rfc9882.original.xml   rfc9882.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.29 (Ruby 3.4. <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
4) --> -ietf-lamps-cms-ml-dsa-07" number="9882" xml:lang="en" updates="" obsoletes="" c
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft ategory="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs=
-ietf-lamps-cms-ml-dsa-07" category="std" consensus="true" submissionType="IETF" "true" symRefs="true" version="3">
tocInclude="true" sortRefs="true" symRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.30.2 -->
<front> <front>
<title abbrev="ML-DSA in the CMS">Use of the ML-DSA Signature Algorithm in t he Cryptographic Message Syntax (CMS)</title> <title abbrev="ML-DSA in the CMS">Use of the ML-DSA Signature Algorithm in t he Cryptographic Message Syntax (CMS)</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-cms-ml-dsa-07"/> <seriesInfo name="RFC" value="9882"/>
<author fullname="Ben Salter"> <author fullname="Ben Salter">
<organization>UK National Cyber Security Centre</organization> <organization>UK National Cyber Security Centre</organization>
<address> <address>
<email>ben.s3@ncsc.gov.uk</email> <email>ben.s3@ncsc.gov.uk</email>
</address> </address>
</author> </author>
<author fullname="Adam Raine"> <author fullname="Adam Raine">
<organization>UK National Cyber Security Centre</organization> <organization>UK National Cyber Security Centre</organization>
<address> <address>
<email>adam.r@ncsc.gov.uk</email> <email>adam.r@ncsc.gov.uk</email>
</address> </address>
</author> </author>
<author initials="D." surname="Van Geest" fullname="Daniel Van Geest"> <author initials="D." surname="Van Geest" fullname="Daniel Van Geest">
<organization>CryptoNext Security</organization> <organization>CryptoNext Security</organization>
<address> <address>
<email>daniel.vangeest@cryptonext-security.com</email> <email>daniel.vangeest@cryptonext-security.com</email>
</address> </address>
</author> </author>
<date year="2025" month="October" day="02"/> <date year="2025" month="October"/>
<area>Security</area> <area>SEC</area>
<workgroup>Limited Additional Mechanisms for PKIX and SMIME</workgroup> <workgroup>lamps</workgroup>
<keyword>cms</keyword> <keyword>cms</keyword>
<keyword>ml-dsa</keyword> <keyword>ml-dsa</keyword>
<keyword>dilithium</keyword> <keyword>dilithium</keyword>
<abstract>
<?line 94?>
<abstract>
<t>The Module-Lattice-Based Digital Signature Algorithm (ML-DSA), as defined by NIST in FIPS 204, is a post-quantum digital signature scheme that aims to be sec ure against an adversary in possession of a Cryptographically Relevant Quantum C omputer (CRQC). <t>The Module-Lattice-Based Digital Signature Algorithm (ML-DSA), as defined by NIST in FIPS 204, is a post-quantum digital signature scheme that aims to be sec ure against an adversary in possession of a Cryptographically Relevant Quantum C omputer (CRQC).
This document specifies the conventions for using the ML-DSA signature algorithm with the Cryptographic Message Syntax (CMS). This document specifies the conventions for using the ML-DSA signature algorithm with the Cryptographic Message Syntax (CMS).
In addition, the algorithm identifier and public key syntax are provided.</t> In addition, the algorithm identifier and public key syntax are provided.</t>
</abstract> </abstract>
<note removeInRFC="true"> <note removeInRFC="true">
<name>About This Document</name> <name>About This Document</name>
<t> <t>
The latest revision of this draft can be found at <eref target="https:// lamps-wg.github.io/cms-ml-dsa/draft-ietf-lamps-cms-ml-dsa.html"/>. The latest revision of this draft can be found at <eref target="https:// lamps-wg.github.io/cms-ml-dsa/draft-ietf-lamps-cms-ml-dsa.html"/>.
Status information for this document may be found at <eref target="https ://datatracker.ietf.org/doc/draft-ietf-lamps-cms-ml-dsa/"/>. Status information for this document may be found at <eref target="https ://datatracker.ietf.org/doc/draft-ietf-lamps-cms-ml-dsa/"/>.
</t> </t>
skipping to change at line 67 skipping to change at line 67
</t> </t>
<t>Source for this draft and an issue tracker can be found at <t>Source for this draft and an issue tracker can be found at
<eref target="https://github.com/lamps-wg/cms-ml-dsa"/>.</t> <eref target="https://github.com/lamps-wg/cms-ml-dsa"/>.</t>
</note> </note>
</front> </front>
<middle> <middle>
<?line 101?> <?line 101?>
<section anchor="introduction"> <section anchor="introduction">
<name>Introduction</name> <name>Introduction</name>
<!-- [rfced] We note that "traditional" is in quotes, but please consider whethe
r it should be updated for clarity. The term is ambiguous; "tradition" is a sub
jective term because it is not the same for everyone.
Original:
It is intended to be secure
against both "traditional" cryptographic attacks, as well as attacks
utilising a quantum computer.
-->
<t>The Module-Lattice-Based Digital Signature Algorithm (ML-DSA) is a digi tal signature algorithm standardised by the US National Institute of Standards a nd Technology (NIST) as part of their post-quantum cryptography standardisation process. <t>The Module-Lattice-Based Digital Signature Algorithm (ML-DSA) is a digi tal signature algorithm standardised by the US National Institute of Standards a nd Technology (NIST) as part of their post-quantum cryptography standardisation process.
It is intended to be secure against both "traditional" cryptographic attacks, as well as attacks utilising a quantum computer. It is intended to be secure against both "traditional" cryptographic attacks, as well as attacks utilising a quantum computer.
It offers smaller signatures and significantly faster runtimes than SLH-DSA <xre f target="FIPS205"/>, an alternative post-quantum signature algorithm also stand ardised by NIST. It offers smaller signatures and significantly faster runtimes than SLH-DSA <xre f target="FIPS205"/>, an alternative post-quantum signature algorithm also stand ardised by NIST.
This document specifies the use of the ML-DSA in the CMS at three security level s: ML-DSA-44, ML-DSA-65, and ML-DSA-87. See <xref section="B" sectionFormat="of " target="I-D.ietf-lamps-dilithium-certificates"/> for more information on the s ecurity levels and key sizes of ML-DSA.</t> This document specifies the use of the ML-DSA in the CMS at three security level s: ML-DSA-44, ML-DSA-65, and ML-DSA-87. See <xref section="B" sectionFormat="of " target="RFC9881"/> for more information on the security levels and key sizes o f ML-DSA.</t>
<t>Prior to standardisation, ML-DSA was known as Dilithium. ML-DSA and Di lithium are not compatible.</t> <t>Prior to standardisation, ML-DSA was known as Dilithium. ML-DSA and Di lithium are not compatible.</t>
<t>For each of the ML-DSA parameter sets, an algorithm identifier OID has been specified.</t> <t>For each of the ML-DSA parameter sets, an algorithm identifier OID has been specified.</t>
<t><xref target="FIPS204"/> also specifies a pre-hashed variant of ML-DSA, called HashML-DSA. <t><xref target="FIPS204"/> also specifies a pre-hashed variant of ML-DSA, called HashML-DSA.
Use of HashML-DSA in the CMS is not specified in this document. Use of HashML-DSA in the CMS is not specified in this document.
See <xref target="pure-vs-pre-hash"/> for more details.</t> See <xref target="pure-vs-pre-hash"/> for more details.</t>
<section anchor="conventions-and-definitions"> <section anchor="conventions-and-definitions">
<name>Conventions and Definitions</name> <name>Conventions and Definitions</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp <t>
14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECO "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>
MMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", ",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be i "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
nterpreted as "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
only when, they be
appear in all capitals, as shown here.</t> interpreted as described in BCP&nbsp;14 <xref target="RFC2119"/> <xref
<?line -18?> target="RFC8174"/> when, and only when, they appear in all capitals, as
shown here.
</section> </t>
</section>
</section> </section>
<section anchor="ml-dsa-algorithm-identifiers"> <section anchor="ml-dsa-algorithm-identifiers">
<name>ML-DSA Algorithm Identifiers</name> <name>ML-DSA Algorithm Identifiers</name>
<t>Many ASN.1 data structure types use the AlgorithmIdentifier type to ide ntify cryptographic algorithms. <t>Many ASN.1 data structure types use the AlgorithmIdentifier type to ide ntify cryptographic algorithms.
In the CMS, AlgorithmIdentifiers are used to identify ML-DSA signatures in the s igned-data content type. In the CMS, AlgorithmIdentifiers are used to identify ML-DSA signatures in the s igned-data content type.
They may also appear in X.509 certificates used to verify those signatures. They may also appear in X.509 certificates used to verify those signatures.
The same AlgorithmIdentifiers are used to identify ML-DSA public keys and signat ure algorithms. The same AlgorithmIdentifiers are used to identify ML-DSA public keys and signat ure algorithms.
<xref target="I-D.ietf-lamps-dilithium-certificates"/> describes the use of ML-D SA in X.509 certificates. <xref target="RFC9881"/> describes the use of ML-DSA in X.509 certificates.
The AlgorithmIdentifier type is defined as follows:</t> The AlgorithmIdentifier type is defined as follows:</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::= AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
SEQUENCE { SEQUENCE {
algorithm ALGORITHM-TYPE.&id({AlgorithmSet}), algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
parameters ALGORITHM-TYPE. parameters ALGORITHM-TYPE.
&Params({AlgorithmSet}{@algorithm}) OPTIONAL &Params({AlgorithmSet}{@algorithm}) OPTIONAL
} }
]]></sourcecode> ]]></sourcecode>
<aside> <aside>
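Review bot: In the Introduction paragraph, the sentence "It is intended to be secure against both "traditional" cryptographic attacks, as well as attacks utilising a quantum computer." is identical in both columns, so the [rfced] query added directly above it is still open in the edited file. Either answer the query in the text (drop the scare quotes and say what kind of attack is meant) or record that the wording is kept as is, and remove the comment before publication. The same sentence pairs "both" with "as well as"; "both ... and" would read correctly.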
skipping to change at line 122 skipping to change at line 133
The OIDs for ML-DSA are described below.</t> The OIDs for ML-DSA are described below.</t>
</dd> </dd>
<dt>parameters:</dt> <dt>parameters:</dt>
<dd> <dd>
<t>The parameters field contains parameter information for the algorit hm identified by the OID in the algorithm field. <t>The parameters field contains parameter information for the algorit hm identified by the OID in the algorithm field.
Each ML-DSA parameter set is identified by its own algorithm OID, so there is no relevant information to include in this field. Each ML-DSA parameter set is identified by its own algorithm OID, so there is no relevant information to include in this field.
As such, parameters <bcp14>MUST</bcp14> be omitted when encoding an ML-DSA Algor ithmIdentifier.</t> As such, parameters <bcp14>MUST</bcp14> be omitted when encoding an ML-DSA Algor ithmIdentifier.</t>
</dd> </dd>
</dl> </dl>
<t>The object identifiers for ML-DSA are defined in the NIST Computer Secu rity Objects Register <xref target="CSOR"/>, and are reproduced here for conveni ence.</t> <t>The object identifiers for ML-DSA are defined in the NIST Computer Secu rity Objects Register <xref target="CSOR"/>, and are reproduced here for conveni ence.</t>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
sigAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) sigAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) 3 } us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) 3 }
id-ml-dsa-44 OBJECT IDENTIFIER ::= { sigAlgs 17 } id-ml-dsa-44 OBJECT IDENTIFIER ::= { sigAlgs 17 }
id-ml-dsa-65 OBJECT IDENTIFIER ::= { sigAlgs 18 } id-ml-dsa-65 OBJECT IDENTIFIER ::= { sigAlgs 18 }
id-ml-dsa-87 OBJECT IDENTIFIER ::= { sigAlgs 19 } id-ml-dsa-87 OBJECT IDENTIFIER ::= { sigAlgs 19 }
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="signed-data-conventions"> <section anchor="signed-data-conventions">
<name>Signed-data Conventions</name> <name>Signed-Data Conventions</name>
<section anchor="pure-vs-pre-hash"> <section anchor="pure-vs-pre-hash">
<name>Pure mode vs pre-hash mode</name> <name>Pure Mode Versus Pre-Hash Mode</name>
<t><xref target="RFC5652"/> specifies that digital signatures for CMS ar <t><xref target="RFC5652"/> specifies that digital signatures for CMS ar
e produced using a digest of the message to be signed, and the signer's private e produced using a digest of the message to be signed and the signer's private k
key. ey.
At the time of publication of that RFC, all signature algorithms supported in th At the time RFC 5652 was published, all signature algorithms supported in the CM
e CMS required a message digest to be calculated externally to that algorithm, w S required a message digest to be calculated externally to that algorithm, which
hich would then be supplied to the algorithm implementation when calculating and would then be supplied to the algorithm implementation when calculating and ver
verifying signatures. ifying signatures.
Since then, EdDSA <xref target="RFC8032"/>, SLH-DSA <xref target="FIPS205"/> and ML-DSA have also been standardised, and these algorithms support both a "pure" and "pre-hash" mode. Since then, EdDSA <xref target="RFC8032"/>, SLH-DSA <xref target="FIPS205"/> and ML-DSA have also been standardised, and these algorithms support both a "pure" and "pre-hash" mode.
In the pre-hash mode, a message digest (the "pre-hash") is calculated separately and supplied to the signature algorithm as described above. In the pre-hash mode, a message digest (the "pre-hash") is calculated separately and supplied to the signature algorithm as described above.
In the pure mode, the message to be signed or verified is instead supplied direc tly to the signature algorithm. In the pure mode, the message to be signed or verified is instead supplied direc tly to the signature algorithm.
When EdDSA <xref target="RFC8419"/> and SLH-DSA <xref target="I-D.ietf-lamps-cms -sphincs-plus"/> are used with CMS, only the pure mode of those algorithms is sp ecified. When EdDSA <xref target="RFC8419"/> and SLH-DSA <xref target="RFC9814"/> are use d with CMS, only the pure mode of those algorithms is specified.
This is because in most situations, CMS signatures are computed over a set of si gned attributes that contain a hash of the content, rather than being computed o ver the message content itself. This is because in most situations, CMS signatures are computed over a set of si gned attributes that contain a hash of the content, rather than being computed o ver the message content itself.
Since signed attributes are typically small, use of pre-hash modes in the CMS wo uldn't significantly reduce the size of the data to be signed, and hence offers no benefit. Since signed attributes are typically small, use of pre-hash modes in the CMS wo uldn't significantly reduce the size of the data to be signed, and hence offers no benefit.
This document follows that convention and does not specify the use of ML-DSA's p re-hash mode ("HashML-DSA") in the CMS.</t> This document follows that convention and does not specify the use of ML-DSA's p re-hash mode ("HashML-DSA") in the CMS.</t>
</section> </section>
<section anchor="signature-generation-and-verification"> <section anchor="signature-generation-and-verification">
<name>Signature generation and verification</name> <name>Signature Generation and Verification</name>
<t><xref target="RFC5652"/> describes the two methods that are used to c alculate and verify signatures in the CMS. <t><xref target="RFC5652"/> describes the two methods that are used to c alculate and verify signatures in the CMS.
One method is used when signed attributes are present in the signedAttrs field o f the relevant SignerInfo, and another is used when signed attributes are absent . One method is used when signed attributes are present in the signedAttrs field o f the relevant SignerInfo, and another is used when signed attributes are absent .
Each method produces a different "message digest" to be supplied to the signatur e algorithm in question, but because the pure mode of ML-DSA is used, the "messa ge digest" is in fact the entire message. Each method produces a different "message digest" to be supplied to the signatur e algorithm in question, but because the pure mode of ML-DSA is used, the "messa ge digest" is in fact the entire message.
Use of signed attributes is preferred, but the conventions for signed-data witho ut signed attributes is also described below for completeness.</t> Use of signed attributes is preferred, but the conventions for signed-data witho ut signed attributes is also described below for completeness.</t>
<t>When signed attributes are absent, ML-DSA (pure mode) signatures are computed over the content of the signed-data. <t>When signed attributes are absent, ML-DSA (pure mode) signatures are computed over the content of the signed-data.
As described in <xref section="5.4" sectionFormat="of" target="RFC5652"/>, the " content" of a signed-data is the value of the encapContentInfo eContent OCTET ST RING. As described in <xref section="5.4" sectionFormat="of" target="RFC5652"/>, the " content" of a signed-data is the value of the encapContentInfo eContent OCTET ST RING.
The tag and length octets are not included.</t> The tag and length octets are not included.</t>
<t>When signed attributes are included, ML-DSA (pure mode) signatures ar e computed over the complete DER encoding of the SignedAttrs value contained in the SignerInfo's signedAttrs field. <t>When signed attributes are included, ML-DSA (pure mode) signatures ar e computed over the complete DER encoding of the SignedAttrs value contained in the SignerInfo's signedAttrs field.
As described in <xref section="5.4" sectionFormat="of" target="RFC5652"/>, this As described in <xref section="5.4" sectionFormat="of" target="RFC5652"/>, this
encoding includes the tag and length octets, but an EXPLICIT SET OF tag is used encoding includes the tag and length octets, but an EXPLICIT SET OF tag is used
rather than the IMPLICIT [0] tag that appears in the final message. rather than the IMPLICIT [0] tag that appears in the final message. At a minimum
The signedAttrs field <bcp14>MUST</bcp14> at minimum include a content-type attr ,
ibute and a message-digest attribute. the signedAttrs field <bcp14>MUST</bcp14> include a content-type attribute and a
message-digest attribute.
The message-digest attribute contains a hash of the content of the signed-data, where the content is as described for the absent signed attributes case above. The message-digest attribute contains a hash of the content of the signed-data, where the content is as described for the absent signed attributes case above.
Recalculation of the hash value by the recipient is an important step in signatu re verification.</t> Recalculation of the hash value by the recipient is an important step in signatu re verification.</t>
<t><xref section="4" sectionFormat="of" target="I-D.ietf-lamps-cms-sphin cs-plus"/> describes how, when the content of a signed-data is large, performanc e may be improved by including signed attributes. <t><xref section="4" sectionFormat="of" target="RFC9814"/> describes how , when the content of a signed-data is large, performance may be improved by inc luding signed attributes.
This is as true for ML-DSA as it is for SLH-DSA, although ML-DSA signature gener ation and verification is significantly faster than SLH-DSA.</t> This is as true for ML-DSA as it is for SLH-DSA, although ML-DSA signature gener ation and verification is significantly faster than SLH-DSA.</t>
<t>ML-DSA has a context string input that can be used to ensure that dif ferent signatures are generated for different application contexts. <t>ML-DSA has a context string input that can be used to ensure that dif ferent signatures are generated for different application contexts.
When using ML-DSA as specified in this document, the context string is set to th e empty string.</t> When using ML-DSA as specified in this document, the context string is set to th e empty string.</t>
</section> </section>
<section anchor="signerinfo-content"> <section anchor="signerinfo-content">
<name>SignerInfo content</name> <name>SignerInfo Content</name>
<t>When using ML-DSA, the fields of a SignerInfo are used as follows:</t > <t>When using ML-DSA, the fields of a SignerInfo are used as follows:</t >
<dl> <dl>
<dt>digestAlgorithm:</dt> <dt>digestAlgorithm:</dt>
<dd> <dd>
<t>Per <xref section="5.3" sectionFormat="of" target="RFC5652"/>, th <t>Per <xref section="5.3" sectionFormat="of" target="RFC5652"/>, th
e digestAlgorithm field identifies the message digest algorithm used by the sign e digestAlgorithm field identifies the message digest algorithm used by the sign
er, and any associated parameters. er and any associated parameters.
Each ML-DSA parameter set has a collision strength parameter, represented by the Each ML-DSA parameter set has a collision strength parameter, represented by the
λ (lambda) symbol in <xref target="FIPS204"/>. <u>λ</u> symbol in <xref target="FIPS204"/>.
When signers utilise signed attributes, their choice of digest algorithm may imp act the overall security level of their signature. When signers utilise signed attributes, their choice of digest algorithm may imp act the overall security level of their signature.
Selecting a digest algorithm that offers λ bits of security strength against sec ond preimage attacks and collision attacks is sufficient to meet the security le vel offered by a given parameter set, so long as the digest algorithm produces a t least 2 * λ bits of output. Selecting a digest algorithm that offers λ bits of security strength against sec ond preimage attacks and collision attacks is sufficient to meet the security le vel offered by a given parameter set, so long as the digest algorithm produces a t least 2 * λ bits of output.
The overall security strength offered by an ML-DSA signature calculated over sig ned attributes is the floor of the digest algorithm's strength and the strength of the ML-DSA parameter set. The overall security strength offered by an ML-DSA signature calculated over sig ned attributes is the floor of the digest algorithm's strength and is the streng th of the ML-DSA parameter set.
Verifiers <bcp14>MAY</bcp14> reject a signature if the signer's choice of digest algorithm does not meet the security requirements of their choice of ML-DSA par ameter set. Verifiers <bcp14>MAY</bcp14> reject a signature if the signer's choice of digest algorithm does not meet the security requirements of their choice of ML-DSA par ameter set.
<xref target="ml-dsa-digest-algs"/> shows appropriate SHA-2 and SHA-3 digest alg orithms for each parameter set.</t> <xref target="ml-dsa-digest-algs"/> shows appropriate SHA-2 and SHA-3 digest alg orithms for each parameter set.</t>
</dd>
<dt/>
<dd>
<t>SHA-512 <xref target="FIPS180"/> <bcp14>MUST</bcp14> be supported for use with the variants of ML-DSA in this document. <t>SHA-512 <xref target="FIPS180"/> <bcp14>MUST</bcp14> be supported for use with the variants of ML-DSA in this document.
SHA-512 is suitable for all ML-DSA parameter sets and provides an interoperable option for legacy CMS implementations that wish to migrate to use post-quantum c ryptography, but that may not support use of SHA-3 derivatives at the CMS layer. SHA-512 is suitable for all ML-DSA parameter sets and provides an interoperable option for legacy CMS implementations that wish to migrate to use post-quantum c ryptography, but that may not support use of SHA-3 derivatives at the CMS layer.
However, other hash functions <bcp14>MAY</bcp14> also be supported; in particula r, SHAKE256 <bcp14>SHOULD</bcp14> be supported, as this is the digest algorithm used internally in ML-DSA. However, other hash functions <bcp14>MAY</bcp14> also be supported; in particula r, SHAKE256 <bcp14>SHOULD</bcp14> be supported, as this is the digest algorithm used internally in ML-DSA.
When SHA-512 is used, the id-sha512 <xref target="RFC5754"/> digest algorithm id entifier is used and the parameters field <bcp14>MUST</bcp14> be omitted. When SHA-512 is used, the id-sha512 <xref target="RFC5754"/> digest algorithm id entifier is used and the parameters field <bcp14>MUST</bcp14> be omitted.
When SHAKE256 is used, the id-shake256 <xref target="RFC8702"/> digest algorithm identifier is used and the parameters field <bcp14>MUST</bcp14> be omitted. When SHAKE256 is used, the id-shake256 <xref target="RFC8702"/> digest algorithm identifier is used and the parameters field <bcp14>MUST</bcp14> be omitted.
SHAKE256 produces 512 bits of output when used as a message digest algorithm in the CMS.</t> SHAKE256 produces 512 bits of output when used as a message digest algorithm in the CMS.</t>
</dd>
<dt/>
<dd>
<t>When signing using ML-DSA without including signed attributes, th e algorithm specified in the digestAlgorithm field has no meaning, as ML-DSA com putes signatures over entire messages rather than externally computed digests. <t>When signing using ML-DSA without including signed attributes, th e algorithm specified in the digestAlgorithm field has no meaning, as ML-DSA com putes signatures over entire messages rather than externally computed digests.
As such, the considerations above and in <xref target="ml-dsa-digest-algs"/> do not apply. As such, the considerations above and in <xref target="ml-dsa-digest-algs"/> do not apply.
Nonetheless, in this case implementations <bcp14>MUST</bcp14> specify SHA-512 as the digestAlgorithm in order to minimise the likelihood of an interoperability failure. Nonetheless, in this case implementations <bcp14>MUST</bcp14> specify SHA-512 as the digestAlgorithm in order to minimise the likelihood of an interoperability failure.
When processing a SignerInfo signed using ML-DSA, if no signed attributes are pr esent, implementations <bcp14>MUST</bcp14> ignore the content of the digestAlgor ithm field.</t> When processing a SignerInfo signed using ML-DSA, if no signed attributes are pr esent, implementations <bcp14>MUST</bcp14> ignore the content of the digestAlgor ithm field.</t>
</dd>
</dl>
<table anchor="ml-dsa-digest-algs"> <table anchor="ml-dsa-digest-algs">
<name>Suitable digest algorithms for ML-DSA</name> <name>Suitable Digest Algorithms for ML-DSA</name>
<thead> <thead>
<tr> <tr>
<th align="left">Signature algorithm</th> <th align="left">Signature Algorithm</th>
<th align="left">Digest Algorithms</th> <th align="left">Digest Algorithms</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">ML-DSA-44</td> <td align="left">ML-DSA-44</td>
<td align="left">SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-384, SH A3-512, SHAKE128, SHAKE256</td> <td align="left">SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-384, SH A3-512, SHAKE128, SHAKE256</td>
</tr> </tr>
<tr> <tr>
<td align="left">ML-DSA-65</td> <td align="left">ML-DSA-65</td>
<td align="left">SHA-384, SHA-512, SHA3-384, SHA3-512, SHAKE256</t d> <td align="left">SHA-384, SHA-512, SHA3-384, SHA3-512, SHAKE256</t d>
</tr> </tr>
<tr> <tr>
<td align="left">ML-DSA-87</td> <td align="left">ML-DSA-87</td>
<td align="left">SHA-512, SHA3-512, SHAKE256</td> <td align="left">SHA-512, SHA3-512, SHAKE256</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<dl> </dd>
<dt>signatureAlgorithm:</dt> <dt>signatureAlgorithm:</dt>
<dd> <dd>
<t>The signatureAlgorithm field <bcp14>MUST</bcp14> contain one of t he ML-DSA signature algorithm OIDs, and the parameters field <bcp14>MUST</bcp14> be absent. The algorithm OID <bcp14>MUST</bcp14> be one of the following OIDs d escribed in <xref target="ml-dsa-algorithm-identifiers"/>:</t> <t>The signatureAlgorithm field <bcp14>MUST</bcp14> contain one of t he ML-DSA signature algorithm OIDs, and the parameters field <bcp14>MUST</bcp14> be absent. The algorithm OID <bcp14>MUST</bcp14> be one of the following OIDs d escribed in <xref target="ml-dsa-algorithm-identifiers"/>:</t>
</dd>
</dl>
<table anchor="tab-oids"> <table anchor="tab-oids">
<name>Signature algorithm identifier OIDs for ML-DSA</name> <name>Signature Algorithm Identifier OIDs for ML-DSA</name>
<thead> <thead>
<tr> <tr>
<th align="left">Signature algorithm</th> <th align="left">Signature Algorithm</th>
<th align="left">Algorithm Identifier OID</th> <th align="left">Algorithm Identifier OID</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">ML-DSA-44</td> <td align="left">ML-DSA-44</td>
<td align="left">id-ml-dsa-44</td> <td align="left">id-ml-dsa-44</td>
</tr> </tr>
<tr> <tr>
<td align="left">ML-DSA-65</td> <td align="left">ML-DSA-65</td>
<td align="left">id-ml-dsa-65</td> <td align="left">id-ml-dsa-65</td>
</tr> </tr>
<tr> <tr>
<td align="left">ML-DSA-87</td> <td align="left">ML-DSA-87</td>
<td align="left">id-ml-dsa-87</td> <td align="left">id-ml-dsa-87</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<dl> </dd>
<dt>signature:</dt> <dt>signature:</dt>
<dd> <dd>
<t>The signature field contains the signature value resulting from t he use of the ML-DSA signature algorithm identified by the signatureAlgorithm fi eld. <t>The signature field contains the signature value resulting from t he use of the ML-DSA signature algorithm identified by the signatureAlgorithm fi eld.
The ML-DSA (pure mode) signature generation operation is specified in Section 5 .2 of <xref target="FIPS204"/>, and the signature verification operation is spec ified in Section 5.3 of <xref target="FIPS204"/>. The ML-DSA (pure mode) signature-generation operation is specified in Section 5 .2 of <xref target="FIPS204"/>, and the signature-verification operation is spec ified in Section 5.3 of <xref target="FIPS204"/>.
Note that <xref section="5.6" sectionFormat="of" target="RFC5652"/> places furt her requirements on the successful verification of a signature.</t> Note that <xref section="5.6" sectionFormat="of" target="RFC5652"/> places furt her requirements on the successful verification of a signature.</t>
</dd> </dd>
</dl> </dl>
</section> </section>
</section> </section>
<section anchor="security-considerations"> <section anchor="security-considerations">
<name>Security Considerations</name> <name>Security Considerations</name>
<t>The security considerations in <xref target="RFC5652"/> and <xref targe t="I-D.ietf-lamps-dilithium-certificates"/> apply to this specification.</t> <t>The security considerations in <xref target="RFC5652"/> and <xref targe t="RFC9881"/> apply to this specification.</t>
<t>Security of the ML-DSA private key is critical. <t>Security of the ML-DSA private key is critical.
Compromise of the private key will enable an adversary to forge arbitrary signat ures.</t> Compromise of the private key will enable an adversary to forge arbitrary signat ures.</t>
<!-- [rfced] The following was provided in response to the intake form:
This document and draft-ietf-lamps-dilithium-certificates use
the same text for one of the security considerations: "ML-DSA
depends on high quality random numbers...". That paragraph
should be kept the same between both documents.
Should the paragraphs be identical? They do not currently match. Please revie
w and let us know how you would like to proceed.
Currently in RFC-to-be 9881 <draft-ietf-lamps-dilithium-certificates>:
ML-DSA depends on high quality random numbers that are suitable for
use in cryptography. The use of inadequate pseudo-random number
generators (PRNGs) to generate such values can significantly
undermine various security properties. For instance, using an
inadequate PRNG for key generation might allow an attacker to
efficiently recover the private key by trying a small set of
possibilities, rather than brute-force searching the whole keyspace.
The generation of random numbers of a sufficient level of quality for
use in cryptography is difficult; see Section 3.6.1 of [FIPS204] for
some additional information.
-->
<t>ML-DSA depends on high quality random numbers that are suitable for use in cryptography. <t>ML-DSA depends on high quality random numbers that are suitable for use in cryptography.
The use of inadequate pseudo-random number generators (PRNGs) to generate such v alues can significantly undermine the security properties offered by a cryptogra phic algorithm. The use of inadequate pseudo-random number generators (PRNGs) to generate such v alues can significantly undermine the security properties offered by a cryptogra phic algorithm.
For instance, an attacker may find it much easier to reproduce the PRNG environm ent that produced any private keys, searching the resulting small set of possibi lities, rather than brute force searching the whole key space. For instance, an attacker may find it much easier to reproduce the PRNG environm ent that produced any private keys, searching the resulting small set of possibi lities, rather than brute-force searching the whole key space.
The generation of random numbers of a sufficient level of quality for use in cry ptography is difficult; see Section 3.6.1 of <xref target="FIPS204"/> for some a dditional information.</t> The generation of random numbers of a sufficient level of quality for use in cry ptography is difficult; see Section 3.6.1 of <xref target="FIPS204"/> for some a dditional information.</t>
<t>By default, ML-DSA signature generation uses randomness from two source s: fresh random data generated during signature generation, and precomputed rand om data included in the signer's private key. <t>By default, ML-DSA signature generation uses randomness from two source s: fresh random data generated during signature generation, and precomputed rand om data included in the signer's private key.
This is referred to as the "hedged" variant of ML-DSA. This is referred to as the "hedged" variant of ML-DSA.
Inclusion of both sources of random can help mitigate against faulty random numb er generators, side-channel attacks and fault attacks. Inclusion of both sources of random data can help mitigate against faulty random number generators, side-channel attacks, and fault attacks.
<xref target="FIPS204"/> also permits creating deterministic signatures using ju st the precomputed random data in the signer's private key. <xref target="FIPS204"/> also permits creating deterministic signatures using ju st the precomputed random data in the signer's private key.
The same verification algorithm is used to verify both hedged and deterministic signatures, so this choice does not affect interoperability. The same verification algorithm is used to verify both hedged and deterministic signatures, so this choice does not affect interoperability.
The signer <bcp14>SHOULD NOT</bcp14> use the deterministic variant of ML-DSA on platforms where side-channel attacks or fault attacks are a concern. The signer <bcp14>SHOULD NOT</bcp14> use the deterministic variant of ML-DSA on platforms where side-channel attacks or fault attacks are a concern.
Side channel attacks and fault attacks against ML-DSA are an active area of rese arch <xref target="WNGD2023"/> <xref target="KPLG2024"/>. Side channel attacks and fault attacks against ML-DSA are an active area of rese arch <xref target="WNGD2023"/> <xref target="KPLG2024"/>.
Future protection against these styles of attack may involve interoperable chang es to the implementation of ML-DSA's internal functions. Future protection against these styles of attack may involve interoperable chang es to the implementation of ML-DSA's internal functions.
Implementers <bcp14>SHOULD</bcp14> consider implementing such protection measure s if it would be beneficial for their particular use cases.</t> Implementers <bcp14>SHOULD</bcp14> consider implementing such protection measure s if it would be beneficial for their particular use cases.</t>
<t>To avoid algorithm substitution attacks, the CMSAlgorithmProtection att ribute defined in <xref target="RFC6211"/> <bcp14>SHOULD</bcp14> be included in signed attributes.</t> <t>To avoid algorithm substitution attacks, the CMSAlgorithmProtection att ribute defined in <xref target="RFC6211"/> <bcp14>SHOULD</bcp14> be included in signed attributes.</t>
</section> </section>
<section anchor="operational-considerations"> <section anchor="operational-considerations">
<name>Operational Considerations</name> <name>Operational Considerations</name>
<t>If ML-DSA signing is implemented in a hardware device such as hardware <t>If ML-DSA signing is implemented in a hardware device such as the hardw
security module (HSM) or portable cryptographic token, implementers might want t are security module (HSM) or portable cryptographic token, implementers might wa
o avoid sending the full content to the device for performance reasons. nt to avoid sending the full content to the device for performance reasons.
By including signed attributes, which necessarily include the message-digest att By including signed attributes, which necessarily includes the message-digest at
ribute and the content-type attribute as described in Section 5.3 of <xref targe tribute and the content-type attribute as described in <xref target="RFC5652" se
t="RFC5652"/>, the much smaller set of signed attributes are sent to the device ction="5.3"/>, the much smaller set of signed attributes are sent to the device
for signing.</t> for signing.</t>
<t>Additionally, the pure variant of ML-DSA does support a form of pre-has
h via external calculation of the μ (mu) "message representative" value describe <t>Additionally, the pure variant of ML-DSA does support a form of pre-has
d in Section 6.2 of <xref target="FIPS204"/>. h via external calculation of the <u>μ</u> "message representative" value descri
bed in Section 6.2 of <xref target="FIPS204"/>.
This value may "optionally be computed in a different cryptographic module" and supplied to the hardware device, rather than requiring the entire message to be transmitted. This value may "optionally be computed in a different cryptographic module" and supplied to the hardware device, rather than requiring the entire message to be transmitted.
Appendix D of <xref target="I-D.ietf-lamps-dilithium-certificates"/> describes u se of external μ calculations in further detail.</t> <xref section="D" target="RFC9881"/> describes use of external μ calculations in further detail.</t>
</section> </section>
<section anchor="iana-considerations"> <section anchor="iana-considerations">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t>For the ASN.1 module found in <xref target="asn1"/>, IANA is requested <t>For the ASN.1 module in <xref target="asn1"/>, IANA has assigned the fo
to assign an object identifier for the module identifier (TBD1) with a descripti llowing object identifier in the "SMI Security for S/MIME Module Identifier (1.2
on of "id-mod-ml-dsa-2024". .840.113549.1.9.16.0)" registry:</t>
This should be allocated in the "SMI Security for S/MIME Module Identifier" regi
stry (1.2.840.113549.1.9.16.0).</t> <table anchor="oid">
</section> <thead>
<section anchor="acknowledgments"> <tr>
<name>Acknowledgments</name> <th>Decimal</th>
<t>The authors would like to thank the following people for their contribu <th>Description</th>
tions and reviews that helped shape this document: Viktor Dukhovni, Russ Housley <th>Refernece</th>
, Panos Kampanakis, Mike Ounsworth, Falko Strenzke, Sean Turner, and Wei-Jun Wan </tr>
g.</t> </thead>
<t>This document was heavily influenced by <xref target="RFC8419"/>, <xref <tbody>
target="I-D.ietf-lamps-cms-sphincs-plus"/>, and <xref target="I-D.ietf-lamps-di <tr>
lithium-certificates"/>. <td>83</td>
Thanks go to the authors of those documents.</t> <td>id-mod-ml-dsa-2024</td>
<td>RFC 9882</td>
</tr>
</tbody>
</table>
</section> </section>
</middle> </middle>
<back> <back>
<references anchor="sec-combined-references"> <references anchor="sec-combined-references">
<name>References</name> <name>References</name>
<references anchor="sec-normative-references"> <references anchor="sec-normative-references">
<name>Normative References</name> <name>Normative References</name>
<reference anchor="FIPS204">
<front> <reference anchor="FIPS204" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.
<title>Module-lattice-based digital signature standard</title> FIPS.204.pdf">
<author> <front>
<organization/> <title>Module-Lattice-Based Digital Signature Standard</title>
</author> <author>
<date month="August" year="2024"/> <organization abbrev="NIST">National Institute of Standards and Technology
</front> </organization>
<seriesInfo name="DOI" value="10.6028/nist.fips.204"/> </author>
<refcontent>National Institute of Standards and Technology (U.S.)</ref <date month="August" year="2024"/>
content> </front>
</reference> <seriesInfo name="NIST FIPS" value="204"/>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.204"/>
</reference>
<!-- [rfced] [CSOR] FYI: We have updated the date for this reference from
20 August 2024 to 13 June 2025 to match the information provided at the URL.
-->
<reference anchor="CSOR" target="https://csrc.nist.gov/projects/computer -security-objects-register/algorithm-registration"> <reference anchor="CSOR" target="https://csrc.nist.gov/projects/computer -security-objects-register/algorithm-registration">
<front> <front>
<title>Computer Security Objects Register</title> <title>Computer Security Objects Register (CSOR)</title>
<author initials="" surname="NIST" fullname="National Institute of S <author>
tandards and Technology"> <organization abbrev="NIST">National Institute of Standards and Te
<organization/> chnology</organization>
</author> </author>
<date year="2024" month="August" day="20"/> <date year="2025" month="June" day="13"/>
</front>
</reference>
<reference anchor="RFC5652">
<front>
<title>Cryptographic Message Syntax (CMS)</title>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<date month="September" year="2009"/>
<abstract>
<t>This document describes the Cryptographic Message Syntax (CMS).
This syntax is used to digitally sign, digest, authenticate, or encrypt arbitra
ry message content. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="STD" value="70"/>
<seriesInfo name="RFC" value="5652"/>
<seriesInfo name="DOI" value="10.17487/RFC5652"/>
</reference>
<reference anchor="RFC2119">
<front>
<title>Key words for use in RFCs to Indicate Requirement Levels</tit
le>
<author fullname="S. Bradner" initials="S." surname="Bradner"/>
<date month="March" year="1997"/>
<abstract>
<t>In many standards track documents several words are used to sig
nify the requirements in the specification. These words are often capitalized. T
his document defines these words as they should be interpreted in IETF documents
. This document specifies an Internet Best Current Practices for the Internet Co
mmunity, and requests discussion and suggestions for improvements.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
tle>
<author fullname="B. Leiba" initials="B." surname="Leiba"/>
<date month="May" year="2017"/>
<abstract>
<t>RFC 2119 specifies common key words that may be used in protoco
l specifications. This document aims to reduce the ambiguity by clarifying that
only UPPERCASE usage of the key words have the defined special meanings.</t>
</abstract>
</front> </front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference> </reference>
<reference anchor="I-D.ietf-lamps-dilithium-certificates"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
<front> 652.xml"/>
<title>Internet X.509 Public Key Infrastructure - Algorithm Identifi <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
ers for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA)</title> 119.xml"/>
<author fullname="Jake Massimo" initials="J." surname="Massimo"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
<organization>AWS</organization> 174.xml"/>
</author>
<author fullname="Panos Kampanakis" initials="P." surname="Kampanaki
s">
<organization>AWS</organization>
</author>
<author fullname="Sean Turner" initials="S." surname="Turner">
<organization>sn3rd</organization>
</author>
<author fullname="Bas Westerbaan" initials="B." surname="Westerbaan"
>
<organization>Cloudflare</organization>
</author>
<date day="30" month="September" year="2025"/>
<abstract>
<t> Digital signatures are used within X.509 certificates, Certi
ficate
Revocation Lists (CRLs), and to sign messages. This document
specifies the conventions for using FIPS 204, the Module-Lattice-
Based Digital Signature Algorithm (ML-DSA) in Internet X.509
certificates and certificate revocation lists. The conventions for
the associated signatures, subject public keys, and private key are
also described.
</t> <!-- draft-ietf-lamps-dilithium-certificates-12 - RFC 9881
</abstract> -->
</front> <reference anchor="RFC9881" target="https://www.rfc-editor.org/info/rfc9881">
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-dilithium-ce <front>
rtificates-13"/> <title>Internet X.509 Public Key Infrastructure -- Algorithm Identifiers for
</reference> the Module-Lattice-Based Digital Signature Algorithm (ML-DSA)</title>
<reference anchor="RFC5754"> <author initials="J." surname="Massimo" fullname="Jake Massimo">
<front> <organization>AWS</organization>
<title>Using SHA2 Algorithms with Cryptographic Message Syntax</titl </author>
e> <author initials="P." surname="Kampanakis" fullname="Panos Kampanakis">
<author fullname="S. Turner" initials="S." surname="Turner"/> <organization>AWS</organization>
<date month="January" year="2010"/> </author>
<abstract> <author initials="S." surname="Turner" fullname="Sean Turner">
<t>This document describes the conventions for using the Secure Ha <organization>sn3rd</organization>
sh Algorithm (SHA) message digest algorithms (SHA-224, SHA-256, SHA-384, SHA-512 </author>
) with the Cryptographic Message Syntax (CMS). It also describes the conventions <author initials="B. E." surname="Westerbaan" fullname="Bas Westerbaan">
for using these algorithms with the CMS and the Digital Signature Algorithm (DS <organization>Cloudflare</organization>
A), Rivest Shamir Adleman (RSA), and Elliptic Curve DSA (ECDSA) signature algori </author>
thms. Further, it provides SMIMECapabilities attribute values for each algorithm <date month='October' year='2025'/>
. [STANDARDS-TRACK]</t> </front>
</abstract> <seriesInfo name="RFC" value="9881"/>
</front> <seriesInfo name="DOI" value="10.17487/RFC9881"/>
<seriesInfo name="RFC" value="5754"/> </reference>
<seriesInfo name="DOI" value="10.17487/RFC5754"/>
</reference> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
<reference anchor="RFC8702"> 754.xml"/>
<front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
<title>Use of the SHAKE One-Way Hash Functions in the Cryptographic 702.xml"/>
Message Syntax (CMS)</title> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
<author fullname="P. Kampanakis" initials="P." surname="Kampanakis"/ 211.xml"/>
>
<author fullname="Q. Dang" initials="Q." surname="Dang"/>
<date month="January" year="2020"/>
<abstract>
<t>This document updates the "Cryptographic Message Syntax (CMS) A
lgorithms" (RFC 3370) and describes the conventions for using the SHAKE family o
f hash functions in the Cryptographic Message Syntax as one-way hash functions w
ith the RSA Probabilistic Signature Scheme (RSASSA-PSS) and Elliptic Curve Digit
al Signature Algorithm (ECDSA). The conventions for the associated signer public
keys in CMS are also described.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8702"/>
<seriesInfo name="DOI" value="10.17487/RFC8702"/>
</reference>
<reference anchor="RFC6211">
<front>
<title>Cryptographic Message Syntax (CMS) Algorithm Identifier Prote
ction Attribute</title>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<date month="April" year="2011"/>
<abstract>
<t>The Cryptographic Message Syntax (CMS), unlike X.509/PKIX certi
ficates, is vulnerable to algorithm substitution attacks. In an algorithm substi
tution attack, the attacker changes either the algorithm being used or the param
eters of the algorithm in order to change the result of a signature verification
process. In X.509 certificates, the signature algorithm is protected because it
is duplicated in the TBSCertificate.signature field with the proviso that the v
alidator is to compare both fields as part of the signature validation process.
This document defines a new attribute that contains a copy of the relevant algor
ithm identifiers so that they are protected by the signature or authentication p
rocess. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6211"/>
<seriesInfo name="DOI" value="10.17487/RFC6211"/>
</reference>
</references> </references>
<references anchor="sec-informative-references"> <references anchor="sec-informative-references">
<name>Informative References</name> <name>Informative References</name>
<reference anchor="FIPS180">
<front> <reference anchor="FIPS180" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.
<title>Secure hash standard</title> FIPS.180-4.pdf">
<author> <front>
<organization/> <title>Secure Hash Standard</title>
</author> <author>
<date year="2015"/> <organization abbrev="NIST">National Institute of Standards and Technology
</front> </organization>
<seriesInfo name="DOI" value="10.6028/nist.fips.180-4"/> </author>
<refcontent>National Institute of Standards and Technology (U.S.)</ref <date month="August" year="2015"/>
content> </front>
</reference> <seriesInfo name="NIST FIPS" value="180-4"/>
<reference anchor="FIPS205"> <seriesInfo name="DOI" value="10.6028/NIST.FIPS.180-4"/>
<front> </reference>
<title>Stateless hash-based digital signature standard</title>
<author> <reference anchor="FIPS205" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.
<organization/> FIPS.205.pdf">
</author> <front>
<date month="August" year="2024"/> <title>Stateless Hash-Based Digital Signature Standard</title>
</front> <author>
<seriesInfo name="DOI" value="10.6028/nist.fips.205"/> <organization abbrev="NIST">National Institute of Standards and Technology
<refcontent>National Institute of Standards and Technology (U.S.)</ref </organization>
content> </author>
</reference> <date month="August" year="2024"/>
<reference anchor="RFC5911"> </front>
<front> <seriesInfo name="NIST FIPS" value="205"/>
<title>New ASN.1 Modules for Cryptographic Message Syntax (CMS) and <seriesInfo name="DOI" value="10.6028/NIST.FIPS.205"/>
S/MIME</title> </reference>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
<author fullname="J. Schaad" initials="J." surname="Schaad"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
<date month="June" year="2010"/> 911.xml"/>
<abstract>
<t>The Cryptographic Message Syntax (CMS) format, and many associa
ted formats, are expressed using ASN.1. The current ASN.1 modules conform to the
1988 version of ASN.1. This document updates those ASN.1 modules to conform to
the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the f
ormats; this is simply a change to the syntax. This document is not an Internet
Standards Track specification; it is published for informational purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5911"/>
<seriesInfo name="DOI" value="10.17487/RFC5911"/>
</reference>
<reference anchor="X680" target="https://www.itu.int/rec/T-REC-X.680"> <reference anchor="X680" target="https://www.itu.int/rec/T-REC-X.680">
<front> <front>
<title>Information Technology - Abstract Syntax Notation One (ASN.1) : Specification of basic notation. ITU-T Recommendation X.680 (2021) | ISO/IEC 8 824-1:2021.</title> <title>Information technology - Abstract Syntax Notation One (ASN.1) : Specification of basic notation</title>
<author> <author>
<organization>ITU-T</organization> <organization>ITU-T</organization>
</author> </author>
<date year="2021" month="February"/> <date year="2021" month="February"/>
</front> </front>
<seriesInfo name="ITU-T Recommendation" value="X.680"/>
<seriesInfo name="ISO/IEC" value="8824-1:2021"/>
</reference> </reference>
<reference anchor="KPLG2024" target="https://ia.cr/2024/138"> <reference anchor="KPLG2024" target="https://ia.cr/2024/138">
<front> <front>
<title>Correction Fault Attacks on Randomized CRYSTALS-Dilithium</ti tle> <title>Correction Fault Attacks on Randomized CRYSTALS-Dilithium</ti tle>
<author initials="E." surname="Krahmer"> <author initials="E." surname="Krahmer">
<organization/> <organization/>
</author> </author>
<author initials="P." surname="Pessl"> <author initials="P." surname="Pessl">
<organization/> <organization/>
</author> </author>
<author initials="G." surname="Land"> <author initials="G." surname="Land">
<organization/> <organization/>
</author> </author>
<author initials="T." surname="Güneysu"> <author initials="T." surname="Güneysu">
<organization/> <organization/>
</author> </author>
<date year="2024"/> <date year="2024"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2024/138</refcontent>
<format type="PDF" target="https://eprint.iacr.org/2024/138.pdf"/> <format type="PDF" target="https://eprint.iacr.org/2024/138.pdf"/>
</reference> </reference>
<reference anchor="WNGD2023" target="https://ia.cr/2023/1931"> <reference anchor="WNGD2023" target="https://ia.cr/2023/1931">
<front> <front>
<title>Single-Trace Side-Channel Attacks on CRYSTALS-Dilithium: Myth or Reality?</title> <title>Single-Trace Side-Channel Attacks on CRYSTALS-Dilithium: Myth or Reality?</title>
<author initials="R." surname="Wang"> <author initials="R." surname="Wang">
<organization/> <organization/>
</author> </author>
<author initials="K." surname="Ngo"> <author initials="K." surname="Ngo">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Gärtner"> <author initials="J." surname="Gärtner">
<organization/> <organization/>
</author> </author>
<author initials="E." surname="Dubrova"> <author initials="E." surname="Dubrova">
<organization/> <organization/>
</author> </author>
<date year="2023"/> <date year="2023"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2023/1931</refcontent>
<format type="PDF" target="https://eprint.iacr.org/2023/1931.pdf"/> <format type="PDF" target="https://eprint.iacr.org/2023/1931.pdf"/>
</reference> </reference>
<reference anchor="RFC5280"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
<front> 280.xml"/>
<title>Internet X.509 Public Key Infrastructure Certificate and Cert <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
ificate Revocation List (CRL) Profile</title> 032.xml"/>
<author fullname="D. Cooper" initials="D." surname="Cooper"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
<author fullname="S. Santesson" initials="S." surname="Santesson"/> 419.xml"/>
<author fullname="S. Farrell" initials="S." surname="Farrell"/> <!-- draft-ietf-lamps-cms-sphincs-plus-19 is now RFC 9814 -->
<author fullname="S. Boeyen" initials="S." surname="Boeyen"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
<author fullname="R. Housley" initials="R." surname="Housley"/> 814.xml"/>
<author fullname="W. Polk" initials="W." surname="Polk"/>
<date month="May" year="2008"/>
<abstract>
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certif
icate revocation list (CRL) for use in the Internet. An overview of this approac
h and model is provided as an introduction. The X.509 v3 certificate format is d
escribed in detail, with additional information regarding the format and semanti
cs of Internet name forms. Standard certificate extensions are described and two
Internet-specific extensions are defined. A set of required certificate extensi
ons is specified. The X.509 v2 CRL format is described in detail along with stan
dard and Internet-specific extensions. An algorithm for X.509 certification path
validation is described. An ASN.1 module and examples are provided in the appen
dices. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5280"/>
<seriesInfo name="DOI" value="10.17487/RFC5280"/>
</reference>
<reference anchor="RFC8032">
<front>
<title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
<author fullname="I. Liusvaara" initials="I." surname="Liusvaara"/>
<date month="January" year="2017"/>
<abstract>
<t>This document describes elliptic curve signature scheme Edwards
-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with r
ecommended parameters for the edwards25519 and edwards448 curves. An example imp
lementation and test vectors are provided.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8032"/>
<seriesInfo name="DOI" value="10.17487/RFC8032"/>
</reference>
<reference anchor="RFC8419">
<front>
<title>Use of Edwards-Curve Digital Signature Algorithm (EdDSA) Sign
atures in the Cryptographic Message Syntax (CMS)</title>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<date month="August" year="2018"/>
<abstract>
<t>This document specifies the conventions for using the Edwards-c
urve Digital Signature Algorithm (EdDSA) for curve25519 and curve448 in the Cryp
tographic Message Syntax (CMS). For each curve, EdDSA defines the PureEdDSA and
HashEdDSA modes. However, the HashEdDSA mode is not used with the CMS. In additi
on, no context string is used with the CMS.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8419"/>
<seriesInfo name="DOI" value="10.17487/RFC8419"/>
</reference>
<reference anchor="I-D.ietf-lamps-cms-sphincs-plus">
<front>
<title>Use of the SLH-DSA Signature Algorithm in the Cryptographic M
essage Syntax (CMS)</title>
<author fullname="Russ Housley" initials="R." surname="Housley">
<organization>Vigil Security, LLC</organization>
</author>
<author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
<organization>Cisco Systems</organization>
</author>
<author fullname="Panos Kampanakis" initials="P." surname="Kampanaki
s">
<organization>Amazon Web Services</organization>
</author>
<author fullname="Bas Westerbaan" initials="B." surname="Westerbaan"
>
<organization>Cloudflare</organization>
</author>
<date day="13" month="January" year="2025"/>
<abstract>
<t> SLH-DSA is a stateless hash-based signature scheme. This do
cument
specifies the conventions for using the SLH-DSA signature algorithm
with the Cryptographic Message Syntax (CMS). In addition, the
algorithm identifier and public key syntax are provided.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-cms-sphincs-
plus-19"/>
</reference>
</references> </references>
</references> </references>
<?line 323?>
<section anchor="asn1"> <section anchor="asn1">
<name>ASN.1 Module</name> <name>ASN.1 Module</name>
<aside>
<t>RFC EDITOR: Please replace the reference to <xref target="I-D.ietf-la
mps-dilithium-certificates"/>
in the ASN.1 module below with a reference the corresponding published RFC.</t>
</aside>
<sourcecode type="asn.1"><![CDATA[ <sourcecode type="asn.1"><![CDATA[
<CODE BEGINS> <CODE BEGINS>
ML-DSA-Module-2024 ML-DSA-Module-2024
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
id-smime(16) id-mod(0) id-mod-ml-dsa-2024(TBD1) } id-smime(16) id-mod(0) id-mod-ml-dsa-2024(83) }
DEFINITIONS IMPLICIT TAGS ::= BEGIN DEFINITIONS IMPLICIT TAGS ::= BEGIN
EXPORTS ALL; EXPORTS ALL;
IMPORTS SIGNATURE-ALGORITHM, SMIME-CAPS IMPORTS SIGNATURE-ALGORITHM, SMIME-CAPS
FROM AlgorithmInformation-2009 -- in [RFC5911] FROM AlgorithmInformation-2009 -- in [RFC5911]
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58) } id-mod-algorithmInformation-02(58) }
sa-ml-dsa-44, sa-ml-dsa-65, sa-ml-dsa-87 sa-ml-dsa-44, sa-ml-dsa-65, sa-ml-dsa-87
FROM X509-ML-DSA-2024 -- From [I-D.ietf-lamps-dilithium-certificates] FROM X509-ML-DSA-2024 -- From [RFC9881]
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-x509-ml-dsa-2024(119) } ; id-mod-x509-ml-dsa-2024(119) } ;
-- --
-- Expand the signature algorithm set used by CMS [RFC5911] -- Expand the signature algorithm set used by CMS [RFC5911]
-- --
SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= { SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= {
sa-ml-dsa-44 | sa-ml-dsa-44 |
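Review bot: In the new IANA Considerations table (right-hand column, `<table anchor="oid">`), the third header cell is spelled `<th>Refernece</th>` and would be published as a misspelled column heading; it should read `<th>Reference</th>`. In Operational Considerations, the revised "such as the hardware security module (HSM) or portable cryptographic token" uses a definite article although no particular HSM has been introduced, so "such as a hardware security module (HSM)" would keep the original sense. The same section wraps the first μ in `<u>` but leaves "external μ calculations" bare in the sentence citing RFC 9881, and the markup should be consistent. Finally, the removed [rfced] comment in Security Considerations asked whether the random-number paragraph should match RFC 9881, yet the retained paragraph still differs from the text quoted in that comment (for example "reproduce the PRNG environment that produced any private keys" versus "using an inadequate PRNG for key generation might allow an attacker to efficiently recover the private key"); please confirm that the divergence is the intended resolution.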
skipping to change at line 640 skipping to change at line 534
sa-ml-dsa-87.&smimeCaps, sa-ml-dsa-87.&smimeCaps,
... } ... }
END END
<CODE ENDS> <CODE ENDS>
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="examples"> <section anchor="examples">
<name>Examples</name> <name>Examples</name>
<t>This appendix contains example signed-data encodings. <t>This appendix contains example signed-data encodings.
They can be verified using the example public keys and certificates specified in They can be verified using the example public keys and certificates specified in
Appendix C of <xref target="I-D.ietf-lamps-dilithium-certificates"/>.</t> <xref section="C" target="RFC9881"/>.</t>
<!-- [rfced] Regarding the text marked <sourcecode> and <artwork>, please review
and let us know if any updates are needed. The following was provided in respo
nse via the intake form:
The draft features an ASN.1 module that is tagged as source code
in the XML. The module has been tested to confirm that it compiles.
The draft also features example encodings in base64/PEM format and
in a parsed representation. These are artefacts produced by an
implementation rather than "source code" per se, so aren't tagged
that way. Regardless, we've tested the examples against an independent
implementation to make sure they work.
Please consider whether some should be marked as "x509" for consistency with RFC
-to-be 9881 <draft-ietf-lamps-dilithium-certificates>, as the authors of RFC 988
1 provided the following guidance:
And the PEM examples in the Appendix C.3 can become type “x509”.
RFC-to-be 9881 has not yet been updated.
Note that the current list of preferred values for "type" is available at
<https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types>.
If the current list does not contain an applicable type, feel free to
suggest additions for consideration. Note that it is also acceptable
to leave the "type" attribute not set.
-->
<t>The following is an example of a signed-data with a single ML-DSA-44 si gner, with signed attributes included:</t> <t>The following is an example of a signed-data with a single ML-DSA-44 si gner, with signed attributes included:</t>
<artwork><![CDATA[ <sourcecode><![CDATA[
-----BEGIN CMS----- -----BEGIN CMS-----
MIIKsAYJKoZIhvcNAQcCoIIKoTCCCp0CAQExDTALBglghkgBZQMEAgMwQwYJKoZI MIIKsAYJKoZIhvcNAQcCoIIKoTCCCp0CAQExDTALBglghkgBZQMEAgMwQwYJKoZI
hvcNAQcBoDYENE1MLURTQS00NCBzaWduZWQtZGF0YSBleGFtcGxlIHdpdGggc2ln hvcNAQcBoDYENE1MLURTQS00NCBzaWduZWQtZGF0YSBleGFtcGxlIHdpdGggc2ln
bmVkIGF0dHJpYnV0ZXMxggpCMIIKPgIBATA6MCIxDTALBgNVBAoTBElFVEYxETAP bmVkIGF0dHJpYnV0ZXMxggpCMIIKPgIBATA6MCIxDTALBgNVBAoTBElFVEYxETAP
BgNVBAMTCExBTVBTIFdHAhQVn/5vIv1cxCxSTfb9XijQ3jjzTjALBglghkgBZQME BgNVBAMTCExBTVBTIFdHAhQVn/5vIv1cxCxSTfb9XijQ3jjzTjALBglghkgBZQME
AgOgazAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBME8GCSqGSIb3DQEJBDFCBEAL AgOgazAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBME8GCSqGSIb3DQEJBDFCBEAL
v5NoEkfE3OkMRW4rKXw97hdFLivtQ/OVU4Pc/DrfWm3d7POpIxNQ4WCwyGDTWKwi v5NoEkfE3OkMRW4rKXw97hdFLivtQ/OVU4Pc/DrfWm3d7POpIxNQ4WCwyGDTWKwi
dWwcHZ9E3CT0Twj2gI/UMAsGCWCGSAFlAwQDEQSCCXTzX9ZSUYiiAjJ2USF/0b1K dWwcHZ9E3CT0Twj2gI/UMAsGCWCGSAFlAwQDEQSCCXTzX9ZSUYiiAjJ2USF/0b1K
fyTnaJTCFymSXY/ZOE0++0F6BZ9HUQweqTlrfXUmpOLlYK+8Hd/zCmyjboKZZmCA fyTnaJTCFymSXY/ZOE0++0F6BZ9HUQweqTlrfXUmpOLlYK+8Hd/zCmyjboKZZmCA
KY4rPlbI4W9ndcowgSgawGixVsOvOBimudg4B5Tbo43cORwIPW6FdDrCa9eKgcGh KY4rPlbI4W9ndcowgSgawGixVsOvOBimudg4B5Tbo43cORwIPW6FdDrCa9eKgcGh
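Review bot: The [rfced] query inserted between the Examples introduction and the first example is still an open question embedded in the new XML; it should be answered and the comment deleted before this version is final. On its substance, the block that follows is labelled `-----BEGIN CMS-----` and carries a signed-data encoding, not a certificate, so the "x509" type proposed for the RFC 9881 PEM examples would mislabel it. The comment itself allows leaving "type" unset, which is what the new `<sourcecode>` tag does. Also confirm that `section="C"` in the rewritten xref still points at the appendix of RFC 9881 that holds the example public keys and certificates, since the target changed from the draft name to the RFC number in the same edit.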
skipping to change at line 703 skipping to change at line 621
W9K8YhhLo49Oh3GDuf4CZgPULsHXqKcCr9lVDpff/kcxwVeXITQiFVykwjfEllXT W9K8YhhLo49Oh3GDuf4CZgPULsHXqKcCr9lVDpff/kcxwVeXITQiFVykwjfEllXT
gnxR3zQRP61P3aisQxwsaKgHKGzD5idGAzGQuwVgAs95xA/ka1ccMe8a5da+bKP/ gnxR3zQRP61P3aisQxwsaKgHKGzD5idGAzGQuwVgAs95xA/ka1ccMe8a5da+bKP/
9QqnAFFtArVZpso0Xcy2D/iusW2bcBjiSANM4GnZwsyphF0WIK89aq/411WIz3zc 9QqnAFFtArVZpso0Xcy2D/iusW2bcBjiSANM4GnZwsyphF0WIK89aq/411WIz3zc
XflJIW80fAy47VF8W340bSgc24AOrQlz38TEGLIcvqPvSMTQRVUdl2S9PgGo8cpP XflJIW80fAy47VF8W340bSgc24AOrQlz38TEGLIcvqPvSMTQRVUdl2S9PgGo8cpP
J5+lm7FzJftRSTwYsaSwtOUM1hvvXbvcWfO3g8XMJbof8cWH7QeEPcan+ygxqbtt J5+lm7FzJftRSTwYsaSwtOUM1hvvXbvcWfO3g8XMJbof8cWH7QeEPcan+ygxqbtt
ArQ5Dk+BE4Rv/MBJUVi5E30IBHxWXx6OTwSljFDjBwt8bPVk7YMaBWMMY4KZw5jU ArQ5Dk+BE4Rv/MBJUVi5E30IBHxWXx6OTwSljFDjBwt8bPVk7YMaBWMMY4KZw5jU
nRakavONHDQDizfy7U0IRAEjKTxKTFaRk56+y839PF2Tlp63wO0UFzAyQVVkZ2uR nRakavONHDQDizfy7U0IRAEjKTxKTFaRk56+y839PF2Tlp63wO0UFzAyQVVkZ2uR
zs/Q7xYbHEBpepGfq7C0w9Tp7fgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA zs/Q7xYbHEBpepGfq7C0w9Tp7fgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
DhYkNA== DhYkNA==
-----END CMS----- -----END CMS-----
]]></artwork> ]]></sourcecode>
<artwork><![CDATA[ <sourcecode><![CDATA[
SEQUENCE { SEQUENCE {
# signedData # signedData
OBJECT_IDENTIFIER { 1.2.840.113549.1.7.2 } OBJECT_IDENTIFIER { 1.2.840.113549.1.7.2 }
[0] { [0] {
SEQUENCE { SEQUENCE {
INTEGER { 1 } INTEGER { 1 }
SET { SET {
SEQUENCE { SEQUENCE {
# sha512 # sha512
OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.3 } OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.3 }
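Review bot: The closing and opening tags between the PEM block and the parsed dump both change from `<artwork>` to `<sourcecode>` with no `type`, so two different kinds of content (a PEM encoding and an annotated dump beginning `SEQUENCE {`) end up tagged identically. The authors' reply quoted in the [rfced] comment describes these encodings as artefacts produced by an implementation rather than source code, so either keep the dump as `<artwork>` or record in the query resolution why an untyped `<sourcecode>` was chosen for both.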
skipping to change at line 856 skipping to change at line 774
7c565f1e8e4f04a58c50e3070b7c6cf564ed831a05630c638299c398d49d16a4 7c565f1e8e4f04a58c50e3070b7c6cf564ed831a05630c638299c398d49d16a4
6af38d1c34038b37f2ed4d08440123293c4a4c5691939ebecbcdfd3c5d93969e 6af38d1c34038b37f2ed4d08440123293c4a4c5691939ebecbcdfd3c5d93969e
b7c0ed14173032415564676b91cecfd0ef161b1c40697a919fabb0b4c3d4e9ed b7c0ed14173032415564676b91cecfd0ef161b1c40697a919fabb0b4c3d4e9ed
f8000000000000000000000000000000000000000000000000000000000e1624 f8000000000000000000000000000000000000000000000000000000000e1624
34` } 34` }
} }
} }
} }
} }
} }
]]></artwork> ]]></sourcecode>
<t>The following is an example of a signed-data with a single ML-DSA-65 si gner, with signed attributes included:</t> <t>The following is an example of a signed-data with a single ML-DSA-65 si gner, with signed attributes included:</t>
<artwork><![CDATA[ <sourcecode><![CDATA[
-----BEGIN CMS----- -----BEGIN CMS-----
MIIOKQYJKoZIhvcNAQcCoIIOGjCCDhYCAQExDTALBglghkgBZQMEAgMwQwYJKoZI MIIOKQYJKoZIhvcNAQcCoIIOGjCCDhYCAQExDTALBglghkgBZQMEAgMwQwYJKoZI
hvcNAQcBoDYENE1MLURTQS02NSBzaWduZWQtZGF0YSBleGFtcGxlIHdpdGggc2ln hvcNAQcBoDYENE1MLURTQS02NSBzaWduZWQtZGF0YSBleGFtcGxlIHdpdGggc2ln
bmVkIGF0dHJpYnV0ZXMxgg27MIINtwIBATA6MCIxDTALBgNVBAoTBElFVEYxETAP bmVkIGF0dHJpYnV0ZXMxgg27MIINtwIBATA6MCIxDTALBgNVBAoTBElFVEYxETAP
BgNVBAMTCExBTVBTIFdHAhQVn/5vIv1cxCxSTfb9XijQ3jjzTjALBglghkgBZQME BgNVBAMTCExBTVBTIFdHAhQVn/5vIv1cxCxSTfb9XijQ3jjzTjALBglghkgBZQME
AgOgazAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBME8GCSqGSIb3DQEJBDFCBEDV AgOgazAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBME8GCSqGSIb3DQEJBDFCBEDV
dAiINSoOkqad8+saHOVVYKw/LS+Cgc4/BqVtOoKFyyTuZAR1cSmheu9HfN8aRDoS dAiINSoOkqad8+saHOVVYKw/LS+Cgc4/BqVtOoKFyyTuZAR1cSmheu9HfN8aRDoS
Ig4wz94jCPe4gULOnjqoMAsGCWCGSAFlAwQDEgSCDO1SnJA5zOCk/J0mfklniShg Ig4wz94jCPe4gULOnjqoMAsGCWCGSAFlAwQDEgSCDO1SnJA5zOCk/J0mfklniShg
BjzE2zH3oafJHtLTAItJwO7niA2s4tqmU9LfVVU4n+bXALkLNXOYY057rdKy/V4W BjzE2zH3oafJHtLTAItJwO7niA2s4tqmU9LfVVU4n+bXALkLNXOYY057rdKy/V4W
u+tbqGWWNUKwBSWAZw/4htJXrN9tb7T+fSTn9A9XfMps2GMai15n9vp4cjia49YS u+tbqGWWNUKwBSWAZw/4htJXrN9tb7T+fSTn9A9XfMps2GMai15n9vp4cjia49YS
skipping to change at line 937 skipping to change at line 855
NabF50gr/XPeh9eMKJzCEFA2NBy20yjr6uHGprkd4Yd7iMzBz/DD9P/4dE6lAXGA NabF50gr/XPeh9eMKJzCEFA2NBy20yjr6uHGprkd4Yd7iMzBz/DD9P/4dE6lAXGA
vALm0S8mrv8p6S1ln2lrYjYptdELG6FbAm5ZFRWD9XDQUCmbDp8qQkw4q7nFSLTx vALm0S8mrv8p6S1ln2lrYjYptdELG6FbAm5ZFRWD9XDQUCmbDp8qQkw4q7nFSLTx
lzu6lQIiB7weAoJ0/WyhrD75GTcp7W9e0pcmqQL6YMYTIlvRSoq0aK4l4nz+7eUY lzu6lQIiB7weAoJ0/WyhrD75GTcp7W9e0pcmqQL6YMYTIlvRSoq0aK4l4nz+7eUY
tCuJjGDmj/+2kHVOZUF/p8fzZmsWBcgpMUJnPo0hTUZ3oQqxsNYFiXZDStVtyA7b tCuJjGDmj/+2kHVOZUF/p8fzZmsWBcgpMUJnPo0hTUZ3oQqxsNYFiXZDStVtyA7b
hS8OX6kEO8652tGQop6jIx3WEUs/vqSa/h1BHVW3aOd29Rqw0Tf1o6BoIoDdccpi hS8OX6kEO8652tGQop6jIx3WEUs/vqSa/h1BHVW3aOd29Rqw0Tf1o6BoIoDdccpi
4NlIgwVFxFhzqxy9QvQF0nuaPIaCZFf8vTxaMSVD7JVmvAG2QJXQXfseyttHnaut 4NlIgwVFxFhzqxy9QvQF0nuaPIaCZFf8vTxaMSVD7JVmvAG2QJXQXfseyttHnaut
i3iV/dQfCk6q5AF3FfLWmpbv7xGzgAqEQLJbWGTgzkWhrUd4XSxMuz3Fdr2miYqZ i3iV/dQfCk6q5AF3FfLWmpbv7xGzgAqEQLJbWGTgzkWhrUd4XSxMuz3Fdr2miYqZ
bKeW7WTYZheWIByiulhuxh9UYf0GDxAYY4m5EGV5pek6xgwhMj1YYmVobHng4g8n bKeW7WTYZheWIByiulhuxh9UYf0GDxAYY4m5EGV5pek6xgwhMj1YYmVobHng4g8n
YKOx3QAAAAAAAAAAAAAAAAAAAAAAAAAECxASHiQ= YKOx3QAAAAAAAAAAAAAAAAAAAAAAAAAECxASHiQ=
-----END CMS----- -----END CMS-----
]]></artwork> ]]></sourcecode>
<artwork><![CDATA[ <sourcecode><![CDATA[
SEQUENCE { SEQUENCE {
# signedData # signedData
OBJECT_IDENTIFIER { 1.2.840.113549.1.7.2 } OBJECT_IDENTIFIER { 1.2.840.113549.1.7.2 }
[0] { [0] {
SEQUENCE { SEQUENCE {
INTEGER { 1 } INTEGER { 1 }
SET { SET {
SEQUENCE { SEQUENCE {
# sha512 # sha512
OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.3 } OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.3 }
skipping to change at line 1117 skipping to change at line 1035
86826457fcbd3c5a312543ec9566bc01b64095d05dfb1ecadb479dabad8b7895 86826457fcbd3c5a312543ec9566bc01b64095d05dfb1ecadb479dabad8b7895
fdd41f0a4eaae4017715f2d69a96efef11b3800a8440b25b5864e0ce45a1ad47 fdd41f0a4eaae4017715f2d69a96efef11b3800a8440b25b5864e0ce45a1ad47
785d2c4cbb3dc576bda6898a996ca796ed64d8661796201ca2ba586ec61f5461 785d2c4cbb3dc576bda6898a996ca796ed64d8661796201ca2ba586ec61f5461
fd060f10186389b9106579a5e93ac60c21323d586265686c79e0e20f2760a3b1 fd060f10186389b9106579a5e93ac60c21323d586265686c79e0e20f2760a3b1
dd00000000000000000000000000000000000000040b10121e24` } dd00000000000000000000000000000000000000040b10121e24` }
} }
} }
} }
} }
} }
]]></artwork> ]]></sourcecode>
<t>The following is an example of a signed-data with a single ML-DSA-87 si gner, with signed attributes included:</t> <t>The following is an example of a signed-data with a single ML-DSA-87 si gner, with signed attributes included:</t>
<artwork><![CDATA[ <sourcecode><![CDATA[
-----BEGIN CMS----- -----BEGIN CMS-----
MIITTwYJKoZIhvcNAQcCoIITQDCCEzwCAQExDTALBglghkgBZQMEAgMwQwYJKoZI MIITTwYJKoZIhvcNAQcCoIITQDCCEzwCAQExDTALBglghkgBZQMEAgMwQwYJKoZI
hvcNAQcBoDYENE1MLURTQS04NyBzaWduZWQtZGF0YSBleGFtcGxlIHdpdGggc2ln hvcNAQcBoDYENE1MLURTQS04NyBzaWduZWQtZGF0YSBleGFtcGxlIHdpdGggc2ln
bmVkIGF0dHJpYnV0ZXMxghLhMIIS3QIBATA6MCIxDTALBgNVBAoTBElFVEYxETAP bmVkIGF0dHJpYnV0ZXMxghLhMIIS3QIBATA6MCIxDTALBgNVBAoTBElFVEYxETAP
BgNVBAMTCExBTVBTIFdHAhQVn/5vIv1cxCxSTfb9XijQ3jjzTjALBglghkgBZQME BgNVBAMTCExBTVBTIFdHAhQVn/5vIv1cxCxSTfb9XijQ3jjzTjALBglghkgBZQME
AgOgazAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBME8GCSqGSIb3DQEJBDFCBEAC AgOgazAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBME8GCSqGSIb3DQEJBDFCBEAC
T17yhGvaIiDlQiCKz9cV3dO44RHoOQ1ihksdwSjAosm3RWewuVXGF/ACIE0n2IeV T17yhGvaIiDlQiCKz9cV3dO44RHoOQ1ihksdwSjAosm3RWewuVXGF/ACIE0n2IeV
aZ4GXwFq4xxtCktCZiJkMAsGCWCGSAFlAwQDEwSCEhOYY96ah3JfVdeWO1CemlSW aZ4GXwFq4xxtCktCZiJkMAsGCWCGSAFlAwQDEwSCEhOYY96ah3JfVdeWO1CemlSW
30ZGl8Qta5PTVd4n2ccPMYjFeqR5KIy1uKqZOnKPnnXsEsr9wlvhVNxpHxWAqxpD 30ZGl8Qta5PTVd4n2ccPMYjFeqR5KIy1uKqZOnKPnnXsEsr9wlvhVNxpHxWAqxpD
8mkqUmRT2Cyd0a6qNcIRbA3iXtLjTy6llMey1AnbSRHlRuDilT8OpzAbDy9OEROY 8mkqUmRT2Cyd0a6qNcIRbA3iXtLjTy6llMey1AnbSRHlRuDilT8OpzAbDy9OEROY
skipping to change at line 1226 skipping to change at line 1144
qCKew79jYIyzRIoX0SM37lehkJuMRU7hfziMrC4fhVSjp16MX9fV7r5lRLfJo8n/ qCKew79jYIyzRIoX0SM37lehkJuMRU7hfziMrC4fhVSjp16MX9fV7r5lRLfJo8n/
n6hgrjDXmpSqzGRRatsCLjbYy/Bij7UljieM4uyst1Tb3bJvE0xrQRTQqcjEfEbx n6hgrjDXmpSqzGRRatsCLjbYy/Bij7UljieM4uyst1Tb3bJvE0xrQRTQqcjEfEbx
oAnZkqiDy0qMU9EK5v1EnpAH4XEoaPut3Lezocj2CouAJFo9q71aM0FJ6HMAb9hM oAnZkqiDy0qMU9EK5v1EnpAH4XEoaPut3Lezocj2CouAJFo9q71aM0FJ6HMAb9hM
jKpXuCG/h8xe9uPRXT5/cJCnz6OaK1m4BGT6HBg++idJiH+dS4FBUmO6CN/AubuZ jKpXuCG/h8xe9uPRXT5/cJCnz6OaK1m4BGT6HBg++idJiH+dS4FBUmO6CN/AubuZ
Kw0Fj0RtohMmt+9RhBrxg8JrWFFp973R/W0NP1oA+TK6lJ9q56125ILHJ+saMwAO Kw0Fj0RtohMmt+9RhBrxg8JrWFFp973R/W0NP1oA+TK6lJ9q56125ILHJ+saMwAO
93kz15TLPWIfGj/wvbnkmvPCAKCvxcaAUt7iiKRZBHGc1ZZ4KoNapkiIwJdGb9eh 93kz15TLPWIfGj/wvbnkmvPCAKCvxcaAUt7iiKRZBHGc1ZZ4KoNapkiIwJdGb9eh
N546WTMQ0vspzgjx6zkZWgAOGIaNmrCy07Ln+QEIaqO+wyBRYYGOmK6xvczS2UO2 N546WTMQ0vspzgjx6zkZWgAOGIaNmrCy07Ln+QEIaqO+wyBRYYGOmK6xvczS2UO2
1+UJO2O/xN4BEiktT2yN0NzsGjJETl5vjpnE/wAAAAAAAAAAAAAAAAAAAAkMEh4i 1+UJO2O/xN4BEiktT2yN0NzsGjJETl5vjpnE/wAAAAAAAAAAAAAAAAAAAAkMEh4i
KDI8 KDI8
-----END CMS----- -----END CMS-----
]]></artwork> ]]></sourcecode>
<artwork><![CDATA[ <sourcecode><![CDATA[
SEQUENCE { SEQUENCE {
# signedData # signedData
OBJECT_IDENTIFIER { 1.2.840.113549.1.7.2 } OBJECT_IDENTIFIER { 1.2.840.113549.1.7.2 }
[0] { [0] {
SEQUENCE { SEQUENCE {
INTEGER { 1 } INTEGER { 1 }
SET { SET {
SEQUENCE { SEQUENCE {
# sha512 # sha512
OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.3 } OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.3 }
skipping to change at line 1448 skipping to change at line 1366
a0afc5c68052dee288a45904719cd596782a835aa64888c097466fd7a1379e3a a0afc5c68052dee288a45904719cd596782a835aa64888c097466fd7a1379e3a
593310d2fb29ce08f1eb39195a000e18868d9ab0b2d3b2e7f901086aa3bec320 593310d2fb29ce08f1eb39195a000e18868d9ab0b2d3b2e7f901086aa3bec320
5161818e98aeb1bdccd2d943b6d7e5093b63bfc4de0112292d4f6c8dd0dcec1a 5161818e98aeb1bdccd2d943b6d7e5093b63bfc4de0112292d4f6c8dd0dcec1a
32444e5e6f8e99c4ff000000000000000000000000000000090c121e2228323c 32444e5e6f8e99c4ff000000000000000000000000000000090c121e2228323c
` } ` }
} }
} }
} }
} }
} }
]]></artwork> ]]></sourcecode>
</section> </section>
</back>
<!-- ##markdown-source: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<section anchor="acknowledgments" numbered="false">
<name>Acknowledgments</name>
<t>The authors would like to thank the following people for their contribu
tions and reviews that helped shape this document: <contact fullname="Viktor Duk
hovni"/>, <contact fullname="Russ Housley"/>, <contact fullname="Panos Kampanaki
s"/>, <contact fullname="Mike Ounsworth"/>, <contact fullname="Falko Strenzke"/>
, <contact fullname="Sean Turner"/>, and <contact fullname="Wei-Jun Wang"/>.</t>
<t>This document was heavily influenced by <xref target="RFC8419"/>, <xref
target="RFC9814"/>, and <xref target="RFC9881"/>.
Thanks go to the authors of those documents.</t>
</section>
<!-- [rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed. Updates of this nature typically
result in more precise language, which is helpful for readers.
Note that our script did not flag any words in particular, but this should
still be reviewed as a best practice.
--> -->
</back>
</rfc> </rfc>
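Review bot: The second [rfced] comment, the inclusive-language query placed after the new Acknowledgments `</section>` and before `</back>`, is also still pending and should be resolved and removed from the XML. The new Acknowledgments text cites RFC 8419, RFC 9814 and RFC 9881 through `<xref>`; check that all three targets exist in the reference sections so the xrefs resolve.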
 End of changes. 69 change blocks. 
1167 lines changed or deleted 304 lines changed or added

This html diff was produced by rfcdiff 1.48.