14>MUST NOT</bcp14> be kept longer than what is required for retransmission, for example, in the case of CoAP transport, no longer than the EXCHANGE_LIFETIME (see Section 4.8.2 of <xref target="RFC7252"/>).</t> target="RFC7252" section="4.8.2" sectionFormat="of"/>).</t>
    </section>
    <section anchor="mti">
      <name>Compliance Requirements</name>
      <t>In the absence of an application profile specifying otherwise:</t>
      <t>An
      <ul spacing="normal">
      <li>An implementation MAY <bcp14>MAY</bcp14> support only an Initiator or only Responder.</t>
      <t>An a Responder.</li>
      <li>An implementation MAY <bcp14>MAY</bcp14> support only a single method. None of the methods are mandatory-to-implement.</t>
      <t>Implementations MUST mandatory to implement.</li>
      <li>Implementations <bcp14>MUST</bcp14> support 'kid' parameters. None of the other COSE header parameters are mandatory-to-implement.</t>
      <t>An mandatory to implement.</li>
      <li>An implementation MAY <bcp14>MAY</bcp14> support only a single credential type (CCS, CWT, X.509, or C509). None of the credential types are mandatory-to-implement.</t>
      <t>Implementations MUST mandatory to implement.</li>
      <li>Implementations <bcp14>MUST</bcp14> support the EDHOC_Exporter.</t>
      <t>Implementations MAY EDHOC_Exporter.</li>
      <li>Implementations <bcp14>MAY</bcp14> support message_4. Error codes (ERR_CODE) 1 and 2 MUST <bcp14>MUST</bcp14> be supported.</t>
      <t>Implementations MUST supported.</li>
      <li>Implementations <bcp14>MUST</bcp14> support EAD.</t>
      <t>Implementations MUST EAD.</li>
      <li>Implementations <bcp14>MUST</bcp14> support cipher suite suites 2 and 3. Cipher suites 2 (AES-CCM-16-64-128, SHA-256, 8, P-256, ES256, AES-CCM-16-64-128, SHA-256) and 3 (AES-CCM-16-128-128, SHA-256, 16, P-256, ES256, AES-CCM-16-64-128, SHA-256) only differ in the size of the MAC length, so supporting one or both of these is not significantly different. Implementations only need to implement the algorithms needed for their supported methods.</t> methods.</li>
      </ul>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <section anchor="sec-prop">
        <name>Security Properties</name>
        <t>EDHOC has similar security properties as can be expected from the theoretical SIGMA-I protocol <xref target="SIGMA"/> and the Noise XX pattern <xref target="Noise"/>, which are similar to methods 0 and 3, respectively. Proven security properties are detailed in the security analysis publications referenced at the end of this section.</t>
        <t>Using the terminology from <xref target="SIGMA"/>, EDHOC provides forward secrecy, mutual authentication with aliveness, consistency, and peer awareness. As described in <xref target="SIGMA"/>, message_3 provides peer awareness to the Responder Responder, while message_4 provides peer awareness to the Initiator.	By including the authentication credentials in the transcript hash, EDHOC protects against an identity misbinding attack like the Duplicate Signature Key Selection (DSKS)-like identity mis-binding attack (DSKS) that the MAC-then-Sign variant of SIGMA-I is otherwise vulnerable to.</t>
        <t>As described in <xref target="SIGMA"/>, different levels of identity protection are provided to the Initiator and the Responder. EDHOC provides identity protection of the Initiator against active attacks and identity protection of the Responder against passive attacks. An active attacker can get the credential identifier of the Responder by eavesdropping on the destination address used for transporting message_1 and then sending its own message_1 to the same address. The roles should be assigned to protect the most sensitive identity/identifier, typically that which is not possible to infer from routing information in the lower layers.</t>
        <t>EDHOC messages might change in transit due to a noisy channel or through modification by an attacker. Changes in message_1 and message_2 (except Signature_or_MAC_2 when the signature scheme is not strongly unforgeable) are detected when verifying Signature_or_MAC_2. Changes to not strongly unforgeable Signature_or_MAC_2, Signature_or_MAC_2 and message_3 are detected when verifying CIPHERTEXT_3. Changes to message_4 are detected when verifying CIPHERTEXT_4.</t>
        <t>Compared to <xref target="SIGMA"/>, EDHOC adds an explicit method type and expands the message authentication coverage to additional elements such as algorithms, external authorization data, and previous plaintext messages. This protects against an attacker replaying messages or injecting messages from another EDHOC session.</t>
        <t>EDHOC also adds a selection of connection identifiers and downgrade downgrades protected negotiation of cryptographic parameters, i.e., an attacker cannot affect the negotiated parameters. A single session of EDHOC does not include negotiation of cipher suites, but it enables the Responder to verify that the selected cipher suite is the most preferred cipher suite by the Initiator which that is supported by both the Initiator and the Responder, Responder and to abort the EDHOC session if not.</t>
        <t>As required by <xref target="RFC7258"/>, IETF protocols need to mitigate pervasive monitoring when possible. Therefore, EDHOC therefore only supports methods with ephemeral Diffie-Hellman and provides a key update function (see <xref target="keyupdate"/>) for lightweight application protocol rekeying. Either of these provides forward secrecy, in the sense that compromise of the private authentication keys does not compromise past session keys (PRK_out), (PRK_out) and compromise of a session key does not compromise past session keys. Frequently re-running EDHOC with ephemeral Diffie-Hellman forces attackers to perform dynamic key exfiltration where the attacker must have continuous interactions with the collaborator, which is a significant sustained attack.</t>
        <t>To limit the effect of breaches, it is important to limit the use of symmetric group keys for bootstrapping. Therefore, EDHOC therefore strives to make the additional cost of using raw public keys and self-signed certificates as small as possible. Raw public keys and self-signed certificates are not a replacement for a public key infrastructure but SHOULD <bcp14>SHOULD</bcp14> be used instead of symmetric group keys for bootstrapping.</t>
        <t>Compromise of the long-term keys (private signature or static DH keys) does not compromise the security of completed EDHOC sessions. Compromising the private authentication keys of one party lets an active attacker impersonate that compromised party in EDHOC sessions with other parties but does not let the attacker impersonate other parties in EDHOC sessions with the compromised party. Compromise of the long-term keys does not enable a passive attacker to compromise future session keys (PRK_out). Compromise of the HDKF HKDF input parameters (ECDH shared secret) leads to compromise of all session keys derived from that compromised shared secret. Compromise of one session key does not compromise other session keys. Compromise of PRK_out leads to compromise of all keying material derived with the EDHOC_Exporter.</t>
        <t>Based on the cryptographic algorithms algorithm requirements <xref target="sec_algs"/>, (<xref target="sec_algs"/>), EDHOC provides a minimum of 64-bit security against online brute force attacks and a minimum of 128-bit security against offline brute force attacks. To break 64-bit security against online brute force force, an attacker would on average have to send 4.3 billion messages per second for 68 years, which is infeasible in constrained IoT radio technologies. A forgery against a 64-bit MAC in EDHOC breaks the security of all future application data, while a forgery against a 64-bit MAC in the subsequent application protocol (e.g., OSCORE <xref target="RFC8613"/>) typically only breaks the security of the data in the forged packet.</t>
        <t>As the EDHOC session is aborted when verification fails, the security against online attacks is given by the sum of the strength of the verified signatures and MACs (including MAC in AEAD). As an example, if EDHOC is used with method 3, cipher suite 2, and message_4, the Responder is authenticated with 128-bit security against online attacks (the sum of the 64-bit MACs in message_2 and message_4). The same principle applies for MACs in an application protocol keyed by EDHOC as long as EDHOC is rerun re-run when verification of the first MACs in the application protocol fails. As an example, if EDHOC with method 3 and cipher suite 2 is used as in Figure 2 of <xref target="I-D.ietf-core-oscore-edhoc"/>, 128-bit mutual authentication against online attacks can be achieved after completion of the first OSCORE request and response.</t>
        <t>After sending message_3, the Initiator is assured that no other party than the Responder can compute the key PRK_out. While the Initiator can securely send protected application data, the Initiator SHOULD NOT <bcp14>SHOULD NOT</bcp14> persistently store the keying material PRK_out until the Initiator has verified message_4 or a message protected with a derived application key, such as an OSCORE message, from the Responder. After verifying message_3, the Responder is assured that an honest Initiator has computed the key PRK_out. The Responder can securely derive and store the keying material PRK_out, PRK_out and send protected application data.</t>
        <t>External authorization data sent in message_1 (EAD_1) or message_2 (EAD_2) should be considered unprotected by EDHOC, EDHOC; see <xref target="unprot-data"/>. EAD_2 is encrypted encrypted, but the Responder has not yet authenticated the Initiator and the encryption does not provide confidentiality against active attacks.</t>
        <t>External authorization data sent in message_3 (EAD_3) or message_4 (EAD_4) is protected between the Initiator and Responder by the protocol, but note that EAD fields may be used by the application before the message verification is completed, completed; see <xref target="AD"/>. Designing a secure mechanism that uses EAD is not necessarily straightforward. This document only provides the EAD transport mechanism, but the problem of agreeing on the surrounding context and the meaning of the information passed to and from the application remains. Any new uses of EAD should be subject to careful review.</t>
        <t>Key compromise impersonation (KCI): In
	<dl newline="false" spacing="normal">
          <dt>Key Compromise Impersonation (KCI):</dt> <dd>In EDHOC authenticated with signature keys, EDHOC provides KCI protection against an attacker having access to the long-term key or the ephemeral secret key. With static Diffie-Hellman key authentication, KCI protection would be provided against an attacker having access to the long-term Diffie-Hellman key, key but not to an attacker having access to the ephemeral secret key. Note that the term KCI has typically been used for compromise of long-term keys, keys and that an attacker with access to the ephemeral secret key can only attack that specific EDHOC session.</t>
        <t>Repudiation: If session.</dd>
          <dt>Repudiation:</dt> <dd>If an endpoint authenticates with a signature, the other endpoint can prove that the endpoint performed a run of the protocol by presenting the data being signed as well as the signature itself. With static Diffie-Hellman key authentication, the authenticating endpoint can deny having participated in the protocol.</t> protocol.</dd>
	</dl>
        <t>Earlier versions of EDHOC have been formally analyzed <xref target="Bruni18"/> <xref target="Norrman20"/> <xref target="CottierPointcheval22"/> <xref target="Jacomme23"/> <xref target="GuentherIlunga22"/> target="GuentherIlunga22"/>, and the specification has been updated based on the analysis.</t>
      </section>
      <section anchor="crypto">
        <name>Cryptographic Considerations</name>
        <t>The SIGMA protocol requires that the encryption of message_3 provides confidentiality against active attackers and EDHOC message_4 relies on the use of
authenticated encryption. Hence, the message authenticating functionality of the authenticated encryption in EDHOC is critical: critical, i.e., authenticated encryption MUST NOT <bcp14>MUST NOT</bcp14> be replaced by plain encryption only, even if authentication is provided at another level or through a different mechanism.</t>
        <t>To reduce message overhead overhead, EDHOC does not use explicit nonces and instead relies on the ephemeral public keys to provide randomness to each EDHOC session. A good amount of randomness is important for the key generation, generation to provide liveness, liveness and to protect against interleaving attacks. For this reason, the ephemeral keys MUST NOT <bcp14>MUST NOT</bcp14> be used in more than one EDHOC message, and both parties SHALL <bcp14>SHALL</bcp14> generate fresh fresh, random ephemeral key pairs. Note that an ephemeral key may be used to calculate several ECDH shared secrets. When static Diffie-Hellman authentication is used used, the same ephemeral key is used in both ephemeral-ephemeral and ephemeral-static ECDH.</t>
        <t>As discussed in <xref target="SIGMA"/>, the encryption of message_2 does only need needs to protect against a passive attacker as since active attackers can always get the Responder's identity by sending their own message_1. EDHOC uses the EDHOC_Expand function (typically HKDF-Expand) as a binary additive stream cipher which that is proven secure as long as the expand function is a PRF. Pseudorandom Function (PRF). HKDF-Expand is not often used as a stream cipher as it is slow on long messages, and most applications require both confidentiality with indistinguishability under adaptive chosen ciphertext (IND-CCA) attack (IND-CCA2) as well as integrity protection. For the encryption of message_2, any speed difference is negligible, IND-CCA IND-CCA2 does not increase security, and integrity is provided by the inner MAC (and signature depending on method).</t>
        <t>Requirements for how to securely generate, validate, and process the ephemeral public keys depend on the elliptic curve. For X25519 and X448, the requirements are defined in <xref target="RFC7748"/>. For X25519 and X448, the check for all-zero output as specified in <xref target="RFC7748" sectionFormat="of" section="6"/> <bcp14>MUST</bcp14> be done. For secp256r1, secp384r1, and secp521r1, the requirements are defined in Section 5 of <xref target="SP-800-56A"/>. For secp256r1, secp384r1, and secp521r1, at least partial public-key public key validation MUST <bcp14>MUST</bcp14> be done.</t>
        <t>The same authentication credential MAY <bcp14>MAY</bcp14> be used for both the Initiator
   and Responder roles.  As noted in Section 12 of <xref target="RFC9052"/> target="RFC9052" section="12" sectionFormat="of"/>, the use of a single key for multiple algorithms is strongly discouraged unless proven secure by a dedicated cryptographic analysis.  In particular particular, this recommendation applies to using the same private key for static Diffie-Hellman authentication and digital signature authentication. A preliminary conjecture is that a minor change to EDHOC may be sufficient to fit the analysis of a secure shared signature and ECDH key usage in <xref target="Degabriele11"/> and <xref target="Thormarker21"/>.</t> target="Thormarker21"/>. Note that Section 5.6.3.2 of <xref target="SP-800-56A"/> allows a key agreement key pair to be used with a signature algorithm in certificate requests.</t>
        <t>The property that a completed EDHOC session implies that another identity has been active is upheld as long as the Initiator does not have its own identity in the set of Responder identities it is allowed to communicate with. In Trust on first use trust-on-first-use (TOFU) use cases, see cases (see <xref target="tofu"/>, target="tofu"/>), the Initiator should verify that the Responder's identity is not equal to its own. Any future EDHOC methods using using, e.g., pre-shared keys PSKs might need to mitigate this in other ways. However, an active attacker can gain information about the set of identities an Initiator is willing to communicate with. If the Initiator is willing to communicate with all identities except its own own, an attacker can determine that a guessed Initiator identity is correct. To not leak any long-term identifiers, using a freshly generated authentication key as an identity in each initial TOFU session is RECOMMENDED.</t> <bcp14>RECOMMENDED</bcp14>.</t>
        <t>NIST SP 800-56A <xref target="SP-800-56A"/> forbids deriving secret and non-secret randomness from the same KDF Key Derivation Function (KDF) instance, but this decision has been criticized by Krawczyk in <xref target="HKDFpaper"/> and doing so is common practice. In addition to IVs, other examples are the challenge in EAP-TTLS, Extensible Authentication Protocol Tunneled Transport Layer Security (EAP-TTLS), the RAND in 3GPP AKAs, Authentication and Key Agreement (AKA), and the Session-Id in EAP-TLS 1.3. Note that part of KEYSTREAM_2 is also non-secret randomness randomness, as it is known or predictable to an attacker. The more recent NIST SP 800-108 <xref target="SP-800-108"/> aligns with <xref target="HKDFpaper"/> and states that that, for a secure KDF, the revelation of one portion of the derived keying material must not degrade the security of any other portion of that keying material.</t>
      </section>
      <section anchor="sec_algs">
        <name>Cipher Suites and Cryptographic Algorithms</name>
        <t>When using a private cipher suite or registering new cipher suites, the choice of the key length used in the different algorithms needs to be harmonized, harmonized so that a sufficient security level is maintained for authentication credentials, the EDHOC session, and the protection of application data. The Initiator and the Responder should enforce a minimum security level.</t>
        <t>The output size of the EDHOC hash algorithm MUST <bcp14>MUST</bcp14> be at least 256-bits, 256 bits, i.e., the hash algorithms SHA-1 and SHA-256/64 (SHA-256 truncated to 64-bits) SHALL NOT 64 bits) <bcp14>SHALL NOT</bcp14> be supported for use in EDHOC except for certificate identification with x5t and c5t. For security considerations of SHA-1, see <xref target="RFC6194"/>. As EDHOC integrity protects all the whole authentication credentials, the choice of hash algorithm in x5t and c5t does not affect security, security and using the same hash algorithm as in the cipher suite, but with as much truncation as possible, is RECOMMENDED. <bcp14>RECOMMENDED</bcp14>. That is, when the EDHOC hash algorithm is SHA-256, using SHA-256/64 in x5t and c5t is RECOMMENDED. <bcp14>RECOMMENDED</bcp14>. The EDHOC MAC length MUST <bcp14>MUST</bcp14> be at least 8 bytes and the tag length of the EDHOC AEAD algorithm MUST <bcp14>MUST</bcp14> be at least 64-bits. 64 bits. Note that secp256k1 is only defined for use with ECDSA and not for ECDH. Note that some COSE algorithms are marked as not recommended in the COSE IANA registry.</t>
      </section>
      <section anchor="pqc">
        <name>Post-Quantum Considerations</name>
        <t>As of the publication of this specification, it is unclear when or even if a quantum computer of sufficient size and power to exploit public key cryptography will exist. Deployments that need to consider risks decades into the future should transition to Post-Quantum Cryptography (PQC) in the not-too-distant future. Many other systems should take a slower wait-and-see approach where PQC is phased in when the quantum threat is more imminent. Current PQC algorithms have limitations compared to Elliptic Curve Cryptography (ECC) (ECC), and the data sizes would be problematic in many constrained IoT systems.</t>
        <t>Symmetric algorithms used in EDHOC EDHOC, such as SHA-256 and AES-CCM-16-64-128 AES-CCM-16-64-128, are practically secure against even large quantum computers. Two of NIST's security levels for quantum-resistant public-key public key cryptography are based on AES-128 and SHA-256. Quantum A quantum computer will likely be expensive, expensive and slow due to heavy error correction, and Grover’s correction. Grover's algorithm, which is proven to be optimal, cannot effectively be parallelized. Grover’s algorithm It will provide little or no advantage in attacking AES, and AES-128 will remain secure for decades to come <xref target="NISTPQC"/>.</t>
        <t>EDHOC supports all signature algorithms defined by COSE, including PQC signature algorithms such as HSS-LMS. EDHOC is currently only specified for use with key exchange algorithms of type ECDH curves, but any Key Encapsulation Method (KEM), including PQC KEMs, can be used in method 0. While the key exchange in method 0 is specified with the terms of the Diffie-Hellman protocol, the key exchange adheres to a KEM interface: G_X is then the public key of the Initiator, G_Y is the encapsulation, and G_XY is the shared secret. Use of PQC KEMs to replace static DH authentication would likely require a specification updating EDHOC with new methods.</t>
      </section>
      <section anchor="unprot-data">
        <name>Unprotected Data and Privacy</name>
        <t>The Initiator and the Responder must make sure that unprotected data and metadata do not reveal any sensitive information. This also applies for encrypted data sent to an unauthenticated party. In particular, it applies to EAD_1, ID_CRED_R, EAD_2, and error messages. Using the same EAD_1 in several EDHOC sessions allows passive eavesdroppers to correlate the different sessions. Note that even if ead_value is encrypted outside of EDHOC, the ead_labels in EAD_1 is revealed to passive attackers and the ead_labels in EAD_2 is revealed to active attackers. Another consideration is that the list of supported cipher suites may potentially be used to identify the application. The Initiator and the Responder must also make sure that unauthenticated data does not trigger any harmful actions. In particular, this applies to EAD_1 and error messages.</t>
        <t>An attacker observing network traffic may use connection identifiers sent in clear in EDHOC or the subsequent application protocol to correlate packets sent on different paths or at different times. The attacker may use this information for traffic flow analysis or to track an endpoint. Application protocols using connection identifiers from EDHOC SHOULD <bcp14>SHOULD</bcp14> provide mechanisms to update the connection identifiers and MAY <bcp14>MAY</bcp14> provide mechanisms to issue several simultaneously active connection identifiers. See <xref target="RFC9000"/> for a non-constrained example of such mechanisms. Connection identifiers can can, e.g., be chosen randomly among the set of unused 1-byte connection identifiers. Connection identity privacy mechanisms are only useful when there are not fixed identifiers identifiers, such as IP address or MAC address in the lower layers.</t>
      </section>
      <section anchor="internet-threat">
        <name>Updated Internet Threat Model Considerations</name>
        <t>Since the publication of <xref target="RFC3552"/> target="RFC3552"/>, there has been an increased awareness of the need to protect against endpoints that are compromised, malicious, compromised or malicious or whose interests simply do not align with the interests of users <xref target="I-D.arkko-arch-internet-threat-model-guidance"/>. <xref target="RFC7624"/> describes an updated threat model for Internet confidentiality, confidentiality; see <xref target="sec-prop"/>. <xref target="I-D.arkko-arch-internet-threat-model-guidance"/> further expands the threat model. Implementations and users should take these threat models into account and consider actions to reduce the risk of tracking by other endpoints. In particular, even data sent protected to the other endpoint endpoint, such as ID_CRED fields and EAD fields fields, can be used for tracking, tracking; see Section 2.7 of <xref target="I-D.arkko-arch-internet-threat-model-guidance"/>.</t> target="I-D.arkko-arch-internet-threat-model-guidance" section="2.7" sectionFormat="of"/>.</t>
        <t>The fields ID_CRED_I, ID_CRED_R, EAD_2, EAD_3, and EAD_4 have variable length, and information regarding the length may leak to an attacker. A passive attacker may, e.g., be able to differentiate endpoints using identifiers of different length. To mitigate this information leakage leakage, an implementation may ensure that the fields have a fixed length or use padding. An implementation may, e.g., only use fixed length identifiers like 'kid' of length 1. Alternatively, padding may be used (see <xref target="padding"/>) to hide the true length of, e.g., certificates by value in 'x5chain' or 'c5c'.</t>
      </section>
      <section anchor="dos">
        <name>Denial-of-Service</name>
        <name>Denial of Service</name>
        <t>EDHOC itself does not provide countermeasures against denial-of-service attacks. In particular, by sending a number of new or replayed message_1 message_1, an attacker may cause the Responder to allocate the state, perform cryptographic operations, and amplify messages. To mitigate such attacks, an implementation SHOULD <bcp14>SHOULD</bcp14> make use of available lower layer mechanisms. For instance, when EDHOC is transferred as transferred as an exchange of CoAP messages, the CoAP server can use the Echo option defined in <xref target="RFC9175"/> target="RFC9175"/>, which forces the CoAP client to demonstrate reachability at its apparent network address. To avoid an additional roundtrip round trip, the Initiator can reduce the amplification factor by padding message_1, i.e., using EAD_1, EAD_1; see <xref target="padding"/>.
Note that while the Echo option mitigates some resource exhaustion aspects of
spoofing, it does not protect against a distributed denial-of-service attack made by real, potentially compromised, clients. Similarly, limiting amplification only reduces the impact, which still may be significant because of a large number of clients engaged in the attack.</t>
        <t>An attacker can also send a faked message_2, message_3, message_4, or error in an attempt to trick the receiving party to send an error message and abort the EDHOC session. EDHOC implementations MAY <bcp14>MAY</bcp14> evaluate if a received message is likely to have been forged by an attacker and ignore it without sending an error message or aborting the EDHOC session.</t>
      </section>
      <section anchor="impl-cons">
        <name>Implementation Considerations</name>
        <t>The availability of a secure random number generator is essential for the security of EDHOC. If no true random number generator is available, a random seed MUST <bcp14>MUST</bcp14> be provided from an external source and used with a cryptographically secure pseudorandom number generator. As each pseudorandom number must only be used once, an implementation needs to get a unique input to the pseudorandom number generator after reboot, reboot or continuously store state in nonvolatile memory. Appendix B.1.1 in <xref target="RFC8613"/> target="RFC8613" sectionFormat="of" section="B.1.1"/> describes issues and solution approaches for writing to nonvolatile memory. Intentionally or unintentionally weak or predictable pseudorandom number generators can be abused or exploited for malicious purposes. <xref target="RFC8937"/> describes a way for security protocol implementations to augment their (pseudo)random number generators using a long-term private key and a deterministic signature function. This improves randomness from broken or otherwise subverted random number generators. The same idea can be used with other secrets and functions functions, such as a Diffie-Hellman function or a symmetric secret secret, and a PRF like HMAC or KMAC. It is RECOMMENDED <bcp14>RECOMMENDED</bcp14> to not trust a single source of randomness and to not put unaugmented random numbers on the wire.</t>
        <t>For many constrained IoT devices devices, it is problematic to support several crypto primitives. Existing devices can be expected to support either ECDSA or EdDSA. Edwards-curve Digital Signature Algorithm (EdDSA). If ECDSA is supported, "deterministic ECDSA" ECDSA", as specified in <xref target="RFC6979"/> MAY target="RFC6979"/>, <bcp14>MAY</bcp14> be used. Pure deterministic elliptic-curve signatures signatures, such as deterministic ECDSA and EdDSA EdDSA, have gained popularity over randomized ECDSA as their security do does not depend on a source of high-quality randomness. Recent research has however found that implementations of these signature algorithms may be vulnerable to certain side-channel and fault injection attacks due to their determinism. See e.g., Section 1 of For example, see <xref target="I-D.irtf-cfrg-det-sigs-with-noise"/> target="I-D.irtf-cfrg-det-sigs-with-noise" section="1" sectionFormat="of"/> for a list of attack papers. As suggested in Section 2.1.1 of <xref target="RFC9053"/> target="RFC9053" section="2.1.1" sectionFormat="of"/>, this can be addressed by combining randomness and determinism.</t>
        <t>Appendix D of <xref target="I-D.ietf-lwig-curve-representations"/>
        <t><xref target="I-D.ietf-lwig-curve-representations" sectionFormat="of" section="D"/> describes how Montgomery curves curves, such as X25519 and X448 X448, and (twisted) Edwards curves as curves curves, such as Ed25519 and Ed448 Ed448, can be mapped to and from short-Weierstrass form for implementation implementations on platforms that accelerate elliptic curve group operations in short-Weierstrass form.</t>
        <t>All private keys, symmetric keys, and IVs MUST <bcp14>MUST</bcp14> be secret. Only the Responder SHALL <bcp14>SHALL</bcp14> have access to the Responder's private authentication key key, and only the Initiator SHALL <bcp14>SHALL</bcp14> have access to the Initiator's private authentication key. Implementations should provide countermeasures to side-channel attacks attacks, such as timing attacks. Intermediate computed values values, such as ephemeral ECDH keys and ECDH shared secrets MUST secrets, <bcp14>MUST</bcp14> be deleted after key derivation is completed.</t>
        <t>The Initiator and the Responder are responsible for verifying the integrity and validity of certificates. Verification of validity may require the use of a Real-Time Clock (RTC). The selection of trusted CAs certification authorities (CAs) should be done very carefully and certificate revocation should be supported. The choice of revocation mechanism is left to the application. For example, in case of X.509 certificates, Certificate Revocation Lists <xref target="RFC5280"/> or OCSP the Online Certificate Status Protocol (OCSP) <xref target="RFC6960"/> may be used.</t>
        <t>Similar considerations as for certificates are needed for CWT/CCS. The endpoints are responsible for verifying the integrity and validity of CWT/CCS, CWT/CCS and to handle revocation. The application needs to determine what trust anchors are relevant, relevant and have a well-defined trust-establishment process. A self-signed certificate/CWT certificate / CWT or CCS appearing in the protocol cannot be a trigger to modify the set of trust anchors. One common way for a new trust anchor to be added to (or removed from) a device is by means firmware upgrade. See <xref target="RFC9360"/> for a longer discussion on trust and validation in constrained devices.</t>
        <t>Just like for certificates, the contents of the COSE header parameters 'kcwt' and 'kccs' defined in <xref target="cwt-header-param"/> must be processed as untrusted input. inputs. Endpoints that intend to rely on the assertions made by a CWT/CCS obtained from any of these methods need to validate the contents. For 'kccs', which enables transport of raw public keys, the data structure used does not include any protection or verification data. 'kccs' may be used for unauthenticated operations, e.g. e.g., trust on first use, with the limitations and caveats entailed, entailed; see <xref target="tofu"/>.</t>
        <t>The Initiator and the Responder are allowed to select the connection identifier identifiers C_I and C_R, respectively, for the other party to use in the ongoing EDHOC session as well as in a subsequent application protocol (e.g., OSCORE <xref target="RFC8613"/>). The choice of the connection identifier is not security critical in EDHOC but intended to simplify the retrieval of the right security context in combination with using short identifiers. If the wrong connection identifier of the other party is used in a protocol message message, it will result in the receiving party not being able to retrieve a security context (which will abort the EDHOC session) or retrieve the wrong security context (which also aborts the EDHOC session as the message cannot be verified).</t>
        <t>If two nodes unintentionally initiate two simultaneous EDHOC sessions with each other other, even if they only want to complete a single EDHOC session, they MAY <bcp14>MAY</bcp14> abort the EDHOC session with the lexicographically smallest G_X. Note that in cases where several EDHOC sessions with different parameter sets (method, COSE headers, etc.) are used, an attacker can affect which parameter set will be used by blocking some of the parameter sets.</t>
        <t>If supported by the device, it is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that at least the long-term private keys are stored in a Trusted Execution Environment (TEE, (TEE) (for example, see for example <xref target="RFC9397"/>) and that sensitive operations using these keys are performed inside the TEE.  To achieve even higher security security, it is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that additional operations such as ephemeral key generation, all computations of shared secrets, and storage of the PRK keys can be done inside the TEE. The use of a TEE aims at preventing code within that environment to be tampered with, with and preventing data used by such code to be read or tampered with by code outside that environment.</t>
        <t>Note that HKDF-Expand has a relatively small maximum output length of 255 <contact fullname="⋅"/>  hash_length, where hash_length is the output size in bytes of the EDHOC hash algorithm of the selected cipher suite. This means that when SHA-256 is used as a hash algorithm, PLAINTEXT_2 cannot be longer than 8160 bytes. This is probably not a limitation for most intended applications, but to be able to support support, for example example, long certificate chains or large external authorization data, there is a backwards compatible method specified in <xref target="large-plaintext_2"/>.</t>
        <t>The sequence of transcript hashes in EDHOC (TH_2, TH_3, and TH_4) does not make use of a so-called running hash. This is a design choice choice, as running hashes are often not supported on constrained platforms.</t>
        <t>When parsing a received EDHOC message, implementations MUST <bcp14>MUST</bcp14> abort the EDHOC session if the message does not comply with the CDDL for that message. Implementations are not required to support non-deterministic encodings and <bcp14>MAY</bcp14> abort the EDHOC session if the received EDHOC message is not encoded using deterministic CBOR. Implementations <bcp14>MUST</bcp14> abort the EDHOC session if validation of a received public key fails or if any cryptographic field has the wrong length. It is RECOMMENDED <bcp14>RECOMMENDED</bcp14> to abort the EDHOC session if the received EDHOC message is not encoded using deterministic CBOR.</t>
      </section>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This Section section gives IANA Considerations considerations and, unless otherwise noted, conforms with <xref target="RFC8126"/>.</t>
      <section anchor="exporter-label">
        <name>EDHOC Exporter Label Registry</name>
        <t>IANA is requested to create has created a new registry under the new registry group "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t>
        <t>Registry Name: EDHOC
	<dl newline="false" spacing="normal">
        <dt>Registry Name:</dt> <dd>EDHOC Exporter Label</t>
        <t>Reference: [[this document]]</t>
        <figure anchor="fig-exporter-label"> Labels</dd>
        <dt>Reference:</dt> <dd>RFC 9528</dd>
	</dl>

<table anchor="tab-exporter-label">
<name>EDHOC exporter label.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="288" width="536" viewBox="0 0 536 288" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,256" fill="none" stroke="black"/>
                <path d="M 120,32 L 120,256" fill="none" stroke="black"/>
                <path d="M 368,32 L 368,256" fill="none" stroke="black"/>
                <path d="M 528,32 L 528,256" fill="none" stroke="black"/>
                <path d="M 8,32 L 528,32" fill="none" stroke="black"/>
                <path d="M 8,62 L 528,62" fill="none" stroke="black"/>
                <path d="M 8,66 L 528,66" fill="none" stroke="black"/>
                <path d="M 8,96 L 528,96" fill="none" stroke="black"/>
                <path d="M 8,128 L 528,128" fill="none" stroke="black"/>
                <path d="M 8,160 L 528,160" fill="none" stroke="black"/>
                <path d="M 8,192 L 528,192" fill="none" stroke="black"/>
                <path d="M 8,224 L 528,224" fill="none" stroke="black"/>
                <path d="M 8,256 L 528,256" fill="none" stroke="black"/>
                <g class="text">
                  <text x="40" y="52">Label</text>
                  <text x="176" y="52">Description</text>
                  <text x="416" y="52">Reference</text>
                  <text x="24" y="84">0</text>
                  <text x="160" y="84">Derived</text>
                  <text x="220" y="84">OSCORE</text>
                  <text x="276" y="84">Master</text>
                  <text x="332" y="84">Secret</text>
                  <text x="404" y="84">[[this</text>
                  <text x="476" y="84">document]]</text>
                  <text x="24" y="116">1</text>
                  <text x="160" y="116">Derived</text>
                  <text x="220" y="116">OSCORE</text>
                  <text x="276" y="116">Master</text>
                  <text x="324" y="116">Salt</text>
                  <text x="404" y="116">[[this</text>
                  <text x="476" y="116">document]]</text>
                  <text x="36" y="148">2-22</text>
                  <text x="172" y="148">Unassigned</text>
                  <text x="28" y="180">23</text>
                  <text x="164" y="180">Reserved</text>
                  <text x="404" y="180">[[this</text>
                  <text x="476" y="180">document]]</text>
                  <text x="52" y="212">24-32767</text>
                  <text x="172" y="212">Unassigned</text>
                  <text x="64" y="244">32768-65535</text>
                  <text x="160" y="244">Private</text>
                  <text x="208" y="244">Use</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
+-------------+------------------------------+-------------------+
| Label       | Description                  | Reference         |
+=============+==============================+===================+
| 0           | Derived Exporter Labels</name>
<thead>
<tr>
<th>Label</th>
<th>Description</th>
<th>Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>Derived OSCORE Master Secret | [[this document]] |
+-------------+------------------------------+-------------------+
| 1           | Derived Secret</td>
<td>RFC 9528</td>
</tr> <tr>
<td>1</td>
<td>Derived OSCORE Master Salt   | [[this document]] |
+-------------+------------------------------+-------------------+
| 2-22        | Unassigned                   |                   |
+-------------+------------------------------+-------------------+
| 23          | Reserved                     | [[this document]] |
+-------------+------------------------------+-------------------+
| 24-32767    | Unassigned                   |                   |
+-------------+------------------------------+-------------------+
| 32768-65535 | Salt</td>
<td>RFC 9528</td>
</tr><tr>
<td>2-22</td>
<td>Unassigned</td>
<td></td>
</tr>
<tr>
<td>23</td>
<td>Reserved</td>
<td>RFC 9528</td>
</tr> <tr>
<td>24-32767</td>
<td>Unassigned</td>
<td></td>
</tr><tr>
<td>32768-65535</td>
<td>Reserved for Private Use                  |                   |
+-------------+------------------------------+-------------------+

]]></artwork>
          </artset>
        </figure>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="160" width="432" viewBox="0 0 432 160" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,32 L 8,128" fill="none" stroke="black"/>
              <path d="M 120,32 L 120,128" fill="none" stroke="black"/>
              <path d="M 424,32 L 424,128" fill="none" stroke="black"/>
              <path d="M 8,32 L 424,32" fill="none" stroke="black"/>
              <path d="M 8,62 L 424,62" fill="none" stroke="black"/>
              <path d="M 8,66 L 424,66" fill="none" stroke="black"/>
              <path d="M 8,96 L 424,96" fill="none" stroke="black"/>
              <path d="M 8,128 L 424,128" fill="none" stroke="black"/>
              <g class="text">
                <text x="40" y="52">Range</text>
                <text x="180" y="52">Registration</text>
                <text x="276" y="52">Procedures</text>
                <text x="24" y="84">0</text>
                <text x="44" y="84">to</text>
                <text x="68" y="84">23</text>
                <text x="168" y="84">Standards</text>
                <text x="236" y="84">Action</text>
                <text x="28" y="116">24</text>
                <text x="52" y="116">to</text>
                <text x="88" y="116">32767</text>
                <text x="156" y="116">Expert</text>
                <text x="212" y="116">Review</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
+-------------+-------------------------------------+
| Range       | Registration Use</td>
<td></td>
</tr>
</tbody>
</table>

<t>This registry also has a "Change Controller" field. For registrations made by IETF documents, the IETF is listed.</t>

<table>
  <name>Registration Procedures             |
+=============+=====================================+
| 0 to 23     | Standards Action                    |
+-------------+-------------------------------------+
| 24 to 32767 | Expert Review                       |
+-------------+-------------------------------------+

]]></artwork>
        </artset> for EDHOC Exporter Labels</name>
  <thead>
    <tr>
      <th>Range</th>
      <th>Registration Procedures</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>0-23</td>
      <td>Standards Action</td>
    </tr>
    <tr>
      <td>24-32767</td>
      <td>Expert Review</td>
    </tr>
    <tr>
      <td>32768-65535</td>
      <td>Private Use</td>
    </tr>
  </tbody>
</table>

      </section>
      <section anchor="suites-registry">
        <name>EDHOC Cipher Suites Registry</name>
        <t>IANA is requested to create has created a new registry under the new registry group "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t>
        <t>Registry Name: EDHOC
	<dl newline="false" spacing="normal">
        <dt>Registry Name:</dt> <dd>EDHOC Cipher Suites</t>
        <t>Reference: [[this document]]</t> Suites</dd>
        <dt>Reference:</dt> <dd>RFC 9528</dd>
	</dl>
        <t>The columns of the registry are Value, Array and Array, Description, and Reference, where Value is an integer and the other columns are text strings. The initial contents of the registry are:</t>
        <artwork><![CDATA[
Value: -24
Array: N/A
Description: Private Use
Reference: [[this document]]
]]></artwork>
        <artwork><![CDATA[
Value: -23
Array: N/A
Description: Private Use
Reference: [[this document]]
]]></artwork>
        <artwork><![CDATA[
Value: -22
Array: N/A
Description: Private Use
Reference: [[this document]]
]]></artwork>
        <artwork><![CDATA[
Value: -21
Array: N/A
Description: Private Use
Reference: [[this document]]
]]></artwork>
        <artwork><![CDATA[
Value: 0
Array: 10,

	<table>
	  <name>EDHOC Cipher Suites</name>
  <thead>
    <tr>
      <th>Value</th>
      <th>Array</th>
      <th>Description</th>
      <th>Reference</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>-24</td>
      <td>N/A</td>
      <td>Private Use</td>
      <td>RFC 9528</td>
    </tr>
    <tr>
      <td>-23</td>
      <td>N/A</td>
      <td>Private Use</td>
      <td>RFC 9528</td>
    </tr>
    <tr>
      <td>-22</td>
      <td>N/A</td>
      <td>Private Use</td>
      <td>RFC 9528</td>
    </tr>
    <tr>
      <td>-21</td>
      <td>N/A</td>
      <td>Private Use</td>
      <td>RFC 9528</td>
    </tr>
    <tr>
      <td>0</td>
      <td>10, -16, 8, 4, -8, 10, -16
Description: AES-CCM-16-64-128, -16</td>
      <td>AES-CCM-16-64-128, SHA-256, 8, X25519, EdDSA,
      AES-CCM-16-64-128, SHA-256
Reference: [[this document]]
]]></artwork>
        <artwork><![CDATA[
Value: 1
Array: 30, AES&nbhy;CCM&nbhy;16&nbhy;64&nbhy;128, SHA-256</td>
      <td>RFC 9528</td>
    </tr>
    <tr>
      <td>1</td>
      <td>30, -16, 16, 4, -8, 10, -16
Description: AES-CCM-16-128-128, SHA-256, -16</td>
      <td>AES-CCM-16-128-128, SHA&nbhy;256, 16, X25519, EdDSA,
      AES-CCM-16-64-128, SHA-256
Reference: [[this document]]
]]></artwork>
        <artwork><![CDATA[
Value: 2
Array: 10, AES&nbhy;CCM&nbhy;16&nbhy;64&nbhy;128, SHA-256</td>
      <td>RFC 9528</td>
    </tr>
    <tr>
      <td>2</td>
      <td>10, -16, 8, 1, -7, 10, -16
Description: AES-CCM-16-64-128, -16</td>
      <td>AES-CCM-16-64-128, SHA-256, 8, P-256, ES256,
      AES-CCM-16-64-128, SHA-256
Reference: [[this document]]
]]></artwork>
        <artwork><![CDATA[
Value: 3
Array: 30, AES&nbhy;CCM&nbhy;16&nbhy;64&nbhy;128, SHA-256</td>
      <td>RFC 9528</td>
    </tr>
    <tr>
      <td>3</td>
      <td>30, -16, 16, 1, -7, 10, -16
Description: AES-CCM-16-128-128, SHA-256, -16</td>
      <td>AES-CCM-16-128-128, SHA&nbhy;256, 16, P-256, ES256,
      AES-CCM-16-64-128, SHA-256
Reference: [[this document]]
]]></artwork>
        <artwork><![CDATA[
Value: 4
Array: 24, AES&nbhy;CCM&nbhy;16&nbhy;64&nbhy;128, SHA-256</td>
      <td>RFC 9528</td>
    </tr>
    <tr>
      <td>4</td>
      <td>24, -16, 16, 4, -8, 24, -16
Description: ChaCha20/Poly1305, -16</td>
      <td>ChaCha20/Poly1305, SHA-256, 16, X25519, EdDSA, ChaCha20/Poly1305, SHA-256
Reference: [[this document]]
]]></artwork>
        <artwork><![CDATA[
Value: 5
Array: 24, SHA-256</td>
      <td>RFC 9528</td>
    </tr>
    <tr>
      <td>5</td>
      <td>24, -16, 16, 1, -7, 24, -16
Description: ChaCha20/Poly1305, -16</td>
      <td>ChaCha20/Poly1305, SHA-256, 16, P-256, ES256,
      ChaCha20/Poly1305, SHA-256
Reference: [[this document]]
]]></artwork>
        <artwork><![CDATA[
Value: 6
Array: 1, ChaCha20/&wj;Poly1305, SHA-256</td>
      <td>RFC 9528</td>
    </tr>
    <tr>
      <td>6</td>
      <td>1, -16, 16, 4, -7, 1, -16
Description: A128GCM, -16</td>
      <td>A128GCM, SHA-256, 16, X25519, ES256, A128GCM, SHA-256
Reference: [[this document]]
]]></artwork>
        <artwork><![CDATA[
Value: 23
Reserved
Reference: [[this document]]
]]></artwork>
        <artwork><![CDATA[
Value: 24
Array: 3, SHA-256</td>
      <td>RFC 9528</td>
    </tr>
    <tr>

      <td>23</td>
      <td>Reserved</td>
      <td></td>
      <td>RFC 9528</td>
    </tr>
    <tr>

      <td>24</td>
      <td>3, -43, 16, 2, -35, 3, -43
Description: A256GCM, -43</td>
      <td>A256GCM, SHA-384, 16, P-384, ES384,
      A256GCM, SHA-384
Reference: [[this document]]
]]></artwork>
        <artwork><![CDATA[
Value: 25
Array: 24, SHA-384</td>
      <td>RFC 9528</td>
    </tr>
    <tr>
      <td>25</td>
      <td>24, -45, 16, 5, -8, 24, -45
Description: ChaCha20/Poly1305, -45</td>
      <td>ChaCha20/Poly1305, SHAKE256, 16, X448, EdDSA,
      ChaCha20/Poly1305, SHAKE256
Reference: [[this document]]
]]></artwork>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="456" viewBox="0 0 456 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,32 L 8,160" fill="none" stroke="black"/>
              <path d="M 144,32 L 144,160" fill="none" stroke="black"/>
              <path d="M 448,32 L 448,160" fill="none" stroke="black"/>
              <path d="M 8,32 L 448,32" fill="none" stroke="black"/>
              <path d="M 8,62 L 448,62" fill="none" stroke="black"/>
              <path d="M 8,66 L 448,66" fill="none" stroke="black"/>
              <path d="M 8,96 L 448,96" fill="none" stroke="black"/>
              <path d="M 8,128 L 448,128" fill="none" stroke="black"/>
              <path d="M 8,160 L 448,160" fill="none" stroke="black"/>
              <g class="text">
                <text x="40" y="52">Range</text>
                <text x="204" y="52">Registration</text>
                <text x="300" y="52">Procedures</text>
                <text x="44" y="84">-65536</text>
                <text x="84" y="84">to</text>
                <text x="112" y="84">-25</text>
                <text x="208" y="84">Specification</text>
                <text x="300" y="84">Required</text>
                <text x="32" y="116">-20</text>
                <text x="60" y="116">to</text>
                <text x="84" y="116">23</text>
                <text x="192" y="116">Standards</text>
                <text x="260" y="116">Action</text>
                <text x="308" y="116">with</text>
                <text x="356" y="116">Expert</text>
                <text x="412" y="116">Review</text>
                <text x="28" y="148">24</text>
                <text x="52" y="148">to</text>
                <text x="88" y="148">65535</text>
                <text x="208" y="148">Specification</text>
                <text x="300" y="148">Required</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
+----------------+-------------------------------------+
| Range          | Registration SHAKE256</td>
      <td>RFC 9528</td>
    </tr>
  </tbody>
</table>

<table>
  <name>Registration Procedures             |
+================+=====================================+
| -65536 to -25  | Specification Required              |
+----------------+-------------------------------------+
| -20 for EDHOC Cipher Suites</name>
  <thead>
    <tr>
      <th>Range</th>
      <th>Registration Procedures</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>-65536 to -25</td>
      <td>Specification Required</td>
    </tr>
    <tr>
      <td>-24 to -21</td>
      <td>Private Use</td>
    </tr>
    <tr>
      <td>-20 to 23      | Standards 23</td>
      <td>Standards Action with Expert Review |
+----------------+-------------------------------------+
| 24 to 65535    | Specification Required              |
+----------------+-------------------------------------+
]]></artwork>
        </artset> Review</td>
    </tr>
    <tr>
      <td>24 to 65535</td>
      <td>Specification Required</td>
    </tr>
  </tbody>
</table>

      </section>
      <section anchor="method-types">
        <name>EDHOC Method Type Registry</name>
        <t>IANA is requested to create has created a new registry under the new registry group "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t>
        <t>Registry Name: EDHOC
	<dl newline="false" spacing="normal">
        <dt>Registry Name:</dt> <dd>EDHOC Method Type</t>
        <t>Reference: [[this document]]</t> Types</dd>
        <dt>Reference:</dt> <dd>RFC 9528</dd>
	</dl>
        <t>The columns of the registry are Value, Initiator Authentication Key, and Responder Authentication Key, and Reference, where Value is an integer and the key columns are text strings describing the authentication keys.</t>
        <t>The initial contents of the registry are shown in <xref target="fig-method-types"/>. target="tab-method-types"/>. Method 23 is Reserved.</t>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="456" viewBox="0 0 456 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,32 L 8,160" fill="none" stroke="black"/>
              <path d="M 144,32 L 144,160" fill="none" stroke="black"/>
              <path d="M 448,32 L 448,160" fill="none" stroke="black"/>
              <path d="M 8,32 L 448,32" fill="none" stroke="black"/>
              <path d="M 8,62 L 448,62" fill="none" stroke="black"/>
              <path d="M 8,66 L 448,66" fill="none" stroke="black"/>
              <path d="M 8,96 L 448,96" fill="none" stroke="black"/>
              <path d="M 8,128 L 448,128" fill="none" stroke="black"/>
              <path d="M 8,160 L 448,160" fill="none" stroke="black"/>
              <g class="text">
                <text x="40" y="52">Range</text>
                <text x="204" y="52">Registration</text>
                <text x="300" y="52">Procedures</text>
                <text x="44" y="84">-65536</text>
                <text x="84" y="84">to</text>
                <text x="112" y="84">-25</text>
                <text x="208" y="84">Specification</text>
                <text x="300" y="84">Required</text>
                <text x="32" y="116">-24</text>
                <text x="60" y="116">to</text>
                <text x="84" y="116">23</text>
                <text x="192" y="116">Standards</text>
                <text x="260" y="116">Action</text>
                <text x="308" y="116">with</text>
                <text x="356" y="116">Expert</text>
                <text x="412" y="116">Review</text>
                <text x="28" y="148">24</text>
                <text x="52" y="148">to</text>
                <text x="88" y="148">65535</text>
                <text x="208" y="148">Specification</text>
                <text x="300" y="148">Required</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
+----------------+-------------------------------------+
| Range          | Registration

	<table>
	  <name>Registration Procedures             |
+================+=====================================+
| -65536 to -25  | Specification Required              |
+----------------+-------------------------------------+
| -24 for EDHOC Method Types</name>
	  <thead>
	    <tr>
	      <th>Range</th>
	      <th>Registration Procedures</th>
	    </tr>
	  </thead>
	  <tbody>
	    <tr>
	      <td>-65536 to -25</td>
	      <td>Specification Required</td>
	    </tr>
	    <tr>
	      <td>-24 to 23      | Standards 23</td>
	      <td>Standards Action with Expert Review |
+----------------+-------------------------------------+
| 24 to 65535    | Specification Required              |
+----------------+-------------------------------------+
]]></artwork>
        </artset> Review</td>
	    </tr>
	    <tr>
	      <td>24 to 65535</td>
	      <td>Specification Required</td>
	    </tr>
	  </tbody>
	</table>
      </section>
      <section anchor="error-code-reg">
        <name>EDHOC Error Codes Registry</name>
        <t>IANA is requested to create has created a new registry under the new registry group "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t>
        <t>Registry Name: EDHOC
	<dl newline="false" spacing="normal">
        <dt>Registry Name:</dt>  <dd>EDHOC Error Codes</t>
        <t>Reference: [[this document]]</t> Codes</dd>
        <dt>Reference:</dt> <dd>RFC 9528</dd>
      </dl>
        <t>The columns of the registry are ERR_CODE, ERR_INFO Type, Description, Change Controller, and Reference, where ERR_CODE is an integer, ERR_INFO is a CDDL defined type, and Description is a text string. The initial contents of the registry are shown in <xref target="fig-error-codes"/>. target="tab-error-codes"/>. Error code 23 is Reserved.</t>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="456" viewBox="0 0 456 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,32 L 8,160" fill="none" stroke="black"/>
              <path d="M 144,32 L 144,160" fill="none" stroke="black"/>
              <path d="M 448,32 L 448,160" fill="none" stroke="black"/>
              <path d="M 8,32 L 448,32" fill="none" stroke="black"/>
              <path d="M 8,62 L 448,62" fill="none" stroke="black"/>
              <path d="M 8,66 L 448,66" fill="none" stroke="black"/>
              <path d="M 8,96 L 448,96" fill="none" stroke="black"/>
              <path d="M 8,128 L 448,128" fill="none" stroke="black"/>
              <path d="M 8,160 L 448,160" fill="none" stroke="black"/>
              <g class="text">
                <text x="40" y="52">Range</text>
                <text x="204" y="52">Registration</text>
                <text x="300" y="52">Procedures</text>
                <text x="44" y="84">-65536</text>
                <text x="84" y="84">to</text>
                <text x="112" y="84">-25</text>
                <text x="180" y="84">Expert</text>
                <text x="236" y="84">Review</text>
                <text x="32" y="116">-24</text>
                <text x="60" y="116">to</text>
                <text x="84" y="116">23</text>
                <text x="192" y="116">Standards</text>
                <text x="260" y="116">Action</text>
                <text x="28" y="148">24</text>
                <text x="52" y="148">to</text>
                <text x="88" y="148">65535</text>
                <text x="180" y="148">Expert</text>
                <text x="236" y="148">Review</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
+----------------+-------------------------------------+
| Range          | Registration Reserved. This registry also has a "Change Controller" field. For registrations made by IETF documents, the IETF is listed.</t>

	<table>
	  <name>Registration Procedures             |
+================+=====================================+
| -65536 to -25  | Expert Review                       |
+----------------+-------------------------------------+
| -24 to 23      | Standards Action                    |
+----------------+-------------------------------------+
| 24 to 65535    | Expert Review                       |
+----------------+-------------------------------------+
]]></artwork>
        </artset> for EDHOC Error Codes</name>
	  <thead>
	    <tr>
	      <th>Range</th>
	      <th>Registration Procedures</th>
	    </tr>
	  </thead>
	  <tbody>
	    <tr>
	      <td>-65536 to -25</td>
	      <td>Expert Review</td>
	      </tr><tr>
	      <td>-24 to 23</td>
	      <td>Standards Action</td>
	      </tr><tr>
	      <td>24 to 65535</td>
	      <td>Expert Review</td>
	    </tr>
	  </tbody>
	</table>

      </section>
      <section anchor="iana-ead">
        <name>EDHOC External Authorization Data Registry</name>
        <t>IANA is requested to create has created a new registry under the new registry group "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t>
        <t>Registry Name: EDHOC
	<dl newline="false" spacing="normal">
        <dt>Registry Name:</dt> <dd>EDHOC External Authorization Data</t>
        <t>Reference: [[this document]]</t> Data</dd>
        <dt>Reference:</dt> <dd>RFC 9528</dd>
      </dl>
        <t>The columns of the registry are Name, Label, Description, and Reference, where Label is a non-negative nonnegative integer and the other columns are text strings. The initial contents of the registry is are shown in <xref target="fig-ead-labels"/>. target="tab-ead-labels"/>. EAD label 23 is Reserved.</t>
        <figure anchor="fig-ead-labels">
          <name>EAD labels.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="128" width="536" viewBox="0 0 536 128" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,112" fill="none" stroke="black"/>
                <path d="M 104,32 L 104,112" fill="none" stroke="black"/>
                <path d="M 168,32 L 168,112" fill="none" stroke="black"/>
                <path d="M 368,32 L 368,112" fill="none" stroke="black"/>
                <path d="M 528,32 L 528,112" fill="none" stroke="black"/>
                <path d="M 8,32 L 528,32" fill="none" stroke="black"/>
                <path d="M 8,62 L 528,62" fill="none" stroke="black"/>
                <path d="M 8,66 L 528,66" fill="none" stroke="black"/>
                <path d="M 8,112 L 528,112" fill="none" stroke="black"/>
                <g class="text">
                  <text x="36" y="52">Name</text>
                  <text x="136" y="52">Label</text>
                  <text x="224" y="52">Description</text>
                  <text x="416" y="52">Reference</text>
                  <text x="48" y="84">Padding</text>
                  <text x="136" y="84">0</text>
                  <text x="212" y="84">Randomly</text>
                  <text x="288" y="84">generated</text>
                  <text x="404" y="84">[[this</text>
                  <text x="476" y="84">document]]</text>
                  <text x="196" y="100">CBOR</text>
                  <text x="236" y="100">byte</text>
                  <text x="284" y="100">string</text>
                  <text x="408" y="100">Section</text>
                  <text x="464" y="100">3.8.1</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
+-----------+-------+------------------------+-------------------+
| Name      | Label | Description            | Reference         |
+===========+=======+========================+===================+
| Padding   |   0   | Randomly

	<table anchor="tab-ead-labels">
	  <name>EDHOC EAD Labels</name>
	  <thead>
	    <tr>
	      <th>Name</th>
	      <th>Label</th>
	      <th>Description</th>
	      <th>Reference</th>
	    </tr>
	  </thead>
	  <tbody>
	    <tr>
	      <td>Padding</td>
	      <td>0</td>
	      <td>Randomly generated     | [[this document]] |
|           |       | CBOR byte string       | Section 3.8.1     |
+-----------+-------+------------------------+-------------------+
]]></artwork>
          </artset>
        </figure>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="160" width="432" viewBox="0 0 432 160" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,32 L 8,128" fill="none" stroke="black"/>
              <path d="M 120,32 L 120,128" fill="none" stroke="black"/>
              <path d="M 424,32 L 424,128" fill="none" stroke="black"/>
              <path d="M 8,32 L 424,32" fill="none" stroke="black"/>
              <path d="M 8,62 L 424,62" fill="none" stroke="black"/>
              <path d="M 8,66 L 424,66" fill="none" stroke="black"/>
              <path d="M 8,96 L 424,96" fill="none" stroke="black"/>
              <path d="M 8,128 L 424,128" fill="none" stroke="black"/>
              <g class="text">
                <text x="40" y="52">Range</text>
                <text x="180" y="52">Registration</text>
                <text x="276" y="52">Procedures</text>
                <text x="24" y="84">0</text>
                <text x="44" y="84">to</text>
                <text x="68" y="84">23</text>
                <text x="168" y="84">Standards</text>
                <text x="236" y="84">Action</text>
                <text x="284" y="84">with</text>
                <text x="332" y="84">Expert</text>
                <text x="388" y="84">Review</text>
                <text x="28" y="116">24</text>
                <text x="52" y="116">to</text>
                <text x="88" y="116">65535</text>
                <text x="184" y="116">Specification</text>
                <text x="276" y="116">Required</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
+-------------+-------------------------------------+
| Range       | Registration Procedures             |
+=============+=====================================+
| 0 string</td>
	      <td>RFC 9528, <xref target="padding"/></td>
	    </tr>
	    <tr>
	      <td></td>
	      <td>23</td>
	      <td>Reserved</td>
	      <td>RFC 9528</td>
	    </tr>
	  </tbody>
	</table>

	<table>
	  <name>Registration procedures for EDHOC EAD Labels</name>
  <thead>
    <tr>
      <th>Range</th>
      <th>Registration Procedures</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>0 to 23     | Standards 23</td>
      <td>Standards Action with Expert Review |
+-------------+-------------------------------------+
| 24 to 65535 | Specification Required              |
+-------------+-------------------------------------+

]]></artwork>
        </artset> Review</td>
      </tr><tr>
      <td>24 to 65535</td>
      <td>Specification Required</td>
    </tr>
  </tbody>
</table>

      </section>
      <section anchor="cwt-header-param">
        <name>COSE Header Parameters Registry</name>
        <t>IANA is requested to register has registered the following entries in the "COSE Header Parameters" registry under the registry group "CBOR Object Signing and Encryption (COSE)" (see <xref target="fig-header-params"/>): target="tab-header-params"/>). The value of the 'kcwt' header parameter is a COSE Web Token (CWT) <xref target="RFC8392"/>, and the value of the 'kccs' header parameter is a CWT Claims Set (CCS), (CCS); see <xref target="term"/>. The CWT/CCS must contain a COSE_Key in a 'cnf' claim <xref target="RFC8747"/>. The Value Registry column for this item is empty and omitted from the table below.</t>
        <figure anchor="fig-header-params">

	<table anchor="tab-header-params">
	  <name>COSE header parameter labels.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="560" viewBox="0 0 560 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,240" fill="none" stroke="black"/>
                <path d="M 64,32 L 64,240" fill="none" stroke="black"/>
                <path d="M 128,32 L 128,240" fill="none" stroke="black"/>
                <path d="M 256,32 L 256,240" fill="none" stroke="black"/>
                <path d="M 552,32 L 552,240" fill="none" stroke="black"/>
                <path d="M 8,32 L 552,32" fill="none" stroke="black"/>
                <path d="M 8,62 L 552,62" fill="none" stroke="black"/>
                <path d="M 8,66 L 552,66" fill="none" stroke="black"/>
                <path d="M 8,160 L 552,160" fill="none" stroke="black"/>
                <path d="M 8,240 L 552,240" fill="none" stroke="black"/>
                <g class="text">
                  <text x="36" y="52">Name</text>
                  <text x="96" y="52">Label</text>
                  <text x="160" y="52">Value</text>
                  <text x="204" y="52">Type</text>
                  <text x="312" y="52">Description</text>
                  <text x="36" y="84">kcwt</text>
                  <text x="92" y="84">TBD1</text>
                  <text x="192" y="84">COSE_Messages</text>
                  <text x="272" y="84">A</text>
                  <text x="300" y="84">CBOR</text>
                  <text x="336" y="84">Web</text>
                  <text x="376" y="84">Token</text>
                  <text x="424" y="84">(CWT)</text>
                  <text x="492" y="84">containing</text>
                  <text x="272" y="100">a</text>
                  <text x="316" y="100">COSE_Key</text>
                  <text x="364" y="100">in</text>
                  <text x="384" y="100">a</text>
                  <text x="416" y="100">'cnf'</text>
                  <text x="464" y="100">claim</text>
                  <text x="504" y="100">and</text>
                  <text x="300" y="116">possibly</text>
                  <text x="360" y="116">other</text>
                  <text x="416" y="116">claims.</text>
                  <text x="464" y="116">CWT</text>
                  <text x="492" y="116">is</text>
                  <text x="296" y="132">defined</text>
                  <text x="340" y="132">in</text>
                  <text x="368" y="132">RFC</text>
                  <text x="408" y="132">8392.</text>
                  <text x="488" y="132">COSE_Messages</text>
                  <text x="276" y="148">is</text>
                  <text x="320" y="148">defined</text>
                  <text x="364" y="148">in</text>
                  <text x="392" y="148">RFC</text>
                  <text x="432" y="148">9052.</text>
                  <text x="36" y="180">kccs</text>
                  <text x="92" y="180">TBD2</text>
                  <text x="152" y="180">map</text>
                  <text x="272" y="180">A</text>
                  <text x="296" y="180">CWT</text>
                  <text x="340" y="180">Claims</text>
                  <text x="384" y="180">Set</text>
                  <text x="424" y="180">(CCS)</text>
                  <text x="492" y="180">containing</text>
                  <text x="272" y="196">a</text>
                  <text x="316" y="196">COSE_Key</text>
                  <text x="364" y="196">in</text>
                  <text x="384" y="196">a</text>
                  <text x="416" y="196">'cnf'</text>
                  <text x="464" y="196">claim</text>
                  <text x="504" y="196">and</text>
                  <text x="300" y="212">possibly</text>
                  <text x="360" y="212">other</text>
                  <text x="416" y="212">claims.</text>
                  <text x="464" y="212">CCS</text>
                  <text x="492" y="212">is</text>
                  <text x="296" y="228">defined</text>
                  <text x="340" y="228">in</text>
                  <text x="368" y="228">RFC</text>
                  <text x="408" y="228">8392.</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
+------+-------+---------------+------------------------------------+
| Name | Label | Value Type    | Description                        |
+======+=======+===============+====================================+
| kcwt | TBD1  | COSE_Messages | A Header Parameter Labels</name>

	  <thead>
	    <tr>
	      <th>Name</th>
	      <th>Label</th>
	      <th>Value Type</th>
	      <th>Description</th>
	    </tr>
	  </thead>
	  <tbody>
	    <tr>
	      <td>kcwt</td>
	      <td>13</td>
	      <td>COSE_Messages</td>
	      <td>A CBOR Web Token (CWT) containing  |
|      |       |               |
	      a COSE_Key in a 'cnf' claim and    |
|      |       |               |
	      possibly other claims. CWT is      |
|      |       |               |
	      defined in RFC 8392. COSE_Messages |
|      |       |               |
	      is defined in RFC 9052.            |
+------+-------+---------------+------------------------------------+
| kccs | TBD2  | map           | A 9052.</td>
	      </tr><tr>
	      <td>kccs</td>
	      <td>14</td>
	      <td>map</td>
	      <td>A CWT Claims Set (CCS) containing  |
|      |       |               |
	      a COSE_Key in a 'cnf' claim and    |
|      |       |               |
	      possibly other claims. CCS is      |
|      |       |               |
	      defined in RFC 8392.               |
+------+-------+---------------+------------------------------------+
]]></artwork>
          </artset>
        </figure> 8392.</td>
	    </tr>
	  </tbody>
	</table>

      </section>
      <section anchor="well-known">
        <name>The Well-Known
        <name>Well-Known URI Registry</name>
        <t>IANA is requested to add has added the well-known URI "edhoc" to the "Well-Known URIs" registry.</t>
        <ul spacing="normal">
          <li>URI suffix: edhoc</li>
          <li>Change controller: IETF</li>
          <li>Specification document(s): [[this document]]</li>
          <li>Related information: None</li>
        </ul>
        <dl>
          <dt>URI Suffix:</dt><dd>edhoc</dd>
         <dt>Change Controller:</dt><dd>IETF</dd>
          <dt>Reference:</dt><dd>RFC 9528</dd>
          <dt>Related Information:</dt><dd> None</dd>
        </dl>
      </section>
      <section anchor="media-type">
        <name>Media Types Registry</name>
        <t>IANA is requested to add has added the media types "application/edhoc+cbor-seq" and "application/cid-edhoc+cbor-seq" to the "Media Types" registry.</t>
        <section anchor="applicationedhoccbor-seq-media-type-registration">
          <name>application/edhoc+cbor-seq Media Type Registration</name>
          <ul spacing="normal">
            <li>Type name: application</li>
            <li>Subtype name: edhoc+cbor-seq</li>
            <li>Required parameters: N/A</li>
            <li>Optional parameters: N/A</li>
            <li>Encoding considerations: binary</li>
            <li>Security considerations: See Section 7
          <dl>
            <dt>Type name:</dt><dd> application</dd>
            <dt>Subtype name:</dt><dd> edhoc+cbor-seq</dd>
            <dt>Required parameters:</dt><dd> N/A</dd>
            <dt>Optional parameters:</dt><dd> N/A</dd>
            <dt>Encoding considerations:</dt><dd> binary</dd>
            <dt>Security considerations:</dt><dd>See <xref target="duplication"/> of this document.</li>
            <li>Interoperability considerations: N/A</li>
            <li>Published specification: [[this document]] (this document)</li>
            <li>Applications RFC 9528.</dd>
            <dt>Interoperability considerations:</dt><dd> N/A</dd>
            <dt>Published specification:</dt><dd>RFC 9528</dd>
            <dt>Applications that use this media type: type:</dt><dd> To be identified</li>
            <li>Fragment identified</dd>
            <dt>Fragment identifier considerations: N/A</li>
            <li>
              <t>Additional considerations:</dt><dd> N/A</dd>

              <dt>Additional information:  </t>
              <ul spacing="normal">
                <li>Magic number(s): N/A</li>
                <li>File extension(s): N/A</li>
                <li>Macintosh </dt>
             <dd>
<t><br/></t>
<dl>
                <dt>Magic number(s):</dt><dd> N/A</dd>
                <dt>File extension(s):</dt><dd> N/A</dd>
                <dt>Macintosh file type code(s): N/A</li>
              </ul>
            </li>
            <li>Person code(s):</dt><dd> N/A</dd>
              </dl>
</dd>

            <dt>Person &amp; email address to contact for further information: information:</dt><dd> See "Authors' Addresses" section.</li>
            <li>Intended usage: COMMON</li>
            <li>Restrictions on usage: N/A</li>
            <li>Author: section in RFC 9528.</dd>
            <dt>Intended usage:</dt><dd> COMMON</dd>
            <dt>Restrictions on usage:</dt><dd> N/A</dd>
            <dt>Author:</dt><dd> See "Authors' Addresses" section.</li>
            <li>Change Controller: IESG</li>
          </ul> section.</dd>
            <dt>Change Controller:</dt><dd> IETF</dd>
          </dl>

      </section>
        <section anchor="applicationcid-edhoccbor-seq-media-type-registration">
          <name>application/cid-edhoc+cbor-seq Media Type Registration</name>
          <ul spacing="normal">
            <li>Type name: application</li>
            <li>Subtype name: cid-edhoc+cbor-seq</li>
            <li>Required parameters: N/A</li>
            <li>Optional parameters: N/A</li>
            <li>Encoding considerations: binary</li>
            <li>Security considerations:
          <dl>
            <dt>Type name:</dt><dd> application</dd>
            <dt>Subtype name:</dt><dd> cid-edhoc+cbor-seq</dd>
            <dt>Required parameters:</dt><dd> N/A</dd>
            <dt>Optional parameters:</dt><dd> N/A</dd>
            <dt>Encoding considerations:</dt><dd> binary</dd>
            <dt>Security considerations:</dt><dd> See Section 7 <xref target="duplication"/> of this document.</li>
            <li>Interoperability considerations: N/A</li>
            <li>Published specification: [[this document]] (this document)</li>
            <li>Applications RFC 9528.</dd>
            <dt>Interoperability considerations:</dt><dd> N/A</dd>
            <dt>Published specification:</dt><dd>RFC 9528</dd>
            <dt>Applications that use this media type: type:</dt><dd> To be identified</li>
            <li>Fragment identified</dd>
            <dt>Fragment identifier considerations: N/A</li>
            <li>
              <t>Additional information:  </t>
              <ul spacing="normal">
                <li>Magic number(s): N/A</li>
                <li>File extension(s): N/A</li>
                <li>Macintosh considerations:</dt><dd> N/A</dd>

              <dt>Additional information:</dt>
<dd>
<t><br/></t>
              <dl>
                <dt>Magic number(s):</dt><dd> N/A</dd>
                <dt>File extension(s):</dt><dd> N/A</dd>
                <dt>Macintosh file type code(s): N/A</li>
              </ul>
            </li>
            <li>Person code(s):</dt><dd> N/A</dd>
              </dl>
</dd>

            <dt>Person &amp; email address to contact for further information: information:</dt><dd> See "Authors' Addresses" section.</li>
            <li>Intended usage: COMMON</li>
            <li>Restrictions on usage: N/A</li>
            <li>Author: section in RFC 9528.</dd>
            <dt>Intended usage:</dt><dd> COMMON</dd>
            <dt>Restrictions on usage:</dt><dd> N/A</dd>
            <dt>Author:</dt><dd> See "Authors' Addresses" section.</li>
            <li>Change Controller: IESG</li>
          </ul> section.</dd>
            <dt>Change Controller:</dt><dd> IETF</dd>
          </dl>

        </section>
      </section>
      <section anchor="content-format">
        <name>CoAP Content-Formats Registry</name>
        <t>IANA is requested to add has added the media types "application/edhoc+cbor-seq" and "application/cid-edhoc+cbor-seq" to the "CoAP Content-Formats" registry under the registry group "Constrained RESTful Environments (CoRE) Parameters".</t>
        <figure anchor="fig-format-ids">

<table anchor="tab-format-ids">
  <name>CoAP Content-Format IDs</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="128" width="584" viewBox="0 0 584 128" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,112" fill="none" stroke="black"/>
                <path d="M 272,32 L 272,112" fill="none" stroke="black"/>
                <path d="M 360,32 L 360,112" fill="none" stroke="black"/>
                <path d="M 416,32 L 416,112" fill="none" stroke="black"/>
                <path d="M 576,32 L 576,112" fill="none" stroke="black"/>
                <path d="M 8,32 L 576,32" fill="none" stroke="black"/>
                <path d="M 8,62 L 576,62" fill="none" stroke="black"/>
                <path d="M 8,66 L 576,66" fill="none" stroke="black"/>
                <path d="M 8,112 L 576,112" fill="none" stroke="black"/>
                <g class="text">
                  <text x="40" y="52">Media</text>
                  <text x="84" y="52">Type</text>
                  <text x="316" y="52">Encoding</text>
                  <text x="380" y="52">ID</text>
                  <text x="464" y="52">Reference</text>
                  <text x="124" y="84">application/edhoc+cbor-seq</text>
                  <text x="288" y="84">-</text>
                  <text x="388" y="84">TBD5</text>
                  <text x="452" y="84">[[this</text>
                  <text x="524" y="84">document]]</text>
                  <text x="140" y="100">application/cid-edhoc+cbor-seq</text>
                  <text x="288" y="100">-</text>
                  <text x="388" y="100">TBD6</text>
                  <text x="452" y="100">[[this</text>
                  <text x="524" y="100">document]]</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
+--------------------------------+----------+------+-------------------+
| Media Type                     | Encoding | ID   | Reference         |
+================================+==========+======+===================+
| application/edhoc+cbor-seq     | -        | TBD5 | [[this document]] |
| application/cid-edhoc+cbor-seq | -        | TBD6 | [[this document]] |
+--------------------------------+----------+------+-------------------+
]]></artwork>
          </artset>
        </figure>
  <thead>
    <tr>
      <th>Content Type</th>
      <th>Content Coding</th>
      <th>ID</th>
      <th>Reference</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>application/edhoc+cbor-seq</td>
      <td>-</td>
      <td>64</td>
      <td>RFC 9528</td>
      </tr><tr>
      <td>application/cid-edhoc+cbor-seq</td>
      <td>-</td>
      <td>65</td>
      <td>RFC 9528</td>
    </tr>
  </tbody>
</table>

      </section>
      <section anchor="rt">
        <name>Resource Type (rt=) Link Target Attribute Values Registry</name>
        <t>IANA is requested to add has added the resource type "core.edhoc" to the "Resource Type (rt=) Link Target Attribute Values" registry under the registry group "Constrained RESTful Environments (CoRE) Parameters".</t>
        <ul spacing="normal">
          <li>Value: "core.edhoc"</li>
          <li>Description: EDHOC resource.</li>
          <li>Reference: [[this document]]</li>
        </ul>
        <dl>
          <dt>Value:</dt><dd>"core.edhoc"</dd>
          <dt>Description:</dt><dd>EDHOC resource.</dd>
          <dt>Reference:</dt><dd>RFC 9528</dd>
        </dl>
      </section>
      <section anchor="expert-review-instructions">
        <name>Expert Review Instructions</name>
        <t>The IANA Registries registries established in this document are defined as "Expert Review",  "Specification Required" Required", or "Standards Action with Expert Review". This section gives some general guidelines for what the experts should be looking for, but they are being designated as experts for a reason so they should be given substantial latitude.</t>
        <t>Expert reviewers should take into consideration the following points:</t>

        <ul spacing="normal">
          <li>Clarity
          <li>The clarity and correctness of registrations. Experts are expected to check the clarity of purpose and use of the requested entries. Expert needs to make sure the values of algorithms are taken from the right registry, registry when that is required. Experts should consider requesting an opinion on the correctness of registered parameters from relevant IETF working groups. Encodings that do not meet these objective objectives of clarity and completeness should not be registered.</li>
          <li>Experts should take into account the
          <li>The expected usage of fields when approving code point assignment. The length of the encoded value should be weighed against how many code points of that length are left, the size of device it will be used on, and the number of code points left that encode to that size.</li>
          <li>Even for
          <li>The fact that even "Expert Review" specifications are recommended. When specifications are not provided for a request where Expert Review is the assignment policy, the description provided needs to have sufficient information to verify the code points above.</li>
        </ul>
      </section>
    </section>
  </middle>
  <back>

<displayreference target="I-D.ietf-rats-eat" to="EAT"/>
<displayreference target="I-D.ietf-lake-reqs" to="LAKE-REQS"/>
<displayreference target="I-D.ietf-core-oscore-edhoc" to="EDHOC-CoAP-OSCORE"/>
<displayreference target="I-D.ietf-cose-cbor-encoded-cert" to="C509-CERTS"/>
 <displayreference target="I-D.ietf-core-oscore-key-update" to="KUDOS"/>
<displayreference target="I-D.ietf-lwig-curve-representations" to="CURVE-REPR"/>
<displayreference target="I-D.ietf-iotops-security-protocol-comparison" to="CoAP-SEC-PROT"/>
<displayreference target="I-D.irtf-cfrg-det-sigs-with-noise" to="HEDGED-ECC-SIGS"/>
<displayreference target="I-D.ietf-lake-authz" to="LAKE-AUTHZ"/>
<displayreference target="I-D.arkko-arch-internet-threat-model-guidance" to="THREAT-MODEL-GUIDANCE"/>

    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs

<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3552.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5116.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6090.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6960.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7959.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8410.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8613.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8724.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8742.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8747.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9052.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9053.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9175.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9360.xml"/>

      </references>
      <references>
        <name>Informative References</name>

<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2986.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6194.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7228.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7258.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7296.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7624.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8366.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8376.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8937.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9000.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9147.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9176.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9397.xml"/>

<!-- [I-D.ietf-rats-eat] Approved-announcement to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are be sent::AD Followup -->

<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-rats-eat.xml"/>

<!-- [I-D.ietf-lake-reqs] IESG state Expired
Long Way used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices to fix John Preuß Mattsson' last name-->

<reference anchor="I-D.ietf-lake-reqs" target="https://datatracker.ietf.org/doc/html/draft-ietf-lake-reqs-04">
<front>
<title>Requirements for the Internet Community, and requests discussion and suggestions a Lightweight AKE for improvements.</t>
            </abstract> OSCORE</title>
<author initials="M." surname="Vučinić" fullname="Mališa Vučinić">
<organization>Inria</organization>
</author>
<author initials="G." surname="Selander" fullname="Göran Selander">
<organization>Ericsson AB</organization>
</author>
<author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
<organization>Ericsson AB</organization>
</author>
<author initials="D." surname="Garcia-Carillo" fullname="Dan Garcia-Carillo">
<organization>Odin Solutions S.L.</organization>
</author>
<date month="June" day="8" year="2020"/>
</front>
<seriesInfo name="BCP" value="14"/> name="Internet-Draft" value="draft-ietf-lake-reqs-04"/>
</reference>

<!-- [I-D.ietf-lake-traces] companion doc RFC 9529 -->

<reference anchor="RFC9529" target="https://www.rfc-editor.org/info/rfc9529">
<front>
<title>Traces of Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
<author initials="G." surname="Selander" fullname="Göran Selander">
<organization>Ericsson</organization>
</author>
<author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
<organization>Ericsson</organization>
</author>
<author initials="M." surname="Serafin" fullname="Marek Serafin">
<organization>ASSA ABLOY</organization>
</author>
<author initials="M." surname="Tiloca" fullname="Marco Tiloca">
<organization>RISE</organization>
</author>
<author initials="M." surname="Vučinić" fullname="Mališa Vučinić">
<organization>Inria</organization>
</author>
<date month="March" year="2024"/>
</front>
<seriesInfo name="RFC" value="2119"/> value="RFC9529"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/> value="10.17487/RFC9529"/>
</reference>

<!-- [I-D.ietf-core-oscore-edhoc] Waiting for AD Go-Ahead -->

<xi:include
href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-core-oscore-edhoc.xml"/>

<!-- [I-D.ietf-cose-cbor-encoded-cert] IESG state I-D Exists
     Long Way used to fix John Preuß Mattsson's last name-->

<reference anchor="RFC3279" target="https://www.rfc-editor.org/info/rfc3279" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml"> anchor="I-D.ietf-cose-cbor-encoded-cert" target="https://datatracker.ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-07">
<front>
            <title>Algorithms and Identifiers for the Internet
<title>
CBOR Encoded X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title> Certificates (C509 Certificates)
</title>
<author fullname="L. Bassham" initials="L." surname="Bassham"/> initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
<organization>Ericsson AB</organization>
</author>
<author initials="G." surname="Selander" fullname="Göran Selander">
<organization>Ericsson AB</organization>
</author>
<author fullname="W. Polk" initials="W." surname="Polk"/> initials="S." surname="Raza" fullname="Shahid Raza">
<organization>RISE AB</organization>
</author>
<author fullname="R. Housley" initials="R." surname="Housley"/> initials="J." surname="Höglund" fullname="Joel Höglund">
<organization>RISE AB</organization>
</author>
<author initials="M." surname="Furuhed" fullname="Martin Furuhed">
<organization>Nexus Group</organization>
</author>
<date month="April" year="2002"/>
            <abstract>
              <t>This document specifies algorithm identifiers and ASN.1 encoding formats for digital signatures and subject public keys used in the Internet X.509 Public Key Infrastructure (PKI). Digital signatures are month="October" day="20" year="2023"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-07"/>
</reference>

<!-- [I-D.ietf-core-oscore-key-update] IESG state I-D Exists -->

<xi:include
href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-core-oscore-key-update.xml"/>

<!-- [I-D.ietf-lwig-curve-representations] IESG state IESG Evaluation::Revised I-D Needed -->

<xi:include
href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-lwig-curve-representations.xml"/>

<!-- [I-D.ietf-iotops-security-protocol-comparison] IESG state I-D Exists  -->

<xi:include
href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-iotops-security-protocol-comparison.xml"/>

<!-- [I-D.irtf-cfrg-det-sigs-with-noise] IESG state Expired
Long Way used to sign certificates fix John Preuß Mattsson's last name-->
<reference anchor="I-D.irtf-cfrg-det-sigs-with-noise" target="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-det-sigs-with-noise-00">
<front>
<title>
Deterministic ECDSA and certificate revocation list (CRLs). Certificates include the public key of the named subject. [STANDARDS-TRACK]</t>
            </abstract> EdDSA Signatures with Additional Randomness
</title>
<author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
<organization>Ericsson</organization>
</author>
<author initials="E." surname="Thormarker" fullname="Erik Thormarker">
<organization>Ericsson</organization>
</author>
<author initials="S." surname="Ruohomaa" fullname="Sini Ruohomaa">
<organization>Ericsson</organization>
</author>
<date month="August" day="8" year="2022"/>
</front>
<seriesInfo name="RFC" value="3279"/>
          <seriesInfo name="DOI" value="10.17487/RFC3279"/> name="Internet-Draft" value="draft-irtf-cfrg-det-sigs-with-noise-00"/>
</reference>

<!-- [I-D.ietf-lake-authz.xml] IESG state I-D Exists -->

<xi:include
href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-lake-authz.xml"/>

<!-- [I-D.arkko-arch-internet-threat-model-guidance] IESG state	Expired -->

<xi:include
href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.arkko-arch-internet-threat-model-guidance.xml"/>

        <reference anchor="RFC3552" target="https://www.rfc-editor.org/info/rfc3552" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3552.xml"> anchor="SP-800-56A">
          <front>
            <title>Guidelines
            <title>Recommendation for Writing RFC Text on Security Considerations</title> Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/> surname="Barker">
              <organization/>
            </author>
            <author fullname="B. Korver" initials="B." surname="Korver"/> initials="L." surname="Chen">
              <organization/>
            </author>
            <author initials="A." surname="Roginsky">
              <organization/>
            </author>
            <author initials="A." surname="Vassilev">
              <organization/>
            </author>
            <author initials="R." surname="Davis">
              <organization/>
            </author>
            <date month="July" year="2003"/>
            <abstract>
              <t>All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract> year="2018" month="April"/>
          </front>
          <seriesInfo name="BCP" value="72"/>
          <seriesInfo name="RFC" value="3552"/> name="NIST" value="Special Publication 800-56A Revision 3"/>
	  <seriesInfo name="DOI" value="10.17487/RFC3552"/> value="10.6028/NIST.SP.800-56Ar3"/>
        </reference>

        <reference anchor="RFC5116" target="https://www.rfc-editor.org/info/rfc5116" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5116.xml"> anchor="SP-800-108" target="https://doi.org/10.6028/NIST.SP.800-108r1-upd1">
          <front>
            <title>An Interface and Algorithms
            <title>Recommendation for Authenticated Encryption</title> Key Derivation Using Pseudorandom Functions</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/> initials="L." surname="Chen">
              <organization/>
            </author>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK]</t>
            </abstract> year="2022" month="August"/>
          </front>
          <seriesInfo name="RFC" value="5116"/> name="NIST" value="Special Publication 800-108 Revision 1"/>
	  <seriesInfo name="DOI" value="10.17487/RFC5116"/> value="10.6028/NIST.SP.800-108r1-upd1"/>
        </reference>

        <reference anchor="RFC5869" target="https://www.rfc-editor.org/info/rfc5869" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml"> anchor="SP800-185" target="https://doi.org/10.6028/NIST.SP.800-185">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <title>SHA-3 Derived Functions cSHAKE, KMAC, TupleHash and ParallelHash</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/> initials="J" surname="Kelsey">
              <organization/>
            </author>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/> initials="S" surname="Chang">
              <organization/>
            </author>
            <author initials="R" surname="Perlner">
              <organization/>
            </author>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract> year="2016" month="December"/>
          </front>
          <seriesInfo name="RFC" value="5869"/> name="NIST" value="Special Publication 800-185"/>
	  <seriesInfo name="DOI" value="10.17487/RFC5869"/> value="10.6028/NIST.SP.800-185"/>
        </reference>

        <reference anchor="RFC6090" target="https://www.rfc-editor.org/info/rfc6090" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6090.xml"> anchor="Degabriele11" target="https://eprint.iacr.org/2011/615">
          <front>
            <title>Fundamental Elliptic Curve Cryptography Algorithms</title>
            <title>On the Joint Security of Encryption and Signature in EMV</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/> initials="J." surname="Degabriele">
              <organization/>
            </author>
            <author initials="A." surname="Lehmann">
              <organization/>
            </author>
            <author fullname="K. Igoe" initials="K." surname="Igoe"/> surname="Paterson">
              <organization/>
            </author>
            <author initials="N." surname="Smart">
              <organization/>
            </author>
            <author fullname="M. Salter" initials="M." surname="Salter"/> surname="Strefler">
              <organization/>
            </author>
            <date month="February" year="2011"/>
            <abstract>
              <t>This note describes the fundamental algorithms of Elliptic Curve year="2011" month="December"/>
          </front>
        </reference>

        <reference anchor="NISTPQC" target="https://csrc.nist.gov/Projects/post-quantum-cryptography/faqs">
          <front>
            <title>Post-Quantum Cryptography (ECC) as they were defined in some seminal references from 1994 FAQs</title>
            <author>
              <organization>National Institute Standards and earlier. These descriptions may be useful for implementing the fundamental algorithms without using any of the specialized methods that were developed in following years. Only elliptic curves defined over fields of characteristic greater than three are in scope; these curves are those used in Suite B. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6090"/>
          <seriesInfo name="DOI" value="10.17487/RFC6090"/>
        </reference>
        <reference anchor="RFC6960" target="https://www.rfc-editor.org/info/rfc6960" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6960.xml">
          <front>
            <title>X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP</title>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="M. Myers" initials="M." surname="Myers"/>
            <author fullname="R. Ankney" initials="R." surname="Ankney"/>
            <author fullname="A. Malpani" initials="A." surname="Malpani"/>
            <author fullname="S. Galperin" initials="S." surname="Galperin"/>
            <author fullname="C. Adams" initials="C." surname="Adams"/>
            <date month="June" year="2013"/>
            <abstract>
              <t>This document specifies a protocol useful in determining the current status of a digital certificate without requiring Certificate Revocation Lists (CRLs). Additional mechanisms addressing PKIX operational requirements are specified in separate documents. This document obsoletes RFCs 2560 and 6277. It also updates RFC 5912.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6960"/>
          <seriesInfo name="DOI" value="10.17487/RFC6960"/>
        </reference>
        <reference anchor="RFC6979" target="https://www.rfc-editor.org/info/rfc6979" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml">
          <front>
            <title>Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</title>
            <author fullname="T. Pornin" initials="T." surname="Pornin"/>
            <date month="August" year="2013"/>
            <abstract>
              <t>This document defines a deterministic digital signature generation procedure. Such signatures are compatible with standard Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures and can be processed with unmodified verifiers, which need not be aware of the procedure described therein. Deterministic signatures retain the cryptographic security features associated with digital signatures but can be more easily implemented in various environments, since they do not need access to a source of high-quality randomness.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6979"/>
          <seriesInfo name="DOI" value="10.17487/RFC6979"/>
        </reference>
        <reference anchor="RFC7252" target="https://www.rfc-editor.org/info/rfc7252" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="RFC7748" target="https://www.rfc-editor.org/info/rfc7748" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml">
          <front>
            <title>Elliptic Curves for Security</title>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="M. Hamburg" initials="M." surname="Hamburg"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <date month="January" year="2016"/>
            <abstract>
              <t>This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7748"/>
          <seriesInfo name="DOI" value="10.17487/RFC7748"/>
        </reference>
        <reference anchor="RFC7959" target="https://www.rfc-editor.org/info/rfc7959" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7959.xml">
          <front>
            <title>Block-Wise Transfers in the Constrained Application Protocol (CoAP)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="Z. Shelby" initials="Z." role="editor" surname="Shelby"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a RESTful transfer protocol for constrained nodes and networks. Basic CoAP messages work well for small payloads from sensors and actuators; however, applications will need to transfer larger payloads occasionally -- for instance, for firmware updates. In contrast to HTTP, where TCP does the grunt work of segmenting and resequencing, CoAP is based on datagram transports such as UDP or Datagram Transport Layer Security (DTLS). These transports only offer fragmentation, which is even more problematic in constrained nodes and networks, limiting the maximum size of resource representations that can practically be transferred.</t>
              <t>Instead of relying on IP fragmentation, this specification extends basic CoAP with a pair of "Block" options for transferring multiple blocks of information from a resource representation in multiple request-response pairs. In many important cases, the Block options enable a server to be truly stateless: the server can handle each block transfer separately, with no need for a connection setup or other server-side memory of previous block transfers. Essentially, the Block options provide a minimal way to transfer larger representations in a block-wise fashion.</t>
              <t>A CoAP implementation that does not support these options generally is limited in the size of the representations that can be exchanged, so there is an expectation that the Block options will be widely used in CoAP implementations. Therefore, this specification updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7959"/>
          <seriesInfo name="DOI" value="10.17487/RFC7959"/>
        </reference>
        <reference anchor="RFC8126" target="https://www.rfc-editor.org/info/rfc8126" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8392" target="https://www.rfc-editor.org/info/rfc8392" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml">
          <front>
            <title>CBOR Web Token (CWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8392"/>
          <seriesInfo name="DOI" value="10.17487/RFC8392"/>
        </reference>
        <reference anchor="RFC8410" target="https://www.rfc-editor.org/info/rfc8410" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8410.xml">
          <front>
            <title>Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure</title>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies algorithm identifiers and ASN.1 encoding formats for elliptic curve constructs using the curve25519 and curve448 curves. The signature algorithms covered are Ed25519 and Ed448. The key agreement algorithms covered are X25519 and X448. The encoding for public key, private key, and Edwards-curve Digital Signature Algorithm (EdDSA) structures is provided.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8410"/>
          <seriesInfo name="DOI" value="10.17487/RFC8410"/>
        </reference>
        <reference anchor="RFC8610" target="https://www.rfc-editor.org/info/rfc8610" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="C. Vigano" initials="C." surname="Vigano"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="RFC8613" target="https://www.rfc-editor.org/info/rfc8613" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8613.xml">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
        <reference anchor="RFC8724" target="https://www.rfc-editor.org/info/rfc8724" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8724.xml">
          <front>
            <title>SCHC: Generic Framework for Static Context Header Compression and Fragmentation</title>
            <author fullname="A. Minaburo" initials="A." surname="Minaburo"/>
            <author fullname="L. Toutain" initials="L." surname="Toutain"/>
            <author fullname="C. Gomez" initials="C." surname="Gomez"/>
            <author fullname="D. Barthel" initials="D." surname="Barthel"/>
            <author fullname="JC. Zuniga" initials="JC." surname="Zuniga"/>
            <date month="April" year="2020"/>
            <abstract>
              <t>This document defines the Static Context Header Compression and fragmentation (SCHC) framework, which provides both a header compression mechanism and an optional fragmentation mechanism. SCHC has been designed with Low-Power Wide Area Networks (LPWANs) in mind.</t>
              <t>SCHC compression is based on a common static context stored both in the LPWAN device and in the network infrastructure side. This document defines a generic header compression mechanism and its application to compress IPv6/UDP headers.</t>
              <t>This document also specifies an optional fragmentation and reassembly mechanism. It can be used to support the IPv6 MTU requirement over the LPWAN technologies. Fragmentation is needed for IPv6 datagrams that, after SCHC compression or when such compression was not possible, still exceed the Layer 2 maximum payload size.</t>
              <t>The SCHC header compression and fragmentation mechanisms are independent of the specific LPWAN technology over which they are used. This document defines generic functionalities and offers flexibility with regard to parameter settings and mechanism choices. This document standardizes the exchange over the LPWAN between two SCHC entities. Settings and choices specific to a technology or a product are expected to be grouped into profiles, which are specified in other documents. Data models for the context and profiles are out of scope.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8724"/>
          <seriesInfo name="DOI" value="10.17487/RFC8724"/>
        </reference>
        <reference anchor="RFC8742" target="https://www.rfc-editor.org/info/rfc8742" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8742.xml">
          <front>
            <title>Concise Binary Object Representation (CBOR) Sequences</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>This document describes the Concise Binary Object Representation (CBOR) Sequence format and associated media type "application/cbor-seq". A CBOR Sequence consists of any number of encoded CBOR data items, simply concatenated in sequence.</t>
              <t>Structured syntax suffixes for media types allow other media types to build on them and make it explicit that they are built on an existing media type as their foundation. This specification defines and registers "+cbor-seq" as a structured syntax suffix for CBOR Sequences.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8742"/>
          <seriesInfo name="DOI" value="10.17487/RFC8742"/>
        </reference>
        <reference anchor="RFC8747" target="https://www.rfc-editor.org/info/rfc8747" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8747.xml">
          <front>
            <title>Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="March" year="2020"/>
            <abstract>
              <t>This specification describes how to declare in a CBOR Web Token (CWT) (which is defined by RFC 8392) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as being the holder-of-key. This specification provides equivalent functionality to "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)" (RFC 7800) but using Concise Binary Object Representation (CBOR) and CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens (JWTs).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8747"/>
          <seriesInfo name="DOI" value="10.17487/RFC8747"/>
        </reference>
        <reference anchor="RFC8949" target="https://www.rfc-editor.org/info/rfc8949" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9052" target="https://www.rfc-editor.org/info/rfc9052" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9052.xml">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="RFC9053" target="https://www.rfc-editor.org/info/rfc9053" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9053.xml">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Initial Algorithms</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052).</t>
              <t>This document, along with RFC 9052, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9053"/>
          <seriesInfo name="DOI" value="10.17487/RFC9053"/>
        </reference>
        <reference anchor="RFC9175" target="https://www.rfc-editor.org/info/rfc9175" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9175.xml">
          <front>
            <title>Constrained Application Protocol (CoAP): Echo, Request-Tag, and Token Processing</title>
            <author fullname="C. Amsüss" initials="C." surname="Amsüss"/>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>This document specifies enhancements to the Constrained Application Protocol (CoAP) that mitigate security issues in particular use cases. The Echo option enables a CoAP server to verify the freshness of a request or to force a client to demonstrate reachability at its claimed network address. The Request-Tag option allows the CoAP server to match block-wise message fragments belonging to the same request. This document updates RFC 7252 with respect to the following: processing requirements for client Tokens, forbidding non-secure reuse of Tokens to ensure response-to-request binding when CoAP is used with a security protocol, and amplification mitigation (where the use of the Echo option is now recommended).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9175"/>
          <seriesInfo name="DOI" value="10.17487/RFC9175"/>
        </reference>
        <reference anchor="RFC9360" target="https://www.rfc-editor.org/info/rfc9360" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9360.xml">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Header Parameters for Carrying and Referencing X.509 Certificates</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="February" year="2023"/>
            <abstract>
              <t>The CBOR Object Signing and Encryption (COSE) message structure uses references to keys in general. For some algorithms, additional properties are defined that carry parameters relating to keys as needed. The COSE Key structure is used for transporting keys outside of COSE messages. This document extends the way that keys can be identified and transported by providing attributes that refer to or contain X.509 certificates.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9360"/>
          <seriesInfo name="DOI" value="10.17487/RFC9360"/>
        </reference>
      </references>
      <references>
        <name>Informative References</name>
        <reference anchor="RFC2986" target="https://www.rfc-editor.org/info/rfc2986" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2986.xml">
          <front>
            <title>PKCS #10: Certification Request Syntax Specification Version 1.7</title>
            <author fullname="M. Nystrom" initials="M." surname="Nystrom"/>
            <author fullname="B. Kaliski" initials="B." surname="Kaliski"/>
            <date month="November" year="2000"/>
            <abstract>
              <t>This memo represents a republication of PKCS #10 v1.7 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from the PKCS #9 v2.0 or the PKCS #10 v1.7 document. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2986"/>
          <seriesInfo name="DOI" value="10.17487/RFC2986"/>
        </reference>
        <reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5280" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC6194" target="https://www.rfc-editor.org/info/rfc6194" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6194.xml">
          <front>
            <title>Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms</title>
            <author fullname="T. Polk" initials="T." surname="Polk"/>
            <author fullname="L. Chen" initials="L." surname="Chen"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="March" year="2011"/>
            <abstract>
              <t>This document includes security considerations for the SHA-0 and SHA-1 message digest algorithm. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6194"/>
          <seriesInfo name="DOI" value="10.17487/RFC6194"/>
        </reference>
        <reference anchor="RFC7228" target="https://www.rfc-editor.org/info/rfc7228" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7228.xml">
          <front>
            <title>Terminology for Constrained-Node Networks</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="M. Ersue" initials="M." surname="Ersue"/>
            <author fullname="A. Keranen" initials="A." surname="Keranen"/>
            <date month="May" year="2014"/>
            <abstract>
              <t>The Internet Protocol Suite is increasingly used on small devices with severe constraints on power, memory, and processing resources, creating constrained-node networks. This document provides a number of basic terms that have been useful in the standardization work for constrained-node networks.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7228"/>
          <seriesInfo name="DOI" value="10.17487/RFC7228"/>
        </reference>
        <reference anchor="RFC7258" target="https://www.rfc-editor.org/info/rfc7258" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7258.xml">
          <front>
            <title>Pervasive Monitoring Is an Attack</title>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="May" year="2014"/>
            <abstract>
              <t>Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="188"/>
          <seriesInfo name="RFC" value="7258"/>
          <seriesInfo name="DOI" value="10.17487/RFC7258"/>
        </reference>
        <reference anchor="RFC7296" target="https://www.rfc-editor.org/info/rfc7296" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7296.xml">
          <front>
            <title>Internet Key Exchange Protocol Version 2 (IKEv2)</title>
            <author fullname="C. Kaufman" initials="C." surname="Kaufman"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <author fullname="T. Kivinen" initials="T." surname="Kivinen"/>
            <date month="October" year="2014"/>
            <abstract>
              <t>This document describes version 2 of the Internet Key Exchange (IKE) protocol. IKE is a component of IPsec used for performing mutual authentication and establishing and maintaining Security Associations (SAs). This document obsoletes RFC 5996, and includes all of the errata for it. It advances IKEv2 to be an Internet Standard.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="79"/>
          <seriesInfo name="RFC" value="7296"/>
          <seriesInfo name="DOI" value="10.17487/RFC7296"/>
        </reference>
        <reference anchor="RFC7624" target="https://www.rfc-editor.org/info/rfc7624" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7624.xml">
          <front>
            <title>Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="B. Schneier" initials="B." surname="Schneier"/>
            <author fullname="C. Jennings" initials="C." surname="Jennings"/>
            <author fullname="T. Hardie" initials="T." surname="Hardie"/>
            <author fullname="B. Trammell" initials="B." surname="Trammell"/>
            <author fullname="C. Huitema" initials="C." surname="Huitema"/>
            <author fullname="D. Borkmann" initials="D." surname="Borkmann"/>
            <date month="August" year="2015"/>
            <abstract>
              <t>Since the initial revelations of pervasive surveillance in 2013, several classes of attacks on Internet communications have been discovered. In this document, we develop a threat model that describes these attacks on Internet confidentiality. We assume an attacker that is interested in undetected, indiscriminate eavesdropping. The threat model is based on published, verified attacks.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7624"/>
          <seriesInfo name="DOI" value="10.17487/RFC7624"/>
        </reference>
        <reference anchor="RFC8366" target="https://www.rfc-editor.org/info/rfc8366" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8366.xml">
          <front>
            <title>A Voucher Artifact for Bootstrapping Protocols</title>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="M. Pritikin" initials="M." surname="Pritikin"/>
            <author fullname="T. Eckert" initials="T." surname="Eckert"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>This document defines a strategy to securely assign a pledge to an owner using an artifact signed, directly or indirectly, by the pledge's manufacturer. This artifact is known as a "voucher".</t>
              <t>This document defines an artifact format as a YANG-defined JSON document that has been signed using a Cryptographic Message Syntax (CMS) structure. Other YANG-derived formats are possible. The voucher artifact is normally generated by the pledge's manufacturer (i.e., the Manufacturer Authorized Signing Authority (MASA)).</t>
              <t>This document only defines the voucher artifact, leaving it to other documents to describe specialized protocols for accessing it.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8366"/>
          <seriesInfo name="DOI" value="10.17487/RFC8366"/>
        </reference>
        <reference anchor="RFC8376" target="https://www.rfc-editor.org/info/rfc8376" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8376.xml">
          <front>
            <title>Low-Power Wide Area Network (LPWAN) Overview</title>
            <author fullname="S. Farrell" initials="S." role="editor" surname="Farrell"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>Low-Power Wide Area Networks (LPWANs) are wireless technologies with characteristics such as large coverage areas, low bandwidth, possibly very small packet and application-layer data sizes, and long battery life operation. This memo is an informational overview of the set of LPWAN technologies being considered in the IETF and of the gaps that exist between the needs of those technologies and the goal of running IP in LPWANs.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8376"/>
          <seriesInfo name="DOI" value="10.17487/RFC8376"/>
        </reference>
        <reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8937" target="https://www.rfc-editor.org/info/rfc8937" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8937.xml">
          <front>
            <title>Randomness Improvements for Security Protocols</title>
            <author fullname="C. Cremers" initials="C." surname="Cremers"/>
            <author fullname="L. Garratt" initials="L." surname="Garratt"/>
            <author fullname="S. Smyshlyaev" initials="S." surname="Smyshlyaev"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="October" year="2020"/>
            <abstract>
              <t>Randomness is a crucial ingredient for Transport Layer Security (TLS) and related security protocols. Weak or predictable "cryptographically secure" pseudorandom number generators (CSPRNGs) can be abused or exploited for malicious purposes. An initial entropy source that seeds a CSPRNG might be weak or broken as well, which can also lead to critical and systemic security problems. This document describes a way for security protocol implementations to augment their CSPRNGs using long-term private keys. This improves randomness from broken or otherwise subverted CSPRNGs.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8937"/>
          <seriesInfo name="DOI" value="10.17487/RFC8937"/>
        </reference>
        <reference anchor="RFC9000" target="https://www.rfc-editor.org/info/rfc9000" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9000.xml">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
        <reference anchor="RFC9147" target="https://www.rfc-editor.org/info/rfc9147" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9147.xml">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC9176" target="https://www.rfc-editor.org/info/rfc9176" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9176.xml">
          <front>
            <title>Constrained RESTful Environments (CoRE) Resource Directory</title>
            <author fullname="C. Amsüss" initials="C." role="editor" surname="Amsüss"/>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="M. Koster" initials="M." surname="Koster"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>In many Internet of Things (IoT) applications, direct discovery of resources is not practical due to sleeping nodes or networks where multicast traffic is inefficient. These problems can be solved by employing an entity called a Resource Directory (RD), which contains information about resources held on other servers, allowing lookups to be performed for those resources. The input to an RD is composed of links, and the output is composed of links constructed from the information stored in the RD. This document specifies the web interfaces that an RD supports for web servers to discover the RD and to register, maintain, look up, and remove information on resources. Furthermore, new target attributes useful in conjunction with an RD are defined.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9176"/>
          <seriesInfo name="DOI" value="10.17487/RFC9176"/>
        </reference>
        <reference anchor="RFC9397" target="https://www.rfc-editor.org/info/rfc9397" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9397.xml">
          <front>
            <title>Trusted Execution Environment Provisioning (TEEP) Architecture</title>
            <author fullname="M. Pei" initials="M." surname="Pei"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="D. Wheeler" initials="D." surname="Wheeler"/>
            <date month="July" year="2023"/>
            <abstract>
              <t>A Trusted Execution Environment (TEE) is an environment that enforces the following: any code within the environment cannot be tampered with, and any data used by such code cannot be read or tampered with by any code outside the environment. This architecture document discusses the motivation for designing and standardizing a protocol for managing the lifecycle of Trusted Applications running inside such a TEE.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9397"/>
          <seriesInfo name="DOI" value="10.17487/RFC9397"/>
        </reference>
        <reference anchor="I-D.ietf-rats-eat" target="https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-21" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-rats-eat.xml">
          <front>
            <title>The Entity Attestation Token (EAT)</title>
            <author fullname="Laurence Lundblade" initials="L." surname="Lundblade">
              <organization>Security Theory LLC</organization>
            </author>
            <author fullname="Giridhar Mandyam" initials="G." surname="Mandyam">
              <organization>Qualcomm Technologies Inc.</organization>
            </author>
            <author fullname="Jeremy O'Donoghue" initials="J." surname="O'Donoghue">
              <organization>Qualcomm Technologies Inc.</organization>
            </author>
            <author fullname="Carl Wallace" initials="C." surname="Wallace">
              <organization>Red Hound Software, Inc.</organization>
            </author>
            <date day="30" month="June" year="2023"/>
            <abstract>
              <t>An Entity Attestation Token (EAT) provides an attested claims set that describes state and characteristics of an entity, a device like a smartphone, IoT device, network equipment or such. This claims set is used by a relying party, server or service to determine how much it wishes to trust the entity. An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with attestation-oriented claims.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-eat-21"/>
        </reference>
        <reference anchor="I-D.ietf-lake-reqs" target="https://datatracker.ietf.org/doc/html/draft-ietf-lake-reqs-04" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-lake-reqs.xml">
          <front>
            <title>Requirements for a Lightweight AKE for OSCORE</title>
            <author fullname="Mališa Vučinić" initials="M." surname="Vučinić">
              <organization>Inria</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Dan Garcia-Carillo" initials="D." surname="Garcia-Carillo">
              <organization>Odin Solutions S.L.</organization>
            </author>
            <date day="8" month="June" year="2020"/>
            <abstract>
              <t>This document compiles the requirements for a lightweight authenticated key exchange protocol for OSCORE. This draft has completed a working group last call (WGLC) in the LAKE working group. Post-WGLC, the requirements are considered sufficiently stable for the working group to proceed with its work. It is not currently planned to publish this draft as an RFC.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lake-reqs-04"/>
        </reference>
        <reference anchor="I-D.ietf-lake-traces" target="https://datatracker.ietf.org/doc/html/draft-ietf-lake-traces-05" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-lake-traces.xml">
          <front>
            <title>Traces of EDHOC</title>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Marek Serafin" initials="M." surname="Serafin">
              <organization>ASSA ABLOY</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE</organization>
            </author>
            <date day="28" month="April" year="2023"/>
            <abstract>
              <t>This document contains some example traces of Ephemeral Diffie- Hellman Over COSE (EDHOC).</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lake-traces-05"/>
        </reference>
        <reference anchor="I-D.ietf-core-oscore-edhoc" target="https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-edhoc-08" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-core-oscore-edhoc.xml">
          <front>
            <title>Using EDHOC with CoAP and OSCORE</title>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Stefan Hristozov" initials="S." surname="Hristozov">
              <organization>Fraunhofer AISEC</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson</organization>
            </author>
            <date day="8" month="August" year="2023"/>
            <abstract>
              <t>The lightweight authenticated key exchange protocol EDHOC can be run over CoAP and used by two peers to establish an OSCORE Security Context. This document details this use of the EDHOC protocol, by specifying a number of additional and optional mechanisms. These especially include an optimization approach for combining the execution of EDHOC with the first OSCORE transaction. This combination reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-edhoc-08"/>
        </reference>
        <reference anchor="I-D.ietf-cose-cbor-encoded-cert" target="https://datatracker.ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-06" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-cose-cbor-encoded-cert.xml">
          <front>
            <title>CBOR Encoded X.509 Certificates (C509 Certificates)</title>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization> Technology (NIST)</organization>
            </author>
            <author fullname="Shahid Raza" initials="S." surname="Raza">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Joel Höglund" initials="J." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Martin Furuhed" initials="M." surname="Furuhed">
              <organization>Nexus Group</organization>
            </author>
            <date day="7" month="July" year="2023"/>
            <abstract>
              <t>This document specifies a CBOR encoding of X.509 certificates. The resulting certificates are called C509 Certificates. The CBOR encoding supports a large subset of RFC 5280 and all certificates compatible with the RFC 7925, IEEE 802.1AR (DevID), CNSA, RPKI, GSMA eUICC, and CA/Browser Forum Baseline Requirements profiles. When used to re-encode DER encoded X.509 certificates, the CBOR encoding can in many cases reduce the size of RFC 7925 profiled certificates with over 50%. The CBOR encoded structure can alternatively be signed directly ("natively signed"), which does not require re- encoding for the signature to be verified. The document also specifies C509 COSE headers, a C509 TLS certificate type, and a C509 file format.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-06"/>
        </reference>
        <reference anchor="I-D.ietf-core-oscore-key-update" target="https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-key-update-05" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-core-oscore-key-update.xml">
          <front>
            <title>Key Update for OSCORE (KUDOS)</title>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <date day="10" month="July" year="2023"/>
            <abstract>
              <t>This document defines Key Update for OSCORE (KUDOS), a lightweight procedure that two CoAP endpoints can use to update their keying material by establishing a new OSCORE Security Context. Accordingly, it updates the use of the OSCORE flag bits in the CoAP OSCORE Option as well as the protection of CoAP response messages with OSCORE, and it deprecates the key update procedure specified in Appendix B.2 of RFC 8613. Thus, this document updates RFC 8613. Also, this document defines a procedure that two endpoints can use to update their OSCORE identifiers, run either stand-alone or during a KUDOS execution.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-key-update-05"/>
        </reference>

        <reference anchor="I-D.ietf-lwig-curve-representations" target="https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-23" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-lwig-curve-representations.xml"> anchor="SECG" target="https://www.secg.org/sec1-v2.pdf">
          <front>
            <title>Alternative
            <title>SEC 1: Elliptic Curve Representations</title>
            <author fullname="Rene Struik" initials="R." surname="Struik">
              <organization>Struik Security Consultancy</organization>
            </author>
            <date day="21" month="January" year="2022"/>
            <abstract>
              <t>This document specifies how to represent Montgomery curves and (twisted) Edwards curves as curves in short-Weierstrass form and illustrates how this can be used to carry out elliptic curve computations leveraging existing implementations and specifications of, e.g., ECDSA and ECDH using NIST prime curves. We also provide extensive background material that may be useful for implementers of elliptic curve cryptography.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lwig-curve-representations-23"/>
        </reference>
        <reference anchor="I-D.ietf-iotops-security-protocol-comparison" target="https://datatracker.ietf.org/doc/html/draft-ietf-iotops-security-protocol-comparison-02" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-iotops-security-protocol-comparison.xml">
          <front>
            <title>Comparison of CoAP Security Protocols</title>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Mališa Vučinić" initials="M." surname="Vučinić">
              <organization>INRIA</organization>
            </author>
            <date day="11" month="April" year="2023"/>
            <abstract>
              <t>This document analyzes and compares the sizes of key exchange flights and the per-packet message size overheads when using different security protocols to secure CoAP. The described overheads are independent of the underlying transport. Small message sizes are very important for reducing energy consumption, latency, and time to completion in constrained radio network such as Low-Power Wide Area Networks (LPWANs). The analyzed security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, cTLS, EDHOC, OSCORE, and Group OSCORE. The DTLS and TLS record layers are analyzed with and without 6LoWPAN- GHC compression. DTLS is analyzed with and without Connection ID.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-iotops-security-protocol-comparison-02"/>
        </reference>
        <reference anchor="I-D.irtf-cfrg-det-sigs-with-noise" target="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-det-sigs-with-noise-00" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-cfrg-det-sigs-with-noise.xml">
          <front>
            <title>Deterministic ECDSA and EdDSA Signatures with Additional Randomness</title>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Erik Thormarker" initials="E." surname="Thormarker">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Sini Ruohomaa" initials="S." surname="Ruohomaa">
              <organization>Ericsson</organization>
            </author>
            <date day="8" month="August" year="2022"/>
            <abstract>
              <t>Deterministic elliptic-curve signatures such as deterministic ECDSA and EdDSA have gained popularity over randomized ECDSA as their security do not depend on a source of high-quality randomness. Recent research has however found that implementations of these signature algorithms may be vulnerable to certain side-channel and fault injection attacks due to their determinism. One countermeasure to such attacks is to re-add randomness to the otherwise deterministic calculation of the per-message secret number. This document updates RFC 6979 and RFC 8032 to recommend constructions with additional randomness for deployments where side-channel attacks and fault injection attacks are a concern. The updates are invisible to the validator of the signature and compatible with existing ECDSA and EdDSA validators.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-det-sigs-with-noise-00"/>
        </reference>
        <reference anchor="I-D.selander-lake-authz" target="https://datatracker.ietf.org/doc/html/draft-selander-lake-authz-03" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.selander-lake-authz.xml">
          <front>
            <title>Lightweight Authorization using Ephemeral Diffie-Hellman Over COSE</title>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Mališa Vučinić" initials="M." surname="Vučinić">
              <organization>INRIA</organization>
            </author>
            <author fullname="Michael Richardson" initials="M." surname="Richardson">
              <organization>Sandelman Software Works</organization>
            </author>
            <author fullname="Aurelio Schellenbaum" initials="A." surname="Schellenbaum">
              <organization>Institute of Embedded Systems, ZHAW</organization>
            </author>
            <date day="7" month="July" year="2023"/>
            <abstract>
              <t>This document describes a procedure for authorizing enrollment of new devices using the lightweight authenticated key exchange protocol Ephemeral Diffie-Hellman Over COSE (EDHOC). The procedure is applicable to zero-touch onboarding of new devices to a constrained network leveraging trust anchors installed at manufacture time.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-selander-lake-authz-03"/>
        </reference>
        <reference anchor="I-D.arkko-arch-internet-threat-model-guidance" target="https://datatracker.ietf.org/doc/html/draft-arkko-arch-internet-threat-model-guidance-00" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.arkko-arch-internet-threat-model-guidance.xml">
          <front>
            <title>Internet Threat Model Guidance</title>
            <author fullname="Jari Arkko" initials="J." surname="Arkko">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Stephen Farrell" initials="S." surname="Farrell">
              <organization>Trinity College Dublin</organization>
            </author>
            <date day="12" month="July" year="2021"/>
            <abstract>
              <t>Communications security has been at the center of many security improvements in the Internet. The goal has been to ensure that communications are protected against outside observers and attackers. This memo suggests that the existing RFC 3552 threat model, while important and still valid, is no longer alone sufficient to cater for the pressing security and privacy issues seen on the Internet today. For instance, it is often also necessary to protect against endpoints that are compromised, malicious, or whose interests simply do not align with the interests of users. While such protection is difficult, there are some measures that can be taken and we argue that investigation of these issues is warranted. It is particularly important to ensure that as we continue to develop Internet technology, non-communications security related threats, and privacy issues, are properly understood.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-arkko-arch-internet-threat-model-guidance-00"/>
        </reference>
        <reference anchor="SP-800-56A" target="https://doi.org/10.6028/NIST.SP.800-56Ar3">
          <front>
            <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</title>
            <author initials="E." surname="Barker">
              <organization/>
            </author>
            <author initials="L." surname="Chen">
              <organization/>
            </author>
            <author initials="A." surname="Roginsky">
              <organization/>
            </author>
            <author initials="A." surname="Vassilev">
              <organization/>
            </author>
            <author initials="R." surname="Davis">
              <organization/>
            </author>
            <date year="2018" month="April"/>
          </front>
          <seriesInfo name="NIST" value="Special Publication 800-56A Revision 3"/>
        </reference>
        <reference anchor="SP-800-108" target="https://doi.org/10.6028/NIST.SP.800-108r1">
          <front>
            <title>Recommendation for Key Derivation Using Pseudorandom Functions</title>
            <author initials="L." surname="Chen">
              <organization/>
            </author>
            <date year="2022" month="August"/>
          </front>
          <seriesInfo name="NIST" value="Special Publication 800-108 Revision 1"/>
        </reference>
        <reference anchor="SP800-185" target="https://doi.org/10.6028/NIST.SP.800-185">
          <front>
            <title>SHA-3 Derived Functions cSHAKE, KMAC, TupleHash and ParallelHash</title>
            <author initials="" surname="John Kelsey">
              <organization/>
            </author>
            <author initials="" surname="Shu-jen Chang">
              <organization/>
            </author>
            <author initials="" surname="Ray Perlner">
              <organization/>
            </author>
            <date year="2016" month="December"/>
          </front>
          <seriesInfo name="NIST" value="Special Publication 800-185"/>
        </reference>
        <reference anchor="Degabriele11" target="https://eprint.iacr.org/2011/615">
          <front>
            <title>On the Joint Security of Encryption and Signature in EMV</title>
            <author initials="J. P." surname="Degabriele">
              <organization/>
            </author>
            <author initials="A." surname="Lehmann">
              <organization/>
            </author>
            <author initials="K. G." surname="Paterson">
              <organization/>
            </author>
            <author initials="N. P." surname="Smart">
              <organization/>
            </author>
            <author initials="M." surname="Strefler">
              <organization/>
            </author>
            <date year="2011" month="December"/>
          </front>
        </reference>
        <reference anchor="NISTPQC" target="https://csrc.nist.gov/Projects/post-quantum-cryptography/faqs">
          <front>
            <title>Post-Quantum Cryptography FAQs</title>
            <author>
              <organization/>
            </author>
            <date year="2023" month="August"/>
          </front>
        </reference>
        <reference anchor="SECG" target="https://www.secg.org/sec1-v2.pdf">
          <front>
            <title>Standards for Efficient Cryptography 1 (SEC 1)</title>
            <author>
              <organization/>
              <organization>Certicom Research</organization>
            </author>
            <date year="2009" month="May"/>
          </front>
	  <refcontent>Standards for Efficient Cryptography</refcontent>
        </reference>

        <reference anchor="SIGMA" target="https://www.iacr.org/cryptodb/archive/2003/CRYPTO/1495/1495.pdf">
          <front>
            <title>SIGMA - The
            <title>SIGMA: the 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE-Protocols</title>
            <author initials="H." surname="Krawczyk">
              <organization/>
            </author>
            <date year="2003" month="June"/>
          </front>
        </reference>

        <reference anchor="HKDFpaper" target="https://eprint.iacr.org/2010/264.pdf">
          <front>
            <title>Cryptographic Extraction and Key Derivation: The HKDF Scheme</title>
            <author initials="H." surname="Krawczyk">
              <organization/>
            </author>
            <date year="2010" month="May"/>
          </front>
        </reference>

        <reference anchor="Thormarker21" target="https://eprint.iacr.org/2021/509.pdf">
          <front>
            <title>On using the same key pair for Ed25519 and an X25519 based KEM</title>
            <author initials="E." surname="Thormarker">
              <organization/>
            </author>
            <date year="2021" month="April"/>
          </front>
        </reference>

        <reference anchor="CNSA" target="https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite"> target="https://en.wikipedia.org/w/index.php?title=Commercial_National_Security_Algorithm_Suite&amp;oldid=1181333611">
          <front>
            <title>Commercial National Security Algorithm Suite</title>
            <author initials="" surname="NSA">
              <organization/>
            <author>
              <organization>Wikipedia</organization>
            </author>
            <date year="2015" month="August"/> year="2023" month="October"/>
          </front>
        </reference>

        <reference anchor="GuentherIlunga22" target="https://eprint.iacr.org/2022/1705">
          <front>
            <title>Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol</title>
            <author initials="F." surname="Günther">
              <organization/>
            </author>
            <author initials="M." surname="Ilunga"> surname="Mukendi">
              <organization/>
            </author>
            <date year="2022" month="December"/>
          </front>
        </reference>

        <reference anchor="Jacomme23" target="https://hal.inria.fr/hal-03810102/">
          <front>
            <title>A comprehensive, formal and automated analysis of the EDHOC protocol</title>
            <author initials="C." surname="Jacomme">
              <organization/>
            </author>
            <author initials="E." surname="Klein">
              <organization/>
            </author>
            <author initials="S." surname="Kremer">
              <organization/>
            </author>
            <author initials="M." surname="Racouchot">
              <organization/>
            </author>
            <date year="2022" month="October"/>
          </front>
        </reference>

        <reference anchor="CottierPointcheval22" target="https://arxiv.org/abs/2209.03599">
          <front>
            <title>Security Analysis of the EDHOC protocol</title>
            <author initials="B." surname="Cottier">
              <organization/>
            </author>
            <author initials="D." surname="Pointcheval">
              <organization/>
            </author>
            <date year="2022" month="September"/>
          </front>
        </reference>

        <reference anchor="Norrman20" target="https://arxiv.org/abs/2007.11427">
          <front>
            <title>Formal Analysis of EDHOC Key Establishment for Constrained IoT Devices</title>
            <author initials="K." surname="Norrman">
              <organization/>
            </author>
            <author initials="V." surname="Sundararajan">
              <organization/>
            </author>
            <author initials="A." surname="Bruni">
              <organization/>
            </author>
            <date year="2020" month="September"/>
          </front>
        </reference>
        <reference anchor="Bruni18" target="https://www.springerprofessional.de/en/formal-verification-of-ephemeral-diffie-hellman-over-cose-edhoc/16284348">
          <front>
            <title>Formal Verification of Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
            <author initials="A." surname="Bruni">
              <organization/>
            </author>
            <author initials="T." surname="Sahl Jørgensen">
              <organization/>
            </author>
            <author initials="T." surname="Grønbech Petersen">
              <organization/>
            </author>
            <author initials="C." surname="Schürmann">
              <organization/>
            </author>
            <date year="2018" month="November"/>
          </front>
        </reference>

        <reference anchor="CborMe" target="https://cbor.me/">
          <front>
            <title>CBOR Playground</title>
            <author initials="C." surname="Bormann">
              <organization/>
            </author>
            <date year="2018" month="May"/>
          </front>
        </reference>

        <reference anchor="Noise" target="https://noiseprotocol.org/noise.html">
          <front>
            <title>The Noise Protocol Framework, Revision 34</title> Framework</title>
            <author initials="T." surname="Perrin">
              <organization/>
            </author>
            <date year="2018" month="July"/>
          </front>
	  <refcontent>Revision 34</refcontent>
        </reference>
      </references>
    </references>
    <?line 1918?>

<section anchor="transfer">
      <name>Use with OSCORE and Transfer over CoAP</name>
      <t>This appendix describes how to derive an OSCORE security context when EDHOC is used to key OSCORE, OSCORE and how to transfer EDHOC messages over CoAP. The use of CoAP or OSCORE with EDHOC is optional, but if you are using CoAP or OSCORE, then certain normative requirements apply as detailed in the  subsections.</t>
      <section anchor="oscore-ctx-derivation">
        <name>Deriving the OSCORE Security Context</name>
        <t>This section specifies how to use EDHOC output to derive the OSCORE security context.</t>
        <t>After successful processing of EDHOC message_3, the Client and Server derive Security Context security context parameters for OSCORE as follows (see Section 3.2 of <xref target="RFC8613"/>):</t> target="RFC8613" section="3.2" sectionFormat="of"/>):</t>
        <ul spacing="normal">
          <li>
            <t>The Master Secret and Master Salt SHALL <bcp14>SHALL</bcp14> be derived by using the EDHOC_Exporter interface, see interface (see <xref target="exporter"/>: target="exporter"/>):
            </t>
            <ul spacing="normal">
              <li>The EDHOC Exporter Labels for deriving the OSCORE Master Secret and the OSCORE Master Salt, Salt are the uints 0 and 1, respectively.</li>
              <li>The context parameter is h'' (0x40), the empty CBOR byte string.</li>
              <li>By default, oscore_key_length is the key length (in bytes) of the application AEAD Algorithm algorithm of the selected cipher suite for the EDHOC session. Also by default, oscore_salt_length has value 8. The Initiator and Responder MAY <bcp14>MAY</bcp14> agree out-of-band on a longer oscore_key_length than the default, default and on shorter or
longer than the default oscore_salt_length.</li>
            </ul>
          </li>
        </ul>
        <artwork><![CDATA[
   Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length )
   Master Salt   = EDHOC_Exporter( 1, h'', oscore_salt_length )
]]></artwork>
        <ul spacing="normal">
          <li>The AEAD Algorithm SHALL algorithm <bcp14>SHALL</bcp14> be the application AEAD algorithm of the selected cipher suite for the EDHOC session.</li>
          <li>The HKDF Algorithm SHALL algorithm <bcp14>SHALL</bcp14> be the one based on the application hash algorithm of the selected cipher suite for the EDHOC session. For example, if SHA-256 is the application hash algorithm of the selected cipher suite, HKDF SHA-256 is used as the HKDF Algorithm algorithm in the OSCORE Security Context.</li> security context.</li>
          <li>The relationship between identifiers in OSCORE and EDHOC is specified in <xref target="ci-oscore"/>. The OSCORE Sender ID and Recipient ID SHALL <bcp14>SHALL</bcp14> be determined by the EDHOC connection identifiers C_R and C_I for the EDHOC session as shown in <xref target="fig-edhoc-oscore-id-mapping"/>.</li> target="tab-edhoc-oscore-id-mapping"/>.</li>
        </ul>
        <figure anchor="fig-edhoc-oscore-id-mapping">

	<table anchor="tab-edhoc-oscore-id-mapping">
	  <name>Usage of connection identifiers Connection Identifiers in OSCORE.</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="144" width="488" viewBox="0 0 488 144" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,128" fill="none" stroke="black"/>
                <path d="M 152,32 L 152,128" fill="none" stroke="black"/>
                <path d="M 304,32 L 304,128" fill="none" stroke="black"/>
                <path d="M 480,32 L 480,128" fill="none" stroke="black"/>
                <path d="M 8,32 L 480,32" fill="none" stroke="black"/>
                <path d="M 8,62 L 480,62" fill="none" stroke="black"/>
                <path d="M 8,66 L 480,66" fill="none" stroke="black"/>
                <path d="M 8,96 L 480,96" fill="none" stroke="black"/>
                <path d="M 8,128 L 480,128" fill="none" stroke="black"/>
                <g class="text">
                  <text x="188" y="52">OSCORE</text>
                  <text x="244" y="52">Sender</text>
                  <text x="284" y="52">ID</text>
                  <text x="340" y="52">OSCORE</text>
                  <text x="408" y="52">Recipient</text>
                  <text x="460" y="52">ID</text>
                  <text x="40" y="84">EDHOC</text>
                  <text x="104" y="84">Initiator</text>
                  <text x="232" y="84">C_R</text>
                  <text x="392" y="84">C_I</text>
                  <text x="40" y="116">EDHOC</text>
                  <text x="104" y="116">Responder</text>
                  <text x="232" y="116">C_I</text>
                  <text x="392" y="116">C_R</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
+-----------------+------------------+---------------------+
|                 | OSCORE OSCORE</name>
	  <thead>
	    <tr>
	      <th></th>
	      <th>OSCORE Sender ID | OSCORE ID</th>
	      <th>OSCORE Recipient ID |
+=================+==================+=====================+
| EDHOC Initiator |        C_R       |         C_I         |
+-----------------+------------------+---------------------+
| EDHOC Responder |        C_I       |         C_R         |
+-----------------+------------------+---------------------+
]]></artwork>
          </artset>
        </figure>
        <t>Client ID</th>
	    </tr>
	  </thead>
	  <tbody>
	    <tr>
	      <td>EDHOC Initiator</td>
	      <td align="center">C_R</td>
	      <td align="center">C_I</td>
	      </tr><tr>
	      <td>EDHOC Responder</td>
	      <td align="center">C_I</td>
	      <td align="center">C_R</td>
	    </tr>
	  </tbody>
	</table>

        <t>The Client and Server SHALL <bcp14>SHALL</bcp14> use the parameters above to establish an OSCORE Security Context, security context, as per Section 3.2.1 of <xref target="RFC8613"/>.</t> target="RFC8613" section="3.2.1" sectionFormat="of"/>.</t>
        <t>From then on, the Client and Server retrieve the OSCORE protocol state using the Recipient ID, ID and optionally other transport information such as the 5-tuple.</t>
      </section>
      <section anchor="coap">
        <name>Transferring EDHOC over CoAP</name>
        <t>This section specifies how EDHOC can be transferred as an exchange of CoAP <xref target="RFC7252"/> messages. CoAP provides a reliable transport that can preserve packet ordering, provides flow and congestion control, and handles message duplication. CoAP can also perform fragmentation and mitigate certain denial-of-service attacks. The underlying CoAP transport should be used in reliable mode, in particular particular, when fragmentation is used, to avoid, e.g., situations with hanging endpoints waiting for each other.</t>
        <t>EDHOC may run with the Initiator either being a CoAP client or CoAP server. We denote the former by the "forward message flow" (see <xref target="forward"/>) and the latter by the "reverse message flow" (see <xref target="reverse"/>). By default, we assume the forward message flow, but the roles SHOULD <bcp14>SHOULD</bcp14> be chosen to protect the most sensitive identity, identity; see <xref target="security"/>.</t>
        <t>According to this specification, EDHOC is transferred in POST requests to the Uri-Path: "/.well-known/edhoc" (see <xref target="well-known"/>), target="well-known"/>) and 2.04 (Changed) responses. An application may define its own path that can be discovered, e.g., using a resource directory <xref target="RFC9176"/>. Client applications can use the resource type "core.edhoc" to discover a server's EDHOC resource, i.e., where to send a request for executing the EDHOC protocol, protocol; see <xref target="rt"/>. An alternative transfer of the forward message flow is specified in <xref target="I-D.ietf-core-oscore-edhoc"/>.</t>
        <t>In order for the server to correlate a message received from a client to a message previously sent in the same EDHOC session over CoAP, messages sent by the client SHALL <bcp14>SHALL</bcp14> be prepended with the CBOR serialization of the connection identifier which that the server has selected, selected; see <xref target="ci-edhoc"/>. This applies both to the forward and the reverse message flows. To indicate a new EDHOC session in the forward message flow, message_1 SHALL <bcp14>SHALL</bcp14> be prepended with the CBOR simple value <tt>true</tt> (0xf5). Even if CoAP is carried over a reliable transport protocol protocol, such as TCP, the prepending of identifiers specified here SHALL <bcp14>SHALL</bcp14> be practiced to enable interoperability independent of how CoAP is transported.</t>
        <t>The prepended identifiers are encoded in CBOR and thus self-delimiting. The representation of identifiers described in <xref target="bstr-repr"/> SHALL <bcp14>SHALL</bcp14> be used. They are sent in front of the actual EDHOC message to keep track of messages in an EDHOC session, and only the part of the body following the identifier is used for EDHOC processing. In particular, the connection identifiers within the EDHOC messages are not impacted by the prepended identifiers.</t>
        <t>An EDHOC message has media type application/edhoc+cbor-seq, "application/edhoc+cbor-seq", whereas an EDHOC message prepended by a connection identifier has media type application/cid-edhoc+cbor-seq, "application/cid-edhoc+cbor-seq"; see <xref target="content-format"/>.</t>
        <t>To mitigate certain denial-of-service attacks, the CoAP server MAY <bcp14>MAY</bcp14> respond to the first POST request with a 4.01 (Unauthorized) containing an Echo option <xref target="RFC9175"/>. This forces the Initiator to demonstrate reachability at its apparent network address. If message fragmentation is needed, the EDHOC messages may be fragmented using the CoAP Block-Wise Transfer mechanism <xref target="RFC7959"/>.</t>
        <t>EDHOC error messages need to be transported in response to a message that failed (see <xref target="error"/>). EDHOC error messages transported with CoAP are carried in the payload.</t>
        <t>Note that the transport over CoAP can serve as a blueprint for other client-server protocols:</t>
        <ul spacing="normal">
          <li>The client prepends the connection identifier selected by the server  (or, for message_1, the CBOR simple value <tt>true</tt>) to any request message it sends.</li>
          <li>The server does not send any such indicator, as responses are matched to request by the client-server protocol design.</li>
        </ul>
        <section anchor="forward">
          <name>The Forward Message Flow</name>
          <t>In the forward message flow flow, the CoAP client is the Initiator and the CoAP server is the Responder. This flow protects the client identity against active attackers and the server identity against passive attackers.</t>
          <t>In the forward message flow, the CoAP Token enables correlation on the Initiator (client) side, and the prepended C_R enables correlation on the Responder (server) side.</t>
          <ul spacing="normal">
            <li>EDHOC message_1 is sent in the payload of a POST request from the client to the server's resource for EDHOC, prepended with the identifier <tt>true</tt> (0xf5) (0xf5), indicating a new EDHOC session.</li>
            <li>EDHOC message_2 or the EDHOC error message is sent from the server to the client in the payload of the response, in the former case with response code 2.04 (Changed), (Changed) and in the latter with response code as specified in <xref target="edhoc-oscore-over-coap"/>.</li>
            <li>EDHOC message_3 or the EDHOC error message is sent from the client to the server's resource in the payload of a POST request, prepended with the connection identifier C_R.</li>
            <li>If EDHOC message_4 is used, or in case of an error message, it is sent from the server to the client in the payload of the response, with response codes analogously to message_2. In case of an error message sent in response to message_4, it is sent analogously to the error message sent in response to message_2.</li>
          </ul>
          <t>An example of a completed EDHOC session over CoAP in the forward message flow is shown in <xref target="fig-coap1"/>.</t>
          <figure anchor="fig-coap1">
            <name>Example of the forward message flow.</name> Forward Message Flow</name>
            <artset>
              <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="352" width="496" height="" width="" viewBox="0 0 496 352" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 24,48 L 24,336" fill="none" stroke="black"/>
                  <path d="M 112,48 L 112,336" fill="none" stroke="black"/>
                  <path d="M 24,64 L 104,64" fill="none" stroke="black"/>
                  <path d="M 32,144 L 112,144" fill="none" stroke="black"/>
                  <path d="M 24,208 L 104,208" fill="none" stroke="black"/>
                  <path d="M 32,288 L 112,288" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="112,208 100,202.4 100,213.6" fill="black" transform="rotate(0,104,208)"/>
                  <polygon class="arrowhead" points="112,64 100,58.4 100,69.6" fill="black" transform="rotate(0,104,64)"/>
                  <polygon class="arrowhead" points="40,288 28,282.4 28,293.6" fill="black" transform="rotate(180,32,288)"/>
                  <polygon class="arrowhead" points="40,144 28,138.4 28,149.6" fill="black" transform="rotate(180,32,144)"/>
                  <g class="text">
                    <text x="28" y="36">Client</text>
                    <text x="108" y="36">Server</text>
                    <text x="152" y="68">Header:</text>
                    <text x="204" y="68">POST</text>
                    <text x="272" y="68">(Code=0.02)</text>
                    <text x="68" y="84">POST</text>
                    <text x="160" y="84">Uri-Path:</text>
                    <text x="284" y="84">"/.well-known/edhoc"</text>
                    <text x="184" y="100">Content-Format:</text>
                    <text x="372" y="100">application/cid-edhoc+cbor-seq</text>
                    <text x="156" y="116">Payload:</text>
                    <text x="216" y="116">true,</text>
                    <text x="264" y="116">EDHOC</text>
                    <text x="328" y="116">message_1</text>
                    <text x="152" y="148">Header:</text>
                    <text x="204" y="148">2.04</text>
                    <text x="256" y="148">Changed</text>
                    <text x="68" y="164">2.04</text>
                    <text x="184" y="164">Content-Format:</text>
                    <text x="356" y="164">application/edhoc+cbor-seq</text>
                    <text x="156" y="180">Payload:</text>
                    <text x="216" y="180">EDHOC</text>
                    <text x="280" y="180">message_2</text>
                    <text x="152" y="212">Header:</text>
                    <text x="204" y="212">POST</text>
                    <text x="272" y="212">(Code=0.02)</text>
                    <text x="68" y="228">POST</text>
                    <text x="160" y="228">Uri-Path:</text>
                    <text x="284" y="228">"/.well-known/edhoc"</text>
                    <text x="184" y="244">Content-Format:</text>
                    <text x="372" y="244">application/cid-edhoc+cbor-seq</text>
                    <text x="156" y="260">Payload:</text>
                    <text x="212" y="260">C_R,</text>
                    <text x="256" y="260">EDHOC</text>
                    <text x="320" y="260">message_3</text>
                    <text x="152" y="292">Header:</text>
                    <text x="204" y="292">2.04</text>
                    <text x="256" y="292">Changed</text>
                    <text x="68" y="308">2.04</text>
                    <text x="184" y="308">Content-Format:</text>
                    <text x="356" y="308">application/edhoc+cbor-seq</text>
                    <text x="156" y="324">Payload:</text>
                    <text x="216" y="324">EDHOC</text>
                    <text x="280" y="324">message_4</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art" align="center"><![CDATA[
Client    Server
  |          |
  +--------->| Header: POST (Code=0.02)
  |   POST   | Uri-Path: "/.well-known/edhoc"
  |          | Content-Format: application/cid-edhoc+cbor-seq
  |          | Payload: true, EDHOC message_1
  |          |
  |<---------+ Header: 2.04 Changed
  |   2.04   | Content-Format: application/edhoc+cbor-seq
  |          | Payload: EDHOC message_2
  |          |
  +--------->| Header: POST (Code=0.02)
  |   POST   | Uri-Path: "/.well-known/edhoc"
  |          | Content-Format: application/cid-edhoc+cbor-seq
  |          | Payload: C_R, EDHOC message_3
  |          |
  |<---------+ Header: 2.04 Changed
  |   2.04   | Content-Format: application/edhoc+cbor-seq
  |          | Payload: EDHOC message_4
  |          |
]]></artwork>
            </artset>
          </figure>
          <t>The forward message flow of EDHOC can be combined with an OSCORE exchange in a total of two round-trips, round trips; see <xref target="I-D.ietf-core-oscore-edhoc"/>.</t>
        </section>
        <section anchor="reverse">
          <name>The Reverse Message Flow</name>
          <t>In the reverse message flow flow, the CoAP client is the Responder and the CoAP server is the Initiator. This flow protects the server identity against active attackers and the client identity against passive attackers.</t>
          <t>In the reverse message flow, the CoAP Token enables correlation on the Responder (client) side, and the prepended C_I enables correlation on the Initiator (server) side.</t>
          <ul spacing="normal">
            <li>To trigger a new EDHOC session, the client makes an empty POST request to the server's resource for EDHOC.</li>
            <li>EDHOC message_1 is sent from the server to the client in the payload of the response with response code 2.04 (Changed).</li>
            <li>EDHOC message_2 or the EDHOC error message is sent from the client to the server's resource in the payload of a POST request, prepended with the connection identifier C_I.</li>
            <li>EDHOC message_3 or the EDHOC error message is sent from the server to the client in the payload of the response, in the former case with response code 2.04 (Changed), (Changed) and in the latter with response code as specified in <xref target="edhoc-oscore-over-coap"/>.</li>
            <li>If EDHOC message_4 is used, or in case of an error message, it is sent from the client to the server's resource in the payload of a POST request, prepended with the connection identifier C_I. In case of an error message sent in response to message_4, it is sent analogously to an error message sent in response to message_2.</li>
          </ul>
          <t>An example of a completed EDHOC session over CoAP in the reverse message flow is shown in <xref target="fig-coap2"/>.</t>
          <figure anchor="fig-coap2">
            <name>Example of the reverse message flow.</name> Reverse Message Flow</name>
            <artset>
              <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="320" width="496" height="" width="" viewBox="0 0 496 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 24,48 L 24,304" fill="none" stroke="black"/>
                  <path d="M 112,48 L 112,304" fill="none" stroke="black"/>
                  <path d="M 24,64 L 104,64" fill="none" stroke="black"/>
                  <path d="M 32,112 L 112,112" fill="none" stroke="black"/>
                  <path d="M 24,176 L 104,176" fill="none" stroke="black"/>
                  <path d="M 32,256 L 112,256" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="112,176 100,170.4 100,181.6" fill="black" transform="rotate(0,104,176)"/>
                  <polygon class="arrowhead" points="112,64 100,58.4 100,69.6" fill="black" transform="rotate(0,104,64)"/>
                  <polygon class="arrowhead" points="40,256 28,250.4 28,261.6" fill="black" transform="rotate(180,32,256)"/>
                  <polygon class="arrowhead" points="40,112 28,106.4 28,117.6" fill="black" transform="rotate(180,32,112)"/>
                  <g class="text">
                    <text x="28" y="36">Client</text>
                    <text x="108" y="36">Server</text>
                    <text x="152" y="68">Header:</text>
                    <text x="204" y="68">POST</text>
                    <text x="272" y="68">(Code=0.02)</text>
                    <text x="68" y="84">POST</text>
                    <text x="160" y="84">Uri-Path:</text>
                    <text x="284" y="84">"/.well-known/edhoc"</text>
                    <text x="152" y="116">Header:</text>
                    <text x="204" y="116">2.04</text>
                    <text x="256" y="116">Changed</text>
                    <text x="68" y="132">2.04</text>
                    <text x="184" y="132">Content-Format:</text>
                    <text x="356" y="132">application/edhoc+cbor-seq</text>
                    <text x="156" y="148">Payload:</text>
                    <text x="216" y="148">EDHOC</text>
                    <text x="280" y="148">message_1</text>
                    <text x="152" y="180">Header:</text>
                    <text x="204" y="180">POST</text>
                    <text x="272" y="180">(Code=0.02)</text>
                    <text x="68" y="196">POST</text>
                    <text x="160" y="196">Uri-Path:</text>
                    <text x="284" y="196">"/.well-known/edhoc"</text>
                    <text x="184" y="212">Content-Format:</text>
                    <text x="372" y="212">application/cid-edhoc+cbor-seq</text>
                    <text x="156" y="228">Payload:</text>
                    <text x="212" y="228">C_I,</text>
                    <text x="256" y="228">EDHOC</text>
                    <text x="320" y="228">message_2</text>
                    <text x="152" y="260">Header:</text>
                    <text x="204" y="260">2.04</text>
                    <text x="256" y="260">Changed</text>
                    <text x="68" y="276">2.04</text>
                    <text x="184" y="276">Content-Format:</text>
                    <text x="356" y="276">application/edhoc+cbor-seq</text>
                    <text x="156" y="292">Payload:</text>
                    <text x="216" y="292">EDHOC</text>
                    <text x="280" y="292">message_3</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art" align="center"><![CDATA[
Client    Server
  |          |
  +--------->| Header: POST (Code=0.02)
  |   POST   | Uri-Path: "/.well-known/edhoc"
  |          |
  |<---------+ Header: 2.04 Changed
  |   2.04   | Content-Format: application/edhoc+cbor-seq
  |          | Payload: EDHOC message_1
  |          |
  +--------->| Header: POST (Code=0.02)
  |   POST   | Uri-Path: "/.well-known/edhoc"
  |          | Content-Format: application/cid-edhoc+cbor-seq
  |          | Payload: C_I, EDHOC message_2
  |          |
  |<---------+ Header: 2.04 Changed
  |   2.04   | Content-Format: application/edhoc+cbor-seq
  |          | Payload: EDHOC message_3
  |          |
]]></artwork>
            </artset>
          </figure>
        </section>
        <section anchor="edhoc-oscore-over-coap">
          <name>Errors in EDHOC over CoAP</name>
          <t>When using EDHOC over CoAP, EDHOC error messages sent as CoAP responses MUST <bcp14>MUST</bcp14> be sent in the payload of error responses, i.e., they MUST <bcp14>MUST</bcp14> specify a CoAP error response code. In particular, it is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that such error responses have response code either 4.00 (Bad Request) in case of client error (e.g., due to a malformed EDHOC message), message) or 5.00 (Internal Server Error) in case of server error (e.g., due to failure in deriving EDHOC keying material). The Content-Format of the error response MUST <bcp14>MUST</bcp14> be set to application/edhoc+cbor-seq, "application/edhoc+cbor-seq"; see <xref target="content-format"/>.</t>
        </section>
      </section>
    </section>
    <section anchor="comrep">
      <name>Compact Representation</name>
      <t>This section defines a format for compact representation based on the Elliptic-Curve-Point-to-Octet-String Conversion defined in Section 2.3.3 of <xref target="SECG"/>.</t>
      <t>As described in Section 4.2 of <xref target="RFC6090"/> target="RFC6090" section="4.2" sectionFormat="of"/>, the x-coordinate of an elliptic curve public key is a suitable representative for the entire point whenever scalar multiplication is used as a one-way function. One example is ECDH with compact output, where only the x-coordinate of the computed value is used as the shared secret.</t>
      <t>In EDHOC, compact representation is used for the ephemeral public keys (G_X and G_Y), G_Y); see <xref target="cose_key"/>. Using the notation from <xref target="SECG"/>, the output is an octet string of length ceil( (log2 q) / 8 ), where ceil(x) is the smallest integer not less than x. See <xref target="SECG"/> for a definition of q, M, X, xp, and ~yp. The steps in Section 2.3.3 of <xref target="SECG"/> are replaced by:</t> with the following steps:</t>
      <ol spacing="normal" type="1"><li>Convert the field element xp to an octet string X of length ceil( (log2 q) / 8 ) octets using the conversion routine specified in Section 2.3.5 of <xref target="SECG"/>.</li>
        <li>Output M = X</li> X.</li>
      </ol>
      <t>The encoding of the point at infinity is not supported.</t>
      <t>Compact representation does not change any requirements on validation, validation; see <xref target="crypto"/>. Using compact representation has some security benefits. An implementation does not need to check that the point is not the point at infinity (the identity element). Similarly, as not even the sign of the y-coordinate is encoded, compact representation trivially avoids so-called "benign malleability" attacks where an attacker changes the sign, sign; see <xref target="SECG"/>.</t>
      <t>The following may be needed for validation or compatibility with APIs that do not support compact representation or do not support the full <xref target="SECG"/> format:</t>
      <ul spacing="normal">
        <li>If a compressed y-coordinate is required, then the value ~yp set to zero can be used. The In such a case, the compact representation described above can in such a case be transformed into the SECG point compressed Standards for Efficient Cryptography Group (SECG) point-compressed format by prepending it with the single byte 0x02 (i.e., M = 0x02 || X).</li>
        <li>If an uncompressed y-coordinate is required, then a y-coordinate has to be calculated following Section 2.3.4 of <xref target="SECG"/> or Appendix C of <xref target="RFC6090"/>. target="RFC6090" sectionFormat="of" section="C"/>. Any of the square roots (see <xref target="SECG"/> or <xref target="RFC6090"/>) can be used. The uncompressed SECG format is M = 0x04 || X || Y.</li>
      </ul>
      <t>For example: The curve P-256 has the parameters (using the notation in <xref target="RFC6090"/>)</t> target="RFC6090"/>):</t>
      <ul spacing="normal">
        <li>p = 2<sup>256</sup>  - 2<sup>224</sup> + 2<sup>192</sup> + 2<sup>96</sup>  - 1</li>
        <li>a = -3</li>
        <li>b = 410583637251521421293261297800472684091144410159937255
54835256314039467401291</li>
      </ul>
      <t>Given an example x:</t>
      <ul spacing="normal">
        <li>x = 115792089183396302095546807154740558443406795108653336
398970697772788799766525</li>
      </ul>
      <t>we
      <t>We can calculate y as the square root w = (x<sup>3</sup> + a <contact fullname="⋅"/>  x + b)<sup>((p + 1)/4)</sup> (mod p)</t> p).</t>
      <ul spacing="normal">
        <li>y = 834387180070192806820075864918626005281451259964015754
16632522940595860276856</li>
      </ul>
      <t>Note that this does not guarantee that (x, y) is on the correct elliptic curve. A full validation according to Section 5.6.2.3.3 of <xref target="SP-800-56A"/> can be achieved is done by also checking that 0 <contact fullname="≤"/>  x &lt; p and that y<sup>2</sup> <contact fullname="≡"/>  x<sup>3</sup> + a <contact fullname="⋅"/>  x + b (mod p).</t>
    </section>
    <section anchor="CBORandCOSE">
      <name>Use of CBOR, CDDL, and COSE in EDHOC</name>
      <t>This Appendix appendix is intended to help implementors not familiar with CBOR <xref target="RFC8949"/>, CDDL <xref target="RFC8610"/>, COSE <xref target="RFC9052"/>, and HKDF <xref target="RFC5869"/>.</t>
      <section anchor="CBOR">
        <name>CBOR and CDDL</name>
        <t>The Concise Binary Object Representation (CBOR) <xref target="RFC8949"/> is a data format designed for small code size and small message size. CBOR builds on the JSON data model but extends it by by, e.g., encoding binary data directly without base64 conversion. In addition to the binary CBOR encoding, CBOR also has a diagnostic notation that is readable and editable by humans. The Concise Data Definition Language (CDDL) <xref target="RFC8610"/> provides a way to express structures for protocol messages and APIs that use CBOR. <xref target="RFC8610"/> also extends the diagnostic notation.</t>
        <t>CBOR data items are encoded to or decoded from byte strings using a type-length-value encoding scheme, where the three highest order bits of the initial byte contain information about the major type. CBOR supports several types of data items, in addition to integers (int, uint), simple values, byte strings (bstr), and text strings (tstr), (tstr). CBOR also supports arrays []  of data items, maps {} of pairs of data items, and sequences <xref target="RFC8742"/> of data items. Some examples are given below.</t>
        <t>The EDHOC specification sometimes use CDDL names in CBOR diagnostic notation as in in, e.g., &lt;&lt; ID_CRED_R, ? EAD_2 &gt;&gt;. This means that EAD_2 is optional and that ID_CRED_R and EAD_2 should be substituted with their values before evaluation. I.e., That is, if ID_CRED_R = { 4 : h'' } and EAD_2 is omitted omitted, then &lt;&lt; ID_CRED_R, ? EAD_2 &gt;&gt; = &lt;&lt; { 4 : h'' } &gt;&gt;, which encodes to 0x43a10440. We also make use of the occurrence symbol "*", like in in, e.g.,  2* int, meaning two or more CBOR integers.</t>
        <t>For a complete specification and more examples, see <xref target="RFC8949"/> and <xref target="RFC8610"/>. We recommend implementors get used to CBOR by using the CBOR playground <xref target="CborMe"/>.</t>
        <figure anchor="fig-cbor-examples">

<table anchor="tab-cbor-examples">
<name>Examples of use Use of CBOR and CDDL.</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="304" width="480" viewBox="0 0 480 304" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,48 L 472,48" fill="none" stroke="black"/>
                <path d="M 8,288 L 472,288" fill="none" stroke="black"/>
                <g class="text">
                  <text x="52" y="36">Diagnostic</text>
                  <text x="200" y="36">Encoded</text>
                  <text x="356" y="36">Type</text>
                  <text x="16" y="68">1</text>
                  <text x="188" y="68">0x01</text>
                  <text x="372" y="68">unsigned</text>
                  <text x="440" y="68">integer</text>
                  <text x="20" y="84">24</text>
                  <text x="196" y="84">0x1818</text>
                  <text x="372" y="84">unsigned</text>
                  <text x="440" y="84">integer</text>
                  <text x="24" y="100">-24</text>
                  <text x="188" y="100">0x37</text>
                  <text x="372" y="100">negative</text>
                  <text x="440" y="100">integer</text>
                  <text x="24" y="116">-25</text>
                  <text x="196" y="116">0x3818</text>
                  <text x="372" y="116">negative</text>
                  <text x="440" y="116">integer</text>
                  <text x="28" y="132">true</text>
                  <text x="188" y="132">0xf5</text>
                  <text x="364" y="132">simple</text>
                  <text x="416" y="132">value</text>
                  <text x="24" y="148">h''</text>
                  <text x="188" y="148">0x40</text>
                  <text x="356" y="148">byte</text>
                  <text x="404" y="148">string</text>
                  <text x="40" y="164">h'12cd'</text>
                  <text x="204" y="164">0x4212cd</text>
                  <text x="356" y="164">byte</text>
                  <text x="404" y="164">string</text>
                  <text x="36" y="180">'12cd'</text>
                  <text x="220" y="180">0x4431326364</text>
                  <text x="356" y="180">byte</text>
                  <text x="404" y="180">string</text>
                  <text x="36" y="196">"12cd"</text>
                  <text x="220" y="196">0x6431326364</text>
                  <text x="356" y="196">text</text>
                  <text x="404" y="196">string</text>
                  <text x="16" y="212">{</text>
                  <text x="32" y="212">4</text>
                  <text x="48" y="212">:</text>
                  <text x="80" y="212">h'cd'</text>
                  <text x="112" y="212">}</text>
                  <text x="212" y="212">0xa10441cd</text>
                  <text x="352" y="212">map</text>
                  <text x="20" y="228">&lt;&lt;</text>
                  <text x="44" y="228">1,</text>
                  <text x="68" y="228">2,</text>
                  <text x="100" y="228">true</text>
                  <text x="132" y="228">&gt;&gt;</text>
                  <text x="212" y="228">0x430102f5</text>
                  <text x="356" y="228">byte</text>
                  <text x="404" y="228">string</text>
                  <text x="16" y="244">[</text>
                  <text x="36" y="244">1,</text>
                  <text x="60" y="244">2,</text>
                  <text x="92" y="244">true</text>
                  <text x="120" y="244">]</text>
                  <text x="212" y="244">0x830102f5</text>
                  <text x="360" y="244">array</text>
                  <text x="16" y="260">(</text>
                  <text x="36" y="260">1,</text>
                  <text x="60" y="260">2,</text>
                  <text x="92" y="260">true</text>
                  <text x="120" y="260">)</text>
                  <text x="204" y="260">0x0102f5</text>
                  <text x="372" y="260">sequence</text>
                  <text x="20" y="276">1,</text>
                  <text x="44" y="276">2,</text>
                  <text x="76" y="276">true</text>
                  <text x="204" y="276">0x0102f5</text>
                  <text x="372" y="276">sequence</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
 Diagnostic          Encoded              Type
-----------------------------------------------------------
 1                   0x01                 unsigned integer
 24                  0x1818               unsigned integer
 -24                 0x37                 negative integer
 -25                 0x3818               negative integer
 true                0xf5                 simple value
 h''                 0x40                 byte string
 h'12cd'             0x4212cd             byte string
 '12cd'              0x4431326364         byte string
 "12cd"              0x6431326364         text string
 { CDDL</name>
<thead>
<tr>
<th>Diagnostic</th>
<th>Encoded</th>
<th>Type</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>0x01</td>
<td>unsigned integer</td>
</tr><tr>
<td>24</td>
<td>0x1818</td>
<td>unsigned integer</td>
</tr><tr>
<td>-24</td>
<td>0x37</td>
<td>negative integer</td>
</tr><tr>
<td>-25</td>
<td>0x3818</td>
<td>negative integer</td>
</tr><tr>
<td>true</td>
<td>0xf5</td>
<td>simple value</td>
</tr><tr>
<td>h''</td>
<td>0x40</td>
<td>byte string</td>
</tr><tr>
<td>h'12cd'</td>
<td>0x4212cd</td>
<td>byte string</td>
</tr><tr>
<td>'12cd'</td>
<td>0x4431326364</td>
<td>byte string</td>
</tr><tr>
<td>"12cd"</td>
<td>0x6431326364</td>
<td>text string</td>
</tr><tr>
<td>{ 4 : h'cd' }       0xa10441cd           map
 << }</td>
<td>0xa10441cd</td>
<td>map</td>
</tr><tr>
<td>&lt;&lt; 1, 2, true >>    0x430102f5           byte string
 [ >></td>
<td>0x430102f5</td>
<td>byte string</td>
</tr><tr>
<td>[ 1, 2, true ]      0x830102f5           array
 ( ]</td>
<td>0x830102f5</td>
<td>array</td>
</tr><tr>
<td>( 1, 2, true )      0x0102f5             sequence )</td>
<td>0x0102f5</td>
<td>sequence</td>
</tr><tr>
<td> 1, 2, true          0x0102f5             sequence
-----------------------------------------------------------
]]></artwork>
          </artset>
        </figure> true</td>
<td>0x0102f5</td>
<td>sequence</td>
</tr>
</tbody>
</table>

</section>

      <section anchor="CDDL">
        <name>CDDL Definitions</name>
        <t>This section compiles the CDDL definitions for ease of reference.</t>
        <sourcecode type="CDDL"><![CDATA[
suites = [ 2* int ] / int

ead = (
  ead_label : int,
  ? ead_value : bstr,
)

EAD_1 = 1* ead
EAD_2 = 1* ead
EAD_3 = 1* ead
EAD_4 = 1* ead

message_1 = (
  METHOD : int,
  SUITES_I : suites,
  G_X : bstr,
  C_I : bstr / -24..23,
  ? EAD_1,
)

message_2 = (
  G_Y_CIPHERTEXT_2 : bstr,
)

PLAINTEXT_2 = (
  C_R,
  ID_CRED_R : map / bstr / -24..23,
  Signature_or_MAC_2 : bstr,
  ? EAD_2,
)

message_3 = (
  CIPHERTEXT_3 : bstr,
)

PLAINTEXT_3 = (
  ID_CRED_I : map / bstr / -24..23,
  Signature_or_MAC_3 : bstr,
  ? EAD_3,
)

message_4 = (
  CIPHERTEXT_4 : bstr,
)

PLAINTEXT_4 = (
  ? EAD_4,
)

error = (
  ERR_CODE : int,
  ERR_INFO : any,
)

info = (
  info_label : int,
  context : bstr,
  length : uint,
)
]]></sourcecode>
      </section>
      <section anchor="COSE">
        <name>COSE</name>
        <t>CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/> describes how to create and process signatures, message authentication codes, MACs, and encryption encryptions using CBOR. COSE builds on JOSE, JSON Object Signing and Encryption (JOSE) but is adapted to allow more efficient processing in constrained devices. EDHOC makes use of COSE_Key, COSE_Encrypt0, and COSE_Sign1 objects in the message processing:</t>
        <ul spacing="normal">
          <li>ECDH ephemeral public keys of type EC2 or OKP in message_1 and message_2 consist of the COSE_Key parameter named 'x', 'x'; see Section 7.1 Sections <xref target="RFC9053" section="7.1" sectionFormat="bare"/> and 7.2 <xref target="RFC9053" section="7.2" sectionFormat="bare"/> of <xref target="RFC9053"/></li> target="RFC9053"/>.</li>
          <li>
            <t>The ciphertexts in message_3 and message_4 consist of a subset of the single recipient encrypted data object COSE_Encrypt0, which is described in Sections 5.2-5.3 <xref target="RFC9052" sectionFormat="bare" section="5.2"/> and <xref target="RFC9052" sectionFormat="bare" section="5.3"/> of <xref target="RFC9052"/>. The ciphertext is computed over the plaintext and associated data, using an encryption key and an initialization vector. The associated data is an Enc_structure consisting of protected headers and externally supplied data (external_aad). COSE constructs the input to the AEAD <xref target="RFC5116"/> for message_i (i = 3 or 4, 4; see Sections <xref target="m3"/> target="m3" format="counter"/> and <xref target="m4"/>, target="m4" format="counter"/>, respectively) as follows:  </t>
            <ul spacing="normal">
              <li>Secret key K = K_i</li>
              <li>Nonce N = IV_i</li>
              <li>Plaintext P for message_i</li>
              <li>Associated Data A = [ "Encrypt0", h'', TH_i ]</li>
            </ul>
          </li>
          <li>
            <t>Signatures in message_2 of method 0 and 2, and in message_3 of method 0 and 1, consist of a subset of the single signer data object COSE_Sign1, which is described in Sections 4.2-4.4 <xref  target="RFC9052" sectionFormat="bare" section="4.2"/> and <xref target="RFC9052" sectionFormat="bare" section="4.4"/> of <xref target="RFC9052"/>. The signature is computed over a Sig_structure containing payload, protected headers and externally supplied data (external_aad) using a private signature key key, and verified using the corresponding public signature key. For COSE_Sign1, the message to be signed is:  </t>
            <artwork><![CDATA[
 [ "Signature1", protected, external_aad, payload ]
]]></artwork>
            <t>
where protected, external_aad external_aad, and payload are specified in Sections <xref target="m2"/> target="m2" format="counter"/> and <xref target="m3"/>.</t> target="m3" format="counter"/>.</t>
          </li>
        </ul>
        <t>Different header parameters to identify X.509 or C509 certificates by reference are defined in <xref target="RFC9360"/> and <xref target="I-D.ietf-cose-cbor-encoded-cert"/>:</t>
        <ul spacing="normal">
          <li>
            <t>by a hash value with the 'x5t' or 'c5t' parameters, respectively:  </t>
            <ul spacing="normal">
              <li>ID_CRED_x = { 34 : COSE_CertHash }, for x = I or R,</li> R and</li>
              <li>ID_CRED_x = { TBD3 22 : COSE_CertHash }, for x = I or R;</li> R,</li>
            </ul>
          </li>
          <li>
            <t>or by a URI with the 'x5u' or 'c5u' parameters, respectively:  </t>
            <ul spacing="normal">
              <li>ID_CRED_x = { 35 : uri }, for x = I or R,</li> R, and</li>
              <li>ID_CRED_x = { TBD4 23 : uri }, for x = I or R.</li>
            </ul>
          </li>
        </ul>
        <t>When ID_CRED_x does not contain the actual credential, it may be very short, e.g., if the endpoints have agreed to use a key identifier parameter 'kid':</t>
        <ul spacing="normal">
          <li>ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I or R. For further optimization, see <xref target="id_cred"/>.</li>
        </ul>
        <t>Note that ID_CRED_x can contain several header parameters, for example example, { x5u, x5t } or { kid, kid_context }.</t>
        <t>ID_CRED_x MAY <bcp14>MAY</bcp14> also identify the credential by value. For example, a certificate chain can be transported in an ID_CRED field with COSE header parameter c5c or x5chain, as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/> and <xref target="RFC9360"/> and credentials target="RFC9360"/>. Credentials of type CWT and CCS can be transported with the COSE header parameters registered in <xref target="cwt-header-param"/>.</t>
      </section>
    </section>
    <section anchor="auth-validation">
      <name>Authentication Related
      <name>Authentication-Related Verifications</name>
      <t>EDHOC performs certain authentication related operations, see authentication-related operations (see <xref target="auth-key-id"/>, target="auth-key-id"/>), but in general general, it is necessary to make additional verifications beyond EDHOC message processing. Which verifications that are needed depend on the deployment, in particular particular, the trust model and the security policies, but most commonly commonly, it can be expressed in terms of verifications of credential content.</t>
      <t>EDHOC assumes the existence of mechanisms (certification authority or other trusted third party, pre-provisioning, etc.) for generating and distributing authentication credentials and other credentials, as well as the existence of trust anchors (CA certificates, trusted public keys, etc.). For example, a public key certificate or CWT may rely on a trusted third party whose public key is pre-provisioned, whereas a CCS or a self-signed certificate/CWT certificate / CWT may be used when trust in the public key can be achieved by other means, or in the case of Trust trust on first use, see <xref target="tofu"/>.</t>
      <t>In this section section, we provide some examples of such verifications. These verifications are the responsibility of the application but may be implemented as part of an EDHOC library.</t>
      <section anchor="validating-auth-credential">
        <name>Validating the Authentication Credential</name>
        <t>The authentication credential may contain, in
        <t>In addition to the authentication key, the authentication credential may contain other parameters that needs need to be verified. For example:</t>
        <ul spacing="normal">
          <li>In X.509 and C509 certificates, signature keys typically have key usage "digitalSignature" "digitalSignature", and Diffie-Hellman public keys typically have key usage "keyAgreement" <xref target="RFC3279"/><xref target="RFC3279"/> <xref target="RFC8410"/>.</li>
          <li>In X.509 and C509 certificates certificates, validity is expressed using Not After and Not Before. In CWT and CCS, the “exp” "exp" and “nbf” "nbf" claims have similar meanings.</li>
        </ul>
      </section>
      <section anchor="identities">
        <name>Identities</name>
        <t>The application must decide on allowing a connection or not not, depending on the intended endpoint, and in particular whether it is a specific identity or in a set of identities. To prevent misbinding attacks, the identity of the endpoint is included in a MAC verified through the protocol. More details and examples are provided in this section.</t>
        <t>Policies for what connections to allow are typically set based on the identity of the other endpoint, and endpoints typically only allow connections from a specific identity or a small restricted set of identities. For example, in the case of a device connecting to a network, the network may only allow connections from devices which that authenticate with certificates having a particular range of serial numbers and signed by a particular CA. Conversely, a device may only be allowed to connect to a network which that authenticates with a particular public key.</t>
        <ul spacing="normal">
          <li>When a Public Key Infrastructure (PKI) is used with certificates, the identity is the subject whose unique name, e.g., a domain name, a Network Access Identifier (NAI), or an Extended Unique Identifier (EUI), is included in the endpoint's certificate.</li>
          <li>Similarly, when a PKI is used with CWTs, the identity is the subject identified by the relevant claim(s), such as 'sub' (subject).</li>
          <li>When PKI is not used (e.g., CCS, self-signed certificate/CWT) certificate / CWT), the identity is typically directly associated with the authentication key of the other party. For example, if identities can be expressed in the form of unique subject names assigned to public keys, then a binding to identity is achieved by including both the public key and associated subject name in the authentication credential: credential. CRED_I or CRED_R may be a self-signed certificate/CWT certificate / CWT or CCS containing the authentication key and the subject name, name; see <xref target="auth-cred"/>. Each Thus, each endpoint thus needs to know the specific authentication key/unique key / unique associated subject name, name or set of public authentication keys/unique keys / unique associated subject names, which it is allowed to communicate with.</li>
        </ul>
        <t>To prevent misbinding attacks in systems where an attacker can register public keys without proving knowledge of the private key, SIGMA <xref target="SIGMA"/> enforces a MAC to be calculated over the "identity". EDHOC follows SIGMA by calculating a MAC over the whole authentication credential, which in case of an X.509 or C509 certificate certificate, includes the "subject" and "subjectAltName" fields, and fields and, in the case of CWT or CCS CCS, includes the "sub" claim.</t>
        <t>(While the SIGMA paper only focuses on the identity, the same principle is true for other information such as policies associated with the public key.)</t>
      </section>
      <section anchor="cert-path">
        <name>Certification Path and Trust Anchors</name>
        <t>When a Public Key Infrastructure (PKI) is used with certificates, the trust anchor is a Certification Authority certification authority (CA) certificate. Each party needs at least one CA public key certificate, certificate or just the CA public key. The certification path contains proof that the subject of the certificate owns the public key in the certificate. Only validated public-key public key certificates are to be accepted.</t>
        <t>Similarly, when a PKI is used with CWTs, each party needs to have at least one trusted third party third-party public key as a trust anchor to verify the end entity CWTs. The trusted third party third-party public key can, e.g., be stored in a self-signed CWT or in a CCS.</t>
        <t>The signature of the authentication credential needs to be verified with the public key of the issuer. X.509 and C509 certificates includes the “Issuer” "Issuer" field. In CWT and CCS, the “iss” "iss" claim has a similar meaning. The public key is either a trust anchor or the public key in another valid and trusted credential in a certification path from the trust anchor to the authentication credential.</t>
        <t>Similar verifications as made with the authentication credential (see <xref target="validating-auth-credential"/>) are also needed for the other credentials in the certification path.</t>
        <t>When PKI is not used (CCS, (CCS and self-signed certificate/CWT), certificate / CWT), the trust anchor is the authentication key of the other party, party; in which case case, there is no certification path.</t>
      </section>
      <section anchor="revocation">
        <name>Revocation Status</name>
        <t>The application may need to verify that the credentials are not revoked, revoked; see <xref target="impl-cons"/>. Some use cases may be served by short-lived credentials, for example, where the validity of the credential is on par with the interval between revocation checks. But, in general, credential lifetime and revocation checking are complementary measures to control credential status. Revocation information may be transported as External Authentication Authorization Data (EAD), (EAD); see <xref target="ead-appendix"/>.</t>
      </section>
      <section anchor="tofu">
        <name>Unauthenticated Operation</name>
        <t>EDHOC might be used without authentication by allowing the Initiator or Responder to communicate with any identity except its own. Note that EDHOC without mutual authentication is vulnerable to active on-path attacks and therefore unsafe for general use. However, it is possible to later establish a trust relationship with an unknown or not-yet-trusted endpoint. Some examples:</t> examples are listed below:</t>
        <ul spacing="normal">
          <li>The EDHOC authentication credential can be verified out-of-band at a later stage.</li>
          <li>The EDHOC session key can be bound to an identity out-of-band at a later stage.</li>
          <li>Trust on first use (TOFU) can be used to verify that several EDHOC connections are made to the same identity. TOFU combined with proximity is a common IoT deployment model which that provides good security if done correctly. Note that secure proximity based on short range wireless technology requires very low signal strength or very low latency.</li>
        </ul>
      </section>
    </section>
    <section anchor="ead-appendix">
      <name>Use of External Authorization Data</name>
      <t>In order to reduce the number of messages and round trips, or to simplify processing, external security applications may be integrated into EDHOC by transporting related external authorization data (EAD) in the messages.</t>
      <t>The EAD format is specified in <xref target="AD"/>, this target="AD"/>. This section contains examples and further details of how EAD may be used with an appropriate accompanying specification.</t>
      <ul spacing="normal">
        <li>One example is third party assisted third-party-assisted authorization, requested with EAD_1, and an authorization artifact (“voucher”, ("voucher", cf. <xref target="RFC8366"/>) returned in EAD_2, EAD_2; see <xref target="I-D.selander-lake-authz"/>.</li> target="I-D.ietf-lake-authz"/>.</li>
        <li>Another example is remote attestation, requested in EAD_2, and an Entity Attestation Token (EAT, (EAT) <xref target="I-D.ietf-rats-eat"/>) target="I-D.ietf-rats-eat"/> returned in EAD_3.</li>
        <li>A third example is certificate enrolment, enrollment, where a Certificate Signing Request (CSR, (CSR) <xref target="RFC2986"/>) target="RFC2986"/> is included in EAD_3, and the issued public key certificate (X.509 <xref target="RFC5280"/>, target="RFC5280"/> and C509 <xref target="I-D.ietf-cose-cbor-encoded-cert"/>) or a reference thereof is returned in EAD_4.</li>
      </ul>
      <t>External authorization data should be considered unprotected by EDHOC, and the protection of EAD is the responsibility of the security application (third party (third-party authorization, remote attestation, certificate enrolment, enrollment, etc.). The security properties of the EAD fields (after EDHOC processing) are discussed in <xref target="sec-prop"/>.</t>
      <t>The content of the EAD field may be used in the EDHOC processing of the message in which they are contained. For example, authentication related information authentication-related information, like assertions and revocation information, transported in EAD fields may provide input about trust anchors or validity of credentials relevant to the authentication processing. The EAD fields (like ID_CRED fields) are therefore made available to the application before the message is verified, verified; see details of message processing in <xref target="asym"/>. In the first example above, a voucher in EAD_2 made available to the application can enable the Initiator to verify the identity or the public key of the Responder before verifying the signature. An application allowing EAD fields containing authentication information thus may need to handle authentication related authentication-related verifications associated with EAD processing.</t>
      <t>Conversely, the security application may need to wait for EDHOC message verification to complete. In the third example above, the validation of a CSR carried in EAD_3 is not started by the Responder before EDHOC has successfully verified message_3 and proven the possession of the private key of the Initiator.</t>
      <t>The security application may reuse EDHOC protocol fields which that therefore need to be available to the application. For example, the security application may use the same crypto algorithms as in the EDHOC session and therefore needs access to the selected cipher suite (or the whole SUITES_I). The application may use the ephemeral public keys G_X and G_Y, G_Y as ephemeral keys or as nonces, nonces; see <xref target="I-D.selander-lake-authz"/>.</t> target="I-D.ietf-lake-authz"/>.</t>
      <t>The processing of the EAD item (ead_label, ? ead_value) by the security application needs to be described in the specification where the ead_label is registered, see registered (see <xref target="iana-ead"/>, target="iana-ead"/>), including the optional ead_value for each message and actions in case of errors. An application may support multiple security applications that make use of EAD, which may result in multiple EAD items in one EAD field, field; see <xref target="AD"/>. Any dependencies on security applications with previously registered EAD items needs need to be documented, and the processing needs to consider their simultaneous use.</t>
      <t>Since data carried in EAD may not be protected, or be processed by the application before the EDHOC message is verified, special considerations need to be made such that it does not violate security and privacy requirements of the service which that uses this data, data; see <xref target="unprot-data"/>. The content in an EAD item may impact the security properties provided by EDHOC. Security applications making use of the EAD items must perform the necessary security analysis.</t>
    </section>
    <section anchor="appl-temp">
      <name>Application Profile Example</name>
      <t>This appendix contains a rudimentary example of an application profile, profile; see <xref target="applicability"/>.</t>
      <t>For use of EDHOC with application X X, the following assumptions are made:</t>
      <ol spacing="normal" type="1"><li>Transfer in CoAP as specified in <xref target="coap"/> with requests expected by the CoAP server (= Responder) at /app1-edh, no Content-Format needed.</li>
        <li>METHOD = 1 (I uses signature key, key; R uses static DH key.)</li>
        <li>
          <t>CRED_I is an encoded with IEEE 802.1AR IDevID encoded as a C509 certificate of type 0 <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.
          </t>
          <ul spacing="normal">
            <li>R acquires CRED_I out-of-band, indicated in EAD_1.</li>
            <li>ID_CRED_I = {4: h''} is a 'kid' with the value of the empty CBOR byte string.</li>
          </ul>
        </li>
        <li>
          <t>CRED_R is a CCS of type OKP as specified in <xref target="auth-cred"/>.
          </t>
          <ul spacing="normal">
            <li>The CBOR map has parameters 1 (kty), -1 (crv), and -2 (x-coordinate).</li>
            <li>ID_CRED_R is {TBD2 {14 : CCS}.   Editor's note: TBD2 is the COSE header parameter value of 'kccs', see <xref target="cwt-header-param"/></li> CCS}.</li>
          </ul>
        </li>
        <li>External authorization data is defined and processed as specified in <xref target="I-D.selander-lake-authz"/>.</li> target="I-D.ietf-lake-authz"/>.</li>
        <li>EUI-64 is used as the identity of the endpoint (see an example in <xref target="auth-cred"/>).</li>
        <li>No use of message_4: the message_4. The application sends protected messages from R to I.</li>
      </ol>
    </section>
    <section anchor="large-plaintext_2">
      <name>Long PLAINTEXT_2</name>
      <t>By the definition of encryption of PLAINTEXT_2 with KEYSTREAM_2, it is limited to lengths of PLAINTEXT_2 not exceeding the output of EDHOC_KDF, EDHOC_KDF; see <xref target="expand"/>. If the EDHOC hash algorithm is SHA-2 SHA-2, then HKDF-Expand is used, which limits the length of the EDHOC_KDF output to 255 <contact fullname="⋅"/>  hash_length, where hash_length is the length of the output of the EDHOC hash algorithm given by the cipher suite. For example, with SHA-256 as an EDHOC hash algorithm, the length of the hash output is 32 bytes and the maximum length of PLAINTEXT_2 is 255 <contact fullname="⋅"/>  32 = 8160 bytes.</t>
      <t>While PLAINTEXT_2 is expected to be much shorter than 8 kB for the intended use cases, it seems nevertheless prudent to specify a solution for the event that this should turn out to be a limitation.</t>
      <t>A potential work-around is to use a cipher suite with a different hash function. In particular, the use of KMAC removes all practical limitations in this respect.</t>
      <t>This section specifies a solution which that works with any hash function, function by making use of multiple invocations of HKDF-Expand and negative values of info_label.</t>
      <t>Consider the PLAINTEXT_2 partitioned in parts P(i) of length equal to M = 255 <contact fullname="⋅"/>  hash_length, except possibly the last part P(last) P(last), which has 0 &lt; length <contact fullname="≤"/>  M.</t>
      <artwork><![CDATA[
PLAINTEXT_2 = P(0) | P(1) | ... | P(last)
]]></artwork>
      <t>where | "|" indicates concatenation.</t>
      <t>The object is to define a matching KEYSTREAM_2 of the same length and perform the encryption in the same way as defined in <xref target="asym-msg2-proc"/>:</t>
      <artwork><![CDATA[
CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2
]]></artwork>
      <t>Define the keystream as:</t>
      <artwork><![CDATA[
KEYSTREAM_2 = OKM(0) | OKM(1)  | ... | OKM(last)
]]></artwork>
      <t>where</t>
      <t>where:</t>
      <artwork><![CDATA[
OKM(i) = EDHOC_KDF( PRK_2e, -i, TH_2, length(P(i)) )
]]></artwork>
      <t>Note that if length(PLAINTEXT_2) <contact fullname="≤"/> M ≤ M, then P(0) = PLAINTEXT_2 and the definition of KEYSTREAM_2 = OKM(0) coincides with <xref target="fig-edhoc-kdf"/>.</t>
      <t>This describes the processing of the Responder when sending message_2. The Initiator makes the same calculations when receiving message_2, message_2 but interchanging PLAINTEXT_2 and CIPHERTEXT_2.</t>
      <t>An application profile may specify if it supports or does not support the method described in this appendix.</t>
    </section>
    <section anchor="keyupdate">
      <name>EDHOC_KeyUpdate</name>
      <t>To provide forward secrecy in an even more efficient way than re-running EDHOC, this section specifies the optional function EDHOC_KeyUpdate in terms of EDHOC_KDF and PRK_out.</t>
      <t>When EDHOC_KeyUpdate is called, a new PRK_out is calculated as a "hash" of the old PRK_out using output of the EDHOC_Expand function as illustrated by with the following pseudocode. old PRK_out as input. The change of PRK_out causes a change to PRK_exporter PRK_exporter, which enables the derivation of new application keys superseding the old ones, using EDHOC_Exporter, EDHOC_Exporter; see <xref target="exporter"/>.</t> target="exporter"/>. The process is illustrated by the following pseudocode.</t>
      <artwork><![CDATA[
EDHOC_KeyUpdate( context ):
   new PRK_out = EDHOC_KDF( old PRK_out, 11, context, hash_length )
   new PRK_exporter = EDHOC_KDF( new PRK_out, 10, h'', hash_length )
]]></artwork>
      <t>where hash_length denotes the denotes the output size in bytes of the EDHOC hash algorithm of the selected cipher suite.</t>
      <t>The
      <t>   The EDHOC_KeyUpdate takes a the context as input to enable binding of
   the updated PRK_out to some event that triggered the key update.  The
   Initiator and the Responder need to agree on the context, which can,
   e.g., be a counter, a pseudorandom number, or a hash.  To provide
   forward secrecy secrecy, the old PRK_out and keys derived from it (old
   PRK_exporter and old application keys) must be deleted as soon as
   they are not needed.  When to delete the old keys and how to verify
   that they are not needed is up to the application.</t> application. Note that the
   security properties depend on the type of context and the number
   of KeyUpdate iterations.</t>
      <t>An application using EDHOC_KeyUpdate needs to store PRK_out. Compromise of PRK_out leads to compromise of all keying material derived with the EDHOC_Exporter since the last invocation of the EDHOC_KeyUpdate function.</t>
      <t>While this key update method provides forward secrecy secrecy, it does not give as strong security properties as re-running EDHOC. EDHOC_KeyUpdate can be used to meet cryptographic limits and provide partial protection against key leakage, but it provides significantly weaker security properties than re-running EDHOC with ephemeral Diffie-Hellman. Even with frequent use of EDHOC_KeyUpdate, compromise of one session key compromises all future session keys, and an attacker therefore only needs to perform static key exfiltration <xref target="RFC7624"/>, which is less complicated and has a lower risk profile than the dynamic case, case; see <xref target="sec-prop"/>.</t>
      <t>A similar method to do a key update for OSCORE is KUDOS, KUDOS; see <xref target="I-D.ietf-core-oscore-key-update"/>.</t>
    </section>
    <section anchor="example-protocol-state-machine">
      <name>Example Protocol State Machine</name>
      <t>This appendix describes an example protocol state machine for the Initiator and for the Responder. States are denoted in all capitals capitals, and parentheses denote actions taken only in some circumstances.</t>
      <t>Note that this state machine is just an example, and that details of processing are omitted, for omitted. For example:</t>
      <ul spacing="normal">
        <li>When
        <li>when error messages are being sent (with one exception)</li>
        <li>How exception);</li>
        <li>how credentials and EAD are processed by EDHOC and the application in the RCVD state</li>
        <li>What state; and</li>
        <li>what verifications are made, which includes not only MACs and signatures</li> signatures.</li>
      </ul>
      <section anchor="initiator-state-machine">
        <name>Initiator State Machine</name>
        <t>The Initiator sends message_1, triggering the state machine to transition from START to WAIT_M2, and waits for message_2.</t>
        <t>If the incoming message is an error message message, then the Initiator transitions from WAIT_M2 to ABORTED. In case of error code 2 (Wrong Selected Cipher Suite), the Initiator remembers the supported cipher suites for this particular Responder and transitions from ABORTED to START. The message_1 that the Initiator subsequently sends takes into account the cipher suites supported by the Responder.</t>
        <t>Upon receiving a non-error message, the Initiator transitions from WAIT_M2 to RCVD_M2 and processes the message. If a processing error occurs on message_2, then the Initiator transitions from RCVD_M2 to ABORTED. In case of successful processing of message_2, the Initiator transitions from RCVD_M2 to VRFD_M2.</t>
        <t>The Initiator prepares and processes message_3 for sending. If any processing error is encountered, the Initiator transitions from VRFD_M2 to ABORTED. If message_3 is successfully sent, the Initiator transitions from VRFD_M2 to COMPLETED.</t>
        <t>If the application profile includes message_4, then the Initiator waits for message_4. If the incoming message is an error message message, then the Initiator transitions from COMPLETED to ABORTED. Upon receiving a non-error message, the Initiator transitions from COMPLETED (="WAIT_M4") to RCVD_M4 and processes the message. If a processing error occurs on message_4, then the Initiator transitions from RCVD_M4 to ABORTED. In case of successful processing of message_4, the Initiator transitions from RCVD_M4 to PERSISTED (="VRFD_M4").</t>
        <t>If the application profile does not include message_4, then the Initiator waits for an incoming application message. If the decryption and verification of the application message is successful, then the Initiator transitions from COMPLETED to PERSISTED.</t>

	<figure>
  <name>Initiator State Machine</name>
        <artset>
          <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="528" width="536" height="" width="" viewBox="0 0 536 528" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 40,32 L 40,48" fill="none" stroke="black"/>
              <path d="M 40,128 L 40,432" fill="none" stroke="black"/>
              <path d="M 232,48 L 232,96" fill="none" stroke="black"/>
              <path d="M 232,128 L 232,176" fill="none" stroke="black"/>
              <path d="M 232,208 L 232,256" fill="none" stroke="black"/>
              <path d="M 232,288 L 232,336" fill="none" stroke="black"/>
              <path d="M 232,368 L 232,416" fill="none" stroke="black"/>
              <path d="M 232,448 L 232,496" fill="none" stroke="black"/>
              <path d="M 424,352 L 424,512" fill="none" stroke="black"/>
              <path d="M 72,112 L 200,112" fill="none" stroke="black"/>
              <path d="M 40,192 L 200,192" fill="none" stroke="black"/>
              <path d="M 40,272 L 200,272" fill="none" stroke="black"/>
              <path d="M 40,352 L 200,352" fill="none" stroke="black"/>
              <path d="M 296,352 L 424,352" fill="none" stroke="black"/>
              <path d="M 40,432 L 192,432" fill="none" stroke="black"/>
              <path d="M 296,512 L 424,512" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="304,512 292,506.4 292,517.6" fill="black" transform="rotate(180,296,512)"/>
              <polygon class="arrowhead" points="240,496 228,490.4 228,501.6" fill="black" transform="rotate(90,232,496)"/>
              <polygon class="arrowhead" points="240,416 228,410.4 228,421.6" fill="black" transform="rotate(90,232,416)"/>
              <polygon class="arrowhead" points="240,336 228,330.4 228,341.6" fill="black" transform="rotate(90,232,336)"/>
              <polygon class="arrowhead" points="240,256 228,250.4 228,261.6" fill="black" transform="rotate(90,232,256)"/>
              <polygon class="arrowhead" points="240,176 228,170.4 228,181.6" fill="black" transform="rotate(90,232,176)"/>
              <polygon class="arrowhead" points="240,96 228,90.4 228,101.6" fill="black" transform="rotate(90,232,96)"/>
              <polygon class="arrowhead" points="80,112 68,106.4 68,117.6" fill="black" transform="rotate(180,72,112)"/>
              <polygon class="arrowhead" points="48,360 36,354.4 36,365.6" fill="black" transform="rotate(270,40,360)"/>
              <polygon class="arrowhead" points="48,280 36,274.4 36,285.6" fill="black" transform="rotate(270,40,280)"/>
              <polygon class="arrowhead" points="48,200 36,194.4 36,205.6" fill="black" transform="rotate(270,40,200)"/>
              <polygon class="arrowhead" points="48,128 36,122.4 36,133.6" fill="black" transform="rotate(270,40,128)"/>
              <g class="text">
                <text x="48" y="36">-</text>
                <text x="64" y="36">-</text>
                <text x="80" y="36">-</text>
                <text x="96" y="36">-</text>
                <text x="112" y="36">-</text>
                <text x="128" y="36">-</text>
                <text x="144" y="36">-</text>
                <text x="160" y="36">-</text>
                <text x="176" y="36">-</text>
                <text x="196" y="36">-&gt;</text>
                <text x="232" y="36">START</text>
                <text x="260" y="68">Send</text>
                <text x="320" y="68">message_1</text>
                <text x="40" y="84">|</text>
                <text x="112" y="100">Receive</text>
                <text x="168" y="100">error</text>
                <text x="32" y="116">ABORTED</text>
                <text x="240" y="116">WAIT_M2</text>
                <text x="272" y="148">Receive</text>
                <text x="344" y="148">message_2</text>
                <text x="116" y="180">Processing</text>
                <text x="184" y="180">error</text>
                <text x="240" y="196">RCVD_M2</text>
                <text x="268" y="228">Verify</text>
                <text x="336" y="228">message_2</text>
                <text x="116" y="260">Processing</text>
                <text x="184" y="260">error</text>
                <text x="240" y="276">VRFD_M2</text>
                <text x="260" y="308">Send</text>
                <text x="320" y="308">message_3</text>
                <text x="108" y="340">(Receive</text>
                <text x="172" y="340">error)</text>
                <text x="248" y="356">COMPLETED</text>
                <text x="276" y="388">(Receive</text>
                <text x="356" y="388">message_4)</text>
                <text x="112" y="420">(Processing</text>
                <text x="188" y="420">error)</text>
                <text x="464" y="420">(Verify</text>
                <text x="240" y="436">(RCVD_M4)</text>
                <text x="488" y="436">application</text>
                <text x="476" y="452">message)</text>
                <text x="272" y="468">(Verify</text>
                <text x="348" y="468">message_4)</text>
                <text x="248" y="516">PERSISTED</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art" align="center"><![CDATA[
    +- - - - - - - - - -> START
    |                       |
                            | Send message_1
    |                       |
          Receive error     v
ABORTED <---------------- WAIT_M2
    ^                       |
    |                       | Receive message_2
    |                       |
    |    Processing error   v
    +-------------------- RCVD_M2
    ^                       |
    |                       | Verify message_2
    |                       |
    |    Processing error   v
    +-------------------- VRFD_M2
    ^                       |
    |                       | Send message_3
    |                       |
    |    (Receive error)    v
    +-------------------- COMPLETED ----------------+
    ^                       |                       |
    |                       | (Receive message_4)   |
    |                       |                       |
    |   (Processing error)  v                       | (Verify
    +------------------- (RCVD_M4)                  |  application
                            |                       |  message)
                            | (Verify message_4)    |
                            |                       |
                            v                       |
                          PERSISTED <---------------+
]]></artwork>
</artset>
</figure>
      </section>
      <section anchor="responder-state-machine">
        <name>Responder State Machine</name>
        <t>Upon receiving message_1, the Responder transitions from START to RCVD_M1.</t>
        <t>If a processing error occurs on message_1, the Responder transitions from RCVD_M1 to ABORTED. This includes sending an error message with error code 2 (Wrong Selected Cipher Suite) if the selected cipher suite in message_1 is not supported. In case of successful processing of message_1, the Responder transitions from RCVD_M1 to VRFD_M1.</t>
        <t>The Responder prepares and processes message_2 for sending. If any processing error is encountered, the Responder transitions from VRFD_M1 to ABORTED. If message_2 is successfully sent, the Initiator transitions from VRFD_M2 to WAIT_M3, WAIT_M3 and waits for message_3.</t>
        <t>If the incoming message is an error message message, then the Responder transitions from WAIT_M3 to ABORTED.</t>
        <t>Upon receiving message_3, the Responder transitions from WAIT_M3 to RCVD_M3. If a processing error occurs on message_3, the Responder transitions from RCVD_M3 to ABORTED. In case of successful processing of message_3, the Responder transitions from RCVD_M3 to COMPLETED (="VRFD_M3").</t>
        <t>If the application profile includes message_4, the Responder prepares and processes message_4 for sending. If any processing error is encountered, the Responder transitions from COMPLETED to ABORTED.</t>
        <t>If message_4 is successfully sent, or if the application profile does not include message_4, the Responder transitions from COMPLETED to PERSISTED.</t>
	<figure>
	  <name>Responder State Machine</name>
        <artset>
          <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="528" width="384" height="" width="" viewBox="0 0 384 528" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 40,128 L 40,432" fill="none" stroke="black"/>
              <path d="M 232,48 L 232,96" fill="none" stroke="black"/>
              <path d="M 232,128 L 232,176" fill="none" stroke="black"/>
              <path d="M 232,208 L 232,256" fill="none" stroke="black"/>
              <path d="M 232,288 L 232,336" fill="none" stroke="black"/>
              <path d="M 232,368 L 232,416" fill="none" stroke="black"/>
              <path d="M 232,448 L 232,496" fill="none" stroke="black"/>
              <path d="M 72,112 L 200,112" fill="none" stroke="black"/>
              <path d="M 40,192 L 200,192" fill="none" stroke="black"/>
              <path d="M 40,272 L 200,272" fill="none" stroke="black"/>
              <path d="M 40,352 L 200,352" fill="none" stroke="black"/>
              <path d="M 40,432 L 192,432" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="240,496 228,490.4 228,501.6" fill="black" transform="rotate(90,232,496)"/>
              <polygon class="arrowhead" points="240,416 228,410.4 228,421.6" fill="black" transform="rotate(90,232,416)"/>
              <polygon class="arrowhead" points="240,336 228,330.4 228,341.6" fill="black" transform="rotate(90,232,336)"/>
              <polygon class="arrowhead" points="240,256 228,250.4 228,261.6" fill="black" transform="rotate(90,232,256)"/>
              <polygon class="arrowhead" points="240,176 228,170.4 228,181.6" fill="black" transform="rotate(90,232,176)"/>
              <polygon class="arrowhead" points="240,96 228,90.4 228,101.6" fill="black" transform="rotate(90,232,96)"/>
              <polygon class="arrowhead" points="80,112 68,106.4 68,117.6" fill="black" transform="rotate(180,72,112)"/>
              <polygon class="arrowhead" points="48,360 36,354.4 36,365.6" fill="black" transform="rotate(270,40,360)"/>
              <polygon class="arrowhead" points="48,280 36,274.4 36,285.6" fill="black" transform="rotate(270,40,280)"/>
              <polygon class="arrowhead" points="48,200 36,194.4 36,205.6" fill="black" transform="rotate(270,40,200)"/>
              <polygon class="arrowhead" points="48,128 36,122.4 36,133.6" fill="black" transform="rotate(270,40,128)"/>
              <g class="text">
                <text x="232" y="36">START</text>
                <text x="272" y="68">Receive</text>
                <text x="344" y="68">message_1</text>
                <text x="116" y="100">Processing</text>
                <text x="184" y="100">error</text>
                <text x="32" y="116">ABORTED</text>
                <text x="240" y="116">RCVD_M1</text>
                <text x="268" y="148">Verify</text>
                <text x="336" y="148">message_1</text>
                <text x="116" y="180">Processing</text>
                <text x="184" y="180">error</text>
                <text x="240" y="196">VRFD_M1</text>
                <text x="260" y="228">Send</text>
                <text x="320" y="228">message_2</text>
                <text x="112" y="260">Receive</text>
                <text x="168" y="260">error</text>
                <text x="240" y="276">WAIT_M3</text>
                <text x="272" y="308">Receive</text>
                <text x="344" y="308">message_3</text>
                <text x="116" y="340">Processing</text>
                <text x="184" y="340">error</text>
                <text x="240" y="356">RCVD_M3</text>
                <text x="268" y="388">Verify</text>
                <text x="336" y="388">message_3</text>
                <text x="112" y="420">(Processing</text>
                <text x="188" y="420">error)</text>
                <text x="240" y="436">COMPLETED</text>
                <text x="264" y="468">(Send</text>
                <text x="332" y="468">message_4)</text>
                <text x="240" y="516">PERSISTED</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art" align="center"><![CDATA[
                          START
                            |
                            | Receive message_1
                            |
         Processing error   v
ABORTED <---------------- RCVD_M1
    ^                       |
    |                       | Verify message_1
    |                       |
    |    Processing error   v
    +-------------------- VRFD_M1
    ^                       |
    |                       | Send message_2
    |                       |
    |     Receive error     v
    +-------------------- WAIT_M3
    ^                       |
    |                       | Receive message_3
    |                       |
    |    Processing error   v
    +-------------------- RCVD_M3
    ^                       |
    |                       | Verify message_3
    |                       |
    |   (Processing error)  v
    +------------------- COMPLETED
                            |
                            | (Send message_4)
                            |
                            v
                         PERSISTED
]]></artwork>
</artset>
</figure>
      </section>
    </section>
    <section anchor="change-log">
      <name>Change Log</name>
      <t>RFC Editor: Please remove this appendix.</t>
      <ul spacing="normal">
        <li>
          <t>From -21 to -22  </t>
          <ul spacing="normal">
            <li>Normative text on transport capabilities.</li>
          </ul>
        </li>
        <li>
          <t>From -20 to -21  </t>
          <ul spacing="normal">
            <li>Recommendation to use chain instead of bag</li>
            <li>
              <t>Improved text about
              </t>
              <ul spacing="normal">
                <li>denial-of-service</li>
                <li>deriving secret and non-secret randomness from the same KDF instance</li>
                <li>practical security against quantum computers</li>
              </ul>
            </li>
            <li>
              <t>Clarifications, including
              </t>
              <ul spacing="normal">
                <li>several updates section 3.4. Transport</li>
                <li>descriptions in COSE IANA registration</li>
                <li>encoding in Figure 5, reading of Figure 17</li>
              </ul>
            </li>
            <li>Removed term "dummy"</li>
            <li>Harmonizing captions</li>
            <li>Updated references</li>
            <li>Acknowledgments</li>
          </ul>
        </li>
        <li>
          <t>From -19 to -20
          </t>
          <ul spacing="normal">
            <li>C_R encrypted in message_2</li>
            <li>C_R removed from TH_2</li>
            <li>Error code for unknown referenced credential</li>
            <li>Error code 0 (success) explicitly reserved</li>
            <li>Message deduplication section moved from appendix to body</li>
            <li>
              <t>Terminology
              </t>
              <ul spacing="normal">
                <li>discontinued -&gt; aborted</li>
                <li>protocol run / exchange -&gt; session</li>
              </ul>
            </li>
            <li>
              <t>Clarifications, in particular
              </t>
              <ul spacing="normal">
                <li>when to derive application keys</li>
                <li>the role of the application for authentication</li>
              </ul>
            </li>
            <li>Security considerations for kccs and kcwt</li>
            <li>Updated references</li>
          </ul>
        </li>
        <li>
          <t>From -18 to -19
          </t>
          <ul spacing="normal">
            <li>
              <t>Clarifications:
              </t>
              <ul spacing="normal">
                <li>Relation to SIGMA</li>
                <li>Role of Static DH</li>
                <li>Initiator and Responder roles</li>
                <li>Transport properties</li>
                <li>Construction of SUITES_I</li>
                <li>Message correlation, new subsection 3.4.1, replacing former appendix H</li>
                <li>Role of description about long PLAINTEXT_2</li>
                <li>ead_label and ead_value</li>
                <li>Message processing (Section 5)</li>
                <li>Padding</li>
                <li>Cipher suite negotiation example</li>
              </ul>
            </li>
            <li>
              <t>Other updates:
              </t>
              <ul spacing="normal">
                <li>Improved and stricter normative text in Appendix A</li>
                <li>Naming and separate sections for the two message flows in Appendix A: Forward/Reverse message flow,</li>
                <li>Table index style captions</li>
                <li>Aligning with COSE terminology: header map -&gt; header_map</li>
                <li>Aligning terminology, use of "_" instead of "-"</li>
                <li>Prefixing "EDHOC_" to functions</li>
                <li>Updated list of security analysis papers</li>
                <li>New appendix with example state machine</li>
                <li>Acknowledgements</li>
                <li>Language improvements by native English speakers</li>
                <li>Updated IANA section with registration procedures</li>
                <li>New and updated references</li>
                <li>Removed appendix H</li>
              </ul>
            </li>
          </ul>
        </li>
        <li>
          <t>From -17 to -18  </t>
          <ul spacing="normal">
            <li>Padding realised as EAD with ead_label = 0, PAD fields removed</li>
            <li>Revised EAD syntax; ead is now EAD item; ead_value is now optional</li>
            <li>
              <t>Clarifications of
              </t>
              <ul spacing="normal">
                <li>Identifier representation</li>
                <li>Authentication credentials</li>
                <li>RPK</li>
                <li>Encoding of ID_CRED with kid</li>
                <li>Representation of public keys, y-coordinate of ephemeral keys and validation</li>
                <li>Processing after completed protocol</li>
                <li>Making verifications available to the application</li>
                <li>Relation between EDHOC and OSCORE identifiers</li>
              </ul>
            </li>
            <li>Terminology alignment in particular session / protocol; discontinue / terminate</li>
            <li>Updated CDDL</li>
            <li>Additional unicode encodings</li>
            <li>Large number of nits from WGLC</li>
          </ul>
        </li>
        <li>
          <t>From -16 to -17  </t>
          <ul spacing="normal">
            <li>EDHOC-KeyUpdate moved to appendix</li>
            <li>Updated peer awareness properties based on SIGMA</li>
            <li>Clarify use of random connection identifiers</li>
            <li>Editorials related to appendix about messages with long PLAINTEXT_2</li>
            <li>Updated acknowledgments (have we forgotten someone else? please send email)</li>
          </ul>
        </li>
        <li>
          <t>From -15 to -16  </t>
          <ul spacing="normal">
            <li>TH_2 used as salt in the derivation of PRK_2e</li>
            <li>CRED_R/CRED_I included in TH_3/TH_4</li>
            <li>Distinguish label used in info, exporter or elsewhere</li>
            <li>
              <t>New appendix for optional handling arbitrarily large message_2
              </t>
              <ul spacing="normal">
                <li>info_label type changed to int to support this</li>
              </ul>
            </li>
            <li>Updated security considerations</li>
            <li>Implementation note about identifiers which are bstr/int</li>
            <li>Clarifications, especifically about compact representation</li>
            <li>Type bug fix in CDDL section</li>
          </ul>
        </li>
        <li>
          <t>From -14 to -15
          </t>
          <ul spacing="normal">
            <li>
              <t>Connection identifiers and key identifiers are now byte strings
              </t>
              <ul spacing="normal">
                <li>
                  <t>Represented as CBOR bstr in the EDHOC message
                  </t>
                  <ul spacing="normal">
                    <li>Unless they happen to encode a one-byte CBOR int</li>
                  </ul>
                </li>
                <li>More examples</li>
              </ul>
            </li>
            <li>
              <t>EAD updates and details
              </t>
              <ul spacing="normal">
                <li>Definition of EAD item</li>
                <li>Definition of critical / non-critical EAD item</li>
              </ul>
            </li>
            <li>New section in Appendix D: Unauthenticated Operation</li>
            <li>
              <t>Clarifications
              </t>
              <ul spacing="normal">
                <li>Lengths used in EDHOC-KDF</li>
                <li>
                  <t>Key derivation from PRK_out
                  </t>
                  <ul spacing="normal">
                    <li>EDHOC-KeyUpdate and EDHOC-Exporter</li>
                  </ul>
                </li>
                <li>Padding</li>
              </ul>
            </li>
            <li>
              <t>Security considerations
              </t>
              <ul spacing="normal">
                <li>When a change in a message is detected</li>
                <li>Confidentiality in case of active attacks</li>
                <li>Connection identifiers should be unpredictable</li>
                <li>Maximum length of message_2</li>
              </ul>
            </li>
            <li>Minor bugs</li>
          </ul>
        </li>
        <li>
          <t>From -13 to -14
          </t>
          <ul spacing="normal">
            <li>Merge of section 1.1 and 1.2</li>
            <li>Connection and key identifiers restricted to be byte strings</li>
            <li>Representation of byte strings as one-byte CBOR ints (-24..23)</li>
            <li>Simplified mapping between EDHOC and OSCORE identifiers</li>
            <li>
              <t>Rewrite of 3.5
              </t>
              <ul spacing="normal">
                <li>Clarification of authentication related operations performed by EDHOC</li>
                <li>Authentication related verifications, including old section 3.5.1, moved to new appendix D</li>
              </ul>
            </li>
            <li>
              <t>Rewrite of 3.8
              </t>
              <ul spacing="normal">
                <li>Move content about use of EAD to new appendix E</li>
                <li>ead_value changed to bstr</li>
              </ul>
            </li>
            <li>
              <t>EDHOC-KDF updated
              </t>
              <ul spacing="normal">
                <li>transcript_hash argument removed</li>
                <li>TH included in context argument</li>
                <li>label argument is now type uint, all labels replaced</li>
              </ul>
            </li>
            <li>
              <t>Key schedule updated
              </t>
              <ul spacing="normal">
                <li>New salts derived to avoid reuse of same key with expand and extract</li>
                <li>PRK_4x3m renamed PRK_4e3m</li>
                <li>K_4 and IV_4 derived from PRK_4e3m</li>
                <li>New PRK: PRK_out derived from PRK_4e3m and TH_4</li>
                <li>Clarified main output of EDHOC is the shared secret PRK_out</li>
                <li>Exporter defined by EDHOC-KDF and new PRK PRK_exporter derived from PRK_out</li>
                <li>Key update defined by Expand instead of Extract</li>
              </ul>
            </li>
            <li>All applications of EDHOC-KDF in one place</li>
            <li>
              <t>Update of processing
              </t>
              <ul spacing="normal">
                <li>EAD and ID_CRED passed to application when available</li>
                <li>identity verification and credential retrieval omitted in protocol description</li>
                <li>Transcript hash defined by plaintext messages instead of ciphertext</li>
                <li>Changed order of input to TH_2</li>
                <li>Removed general G_X checking against selfie-attacks</li>
              </ul>
            </li>
            <li>Support for padding of plaintext</li>
            <li>Updated compliance requirements</li>
            <li>
              <t>Updated security considerations
              </t>
              <ul spacing="normal">
                <li>Updated and more clear requirements on MAC length</li>
                <li>Clarification of key confirmation</li>
                <li>Forbid use of same key for signature and static DH</li>
              </ul>
            </li>
            <li>Updated appendix on message deduplication</li>
            <li>
              <t>Clarifications of
              </t>
              <ul spacing="normal">
                <li>connection identifiers</li>
                <li>cipher suites, including negotiation</li>
                <li>EAD</li>
                <li>Error messages</li>
              </ul>
            </li>
            <li>Updated media types</li>
            <li>Applicability template renamed application profile</li>
            <li>Editorials</li>
          </ul>
        </li>
        <li>
          <t>From -12 to -13
          </t>
          <ul spacing="normal">
            <li>no changes</li>
          </ul>
        </li>
        <li>
          <t>From -12:
          </t>
          <ul spacing="normal">
            <li>Shortened labels to derive OSCORE key and salt</li>
            <li>ead_value changed to bstr</li>
            <li>Removed general G_X checking against selfie-attacks</li>
            <li>Updated and more clear requirements on MAC length</li>
            <li>Clarifications from Kathleen, Stephen, Marco, Sean, Stefan,</li>
            <li>Authentication Related Verifications moved to appendix</li>
            <li>Updated MTI section and cipher suite</li>
            <li>Updated security considerations</li>
          </ul>
        </li>
        <li>
          <t>From -11 to -12:
          </t>
          <ul spacing="normal">
            <li>Clarified applicability to KEMs</li>
            <li>Clarified use of COSE header parameters</li>
            <li>Updates on MTI</li>
            <li>Updated security considerations</li>
            <li>New section on PQC</li>
            <li>Removed duplicate definition of cipher suites</li>
            <li>Explanations of use of COSE moved to Appendix C.3</li>
            <li>Updated internal references</li>
          </ul>
        </li>
        <li>
          <t>From -10 to -11:
          </t>
          <ul spacing="normal">
            <li>Restructured section on authentication parameters</li>
            <li>Changed UCCS to CCS</li>
            <li>Changed names and description of COSE header parameters for CWT/CCS</li>
            <li>Changed several of the KDF and Exporter labels</li>
            <li>Removed edhoc_aead_id from info (already in transcript_hash)</li>
            <li>Added MTI section</li>
            <li>EAD: changed CDDL names and added value type to registry</li>
            <li>Updated Figures 1, 2, and 3</li>
            <li>Some correction and clarifications</li>
            <li>Added core.edhoc to CoRE Resource Type registry</li>
          </ul>
        </li>
        <li>
          <t>From -09 to -10:
          </t>
          <ul spacing="normal">
            <li>SUITES_I simplified to only contain the selected and more preferred suites</li>
            <li>Info is a CBOR sequence and context is a bstr</li>
            <li>Added kid to UCCS example</li>
            <li>Separate header parameters for CWT and UCCS</li>
            <li>CWT Confirmation Method kid extended to bstr / int</li>
          </ul>
        </li>
        <li>
          <t>From -08 to -09:
          </t>
          <ul spacing="normal">
            <li>G_Y and CIPHERTEXT_2 are now included in one CBOR bstr</li>
            <li>MAC_2 and MAC_3 are now generated with EDHOC-KDF</li>
            <li>Info field “context” is now general and explicit in EDHOC-KDF</li>
            <li>Restructured Section 4, Key Derivation</li>
            <li>Added EDHOC MAC length to cipher suite for use with static DH</li>
            <li>More details on the use of CWT and UCCS</li>
            <li>Restructured and clarified Section 3.5, Authentication Parameters</li>
            <li>Replaced 'kid2' with extension of 'kid'</li>
            <li>EAD encoding now supports multiple ead types in one message</li>
            <li>Clarified EAD type</li>
            <li>Updated message sizes</li>
            <li>Replaced “perfect forward secrecy” with “forward secrecy”</li>
            <li>Updated security considerations</li>
            <li>Replaced prepended 'null' with 'true' in the CoAP transport of message_1</li>
            <li>Updated CDDL definitions</li>
            <li>Expanded on the use of COSE</li>
          </ul>
        </li>
        <li>
          <t>From -07 to -08:
          </t>
          <ul spacing="normal">
            <li>Prepended C_x moved from the EDHOC protocol itself to the transport mapping</li>
            <li>METHOD_CORR renamed to METHOD, corr removed</li>
            <li>Removed bstr_identifier and use bstr / int instead; C_x can now be int without any implied bstr semantics</li>
            <li>Defined COSE header parameter 'kid2' with value type bstr / int for use with ID_CRED_x</li>
            <li>Updated message sizes</li>
            <li>New cipher suites with AES-GCM and ChaCha20 / Poly1305</li>
            <li>Changed from one- to two-byte identifier of CNSA compliant suite</li>
            <li>Separate sections on transport and connection id with further sub-structure</li>
            <li>Moved back key derivation for OSCORE from draft-ietf-core-oscore-edhoc</li>
            <li>OSCORE and CoAP specific processing moved to new appendix</li>
            <li>Message 4 section moved to message processing section</li>
          </ul>
        </li>
        <li>
          <t>From -06 to -07:
          </t>
          <ul spacing="normal">
            <li>Changed transcript hash definition for TH_2 and TH_3</li>
            <li>Removed "EDHOC signature algorithm curve" from cipher suite</li>
            <li>New IANA registry "EDHOC Exporter Label"</li>
            <li>New application defined parameter "context" in EDHOC-Exporter</li>
            <li>Changed normative language for failure from MUST to SHOULD send error</li>
            <li>Made error codes non-negative and 0 for success</li>
            <li>Added detail on success error code</li>
            <li>Aligned terminology "protocol instance" -&gt;  "session"</li>
            <li>New appendix on compact EC point representation</li>
            <li>Added detail on use of ephemeral public keys</li>
            <li>Moved key derivation for OSCORE to draft-ietf-core-oscore-edhoc</li>
            <li>Additional security considerations</li>
            <li>Renamed "Auxililary Data" as "External Authorization Data"</li>
            <li>Added encrypted EAD_4 to message_4</li>
          </ul>
        </li>
        <li>
          <t>From -05 to -06:
          </t>
          <ul spacing="normal">
            <li>New section 5.2 "Message Processing Outline"</li>
            <li>Optional inital byte C_1 = null in message_1</li>
            <li>New format of error messages, table of error codes, IANA registry</li>
            <li>Change of recommendation transport of error in CoAP</li>
            <li>Merge of content in 3.7 and appendix C into new section 3.7 "Applicability Statement"</li>
            <li>Requiring use of deterministic CBOR</li>
            <li>New section on message deduplication</li>
            <li>New appendix containin all CDDL definitions</li>
            <li>New appendix with change log</li>
            <li>Removed section "Other Documents Referencing EDHOC"</li>
            <li>Clarifications based on review comments</li>
          </ul>
        </li>
        <li>
          <t>From -04 to -05:
          </t>
          <ul spacing="normal">
            <li>EDHOC-Rekey-FS -&gt; EDHOC-KeyUpdate</li>
            <li>Clarification of cipher suite negotiation</li>
            <li>Updated security considerations</li>
            <li>Updated test vectors</li>
            <li>Updated applicability statement template</li>
          </ul>
        </li>
        <li>
          <t>From -03 to -04:
          </t>
          <ul spacing="normal">
            <li>Restructure of section 1</li>
            <li>Added references to C509 Certificates</li>
            <li>Change in CIPHERTEXT_2 -&gt; plaintext XOR KEYSTREAM_2 (test vector not updated)</li>
            <li>"K_2e", "IV_2e" -&gt; KEYSTREAM_2</li>
            <li>Specified optional message 4</li>
            <li>EDHOC-Exporter-FS -&gt; EDHOC-Rekey-FS</li>
            <li>Less constrained devices SHOULD implement both suite 0 and 2</li>
            <li>Clarification of error message</li>
            <li>Added exporter interface test vector</li>
          </ul>
        </li>
        <li>
          <t>From -02 to -03:
          </t>
          <ul spacing="normal">
            <li>Rearrangements of section 3 and beginning of section 4</li>
            <li>Key derivation new section 4</li>
            <li>Cipher suites 4 and 5 added</li>
            <li>EDHOC-EXPORTER-FS - generate a new PRK_4x3m from an old one</li>
            <li>Change in CIPHERTEXT_2 -&gt; COSE_Encrypt0 without tag (no change to test vector)</li>
            <li>Clarification of error message</li>
            <li>New appendix C applicability statement</li>
          </ul>
        </li>
        <li>
          <t>From -01 to -02:
          </t>
          <ul spacing="normal">
            <li>New section 1.2 Use of EDHOC</li>
            <li>Clarification of identities</li>
            <li>New section 4.3 clarifying bstr_identifier</li>
            <li>Updated security considerations</li>
            <li>Updated text on cipher suite negotiation and key confirmation</li>
            <li>Test vector for static DH</li>
          </ul>
        </li>
        <li>
          <t>From -00 to -01:
          </t>
          <ul spacing="normal">
            <li>Removed PSK method</li>
            <li>Removed references to certificate by value</li>
          </ul>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors want to thank
<contact fullname="Christian Amsüss"/>,
<contact fullname="Alessandro Bruni"/>,
<contact fullname="Karthikeyan Bhargavan"/>,
<contact fullname="Carsten Bormann"/>,
<contact fullname="Alessandro Bruni"/>,
<contact fullname="Timothy Claeys"/>,
<contact fullname="Baptiste Cottier"/>,
<contact fullname="Roman Danyliw"/>,
<contact fullname="Martin Disch"/>,
<contact fullname="Martin Duke"/>,
<contact fullname="Donald Eastlake"/>, Eastlake 3rd"/>,
<contact fullname="Lars Eggert"/>,
<contact fullname="Stephen Farrell"/>,
<contact fullname="Loïc Ferreira"/>,
<contact fullname="Theis Grønbech Petersen"/>,
<contact fullname="Felix Günther"/>,
<contact fullname="Dan Harkins"/>,
<contact fullname="Klaus Hartke"/>,
<contact fullname="Russ Housley"/>,
<contact fullname="Stefan Hristozov"/>,
<contact fullname="Marc Ilunga"/>,
<contact fullname="Charlie Jacomme"/>,
<contact fullname="Elise Klein"/>,
<contact fullname="Erik Kline"/>,
<contact fullname="Steve Kremer"/>,
<contact fullname="Alexandros Krontiris"/>,
<contact fullname="Ilari Liusvaara"/>,
<contact fullname="Rafa Marín-López"/>,
<contact fullname="Kathleen Moriarty"/>,
<contact fullname="David Navarro"/>,
<contact fullname="Karl Norrman"/>,
<contact fullname="Salvador Pérez"/>,
<contact fullname="Radia Perlman"/>,
<contact fullname="David Pointcheval"/>,
<contact fullname="Maïwenn Racouchot"/>,
<contact fullname="Eric Rescorla"/>,
<contact fullname="Michael Richardson"/>,
<contact fullname="Thorvald Sahl Jørgensen"/>,
<contact fullname="Zaheduzzaman Sarker"/>,
<contact fullname="Jim Schaad"/>,
<contact fullname="Michael Scharf"/>,
<contact fullname="Carsten Schürmann"/>,
<contact fullname="John Scudder"/>,
<contact fullname="Ludwig Seitz"/>,
<contact fullname="Brian Sipos"/>,
<contact fullname="Stanislav Smyshlyaev"/>,
<contact fullname="Valery Smyslov"/>,
<contact fullname="Peter van der Stok"/>,
<contact fullname="Rene Struik"/>,
<contact fullname="Vaishnavi Sundararajan"/>,
<contact fullname="Erik Thormarker"/>,
<contact fullname="Marco Tiloca"/>,
<contact fullname="Sean Turner"/>,
<contact fullname="Michel Veillette"/>,
<contact fullname="Mališa Vučinić"/>,
<contact fullname="Paul Wouters"/>,
and
<contact fullname="Lei Yan"/>
for reviewing and commenting on intermediate draft versions of the draft. this document. We are especially indebted to the late <contact fullname="Jim Schaad"/> for his continuous reviewing and implementation of early draft versions of this and other drafts.</t> document.</t>
      <t>Work on this document has in part been supported by the H2020 project SIFIS-Home (grant agreement 952652).</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA9y9y3Yb2ZUoOOdXxJUGAtMARACkRMlOVzNJKkVLSskk7cxc
VbVUQSBAhgVEwBEBUrQye/WkR/0FPer+il53cEftP7lf0vt5zj7xAKl8uFzN
cilJIOI89tlnvx+DwWCrSqtF8jw6Xl0ly6SIF9FROp+nyeBlslgs4yx6e50U
0eHbs+Ood3z08u3h9tYsn2bxEt6ZFfG8GqRJNR8s4g/JIJld5dPBeLwVX1wU
yTUMii9sbaWr4nlUFeuyGu/sPNuB74skfh6dHR9u3eTFh8siX6+eR68PXh1H
38LfaXYZfY2fbU3j6nlUVrOtcn2xTMsyzbPqdgUznxyfv9ia5lmZZOW6pMGT
LfhgBu8+j9awoP2tVfo8ehhNYQvrMonioohvo146j+LFIrpNyu0oL6KruLyK
rpIi2YqiKp8+xy/g1zIvqiKZl+7v26X9E56cJavq6nk03tqK19VVXjzfGkQM
lK///v8UMOdZsoizWVLg2+uCvzKf5QWs87hIp2WZZ9HBV/CRA5p8im/CKpIK
ITUYPdmN9neiM5j7w1W+WMK303ydVcUtfH2TzBJ8PlnG6eJ5dJnDCoalzPa/
JDLgcJov3TL/kF9l0bsiWf/9/4rexFUlM6ZZWqXxArb6B7vy5oO/6gb+Aosb
LmWy9vW/gC1Ok3IaR+/iRb68gIUHCzYf/qpLnes6hiudMlzwVpYXsJX0Onm+
Ba+dvjgcj0bPnvOvk/FT9+ve3lh+3RuNnuiv+0/0gSdwdfTXZ0/8r26Ep2M3
wtOnu/v667M9fWB/NH7ifn26q79Onulr+7sjHXf/if11or8+HbvXnu6O/a9P
9ddnuzrbsx23HPhVR3g2erqnv05wF1tpNm9A6Nm+A8B432119GzXbXW873ft
f32mrz194hc6eeJ2PXnqft3ddb8+mzx1C93ZcQt1m4I1P3FrfkafngyOhkT4
irgqBwnQKfshUcMi+WvZ/LQqYkCX4PNpXiSDvKT/EAmtfVsmg+lFXgySDAhc
MhtMk6LqHOBDcjtYr2ZxlYRz36SXg+m6uMZ1rYoECGcFIAcKGjyW5lW+Kgdl
Ao+m1e1gVcAH03wBUyxXcZECUrvnC5x5XlwOZkk1KNPLcnCTVleDLE9LN7fS
IN47ksq/6Vdx8eFDPoiL6dUgzaqkyGCU6goYQzVYwjYXg8t1OsO7BUgBr5y9
G+zv7Az2nhzgAECD4+ISr+tVVa3K548fz/J0CBf98Whn+GRnvP/4m5Oz8+HZ
u6G8VEz4LWZ2pwnsZ5lkMwJBBPgHBCMtBt/C0qNXAMHjsoovFml5BQ9V0dkU
eWMZ/alE1nSUltMiqZLodX4JIKmultFhcbuq8ssiXl3d0jwlkICkRMzm1UbR
A1zQg+fRg7NVMgUKG71bwwRTXoAsEtZ1nSKTiyYP6DXlLTzEQP6LVBoI9PEw
+gqASOyk5evXw+jwiihVy5cHw+g0v4RfP9x2PvDnGBjuIrluf+B0GB3FsFr6
lNAtOlgV6SIa74z2zYGNdvY//8DgpWJ0x4HBMUVHAOZr/ojP5l2ZrGfI/Wb5
MnqxzqaE4j/1SGAZ/khG9zgSC3OByfoSxB4ACkhFBBQad3/vJ8Bkf89C5Ozl
wWDCAEhmfqvRFL54ddyPXr05OOxH5+vVInmJQg6ABHAc5LtFssAPfjJM9vfu
AQiSLl4lizLpwK+zq/XgL0kG4Iqzyw4MA3ntXVIsMsFwBuhRMk2WFyCSAp49
QZAeJZfxBWxjkYxG7VAFegcUZpjG04KgC2+OHj8ZBeB8m0XVVQLrTvG+C/mL
8nl0nE3xcuP2EYRn6WUWV+sigTVGx2/+fA9QDKN3Q7PKzvv2OrkCebvjwr4a
Rl/DQACCgsWVlme+oZnOlnFRtT/wBr5FuXbRCdERQhRR4N0fD9uBOS2L6TBL
y2p4mV8/flfkf0mmVfl4lZfV4K/rOKvWy8HUkMPH8/ivpYX0O3zyj/xkQDij
Fwd/LFuvzoSuzvHh1+1Lurm5AUYzvaTDhV9Gg+vxcDWbB9elgtOLi1lJtOMY
NJxpiqQ9WMAo6sEs0WjbrOINYCFqLbSEk6/fdLAfXINDMN7/7OIxcje4n4Bx
O5PHh6ffvzt/+3i0+2yP/mksEUePBtE54OEj+CMbwJIHbw6mj4CyAiOOp1eg
eQBYAFGzCu8kXPyasoYoelIhpyIERZQ+eXU8eCdsvLwbXV8Oo1dFfDP92+0H
A4U/rLMEwUAn8fLV0YtVvEqKe1+3ncfjJ7v1/T4wsE+n0fFHFI3cRQvJ+3OC
Ck4szPgeNKh9J3yeox3cyPkVCp7IQsf3Jh3j0eO9nWeNvbxFLRM5EIK8BBUk
AkEsWoFQwQg3G+/tjZ7RzuCYvuO/LuISjvDV8Zv7cXu/3BamO6are/jNWQeC
JtnwJv2QrpJZGtNW8K/Hh8hVCyT0778hQMMvSv3eHyxAkUT55v3ZOq0Su1//
XqTvearp3ov8exv3Botuu/dAoeHjr9eA7aCinyzW2WU8Ht/7oMaPR0939kKM
i4H6rRcRCqoR3KwBXqUB3jWYFje1Wle6nQP457ZMS2QCeKhky4hep5dX1U2C
/9ZuIiLs8ccp8rMk0gt3j4N9AZT97/+DtthJtXnv7TSbBYs/xCQgjSft4LmK
F8M0K+Do5wX+MdiZ7I/gFowfW/gcRCjmFwnsqgSy1Y9IMVsw1q6rfEkbjVsB
o5rC3Rs+HOpqOzH91SJJO5jcGd5qtFR1AusUBl9Pr/LKwOvttMotuA7zqkqT
4h2ye6An1/GiC7Hi4mN6TSgVX5SPx2O4+zuTvWfPAsrtMP9nguaroa6s/fsj
4PB+yWZ/Z8mqChHim7yAs8vGO/fa1s7O0+FotDt+arf1gk/fboo3RKgeaEhI
4w5B/AQSnmaAIyf5OeDodTpN7sFyQLaR1bZ//2cQW9bIveH//tL1EAhQXxVr
sve0AoUIPj0x6lBISIxAMnKZFHBk84TsjXBxZglQz8d8FwbXwJPmIhAP8vkg
UbvpYMas+IpZ8SCHJ1l5J53+8ejJeH93srvfAuE/mzEJyve3xd4J3AAujW/P
AbTx1SL6w9//OwADzamdz31d/P2/ZxcJCCHvEpRCux6F6w0s+u//o3DCLJ/G
NwAQFTNJQTy8yIs3SYeUCd8Nl0lAnQ6/ensavVvEt2gvzmb3IjRf5fVlCP/f
5zsipormAsiKoReX7gl9Mryqlgu7KBRLaBhH8tEyuUzQrt03+vzu3csFGIO6
U6R2tX9YL3S5g8EggrtKQtLW1vkVXMhZPl3T9StRWQNEKT8DdfpRHMFnt0Tz
YUyi8gvD3uJNgiZKN4lyO2Kn7iLgd+XQ077rdAYLW66rNbISPyjAhTjMDYjl
oIlOi2R626dVwAvwCNBTPICEZEIdD3aN1qJsBktCorMu40sSdaeG+pTTJIuL
NC+Zc0VL+JicANMY5eISxehE6RfKY2/PDt+eHkdq9sLBquRjBfhzGxUJC3YE
O5zSajd9xkr8mKxz8CBv4TA/eEcfw5qycpUXVZ84QjybpSJgoDEvKtO/JeSj
uECJcVXxkSzymyGf+DKdzUBn3HoYnWRVkc/WBA34+2H0Jq9EOt7aehNnt/gE
mdGQhAB+ZJdl1ANCvB3NktUiv0VMKWE7f12noL4CXK+yfJFfItbcgAAOgICP
r+DoAeVAuCd6B7hVg22SXadFnvFgnz6JLfbHH4dE82dM8wHit7gj+yKMc42H
sobp4tuyDx9MF2uEWLRMlnkBsCyrvIDj7OO5T5H8wnfTGJATzoTBuspvkmJI
tw7GzhA3rvHACNJXCZxumQD/xK3jEuJFCSf98Sq9SCu/GFh4ucb9ltE6K5JF
CoiQMPrnZQmnD1idJQtYokCjAGQp0ilegwt47CadVVe8ntltFi9BeanyFcLy
lpeG3il0LUXx9EOW3yyS2SW8WuGVhZ3BZMvo4hZ2yypp+jfcZxwVdJfg7Owl
VBLEqAxoDW8XcPOTMr3M5A6QlpefW4jiR5YfgwLprDiOUPUQSft6iHvjH38E
ogBvTZGcfZXCFbqN3l6gfg+EzNqM4U3AenkTLf70JplH8IEpDoL3J3qZxDMk
OyRVEjsFDfvw5aG++nS8C68OkZwlUZbIfkoxPfm9M3UmdKgJGRa1YUYgDCWf
OlxxUsX0Ss9yogKfPjWN9IS8S7yjiO9w+khigSWXsJVyI/7jjcFZsjVxNjg7
Yk1w6dMVn5juAXC8JFKFFx4wi29cOudLD/ediADSnSK9WFcJrv8yz2f+Jk4T
RBrCADphpSsRChqAPuUSHZtmJfEszdE9tcT5igRIB763AGqeTQEea5oDvr9c
unMF4M/WSP9upwt8K6mmQ5D/clROotSDCCAK8IEXAKMdGdNNyd2HndO9A0UC
rtACT5DJZwKDAFDtyclimHrQlb9IF/AqUBJ4A0gaslOAUgw3bo0SWjRPi+UN
gp99HSBz5MukgRGECYRXMHq5XhG8YqJDCZv31uidWNyGELW0EYgR8KAMnaKw
jeQ6yZjdAcDhpYWnQ8CjtrZoFQ7nynyxZqssoTXSHEeeko+AX7DAAq4IkA1i
I3LZ0MZIJAHwx5gfe8iB5Oagbw1ujmH8F3EJFy/29xzw+xZOzS8mKZg2J2r8
wv2wSwmRHFfgDzv5GC9XC2KWuiodqC7rnx6fnaNSfWxvRo9Zql70J6MJLlew
Hg4mIHKoDIKIKvTJrZjuMxENOD1iqMKJEVbEZAEgcHURb5HMBFydLs9fQeQg
fh5YmlA+4RPRmTylUcZA3B7n0H3gNQc0BIjNVjnxEMRzkKxRfri/qKQzgeRT
5EsBSAkkJxEZqMLniSmirRfJoEgHMzb1oy6ES2wfFobK14sZIz68ZKD8W4QP
kOFrFBgv4pCyIJFD2QjpRrJKaBsgMAEFGF4O+7X7WSQXeU7UGGA4R4EChywS
WXgAWUDvEnDlt/gojBBf5+lMaBBiLcwbu/stbmBCAbolfNOWKNuoYGHlR7wi
lTe4VekyGf5SknG3INwOd5ZzcUmEeBazAM4V71W5c0PobRF4mZ9O0xXexhLt
aACnSwB7zOLwQSBIK5KwRRH+LuKbaEWuG0b33um7VxTx4j8kSsx6Z8LMSmTD
kiVVIzIQ5pAgD7tYrSuc4Qp4FnxO+vAtvAFH4e8GMUYM+EGEpRORg9A7zrSY
ZyqSeVIgQiBGzeGyJjMmuIQf7m4TC0scI0W2dwXEsx8BvwxeYskPZeFYuA9A
BnXPmZA6nFSGKYdbrFjMctg3EL8IDq5g4qgMAy7NQK4ogq337gxAGSoySDJq
nxDuliwP1TDOHszFrds/oRPuEWg0Ui5cAjH1QHag7fLFIIaSIp0uaGWztGTx
QY3obYrUlmx4CeJPSVoRwBzF1MxjMws8rGsAB1SiyB6KT5/ovz/+yESRtd/v
votWcYUwh+/pI/yeOBjb9cmZcfxxhR8RT8DIFpS8eDWwjrJdxTIbsTYSe+A9
f7VwiPevElXMvk0uovP8Q4Lc89tzFG+/PY8OF3G6hN0Are0dHp7Bp98N93ae
ieKGrylbpM/hIfh3O7guAJMkgX3gmQ9wKSjG8vqdxsubiOLLlHiQl98Z6wXy
8zV5E2O1mfNN9LuLMODNSsAg47gzTGuagOgrgS7s9SEKrANFKBEBm1A8rUj7
wbdBCh2QgqUUWRQ8jJr58UfPGgGL1yDPsc7x5DwFiZ5h9zo/jb89+AaIE6vc
OUkOcAXZB6JLrog13ZvG4rvKhdNhAuzIkKP6Ncxwx6xp0CANKyWKiGoK8Oy+
usrhs4t1uiDaRsKG0YuAaFzni2uE36OKNOtHYvRQqgJKIOisKL7nC9TQEEGy
MsdfyAYxrdYxaLdlYFJwrCvU+NIlSc0lLkwsE6JwsQSIq9v+TGsCXFNUKpBK
g8wBBx4IUcGkhQICKDkrUXUlBjblDhNJ5gUrPYDrQATgkkwJPZw8Deh6gGgM
h7RwrD1FqwPcyzxL1Fru2QepFR6H4dhIULCfCYoyePFtkVtlDBYyMwRKLn5Q
tY709NDjaJlfICxWV7CK7SEbTQZVPqAzJkOTuCRL1rJaFsAAI3mrSBbJNepH
cLioreWIIG5PNySYIbbC6WTJHC4iiYC4tprGrxKDwMWZIQXqUxxJRTM4aRRC
CZax06BYJymdeQDUJdA2UELqiyTmJWWQ4OBfYkbeDoTHirJivECjxy3eVpRH
2UGUL9PSndoiR5glxZLtfmyaEoZ1hvh4zKpECURLfvOehJCz4cQgwAInIk19
nl4O6AtkJXxj0MaOvBKk5BRVfRioRgFoHw6vr9gAAVgJ1wyt1gSRkJs87+DS
NBLKsi7kAz8BuKesDmetLCZ63MpjlJI+I2oi8ytokVK5zwrZ6qMP6eyR1fb6
cg+YKQXCW31ACmu+jhfrRAf7uFfpYJMnO8h3D0q6URrW11fBSPUAEBgb1lrv
07IHx8hH1x0OpxB1EkmokCI4ciSx8Mfo8VPFm6Pz12fRaDiBxcJJXoE0Iusb
7T4FGBF5PT48eslqmNeyo5Mj5b5n8skYx/ycGEbY/9bW/9r+E8VxeX2Jxtef
+OOs+sGPWMaOXqL3rHSfOtzCT1vfrA/f/mn7pIBC+isgQPunP2unggbvR3bW
ydM7f/Vvju2bu3vu1719/W20454ZYdCWvjmxb46e+dH9F0/9nM92ftZGz/MK
mFf4M9px2x6N3XLHoyfu193xz5m0A0G3Pj2PHjrayI6oLx/cRVvhSl7cAq0Y
PgAyS5xrEAPbyb58ME2Qzz34kSj3kSrOZyT/A2aycbbAcHe0len1dRo2OoaL
yziDWWbIVecgAOU35XO4nxfx9AM76+BC5+tqAYyzlNWFAh8rSzVC++kTMt3r
NLmB10HOnYJuI8Kzk0iA5bLBSbfdD/VsTCIQvZJEDGcEMDoYzoRh07A7FHOd
xQBfILXKhSHhk3F5uwweUzgbp4UXd+/cJnGYTv6DEwJJzYsGBOhTI5B9+jRb
O4U9eJoXosps4JNigdCpvkiJF17DNgOymPXp07JKYWwQG6qSeMciJfORGA7o
JKyo6VIfInIHpGKRXZfMI+LVCuQjtOsQ9zGy46dPyk6IVCNmnoOIkZJVlnWp
UzNn9Bo0hTWu+dNDFEV+ZKTFwwNMBznhwZs/nZ0/6PN/o2/e0u+nx3/808np
8RH+fvby4PVr98uWPHH28u2fXh/53/ybh2/fvDn+5ohfhk+j4KOtB28Ovn/A
QHvw9t35ydtvDl4/YA5rrVNkJiFtiGTNFYaV4yXa0tMjMH11+O7//b9HuwCU
/ybZI3AG/AemcSCzBBzj2fIMtDr+E7DkdgtBHLP4vEBT4gr0PfRswUVlSQuT
n4Zbv/sXvJvR4Mm//B6gfUpSE8tjyUdA9Iot6LDOebwEdRZGJFQmoyjAu1Qe
PQWlo4yC1ZOQZDxFopmfkdkQbR3iCtolEYektlJpj/Oh6MUKxCG20XrFWb+c
0JcghJEYGApjRgzzqoP6vI7iKo6OQDTPSKvyWNU7PDp67W3ZO+TvcsZsQmcU
qT+Sl4v3N8Ox/EaGkSXQXvmCcQnMos/OWPLF71FG+xYFKzIPkdMDzeCkB1ZN
i1q8QK8qP0wq9hHKu3BjyI1Fyv6xWDV4djcATyqyVBntDsfDES0OfyPRypwe
OzjF9QEkHY2BpMaEhC4xbovQK1kT16v4cpvUPQxMh8vCBk+kFg/6wkrcuWNa
lJADIWpvmafArTesRo0jnkJ7raE2O+gEV/msbHAHH9WzyZj/vE7KyfrQScvV
ECpCq+OHZAWwA4kVlxc3jF6sC1I4ZkkVpwtabJP90d2nxzq2WEeyqsnUDWVC
VxYZ+3o2EHmbtWqiAbcCtBxoFin23oci/jF2+XmHJHrdYo4aEAPiMHqdfiDn
w8mr4+uxWlyeobUJN9Q72lYlgVFwdxe+MlpC/95cNi29dSfWpei581a9a4b+
HpzoFXcWvRZzahRfAgjRk8eGLhA3ABNLNTogS7uVpMpKr4DX5w+QGy4QBgQA
Z1ZBQsHnis+/OTiUQFXYU+vaBydm0HNv3Y7m6FnuAcLKDQRUzFdiMZrniFj6
KJ1tQ/m+XMZ1XUn0oxPeE0gTn/9zmoD0QYmwP9z16Nfvv7vrkR+2fvPThWz9
+f0Pd6/lHj9ulK/ff99HgtsDdfX9IQgZ74Fsw/n1otPf4oH2Iv0Qdoj/fB9t
0//JKL/7+Vv6zS+7oyg6OD448vs5kf2c2P2c9HnneGx+P/9sZ9SuTAGuqzL1
WTeO+f/FrVO7kOBGO0PQqGDwTmXrXMgDMijhKBwLxRI9iWyZCu9i0kYiLpzS
37/eybYIxHKrot4piSeJRKf4R0uKj/FKe4/tKF7NIiOoNb53KExTCpVHI37o
u7a293enr94Dk5NAKfJeYyI9wKcIIxWYQqsUJbQ1eACFKaBCXxBe4XB4XzT4
Bo1E7esksxDDBiNgUCBghyCNxQjLYhjdRTdijYVaVxOa+IHgO1LOk7XZIDfO
7S4RZ+woiaAVKCDEqMfajlJt4LtWe0uCxQmC+vNWAdehRstS8BLDHR5G25rg
1jvlP2Fc1OQcJ0Uf0izxkv+K1OIGuPDsN24eySIgKJETiRtDCqITlkZ67HfL
lSxleAcI4ggPpsyvfozoDBg4t5xxuCGmqdxAZyexFizZkocCVO2crNMG20lq
RX0VVyZxSQF/39qysSlTzG3GK/Ngvl4sBnMOC3xgYjcweMjsqEXKKzhMDr3q
IvnMZuVzBOo5YgVoXauKrL8AxZ78F87CafQAo+3o/OV7EDXg3wn9u8sYh4aB
0NrBnqvSLik8DXctg8yZBQo8swRVezLUNwDqLm1IO3A2t5LOY4fdeHHeO/Fh
EQedsk10mZLvjoIe8gxjx1xcw0lUi0Vjupk5QoQKeY0UkahEDkXczikNw0to
BO+ATgg3NSkkEhlXwBFr0VxSdhntaiEhfDPRgh2EfZDj24SE0GNvmOGQn7gv
diGy5Lhg5BWeYHYpgy5UAZlbq7r3P4ACq2QRKFIQ06eGG8Y9S6M8ElexrOvc
RyjOKZarUAyCi/e3gLA3vdmoTvOhs/8fuOZlYURvxEuKf3DVIzgIY5UDA7pY
YECgYzVON5O8cHc44XbwcimesteEPn+PSYdMbGRKDKKiOOaOudU9gWIFl8T5
MJv7UAfY5pxVOiIpdsvoFi+7A/LtFKjCkeXFXG+JLfX2Em/i4IDKW46joXo4
HHnIcYgaVaceZhfBvkgvCgyWLL2qxkpZv05dU43lQU4Da+TphCOZC+SgoPgG
hKqLwZWNMBvD7fpqG2LdDH7J55iQgyASKcT5T7v4FIaL5RxCg0hMvkHVvch3
bwI1Qoe5wxokBevlEoD0N2u9gQfxOTKYJCU64qc4ojFOs5UojS+zHC00aIAV
TGqYg9oqiJBa9tAHcx8rj/j00IlzZDf9OslQLmKBM0xII3822XIJUgVg7RJj
0mGlt14Q7Tl5se+9Nv7XCbHwTtLr3t4VVg/PBrZrdGEDhick7jal2jiUa1m9
zWczvz7yGlNQ4210wkdGYbrw5ylmAMFiRBYhfyTKwDXr+ZBdHDla565iFFPp
2i1uDatpi+jT6E3y7Eu6A5wa8jR2ibpRKUag5Iuu5AFGRN/kCk/yYLEIvTb8
yiZLKQGH6EfdzifRS0MhQWgDQKfzYrHG4AUO9qv5iMhO4AS7rrMEAnSTwEpj
vuuUJcN6UYLJ6fIYH1FTeBGjEyyJAp6ohAKntCieG3cPuxvY1zJ08QTGoVMz
DBMSWHumc9TwSOJEwVCUOjP38erC7n1wTnxZJDX+b+TGHkqwfRK3tnV3JbHX
pBa5KXrWtMQgaEeSzaiImBiQp8SGkFgjNJLZfRi1zpGSFvcG87w1dgxdMZaD
G/cUIdBcE3Q+fVriewN8j4B1HqgTuMq7Fbl4ToEiKO06JuqphWK/CkZ4vO+6
JS2cElllMkdeeSE3nZ1FVMuEw1kuE7J9ctBAOOGw9sEusSqORoLLgn6vki2e
/zgj15vj85dvAXXO/nRyfnzGVpPv+nic/QhwKnSni9HiH2FAaXXnt6zllzUs
eVvZIRrEQoMZq57v8+I96IjIdxA+Y2NY+keYylqDFTbs6Of81EZpM7qFMJkw
TCYOJjzKPxJfJhuf+lXgUvthMCEcdgM4tIzyu0H0c//vvviye8eO2gyRxIo1
qKPJpENvWgenvsv2yDF6pDZ+esgGS7FIsnpbJUuhUUhqG/ZC5KyDZXk5GiBD
JmdoSkIFqWmJZPDNbzt8furYCgITOuLnnRfnjjCJuLR8jOQMgEiHM+x5tNOP
QJodsxQ1sQobP0IcsHQuWJYI4u4VtG2Tsz1ZjKeoPJViaqkbh2iX6sFN3laz
qthJUFJ2HkmZusVuwlKohpYjxMgrTCk5ki9cmmNkLdFGaVBMhsovrTtkh2SH
Z5HYsyDAZ3pQGxJGw2DpsvdILhd5jHx44oMWczsrz6F044L0WahglbTDnRVS
y1ba2f4hUAK5SeeAMtEPUYvM8IPZTws9+zMFav5QxwusstH+4dZvvrQ/4V8b
Pwzo1g4MHwQg6mrbPgzeHHW+aaMc294cdzx095yTzjfb5vzp59lGky1RUNp8
0GLzn5NS6c1xd9HhWuoR4zgQspnYPR3lT5MF+wQy/ioMggO1qSTTylcgdFOW
B18vigORmHGOxDUaF2agezLN6V+XoEQmZMfOkhu94BzSfWgCcI0G8ukhKBzO
gEe8SUMa7mFo7JHEC1LftrMkMqE1zyNMmcSxdlEoGYB1HbYPa3UdNLznRZGg
lb6hYsOm5/EU6YLCtEClBovrBGEWZNRUE3/DKydc0ZmtiCEiJoRGU6Pb2HBF
DuNPXREKp8dJRVd1ynXBcJYb3Mnqua6rdbHKuRicaHwaJLZp4z5rHsWBuCzz
aepDKwLcU3tvx1EE1lXEvjQrRfPCcFSMkMJ0GlBY87IK8is045MWKzdjDljp
wVAa3Civ0NDcggTlWtOdKVOYfCyc+4M2k+V6GS2S7BJ2Zd9lPwvaFrAGAqHQ
coWBdbh9TTysRT2+zG+Sa/SwkdHGbg4ERgc34HyJc2TQB8tVFcAiuvqf/9v/
Cf9zfB2NOZQLhI4oerC383F3ZxuGpQA9iepCo8xN7jxVHOwbneciGeDbA3pb
C5XQvZRk/GC5nCCEoUHq6vRJcWRU5hN1dYRLN0wAQwmEE5nQhcTcAMiUM2M5
G6pHrFGeD0P/RDvRAWQzdg/yiWP6Fln82r2OUShlMGny5hN2i6dVKOxq7ozn
3VXOpeQxCMonbUqSlL2eWS2l3R2/WwMvyQ/tl3TauaSxr/bhtvJTl1T6NblF
oL+yk1Q7zzSKsgEx87TAX0fGEG/BKpl4V2oV9Way9tkoCjeKZxzDkAuFMgG/
DIm4MlFbDbrJjsRMaxkMGcFqpUwAy75C5D/jyxfyNo+f5CiIF6SBmUc4DxcJ
CRJOJQwBprdeMWt3U+FWladafW6Rkd01Yhqklzm4mTTsYLzbj4ZD4CnjQLGB
AQb6Wl0I3jrh0Z9H+Dr+Axo9jBENRiP+BT4CuWowYrmRRED+fLQnv4wnW8eZ
dmDgbI/JE/3uQH/BAcY4wA79o6PsvNDhnrYKYHbxKoC9bcIgmTk43Sf8pk71
AHGnOQgxqUY5xF2Axrwzr+5SUDkm4unJ8TWh0OL6a4S08uIwektmywZqkEfq
1pL2BlOBA3yRuzodFAKw8xHAm5b1ZdDHvZaFeJQbjEFioUxOfHx31PmC5VM4
7vaQ5t05ap0XPt4872gSztv5QjjvzpHMO9pvnXd3BF/cZ6DRvgw06Rpocr+B
JjrQwVeH7bDYHdNX9xkMH8SiSIDgJMWgS4TDc4sG7QpRB7mADw9K3HWMgxkk
qjUuSpYryJB0Hzzvcfq1/ikmA0pdQMHRUh4KJ/3LmmS6FbpkZkAMpxXFhgg9
d/6/ttU5nSgt7TWIGxfBBd6YbOMT9eEymNDS8ZwNOc67q6YpO5JJwQwB3UdG
PCVAsAAJTAcE7OWSCypxkkAZXSWLFZdJQcJOhU1uSA8kbYCjs8O0AI0w7qHs
VFEMXEGCOYx78O5kG4gKsoaSY4QDOHHZC3IzlhTNwGXEJEXAV5JogRhyxUA2
izhah77jhVDuqDDMP4n/u10BJDopqgsqg8p9mTzZ6jkgpGFucpc2iBLbeuH9
hC6TWxRJql1QYieAdEWluzUPVLNAJ8ORT1aggkN9I5EoGwYJCN2pmKcRCBQo
0NzWB5zUBiSpjX1R/btC7SJNNZINdIk6lI3OXKGqw4CKAwhw7caH0RmlmNeF
PA9MCtQP0CWtJK3+GvMrOF0/axuci4+o1GXGGPoMbmrUEn1BFYPbpt/5+OJF
1LNEUHYUWrThRiORffGiRSHYbiwX329bL042vGs9yNLut57x6GeuZjzSlDVH
ij899NYBUF+sio66sKpUjuphWk2AniJSmnJlVN4LNDyYPKGYpSByQFzjohde
mTyuDDPx3IancFlnQjhCnd5ZT8UHfzIPMhwpFYUFbK3yROJ93/tW+41YD0LL
qkKd1wU8kUNXb09oWMGnL9BLPLMxYveoOMHA4aQ0XAOFg3hLTFDDDwlYDuA+
eTeM/rSoUowOw7XXXfQYtoURMmgNuMrRpiIVkPysNfOSd9UQEMqwVBmXwlpn
3s7QkkiKBZv0VDjMwzMkWJBJOlRN0NWzNIVHXeUWDOlKM/8MNtoxiWy4ZWBe
MZCg4HVWrPJ4RXiQRZccUiRF0dz2JUeSs0hJItUdYV3Nvvk7yCzl4cPsVdHc
TBUnfJ0cYFJkBf+GXwHOEtzrPg1LGrJhM4arsLyAY4XvZ8kSNpgCGfvYiE8o
JeSXeDWbe318XclvZ8BsMdBMCupFWDjlkvditqhGR7NFYI4UDkjaV+3Ca1lW
vi6MaA6wXE8kFquu9eVoCA6FTkoMRXVV5OvLK384QVQwFVIp1xellG3zkZW2
snX98p8HB91YtYkQXibwFOu0QTJxkRDmI8Qvkmm8tgVEph/KKlkFeC/m0e7Y
UKnZuqlwEHsQbQWt0qZFqP2vWYNEFsZX1cdNedciVVOBO7leZiwhmFIlIiMw
pQL5/WNjEhOoJFqi3vHfspifMmXVGow+llq4AA3SLH0SlsSiPdxKJTY5OR98
RoWrMOk9nfkKrHoo7qDTWpJonSZimfR04UlIkMONqot4GEB+XaZiz2i4Irvd
dCR+8vmr7/TQXysWN/lGof3Zf6EBhXV6XErwPBU+vb/dn+1xYWnoLmcA0Eef
544KAVbGbLUkXlLIu3p0KBqdnLGwFGHooWwi9PkiuUyzTHUzUjGCBfSNQJnl
Pry3tidbo1G3hMDR6lwCD/GyeNCKVd3VGXTjLxO8dWm5dMKrRyNT9NKjdV9S
r4Elcfmc+3ptiILRexJsnEiIOJED76uQR4DMldVGD4qrFH2P2dVG2kQ26kY6
XVMWaIByeRXEATBvETKp9lAPq4uUFTFhphyPixTCq2hzMcAW+arArXbIvD2u
CXUNkhqXeHO5F0EQ8LYKs8FGSd7ztnCDpZu31P/Je/KTOcs06ahc4FCqGf0H
Nnr9D3SAzPeIatkcA3VC8smv4lssGFwK6/AFCVSUsZVCRJSjwnAd9m+fWBTC
g1aLM2LZO1hsirTPFlCkQBCJ26cLwOCaLlBjICki8VJeOXQh3RK4Kf49V/AO
XXwG/Sh+g4vEonJD26xBljhMkhSPyg5MoXSohcVxHxzShuq1CykXN7+o2HOn
ErURYKT4SF50gDegDFFarwdHPkDQVbCknYv8wLRrqj5SK5NGIJFaZ1R08SNe
SzpYlVIwe50LyhVolYpKCbG2wh67vWte/ne+kNinh5aHuqIDGs2kte5d/UWq
z4hodlWvVfeoEfvU47zCbZJnBLwBE/cFvyTFQ2qt6jKktm8pkVBaRqE2DVM4
zL0AcZ6YM0ntkt3jsjDCPJeLvFZuFdP3O9IZe7WLl87eu2KZXykLYZHHT9G/
KwezmbhZn8eW5dTQB0VPFw+sVN+jqdqIOsBUS/c51pSmgyCliYqIiBP/4IiE
KwUpFTm9Y3PIPG9yapFQD7cbY7rANAiOx48n8vE29xX5glhd5wzcQQPtC0L2
2xUAEwT/5uCQA1DKYfcEkvS5cXOuVooj8PVYVh/oImWF75HVw2k87EjpODi7
MZHw18Qxyimgvg0YI0Hi3plMJ1bevQNtA+kKmFk6sxqFimAyS2v4i1OEEIaB
HC/Dkeqs6E3WR3ZY1qV2ygGj+AURNDfd76hn4rHdPd8OpuHojOmUyvzlbXBA
9HB5D10gCvgOSRAYUdda4rGRfuZH8TlvzaLBBFu/NYkq4UIlKSfd5UF5aNJQ
htGLutjagbipZAiS0qn5CD5s9KWEisamh4CpUoICRGvtyPqwNEKMduX5QHRi
Uw7yMYzB3gHgo2wncuIHHb2LEgihIUuydTPJ7UCFKJ1cF1dMQSJYdda6LFiy
eA6asYuWbZbihW1BFXE00TX39crbkoPhjW3nf63Bc2PMcD0mpMV+f/A9CYQ+
B8wZhFry/TWQC4N0iM7XFxPWqdVHOpfXCRuXgBRQFMoZreiMHXWVSESd+O7U
pGEXZb//nEwVAjOMf5m9Va1bbsZOM5XjumJd83gI1yfxX7QOHJAaitrE8LOW
4SQH1H8jljY0xXr7Tds6OshdCE7NXArizDeUow18To/KsO7Ho3JDqqvGnGCF
BXIKtEZKeeK5obKFHehrEcS+ft+s9IBUs6VYbQdQmk7zODpbUwVx7kEN5OME
GBWTWqbJrsjb4ZkTlozot/05cz2aZvNHoJUB7XWJlliI1lT8iF15eVuIjuQA
lR9qjRek7wIHx7csJHRt6+A3BZbtm4mlg8hpGz09NGKjkFXaeCvpCDKnGxJ0
X7dZbj78n1Bi5Fu2K+IzLsWZJv3ouBF5rXlJeKi0ouHWac3/JS9xtY6Sy2v7
F2P2B+nLm2Vgn/5HGoDbO9NmUy2azWhWciNR0t98I1d1imR9tU8Z42hT5PIS
C0ibvQclo/6D7Xp1dNvGZZmWaluRwmO6CBkplURxjdgkyCEstdPCHY0VdDBV
20I9veVymxLTgGYtX7tcdmqNiX0eB3IJBviklG50nQeoXnazjmPZrKotJNQK
fsmspn2QC4V6iqB3PL68S2YXlNNQFjmGSA6Jt48YW9sn1wAnulD5wAdnKNQl
wAK6/Xiy1L44f2icoOR3xlvgwMyMfBUJM3vUbAWlAxmRjSGo7iZomQj7WUiU
BJKpGbNc9I9xxQixrpB8z7U8qCy+6IcGImbIX1K+CmhXXczKuFJ5m3TV3usG
axsSTMV4oFqpCWfa7BCzujh5Yi2B8P6SILAj1eqBWCrxhnk9UxEPIvifj8UF
FYNMiQtpuCXZn+EqVPVvA7YHdL2MK6VPOF+SVBFtxKRtOoN2h424PgJkVlWO
CA6XtHfktW8AYWvJbJy9b0qcxuLZ/gmb2AwxMVTTPbQm9G5K0TPmOZ/0oMbe
G6wuSxZctGAks21nIy2Sga6ZTO7UPAtDzCSkwnx/t30FL34+na4L0dZi37uO
or/RX6ODEVJRZBjZ4QITVElRP7RoJAJTl03CHlFeR1qEpSfc0GVXbVkpLVsr
KIsWR0e5N9qO4pbeB32l0RwxfsGU8ujYBwQHDwfyFob3BD0R7r+SBslvXwc+
dWj4wj3Y32ctAnii92HEtvlRy2LWwBEusREp8qZ7zqIJXUY4JcOCxGZmvIjm
fHEWTNcwaUgtXPgfmsSBgJc2l8WGrU9RM21E8pMZ8pv4QzJzC9NunMDZZoUL
fULNwFOZ1AnqEnDJzqWSdEBqygqS1Tz9qKzNS+Sod+58PBjt7B9g2f8elg1Z
qcnEqA7bwvXRcxKX6lvGoL4W+7uBtBNBs1x4mJMFyaxSM4XA2oGxdwh7Bw5Q
FLfpZBiu7nqRLPKb52H4/6fOHPXWn8cAVWzNPY6eRw92x4O9ncFkNHjxYnD8
YjB5OpiMB5NnD/r1l0CixZf24aV7z/cYIMtNwEf3f+2xHttj6YqB747q62l9
80PlXsLNXT3a2Xl014uPgavJSwOcafdeM02La32JZ7oYxZMEaOKTnWR/fzaJ
92d7u+PRaDZ9tjffuXiG6RKPPz4O+nxM5vPxzl5y8XT0bDSePZld7M934/mz
/Z3ZGH6fxI/o6R+38P9/bM2rgNul6RStlker/AL1He/tjZ5tyIKX+k7HfzoZ
PNl1GDyUkgMPXeCw1zZCHVYVDUkLZ2uzOB/6tkym8TKBUFSLcQlzpqzjdlK3
dnyWg6Vdl9V1hOqs94hhzzFdeFOp9W/X9drQp2Y+EO02hM5nVg417P65rUd6
GjRYD8NkmslnEiTSUeahrkedbjKJYcOhWmXUu1fiBbbPW8nJHSvBYo7+YKw6
dR91kXXkj9GXER3+KdviyciIznvnEE4dHw1STcPyrt2TIe9RflbzUKSVL2qV
DIzcSYrvlDBwhj4w9KxdEJJgDAK1abIpuIs0+4BRqx3e3c/MPPaK7Ab3p6QJ
h8UejWP7s00YFLzlSoxgpES9taL3sHW0DAuLZKm41WL86BlhcrvN/NG7hwAo
TSrF9JIlNwNe0YBWpAXE6tS682mDym3FhlGWRy+b2fp7kGzqBVVcSoST3rUJ
hzT+EPuZKZXbDsxubEJzgF4zbxJoGQCJX/OQvElPI2VIjWq3s/FnTY+gz3B4
3na+WkThrm5rOCh3XDO6rs0s8V01GFkCGoyU41M02QWpgAQZVCBe4hQ/NiiL
WS4iBKp0IO92LLO1yxwtta6Wd2XV8Jm3LBbXCoPAXz9qhC3/SR/Xlx04Xzru
XBqwxjbeFnhpE/F/1BT8QsMmpX5clrtUhdxx8gcDfv1Bcxk+dB5OUx7r33Ev
pL3eCZBR6k5MGIZxRsSrKBRTx3dWALeEYMK+2iEkLhFF+5LjN8PJG0fUD4tN
uEykuCzXSwE8nzqhrUgPlBkl0a7XVLqH3T218g+xvIosRqvzoDfwKpmiPnbB
oHbbJp96wjHN62w2jA7s0pZU2ZYMLT6G3F5ahQfOqWESjyLuVos8i7JgOOtO
vHK+Wgiz01uO165NLFU7MbPpmvziVH7R4FzpABJU9nVMrHBJP2R2cWYeYocy
sYUjmh2JSHNdWPE6kmmOc6rYaf6Qb8RLRsV3YePKrqZGDxuEv94HXWu7cJEI
jBruuHiPPkxvAMA4C/w6LR/RxHhAHOjYbHnZt1b4du4EVCl8qq0+A7yEiiVj
q3ICY3igvzq8dHrbRexBacQ3nrFdcnlR4vpTk6/MjKHO6HrQrxQURbM4aExR
UeRGML5fqciqQaBkobRuAY7IJTha07Rpdr3NY75KClh7jroZ3KlKXvSxU6Wt
bR0OMEQWEOwBz1Bbupqa5rJYTxzNsuvd47lmRluwCaO1DySn+rdyxRBxmugU
0zFRJ3k0XQDqD/A9F/D/kKrJYyjOsTF8qrbzgrUdHpoapD6UctmDDxSGeR4W
a8HjfX3w6jhMwLCpdaoEhkWW4QlqO0slVUCDWkp4X+nXr1oI2XnogBz1aKoA
TkRy4as1rgu7H8k9wCuG1qWAr4rPehFPvfPRJvXSY8OtMY/RTBQPUk7DQrkm
zZHsitIOAfBABkV9s0xqcHBBN/J4Ove1hdJ5t4AQiH0fcQXvXh+cfHN+/N35
+1sbCA7q+S28PEYITj5XVY+CSLLG4vU+mL1qOHFp0A3Wx8yEiDpIDz5IzOKT
OqWEPeHKBTe0I7xcOia3vhcciVIvjIXAQ+vq0YsXj1CcYheb3IQatER/rCzW
kJVyF5NqSe903wUlhnBw7abOGbjDTUsZj+61FOmM3LoczKrN8qJrPTCDXQ8+
HaxeM9UluxapBEcxnWEUE9Uhw3iyA1U2gxgnW+Y8lhRMqp9IKoCp6OxSJB7Q
wR24bx4QnvGnx4tFukID2OG6uE7gK+atWCW/XiFbYiSBVXCRKez4tbDRVHD3
WUWdua6D2kGVF7Ohx6HFcW6bCAoPhr2X7P+ES76mVo08iwpSx2fjvScc83p4
dHbAZPLs5cEAPu5HB9jJFr88OD4bwO+s4B3P2PLnSB7uPEpm2LKipK+GBlhW
KvSkhuZJMkpNtHqbSF4w7FLczph/a4KsmKLVQenpTwWfxGUV7WvNq4OGLcJD
3Hp671Q91LZG7T4keM60NnE98NpD60y/B4BXIS8gefRACWSr9qi50unoVPuT
QF/y7UAxByUjYJTxqlxLloaUo+y9On6zbXNc3uVlNfjjOs6qNeCVkRmi3rs/
Hm5H8Dx2doqDVGntZqX0d/VXoq5SE6KWJ9u1ATKMEusyobD1lAeZadQf9yfb
0Q1J5xh/urj1aaa1npfUScXn8BIQw8KF9RKzcPvagvycSgeMFbFiGP0B4z0W
QcuLDX0ImafVexj2A+kwFZPVrxNAWM/r1ERU1C6AYZnekXcOyfit8QEdMdhW
0WbiozD2thtW4lhYK6vc90fqDi007TFU7EcwkC1GY1TCmBFPQillglFNxPuu
rd4DsMP78BI2JWlyjSchJosG61L7Ud3HZDJqfmzIm/brjnquvum2e64jvrbn
KYR/tgW1sFORyQdorNF+WVvp1jF2eggg4kJbPJmPyfDs7STMuxfxRbJwl9IS
Gn7JskbpKEzEzt1OUoHpeoYVftgyJ9IHB22gMrK8kHIJ5GiqMVLui2TZkJTt
4dAG9JRqMK3dLUl2lCedmcQzv1f7LOXyNYdosyMyALJbj1XrQm0zVFZpgMXc
BuMx/jPSDhsd05J0iz26Pas7OfjmQOWUWzRD85MD/QgVd1oDtypd+N4e3KV2
Rn2iCa8jlbxksp0BrMzlA6PYcHj4pu8M+eS+medF4Fg4yc/FTKhitKudR4EN
8MctytpAULCO9TyeUslEL+/INIPRk8GTXZRT6DzNp/ARf1y0x6mfHB8fg6b8
5t++oCIYQ/GrflHbHDdCnkhEHiWKFNizWG9pD+e5SKtt7+Ygd72AvfuWRT1Y
N744bIPpLk27Z+B6eBXD/8Y7LYBtuG0C25/TyXALslqzg7Jl/uhJ7UC/xgOV
ogRS+wNk+WzQNSlFgllCeZWi0Mc5iZSyaYUDynov8GxmyeLWSR4bJ2gD2pih
Nt5rgojmd/nuAXxULL5EDKSSMEJB4E0gH9kUb0O4OdaGwysnvjCqzE4X2e9w
GAIXlhnoIy3ax+E3IJePhjvyxqdP+IHrx2Lb33EF9h72baEi/nCN1axNtaOC
RbLQyF0GDSEUVVjhTt+rBGVE7zYRRfTPUFj0JXW6sjAaZd9dAKVmZAF06r3u
yGHqpIw088FoK5fSVK+q+tnjDl1LFm+xCR+WJ73o5nbR1/ZEYl0LSjCxAOby
U2sNFHCJJXf7I/XK4otp/xc2ke96ik70MsWaRzRZ8nEA36p9LTp2hfk5rULT
stAf+R4EC4zVIMGxtaOqI3M904p1WxLn2TjStD0lqjGz3shJ3b6u0BLekDQK
bj/XMRKyhukVVaVA4JtmUKRrd7eBxTgwFyXmtSmyLL199S6sgnWmxaWfDpn6
Px2OrXuF6srhRWJLV9CO49FHY9FDWBkgsY8+NB5E9RV17h29oyot2X4Nuq+h
CjgkBZP+ryPBTVxJAMIds1MEqtOM07CKoihhyJ4f3QbuQnyD3Z9or5vD8hI2
Y5v2qLdAywnGJA150a+BBYyjm1KrgY9uA74eHP0Y9lelbhfYcI1KgxXpqnSS
vvcF+EJAXDzZ9f6zTRNds8p2liFOBg5TEGecK7R/YcJsNOTP70AzkrnNSpBq
6tVVytota+WQNjTQFJCwwcU4JzFDFI+pSkK9ua8VpslD4LsNiLXDiqC1Sg89
ak4lPZik7RD/Zxczgg+o9Gm+itFtRitTsAxFccBHaBp+66Ozk3M3lgmeym5f
olup+odWZpAIB/yQkvqZhQpwbNwBraJKlmQIcn9FTrYMh2WLIHz5nrQTjWBz
fXXwG8LtoKlnPBvgoKL447KOjl6LT4/uD/xpTXq1liP49RYu6MuoB4Knn/05
YlIfPvoXPzF8iAb6/tZ2awSfrsW1DJINU9AdViRpQWHCYPUINoBHS/GJRHEW
4yQa66EVnUiB9p5h24qvVi7JuIQk6j5QRoLEs/iizBdYrIO3rqlPCqB+9G8/
uD/+7YffekHHg0vj6BqGOpRGuFehDCA6vmKIUCVRI6ewfErWQPEERVH5u99h
vWms1VWY1PFrEYr6naQzHiALj6l6EO9DW32UPonCDYUmRV0fN8nEJX7eAHZT
XNUIL4ImmUltAEqZ0pn820EJuGl+mZEThGl+42kpIyOnbH37mhwDkBfnJOKQ
KSHklkPGXurc6QpuhYUlL+Lph1rMkmv66JNaw/KSzoIsNSZZ2NVlh6ZGHldK
adLMHuPp8Aw0GygF6AGXC+M3aIrWK2mbr0hZLx3FSbFa5YTLgIIGzYCdid+g
E0UaKMzwWFOza+eyMZhr63Q4rMI952VKvyPGD80bX0Y77i0kgtJx2lmN+U9i
71E3DJAsiRVGSzSyKGM6VTjyrk43RwLc1mt9V7y+VCvlFb3RSShppkjU+xcb
qoCKRmZualAtzBnyvbdKgWxqhmAxJiKS9nBsQtaF19hENXLT+U4xjK4kdAZm
M0UcM34L8Q5VB5xNiv2RVaLRcRi5CuYgA259FKHsYfSOTxFkLz1PlVh8YSyX
Pr7A9iFS0qSta3AQl72rNwUHtgViTJnIMIZKpAcWJWpCRD/aHbrFMsrAyqRM
J5I0EvkU6SRxVgWMWV5SfIrpm65jeImHfGLUa/Aq1X5HWJlMzUJqGHRA0ERa
LJWeJdUAmy3HFZVc0IUqNRJiwV7BtJzGxcxzGibLRCNMIZqtLbfb0pfhurjV
YBWDzuyFC+4tM5DeqkzWs3ywzU3SAcvY0sOarikePg9Kz8mGgfIaSQmIOWtE
wnZC8cr5dG1im+HfeLcwB1W8eYGv/K22wNGj6TUltSiHo4Zlcz2kLwRVvsS+
ATvYlv4mF8u6I1I+FLLZjUd67dgNtoy7SyNTB+3a2K4SXDLzBh6GdQuk/SZ2
PibPbLqaWVPb/KPk2dZWFz1zdKH1+Mmig9F0wAEPhcoqeMVI6Dxw5k46vyuG
yJAVzUveNsBz5VEzYJJaBRaHdMY6qnefouZBATUe3VNigHw3YBIpzmZ4xzsu
RYqFEIK0VB84Lurr1G3RGv8vXHPB9cpUuutIEB1GZ9QGwA8h9EvNMElYhtc3
w6ZadOTvdPIFVcoOfQy2XTSZGqpaXQIK3UZW4Jv6mORvqpAdLKbHvJIdaK19
HOuFpZxBcRh9n7SswPj4P2ToLbHpBFSht0RzFiAGSklYBVWc+6SA6nJY+gha
MxNnI4lFqnYGPaGTKRFc7Y0l4iG8Fp6UK2ltmxuR00SyElwRzXotW8E0J2oF
6Kk8kw392hBItT5Q7pNr9FfUlKGw/BjDDCPI+oH1iHJC0OP8nCLBXkrhLrdH
ru+s9vJ6A3eKDuNyXppbqbmbmGHZ0ls+qCcYVF+UbEOun8llZqmips4lLj69
SH8q0sG7GLlegU0i0G00eEEy/m/D0uFMts6vXGUiW2u4pRS3k7TcYUhL8KJI
yQyWY7sQX+1IXnMOBSn2q8djEmuAYMFplHNlqjYnax628jOxXW1lQb0cpuDw
FqZw83CmB60Xr8eddn/buHhbk6Eja82yV2GhDk2F42SK39poAFe6gzeyMiPa
4FROHrA46U3dmzzlKDlxrRIb1Gp8BFl3oQzYI4hq1Di1Ed8fbM8k+7mMEd2k
KSq5tcehKUSDJHDhLsNZhz1LR5cSjk+GpuuJmGFZ7nN5urU6LX55Njn3aVBY
dxcdRouFtkF4rEqBVIyZIxHsa3FaoaixDeK1ypOnBGTac8JGUHU68Fg4lNt1
zqU2iujuoQZlN5NqPKrUHODsqAZyOMO1z3PtdBfQRm36WYsqKKsUYCNuQ3Wj
hHU+634Ujga9KYAyDDQoS+31LituirxbDL+ulA/Mh3xskcwuXeSWIymqnTiP
jitx2w4yDWX0NodaU4ikraiqC7fBXXhNAhFE62/Wcru7WRjnejOQ4IkB9tyg
Q36hBSZslgsFOjEZ6ruLEwTB4e2Fe9E3WogE17dwolhKDUoRT2L8Kfl9HbVu
BZogva2ogn1GbMOABdp5qIWQjtnn4N15okyY8nturm5bLD5z8sEJFLQIr1St
ECiIuAYLEs3ExylXGuxtirpQ+G1QmbeyIpgtvCjQoJeb29gImugmLu3u8B7h
XuBOPY9O2gu4BknQ3lIGmjeuj+CKixSDggNwHNHtCQK8wuTSzFc28ELXxoo7
eMN82Ukp7liDnOazWnF5my2BlBHti0Gr5CnVWXxZnbC3Fnn9XAp2sjCqRgu0
bpDUIFAC3aUtRVfFCb8gFCfEKu6i+72woc/XjU8BUONomX7kLlsgaOE9eHl+
/i6wZLG4w5JZdaU2vJTFJCaVLI62Vew2PqZNVP6ipdlEnb+FtatNazNL0FRG
46L8wdYdMaazVWs9oaHwJ3SRga5xFZfeWuU0KC7vuKZuE34+od7ZMOqFkQXO
To1ft+7Hs0fJXEMNFCDtKr0Z61WziNXd4/u13DH+ZLitdYyNUVcTuePC5au2
0k6NY7mRCq3ETDBeqQqel+g1aQ/C+ZFLzteL2dJpnn4Mj7r2AChHUUxlrIZU
5IozdsKt0/LKIRs8vSRvPtEJZ8ltWbYvW1BjLLailnKTeoKfpqpMYy2sH0vY
Q60hhlVuXFzTn05PcFAeqnE/VYoi9N4kQSKzxMCKra2HFIp9lFDEH37/6SHW
hgck+ZGMFa+0QXzY0OSd0xXVUkGk9JhrrA0A4wbHH1cs15y+ONzbf/IM5Jxa
HdQwSFN5VXvBV4IkJT1SbISP3ak3nxI9shStRz0gNON7WR+GHkk5OM390+9p
zfQ1/uZsqqbTAuKJWc6701fvUQyCd1bFB/iNghJtbyqKriLnYpFUjqkjs/El
dkjsjV0mwSxEBvWxu/WrwcEvY55+TGYDEb/WWYpEBrPKjcmOIdeDBW/zfBR7
EqyuHIaACOYhDwd//erohQmrox28OTiU1vRIv3BRJIlwFAfMTN1WkERS3bG3
r97IImA5SN9dNVJbF82gtdceanp8fYdMqLVlgZRNZSDNhE24vnTtJqUgLq01
CIpE0t/9t8EgOgBSEmNTTaVyPtK5nF6B+rBwcSOUR4xjvEgvkdFLeM6f19M0
S6djqgV5/tXRcyDTN0UqDX509MHg96avkMODTw8VjcVO1Hrc5bZ3cYX0wpp8
qFwEg4kty8FUYekl+4P2EZgk+jJ8oReV8QIo0cmrN9F257tbvrEVl/dvYMoJ
Ygo552G4oKgFEUgMz8DZqT6Uhhq6EAZn9nIQq2FAKyHalB5D9vx0voGKlZyW
JP7gbpgAwF7CPRq0fmeo5r3me3VMWU93T/kK7ik8aj7uR5RC9eBBtH3Pqej5
+00FjwZT7Y3GMpU5+VfJdBp/8N0dawajfAacHwfbbnT2+vTp7N3+zs5gtL/n
bAFFUlb+CEMuUPdi8B1BEj4GYQT/O0nGnMOCf+wmkyVFa6Qsf4QaKsWxYB+v
wYfZXBNXMH7jI2skiJY+mkEa5SJnTjOWd8wtrGShrqeJVt/MrvMFWUcDwdut
1Dyi/BO0FcySEuzXOSZazVej22yfDPPcWPP5GSjtZEW+tJTVsXafWUIXmu4L
uc7x+rpKe+cv34+H+hUiTFDzz8VDDnxkZJNZYZji91HPhOsRQ9Hgxe8R1F+/
/55TcbYbYRZah+LJUCpRmBTFc+8wokkuKagECA6mDvL009u+l1gyVa+RgcMi
0tKkWXTXNndiuHlthc4pIySUtrrLAVbC0JOTBVJ0KmUziuWmA1AijQhHltVJ
bbT5OmNgcB7Y0919KpiygeLTkF/K+73o+z7Bfdt89F2foL+B9m/cluR2qhBP
xJuUK/wSCadvFi3YGGsOankns8LHgfwC7g9knh6hZJ/3tWHN7m7g9dtwO/R2
6v0IFndS1+FsO8iy3n+jUbBOiK+bpsF5zw5en9NXuJ9TOBYpb4MXzn1nV6eS
GJFBtq6qAEzyL7xHAwkOtaBY8xZy4bTv+nwN+U6eRr1g4xtr/7ckB273t7bI
JmL2zsu2ZAvJ9oajwa/vOhrjl/upR0PTtB8NfoVHc/J982jqq3NHw+fZdTgn
33/W4XAZq+/7lkae8OHYRg0//XBk97rwoC2mahde78LrjLIs7YqPbqPmMDD+
Hm5jcvLnsu/ExBIesPKscyqgMGziJtzkppuw8gh1hNsVb6YrsDJ33jBmD2fr
k71Hw0Cl0kJfzeTbWhfzy2Aa86Z59A4RGp+mCC0ffFFpyIrGDbfE89JrHNDr
V+ojerXDk0bzRrqe59GaHgnDe7cEl6PoN3Y4roIMz/M3Omiq5Yz5Y00h5YV7
TwLCVfNKt7a+9XInYk1TE8bHN2k6ckXdItSzYVIjm/2HmTnAvxO6MvDLbktB
rbKl1Men55Ly8eWDKWiAgMYPusp/tD26UaVZcQ2G/xyNphNTvWLT/cgvod9s
WoBTc8zXr3+mknPXfCRFtMwnF/Q1PLYPG//0P/+P//3HH3+Ut/tWKDNJ1KAu
wNE3lAzKBRPm4PI6ZuKGCciZ8BTc3XsZd2AulcyoPZl/Eubg+EB924avKSKm
B0tbgvmds6TXXZNI5q9aN6+TKfUk+MlzvVgXZMuulR7ADXige5NgN6NSwkSl
tUKd1ZmQukj6q+Pvz85Pjw/evB8b5qA8hYS0CItbMFWiHxe0+d4xDC/pRd2j
jIJRLLZsbwFO0wKi9gFYIBn7AkIYKBtP5X14c3sLHjKFnztGmChhpR+DUNtb
J3+2A3S8vxu871FFIECSyIbX94LXmxCYdM/PctwTD4FJAIEJjKDm4Y0jPKUl
7LYuAZ7ZBEIeYD8YoA7C3Tvffxa8b0GIz4Bchs7OouV12Fo/GgEqXj1yFcfD
9XfhuMsEUuKmqUCvgqtWBsZImHeIU+HtIskG7aNZTo0cXGlr5+qsR8VSkaYd
TDGCyeOiusmLDwOgHZcZMNyE+a3EjMupfXooNn3JgWjVJwgGRpnoNhH1a0q4
9QWQyajb/u8dMWGefKfVVo6s5xQG+htN2k6j0A+d9CvtEdu0D4TGxr2xhaoK
gxWNf8D60VhkZwtXuQYdakoVKdEjXaFXTyeEAe06h1Ev7LQJBziLHtA7D5ja
Eqd1ZpWUKuq5x+0SrrCXRtD704e96/RaNTN2hakxt7W4dqUhhPFS0uI59zKO
jl2s7HF2nRY5Jee7zAZfN3B72OZfs8U+pRhmlydLDhgPLSmWPuOCxGK1YHrQ
HXAzyhX1MHf2nrRmFINn+BGXPlGbjrQ0RqWtrVc1nqc3zwJavB8hknrly+wD
/p1jsSVdUFyz46CyFL7U07V0KFiiX1mqFeL9ne/b6Z1MFb7FaozJZ0HFqNa2
3m/zNb1ia5roaAMaDRADZmhoSLbUUw3C8LjXnGKefcPTpE50AW47WsVpEXYd
8WtfYnWpCy25q9FicL7dw7kavhoPQihyk5v0JiEXJQUPY+XZfj1ADFGIqsZw
0dsryZwiJ5uUquUCcnCnKdwk1jL1M1TquEQB1mutRwRR+0wjpgb1PcwsgsNF
4uNmTSmnHBMW2Gas54YvBP77xHCkeh1Bb+ClS2ySh2rwr1VIIC11jjQdr6pz
zb/wBQaICngX36eHJHnW6IoKp6UtTSAL8KHXWZAsC5i+Ql+xTWYs20RdyWXE
pGbiz6ipF7EmeFgeV7bkc4XFTflF7RXTCHwImiTZTGkWFCh1nbJJevTBmTyh
FX6f7o6JKB/4srsdFVR90n69DNAQzRMYlVRrnG46HOFv2IZ5xNYq+vuYMXDH
R4Fhoj+GFmGrsAsp+Eg8ytT7c0GZPi83iNVSnsOFmymyxRQdmGImV+JWF+UU
C+3iWaRGtAvjt1WzMcspTENxo3BZQm2ztGF1YXhLsLXoEVzDR9QV0wErkhJa
DlRScKEjJiV6y/WfSH4DAUXKQf3IEZTkM86Sm8dAKnIfwO8Cb6ogTI4SjagA
OdeWTZIV0acgiZyDvKjGuW0+Y0Lu+3UFEZhPNR16okgHjSgZJGJQnRgZ3lZh
cCHKdua0tCu9CDLdpVRXawxdr9EUTyNY5DoyFitxo9JE+c2GvAxfIqwf1pQZ
1lIvS+/3M3VnbF0TmpjrUNa2yyDw7kaiSY2ugTiyD8XmDHHnHK0H+XEOyxGl
rETtGSsoN14kLsmrnoUCDHeZxBmRN4qj5BoefQzc6nM8K6gsHKzcAnaAz3gY
nXJbGBfVa8+4ARxdmImfdDkcKQvodPtN5FyW10Z1nsyp+NdcZmxfsrqbmMYE
ZFavXeQohouFozqpGqbrehIChsAlwNQrlKix0ahkulKWmSa0AjwmrryL7lQh
L2blIKNeTHba9hOkgABgJrmePBX2OcmSV9zJENVdSEId6jVUZKmqJaqGkbIF
ybUSVB+kKSqF5kvxc6sEt20z2pxMUvVmi7jjvu8k0m8AxYcFejqsqifFvcu1
dVnQ4WGDgIVX13feQy2VUurFEoYVDkxJEzOr12fxOdNjIYCuyQLrhytX0IkE
iZtA7j9HNiEBqT5Vb3Fr4EsuBHSl6yQ9H0me29w9Np/T8lup43Y70NzOAGy0
HCaYcLWSFqEIqZfzdrlhxAogRZKWqH5yDnRCMt68bSifLle3VNbFpzAYg9jL
1BfXC6Szra0jJ84GBcWdFKxQtPJ8iMxZDUjDyBQ+NDjsQtbVCh+Mj9n7ccES
HIYTk2Bv9GMzkAZfUBGFAK42R5dRuB6OjVR8mV9zTC2CA8Og+eqXXJAaExuJ
RgydfAFwXXv00MR3UjFEz/Lh824msb+Y1DxsltCXLKlmXTb3YL8lccjM72pO
BSLQCCSe5UiMWC8Ccd4+UktA2trylRB8L8woEJPrlYxMNA2F3rW4Fv2g7F/k
TB3vW3Q1655rpb8tiisxzsZD+pYU4MdYUXQ4HE+40BCnwG1tb21Jhbsvo3+N
xl/g2NG/w8PobOQKCl9Goy8webzFUUmuL1nWoD0atJ5YjC1I3cLRy1zEt83a
fD4+2wcSuCKANre+3nMWiy2kFfkD6YB4QgTKIIyMsjkr9ZB9eOOQVncdg6SJ
3FYMBK3ZoLZAaUe6KJIWo7CWFGKrAbimF4+r/sY7kwq6Za1kmILUNHDATfJp
DTbFreubmN0o5ikP30PDlWr4XoOplApssGk2pkqwL2G1J5X15LxGMUi+OMwa
Ey9AhdElX2CqMR++x6KYxJgOTAoIxElHAUn+zofgYeOgWl6iBDzTJBeJ2uDI
AMLjFDKFFwOIffpn2ZQiTjOakM19aVkn/CK4BAtomSkoUE9iW7OKJSfYEGra
0SQ23ar8FF/AnQpq5UOpxcdtvz47NQ8MPIG4Q1fPRLTXYdTD/keUSNqCBds+
O9wN4zJBXdbGjVqgPbpMWYekvlZclKfOCZxM/VvllP5t2ArWmyipyrxIwy2Z
sw1BkAtp0EdkvR5bbVWgf6qkvr7ZbY1mxYfvKC/q1mDKYtm7Qg3CeGiKjK2h
R3tibhQvOZkMb1jvAgQFkQOWKaEsALkmMYnZHhD1MpltUxknOS2/GCfSSGFy
XE7bHSOTf4hZiIbudazfUk8H9jsSvSHANZO/qAda38CG06Xw2a+lBgsddRgr
i5xBrLl6hbmQ6cY8G8ngWHIaYWx7aA+j1xxLqubMsG5o7otw0tNE7a7ynGpQ
tzIW4lKkQFRcHyWarV25/boD7AturFQjrS2WPiUKxuLX5LL1FGxmJv7mvAtM
MJaXYDWngJeE+i+zAdUr/VobAjmhGLGEo6S2r1DUor2/qw9IKjum16UY2VcE
abrdp5vaqxrrpSF7QFpDbwSatpxJDWm2Q3DrW871NtzUa31WOXOJ0szoU9fP
TEgE2QkQ55yNQO6MVcrmnNBt872kCOBtnZ+ztmzojz+kf0hdvhbxfIzi+Xij
eD424vm4Lp6Pfw3xfCzi+dfvv39/ePLu5fEp9UYad1TwNJJz442B2gkxWNY3
McAA054vLbBJhnVnJB35zOjD+h3tEPhCCFJkXfslrctq47qs9p9BXL//BYnr
aUhc1TsbBlA16SzCdS2+gVokJMUKYXxfD5fah/86grQdbUtzhJe9bReL/Lkh
ZZpEg3YRuf70tnVY11Df6i/BesRrN+XtML2bxpiVB4spQCO8dUWDAmrvhgig
wcFQpNWYAGwpoqMBUACa3/3O13rR2Cr9i9XWcfT734f3lY5G41dEpPyZOQKu
MxFACWvRkAtlsu1orQnTCs7K9HLZfE73XJ+rpd+yph1c07hrTfQQV8F38UTc
8MI2fh9YlA/7rbMri0zp6Mybu2OoFeCRMd2A3LmNCqF64ZgYUWdX8zr1CqLj
g1kYAe6t5QqD/fUw4UwP6H1evGccB9jTL7/CGbfPRuTOjfJIS7fMlTyKC1A8
lP4+16Q6TejaHe7WKt8bKt3WD2IToveFQHTlQbQcvYoHbT2WmIAgdetZ7ywH
dmWkk16nyQ1hK1XGp0DxNirxXJQZnxj9ZRQQH6Ay8oji2vuYinfDQ11kSceU
ImpfMiIQGbR8Hu3fPqVE0ADbFhW30rb2mmxFSbwUYGq1SurnLd/4+pEmepnD
rFuBqPFZunPfx5FEGGR4ps5W9LhuN2zBPr/37S3XS+dkbka5swOqhsH4V2zn
0FNpQOkdJ5jH5rtRur6lpqOAawv7o+nvQ5Tpv5A9j49ImacNaK6zUG293ohg
biSCmAP30Ybqsmy8nnycJsksUCcpNM5EvuvKqUPSwI8wNjuweP9lgHPfAZsw
G2tRUce/hIoqWkDT4Nmuo47bDZN1jXT8GRrpuE0j3eSklrvuFLkWH7XW9iSp
FqsHUWdu/ntvUK0pREsDSguu7jNDg0HTuc3rgTVjZEhwYF3tdz9Tb/Xqqb/k
VCYknasOuy1k5E7lNeQgA63JHBQwIUerqToiAQx17oMZBquWeWh3b6me8h1i
C9dfPN3e1FsQE6O99clup4fFgaSHPEc98En8mU0RLbzes+H7VX1hbSCoeKV4
XMt6Cp01jfOO3kizVim5olw7GHrT2d3fylAzLP76VoammWGCZobJRjPDxCjJ
k7qZYfJrmBkmYmYw93PSZWK4n2cn3INR9O9yykyaTpmNGu+ENF6WmQwDUAHq
n0DvpUX+XH133NB3J23M2iq8k1DhPdFUGv2LpasJSpaR1Wp/anp1XbsYd2m1
k5+o1d53gXeqPKOuRd1HrT35fLX2ZKNae/Kz1FrTK26TWjv5SWrtr4MKDeYz
UbXWx5P9cmfcPtuvq9aO/yFqrTn6n6DW3qmkntyhpLaTkjYldWJpV1yLq2YY
11ity9neG465celwUgNwv16x7jNSSYP+DGEm7CvcV3XVlbxKSY8oW1JssDhU
w5m35fx8ypJjS5Nf7qSuHj1qPRs8GHn8lbREoTXb4lwB12go7CQMGCy4h64+
8SjgdPVQWT/5fGX9JFDWT36mso6rCsQbJQKMF3hQj9SyYyPZ7xRAdlUAmfTD
k+ZN/GcJILRytQPZLMEACVrLZIWBEBh9J9k99TTBeySMmaIokuPY5i6eiL8l
SAbZoHZPvNr9ReT1hw6LSo8008NAlzI7MYlFmx1Em1UQDnylyGtKJdCt9Wv8
DGEq/MRnqEpPK6lRyVTiFwV67WAlyANDI0CBxbaH3NOukeLZnB3AuqhtCSM2
G7Vnd7l5W62OmjdJuqTccAZfdhbg9Pbs8O3psclLaQujaZ4o5Y8asaFWYVe7
WZRYsT1FBz1WbY1TLvbJxl7Q/qR0O/Vv7h0cvqKG3HFLHOkG4JKG2V5cn/Dc
Q/Nz1n+/gIjJ/cIfJp9hbJr8ExmbTu8yNvleAN4966SOX1zc2EQ6TPS+5/UB
Ha5Xm/nZRrCTdiPY5L+kEezkLiPYyS9jBJv8w41gk1/SCPZPxgoN3taYoSdJ
/4nM0NLFn88M7ybfjj9smP6XZBd+vn/eIKymeXQXzaO73WnQXrpwReHevjs/
efvNwWsqUcHRb0MqnA53YJ6acv4ZWlslE4kzcS5uXX5ULf1S93mPljdN0cYV
JEpmNa7h8FNbJzH+ipxj81Eod3ybMoOBkizyW+4lxcqEJAn+Ih17+gamekJh
HKJ+uqZMM2x2mJiUeBLX7BLjQnI1fTU4aiKJ0eIuo7ZGxznNp4nwso8hZl5+
65o71J6gkcPt+sOR7VrhSZOzwkbS0jGHmkFINXkPmGb6ey07VIIBAGGRoq+c
R7Ddwr9rrOO7dQv/7q9h4d9tWvh3uyz894rkC7fwGZF8u10G/rph6J/HIrR7
h0Vo96dbhHb/IRahXWcR2lWL0O4dFqHAJETYIyaeXVcZ8wv5+3PSgmoYeG8j
TM1gsPuZBoPdz/PT797PT99A5Zq6tPtPpC7d6Zv/r6gu7Vp1iWTfhsaz++vF
rP/DvcksV/v+dg7P6jYmKTZBuS2adODpMsqLJkQMvzTl0qLeh5rspLoCZyO4
tq0V194xlX8+UPDzQyk98xLeWnBpG95pR80spn0UeE3VGoIkmyDx3bXDqJXO
IIWH61Asbh2MfSpVOYxM5RjzuS8dpgWinLaADw3woQF8SRj2BnHiQ5pxA3V6
QDqDIhioP7LmyNTzoWF+0qjwwpoSAOIUBnpweZlI7puMK/fDpRi5ajai2biN
1B6lzGgp84CNrrGgBoG11kDWlBPiYbTkW6vC7qQixfHgkIZAEFiIriVIoUe1
LEWV59YzF+vLS3zywufWlx/S1QrvxDwo19H3d0lvBMBLmuBxvxYccS3th+oV
K7j+giu0QyUrGkWRUtfXhpxzNzHWewN2soADo7tmtINmKQv6VpUluqXNW8zK
nmtCJboexlhWzQxATZWcKdjd5bWXDnsKApqT1sekoW3a6CtXJK+ed5deXlU+
867WJgsPBYufVdybM83WScvwpspTuAVBaZLGEZvTyrZ2Y64NXIk7s+GFwgbe
PERQy4W7FQuGxxawi/hWym3ZVn/G2oJ9xwt+rNTqiVoeKcmIEdQgIkmeWgjC
VLvhuEpkoait8mu/oHTOA7Jkfnx6+v7w7dGxz8HHT06+efEWPsEc2ZqY7mp0
EqVS+EudzpajwdKaJj/ITTewOaeNpF2MKRUjF/eQ54IgptKiWCIloiXT7o9a
p45pFWWYLRaCxxLF2ssSrClzTVSNdYzrxCWyyimVQ1ksQUIXaxr1DbVDNK3A
OQQZIRAf/PZcExos5zHTzJ1WO8OdLEUJiz8C+pjKqbXzGgIQCnLEhz25tE0H
hR85KTasQxzFcXl9ufWbgfsxv7b+3fnzm60fPAr84AFMjZN/AKGQvZy4pg0/
P2z95kv3Y35t/bvzB9ciPzvRD/Up2FnD2Gdxr2UtvxBc5GcEc1fo+TZr+VPm
FQw+vS64/LJrGcPcks7t1vItNVVtN9D+mmuZIFyKtZkE4UK9Mq3p3iVnz375
tXTTQb5qLVTQ38EmBUHKSLbIM6ZlW1vHniTuqJxSI2gRNyK1UhJ1DRbiJWTR
FeIsOV4qm2GTIsHmzAXIa2kiNQvCV6gRrhHftZU9LGiRX0bU5FIlGV1hvZIn
TGfbe4Zl0pKPnE1PwVYohCh3FiGgWbmrUZtgR9QgkBk3ST9hEn678EiAt/eK
dhYcwcgVbHcKgkjes5wq9VzF6BvwvQnNSoV0Dz2Jc3pVRLYYTrOwcXdxdLVe
xtkAwzK5HpovZO0AQmKFiHMwGHYFrLj453F2uUjLq7D23IM3HKIW1BV6wJzV
DF/VSm8hoyJUYyFEyovNqxsqpZeBKJ0kDhase3gZW4UewtkV9ppBEV8DaNgS
FSaaCvyEr9bWpsvym3YWUa0FCPeiXk5aGqBU5jXA4kvNwWYidqZE7JCJ2BkR
sU8Pa1UuAqQY80EG4gapKSReSjm4IMff9ZgOSKUtm9LQolvLQJl0Mnyqnofn
agnF9SorhS060ZiO2uVuMIqwvFErccC1Q0mIwe31PZp/6WuGSEUWPGtk71oh
I3RFarWFlsxCV7NbtrZplZWpFXPKRyTlWriJS8FwaC8iUrZM3gVOW/eAxcrN
AIx6KPNJJ+oFuY3TDQbhsBwDJ/dtb9odjdReGsUu1bmtmkV3al5CPw3wH53F
Bc+FUKeuhTgw4Thr8i0FeO4+WVTJutbuab7cZbcokOyxMkvHoZoxTtG6xv19
CqxgBFc0GN0Xd6nf02AUUn6BZ2JkLREsjnhD025AQb5JLnMEZ4q1tVmj92YS
HawtQKveGLre7liq4/S4fNG2S9+n0olMTIt15q1T1v3UiHBm6l6qyh1P6wY7
DdBZY7BCfblyFqDUJFjNVBbc2agZ/VrejWxLPQKRdAVUpVF1pWUvwympW5xb
HRUNFKMEbhq2kzPGUVskpPf5KvIdRU3VNVpk2VZkqFGaoUYUCGBOliA4d5IU
PvjOBg51gOJ1c9Dspg8CSzgbPpdaxWybAdIoEQX/M6dbSuV/sWZiSdewUFG+
wCYMZAu91ayRFq0xX1c0DOBY2IrBdo3DHkXstm2/qzHZ1ZoVlmCV1MZarRx1
tiEO0HqFvG1XCxPJfj38g00pXE17SqZKw7DvIM50I1qLqTla22L7plphjqX0
2nkqLto544i3kklotiahC+3qZXR3MR+K+gmxulen8ts1WcSKGhdw/biKECKx
KY9f+pCWQSbG6ZM7oIU0vgNivh5iC9O14PS1fTN/Tt3hIx06wQZBZm4qGWUW
FVAQztIVOyzMjGSgAsn7NoyTsnlT9YSa1qIpvu6pkhp/V+m7LuuutOHQcAhs
wEFHAtxG6sc1q8s52PJ5XNf53B51LXpKjYNwOc8QGDMqCl+66Mzwdg6lb3lp
DVKjjf3t3GPjjsdKiu2rBXtoX62QW4r3xhdNlMhAx65VfQOsdkhC/O5SXUeW
G3rCxiEZTVGg5WIrVFnAkBMBzbEXQmS7ToJ85U97J56Qg0IvjTj+Kcqk7X7t
1UO6iuQvxNj8jfPIrMXe1QzhqvapCMZGVV6FlZxqUcYhJZMXnLus4HLOymHN
eEwmqH6vL6ZTG1scx2WNmjbqKD7xEk5Nu3H1HY1yotDqk2bGFcVRol3lldiM
4qpCR6mETAYwzrwo12oU9Yv//B93cFs16yOXn+17GHyJq//6/Xd99qhztbRN
xr+f+vP7H+prqf14hNr0c9co9/tpH8WZj7/EPnPurn8JWNE1yu9+PmB+c+eO
Nthl79jR5/7UR2lBl39Fav7vG3HmnwtfOk2rI7WqHnZcS2frGt3Vxc0Q6HFA
oMf3JdBltC+80dLpGg26Q9piTouy+FOgf3kEfH5dVoWm8dqdLRO0mKbTMrrB
mid1ji4kHuNP4uhyjd6wDRyqwWIcEzmTnmatb2XiS93DOFak9Gn1C/EZD0yr
YvfIvn3L4sb2PbiPG0b7iuA56G5BlinzGjva/6XZ0f4d7KijQnMblxLkwI08
/QX4FeljoxYDzFVsC+p6BqkSbuNU8/Vi5m3epKyz6oQeKcKQvuuNZyfKL8hv
JpgpE7Ed6nPNkoK/Ynmk+JeyPh2vk9boeg25SQ2WiaWHnaKlhH4BZvP7BAbZ
6DRfJuE6SFWl2F9bRruBTAJ9KUtEDYY8PGuqP+otl66yJKniXcUlQUSdXrkU
79bkkH+QnPLT2M4/Gd/51eSUTjHlX4FQ7f976yj/v5ZTutCFdc5upPnnwpdO
OWV8bzllfHe3WefYPvSO7VPn2A78UZM2J6WEp8XedmI85KaKSM8XrzKWDyqb
4TP6XBbVduit9EY6msrM4E07zehAb/tn76n2W9VkcwqpEX6altalmhrxxo12
c5VzBBVxwtZNlldE1Fts5eouxsCzOGNvTscYPjOl3vappT/QUJrKmYjCth5r
U1oXWUY/7nEc0cc9kPhQAgq8Gm1LkhDVUuq/xDyG7NWFDcyRqUlwnOsDp0D8
bri384xq/LENi7vFubBlecofIWatSBKzOZbqCkvUU4CbxC+ZAXk3JtCNGCf5
S9FNjFa1+9Tsjyn5qDJ5ByXZ+uPZNUACS0ziHjV+MGZnQ5YgauGXVMuvA4xy
VoRU5lb1zSfWNOSi8PBrisMrU7rVHFvxHxih8h9Rb+fjfG87iJaYNKMlblTa
uuOWkve07hWmNLZaFttR0I3o00PbG0i77F1QWFmMuZ6MEHKr1M1uR4A5rzCa
OmlrRaTCqwaxJR8TAATHUtD95ahjrYoRc3JSuETMucBkAhu6G/Q38oVu9lyk
/9MxRvoLIvL6BPFQHnRApSZQhxJPjvjcO3z7zXZbg7FoCdBIqekktYwV6rlM
JW45zMkXqdusGx+iuE8XdZsvlxw4EfamMssPqJmCJOiT5qdFnRILAfRJdQsQ
xjxPN8vHkObSA8attUSdAePJ9aCT2lGDMJyvC2q2vIw1/tha9cKoBKRSiwWP
TVcAocM5bapSuiS8Ci9gJfEuqOxyWKNvhu3iwOH004KzJhA6PALFd644tpHk
bgkHcCUROOpW+I4LzkHMaMNrWB5GnMAlm8bS/ZBoEfGx6zzFqIVyrVWfGodT
+lRh00dUu/9crlMC3QqI2pSQSlssmqoPdOgB/G35tW4Ee25Zul9YGGfl2+NJ
Tjdp1MzdtJObKkCGGboIaMZhelNC0LjtpZmw+ZrvJ+jzFbmXe4WOjAIUletY
OTuqXdROc3Mvz5NMPI9l0m9H+/bWc0vuKEhBwVOvoDWawvmCHBhBBC8+CLcU
nNADG3we4juBibO2cSLTiIdYXjiodGGVvCBKGUJQsf/AIU1f/ZCt87GWqsEC
KYZJ0cUoEqdEkv9gxqmui9oSagvse8UXwZgDbGR1iC1JPAv2FiSO1TcjHYSR
bMjO7gSIafGtLQ5bJlI3MOOBbkR2q75okAeLnJowayfuqeu7hk74Il9SL03s
/Z1WLb2/cWwzpvHnTehAqNOJFJ1gGbiHeQTBQWyjvn52YKqv9cr4ti+FGKRI
XD802kidOrY72IpYSJUBmLDuv5GoBOS/UV1LcRsb1McqmHIyOKc3Z1NpUy4U
qh2FXbRkJYYZ7j1UbzVLJ3tpmmDUqIBpKQukKi0/GI+1tk7n5dPig/7vPYnS
2obzA1BmUyeVlENtzybLMnlJtRVakvABXfvY/V2jtKjpFrG6v67TQqbGwonA
SIjdo5943oIVGjBLRNkIQVkejE839rvDlwfffH38/vXJi+PzkzeSX+8lmf3h
uCbLbLMwhxnJi5TI8ykvkDPbPz1cVinbr0nhuCi1cnSHYsEBlRSM6GJpnhP5
aiNcwk1JfghiRegTG0J0jwFcoBjjO4ajZI7b8GfaNj2b4US3gyofuFGRDIay
hCQ5yhy12m1lOD7zONN1PEhp3jTp5+zMCOncs/nw8KwfHX573meNCn6Hf7fD
pdVe+jkwcGzBVXVoe8Ms3+VrWoWkjHpqotqORnQnx81CDHet5fjg6K5HapQO
J5oMo8PAIzIGAff4bHB4+GYwejJ4sjsYjff7KMgMxntPKCLhHf92fEb/6X6Y
k0YnwXjwfW3A0ZPPGZGOn1mKEyaAIOvR+kKy7GzgfbMkRxSKImr44dIrci6G
sHKjJxQsWQMmze5iqvVLpgS+bo5IsGLkSK3FQm4dpcieCe+jnpOmCMWnh8oV
2f7knntX5KuEYoH4GS4zocokBu6pWKsDIBXSVyjjl4wProe2q5UB/w+0nuWT
s5Ov3xwMTjwt//SJPpL4Lnz8mxx593ffwZWuMBcCHqGPuFkAsnjqquxlbCU2
O4wRfZU6QYBcAO+HjV1TxGHLqm3PT2/e5+di0EFuS5QDqFGVwM9knXgLVT3P
C07gT67aA4sM+SK/vGWYuC33fR4vCtLU3PsG0zdKlK+mKEusq7VUPTDFTNjz
toD9ZZQBQnVGsKjQVPqsrRKMRMMYfnyAkoNrzYTdCnzlNbeK8O1GgRM8hIWt
QXDHiybi+KtbcdbcWX3YZR3XwqkMyCry9MWXWPOzio6cyuKqblGNHo78p7oG
R2evzrYHGEgqAjMcMsgCg4tUdGB2tjkxBq77AJc3wBG5/UZGoY2KxKlt3H69
XqCsxBIyMppumDsaANQEcJQCn9yKZGcUnVQ0UyDCINngYIZ1dGobs17a1wEw
pgsjQJA24d3vm4BHeX8Vg1TlBwCky8IxpRrXZbLJhNsYHnN84+uknMGtXRml
GfYHlFeiuGazAhHOy5gqt9kiBiOFWOayrqnb542NBNROnSjByrCiJ+dofPJW
V9ztZcbnIuARvzDAAsbnZFMHwsd+j32UC0SPI1xzEftk+Ay0MmRERDOKfF2x
bclbKOWG2HTkodLrWjK2djfNGDTUbFOs+RnQ1lt6IEsWXNgDJru8gp3MfMTj
xS2JoHKQwNVpwDIMo4yNWxQYfcLFAVpaQXjTnbur5RS9oI5nVpiYg/WcMkoi
x2u1reRaSmHhGL5URXMWv8gq7xy0tS2Q3cdk46y24G8wX1jZ6R6v78LRoVoQ
S7/YBpMAbOSA9I9I6NJK9UySTCntkKrrlIHeXKev2GJKbBOxSSJeiP7hKqM6
caO/ufSOxGGIBunKDzllju0uDWJtUImyqWJbbaTkGhQYeBJ8SvdAzVv1KFmB
EQaNEKBKR/axqXZHIyQs+wfX/7IADcJ4HKwrD9/GCjU5PLSCe2r0DJd5mQUE
DjEtBvou9EAHQxOxUWYOVMdQzxRMxHtwXjNNfqkvJ+xCjJaCtArcMkEptnu3
hnXEqyNHohG34chWM6j8DkYlQaR5Z1ZnigmrFTNRp8HD4KpJ7+O1ODk+f+Hk
yNIJzi6OBoS865hY0jKHteTke6ILqDRWGaY3fEu0h0QdqWDJyakuTKPWjkAq
OjDLZXMMp1v48tmSBgBf8TdYvQH51AKJ801CJLqm3rN0XCTwDtV3OebgLKdc
dMuMTo7NStcIzJnEcjW6ddX+Lz0CmtdWMXE1Ph16qifVfLb7UnfAThHbZ+83
4DB6UVCdi4rMm4NinWW+0s3mEwAQoP1Pb2FpK8bObrN4KW1mk4/zdFEVNm+U
hFC9vct1Kc5qqUyCVI2SW2OpR+WrAeWLBWIvFzh0VyG22h4gUlmxA4SnQNtW
DoeOvcJJc2AyAQC7KDBsKHHOEdD+AANxjMq+IP3Cy9vlEot8TaNLYNUrPpA5
6Z85FhSISVJqYjdmIl8Lf9I6roYNTHPO3OEiYUV8Y1r0MrUE4jEfiNxjnL/c
wAxLX1JeuLtdp581hPiduHxLPGXll0o52lbBIABhYl+xnpLYgOTPJ/5KBj3b
su8PKOa84Q1BY98AVTdBd70xXmLB6EbpT0JRW+V2K6YHOiUxo9YksXIYuUWo
drTplsJIaHSQij1JVXJR8VDeBjSC6wCHWzUowUxeTWs1kATHfT0g1JMRym5v
Gp7aOkv4XsfgfIFqKzH77zoEtwSpshPXlA7meAb2kjjXTrjaJnx59OqF1EM0
BsUeBeaVVySbEZ2ttskGX9bmy7mgdjCf1mkVc0jtEIJB6yvCA76LkDLAQ0oa
jqJl1zYsmJkMRhzCYoES3FFbFi7MVzG7nkWVsxKSsVUVgXEbi5e+h2/LFstH
jCEh6XJNRTSf7IJOXhlLjIiNwJ0xY/aiwGqeRPQDdTUYA02B7YPM512jUJQ2
kuIPn7UEI/+xc40qabOgTdxE65rtDifRRbpYmEK65GXSkFKkTE/2o9sk9oWl
kBmAGhizUphmgV/9JD8HOj1LQWlNpldkY6JcvgMuvVX4dce6I7RhumtJey0b
JApRQq5OvRxuX6w/8Z0z0KDrC25/2SHeSKlJqU5M0t3+k9EExSOvI3MBhvaV
kiWAynNqiwGsOAZ3F05D5McW6dLXNfP6mKvX6Gowdh6+4hyMg+llmYrG5dqX
gK2KoOGYa17h2AejLMCqxEB4tYkJ7LCW5TaZ7eLMeKhURdA4QLqeogZO6p7G
UI3drWc9pPWS3jRY960Jt96r7dcffWASGIdrkCB/Mq74qAluq8N8WQdoursY
YYBQsSYg+l5JLAL/6yBTJJQY3zhYWSnHu+s8VTOsjyciNOg+gQDyLACHzg89
Im6hx8mTkXgDTwZHwzSp5oMpCGWDvKT/SMnUvjuCdtNvx3lo4N/0Ciu/wrTc
K4ZFjcbu5b6RvF1W6sSn+HhXBFRNZJ1tZuolQGuVO52XtL0WP35jaoJi8e10
Uc/UxBcIExMOKNhUur6jakFHzX2ZPmB6yif/yRrQaHmBZlXWRrOD+pHA+Fcg
Q8ARhztx3eYap3DeODAHf22QkM3uhqFErG4+MbTadNuWOIAkMC/2KFp8O/Lx
omhlpNa728Yyq1XXYcp15qdXoqExXfzdAOeiwp3UwZermqA4g2+s2wrbovx1
CyLwhoYIzuJhCn072U1EHi6AKxZwS2lDO/xnAmnC8JgEQNrlD3epP5gBSFLd
YHZPV9kN4WpKEvuaTqYBewdH3NTQFbm19cntYV+w9mntkgFlTkuvFAXVvLFK
IKrTFIDDiKiZcqXI0jBnSUsRw7GGAqd01UFMuryqxEIixshZPl0vXYCyE0BJ
TDg4MqGGbiYfjQlPgxRGXC++LJLE+CPg2hVYM1ZLfaEZVNEAO8NIAXD809rw
UYGReMRs1t5khqtJkkPllhKGaM9oL4TlerQHWesvEmqHwY7zNVqPrtPkBlCI
m1U4qd8rbGScenV4sv0cY/CEqTbFgqAbZtkQ3mGAwG3VYuUFOZgjbKfGMxio
d1pT3Ft5WCmios/Rt7SMznagIZfs11fkY97Um/YT1tictu+TQ/O7R2rfWFhI
hSbCxSOl8SIwZeE571aov4U6subnx+HWmCPduRxfX9X6Ql3Vu7rR/TRZgdhK
IH9eL/W3uatq30TxuFdwcjwgAw/3nZjz8OSoBlBeCx68uNWq7Go8Ifp4kXA6
A5mbYsyuZRtV6HtKK7RKfTaS1R3YNveFazxlt4oKZBEBGTGufKSBa+8GND4u
FikzebaTOHeAz8Kca3cZCkz4W4JFNr4CWKSj/R9/pCCJAh7Ixjv012FeVTDi
O1zN9Aq7BY/H9MUfYgpaH0/or69ROYNTOFmss8uYHlGqFRTr85WbtJTQhbUA
aKwE19w7DOwBjQAUNhdINw/yclmDN1kMggQgx0NtmKanPvdipOrvCbyjwBlB
tEHdQ7bB9tWtkAL6BQyjl5zO2+Viw/Z+YvPntQiadg3oNXHkgaBw4X1/3v24
DXkUKylxXPK8BZDKsCCyhtk2u6Z5Olg5lxrFIlgHcGwCFRwzZBs2CFcYfeuC
MwFvMQ6v7sJCeDp/JcWnSmCBmGhD6HuKZI3G7F///9p7k+ZIkixN7I5fYYIU
YTgy3T18w1qV1YIEEJmo2NAAIjOLVUWMwd0AWIXDDeXmjqUio6UvFJJC4YW3
EZkRmRGZyxwoc+BlDn2aHP6R+iV8q+pTNXMAEZFZC9norgzA3UzXp0/f+j0S
mThCVmNLKNE2CvPeTs4LUMnSS0SZwdU3rwRmdc0Rw3PtA4GbtjcfXyPeKnXz
K4GRZ2CcCa9XExLnGJEiigDxzWhqNKdKghCKcCaWPQr05xFYuCYJ/XfhuWdw
ZC5ksmFnlEscgIUhlw6esOIbSQ9a1LXEaG3NSw4slaVUS6pnljVV+kqRkUn3
D7vXr2ENaIru25Z/jvzb7nPpFYclgTZ5OZyXZSXQZjH/6DGRBiF38f5WjMuo
ssVMBRm9APtrZIsToZ+YEBxTCWxGYXtB3In6aki0CwyuJBY6P6IXCb55vvus
xd+vMPjvaT7BFDh26FyzDSq9VMOEsyZemXC4zFpQaLGiDsmldXD4rJ3YDlXY
Ls5mKpcI/LDtEU0fnBgyLm4YN9+488U8hS4nI+w6kzGTQszaSYzAaC2M/Tmf
50CTXB8LND1SWC8KWOTEF/tJGvuvdls7O9sr9vb3qF5eRtSDu5BgGBwPLkVM
yHFZB5xTdD7Oz9E+20yku8CLj4zAWxMFgcANwXJjUZ7yySQjW1jSID3aCSoM
LypaB5ufVkgOM2Z25GxSNdPp7sonmpi8mI9SLYGj9YYWc1+Pck/PjMeI2T7E
RJ7rjJfs+97qaneTmvt+MNjQ/B0zokodKHTirw82UMN7RiiNw6ve6tq026Rf
+xsD/JUtCMOr1V532n24VY26l+zBo4PWRqfTWl3b/qBeUnKT0NmfUmgar0UL
+ZQsnbuHgWWOgFVLwgJHjC2sM2ohvs80UrhqNDAIXwWhcG8TFYVT7PqsAq6F
ZH3DLngdh4w9uZRHW3uz9MFQyDuLOTor0F4yRnIIWQSGfmGGlIgjkbNHBT/U
H1nInVNYLt+Akh8ptksx9BKwpQO2EGMwOTp1zI+6Vih8B87dDFUYd0TCh1Ai
uEIp45KZIzAUVJLnU59kTl4j1Ko4RA4GJ3evVEqYwxiGecau+DNxxLvYYHQy
8zLp/ehHguKmInrMOWkGqX83O09Pp3k2zrpdB2t5fIHS/RSulF7XZRhKpPKd
DnSB65hixXOVmV0CoN48TnKXu4vgQC+y8Shm/p4Uw8x9jZJ0LboIExKxjP2R
HyDPL3H+FDEuRaoASgBdhSJ0kY0TwRxP52TLFrs0knDj+PWzNyv0K6biuBTM
WXE21yvdQB2y+SMOcqq9geXSAh6CqRmFTovtKgHEqsb9MJWyjwqoqCVbTIyR
4yorQUdE94gCRHuAYoFJe6vx0FNELArv9aiEssRmYdNJaINH9EhJBatZ4goS
8L0vMM6y70sCOHX/o0A3g2Es9EnIVOiW9P2ZxafSJMMZOVk5jiB9S3eqt2AE
oAdSq45lW3OJjepqNKdlQJ6kGwiqYoIUZZ1/h3s7r1++3Hu1u4cpLa/2gZcf
HSRyXUR3B7Kj03wkbnwyJrC1RDLuWvKn0TOcEY9YG0hNLhdXDYmU/TzMy0Cv
ZvUP0/+Q4z6fpjfDP929heGg4HWVXmG5VglZpGEUYje9JLcV0tVQMmklogd3
eP/bsqlmFkXZ1FRCYHhjzGYhtrS3fdA6Pn5xJC6F7VcIvp30vz44SLafb5sq
aUe8jq39kXvtxVHSbfetiqGlIZ7v/ebo+HBv+yWb1ik8s37RnLDIaCiMyQVX
zkxTToPo4+MLAeDCPGHgzHYPu50Nv4fwB64a4q6IEaq6npRNKMyTw42Eo8Nz
Kndca3FEDbvB2HLvVlNPT+wOoYAypPVRxkGmFU/7RKuHBy2ms7gpMawY7HHW
pENTy7a/4imHh6MtlpZIV+PzpFdt4K+k3EiuUMd1HW7iMFMmmCLnbEQ8cZwI
5VQ3WgZnLojylbQCFvBPjMWkFNeyULZhrli3NmyMkAIVEkRXU9bXJIw0q57+
oLafSWCoeKJi7LkqHDjfM9lEQj5cpEk4YLm3gXtfUXE0nzrmsqguTI1KVyhE
pU6QT9H360KL8c3wHdL8WxxqL2lrT9cGSUN+x7o5E/FIFeKVL1cMUEBQexkX
VCDGpZKNL+cXgMUIW7bpR4pjM1ydOfmaVyKqeoz5MjhkvchBal3rbg6ojpVz
28cKGQskNxfF+L4coZgso+WFaZlReqFGorNDhSySSKOmUhctEJZFQH7ONydQ
Knp1Zf3pFvehkM342gGCo/zkpk+FqKWQvPSpjDxCs+nR/KpdaKM+b7FKchtw
2ygzIQ9Eeq7PBqQblVettCO0Zm8B0bjedh1oieprSni0dJxFz/cp0x4ZdmxD
iMxHyb7mHHBaLUjMJMfiqxaORXaLXtrffrUt/G16x4z0oChnrX+cp5MZnOGK
gfrqj0MC2HZeBp8A6DP9rHXc1bacDGE1prypmFyuBtjkj9KXuN6njJDv+R6y
CtLIKZkHrZu3V+MCWjWhr0bzumPU8OwW5oRuUl8cnWMxMhW6eWaUn09CR0p5
YRPxAWl8JHM3SQ0S0SFcItt14+Afd1Z0hWHhW7OiaKFNhgyr1GQ7eemvtvIO
LpZLlzw1YxjTkvOWbtJ81oKZt5A7AGOeFii6cXA29EPmkYtULhl3WHQ5ZxdU
6FJRJvNLFEcxt3ZHkEawCUM0pM9QPLVs9tCk3OypdWMHrRvRnPd2dlbcIWHf
O+xZGbgW0TdMiiuacwnQJIrVk5UAGjxykclmdHqXyiUmUSLK2rHzSvKy5AiS
+CcA4mzXExsmUSCjYsUkiOGONwUSIopPT8roLmNLkrzUAhlcNthYRAKCxIE4
nxCOk0bnr6l28o/xGbCFPSRzeIIW1yabDCVF7SJLr+8cZBfpEO5u/xotFdM/
//O/NTlLzYqtk4UPxBW6TMdNTdLh6HtKEqb9S6coD49ROmnXNszj9e6B2Wyc
ceEehCeDuYmKz3IqMmtYhqbbN1yPG4bIQaFGd4rL1vLBZJ0Mb0ncEqBdMgUo
OWiZonFg7/Dk44qB3hHfa5pcWzwGte8okX1zdNR68fKobdxRrjglJ8W48mkB
8+a0CrGdmHa1FBQZQMhaKLlKeCwwHGEPrsmrci5itRQvazzfe7kSjxs+K5sa
4ea8JQKyYgPHgrGYZ5Lclm3nmGbQNh17j8xMPuCl0mg6Qr5UcuIkjItdQGfp
MNtCUEtJo5qYS4MjGyI1HBEwf6M5V5ldCKHqk+/d11GA+BuJ6ZZ1YTAecgSa
ZIQ4XVzQB7mAjtjX08i/S27dKOEG9QCDKYBglT58aBd5II72ADWK4R3cmzak
Ki5wX5WpSTmiPBQMWZNwHtPBSDuAIaT0h+B9oTpGPqE7m2hrC7ZSoA8nA5rg
Uh/Z5WOnWLOcT0KXqyQkBCZNuuONCZOC0ZoOPfOQwUwl7DZENcRtC6RLhj0l
HiAetjBLguxmpXNA+QRoSW4iNjhW9CevdtXVBlIZJEtHJ67IqV8K0FVQRHAB
B+I0g4fH6WnGefgy3FJWXrxlkXfMi5DVl3vxy7EbDY1wgspphbEAO++hwkJo
sHXI2ePApSkKTCU07WHFj4iUKKlCqSHJCIGKiiEV14lGUenFaCzJIauQFYmT
MWHVURGB1zgLHONts7pO8LIov6FASQtB9tP6tFeNGWRR1Ykb4v16KGQ/oD6O
sy8V8NNQ4lU6u6BEXqwb6T4l1EVedJ90J6MVy6m3gkoiP03pDOUBb3RnaL0p
RiiZmCMgopoRqxl3wWqQtY5XQEKG9YJ3IQ/sseCUTlIBF6cTo5un/n0CGnTn
vczRLZNOMgZLk+NQ33A7OVLFebPT6bBNkhL3J60AZFFQh+mIEAa59k8VrOuG
jJcqm7dPM3WeslEOB3VZOPBxzguc0HnqtlBjXDjYSlek1fMVYZYk1WxbaBNP
h4r2eDVJJiCXAwtIV6SV/QOH+cBJA+7PekwEvLokbGmf6uvChI5ZdXhZjLJx
VQXM5bEWaxhwnfnaCZE6SDvTX1VH3DQzHpeJ8/+ODDCKg2SsjztQelaHzjTI
lmvCicGAGqAcKg96g9vGgkhWzkpGqb3Tu5JMnz6Pyz9GeZ64ppyPAIr026KV
TocXrWjqrUtcoRaiXaING+027MFd6w1gxopxQp4JjQ0TtYzeJGp1qx559NUo
5PCGqPUPHBDonFMxcXsEBDuEKtQSW3yIpIxSOqPMavum6MoIBT2XAvBOp9ac
4JkLhyJbMSLh4QZPRQc4vYviHKs3AF3RXibxIpCo6VGcpDsFLHpoFDb5G31Q
thWYhZXSgHjJ1Zfca6/7pJQPIQKW76QvByFeJw9RQHpTh3cyYCWc4HTQtq+A
WhwV4dn/NDtPpw4oSExSeFmQ3yj2CGxXo3UuEYzRcTf1I7jLCDEZzFHjS8Iy
G1gWC9SD/ZPvKvb1+SHjyCgksIIxh+Pmwn5enpG1o9VgVqd2N9avrtCRg2nc
Vcg6MzXloWETdh4EeMRwehguzA90odkx5RWwBtzU7oJoMMEtkK8oLQ/08Vwc
GVSj3dkKdUBBUvfpnS9F/kQgz5/gBJ8MV4dPmDPvZhNgBq3irHWEAs0Q6zKP
itJBj3F0bl0CBVWSuwTuyvl0wj5Hrr1S2nOxedG5MzFZcJ3OqR4n1koHtadQ
YBKT79MNPKC4TgxAHkqMSJkgvnON9hmF2igWQRg6gb59ZkdM/CmBat9Z8BRD
bHzoeSLNGgoT4YWkVA0FcQDv5joMxIJnhQcKFlO0R3JGayADgfy3/5BKHpzo
wTGaNysNDD6NRWDYP6xrsweShaA6V+KANrvrq8DB2WIjOA6ureFY4y5G2SVL
OjP0xqVDF/eVsnsaRNWUzqnKwh67SZGe04nFOqBcDZDSryIHOY7bcHPeE58b
OsRnMOBWD4uShnpsmI2IbhidnrapmnrjrBZ2dXS3SzZ5O5zu7PYCKE28Clfk
HynOloDiijPi6PksOB6BNJESxipc0ZTxtehwAOGMKNQHVnfcDPSoQPbgLSHc
b8LfQ85B9lQ6RMFqEWfiteQ9BYqFBVTzHMNFa5SNQc04zfhYUTATmy792ZT+
sTQ9RSxpDqfia2xHMQpcRgpD2M7St+Ys9wzynf91QBKV1gKQ455dXjGA9TSn
jAhbKEFyHaULVwzLxYbjhwsqe9ai8zKcJ0brz8nxdmZhwA0AtxhzkBvb/IBz
tv5ZNkXX6vmErOPsq8LYEsf24hGjZnEqwGnVMRO/DmWpGtEZvifFRGxAwoZy
DYh3/nUJV5bNlfAODlLBOBIOnNNAbes1p0FRdMuk4FvonqYcF2ziWvJzJUre
6sJy0ZcCMOURr+T0ibDo8joDNm6N7ldlNh8VC8ZC7k6KS6l77JIDoYzZoiCe
XGX0zp+O4cYpKGX5H+l+RY+zyIv3jkNyg6cZYqAQvXuwG5cfK1jcE1Qyrwu0
TRLi42UxvSMtG8nnNvmq3W13HSvnzH2jEAi2PsVYFOO5xgCSh0dMcjdT5hyE
0FbtaZ+KxORSDQDlokkefHSDsmAULHLv7H2q9Cmv8lQ9bSImO+UK1LzpFahW
peg7G5v99VDfwfAuDlc00KJsJYlPNQoF83OFc82nSYNHubJwmBr95IOjbJAk
w10EcOTGvq/h2wp7f0l+kLISpHQ6Ld6yo9LDWJbz0+uMrGuLhmaS+OHYpIGi
YbBjJFEgsfHkBmGuguGkIeccgePcYybciiLRWZz9BnV+ePI5/AtkEju/FfFv
RvGFLiRWznOYFiLJHXR1ztmuRxsVr4BLU7nJp1r3p9bJN8rwXtV4JusWnDnM
YGcIYl6Ce3tJdmxY3b1bDm93DcXAuqYZKdnILnT0nI/gF+KM/JFFZ2smyyHB
0CPLhN3kvCN6mNc21zeB2k3Ycjs5mAuUoW9CA8Jb5OKx6Ba60TVdsiqII+Xb
65zX7qrA+tvM41GE9Hj4+loph8edNzFy+CD11OzxRX5+0cJgT3zSb3gbZHUK
GsN0QdR1yVxzwTGacJznmj8Zn2EHvVbrSBNBJkCBJV2IXH1wUFoKsUkHIuVy
HX/QlFnBcRCXJ0/TL90l2wBZwXJh4AZNYopoEmfTc6xQgOhaZQtPYmvCuMli
MFQDukh8FAPHIebl/Byk+CjMvEfc3USa98nAlXsWyjI2yxwgJZ5yvbDobNlZ
gHymd8duhIUxvsnPmYpaoHhxKicvfMB0MbPhJdxX5yAfYzw3eRYdsUW5CPRL
Y3aDgW2jFSA5TAMv9aW0jF/fG/n390bYgMz0Eq6tKEu7vIBD1fouQxUbTn9J
99klrXR0YaMtGu41/FotesNhNubErTCjQmDKvGZIPqLannAtyRvtLgUMlXZs
0+cC739berR38SK+nozvIrWVQ8TCSm2VWOrFgGTUVaHNWhiOBc26R+5ttmq5
E3vdIiMA8sbgsMnB0i2e5ZdBtt4+vz0ia5DDxSCbhX+pWqGz9NH9YV6cTw3J
OFKfpS1C78pomjHiQfthT2k6dQVMCQUKiczDgahd91xQy0ecqaJwc8Yc006+
jRBx3JPIvtQ1HGSTHII+2DrOMQBrXADXaBwe7yiOj8VYpasW5ruzbVGSMUEG
h3qnmARjHqGNLpxm14WMyKIZaF0C6srH+JmnPRQEakTZmZN/Aw9fXPpFC3xU
auLBedkxwzr0Hb3IS8IvAza42ttADwy0+Xrn6EDvyjX8zBjOMMBH8OmjaMi0
jKMrBfnQo/rvfHf8dGfniCfuDZSfQgTSpMtklYpZfi3FJ2fcZ07N8FH+VFNF
RKoJ7MhUB8UVn7h1PuqUatdSYw+904ILBu7FvLy4FCP3kLHpF0FCPoVR40LD
wHFkvnigBvSSpC3BPHgdOa8rJmQgePWd9V4FA0cWmGn0vIrxXI7XPqdlj0YC
wN4gs+BloXh+KySEkxklJ2MnIn1gAaPp5Q0VvbmisG/rweuveQ+eFJSR7FW5
K7T/kU04i3DfRDIEMvs1PkwicUxWTfVVzshgIj6nBSVTnrwd3syeUK/w67B8
Ehrq4MsWv9Sil5DaseOgGFeK8Y/KBkgfBVk2dGWR8jZijwkFFvFxhdenfDzU
CpUqySbFqUZ/s3Z+5+UwTdNRP5rmNgYTZwbAk1LTkwNLdlgvpBIEYKVNE+jn
0EZJx6kANOOgbID5NIS34QhzWVZrXadAqiiMwBqFUdwTcrApUk3vzrORjMRW
4fClZB3jmhZh8tQjbxqTtMUcfrHTG4v4choC+nts2Y2mM9wEoGCFxpvTN5Pz
wkccaYJOkKdL2QEfiyEYXx31U1DEeRe+LjAMBiVxrpQrq5KLpZ5tgcB10GDn
Ko1TYpiNhqdEZDrBKCKbGHrW8Um+C33okrd1gymaC4YdFEISKFcfQZr69XFW
w5lGH2qpwDpTJvNSEpFcrTeaYKZ2OzupBp8naneBnXOFXSnShp/VorY4auuU
Ih0rjWmmos7JM38FZ8N0aFy9G9QMMaQythhxUhgyiZsiCMOoRaole524X33N
OgmJvBF8ZhXlvKEhykKhV1CVXoR37g90dpsPQ9MiYr4ghNvXJ9/bsC6RZEoJ
lV4QSMZ1LU1UjnB8vBTLpMEctGlvBeQ7s2F7xRVtqwDca/4E71fQJFOCgQI7
RZmR09UuPfh4MAresABDnjgvXXEaWB/YdkiF0rwDjvaosZGxcELmTDkSx3I3
7d0C7dF52vN1SZPG8d4e80tTFk4v7c11dH46aCUfdmhUNZdBUpr+PW5RTnIg
jRd6aifkmWK8RqYttFdkxrixaObeiWU6r6oqMbIJhg2zguPtGaHuonWmC0Ku
lc06OHzOsxFVmCT6eC7HVmOAT5I0xxAfqiVwLZhMVBsZ6ZE4DwYmmsVnOWuW
IjCZmBF9cQlpgO5iJSyaL1elLhgNJyVjbtAE2yVGmQtyjPvFanz+SFmEiwuy
UVKYG0eIM7z5ZXrLAMOc4eUTZXqrq0Ar7/78v//P70E4wiyeEw1suNGYIP1I
Q3ttmhiCn1Aezn35YgouW1fCQWy9LICKizGbuOQBg0caNto0ZSh7hqHaYocb
3bUOD88XUkW7JlwRd4LZ7iURtqIXpbkzLcCH5MAG5UTVmmkPHiWmVwqMU7wX
+wTvrUsy86UpT4Fxid0Hcz1mpDxJaHhk96SGW66MyUmPZCaGdyARRMrphiWp
LM554/gbdC3Cf/v034HBhA9c88AQW1KLVisdYFt+fVMqkHw+UfkFNs4+KGoj
I7CE5ZqLUFdwtqe25IEC+xXfgvMsRmhDFZ8k2jTuqdVhr+QAo3x856+2nd3d
FyIU+iLkC2z3D/RVP26X4D/BM68ZfaH9Geu4cwlOSgqr+i7TCYeuY+KdCF3n
VDOh7nlgFE3FzPAeFMLroKJsbPKTtGOUS7u9NSKpz7SeuyKqJy8wXhoEcU5S
g5Fk8k2LIqmxJigOQCqasq0WRQ8pw0uaq6a4CRgOhxiaj9m4uLy3qIzGazSA
kyjQoNGtLLO5goLRtxBmRhp6Bdf3Vu0M8CFBxtlKfvvbmQXc/P3vl5b+yf8k
aVpeny8tfdGyP+FflZ+6r79Y+kGWj39+QNhQOp64e5WfHxI3RP/Z0hdf2p/w
r8pP3dc4ik7Qza4khYtm8jLF9GqkKvRn/VBdHRzFT7EW3ceMIgUVIPk5R9Fr
9Xp+FG8mrl5a3Y7UfPYTjaIfbjxFJ9WN4eddi0Gr31tfW//rrgUOYaO1trra
X4VuDkRSxoSiv9woLANYereVfHaWn7dCVpfM8tk4+3JZM9KFvdB37WVghJ/M
RMyaHFI4m6cPYnAsSBygYWtEToVoGT6EVQTcARi2EOQPyRGonSMSS7aH9Yzq
g5fczKs3wM6Y6H5AHg2CFFq0c7gP6n8+tq9gR/3FFiJVmHuNk3Vaein97V5s
wQweutfI0FSM55fOT+xHh3Lat+hQaibb02nK1nlzRamG8K0mZ1HWwCw7z7yF
TnOjuAdCcEGbCcb1Tc4lIkPhbmKTrx3IVrBf9meJut9KWr3BEg1zK3n1dHvJ
jHPL8oz712NRHw933v9rdt77a3be/et13tGuu51m0upyHe4B/Ar/yEfhiB4o
4c1u+CbHeDSXmMEsfufnmZRbz75OCv/3yFnVFxL/m5hXr26zuvDr+sdtVlAd
/a80p37tXj1yUo8o+v5XmpbjpL1BlQTls3BaOxcp/H+v8/SgGN91+53Vx1Dg
4pd+nmmt1k5LduujplW3WX/pWa25cxXt1XpTPoooEOjn652XizYooLvo0Z+J
MfSXVMH5mTpw9NyH9Rj0ecY9+L0Pm8OfRWsEk3UT728MdLfp170j/EeXKHry
Z5pBSLqDVR7QqjmRg9XHkO7zPb/jBHr7iANJ73zkvB6j9XyQgmAVn4/WfT5I
/SHNcw1lezgCpAEF+BOHWub3Xq3kg+bY6lmVq07nYvypQDv6pB5Z7WIVO/kL
zDGkEad8CZrKMQKwGNWLjd4txGUp/3b1LjP4n0jr8gEP22GA4fNMwN98AMTi
J2Qgj9HWCBtpga6msawatFVT21XiNB6jz2HwwM2EvRdoSgm2+H1bFxOOABrZ
5XZo/ys3+Yg5tvhw//+Fm3gXBeWH7VAwhfVP4Mct9LSgLedvl52Y4X8qO9k7
PDzZeb2716Tf9l89e01cqhkac2q5hb4aMgzTEHn8yEXmgiap6chWxM8ZfvJ4
00/MKvwGEqfYE3y1UVblFv+fYxYfYxD9oDk+zCx+6h4rzOJnnuMC0cMVK9wO
vPIEFma4B/pZW1k6+hvmG4sn8ql8BLtpssvyMbyDfZt08BHyZ5Kdp4J49jPY
iPOywifSETtmSimTya6YD+YSX0T/VmlqAWXjcukx4rVY6OF92Lf7RfRvlV8s
4CEHkvHPzrEOd6ZQSR6ankdR50n8IRin/osBCRRaI/vkvtDog357o92tOawf
uZz22Dr/m9th53vTXS7J4/Yg//+7dLg9Qlz7OPb7cYLaRzvciLN9wyH9Bz6k
33DbSvj+Aq6rGPAMT0P8kYsaYvSuw9Zaru9wuY5PxzyayP01Fyo90tKumEnl
ay41sHlg0YI9gwRqxw5caGWLeBkDywgDkwSGOLNB5Coc8HfZaXJM+c6Nne+O
VyQip7/Zw6oiykPjNjFkf0Gb3x0nO2OKczzKZtDmztGKC7fPppfILHGUmsdA
+RLIdlOKRcUhnSAOKv31ZDg5e5IMsTkZ1/pgXVtgTdNt55nWl8tnGWU+IT6F
5N9d5rNZZsrIckI8nOPippZBfxGSXkyCjyJJx6I9d+YRk/kheTAeJzrlixj0
o449jgUJAfo8/mq3SwwWF/ql4NTA39vMcmNqkJ0hDux4tWfT0WDv3UDcieRR
rQg8vAKE0euIoAeklZe6Lg+2YjJ1gHISJOl2PO2HW8nLuCGsLdWu5VifTC94
sHiPetj3ZXoVjGW79nT9be0RHOlP3aPooZ9odetu+ICB6iVfmwpmr324W5D/
fIepfM+pLMubw317r1CSHxVsWXSjgNDEOR/uSWpjORtdFMNlzddcDrswVwlw
rRa9QVj5t1sJvYgf7jASFdLEFG6qbLqV7O8dP8OvwttXhbBGCffG7377u1A0
+93vf/d7fOeQAE0DBLqt5FUxyWgZXmKCMDG0MjSowsdkbHto/vQkqfRlsmzC
oZ/SfL4YnoIqXmZ/XCbCDB4Y5qNW/JAumxlWsGSfwZAXd2JmEwhguAz04YTU
INMALer8dOa/DFvkBRQhx2cVcigDfPf6ShIWar7bw2hdwWc1sbVbUs6Suq6v
LLJFWZUqJ6+7ygy6tUQ7lN9NeRICQBS3IcM4mFNqajYKYbEXUEzSCD5awRa2
bRVLrU3PI/K7v4VZH6e+oko2wlefTVPGhjH5XQvGue2zPyypLi0lyefJy/Q8
HwpcCZE7vYTfPENUHYyYn2Acdfjdy3SIIJflRXJGmGS4y2gH8k/B8lC9+OR/
SBC6fuzQVrnExCwdcuy+4nAGhwg3aZmVaBCmtgUzAgi2lMKbuk0TDtqGC2sr
wWjw16+YrlAxEvQYxCnnB3Q5qN1HdiIsYydgGUdfV89L9cz9FGem2uq/npt/
PTd/3+eGcRp32JrUekajD1VP+Yon9te5JuvG+Dht1aTRHO4dHSNOtUkZLEEu
LQ73VqwSfJ+adY/UVvl1kTHM8KG6nx88X/gh2d9NHpfuUKdJVX5dZBi7R9Dg
EbX84EDgX11oHnuAA8cNrT0qYv8TFrtOkGYybmFBSJWiq8QFC1+K/HyoCJ60
Y43p7MuV5EU+eZscY6rZLNmeCTIn68zB0Zk+eFwcPijxnuVhMc3akWT9oQP4
Gc8FbJ+E4diR0udBxA3b33Vu/KIxuC8Q4ckFERjz9icM3IAcUJAPcDFlham+
qSKSKJCoaTWoL50COwoaX24myXK9lW8ZUxSXH2FtXJZkvzLIM6NEabYnjxPE
287GMARBS1To6IzasUA746KgPOszrC7DVUYzqcmUcRoco5bxZPR9hiFBfHoE
3yn4Jd8ojmhCAAxY+Qn9BpgOO5uPcFdkLlOaS4ykTqjpYSmP0KbIqCBw/36O
er4DrZH6ToqSPzWiFiHj8bBxWhYNb3iRCTLrUAHkzhS+UdE7vadDD5KYNbVZ
j3hjK31kigWFSZth8Tmc6MTb2hj3QY+KK+zH1ckEWmnk5yCr5Su08bgElLW4
yieKB0PepJplyUKpkUeiYDykDCcIhYwt0rnFmcrlIIKWwOddZtlM8tYLMs1S
YvuZW0zeGMY4oCHI2CVT2I+mDbsZzc9Tg2LoK/3S5nFZbOhLwNBp0Qgj9Nrl
jDPoPedMkXxKVomwRqHmfLL91lPwTYZJ9SMHhozwcQLaqC2XruSqNIl7i2hS
jACjRTwV5ifCOLBFRg1KsWmdgak48VwT1hlEAFqmFbtm8N6YxYQStWItuRKH
WPkKT2f1IQOSPnJHnKhLoxECPinZ6H6BYeRwEd8JAo6x3bpG3VEhtCdTx9Ci
4SMij9blzoIlSU+La2LsrRalZ1NC7hstKSaZiriqx4JBzoCQdNW++0yByTVP
N1VIwRAlkKCrplQRYKJtVkBHQshzLReE8Vv8hmBacXPacZh2XPrBBUAINFrE
CeOumf9rT4Vodsyr87PkrpgL4gbSffgubcTEgUlOeIWvM+UqfOei+HQniJsE
/qP+GkbQkeJDgrgvtazxaxmfUxZ3ZGnefVaUeE+3hrPblseu01XXW0tT6N2i
4/SlohDjG/iNMN3FO4FwhoSUV84JJhBFCoGWwoEq6LMF7d5hdHgqMcig89JN
ZSqWSfod8TEA7GvyHteeQ70UJCG6p3BvwyReqvhjEmoZ7PDU14M+vTN1ZWkC
Jy5f2pWOU6+Rpjq+f7+FccSfmwKuYZJ1KTUDq5tYHV7NlzDSpisCPqcD2aFn
uyGEU9uPYhgvJNLwxZMnSaNzO+isSM0w8kPFDm1p5Ssq/oqop82E6eoETlkE
iGHKSjcUEGNFWbwFf6JitNuPwsVwOFQR+vo24gydVkdVwvLosBAEhG+UjbpK
YT5qlLB9zqcZYXoguP5pqni0gqNRnTMhazCHlRHIO4QHha9MlywIh3m0Zqzt
xbHvsP4hXXwZkWIj6TRxN+t2ZsW+zknj1de74et2CVcWx7QzaUVb6Y5Q7ZY/
DgplwZZrjwjzsqhHBLdxRUzjIXwAGssiqgvBKM8sPMsn9NbkOdVgvURzlRth
Act3KzSVavflRX4FKzO7wfICtqRMPrG3tLvVIjiVYd5iilBPtuuXDs3+rpwi
mApxcvjAcFBBnXSAUNzLgtprOyeHgkO3X7/0hHIdBTah/ikjBI2+hSC/Uqfj
UTacGqtBve3hi6VqPv0P1cVwHwUrUmerqTHF1Bt0sGdeBs+53FhwzWJ/Ja5f
xSH5sXPmnj2X/KHai+358KfquTbGqX6z1YrzRvWQBfTlCL69DFcnlZhpUWm1
L5cRSzybor2nKpAwOWsdHCOGkARMZb7VBGGk1PhcNqmUPPNvlVAMMjfLKIhI
L6rohLSS6mgCFD7py8EEcsUHL61YIpSr6cqB6LEv3MNnWrHfIS1DI6ut2RxY
HUudKsxPPeajFeuHRXp1v3ApHIBxyEx5omRBdSIuU9ejwny+qBJ9JZqMYHxx
ITI/HVLPhlQKmMMbpdAlXMkodWHFHdeAVKYkTR4x1HOGX0JLuQLiItZu6QGS
5gacmMscaZ0arRN1Jn4NXlAqgatloFQJuKfIFekgeODGd06X8HPzurFiRboF
wBpvBJHsa2SxghSOR66XJlkisbSSVv4q89lc1FDSdnA3OH5MQWCx2LtYqQy0
oitxTSDUcwOH6LmWFDpgY5YtDlVMbd0pUIrx7pgUggJL2HtTvUKW4U+EAnN7
gZvnI834Sw/0l6G5a2ZeRyy6aZnVvy5fEu6olXZvSLWeX7oBVUbgDHYJEE1W
aikvX5LT1IgkLwmCq5nKx1Jl09RSJPZBPCHZHgLLG0mNFbJwBhaDZm3BLySC
g9dHx2o3cKjtb6Z56yCdXWwly0/bPqjjqVidZSlMXMj7FT4FvXZnkDTYkzRa
USDrjAr/BmIP0gCbXamwF97YWEvWn0kUDnLg49docVLSmztEMzF3j3I0mBVo
SJcyY4i85Zii9TnaUmX3W9S1X4JCRXJ7UkbWai0DxnYWVxfK2V8Y4Y7gJ4MC
S77muBDTDEeLS+OL9Hn7g8iCdbRUI4a5Egt098kVSJMiCtmfMFszlZbotggK
/aauE4e9xnjMpkabfwZBG3MpJ8RWIW6YSl8HUpm7AJrenEKvyJGT1p1YCC1f
scPT48qhwgljxoKif3LA9mxyqgPOZdhSM1HU8lSs1vUH0VVXKFEjE9VnPi2w
2yJYf+UWdeyBK9DlkxGDGHJCQwRqN7mHM/jagw+vAcH2icL6b7As1r9B/fxs
FRjSnoDXEqukCh5wDaOWw9Rccwd6wUDu8+OdA9bzpX8xywTleR3hEfmbEWOt
1CEb1xh8m80fNsAA1ojnNSE4brzwdbRuVK5agl+DoALz1FuCYVVpVXhz5iWj
zKM3hYvVtUXTsaVG4vmoQVEO0mk5m1JxEpAn3Ny4NM6xeluU3uF08DxIrRvC
xTgOLVhsZ8yupIw1POkOAFeeizCEg/oaeEFr46fF6M44VvCjEN3aYY07ViNW
tZpK5AuLWzvg1iy2fqrFmav7eX2tdovoRppEK4EH0Hv+73EoC19lcS9sw/dG
6PH1R/+ejqoOZ8cKwggGQlEvPkAgq9bGRGsRX4Cuwi+Du9srV4vNDdqdbtJ4
M1GUU7w9TSAsLoQpIGlqagrjMjU1vTT1SRU19888j4oFQy5j0ayjE0G+11cc
QKdbna8QK7r1HUJoOru/L/HBwvzm6ibtgIDD2dKFvg7AaWY5Bou4LG6E1xSJ
FGdsKxfJhVokEa62B9ss7Q8NnAp0C0PV8hTp3bhIkVt5eGEKyPcVB5zqg/IH
axmEOXwK7Ptqii6vMy3MJtdgS+jHVbZ3Zmm5JuUQlPfcfs5+dHpn70CsbMGQ
/aai6X03ywoXQ7pz5Gpg5lHmKdsyNOnAwcJKoUxBcJaLETtHgFuVCmlJ4bQN
LzQxhTsJpIJ4OcTHLfGv2PczuVIlDj55hgLSu89U0CfZZ6Eg5ehSFjePD5Fe
+/Zoy0PO5qGHEBsUEb60go3K7r5aK3tfFW+9dL1oB/ELcdlrYrH3zMuwI85/
0GIYKuwZt7Ofa4PHu0LFlbzH03NdNN/c05I3AjV4ItwSWRxDx06XJFgjNcpR
YtTkgEM617uXQf1KPSm9MO8uv2ad8GRORyA1KXFKeehYbqsZey8JTI9hZVWd
lhu1l7MtQVQmLWoJHYymERYvCY1fnaaOw3EGd6BtubdEna15oVoDMDCYIbNq
kYHmfc20+x807Yc266Ftr93DRdVJDmm4+7H3cOCNGFzpV4tCxfVwtf7AT7Bz
1VXHw52Oi3PWlDDwROmIJLNFY3Knw95qpoKxGXHU/uOb6XEpZQVjp01wFcsW
6XD3aTI1icVIT93Y2v5PVcu76Ozww3bMpSDB5gf40xuCf/WDJCZuMc00EPjh
y06701uR1+hjguG915QRdRJF+G09IDvGbx8wUWxRseJmzPGqE/rhl96c7SZE
h1rOtLxCHz00vEcOLWJlf8+rTNWIIh71t7jIg3hQi3yl6sWgI+OStP3hXHTq
MI0L3l3osThedFpdvIVY3Lh0kXJc76pwNnfKsJsVM6mDdAMyG1ZSbc2m+VWp
qtQDligntx2KISWS29TC6uS2OoPLIrnN1LhaLLc5gWeh3LZIDFsoty0S9O6T
2+rm9SFym5G2Hpbb9h8pAVbktuPCFdyrEY+advYYUck+GooRCaS4h6W2e6XE
T7mUHxadPlnI+4tKO/ufLJz9HcukP7WQ9xfeuZ9H4vuglj5J6KvlxfVCX+/v
ROj7m5ARaqTDvydBbD8WxGoEy7/+Ilekw8cIYr0FgljdSXhIECPRhyDYTDEp
Gx2xgPVJSSe2pEZvNettmMwmSm7YW9x8ifBajs+NuMfVzzmjyob4KrNqqtyK
DYfPE0OvuBsWFLgjw2DUHweah/eDhAQM2p1O0vgqHVEGDjDeFcvrhYtzc1Iq
dDRXQ3A6luJ8ATms0IWxSu1SHixmjUoMDe1R0INcmXU9oG0Z00jIPSDRutzT
24xiM4B6yXEppUqjNDLNbQiX0m8Ue13v8ZYsdGBgvP1OQQ4bWLXABYaBOJdw
ccWhOOyTRwM1t8P1hqWNyI0WRFDuSYX71g5WuG8dYCRIa1a0Xg9n2ax1xKhX
MHM8NL4juvE13qnX7rf7HO90tLfzNU1hO3LP6bMDE7291tnEYss4ils4LxQH
gf4OuWJlYMlwTiE+rvYvA/xgZCV5Ku3krn1kJ97eU81OwTAZPPZJOUwxbAbL
iuY+qMFEZKYYY9qiktPzCefYUi1qvXXhUSorTyKDri9H0mtYgXMDxpNiCcPW
sLc9kxhjCz6y818Mowu20voPadYOZM/USk4aX598T8rF1ye/WfF0V1IoMbqi
3jhXz6TQMoEoaOmGsrYgCQOMkVkgfSgqGkxOAoqHWT5uJA0QcnrJH1eSp8lG
sqILQ9/drqg250qnKlIe+h+oWBsFVN9qWW4egmTKEPnl6g2GQ/SymXzfTG6v
WHv6p7srPqvlLLsq7yVSSdi5GqdD8rdQsnm3LbQ+E79fNh4BJVIOB3QiMlsw
9+8fmD0/beqPopSppwm08BnG0gSStB3yanSu8JpNXvNGvEy+TL5nK0GmacVa
w5WTsij0D9frztVR1jqE0NZOPU35EoFsO1A3kktlgWd87XNHTggQVnhiWkCw
FM2BOZQuw+QUjuZZPuNQo7C0oR+K+g41lVD8dTxNmVr9vBvehwB/yVYCQz/K
L3NgBVgKO5XChNeZBMJgXUdZyDt7hhHNi+MXFh7IGd4jFIRJsXelKSS5DDPF
lonsxZ27rG5oOSJBLV9a/tINSVfa0QKbhzSyQBy47OKl02IK1OtlMMvFjUz8
a/tgP0w11EqfCyaHaS3hg3RI5uNxcExR6BOVjzWUKVegj9dSsy4lgQrbYq4I
p1jvzz9l00KtXC6WY9H4/I3DAbxDwvKVEBmWCFxoqlb9FQUSRy/UY0Ysd+np
nY2qyWdeYZSC0pRQ07nt9JIGC154NOnv3/3wux+S71fashwgC04evyJp+ACe
HfafA0WhkEZgco4ALNsYBJwOodU1C28nun7x2N259IU/zokrFsWsVJ+7b8O8
tVLdk2BitJyyejAvWY6BLAf/8xuMifYJF4wayJc9FRzh+V4EgdmNefWmyifB
yJDyrqC/3i+BSH8F7fzyKf6S/Pl//T/1s95APvtCPulu9qJPNu1rXWgyhSZb
ffjlFH4ZdDurG/21/npvtbva6w563d5mv7cG/13f6HQG6721jUFns9sdDODJ
7urmJj65urQ62Oivwoj63UGnvzlYWx904JXu0tLXlMmdeuX+lg7QLXTV7a6u
b/Y6G5vdjX5/c63f6XU2V1cHaxud9e7qAFpYXd0YDPqDztr65mq3s7G22u/3
15b6mxub6521zfX19d76xsb65ub62hr0vbR0w+fCkVBy56QPv/vJDXTduKWl
6LulSU0N5Vv4+3SFHmg0ruCP7srTwYo82rgsRskVbcUdNLTRH/Q31ruwNOsd
WOqNztpGD35f3VgbwLTWemudzmpvoztY7fZgrdZgVVbXVwdL3bW1fm+119uE
SW7Cwx2skLi6FgZtECaA3BLnMP4UhAn5snHbTO5I3AjztCPREk4A8zDDL1Mb
lqsHa7W91rZixEELZtRaXduG5ZDjIBXDOcwJY8bpwmKShRF1aAH/t//EC/hL
oFNXs/yOSVMWkB77j/TYQ3ugi93WLF2Mr//q9WGT8MpZLCIsOae4vvsMv4fP
8WNVJByDQOhKha3BFOJsfOWvZVSAcaXPUrg981QMgxSFwskOm4NNFBcJKl3T
Hzr0CQ6B4586qw7UkxKg6FPY300tvusiA6kZGa/4Q0A8G2IM0leEo6RgpZGW
1MAXVuyQpGYz4lwLW+JwFLkquXw46a2UUU6V1rmkuFrmMB1c0ifnOSbDC1H9
+uj1K24YA/THFCxOkEQjxABFQmCl04lojADFr3ActNRhBlmQdLO1gRERSS3X
ovJq7pQmaDTablOWDamOy6OP8vR8UlBhZccsPeJBOiL1CWeajUSXgsFezC/T
SekUXlprggff9ZL3CxBM5rgoDdygFbvRNnUDtSh0a9/SrZAw3AcBCOOSu7gg
H6oIQ/EiCcZ8Uz3ooHmani4vLkXNJFG0xaWgFUYY1jD0FIZE+bn8F+k5JiG2
dMHqGITYYsG+xXKJ28JyiGqWiyPHyLELTC+9QDiDUhJRYJc8grcie1NPijNr
83JAYpEsg8v0D6jNQe9CbyJsobJ/TbodIzAh6oGbIRnsLZmIUlViqi6opphI
jKqfCRXDWu923g0MoJV8gKAkSmPGX3j6ciNKsVxTiaAvv0/iAV2moIG9e09g
H2k+rQyYzpjUbS8dri5mAwUPgqiO+oLcjLyVjHyiwLnHzn0S5E6QnjHLgbyY
lpCXINRb6YKP6w5ISl/zkf3lL5P93ZOdw71d9Fj/A6Krn/SSX/1K3I+XWaqY
aPyNQQ7wjN21wMmY9KDP8iH0lnw2nxk3RD5VVJPTDAgE5o5/SkrSPsmX+Zlp
98vkXTJItijj+73pBYcjkMMkTi6aDjQAX9k2fvWrpgTi86EhubNzO+in3c5g
0KE0HiIEwmIx8C3FEK5URrMq7y5P4XQv/+7z5WYyzglnRNY16X2eEFXiCtLl
eENn8hInSzuj1Csiond0RFtMyVe0REIeqiR5xo+PGA5CY3c4HeHNhohLCjIh
ifI2ChY/uRqnd+fkO4dGd06L6cvsEe6SZNdTmvvZE34U/FBdpdrEycf9LAX1
xfUHZO/qx/OJXICy2EuIkl7zaneju/Hgq62adzu3/fXKh3F9hCUu+lF9tdpr
9VWM16m+elZtz/K9JSLy6muDTuVDwx/xrW5vOHoSv9XDTxe/VfMSvjXod0Fh
6K8N6t9axreW47fWqm8ZRr3kjjB2+N69RWe2G4wRWPMSnvku1QekVQQ2wCPr
d7qdXrCEwch+a1/6vfaxUX2LroalpGGfX9HnK08n7ipYsi+Yyd/3yqccmAd9
SWivd7dP6FOiO23uZW4ntN6Xh4wCLt5FXqAqUcSFj2KjPjK9fCwmIF99SN7h
LE3ufKoAbFFyPL60xDW9gcv/Vhgv7NtT/HdpCaRAVPSWEmhpdMKVQ7aIN8NH
/0AfsuizlaB00FwCnQ6vjS5qpp/j90t8iwR/9sM/B/7PJR8hwt2+3Dv+5vWu
7/Pozf7x3tHJPnzCw8YP0XytA+D0dP4LZgF8p93u9Xm4NDIao48G4W6+PvnN
yc7+wTd7h8d73x/Dx2Y+PhSDnzXP9eueG1SfG9jn2CHEz7jCUm6CrqTUFhpW
6QUUA+V5/DXeBkV38Ssg1uYtkuqwCUu3ruYE0BTrd4+u6mD1sypckxb9gTcl
SSlh0DoU6V0qXFwxj8QHFvYy35/gKJF4T4P1OtWv4U/BXQJhb5ReKaoi2rnk
sneAVgaDKKfEbgd8yIBgpWaKcIiTHlUBnmet9ETWoeN15RNcpq7ArbnKGj6Z
STslKw35g+odLygVYSrT3g6FJb1+TvEY/gyQ+OJIlcDmSudYdPD4HtYHxddR
8uT2CYs5DiS4zU2tG+ca7GL//XuXgUJwJEhGpR1BPxjBwI4gZVwqNxqxdE4d
7oDsJi41yuq8VvGCshCZ1zsDy2S13Wutqj3FkV47GjJlRKrfjPznZBUcpzkf
DJxDWpbFME91OC7leGKpDp2H9PBE9TFNSb2mbGTuOGpK/F0wpxOnwepCicdF
QhApsRLDI1iVzaREFabZzik/VRps6DcnaTpakQPAtDvXQMZ8Ithc+AeB67CV
pNtdE1+Y7loOGh5wDwokG6j4e9l3ku/lAI0tFjlqJayvlSAAlGAP4Qo9h9ae
n+T8+asCZflX8NH+t/rZgVv5g3Ak/PW2Xz8yHGzDy7/7bbKsVLEscETH38DY
ERv0c+JKzEcsdfY47ZJKZDIEVo+PaEDB8TPd5iPImMTXaZVy6dw/SLYDINuB
2tgjsnUssUq1Kc4zJCLNE5RQjuankZIzXVwRHJwdjJI+Qf7lQXYfWUUpIpVG
wuwreJOBkewCWXbILglVCISi8Af23G1sd9nMrZnYYTddIMvv+VW2qix4mu8f
eYFSesMgxMuep3zGXcFycxnlSsbVNEitlUC/u+T79mpnkwAr8F9MHGU9E/Xw
Oy9hBciz6nvY7K91XL8mjrrMRH5kXa+FrSKAHPoRMBiHUKRYwnI+pSe3q7Mn
OI4nQ/zFjzY8xXpyVaW/JTtAH0UR2qkd6OobbP49Zw7i9/vY7GGz9s3jr3b7
D7/7Cxx6MeXRY+UPO+y5Dnv+wcNeRWlmmn/AYAeL3mhL1JV/w3u0xfCG45Ws
b2B7RAAI9pjP1IsKx+SOkd4UwiJXJFMFS6GQJ0KVGymuYsrhKT5y1N/cT97m
oyfsFQ0mgrOAr+Cv92pO5D/p48rU6CAqHj3ami7lBlPGD+/ijIjwvZvE90mu
H1kFNSdWjkVTgDDYF/UugZ1twn9mCbsBeWQ4TBVNCajC9UFwe2gdckeL2Ixb
aCQeovkIcC21hw7d3xTGNalJGE7d7kqIBrshaivmDFeHOOrbVWqwGR7dB4+q
Nx+ZI+6n4kU8LIlE4uPOUd2gPRZE3SBLixnM4GxxTTjOwIgLYGtdnG+JrStk
yrvPUAhveX/We03JFgij0uXFR9L6VNoj5AdqTAmLWgTybuUjlCdIPp84JGyO
FZxkKBejZ0JhmlNf1+E6GOJpdldMosC+APvgO7qCw5eIlgnQgIMcGJFCHTHw
17i4Q1tejJJEBvopVnhjF41P2pUYFELUzckiPp8xgA8aCCmSK3e4NuLIkDTy
DJcRdj8cIsY0ekKX2D6M2+GZMtQQi3jZLe443igkwkgmfZk0/CkgEycjCyBq
9tQhe80Za/4inxLGNKILwdha5HxBrxH5g7LZsL1CR1kKYKriNyKE9VNGuYn1
NUPbBGpBPZpPKV4GI5TVbRzMg5c5nQyxZAWoldvBRdp0Qzdakgy0wgxMxJ/l
C3hBw1kjMKoMwc4otam6IsBNEV88jBsMFglFC4dYQQe3YOyg8VlLxBnT8VPt
VbG5GEGc5qsBuWbEVX8wryQ5DTTlgfiimHCOqSWMvCOwiXnpkGdnxdlcsYBm
1j50k6m7jWOqMmOVoqCXgDZJPi2ziGAVaVYCWDU+qAbVlY4Gz99ZzTl0UfFO
HOzHOD+dplTrCq0R3wofEnkzYmE7/ri8++zaPdoihuPpTty/C6mVhiY3W8UZ
Nqu++RbVf94SKw8ih3Hw2aeZk5cD6uR7fCISI3H9WGRshhJ0iZdEPiQJngQH
pBFGV18e5ef5LB07UZnLp0RFkq1VYXFT8Os2SiS4Nct8bfV765vv37MDZEAO
kIcHz5EQEjXouR6rDCBVJIwFje/iX1+Rl4oc1eYWZCXhz//876CBP//zv6eP
4a/J6Rn+xYX6BKCcQ/HUG1RyBPRnyT5H7SGu07vPcveHUoJFJcOjMwI9YJQR
P9CQqABppuAI05GHR5qIqi3RDirbOSUzBNojWuGLLnVuKB9ayCc6TUTZ9OMl
iCnE3KJUu7w8zbn7AIDGNxPKmRyOMRzPBTQpBelqx2txs4tpMT+/kKxBdqi3
k5cFqSiIM676o3GeOpj4PGQnsOwHcg/6chZ+/UpvhCOe4YgQJxyElMdz4VMW
rq6Xo31DdN1yD7ZbQTKrXfFUojSmUk6Jgqcr6x/C+oZsN9XSAdolx/ykCqzD
26MoO8hk7humWB3FgGBYjuh3wSkD4hd13dPZVCEyGTJNihbwLsqdRKqXeWVn
W4OW4ebCcFadkRssXkQ4Xomh5UEHs6wZcKkQR6Yrz4WIi3zHQYoH/CmaKvcn
Z9PUWzgaB8/3V1yQemUFItLXuPA5G2T4/p5P8j/OuUabqmIwweKSoPbpwzR5
JZPYJmx64RukgDVebe9zvgjeTbdy0N9wm/a5vTf4XHTY7EF8Utqht9lq5UKI
b2Qlnu+HswV++MAsfck0hc9xNUKIRzZKDNsQkLcn8NaTpCHvrvhNkI6Rv1Hn
kuhCbPgeeWalOjR3Gl1okrGHOi2mepmGh50ksCqetj+U9TK1pKmSV433SJeJ
Aze4CAaTcSBBSrisslZn1uFJWSmM95fisBAr0IhskRnZ9qyDWyh9bCWk+5KW
LlEZIirdL0/i46gwekvggtV1KosZVaCaidaf7KUUtSG3B0HrOXkGUwq5FeWl
1Z6eysIvWAk6S8JiZe2qbZQPNFI6CyvfppY3XV7Cu45hMprb4suTwrvvSorx
qomgTye+aLqVoDTaTgvZ4MKMs9G5i2NRAypJiUf7X7/cxoBP/Pf9e1hdQW3j
y7gSku1cFMtKhMvqhtKKFtzk6Z17jS8CbM69DfxvfA/JuTUMEpMXGjGVsTH3
WZbtkFJ98tf2eIalwpel3I+Tg+x9aai20uIysyzYtAao72NWLHiqVykiZNNt
dFYM55gzGEkLUs8HTxviqw1zSbeiOACPtVaHZa3qey2rMnfWCjtHA/Uak26l
mA0Kkduiub77DNeuhdi2msX5yRed1Y2lSn0wlG2n6YPevBJcN3ysWa/l40wF
kVLSGDMQARZoy3Rc/4Ddku3JPiZetmAEBOUrzAiV5UJrL1nWo5lsVie/mZSx
Bqx0Y2fxGvdfdDxnBGhFYxadtGD9eZhdcbbSo2/bLF4qLYQULFmdxcBeBmW4
XWG1pIwkWLpesE9eygdaBGakAgy6S2bFVCV6e0HI8aLP4YxJdKPXJVUvX6gG
1ymvdYfBBaaW5RyB8O5TB4ODDjrcPr2DahwxioWaH7TtdD2JSY50PV650EYj
icNpuAGS4BgSWDphpkAkxXekbIJZEVrLGjpnKIlokxcurKfA2ICC2JmjbKFs
ZEYiGTX3GDkQ3HwqsZUmk8sLVtY8VzlhOjX1gFSkwgflwXpG9WiJj7Qrvpbo
vpjRlUxDqB8mF+G8LuTToxlQeclYQvJZnbaf3rmEQHcohUkF5kuBvsXG3nrw
aDRetdBFjOISxRaj7wbH61BQKWmcxEXyAbXGBKkdGEHPrGjr48Cd5US5pKFD
uvKuNGlCTQ/Ta/SISBUXP2/OHAHW8tWc7dliam/aJsf5GUU4E+nH75JIMc0k
dJaSKqd3ePBKcrRLkeNpYX1gVGdiDr2aTbE3rqyP9WwA/e+JfzY27ZH7v7G3
veuSjrN01NKCcAoqlTB6ruqdo+S1Oh+wmhzaPl0BAqrh6OyvIsRFlHl65+0/
uMYeIwk9aA56qUbYpExXnyp6i1ePoty3E+9N48Fo95dz8iNGo4DNvp6PcccI
t7tQBKpiQjKFk19Frp9yoPd8UqZnmTHZj3Gq7eQbkI+B0hWT4aoAPUjaRZFz
auuUyOkNigQpLNh8QqgiYgpr3WWzljJMVRmicHuHYSv+i4W8TfQ5d+XYSlvo
tZGBwjjPs3bQpmLWGLP5KQVYc7K1N/c81GLFgJ40jl8/exPkKsY8Q32gcfki
xbjVgpAimepg4N6CliPcNZCXbhG+XBAK2IOU7BfHxjUlHijmkS5X5rwoRt4b
BYryCEUUSVcb31nio6cy05czvRGrEgPSTY5WBEylz4YXk2JcnLsc7pKd22i+
IrECz/xUqnVO/Xe4uJPhnc0qC445gl2bU/7us+Bom7oFhA88mg+ZP/oinEHa
D0fUCxod38QUso375L2CPhLEL1ZQK0LdExgfPk1nmuDLm4vmFeVbyBzU1+na
TINpjRzziuL/Sk052d41Ka5RGMr2LqMmBNG8Ild7ayzMWZ35aq4VbH1sPHA2
yQmm4qugH1Ek5pDyoCeEVRLkRZBhKIKtsGIp2lHo1AdTbprqu1wPk+JpNWQu
XB40Cp5hDnYDBL3rAjQxkgjhejrTjK3+2hoKNNMMJFfxuFOwsMUbBGEkRX7c
GqdvMxKH/iQuim2R7cwUptklngOEJCtnlSH75mXAe8w3tv3jgs0Hu3rctN5/
oJWylSH6SnW4fR6NrJ8ZjVWAsgnco+x6FjOE0e0yF3UrEDggiB0dNnmVepsb
tErW9EjdejhAEtFHi/yhDZbcOTywt8HJlvzJg9ENK2xD97FNdBWh9bysrMOA
ikovPio+p0mLJqPLaOID2uD8CZiJxzmk7wTMA0lehM16Z2TdmUd8B0PXMTlX
6WXBrokL+jiICqACGGStlBHQkedSyI2UfGBx0QaW37ESzVytmlTyB73OVw61
QeICKs0GRz6o5xAWWzXcyEvcMy1yIYwmclo2F8V6WPmO8rSAO+C06RIM5Urz
aDOOyTFrg7NQxzQHskp2YxAcoAgVssNWcncm8HrfrY0TOY62hWYQBAeVK+rk
FimLbvX0GtitCmcVVzc/GCxz6WQb5l+GYVfjV3jf0/IOA3cc3jvJJcpBCKIC
vRfCPB3/esT4hqkCjEYibmimsJ6yqubvZWGZLr+pcrOzOVRqQDnx2qy7rXkR
ScK25jSao636xtXXFlFmrGiHxj3s3VAC4tl4J9hCfmF7x3pnpvSKbqPtVvQE
yj10GxleBbKRTvtztWrgDjg6tKUnODdGkXhAHTOVHiq7wWMivBxXcxmtZypg
hzH8eNwEQwW1A4WBrFiz9SMPpSsWpkVrNc18xWiXsu3KwQvfkYNlKnzcR74R
W7p3q7TyF0nfjDHkq66Wkq3r2aQrJxqoVWIxZe+gQwytqwvbKKztXZOR5GJY
NLb63A+DuUUhU/4pTg2ZMu4QJj8/RiA6vshqLgG6M2fZZdJw+VtNm7e14guJ
1CywtRUGke7WR8SPeguHTxTLbdiis66kkxREKQoS9L42shNparTPKnOFBl3y
EEpuooAZxwalVNUXo1MkIoF0q5+pBPbYbGVYOfWgMJmXWLkZMwu0IV1bGgnq
Y47d6VxRyGf8HK2NRV4I1MVqByFaoqu+ZoI+fWfBphTDOYdZBUKTEoF7VCUu
fCCfouoEk0gnGXRDBgS0XaJ4R4JayJCYIRYzLgTmQu4xxNv15bnUgksy5J/h
VYlkxKGQNERZCsMq6LojVw6DU8x8vDYsFEHU+OUkVgfcbBhjkqmIyMWdeGPJ
zcQQMZQTxLvGMmkLP3K5RiKPSWkvPVS4NFw3KzxDRjB0wTQq3bZ9fdhINSWD
nMmV91tO4UtaXZS0ZBdIa2aeju9Aa5MwYLMPB9PiDJ1tinP67jPsuAUtO5RI
1cu9DgpCP5xMNQpaTOHwiF1x487VzF+xXM5VbYFS9Eg5u1jQxPfi13dBWRgD
exUaWbaWlrptX1cKARqodFO1aDUhSisetVS/zG6vgqpJFjq+8aW/WlfQbvQU
xtZFhNwmWqUjTE+2ubeXem3NTP0y6SaNfSalIKSvmRzKp6haDJPdb8TH2G9r
MABnju3v7e0lG51eu7t9CJJpdr2/67BIOPI0dtVqTHnnMTpcm3JmPofRpEMx
8GgsgjeYIS8eiXlVBJGuvqiB+/uYkDAgCAiBy6GkBV5r5tfE/wkjXuARXGJ4
e2nQ1siH3IXTyjww77G6lTZsgXM88ChSw5fpFUk+JjITduHt7G6lmbTgt+H0
WoBKWr2kYXE2V9phugiN5t3xV7uY8gtjggOfJHugcxSIFo6FaLcS+lY0z/oc
Ap49TOfJ2+GwfOIwDytB+kur7eQ+JZlSyjj/wOTRMiHU1AVdIAysQSdv9ltr
DkJdQ7EXRhGS58nZLqLVhzVbRxOjnmOXD7pV4flUO8wkqTkjHjnTDpGj7zOH
elHAUT94sb3/SjKu3302TqfnWcvlbZ70gD19xSc2hPU0KZvwl22EaPH53m+O
jg/3tl+irYct4lQ2km8UTo4u4zcJ4fF2COfbySOMoqmM6+T57jPnpri9gnUn
1e3MXHCUreWkT+z36JttoEBUXgjKqrVHL3pke76HaHS8Q5K6XZhmsWMdDIy/
t7pqIL6wyxN+SU1L5iOl2rBVP7GFQxcAHcnMMRJwJJvTetMkV9fI01PTWLNm
CPSEx4vt94hX+LIbl+ktyCiX5i27V/BGuAp9zOPf6K51uBnyb+KVF73k7gER
LFCmIKs4SUbAijeSt185h6qL+3XuvyaXx2MpDEFgL9iIfgV3ZcbWCI+jXRbj
OZGow96lGCUPSycGMbSiJQXvLcWDETWomXYb1LWZuFAYLoJN4Xnpk8oCDUWC
Mkc+qRGX2oMV71drhsqxfo7RRWgSu84o5krrvpIfUYdUuqhgSdprL6z5bpaA
yRzHX3pPWjAwxJqKZCAnaOcTNTDRqbUHCf/nYF8EFAnNkw4mgdV+J/wGFEHr
MKNED43mLpODRr5iEHtBhEBArYIgKu85euINFM8bn5txSoViQPk4aODvK7IO
eHN1kl9qFx7y72WIzrFkB/slNNJZQQz8Rhf/abfb9Ac1HAI8MBv43Q/uTifz
C/4yUbLCm1TympmSpGZ3ymUbcRcMF3XSMyrZMmq6noxIaniyKoj4NGK8pWWY
VIdmr9Zled5Do+eQ0l3t+AMcji+DHfse7n4zrnDauzwF7Bo16Nk0Sy+h76h1
O60vQfJ4yauKv8C6uoXFvxctbdggPgkk86Vn1o3k4PD5SQ/YYyunNHa4hnjV
GkhdK0nUqHfe5WfuQT/rFUshfJcQKYRLo5wzvClrZzssMHxupBHcXNmDKxS8
HZ2JNcEkt5exXlkxEFLAVSlpE6YM3nFgfGSMDW+t0dBGUn0vKLoBi5MHbWgm
IbBowjvOI6mBQooMwXANlBoNhY0Bwp0x1HjmUeok84PNuQQVEFk7jIrE0ovs
dXb35gpD1UB4AZKb0+/vJSSVzdtanosg24cSlMRQ0hFUCaEhXlBEams6n0xc
tYHITegZbGA0UUZaGZrNRfTyBK4bUilcPBoNVHkRg7ARmbopBaLkeflCo1lJ
RVlGZrjsBIyxa9zgCHD7wrjdcNFCNx7PuZSx09C8NnhVZvNRwQUoSBW/0AwI
7WGYkpqV6lfAzfAruOz5ZlegOq6SxWeEDJ5yRnBqlmDI/Aa0gaZiLwyO0YeO
IoAp1oGToT6MXEh/x5BvqHNEy9twuD0rWwKIYNc4YCdmPZtJlwEs8NVmIOut
RM24BQjaMp1AWx3B2gjbqblN7AMg6wDHKv/bfzDCJKGi5hMR4+4TLZ0lpsa+
asEaDSXOuP6YWzGy6oo4LG4OjfuW1vkoeipEyYzCVowMxsXPspHeGPJSzLWU
sXpup7YpSu732MGyJRreZqM5cejzCRFKKhQ9hXZBJeJ4B85AoZWSbLB67hEf
LhwbkStRdCZopcDaGvqUIwLK1YUPY0pfYesSWXi5UhQh8PPJdC5DxdhHnyEx
CxIZCHBRx0TjwF4EDiqKvIvbIR3oqs76X+Hg9sR5onDGTQqVdcyMCqPAKuRl
wCTGoIaX6qzxX6OYGxVzcWvpovDCs44QMRKsQgKel04jrc2N1AnfqpYQP/cU
p5eOC/epXBrG5Hmec6VxYJioQdfZHKkUd3iHtCuDimKeLrNsJv6T82l6BTSs
Wql6j5AeSWJGP4Z3zGtBRJwOLPJbKshGd/bMTwgNY2S8mhCWMTxGtcyrQ6+9
AHknvH8kTH2FqeFtSs+ckclvMgssjn7SzWj30WgfRJe5b1kBOpuTMc88Uvpo
F00i8W4kyl5wZKnCsZj/sP3sFiSRmcYuYkDG+lqP4JccoBDpk+RQFGscnSi6
YzEJZppM8/Ktk2louehGu5uklwhYnvq08CCqINk2odVEbXiCC0uFqKdKXVAY
yPM3u6+P7q38iWAPIvIQLrczMB+oGxDDdbPkJaZXTbLY1OylS4Nr7zyIJb16
ya86FTrkyvqpKddOPZYCwYO3FIfQI3Z3eoVZ1ELPKarGmO1eynPOq4R3zYS3
MmeIYLihpsP5JYwIfXHtCrx8OFT44A8cxWACKxTr18QEGHEaRytAvEHc8JZL
34tqgOELpxlFdSGxN4j2CwrnQi0U5rECb36DCagRWgP6FCTH1ztuJHRT7jnL
eUWTO9z5dpenSQOCiVQxAtBK71OOJB8AGRYt5cvtHZ+jykheksPtdrRCLHa7
2a7ogPGaenu7YIRgD/BSQVcBq0F0Jx4dbx8e4xffbe8fn7yUIDB08JcBRhkq
EPsKyQ3n0CgjYq4PCzLOtDKJibFwXYvZU7rE3re/eg2Kym5QLpIb5CKbSeM7
YutHKh3tsHR0hNKRRN/7ntC5xem/tAZauicQqUo5JnlpE3WjcrrxiGWYVNwA
F45lIo9L6MLpzQ4hjBoxX0r5Jvh1EtsowhJDEeeTWcWcWJpRx4EOsBNvrgqr
FaboD29FxT8fv/hIxvirtayXiQniaXNJGnM0uS9CrSa/rdFLH7Pz2uOCnfeB
G5F2HXbzyB6+PXyGv7bjs4OladJpVkbz9vEhZ3LAKF6KqtDcVddAahuRFCsF
aO4blwwmnPmZ6TSP4lZKCrN7fKs7r18evNjDdt2BrdP6HSsy9VZrdq7KCAbO
tv+T8QE35GBVfgIa9w03vlxmgh8sr3iSH/wUJF+/cAsIcvDRJD94JMlTDwd7
h0f7RzJxJg6Y+P0U4SRpIY1HUwahggopBFEmZiXZuuAsoR5RMdQQal4PD8Tj
1jogKLcWD6PNJ1iENqn836+Y2dP3ppxq8PPD0oIv+Fu4uAxgbPfRTR0S/Wux
TPy5XtJL6JcxJLfydHr/f7q39YV9ux5tYduHxkrfHsRHBceKX3xRBx+uDPqT
xvotq9I/91CFu37SUIP97z92oI1g/wkF/r6BerqPv/ri/sF/5KQaMbEMVh7x
1kN9NeLtgUavF4+BiWDhqsAgmS+u1I7FcJwHTvDCz7W87gPvNyJq5QE9xDcW
fH7vWwsX6563/I0Rs5Uv7kP6v6/ysxGmIx0mutqt+hIYFCuM3WkrvKddvtEe
dU0/3Li0GdzQpJo7WUk9OaGIw1aYRysriohaH0gbwJxXao9+kMTwQTNmHtcV
Idm/84CQ3Pt4IfmecclgFgnJvU8Wkvmi7C9Sdvsfq+zeMyfp0s5p4UHoP7hC
pjXexP7jBdaHW5cmP1pW/aAeAiGd96j/kKy6QHt5PN0Ofha6rVVkaCK+33rS
xb4+WjR/9JA+TBSu//Gi8KKfh660WGjoPra1WrFtsTQs3O2nlDAfI7h/vIT5
aUMNJMxHi8K1GsbigQrf+Uk1jEdLwx+lYXzaWKP9f+xQa0XYxSKqO6SfdK4a
AQUMHpBH75cgF3/reMhHioXJDkcjvCjOl5YOn+1IUPFWcjCmokwcaFeJLfk8
eYbsrNUjqaDV6yG8PZbZoBQ5fAEd4Ohz1uxK9GxwwH1O3gnXQodb6HILh1rS
zqWtUVjjBdeZLGdY6QmuttP0nB7fv6SMMan0SOmZEg4+yiZ5OsbAcUmmcJ9P
+XYvuVQIheYVk5b8yf7uCbq3GFhHw4AwGgUHkE5cUz7w0Kc3iJvxj/N0Mptf
auWMaUmj3Rmnxh9hEoukQUVxYHeVj6XptweSVYAr6SaCjqkrF+1IId/726+2
JR9n6rWoz33JT3jwWX6O7sLVJlVPFVlBPuyuyy5cyqpOL5Pl0fzy8m6Zvvgm
nV4Wk/xP+BZsKHVOX7yRSAaXg80fbw8Vk47yW/y2dzd52zu8MCeHphCPrZ3i
vp7KkGhXMFiNvtnzcj5KEAoM4kZh0W7iFzqIQElX/wqG3CL22oyymRg2hx5/
KSLlKBvNbfg474sZkfMXYnhsMbqjt49h+XKGrdBNy0uMwMgnmAnf+hVSLGoS
jqDErTidT5Kn6CbjwwkPinN3ARkZn4k0deOiH6bkiY/CKeQppO5pMc7qDH5k
SwwSWpekwg6TepQJhY9jVgEHewxvZovIwpPABpFAd7NmUluaDSLwL+TiQQQ+
/VwGfaRJK5oEEnhevSCGk9RJu4NkPPry1Y5WLxIjqGZOytdKDYRoMpb8cYxU
Iq+SP6tdPFpX43SIxwS96+jAUgL5JpqCOceSXz6Ocg70DLuMRUIe1uzDaGxG
aG64it8r8tABook7drNjNd1Jdl7g0uHz4tilfXmNgQPKkXRbHNslXylDFmNw
YsD9gSxdNW7dt1fppaL3l6gRSFacJyGkQiyjqrrcGeFMBk1tYWw/Bp48Pcwo
UTp4uKm7TPFWOez+LYzwbpxZfkWsaSxoFr7oxsyf1y3NnsEcHjh//NcJVZwM
XzcvNTWgY/lk2d5Wy61l3QA4CPktvrbMQR/LSNkaeaND01MzlupPlew5xqHU
x19xZCAvD5s/JE4h8DfrwB1L5pxD+dgVw855bzkf8fQumfCW7k3OCZipvKKw
mHiodPE4QH9Oa/O3EFPliPzpZsxABfO6e8NeQebcGNaxzqxjg4UGIWu8z2CM
Aua1vStr4Y7Nl0mnmRz4ZH+5UuTGu6Y38bXybjJLb3+Bb7LN58YlOf7CZP3K
VxraWsPFYO/0wHiM5mlQ4103ZWH1Cl2Og+fy255e5YUrnswTfZuP3NoFZeQ9
xi2HBt2ZRDPy7Icp3eQNcggAjnB9HAghhiiawMjdWsqIODsiCr24J48+ZvUK
IufjPTTcxy1iGV+vCYm2l5L8aiIINCjqqRvmL+wlDJ/z+cWgEUvPVHGUdsaX
fkGQNRQcVJjiUbzAdDADCDUh8xVZhb5+sWOJdo2Jdp2JlqbX8pFuInEVjuKD
8VxleIfcYEAQp/K4WDQHnKX3o1LhnXIjieE0NQTilWShXzFL0lk4ELmWXFwP
UVvNJeVHm4ZiX9Ig4NIbEtLgmpllHLJEsUDjMvuH5Iq1jZIQSS+BVlbMuq3y
uq1JCS0U/ly6YJmOXd2SMF6akxv4Fc6hfKr5rAYbHRrrP4X/DPjBXa6GOEdO
x0xDMWwwVwfzZyS6EsOfYOScaFHlwgT0qzHvhA7CEVSnOXDEaQ5iJmURRgYC
PgimeCqlnbIQSDuSS/aWgAWgVrYUsOGyXjpb0ltbABQZNoHiyWhrDT0ohD7G
bgH7for1dZM6qTNzyApoN+N2CMhrOKvhcZ9TSfDkdA4CEawP6itYCFhuDLPZ
A97s1SUVyGpoVgOKw88obvfGZvOWS7qmjiMy1XDaL5beDWA3ZDe8tg0LO2H8
OYwMvqDt5WhuYgQpRrO1qEMt9+56fGnLufNk8BJR1Y7qF3GY3ZK8sRukxOiN
U/8tSIyseT4l5dX9ad9iktQ72YpQu1uLwSrrNlvH8EJyUvVMCAvbfaYPIKS0
OYXEBSW02RB4zPlSraDV0uBlbc/Iqws1D31WwK1FZSK0XOMkgLUm944+DYR1
lssdS2CFBn6cIS4F2tK8UEeJHi4M8RiyEUjCeM3pWy8rCaLBiYcH4AKb4rGw
ilGfz8BAVNCpltLg7rtSJrfbFu3Yj6zuXJiaIpy6GR2QOnHBPoLnpULmwNKl
ZPUKa4WMckiAPnBKqC7BY6/xw+xmmrMk0m+vuvW2FEjb8lCJNw1lNtGi2tj2
I4CZLM4LJgp4hW4VFTp3PU8sn9+tzmDD7T0azhSSg/mjB22ptLSnr3kB0zB+
5FVWath9ppKzvkaGNlIkTziTZXpOmCtGypXbM7j/XK6KPK6PiaKpjYisS/fR
nKvfjMf8UCm6rgjSyALK4QUI++MsHiPxI7iwfSIIShnXRT4SfCakcjS2IQ2L
IuPyZ2GUaG9zrAHYyuC2fwlvcjlp+iDrO4YJf9F7+9/CL0HiSfzkK8412nJZ
GLVPM7q+SAqGQonk80mch+8KpFyk02yk1saAGcJuqjihiadKuC1NfpM8qDBJ
pjI+0+RzHylvG5WEfq+T7rnlRF12HKK86CRabPWkoG3aYyPlhdHhqpxg4DYu
uigmV2lZOmHSmZYY+F5VAnnVgT4EkWhhnUpEc5zmGUJNSyQ6iftqNjOmFGvr
oc84v8ssiS+87QRbszy+bLcaS+QwMhosJW9LapcYI63SqqjHCJ7lQazFNozA
5XnW8vcLsE8R6FBsvBJlFpdXhxgI15x2gXboADsoeOYeOdCK6eigQDllCOL3
NEIimlAZD764lgKK9zyZs1HgJhVkPHnuWQGC7iiJTzT5eB32DJuOvPnODEt5
ogk7DAyw96ja8MVCPYe/tWHdlucbA5g7ntu77tcgtSEYLjCfPCXWKDZvCy6U
IH4RgT8pn6rxKEc6mJEEeiwJ9FlYQPh5IsPgkS0mIQKIQNoWruyNv3Lvav0d
5MBLD980H0vLH0Ncld0kzvY8nV2MQYRoJkcztFHALy/T6RDUsKMs5U/P4N+l
mhu+vqDs/Sr2y+N9d+kT2zGU8qjD5feEvWK6Nf6iSEPSKJLney/L6Bk5NfUF
ds04eBWP9x957kNtAPG2/nEn2Gc9X3FufnBgluTWGqcTf1XYEbsldsrGTrsf
DJGS5CfEy2t8AuwN7Ha3ZGyuNs3Ijj0GUg3XR1n1GwRvwpCWnaPgcynCNRkF
tveFa058a+e746dxO+quE+eJXtnuUueDGCwywRecpHjyck2DBXU/aaRjdMZx
uZlQkltRM1RIokvCoLbc4SWF2s8tpTcE8ArlNkIwJ5vsXbAh7PorExByJd+I
N4wA9AW83Z2JWC/UkWGqXZtmRyteAL+BzSvmU7ilSPN3Xbu97rALsNvZEv1O
nC0KmZ4zIVFilq147iL1HIe5IlIiGlEqRXMHLiyDeKHWwmk/Q754VOylr4Xl
ubm8zaljIh/vCiENVFwWC2mEGn/DhIKUAp/smPsRlDlKasQeMi3jJ0wXVHm0
H/jlYfdYZ1OW5+uT31RgJJzRw4r0VElJDRyiZW7vCAgF/tZ3r0lBZc0iDvR5
WUAGdP7zP/87WTKshCPagN4MLJ2zA7ViFogOsbqkBk2SVHedscBuAAvQ/oag
hGjrrDoTtD4atRUi1PDiMhgnFjqoukHB2AyBm5GC/teMr5cDy3BYgyYNiKDm
ek9Ud4ENVvxawqDzZiDnj8d1dAAfDkoIhVASKHQ/jWXK3hWkSMJzoRFQZSYE
O4gHCBuJajIi6kTp27ixNG54pPrVB5gZXV8Y9Mck/mQyH49lWZ5gJbQnangj
jEMfJGLjZcMuibv5m0lNaqTXZKN4o4GRG8t7h91FnQ05SgduYDsnt9aL702B
TqfIZyjjqNvCj1TMHEJzBLJ4AmLWoZPzEIyJPm4SE7V6uL8P8IieeCmVXWJl
ZhiCKiW/oLFiOjwZOQn3y9eOmRDC5ziXJmGDLlMkV1mmXVF76mEBLdGa+8KM
IThvikl4+yDVocQRplFSA9t7R62vd14yN7tI4f97HejooBjfdfsdtfzKrUb7
gvYn2oKbgu1QZslwu18dbTu1aOYkNsuxnZM5iEmSq8CrC5KfL8Usyvlpy/EH
5S60bSDtkjxtjZ0+L51r6E7Ts1mrko5OdyS3JU/TMhDUp5azND78WrOTDEUW
fBDFo8y899w05Czt/lSwP6qzvhWu+KxOZ87dHMn9IraQfkjNy4Je7XU8B6cC
/OIaKzJiz5FgLYRiQ5futCknS71AWWrZP221KFXqPUUvy2W17K8ja1o2oqAL
WRir/xvneAaXB46fhvvyzRElORx98/rNi13xUaE6KNuAuL8+34DAsFsO7A0X
qsOaL8ca2XuObykCWuYvTTvy3FgKxRpX57LnTRKPtowRCsmy+DrDVXKatPpm
9oC5EZhmnZMmHpfw01pocHsgFp8FVEMfPAnGyfrA1cK8dXl7fgs61BhBf7Fu
zzIaqZfvKeyzbKfnI82oIIg5MCcDczzY7dhZ2/LrqQdttd1LlvX8Gdf46/ls
DKQovb1WByAeH6yORhb0k27yZYL3YZBc4vuQWjwu415tDs2EPAthKj58Gpwb
S93k+o3CKe1FKzH1jFGsLEV8DQZJut9eZ33CKXScKz8x64HPLId2D8oxQm1/
WbcO9X+Dm4geGSRq9LgOSWCtrvM9BqCYwl3lBrJM10sL1UAZ8RbBuQo5mQ5g
mcOfdgXAvIQHWGl1qC/LgUymlgbnlEeUdLwFaRcwANLTF3s6O6tCX8ymDjPE
K3l2hCc68pPVdBTr57ER65ESmz6E9WWSa5h6MY2+CQ0Xpe6ts27ZebH3qjPY
qojYgRfLnkhvCiDtEYGkTd2hMqBqJFirAsFCeVNuhLyYNMyUuIAkT2iFm1zG
EIHlZrK8/y3+gm1Z3EYWIRyesXPoK00O7M7pBRNsnm4nP/iCUXMwxpAK20iF
+1Kvllwd9FzUm7e0Q6evt2D3Ax4RMDm9OcnecpYiFpRfC7NdbGLs9N12pVMq
vuYA6d0hp4GcAqdh0CPzlSxE5P61HEKe2AmkQXbQrLKpIljL7w8wjeSQ1tJp
qQbfjzw/HHg7UdC7h6gEhd+TPeb9HSc6z9LzpOEMqyRk+mVaefyqB7xlZ9GB
seeEjYSdXs390oX7RavVqR+zZhi+Dn21iUG7L8oswYZFisZHMQeO6F/Eb5zz
OXYIYKCWP4QkCjmN3a8GG/463a2QER8cPRckqPDzkGNY1PnTO1ZiuMBAFH/+
bksitbLRl8uTYlnLspLAAOqJK9aUTt4uvXv3budiivcTENn2Zfnjv5Tl+/fv
m/jFNoaFwIynRfLVdD7J9fPnKagOOSwDvPLVRTo9T6/TiX65k05LjH36Cq/4
ifv4OL+E436H+wtilX76FYarligxFDPY4ql+fljAuyDUTO7G+Y1++BIj3iYY
vjS8iD+bv830o11kXyD2pOUModj14xcwrmQPgYpm+pFY3JNnKYY6j92TxY//
ZZg8Q2NbPk3dBC6yvEy+nv74Xyen2fAiOSDTSOYm+Cwbw6H4+sd/QTArNxGY
AuYTvM0nbs7Px+m8xA9nfnCHc2Ca32ClkezOjO4M38bNKf5UXJspD5P98Xxy
7sYG/GAKenHy65TuYP14DwNFk+fjLHej3Jvmb+ETYMymGxDhn6PXYmo2/pb2
vYQvMIoQxqDf7eN5S17k8/I6Tf3yHKZnKXoufvy/Jq0XP/7fV9mfPLWwhwON
VjmWfvNrcw3K6CsgHuA0hrbGmGKDxOOGmI6v0xGcqYMf//PUN3yYok/qIJuO
zbPc6AEK/8MLdKL6Zfvxv9xkk0lyCIs0H14UM7MmQ7zBQWAfu/m8zIFZZuPk
EP+djsrCUzKcomuksKP0Ypz8+sf/CuLkxBDC/5hiYMCf/pQiCR/B3vt1/XV+
mRxBe1hyJ+wGP52exWcIPv3xX4Jj9OviAj+ew2XiWn0xH93kmPqdz9zafDXF
83yUXxWl3+gU5NBxep0cXd6VF+O7NHM09W06xmKi+MXYU9qBFFRA7RMT6ou3
bunhtoIPpvP8rW8iLy8msPrJ0RxE8Sn83x/SkO5w5S6DBSFXV3Kcj4uhW3n0
eyXHWM9walcJFunbLB+Ps9ks86+P8//nP6bJt/P//n+AFPzf/xc38nQ+Tr4r
KCuJPgNqpqXK8uQ3NKqlMwLtQsFVg/VFfqVrf8IiBbk9Z1RmrFRPEEVhorbX
Tr7LyMqcSeEcwqkbZacShsSwlIhIHO083Q+YbCYRulj6JxxKHkYx4m0M5+Iu
GkfOThCuvUlDIrj9YvqWTYUYEiZCPeEWStQwiDcYmxqDfX3T6/Q6aE0hKPKj
/Wf7R61v0D3SOJ/ilUEQq9TW5mpvbbWH+dKYSXg2np+dLf2/xGpO6kwMAwA=

-->
</rfc>