<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.3.8 -->

<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
]>

<?rfc toc="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>

<rfc ipr="trust200902" docName="draft-birkholz-rats-coswid-rim-02" category="std">

  <front>
    <title abbrev="CoSWID RIM">Reference Integrity Measurement Extension for Concise Software Identities</title>

    <author initials="H." surname="Birkholz" fullname="Henk Birkholz">
      <organization abbrev="Fraunhofer SIT">Fraunhofer SIT</organization>
      <address>
        <postal>
          <street>Rheinstrasse 75</street>
          <city>Darmstadt</city>
          <code>64295</code>
          <country>Germany</country>
        </postal>
        <email>henk.birkholz@sit.fraunhofer.de</email>
      </address>
    </author>
    <author initials="P." surname="Uiterwijk" fullname="Patrick Uiterwijk">
      <organization>Red Hat</organization>
      <address>
        <postal>
          <street>100 E Davie Street</street>
          <city>Raleigh</city>
          <code>27601</code>
          <country>Netherlands</country>
        </postal>
        <email>puiterwijk@redhat.com</email>
      </address>
    </author>
    <author initials="D." surname="Waltermire" fullname="David Waltermire">
      <organization abbrev="NIST">National Institute of Standards and Technology</organization>
      <address>
        <postal>
          <street>100 Bureau Drive</street>
          <city>Gaithersburg</city>
          <region>Maryland</region>
          <code>20877</code>
          <country>USA</country>
        </postal>
        <email>david.waltermire@nist.gov</email>
      </address>
    </author>
    <author initials="S." surname="Bhandari" fullname="Shwetha Bhandari">
      <organization abbrev="Cisco">Cisco Systems, Inc.</organization>
      <address>
        <postal>
          <street>Cessna Business Park, Sarjapura Marathalli Outer Ring Road</street>
          <city>Bangalore</city>
          <region>KARNATAKA</region>
          <code>560087</code>
          <country>India</country>
        </postal>
        <email>shwethab@cisco.com</email>
      </address>
    </author>
    <author initials="J." surname="Fitzgerald-McKay" fullname="Jessica Fitzgerald-McKay">
      <organization>Department of Defense</organization>
      <address>
        <postal>
          <street>9800 Savage Road</street>
          <city>Ft. Meade</city>
          <region>Maryland</region>
          <country>USA</country>
        </postal>
        <email>jmfitz2@nsa.gov</email>
      </address>
    </author>

    <date year="2021" month="January" day="13"/>

    <area>Security</area>
    <workgroup>RATS Working Group</workgroup>
    <keyword>Internet-Draft</keyword>

    <abstract>


<t>This document specifies the CDDL and usage description for Reference Integrity Measurements (RIM) in Remote Attestation Procedures (RATS). The specification is based on Concise Software Identification (CoSWID) and TCG Reference Integrity Manifest Information Model – based on Host Integrity at Runtime and Start-up (HIRS). Extension points defined in CoSWID are used to augment CoSWID tags with new attributes that can express the TCG Reference Integrity Manifest extensions.</t>



    </abstract>


  </front>

  <middle>


<section anchor="introduction" title="Introduction">

<t>Reference Integrity Measurements describe the intended state of (composite) software components installed on a (composite) device. A measurement of all installed software components of a device allows for assertions about the trustworthiness of the given device. In combination with a root of trust (RoT) for reporting (RTR), these measurements can be refined into evidence and enable Remote ATtestation procedureS (RATS). RATS supports the decision process of whether to put trust in the trustworthiness of a device – or not.</t>

<t>The RATS architecture <xref target="I-D.ietf-rats-architecture"/> defines the following roles: Verifier, Attester, Endorser, Relying Party, and Reference Value Provider. The RATS architecture also specifies that attestation Evidence is created by Attesters and consumed by Verifiers. Ultimately, the goal is to enable a Relying Party to put trust in the trustworthiness of a remote peer (the Attester). Attestation Evidence is composed of believable assertions about an Attester’s trustworthiness characteristics. In RATS, these assertions are called Claims. The Verifier conducts a set of appraisal procedures in order to assess the compliance of an Attester’s trustworthiness characteristics.</t>

<t>A prominent appraisal procedure in RATS is the comparison of Claim values included in attestation Evidence with reference Claim values provided by Reference Value Providers (RVP, e.g. a supply chain entity). The comparison of Claim values via Reference Claim Values (RCV) is vital for the assessment of compliance metrics with respect to software components installed on an Attester. A typical objective here is the remediation of vulnerabilities discovered in certain versions of installed software components.</t>

<t>The Integrity Measurement Architecture (IMA) of the Linux Security Modules (LSM) provides a detailed Event Log (sometimes also referred to as a Measurement Log) that retains a sequence of hash measurements of every software sub-component (e.g. a firmware, an ELF executable, or a configuration file) that is created and appended to the sequence of measurements that composes the event log before the software component in question is started or read – “first measure, then start”.</t>

<t>In essence, to enable this appraisal procedure conducted by Verifiers, an Attester’s IMA provides Event Logs that include the hash values of every started software component and therefore are part of the attestation Evidence an Attester creates. The complementary well-known-values that Verifiers require are included in the Reference Integrity Measurements (RIM). RIMs for software components can be provided via Concise Software Identification (CoSWID) tags created or maintained by RVPs, such as the software creators, manufacturers, vendors, or other trusted third parties (e.g. a certification entity).</t>

<t>This document provides an extension to the CoSWID specification defined in <xref target="I-D.ietf-sacm-coswid"/>. The extension adds attributes to CoSWID tags that enable them to express RIMs. One prominent subset of these attributes is illustrated in the TCG Reference Integrity Manifest Information Model [ref] specification. These attributes are added to the existing CoSWID specification via the most general extension point the CoSWID specification provides: $$coswid-extension. A new map type-definition named “reference-values” is added and is defined in section [ref] of this document.</t>

<t>Furthermore, a usage profile for signed CoSWID tags is defined in this specification in support of the software-component structure of systems managed by package managers. Signed CoSWID tags that are aligned with that software model can be used to describe the contents of one or multiple of the packages that make up the contents of a system. In order to minimize the impact on the sizes of packages, it is likely that any CoSWID tags delivered as part of packages as part of a package manager managed system will not contain actual reference values, but instead a link-entry to a CoSWID tag published by the vendor in a repository.</t>

<section anchor="requirements-notation" title="Requirements Notation">

<t>The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL
NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”,
“MAY”, and “OPTIONAL” in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

</section>
</section>
<section anchor="coswid-attribute-extensions-for-rim" title="CoSWID Attribute Extensions for RIM">

<t>This specification defines two types of attribute sets that can be added to the CoSWID specification via the defined extension points:</t>

<t><list style="numbers">
  <t>Attributes that support RIM manifests for Measured Boot (often referred to as Secure Boot) and</t>
  <t>Attributes that support the RPM package manager structure.</t>
</list></t>

<section anchor="rim-requirements-on-existing-coswid-attributes" title="RIM requirements on existing CoSWID attributes">

<t>As defined by NIST IR 8060 [ref], there are required “Meta Attributes” for XML SWID tags that have to be included in a SWID tag in order to compose a valid SWID RIM. In this section, these attributes are mapped to CoSWID attributes and corresponding requirements on attributes defined in the CoSWID specification to compose valid NIST IR 8060 signed Payload content in the Concise Software Identity Reference Integrity Measurement (CoSWID RIM) representation.</t>

<t>The ‘software-meta-entry’ type defined in the CoSWID specification includes the optional members ‘product’, ‘colloquial-version’, ‘revision’, and ‘edition’. These four members MUST be included in a CoSWID RIM in order to compose a valid Reference Integrity Measurement in alignment with NIST IR 8060. Furthermore, the semantics of the text (tstr) typed values MUST convey content that allows for semantic interoperability in a given scope (e.g., an administrative domain). The software-meta-entries provide vital support for steering decisions made by the RATS verifier role in order to enable discovery and matching of related or additional CoSWID RIMs available to or discoverable by the verifier.</t>

</section>
<section anchor="rim-extensions-for-hirs" title="RIM Extensions for HIRS">

<t>The following attributes are derived from the TCG Reference Integrity Manifest Information Model [ref] specification. These attributes support the creation of very small CoSWID RIM tags that enable the Remote Integrity Verification (RIV <xref target="I-D.fedorkow-rats-network-device-attestation"/>) of small things, i.e., constrained devices in constrained network environments. In consequence, the majority of the attributes listed in this section represent metadata about firmware and supply chain entities that provide firmware for a device (platform). Analogously to the mandated software-meta-entries illustrated above, the attributes defined in the table below provide more context and enable steering decisions for the appraisal procedures of a Verifier. Consequently, RIMs have to be managed and curated in a consistent manner so that there is no significant threshold for a Verifier to make use of them during an appraisal procedure.</t>

<t>The design of the additional RIM attributes in this section is motivated by the vast variety of identifier types used in production today, e.g. endorsement documents <xref target="I-D.ietf-rats-architecture"/> that are enrolled or on-boarded on the Attester itself. It is vital to highlight that this variety can render semantic self-descriptiveness more difficult. Most importantly though: interoperability beats self-descriptiveness. A convergence towards a common identification scheme with respect to software components and its subset that is firmware is highly encouraged - alas not achieved at the time of creating this proposed standard. The following table defines the semantics of the set of new members that are added via the reference-measurement-entry map. The reference-measurement-entry map is added using the $$coswid-extension CDDL extension point.</t>

<texttable>
      <ttcol align='left'>Attribute Name</ttcol>
      <ttcol align='left'>Quantity</ttcol>
      <ttcol align='left'>Description</ttcol>
      <c>payload-type</c>
      <c>0-1</c>
      <c>The value of this attribute MUST be one equivalent of the following three choices. ‘direct’: the representation used in this RIM (and referred RIMs) is using the CoSWID encoding as its representation. ‘indirect’: the representation used in referred RIMs (‘Support RIMs’) is using a different representation than CoSWID as its encoding. Analogously, a reference to the corresponding specification MUST be provided if the value is set to an equivalent of ‘indirect’ (see binding-spec-name and binding-spec-version). ‘hybrid’: the representation used in the referred RIMs (‘Support RIMs’) is a mix of CoSWID representations and other representations. In this case, a reference to the representation used MUST be included - even if it is the CoSWID representation - for every Support RIM (see ‘binding-spec-name’ and ‘binding-spec-version’ definition in this table).</c>
      <c>platform-configuration-uri-global</c>
      <c>0-1</c>
      <c>A byte-comparable reference to a Platform Configuration URI as defined by the TCG Platform Certificate Profile [ref TCG Platform Certificate Profile, Version 1.1] for X.509v3 certificates that MUST be identical to the URI included in a TCG Platform Certificate pointing to a resource providing a copy of the CoSWID RIM this attribute is included in.</c>
      <c>platform-configuration-uri-local</c>
      <c>0-1</c>
      <c>A byte-comparable reference to a Platform Configuration URI defined by the TCG Platform Certificate Profile [ref TCG Platform Certificate Profile, Version 1.1] that MUST represent the resource at which a copy of this CoSWID RIM can be found within the (composite) device/platform itself.</c>
      <c>binding-spec-name</c>
      <c>1</c>
      <c>If the value of ‘payload-type’ is an equivalent to the enumeration ‘indirect’, the value of this attribute MUST contain a globally unique text (tstr) identifier referring to the specification that defines the representation of the referred RIM in order to enable its decoding.</c>
      <c>binding-spec-version</c>
      <c>1</c>
      <c>If the value of ‘payload-type’ is an equivalent to the enumeration ‘indirect’, the value of this attribute MUST contain a unique version number with respect to the specification represented in the value of ‘binding-spec-name’.</c>
      <c>platform-manufacturer-id</c>
      <c>0-1</c>
      <c>An identifier based on the IANA Private Enterprise Number registry that is assigned to firmware manufacturer. This identifier MUST be included unless the firmware manufacturer and the platform manufacturer are represented by the same text (tstr) value. Analogously, if the firmware manufacturer and the platform manufacturer are represented via the same text (tstr) value, this attribute MAY be omitted.</c>
      <c>platform-manufacturer-name</c>
      <c>0-1</c>
      <c>An identifier number (uint) value that uniquely represents the firmware manufacturer. This identifier MUST be included unless the firmware manufacturer and the platform manufacturer are represented via the same number (uint) value, in which case this attribute MAY be omitted.</c>
      <c>platform-model-name</c>
      <c>1</c>
      <c>An identifier text (tstr) value enabling the identification of a certain device model/type composite. The reliability of this identifier is not absolute. In consequence this identifier MUST NOT be omitted. In any case, the use of this identifier requires foresight and preparation as its purpose supports semantic interoperability. Arbitrary, conflicting, or unresolvable values SHOULD be avoided.</c>
      <c>platform-version</c>
      <c>0-1</c>
      <c>A byte-comparable reference to a Platform Certificate’s ‘Manufacturer-Specific Identifier’ extension value [ref TCG Platform Certificate Profile, Version 1.1].</c>
      <c>firmware-manufacturer-id</c>
      <c>0-1</c>
      <c>An IANA defined unique value that is a Private Enterprise Number (Platform manufacturer unique identifier) that SHOULD be included in a CoSWID RIM that covers firmware.</c>
      <c>firmware-manufacturer-name</c>
      <c>0-1</c>
      <c>An identifier that is represented as the name of a platform manufacturer via a text (tstr) value that SHOULD be included in a CoSWID RIM that covers firmware.</c>
      <c>firmware-model-name</c>
      <c>0-1</c>
      <c>An identifier that represents the target platform model via a text (tstr) value that SHOULD be included in a CoSWID RIM.</c>
      <c>firmware-version</c>
      <c>0-1</c>
      <c>An identifier that is represented as the version number of a specific firmware version corresponding to a given set of platform identifiers and SHOULD be included in a CoSWID RIM.</c>
      <c>boot-events</c>
      <c>0-1</c>
      <c>A reference to the platform measured boot event logs that can be compared to individual events from the platform measured boot events collected at platform runtime.</c>
</texttable>

</section>
<section anchor="rim-extensions-for-software-package-management" title="RIM Extensions for Software Package Management">

<t>To enable very small CoSWID tags that basically are signed references to full Base RIMs for each software package that ultimately include all the hash values required by the appraisal procedure of a Verifier, the member rim-reference is added using the $$payload-extension CDDL extension point.</t>

<texttable>
      <ttcol align='left'>Attribute Name</ttcol>
      <ttcol align='left'>Quantity</ttcol>
      <ttcol align='left'>Description</ttcol>
      <c>rim-reference</c>
      <c>0-1</c>
      <c>A URI pointing to the CoSWID Base RIM that will list the payload reference measurements (hashes) in case of a minimal CoSWID tag.</c>
</texttable>

<section anchor="rpm-version-scheme" title="CoSWID Version Scheme for RPM">

<t>To enable encoding version information into a CoSWID tag for RPM packages, the SWID version scheme value index TBD1 has been registered.
RPM versions are defined as epoch:version-release-architecture, where the “epoch:” component is optional.
Epoch is a numerical value, which should be considered zero if the epoch component is missing.
Version and Release can be any string as long as they do not contain a hyphen (-).
Architecture is an alphanumerical string.</t>

<t>Sorting of RPM versions is a multi-step process:</t>

<t><list style="symbols">
  <t>The epoch, version and release components are compared in that order; as soon as a difference is found, that is the overall difference.</t>
  <t>The epoch component is compared as integers. A higher number means a higher version.</t>
  <t>The version and release components are compared alphabetically, until a digit is encountered in both strings, at which point as many digits are consumed from both to form an integer, which is then compared. If the integers are identical, the comparison continues alphabetically.</t>
  <t>The architecture component is never sorted. If they are different between two versions, the versions are unequal, not higher or lower.</t>
</list></t>
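
<figure>
<preamble>Added example, not part of this specification and not RPM's own comparison routine: a Python implementation of the parsing and sorting rules described in this section. It assumes that a differing architecture makes two versions unordered regardless of the other fields, and that when one string is a prefix of the other the longer string is higher; the function names and the sample version strings are constructed for illustration.</preamble>
<artwork><![CDATA[
```python
import re
from typing import NamedTuple, Optional

_DIGITS = re.compile(r"[0-9]+")


class RpmVersion(NamedTuple):
    epoch: int
    version: str
    release: str
    arch: str


def _cmp(a, b) -> int:
    """Three-way comparison: -1, 0 or 1."""
    return (a > b) - (a < b)


def parse_rpm_version(text: str) -> RpmVersion:
    """Split 'epoch:version-release-architecture'; a missing epoch counts as zero."""
    epoch = 0
    head, sep, rest = text.partition(":")
    if sep:
        if not _DIGITS.fullmatch(head):
            raise ValueError(f"epoch is not numerical: {text!r}")
        epoch = int(head)
    else:
        rest = text
    # Version and release may not contain a hyphen, so exactly three
    # hyphen-separated fields must remain.
    parts = rest.split("-")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected version-release-architecture: {text!r}")
    version, release, arch = parts
    # "Alphanumerical" is applied literally here (ASCII letters and digits).
    if not (arch.isascii() and arch.isalnum()):
        raise ValueError(f"architecture is not alphanumerical: {text!r}")
    return RpmVersion(epoch, version, release, arch)


def compare_component(a: str, b: str) -> int:
    """Compare two version or release strings as this section describes."""
    i = j = 0
    while i < len(a) and j < len(b):
        run_a, run_b = _DIGITS.match(a, i), _DIGITS.match(b, j)
        if run_a and run_b:
            # A digit in both strings: consume both digit runs, compare as integers.
            diff = _cmp(int(run_a.group()), int(run_b.group()))
            i, j = run_a.end(), run_b.end()
        else:
            # Otherwise compare the two characters alphabetically.
            diff = _cmp(a[i], b[j])
            i, j = i + 1, j + 1
        if diff:
            return diff
    # Assumption: with a common prefix, the string with text left over is higher.
    return _cmp(len(a) - i, len(b) - j)


def compare_rpm_versions(left: str, right: str) -> Optional[int]:
    """Return -1, 0 or 1, or None when the architectures differ (unordered)."""
    a, b = parse_rpm_version(left), parse_rpm_version(right)
    if a.arch != b.arch:
        return None
    return (_cmp(a.epoch, b.epoch)
            or compare_component(a.version, b.version)
            or compare_component(a.release, b.release))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real package.
    samples = [
        ("1.10-1-noarch", "1.9-1-noarch"),    # digit runs compare as integers
        ("1:0.9-1-noarch", "2.0-1-noarch"),   # epoch is compared first
        ("2.0-3-noarch", "2.0-12-noarch"),    # release decides when versions match
        ("2.0-1-noarch", "2.0-1-aarch64"),    # architectures differ: unordered
    ]
    for left, right in samples:
        print(left, right, compare_rpm_versions(left, right))
```
]]></artwork>
<postamble>A caller that uses the result to select a matching RIM has to treat the unordered case (None) separately from "equal", since it is neither higher nor lower.</postamble>
</figure>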

</section>
</section>
<section anchor="coswid-rim-cddl" title="CoSWID RIM CDDL">

<t>The following CDDL specification uses the existing CDDL extension points as defined in <xref target="I-D.ietf-sacm-coswid"/>:</t>

<t><list style="symbols">
  <t>$$coswid-extension</t>
  <t>$$payload-extension</t>
</list></t>

<figure><artwork type="CDDL"><![CDATA[
<CODE BEGINS>
$$coswid-extension //= (reference-values => reference-values-entry)

reference-values-entry = {
  ? payload-type => direct / indirect / hybrid,
  ? platform-configuration-uri-global => any-uri,
  ? platform-configuration-uri-local => any-uri,
  binding-spec-name => text,
  binding-spec-version => text,
  platform-manufacturer-id => uint,
  platform-manufacturer-name => text,
  platform-model-name => text,
  ? platform-version => uint,
  ? firmware-manufacturer-id => uint,
  ? firmware-manufacturer-name => text,
  ? firmware-model-name => text,
  ? firmware-version => uint,
  ? boot-events => [ * boot-event-entry ],
  rim-link-hash => bytes,
}

boot-event-entry = {
   boot-event-number => uint,
   boot-event-type => uint,
   boot-digest-list => [ 1* hash-entry ],
   boot-event-data => bytes
}

$$payload-extension //= ( ? support-rim-type-kramdown => direct / indirect )
$$payload-extension //= ( ? support-rim-format => text )
$$payload-extension //= ( ? support-rim-uri-global => any-uri )
$$payload-extension //= ( ? rim-reference => any-uri )

reference-measurement = 58
payload-type = 59
payload-rim = 60
platform-configuration-uri-global = 61
platform-configuration-uri-local = 62
binding-spec-name = 63
binding-spec-version = 64
platform-manufacturer-id = 65
platform-manufacturer-name = 66
platform-model-name = 67
platform-version = 68
firmware-manufacturer-id = 69
firmware-manufacturer-name = 70
firmware-model-name = 71
firmware-version = 72
rim-link-hash = 73
support-rim-type-kramdown = 74
support-rim-format = 75
support-rim-uri-global = 76
rim-reference = 77
boot-events = 78
boot-event-number = 79
boot-event-type = 80
boot-digest-list = 81
boot-event-data = 82

direct = 0
indirect = 1
hybrid = 2
<CODE ENDS>
]]></artwork></figure>

</section>
</section>
<section anchor="privacy-considerations" title="Privacy Considerations">

<t>TBD</t>

</section>
<section anchor="security-considerations" title="Security Considerations">

<t>To be elaborated on</t>

</section>
<section anchor="iana-considerations" title="IANA Considerations">

<t>This document has added the following entries to the SWID/CoSWID Version Scheme Values registry at <eref target="https://www.iana.org/assignments/swid">https://www.iana.org/assignments/swid</eref>:</t>

<figure><artwork><![CDATA[
Index: TBD1
Version Scheme Name: rpm
Specification: See the "CoSWID Version Scheme for RPM" section of this document
]]></artwork></figure>

</section>


  </middle>

  <back>

    <references title='Normative References'>





<reference  anchor="RFC2119" target='https://www.rfc-editor.org/info/rfc2119'>
<front>
<title>Key words for use in RFCs to Indicate Requirement Levels</title>
<author initials='S.' surname='Bradner' fullname='S. Bradner'><organization /></author>
<date year='1997' month='March' />
<abstract><t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t></abstract>
</front>
<seriesInfo name='BCP' value='14'/>
<seriesInfo name='RFC' value='2119'/>
<seriesInfo name='DOI' value='10.17487/RFC2119'/>
</reference>



<reference  anchor="RFC8174" target='https://www.rfc-editor.org/info/rfc8174'>
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
<author initials='B.' surname='Leiba' fullname='B. Leiba'><organization /></author>
<date year='2017' month='May' />
<abstract><t>RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the  defined special meanings.</t></abstract>
</front>
<seriesInfo name='BCP' value='14'/>
<seriesInfo name='RFC' value='8174'/>
<seriesInfo name='DOI' value='10.17487/RFC8174'/>
</reference>



<reference anchor="I-D.ietf-sacm-coswid">
<front>
<title>Concise Software Identification Tags</title>

<author initials='H' surname='Birkholz' fullname='Henk Birkholz'>
    <organization />
</author>

<author initials='J' surname='Fitzgerald-McKay' fullname='Jessica Fitzgerald-McKay'>
    <organization />
</author>

<author initials='C' surname='Schmidt' fullname='Charles Schmidt'>
    <organization />
</author>

<author initials='D' surname='Waltermire' fullname='David Waltermire'>
    <organization />
</author>

<date month='November' day='2' year='2020' />

<abstract><t>ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an extensible XML-based structure to identify and describe individual software components, patches, and installation bundles.  SWID tag representations can be too large for devices with network and storage constraints.  This document defines a concise representation of SWID tags: Concise SWID (CoSWID) tags.  CoSWID supports a similar set of semantics and features as SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information, all in a more memory efficient format.</t></abstract>

</front>

<seriesInfo name='Internet-Draft' value='draft-ietf-sacm-coswid-16' />
<format type='TXT'
        target='http://www.ietf.org/internet-drafts/draft-ietf-sacm-coswid-16.txt' />
</reference>




    </references>

    <references title='Informative References'>





<reference anchor="I-D.fedorkow-rats-network-device-attestation">
<front>
<title>TPM-based Network Device Remote Integrity Verification</title>

<author initials='G' surname='Fedorkow' fullname='Guy Fedorkow'>
    <organization />
</author>

<author initials='E' surname='Voit' fullname='Eric Voit'>
    <organization />
</author>

<author initials='J' surname='Fitzgerald-McKay' fullname='Jessica Fitzgerald-McKay'>
    <organization />
</author>

<date month='April' day='16' year='2020' />

<abstract><t>This document describes a workflow for remote attestation of integrity of network devices.</t></abstract>

</front>

<seriesInfo name='Internet-Draft' value='draft-fedorkow-rats-network-device-attestation-05' />
<format type='TXT'
        target='http://www.ietf.org/internet-drafts/draft-fedorkow-rats-network-device-attestation-05.txt' />
</reference>



<reference anchor="I-D.ietf-rats-architecture">
<front>
<title>Remote Attestation Procedures Architecture</title>

<author initials='H' surname='Birkholz' fullname='Henk Birkholz'>
    <organization />
</author>

<author initials='D' surname='Thaler' fullname='Dave Thaler'>
    <organization />
</author>

<author initials='M' surname='Richardson' fullname='Michael Richardson'>
    <organization />
</author>

<author initials='N' surname='Smith' fullname='Ned Smith'>
    <organization />
</author>

<author initials='W' surname='Pan' fullname='Wei Pan'>
    <organization />
</author>

<date month='December' day='8' year='2020' />

<abstract><t>In network protocol exchanges it is often the case that one entity requires believable evidence about the operational state of a remote peer.  Such evidence is typically conveyed as claims about the peer's software and hardware platform, and is subsequently appraised in order to assess the peer's trustworthiness.  The process of generating and appraising this kind of evidence is known as remote attestation.  This document describes an architecture for remote attestation procedures that generate, convey, and appraise evidence about a peer's operational state.</t></abstract>

</front>

<seriesInfo name='Internet-Draft' value='draft-ietf-rats-architecture-08' />
<format type='TXT'
        target='http://www.ietf.org/internet-drafts/draft-ietf-rats-architecture-08.txt' />
</reference>




    </references>



  </back>


</rfc>

