<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-liao-ace-est-c509-01" category="std" consensus="true" submissionType="IETF" tocDepth="4" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="EST-C509">EST for C509 Certificates</title>
    <seriesInfo name="Internet-Draft" value="draft-liao-ace-est-c509-01"/>
    <author initials="L." surname="Liao" fullname="Lijun Liao">
      <organization>NIO</organization>
      <address>
        <email>lijun.liao@nio.io</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <abstract>
      <?line 49?>

<t>This document defines Enrollment over Secure Transport (EST) protocol operations over HTTPS for use with C509 certificates. The operations specified in this document support CA certificate distribution, C509 certificate enrollment, C509 certificate re-enrollment, and server-side key generation using C509 certificates. This document also defines operations for Certificate Revocation List (CRL) distribution.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-liao-ace-est-c509/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Authentication and Authorization for Constrained Environments Working Group mailing list (<eref target="mailto:ace@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/ace/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/ace/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ace-wg/xxx"/>.</t>
    </note>
  </front>
  <middle>
    <?line 53?>

<section anchor="intro">
      <name>Introduction</name>
      <t>Enrollment over Secure Transport (EST) <xref target="RFC7030"/> defines HTTPS-based operations for X.509 <xref target="RFC5280"/> certificate enrollment and CA certificate distribution.  Payloads are DER-encoded and wrapped in CMS (Cryptographic Message Syntax, <xref target="RFC5652"/>) structures.  C509 <xref target="I-D.ietf-cose-cbor-encoded-cert"/> defines a compact, CBOR-encoded alternative to DER X.509 certificates.  C509 certificates are substantially smaller.</t>
      <t>Although C509 was developed with constrained devices in mind, its benefits extend to unconstrained devices operating over low-bandwidth links and to large-scale deployments.  Smaller, CBOR-encoded certificates reduce bandwidth and storage requirements, accelerate TLS handshakes, and lower parsing and serialization overhead even on powerful endpoints; because C509 does not use ASN.1/DER, implementations can avoid complex ASN.1 parsing code, which reduces code size and complexity and lowers the attack surface for certificate parsing libraries.  In complex systems (for example, connected cars) that contain diverse device classes—microcontrollers, sensor chips, and SoCs—using a common certificate format wherever practical simplifies integration and provisioning.  Using C509 consistently across device classes simplifies provisioning, interoperability, and over-the-air updates, and can reduce overall operational costs and latency.</t>
      <t>This document defines EST operations that carry C509 objects in place of DER X.509 objects, following the same HTTPS/TLS transport and URI path structure as <xref target="RFC7030"/>.  For environments where HTTPS/TLS is impractical, EST for C509 certificates over CoAP with OSCORE is defined in <xref target="I-D.ietf-ace-coap-est-oscore"/>.</t>
      <t>A key property of this design is that EST clients do not require a CBOR parser or generator:</t>
      <ul spacing="normal">
        <li>
          <t>For non-KEM-only key types, the C509 CSR is typically pre-provisioned as an opaque binary blob by the device manufacturer or a provisioning tool; the EST client sends it verbatim as the POST body of <tt>simpleenroll</tt> or <tt>simplereenroll</tt> without interpreting its contents.</t>
        </li>
        <li>
          <t>For KEM-only key types, the EST client needs to communicate with the key device to get the public key (<tt>C509PublicKey</tt>) and the certification request (<tt>C509CertificationRequest</tt>) after receiving the KEM challenge object (<tt>KemChall</tt>) from the EST server; in this case, the EST client considers the <tt>C509PublicKey</tt>, <tt>KemChall</tt>, and <tt>C509CertificationRequest</tt> opaque binary blobs.</t>
        </li>
        <li>
          <t>For all key types, the C509 certificate returned in the response is stored directly to persistent memory without parsing.  This property makes the EST client implementation extremely lightweight.</t>
        </li>
      </ul>
      <t>This document uses <tt>C509CertificationRequest</tt> as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/> as the C509 Certificate Signing Request (C509 CSR) format.  An EST client uses a C509 CSR to request issuance of a C509 certificate from an EST server.</t>
      <t>The operations defined in this document are:</t>
      <figure anchor="tab-ops-overview">
        <name>Operations Defined in This Document</name>
        <artwork><![CDATA[
+==========+============+=========+==============+=================+
| Opera-   | Category   | Client  | Request      | Response        |
| tion     |            | Authen- | Media Type   | Media Type      |
|          |            | tica-   |              |                 |
|          |            | tion    |              |                 |
+==========+============+=========+==============+=================+
| caps     | Capability | No      | (none)       | text/plain      |
|          | discovery  |         |              |                 |
+----------+------------+---------+--------------+-----------------+
| cacert   | CA cert.   | No      | (none)       | application/    |
|          | retrieval  |         |              | cose-c509-      |
|          |            |         |              | cert+cbor       |
+----------+------------+---------+--------------+-----------------+
| cacerts  | CA cert.   | No      | (none)       | application/    |
|          | chain      |         |              | cose-c509+cbor; |
|          | retrieval  |         |              | usage=chain     |
+----------+------------+---------+--------------+-----------------+
| crlinfo  | CRL        | No      | (none)       | application/    |
|          | metadata   |         |              | c509-crlinfo    |
|          | retrieval  |         |              | +cbor           |
+----------+------------+---------+--------------+-----------------+
| crl      | CRL        | No      | (none)       | application/    |
|          | retrieval  | No      |              | c509-crl+cbor   |
+----------+------------+---------+--------------+-----------------+
| csrattrs | CSR        | No      | (none)       | application/    |
|          | attributes |         |              | cose-c509-      |
|          | retrieval  |         |              | crtemplate+cbor |
+----------+------------+---------+--------------+-----------------+
| kemchall | KEM        | Yes     | application/ | application/    |
|          | challenge  |         | c509-pubkey  | cbor            |
|          | issuance   |         | +cbor        |                 |
+----------+------------+---------+--------------+-----------------+
| simple   | Cert.      | Yes     | application/ | application/    |
| enroll   | enrollment |         | cose-c509-   | cose-c509-       |
|          |            |         | pkcs10+cbor  | cert+cbor      |
+----------+------------+---------+--------------+-----------------+
| simple   | Cert. re-  | Yes     | application/ | application/    |
| reenroll | enrollment |         | cose-c509-   | cose-c509-      |
|          |            |         | pkcs10+cbor  | cert+cbor       |
+----------+------------+---------+--------------+-----------------+
| server   | Server-side| Yes     | application/ | application/    |
| keygen   | key        |         | cose-c509-   | cose-c509-      |
|          | generation |         | pkcs10+cbor  | pem+cbor        |
+----------+------------+---------+--------------+-----------------+
]]></artwork>
      </figure>
    </section>
    <section anchor="conventions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>The following terms are used in this document:</t>
      <dl>
        <dt>EST client:</dt>
        <dd>
          <t>The entity that contacts the EST server to obtain certificates or CA information, as defined in <xref section="1" sectionFormat="comma" target="RFC7030"/>.</t>
        </dd>
        <dt>EST server:</dt>
        <dd>
          <t>The entity that processes EST requests, typically acting as an RA between the EST client and the CA, as defined in <xref section="1" sectionFormat="comma" target="RFC7030"/>.</t>
        </dd>
        <dt>CA:</dt>
        <dd>
          <t>Certification Authority.  The entity that issues C509 certificates.</t>
        </dd>
        <dt>C509 CSR:</dt>
        <dd>
          <t>C509 Certification Request.  A CBOR-encoded certification request used by an EST client to request issuance of a C509 certificate.</t>
        </dd>
        <dt>PoP:</dt>
        <dd>
          <t>Proof of Possession.  Verification that the requester holds the private key corresponding to the public key in the C509 CSR.</t>
        </dd>
      </dl>
    </section>
    <section anchor="c509-csr">
      <name>C509 Certification Request (C509 CSR)</name>
      <t>A C509 CSR is a CBOR-encoded certification request used to request issuance of a C509 certificate.  It is the C509 analogue of the PKCS#10 CSR <xref target="RFC2986"/> used in standard EST operations.</t>
      <t>This document uses <tt>C509CertificationRequest</tt> as defined in <xref section="4" sectionFormat="comma" target="I-D.ietf-cose-cbor-encoded-cert"/>.  An EST client sends a C509 CSR to request certificate issuance or re-enrollment. The media type is <tt>application/cose-c509-pkcs10+cbor</tt>.</t>
      <t>For server-side key generation requests (<xref target="serverkeygen"/>), the EST client does not possess the private key and does not know the public key that the EST server will generate.  In this case, the <tt>subjectPublicKeyAlgorithm</tt> in <tt>TBSCertificationRequest</tt> <bcp14>MUST</bcp14> be set to the integer code for <tt>empty-publickey</tt> (see <xref target="empty-publickey"/>) and <tt>subjectPublicKey</tt> <bcp14>MUST</bcp14> be an empty byte string (<tt>h''</tt>).  Because no private/public key is available, no PoP signature can be computed/verified: the <tt>signatureAlgorithm</tt> <bcp14>MUST</bcp14> be set to the <tt>id-alg-unsigned</tt> integer code and <tt>signatureValue</tt> <bcp14>MUST</bcp14> be a zero-length byte string.  EST servers <bcp14>MUST</bcp14> accept C509 CSRs using <tt>empty-publickey</tt> and <tt>id-alg-unsigned</tt> for <tt>serverkeygen</tt> requests and <bcp14>MUST NOT</bcp14> verify a PoP signature in this case.</t>
      <section anchor="empty-publickey">
        <name>empty-publickey Algorithm</name>
        <t>This document defines a new C509 public key algorithm, <tt>empty-publickey</tt>, to be used exclusively in C509 CSRs for <tt>serverkeygen</tt> requests to indicate that no public key is available in the CSR.</t>
        <t>The <tt>empty-publickey</tt> algorithm code (TBD1) <bcp14>MUST NOT</bcp14> appear in C509 certificates.  It is only valid in the <tt>subjectPublicKeyAlgorithm</tt> field of <tt>TBSCertificationRequest</tt> when the corresponding <tt>subjectPublicKey</tt> is an empty byte string (<tt>h''</tt>).  EST servers <bcp14>MUST</bcp14> reject any C509 CSR using <tt>empty-publickey</tt> in a <tt>simpleenroll</tt> or <tt>simplereenroll</tt> request.</t>
      </section>
      <section anchor="change-subject-name">
        <name>CRAttribute ChangeSubjectName</name>
        <t>The ChangeSubjectName for X.509 PKI is defined in <xref target="RFC6402"/>. The corresponding definition for C509 certification request is a CBOR-array consisting of a <tt>subject</tt> and a <tt>subjectAlt</tt>. At least one of <tt>subject</tt> and <tt>subjectAlt</tt> <bcp14>MUST NOT</bcp14> be <tt>null</tt>.</t>
        <sourcecode type="cddl" name="c509est.cddl"><![CDATA[
ChangeSubjectName = [
  subject     C509Name / null,
  subjectAlt  SubjectAltName / null
]
]]></sourcecode>
        <t>This CRAttribute <bcp14>MAY</bcp14> be included in a <tt>simplereenroll</tt> request to change the <tt>Subject</tt> field and/or the <tt>SubjectAltName</tt> extension in the newly generated certificate.</t>
      </section>
      <section anchor="proof-of-possession">
        <name>Proof of Possession</name>
        <t><tt>simpleenroll</tt> and <tt>simplereenroll</tt> <bcp14>MUST</bcp14> verify the PoP signature in the C509 CSR before issuing a certificate.  The <tt>serverkeygen</tt> operation does not require PoP verification because the EST server generates the key pair itself.</t>
        <section anchor="c509pubkey">
          <name>C509PublicKey</name>
          <t>A <tt>C509PublicKey</tt> contains a subject public key in the C509 encoding.  It uses the same field types as <tt>TbsCertificate</tt> in <xref target="I-D.ietf-cose-cbor-encoded-cert"/> and is defined as:</t>
          <artwork name="c509est.cddl"><![CDATA[
C509PublicKey = [
  subjectPublicKeyAlgorithm : AlgorithmIdentifier,
  subjectPublicKey          : Defined
]
]]></artwork>
          <t>The <tt>subjectPublicKeyAlgorithm</tt> field uses the full <tt>AlgorithmIdentifier</tt> encoding as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>, without limitation.
The <tt>subjectPublicKey</tt> field uses the same encoding as in C509 certificates: for most algorithms it is a CBOR byte string, but for RSA public keys it is encoded as an array of two unwrapped CBOR unsigned bignums <tt>[~biguint, ~biguint]</tt> when the exponent is not 65537, as specified in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
          <t>The media type of <tt>C509PublicKey</tt> is <tt>application/c509-pubkey+cbor</tt> (see <xref target="iana-c509-pubkey"/>); the corresponding CoAP Content-Format is defined in <xref target="content-format"/>.  The "magic number" is TBD2, using the reserved CBOR tag 55799 and Content-Format TBD3, as described in <xref section="2.2" sectionFormat="comma" target="RFC9277"/>.</t>
        </section>
        <section anchor="pop-kem">
          <name>Proof of Possession for KEM Private Keys</name>
          <t>Some public-key algorithms are KEM-only (key-encapsulation mechanisms) and do not provide a signature operation suitable for the traditional PoP signature carried in a <tt>C509CertificationRequest</tt>.  For CSRs whose <tt>subjectPublicKeyAlgorithm</tt> is a KEM algorithm, an EST server <bcp14>MUST</bcp14> obtain explicit proof that the requester holds the corresponding KEM private key.  This document specifies an interactive KEM challenge–response PoP mechanism.</t>
          <t>The recommended KEM PoP flow is:</t>
          <ul spacing="normal">
            <li>
              <t>Challenge issuance: Upon receipt of a KEM public key (<tt>C509PublicKey</tt>) in the <tt>kemchall</tt> operation, an EST server returns a CBOR-encoded KEM challenge object (<tt>KemChall</tt>) with media type <tt>application/cbor</tt>.</t>
            </li>
          </ul>
          <sourcecode type="cddl" name="c509est.cddl"><![CDATA[
KemChall = [
  keyId         : bstr,
  encapAlg      : int,
  encapsulation : bstr
]
]]></sourcecode>
          <t>In particular:</t>
          <ul spacing="normal">
            <li>
              <t><tt>keyId</tt> is the SHA-256 fingerprint of the CBOR-encoded <tt>C509PublicKey</tt>,</t>
            </li>
            <li>
              <t><tt>encapAlg</tt> is the encapsulation algorithm (TBD: define a new registry or reuse a COSE algorithm), and</t>
            </li>
            <li>
              <t><tt>encapsulation</tt> is the KEM ciphertext produced by encapsulating a freshly generated one-time secret key <tt>S</tt> to the client's KEM public key.</t>
            </li>
          </ul>
          <t>The server <bcp14>MUST</bcp14> retain the challenge state (at least <tt>keyId</tt>, <tt>S</tt>, and the lifetime) for the duration of the challenge.</t>
          <ul spacing="normal">
            <li>
              <t>Client decapsulation and response: The client decapsulates <tt>encapsulation</tt> to recover the one-time secret key <tt>S</tt>.  The client computes a MAC value over the CBOR-encoded <tt>TBSCertificationRequest</tt> with the key <tt>S</tt>.  The client then submits a follow-up operation as usual.</t>
            </li>
            <li>
              <t>Server verification: The server computes the <tt>keyId</tt>, retrieves the challenge state for that <tt>keyId</tt>, and verifies that the state is still within its validity period.  The server then derives <tt>K</tt> from <tt>S</tt> and verifies the received <tt>mac</tt> against the saved <tt>TBSCertificationRequest</tt>.  The server proceeds with certificate issuance as for signature-based PoP.  If verification fails or the challenge has expired, the server <bcp14>MUST</bcp14> reject the request.</t>
            </li>
          </ul>
          <t>Implementations <bcp14>SHOULD</bcp14> use HMAC-SHA256 (with integer value TBD4) by default, unless constrained by the KEM's security requirements.  Servers <bcp14>MUST</bcp14> enforce challenge timeouts and retry limits to mitigate replay and denial-of-service risks.</t>
          <t>IANA is requested to register MAC algorithms to be used in <tt>C509CertificationRequest</tt> (<xref target="iana-sigalg"/>).</t>
        </section>
      </section>
    </section>
    <section anchor="est-url-structure">
      <name>EST URL Structure and Path Components</name>
      <t>The operations in this document follow the same URI path structure defined in <xref section="3.2.2" sectionFormat="comma" target="RFC7030"/>.  Retrieval operations (<tt>caps</tt>, <tt>cacert</tt>, <tt>cacerts</tt>, <tt>crlinfo</tt>, <tt>crl</tt>) use HTTP GET:</t>
      <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<operation>
Request target: /.well-known/cest/<label>/<operation>
]]></artwork>
      <t>Enrollment operations (<tt>kemchall</tt>, <tt>simpleenroll</tt>, <tt>simplereenroll</tt>, <tt>serverkeygen</tt>) use HTTP POST:</t>
      <artwork><![CDATA[
Method: POST
Request target: /.well-known/cest/<operation>
Request target: /.well-known/cest/<label>/<operation>
]]></artwork>
      <t>An EST server <bcp14>MUST</bcp14> return HTTP 405 (Method Not Allowed) if a client uses POST for a retrieval operation or GET for an enrollment operation.</t>
      <t>The optional <tt>&lt;label&gt;</tt> path segment follows <xref section="3.2.2" sectionFormat="comma" target="RFC7030"/>: an EST server <bcp14>MAY</bcp14> use an additional path segment before the operation name to distinguish services for multiple CAs or certificate profiles.</t>
      <section anchor="cbor-transfer">
        <name>CBOR Transfer</name>
        <t>All POST request bodies in this document are CBOR-encoded.  CBOR-based response bodies are base64-encoded for transport.  The CBOR encoding <bcp14>MUST</bcp14> be deterministic as specified in Sections <xref target="RFC8949" section="4.2.1" sectionFormat="bare"/> and <xref target="RFC8949" section="4.2.2" sectionFormat="bare"/> of <xref target="RFC8949"/>.  Servers <bcp14>MUST NOT</bcp14> include a <tt>Content-Transfer-Encoding</tt> header for CBOR payloads.</t>
        <t>The media types used in this document are:</t>
        <table anchor="tab-media-types">
          <name>Media Types Used in This Document</name>
          <thead>
            <tr>
              <th align="left">Media Type</th>
              <th align="left">Structure</th>
              <th align="left">Defined in</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">application/cose-c509-cert+cbor</td>
              <td align="left">C509Certificate (single certificate)</td>
              <td align="left">
                <xref target="I-D.ietf-cose-cbor-encoded-cert"/></td>
            </tr>
            <tr>
              <td align="left">application/cose-c509+cbor;usage=chain</td>
              <td align="left">COSE_C509</td>
              <td align="left">
                <xref target="I-D.ietf-cose-cbor-encoded-cert"/></td>
            </tr>
            <tr>
              <td align="left">application/cose-c509-pkcs10+cbor</td>
              <td align="left">C509CertificationRequest</td>
              <td align="left">
                <xref target="I-D.ietf-cose-cbor-encoded-cert"/></td>
            </tr>
            <tr>
              <td align="left">application/c509-pubkey+cbor</td>
              <td align="left">C509PublicKey</td>
              <td align="left">this document</td>
            </tr>
            <tr>
              <td align="left">application/cbor</td>
              <td align="left">KemChall</td>
              <td align="left">this document</td>
            </tr>
            <tr>
              <td align="left">application/cose-c509-crtemplate+cbor</td>
              <td align="left">C509CertificationRequestTemplate</td>
              <td align="left">
                <xref target="I-D.ietf-cose-cbor-encoded-cert"/></td>
            </tr>
            <tr>
              <td align="left">application/cose-c509-pem+cbor</td>
              <td align="left">C509PEM (key + cert)</td>
              <td align="left">
                <xref target="I-D.ietf-cose-cbor-encoded-cert"/></td>
            </tr>
            <tr>
              <td align="left">application/c509-crl+cbor</td>
              <td align="left">C509CRL</td>
              <td align="left">
                <xref target="I-D.liao-cose-c509-revocation"/></td>
            </tr>
            <tr>
              <td align="left">application/c509-crlinfo+cbor</td>
              <td align="left">C509CRLInfo</td>
              <td align="left">
                <xref target="I-D.liao-cose-c509-revocation"/></td>
            </tr>
          </tbody>
        </table>
        <t>The <tt>caps</tt> operation returns <tt>text/plain</tt> with a list of capability keywords.</t>
      </section>
    </section>
    <section anchor="caps-section">
      <name>EST Server Capability Discovery</name>
      <section anchor="caps">
        <name>caps</name>
        <t>The <tt>caps</tt> operation allows an EST client to discover which C509-specific operations the EST server supports before invoking them.  EST clients and EST servers <bcp14>MUST</bcp14> support <tt>caps</tt>.</t>
        <section anchor="caps-request">
          <name>Request</name>
          <t>The EST client sends a GET request for the server's C509 capability list.  No request body is sent.  The EST server <bcp14>SHOULD NOT</bcp14> require client authentication for this operation.</t>
          <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<label>/caps
]]></artwork>
        </section>
        <section anchor="caps-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>text/plain</tt></t>
            </li>
            <li>
              <t>Body: A plain-text list of capability keywords, one keyword per line.  The EST server <bcp14>MUST</bcp14> terminate each line with <tt>&lt;CR&gt;&lt;LF&gt;</tt>.  The EST client <bcp14>MUST</bcp14> be able to parse lines terminated by <tt>&lt;CR&gt;&lt;LF&gt;</tt>, <tt>&lt;CR&gt;</tt>, or <tt>&lt;LF&gt;</tt>.  Keywords are unquoted and case-insensitive.</t>
            </li>
          </ul>
          <t>The following keywords are defined.  An EST server <bcp14>MUST</bcp14> include a keyword in the <tt>caps</tt> response if and only if it supports the corresponding operation.</t>
          <table anchor="tab-caps-keywords">
            <name>caps Keywords Defined in This Document</name>
            <thead>
              <tr>
                <th align="left">Keyword</th>
                <th align="left">Description</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">
                  <tt>cacert</tt></td>
                <td align="left">EST server supports <tt>cacert</tt> (<xref target="cacert"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>cacerts</tt></td>
                <td align="left">EST server supports <tt>cacerts</tt> (<xref target="cacerts"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>crlinfo</tt></td>
                <td align="left">EST server supports <tt>crlinfo</tt> (<xref target="crlinfo"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>crl</tt></td>
                <td align="left">EST server supports <tt>crl</tt> (<xref target="crl"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>csrattrs</tt></td>
                <td align="left">EST server supports <tt>csrattrs</tt> (<xref target="csrattrs"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>kemchall</tt></td>
                <td align="left">EST server supports <tt>kemchall</tt> (<xref target="kemchall"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>simpleenroll</tt></td>
                <td align="left">EST server supports <tt>simpleenroll</tt> (<xref target="simpleenroll"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>simplereenroll</tt></td>
                <td align="left">EST server supports <tt>simplereenroll</tt> (<xref target="simplereenroll"/>)</td>
              </tr>
              <tr>
                <td align="left">
                  <tt>serverkeygen</tt></td>
                <td align="left">EST server supports <tt>serverkeygen</tt> (<xref target="serverkeygen"/>)</td>
              </tr>
            </tbody>
          </table>
          <t>An EST client that receives an HTTP error response to a <tt>caps</tt> request <bcp14>MUST NOT</bcp14> attempt the operations defined in this document.</t>
          <t>Example response:</t>
          <artwork><![CDATA[
cacert
cacerts
crlinfo
crl
csrattrs
kemchall
simpleenroll
simplereenroll
serverkeygen
]]></artwork>
        </section>
      </section>
      <section anchor="csrattrs">
        <name>csrattrs</name>
        <t>The <tt>csrattrs</tt> operation returns a <tt>C509CertificationRequestTemplate</tt> that an EST client <bcp14>MAY</bcp14> use to construct a C509 CSR.</t>
        <section anchor="csrattrs-request">
          <name>Request</name>
          <t>The EST client sends a GET request for the CSR template.  No request body is sent.  The EST server <bcp14>SHOULD NOT</bcp14> require client authentication for this operation.</t>
          <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<label>/csrattrs
]]></artwork>
        </section>
        <section anchor="csrattrs-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cose-c509-crtemplate+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>C509CertificationRequestTemplate</tt> as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
            </li>
          </ul>
          <t>An HTTP response code of 204 or 404 indicates that CSR attributes are not available.</t>
        </section>
      </section>
    </section>
    <section anchor="ca-certificates">
      <name>Distribution of CA Certificates</name>
      <section anchor="cacert">
        <name>cacert</name>
        <t>The <tt>cacert</tt> operation returns the issuing CA certificate for the requested EST service as a single base64-encoded CBOR <tt>C509Certificate</tt>.</t>
        <section anchor="cacert-request">
          <name>Request</name>
          <t>The EST client sends a GET request for the CA certificate.  No request body is sent.  The EST server <bcp14>SHOULD NOT</bcp14> require client authentication for this operation.</t>
          <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<label>/cacert
]]></artwork>
        </section>
        <section anchor="cacert-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cose-c509-cert+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>C509Certificate</tt> for the issuing CA, as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
            </li>
          </ul>
          <t>The response body contains exactly one C509 certificate.</t>
          <t>Successful <tt>cacert</tt> responses <bcp14>SHOULD</bcp14> include HTTP caching metadata.  EST servers <bcp14>SHOULD</bcp14> include <tt>ETag</tt>, <tt>Last-Modified</tt>, <tt>Cache-Control</tt>, and <tt>Expires</tt> headers when the certificate lifetime provides a meaningful freshness bound.</t>
        </section>
      </section>
      <section anchor="cacerts">
        <name>cacerts</name>
        <t>The <tt>cacerts</tt> operation returns the CA certificate chain for the requested EST service as a CBOR sequence of C509 certificates.</t>
        <section anchor="cacerts-request">
          <name>Request</name>
          <t>The EST client sends a GET request for the CA certificate chain.  No request body is sent.  The EST server <bcp14>SHOULD NOT</bcp14> require client authentication for this operation.</t>
          <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<label>/cacerts
]]></artwork>
        </section>
        <section anchor="cacerts-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cose-c509+cbor;usage=chain</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>COSE_C509</tt> representing an ordered certificate chain.  The first element is the issuing CA certificate; subsequent elements are intermediate and root CA certificates in chain order. If a Root CA key update applies, the EST server <bcp14>SHOULD</bcp14> include the three "Root CA Key Update" certificates OldWithOld, OldWithNew, and NewWithOld in the response chain.  These are defined in <xref section="4.4" sectionFormat="comma" target="RFC9810"/>.</t>
            </li>
          </ul>
          <t>Successful <tt>cacerts</tt> responses <bcp14>SHOULD</bcp14> include HTTP caching metadata.</t>
        </section>
      </section>
    </section>
    <section anchor="crl-operations">
      <name>Distribution of C509 CRLs</name>
      <t>The <tt>crlinfo</tt> and <tt>crl</tt> operations provide C509 CRL access.  The C509 CRL format is defined in <xref target="I-D.liao-cose-c509-revocation"/>.</t>
      <section anchor="crlinfo">
        <name>crlinfo</name>
        <t>The <tt>crlinfo</tt> operation returns metadata about the current C509 CRL for the target CA as a <tt>C509CRLInfo</tt> object without the full revocation list.  This enables an EST client to check whether its locally cached CRL is still current before requesting the full <tt>crl</tt>.  <tt>C509CRLInfo</tt> is defined in <xref target="I-D.liao-cose-c509-revocation"/>.</t>
        <section anchor="crlinfo-request">
          <name>Request</name>
          <t>The EST client sends a GET request for CRL metadata.  No request body is sent.  The EST server <bcp14>SHOULD NOT</bcp14> require client authentication for this operation.</t>
          <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<label>/crlinfo
Request target: /.well-known/cest/<label>/crlinfo
                [?crlnumber=<n>][&crldp=<dp>]
]]></artwork>
          <t>The optional <tt>crlnumber</tt> query parameter carries the decimal representation of the CRL number the client is interested in.  When present, the EST server <bcp14>MUST</bcp14> return the <tt>C509CRLInfo</tt> for the CRL with that exact <tt>crlNumber</tt>.  If no CRL with the requested <tt>crlnumber</tt> is available, the EST server <bcp14>MUST</bcp14> return HTTP status 404 (Not Found).  When <tt>crlnumber</tt> is absent, the server returns the <tt>C509CRLInfo</tt> for the most recent CRL.</t>
          <t>The optional <tt>crldp</tt> query parameter carries the CRL Distribution Point identifier.  When present, the EST server <bcp14>MUST</bcp14> return the <tt>C509CRLInfo</tt> for the CRL associated with that distribution point.  When both <tt>crlnumber</tt> and <tt>crldp</tt> are present, the server <bcp14>MUST</bcp14> return the <tt>C509CRLInfo</tt> matching both criteria.</t>
        </section>
        <section anchor="crlinfo-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/c509-crlinfo+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>C509CRLInfo</tt> as defined in <xref target="I-D.liao-cose-c509-revocation"/>.</t>
            </li>
          </ul>
          <t><tt>C509CRLInfo</tt> carries all CRL fields from <tt>C509CRLInfoData</tt> — including <tt>crlType</tt>, <tt>signatureAlgorithm</tt>, <tt>authoritySubject</tt>, <tt>authorityKeyIdentifier</tt>, <tt>crlNumber</tt>, <tt>thisUpdate</tt>, <tt>nextUpdate</tt>, <tt>baseCrlNumber</tt>, and <tt>crlExtensions</tt> — without the <tt>revokedCertsList</tt>.  An EST client can use these fields to compare <tt>crlNumber</tt>, <tt>nextUpdate</tt>, or compute a freshness check against its local cache before deciding whether to download the full <tt>C509CRL</tt> via <tt>crl</tt>.</t>
          <t>If no matching CRL is available, the EST server <bcp14>MUST</bcp14> return HTTP status 404 (Not Found).</t>
        </section>
      </section>
      <section anchor="crl">
        <name>crl</name>
        <t>The <tt>crl</tt> operation returns the C509 CRL for the target CA.</t>
        <section anchor="crl-request">
          <name>Request</name>
          <t>The EST client sends a GET request for the C509 CRL.  No request body is sent.  The EST server <bcp14>SHOULD NOT</bcp14> require client authentication for this operation.</t>
          <artwork><![CDATA[
Method: GET
Request target: /.well-known/cest/<label>/crl
Request target: /.well-known/cest/<label>/crl
                [?crlnumber=<n>][&crldp=<dp>]
]]></artwork>
          <t>The optional <tt>crlnumber</tt> query parameter carries the decimal representation of the CRL number.  When present, the EST server <bcp14>MUST</bcp14> return the full <tt>C509CRL</tt> with that exact <tt>crlNumber</tt>.  When <tt>crlnumber</tt> is absent, the server returns the most recent CRL.</t>
          <t>The optional <tt>crldp</tt> query parameter carries the CRL Distribution Point identifier.  When present, the EST server <bcp14>MUST</bcp14> return the full <tt>C509CRL</tt> for the CRL associated with that distribution point.  When both <tt>crlnumber</tt> and <tt>crldp</tt> are present, the server <bcp14>MUST</bcp14> return the <tt>C509CRL</tt> matching both criteria.</t>
          <t>If no matching CRL is available, the EST server <bcp14>MUST</bcp14> return HTTP status 404 (Not Found).</t>
        </section>
        <section anchor="crl-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/c509-crl+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>C509CRL</tt> as defined in <xref target="I-D.liao-cose-c509-revocation"/>.</t>
            </li>
          </ul>
          <t>Successful <tt>crl</tt> responses <bcp14>SHOULD</bcp14> include HTTP caching metadata.  When present, <tt>Last-Modified</tt> <bcp14>SHOULD</bcp14> reflect the CRL <tt>thisUpdate</tt> value, and when <tt>nextUpdate</tt> is present, <tt>Expires</tt> <bcp14>SHOULD</bcp14> reflect <tt>thisUpdate + nextUpdate</tt>.</t>
          <t>If no matching CRL is available, the EST server <bcp14>MUST</bcp14> return HTTP status 404 (Not Found).</t>
        </section>
      </section>
    </section>
    <section anchor="enrollment-ops">
      <name>Certificate Enrollment Operations</name>
      <section anchor="enrollment-auth">
        <name>Client Authentication</name>
        <t>The enrollment operations defined in this section (<tt>kemchall</tt>, simpleenroll<tt>, </tt>simplereenroll<tt>, and </tt>serverkeygen`) require client authentication.  The client authentication requirements are unchanged from <xref target="RFC7030"/>.  EST clients and EST servers <bcp14>MUST</bcp14> follow <xref section="3.2.3" sectionFormat="comma" target="RFC7030"/> and <xref section="3.3.2" sectionFormat="comma" target="RFC7030"/> for client authentication, respectively.</t>
      </section>
      <section anchor="kemchall">
        <name>kemchall</name>
        <t>The <tt>kemchall</tt> operation requests a KEM-based Proof-of-Possession challenge for a submitted C509 public key whose <tt>subjectPublicKeyAlgorithm</tt> is a KEM algorithm.</t>
        <section anchor="kemchall-request">
          <name>Request</name>
          <t>An authenticated EST client sends a POST request containing a <tt>C509PublicKey</tt> (<xref target="c509pubkey"/>) to request a KEM challenge.</t>
          <artwork><![CDATA[
Method: POST
Request target: /.well-known/cest/<label>/kemchall
Media type: application/c509-pubkey+cbor

<Base64-encoded C509PublicKey>
]]></artwork>
          <t>If the request does not contain a KEM public key, the EST server <bcp14>MUST</bcp14> return HTTP 400 (Bad Request).  If the server supports KEM PoP for the submitted algorithm, it issues a challenge; otherwise, it <bcp14>MUST</bcp14> return HTTP 501 (Not Implemented).</t>
        </section>
        <section anchor="kemchall-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>KemChall</tt> (<xref target="pop-kem"/>).</t>
            </li>
          </ul>
          <t>A client that receives a <tt>KemChall</tt> uses the recovered one-time secret key to produce the PoP MAC and then proceeds with a normal enrollment request (<tt>simpleenroll</tt> or <tt>simplereenroll</tt>) including the computed MAC in the request (see <xref target="pop-kem"/> for the PoP flow). The EST server verifies the MAC using the stored challenge state and issues the certificate on success.</t>
        </section>
      </section>
      <section anchor="simpleenroll">
        <name>simpleenroll</name>
        <t>The <tt>simpleenroll</tt> operation requests issuance of a new C509 certificate from the EST server.</t>
        <section anchor="simpleenroll-request">
          <name>Request</name>
          <t>An authenticated EST client sends a POST request containing a C509 CSR (<xref target="c509-csr"/>).</t>
          <artwork><![CDATA[
Method: POST
Request target: /.well-known/cest/<label>/simpleenroll
Media type: application/cose-c509-pkcs10+cbor

<Base64-encoded C509CertificationRequest>
]]></artwork>
          <t>The <tt>C509CertificationRequest</tt> <bcp14>MUST</bcp14> include a valid PoP signature.  The EST server <bcp14>MUST</bcp14> verify the PoP signature against the public key in the C509 CSR before issuing a certificate, as required by <xref section="3.4" sectionFormat="comma" target="RFC7030"/>.</t>
        </section>
        <section anchor="simpleenroll-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cose-c509-cert+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>C509Certificate</tt> issued for the subject in the C509 CSR, as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="simplereenroll">
        <name>simplereenroll</name>
        <t>The <tt>simplereenroll</tt> operation renews or rekeys an existing C509 certificate.</t>
        <section anchor="simplereenroll-request">
          <name>Request</name>
          <t>An authenticated EST client sends a POST request containing a C509 CSR for re-enrollment.  The request Subject field and SubjectAltName extension <bcp14>MUST</bcp14> be identical to the corresponding fields in the certificate being renewed or rekeyed.</t>
          <t>The <tt>ChangeSubjectName</tt> attribute defined in <xref target="change-subject-name"/> <bcp14>MAY</bcp14> be included in the CSR to request that these fields be changed in the new certificate.</t>
          <artwork><![CDATA[
Method: POST
Request target: /.well-known/cest/<label>/simplereenroll
Media type: application/cose-c509-pkcs10+cbor

<Base64-encoded C509CertificationRequest>
]]></artwork>
          <t>Re-enrollment processing follows <xref section="4.2.2" sectionFormat="comma" target="RFC7030"/>.  The EST server <bcp14>MUST</bcp14> verify the PoP signature in the C509 CSR.</t>
        </section>
        <section anchor="simplereenroll-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cose-c509-cert+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded renewed <tt>C509Certificate</tt>, as defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="serverkeygen">
        <name>serverkeygen</name>
        <t>The <tt>serverkeygen</tt> operation requests server-side key generation and returns the generated private key and the issued C509 certificate.</t>
        <t>As discussed in <xref section="9" sectionFormat="comma" target="RFC9148"/>, transporting private keys generated by the EST server is inherently risky. The use of server-generated private keys increases the risk of digital identity theft. Therefore, implementations <bcp14>SHOULD NOT</bcp14> use EST functions that rely on server-generated private keys.</t>
        <section anchor="serverkeygen-request">
          <name>Request</name>
          <t>An authenticated EST client sends a POST request containing a C509 CSR.  The <tt>subjectPublicKeyAlgorithm</tt> in the C509 CSR <bcp14>SHOULD</bcp14> be set to <tt>empty-publickey</tt> (<xref target="empty-publickey"/>) and <tt>subjectPublicKey</tt> <bcp14>SHOULD</bcp14> be an empty byte string (<tt>h''</tt>), because the key pair is generated by the EST server.  The <tt>signatureAlgorithm</tt> <bcp14>SHOULD</bcp14> be the <tt>id-alg-unsigned</tt> integer code and <tt>signatureValue</tt> <bcp14>SHOULD</bcp14> be a zero-length byte string.  EST servers <bcp14>MUST</bcp14> accept C509 CSRs that use <tt>empty-publickey</tt> and <tt>id-alg-unsigned</tt> for <tt>serverkeygen</tt> and <bcp14>MUST NOT</bcp14> verify a PoP signature in this case.</t>
          <artwork><![CDATA[
Method: POST
Request target: /.well-known/cest/<label>/serverkeygen
Media type: application/cose-c509-pkcs10+cbor

<Base64-encoded C509CertificationRequest>
]]></artwork>
        </section>
        <section anchor="serverkeygen-response">
          <name>Response</name>
          <t>On success, the EST server returns a 200 response with:</t>
          <ul spacing="normal">
            <li>
              <t>Media type: <tt>application/cose-c509-pem+cbor</tt></t>
            </li>
            <li>
              <t>Body: A base64-encoded <tt>C509PEM</tt>.</t>
            </li>
          </ul>
          <t>The <tt>C509CertData</tt> field in the <tt>C509PEM</tt> <bcp14>MUST</bcp14> contain only the issued C509 certificate for the generated key pair.</t>
          <t>The EST server <bcp14>SHOULD</bcp14> delete the private key from its storage as soon as the response has been transmitted successfully, unless the deployment policy requires retention for key escrow or disaster recovery (see <xref target="security"/>).  The private key is protected only by the TLS channel; no additional encryption is applied.</t>
        </section>
      </section>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <t>The security requirements of <xref target="RFC7030"/> apply in full to all operations defined in this document.</t>
      <section anchor="transport-security">
        <name>Transport Security</name>
        <t>All operations defined in this document <bcp14>MUST</bcp14> be carried out over HTTPS (HTTP over TLS) as required by <xref section="3" sectionFormat="comma" target="RFC7030"/>.  Implementations <bcp14>MUST NOT</bcp14> fall back to plain HTTP.</t>
        <t>EST clients and servers <bcp14>SHOULD</bcp14> use C509 certificates <xref target="I-D.ietf-cose-cbor-encoded-cert"/> for TLS authentication when both peers support C509.  This enables end-to-end C509 usage, including the TLS handshake itself, and reduces size and parsing overhead consistently.  EST servers <bcp14>MUST</bcp14> continue to accept X.509 certificates <xref target="RFC5280"/> for TLS client authentication for interoperability with clients that do not yet support C509.</t>
        <section anchor="tls-certificate-type-negotiation">
          <name>TLS Certificate Type Negotiation</name>
          <t>When C509 certificates are used for TLS authentication, the client and server negotiate the certificate type using the <tt>server_certificate_type</tt> and <tt>client_certificate_type</tt> TLS extensions as defined in <xref target="RFC7250"/>.</t>
        </section>
        <section anchor="client-authentication">
          <name>Client Authentication</name>
          <t>The <tt>caps</tt>, <tt>cacert</tt>, <tt>cacerts</tt>, <tt>crlinfo</tt>, and <tt>crl</tt> operations <bcp14>SHOULD NOT</bcp14> require client authentication, consistent with <xref section="4.1.2" sectionFormat="comma" target="RFC7030"/>.  The <tt>kemchall</tt>, <tt>simpleenroll</tt>, <tt>simplereenroll</tt>, and <tt>serverkeygen</tt> operations <bcp14>MUST</bcp14> require client authentication.</t>
        </section>
      </section>
      <section anchor="server-key-generation">
        <name>Server Key Generation</name>
        <t>The <tt>serverkeygen</tt> operation delivers a generated private key to the EST client over TLS.  EST servers <bcp14>SHOULD</bcp14> delete the private key after successful transmission.  EST clients <bcp14>MUST</bcp14> store the key material securely immediately upon receipt.</t>
        <t>As discussed in <xref section="9" sectionFormat="comma" target="RFC9148"/>, transporting private keys generated by the EST server is inherently risky. The use of server-generated private keys increases the risk of digital identity theft. Therefore, implementations <bcp14>SHOULD NOT</bcp14> use EST functions that rely on server-generated private keys.</t>
      </section>
      <section anchor="c509-certificate-validation">
        <name>C509 Certificate Validation</name>
        <t>EST clients <bcp14>MUST</bcp14> validate received C509 certificates against an independently configured trust anchor according to <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.  The trust model for C509 certificates differs from classical X.509 certificate chain validation when C509 is used in the HyPKI trust architecture; in that case, validation uses the cosigner-signed Merkle tree or signed allowlist rather than a certificate chain.</t>
      </section>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <section anchor="iana-well-known">
        <name>Well-Known URI Registry</name>
        <t>IANA is requested to register the following entry in the "Well-Known URI" registry established by <xref target="RFC8615"/>:</t>
        <table anchor="tab-iana-well-known">
          <name>Well-Known URI Registration for cest</name>
          <thead>
            <tr>
              <th align="left">URI Suffix</th>
              <th align="left">Change Controller</th>
              <th align="left">Reference</th>
              <th align="left">Status</th>
              <th align="left">Related Information</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>cest</tt></td>
              <td align="left">IETF</td>
              <td align="left">This document</td>
              <td align="left">permanent</td>
              <td align="left">C509 EST operations as defined in this document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="iana-pubkey">
        <name>C509 Public Key Algorithms Registry</name>
        <t>IANA is requested to register the following entry in the "C509 Public Key Algorithms" registry under the registry group "CBOR Encoded X.509 (C509)" defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>:</t>
        <table anchor="tab-iana-pubkey">
          <name>empty-publickey Registration</name>
          <thead>
            <tr>
              <th align="left">Field</th>
              <th align="left">Value</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Value</td>
              <td align="left">TBD1</td>
            </tr>
            <tr>
              <td align="left">Name</td>
              <td align="left">empty-publickey</td>
            </tr>
            <tr>
              <td align="left">Identifiers</td>
              <td align="left">N/A</td>
            </tr>
            <tr>
              <td align="left">OID</td>
              <td align="left">N/A</td>
            </tr>
            <tr>
              <td align="left">Parameters</td>
              <td align="left">N/A</td>
            </tr>
            <tr>
              <td align="left">DER</td>
              <td align="left">N/A</td>
            </tr>
            <tr>
              <td align="left">Comments</td>
              <td align="left">Exclusively for use in <tt>subjectPublicKeyAlgorithm</tt> of a <tt>TBSCertificationRequest</tt> for server-side key generation (<tt>serverkeygen</tt>).  <bcp14>MUST NOT</bcp14> appear in C509 certificates.</td>
            </tr>
            <tr>
              <td align="left">Reference</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="iana-sigalg">
        <name>C509 Signature Algorithms Registry</name>
        <t>IANA is requested to register the following entry in the "C509 Signature Algorithms" registry under the registry group "CBOR Encoded X.509 (C509)" defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>:</t>
        <table anchor="tab-iana-sigalg">
          <name>HMAC-SHA256 Registration</name>
          <thead>
            <tr>
              <th align="left">Field</th>
              <th align="left">Value</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Value</td>
              <td align="left">TBD4</td>
            </tr>
            <tr>
              <td align="left">Name</td>
              <td align="left">hmacWithSHA256</td>
            </tr>
            <tr>
              <td align="left">Identifiers</td>
              <td align="left">id-hmacWithSHA256</td>
            </tr>
            <tr>
              <td align="left">OID</td>
              <td align="left">1.2.840.113549.2.9</td>
            </tr>
            <tr>
              <td align="left">Parameters</td>
              <td align="left">N/A</td>
            </tr>
            <tr>
              <td align="left">OID</td>
              <td align="left">06 08 2A 86 48 86 F7 0D 02 09</td>
            </tr>
            <tr>
              <td align="left">Comments</td>
              <td align="left">HMAC over SHA256</td>
            </tr>
            <tr>
              <td align="left">Reference</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="iana-cratttype">
        <name>C509 CR Attributes Registry</name>
        <t>IANA is requested to register the following entry in the "C509 CR Attributes" registry under the registry group "CBOR Encoded X.509 (C509)" defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/>:</t>
        <artwork><![CDATA[
+-------+-----------------------------------------------------------+
| Value | CR Attribute                                              |
+=======+===========================================================+
|  TBD5 | Name:            CMC Change Subject Name                  |
|       | Identifiers:     id-cmc-changeSubjectName                 |
|       | OID:             1.3.6.1.5.5.7.7.36                       |
|       | DER:             06 08 2B 06 01 05 05 07 07 24            |
|       | Comments:        RFC 6402                                 |
|       | attributeValue:  ChangeSubjectName                        |
+-------+-----------------------------------------------------------+
]]></artwork>
        <section anchor="iana-c509-pubkey">
          <name>Media Type application/c509-pubkey+cbor</name>
          <t>When the <tt>application/c509-pubkey+cbor</tt> media type is used, the payload is a <tt>C509PublicKey</tt> structure.</t>
          <t>Type name: application</t>
          <t>Subtype name: c509-pubkey+cbor</t>
          <t>Required parameters: N/A</t>
          <t>Optional parameters: N/A</t>
          <t>Encoding considerations: binary</t>
          <t>Security considerations: See the Security Considerations section of [[this document]].</t>
          <t>Interoperability considerations: N/A</t>
          <t>Published specification: [[this document]]</t>
          <t>Applications that use this media type: Applications that employ C509 public keys.</t>
          <t>Fragment identifier considerations: N/A</t>
          <t>Additional information:</t>
          <ul spacing="normal">
            <li>
              <t>Deprecated alias names for this type: N/A</t>
            </li>
            <li>
              <t>Magic number(s): TBD2</t>
            </li>
            <li>
              <t>File extension(s): .c509</t>
            </li>
            <li>
              <t>Macintosh file type code(s): N/A</t>
            </li>
          </ul>
          <t>Person &amp; email address to contact for further information: iesg@ietf.org</t>
          <t>Intended usage: COMMON</t>
          <t>Restrictions on usage: N/A</t>
          <t>Author: COSE WG</t>
          <t>Change controller: IETF</t>
        </section>
      </section>
      <section anchor="content-format">
        <name>CoAP Content-Formats Registry</name>
        <t>IANA is requested to add entries for "application/c509-pubkey+cbor" to the "CoAP Content-Formats" registry in the registry group "Constrained RESTful Environments (CoRE) Parameters".</t>
        <figure anchor="tab-format-ids">
          <name>CoAP Content-Format IDs</name>
          <artwork><![CDATA[
+----------------------+---------+-----------+-------+------------+
| Content              | Content | Media     | ID    | Reference  |
| Format               | Coding  | Type      |       |            |
+======================+=========+===========+=======+============+
| application/         | -       | [[link    | TBD3  | [[this     |
| c509-pubkey+cbor     |         | to x.y]]  |       | document]] |
+----------------------+---------+-----------+-------+------------+
]]></artwork>
        </figure>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC5652">
          <front>
            <title>Cryptographic Message Syntax (CMS)</title>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <date month="September" year="2009"/>
            <abstract>
              <t>This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="70"/>
          <seriesInfo name="RFC" value="5652"/>
          <seriesInfo name="DOI" value="10.17487/RFC5652"/>
        </reference>
        <reference anchor="RFC6402">
          <front>
            <title>Certificate Management over CMS (CMC) Updates</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="November" year="2011"/>
            <abstract>
              <t>This document contains a set of updates to the base syntax for CMC, a Certificate Management protocol using the Cryptographic Message Syntax (CMS). This document updates RFC 5272, RFC 5273, and RFC 5274.</t>
              <t>The new items in this document are: new controls for future work in doing server side key generation, definition of a Subject Information Access value to identify CMC servers, and the registration of a port number for TCP/IP for the CMC service to run on. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6402"/>
          <seriesInfo name="DOI" value="10.17487/RFC6402"/>
        </reference>
        <reference anchor="RFC7030">
          <front>
            <title>Enrollment over Secure Transport</title>
            <author fullname="M. Pritikin" initials="M." role="editor" surname="Pritikin"/>
            <author fullname="P. Yee" initials="P." role="editor" surname="Yee"/>
            <author fullname="D. Harkins" initials="D." role="editor" surname="Harkins"/>
            <date month="October" year="2013"/>
            <abstract>
              <t>This document profiles certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport. This profile, called Enrollment over Secure Transport (EST), describes a simple, yet functional, certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire client certificates and associated Certification Authority (CA) certificates. It also supports client-generated public/private key pairs as well as key pairs generated by the CA.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7030"/>
          <seriesInfo name="DOI" value="10.17487/RFC7030"/>
        </reference>
        <reference anchor="RFC7250">
          <front>
            <title>Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="P. Wouters" initials="P." role="editor" surname="Wouters"/>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <author fullname="J. Gilmore" initials="J." surname="Gilmore"/>
            <author fullname="S. Weiler" initials="S." surname="Weiler"/>
            <author fullname="T. Kivinen" initials="T." surname="Kivinen"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>This document specifies a new certificate type and two TLS extensions for exchanging raw public keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The new certificate type allows raw public keys to be used for authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7250"/>
          <seriesInfo name="DOI" value="10.17487/RFC7250"/>
        </reference>
        <reference anchor="RFC8615">
          <front>
            <title>Well-Known Uniform Resource Identifiers (URIs)</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <date month="May" year="2019"/>
            <abstract>
              <t>This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes.</t>
              <t>In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8615"/>
          <seriesInfo name="DOI" value="10.17487/RFC8615"/>
        </reference>
        <reference anchor="RFC8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9277">
          <front>
            <title>On Stable Storage for Items in Concise Binary Object Representation (CBOR)</title>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document defines a stored ("file") format for Concise Binary Object Representation (CBOR) data items that is friendly to common systems that recognize file types, such as the Unix file(1) command.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9277"/>
          <seriesInfo name="DOI" value="10.17487/RFC9277"/>
        </reference>
        <reference anchor="RFC9810">
          <front>
            <title>Internet X.509 Public Key Infrastructure -- Certificate Management Protocol (CMP)</title>
            <author fullname="H. Brockhaus" initials="H." surname="Brockhaus"/>
            <author fullname="D. von Oheimb" initials="D." surname="von Oheimb"/>
            <author fullname="M. Ounsworth" initials="M." surname="Ounsworth"/>
            <author fullname="J. Gray" initials="J." surname="Gray"/>
            <date month="July" year="2025"/>
            <abstract>
              <t>This document describes the Internet X.509 Public Key Infrastructure (PKI) Certificate Management Protocol (CMP). Protocol messages are defined for X.509v3 certificate creation and management. CMP provides interactions between client systems and PKI components such as a Registration Authority (RA) and a Certification Authority (CA).</t>
              <t>This document adds support for management of certificates containing a Key Encapsulation Mechanism (KEM) public key and uses EnvelopedData instead of EncryptedValue. This document also includes the updates specified in Section 2 and Appendix A.2 of RFC 9480.</t>
              <t>This document obsoletes RFC 4210, and together with RFC 9811, it also obsoletes RFC 9480. Appendix F of this document updates Section 9 of RFC 5912.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9810"/>
          <seriesInfo name="DOI" value="10.17487/RFC9810"/>
        </reference>
        <reference anchor="I-D.ietf-cose-cbor-encoded-cert">
          <front>
            <title>CBOR Encoded X.509 Certificates (C509 Certificates)</title>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Shahid Raza" initials="S." surname="Raza">
              <organization>University of Glasgow</organization>
            </author>
            <author fullname="Joel Höglund" initials="J." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Martin Furuhed" initials="M." surname="Furuhed">
              <organization>IN Groupe</organization>
            </author>
            <author fullname="Lijun Liao" initials="L." surname="Liao">
              <organization>NIO</organization>
            </author>
            <date day="30" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies a CBOR encoding of X.509 certificates.  The
   resulting certificates are called C509 certificates.  The CBOR
   encoding supports a large subset of RFC 5280 and common certificate
   profiles, and it is extensible.

   Two types of C509 certificates are defined.  One type is an
   invertible CBOR re-encoding of DER-encoded X.509 certificates with
   the signature field copied from the DER encoding.  The other type is
   identical except that the signature is computed over the CBOR
   encoding instead of the DER encoding, thereby avoiding the use of
   ASN.1.  Both types of certificates have the same semantics as X.509
   while providing comparable size reduction.

   This document also specifies CBOR-encoded data structures for
   certification requests and certification request templates, new COSE
   headers, as well as a TLS certificate type and a file format for
   C509.  This document updates RFC 6698 by extending the TLSA selectors
   registry to include C509 certificates.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-20"/>
        </reference>
        <reference anchor="I-D.liao-cose-c509-revocation">
          <front>
            <title>CBOR Encoded Certificate Revocation Management</title>
            <author fullname="Lijun Liao" initials="L." surname="Liao">
              <organization>NIO</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Joel Höglund" initials="J." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Shahid Raza" initials="S." surname="Raza">
              <organization>University of Glasgow</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   This document specifies CBOR-encoded PKI structures for use with C509
   certificates (draft-ietf-cose-cbor-encoded-cert), X.509 certificates
   (RFC 5280), and future certificate types.  It defines C509 CRL and
   C509 OCSP, compact CBOR encodings of X.509 Certificate Revocation
   Lists (RFC 5280) and OCSP messages (RFC 6960), respectively.  The
   structures defined in this document are certificate-type agnostic and
   can be used with C509 certificates, X.509 certificates, or future
   certificate types without modification.  C509 OCSP improves on RFC
   6960 by signing a wider set of fields to prevent algorithm-
   substitution and certificate-chain substitution attacks, replacing
   plaintext serial numbers with hashes to preserve requestor privacy,
   replacing the two-hash issuer identity with a single certificate
   hash, and identifying all participants (requestor, responder, issuer)
   by a uniform certificate hash rather than type-specific fields.  C509
   CRL and C509 OCSP are not wire-format-compatible with their DER-
   encoded X.509 counterparts and cannot be converted to or from them
   without semantic interpretation.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-liao-cose-c509-revocation-00"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC2986">
          <front>
            <title>PKCS #10: Certification Request Syntax Specification Version 1.7</title>
            <author fullname="M. Nystrom" initials="M." surname="Nystrom"/>
            <author fullname="B. Kaliski" initials="B." surname="Kaliski"/>
            <date month="November" year="2000"/>
            <abstract>
              <t>This memo represents a republication of PKCS #10 v1.7 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from the PKCS #9 v2.0 or the PKCS #10 v1.7 document. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2986"/>
          <seriesInfo name="DOI" value="10.17487/RFC2986"/>
        </reference>
        <reference anchor="RFC9148">
          <front>
            <title>EST-coaps: Enrollment over Secure Transport with the Secure Constrained Application Protocol</title>
            <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
            <author fullname="P. Kampanakis" initials="P." surname="Kampanakis"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="S. Raza" initials="S." surname="Raza"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>Enrollment over Secure Transport (EST) is used as a certificate provisioning protocol over HTTPS. Low-resource devices often use the lightweight Constrained Application Protocol (CoAP) for message exchanges. This document defines how to transport EST payloads over secure CoAP (EST-coaps), which allows constrained devices to use existing EST functionality for provisioning certificates.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9148"/>
          <seriesInfo name="DOI" value="10.17487/RFC9148"/>
        </reference>
        <reference anchor="I-D.ietf-ace-coap-est-oscore">
          <front>
            <title>Protecting EST Payloads with OSCORE</title>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Shahid Raza" initials="S." surname="Raza">
              <organization>RISE</organization>
            </author>
            <author fullname="Martin Furuhed" initials="M." surname="Furuhed">
              <organization>Nexus</organization>
            </author>
            <author fullname="Mališa Vučinić" initials="M." surname="Vučinić">
              <organization>Inria</organization>
            </author>
            <date day="2" month="July" year="2026"/>
            <abstract>
              <t>   Enrollment over Secure Transport (EST) is a certificate provisioning
   protocol over HTTPS [RFC7030] or CoAPs [RFC9148].  This document
   specifies how to carry EST over the Constrained Application Protocol
   (CoAP) protected with Object Security for Constrained RESTful
   Environments (OSCORE).  The specification builds on the EST-coaps
   [RFC9148] specification, but uses OSCORE and Ephemeral Diffie-Hellman
   over COSE (EDHOC) instead of DTLS.  The specification also leverages
   the certificate structures defined in
   [I-D.ietf-cose-cbor-encoded-cert], which can be optionally used
   alongside X.509 certificates.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ace-coap-est-oscore-11"/>
        </reference>
      </references>
    </references>
    <?line 737?>

<section anchor="flows">
      <name>Message Flow Diagrams</name>
      <section anchor="flow-caps">
        <name>caps</name>
        <figure anchor="fig-caps">
          <name>caps message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="336" width="432" viewBox="0 0 432 336" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,320" fill="none" stroke="black"/>
                <path d="M 384,48 L 384,320" fill="none" stroke="black"/>
                <path d="M 32,96 L 376,96" fill="none" stroke="black"/>
                <path d="M 32,304 L 376,304" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="384,96 372,90.4 372,101.6" fill="black" transform="rotate(0,376,96)"/>
                <polygon class="arrowhead" points="40,304 28,298.4 28,309.6" fill="black" transform="rotate(180,32,304)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="360" y="36">EST</text>
                  <text x="404" y="36">Server</text>
                  <text x="64" y="68">Method:</text>
                  <text x="112" y="68">GET</text>
                  <text x="64" y="84">Request</text>
                  <text x="128" y="84">target:</text>
                  <text x="268" y="84">/.well-known/cest/&lt;p&gt;/caps</text>
                  <text x="64" y="132">Status:</text>
                  <text x="112" y="132">200</text>
                  <text x="140" y="132">OK</text>
                  <text x="56" y="148">Media</text>
                  <text x="104" y="148">type:</text>
                  <text x="172" y="148">text/plain</text>
                  <text x="60" y="180">cacert</text>
                  <text x="64" y="196">cacerts</text>
                  <text x="64" y="212">crlinfo</text>
                  <text x="48" y="228">crl</text>
                  <text x="68" y="244">kemchall</text>
                  <text x="84" y="260">simpleenroll</text>
                  <text x="92" y="276">simplereenroll</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                 EST Server
  |                                            |
  | Method: GET                                |
  | Request target: /.well-known/cest/<p>/caps |
  |------------------------------------------->|
  |                                            |
  | Status: 200 OK                             |
  | Media type: text/plain                     |
  |                                            |
  | cacert                                     |
  | cacerts                                    |
  | crlinfo                                    |
  | crl                                        |
  | kemchall                                   |
  | simpleenroll                               |
  | simplereenroll                             |
  |                                            |
  |<-------------------------------------------|
  |                                            |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="flow-cacert">
        <name>cacert</name>
        <figure anchor="fig-cacert">
          <name>cacert message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="224" width="456" viewBox="0 0 456 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,208" fill="none" stroke="black"/>
                <path d="M 408,48 L 408,208" fill="none" stroke="black"/>
                <path d="M 32,96 L 400,96" fill="none" stroke="black"/>
                <path d="M 32,192 L 400,192" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="408,96 396,90.4 396,101.6" fill="black" transform="rotate(0,400,96)"/>
                <polygon class="arrowhead" points="40,192 28,186.4 28,197.6" fill="black" transform="rotate(180,32,192)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="384" y="36">EST</text>
                  <text x="428" y="36">Server</text>
                  <text x="64" y="68">Method:</text>
                  <text x="112" y="68">GET</text>
                  <text x="64" y="84">Request</text>
                  <text x="128" y="84">target:</text>
                  <text x="276" y="84">/.well-known/cest/&lt;p&gt;/cacert</text>
                  <text x="64" y="132">Status:</text>
                  <text x="112" y="132">200</text>
                  <text x="140" y="132">OK</text>
                  <text x="56" y="148">Media</text>
                  <text x="104" y="148">type:</text>
                  <text x="256" y="148">application/cose-c509-cert+cbor</text>
                  <text x="96" y="180">&lt;Base64-encoded</text>
                  <text x="228" y="180">C509Certificate&gt;</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                    EST Server
  |                                               |
  | Method: GET                                   |
  | Request target: /.well-known/cest/<p>/cacert  |
  |---------------------------------------------->|
  |                                               |
  | Status: 200 OK                                |
  | Media type: application/cose-c509-cert+cbor   |
  |                                               |
  | <Base64-encoded C509Certificate>              |
  |<----------------------------------------------|
  |                                               |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="flow-cacerts">
        <name>cacerts</name>
        <figure anchor="fig-cacerts">
          <name>cacerts message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="224" width="480" viewBox="0 0 480 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,208" fill="none" stroke="black"/>
                <path d="M 448,48 L 448,208" fill="none" stroke="black"/>
                <path d="M 32,96 L 440,96" fill="none" stroke="black"/>
                <path d="M 32,192 L 440,192" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="448,96 436,90.4 436,101.6" fill="black" transform="rotate(0,440,96)"/>
                <polygon class="arrowhead" points="40,192 28,186.4 28,197.6" fill="black" transform="rotate(180,32,192)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="408" y="36">EST</text>
                  <text x="452" y="36">Server</text>
                  <text x="64" y="68">Method:</text>
                  <text x="112" y="68">GET</text>
                  <text x="64" y="84">Request</text>
                  <text x="128" y="84">target:</text>
                  <text x="280" y="84">/.well-known/cest/&lt;p&gt;/cacerts</text>
                  <text x="64" y="132">Status:</text>
                  <text x="112" y="132">200</text>
                  <text x="140" y="132">OK</text>
                  <text x="56" y="148">Media</text>
                  <text x="104" y="148">type:</text>
                  <text x="284" y="148">application/cose-c509+cbor;usage=chain</text>
                  <text x="96" y="180">&lt;Base64-encoded</text>
                  <text x="204" y="180">COSE_C509&gt;</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                       EST Server
  |                                                    |
  | Method: GET                                        |
  | Request target: /.well-known/cest/<p>/cacerts      |
  |--------------------------------------------------->|
  |                                                    |
  | Status: 200 OK                                     |
  | Media type: application/cose-c509+cbor;usage=chain |
  |                                                    |
  | <Base64-encoded COSE_C509>                         |
  |<---------------------------------------------------|
  |                                                    |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="flow-crlinfo">
        <name>crlinfo</name>
        <figure anchor="fig-crlinfo">
          <name>crlinfo message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="240" width="456" viewBox="0 0 456 240" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,224" fill="none" stroke="black"/>
                <path d="M 408,48 L 408,224" fill="none" stroke="black"/>
                <path d="M 32,112 L 400,112" fill="none" stroke="black"/>
                <path d="M 32,208 L 400,208" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="408,112 396,106.4 396,117.6" fill="black" transform="rotate(0,400,112)"/>
                <polygon class="arrowhead" points="40,208 28,202.4 28,213.6" fill="black" transform="rotate(180,32,208)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="384" y="36">EST</text>
                  <text x="428" y="36">Server</text>
                  <text x="64" y="68">Method:</text>
                  <text x="112" y="68">GET</text>
                  <text x="64" y="84">Request</text>
                  <text x="128" y="84">target:</text>
                  <text x="280" y="84">/.well-known/cest/&lt;p&gt;/crlinfo</text>
                  <text x="168" y="100">[?crlnumber=&lt;n&gt;][&amp;crldp=&lt;dp&gt;]</text>
                  <text x="64" y="148">Status:</text>
                  <text x="112" y="148">200</text>
                  <text x="140" y="148">OK</text>
                  <text x="56" y="164">Media</text>
                  <text x="104" y="164">type:</text>
                  <text x="248" y="164">application/c509-crlinfo+cbor</text>
                  <text x="96" y="196">&lt;Base64-encoded</text>
                  <text x="212" y="196">C509CRLInfo&gt;</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                    EST Server
  |                                               |
  | Method: GET                                   |
  | Request target: /.well-known/cest/<p>/crlinfo |
  |   [?crlnumber=<n>][&crldp=<dp>]               |
  |---------------------------------------------->|
  |                                               |
  | Status: 200 OK                                |
  | Media type: application/c509-crlinfo+cbor     |
  |                                               |
  | <Base64-encoded C509CRLInfo>                  |
  |<----------------------------------------------|
  |                                               |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="flow-crl">
        <name>crl</name>
        <figure anchor="fig-crl">
          <name>crl message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="448" viewBox="0 0 448 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,240" fill="none" stroke="black"/>
                <path d="M 408,48 L 408,240" fill="none" stroke="black"/>
                <path d="M 32,128 L 400,128" fill="none" stroke="black"/>
                <path d="M 32,224 L 400,224" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="408,128 396,122.4 396,133.6" fill="black" transform="rotate(0,400,128)"/>
                <polygon class="arrowhead" points="40,224 28,218.4 28,229.6" fill="black" transform="rotate(180,32,224)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="376" y="36">EST</text>
                  <text x="420" y="36">Server</text>
                  <text x="64" y="68">Method:</text>
                  <text x="112" y="68">GET</text>
                  <text x="64" y="84">Request</text>
                  <text x="128" y="84">target:</text>
                  <text x="264" y="84">/.well-known/cest/&lt;p&gt;/crl</text>
                  <text x="168" y="100">[?crlnumber=&lt;n&gt;][&amp;crldp=&lt;dp&gt;]</text>
                  <text x="72" y="164">Status:</text>
                  <text x="120" y="164">200</text>
                  <text x="148" y="164">OK</text>
                  <text x="64" y="180">Media</text>
                  <text x="112" y="180">type:</text>
                  <text x="240" y="180">application/c509-crl+cbor</text>
                  <text x="104" y="212">&lt;Base64-encoded</text>
                  <text x="204" y="212">C509CRL&gt;</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                   EST Server
  |                                               |
  | Method: GET                                   |
  | Request target: /.well-known/cest/<p>/crl     |
  |   [?crlnumber=<n>][&crldp=<dp>]               |
  |                                               |
  |---------------------------------------------->|
  |                                               |
  |  Status: 200 OK                               |
  |  Media type: application/c509-crl+cbor        |
  |                                               |
  |  <Base64-encoded C509CRL>                     |
  |<----------------------------------------------|
  |                                               |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="flow-simpleenroll">
        <name>simpleenroll</name>
        <figure anchor="fig-simpleenroll">
          <name>simpleenroll message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="336" width="552" viewBox="0 0 552 336" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,320" fill="none" stroke="black"/>
                <path d="M 448,48 L 448,320" fill="none" stroke="black"/>
                <path d="M 32,192 L 440,192" fill="none" stroke="black"/>
                <path d="M 32,304 L 440,304" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="448,192 436,186.4 436,197.6" fill="black" transform="rotate(0,440,192)"/>
                <polygon class="arrowhead" points="40,304 28,298.4 28,309.6" fill="black" transform="rotate(180,32,304)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="400" y="36">EST</text>
                  <text x="444" y="36">Server</text>
                  <text x="56" y="68">[HTTP</text>
                  <text x="104" y="68">Basic</text>
                  <text x="140" y="68">or</text>
                  <text x="180" y="68">Digest</text>
                  <text x="228" y="68">auth</text>
                  <text x="280" y="68">header,</text>
                  <text x="60" y="84">or</text>
                  <text x="88" y="84">TLS</text>
                  <text x="132" y="84">client</text>
                  <text x="212" y="84">certificate]</text>
                  <text x="64" y="116">Method:</text>
                  <text x="116" y="116">POST</text>
                  <text x="64" y="132">Request</text>
                  <text x="128" y="132">target:</text>
                  <text x="300" y="132">/.well-known/cest/&lt;p&gt;/simpleenroll</text>
                  <text x="56" y="148">Media</text>
                  <text x="104" y="148">type:</text>
                  <text x="264" y="148">application/cose-c509-pkcs10+cbor</text>
                  <text x="96" y="180">&lt;Base64-encoded</text>
                  <text x="264" y="180">C509CertificationRequest&gt;</text>
                  <text x="484" y="196">Verify</text>
                  <text x="532" y="196">PoP,</text>
                  <text x="480" y="212">Issue</text>
                  <text x="524" y="212">C509</text>
                  <text x="476" y="228">cert</text>
                  <text x="64" y="244">Status:</text>
                  <text x="112" y="244">200</text>
                  <text x="140" y="244">OK</text>
                  <text x="56" y="260">Media</text>
                  <text x="104" y="260">type:</text>
                  <text x="256" y="260">application/cose-c509-cert+cbor</text>
                  <text x="96" y="292">&lt;Base64-encoded</text>
                  <text x="228" y="292">C509Certificate&gt;</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                      EST Server
  |                                                    |
  | [HTTP Basic or Digest auth header,                 |
  |   or TLS client certificate]                       |
  |                                                    |
  | Method: POST                                       |
  | Request target: /.well-known/cest/<p>/simpleenroll |
  | Media type: application/cose-c509-pkcs10+cbor      |
  |                                                    |
  | <Base64-encoded C509CertificationRequest>          |
  |--------------------------------------------------->| Verify PoP,
  |                                                    | Issue C509
  |                                                    | cert
  | Status: 200 OK                                     |
  | Media type: application/cose-c509-cert+cbor        |
  |                                                    |
  | <Base64-encoded C509Certificate>                   |
  |<---------------------------------------------------|
  |                                                    |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="flow-serverkeygen">
        <name>serverkeygen</name>
        <figure anchor="fig-serverkeygen">
          <name>serverkeygen message flow</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="384" width="544" viewBox="0 0 544 384" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,368" fill="none" stroke="black"/>
                <path d="M 408,48 L 408,368" fill="none" stroke="black"/>
                <path d="M 32,208 L 400,208" fill="none" stroke="black"/>
                <path d="M 32,336 L 400,336" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="408,208 396,202.4 396,213.6" fill="black" transform="rotate(0,400,208)"/>
                <polygon class="arrowhead" points="40,336 28,330.4 28,341.6" fill="black" transform="rotate(180,32,336)"/>
                <g class="text">
                  <text x="16" y="36">EST</text>
                  <text x="60" y="36">Client</text>
                  <text x="368" y="36">EST</text>
                  <text x="412" y="36">Server</text>
                  <text x="56" y="68">[HTTP</text>
                  <text x="104" y="68">Basic</text>
                  <text x="140" y="68">or</text>
                  <text x="180" y="68">Digest</text>
                  <text x="228" y="68">auth</text>
                  <text x="280" y="68">header,</text>
                  <text x="60" y="84">or</text>
                  <text x="88" y="84">TLS</text>
                  <text x="132" y="84">client</text>
                  <text x="212" y="84">certificate]</text>
                  <text x="64" y="116">Method:</text>
                  <text x="116" y="116">POST</text>
                  <text x="64" y="132">Request</text>
                  <text x="128" y="132">target:</text>
                  <text x="260" y="148">/.well-known/cest/&lt;p&gt;/serverkeygen</text>
                  <text x="56" y="164">Media</text>
                  <text x="104" y="164">type:</text>
                  <text x="264" y="164">application/cose-c509-pkcs10+cbor</text>
                  <text x="56" y="196">&lt;CBOR</text>
                  <text x="100" y="196">C509</text>
                  <text x="136" y="196">CSR</text>
                  <text x="168" y="196">(no</text>
                  <text x="220" y="196">pubkey)&gt;</text>
                  <text x="452" y="228">Generate</text>
                  <text x="452" y="244">keypair,</text>
                  <text x="440" y="260">Issue</text>
                  <text x="484" y="260">C509</text>
                  <text x="64" y="276">Status:</text>
                  <text x="112" y="276">200</text>
                  <text x="140" y="276">OK</text>
                  <text x="440" y="276">cert,</text>
                  <text x="492" y="276">Delete</text>
                  <text x="56" y="292">Media</text>
                  <text x="104" y="292">type:</text>
                  <text x="252" y="292">application/cose-c509-pem+cbor</text>
                  <text x="432" y="292">key</text>
                  <text x="468" y="292">from</text>
                  <text x="516" y="292">server</text>
                  <text x="96" y="324">&lt;Base64-encoded</text>
                  <text x="196" y="324">C509PEM&gt;</text>
                  <text x="52" y="356">(key</text>
                  <text x="84" y="356">no</text>
                  <text x="124" y="356">longer</text>
                  <text x="164" y="356">on</text>
                  <text x="192" y="356">EST</text>
                  <text x="240" y="356">server)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
EST Client                                  EST Server
  |                                               |
  | [HTTP Basic or Digest auth header,            |
  |   or TLS client certificate]                  |
  |                                               |
  | Method: POST                                  |
  | Request target:                               |
  |            /.well-known/cest/<p>/serverkeygen |
  | Media type: application/cose-c509-pkcs10+cbor |
  |                                               |
  | <CBOR C509 CSR (no pubkey)>                   |
  |---------------------------------------------->|
  |                                               | Generate
  |                                               | keypair,
  |                                               | Issue C509
  | Status: 200 OK                                | cert, Delete
  | Media type: application/cose-c509-pem+cbor    | key from server
  |                                               | 
  | <Base64-encoded C509PEM>                      |
  |<----------------------------------------------|
  | (key no longer on EST server)                 |
  |                                               |
]]></artwork>
          </artset>
        </figure>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>The authors thank xxx for reviewing and commenting on intermediate versions of the draft.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1963LbyJXwfz5Fr1y1kTKELNmSLxqPE5qSMypbllaSM19q
yhWCRJPCGgQYAJSsWNrKO+w+wD7LPkqeZM+lrwBIkbTsOF+tkhqTIPp2+tz7
nNNBELQu98TjVquMy0TuibWDs3MxzHLR3d16LroyL+NhPAhLWay1omyQhmN4
KcrDYRkkcZgF4UAGsiiDAbwebG23wn4/l9AjdBNgF60WNN4TRRm1iml/HBdF
nKXl9QR6OTw4fw0/Z1GcjvbEtBwGz1qtSbzXEqLMBnviWhbwscjyMpfDwny/
Hrtf4c1ITsqLPbHTal3KdCqx/SjPphNYTGdaXsi0xAXAsCJMI4GPsjz+Kz+h
lWZpUeZhnMpIHKSXcZ6lY2gEC4buaaZrv2T5R5il+AP2i8/HYZzAc1j972NZ
DjezfISPw3wAM1m7KMtJsffwIb6Fj+JLualfe4gPHvbz7KqQD6H9Q2w3isuL
aZ87DK5GDz99+rTWaoU0VVxPIBjwb+N/n6bw3zCDh0JAd3vi3eExfZE8pwRf
2cS9+X0aZ5tx1mqlWT6G5V4SaE5fd3cfPdvSH5/sPlIfn+xs6Y9Ptx7rF54+
2tUfnz3Z3tUfn+88Vx+fP3r6VH98tk3vHgb7tNxgkBUyGPSzPJAp7LOMggEg
lH6F8IdfQeQBtMl4n/ZarTgdVib96PmzJ3qc7Z1n3jgItUEWTggTs2KQ5dCq
FQSBCPu4tYOy1Tq/iAsBGDzFvRWRHMJ+F7DfeZYk9Ci7lLk4k4NpLsV5HqbF
BDBPrAMib4hJngGiZYnIJjKnORb8/s/n5ydnhEXTQoor2EYmnIFDOJvi/EK6
LYuJHMCPgG5xKkpvXsV0QsN2O24XIophGXF/iu3btRGENKto+DEHAnV+Rxoo
ZA6TD4o4kuKjvBYjmarJwTIQzxvX4M4zTIrMANFZGtGTM/ip2VTA2gLA2T19
u+EtZ5M3ahxHUSJbrQfiMC3zLJoOqNHnBzF+vW21Ftypz58V/t7emvnRJgX9
sACIV+b6/zZxpdQIqQIaNcOVwDZnUzaFOAmvkyyMCmACUuwfnGqcp6ZXeTiZ
8IZ3j84ADPn1pMxG8PQiHogjWRThSIqz67QMP7XVfIA0b283gHXmAAxYK2wC
b8znz3dQmLP2UAyy8QQoADDj1bEzqaSUeUoEBjwU56tg4e96HRNoecDKizIE
xhomybUoxvCPzGEnOwlwrOlIEcFVCBgjL2WS4dKJOAYOr4Wf4gF0CDAZx2nU
FnFZiD6g4hA/yE+lBMDB3KZpUyu1kYCshA5JdgU7nEZXcQTDJHH6sSDAQ3tg
wSMZFIMwgT2TkyS7JvYOizvjiVdA4602l4CKUtiuiX7KLMf9yuVfpnEuqTug
rMFAJjgpwMq3Z+IC3iwuwo+yYKKDGcI8J2FOFKbIEACoRREu40KGkQCIwbdU
TLDBcJoAGkaTDOig+BHAMwiR0xB8owwmmGYl8Z7O2bvN7YewjwDH8SShSSlE
H4Qg+i6zOCJcSOQnftnMBZfdFleAiRdqvQU9E0X8V0kzVe3i8toupQDWBb+W
ZTj4CAiRD4ELE025NKKHSOJ+HuYxodRhauZRXBelHBdiHdvJTyE+bSOSpHJQ
4lZA8w0YJyzxYQkYAFQHcCqkwgMxSMKikMXf//Zf43iQZ/gW0iy80gb4pgXO
5yKeqD04y7r4KjM5Io0xANqdMIsdAIYEeYT7hdIDfkoAGDA7ZNuIsaUc5Van
APFwGaNiA93CAt87PBTgD2wC9gLoJIQJFkVl5m6/bj9tGiUnNO/HCYCel4Bo
EgDkgzAGoTOJEEv5F9xmha74EqC25XYwf2AVJdNEAm3SwfXmTKEIKqDDJxn8
YZ5f85qy/r/D7hDdThLc9Gzo8A/1axsgmQCeICQQTwrQX5gRP0TiKA3bxgm9
Pz0ETAHiMrxOAOtwWDkA9TViiKOd8RY5XcJKAJJ6u9rCU2Q9miaG0c06J8yT
js+6x6cH2J4BQFza4bEN2gXMCJgdyc4JbREQBkCBZbks4lGK3RHgcBqDJKYp
RxmRq2IbgIDId4hGYEIwVSWHUedrBbTiNEuDNwdHQZYC/uBwqJACcBGkrKGf
ndJQ1xNcdYLzkYHBI2T0uOewneFfpsDG4jSEbewnWV/0r6kXhY3jMJ0CBSPs
aSqhh4zARrPkR3rfrgfpC8RdXAqAZx+QZYyD4Tsnx/BSP4sIKD1CcMmytId9
qye5eYbbkE1LxnhYALF1FAJIzsSrNTxmwcKZVSolzAr4PlL3NGWypo3GF7Gd
WjK8MpIlPZ1M+wnIYfxxvYdwPaEHb+R1b4PFCLxkcQjpHjdRokZD73fd3075
J2w6hAXBqwMZX2pKgCUAS0LBk4IIYXKBXt7IcRefQqthno3NqlhX+9GoigNQ
Y2prJjYTaZ5cWUFb2M6ZU8yecgOiWOAjR2nCQV/bBBRKtWqL34HMU+DXMHUU
myjBAfcHyA9hA4B0FH8UYznOYEiNC0pyAOUTkzJkNkaJWl2/L/FQd0CpDEMk
8eiivJL43xq7myL3nQOKcBZDmKl0KfSvms7iDBgCbv+pxhlNuhtK3sAqO6m7
IJpbaEkcQKURDkzoaZgy2w3rG0DIE6YO7tDCPQPEWZZvfoRkOP2H/Wv98JP5
cz66X7zHta/4pHUjjnHwAKzUG9GFWY5wp+kLLxc+adjQH35VeKP+bqAT2lv+
2fm7EWzlB/DpSEZxKM4BP+kH76vqxGnndYJSI6g+rn29sxOe4QKd3BNgB+Gk
UGN0w4nSFODLu0wPvQ4yRG7YKQJxPAS5HaeNywGjZoDy8dqd9SLLCcyf89H9
4j2ufcUntBzEZV4OW1ub9GXmcsCsShThPmxYDrAj0DovQf2ZtxzrhGiESePS
653AZH9ArvB1YFLcG0xA+JjNXwAmtKYfVwPsFM3an+yA9weTPEEXEcHk9K0d
cFWYjGUZgiod3gETRBEz9IrI5uLIfcNEj3EvMPGWYzuZARO9rPtbTgHiqgSV
5oYk4BcvBztDb40svoAVLMhPcrBqJ2hmMVTuDSYf5ZhURxgD1Ugz4J+kFgIe
EBZhBUoP9ZZD6wedGJU9/OojbLUTo5D4nXh4/hVFBhsTNEZX8cblYcKWCL3t
OP08mLiIUceTBWXG5OOg2N5SoKnJjK8HEzAKl4aJts9Whsl9gOQeYULKMA15
Zv3fS8IEKAKMdHqbiKO+nOVg4nje58BkIsc+Nd0PTFw9//OeeFCG/SCbFAHq
f5exvBJ0JvjT2rG1HPat5UDG1L6yHNZu0XXfzdJLPG7DN9HOpLdj/v75wcD+
essmCYLwKsvBXF87en92vtbmf8W7Y/p8evBv7w9PD/bx89nPnbdvzYeWeuPs
5+P3b/ftJ9uye3x0dPBunxvDU+E9aq0ddf60xsbw2vHJ+eHxu87btUZ7CE2v
vrSuCXKptCJZDECaMCRedU/+57+3d8BE/Bc8qNrefg62IH95tv10B75cgX2i
3HfovOCvYLRct/BYIMyxF2TroM3HZZigQw/M5YvsKhXo5QIL7re/ImQ+7IkX
/cFke+eleoAL9h5qmHkPCWb1J7XGDMSGRw3DGGh6zyuQ9ufb+ZP3XcPdefji
d6BbSRFsP/vdyxbjiONGlPmYjx+mRYPxCoarNaD3Wnt06ob4Vl47HmR0XPqu
FdzgrE++Zd9LmKO6bQ4i8eCt6hFQ/sk2HkYRDW+TY9D23TSNSZ4NJHl+8T1l
1aM7xbjw0IWJ/mny3J12AP3KK+DFVaeH9kt1OwvPrNvBGXnuDn0gXl6Tq8Wf
K4p2mGj9OBC6Uq4J6tB3eGCvypxHx8as0xXXi0Y72r/Wjgu1woW9HjCfk+wE
p3KSZ/AG/P8kQxgXfDb3R5nbMWll7JuivgEFLrIkYryY5PElulGQNQ2ynN1X
EbtAq65C5eLSkNgkFjgTFK7XB5ghqc1Ffot+ZNeTGy4MrsWhI8RhyQ5pNdsw
DZNsNJXstJbi5E337MH2Fs2BkAdP24FvaULDw74ozKPK0cDXdqlZ9N2hMwDf
R8bu52YnmesRs8DJ/cNwPpgfk5MIfZoIop4r9a3wdgRyD1aN3tA5h+iaqMX6
58/8GusNt7cbNdetOcSbMMLWsBDJ3Lz0Mc2uqmho8NnhaVcxSBM1I8lnbhXv
ca+YkuvZ+Ik7yQjZwMW4h3vTO3911ryHJHZAIhay1DRB52EwKh0a4plLD8yf
8jrgScIce2K9kBI2vPIcz7fJIV2djB0GOAI1Au4AAMETd6DF9d7Fb37T24CF
vVIHommmgfbQpVDAj0sMwunjuSK8A1xC4PFMSIdMeGIGQ+BpJNiF0cNLYhMy
2lMQ0i86oGlYfS+OgjAZBdMUG8io58OD16e7+mOYTKWzOvFXmWcB2mDlhbtE
WJrdzoLfxwPmSWnwvVDBGnVg05C1WdHGuOjYs4iKLbQ+IQgMgHgVaLknEMjr
HojKwMLACRhcdadnHTaGIgVNk9bkbFyoe2rXl9dWKhkxJ/lpkAAYLtHZj8EV
BjbzVgvtY2DqxB2IehB7mrHGMHni78gvGsBtlk0bvn7+an97w4LTqngNYTWK
M5NaeBkmsTk4mUefgKNJRGdrM6kUVUw+tfKEWAOhxcVdNFZDxFzSoVWYXlvm
OwsXUbNd5AxQbQ4jVve0o701onsRpiN5xvN+h8fIID3pWaAWE2BwnDIp6m/b
MJ+TN4e1U14V+Ibi5bwGrcjYL00nya5AtoI7zPPwWp/7U3jKkADAM2LatN87
SdnbFJ1SJDKEbrJU8pGp+7b7rsUqIIBeOgXIbXoHNoMoSlp1IPwkfsXYSX5C
NiQuhn56KLCbtv0ZxhHizHx2Xmp9qNqMRTbNBxLRnjbhpzWUlriNOI81TfTu
doIVwPYU0G3EuxDOxAY6xqXFME2cabgwBQB0HsK+uD+pCfc4fgjVP01QwGYS
I6X9MB9GugbVsdWqYK5i5v5kaU8U0yRtqs42ndP6vgRcYq1ERaF4mhqxGJ9v
GYXL6gE6hACHunSVWx0gVNEH9LILcwg+wfiRuCxkMqTls+pq+IJSUdkJSEpq
5VRZB+Qg4mu8mqEbk0rHMu1Q6YgmJIQ3kk6UUTvsnfcL5+S0t/DJK+yLQ9ph
UTnG9NfmUUOdwYo9K8kOI7SHYJZ5u6GJdeXsadfISjSyCLs3cBsCJYpewwx7
BtLLn123zcF7Eo9jPkffbJ5ZbUK0ke7QTaJuj1joOCtKKy8peMSwTlf6tAUw
C2pxetZx8Eq3MGGMJLyY56Itc4XhgjrYkjrV+o/owz9TGLL363/AR6A9MC/0
pw+OwJSfgP1TUAGT2pPd3cdP2SHjxu0uAFOlMDgGBvL2ChnVbA7re2dzQ6vO
MRhtgfMr6M4/Nkh4imvqctxM8Jqj2apCT4XVBOzaINMKJ7o2DkcAZoBSX+Zr
2Ao0mUdtJdpVNAfyEwXaMhyJ3d2nz59zdKw/JjR9rPwSjquMBC6GjFvT7tHm
IwLVg2YWTEiAhx0nyiZ6g1jw+cEkmwQf5RjI5ywba3so8HRHdhaZkKF1+BF3
KJwU04S55ViidImLcbGh7Cw2xTD0CVV3h41bJgx8uyTVcKhkT5mHUayi7KoG
Rp7HRsjNtItVeBvprVcXgE3zrTMkGISIoyR7AR8skJRPC9AZeohpUWTtz3F+
+JiEQziGqI7EsbHqihyIBMk/io6ry0qE09//9p8mBgiBY0CuqCOXGKcFpjyA
ibYZ3hkmYOXGBUXBdc0Rlbbj98T7CaleAxmDOUT6Fc11XhCX1qr1CZojVavQ
4xCmmifm7rgtCjJzqN2na+U6qOpqur0SSjD7w8iRKpi/gJKH8BaQQD9H9qUf
G3Tm11eQQIcpxluV8QB64uDDHk2kp71GZz93gke7T4Dzw+JzwIq01L4jD0jV
0DPqSs/d9ObP2ppPaDntKValDMNcjjDM/pqdN6jZwLYcnx3YVhvkWLcD6X7N
aLRx8eQCKA+UQqQDjJEld6PTgFSxIaDqhaclgigIyniMBv8AEIOwq3fW07Y/
O3F+U1QQUOG2S47QOFRIaLGoKJG41kOt/yuot3GItnHwJvFQ4hw2DMeJpooX
qT0wPVKsngqqiqQHZehMEyI7pQfV19B3VwEhudQoIIjGmQENJT9MMCK5U5CA
jjpdtGqnHJHcgC6z7Vc3YLM2BMZ7CconQ9+FOiMIphOHS4foHpmGCUGED/w8
TZlhoHbITFnxCN4EddivHld3jfcidDYNQaxcSIVltPw2hT+iUw4XBniAEyd7
H33tMOk4i9QS9akELjGCH3D83pseB/Yh6lWGkSq+FME5Dgfw+wjVcjV4eDkP
zP6QdDKBwbOcqtHkQg3ZsWIknMqqAaaNyv3Qt0WGYZzQOYoPvosQszsmYL5E
7Ir0yYT4qiOhYAMPKwkN6lAKucHPgGIBcCdkTus0b+18Y7wDjrKzgaQOXCWc
JqDzTdME3axuTokKhQYaBkouMLEId8XN7sBkEdcDIvFYaOCuCskC1OdCERqy
LNKkydsE/8YjDo+dJKHy6co0DpMgGwa4fgxIzuPiI/rUDzvvOogwWkQrVz8y
QgQT0JSj4ji+MHTbzva9rysVEvYOmoP2SOcVKPfen74VZzbyHuZ2gsH4XSAK
0oRR3cLY92meBCZC/7YWVVo7PWWytCZCQ5j//EOrx5usHApxauJunAHXe8ir
kFtyiJz9xA85UEt9BPlM+HJ+fiL+cHDO9mHrSILRE+3hk5Y+pykxX6jcEw83
r2SSBOhyB/ENvzx8YQZ/ucjbSdiXyUuvFY7ppbK5qzG6SbviMGvXfA7tio/A
WRwG31dWh4++3fI6dV2UVSqe387WrljnmYl3oGx3EElkBCoaKnJu/DOlEQwp
GSGv7z8yFtg2fiF1Q1TMKybyWSnnPTXnnkJDOXLwtJiDgXtVBbvzJwI42p6R
0f29TpWbp3RphLJ4kWIj9g1O4+JCKOpnxjoGFhVj6E63Q5zTy6XKs2Gc0OEr
emvQAqPsxyFM6PMDsj9L9R0dNiBrCIDaldYH81w2UCnaSK5QxqQ//Mqc3eju
qjm+jb882TFCnAShzudREoVmZ1wC+rQjkniGH6e4+kGDRa0yiw34C7ED8N8m
lrRjeIHHiNEVqnyJZGIpI1QDJjhQc+gJzK0DSJEjl9NuOF+zZqUXzfEFKjje
iyq/cfjmjRscc9O62QuCwPlPyw8oskeL1YAnjNnymDgoiGiAJ24GCuiCNws5
xmaOy2G9boDuDSnWfybPzRd2HngBTE2LspJp1bEqfhIvusx3991UNrLWVSW+
0evK2Gd39mJ3tBL+OWfx5+rFLwd4JURMAwHMEvR7iB8IeVbGmkqQbw3YGHCs
u56Z1z+nYxTUlc5Nx4cYbb1Y5zqKjYg5YGJWQWyWagvxvpgRwkb+TlIqHKat
/QE9mzqh7JMQVLyCDOGBzb0AaFNMm1GvlPHhpGfsmyQL4NswGmiAxO9uibNT
Sgf/MGtKIQusWrSMzt5QybwIwEDx2IGf0umdDqiqA4U5m0gvs4/K5zdWB4A6
hxF5ce1AUJct4IkqZ56mb7VGJYfUkhriOFCYa2GlDV0e5Tc6BMmCEAEPM3uX
ufKNjm4LiuwQ5/4SbRybOTvRYVR+jRAeOS48LWIFVVFpR7h0VosYJEqaGpjw
dwDKMRq0A4wMa1e3xzqkHm1tWYmMKEi+miMjuvY8JIWfXgFQ9kRH0IOA/B9z
ULZNB5DqG1qlmEgv68CkPWdRTmUSwgGl3Ks0y96L7unLF29fv+w5LRWwTdwD
+k8x/w9zX6ltYTskg8z20ubP8C+eG+uO36g5c0Bg+pdpVqpaCxifEIAFjMd/
6I/crAYSfnSbKgvERhe5a7SahQaK9iMyRdrsxqGN7oTPcWlpqu5YdTHrRi/E
ZXz75DKfcFhwy1citK3jvN5EyeY1MPv4I8baOB0UvYU6KJweCtuFMq3u6kK/
hl3wZ7cLu4a5XejmtqnKDOnd0dS8hu3VF9OJdQTP7cS+Bp3oL6YT/3B4Zif+
axgU5jyodGaPled2lte7y2sdeqfIs2fnvVYPWXPkKjEtQz5KspK8MuQ4L0Lc
j98jD5nyXZEsI/NQ5jm5ehVhAY8ILbUx17WRNSUqWqVvZM1Ob8XQXK4xYT2h
zNsZv9U/RUvhKv7b0ojT0pvfcjev5YO+5YJOs32byQRcX6OhFuwGR+v6xpwT
I6029hiIvh6gjVNKgU/Z1+KESdals5rDahKaAi/VdP4pBLLez0ahbEFx74J5
IVvBldkVM3sBZFj61H+TaJLozsyeYthAP3i0tYMCdwf+0cFyyquNW+5k06EU
xVNTEzNHmu++Ux0Ju+t2vGpypAEFboCAVn4pARh/pSkaBZilWZ1KKP5UxdJU
CjRpFLV+VL13Mbuy8XyXDOsKqMk/UIG3bFJrcbQVyaZTifv5/gmHeWSzLqsA
8a2IRrtMFicX2TOgt9hSz5tYNKbDdYtd21Ao+SmkyhaoRjfkKJwxSLCmk8Fo
3ZM51dA6J1ElvHWBc9X5yZVozEqT3sF5OEJ9+W1YlMFRFpFvDR90oR8ZdLk6
kq4CckCHMIV2jRVO0KhDRfr0UUdF4M6NZYgFLXAhdGSa4olKP5um0aZDxYVB
jcKn40ZxV6cKlam+ABkTwRb4u0qCaMpYaSLeVYVewzz/eWh4lkGqAfJtqLjm
gJxLzNoziQQzwTCklI/s8RgAcNeP5zQbQnZfnANsJB8g6piAZonxIxW2IzQy
LVi+UXgLeZVKPiHLs6xapZF864yyNKdNPBANxal6E71wXK+LPWCyDtQKOVNs
0QXolmJNd4LuzPfUyZo/9HES/QKwh3/a+vM7ecWEDh/Ub7WqPA6g8Dij4UQO
i3o6eTibO8QD65ysWJqVNWoJpKSeviXWkSeB1eoNB9E2JbEwMg8d1V9Hbul+
KGeiKPSphH46bI6Lu8PBqHibqv9AEySTtjqzOm8z5SXCPoZYEoud5jmimTsn
3nGiYtzs0NoA7AXt6bAjHatpwkHtNLVnjIwvmaI+1uAoBGkw+Ij8HnqgMGCR
ZJx8iNuEKhDMyMQs6Lkq96DicTookONRcSdgWH+6qwDYY9IM0uWZNE7fkZnf
P2NWFufyLaonFr/+Dn7hEM6fXqQvP/z6r/A9mvz0Ipq8/MCM3z8TNa/3BIyd
Y2R4Ho7xpE6FLzLHjOQgHoeJZb9eABLCm3txwqKoJB8yTpbaxGh+QRVD9VDj
f+5ZMXnZPGQywhfGUuFBQMOkctEq3vEqOBAlzdz3XOXBXbCfHzZnNsTBMJJn
WpBFtI4n169R4dnQi6r227dLrMjM2Uuj8Gh0iSBjOH1bO7+mrZy/T7hqj6ue
YOlQEZso8fvbhLAoskFMDlu7H25VXEFlS/WA/Qydww6UNAfHJaHo8Wa00GyA
ibNQob4HeVxiSdXNum5j+MjX1W2qp1l32id6IU12yHxG6bfXGIAHlSRMMEK/
UDFjzpv7wA974u9/+y8lmylnC2aM52IcZlJLeYSnoU4R1/k37rM3GP1mUhDa
LinCF+SRrLDgt1R+Ku03hEjXeVnjw4FO3Sl4qq606yEYPsoILbsCS0r3annB
mNWpUmAKqSHB9SAniGb+BL0pZSYUUAeDkmXD0lLH1RlpybJSS0VkkARPLVXx
PA7YNgYZOHJSbUZPXMahkpqtFjMsg81K+H45a9IKC5OAo6jMNMBmaiNNsnlF
40mN8U8il5d8+3uTx8uy+wqWzhe0Kwi+71HEVdb8vci4OfLtazKMquT8VlJz
UYm5irT07NU8WcHt5iNUxcOmO8nlMNHhy7gnrvjjgGSWcuRoc0WPoBK3unPj
mKt063QnfhBO86+LEV4tWyd41akL9fmBjb/EGlLszFeJCJVbWLx3kX0r8dEU
wVk/zFOhMn647J3Rspy360fMzhUkfr5BRci4keEq/oCzlCPWuPzK5XdGz6g4
6Rnhp49Vemvjz48xJpKr7jfNtE14LiktK7lmdcDUEPz8wJxnK8WgITnKKRFB
mXQq3h9zyTB03cnTs6HwHLLL6RnIOKvFHVZJcaupH3qujg4CaqCzfOUnrigk
Xkis8ttz7k81MRODBmwG9O2GW14m9LPBNlcLt1ZagzlYdjnkvFDHVuvFq8qB
lTt1FYZ9OHQNX5s6ri9SqCbN3c0hdoCvr78CbVatbYNNbUeSmaACk8mn47gM
MjhJi7EpMBVaWP4oMtSer2IsVBOX9Vnsbm0zgzJZIbJJcDn48XWl1x1Cy+QH
IkLppFVKvujMCIRw25gca5WFNSMjDSOpOK2NXkbIU5oIJ5CllcyeUNCNUInL
cW05+ztLdWw4tiMHN3H5HBrSOJhVd5y7bNZtEEKneW5sVlV9L7UJu7Tpx6qA
fDUTi5P/CZGqh1eZ2XEAOHI/d3WAJV4gjs7E9wFQ54R+tS1TvqZWhd1HsRoH
c8e5Ny5mykwo9kU1xgjdvoBDeREvM7lUU/B3M6tqimJ4aW2hOUlMlag8rpjj
5VzPiFacWZ7DzZabXdttbtUOOkZWOgHFLjaK6h3Hv224VAUHvuvzcyKxyGXp
dBZRgdRqZ+qGMvMqbeaN1Jk30ieQYsGJwlQqArOCPqkqPA2n8U3UmH81ehzW
q8+Jc4dTKtearWxTLcFjC9roIFo2eNERpbORvTBT5fmK60f6fYm/E7xQoCiA
yUhXuKrVD+rZeJ9KJYmGQky3TTV+Sh0qZpUonSFrnXR9KbQebYv2VHbti9lY
/m0Y2am717roJ23L7Gwzm+O0FAtrqEPZxGXy75LPaCys8ZvVGYlj5uHi3WhW
zURm1FcyIn5OcUeV32scWrZWQLVqow400CaQj8idgtI1pkXhnrZv7zyz+PAc
6/KY1DpEHmeIwhlZJTA7u0dHb1g7mG4ew8zia9a00DMOeotaYOPksSmolqHR
PaE1toniEVYnVnyHasTKIVfRzEk81q+ec/y2ODDdyQXGss5CIb2X4qXmT6jO
rZ0NvHdebapwza2Q6akHap22MGRDBcxlql/a/ubV5mt75b5sVa+5qGFW11Dd
0g5LfsgVCls6E/+i0paEG7iyL6huuUJRyy+RLm7o99eVLVX27hPDN2LuOuPw
Lh3y5OCot1lR7PkYklWd2HF647u8ZdpLQRk1cxipUUctxms62LSnUv4pUiQT
WTKKuyybbDY83NPXe2KCcsalREo3aAoLWPSpIDeyZuXXKIyHObk2RSb4oEZf
OSomGcDRFJZAmwGTlfWxFc4BE3+yK1TJQDaEhbo9jnMFlS2t61OgVcek7C6C
r0or+fpMAp5iAHhFIipXqUx+RE+xk7cO24XX0eI80PFGwWkUyMmX7CKn76oL
5oy718xCV7ppKJqBMsO9jxd7JsuKzlswsyNJFszbAIS3N/3qWXGS+yL3mmmN
WdfjwtNk5/7mdXIs0QMA08Yi5hxpadW6JIbZDHFlfbwYFT0zdNkWDrHplqgv
nKuYvZImtdjVhVJ2EYNwjyuu6itzKjWROI65YBoGqUaJgYAMyizAa3dpDhSb
2a54e7yrbVUBybZSivjqWHNrrL781dxs696G2iQFkOjjdMpZPywR6pcSe7c1
61XPPgyu3qKqituoLeDjPK76di1LHzzMaLF79wCEEv/fyVFWxjRKq0VHQ/Vd
MzcVNG9N242UsqgAJg93LWtmGxUVs94wJe3+7LzyZ3xFHzpSzw2/4lSMMVk0
Xh3waHfLeCsaD3HcvOS76680hmoueqTfdtCGN6/Rctp2LKflKqnUz4bcaSr/
87yjImJPKssbA3T/YIyFO8wNEER0mzGI4WYrQtn1jharmVRzIsAMycbXkFoJ
pQWXvh7BZUqcz13q2iXYfBzSsXPCXJ4qbY9VLHSCMc22GN//mTXLmzX160L/
iF5NhT+1rbnkH52qXw2cR/k0qS4j6B9YXZEABpQ0jEdTlGtlPqU3Bhd4WjcY
ZLm+5WIRQ5vpjPsYww/JjKuWo3g4RPwk3YpuvCZ/VY2rq7j5S7NyFlzUYewW
ZJHi52us462mnw8uYlR2YEnqily6qxrPjpy+zCkKrAfNBTTsqSbsEVAlJqJj
jL0qa0ZHVEl2RWnysGUUyXWBhX4aMgxQR6JqXTX9CEtt8SH4L2gvvEF7gQpg
neqChvxOYM2J27sqf1Goislihx3NjZ96zR9lTZi6idANSPe4uHB0mWdPtndv
b6mYDU7pbDocxp+w4AaX2u6aS9QFXsQ6RHIbcLEbChHAhwkh86G9Haeh5E0l
b50c+Dfi8OD8Nfzj1xLFO66go5Q/07ZXbiEP56h3NkG5AlKdoty8B1ZJwLmt
3VpqZEucmHnHllqrbp0pjr36ts0ezdnCaRpJnQKlHo3ybDqB5pj3dKCsLSYq
umVmY21Jzxnhwmuyx24EmfK1wgPqKVbU26b8cvJK39QugcCfbEAoYsu7hx16
eny473w70bFd7it4j7z91qXKsCW+cODc84A7hmwX693N8dFw4f2ZFSaH8+9w
Wa+EiwDLW+xGB5y4SzTn81BVXbKo0LQKShdPXfQ8M+6LOdip6vx9MXY2DfY9
I+eOi5wX43CAuU+qQmQdN+MoaHiHMRVUys1nO1ub29uPd3eew5fnsxGXW2w9
EVvPxKOOePZE7DzD/75+Krb2xdYjsfW8itJYupL1OWfkhTGHt1djjlsGcxbW
dE9Fx2ZtV9FlgJnvaCB8OcZ4A31zVKFby2feerj43w8OWrkrqhcJm/dnL/qu
39+9+B/OBXF7VzBm77lDdI+6WnLrQ0TC/oa56DsmPSrgzoAQBuNBMKhdHTKv
F8B6bypAMo83n4Attgv/ewr/e/xkJlxsL8D0/V4UGb2iD9tia5f+/xT//2hn
Vi+askxXoOgIvNtlxgyaezHnnLT10Ff9LpWZvdwP1hkPr1NncG7hO03AztUA
yidBXoL5lwv4t5+hns1+CVUdkSPxqqFxpn4rulixaUo46YyEEbf90v5UD2E7
1Q42E+MNOwfctNU61rHgtV90MUf2CBh1e0/04zTMr2FQ7YasvnAm2Zyd5dDU
UaWgM/z6q6dcfviAwbVVJ1K1f5oeQYgUbV1zTVWarnUJZrKFlXPYQa+NHd97
/TUs9pFdV2Mq0ZR8nYdcetQGwjfPs2Ndv871lsA6fyv2MZuAj87AfAKdG7ev
sFkVPCvs5bfiyLktYr3Y2KPbIuD56zhxohXol03cf2oyiNMyKy4EVjJltEP2
TS8xDGG3YR/+FdYZxgl6qXNypGf6+k6ay3Cak2HmTl/Eshj9HqXDZpaPeM/o
VgFyY+4JvJT0+B0iHh5DKVudjEP6mSFDSU17XGH+lz+01E1KNDZbRHtkv7BQ
rd+04YnVyi0bM8QqrJBkaKzAvDaPXte0R2itaXBH1JowvIqcdYpen4KBhb6g
g/QyzrOUtZL1bnZ6sOGoOGv+lQWtGbyt+d7hRob4A2lBNPEKAzWPdY1Vfgqa
Ff1rVSPi2OqekXofxCFQfULsUk/9fzW/niFsGz7Zz16jH1r1a6LVSOZecKD+
JE4/8me8FYWfETlp6dNYzNS9EBq2/dPm9YcP7losO/EvhF55X5rug2bkDWJb
7qvpgpnD/QI1TeiFTj3QLXIEZIuHaK8xtH0/DkeAUegYwaBPU+tnop8Eqtol
DB2GxeWI/F7K83zXn62x2Wq6aH7O3w01cDLDFmuwwJnwhCs/coM54r769/Jm
tTWwZ2aPTnOP3yy0aCtkbMnIOQ2WnpKq5LRsg2KJBqoSwzINFpqPaWByJRZt
4IUXL94gX6TJavvwYgnsW2EEzSuG8Yho2CsKOFY8ACl8rVLfS1G9KvK1Ct2L
LyF9IZanftNmUQbABLAsD1iJDZi5LcEJHBjcFa3iFilffW7zw1zky4Y2y6Dv
Khgs6khMu2bQmL7NROTCx+RVRRj/fRE2q6Usj9JOw2XwunAaLrdHq2O4M9Xl
0NwDzh243lAY/8umWsN6Xcvq5fyGS6L+yvivRqwTQeFTQTM/N9WQmAxMSaT/
Lzm6WqyG8tzc/qZxvgGNfAUp0Fij/56lAJcnaaCIf5AUUDutCUB9bSYAB/lX
RvzvHe+dNivg/Srr+Wa0shyxqDZ3EYt/o8vqc5tBLM2i4x9GKw6dNNFIJemS
iKWSebmy1nRfStOvFAMK0MabMnKxH48o0XtaXqjyqO0ZDYXwYxCd0+AqLVQb
rjhVN0B9qYaLUbu3W4saCPULf+5ZaZoVEV9puBzyK9Yh/sjJASfZSXvlaYtD
jFCnia7eB5VY/rr6bcOFU19zq6pWnW34D9RvPRRXvMt71sTE/LQyZmJ+btlK
TOweJP9yvGsVtrW6BFuOWTXzqUXaOH8z2Jq7f6uwtS/QeCm+wabmp5lgZ//G
TOJYloWtMjcdqCxXagzTxyybVRhmjVcuaa4QsrbFPkU7L7qTzgVpNzbfp1iZ
8sRM5ndycDTDtF9dQaNL3ABvkgwv4MZzSxsVvdE8zrIL8jmkSy2aQ7rPahxS
dAZIcYmMRir95/ODsPLoFvqfpmw5yEjlDnElSTreTj+KT58+qVz5y1hecY1v
zByh4A7KJkn9atwY/85nuVyKJsrDYbnZ+l9v27aQ2rAAAA==

-->

</rfc>
