draft-ietf-anima-brski-discovery-00.xml

<?xml version="1.0" encoding="utf-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.8 (Ruby 2.6.10) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>

<?rfc compact="yes"?>
<?rfc iprnotified="no"?>
<?rfc strict="yes"?>

<rfc ipr="trust200902" docName="draft-ietf-anima-brski-discovery-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="BRSKI-discovery">Discovery for BRSKI variations</title>

    <author initials="T." surname="Eckert" fullname="Toerless Eckert" role="editor">
      <organization abbrev="Futurewei">Futurewei USA</organization>
      <address>
        <postal>
          <country>USA</country>
        </postal>
        <email>tte@cs.fau.de</email>
      </address>
    </author>
    <author initials="E." surname="Dijk" fullname="Esko Dijk">
      <organization>IoTconsultancy.nl</organization>
      <address>
        <email>esko.dijk@iotconsultancy.nl</email>
      </address>
    </author>

    <date year="2024"/>

    <area>Operations and Management</area>
    <workgroup>ANIMA</workgroup>
    <keyword>Internet-Draft</keyword>

    <abstract>


<?line 95?>

<t>This document specifies how BRSKI entities, such as registrars, proxies, pledges or others
that are acting as responders, can be discovered and selected by BRSKI entities acting as initiators.</t>



    </abstract>



  </front>

  <middle>


<?line 100?>

<section anchor="terminology"><name>Terminology</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

<?line -18?>

<t>This document relies on the terminology defined in <xref target="BRSKI"/>.  The following terms are described partly in addition.</t>

<dl>
  <dt>Context:</dt>
  <dd>
    <t>See Variation Context.</t>
  </dd>
  <dt>Initiator:</dt>
  <dd>
    <t>A host that is using an IP transport protocol to initiate a connection or transaction to another host called the responder.</t>
  </dd>
  <dt>Initiator socket:</dt>
  <dd>
    <t>A socket consisting of an initiators IP or IPv6 address, protocol and protocol port number from which it
initiates connections or transactions to a responder (typically UDP or TCP).</t>
  </dd>
  <dt>Objective Name:</dt>
  <dd>
    <t>See Service Name.</t>
  </dd>
  <dt>Resource Type:</dt>
  <dd>
    <t>See Service Name.</t>
  </dd>
  <dt>Responder:</dt>
  <dd>
    <t>A host that is using an IP transport protocol to respond to transaction or connection requests from an Initiator.</t>
  </dd>
  <dt>Responder socket:</dt>
  <dd>
    <t>A socket consisting of a responders IP or IPv6 address, protocol and protocol port 
number on which it responds to requests of the protocol (typically UDP or TCP).</t>
  </dd>
  <dt>Role:</dt>
  <dd>
    <t>In the context of this document, a type of entity in a variation of BRSKI that can act as a responder and whose supported variations can be discovered. BRSKI roles relevant in this document include Join Registrar, Join Proxy and Pledge. The IANA registry defined by this document allows to specify variations for any roles. See also Variation Context.</t>
  </dd>
  <dt>Socket:</dt>
  <dd>
    <t>The combination of am  IP or IPv6 address, an IP protocol that utilizes a port number (such as TCP or UDP) and a port number of that protocol.</t>
  </dd>
  <dt>Service Name:</dt>
  <dd>
    <t>The name for (a subset of) the functionality/API provided by a discoverable responder socket. This term is inherited from <xref target="DNS-SD"/> but unless otherwise specified also used in this document to apply to any other discovery functionality/API. The terminology used by other mechanisms typically differs. For example, when <xref target="GRASP"/> is used to discover a responder socket for BRSKI, the Objective Name carries the equivalent to the service name. In <xref target="CORE-LF"/>, the Resource Type (rt=) carries the equivalent of the service name.</t>
  </dd>
  <dt>Type:</dt>
  <dd>
    <t>See Variation Type.</t>
  </dd>
  <dt>Variation:</dt>
  <dd>
    <t>A combination one one variation choice each for every variation type applicable to the variation context of one discoverable BRSKI communications.
For example, in the context of BRSKI, a variation is one choice for "mode", one choice for "enroll" and once choice for "vformat".</t>
  </dd>
  <dt>Variation Context:</dt>
  <dd>
    <t>A set of Services for whom the same set of variations applies</t>
  </dd>
  <dt>Variation Type:</dt>
  <dd>
    <t>The name for one aspect of a protocol for which two or more choices exist (or may exist in the future), and where the choice 
can technically be combined orthogonal to other variation types. This document defined the BRSKI variation types "mode", "enroll" and "vformat".</t>
  </dd>
  <dt>Variation Type Choice:</dt>
  <dd>
    <t>The name for different values that a particular variation type may have.
For example, this document does defines the choices "rrm" and "prm" for the BRSKI variation "mode".</t>
  </dd>
  <dt anchor="ACP">ACP:</dt>
  <dd>
    <t>"An Autonomic Control Plane", <xref target="RFC8994"/>.</t>
  </dd>
  <dt anchor="BRSKI">BRSKI:</dt>
  <dd>
    <t>"Bootstrapping Remote Secure Key Infrastructure", <xref target="RFC8995"/>.</t>
  </dd>
  <dt anchor="BRSKI-AE">BRSKI-AE:</dt>
  <dd>
    <t>"Alternative Enrollment Protocols in <xref target="BRSKI"/>", <xref target="I-D.ietf-anima-brski-ae"/>.</t>
  </dd>
  <dt anchor="BRSKI-PRM">BRSKI-PRM:</dt>
  <dd>
    <t>"<xref target="BRSKI"/> with Pledge in Responder Mode", <xref target="I-D.ietf-anima-brski-prm"/>.</t>
  </dd>
  <dt anchor="cBRSKI">cBRSKI:</dt>
  <dd>
    <t>"Constrained Bootstrapping Remote Secure Key Infrastructure (<xref target="BRSKI"/>)", <xref target="I-D.ietf-anima-constrained-voucher"/>.</t>
  </dd>
  <dt anchor="COAP">COAP:</dt>
  <dd>
    <t>"The Constrained Application Protocol (CoAP)", <xref target="RFC7252"/>.</t>
  </dd>
  <dt anchor="CORE-LF">CORE-LF:</dt>
  <dd>
    <t>"Constrained RESTful Environments (CoRE) Link Format", <xref target="RFC6690"/>.</t>
  </dd>
  <dt anchor="cPROXY">cPROXY:</dt>
  <dd>
    <t>"Constrained Join Proxy for Bootstrapping Protocols", <xref target="I-D.ietf-anima-constrained-join-proxy"/>.</t>
  </dd>
  <dt anchor="DNS-SD">DNS-SD:</dt>
  <dd>
    <t>"DNS-Based Service Discovery", <xref target="RFC6763"/>.</t>
  </dd>
  <dt anchor="EST">EST:</dt>
  <dd>
    <t>"Enrollment over Secure Transport", <xref target="RFC7030"/>.</t>
  </dd>
  <dt anchor="GRASP">GRASP:</dt>
  <dd>
    <t>"GeneRic Autonomic Signaling Protocol", <xref target="RFC8990"/>.</t>
  </dd>
  <dt anchor="GRASP-DNSSD">GRASP-DNSSD:</dt>
  <dd>
    <t>"DNS-SD Compatible Service Discovery in GeneRic Autonomic Signaling Protocol (GRASP)", <xref target="I-D.eckert-anima-grasp-dnssd"/>.</t>
  </dd>
  <dt anchor="JWS-VOUCHER">JWS-VOUCHER:</dt>
  <dd>
    <t>"JWS signed Voucher Artifacts for Bootstrapping Protocols", <xref target="I-D.ietf-anima-jws-voucher"/>.</t>
  </dd>
  <dt anchor="lwCMP">lwCMP:</dt>
  <dd>
    <t>"Lightweight Certificate Management Protocol (CMP) Profile", <xref target="I-D.ietf-lamps-lightweight-cmp-profile"/>.</t>
  </dd>
  <dt anchor="mDNS">mDNS:</dt>
  <dd>
    <t>"multicast DNS", <xref target="RFC6762"/>.</t>
  </dd>
  <dt anchor="SCEP">SCEP:</dt>
  <dd>
    <t>"Simple Certificate Enrolment Protocol", <xref target="RFC8894"/>.</t>
  </dd>
</dl>

</section>
<section anchor="overview"><name>Overview</name>

<t>The mechanisms described in this document are intended to help solve the following challenges.</t>

<t>Signaling BRSKI variation for responder selection.</t>

<t>When an initiator such as a proxy or pledge uses a mechanism such as
<xref target="DNS-SD"/> to discover an instance of a role it intends to connect to, such
as a registrar, it may discover more than one such instance. In the presence
of variations of the BRSKI mechanisms that impact interoperability, performance
or security, not all discovered instances may support exactly what the initiator needs to achieve
interoperability and/or best performance, security or other metrics. In this case, the service
announcement mechanism needs to carry the necessary additional information beside the name that
indicates the service to aid the initiator in
selecting an instance that it can inter operate and achieve best performance with.</t>

<t>Easier use of additional discovery mechanisms.</t>

<t>In the presence of different discovery mechanisms, such as <xref target="DNS-SD"/>, <xref target="GRASP"/>,
<xref target="CORE-LF"/> or others, the details of how to apply each of these mechanisms are usually
specified individually for each mechanism, easily resulting in inconsistencies. Deriving
as much as possible the details of discovery from a common specification and registries
can reduce such inconsistencies and easy introduction of additional discovery mechanisms.</t>

<t>Generalization of principles related to discovery and operation of proxies.</t>

<t>Because of the unified approach to discovery of BRSKI Variations described in this document,
it also allows to use <xref target="DNS-SD"/> for document for <xref target="cBRSKI"/> and <xref target="cPROXY"/>, which may be
of interest in networks such as Thread, which use <xref target="DNS-SD"/>.</t>

</section>
<section anchor="specification"><name>Specification</name>

<section anchor="abstracted-brski-discovery-and-selection"><name>Abstracted BRSKI discovery and selection</name>

<t>In the abstract model of discovery used by this document and intended to apply to all described discovery mechanisms, an entity operating as an initiator of a transport
connection for a particular BRSKI protocol role, such as a pledge, discovers one or more responder sockets
(IP/IPv6-address, responder-port, IP-protocol) of entities acting as responders for the peer BRSKI role, such
as registrar. The initiator uses some discovery mechanism such as <xref target="DNS-SD"/>, <xref target="GRASP"/> or <xref target="CORE-LF"/>. In the
the initiator looks for a particular combination of a Service Name and an IP-protocol, and in return learns
about responder sockets from one or more responders that use this IP-protocol and serve the requested Service Name
type service across it. It also learns the BRSKI variation(s) supported on the socket.</t>

<t>Service Name is the name of the protocol element used in <xref target="DNS-SD"/>, unless explicitly specified, it is used
as a placeholder for the equivalent protocol elements in other discovery mechanisms. In <xref target="GRASP"/>, it is called
objective-name, in <xref target="CORE-LF"/> it is called Resource Type.</t>

<t>Upon discovery of the available sockets, the initiator selects one, whose supported variation(s) best match
the expectations of the initiator, including performance, security or other preferences. Selection may also
include attempting to establish a connection to the responder socket, and upon connection failure
to attempt connecting to the next best responder socket. This is for example necessary when discovery
information may not be updated in real-time, and the best responder has gone offline.</t>

</section>
<section anchor="variation-contexts"><name>Variation Contexts</name>

<t>A Variation Context is a set of (Discover Mechanism, Service Names, IP-protocols) across which this document
and the registry of variations defines a common set of variations. The initial registry defined in this
document defines two variation contexts.</t>

<dl>
  <dt>BRSKI context:</dt>
  <dd>
    <t>context for discovery of BRSKI registrar and proxy variations by proxies, pledges or agents
(as defined in <xref target="BRSKI-PRM"/>) via the Service Names defined for <xref target="DNS-SD"/> and <xref target="GRASP"/> via
TCP and hence (by default) TLS (version 1.2 or higher according to <xref target="BRSKI"/>).</t>
  </dd>
  <dt>cBRSKI context (constrained BRSKI):</dt>
  <dd>
    <t>context for discovery of BRSKI registrar and proxy variations by proxies, pledges 
via the Service Names defined for <xref target="DNS-SD"/>, <xref target="GRASP"/> and <xref target="CORE-LF"/> via UDP, and hence (by default) secure COAP.</t>
  </dd>
</dl>

<t>Note that the Service Names for cBRSKI include the same <xref target="DNS-SD"/> Service Names as for the BRSKI context,
hence enabling the use of <xref target="DNS-SD"/> with cBRSKI.</t>

<t>This document does not define variations for different end-to-end encryption mechanisms, so
only the "(by default)" options exist at the time of writing this document. However, the mechanisms described here
can also be used to introduce backward incompatible new secure transport options. For example when responders start
to support only TLS 1.3 or higher in the presence of TLS 1.2 only initiators, then new variations can be added,
such that those initiators will not select those responders.</t>

<t>This document does not introduce variation contexts for discovery of other BRSKI roles, such as discovery
of pledges by agents (as defined in <xref target="BRSKI-PRM"/>), or discovery of MASA by registrars. However, the registry
introduced by this document is defined such that it can be extended by such additional contexts through future
documents.</t>

</section>
<section anchor="variation-types-and-choices"><name>Variation Types and Choices</name>

<t>A Variation Type is a variation in one aspect of the BRSKI connection between initiator and responder that ideally
orthogonal from variations in other aspects of the BRSKI connection.</t>

<t>A Variation Type Choice is one alternative (aka: value) for its Variation Type.</t>

<t>This document, and the initial registry documenting the variation types introduces three variation types as follows:</t>

<dl>
  <dt>mode:</dt>
  <dd>
    <t>A variation in the basic sequence of URI endpoints communicated. This document introduces the choices of
"rrm" to indicate the endpoints and sequence as defined in <xref target="BRSKI"/> and "prm" to indicate the endpoints and sequence
as defined in <xref target="BRSKI-PRM"/>. Note that registrars also act as responders in "prm". "rrm" was chosen because the
more logical "pim" (pledge initiator mode) term was feared to cause confusion with other technologies that use that term.</t>
  </dd>
  <dt>vformat (voucher format):</dt>
  <dd>
    <t>A variation in the encoding format of the voucher communicated between registrar and pledge. This document introduces
the choices "cms" as defined in <xref target="BRSKI"/>, "cose" as defined in <xref target="cBRSKI"/> and "jose" as defined in <xref target="JWS-VOUCHER"/>.</t>
  </dd>
  <dt>enroll:</dt>
  <dd>
    <t>A variation in the URI endpoints used for enrollment of the pledge with keying material (trust anchors and certificate (chain)). This document introduces the following :choices
</t>

    <t><list style="symbols">
      <t>"est" as introduced by <xref target="BRSKI"/> to indicate the <xref target="EST"/> protocol, which is default</t>
      <t>"cmp" to indicate the CMP protocol according to the Lightweight CMP profile (<xref target="lwCMP"/>). The respective adaptations to BRSKI have been introduced by <xref target="BRSKI-AE"/>.</t>
      <t>"scep" to indicate <xref target="SCEP"/>. This is only a reservation, because no specification for the use of <xref target="SCEP"/> with BRSKI exists.</t>
    </list></t>
  </dd>
</dl>

</section>
<section anchor="variations"><name>Variations</name>

<t>A Variation is the combination of one Choice each for every Variation Type applicable to the Variation Context.
In other words, a variation is a possible instance of BRSKI if supported by initiator and responder. In <xref target="BRSKI"/>,
the default variation is "registrar responder mode" (rrm) and use of the "cms voucher format" (cms).</t>

</section>
<section anchor="brski-variations-discovery-registry"><name>BRSKI Variations Discovery Registry</name>

<t>The IANA "BRSKI Variations Registry" as specified by this document, see <xref target="registry"/> specifies the
defined parameters for discovery of BRSKI variations.</t>

<section anchor="brski-variation-contexts-table"><name>BRSKI Variation Contexts table</name>

<t>This table, <xref target="fig-contexts"/>, defines the BRSKI Variations Contexts.</t>

<t>The "Applicable Variation Types" lists the Variation Types from whose choices a Variation for this
context is formed. The "Service Name(s)" column lists the discovery mechanisms and their Service Name(s)
that constitute the context.</t>

</section>
<section anchor="brski-variation-type-choices-table"><name>BRSKI Variation Type Choices table</name>

<t>This table, <xref target="fig-choices"/>, defines the Variations Type Choices.</t>

<t>The "Context" column lists the BRSKI Variation Context(s) to which this line applies. If it is empty, then the same
Context(s) apply as that of the last prior line with a non-empty Context column.</t>

<t>The "Variation Type" column lists the BRSKI Variation Type to which this line applies. If it is empty, then the
same Variation Type applies as that of the last prior line with a non-empty Variation Type column.
Variation Types <bcp14>MUST</bcp14> the listed in the order in which the Variation Types are listed in the Applicable Variation Types
column of the BRSKI Variation Contexts table.</t>

<t>The "Variation Type Choice" column defines a Variation Type Choice term within the Context(s) of the line.
To allow the most flexible encodings of variations, all Variation Types and Variation Type Choices <bcp14>MUST</bcp14> be unique strings (across all Variation Types).
This allows to encode Variation Type Choices in a discovery mechanism without indicating their Variation Type. Variation Types
and Variation Type Choices and <bcp14>MUST</bcp14> be strings from lowercase letters a-z and digits 0-9 and <bcp14>MUST</bcp14> start with a letter. The
maximum length of a Variation Type Choice is 12 characters.</t>

<t>The "Reference" column specifies the documents which describe the Variation Type Choice. Relevant specification
includes those that only specify the semantics without referring to the aspects of discovery and/or those
that specify only the Discovery aspects. Current RFCs for BRSKI variations preceding this RFC typically
only specify the semantics, and this document adds the discovery aspects.</t>

<t>The "Dflt" Flag specifies a Variation Type Choice that is assumed to be the default Choice for the Context,
such as "rrm" for the BRSKI context. Such a Variation Type Choice is to be assumed to be supported in discovery
if discovery is performed without indication of any or an empty signaling element to carry the Variation or
Variation Choices. For example, <xref target="BRSKI"/> specifies the empty string "" as the objective-value in <xref target="GRASP"/>
discovery. Because "rrm", "est" and "cms" are default in the BRSKI context, this Discovery signaling
indicates the support for those Variation Type Choices.</t>

<t>The "Dflt<em>" Flag specifies a Variation Type Choice that is only default in a subset of Discovery options in a
context. The Note(s) column has then to explain which subset this is. Like for "Dflt", the signaling in
this subset of Discovery options can then forego indication of the "Dflt</em>" Variation Type Choice.</t>

<t>The "Rsvd" Flag specifies a Variation Type Choice for which no complete specification exist on how to use it
within BRSKI (or more specifically the context), but which is known to be of potential interest. "Rsvd"
Variation Type Choices <bcp14>MUST NOT</bcp14> be considered for the  Discoverable Variations table. They are documented
primarily to reserve the Variation Type Choice term.</t>

<t>The Note(s) section expands the Variation Type Choice terms and provides additional beneficial specification
references beyond the "Reference" column.</t>

</section>
<section anchor="variation"><name>BRSKI Discoverable Variations table</name>

<t>This table <xref target="fig-variations"/> enumerates the Discoverable Variations and categorizes them.</t>

<t>The "Context" column lists the BRSKI Variation Context(s) to which this line applies. If it is empty, then the same
Context(s) apply as that of the last prior line with a non-empty Context column.</t>

<t>The "Spec / Applicability" lists the document(s) that specify the variation, if the variation is
explicitly described. If the variation is not described explicitly, but rather a combination of
Variation Type Choices from more than one BRSKI related specification, then this column will
indicate "-" if by expert opinion it is assumed that this variation should work, or "NA", if
by expert opinion, this variation could not work. The "Explanations" column includes references
to the relevant documents and as necessary additional explanation.</t>

<t>The "Variation" column lists the Variation Type Choices that form the Variation. The Variation Type Choices
<bcp14>MUST</bcp14> be listed in the order in which the Variation Types are listed in the Applicable Variation Types
column of the BRSKI Variation Contexts table.</t>

<t>The "Variation String" column has the string term used to indicate the variation when using the
simple encoding of BRSKI Variation Discovery for GRASP as described in <xref target="GRASP"/>. It is formed by
concatenating the Choices term from the Variation column with the "-" character, excluding those
Choices terms (and "-" concatenator) which are Default for the Context. If this procedure ends
up with the empty string, then this is indicated as "" in the column.</t>

<t>The "Explanations" column explains the "Spec / Applicability" status of the Variation.</t>

</section>
<section anchor="extending-or-modifying-the-registry"><name>Extending or modifying the registry</name>

<t>Unless otherwise specified below, extension or changes to the registry require standards action.</t>

<t>Additional Variation Type Choices and Variation Context discovery mechanism Service Names including
additional discovery mechanisms require (only) specification and expert review if they refer to non standard action
protocols and/or protocol variation aspects. For example, a specification how to use <xref target="SCEP"/> with BRSKI would
fall under this clause as it is an informational RFC.</t>

<t>Non standards action Variation Type Choices can not be Default(Dflt). They can only be Dflt* for non standards action
(sub)Contexts.</t>

<t>Reservation of additional Variation Type Choices requires (only) expert review.</t>

<t>Additional Contexts <bcp14>MUST</bcp14> be added at the end of the BRSKI Variation Contexts table.</t>

<t>Additional Variation Types <bcp14>MUST</bcp14> be added at the end of the Applicable Variation Types column of the
BRSKI Variation Contexts table and at the end of existing lines for the Context in the 
BRSKI Variation Type Choices. Additional Variation Types <bcp14>MUST</bcp14> be introduced with a Default (Dflt) 
Variation Type Choice. These rules ensures that the rule to create the Variation String for GRASP
(and as desired by other discovery mechanism), and it also enables to add new Variation Type and Choices
without changing pre-existing Variation Strings: Any Variations String implicitly include the Default Choice for
any future Variation Types.</t>

<t>When a new Variation Type is added, their Default Choice <bcp14>SHOULD</bcp14> be added to the Variation Column of existing
applicable lines in the BRSKI Discoverable Variations table. Variations that include new non-Default 
Variation Type Choices <bcp14>SHOULD</bcp14> be added at the end of the existing lines for the Context.</t>

</section>
</section>
<section anchor="brski-join-proxies-support-for-variations"><name>BRSKI Join Proxies support for Variations</name>

<section anchor="permissible-variations"><name>Permissible Variations</name>

<t>Variations according to the terminology of this document are those that do not require changes to BRSKI join proxy operations,
but that can transparently pass across existing join proxies without changes to them - as long as they support the rules
outlined in this document.</t>

<t>Different choices for e.g.: pledge to registrar encryption mechanisms, voucher format (vformat), use of different URI endpoints or enrollment
protocol endpoints (mode) are all transparent to join proxies, and hence join proxies can not only support existing, well-defined
Choices of these Variation Types, but without changes to the proxies also future ones - and only those are permitted to become
Variation Type Choices.</t>

<t>Changes to the BRSKI mechanism that do require additional changes to join proxies are not considered Variations
according to this document and <bcp14>MUST NOT</bcp14> use the same discovery protocol signaling elements as those defined for variations
by this document. Instead, they <bcp14>SHOULD</bcp14> use different combinations of Service Name and Protocol (e.g.: TCP vs. UDP).</t>

<t>For example, the stateless join proxy mode defined by <xref target="cPROXY"/> is such a mechanism that requires explicit
join proxy support. Therefore, registrars sockets that support circuit proxy mode use the GRASP objective "AN_join_registrar",
and registrar sockets that support stateless join proxy mode use the GRASP objective "AN_join_registrar_rjp". This
enables join proxies to select the registrar and socket according to what the join proxy supports and prefers. By
not using the same signaling element(s) for variations, join proxies can support discovery of all variations
independent of their support for stateless join proxy operations.</t>

</section>
<section anchor="proxy"><name>Join Proxy support for Variations</name>

<t>Join proxies supporting the mechanisms of this document <bcp14>MUST</bcp14> signal for each socket they announce to initiators via a discovery
mechanism the Variation(s) supported on the socket. These Variation(s) <bcp14>MUST</bcp14> all be supported by the registrar that the join
proxy then uses for the connection from the initiator (e.g.: pledge). Pledges <bcp14>SHOULD</bcp14> announce sockets to initiators so that
all Variations that are supported by registrars that the join proxy can interoperate with are also available to the initiators
connecting to the join proxy.</t>

<t>To meet these requirements, join proxies can employ different implementation option. In the most simple one, a join proxy
allocates a separate responder socket for every Variation for which it discovers one or more registrars supporting
this Variation. It then announces that socket with only that one Variation in the discovery mechanism, even if the Registrar(s) are all
announcing their socket with multiple Variations. When the join proxy operates in circuit mode, it can then
select one of the registrars supporting the variation for every new initiator connection based on policies
as specified by BRSKI specifications and/or discovery parameters, such as priority and weight when <xref target="DNS-SD"/> is used,
and redundant registrars include those parameters.</t>

<t>TBD: insert example of received Registrar announcement and created proxy announcement ??</t>

<t>Join proxies <bcp14>MAY</bcp14> reduce the number of sockets announced to initiators by using a single socket for all Variations for
which they have the same set of registrar sockets supporting those Variations. This primarily helps to reduce the size
of the discovery messages to initiators and can save socket resources on the join proxy.</t>

<t>Join proxies <bcp14>MAY</bcp14> create multiple sockets in support of other discovery options, even for the same Variation(s).
For example, if <xref target="DNS-SD"/> is used by two registrars, both announcing the same priority but different weights, then 
the join proxy may create a separate socket for each of these registrars - and their variations, so that the join proxy can equally announce the same
priority and weight for both sockets to initiators. This allows to maintain the desired weights of use of registrars,
even when the join proxy operates in stateless mode, in which it can not select a separate registrar for every 
client initiating a connection.</t>

</section>
<section anchor="colo"><name>Co-location of Proxy and Registrar</name>

<t>In networks using <xref target="BRSKI"/> and <xref target="ACP"/>, registrars must have a co-located
proxy, because pledges can only use single-hop discovery (DULL-GRASP) and will only discover
proxies, but not registrar. Such a co-located proxy does not constitute additional processing/code
on a registrar supporting circuit mode, it simply implies that the registrars BRSKI services(s) are
announced with a proxy Service Name, to support pledges, and the  registrar service name, to
support join proxies.</t>

<t>To ease consistency of deployment models in the face of different discovery mechanisms, Variations and
non-Variation enhancements to BRSKI, it is <bcp14>RECOMMENDED</bcp14> that all future options to BRSKI do always have
a Service Name for proxies and a separate Service Name in support of pledge or other initiators. Pledges
and other initiators <bcp14>SHOULD</bcp14> always only look for the proxy Service Name, and only Proxies should look
for a registrar Service Name. Registrars therefore <bcp14>SHOULD</bcp14> always include the proxy functionality according
to the prior paragraph. This only involves additional code on the registrar beyond the service announcement
in case the Registrar would otherwise not implement circuit mode.</t>

</section>
</section>
<section anchor="brski-pledges-support-for-variations"><name>BRSKI Pledges support for Variations</name>

<section anchor="brski-pledge-context"><name>BRSKI-PLEDGE context</name>

<t>BRSKI-PLEDGE is the context for discovery of pledges by nodes such as registrar-agents.
Pledges supporting <xref target="BRSKI-PRM"/> <bcp14>MUST</bcp14> support it. It may also be used by other variations of BRSKI
when supported by pledges.</t>

<t>Pledges supporting BRSKI-PLEDGE <bcp14>MUST</bcp14> support DNS-SD for discovery via mDNS, using link-local scope.
For DNS-SD discovery beyond link-local scope, pledges <bcp14>SHOULD</bcp14> support DNS-SD via <xref target="I-D.ietf-dnssd-srp"/>.</t>

<t>TBD: Is there sufficient auto-configuration support in <xref target="I-D.ietf-dnssd-srp"/>, that pledges without any
configuration can use it, and if so, do we need to raise specific additional requirements to enable this
in pledges ?</t>

<t>These DNS-SD requirements are defaults. Specifications for specific deployment contexts such as specific
type of radio network solutions may need to specify their own requirements overriding or amending these
requirements.</t>

<t>Pledges <bcp14>MUST</bcp14> support to be discoverable via their service instance name. They <bcp14>MAY</bcp14> be discoverable
via DNS-SD browsing, so that registrar-agents can find even unexpected pledges through DNS-SD browsing.</t>

<t>Support for browsing is required to discover over the network pledges supporting only <xref target="BRSKI-PRM"/>,
but not <xref target="BRSKI"/> if they have no known serial-number information from which their service instance
name can be constructed, so it is a crucial feature for robust enrollment.  See <xref target="security-considerations"/>
for more details about discovery and BRSKI-PLEDGE.</t>

<t>When pledges are discoverable vis DNS-SD browsing, they <bcp14>MUST</bcp14> expect that a large number of pledges
exist in the network at the same time, such as in the order of 100 or more, and schedule their responses
according to the procedures in <xref target="mDNS"/> and <xref target="DNS-SD"/> to avoid simultaneous reply from all pledges.</t>

<t>TBD: What is the best section in mDNS/DNS-SD to point to for this timed reply to scale ?</t>

<t>Browsing via DNS-SD for a pledge is circumvented by the pledge not announcing its PTR RR for
"brski-registrar". Technically, the remaining RR may not constitute full DNS-SD service, but
they do provide the required discovery for the known service instance name of the pledge.</t>

<t>counter measures such as limiting the number and rate of PRM connects that they accept, ideally 
on a per-initiator basis (assuming that DDoS attacks are more harder to mount than single
attacker DoS attacks).</t>

<section anchor="service-instance-name"><name>Service Instance Name</name>

<t>The service instance name chosen by a BRSKI pledge <bcp14>MUST</bcp14> be composed from information which is</t>

<t><list style="symbols">
  <t>Easily known by BRSKI operations, such as the operational personnel or software automation,
specifically sales integration,</t>
  <t>Available to the pledges BRSKI software itself, for example by being encoded in some attribute of the IDevID.</t>
</list></t>

<t>Typically, a customer will know the serial number of a product from sales information, or even
from bar-code/QR-codes on the product itself. If this serial number is used as the service instance
name to discover a pledge from a registrar-agent, then this may lead to possible duplicate replies
from two or more pledges having the same serial number, such as in the following cases:</t>

<t><list style="numbers">
  <t>A manufacturer has different product lines and re-uses serial-numbers across them.</t>
  <t>Two different manufacturer re-use the same serial-numbers.</t>
</list></t>

<t>If pledges enable browsing of their service instance name, they <bcp14>MAY</bcp14> support <xref target="DNS-SD"/> specified
procedures to create unique service instance names when they discover such clashes, by appending
a space and serial number, starting with 2 to the service instance name: "&lt;service-instance-name&gt; (2)",
as described in <xref target="DNS-SD"/> Appendix D.</t>

<t>Nevertheless, this approach to resolving conflicts is not desirable:</t>

<t><list style="symbols">
  <t>If browsing of DNS-SD service instance name is not supported, registrar-agents would have to
always (and mostly wrongly) guess that there is a clash and (mostly unnecessarily) search
for "&lt;service-instance-name&gt; (2)".</t>
  <t>If a clash exists between pledges from the same manufacturer, and even if the registrar-agent
then attempts to start enrolling all pledges with the same clashing service instance name,
it may not have enough information to determine which the correct pledge is. This would happen
especially if the IDevID from both devices (of different product type), had the same serial
number, and the CA of both was the same (because they come from the same manufacturer).
Even if some other IDevID field was used to distinguish their device model, the registrar-agent
would not be able to determine that difference without additional vendor specific programming.</t>
</list></t>

<t>In result:</t>

<t><list style="symbols">
  <t>Vendors <bcp14>MUST</bcp14> document a scheme how their pledges form a service instance name from
information available to the customer of the pledge.</t>
  <t>These service instance names <bcp14>MUST</bcp14> be unique across all IDevID of the manufacturer that
share the same CA.</t>
</list></t>

<t>The following mechanisms are recommended:</t>

<t><list style="symbols">
  <t>Pledges <bcp14>SHOULD</bcp14> encode manufacturer unique product instance information in their
subject name serialNumber. <xref target="RFC5280"/> calls this the X520SerialNumber.</t>
  <t>Pledges <bcp14>SHOULD</bcp14> make this serialNumber information consistent with easily accessible
product instance information when in physical possession of the pledge, such as
product type code and serial number on bar-code/QR-code to enable <xref target="BRSKI-PRM"/> discovery
without additional backend sales integration. Note that discovery alone does not
allow for enrollment!</t>
  <t>Pledges <bcp14>SHOULD</bcp14> construct their service instance name by concatenating
their X520SerialNumber with a domain name prefix that is used by the manufacturer
and thus allows to disambiguate devices from different manufacturer using the
same serialNumber scheme, and hence the likelihood of service instance name clashes.</t>
</list></t>

<figure title="Example service instance name data" anchor="service-name-example"><artwork><![CDATA[
Service Instance Name:
  "PID:Model-0815 SN:WLDPC2117A99.example.com"

Manufacturer published Service Instance Name schema:
 PID:\<PID>\\ SN:\<SN>.example.com

Pledge IDevID certificate information:
  ; Format as shown by e.g.: openssh
  Subject: serialNumber = "PID:Model-0815 SN:WLDPC2117A99",
    O = Example, CN = Model-0815

DNS-SD RR for the pledge:
  ; PTR RR to support browsing / discovery of service instance name
  _brski-pledge._tcp.local  IN PTR
    PID:Model-0815\\ SN:WLDPC2117A99\\.example\\.com._brski-pledge._tcp.local
 
  ; SRC and TXT RR for the service instance name
  PID:Model-0815\\ SN:WLDPC2117A99\\.example\\.com._brski-pledge._tcp.local
    IN SRV 1 1 
    PID:Model-0815\\ SN:WLDPC2117A99\\.example\\.com.local
  PID:Model-0815\\ SN:WLDPC2117A99\\.example\\.com._brski-pledge._tcp.local
    IN TXT ""

  ; AAAA address resolution for the target host name
  PID:Model-0815\\ SN:WLDPC2117A99\\.example\\.com.local
    IN AAAA fda3:79a6:f6ee:0000::0200:0000:6400:00a1
]]></artwork></figure>

<t>In <xref target="service-name-example"/>, the manufacturer "example" identifies device instances 
through a product identifier &lt;PID&gt; and a serial number &lt;SN&gt;. Both are printed on labels
on the product/packaging and/or communicated during purchase of the product.</t>

<t>The service instance name of pledges from this manufacturer are using the
string "PID:&lt;PID&gt; SN:&lt;SN&gt;.example.com". "example.com" is assumed to be a
domain owned by this manufacturer. &lt;PID&gt; and &lt;SN&gt; are replaced by the actual
strings.</t>

<t>The IDevID encodes the service instance name without the domain ending (".example.com")
in the X520SerialNumber field. Other fields of the IDevID are not used.</t>

<t>The resulting DNS-SD RRs that the pledge announces are shown in the example.
" " and "." characters are escaped as recommended by <xref target="DNS-SD"/>.</t>

<t>In this example, the same string as constructed for the service instance name
is also used as the target host name. This is of course not necessary, but
unless the pledge already obtains a host name through other DNS means,
re-using the same name allows to avoid coming up with a second method to
construct a unique name.</t>

</section>
</section>
</section>
<section anchor="variation-signaling-and-encoding-rules-for-different-discovery-mechanisms"><name>Variation signaling and encoding rules for different discovery mechanisms</name>

<section anchor="dns-sd"><name>DNS-SD</name>

<section anchor="signaling"><name>Signaling</name>

<t>The following definitions apply to any instantiation of DNS-SD including DNS-SD via mDNS as defined in
<xref target="DNS-SD"/>, but also via unicast DNS, for example by registering the necessary DNS-SD Resource Records (RR) via <xref target="I-D.ietf-dnssd-srp"/> (SRP).</t>

<t>The requirements in this document do not guarantee interoperability when using DNS-SD, instead, they need to be amended
with deployment specific specifications / requirements as to which signaling variation, such as mDNS
or unicast DNS with SRP is to be supported between initiator and responder. When using unicast DNS
(with SRP), additional mechanisms are required to learn the IP / IPv6 address(es) of feasible DNS and
SRP servers, and deployment may also need agreements for the (default) domain they want to use in
unicast DNS. Hence, a mandatory to implement (MTI) profile is not feasible because of the wide range
of variations to deploy DNS-SD.</t>

<t>TBD: We could say that mDNS <bcp14>MUST</bcp14> be supported, unless the network context defines an interoperable
mode to support DNS-SD without mDNS ???</t>

</section>
<section anchor="encoding"><name>Encoding</name>

<t>Variation Type Choices defined in the IANA registry <xref target="fig-variations"/> are encoded as <xref target="DNS-SD"/> Keys with
a value of 1 in the DNS-SD service instances TXT RR.
This is possible because all Variation Type Choices are required to be unique across all Variation Types. It also allows to shorten
the encoding from "key=1" to just "key" for every Variation Type Choice, so that the TXT-DATA encoding can be more compact.</t>

<t>If the TXT Record does not contain a Variation Type Choice for a particular applicable Variation Type, then this indicates
support for the Default Choice of this Variation Type in the context of the DNS-SD Service Name. For example, if the TXT
Record is "jose", then this indicates support for "rrm" and "est", if the Service Name is brski-registrar or brski-proxy and the
protocol is TCP (BRSKI Context), but also when the protocol is UDP (cBRSKI context), because "rrm" and "est" are defaults
in both contexts.</t>

<t>If multiple Variation Type Choices for the same Variation Type are indicated, then this implies
that either of these Variation Type Choices is supported in conjunction with any of the other
Variation Type Choices in the same TXT Record. For example, if the TXT Record is "prm" "rrm" "cms" "jose", then
this implies support for rrm-cms-est, rrm-jose-est, prm-cms-est and prm-jose-est. This example also shows
that if the default Variation Type Choice, such as "rrm" and another Choice of the same Variation Type ("prm") are to
be indicated as supported, then both need to be included in the TXT Record.</t>

<t>In <xref target="DNS-SD"/>, a responder does not only indicate a Service Name, but also its Service Instance Name, which needs
to be unique across the domain to support initiators selecting a responder. This specification makes no recommendation
for choosing the Instance portion of that name. Usually it is the same, or derived from some form of pre-existing system name.</t>

<t>Registrars <bcp14>SHOULD</bcp14> support support their configuration without specifying a name to use in the Service Instance Name to minimize the
amount of configuration required. Registrars <bcp14>SHOULD</bcp14> support the configuration of such a name.</t>

<t>If the responder needs to indicate different sockets for different (set of) Variations, for example,
when operating as a proxy, according to <xref target="proxy"/>, then it needs to signal for each socket a separate Service Instance Name
with the appropriate port information in its SRV Record and the supported Variations for that socket in the TXT Record of that
Service Instance Name. In this case, it is <bcp14>RECOMMENDED</bcp14> that the Instance Name includes the Variation it supports,
such as in the format specified in <xref target="variation"/> and used in the Variation String column of the <xref target="fig-variations"/> table.</t>

<figure title="DNS-SD for a simple BRSKI and cBRSKI registrar" anchor="dnssd-example-1"><artwork><![CDATA[
               _brski-registrar._tcp.local
               IN PTR  0200:0000:7400._brski-registrar._tcp.local
0200:0000:7400._brski-registrar._tcp.local
                IN SRV  1 2 4555 0200:0000:7400.local
0200:0000:7400._brski-registrar._tcp.local IN TXT  "rrm" "prm"
0200:0000:7400.local
                IN AAAA  fda3:79a6:f6ee:0000::0200:0000:6400:0001

               _brski-registrar._udp.local
                IN PTR  0200:0000:7400._brski-registrar._udp.local
0200:0000:7400._brski-registrar._udp.local
                IN SRV  1 2 5684 0200:0000:7400.local
0200:0000:7400._brski-registrar._udp.local IN TXT  ""
]]></artwork></figure>

<t>In the above example <xref target="dnssd-example-2"/>, a registrar supports BRSKI with "rrm" and "prm" modes across the same TCP socket, port 4555.
It uses "cms" voucher format and "est" enrollment, which are not included in the TXT strings because both are default for
_brski-registrar._tcp. The registrar also offers cBRSKI with "rrm" mode,  "cose" voucher and "est" enrollment on UDP port 5684,
the COAP over DTLS default port. The TXT RR for this has only an empty string because "rrm", "cose" and
"est" are default for cBRSKI.</t>

<t>As the instance name, the registrar uses in this example the MAC address "0200:0000:7400", which is
MAC address of the interface on which the registrar has the IPv6 address "fda3:79a6:f6ee:0000::0200:0000:6400:0001".
The registrar should know that this MAC address is globally unique (assigned by IEEE). Else it should instead
use its IPv6 address as the Instance Name. For example, if the registrar is just a software application not
knowing the specifics of the hardware it is running on, the MAC address <bcp14>MUST NOT</bcp14> be used. If only mDNS is used
(as in this example), then the IPv6 link-local address would also suffice as the Instance Name.</t>

<t>In this example, a single Instance Name suffices, because BRSKI and cBRSKI are two separate service
contexts: they are distinguished by different protocols: TCP vs. UDP.</t>

<figure title="DNS-SD for a BRSKI registrar supporting RRM and PRM" anchor="dnssd-example-2"><artwork><![CDATA[
0123456789012345678901234567890123456789012345678901234567890123456789
                   _brski-registrar._tcp.local
               IN PTR  0200:0000:7400-rrm._brski-registrar._tcp.local
0200:0000:7400-rrm._brski-registrar._tcp.local
               IN SRV  1 2 4555 0200:0000:7400-rrm.local
0200:0000:7400-rrm._brski-registrar._tcp.local IN TXT ""
0200:0000:7400-rrm.local
               IN AAAA fda3:79a6:f6ee:0000::0200:0000:6400:0001

                   _brski-registrar._tcp.local
               IN PTR 0200:0000:7400-prm._brski-registrar._tcp.local
0200:0000:7400-prm._brski-registrar._tcp.local
               IN SRV 1 2 4555 0200:0000:7400-prm.local
0200:0000:7400-prm._brski-registrar._tcp.local
               IN TXT "prm" "cmp"
0200:0000:7400-prm.local
               IN AAAA fda3:79a6:f6ee:0000::0200:0000:6400:0001
]]></artwork></figure>

<t>In the second example <xref target="dnssd-example-2"/>, a registrar needs to use two different Instance Names, because both
share the same service context: BRSKI - TCP with service name brski-registrar. In this example, the registrar
offers "rrm" mode with "cms" voucher and "est" enrollment. It also offers "prm" mode with "cms" voucher,
but (only) with "cmp" enrollment protocol. Because the registrar does not offer "rrm" with "cmp", or
"prm" with "est", it is not possible to coalesce all variations under one Instance Name, so instead, two
Instance Names have to be created, and with them the necessary (duplicate) RR.</t>

<t>Note that the "-rrm" and "-prm" in the Instance Names are only explanatory and could be any mutually unique
strings - as is true for the whole Instance Name.</t>

<t>Note too, that because both Instances share the same port number 4555 (and hence TCP socket), they both have
to be provided by the same BRSKI application. If two separate applications where to be started on the
dame host, one for "rrm", the other for "prm", then they would have separate sockets and hence port numbers.</t>

</section>
</section>
<section anchor="grasp"><name>GRASP</name>

<section anchor="signaling-1"><name>Signaling</name>

<t>This document does not specify a mandatory to implement set of signaling options to guarantee
interoperability of discovery between initiator and responders when using GRASP. Like for the
other discovery mechanisms, these requirements will have to come from other specifications
that outline what in <xref target="GRASP"/> is called the "security and transport substrate" to be used for
GRASP.</t>

<t><xref target="RFC8994"/> specifies one such "security and transport substrate", which is zero-touch deployable.
It is mandatory to support for initiators and responders implementing the so-called
"Autonomic Network Infrastructure" (ANI). DULL GRASP is used for link-local discovery of
proxies, and the ACP is used to automatically and securely build the connectivity for multi-hop discovery
of registrars by proxies.</t>

</section>
<section anchor="encoding-1"><name>Encoding</name>

<t>To announce protocol variations with <xref target="GRASP"/>, the supported Variation is indicated in the 
objective-value field of the GRASP objective, using the method of forming the Variation string term
in <xref target="variation"/>, and listed in the Variation String column of the <xref target="fig-variations"/> table.</t>

<t>If more than one Variation is supported, then multiple objectives have to be announced, each with
a different objective-value, but the same location information if the different Variations are
supported across the same socket. Different sockets require different objective structures in GRASP anyhow.</t>

<t>Compared to DNS-SD, the choice of encoding for GRASP optimizes for minimum parsing effort, whereas
the DNS-SD encoding is optimized for most compact encoding given the limit for DNS-SD TXT records.</t>

<figure title="GRASP example for a BRSKI registrar supporting RRM and PRM" anchor="grasp-example-1"><artwork><![CDATA[
[M_FLOOD, 12340815, h'fe800000000000000000000000000001', 180000,
    [["AN_Proxy", 4, 1, "",
     [O_IPv6_LOCATOR,
     h'fe800000000000000000000000000001', IPPROTO_TCP, 4443],
     ["AN_Proxy", 4, 1, "prm",
     [O_IPv6_LOCATOR,
     h'fe800000000000000000000000000001', IPPROTO_TCP, 4443],
     ["AN_Proxy", 4, 1, "",
     [O_IPv6_LOCATOR,
     h'fe800000000000000000000000000001', IPPROTO_UDP, 4684]]
]
]]></artwork></figure>

<t><xref target="grasp-example-1"/> is an example for a GRASP service announcement for "AN_Proxy" in support of BRSKI
with both "rrm" and "prm" supported on the same socket (TCP port number) and for cBRSKI with
COAP over DTLS.</t>

<t>Note that one or more complete service instances (in the example 3) can be contained within a single GRASP message
without the need for any equivalent to the Service Instance Name of the DNS-SD PTR RR or the
Target name of the DNS-SD SRV RR. DNS-SD requires them because its encoding is
decomposed into different RR, but it also intentionally introduces the Service Instance Name
as an element for human interaction with selection (browsing and/or diagnostics of selection),
something that the current GRASP objective-value encoding does not support.</t>

<t>Because this GRASP encoding does not support service instance name, examples such as</t>

<figure title="GRASP example with two different processes" anchor="grasp-example-2"><artwork><![CDATA[
[M_FLOOD, 12340815, h'fe800000000000000000000000000001', 180000,
    [["AN_Proxy", 4, 1, "",
     [O_IPv6_LOCATOR,
     h'fe800000000000000000000000000001', IPPROTO_TCP, 4443],
     ["AN_Proxy", 4, 1, "",
     [O_IPv6_LOCATOR,
     h'fe800000000000000000000000000001', IPPROTO_UDP, 4684]]
]

[M_FLOOD, 42310815, h'fe800000000000000000000000000001', 180000,
    [["AN_Proxy", 4, 1, "prm",
     [O_IPv6_LOCATOR,
     h'fe800000000000000000000000000001', IPPROTO_TCP, 44000]]
]
]]></artwork></figure>

<t>In <xref target="grasp-example-2"/>, A separate application process supports "prm" and hence
uses a separate socket, with example TCP port 44000. In this case, there is
no need nor significant benefit to merge all service instance announcements into
a single GRASP message. Instead, the BRSKI-"rrm"/cBRSKI process would be
able to generate and send its own, first, message shown in the example, and the
second process would send its own, second message in the example.</t>

<t>For a more extensive, DNS-SD compatible encoding of the objective-value that also
support Service Instance Names, see <xref target="I-D.eckert-anima-grasp-dnssd"/>.</t>

</section>
</section>
<section anchor="core-lf"><name>CORE-LF</name>

<t>"Web Linking", <xref target="RFC5988"/> defines a format, originally for use with
HTTP headers, to link an HTTP document against other URIs. Web linking is not a standalone
method for discovery of services for use with HTTP.</t>

<t>Based on Web Linking, "Constrained RESTful Environments (CoRE) Link Format", <xref target="CORE-LF"/> introduces a
stand alone method to discover services instances, which are called resources in CORE-LF;
primarily for use with <xref target="COAP"/> but equally for use with, for use with HTTP or any other suitable web transfer protocols.</t>

<t>In CORE-LF, an initiator may use (link-local) IPv6 multicast UDP packet to the COAP port (5683)
to discover a a possible responder for a specifically requested resource. The responder will reply with unicast UDP.
If the IPv6 address of a responder has been configured or is otherwise known to the initiator, it
may equally query the parameters of the desired resource via unicast to the default COAP UDP or
TCP port (5683).</t>

<t>A service such as BRSKI registrar, join proxy or pledge can be considered to be a resource, but it
can equally be broken down into a set of component resources resources, in which case the group
can be requested. As mentioned above, CORE-LF can equally be used to request and discover resources
not using COAP, but any other suitable protocol.</t>

<t><xref target="RFC9176"/> defines a "Resource Directory" mechanism for CORE-LF which is abbreviated CORE-RD. Initiators
can learn the IPv6 address protocol (TCP or UDP) and port numberaof a CORE-RD server by some other
mechanism (such as DNS-SD) and then use a unicast UDP or TCP COAP connection to the CORE-RD server
to discover CORE-LF resources available on other systems. Resource providers can likewise register
their resources with the resource directory server using CORE-RD registration procedures.</t>

<t>In summaery, CORE-LF including CORE-RD is a mechanism for registration and discovery of resources and
hence services which may be preferred in deployments over other options and can equally be applicable
to register/discover any variation of BRSKI for any type of BRSKI service.</t>

<section anchor="signaling-2"><name>Signaling</name>

<section anchor="existing-definitions"><name>Existing definitions</name>

<t><xref target="cBRSKI"/> specifies the use of CORE-LF as a reference methods
for pledges to discover registrars - in the absence of any proxies, to allow deployments
of scenarios where no proxies are needed - and hence also where <xref target="cBRSKI"/>.
is not needed. Because BRSKI is designed so that pledges can be agnostic of whether they connect
to a registrar directly or via a proxy, the resource/service that the pledge needs to discover
is nevertheless called "(brski) join proxy (for pleges)", and encoded in CORE-LF as the value
"brski.jp" for the resource type attribute ("rt=resource-type") according to <xref target="CORE-LF"/>.</t>

<t>The following picture, <xref target="corelf-example-1"/> shows the encoding and an example of this discovery.
"ff02::fd" is the link-local scope address for "All Coap Nodes" in IPv6, as introduced in <xref target="RFC7390"/>,
which also defines IPv6 and site-scoped address options.</t>

<figure title="CORE-LF discovery of registrar/proxy by pledges" anchor="corelf-example-1"><artwork><![CDATA[
Template:

REQ: GET coap://[All_Coap_Nodes_IP_multicast_addr]/.well-known/core?rt=brski.jp

RES: 2.05 Content
   <coaps://[Responder_IP_unicast_address]:join-port>; rt="brski.jp"

Example:

REQ: GET coap://[ff02::fd]/.well-known/core?rt=brski.jp

RES: 2.05 Content
   <coaps://[fe80::c78:e3c4:58a0:a4ad]:8485>;rt=brski.jp
]]></artwork></figure>

<t><xref target="cPROXY"/> introduces the operations of a CoAP based join proxy
both as a connection based proxy as in <xref target="BRSKI"/> (only using UDP connections for COAPs instead
of TCP for TLS as in <xref target="BRSKI"/>), but also as a new, stateless join proxy - to eliminate the
need for potentially highly constrained join proxy nodes to keep connection state and avoid
the complexity of protecting that state against attacks. The new resource type "brski.rjp" is
defined to support stateless join proxies to discover registrars and their UDP port number
that support the stateless, so-called JPY protocol.</t>

<t>The following picture, <xref target="corelf-example-2"/> shows the encoding and an example of this discovery.
<xref target="cPROXY"/> introduces the new scheme "coaps+jpy" for the packet
header used by the stateless JPY" protocol. The request in the template is assumed to be
based on unicast, relying on another method to discover the IP address of the registrar first.
It could equally use COAP site-scoped IP multicast, but in general, the assumeption is that
registrar will not necessarily be link-local connected to proxies (this may be different in
specific deployments). Even though the registrar IP address is hence known, the reply still
needs to include this address again because in the <xref target="RFC6690"/> link format, and <xref target="RFC3986"/>, Section 3.2, the
authority attribute can not include a port number unless it also includes the IP address.</t>

<figure title="CORE-LF discovery of registrars that support stateless JPY protocll by proxies" anchor="corelf-example-2"><artwork><![CDATA[
Template:

REQ: GET /.well-known/core?rt=brski.rjp

RES: 2.05 Content
     <coaps+jpy://[Responder_IP_unicast_address]:join-port>;rt=brski.rjp

Example:

REQ: GET /.well-known/core?rt=brski.rjp

RES: 2.05 Content
     <coaps+jpy://[2001:db8:0:abcd::52]:7633>;rt=brski.rjp
]]></artwork></figure>

</section>
<section anchor="new-variation-discovery"><name>New variation discovery</name>

<t>This document expands the above summarized existing CORE-LF definitions from
<xref target="cBRSKI"/> and <xref target="cPROXY"/> as follows.</t>

<t>Discovery of stateful sockets on a registrar uses the resource type "brski.rjps" (for 
"registrar (for) join proxies stateful)" - instead of "brski.rjp" for the previosly
defined stateless connection mode.</t>

<t>The following picture <xref target="corelf-example-3"/> show template and example of this discovery option.
In Example 1, the registrar is running on a separate port 7634 from the COREs UDP port, so
this response needs to also include the IP address of the responding registrar (as explained
above). In Example 2, the registar functions are provided via the default (potentially shared)
COAPS port, so this is not necessary. In both cases, the response include a shorter URL part
"/b/s" which allows that the service can be used via that shorter prefix than the default
"/.well-known/brksi", hence shortening the required COAPS packet sizes.</t>

<figure title="CORE-LF discovery of registrars that support stateless JPY protocll by proxies" anchor="corelf-example-3"><artwork><![CDATA[
Template:

REQ: GET /.well-known/core?rt=brski.r

RES: 2.05 Content
     <scheme://[Responder_IP_unicast_address]:join-port>;rt=brski.rjps

Example 1:

REQ: GET /.well-known/core?rt=brski.rjp

RES: 2.05 Content
     <coaps://[2001:db8:0:abcd::52]:7634/b/s>;rt=brski.rjps

Example 2:

REQ: GET /.well-known/core?rt=brski.rjp

RES: 2.05 Content
     </b/s>;rt=brski.rjps
]]></artwork></figure>

<t>TBD: Question: can we really reply without coaps given how we always want coaps - aka: the query itself
may not have been coaps ?? This is  question for constrained proxy/voucher - can we rightfully (according to
IETF specs) make the expection that even though the resource discovery is done insecure, that it is understood 
that the actual resource consumption has to use coaps ????  - question for COAP experts.</t>

<t>Explanations:</t>

<t>The discovery and distinction between a stateless and stateful registrar socket is orthogonal
to the concept of a variation of BRSKI as defined in this document. Therefore, the distinction
between a stateless and stateless socket on a registrar is provided solely via the CORE-LF
resource-type, "brski.rjp" (stateless) and "brski.r" (stateful). In other words, the "rt"
attribute in CORE-LF serves as the abstract "Service Name" in this document. If discover
of stateless join proxies was required with other discovery mechanisms such as GRASP or
DNS-SD, then new "Service Name" equivalents in those discovery mechanisms would need to be
defined. For the purpose of this document, it is assumed that stateless proxy operations
is well enough supported with CORE-LF.</t>

<t>To indicate variations other than the default combination implied by <xref target="cBRSKI"/>
and <xref target="cPROXY"/>, this document specifies the new "bv" (brski variation)
attribute for CORE-LF records, which is specified relative only to "rt=brski.*" resource targets.</t>

<t>The value to the "bv=" attribute is a flattened string of the non-default Variation Type Choices
as specified for GRASP, so that CORE-LF does not introduce another registry table to maintain.
The only difference is that the absence of the "bv=" attribute is equivalent to the
actual defaults established by <xref target="cBRSKI"/> and <xref target="cPROXY"/>,
namely "rrm" (registrar response-mode) with "cose" (CBOR with COSE signed voucher) and "est" - enrollment
via the 'fitting' variation of EST, in the case of using COAPS it is <xref target="RFC9148"/>, e.g.: EST over COAPS.
Including or excluding "bv=" (empty value) is hence equivalent to "bs=cose", aka: the default variation
over COAPS.</t>

<t>When a variation implies use of HTTPS (or in the future any other transport other than COAPS), then
the schema, and hence IP-address needs to be included in the CORE-LF response. Likewise, even if the
protocol schema is coaps, then the IP address needs to be included if the resource is not served on
the standard COAPS UDP port.</t>

<t>[ Q: How does the schema indicate UDP versus TCP for COAPS ??? ]</t>

<t>The following <xref target="corelf-example-4"/> shows the schema and an example for various BRSKI registar
variations, discovered via CORE-LF.</t>

<t>"rt=brski-rjp" withough any any "bv" attribute indicates the default combination of 
"rrm", "cose" and "est" (EST via COAPS) as in <xref target="cBRSKI"/>.</t>

<t>Likewise, "rt=brski.rjps" without any "bv" attribute indicate the default combination
of "rrm", "cose" and "est" (EST via COAPS), as introduced above.</t>

<t>"rt=brski.rjps;bv=" indicates <xref target="BRSKI"/> withe HTTPS, "rrm", "cmp", and "est". It is
not possible currently to specify this with "rt=brski.rjp", because there is no
HTTPS equivalent to the UDP based transport required for "brski.rjp".</t>

<t>"rt=brski.rjp;bv=cose-cmp" and "rt=brski.rjps;bv==cose-cmp" indicate the combination of
the constrained defaults of "rrm" and "cose", but combined with "cmp" enrollment protocol
instead of "est".</t>

<t>[Q: Is this a potential option ? If so, would it require any similar definition like EST-COAP ??? ]</t>

<t>Note how in the example, different port numbers are used (7633 vs. 7634) to separate
different transpot protocol options, but different URL prefixes ("b2", vs. "b2", vs. "b3")
to separate different set of endpoints. The later may not be necessary but may be helpfull.</t>

<figure title="CORE-LF discovery of registrars by a proxy for different BRSKI variations" anchor="corelf-example-4"><artwork><![CDATA[
Template:

REQ: GET /.well-known/core?rt=brski.rj*

RES: 2.05 Content
     <scheme://[Responder_IP_unicast_address]:join-port>;rt=brski.rjp*(;brv=brski-variation-string)

Example:

REQ: GET /.well-known/core?rt=brski.rj*

RES: 2.05 Content
     <coaps://[2001:db8:0:abcd::52]:7633/b>;rt=brski.rjp,
     <coaps://[2001:db8:0:abcd::52]:7633/b>;rt=brski.rjp;bv=cose-cmp,
     <coaps://[2001:db8:0:abcd::52]:7634/b>;rt=brski.rjps,
     <https://[2001:db8:0:abcd::52]:7634/b>;rt=brski.rjps;bv=,
     <https://[2001:db8:0:abcd::52]:7634/b2>;rt=brski.rjps;bv=jose-cmp,
     <https://[2001:db8:0:abcd::52]:7634/b3>;rt=brski.rjps;bv=cose-cmp
]]></artwork></figure>

<t>[ Q: Can we actually use the * discovery to only discover the two variations of
registrar transport variations "rj*" - when we are a registrar ??? we do not want to
discover the resource that proxies or registrars provide to pledges!!! ]</t>

<t>When pledges need to discover (and select)  proxies (or registrars) supporting a specific
combination of variations, the encoding of attributes is the same as shown in
<xref target="corelf-example-3"/> except that now, "rt=brski.jp" needs to be discovered.</t>

<t>It is a responsibility of the proxy to discover registrars and map their discovered "bv=" variations
for rt=brski.rjp" and/or "brski.rjps" to the same "bv=" variations to their announced "rt=brski.jp"
resources: For provies, there is simply a 1:1 mapping of the "bv" attribute and the connection scheme
for the resources discovered from registrars, except for the subset of variations that can rely
on COAPS transport, for those both the "rt=brski.rjp" and "rt=brski.rjps" are options how to
proxy the resource for the pleges.</t>

<t>Note that the port numbers announced by the proxy resources will of course likely be different than
those announced by the registarars.</t>

<figure title="CORE-LF discovery of registrars or proxies by pledges for various BRSKI variations" anchor="corelf-example-5"><artwork><![CDATA[
Template:

REQ: GET /.well-known/core?rt=brski.jp

RES: 2.05 Content
     <scheme://[Responder_IP_unicast_address]:join-port>;rt=brski.jp(;brv=brski-variation-string)

Example:

REQ: GET /.well-known/core?rt=brski.rj*

RES: 2.05 Content
     <coaps://[2001:db8:0:abcd::52]:7734/b>;rt=brski.jp,
     <https://[2001:db8:0:abcd::52]:7734/b>;rt=brski.jp;bv=,
     <https://[2001:db8:0:abcd::52]:7734/b2>;rt=brski.jp;bv=jose-cmp,
     <https://[2001:db8:0:abcd::52]:7734/b3>;rt=brski.jp;bv=cose-cmp
]]></artwork></figure>

</section>
</section>
</section>
</section>
</section>
<section anchor="updates-to-existing-rfcs"><name>Updates to existing RFCs</name>

<section anchor="rfc8995"><name>RFC8995</name>

<t>TBD.</t>

</section>
</section>
<section anchor="iana-considerations"><name>IANA considerations</name>

<section anchor="registry"><name>BRSKI Variations Discovery Registry (section)</name>

<t>This document requests a new section named "BRSKI Variations Discovery Parameters"
in the "Bootstrapping Remote Secure Key Infrastructures (BRSKI) Parameters"
registry (https://www.iana.org/assignments/brski-parameters/brski-parameters.xhtml).
Its initial content is as follows.</t>

<t>[ RFC editor. Please remove the following sentence.
Note: This section contains three tables according to the specifications of this document.
If it is not possible to introduce more than one table per section, then we will modify the request
accordingly for three sections, but given how the three tables are tightly linked, that would be unfortunate. ]</t>

<t>Registration Procedure(s):
  Standards action or expert review based on registration.  See ThisRFC.</t>

<t>Experts:
  TBD.</t>

<t>Reference:
  ThisRFC.</t>

<t>Notes:</t>

<dl>
  <dt>Dflt flag:</dt>
  <dd>
    <t>Indicates a Variation Type Choice that is assumed to be used if the service discover/selection mechanism does not indicate any variation.</t>
  </dd>
  <dt>Rsvd Flag:</dt>
  <dd>
    <t>Indicates a Variation Type Choice that is reserved for use with the mechanism described in the Note(s) column, but for which no specification yet exists.</t>
  </dd>
  <dt>Spec / Applicability:</dt>
  <dd>
    <t>A "-" indicates that the variation is considered to be feasible through existing specifications, but not explicitly mentioned in them.
An "NA" indicates that the combination is assumed to be not working with the currently available specifications.</t>
  </dd>
</dl>

<texttable title="BRSKI Variation Contexts" anchor="fig-contexts">
      <ttcol align='left'>Context</ttcol>
      <ttcol align='left'>Applicable Variation Types</ttcol>
      <ttcol align='left'>Discovery Mechanism</ttcol>
      <ttcol align='left'>Service Name(s)</ttcol>
      <c>BRSKI</c>
      <c>mode<br />vformat<br />enroll</c>
      <c>GRASP</c>
      <c>"AN_join_registrar" /<br /> "AN_Proxy"<br />with IPPROTO_TCP</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>DNS-SD</c>
      <c>"brski-registrar" /<br /> "brski-proxy"<br /> with TCP</c>
      <c>cBRSKI</c>
      <c>mode<br />vformat<br />enroll</c>
      <c>GRASP</c>
      <c>"AN_join_registrar" /<br /> "AN_join_registrar_rjp" /<br /> "AN_Proxy"<br /> with IPPROTO_UDP</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>DNS-SD</c>
      <c>"brski-registrar" /<br /> "brski-proxy"<br /> with UDP</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>CORE-LF</c>
      <c>rt=brski.*</c>
      <c>BRSKI-PLEDGE</c>
      <c>mode<br />vformat<br />enroll</c>
      <c>DNS-SD</c>
      <c>"brski-pledge" with TCP</c>
</texttable>

<texttable title="BRSKI Variation Type Choices" anchor="fig-choices">
      <ttcol align='left'>Context</ttcol>
      <ttcol align='left'>Variation Type</ttcol>
      <ttcol align='left'>Variation Type Choice</ttcol>
      <ttcol align='left'>Reference</ttcol>
      <ttcol align='left'>Flags</ttcol>
      <ttcol align='left'>Note(s)</ttcol>
      <c>BRSKI, cBRSKI</c>
      <c>mode</c>
      <c>rrm</c>
      <c><xref target="RFC8995"/><br />ThisRFC</c>
      <c>Dflt</c>
      <c>Registrar Responder Mode <br /> the mode specified in <xref target="RFC8995"/></c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>prm</c>
      <c>ThisRFC  <br /></c>
      <c>&#160;</c>
      <c>Pledge Responder Mode    <br /> <xref target="I-D.ietf-anima-brski-prm"/></c>
      <c>BRSKI</c>
      <c>vformat</c>
      <c>cms</c>
      <c><xref target="RFC8368"/><br />ThisRFC</c>
      <c>Dflt</c>
      <c>CMS-signed JSON Voucher  <br /></c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>cose</c>
      <c>ThisRFC<br /></c>
      <c>&#160;</c>
      <c>CBOR with COSE signature<br /></c>
      <c>cBRSKI</c>
      <c>&#160;</c>
      <c>cose</c>
      <c>ThisRFC<br /></c>
      <c>Dflt</c>
      <c>CBOR with COSE signature <br /> <xref target="I-D.ietf-anima-constrained-voucher"/></c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>cms</c>
      <c><xref target="RFC8368"/><br />ThisRFC</c>
      <c>&#160;</c>
      <c>CMS-signed JSON Voucher  <br /></c>
      <c>BRSKI, cBRSKI</c>
      <c>&#160;</c>
      <c>jose</c>
      <c>ThisRFC<br /></c>
      <c>Dflt*</c>
      <c>JOSE-signed JSON, Default when prm is used<br /> <xref target="I-D.ietf-anima-jws-voucher"/>, <xref target="I-D.ietf-anima-brski-ae"/></c>
      <c>BRSKI-PLEDGE</c>
      <c>mode</c>
      <c>prm</c>
      <c>ThisRFC</c>
      <c>Dflt</c>
      <c>Pledge responder Mode<br /><xref target="I-D.ietf-anima-brski-prm"/></c>
      <c>&#160;</c>
      <c>vformat</c>
      <c>jose</c>
      <c>ThisRFC</c>
      <c>Dflt</c>
      <c>JOSE-signed JSON, Default when prm is used<br /> <xref target="I-D.ietf-anima-jws-voucher"/>, <xref target="I-D.ietf-anima-brski-ae"/></c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>cms</c>
      <c>ThisRFC</c>
      <c>Rsvd</c>
      <c>CMS-signed JSON Voucher, not specified.</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>cose</c>
      <c>ThisRFC</c>
      <c>Rsvd</c>
      <c>CBOR with COSE signature, not specified.</c>
      <c>BRSKI, cBRSKI, BRSKI-PLEDGE</c>
      <c>enroll</c>
      <c>est</c>
      <c><xref target="RFC8995"/><br /><xref target="RFC7030"/></c>
      <c>Dflt</c>
      <c>Enroll via EST           <br /> as specified in <xref target="RFC8995"/>, extension for <xref target="BRSKI-PRM"/> when used in context BRSKI-PLEDGE</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>cmp</c>
      <c>ThisRFC</c>
      <c>&#160;</c>
      <c>Lightweight CMP Profile  <br /> {I-D.ietf-anima-brski-ae}}, <xref target="I-D.ietf-lamps-lightweight-cmp-profile"/></c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>scep</c>
      <c>ThisRFC</c>
      <c>Rsvd</c>
      <c><xref target="RFC8894"/></c>
</texttable>

<dl>
  <dt>Note 1:</dt>
  <dd>
    <t>The Variation String "EST-TLS" is equivalent to the Variation String "" and is required and only permitted for the AN_join_registrar objective value in GRASP for backward compatibility with RFC8995, where it is used for this variation. Note that AN_proxy uses "".</t>
  </dd>
</dl>

<texttable anchor="fig-variations">
      <ttcol align='left'>Context</ttcol>
      <ttcol align='left'>Spec / Applicability</ttcol>
      <ttcol align='left'>Variation String</ttcol>
      <ttcol align='left'>Variation</ttcol>
      <ttcol align='left'>Explanations / Notes</ttcol>
      <c>BRSKI</c>
      <c><xref target="RFC8995"></xref></c>
      <c>"" / "EST-TLS"</c>
      <c>rrm cms  est</c>
      <c>Note 1</c>
      <c>&#160;</c>
      <c><xref target="I-D.ietf-anima-brski-ae"/></c>
      <c>cmp</c>
      <c>rrm cms  cmp</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c><xref target="I-D.ietf-anima-brski-prm"/></c>
      <c>prm</c>
      <c>prm jose est</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>-</c>
      <c>jose</c>
      <c>rrm jose est</c>
      <c>possible variation of <xref target="RFC8995"/> with voucher according to <xref target="I-D.ietf-anima-jws-voucher"/></c>
      <c>&#160;</c>
      <c>-</c>
      <c>jose-cmp</c>
      <c>rrm jose cmp</c>
      <c>possible variation of <xref target="RFC8995"/> with voucher according to <xref target="I-D.ietf-anima-jws-voucher"/> and enrollment according to <xref target="I-D.ietf-lamps-lightweight-cmp-profile"/></c>
      <c>&#160;</c>
      <c>-</c>
      <c>cose</c>
      <c>rrm cose est</c>
      <c>possible variation of <xref target="RFC8995"/> with voucher according to <xref target="I-D.ietf-anima-constrained-voucher"/></c>
      <c>&#160;</c>
      <c>-</c>
      <c>cose-cmp</c>
      <c>rrm cose cmp</c>
      <c>possible variation of <xref target="RFC8995"/> with voucher according to <xref target="I-D.ietf-anima-constrained-voucher"/> and enrollment according to <xref target="I-D.ietf-lamps-lightweight-cmp-profile"/></c>
      <c>&#160;</c>
      <c>-</c>
      <c>prm-cmp</c>
      <c>prm jose cmp</c>
      <c>possible variation of <xref target="I-D.ietf-anima-brski-prm"/> and <xref target="I-D.ietf-anima-brski-ae"/></c>
      <c>&#160;</c>
      <c>-</c>
      <c>prm-cose</c>
      <c>prm cose est</c>
      <c>possible variation of <xref target="I-D.ietf-anima-brski-prm"/> and <xref target="I-D.ietf-anima-constrained-voucher"/></c>
      <c>&#160;</c>
      <c>-</c>
      <c>prm-cose-cmp</c>
      <c>prm cose cmp</c>
      <c>possible variation of <xref target="I-D.ietf-anima-brski-prm"/>, <xref target="I-D.ietf-anima-constrained-voucher"/> and <xref target="I-D.ietf-anima-brski-ae"/></c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>cBRSKI</c>
      <c><xref target="I-D.ietf-anima-constrained-voucher"/></c>
      <c>""</c>
      <c>rrm cose est</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>-</c>
      <c>&#160;</c>
      <c>&#160;</c>
      <c>TBD: all the possible variations as for BRSKI ???</c>
</texttable>

</section>
<section anchor="service-names-registry"><name>Service Names Registry</name>

<t>IANA is asked to modify and amend the "Service Name and Transport Protocol Port Number Registry" registry (https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt) as follows:</t>

<t>brski-proxy and brski-registrar are to be added as Service Names for the "udp" protocol using ThisRFC as the reference.</t>

<t>The registrations for brski-proxy and brski-registrar for the "tcp" protocol are to be updated to also include ThisRFC as their reference.</t>

<t>The Defined TXT keys column for brski-proxy and brski-registrar for both "tcp" and "udp" protocols are to state the following text:</t>

<t>See ThisRFC and the "BRSKI Variation Type Choices" table in the "Bootstrapping Remote Secure Key Infrastructures (BRSKI) Parameters" registry.</t>

<t>TBD: This request likely does not include all the necessary formatting.</t>

</section>
<section anchor="brski-well-known-uris-fixes-opportunistic"><name>BRSKI Well-Known URIs fixes (opportunistic)</name>

<t>The following change requests to "https://www.iana.org/assignments/brski-parameters/brski-parameters.xhtml#brski-well-known-uris" are cosmetic in nature and are included in this document solely because support for Endpoint URIs is implied by the mechanisms specified in this document and the existing registry has these cosmetic issues.</t>

<t><list style="numbers">
  <t>IANA is asked to change the name of the first column of the table from "URI" to "URI Suffix". This is in alignment with other table columns with the same syntax/semantic, such as "https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml".</t>
  <t>IANA is asked to change the Reference from <xref target="RFC8995"/> to <xref section="8.3.1" sectionFormat="comma" target="RFC8995"/>.</t>
  <t>IANA is asked to include the following "Note" text: The following table contains the assigned BRSKI protocol Endpoint URI suffixes under "/.well-known/brski"." - This note is added to introduce the term "Endpoint" into the registry table as that is the term commonly used (instead of URI) in several of the memos for which this discovery document was written. It is meant to help readers map the registry to the terminology used in those documents.</t>
</list></t>

</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>In <xref target="BRSKI-PRM"/>, pledges are easier subject to DoS attacks than in <xref target="BRSKI"/>, because attackers
can be initiators and delay or prohibit enrollment of a pledge by opening so many connections to
the pledge that a valid registrar-agents connection to the pledge may not be possible. Discovery
of the pledge via DNS-SD increases the ability of attackers to discover pledges against which such
DoS attacks can be attempted.</t>

<t>Especially when supporting DNS-SD browsing across unicast DNS,
Pledges <bcp14>MUST</bcp14> implement DoS prevention measures, such as limiting the number and rate of accepted TCP
connections on a per-initiator basis. If feasible for the implementation, simultaneous connections
<bcp14>SHOULD</bcp14> be possible, so that an ongoing attacker connection will not delay a valid registrar-agent
connection. When accepting connections, a strategy such as LRU <bcp14>MAY</bcp14> be used to ensure that an attacker
will not be able to monopolize connections.</t>

<t>Browsing via DNS-SD, especially via unicast DNS which makes information available network-wide does
also introduce a perpass attack, gathering intelligence against what type and serial number of
devices are installed in the network. Whether or not this is seen as a relevant risk is highly
installation dependent. Networks <bcp14>SHOULD</bcp14> implement filtering measures at mDNS and/or DNS RR/services
level to prohibit such data collection if there is a risk, and this is seen as an undesirable attack
vector.</t>

</section>
<section anchor="acknowledgments"><name>Acknowledgments</name>

<t>TBD.</t>

</section>
<section anchor="draft-considerations"><name>Draft considerations</name>

<section anchor="open-issues"><name>Open Issues</name>

<t>Questions to the DNS-SD community, potential review with</t>

<t>TBD</t>

</section>
<section anchor="change-log"><name>Change log</name>

<t>[RFC Editor: please remove this section.]</t>

<t>WG draft 00:</t>

<t>Added section for CORE-LF. Still missing to update existing text with the CORE-LF definitions.</t>

<t>Individual version 01:</t>

<t>Various enhancements</t>

<t>Individual version 00:</t>

<t>Initial version.</t>

</section>
</section>


  </middle>

  <back>


    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC3986">
  <front>
    <title>Uniform Resource Identifier (URI): Generic Syntax</title>
    <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
    <author fullname="R. Fielding" initials="R." surname="Fielding"/>
    <author fullname="L. Masinter" initials="L." surname="Masinter"/>
    <date month="January" year="2005"/>
    <abstract>
      <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="66"/>
  <seriesInfo name="RFC" value="3986"/>
  <seriesInfo name="DOI" value="10.17487/RFC3986"/>
</reference>

<reference anchor="RFC5280">
  <front>
    <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
    <author fullname="D. Cooper" initials="D." surname="Cooper"/>
    <author fullname="S. Santesson" initials="S." surname="Santesson"/>
    <author fullname="S. Farrell" initials="S." surname="Farrell"/>
    <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
    <author fullname="R. Housley" initials="R." surname="Housley"/>
    <author fullname="W. Polk" initials="W." surname="Polk"/>
    <date month="May" year="2008"/>
    <abstract>
      <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5280"/>
  <seriesInfo name="DOI" value="10.17487/RFC5280"/>
</reference>

<reference anchor="RFC6690">
  <front>
    <title>Constrained RESTful Environments (CoRE) Link Format</title>
    <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
    <date month="August" year="2012"/>
    <abstract>
      <t>This specification defines Web Linking using a link format for use by constrained web servers to describe hosted resources, their attributes, and other relationships between links. Based on the HTTP Link Header field defined in RFC 5988, the Constrained RESTful Environments (CoRE) Link Format is carried as a payload and is assigned an Internet media type. "RESTful" refers to the Representational State Transfer (REST) architecture. A well-known URI is defined as a default entry point for requesting the links hosted by a server. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6690"/>
  <seriesInfo name="DOI" value="10.17487/RFC6690"/>
</reference>

<reference anchor="RFC6762">
  <front>
    <title>Multicast DNS</title>
    <author fullname="S. Cheshire" initials="S." surname="Cheshire"/>
    <author fullname="M. Krochmal" initials="M." surname="Krochmal"/>
    <date month="February" year="2013"/>
    <abstract>
      <t>As networked devices become smaller, more portable, and more ubiquitous, the ability to operate with less configured infrastructure is increasingly important. In particular, the ability to look up DNS resource record data types (including, but not limited to, host names) in the absence of a conventional managed DNS server is useful.</t>
      <t>Multicast DNS (mDNS) provides the ability to perform DNS-like operations on the local link in the absence of any conventional Unicast DNS server. In addition, Multicast DNS designates a portion of the DNS namespace to be free for local use, without the need to pay any annual fee, and without the need to set up delegations or otherwise configure a conventional DNS server to answer for those names.</t>
      <t>The primary benefits of Multicast DNS names are that (i) they require little or no administration or configuration to set them up, (ii) they work when no infrastructure is present, and (iii) they work during infrastructure failures.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6762"/>
  <seriesInfo name="DOI" value="10.17487/RFC6762"/>
</reference>

<reference anchor="RFC6763">
  <front>
    <title>DNS-Based Service Discovery</title>
    <author fullname="S. Cheshire" initials="S." surname="Cheshire"/>
    <author fullname="M. Krochmal" initials="M." surname="Krochmal"/>
    <date month="February" year="2013"/>
    <abstract>
      <t>This document specifies how DNS resource records are named and structured to facilitate service discovery. Given a type of service that a client is looking for, and a domain in which the client is looking for that service, this mechanism allows clients to discover a list of named instances of that desired service, using standard DNS queries. This mechanism is referred to as DNS-based Service Discovery, or DNS-SD.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6763"/>
  <seriesInfo name="DOI" value="10.17487/RFC6763"/>
</reference>

<reference anchor="RFC7390">
  <front>
    <title>Group Communication for the Constrained Application Protocol (CoAP)</title>
    <author fullname="A. Rahman" initials="A." role="editor" surname="Rahman"/>
    <author fullname="E. Dijk" initials="E." role="editor" surname="Dijk"/>
    <date month="October" year="2014"/>
    <abstract>
      <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for constrained devices and constrained networks. It is anticipated that constrained devices will often naturally operate in groups (e.g., in a building automation scenario, all lights in a given room may need to be switched on/off as a group). This specification defines how CoAP should be used in a group communication context. An approach for using CoAP on top of IP multicast is detailed based on existing CoAP functionality as well as new features introduced in this specification. Also, various use cases and corresponding protocol flows are provided to illustrate important concepts. Finally, guidance is provided for deployment in various network topologies.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7390"/>
  <seriesInfo name="DOI" value="10.17487/RFC7390"/>
</reference>

<reference anchor="RFC8990">
  <front>
    <title>GeneRic Autonomic Signaling Protocol (GRASP)</title>
    <author fullname="C. Bormann" initials="C." surname="Bormann"/>
    <author fullname="B. Carpenter" initials="B." role="editor" surname="Carpenter"/>
    <author fullname="B. Liu" initials="B." role="editor" surname="Liu"/>
    <date month="May" year="2021"/>
    <abstract>
      <t>This document specifies the GeneRic Autonomic Signaling Protocol (GRASP), which enables autonomic nodes and Autonomic Service Agents to dynamically discover peers, to synchronize state with each other, and to negotiate parameter settings with each other. GRASP depends on an external security environment that is described elsewhere. The technical objectives and parameters for specific application scenarios are to be described in separate documents. Appendices briefly discuss requirements for the protocol and existing protocols with comparable features.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8990"/>
  <seriesInfo name="DOI" value="10.17487/RFC8990"/>
</reference>

<reference anchor="RFC8994">
  <front>
    <title>An Autonomic Control Plane (ACP)</title>
    <author fullname="T. Eckert" initials="T." role="editor" surname="Eckert"/>
    <author fullname="M. Behringer" initials="M." role="editor" surname="Behringer"/>
    <author fullname="S. Bjarnason" initials="S." surname="Bjarnason"/>
    <date month="May" year="2021"/>
    <abstract>
      <t>Autonomic functions need a control plane to communicate, which depends on some addressing and routing. This Autonomic Control Plane should ideally be self-managing and be as independent as possible of configuration. This document defines such a plane and calls it the "Autonomic Control Plane", with the primary use as a control plane for autonomic functions. It also serves as a "virtual out-of-band channel" for Operations, Administration, and Management (OAM) communications over a network that provides automatically configured, hop-by-hop authenticated and encrypted communications via automatically configured IPv6 even when the network is not configured or is misconfigured.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8994"/>
  <seriesInfo name="DOI" value="10.17487/RFC8994"/>
</reference>

<reference anchor="RFC8995">
  <front>
    <title>Bootstrapping Remote Secure Key Infrastructure (BRSKI)</title>
    <author fullname="M. Pritikin" initials="M." surname="Pritikin"/>
    <author fullname="M. Richardson" initials="M." surname="Richardson"/>
    <author fullname="T. Eckert" initials="T." surname="Eckert"/>
    <author fullname="M. Behringer" initials="M." surname="Behringer"/>
    <author fullname="K. Watsen" initials="K." surname="Watsen"/>
    <date month="May" year="2021"/>
    <abstract>
      <t>This document specifies automated bootstrapping of an Autonomic Control Plane. To do this, a Secure Key Infrastructure is bootstrapped. This is done using manufacturer-installed X.509 certificates, in combination with a manufacturer's authorizing service, both online and offline. We call this process the Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol. Bootstrapping a new device can occur when using a routable address and a cloud service, only link-local connectivity, or limited/disconnected networks. Support for deployment models with less stringent security requirements is included. Bootstrapping is complete when the cryptographic identity of the new key infrastructure is successfully deployed to the device. The established secure connection can be used to deploy a locally issued certificate to the device as well.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8995"/>
  <seriesInfo name="DOI" value="10.17487/RFC8995"/>
</reference>


<reference anchor="I-D.ietf-anima-brski-ae">
   <front>
      <title>BRSKI-AE: Alternative Enrollment Protocols in BRSKI</title>
      <author fullname="David von Oheimb" initials="D." surname="von Oheimb">
         <organization>Siemens AG</organization>
      </author>
      <author fullname="Steffen Fries" initials="S." surname="Fries">
         <organization>Siemens AG</organization>
      </author>
      <author fullname="Hendrik Brockhaus" initials="H." surname="Brockhaus">
         <organization>Siemens AG</organization>
      </author>
      <date day="1" month="March" year="2024"/>
      <abstract>
	 <t>   This document defines an enhancement of Bootstrapping Remote Secure
   Key Infrastructure (BRSKI, RFC 8995).  It supports alternative
   certificate enrollment protocols, such as CMP, that use authenticated
   self-contained signed objects for certification messages.

   This offers the following advantages.  The origin of requests and
   responses can be authenticated independently of message transfer.
   This supports end-to-end authentication (proof of origin) also over
   multiple hops, as well as asynchronous operation of certificate
   enrollment.  This in turn provides architectural flexibility where
   and when to ultimately authenticate and authorize certification
   requests while retaining full-strength integrity and authenticity of
   certification requests.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-anima-brski-ae-10"/>
   
</reference>


<reference anchor="I-D.ietf-anima-brski-prm">
   <front>
      <title>BRSKI with Pledge in Responder Mode (BRSKI-PRM)</title>
      <author fullname="Steffen Fries" initials="S." surname="Fries">
         <organization>Siemens AG</organization>
      </author>
      <author fullname="Thomas Werner" initials="T." surname="Werner">
         <organization>Siemens AG</organization>
      </author>
      <author fullname="Eliot Lear" initials="E." surname="Lear">
         <organization>Cisco Systems</organization>
      </author>
      <author fullname="Michael Richardson" initials="M." surname="Richardson">
         <organization>Sandelman Software Works</organization>
      </author>
      <date day="4" month="March" year="2024"/>
      <abstract>
	 <t>   This document defines enhancements to Bootstrapping a Remote Secure
   Key Infrastructure (BRSKI, RFC8995) to enable bootstrapping in
   domains featuring no or only limited connectivity between a pledge
   and the domain registrar.  It specifically changes the interaction
   model from a pledge-initiated mode, as used in BRSKI, to a pledge-
   responding mode, where the pledge is in server role.  For this, BRSKI
   with Pledge in Responder Mode (BRSKI-PRM) introduces a new component,
   the Registrar-Agent, which facilitates the communication between
   pledge and registrar during the bootstrapping phase.  To establish
   the trust relation between pledge and registrar, BRSKI-PRM relies on
   object security rather than transport security.  The approach defined
   here is agnostic to the enrollment protocol that connects the domain
   registrar to the domain CA.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-anima-brski-prm-12"/>
   
</reference>


<reference anchor="I-D.ietf-anima-constrained-voucher">
   <front>
      <title>Constrained Bootstrapping Remote Secure Key Infrastructure (cBRSKI)</title>
      <author fullname="Michael Richardson" initials="M." surname="Richardson">
         <organization>Sandelman Software Works</organization>
      </author>
      <author fullname="Peter Van der Stok" initials="P." surname="Van der Stok">
         <organization>vanderstok consultancy</organization>
      </author>
      <author fullname="Panos Kampanakis" initials="P." surname="Kampanakis">
         <organization>Cisco Systems</organization>
      </author>
      <author fullname="Esko Dijk" initials="E." surname="Dijk">
         <organization>IoTconsultancy.nl</organization>
      </author>
      <date day="3" month="March" year="2024"/>
      <abstract>
	 <t>   This document defines the Constrained Bootstrapping Remote Secure Key
   Infrastructure (cBRSKI) protocol, which provides a solution for
   secure zero-touch onboarding of resource-constrained (IoT) devices
   into the network of a domain owner.  This protocol is designed for
   constrained networks, which may have limited data throughput or may
   experience frequent packet loss. cBRSKI is a variant of the BRSKI
   protocol, which uses an artifact signed by the device manufacturer
   called the &quot;voucher&quot; which enables a new device and the owner&#x27;s
   network to mutually authenticate.  While the BRSKI voucher data is
   encoded in JSON, cBRSKI uses a compact CBOR-encoded voucher.  The
   BRSKI voucher data definition is extended with new data types that
   allow for smaller voucher sizes.  The Enrollment over Secure
   Transport (EST) protocol, used in BRSKI, is replaced with EST-over-
   CoAPS; and HTTPS used in BRSKI is replaced with DTLS-secured CoAP
   (CoAPS).  This document Updates RFC 8995 and RFC 9148.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-anima-constrained-voucher-24"/>
   
</reference>


<reference anchor="I-D.ietf-anima-constrained-join-proxy">
   <front>
      <title>Join Proxy for Bootstrapping of Constrained Network Elements</title>
      <author fullname="Michael Richardson" initials="M." surname="Richardson">
         <organization>Sandelman Software Works</organization>
      </author>
      <author fullname="Peter Van der Stok" initials="P." surname="Van der Stok">
         <organization>vanderstok consultancy</organization>
      </author>
      <author fullname="Panos Kampanakis" initials="P." surname="Kampanakis">
         <organization>Cisco Systems</organization>
      </author>
      <date day="6" month="November" year="2023"/>
      <abstract>
	 <t>   This document extends the work of Bootstrapping Remote Secure Key
   Infrastructures (BRSKI) by replacing the Circuit-proxy between Pledge
   and Registrar by a stateless/stateful constrained Join Proxy.  The
   constrained Join Proxy is a mesh neighbor of the Pledge and can relay
   a DTLS session originating from a Pledge with only link-local
   addresses to a Registrar which is not a mesh neighbor of the Pledge.

   This document defines a protocol to securely assign a Pledge to a
   domain, represented by a Registrar, using an intermediary node
   between Pledge and Registrar.  This intermediary node is known as a
   &quot;constrained Join Proxy&quot;.  An enrolled Pledge can act as a
   constrained Join Proxy.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-anima-constrained-join-proxy-15"/>
   
</reference>


<reference anchor="I-D.ietf-anima-jws-voucher">
   <front>
      <title>JWS signed Voucher Artifacts for Bootstrapping Protocols</title>
      <author fullname="Thomas Werner" initials="T." surname="Werner">
         <organization>Siemens AG</organization>
      </author>
      <author fullname="Michael Richardson" initials="M." surname="Richardson">
         <organization>Sandelman Software Works</organization>
      </author>
      <date day="29" month="August" year="2023"/>
      <abstract>
	 <t>   [TODO: I-D.draft-ietf-anima-rfc8366bis] defines a digital artifact
   called voucher as a YANG-defined JSON document that is signed using a
   Cryptographic Message Syntax (CMS) structure.  This document
   introduces a variant of the voucher artifact in which CMS is replaced
   by the JSON Object Signing and Encryption (JOSE) mechanism described
   in RFC7515 to support deployments in which JOSE is preferred over
   CMS.

   In addition to explaining how the format is created, the
   &quot;application/voucher-jws+json&quot; media type is registered and examples
   are provided.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-anima-jws-voucher-09"/>
   
</reference>

<reference anchor="RFC7030">
  <front>
    <title>Enrollment over Secure Transport</title>
    <author fullname="M. Pritikin" initials="M." role="editor" surname="Pritikin"/>
    <author fullname="P. Yee" initials="P." role="editor" surname="Yee"/>
    <author fullname="D. Harkins" initials="D." role="editor" surname="Harkins"/>
    <date month="October" year="2013"/>
    <abstract>
      <t>This document profiles certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport. This profile, called Enrollment over Secure Transport (EST), describes a simple, yet functional, certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire client certificates and associated Certification Authority (CA) certificates. It also supports client-generated public/private key pairs as well as key pairs generated by the CA.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7030"/>
  <seriesInfo name="DOI" value="10.17487/RFC7030"/>
</reference>

<reference anchor="RFC8368">
  <front>
    <title>Using an Autonomic Control Plane for Stable Connectivity of Network Operations, Administration, and Maintenance (OAM)</title>
    <author fullname="T. Eckert" initials="T." role="editor" surname="Eckert"/>
    <author fullname="M. Behringer" initials="M." surname="Behringer"/>
    <date month="May" year="2018"/>
    <abstract>
      <t>Operations, Administration, and Maintenance (OAM), as per BCP 161, for data networks is often subject to the problem of circular dependencies when relying on connectivity provided by the network to be managed for the OAM purposes.</t>
      <t>Provisioning while bringing up devices and networks tends to be more difficult to automate than service provisioning later on. Changes in core network functions impacting reachability cannot be automated because of ongoing connectivity requirements for the OAM equipment itself, and widely used OAM protocols are not secure enough to be carried across the network without security concerns.</t>
      <t>This document describes how to integrate OAM processes with an autonomic control plane in order to provide stable and secure connectivity for those OAM processes. This connectivity is not subject to the aforementioned circular dependencies.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8368"/>
  <seriesInfo name="DOI" value="10.17487/RFC8368"/>
</reference>


<reference anchor="I-D.ietf-lamps-lightweight-cmp-profile">
   <front>
      <title>Lightweight Certificate Management Protocol (CMP) Profile</title>
      <author fullname="Hendrik Brockhaus" initials="H." surname="Brockhaus">
         <organization>Siemens</organization>
      </author>
      <author fullname="David von Oheimb" initials="D." surname="von Oheimb">
         <organization>Siemens</organization>
      </author>
      <author fullname="Steffen Fries" initials="S." surname="Fries">
         <organization>Siemens AG</organization>
      </author>
      <date day="17" month="February" year="2023"/>
      <abstract>
	 <t>This document aims at simple, interoperable, and automated PKI management operations covering typical use cases of industrial and Internet of Things (IoT) scenarios.  This is achieved by profiling the Certificate Management Protocol (CMP), the related Certificate Request Message Format (CRMF), and transfer based on HTTP or Constrained Application Protocol (CoAP) in a succinct but sufficiently detailed and self-contained way.  To make secure certificate management for simple scenarios and constrained devices as lightweight as possible, only the most crucial types of operations and options are specified as mandatory.  More specialized or complex use cases are supported with optional features.
	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-lightweight-cmp-profile-21"/>
   
</reference>


<reference anchor="I-D.ietf-dnssd-srp">
   <front>
      <title>Service Registration Protocol for DNS-Based Service Discovery</title>
      <author fullname="Ted Lemon" initials="T." surname="Lemon">
         <organization>Apple Inc.</organization>
      </author>
      <author fullname="Stuart Cheshire" initials="S." surname="Cheshire">
         <organization>Apple Inc.</organization>
      </author>
      <date day="4" month="March" year="2024"/>
      <abstract>
	 <t>   The Service Registration Protocol for DNS-Based Service Discovery
   uses the standard DNS Update mechanism to enable DNS-Based Service
   Discovery using only unicast packets.  This makes it possible to
   deploy DNS Service Discovery without multicast, which greatly
   improves scalability and improves performance on networks where
   multicast service is not an optimal choice, particularly IEEE 802.11
   (Wi-Fi) and IEEE 802.15.4 networks.  DNS-SD Service registration uses
   public keys and SIG(0) to allow services to defend their
   registrations.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-dnssd-srp-25"/>
   
</reference>

<reference anchor="RFC9148">
  <front>
    <title>EST-coaps: Enrollment over Secure Transport with the Secure Constrained Application Protocol</title>
    <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
    <author fullname="P. Kampanakis" initials="P." surname="Kampanakis"/>
    <author fullname="M. Richardson" initials="M." surname="Richardson"/>
    <author fullname="S. Raza" initials="S." surname="Raza"/>
    <date month="April" year="2022"/>
    <abstract>
      <t>Enrollment over Secure Transport (EST) is used as a certificate provisioning protocol over HTTPS. Low-resource devices often use the lightweight Constrained Application Protocol (CoAP) for message exchanges. This document defines how to transport EST payloads over secure CoAP (EST-coaps), which allows constrained devices to use existing EST functionality for provisioning certificates.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9148"/>
  <seriesInfo name="DOI" value="10.17487/RFC9148"/>
</reference>

<reference anchor="RFC9176">
  <front>
    <title>Constrained RESTful Environments (CoRE) Resource Directory</title>
    <author fullname="C. Amsüss" initials="C." role="editor" surname="Amsüss"/>
    <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
    <author fullname="M. Koster" initials="M." surname="Koster"/>
    <author fullname="C. Bormann" initials="C." surname="Bormann"/>
    <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
    <date month="April" year="2022"/>
    <abstract>
      <t>In many Internet of Things (IoT) applications, direct discovery of resources is not practical due to sleeping nodes or networks where multicast traffic is inefficient. These problems can be solved by employing an entity called a Resource Directory (RD), which contains information about resources held on other servers, allowing lookups to be performed for those resources. The input to an RD is composed of links, and the output is composed of links constructed from the information stored in the RD. This document specifies the web interfaces that an RD supports for web servers to discover the RD and to register, maintain, look up, and remove information on resources. Furthermore, new target attributes useful in conjunction with an RD are defined.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9176"/>
  <seriesInfo name="DOI" value="10.17487/RFC9176"/>
</reference>

<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>

<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>




    </references>

    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC5988">
  <front>
    <title>Web Linking</title>
    <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
    <date month="October" year="2010"/>
    <abstract>
      <t>This document specifies relation types for Web links, and defines a registry for them. It also defines the use of such links in HTTP headers with the Link header field. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5988"/>
  <seriesInfo name="DOI" value="10.17487/RFC5988"/>
</reference>

<reference anchor="RFC7252">
  <front>
    <title>The Constrained Application Protocol (CoAP)</title>
    <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
    <author fullname="K. Hartke" initials="K." surname="Hartke"/>
    <author fullname="C. Bormann" initials="C." surname="Bormann"/>
    <date month="June" year="2014"/>
    <abstract>
      <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
      <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7252"/>
  <seriesInfo name="DOI" value="10.17487/RFC7252"/>
</reference>

<reference anchor="RFC8894">
  <front>
    <title>Simple Certificate Enrolment Protocol</title>
    <author fullname="P. Gutmann" initials="P." surname="Gutmann"/>
    <date month="September" year="2020"/>
    <abstract>
      <t>This document specifies the Simple Certificate Enrolment Protocol (SCEP), a PKI protocol that leverages existing technology by using Cryptographic Message Syntax (CMS, formerly known as PKCS #7) and PKCS #10 over HTTP. SCEP is the evolution of the enrolment protocol sponsored by Cisco Systems, which enjoys wide support in both client and server implementations, as well as being relied upon by numerous other industry standards that work with certificates.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8894"/>
  <seriesInfo name="DOI" value="10.17487/RFC8894"/>
</reference>


<reference anchor="I-D.eckert-anima-grasp-dnssd">
   <front>
      <title>DNS-SD Compatible Service Discovery in GeneRic Autonomic Signaling Protocol (GRASP)</title>
      <author fullname="Toerless Eckert" initials="T. T." surname="Eckert">
         <organization>Futurewei Technologies USA
      Inc.</organization>
      </author>
      <author fullname="Mohamed Boucadair" initials="M." surname="Boucadair">
         <organization>Orange</organization>
      </author>
      <author fullname="Christian Jacquenet" initials="C." surname="Jacquenet">
         <organization>Orange</organization>
      </author>
      <author fullname="Michael H. Behringer" initials="M. H." surname="Behringer">
         </author>
      <date day="5" month="January" year="2024"/>
      <abstract>
	 <t>   DNS Service Discovery (DNS-SD) defines a framework for applications
   to announce and discover services.  This includes service names,
   service instance names, common parameters for selecting a service
   instance (weight or priority) as well as other service-specific
   parameters.  For the specific case of autonomic networks, GeneRic
   Autonomic Signaling Protocol (GRASP) intends to be used for service
   discovery in addition to the setup of basic connectivity.
   Reinventing advanced service discovery for GRASP with a similar set
   of features as DNS-SD would result in duplicated work.  To avoid
   that, this document defines how to use GRASP to announce and discover
   services relying upon DNS-SD features while maintaining the intended
   simplicity of GRASP.  To that aim, the document defines name
   discovery and schemes for reusable elements in GRASP objectives.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-eckert-anima-grasp-dnssd-06"/>
   
</reference>




    </references>


<?line 1298?>

<section anchor="discovery-for-constrained-brski"><name>Discovery for constrained BRSKI</name>

<t>This appendix section is intended to describe the current issues with <xref target="cBRSKI"/> and <xref target="cPROXY"/> as of 08/2023, which
make both drafts incompatible with this document. It will be removed if/when those issues will be fixed.</t>

<section anchor="current-constrained-text-for-grasp"><name>Current constrained text for GRASP</name>

<t>The following is the current encodings from <xref target="cBRSKI"/>.</t>

<t><list style="symbols">
  <t>The transport-proto is IPPROTO_UDP</t>
  <t>the objective is AN_join_registrar, identical to <xref target="BRSKI"/>.</t>
  <t>the objective name is "BRSKI_RJP".</t>
</list></t>

<t>Here is an example M_FLOOD announcing the Registrar on example port 5685, which is a port number chosen by the Registrar.</t>

<figure title="cBRSKI Fig 5: Example of Registrar announcement message" anchor="cbrski-fig5"><artwork align="left"><![CDATA[
[M_FLOOD, 51804231, h'fda379a6f6ee00000200000064000001', 180000,
[["AN_join_registrar", 4, 255, "BRSKI_RJP"],
[O_IPv6_LOCATOR,
h'fda379a6f6ee00000200000064000001', IPPROTO_UDP, 5685]]]
]]></artwork></figure>

<t>Most Registrars will announce both a JPY-stateless and stateful ports, and may also announce an HTTPS/TLS service:</t>

<figure anchor="cbrski-fig6"><artwork align="left"><![CDATA[
[M_FLOOD, 51840231, h'fda379a6f6ee00000200000064000001', 180000,
[["AN_join_registrar", 4, 255, ""],
 [O_IPv6_LOCATOR,
  h'fda379a6f6ee00000200000064000001', IPPROTO_TCP, 8443],
 ["AN_join_registrar", 4, 255, "BRSKI_JP"],
 [O_IPv6_LOCATOR,
  h'fda379a6f6ee00000200000064000001', IPPROTO_UDP, 5684],
 ["AN_join_registrar", 4, 255, "BRSKI_RJP"],
 [O_IPv6_LOCATOR,
  h'fda379a6f6ee00000200000064000001', IPPROTO_UDP, 5685]]]
]]></artwork></figure>

<t>The following is the current text from <xref target="cPROXY"/>.</t>

<t><list style="symbols">
  <t>The transport-proto is IPPROTO_UDP</t>
  <t>the objective is AN_join_registrar, identical to <xref target="BRSKI"/>.</t>
  <t>the objective name is "BRSKI_RJP".</t>
</list></t>

<t>Here is an example M_FLOOD announcing the Registrar on example port 5685, which is a port number chosen by the Registrar.</t>

<figure title="Example of Registrar announcement message" align="left" anchor="cproxy-rjp"><artwork><![CDATA[
   [M_FLOOD, 51804231, h'fda379a6f6ee00000200000064000001', 180000,
   [["AN_join_registrar", 4, 255, "BRSKI_RJP"],
    [O_IPv6_LOCATOR,
     h'fda379a6f6ee00000200000064000001', IPPROTO_UDP, 5685]]]
]]></artwork></figure>

<t>Most Registrars will announce both a JPY-stateless and stateful ports, and may also announce an HTTPS/TLS service:</t>

<figure title="Example of Registrar announcing two services" align="left" anchor="cproxy-rjp-example"><artwork><![CDATA[
   [M_FLOOD, 51840231, h'fda379a6f6ee00000200000064000001', 180000,
   [["AN_join_registrar", 4, 255, ""],
    [O_IPv6_LOCATOR,
     h'fda379a6f6ee00000200000064000001', IPPROTO_TCP, 8443],
    ["AN_join_registrar", 4, 255, "BRSKI_JP"],
    [O_IPv6_LOCATOR,
     h'fda379a6f6ee00000200000064000001', IPPROTO_UDP, 5684],
    ["AN_join_registrar", 4, 255, "BRSKI_RJP"],
    [O_IPv6_LOCATOR,
     h'fda379a6f6ee00000200000064000001', IPPROTO_UDP, 5685]]]
]]></artwork></figure>

<section anchor="issues-and-proposed-change"><name>Issues and proposed change</name>

<t>One goal of this document is to define variations such that proxies can deal with existing
and future variations. This only works for variations for which proxies would need to perform
specific processing other than passing on data between pledge and registrar.</t>

<t>Changes in protocol that require specific new behavior of proxies must therefore not be
variations signaled via the objective-value field of GRASP objectives.</t>

<t>In result, this document recommends the following changes to the encoding for <xref target="cBRSKI"/> and <xref target="cPROXY"/>.</t>

<figure title="Proposed Encoding of registrar announcements" align="left" anchor="new-example"><artwork><![CDATA[
[M_FLOOD, 51840231, h'fda379a6f6ee00000200000064000001', 180000,
[["AN_join_registrar", 4, 255, ""],
 [O_IPv6_LOCATOR,
  h'fda379a6f6ee00000200000064000001', IPPROTO_TCP, 8443],
 ["AN_join_registrar", 4, 255, ""],
 [O_IPv6_LOCATOR,
  h'fda379a6f6ee00000200000064000001', IPPROTO_UDP, 5684],
 ["AN_join_registrar_rjp", 4, 255, ""],
 [O_IPv6_LOCATOR,
  h'fda379a6f6ee00000200000064000001', IPPROTO_UDP, 5685]]]
]]></artwork></figure>

<t>In summary:</t>

<t><list style="symbols">
  <t>Circuit proxy operation is indicted with objective-name "AN_join_registrar" and IPPROTO_UDP.
The default for AN_join_registrar/UDP is the use of COAPs and CBOR encoded voucher. For this
default, the objective-value is "".</t>
  <t>Stateless JPY proxy operations is indicated with objective-name "AN_join_registrar_rjp" and IPPROTO_UDP.
The default for AN_join_registrar/UDP is the use of COAPs and CBOR encoded voucher. For this
default, the objective-value is "".</t>
</list></t>

</section>
</section>
</section>

    <section anchor="contributors" numbered="false" toc="include" removeInRFC="false">
        <name>Contributors</name>
    <contact initials="T." surname="Werner" fullname="Thomas Werner">
      <organization>Siemens AG</organization>
      <address>
        <postal>
          <country>Germany</country>
        </postal>
        <email>thomas-werner@siemens.com</email>
        <uri>https://www.siemens.com/</uri>
      </address>
    </contact>
    <contact initials="S." surname="Fries" fullname="Steffen Fries">
      <organization>Siemens AG</organization>
      <address>
        <postal>
          <country>Germany</country>
        </postal>
        <email>steffen.fries@siemens.com</email>
        <uri>https://www.siemens.com/</uri>
      </address>
    </contact>
    <contact initials="H." surname="Brockhaus" fullname="Hendrik Brockhaus">
      <organization>Siemens AG</organization>
      <address>
        <postal>
          <country>Germany</country>
        </postal>
        <email>hendrik.brockhaus@siemens.com</email>
        <uri>https://www.siemens.com/</uri>
      </address>
    </contact>
    <contact initials="M." surname="Richardson" fullname="Michael Richardson">
      <organization></organization>
      <address>
        <postal>
          <country>Canada</country>
        </postal>
        <phone>+41 44 878 9200</phone>
        <email>mcr+ietf@sandelman.org</email>
      </address>
    </contact>
    <contact initials="D." surname="von&nbsp;Oheimb" fullname="David von&nbsp;Oheimb">
      <organization abbrev="Siemens">Siemens AG</organization>
      <address>
        <postal>
          <street>Otto-Hahn-Ring 6</street>
          <city>Munich</city>
          <code>81739</code>
          <country>Germany</country>
        </postal>
        <email>david.von.oheimb@siemens.com</email>
        <uri>https://www.siemens.com/</uri>
      </address>
    </contact>
    </section>

  </back>

<!-- ##markdown-source:
H4sIABoIHmYAA9296XLj1rUw+h9PgdBV16QPSQ09qZXBR5bkWDk9KJLsnFTs
6gJJUIJFAvwAUGql3fdZ7rPcJ7tr3HttAFRLHTv31HEqNkUCe1h77TUPo9Eo
mhazLL/cj9f1fLQXRXVWL9L9+MujrJoWN2l5F8+LMv7m7Py/TuKbpMySOivy
6ssomUzK9GaffxnN9OloVkzzZAkjzMpkXo+yFIZN8myZjCZldZ35J0fb21FV
J/nsXbIocnihLtdplK1K+lTVu9vbL7d3o2o9WWZVBZNe3K3gqZPji2+jpEyT
/fjtKi15OTEME79O8uQyXaZ5Hd3Cfg7enLw+iK5v4ZW8Tss8rUdHuKRomtT7
cVXPYOd5lebVupK5Z0kNE+xu7z6NVtl+FMd1MQVI3KWw3TieFstVMq39F9Xd
skznlfmiKOvwG9hNXtTZPEtn8GVe0FN1mflhknV9VZT70SjOcnjxYhwfT6/T
soYHGYwXRVou0qry35cFHlA6y+qihD+LEjb77bpel+ltmsXfnx/Al3o67nva
wDqvy7t9eSRdJtkCdl6n/zmtxvNkPZ6luozjcXyU/XztFnFcXRf6Dc13Ulwg
9NYLOMDp3Thf+AFTeHY8g2f/MyvqxkMIctj+ZF3znmWLV8UyqeK/4SGVdqF/
Tstlkt/ppOcZnm4VH/zZLJ/eHd3Su/9Z8RNjOCt4ZF1m+/FVXa+q/a2t29vb
sfl5y81+XqfzeZrH35ZZWj1y9orfHc/x3c+a/bs0n5XZdfxNWUyvr5L1Y1dw
xe+PJ/r+Z63idTa9StJFfIb/LWdVkdtlHMLFmiXwzeqKLmrvP57uxE+fxnsv
9uKXcE17fjnLafkfeOX/s4IbmS5g9WNYuqLV0Ti+KfL/K59Uq9+/vUqz5cRh
2FFyk806fm1vXFFbvuQblaZwo97WdTH6LrnKR2dA0eLnuIeshg28XuewMdrS
DGnb3s6LJy+/7Ia0bGSG6xnDesYFLeVRYI3yAoars5sUqcjZt4dPXu49l4/P
dve25ePz5y/dxxfPd/3HJ/IRVqkP7L20H5/6j8/w48noaNyitEm68adVuez4
DS9rXSZZns5GN8V6epWWn3jq5yLLYbDi/V3Hgz/fVnYY3M/2E7eJJ8/3gncW
yXJVjRbZ5VUN5Ar+PZouVzj2PFuEG5nlVTUbVeVKhnq583TPfXwBcI6yfN44
gGcv9/SZF7vPFNR7ewxJHDol8ipLvyyTasUTwXCj0QiwDjc9raPo4iqrYuBy
a+Q0cbVKp0jfq/iquBU2Cd9nNXw1jCvYfQykrUwvM3y/hO8QXPTjapHOLuFF
YK9FDUCqovoqqWPgbTFMhBhMb1arAq4SvjlN8niSxspB0xmxvSpdpNMa/pjc
NeY3w2Q5fJMA1a3GvJ9lNpst0ij6Ir4A1M/yYlFc3sUfvqj9Xx9xr2l8nd7F
twUQhbj3+vvzi96Q/xu/eUufz47/+v3J2fERfj7/7uDVK/chkifOv3v7/asj
/8m/efj29evjN0f8MnwbB19FvdcHf4dfcJO9t6cXJ2/fHLzqwVaA6NsjQIDV
BUImQ0a/KlOERlJFs7SaArOBP+Cdbw5P/9//Z+dp/OHD7+Dkd3d2Xn78KH8A
OXgKf9wCLeXZinxxJ3/CwdxFyWqVJiWOkiwWcAyrrE4WcCAA2AqOPQcqXKYA
2K/+gZD5aT/+w2S62nn6J/kCNxx8qTALviSYtb9pvcxA7PiqYxoHzeD7BqTD
9R78Pfhb4W6+/MPXC7j88Whn7+s/Rc37UKYLxLwCDwmOxeDWLJ0jzUAofvhA
iPrx4ziOEcXmxWJR3CKq4gsVnag/vFVS1nAeCP0ZCD0g7wGoD0GQSN/X+xEw
gjSNf1DJNJYf4JETxXl86ADuZ1XHdMNgveuKLkYen5yC7JfkcMnKGq8miHzF
AtFJbgzcReASeQ5XDEeHu0qPJ/wnPJfkdHl5+CngB6wYt+4url0JiIhAZmpe
EH/G0SsgDrieYo5L8ncVVwcvnZzePMe9w5BMP3iRiKnuD1p/vl5OYCnzslgC
+gLLizMUGHUrldlJ1dhKRXvxq4779d0qw/3cxd8f0TIuDk8HsJm3k59xiJs0
foOcWw7gPC1vsil/Bw+dpVWxLuFvEto3PsNzfdb5yErxoz0RWKc5rjL9P+u0
qisGCQ6nsLXzP+BUDB1+7KGgiMPnAgvSU9HxKt6KrBJmQtRx7288gzNUASLU
bOiFKeM8v29uI1CoGIZI8QdiCnyLvB6HPzDPIMAjgwE4Il2zqIB7uoXjSYGf
rXBPgOJeFWyzpbGMiYoKcrBFepMAaWgR7iyfLtazNP4LSBHxmbLIIf99ilIF
TX1KfHJMlOLk4M2BclNPUoDzNVgC0hOCLfPnO7te1GdB1uPljQkzgZoXnTTk
3GHGBcF5OclyB7lkGXciA6OtR1YE7brOFtk/kScHV7WvEgIcLA4ExzygTYeP
0cEm/gLgysxl0vWhKE3b6ydwVJMqRZQYEIrM1zldiWQBWLB1cHqCY4GIy9BL
3Oklk4WhXXIbEPYAXiTOeDmzHAhehlhA1+rDh6M356PzI2ChoNjF65zUVaKK
txkijYhIMwbzumImEJ4YUp/VChCdSOodv+5WdddeP+ODZTA08ERfXaagyuRZ
BezE36JZBuoayEDxtwCk9D2InIt0SJwedvHns4PzU9gEkZ+UKIvOH1wHoRDO
LEJCQhySRbgUJeqE9BNc7+wmWcg28ZtKDg8PbIy3+MOHw7dnx6NX3378yMMF
BDTul/UfB5vGFKoRjAls2RBej9n4LfzovtiPiegFiA28Hf/vicT0qsCB0wRQ
FXed0on434nE4OkBlBF9ZJNmAE+fcOQA15hUwAKWqKTxFR0DzQxOKGvROYG8
pWVZRaPLanGhvSXoeyBBNr9Oc7j7i57IetPwxxvWHXoWTLERN4BF0L1SdsYE
Bejjko8BT1+eMESHwJNWdky2ZzWvLq41wStTM+NxZIRnQfZR3xZIK5ZFqSuv
AFRAEuM+fp3cyV8CtTnZgAZDoeMpistXbs+oBQPBquG65HJLJkrp4BIAEboq
LvHe4bHy1QpPvhLq4K6yUmWcpGE35BfcuQQH0Q14Qv9DWmobVnydcU64Cmu6
GahAkcSYTdeLpLlWAs5VcpO2MCykRrMCBuN9VAZYsPKyXMpyV/gJV9G1T97h
OI6iD/vxFweHpx/h/4g9vYM8PljXRV4ssymhFUAAWFySI0A+fBD9HkVjfpcl
Zfo3vf9NUdTIJ1crlE3O0mVRo2Q1hSOO/wtUtZN8DsprXa6neOpmzGcwphly
dHD8UT/wwhZoJSWlOT6mcyFQnAr+VYHgTuNusDo05jk9e/3RfaKZ3CjxbVZf
CX+PSQZQGvuaEWTDHAB6N8mUx5p6CB16A0X8OGjFfbe0QdfsHQYSt47Dtwen
H/FftAZEU7uOA6aOhBunTrw7LA5OB3pEaJcwozE3kP+29nV2fH4xXy/goG6y
ssjxpCoc7+x4EL/K8mtEbrxLMjZamjzETs/e/vffP/J/WiMb4Ys4XABAhwyf
go43DLlpRUjg/9C0+PGbBFmtCjPO6eAW/uL5EzcC7Pkj/J/eNRhKDFrO9EJ1
BQfV7Sd+58zh6d80yJ/TPD2Da+gv5Hl2iSKG2aq5QY2BRrB+2JD57HZ1fgSn
v1zBeSOLa+0Ocf0hc8d9Gtzj4iYjlVvYX/52Pvrh7feH3x2ffTSfaWHwd1zB
HADvHxh54wOgk3OQ+KvHnrWx7bm5F7eHr08/0r9pvlfelhcfpjgT3oDU+Gns
VXgNgu8pW/vCCe81DLrJlwD2j/gvmnq5XgADgIsdwzcGl/wFOz88Pv2I/6Ln
zzPkAsEqCcGCRTpM2CP6jLaztzd4tOltzKYyI3MGtqe2vQotVfmMhcyrdLEC
oXJxw3zZG0NgsAVIeJcpGu08djR5DR6dkU7JHMhGkr+hYGstCs4gSXIFXHH4
is2QKPLi124L+mhkxPtAIsZh0X83TUVDBnUKNVveGilfoonDRzaFRqJYOk0P
HkeO7AYlkQaYOEuhtAKdZKzK7gr2msIXUShgiRTMwLHCP1kUyHXH9sECvYaT
DPUI0NvTkqQOGg+BB1SEfsgL0iKtsVVXUtGaRRVGCWJak7kwqWkFHth5mjIc
QHDOQGiOmvOjILEFD05A+7dLGbqFOOMwbAn9hpWAIUO1u0qHVvKPkjwvQE3i
q+UP0i0D9Yc7egNOBXS0BP5SkxrId85qXqA+X4FuyM+itIVQhOXP6G5Ugb6B
+8tmja1neSSIyGYchyp8HGxqIHDEBA+0s6HWy4BqAYQEBUDo46TK4BXAVcI5
v3avKPqjJ8NbgDL4kpcZu97xJnuP9kOvGw4jo6h5wz0fwyytk2xBmIi+AKfR
kt7E6FkFNAIJwbpao8wdeSUZoQyKOX3N6ha+714bwt9VBj/BnpDKAXwzBKUY
rGCbGYrkR6Ch38CPeOWWsqVVUVXEkBqrNVo2mclIGwMkkDWJ2ILnI1cXFRk8
QLgV66m7p8EK6HFYKfI6EHHhOWc1+cSpAS1F3lgCsfunM7WsShg/W4k9KalD
9ZztRIWGA/AL5GUBHPgmnSaCMLhv0DLZFrGCRxCywTjOHvaDpyybSfkwymo2
aniDE05lSCapKUr58Y8PH6Yq/eKi4U8Wxz4ORbtD4jIh6kb3I2VFLk9B6yuv
K4efF1dlmsz0pXBW4k3n9vTgiy/iA/FhoVxMmwzh5ziHuzfq9IpRm1mEqKLW
lgZvy2cBb/M2HaSlDpDdVw8wSqyUcpTsuwoYGLEaZxGOjK2XzHpW9eM9Ov0Z
+dPQMkDie0O3FrYeqF7dNPdUUf/kdAvtfCNn53PPjHAtw/jkdKSzDZzJNfTD
GTOyqo6rNC2NwdRzSscn2dTlYUCsuiqWaRcc7ydgMWGgI2HKVKOQei+K4rpq
A7Rp/gwM+ky/cwuEoaAD7AS0qzxepEmZV1EyKdZ1G8BMfDrPQLg4Ijmhm5lD
MLcU4UlM6UalwLVFpPsrw0qmJRBCYEKwe7m+vLIuTb5fDYzVW9xaahUNrbBo
gHIMs2nKh7tFF0Stn/Z0xGKavkcdMUNhwnEDEpHEIBkJ2ibT9KpYIOQUhYwx
sDkhqe1NY6qltifG9KmzsRsrKtSkOcItDXnZnv3ZZ0N7JdCf7+HkQrpKBOUG
eA6Z/eTQhw25gWkQXcXhZp8DHgqJCCCtwF0hELxHk1koC7phh+JqwEv4CTEL
RAUSD6bsGhCKSEQZMSVSn0VS1+lyRdcaqBusBXaVVVeht1AMoU1U53uxXrFl
1NEvAA2osBESSx7c/cqTsOD2vuatb7DRZ3xvxa5lBD0ycvswPSvs4eZQ3p0A
d1zNiLnSpU0WozrDg8fl4uyNia8AIS/pws7n6BIeE5dpGU2rKDpof4srTdRQ
2lfVOH7t5Rx7t6qAusLxyyUWg6jlQZGu1rmJQkVBzXpezGkaay29XbS9TSIF
RA2DZ0V22ZbRm0QQsXE7G7IastmI2RI+HOVXd+L7wIEFXLcriASUarjvURz3
k6rD206GuI+D+CZLCDwBeN3zLKI48YVFFGUe8CoMj64q/P6KROr+hCCTgCw6
iC9encd95KUIgJ3xLi7rCnR21Ben06KcCSp7MxtAZxqAJ+5Prf0Ofxr8NiCD
rTwGFpaLMlg8KcRxvj86HW6CS8XWKTQPwobfoBGyVn0xnBvnFIAoqXFeBXMu
4UtJ1TBEC7CGEa8lzZE6IeivUlWezGBkheVJx814DrKEI3FgoDT9qF6bApFv
VBejFMX+fFrerZi0WM2qiCiwBhfRs+DpgbzHQ7LfQgCDtAdXegsUmhdvFjaO
vytu0RHFHKTT8oKuDtJTiMdPUufWU5UEKFoyvb5NyhmpL85gl6e3emQ++EDW
GPgOmaoaOQX4AEil6HcW8wDtGK/FzviJuQ1ZWzHlh3b5DR8DQvvLaUltnzuI
oiAjRCTyCUIhyzQRJLcZCN54fsxZ5QG/4s0H7oHUpmntW8jc0/j9vajtmQ7q
ZXL50Ol8yVbr+6jVMG5O9Prg/ADf9iF1DVRQeh25DXToKZmf0wNPzBITlCZE
hZncyTa80upgUF+VxfrySvxrjh1UTTZ4QT4vpAzsx2rwQ/JwETM0rsy84QcM
rrZKDBPQCdPUakesoyt/5k3NUjIwGEceCdoGmZyEyPNVmyYcdyyct6S+18T4
kPrJdbLPjrkB4UsGI7c80ReNeJXcWpIs85VHlIo1XYrusOlc0vYDRCNJS9+P
ItRn2ZcbwJxknKTKpnBbQI+Qi/n9GYZUzlZFhujqPdUY6HLRCGgxi/BOw2IO
rIY9h0R82IrGkrsbl/UYmbXzSgjfYcfjwwbCcOnNt2sce07kr5MYNDgMyJA2
eJumHstWbuHnKVITREQ2saAmGbPutigu0ZsMr2TwbH+lPj7FVDyBAUeU4EBz
UMCYNvNIgHTzNUkRxJwYPclHjbEeWRpohEj3YCDAJnEhgwwiDg7+e7DhrAFE
lPwijyne68v2qN1lawgaLjapGw8wicS6j6fLqrfpdIfwM4Cz/XtgMOr93PmM
dfyg/Yc96xv2HWI0cUVSGoxPTdRXPjY6g+v0DkEFcEpLvJp9ytKBNcHmSka7
qfGf9IEhZ/lg8Ik74r0d+1OljnEcfxX3QNfoceiyJeP+LjRvwIcP6B/8GHvr
gwTbVSpoyMDT5ap9fw5fm4itQFbFXwNXFj+J3if0F7PX6+OAlQa8LxIGlMyS
lSqkMAwTU4w9AFQiot2xLXTKfxzLOqtp2ljohw/ktvrodT0SFig4CQRCmmzo
bmNeNCy4KiM6CZBH4+OV0HEUwJocrMGwxMzRsAYh+T/sDBRqcIx2oFBH4N2J
siSKPG/F+STelm2dUCI3z43NYHK3iT2K6UMvX8RGcUKUcLKev/Ket1J8R9wH
SsjxesbCjJc8DgkQPAlfDhiuLQOz9wufqewSuWDHXutxfYhuh/cbNGUctG4g
yigLhYP2yQpIqZV+rJIStIhabZIdypVRjXEHrS04TT9GM0gqXJ0+o9Y0zy5H
KjUhmbOBNa3dHXq1GWHQO/Do0hCpevECkbWBQixtSQg0yrpKexPzEN8E0OGn
3hiBJ8UsHWa1+lW/Ag0FyMJ6mZsZu6xpKr5kZdwYgFM7SLPN6rXQnKkLM+2C
qRGv7oMrP9AEqwGoHUeBKkDu2NaGk0WLG9xWY26hHACJaoOrNBdzINqt7kRn
UcU1MoOwQyAR/i03ZoGe+lWZoekZhyWClAABy0c0nrMZ8XJ1FyGsHrAZAsXn
bCMi/buLkLFk+ajNNIbRPTVRmDJHaMCsqtXshMbxGeuPuok28qNfMXxp8yWK
BGiByL/pYncDXpDLwd8b2Lp1BRb6ACqyOIMdCkIyJl6IW40VfMwOmC+AP+Em
VHCrQsPdkNxMXZrXhmtFMJ6QUxAEZkrNxUH7Yl3sGA1oOF1C7/CjtbSQQ2eg
ePsuNw0CAP0gwtxFrwHK0VCRWgd2z3YoC1q2pHshSghrTUsMGIgXaU2UPhn9
kx6fZZeol22PXvq3yYiheMsvEFmMlsn7bLmG4dL8sr5iH9BGfXBnFwNYyN9Y
OsJzptZ1hy0BT3LMSy27aszpwHOZagz8UBIMAmlHLfWVmDz4iubOuXInQQxL
eDObVu48yP5fGtnPKMWBv3SLeAgMzbRdR3UmLs/VZYRxfLguyVZ29u1h1ZlW
jwYhkAidtQse9NHr0ebVq+IcuGJnsyan0oXIYRzNF8ACvl0kl+YUNt5aycxJ
qgrGn0nGnRWaDn0QtbnWYp1KNHa201A5js/poc3YxNOFk3spLwtcG/ag4FXx
+MBjzTsnfsyc/D/ofSb6XLlIK3XaBbEzfolFaSPEhcOGYcVeXQnxXGaiOxr3
esxDgLg7jxvZTVi1E6Nz5DY1jjWmgUA6VF0JtUNWMEt/KkJkQ7swo4rHULfl
ZoyPWDHniusbKI/FqK8ejVKE12a9JnnFrFFtxPhA5PAGp0UrBnIPoShXDExy
v6FPNXHMUoatWXkag1p3LUH/dBUkmsodf5ZH9Oh9q6HYeZwMhkkviwZq1QYo
3dRL6WJ1M3sw3HwmQF5QWQqg0WlD12NLOnyQUCTElqyOhO0yNvTV0e5eXQjt
EvAOhpTR4/To6xyTXfnyoS0X4J6TmU4jVcayk+4AfuG3mH5KKQY5xpiVYnzA
aR18Q0lFpQ887DtGbiFy6SwCSWsJD3KUCevB93ALNhRJuKbiTSX2VECWJJ91
KRT27Uo9TJg9VVnL8CTNQfSZIkBCVuR9yvDMXSE2zjYzDDSBe2ERf/jCcY2P
Vi8QtcCzFCA9aQ7AKt2l3jQwWXDgqcuipEw1eHb5v0thwJCoeMtJwxSDabVI
RStavGXqgcV5iBaG0AYNmqSJ3nAeKNpm80nxpqmTyr/Hlw3OiUzxDfvKphtF
4l0YNqsOUQ6TCzDRwRkDN/gk0UHkqH7cG/Vwd5M7Cqggr1eW07pD5s++JvjG
76wC1rqYocHmmrw2vTcHPQRV1Bps2Hx1Sm8iXPBtUcGPkXTz/iuHd06o81cq
clEWIgZ6GZJCkqruaNfUD99SazrQfJNejoBA6SJ8iLfQ/U6kEvr/IL0ubil2
5ySa9Bo8VSUWUuG8N9XYUf2hkmuU87hJg+YQe2dyb0daGu6KDIHEHrZzm/hL
Jw5R8JYz2wDGokyAy8idMuVPCZdLNyUEq7sCNQMcsd/pLENAEQ0aYjnfDodK
Ispb+IabtygHcnx4VEci0TQEYiEKKJiWBQj76GXGgPlovfIrsfKhvbSUfTsT
lwTK1D2fG2kpXeflEWGIT3IDMQTdr147D6BHaOZMx+QXpeMjEyjQRoW1c7tG
329OAJ6koIkO2b1aZZKuD3QLPcLuGovHD0P5MhROsEYYFiWKE+eF9Nf4Hk24
HXLUpYeHkRQuTiz6RJiyW14fpddBR6y00LwypQQRZhl3TLdwrzmSTNma7Cxy
8U2qXzqPhL9WTpkM9IyksQAj9XWZ+W+R4EZztG+sxVWMHGFBSgX6XJja5zYn
AAAB6iiFr+StQ9l0DigeS2iZXIc+isMDkeWmxLI45ZTEZLoseccEUR+k8IEx
Dp95l0cjqnzDUuTAKj2x4HxCpHLUUUk1xVloXAqGuDzUXLYRUz899mbaHge0
Pbp/EcwEg9FJN8B7uyA7XYM+KUFpjRsofPEDdmZcXCKgKUlkJIi7hRrCDQxS
WWO4PxboK5XTEoFYs+doWqbKdJpsy/OPqC8yADCRrLT1AToutaRIa0w/RU0x
YYIzogicpgXYxHSobYHIGQWalunIQbq5wmo/PsjvrPQtK0cuKWKkjf86atlY
IjRbcOhJ8wBc5lfXmrNKoobE3NgYWUoJObzscNEp7unmIuPRY4wKbA6f0Ons
N2QPkF3j0lGe1/VtEoCbC25fpPvR3frkXO4rat/W9mFdocgHT7HshDgg7W9W
m2r6kG2pimahFq5h5e2Us4KopvIYwyJ5oZheqxl8rgjmMEL9wRVy4ci1BA2O
gEyrBO3ZbNZ2AHHD4H4DBHb8eBmP8PosCs5fIB6mkNHbWEXw3sLGxvowvSg6
ciGC6okj1/D4cryv8QWkuauPdUP0YOhQjfsS6gF3VlyvPhQxDG8IAhsiHx/v
HuhzLArVXQOGaOCGC7MwsvGdAeyUzbGF1mUGMpiH8W26WIzE3eqkSJcR1ri9
YnPpPA03IREouf0FYvXIFy5jPMLtrBDl6loNpqBRphuuEVbUCmdqJFI6vFSc
tBFx/s0AKrgEhIqx9JjL0rggzSwiZyqSwCIOgfVU2x1ky1wrHjkEgo3k9SaR
qOkqx1AAUKsSJop3SlNwZo9VRh+vTPkPn/zik5kZuTFO+gY4Jdb0Afg2yk2Q
YFunJCqb64y4aOsa+fywONPkr+apOMlGbQmRGVCwkZgqCJ9FmQ5tsJcm37C5
QzB3mpXTdVbbJekpsFbm7NRx7+DNO5ztnRuzN4xMqmBSdk+xefMPn+ld+fOq
x7EwkTLrAAExDlfDXtNG5JZU8Qmw0OXwtuGnVr+U6wd9cxchZjv1Vsq+NFER
DUkh7g3bhENBEgReICUyGAtKX7rCkFQXm5WVAYfqhKfnDaK/meIO3ewt/vAF
V22Ior/YdcrTulujB7VYGbsQCRI+fVWgTbdL05RNlT0MIMMYeuMqjSySGyJ5
b0LWRUhQ8VlaDkIzcBhN7hooUdujjxh8NVswjMxg03XUnODDi/qWqYGKcyqx
zkJO3L7dhQj2XxW0iChwOmtJm7KxeHOD6w6kddnVmlzN8ncplc58GpYQe78M
l1HpBRc/LloXCjh8PskqVcpDVLcDs1MgdsWdoaFkA8KnRW9bsbFM0k3Jxy92
IkoAS8zcCJeCPVOYNoRBS3U7taoz7Mz7S7J6Y7qnp4gO1dn7Y4x6JzXjhJ6k
0jSemiNVmQOTr9mydhGJO7SOIa43V5uyK4NHtm8WSTSx38cI2Bmp1sUqEETH
8d/UnN6iBiyeK4VHijvUwHfcm6TtM3Dm4SVpkYGbAMQMdpTb/ZWw0epU6QU+
rApkUhjJ0AhfY5EjMGQ4S4hh/C5czacYkCtACirEEqcpVd1clotkUSp3mq3z
WZIHgc9e4ULZwc+DaP/N0T6GGqZc8YFRdB6jtx5408wfWxwUYSCXCumpmpMU
/Pz11w0y+/rg75pUj/D11f+UZOjrswbxmNxpycwY/+MSLDmJN6QoqDw6IzOX
wzIsjB2dbe4dHH3gCdYCYN4ThxVNpLKl20uV/ZOS2pu3oKoSkR3NdtgVBawR
1yY7KSXD1BWXDehSC4xiHnC3Q/eReYbr0lZmTbeu3Ekl+2H0Vx+DgMLydPMO
RCMec2s0G5TsCyTDwW3mwR0Co+zv6SWjsuYARY0LjXmbsk1DEi0hDCpPGEwf
mUhFK5sID+piJ0DpyT3subc667ouH85Om+3kdYIwPoZqmQC3SpRGiqlGNo8b
EBXPgDKiA7r9BJnzUpEQOlOBVXU2IXgBU1Hk92Qtmi4yDl+nTfBVC1JjUL46
LEbEpMQo6WuYevrw4QtQEYqPVGPBFXXguxvmeXz4gGXjPgbS+hIj7unC4uQ8
F/nAYR4f+K05Vs66il8yWRhdFSuD7v2j71+9GnGRKT4+TBfjeAx5KHK6L6Im
WyVcXQKJ2vFLkTNwSWQm4tUojOT4qHBFWxg7F6FZ25IcT2pafIrEgzs2kwVW
QQ8kYSNSnVH4aOQpp9gieaVWixvGJnFPgOhTkuwCTalNfCnSl6wExMJSmlSp
FhNO8ynJ9iDKg1jEVXqwsIYzmM2Th9WoCZ32EZrJvKSR5leJMBhvMdLMflP2
WyRLOG+1I0hIi7MyzTAA8za5qwjloka9hzn7J95rsRdzgcKqCAHBFYuPy7e3
REHkZWLQzV+dEM0LIhTFMhW+jEbHcTqTiLPpsY8aX4y4vIU/1KA6tb+wZPNi
xbmxBmuf5dmDIrVetYyc8QYDFhBGl2WyuhIqKPmeN1gArAoTDWep8jq/TBNA
4gpaGJkiQuEuERXaUx1y+BiXHCV4qjAe3DJrD1UF5j5TqOSTvTo++vOxxg1J
xrt+6xJGNmRwm5zQvJilvsaN2/WIc0XHUWNFhmpySpton7JeKfGhxRtcCrBz
ApjIS/VHR8RTAmVL1geQ6Zg+2GkwuxQCDLeLWi6WqRsKzV9k+TURz0UMj2BK
JEoW8qp/TU69+bRPZhfUbMyNs5lSeq5zBqWIkUx7IvgNb84xdomk1nVdYMLG
PLtcS0UlB9F8w3hDJie6HDVfYk+VcCRkShyMJt4WFG6HSGtuUypVRnJjYvzG
U3sprMbJ0desx6INCGmvzP81+cFhDAFE8JoJj8QiH6G+QcYUndhQapf2q8ip
D0VaYb1MZlmhPB0L+q15RCqvIRszAUUgemE0XbAyPOwyUwc7EKJcwg9gK5F9
EiM2FBkDpOPgvKDCshQ5yDzfcjlTXH+aXLEoMzfejPBNAeCkBFGNjNkqIzYv
J53sPEPPN4pm65xLsqQzdyiaMN0YEosbGgKjXyPZkC2HtbjpX6QeCahX7VtJ
RDWgDOwdQbrnxSx1ypNElRcS31hRfuNIlC9bKMU0VugGaJRz7e9cAxypsiw6
2wBq4lQHkX1NMYJzkNyR71L9xmKCop13VIxjqtz94YOWqBmpFV3D+oiBkfFC
S7lxYaWwqJclT+oXVHjRPQgxpWqfN0GIcIwPVOSGeJGUl1ZFlVGjoPa0HpFI
aaTrcE0ZvUZB+BMMs7O9rVYZJhDV9Aq0SK5al2kKXpW2HAipj6eRWsVUE1SF
aVvEMrkpshmKktSaLC3WiGkoVnL9OxCJPMknKvk3iVTGWagIjoaMwjw4y5ZA
DcYmpxJ+0Bwz2u9MJkASANQ7RQL1jSK6uWZSc0uypSvmzMsbCnVVo6X8ShUq
vSqJWRynF2fx2Rkp+D2ulOyt8nDNfYlvrZSAehcVRj5zRYCMxD5fAyRkYYLp
pAVEhBJAsSUIVgaTqzoLorjwJ3et2sQnTDTGYjDYkYvKXSbs91c8WWTLzBme
BOvIkoMCJ+paZ69VH/NqAQlh6QpYjZRBiFnXABVx5I1UmPJPdSiq9ZJngLeP
jopzLMSUTK/5ptBVw+5oHL+zxIXGFHTJqlXED8Ov5k1O+QQxSaXLE9091SWj
YK1uwGhqPab3SiU7PneNrsDA76LSJgyWTGm8dhR9FR9zsUg+AmdjM05jB2C6
hfo9KmlpWSE8F3gdq2Je35I5EmQDnmaIndds4HiVLLgQQ3pZyhNfxQdNU7MS
H9HSdFxA33QxHwbFqyYo95A3hVKsyLtMZe8AuNRE0KHPyVF6c3LEXQ8Uw4HQ
AkmFx0vWahEEKjYj+fWUi3RBrFDJoNR9OIBSOCsytYh+nwDLw/Vs/fWM/usM
UjoK78XH+YUTqnlIIyo7WUjYe0JOXqpzNhivDQ/ES7xIkxkTIglQmK259nhK
NAgNr+y7MF0E9FCAEYYOLbvyFs02lYpB48C6Gjvj+AAWka+xqDRcX64R5tVZ
hRBHYrAhdsTlDC3TdZEKNYWg7wLtui3MMMEMPEJzzToSFoH1GoZIi07E8K60
rjuovA8kIxWvDB9xpuvI8B0fl6QphV0DV85wZWofE3Cni6S6ImPLHUa+s/wX
YXRfMk211mFwJJirh1shq8Zus8FIMO1+3PvxD/LLSH+h2n5/ivu7A3TctqJt
3XYPeDXvY7xmb9AoBvMsqA4moZ6tp4qm2gVhEsr+gHx1ZQLfMxI29pE6wdHY
swh5TYMgygBOMxu2JVDWctmgXWDtE1bUKQYMnUtYprksgFjfDeLLdVp5RlFK
CR6CP8G5Ly+scw0fzyjOM01KaiVJaUP3gnPMG9RBubSCqyOiKOn8iIS8FrNZ
/LHOocaGubhIruUC2d9NuZssR5KR0gszPrqYpqJV4SPduI99w2onFRBM05zE
d8tqkE6lHNmUmsh1EMxKFBWdICO2Dj0gxCXstUl3iJhHZgk5A4Xsx7OUe6z0
A7OY0hFUvQZDGHDWvP+u65Y34B0eII7RqLdKfPGFvilfc4dsNb3nUAZYneNY
zoSYEVsSdOFZijkQSdBCCO/nGotDMq3hLbHpb7jhXG9dRgQGtgn79JDmYBwB
h5THJnXbK8qwxJlVZQFkwJaXS1K44hjNz1xBmi7iD/S06JI+DoeEb9jjFbPO
rPRoizkPyYariuCjvnMeUVouZ8ecGxLgV+LE30A4GxnbJlFbTkCGC1gE+dVB
WrlKSsMoDg8kWt7zsUZx7hJDppZUCYyg1HDoS+Z3MJWsy4kCunoLC2afGbY6
rtYU38JgY8x9Q2g75l4D2C0WiC+KNJVoE7Dg/362u31uH26vbZlcp1b6eNPW
Zp1VWhzJUlccJWaWHLDj7337ICaGRperu4qKPaHIkVZV5pMftciyNhOIg6vL
Js4WV4vJWxwKWcbWExr8fMBI3HUNsMAfxoK2hFNb/MqozAtqUCXuC2IhWIEg
rI70uza4na5/nzyBTD1IUmECDo83D1R9FLMCNTR+GWOPgP36DoleI7QYiGsm
gre2DjbYYbKcZJdrFE2UphKV2yBV+cSd2JJVWR6TBRsOictYZNfpIrsqCgq9
3aDWsIADN+//hn+iTrUIW/L2Tk+O9rEL0GK0vbfzLD5/s/+3V0en2Lj1xcHL
l2PREbDfci+KXtulr9ZUitfUgA5G58UnMAlO8eMf4N9/+vFHnODHP5y/+ZMd
WW1sSltsfStzEXC9v5eOO74nLKa9UTwQKFV5VaHMcM63fT8E5h8/tdkeMuM4
fgtPHqvL+fAN/OVfiSKRnVj9N3ePFyeWAePfcnLXVmiM7zw2GOOdtF5iMv2u
nq7GbIiOT97g8LTEcB8MVbuTH39U8MInAPB406hRTMs+PzskHLv47wu7s01r
/BWnj2lf52c/xDvwv8/bnA71qy8LwdHrRQSiA/hHW0+y4L12ETkIqxrNdDV3
V/1cMAWT04TzWfJk/8XL5Pn+/Hma7m/DP/v727vwb/r4/Cl9Snb4lmPDHRWU
cQ0j1fDrrF6kf/xSsHoDyZgldfIlO8zRHNoeRnsmBgSsJz/20PST15xRL6KX
7+QSqU3a2wDc42XMxMF5Ny2LYloRf1NIXB02qJCARBBz0kUVhUaBLVDgrpNL
bodCEU1BdUHQHilnZA3KRVLZ8vH48vg+Q5FxoInYSoYAAwruM+ISMaXohKd+
nbQP6zzaP9u1P5JI2BNQO1N/zE49tiCkKUSuoir2jn/h04BgUrJGdis0l4Ws
blsJA0C5PsWO8IrEb9LvBTsaRGK4aLFbEtvH8VsS5emPKjQtuVh2ZLuyQN+A
xdFeE5Agqo8PFaQYTuIMWn1Slhb1YineMTbpp/wCKOPJio1FRhjlwHDT7UN7
AoXx5cTs+LSTyrojPkFIs8p0ahVNqUlGTAnCOeZvl+JUdrnWbCmW1gYWIAvs
WwKsZlJTLmrix3QOIlapYH9oBsbEFrLxBJYpet7LN2zRBwDhQ5pIi3d2im7T
ZQoYgmgbeTktUVGdd9Oo2esjuRMuaM1Jy5ySFha+7grRYNc4H5AagF2JlYbO
QcH+mURz2Ba4fCh15sKJBM18LwPj5UUvRFgUNLKly9H3RWeKzxLV4d5oLYMr
q6Jp6SztLndekVwbPZyl6H4BzfzsbHCPoznun5+dDjTDPPB2tjqjSdoTSKkl
bDxN41bDLJNUzusZEph86oY6WpE+8WWhzDzryXUqcSPSdKvhJa58AQuPDqYK
hFpDEfTYPMyAlfEPNu5LF5mIgvvLNkvwLm/SjBn1dVDMU/QaTktn9S5TamvC
VOwUtme7VPdTLrc2R60PtSrCn3wW4aKpiEopsU82WkkDKQjKyWWZCqyUnvRd
xXshxHQmtwl7xMjtn0dmT+P4u5QacSTINmYIDEJ/H5rSf31xMnD1VsUG6BY9
CXs73aIzqsRkpEZzODKeUCw6Yw2hIzn2Uik+USUStk0XyRVR88ZGQ8nUqakB
La7gnQ26R/15KYprIypDGRZN9TUGAROFOBYqs6H9bVDwl8406IXeUfeFGIi4
ToKGQNj6lM2BUcIVusnzqgNvMMNWIoZLBbzMNBTTc2gXzPMZ+Q3c7LThNBNZ
XYMe09D9Cg8k56Yvrn4zCj696/TujztUMfdndKbj373NdWh5YWHMK2xwdHRw
ceBHFl8+91ouqI0guxTkcSGDQcQjRbLeV7wp6KqUbMrzDuo+aFmuyMZi0WGF
+buajtPM+m010DYHHUa+NSObZaORbBQL4lIJ6s7lBaFiplkyFihzozWbJjVc
1TEFgXCfX42fRcHVZfzBK5hb12cX4mFQq4qwxYUF21e+P4JXwl4jAx8z21hr
ECOEYiOZjU1LF8CAduJFozRPZ/S4ZI5TD1Ap5BFAkgNbuaZgmpEgtCFT1NeY
rAx3yciw97NEIooglLsOTCRabSIwmS/BZHB7I0rEBiWoKD0DkWvQWSSJ7NYC
FIEXRvD4CGA+pD/wLf5r5X+S3Dv/q0ifKrfQoaNsLXCTJWpJuU0XP6hLyO3L
WPK0d6n7/Pq0Yc7QAbFyYk6TLECeb9DREvYY0URCRx0pN8AWPdeLbolJcnJU
RoJGpfBO0oh7dRcBg0I6jWBaHJ16g0Zd5NhoU4aD2Xw139/TCi90MGExErRF
47K9CsNl0ajXzVVROMneLZHCuNSKnKjG8T33ypRAKj0abhGC7S41FoLcMuSg
oEaQpgxDdQey4pKHwxIiLsa3ET5pMtwzSmIyAYzKvSWUjwGgTnsWcQIqFxof
MXIEgLjM/sntEhKOIyElys6irDKIRG6sUii6eQvtdxySL1s8UcehYpBrBuuQ
x2syrhFfoN/0OSVoYCJ/A61hyBGzYcvGWFISGl2fpCO43Iqs9svZkDDaEVQe
RtA4nyb5n1e4QkafpseFrsLZD0qz1CnoCWeYIRXbzL7WLVXE7LZfN3v0bgi9
DzBeQuVdydogd9AhZOWrqboYDLI62/axAGdfG/CjVqd3tKZVLCWsFNYhR2ox
G7LlxeE/7xrMu2mtNP+wnTiOvZnwxdPt7fF9Izzi0bg9Gx43SLW78dNnz541
p33sBGp3VSaH9L/5+saVkM30gUbT7Z3o00Bez+7Z98Og7Id4xKP3QfnZ872n
nwllN4GHcs+bjtmaIORmtKNW4yBkUtKGWbyj9MFGXzixIBOpmBQ3zvwGCB+O
v6tMt5GOpCFrRHGMuEiSz5JslIZ1sgwFUqq2fCSahIg4jk5qzipnQalR2MSL
oN7hODRV5bg1V1t80HrfKtBO1DI982Xoom78ls4lLoMVJYcCyX+lUDR75kws
bVWji+9aNdrCUeimnSNycI8NbILHMdxH2PJMl+eKVITOnqyiEDLuc5KHdZMn
jSrI0j0nn0UtGd701cOqXHxG7WAvAwU6oSy0q9Ijrw8Onb+lF2J2z/eciexj
rh9pnZac42XLPPo5tcqiNdTEvYeSjd44Cg9Ssp0k8FErdtqFwZ+Xi2JCUpWI
fxgGC7yYjcwnx8fHg3F8vKCEDR1QLG4Rp3FU4XJ1CyFD7NIg/EJhGaSxJybO
lLVi4lPoicdNOAOwSJcOsBiVK1GklDWwznNOAhi2TsxWICZbPoZoEXaRNUZb
7faT1uEPTJFa2rFJxtHROWyH1RHKp0m74dFhsXeJ2w1nNQ9TeU21ReJIB7kt
TAYwCyVaJLvaZzOchPtrNBKfcBBTxcUHg8o1yva3d3afPH32/MXey3/lU4t/
/BoSxAiu/yOkiE8+/jhBgob7nHmMI3fjiBskic8WJD4P3o3lrR4H7k893g3u
TdBebYL246ch4K/EYrFqncLqVzuFDYLMbqcg02xna5Kazs5ec6Gps9dGmhEf
14PFGadyUchjEFcdkB5DclCWiBrRc2od1q7GsvAREQ+SF2yWdNPG51WkwGXp
fo9E/vAyh8gggcjUJXV4m7EOsbpnCM4Kk4qg+vMqkGKULvquCyHz8jYZnE+b
I7qh0DwR8Rr4SzGF1urMcEZ0jB0vMExtmjbKP0mRVgxNa1hx0Mbj/F+3RRSe
oIZCU7oIlyEZSpo/a83Lho+v73IFBmTob7Qq7o282DuiLakrIpw2oap0iztX
ZLuQbDT2taBvLgeGu67XRvJQ9z8XHEQDT7n23URur4omb0QnDq+vKCT9NBB+
T5zfooG6JJBKHAfRmL6PY/Mi+0A8ijQWJcAzICXpyQUv0JDCib3Qwtkfliub
Hyn+v9SToZBtV8sqmiUUcIsmUDxwZ0gfevstf7nSL9XN5qPfG8VAKhOoZzav
VcG40tqHLy7LpFp97PJXdzYI1lzWjb47qSXjnaemwoDz8UYtH2/QaOcTztLK
eoRpH6arB0JzY7FXLqrSqGHFmUJ6a3woOI8S+ovZ1CyVL7l0nK1PTtl7gN6p
NHvQPE62PLmu0thbpMaj6qlTTLpxRrybKKI44L2XL58GTWQQNcgU9OmBTSPM
fwKkRzWSPvGHsmWHK6kHp2iN9I3CPLYnrJ61E82LEW866h2s6yIvltk0fiP+
0pN8DhhG4RfrErsnHrw5Ae0Ca5AIDmamG6kRr22Aoq9Hoia8g0P/IoZOSIba
VMrVzKSVN1aZXmeLmZpNqXLLDQKOEmnRmRNWR4mCijOmhfy45bDFVmVaF6dd
s1syLxxqDDdZHsPy7lqHudkUiHMMRPVpVEkcmpKEEvWCTv6iXOq3JsbF1/KP
mlZDhm7YbODzDYfoLAtaVAQ7bjpLnF/N7SpgZK6Qy5AtxeLG9lJMA17sDnGU
2tXnCezDWpdKx7AVVso08mfVNPFo5cGjlhVdC6V2LCx2l4C0TOl0kN9dFViI
/BDdzOIl1yAXwlnnlbJ9ixUDgLQuqW0LYTO6GNZLdDMTOqRz+JbMSLCSpIqM
89eNhaFcMghfQCrHJz5v/9hldiNKMGXk0pMyFArUJUcFqdr4j9fvvn319i3s
AHVADDcdxldfztO97Xv+2fkSHqcnOPD5H//A2p9UTAmI2VP4cQhaE/8W/+Pt
O9TG3716e3hw8fZMvn3QHCenp2dvL96+A54Pwz59+uQnHbNjPuK2/94pf8X5
QJOHYZ/vPf3pp+gnr5AQx29bVhmlVKN4rF7y4UNjWGaGaL0LRuRZuorYsHzj
ANIoISRlWpCkkmzWtMW2q4P6ixr3UcAzMhCXvfLWQSYnoY0ykINt1Ujfe6sV
KtMPgzzjJwNTFgIDRKQQFbc7Y8sPA0RK4kU2rJVcxwQ1kJuRrgBlk/rUm12N
YZCHZACIWHTB4Zx5+znykZ2NG4VTOBXXyddo9TOEI5qlLhsdxDmrUp6dMf3V
ovoo7eUcuUYe7KAZeLeLL2HcWXjUuFovNdYqMWEO4pGGP/suu8GVj0wuc6Bn
YjR0Tw6GEXqL6yuX90+UVvo0Npir8F+3cS8JS43lKPIqImC8XKNNj29KOhaU
caUP/teR0t+MrhkYPd19svNrwug3If/w7X30eLebHrPyHhhupKBeWrk8icZI
KNEddOqi+q53czEVdRpjRJ6QVoHJoSQNyqIcWaVdNT3gtWRYR7nEjuaYmgp6
IalTeS2t84igLdPykg0grftheQQl8xVRN/EMC7pLERziE1tC5nXXt2KRiDQ3
9RJWwjAizYH6gVSY4jAEwbtErVzm6Azmd1pJJGa5cJ5wPBedzuM10wKoEljC
nEY6JqGAL4SZBLM66IbsYrwaBEsK/VW+TmEnoa20YzyGcadYyaQegaq8TEaM
TGRXpHQDKnX59ux49OrbKOr9LZ2Azp1fwwp6Q0lbfbm3h7mZrhM0i9poC8su
M6b9SMiRVBLD/e7i4hTQLZlR2DGGLsOASPbpB5+QfIk5A7Xo49+fnWCpY5h+
wdOrSS2R9kGYzBmJGtSqOqcFIoOF0HxIx7VYsdnckNogovRD3Pvs+Pxivl6A
FniTlUXOONk/LM6OB/SGJAQSSARYKAh5jpdEtErJOXU5CqYihK7QiRXWESzG
BV8WF/BH5vm96YoZ7A5XcoDGCWTJWtHVPjFsQyMWsUNsIOuM2wrdAmDI2oBG
T+c7Ys+WLGPIEdFquMHocRy57zX7AXvSSOOjmHDyFydcK55lGxLFCGn7z57v
PRlEYWmUxNtPfZCThATY4jQox6SkzSrA1O2tL5Hph6s00d41TJ2cYBJHFXg6
qXKMfx+dtxM0VWlIFiIQ+TZ92UXXQJXdwQIZtAZHCB09EViqNBv2Raj1cmt1
XN1GkNEhI7uOzAg7BGlRRo5AMxjRC+4IrMYUNWT8YVBWV3P/bXkz6eohirlb
k4p8kS0cPKG6K9cAoBnTTbTVqI2QxMc8zW2ZZ/fJ1O11pS0vy2K9imQp7nDH
8UEVL1nARGUdAz2Gio5xYzVqMJK3pR26YJab3PR5QHBKcGX7Pjg3gVjsXu68
eB6QwJ7LnDnKsDhGUYJm45scIM7qQp29LplMsD8ZmYPox7MjZG2+WD/syCZ5
GOx0ZijSeGBwbEPCgbRe+0kIh2VkSftAQ5cvbGHaMPQVTZgDDZTVcT3HxF4Y
nA+nJQQ0NeDdnbYTBjdaQeDRwFeOwABHBjqFcVZjn4wkRvmSqxBiIjrdN81m
imqtHSeDurBBd41meigKBj1zXqpeCi8yUcEfpnfVerlMUsx50+X7HC0dgMrL
hMcdjGmx746LXTsI5LOIjfeOIzCGIM2YpNKVpJQ+6C5dh8tJCsjU9K6V1c09
8AkIkWvElJZbnsgCsvtK/65vp6qjWv4yKLs8bnsRvmCbqYbimrQ3vDHT7j7p
ktyjYKXQUtf6VXhmRYHErshkYS+xqXieafBXRe9K43dnTa4lycQCEC3A1TTN
YfOF+mzyIuxvBNIsAH5kPCyaglCiLKX7Gkcim/AL3pnIYMu4Qx3F3WhCii3j
jcckCiyuHEanU625Yg3dr4joqfFLEkIviHJzbxWJybVov6UsoJm36rzErg44
rt+UfVL5o9cn1+7A8oq+HAisftAb+hRKxlBzmDghyahSr3D886rnXH7uahKG
+Zpv/V5Z/1F/HOGPGIgfBho7gatV4mWVkeEVpTJ4I13MAzsVJRGwGK5CNScG
2K4PnLSod3Uc9ebz7d39/fmsp3HpzTq9jiqzYWuBLSaTVfwGowbJvIWke8hh
va5nItnkgZO8ePJyG+uXiuiH2KVchSk+KipZnY5oqpmXT1ba+of0ywvsxgKc
ZD+Kzo7/uh//+fgC/c2r/a2tf8CK3uGK3tGKQL1950SydzjcT1tj6mFG8ssW
wu1rOAM9MhzwfD/eHW8/42wcKmEU/wFHr3D4MxWScGRhE+9kmT/tI+KMkCn9
6fcxjOoxIYqkMEDXkhXm/+LSUGnf35++2NtPn0yf7j/bS7b3k6fJ7Kf9vad7
z/70ezuWU9ObiKN6umJ2g47Ljdziy+ELSrOx1Pf3Co1hvkYjS5qHBfBSbqJi
uuJwmGcVNCOQpyR7SoqhKn3tS0cARG3k1P61SmSQg9PKhfjBzMjH8QcM1mwM
ZnOuaA15ejvsbkU1ogI+6DLIpWtn5Iyaq4JsgsSPrrLLq8WdJKuzomVG4fLg
MNJ1mq7sjmlOvqqYCR6xjw9P5724lFEe0r5GFNrPb4hCKeU6WSfAFjYh8RGc
xH5jbO7kREzjJ+3YdLaZG/nuGy5AlgWyKGiSRsZrHXjonavxX07/buJSHk7i
dj+XxG1GUwSWVAnr0a36j59Xd56IszIXsWofFC3yEIPd9Mx2Lq6cRK9Muxba
1SpCEbmuQkJWsCrg4o6jP10+V4duzfJyM0LXdP5AWw95xjlmReUlZNkk1VqK
CwM5eim6Ty6GJKnwxoteqcuTckf8ZKR62uoJGUtmho0IrvO+Fbv6rujnxPoZ
szzqqGBeYSAv++6oyEK4XwMLDLkmQYZIqsoLqBeD+LFYRCaFSBsgcFNZjv/F
G+UdBbn4hoGPPX+OfIwtO2oP4trM8OOTl3vP0Uh5Lhf6yXiXZo6SNayX4xuc
BKCtW3QBSRDSI5na3uNgkmr8Nu9ji/ewlHIjT1Gugvj/KKYXjt3B8n6V5exu
b+/szyZ7+8DfJtPZ/v6z3Z/2Xzx/8qSxgE1MbvdhTG5jm0dPsrAXnxO8v/yo
msEbICRezfBRGI3wo/T9CpCmElkeEzlI+yrJbe0S/dwiTXENqkpoNA3GPUfX
kkpIaEVNa62lEDeBpj517Tf61ZCBvC2xeqYBMh6JxFHPv4RfDEJmofMMeqSu
EAfG+S338e1O0htQShZ3jhl5UBu+KB09OvlDmz08Efbg6W1iIktbbEH796EK
rCWcdpp5FEE8vnUjEH4AAj711Tbx1CrHEpHhceaw1nz3Wom92RtpOd0/Ktvi
oZ5wl1SSLCLCnwE5K3T9u3b9yAckkbqSKk8S+yc9FZylrW9lGAo3nA3Ii3zu
tsLAc1qghFzS5JxcjjWUh2bpVWoIHJc9QJv3KyoeEPW2JluAV6oUcHkEVeJc
cC6rjsR2eclJ7YbyBQVzuxcY2dKbSXldZaDEiQGCqy9oMJEr6CBbZcsttnr7
bPq6mZyxlPHZpLVytDXe+dWo632U9Sme0MY17P4aa+iaYRMBf/LbEXAqpfJX
FNiwGiJh3S0ih1je1aRO/awRahJEhJTmNtUqzVQlhn8excl1QlkrYgrniupR
UI1YbO34/Ndfu2pU8f+RZXBMh1EjSIPY0tDxkVslNpnDTgd3QByMESE6Ob74
lqxR1UCrqabSAoNMmVSgoSVPOWuiwpZ4V05OTApDlEhljv+muO6qxoqZkbu8
XA3Nj4WbWC9ZdrxKXOi+bh02D7sJtk0CKi61xFoVMeAch2EjHdtnbhB2CeG0
IFEeJeI2MWdPJgblgs3ekOTiKAEKlxjVoc2usNApCLysu3aYD5NGPZugHfeF
71XNcXluedG9y6O/ZFUNJk0NKoV6V8UCw0GViKsrM7ApDQO223fDs9lbf9Nf
kGsTKWeF4xZj4HjtvbLuRV50NfYvsjO7hLmEwnWnddyztRx6HcA58fHRkUon
bc3zNjHtc7g17cZQaOcAkoCXMjJxhzmpeI1V+RgkyZOjbutdQ0sla1f7QuUV
zgkkUWZdYuhQq5O0Jkk4hc+p7QtxcAQtrtFAiVRUy5T7MDDavUCdu/K54ge2
AZhYVENuaNu+SwUT7csucmQUypHDcBMNezaBcnLTi9lq6ucfGByxriCJpzQx
3D7VH8h7QuGk3HS4QFwTTvBVzwijFOulZRUlJIAvKSzljz2jWJGTYr7AgvIs
UpYmrADbDN5bUqXR0dcFp/oaS471aCiUMyY4Xd0VtKo1IkObg3J6qzSndKXP
MyP2GNv+ht21YuciobZa6ycGMppo/eDgnBv6wpAadcBaOPyw7ymNSm8jFL5d
VhHlJvcPv3l7pvh4fhyLxV+Y0sAkNI1MClKkhOrLeVajevNlSFCPzy+GrsKT
VA/1HstzuUbilXy6hzjKlYnhxVi8bvAcyvHqtaJ0Xf2D4djn3GvCn4E3EoQQ
7U2qP0658I9j4Yozbs2RnZNbUlkWoXWCxPeDMQjncZ/yEGg8aVfpfbA+6cHc
YRp+4OoPadlnW7P65HSkOoNTLDqK8xiXJJ0rZ5igfzFo3e3rU/FMlACCPDrI
G47vn9GpLnx1tecFcgq0ckViOMtnSalCt6pLAMof/xGDQPkdOrEKLZkqa1GC
h09jbb915Qy7PAzKET81NcWWhvg0MCDK4A3zIY6Jp4lttWxEQVJGttewcgtR
TTx9dlRsRKyXJcdLrmKF/yf6aTmq1h7bRLYBiaJWjQC5Z328Azw/4ouzcHu/
XeRPuxdI2j0n1N6zqk2LQs79wDU1/UKktVo40Wp+T5fUA8Nb/HGVKV+joZ+T
UhPdnJQ1mXGwgwuokTBYaVvmOhdmldaDMPP3fLaoBvsB6kZ8edsRy4iGbLr1
l9dJK+Qk8yM3t4o7RZCNKFOTttCChHkgOIkQLcRN4HUExwX0dHh4oWiTtR6h
ChUbk0Uja74hAOPt/Kv02yQ26ywGYkaJv0bJDnthssiUOYgQflXZMsNygd6i
RWEOSMNHJO/LBaZIddSsmoGJJlrUpABKcWjYUB+NgZT2j7rrgM5cbDWRf1eO
y+/Ut0wPW5eToYIsDGio7k12AYA4uP30pEfhXM4kZEpRcVhQms+on544ZtCO
ULqeNBObuYqTiyEcu8+jQvfZFt6vfjMbxFf930/KG6FujhiOWM4aPN74e89K
P2meeLI1CRc3/Ow37Y188ChPm6NU+upVXT/2VVzBY17f7Xj/58YOHjLOk45x
FBIbLTFPH2qJoeZ/0lo6qMnGbNVzUzTCMPM/ZKsGS7Xir0Iy8JWZBK5c0OKd
XWy3RdgO2finPI02T/QA/VBOpQTcWy5paRVupEe3qdZ0lhrAUTCnV1Eo3kU0
1yJwlboek4W6zX/3u98hoQtamap+6Ybvc/g2pnkMYu8wC8Ye2CQmHy8aNWQH
K7QEblM0bSjDr2xJQt8EhMpwd1jZQbhG4wgXNyxurWiBMo8VDr2chMFm0kNW
ZNHMp0yzUwBR5R6f8zJZid/ZSF8s3vtdUjhVwNs1iybwaGinOdxvcwj5MSt9
tma4Q2drqfbJDkCnLOZvFh6ooBfi/87+Dq57ZTTRhqylicA2HoDodNQMJars
vsnt4AE01ENxdVvXE2FDdmN4Ymg6RDcz9nhg6dndkKG8XmgVArEBNaDZEiWp
ZILE6JEHpojkNO09Ma1duDttWJ8hZOwO8to3lsazMZCLhaneT917Gp5k1KQi
3kxrOBXqk/Jzbf33Wbb/FUb78+p/DJt90eBVPz+Uu7RffASLe9Fkcfz2Ixnc
iyaDCxn9Rvb27KHsje89EWYfFNWhPoZ87ov4+9WM9b3CO3zPvj2krgsxF0t4
Rk4JjELlMulh82x6kMc2id7e53umNqi+9HkexB++UMPUx6ZHWmJVJP7JtYZG
8xDc83umOXXB/T3tTNL7pihqBA/Tu7N0WVDpU/QcYNX2Rg2FSopgD4KxnAmt
ryd8e3s7zpI8GRfl5RYXeKOQkC2ps+1ebn0xfn9VLxcDjISpJGNhwTV/cjHO
Gq85iCAA/jidZXVRjrFHWkJB2Et009eBZaHCltY5BgojCduXssECOkmRpY7x
acqWwCpu9ftu9G9o2o8pa6O7zo43O4Z1CSSUn3JvptzloRbxhqjlEhj/XMkf
nbrvQr7Qhte4ZHldtCLv7iJJK9gUTo8uKHgdI2O4CgLQc01Mi9dYp6BeY9jc
GOUerQdMkDrVSPR+NcBOX+diG0JosfxSiiMoxoABQE8XMGWjz6XbPB4CHOAY
KSQ5j3BIvkdnGnRNX7nn8PDQpXQ0xxqLi+RyPwId1xkhNhXB1yZ2YUMhrlI7
DzzYSju2fHKvD6I3ZmSthG1j1XHZ1c0s/vbR64KbxSa3IBsK12Umt41y8SeE
BRyDlMXgk8f3pdJ20aiKfZfW0hMW1nkOP8Vb2GSXQvFJqsMlH8S9US8wcQmr
N+bSqp2K4xpkaEcdXwE7uDO8SIQgBkVk0wzR0OfP8MaW2C/0II97bw46lxJ4
SJpnSrJ/UV67FsX1lTUs+eSOcGEAkij6RWv7u9JrvzgItcruV/CjJ62v9Zh+
CUqjw/H8Ev2yP2r80/5mw4/NB2Ew4SOxWSPa/f8wKf90w1Fu+JFNRPgju9j4
QapxgBLMO8cVe/EWPm+qH+CfBDmTPBzjxM1/2t8EP0reqEzcqMfmpjWNF2hm
PjSYEmecNvb6iK3ev9Pwl3ckJXfBIQ4AgUbEfxEQj4TDZ86oghB+9i46hzyj
01fHR38+fgBEO5bOYlPPnROsD2UyrMWj9T9FHmuKInq7qt5HvGytu9Ygkb+Y
N3FVlm7+Ejv+AJ+R3uJ1VIL4yH/uv6H3XcfmD/fe64f/4w5q6G8AHxSfRFku
3VFrta5nHz8SkJhTMt4hj/zF1/OPnWZDjTwJqMxj8K9GRXc3qoPRPUj4CzbL
cJ/dGmiC5uO/SCvb5mpied509eJkcL0ZS12LW1CbEgoSw6fpsmrA6MnzvY0w
Onx9PhLf6F/O376Jf5ConcYWPolH98IIFZkGjJrDOxh1+G0TFMAfsp5uyvnI
dShgNqxjw1kZ38ZInMxwap8EzMPOSkHza51V+4r5Jf38ABghiL6C3/8CkLEr
GroeSWSqxKsh5eK6gfbzbeWBNdx0AZJUINlNwvlT5zVsAl6OVq5hGVxDXOG9
N7D7LP296wDcxhX8GwH3KBzcuG6S7jdi4NBUqcww4OgzCMLmOTdcxM5JA8we
NjDml9jzd0x50YkanIRTAbefYAqFO7FjfhN9xegz9v/QAQXROCEXGWpFEYkY
DHuqS01N102K5IJg1Z8+vtWnj0/+8wrV39sU/w1HeYo6LTX7E5q2EYkCDFsk
y1U1Wvih0EQ1kr6BD6B51TRdPfTsGY57VJHzs/8xYpp039ogpdkAK5TUyOS7
g8ohukRbRRl76BC+eHXe6wx36nie7dGZiRbEv8lBtErLZVbbhrEtWd0UNeTI
MlfPEF+ZJNPrWwxV0Wo10sUT743gohQl1IDYyk0Gf3lNPvaGblgCW7K5hwZ6
1o2mCPpehyrtj7C5f/sN3CcTKAtjkHXDiqP3C5Qbft0ssVqh6Zd/CEB+6sQW
PKctf7gsdBKRRJrBsna8Y9HLYPf9lNhcVp7KDY0/dFybBwwtzMkwQB4a/yaW
xKu+d+j7bk/r11/u/7k59OjeoT3T5L/LYNXOkBgE4VkRnfDbFSkPM9Pv45mP
XuTIHZ1ZJJ3ab7hITud3IS+bXn0MRf7UXqcdBzL9bQ7k0yLzQxbbPJjpb3Mw
3Yv9/+GAuFnjyv79AGS8h3RwsO39kvejFmdku9WDsOexi/vXEUfXyZA06/xM
IHaI4JsR5uHAvu+fR5Nl+tYoyG2GsgGuyBBblGDj8L/x6v0T95/w/cNTGhUW
PmRffvO4xdlWisiA8TVeiDRPqQip1vDQWE4yJFbmMWbxynk8o4jcpWTGv2Yj
vvi8KMgXe3eynzLo4Yu/XbgYoVONDDzFv95wUrZO0Isf4Z0UJ9AIXakVeflH
Et1wz0/j+n09MH7J/ShqdhNuNhxOXC+GZCbNskPwqPjbW89WvlSBBNmrupBo
ErBYQsdR0I/Ll9j41HLcbPXUzuZXuSYH+KyVCBuuhApehWs5kowrrNR9jT3A
pYT7Q1fF9ZZpWRTEEoCj0hVyaY3Q30s9YqLIeBld2M79Go/4ZH9F/7jDwLFk
Ll5cifaDNETCYIxrUVJw5V76kFO2saBXbWwCCv6GYST/RXX+sD5lLAGwBQWa
rXN0w00HzTh7dFZdpj6SADMpfi3f/Rf8tQ9vGa3LTCKOgHLCo9kUwSuGRLrn
ZTMLIsho4uw5Dfe2nSKOJV6Xt+56PruYIZtyZi0T4QSKGM5p6UiGNMir7Mqr
ak2hUDvjuEW7BK50bqbUNRX3aLQvYDTjRvKweopvww/xOXZge98buxRTLNm9
kFOwmXU8Ao9qKsxx9fG7vE7eA9VaJjms2jSf/uQxNw6u+TcfMmrBu/cDwHto
aJNW4iS50OnjWoJjb/xkvEMZEE86RrbJ9x6Re6iH9vi2xyGOK3hcaAdVRWGz
navJy5TOohF3wMM7xE2QmtnpgNu9Mcah0vHkhWSxER0PIj3okFMQF3o6fI+L
UJp6BZp1llQuFMC9hq2rpXYSRsubAH9Y5YBq1GN5tGShGLUE4lSZCIBG8QSH
7pipeVuinSWXNAx4lcNlKZYdE6mptKFEb5rFFm55WV4siss70+mXMjJlDmpZ
wmQSrSGHQTRU/OEL7SEzCuOktJi0sQ0OXZwWEgkMM6AimGQEooYVxbkWU+Kw
GlsvyueI8COplLCcmGKoHKg6SxfJnQSIXWWTrA76imJKsdSpm1AKKBUkqDBV
ML8zYaBISCOJl5xdaiFkNFRlMx+INkouKY+1XadSXjMJByqVjX2sQaTBt/ww
2mLFTQtXBLttpJrg62J13e6DWF0HWKlJxViDhCKyUNVygDUW6agpKviYiCnF
e5Pp1oQ1y1J8PXzuX6K1OuHnYXQqE1NvTN++CSfFMiMcDoI4WSFL9bSLGoBo
KQgpvkMNgpD94zanGE+L4sbhaWRPhVKzV2k58sWBJ4BJFeU2u9gVFYPcihKO
yKoyLLaU5ClGCJphI2mPbo7JZ55SgNdlQSAQ6NsDdxWYGPE24IjZxDjmvEXa
IjfDcQuhZp7UewkupALr1dn38euDv9vCs2mOAHXr03VFbjF4zJoEW+TFqlhg
23gzE1aq1pP1iDcEZcghhC0PjB1OtXLoNVWM9i1wfCROzu2aRrcYdo9yUKSd
GzRVF89ulWDiPS15GF8myAGpAndeA3XOLrkSpsNkDBWiKo4UlV9iEKEgTDGP
ZikXNWWxA6RHqnEmEp+shuBNbBawAmGj1VQqKgbAMfGL9AbpJnDFa0pQpVpy
kQwpdYVSoBYzyqOXtlQg6zPeeMyfZ4uat6NIDzvlBrESCY8fz85UC6kimDld
SGkupld07iCmY2G+hYaucXBbKYnWuE4tGN/YTE7crspYeWMwRzdUoJZI+cEU
+R/eWy5U6qJdj8pkXneFu76FfccnJCxFkdbq0EB9U1R+CchS3w1NepoEDpJA
QxPReIcsWQDTwbhPlOePKexzH+lYEPbpAzvHmLbx53hGa9zeBn3ggPi0xn2a
xPdxfF5TxCXId2K6Yq3HS4Vk73diVkfFJyrOO8tushlmeGPWK06yjdVffpAA
4zS/SrShQPfTuMoTiXuVL2Hc0WhEzg0CuWPpzZIj3KmGw4VBYwHEy967zZIk
WSMycuaKhBPaADkRbrV2+z2Vq4Dabu9t7W7vPpFKARGVLCF9jcCNk5mWAQK2
sK5EzWRwomeHwZhbt5y7jNKEWw0/hFLZjFWfQ1mv3Twdj6sB0NR4RLLSjWpO
TaXCqcm//SomSdKlWIxITsQRTCAYPYYjen8UPNByVw3jDC8/FoVnqTeYJnyf
NAYYhPXTd2d/OUUp+zu9vj7hWZqOaIqEckQf6FP4Z7UZ+jNT0SEsXzdFWOeq
MblB2h21nu3sbWObE2pxMkueYCta7ERL3UZ2uekINqFttDjh9iaNWDzqc7L7
DFZldvsTPNzsdfKgqYLuLLjZn34yTU6mrJDOs0vNFOiJ9e/b7DJ+tu9qcQFS
exgG/aGkZQYqscyrSCH7Y2+Rzmu0b73G1mVnPtOAUNZ16OOaqVjQaLShxA01
QhlKytSdFDjV16UrxfkWVkQVDrDfdTpPt3/908FD6epA86hzofYze9Kl50Ho
wNjwL0+sCPH0wROf/cozb0LF55q0YlDx+f2oSPecOryyELARG++lfEwmhegJ
RSdq9ACa91UXxfuRYPrjQ2he8/2HU7wf/30kD5OV/mWiF2tbp4fiW3xPn6fP
xzpGOrKxYnELxbkHE7wv4/8ZhK51Jp9D6h5wJr/iUQQ0L44fRfZ+XWR4+pgV
/FvxUVP4HoKXTerXQk2s6cr6BncdKQtuEMgmySh6m6fxZaHmMmv/zdguQr4K
6/4ilSpIFUdbyCyFMaQXGWsGVJFLqgT518WASyY81vs009C4ZphAuRpqQe0y
UHpRXfa1laW3FyUm+8JDqBhLtVNS/7RgndiHuIOyp3CsR5FV2dk/aY9a/MNN
h8mFk/QqucmKUiqa0yqX66pmtRIr5onhILJwoyYcpmrpxo7CjYaH0t4E9N/1
om4WNsPKZEt0CFYNG/BUdiSqZdCsdqMS0yne/q8QoP4tgtM7LsHz20waykyA
hk06cap3+9iURig7OVmbTmj/nPJuH8Wew6ycrrO6Wd7PtcZ2Bf08EpPY0pVg
hChmNjOOWJPUckyIkK23tjDHJ2t0n8GWCDgYRf1qKxMJRtBChlkFw8vQw85r
lkm44leYphlWVQ0qGYZtwB+22XeussD/vA3/f4CpfwNmJgEA

-->

</rfc>