<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE rfc [
 <!ENTITY nbsp "&#160;">
 <!ENTITY zwsp "&#8203;">
 <!ENTITY nbhy "&#8209;">
 <!ENTITY wj "&#8288;">
]>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-cose-tsa-tst-header-parameter-08" number="9921" updates="" obsoletes="" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3" xml:lang="en">
<front>
<title abbrev="COSE Header">Concise Binary Object Representation (CBOR) Object Signing and Encryption (COSE) Header Parameter for Timestamp Tokens as Defined in RFC 3161</title>
<seriesInfo name="RFC" value="9921"/>
<author initials="H." surname="Birkholz" fullname="Henk Birkholz">
 <organization abbrev="Fraunhofer SIT">Fraunhofer SIT</organization>
 <address>
  <postal>
   <street>Rheinstrasse 75</street>
   <city>Darmstadt</city>
   <code>64295</code>
   <country>Germany</country>
  </postal>
  <email>henk.birkholz@ietf.contact</email>
 </address>
</author>
<author initials="T." surname="Fossati" fullname="Thomas Fossati">
 <organization>Linaro</organization>
 <address>
  <email>thomas.fossati@linaro.org</email>
 </address>
</author>
<author initials="M." surname="Riechert" fullname="Maik Riechert">
 <organization>Microsoft</organization>
 <address>
  <postal>
   <country>United Kingdom</country>
  </postal>
  <email>Maik.Riechert@microsoft.com</email>
 </address>
</author>
<date year="2026" month="February"/>
<area>SEC</area>
<workgroup>cose</workgroup>
<abstract>
<t>This document defines two Concise Binary Object Representation (CBOR) Object Signing and Encryption (COSE) header parameters for incorporating timestamping based on RFC 3161 into COSE message structures (<tt>COSE_Sign</tt> and <tt>COSE_Sign1</tt>).
This enables the use of established timestamping infrastructure per RFC 3161 in COSE-based protocols.</t>
</abstract>
</front>
<middle>
<section anchor="introduction">
<name>Introduction</name>
<t>RFC 3161 <xref target="RFC3161"/> provides a method for timestamping a message digest to prove that it was created before a given time.</t>
<t>This document defines two new CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/> header parameters that carry the <tt>TimeStampToken</tt> (TST) output of RFC 3161 <xref target="RFC3161"/>, thus allowing existing and widely deployed trust infrastructure to be used with COSE structures used for signing (<tt>COSE_Sign</tt> and <tt>COSE_Sign1</tt>).</t>
<section anchor="use-cases">
<name>Use Cases</name>
<t>This section discusses two use cases, each representing one of the two modes of use defined in <xref target="modes"/>. As the security characteristics of the two cases differ, care must be taken when choosing the appropriate mode for a given application. See <xref target="sec-sema-confusion-avoidance"/> for a discussion on the security of the implementations.</t>
<t>The primary use case is that of "long-term signatures", i.e., signatures that can still be verified even after the signing certificate has expired. This can address situations where it is important to prevent subsequent denial by the signer or to verify signatures made using (very) short-term certificates.
To achieve this, the document signer acquires a fresh TST for the document's signature from a trusted Time Stamping Authority (TSA) <xref target="RFC3161"/> and concatenates it with the document. Later, when a relying party verifies the signed document and its associated TST, they can be certain that the document was signed <em>at least</em> at the time specified by the TSA and that the signing certificate was valid at the time the signature was made.</t>
<t>This primary usage scenario motivates the "COSE, then Timestamp" mode described in <xref target="sec-cose-then-timestamp"/>.</t>
<t>The second use case is new. It is the notarization of a signed document by registering it with a transparency service. This is common practice for ensuring the accountability and auditability of issued documents, which are typically referred to as "statements" in this context. It is also common practice to only register the signed parts of a statement (the "signed statement" portion) with a transparency service, in order to reduce the complexity of consistency checks at a later stage and to avoid the need to retrieve or reconstruct unsigned parts. Once the signed parts of a document have been registered in the append-only log at a transparency service, the log entry cannot be changed.
In order to avoid losing the TST during the registration process, the TST must be included in the signed statement. To achieve this, the issuer acquires a TST from a TSA, includes it in the to-be-signed part of the statement so that the resulting signed statement includes the TST, and then registers the signed parts (rendering it a "transparent statement"). Later on, a relying party consuming the transparent statement including the TST can be certain that the statement was signed by the issuer <em>at least</em> at the time specified by the TSA. If the issuer's signing key has expired (or has been compromised), the authenticity of the statement can be ascertained by ensuring that no revocation information was made public before the time asserted by the issuer and registered at the transparency service.</t>
<t>This new usage scenario motivates the "Timestamp, then COSE" mode defined in <xref target="sec-timestamp-then-cose"/>.</t>
</section>
<section anchor="requirements-notation">
<name>Requirements Notation</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
</section>
</section>
<section anchor="modes">
<name>Modes of Use</name>
<t>There are two different modes of composing COSE protection and timestamping, motivated by the usage scenarios discussed above.</t>
<t>The diagrams in this section illustrate the processing flow of the specified modes. For simplicity, only the <tt>COSE_Sign1</tt> processing is shown. Similar diagrams for <tt>COSE_Sign</tt> can be derived by allowing multiple <tt>private-key</tt> parallelogram boxes and replacing the label <tt>[signature]</tt> with <tt>[signatures]</tt>.</t>
<section anchor="sec-cose-then-timestamp">
<name>COSE, then Timestamp (CTT)</name>
<t><xref target="fig-cose-then-timestamp"/> shows the case where the signature(s) field of the signed COSE object is digested and submitted to a TSA to be timestamped.
The obtained timestamp token is then added back as an unprotected header into the same COSE object.</t> <t>This mode is utilized when a record of the timing of the signature operation is desired.</t> <figure anchor="fig-cose-then-timestamp"> <name>COSE, then Timestamp (CTT)</name> <artset> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="448" width="616" viewBox="0 0 616 448" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px"> <path d="M 8,32 L 8,288" fill="none" stroke="black"/> <path d="M 48,224 L 48,336" fill="none" stroke="black"/> <path d="M 48,368 L 48,400" fill="none" stroke="black"/> <path d="M 72,112 L 72,184" fill="none" stroke="black"/> <path d="M 80,32 L 80,64" fill="none" stroke="black"/> <path d="M 96,400 L 96,432" fill="none" stroke="black"/> <path d="M 160,320 L 160,336" fill="none" stroke="black"/> <path d="M 160,368 L 160,392" fill="none" stroke="black"/> <path d="M 168,80 L 168,112" fill="none" stroke="black"/> <path d="M 200,112 L 200,144" fill="none" stroke="black"/> <path d="M 224,176 L 224,224" fill="none" stroke="black"/> <path d="M 232,240 L 232,272" fill="none" stroke="black"/> <path d="M 264,80 L 264,112" fill="none" stroke="black"/> <path d="M 264,368 L 264,392" fill="none" stroke="black"/> <path d="M 280,80 L 280,112" fill="none" stroke="black"/> <path d="M 296,240 L 296,272" fill="none" stroke="black"/> <path d="M 304,176 L 304,224" fill="none" stroke="black"/> <path d="M 312,112 L 312,128" fill="none" stroke="black"/> <path d="M 312,400 L 312,432" fill="none" stroke="black"/> <path d="M 320,304 L 320,384" fill="none" stroke="black"/> <path d="M 344,80 L 344,112" fill="none" stroke="black"/> <path d="M 352,336 L 352,368" fill="none" stroke="black"/> <path d="M 360,64 L 360,200" fill="none" stroke="black"/> <path d="M 360,216 L 360,248" fill="none" stroke="black"/> <path d="M 360,264 L 360,288" fill="none" stroke="black"/> <path d="M 376,384 L 376,400" 
fill="none" stroke="black"/> <path d="M 384,32 L 384,288" fill="none" stroke="black"/> <path d="M 400,336 L 400,368" fill="none" stroke="black"/> <path d="M 432,32 L 432,64" fill="none" stroke="black"/> <path d="M 432,304 L 432,344" fill="none" stroke="black"/> <path d="M 432,360 L 432,384" fill="none" stroke="black"/> <path d="M 456,112 L 456,160" fill="none" stroke="black"/> <path d="M 456,192 L 456,232" fill="none" stroke="black"/> <path d="M 464,288 L 464,336" fill="none" stroke="black"/> <path d="M 544,64 L 544,288" fill="none" stroke="black"/> <path d="M 8,32 L 80,32" fill="none" stroke="black"/> <path d="M 384,32 L 432,32" fill="none" stroke="black"/> <path d="M 8,64 L 360,64" fill="none" stroke="black"/> <path d="M 384,64 L 544,64" fill="none" stroke="black"/> <path d="M 40,80 L 152,80" fill="none" stroke="black"/> <path d="M 168,80 L 264,80" fill="none" stroke="black"/> <path d="M 280,80 L 344,80" fill="none" stroke="black"/> <path d="M 416,80 L 528,80" fill="none" stroke="black"/> <path d="M 24,112 L 136,112" fill="none" stroke="black"/> <path d="M 168,112 L 264,112" fill="none" stroke="black"/> <path d="M 280,112 L 344,112" fill="none" stroke="black"/> <path d="M 400,112 L 512,112" fill="none" stroke="black"/> <path d="M 72,144 L 296,144" fill="none" stroke="black"/> <path d="M 224,176 L 304,176" fill="none" stroke="black"/> <path d="M 40,192 L 104,192" fill="none" stroke="black"/> <path d="M 160,192 L 184,192" fill="none" stroke="black"/> <path d="M 120,208 L 136,208" fill="none" stroke="black"/> <path d="M 200,208 L 216,208" fill="none" stroke="black"/> <path d="M 304,208 L 376,208" fill="none" stroke="black"/> <path d="M 40,224 L 104,224" fill="none" stroke="black"/> <path d="M 160,224 L 184,224" fill="none" stroke="black"/> <path d="M 224,224 L 304,224" fill="none" stroke="black"/> <path d="M 232,240 L 296,240" fill="none" stroke="black"/> <path d="M 432,240 L 496,240" fill="none" stroke="black"/> <path d="M 296,256 L 376,256" fill="none" 
stroke="black"/> <path d="M 232,272 L 296,272" fill="none" stroke="black"/> <path d="M 432,272 L 496,272" fill="none" stroke="black"/> <path d="M 8,288 L 40,288" fill="none" stroke="black"/> <path d="M 56,288 L 360,288" fill="none" stroke="black"/> <path d="M 384,288 L 544,288" fill="none" stroke="black"/> <path d="M 320,304 L 432,304" fill="none" stroke="black"/> <path d="M 48,320 L 248,320" fill="none" stroke="black"/> <path d="M 352,336 L 400,336" fill="none" stroke="black"/> <path d="M 408,352 L 448,352" fill="none" stroke="black"/> <path d="M 352,368 L 400,368" fill="none" stroke="black"/> <path d="M 320,384 L 432,384" fill="none" stroke="black"/> <path d="M 96,400 L 312,400" fill="none" stroke="black"/> <path d="M 64,416 L 88,416" fill="none" stroke="black"/> <path d="M 320,416 L 360,416" fill="none" stroke="black"/> <path d="M 96,432 L 312,432" fill="none" stroke="black"/> <path d="M 24,112 L 40,80" fill="none" stroke="black"/> <path d="M 136,112 L 152,80" fill="none" stroke="black"/> <path d="M 400,112 L 416,80" fill="none" stroke="black"/> <path d="M 512,112 L 528,80" fill="none" stroke="black"/> <path d="M 296,144 C 304.83064,144 312,136.83064 312,128" fill="none" stroke="black"/> <path d="M 456,160 C 447.16936,160 440,167.16936 440,176" fill="none" stroke="black"/> <path d="M 456,160 C 464.83064,160 472,167.16936 472,176" fill="none" stroke="black"/> <path d="M 40,192 C 31.16936,192 24,199.16936 24,208" fill="none" stroke="black"/> <path d="M 104,192 C 112.83064,192 120,199.16936 120,208" fill="none" stroke="black"/> <path d="M 160,192 C 151.16936,192 144,199.16936 144,208" fill="none" stroke="black"/> <path d="M 184,192 C 192.83064,192 200,199.16936 200,208" fill="none" stroke="black"/> <path d="M 456,192 C 447.16936,192 440,184.83064 440,176" fill="none" stroke="black"/> <path d="M 456,192 C 464.83064,192 472,184.83064 472,176" fill="none" stroke="black"/> <path d="M 40,224 C 31.16936,224 24,216.83064 24,208" fill="none" stroke="black"/> <path d="M 
104,224 C 112.83064,224 120,216.83064 120,208" fill="none" stroke="black"/>
<path d="M 160,224 C 151.16936,224 144,216.83064 144,208" fill="none" stroke="black"/>
<path d="M 184,224 C 192.83064,224 200,216.83064 200,208" fill="none" stroke="black"/>
<path d="M 432,240 C 423.16936,240 416,247.16936 416,256" fill="none" stroke="black"/>
<path d="M 496,240 C 504.83064,240 512,247.16936 512,256" fill="none" stroke="black"/>
<path d="M 432,272 C 423.16936,272 416,264.83064 416,256" fill="none" stroke="black"/>
<path d="M 496,272 C 504.83064,272 512,264.83064 512,256" fill="none" stroke="black"/>
<path d="M 248,320 C 256.83064,320 264,327.16936 264,336" fill="none" stroke="black"/>
<path d="M 448,352 C 456.83064,352 464,344.83064 464,336" fill="none" stroke="black"/>
<path d="M 64,416 C 55.16936,416 48,408.83064 48,400" fill="none" stroke="black"/>
<path d="M 360,416 C 368.83064,416 376,408.83064 376,400" fill="none" stroke="black"/>
<polygon class="arrowhead" points="464,232 452,226.4 452,237.6 " fill="black" transform="rotate(90,456,232)"/>
<polygon class="arrowhead" points="416,352 404,346.4 404,357.6 " fill="black" transform="rotate(180,408,352)"/>
<polygon class="arrowhead" points="384,256 372,250.4 372,261.6 " fill="black" transform="rotate(0,376,256)"/>
<polygon class="arrowhead" points="384,208 372,202.4 372,213.6 " fill="black" transform="rotate(0,376,208)"/>
<polygon class="arrowhead" points="328,416 316,410.4 316,421.6 " fill="black" transform="rotate(180,320,416)"/>
<polygon class="arrowhead" points="272,392 260,386.4 260,397.6 " fill="black" transform="rotate(90,264,392)"/>
<polygon class="arrowhead" points="224,208 212,202.4 212,213.6 " fill="black" transform="rotate(0,216,208)"/>
<polygon class="arrowhead" points="168,392 156,386.4 156,397.6 " fill="black" transform="rotate(90,160,392)"/>
<polygon class="arrowhead" points="144,208 132,202.4 132,213.6 " fill="black" transform="rotate(0,136,208)"/>
<polygon class="arrowhead" points="96,416 84,410.4 84,421.6 " fill="black" transform="rotate(0,88,416)"/>
<polygon class="arrowhead" points="80,184 68,178.4 68,189.6 " fill="black" transform="rotate(90,72,184)"/>
<g class="text">
<text x="44" y="52">Signer</text>
<text x="408" y="52">TSA</text>
<text x="88" y="100">private-key</text>
<text x="216" y="100">protected</text>
<text x="312" y="100">datum</text>
<text x="464" y="100">private-key</text>
<text x="456" y="180">L</text>
<text x="504" y="180">Clock</text>
<text x="264" y="196">Message</text>
<text x="72" y="212">Sign1</text>
<text x="172" y="212">hash</text>
<text x="264" y="212">Imprint</text>
<text x="264" y="260">nonce</text>
<text x="464" y="260">timestamp</text>
<text x="376" y="324">unprotected</text>
<text x="48" y="356">[protected]</text>
<text x="160" y="356">[payload]</text>
<text x="264" y="356">[signature]</text>
<text x="376" y="356">TST</text>
<text x="184" y="420">rfc3161-ctt</text>
<text x="252" y="420">COSE</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art" align="center"><![CDATA[
.--------.                                     .-----.
| Signer |                                     | TSA |
+--------+----------------------------------.  +-----+-------------.
|   .-------------. .-----------. .-------. |  |   .-------------. |
|  / private-key /  | protected | | datum | |  |  / private-key /  |
| '-----+-------'   '---+-------' '---+---' |  | '------+------'   |
|       |               |             |     |  |        |          |
|       +---------------+------------'      |  |        |          |
|       |               |                   |  |       .+.         |
|       v                  .---------.      |  |      | L | Clock  |
|  .---------.    .----.   | Message |      |  |       '+'         |
| |   Sign1   +->+ hash +->+ Imprint +-------->|        |          |
|  '-+-------'    '----'   '---------'      |  |        v          |
|    |                      .-------.       |  |    .---------.    |
|    |                      | nonce +--------->|   | timestamp |   |
|    |                      '-------'       |  |    '---------'    |
'----|--------------------------------------'  '---------+---------'
     |                                 .-------------.   |
     +-------------+-----------+       | unprotected |   |
     |             |            |      |   .-----.   |   |
[protected]    [payload]   [signature] |   | TST |<-----'
     |             |            |      |   '-----'   |
     |             v            v      '------+------'
     |     .-------+------------+-----.       |
      '--->+     rfc3161-ctt COSE     +<-----'
           '--------------------------'
]]></artwork>
</artset>
</figure>
<t>In this context, timestamp tokens are similar to a countersignature made by the TSA.</t>
</section>
<section anchor="sec-timestamp-then-cose">
<name>Timestamp, then COSE (TTC)</name>
<t><xref target="fig-timestamp-then-cose"/> shows the case where a datum is first digested and submitted to a TSA to be timestamped.</t>
<t>This mode is used to wrap the signed document and its timestamp together in an immutable payload.</t>
<t>A signed COSE message is then built as follows:</t>
<ul spacing="normal">
<li>The obtained timestamp token is added to the protected headers.</li>
<li>The original datum becomes the payload of the signed COSE message.</li>
</ul>
<figure anchor="fig-timestamp-then-cose">
<name>Timestamp, then COSE (TTC)</name>
<artset>
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="464" width="616" viewBox="0 0 616 464" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 8,32 L 8,304" fill="none" stroke="black"/>
<path d="M 40,112 L 40,232" fill="none" stroke="black"/>
<path d="M 48,272 L 48,352" fill="none" stroke="black"/>
<path d="M 48,384 L 48,416" fill="none" stroke="black"/>
<path d="M 64,144 L 64,176" fill="none" stroke="black"/>
<path d="M 80,32 L 80,64" fill="none" stroke="black"/>
<path d="M 80,176 L 80,232" fill="none" stroke="black"/>
<path d="M 96,416 L 96,448" fill="none" stroke="black"/>
<path d="M 128,144 L 128,176" fill="none" stroke="black"/>
<path d="M 160,336 L 160,352" fill="none" stroke="black"/>
<path d="M 160,384 L 160,408" fill="none" stroke="black"/>
<path d="M 208,208 L 208,288" fill="none" stroke="black"/>
<path d="M 232,128 L 232,176" fill="none" stroke="black"/>
<path d="M 240,80 L 240,112" fill="none" stroke="black"/>
<path d="M 240,240 L 240,272" fill="none" stroke="black"/>
<path d="M 264,384 L 264,408" fill="none"
stroke="black"/> <path d="M 288,240 L 288,272" fill="none" stroke="black"/> <path d="M 304,80 L 304,112" fill="none" stroke="black"/> <path d="M 312,128 L 312,176" fill="none" stroke="black"/> <path d="M 312,416 L 312,448" fill="none" stroke="black"/> <path d="M 320,208 L 320,248" fill="none" stroke="black"/> <path d="M 320,264 L 320,288" fill="none" stroke="black"/> <path d="M 320,320 L 320,400" fill="none" stroke="black"/> <path d="M 352,352 L 352,384" fill="none" stroke="black"/> <path d="M 360,64 L 360,88" fill="none" stroke="black"/> <path d="M 360,104 L 360,152" fill="none" stroke="black"/> <path d="M 360,168 L 360,248" fill="none" stroke="black"/> <path d="M 360,264 L 360,304" fill="none" stroke="black"/> <path d="M 376,400 L 376,416" fill="none" stroke="black"/> <path d="M 384,32 L 384,304" fill="none" stroke="black"/> <path d="M 400,352 L 400,384" fill="none" stroke="black"/> <path d="M 432,32 L 432,64" fill="none" stroke="black"/> <path d="M 432,320 L 432,400" fill="none" stroke="black"/> <path d="M 456,112 L 456,160" fill="none" stroke="black"/> <path d="M 456,192 L 456,232" fill="none" stroke="black"/> <path d="M 544,64 L 544,304" fill="none" stroke="black"/> <path d="M 8,32 L 80,32" fill="none" stroke="black"/> <path d="M 384,32 L 432,32" fill="none" stroke="black"/> <path d="M 8,64 L 360,64" fill="none" stroke="black"/> <path d="M 384,64 L 544,64" fill="none" stroke="black"/> <path d="M 40,80 L 152,80" fill="none" stroke="black"/> <path d="M 240,80 L 304,80" fill="none" stroke="black"/> <path d="M 416,80 L 528,80" fill="none" stroke="black"/> <path d="M 304,96 L 376,96" fill="none" stroke="black"/> <path d="M 24,112 L 136,112" fill="none" stroke="black"/> <path d="M 240,112 L 304,112" fill="none" stroke="black"/> <path d="M 400,112 L 512,112" fill="none" stroke="black"/> <path d="M 232,128 L 312,128" fill="none" stroke="black"/> <path d="M 64,144 L 128,144" fill="none" stroke="black"/> <path d="M 168,144 L 192,144" fill="none" stroke="black"/> <path 
d="M 128,160 L 144,160" fill="none" stroke="black"/> <path d="M 208,160 L 224,160" fill="none" stroke="black"/> <path d="M 312,160 L 376,160" fill="none" stroke="black"/> <path d="M 64,176 L 128,176" fill="none" stroke="black"/> <path d="M 168,176 L 192,176" fill="none" stroke="black"/> <path d="M 232,176 L 312,176" fill="none" stroke="black"/> <path d="M 208,208 L 320,208" fill="none" stroke="black"/> <path d="M 40,240 L 88,240" fill="none" stroke="black"/> <path d="M 240,240 L 288,240" fill="none" stroke="black"/> <path d="M 432,240 L 496,240" fill="none" stroke="black"/> <path d="M 112,256 L 208,256" fill="none" stroke="black"/> <path d="M 296,256 L 384,256" fill="none" stroke="black"/> <path d="M 40,272 L 88,272" fill="none" stroke="black"/> <path d="M 240,272 L 288,272" fill="none" stroke="black"/> <path d="M 432,272 L 496,272" fill="none" stroke="black"/> <path d="M 208,288 L 320,288" fill="none" stroke="black"/> <path d="M 8,304 L 40,304" fill="none" stroke="black"/> <path d="M 56,304 L 360,304" fill="none" stroke="black"/> <path d="M 384,304 L 544,304" fill="none" stroke="black"/> <path d="M 320,320 L 432,320" fill="none" stroke="black"/> <path d="M 48,336 L 248,336" fill="none" stroke="black"/> <path d="M 352,352 L 400,352" fill="none" stroke="black"/> <path d="M 352,384 L 400,384" fill="none" stroke="black"/> <path d="M 320,400 L 432,400" fill="none" stroke="black"/> <path d="M 96,416 L 312,416" fill="none" stroke="black"/> <path d="M 64,432 L 88,432" fill="none" stroke="black"/> <path d="M 320,432 L 360,432" fill="none" stroke="black"/> <path d="M 96,448 L 312,448" fill="none" stroke="black"/> <path d="M 24,112 L 40,80" fill="none" stroke="black"/> <path d="M 136,112 L 152,80" fill="none" stroke="black"/> <path d="M 400,112 L 416,80" fill="none" stroke="black"/> <path d="M 512,112 L 528,80" fill="none" stroke="black"/> <path d="M 168,144 C 159.16936,144 152,151.16936 152,160" fill="none" stroke="black"/> <path d="M 192,144 C 200.83064,144 208,151.16936 
208,160" fill="none" stroke="black"/> <path d="M 456,160 C 447.16936,160 440,167.16936 440,176" fill="none" stroke="black"/> <path d="M 456,160 C 464.83064,160 472,167.16936 472,176" fill="none" stroke="black"/> <path d="M 168,176 C 159.16936,176 152,168.83064 152,160" fill="none" stroke="black"/> <path d="M 192,176 C 200.83064,176 208,168.83064 208,160" fill="none" stroke="black"/> <path d="M 456,192 C 447.16936,192 440,184.83064 440,176" fill="none" stroke="black"/> <path d="M 456,192 C 464.83064,192 472,184.83064 472,176" fill="none" stroke="black"/> <path d="M 40,240 C 31.16936,240 24,247.16936 24,256" fill="none" stroke="black"/> <path d="M 88,240 C 96.83064,240 104,247.16936 104,256" fill="none" stroke="black"/> <path d="M 432,240 C 423.16936,240 416,247.16936 416,256" fill="none" stroke="black"/> <path d="M 496,240 C 504.83064,240 512,247.16936 512,256" fill="none" stroke="black"/> <path d="M 40,272 C 31.16936,272 24,264.83064 24,256" fill="none" stroke="black"/> <path d="M 88,272 C 96.83064,272 104,264.83064 104,256" fill="none" stroke="black"/> <path d="M 432,272 C 423.16936,272 416,264.83064 416,256" fill="none" stroke="black"/> <path d="M 496,272 C 504.83064,272 512,264.83064 512,256" fill="none" stroke="black"/> <path d="M 248,336 C 256.83064,336 264,343.16936 264,352" fill="none" stroke="black"/> <path d="M 64,432 C 55.16936,432 48,424.83064 48,416" fill="none" stroke="black"/> <path d="M 360,432 C 368.83064,432 376,424.83064 376,416" fill="none" stroke="black"/> <polygon class="arrowhead" points="464,232 452,226.4 452,237.6 " fill="black" transform="rotate(90,456,232)"/> <polygon class="arrowhead" points="384,160 372,154.4 372,165.6 " fill="black" transform="rotate(0,376,160)"/> <polygon class="arrowhead" points="384,96 372,90.4 372,101.6 " fill="black" transform="rotate(0,376,96)"/> <polygon class="arrowhead" points="328,432 316,426.4 316,437.6 " fill="black" transform="rotate(180,320,432)"/> <polygon class="arrowhead" points="304,256 292,250.4 
292,261.6 " fill="black" transform="rotate(180,296,256)"/>
<polygon class="arrowhead" points="272,408 260,402.4 260,413.6 " fill="black" transform="rotate(90,264,408)"/>
<polygon class="arrowhead" points="232,160 220,154.4 220,165.6 " fill="black" transform="rotate(0,224,160)"/>
<polygon class="arrowhead" points="168,408 156,402.4 156,413.6 " fill="black" transform="rotate(90,160,408)"/>
<polygon class="arrowhead" points="152,160 140,154.4 140,165.6 " fill="black" transform="rotate(0,144,160)"/>
<polygon class="arrowhead" points="120,256 108,250.4 108,261.6 " fill="black" transform="rotate(180,112,256)"/>
<polygon class="arrowhead" points="96,432 84,426.4 84,437.6 " fill="black" transform="rotate(0,88,432)"/>
<polygon class="arrowhead" points="88,232 76,226.4 76,237.6 " fill="black" transform="rotate(90,80,232)"/>
<polygon class="arrowhead" points="48,232 36,226.4 36,237.6 " fill="black" transform="rotate(90,40,232)"/>
<g class="text">
<text x="44" y="52">Signer</text>
<text x="408" y="52">TSA</text>
<text x="88" y="100">private-key</text>
<text x="272" y="100">nonce</text>
<text x="464" y="100">private-key</text>
<text x="272" y="148">Message</text>
<text x="96" y="164">datum</text>
<text x="180" y="164">hash</text>
<text x="272" y="164">Imprint</text>
<text x="456" y="180">L</text>
<text x="504" y="180">Clock</text>
<text x="264" y="228">protected</text>
<text x="64" y="260">Sign1</text>
<text x="264" y="260">TST</text>
<text x="464" y="260">timestamp</text>
<text x="376" y="340">unprotected</text>
<text x="48" y="372">[protected]</text>
<text x="160" y="372">[payload]</text>
<text x="264" y="372">[signature]</text>
<text x="376" y="372">...</text>
<text x="184" y="436">rfc3161-ttc</text>
<text x="252" y="436">COSE</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art" align="center"><![CDATA[
.--------.                                     .-----.
| Signer |                                     | TSA |
+--------+----------------------------------.  +-----+-------------.
|   .-------------.          .-------.      |  |   .-------------. |
|  / private-key /           | nonce +-------->+  / private-key /  |
| '-+-----------'            '-------'      |  | '------+------'   |
|   |                       .---------.      |  |        |          |
|   |  .-------.   .----.   | Message |      |  |        |          |
|   |  + datum +->+ hash +->+ Imprint +------->+       .+.         |
|   |  '-+-----'   '----'   '---------'      |  |      | L | Clock  |
|   |    |                                  |  |       '+'         |
|   |    |               .-------------.    |  |        |          |
|   v    v               |  protected  |    |  |        v          |
|  .-------.             |   .-----.   |    |  |    .---------.    |
| |  Sign1  +<-----------+   | TST |<----------+   | timestamp |   |
|  '-+-----'             |   '-----'   |    |  |    '---------'    |
|    |                   '-------------'    |  |                   |
'----|--------------------------------------'  '-------------------'
     |                                 .-------------.
     +-------------+-----------+       | unprotected |
     |             |            |      |   .-----.   |
[protected]    [payload]   [signature] |   | ... |   |
     |             |            |      |   '-----'   |
     |             v            v      '------+------'
     |     .-------+------------+-----.       |
      '--->+     rfc3161-ttc COSE     +<-----'
           '--------------------------'
]]></artwork>
</artset>
</figure>
</section>
</section>
<section anchor="sec-tst-hdr">
<name>Timestamp Tokens per RFC 3161: COSE Header Parameters</name>
<t>The two modes described in Sections <xref target="sec-timestamp-then-cose" format="counter"/> and <xref target="sec-cose-then-timestamp" format="counter"/> use different inputs into the timestamping machinery and consequently create different kinds of bindings between COSE and TST.
To clearly separate their semantics, two different COSE header parameters are defined as described in the following subsections.</t>
<section anchor="sec-tst-hdr-ctt">
<name><tt>3161-ctt</tt></name>
<t>The <tt>3161-ctt</tt> COSE <em>unprotected</em> header parameter <bcp14>MUST</bcp14> be used for the mode described in <xref target="sec-cose-then-timestamp"/>.</t>
<t>The <tt>3161-ctt</tt> unprotected header parameter contains a DER-encoded <tt>TimeStampToken</tt> <xref target="RFC3161"/> wrapped in a CBOR byte string (major type 2).</t>
<t>The <tt>MessageImprint</tt> sent in the request to the TSA <bcp14>MUST</bcp14> be</t>
<ul spacing="normal">
<li>the hash of the CBOR-encoded signature field of the <tt>COSE_Sign1</tt> message, or</li>
<li>the hash of the CBOR-encoded signatures field of the <tt>COSE_Sign</tt> message.</li>
</ul>
<t>In either case, to minimize dependencies, the hash algorithm <bcp14>SHOULD</bcp14> be the same as the hash algorithm used by the COSE signature algorithm (e.g., SHA-256 for ES256, the algorithm used in the examples below).
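</t>
<t>The following is an added, worked example (Python, standard library only; it is not part of this document or of any COSE implementation) of the imprint computation just described. It encodes the <tt>signature</tt> field of the <tt>COSE_Sign1</tt> example from <xref target="ctt-sign1"/> as a CBOR <tt>bstr</tt>, hashes that encoding with SHA-256, wraps the digest in the DER <tt>MessageImprint</tt>, and builds the <tt>TimeStampReq</tt> that would be sent to the TSA (nonce and certReq present; reqPolicy and extensions omitted). It also encodes the <tt>signatures</tt> array of the <tt>COSE_Sign</tt> example from <xref target="ctt-sign"/> and, for contrast, hashes the datum itself as the "Timestamp, then COSE" mode of <xref target="sec-timestamp-then-cose"/> does. The CBOR and DER encoders, the function names, and the nonce value are the example's own assumptions.</t>
<sourcecode type="python"><![CDATA[
```python
# Added example (not part of RFC 9921 and not any COSE library's code): the
# CTT-mode MessageImprint of Section 3.1 and the RFC 3161 TimeStampReq that
# carries it. Standard library only; the helper names are this example's own.
import hashlib

# --- Minimal CBOR encoder (RFC 8949), just the major types needed here ---
def _cbor_head(major, n):
    """Initial byte(s) for major type `major` with argument `n`."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < (1 << (8 * size)):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("CBOR argument too large")

def cbor_uint(n):
    return _cbor_head(0, n)

def cbor_bstr(b):
    """Byte string (major type 2); a 64-byte value gets the 0x58 0x40 head."""
    return _cbor_head(2, len(b)) + b

def cbor_array(items):
    return _cbor_head(4, len(items)) + b"".join(items)

def cbor_map(pairs):
    return _cbor_head(5, len(pairs)) + b"".join(k + v for k, v in pairs)

# --- Minimal DER encoder for the two RFC 3161 request structures ---
SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1

def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def message_imprint_der(digest):
    """MessageImprint ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier,
                                     hashedMessage OCTET STRING }"""
    alg = der_tlv(0x30, der_tlv(0x06, SHA256_OID) + b"\x05\x00")  # sha-256, NULL
    return der_tlv(0x30, alg + der_tlv(0x04, digest))

def timestamp_req_der(imprint, nonce=None, cert_req=True):
    """TimeStampReq ::= SEQUENCE { version INTEGER v1(1), messageImprint,
       nonce INTEGER OPTIONAL, certReq BOOLEAN DEFAULT FALSE }
       (reqPolicy and extensions are left out)."""
    body = der_tlv(0x02, b"\x01") + imprint
    if nonce is not None:
        # one spare byte keeps a nonce whose top bit is set a positive INTEGER
        body += der_tlv(0x02, nonce.to_bytes((nonce.bit_length() + 8) // 8, "big"))
    if cert_req:
        body += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body)

# --- CTT mode (Section 3.1): the bytes that get hashed ---
def ctt_imprint_input_sign1(signature):
    """COSE_Sign1: the CBOR-encoded signature field, bstr head included."""
    return cbor_bstr(signature)

def ctt_imprint_input_sign(signatures):
    """COSE_Sign: the CBOR-encoded signatures array.  Each entry is
    (protected_header_bytes, [(key_cbor, value_cbor), ...], signature_bytes)."""
    return cbor_array([
        cbor_array([cbor_bstr(prot), cbor_map(unprot), cbor_bstr(sig)])
        for prot, unprot, sig in signatures
    ])

def message_imprint(imprint_input):
    """SHA-256 MessageImprint over the given bytes (the hash ES256 also uses)."""
    return message_imprint_der(hashlib.sha256(imprint_input).digest())

# Test vectors taken from the document's COSE_Sign1 and COSE_Sign examples.
SIGN1_SIGNATURE = bytes.fromhex(
    "8eb33e4ca31d1c465ab05aac34cc6b23d58fef5c083106c4d25a91aef0b0117e"
    "2af9a291aa32e14ab834dc56ed2a223444547e01f11d3b0916e5a4c345cacb36")
SIGN_SIGNATURE = bytes.fromhex(
    "e2aeafd40d69d19dfe6e52077c5d7ff4e408282cbefb5d06cbf414af2e19d982"
    "ac45ac98b8544c908b4507de1e90b717c3d34816fe926a2b98f53afd2fa0f30a")

def example_sign1_imprint():
    return message_imprint(ctt_imprint_input_sign1(SIGN1_SIGNATURE))

def example_sign_imprint_input():
    # protected h'a10126' = {alg: ES256}; unprotected {kid: '11'}
    return ctt_imprint_input_sign([
        (bytes.fromhex("a10126"), [(cbor_uint(4), cbor_bstr(b"11"))], SIGN_SIGNATURE)])

if __name__ == "__main__":
    mi = example_sign1_imprint()
    print("MessageImprint (DER):", mi.hex())
    # 0xC0FFEE stands in for a fresh random nonce (an assumption of this example)
    print("TimeStampReq   (DER):", timestamp_req_der(mi, nonce=0xC0FFEE).hex())
    print("COSE_Sign imprint input:", example_sign_imprint_input().hex())
    # TTC mode (Section 2.2) digests the datum itself, not the signature:
    print("TTC imprint over the datum:", message_imprint(b"This is the content.")[-32:].hex())
```
]]></sourcecode>
<t>Running the module prints the DER encodings; the last 32 bytes of the <tt>MessageImprint</tt> are the digest shown in <xref target="ctt-sign1"/>. A verifier of a <tt>3161-ctt</tt> token recomputes this imprint from the received message's signature field and compares it with the <tt>messageImprint</tt> inside the token's <tt>TSTInfo</tt>; hashing the raw signature bytes without the CBOR head, or a re-encoded rather than the transmitted form, yields a different imprint and a spurious verification failure.</t>
<t>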
This may not be possible if the timestamp token has been obtained outside the processing context in which the COSE object is assembled.</t> <t>Refer to<xref target="ctt-sign1"/>Sections <xref target="ctt-sign1" format="counter"/> and <xreftarget="ctt-sign"/>target="ctt-sign" format="counter"/> for concrete examples of <tt>MessageImprint</tt> computation.</t> <section anchor="ctt-sign1"> <name><tt>MessageImprint</tt> Computation for <tt>COSE_Sign1</tt></name> <t>The following illustrates how <tt>MessageImprint</tt> is computed using a sample <tt>COSE_Sign1</tt> message.</t> <t>Given the <tt>COSE_Sign1</tt> message</t> <!-- [rfced] Please review each artwork element and let us know if any should be marked as sourcecode instead. The current list of preferred values for "type" is available at <https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types>. If the current list does not contain an applicable type, you may suggest additions for consideration. Note that it is also acceptable to leave the "type" attribute unset. Please note that per <https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types>, we changed instances of sourcecode type "asn1" to "asn.1". 
--> <sourcecodetype="cbor-diag">type="cbor-diag"><![CDATA[ 18( [ / protected h'a10126' /<<<< { / alg / 1:-7 / ECDSA 256 / }>>,>>, / unprotected / { / kid / 4:'11' }, / payload / 'This is the content.', / signature / h'8eb33e4ca31d1c465ab05aac34cc6b23d58fef5c083106c4 d25a91aef0b0117e2af9a291aa32e14ab834dc56ed2a223444547e01f11d3b0916e5 a4c345cacb36' ] )</sourcecode>]]></sourcecode> <t>the <tt>bstr</tt>-wrapped <tt>signature</tt></t> <sourcecodetype="cbor-pretty">type="cbor-pretty"><![CDATA[ 58 40 # bytes(64) 8eb33e4ca31d1c465ab05aac34cc6b23 d58fef5c083106c4d25a91aef0b0117e 2af9a291aa32e14ab834dc56ed2a2234 44547e01f11d3b0916e5a4c345cacb36</sourcecode>]]></sourcecode> <t>(including the heading bytes <tt>0x5840</tt>) is used as input for computing the <tt>MessageImprint</tt>.</t> <t>When using SHA-256, the resulting <tt>MessageImprint</tt> is</t> <sourcecodetype="asn1">type="asn.1"><![CDATA[ SEQUENCE { SEQUENCE { OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1) NULL } OCTET STRING 44 C2 41 9D 13 1D 53 D5 55 84 B5 DD 33 B7 88 C2 4E 55 1C 6D 44 B1 AF C8 B2 B8 5E 69 54 76 3B 4E }</sourcecode>]]></sourcecode> </section> <section anchor="ctt-sign"> <name><tt>MessageImprint</tt> Computation for <tt>COSE_Sign</tt></name> <t>The following illustrates how <tt>MessageImprint</tt> is computed using a sample <tt>COSE_Sign</tt> message.</t> <t>Given the <tt>COSE_Sign</tt> message</t> <sourcecodetype="cbor-diag">type="cbor-diag"><![CDATA[ 98( [ / protected / h'', / unprotected / {}, / payload / 'This is the content.', / signatures / [ [ / protected h'a10126' /<<<< { / alg / 1:-7 / ECDSA 256 / }>>,>>, / unprotected / { / kid / 4:'11' }, / signature / h'e2aeafd40d69d19dfe6e52077c5d7ff4e408282cbefb 5d06cbf414af2e19d982ac45ac98b8544c908b4507de1e90b717c3d34816fe926a2b 98f53afd2fa0f30a' ] ] ] )</sourcecode>]]></sourcecode> <t>the <tt>signatures</tt> array</t> <sourcecodetype="cbor-pretty">type="cbor-pretty"><![CDATA[ 81 # array(1) 83 # array(3) 43 # bytes(3) a10126 a1 # map(1) 04 # 
unsigned(4) 42 # bytes(2) 3131 # "11" 58 40 # bytes(64) e2aeafd40d69d19dfe6e52077c5d7ff4 e408282cbefb5d06cbf414af2e19d982 ac45ac98b8544c908b4507de1e90b717 c3d34816fe926a2b98f53afd2fa0f30a</sourcecode>]]></sourcecode> <t>is used as input for computing the <tt>MessageImprint</tt>.</t> <t>When using SHA-256, the resulting <tt>MessageImprint</tt> is</t> <sourcecodetype="asn1">type="asn.1"><![CDATA[ SEQUENCE { SEQUENCE { OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1) NULL } OCTET STRING 80 3F AD A2 91 2D 6B 7A 83 3A 27 BD 96 1C C0 5B C1 CC 16 47 59 B1 C5 6F 7A A7 71 E4 E2 15 26 F7 }</sourcecode>]]></sourcecode> </section> </section> <section anchor="sec-tst-hdr-ttc"> <name><tt>3161-ttc</tt></name> <t>The <tt>3161-ttc</tt> COSE <em>protected</em> header parameter <bcp14>MUST</bcp14> be used for the mode described in <xref target="sec-timestamp-then-cose"/>.</t> <t>The <tt>3161-ttc</tt> protected header parameter contains a DER-encodedRFC3161<tt>TimeStampToken</tt> <xref target="RFC3161"/> wrapped in a CBOR byte string (Major type 2).</t> <t>The <tt>MessageImprint</tt> sent to the TSA (<xref section="2.4" sectionFormat="of" target="RFC3161"/>) <bcp14>MUST</bcp14> be the hash of the payload of the COSE signed object. This does not include the<tt>bstr</tt>-wrapping,<tt>bstr</tt> wrapping -- only the payload bytes. (For an example, see <xref target="ex-ttc"/>.)</t> <t>To minimize dependencies, the hash algorithm used for signing the COSE message <bcp14>SHOULD</bcp14> be the same as the algorithm used in theRFC3161 MessageImprint.<tt>MessageImprint</tt> <xref target="RFC3161"/>. However, this may not be possible if the timestamp requester and the COSE message signer are different entities.</t> </section> </section> <section anchor="timestamp-processing"> <name>Timestamp Processing</name><t>RFC 3161 timestamp<t>Timestamp tokens <xref target="RFC3161"/> useCMSCryptographic Message Syntax (CMS) as the signature envelope format. 
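The <tt>MessageImprint</tt> derivations of Sections 3.1.1, 3.1.2, and 3.2, together with the receiver-side comparison this section requires, as an added Python example that is not part of RFC 9921 and not code from any COSE or CMS library. It reuses the document's own sample signature, <tt>kid</tt>, and payload values; the minimal CBOR and DER encoders, the function names, and the assumption that a separate RFC 3161 library has already verified the token's CMS signature and handed back the DER <tt>MessageImprint</tt> from its TSTInfo are this example's own. Run stand-alone, it prints the three imprints so they can be compared with the values given in Section 3.1 and Appendix A.

```python
import hashlib
import hmac

# Added illustration for RFC 9921, Sections 3.1 to 4: how a requester derives
# the RFC 3161 MessageImprint for each mode, and how a receiver re-derives it
# and checks it against the value carried in the TSTInfo of the embedded token.
# Example code, not from the RFC or from any COSE/CMS library.  The CBOR and
# DER helpers are deliberately minimal (definite lengths, unsigned ints only)
# and are assumptions of this example, not a general codec.

# DER AlgorithmIdentifier (OID + NULL parameters) used inside MessageImprint
# for the two digests that appear in the document's examples.
ALG_IDS = {
    "sha256": bytes.fromhex("300d06096086480165030402010500"),
    "sha512": bytes.fromhex("300d06096086480165030402030500"),
}


def der_len(n):
    """DER length octets for a body of n bytes (short form, or long form up to 2 bytes)."""
    if n > 0xFFFF:
        raise ValueError("length not supported by this example")
    if n > 0xFF:
        return b"\x82" + n.to_bytes(2, "big")
    if n > 0x7F:
        return b"\x81" + bytes([n])
    return bytes([n])


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def message_imprint(alg, data):
    """MessageImprint ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier,
    hashedMessage OCTET STRING } (RFC 3161, Section 2.4.1), computed over data."""
    digest = hashlib.new(alg, data).digest()
    return der_tlv(0x30, ALG_IDS[alg] + der_tlv(0x04, digest))


def cbor_head(major, n):
    """Initial byte(s) of a CBOR item with the given major type and argument n."""
    if n > 0xFFFF:
        return bytes([major * 32 + 26]) + n.to_bytes(4, "big")
    if n > 0xFF:
        return bytes([major * 32 + 25]) + n.to_bytes(2, "big")
    if n > 23:
        return bytes([major * 32 + 24, n])
    return bytes([major * 32 + n])


def cbor_bstr(b):
    return cbor_head(2, len(b)) + b


def cbor_uint(n):
    return cbor_head(0, n)


def cbor_array(items):
    return cbor_head(4, len(items)) + b"".join(items)


def cbor_map(pairs):
    return cbor_head(5, len(pairs)) + b"".join(k + v for k, v in pairs)


def encode_signatures(signatures):
    """CBOR encoding of a COSE_Sign signatures array; each entry is
    [protected bstr, unprotected map, signature bstr].  Input: a list of
    (protected_bytes, [(encoded_key, encoded_value), ...], signature_bytes)."""
    return cbor_array([
        cbor_array([cbor_bstr(prot), cbor_map(unprot), cbor_bstr(sig)])
        for prot, unprot, sig in signatures
    ])


# What the timestamp requester hashes (Sections 3.1 and 3.2).

def imprint_ctt_sign1(signature, alg="sha256"):
    """3161-ctt, COSE_Sign1: hash of the CBOR-encoded signature field,
    i.e. the bstr head (0x58 0x40 for 64 bytes) followed by the signature."""
    return message_imprint(alg, cbor_bstr(signature))


def imprint_ctt_sign(signatures, alg="sha256"):
    """3161-ctt, COSE_Sign: hash of the CBOR-encoded signatures array."""
    return message_imprint(alg, encode_signatures(signatures))


def imprint_ttc(payload, alg="sha256"):
    """3161-ttc: hash of the raw payload bytes, without the bstr wrapping."""
    return message_imprint(alg, payload)


# What the receiver checks (Section 4).

def imprint_matches(tst_imprint, mode, alg="sha256", payload=None,
                    signature=None, signatures=None):
    """True if the MessageImprint taken from the token's TSTInfo equals the
    imprint recomputed from the COSE structure for the mode in use.  The
    caller gets tst_imprint (DER bytes) and alg from its RFC 3161 / CMS
    library after verifying the token's CMS signature (assumed, not shown)."""
    if mode == "ttc":
        expected = imprint_ttc(payload, alg)
    elif mode == "ctt" and signature is not None:
        expected = imprint_ctt_sign1(signature, alg)
    elif mode == "ctt" and signatures is not None:
        expected = imprint_ctt_sign(signatures, alg)
    else:
        raise ValueError("mode must be 'ttc', or 'ctt' with a signature or signatures")
    return hmac.compare_digest(expected, tst_imprint)


# Sample values copied from the document's own examples (Section 3.1, Appendix A).
SIGN1_SIG = bytes.fromhex(
    "8eb33e4ca31d1c465ab05aac34cc6b23d58fef5c083106c4d25a91aef0b0117e"
    "2af9a291aa32e14ab834dc56ed2a223444547e01f11d3b0916e5a4c345cacb36")
SIGN_SIG = bytes.fromhex(
    "e2aeafd40d69d19dfe6e52077c5d7ff4e408282cbefb5d06cbf414af2e19d982"
    "ac45ac98b8544c908b4507de1e90b717c3d34816fe926a2b98f53afd2fa0f30a")
PROTECTED = bytes.fromhex("a10126")                 # {1: -7}, alg ES256
UNPROTECTED = [(cbor_uint(4), cbor_bstr(b"11"))]    # {4: '11'}, kid
PAYLOAD = b"This is the content."
SIGNATURES = [(PROTECTED, UNPROTECTED, SIGN_SIG)]

if __name__ == "__main__":
    print("ctt/Sign1 :", imprint_ctt_sign1(SIGN1_SIG).hex())
    print("ctt/Sign  :", imprint_ctt_sign(SIGNATURES).hex())
    print("ttc       :", imprint_ttc(PAYLOAD).hex())
    # A receiver that re-derives the imprint from an altered payload must reject it.
    token_imprint = imprint_ttc(PAYLOAD)
    print("ttc check :", imprint_matches(token_imprint, "ttc", payload=PAYLOAD),
          imprint_matches(token_imprint, "ttc", payload=b"This is the content!"))
```

Two points of the design follow the text above: the comparison is done on the whole DER <tt>MessageImprint</tt>, so a token whose hash algorithm differs from the one the receiver expects fails the check rather than being silently accepted, and the comparison is constant-time. The check is meaningful only after the token's CMS signature and TSA trust have been verified per RFC 5652 and RFC 3161; it is the last step of token validation, not a replacement for it.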
<xref target="RFC5652"/> provides details about signature verification, and <xref target="RFC3161"/> provides details specific to timestamp token validation. The payload of the signed timestamp token is the TSTInfo structure defined in <xref target="RFC3161"/>, which contains the <tt>MessageImprint</tt> that was sent to the TSA. The hash algorithm is contained in the <tt>MessageImprint</tt> structure, together with the hash itself.</t>
<t>As part of the signature verification, the receiver <bcp14>MUST</bcp14> make sure that the <tt>MessageImprint</tt> in the embedded timestamp token matches a hash of either the payload, signature, or signature fields, depending on the mode of use and type of COSE structure.</t>
<t><xref section="B" sectionFormat="of" target="RFC3161"/> provides an example that illustrates how timestamp tokens can be used to verify signatures of a timestamped message when utilizing X.509 certificates.</t>
</section>
<section anchor="security-considerations">
<name>Security Considerations</name>
<t>Please review the Security Considerations section in <xref target="RFC3161"/>; these considerations apply to this document as well.</t>
<t>Also review the Security Considerations section in <xref target="RFC9052"/>. These considerations apply to this document as well, particularly with regard to the need for implementations to protect private key material. Additionally, solutions based on the COSE header parameters defined in this document must be able to report compromised keys promptly.</t>
<t>The following scenario assumes that an attacker can manipulate the clocks on the COSE signer and its relying parties, but not the TSA. It is also assumed that the TSA is a trusted third party, so the attacker cannot impersonate the TSA and create valid timestamp tokens. In such a setting, any tampering with the COSE signer's clock does not have an impact, because once the timestamp is obtained from the TSA, it becomes the only reliable source of time. However, in both CTT mode and TTC mode, a denial of service can occur if the attacker can adjust the relying party's clock so that the CMS validation fails. This could disrupt the timestamp validation.</t>
<t>In CTT mode, an attacker could manipulate the unprotected header by removing or replacing the timestamp. To avoid that, the signed COSE object should be integrity protected during transit and at rest.</t>
<t>In TTC mode, the TSA is given an opaque identifier (a cryptographic hash value) for the payload. While this means that the content of the payload is not directly revealed, to prevent comparison with known payloads or disclosure of identical payloads being used over time, the payload would need to be armored, e.g., with a nonce that is shared with the recipient of the header parameter but not the TSA. Such a mechanism can be employed inside the parameters described in this specification but is out of scope for this document.
<!-- [rfced] Section 5: As it appears that "the ones" means "the parameters" (per "This document defines two ... parameters" as used in the Abstract and Introduction), we changed "ones" to "parameters". If this is incorrect, please clarify the text. Original: Such a mechanism can be employed inside the ones described in this specification, but is out of scope for this document. Currently: Such a mechanism can be employed inside the parameters described in this specification but is out of scope for this document. -->
</t>
<t>The resolution, accuracy, and precision of the TSA clock, as well as the expected latency introduced by round trips to and from the TSA, must be taken into account when implementing solutions based on the COSE header parameters defined in this document.</t>
<section anchor="sec-sema-confusion-avoidance">
<name>Avoiding Semantic Confusion</name>
<t>CTT mode and TTC mode have different semantic meanings. An implementation must ensure that the contents of the CTT and TTC headers are interpreted according to their specific semantics. In particular, symmetric to the signature and assembly mechanics, each mode has its own separate verification algorithm.</t>
<t>Implementers <bcp14>MUST</bcp14> clearly differentiate between TSA timestamps <xref target="RFC3161"/> proving the existence of payload data at an earlier point in time (TTC) and timestamps explicitly providing evidence of the existence of the cryptographic signature (CTT). Failure to clearly distinguish between these timestamp semantics can result in vulnerabilities, such as incorrectly accepting signatures created after key revocation based on older payload-only timestamps. Validators must not interpret protected-header payload timestamps as proof of signature creation time and should rely exclusively on TSA timestamps <xref target="RFC3161"/> explicitly covering signature data for determining signature validity timing.</t>
</section>
</section>
<section anchor="iana-considerations">
<name>IANA Considerations</name>
<t>IANA has allocated the COSE header parameters defined in <xref target="tbl-new-hdrs"/> in the "COSE Header Parameters" registry <xref target="IANA.cose_header-parameters"/> as follows:</t>
<table align="left" anchor="tbl-new-hdrs">
<name>New COSE Header Parameters</name>
<thead>
<tr>
<th align="left">Name</th>
<th align="left">Label</th>
<th align="left">Value Type</th>
<th align="left">Value Registry</th>
<th align="left">Description</th>
<th align="left">Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><tt>3161-ttc</tt></td>
<td align="left">269</td>
<td align="left"><tt>bstr</tt></td>
<td align="left">-</td>
<td align="left">timestamp token <xref target="RFC3161"/>: Timestamp, then COSE</td>
<td align="left">RFC 9921, <xref target="sec-tst-hdr-ttc"/></td>
</tr>
<tr>
<td align="left"><tt>3161-ctt</tt></td>
<td align="left">270</td>
<td align="left"><tt>bstr</tt></td>
<td align="left">-</td>
<td align="left">timestamp token <xref target="RFC3161"/>: COSE, then Timestamp</td>
<td align="left">RFC 9921, <xref target="sec-tst-hdr-ctt"/></td>
</tr>
</tbody>
</table>
</section>
</middle>
<back>
<displayreference target="RFC5652" to="STD70"/>
<displayreference target="RFC9052" to="STD96"/>
<references anchor="sec-normative-references">
<name>Normative References</name>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5652.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3161.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9052.xml"/>
<!-- [rfced] References: STD 96 consists of two RFCs: RFC 9052 and RFC 9338 (Please type "STD 96" (unquoted) in the Search box on <https://www.rfc-editor.org>). This makes the text "Also review the Security Considerations section in [STD96]" in Section 5 problematic, as this text appears to refer to RFC 9052 only. If you don't wish to also refer to RFC 9338 ("CBOR Object Signing and Encryption (COSE): Countersignatures", published December 2022), we suggest changing "[STD96]" to "[RFC9052]". Also, STD 70 only consists of one RFC (RFC 5652). If you would like to change "[STD96]" to "[RFC9052]", would you also like to change "[STD70]" to "[RFC5652]"? Please advise regarding both of the above. Original: Also review the Security Considerations section in [STD96]. ... [STD96] Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, August 2022, <https://doi.org/10.17487/RFC9052>. -->
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
<reference anchor="IANA.cose_header-parameters" target="https://www.iana.org/assignments/cose">
<front>
<title>COSE Header Parameters</title>
<author>
<organization>IANA</organization>
</author>
</front>
</reference>
</references>
<section anchor="examples">
<name>Examples</name>
<section anchor="ex-ttc">
<name>TTC</name>
<t>The payload</t>
<artwork><![CDATA[
'This is the content.'
]]></artwork>
<t>is hashed using SHA-256 to create the following <tt>TimeStampReq</tt> object</t>
<sourcecode type="asn.1"><![CDATA[
SEQUENCE {
  INTEGER 1
  SEQUENCE {
    SEQUENCE {
      OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
      NULL
    }
    OCTET STRING
      09 E6 38 D4 AA 95 FD 72 71 86 62 03 59 53 03 BC
      E2 32 F4 62 A9 4D 38 E3 93 77 3C D3 AA E3 F6 B0
  }
  BOOLEAN TRUE
}
]]></sourcecode>
<!-- [rfced] Appendices A.1 and A.2: Please confirm that the "OBJECT IDENTIFIER '1 2 3 4 1'" entries are correct and not some type of placeholder. We ask because (1) we don't see anything like it in any published RFC except for RFC 4134, which appears to mostly use similar entries as privacy mark tests and (2) "1.2.3.4.1" yields the following error on <https://oid-base.com/>: Sorry.. Error: * OID 1.2.3 cannot exist: For examples, use {joint-iso-itu-t(2) example(999)} Original: OBJECT IDENTIFIER '1 2 3 4 1' ... OBJECT IDENTIFIER '1 2 3 4 1' -->
<t>which is sent to the TSA.</t>
<t>A <tt>TimeStampResp</tt> containing the following <tt>TimeStampToken</tt> is returned:</t>
<sourcecode type="asn.1"><![CDATA[
SEQUENCE {
  OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
  [0] {
    SEQUENCE {
      INTEGER 3
      SET {
        SEQUENCE {
          OBJECT IDENTIFIER sha-512 (2 16 840 1 101 3 4 2 3)
          NULL
        }
      }
      SEQUENCE {
        OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4)
        [0] {
          OCTET STRING, encapsulates {
            SEQUENCE {
              INTEGER 1
              OBJECT IDENTIFIER '1 2 3 4 1'
              SEQUENCE {
                SEQUENCE {
                  OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
                  NULL
                }
                OCTET STRING
                  09 E6 38 D4 AA 95 FD 72 71 86 62 03 59 53 03 BC
                  E2 32 F4 62 A9 4D 38 E3 93 77 3C D3 AA E3 F6 B0
              }
              INTEGER 12096870
              GeneralizedTime 29/08/2025 07:45:46 GMT
              BOOLEAN TRUE
              [...]
]]></sourcecode>
<t>The contents of the <tt>TimeStampToken</tt> are <tt>bstr</tt>-wrapped and added to the protected headers bucket, which is then signed alongside the original payload to obtain
the <tt>COSE_Sign1</tt> object.</t>
<sourcecode type="cbor-diag"><![CDATA[
18([<<{1: -7, 269: h'3082154906092a864886f70d010702a082153a308215
36020103310f300d0609608648016503040203050030820184060b2a864886f70d010
9100104a08201730482016f3082016b02010106042a0304013031300d060960864801
65030402010500042009e638d4aa95fd7271866203595303bce232f462a94d38e3937
73cd3aae3f6b0020400b89566180f32303235303832393037343534365a0101ffa082
0111a482010d308201093111300f060355040a13084672656520545341310c300a060
355040b130354534131763074060355040d136d546869732063657274696669636174
65206469676974616c6c79207369676e7320646f63756d656e747320616e642074696
d65207374616d70207265717565737473206d616465207573696e6720746865206672
65657473612e6f7267206f6e6c696e652073657276696365733118301606035504031
30f7777772e667265657473612e6f72673122302006092a864886f70d010901161362
7573696c657a617340676d61696c2e636f6d3112301006035504071309577565727a6
2757267310b3009060355040613024445310f300d0603550408130642617965726ea0
82100830820801308205e9a003020102020900c1e986160da8e982300d06092a86488
6f70d01010d05003081953111300f060355040a130846726565205453413110300e06
0355040b1307526f6f74204341311830160603550403130f7777772e6672656574736
12e6f72673122302006092a864886f70d0109011613627573696c657a617340676d61
696c2e636f6d3112301006035504071309577565727a62757267310f300d060355040
8130642617965726e310b3009060355040613024445301e170d313630333133303135
3733395a170d3236303331313031353733395a308201093111300f060355040a13084
672656520545341310c300a060355040b130354534131763074060355040d136d5468
6973206365727469666963617465206469676974616c6c79207369676e7320646f637
56d656e747320616e642074696d65207374616d70207265717565737473206d616465
207573696e672074686520667265657473612e6f7267206f6e6c696e6520736572766
9636573311830160603550403130f7777772e667265657473612e6f72673122302006
092a864886f70d0109011613627573696c657a617340676d61696c2e636f6d3112301
006035504071309577565727a62757267310b3009060355040613024445310f300d06
03550408130642617965726e30820222300d06092a864886f70d01010105000382020 f003082020a0282020100b591048c4e486f34e9dc08627fc2375162236984b82cb130 beff517cfc38f84bce5c65a874dab2621ae0bce7e33563e0ede934fd5f8823159f078 48808227460c1ed88261706f4281334359dfbb81bd1353fc179610af1a8c8c865dc00 ea23b3a89be6bd03ba85a9ec827d60565905e22d6a584ed1380ae150280cee397e98a 012f380464007862443bc077cb95f421af31712d9683cdb6dffbaf3c8ba5ba566ae52 3d459d6177346d4d840e27886b7c01c5b890d78a2e27bba8dd2f9a2812e157d62f921 c65962548069dcdb7d06de181de0e9570d66f87220ce28b628ab55906f3ee0c210f70 51e8f4858af8b9a92d09e46af2d9cba5bfcfad168cdf604491a4b06603b114caf7031 f065e7eeefa53c575f3490c059d2e32ddc76ac4d4c4c710683b97fd1be591bc610551 86d88f9a0391b307b6f91ed954daa36f9acd6a1e14aa2e4adf17464b54db18dbb6ffe 30080246547370436ce4e77bae5de6fe0f3f9d6e7ffbeb461e794e92fb0951f8aae61 a412cce9b21074635c8be327ae1a0f6b4a646eb0f8463bc63bf845530435d19e80251 1ec9f66c3496952d8becb69b0aa4d4c41f60515fe7dcbb89319cdda59ba6aea4be3ce ae718e6fcb6ccd7db9fc50bb15b12f3665b0aa307289c2e6dd4b111ce48ba2d9efdb5 a6b9a506069334fb34f6fc7ae330f0b34208aac80df3266fdd90465876ba2cb898d95 05315b6e7b0203010001a38201db308201d730090603551d1304023000301d0603551 d0e041604146e760b7b4e4f9ce160ca6d2ce927a2a294b37737301f0603551d230418 30168014fa550d8c346651434cf7e7b3a76c95af7ae6a497300b0603551d0f0404030 206c030160603551d250101ff040c300a06082b06010505070308306306082b060105 0507010104573055302a06082b06010505073002861e687474703a2f2f7777772e667 265657473612e6f72672f7473612e637274302706082b06010505073001861b687474 703a2f2f7777772e667265657473612e6f72673a3235363030370603551d1f0430302 e302ca02aa0288626687474703a2f2f7777772e667265657473612e6f72672f63726c 2f726f6f745f63612e63726c3081c60603551d200481be3081bb3081b80601003081b 2303306082b060105050702011627687474703a2f2f7777772e667265657473612e6f 72672f667265657473615f6370732e68746d6c303206082b060105050702011626687 474703a2f2f7777772e667265657473612e6f72672f667265657473615f6370732e70 
6466304706082b06010505070202303b1a39467265655453412074727573746564207 4696d657374616d70696e6720536f6674776172652061732061205365727669636520 285361615329300d06092a864886f70d01010d05000382020100a5c944e2c6fac0a14 d930a7fd0a0b172b41fc1483c3e957c68a2bcd9b9764f1a950161fd72472d41a5eed2 77786203b5422240fb3a26cde176087b6fb1011df4cc19e2571aa4a051109665e94c4 6f50bd2adee6ac4137e251b25a39dabda451515d8ff9e07209e8ec20b7874f7e1a0ed e7c00937fe84a334f8b3265ced2d8ed9df61396583677feb382c1ee3b23e6ea5f05df 30de7b9f89005d25266f612f39c8b4f6daba6d7bfbac19632b90637329f52a6f066a1 0e43eaa81f849a6c5fe3fe8b5ea23275f687f2052e502ea6c30762a668cce07871dd8 e97e315bba929e25589977a0a312ce96c5106b1437c779f2b361b182888f3ee8a2343 74fa063e956192627f7c431073965d1260928eba009e803429ae324cf96f042354f37 bca5afddc79f79346ab388bfc79f01dc9861254ea6cc129941076b83d20556f3be513 26837f2876f7833b370e7c3d410523827d4f53400c72218d75229ff10c6f8893a9a3a 1c0c42bb4c898c13df41c7f6573b4fc56515971a610a7b0d2857c8225a9fb204eacec a2e8971aa1af87886a2ae3c72fe0a0aae842980a77bef16b92115458090d982b59466 03764e75a0ad3d11454b9986f678b9ab6afe8497033ae3abfd4eb43b7bc9dee688159 49e6481582a82e785277f2282107efe390200e0508acb8ea82ea2505276f3c9da2a3d 3b4ad38bbf8842bda36fc2448291f558dc02dd1e0308207ff308205e7a00302010202 0900c1e986160da8e980300d06092a864886f70d01010d05003081953111300f06035 5040a130846726565205453413110300e060355040b1307526f6f7420434131183016 0603550403130f7777772e667265657473612e6f72673122302006092a864886f70d0 109011613627573696c657a617340676d61696c2e636f6d3112301006035504071309 577565727a62757267310f300d0603550408130642617965726e310b3009060355040 613024445301e170d3136303331333031353231335a170d3431303330373031353231 335a3081953111300f060355040a130846726565205453413110300e060355040b130 7526f6f74204341311830160603550403130f7777772e667265657473612e6f726731 22302006092a864886f70d0109011613627573696c657a617340676d61696c2e636f6 d3112301006035504071309577565727a62757267310f300d06035504081306426179 
65726e310b300906035504061302444530820222300d06092a864886f70d010101050 00382020f003082020a0282020100b6028e0e3032f11110d964cda94b9d0278e1942a e913aaa59907cda69793995bd9ac7e33bad9fe3704da1c01a98d21afe3f591a59d706 7705167998f5016722e0ab462b21f439171d2cfcc4593f3735af794a5ab311f6c010c 7898de33d75c4510ee76f4bd1d1498cf17d303f06a5dd9f796cc6ca9b657a56fe3ea4 fefbe7ce6b6a18d3e35a30cee5ff170d1cf39a333d3fda8964d22db685b29e561be89 0f0aa845873b2e84ab26ab839ffe8fade9d23bb31e61d273cc9b880649185fabecfa0 534600aba901b614e2e854582dea2226fc19cd7df52bed50d8777cd9988c053a3fc7d c3287a068a4ff12b713cd9803666e955385456ff38f80298cf6b93856e9224774a66c f1cdd11c2f8efd85203d7458b25664b13ed639cded4ff8113d6cc5353d2729473c3c3 07157c722aa5b5dd0bfb2d6c38b1b93749c881ec60026d08951b3824bd71bacbce473 aebd636f0b918b4a2c8ff4694f07457af2d6f1cf82554d1770fd79ff5d314dcd104cd dcabc94138056dfcf017e7eb8572fd52f70144f188da05f5823f58dd06297e7387bed 2d772c13da8266601045fe412dd70986c0c987ba7344b9037387516d258e7885b51f8 968b7f2601213bc4cb4c85f8ff0b84af6a988337cdfb81868f7ecf31dca6716d7ec2d d802c1672629e5c0052cb357dd29aafc43f615b3b1ff9d4e1ce08c71c73e1febb7dc5 6a33621329e9ed6c230203010001a382024e3082024a300c0603551d1304053003010 1ff300e0603551d0f0101ff0404030201c6301d0603551d0e04160414fa550d8c3466 51434cf7e7b3a76c95af7ae6a4973081ca0603551d230481c23081bf8014fa550d8c3 46651434cf7e7b3a76c95af7ae6a497a1819ba481983081953111300f060355040a13 0846726565205453413110300e060355040b1307526f6f74204341311830160603550 403130f7777772e667265657473612e6f72673122302006092a864886f70d01090116 13627573696c657a617340676d61696c2e636f6d31123010060355040713095775657 27a62757267310f300d0603550408130642617965726e310b30090603550406130244 45820900c1e986160da8e98030330603551d1f042c302a3028a026a02486226874747 03a2f2f7777772e667265657473612e6f72672f726f6f745f63612e63726c3081cf06 03551d200481c73081c43081c1060a2b0601040181f22401013081b2303306082b060 105050702011627687474703a2f2f7777772e667265657473612e6f72672f66726565 
7473615f6370732e68746d6c303206082b060105050702011626687474703a2f2f777 7772e667265657473612e6f72672f667265657473615f6370732e706466304706082b 06010505070202303b1a394672656554534120747275737465642074696d657374616 d70696e6720536f667477617265206173206120536572766963652028536161532930 3706082b06010505070101042b3029302706082b06010505073001861b687474703a2 f2f7777772e667265657473612e6f72673a32353630300d06092a864886f70d01010d 0500038202010068af7ebf938562ef4ceb3b580be2faf6cc35a26772962f3d95901fa 5630c87d09198984ce8a06a33f8a9c282ed9f1cb11ac6c23e17108ee4efce6fb294de 95c133262255725522ca61971d4a3b7f78250dfb8d4aeec0fb1959b164100520b9c10 e64c62662e4ad4d0abae2298fc948fc4e99e8d9e6b8fdbe4404121ec7c1422eacb2c9 d7328e07396e60b4f3bb803ad4a555c80fefb53f85e7764a0a9fb4afc399f4cd2f5fb f587105c6081cf3d05337b6bb7d1b010b749f4888c912f3696ba1b6902d77b7dfc046 c04a0cc1ec4f8d185e2da55dfb7bc2a2036c6219246a4f99ddbb6f1f829398f3b803d c0ad90dcb59bef4c27c77404b99043b78271867991152c399f12cbfc4c625adc09635 5ae44e342100ec517a502e2f06f940b8d43599bbc1154f8ae761a0b0d555fb4a1391d 4f3420af8dbf12f2d7ddb9d77dce1537804074af175e4f2d6d55b34b5d6f7dcbdd317 30af56480d4c0cff143f9e83bc151866d0ba0f0bbdc47fe27864176bbd6c1ab85df32 5edf777889bc4471bf3fa73e56cc591e8b160cda7b0786a1ec04ac3b24fa2e28d5d19 e5e48004d5e166a83c82ec6fd54fb385ebaf7133a85b52de46db5244e1c34ae8d36e7 12f9fce0d493d7d3edd586c6198e3ec3e6e96346f417ac9f221e0aff33a8f6a0b1ef4 c023630b76adaa8d91433825ecc41c49a5b98b181c7da30e997ab954c73c2cd805afd a993182038a308203860201013081a33081953111300f060355040a13084672656520 5453413110300e060355040b1307526f6f74204341311830160603550403130f77777 72e667265657473612e6f72673122302006092a864886f70d0109011613627573696c 657a617340676d61696c2e636f6d3112301006035504071309577565727a627572673 10f300d0603550408130642617965726e310b3009060355040613024445020900c1e9 86160da8e982300d06096086480165030402030500a081b8301a06092a864886f70d0 10903310d060b2a864886f70d0109100104301c06092a864886f70d010905310f170d 
3235303832393037343534365a302b060b2a864886f70d010910020c311c301a30183
0160414916da3d860ecca82e34bc59d1793e7e968875f14304f06092a864886f70d01
0904314204408831bbe259ac6314847a26804e155a6d04c485b43aa55d2dd4c6dd7f5
943b5bd5a3dd24f05a17a2658ef65759ce4e0001f2b8ff99e38718044ab3784b3f174
b6300d06092a864886f70d0101010500048202000b1536e5491e8e941364fa7f2640d
30bfc8543dd8d472dad2db6df0c0483633d2dd4b9455f05d6e65a48ad9382e03741fc
be1e0c8f7f607bae33979f9f4f71a07d852db0869518733fafe60779867781f584fc5
221a4fbdfd0736e976543ff5170b5520a65ea8b0b04f8f92b39808b4e3ed74d66d63b
a0d1db353baa829db1d1905e4e833fb8f3824acff1a18a4735e5381b89c5e0df92d16
ec0a9a552298c52027e7bde806c153c1161d466d706455c0ae32d0cb108ca86209f57
edc3a7f4b36215170994d9ecb9e69d31bab52567b84a3a1568540469984d9b5b6bf63
4f9d022999cbd6519516d53065f919bee0f520b6b539e2f8fca66f2590c1ce032cb5b
fdb170ad32125372e651ca4fa7a05ac72f7d5814ea324f99ad2c8110c06853fcf7d2a
f1f28543b0f9ceba2a0f1536faabb07587ebe1d1dddd59fc804697928276613f8d146
f966812da7f25748cfcd298891acdfe041632b760677dfd53865d04d186ce7735d119
0aee0b2cddc0c55e6c48acfda749ec20af4dc0739430d10388bc83efed192c22917f2
f4a67474ac5f36e6608bb71631803fd5fb1a78d7973dd2a01c84dda46f9befccebfcb
300ab73628716b8151acf94e58af15de27c141c8d5ef4f82a51bbebc54cb2e1d4ac2f
0c05be7d3db16b9687f5a2fd28fb110f78f82a0ad0370a16cd9cbb59dc0814cba99e1
11e33482e45c9b4f948bff15eba70'}>>, {4: '11'}, 'This is the content.',
h'f5f0f27964f178dcb2254b30fdfdc48abc4499beaea7cb80f4004f30403
f13a44bcca24fc61c5d71d3823bac04b923011dc7d31de35df1aefcd5a8ec5fe0fe6e
'])
]]></sourcecode>
</section>
<section anchor="ctt">
<name>CTT</name>
<t>Starting with the following <tt>COSE_Sign1</tt> object,</t>
<sourcecode type="cbor-diag"><![CDATA[
18(
  [
    / protected h'a10126' / << {
      / alg / 1:-7 / ECDSA 256 /
    } >>,
    / unprotected / {
      / kid / 4:'11'
    },
    / payload / 'This is the content.',
    / signature / h'8eb33e4ca31d1c465ab05aac34cc6b23d58fef5c083106c4d
25a91aef0b0117e2af9a291aa32e14ab834dc56ed2a223444547e01f11d3b0916e5a4
c345cacb36'
  ]
)
]]></sourcecode>
<t>the CBOR-encoded signature field is hashed using SHA-256 to create the following <tt>TimeStampReq</tt> object</t>
<sourcecode type="asn.1"><![CDATA[
SEQUENCE {
  INTEGER 1
  SEQUENCE {
    SEQUENCE {
      OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
      NULL
    }
    OCTET STRING
      DD 94 71 EF E7 43 C4 05 13 35 DF 8F 6D 28 82 F3
      BA DC 38 77 00 F7 ED 3F 70 91 67 2A 3E EA F7 C8
  }
  BOOLEAN TRUE
}
]]></sourcecode>
<t>which is sent to the TSA.</t>
<t>A <tt>TimeStampResp</tt> containing the following <tt>TimeStampToken</tt> is returned:</t>
<sourcecode type="asn.1"><![CDATA[
SEQUENCE {
  OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
  [0] {
    SEQUENCE {
      INTEGER 3
      SET {
        SEQUENCE {
          OBJECT IDENTIFIER sha-512 (2 16 840 1 101 3 4 2 3)
          NULL
        }
      }
      SEQUENCE {
        OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4)
        [0] {
          OCTET STRING, encapsulates {
            SEQUENCE {
              INTEGER 1
              OBJECT IDENTIFIER '1 2 3 4 1'
              SEQUENCE {
                SEQUENCE {
                  OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
                  NULL
                }
                OCTET STRING
                  DD 94 71 EF E7 43 C4 05 13 35 DF 8F 6D 28 82 F3
                  BA DC 38 77 00 F7 ED 3F 70 91 67 2A 3E EA F7 C8
              }
              INTEGER 12100074
              GeneralizedTime 29/08/2025 07:53:00 GMT
              BOOLEAN TRUE
              [...]
]]></sourcecode>
<t>The contents of the <tt>TimeStampToken</tt> are <tt>bstr</tt>-wrapped and added to the unprotected headers bucket in the original <tt>COSE_Sign1</tt> object to obtain the following:</t>
<sourcecode type="cbor-diag"><![CDATA[
18(
  [
    / protected h'a10126' / << {
      / alg / 1:-7 / ECDSA 256 /
    } >>,
    / unprotected / {
      / 3161-ctt / 270 : h'3082154906092a864886f70d010702a082153a3082
1536020103310f300d0609608648016503040203050030820184060b2a864886f70d0
109100104a08201730482016f3082016b02010106042a0304013031300d0609608648
01650304020105000420dd9471efe743c4051335df8f6d2882f3badc387700f7ed3f7 091672a3eeaf7c8020400b8a1ea180f32303235303832393037353330305a0101ffa0 820111a482010d308201093111300f060355040a13084672656520545341310c300a0 60355040b130354534131763074060355040d136d5468697320636572746966696361 7465206469676974616c6c79207369676e7320646f63756d656e747320616e6420746 96d65207374616d70207265717565737473206d616465207573696e67207468652066 7265657473612e6f7267206f6e6c696e6520736572766963657331183016060355040 3130f7777772e667265657473612e6f72673122302006092a864886f70d0109011613 627573696c657a617340676d61696c2e636f6d3112301006035504071309577565727 a62757267310b3009060355040613024445310f300d0603550408130642617965726e a082100830820801308205e9a003020102020900c1e986160da8e982300d06092a864 886f70d01010d05003081953111300f060355040a130846726565205453413110300e 060355040b1307526f6f74204341311830160603550403130f7777772e66726565747 3612e6f72673122302006092a864886f70d0109011613627573696c657a617340676d 61696c2e636f6d3112301006035504071309577565727a62757267310f300d0603550 408130642617965726e310b3009060355040613024445301e170d3136303331333031 353733395a170d3236303331313031353733395a308201093111300f060355040a130 84672656520545341310c300a060355040b130354534131763074060355040d136d54 686973206365727469666963617465206469676974616c6c79207369676e7320646f6 3756d656e747320616e642074696d65207374616d70207265717565737473206d6164 65207573696e672074686520667265657473612e6f7267206f6e6c696e65207365727 669636573311830160603550403130f7777772e667265657473612e6f726731223020 06092a864886f70d0109011613627573696c657a617340676d61696c2e636f6d31123 01006035504071309577565727a62757267310b3009060355040613024445310f300d 0603550408130642617965726e30820222300d06092a864886f70d010101050003820 20f003082020a0282020100b591048c4e486f34e9dc08627fc2375162236984b82cb1 30beff517cfc38f84bce5c65a874dab2621ae0bce7e33563e0ede934fd5f8823159f0 7848808227460c1ed88261706f4281334359dfbb81bd1353fc179610af1a8c8c865dc 
00ea23b3a89be6bd03ba85a9ec827d60565905e22d6a584ed1380ae150280cee397e9 8a012f380464007862443bc077cb95f421af31712d9683cdb6dffbaf3c8ba5ba566ae 523d459d6177346d4d840e27886b7c01c5b890d78a2e27bba8dd2f9a2812e157d62f9 21c65962548069dcdb7d06de181de0e9570d66f87220ce28b628ab55906f3ee0c210f 7051e8f4858af8b9a92d09e46af2d9cba5bfcfad168cdf604491a4b06603b114caf70 31f065e7eeefa53c575f3490c059d2e32ddc76ac4d4c4c710683b97fd1be591bc6105 5186d88f9a0391b307b6f91ed954daa36f9acd6a1e14aa2e4adf17464b54db18dbb6f fe30080246547370436ce4e77bae5de6fe0f3f9d6e7ffbeb461e794e92fb0951f8aae 61a412cce9b21074635c8be327ae1a0f6b4a646eb0f8463bc63bf845530435d19e802 511ec9f66c3496952d8becb69b0aa4d4c41f60515fe7dcbb89319cdda59ba6aea4be3 ceae718e6fcb6ccd7db9fc50bb15b12f3665b0aa307289c2e6dd4b111ce48ba2d9efd b5a6b9a506069334fb34f6fc7ae330f0b34208aac80df3266fdd90465876ba2cb898d 9505315b6e7b0203010001a38201db308201d730090603551d1304023000301d06035 51d0e041604146e760b7b4e4f9ce160ca6d2ce927a2a294b37737301f0603551d2304 1830168014fa550d8c346651434cf7e7b3a76c95af7ae6a497300b0603551d0f04040 30206c030160603551d250101ff040c300a06082b06010505070308306306082b0601 050507010104573055302a06082b06010505073002861e687474703a2f2f7777772e6 67265657473612e6f72672f7473612e637274302706082b06010505073001861b6874 74703a2f2f7777772e667265657473612e6f72673a3235363030370603551d1f04303 02e302ca02aa0288626687474703a2f2f7777772e667265657473612e6f72672f6372 6c2f726f6f745f63612e63726c3081c60603551d200481be3081bb3081b8060100308 1b2303306082b060105050702011627687474703a2f2f7777772e667265657473612e 6f72672f667265657473615f6370732e68746d6c303206082b0601050507020116266 87474703a2f2f7777772e667265657473612e6f72672f667265657473615f6370732e 706466304706082b06010505070202303b1a394672656554534120747275737465642 074696d657374616d70696e6720536f66747761726520617320612053657276696365 20285361615329300d06092a864886f70d01010d05000382020100a5c944e2c6fac0a 14d930a7fd0a0b172b41fc1483c3e957c68a2bcd9b9764f1a950161fd72472d41a5ee 
d277786203b5422240fb3a26cde176087b6fb1011df4cc19e2571aa4a051109665e94 c46f50bd2adee6ac4137e251b25a39dabda451515d8ff9e07209e8ec20b7874f7e1a0 ede7c00937fe84a334f8b3265ced2d8ed9df61396583677feb382c1ee3b23e6ea5f05 df30de7b9f89005d25266f612f39c8b4f6daba6d7bfbac19632b90637329f52a6f066 a10e43eaa81f849a6c5fe3fe8b5ea23275f687f2052e502ea6c30762a668cce07871d d8e97e315bba929e25589977a0a312ce96c5106b1437c779f2b361b182888f3ee8a23 4374fa063e956192627f7c431073965d1260928eba009e803429ae324cf96f042354f 37bca5afddc79f79346ab388bfc79f01dc9861254ea6cc129941076b83d20556f3be5 1326837f2876f7833b370e7c3d410523827d4f53400c72218d75229ff10c6f8893a9a 3a1c0c42bb4c898c13df41c7f6573b4fc56515971a610a7b0d2857c8225a9fb204eac eca2e8971aa1af87886a2ae3c72fe0a0aae842980a77bef16b92115458090d982b594 6603764e75a0ad3d11454b9986f678b9ab6afe8497033ae3abfd4eb43b7bc9dee6881 5949e6481582a82e785277f2282107efe390200e0508acb8ea82ea2505276f3c9da2a 3d3b4ad38bbf8842bda36fc2448291f558dc02dd1e0308207ff308205e7a003020102 020900c1e986160da8e980300d06092a864886f70d01010d05003081953111300f060 355040a130846726565205453413110300e060355040b1307526f6f74204341311830 160603550403130f7777772e667265657473612e6f72673122302006092a864886f70 d0109011613627573696c657a617340676d61696c2e636f6d31123010060355040713 09577565727a62757267310f300d0603550408130642617965726e310b30090603550 40613024445301e170d3136303331333031353231335a170d34313033303730313532 31335a3081953111300f060355040a130846726565205453413110300e060355040b1 307526f6f74204341311830160603550403130f7777772e667265657473612e6f7267 3122302006092a864886f70d0109011613627573696c657a617340676d61696c2e636 f6d3112301006035504071309577565727a62757267310f300d060355040813064261 7965726e310b300906035504061302444530820222300d06092a864886f70d0101010 5000382020f003082020a0282020100b6028e0e3032f11110d964cda94b9d0278e194 2ae913aaa59907cda69793995bd9ac7e33bad9fe3704da1c01a98d21afe3f591a59d7 067705167998f5016722e0ab462b21f439171d2cfcc4593f3735af794a5ab311f6c01 
0c7898de33d75c4510ee76f4bd1d1498cf17d303f06a5dd9f796cc6ca9b657a56fe3e a4fefbe7ce6b6a18d3e35a30cee5ff170d1cf39a333d3fda8964d22db685b29e561be 890f0aa845873b2e84ab26ab839ffe8fade9d23bb31e61d273cc9b880649185fabecf a0534600aba901b614e2e854582dea2226fc19cd7df52bed50d8777cd9988c053a3fc 7dc3287a068a4ff12b713cd9803666e955385456ff38f80298cf6b93856e9224774a6 6cf1cdd11c2f8efd85203d7458b25664b13ed639cded4ff8113d6cc5353d2729473c3 c307157c722aa5b5dd0bfb2d6c38b1b93749c881ec60026d08951b3824bd71bacbce4 73aebd636f0b918b4a2c8ff4694f07457af2d6f1cf82554d1770fd79ff5d314dcd104 cddcabc94138056dfcf017e7eb8572fd52f70144f188da05f5823f58dd06297e7387b ed2d772c13da8266601045fe412dd70986c0c987ba7344b9037387516d258e7885b51 f8968b7f2601213bc4cb4c85f8ff0b84af6a988337cdfb81868f7ecf31dca6716d7ec 2dd802c1672629e5c0052cb357dd29aafc43f615b3b1ff9d4e1ce08c71c73e1febb7d c56a33621329e9ed6c230203010001a382024e3082024a300c0603551d13040530030 101ff300e0603551d0f0101ff0404030201c6301d0603551d0e04160414fa550d8c34 6651434cf7e7b3a76c95af7ae6a4973081ca0603551d230481c23081bf8014fa550d8 c346651434cf7e7b3a76c95af7ae6a497a1819ba481983081953111300f060355040a 130846726565205453413110300e060355040b1307526f6f742043413118301606035 50403130f7777772e667265657473612e6f72673122302006092a864886f70d010901 1613627573696c657a617340676d61696c2e636f6d311230100603550407130957756 5727a62757267310f300d0603550408130642617965726e310b300906035504061302 4445820900c1e986160da8e98030330603551d1f042c302a3028a026a024862268747 4703a2f2f7777772e667265657473612e6f72672f726f6f745f63612e63726c3081cf 0603551d200481c73081c43081c1060a2b0601040181f22401013081b2303306082b0 60105050702011627687474703a2f2f7777772e667265657473612e6f72672f667265 657473615f6370732e68746d6c303206082b060105050702011626687474703a2f2f7 777772e667265657473612e6f72672f667265657473615f6370732e70646630470608 2b06010505070202303b1a394672656554534120747275737465642074696d6573746 16d70696e6720536f6674776172652061732061205365727669636520285361615329 
303706082b06010505070101042b3029302706082b06010505073001861b687474703 a2f2f7777772e667265657473612e6f72673a32353630300d06092a864886f70d0101 0d0500038202010068af7ebf938562ef4ceb3b580be2faf6cc35a26772962f3d95901 fa5630c87d09198984ce8a06a33f8a9c282ed9f1cb11ac6c23e17108ee4efce6fb294 de95c133262255725522ca61971d4a3b7f78250dfb8d4aeec0fb1959b164100520b9c 10e64c62662e4ad4d0abae2298fc948fc4e99e8d9e6b8fdbe4404121ec7c1422eacb2 c9d7328e07396e60b4f3bb803ad4a555c80fefb53f85e7764a0a9fb4afc399f4cd2f5 fbf587105c6081cf3d05337b6bb7d1b010b749f4888c912f3696ba1b6902d77b7dfc0 46c04a0cc1ec4f8d185e2da55dfb7bc2a2036c6219246a4f99ddbb6f1f829398f3b80 3dc0ad90dcb59bef4c27c77404b99043b78271867991152c399f12cbfc4c625adc096 355ae44e342100ec517a502e2f06f940b8d43599bbc1154f8ae761a0b0d555fb4a139 1d4f3420af8dbf12f2d7ddb9d77dce1537804074af175e4f2d6d55b34b5d6f7dcbdd3 1730af56480d4c0cff143f9e83bc151866d0ba0f0bbdc47fe27864176bbd6c1ab85df 325edf777889bc4471bf3fa73e56cc591e8b160cda7b0786a1ec04ac3b24fa2e28d5d 19e5e48004d5e166a83c82ec6fd54fb385ebaf7133a85b52de46db5244e1c34ae8d36 e712f9fce0d493d7d3edd586c6198e3ec3e6e96346f417ac9f221e0aff33a8f6a0b1e f4c023630b76adaa8d91433825ecc41c49a5b98b181c7da30e997ab954c73c2cd805a fda993182038a308203860201013081a33081953111300f060355040a130846726565 205453413110300e060355040b1307526f6f74204341311830160603550403130f777 7772e667265657473612e6f72673122302006092a864886f70d010901161362757369 6c657a617340676d61696c2e636f6d3112301006035504071309577565727a6275726 7310f300d0603550408130642617965726e310b3009060355040613024445020900c1 e986160da8e982300d06096086480165030402030500a081b8301a06092a864886f70 d010903310d060b2a864886f70d0109100104301c06092a864886f70d010905310f17 0d3235303832393037353330305a302b060b2a864886f70d010910020c311c301a301 830160414916da3d860ecca82e34bc59d1793e7e968875f14304f06092a864886f70d 010904314204401d3b1f355cc995b2c7a38dfee19a0815ae93a9078cea6db540501ee df305e9f9f41349096a089bf5358380d6ed01eb508cbb551d120e9aca924429148ef1 
a229300d06092a864886f70d0101010500048202004f22fe5e554c950f7f74462adde 4f7c4c412d60479c6950c2509d1a5063e04c284eb42dda42e3591447b63fdc72c953e f04c81c1e59874c4d02cfb6b63de977d439998995e960a25755304a12ed23e7ccae97 678a3dd94bc4025399806c9d00454a740800d3dc13016143af48b80c1d24033694f2b edb7c25d35c065e9c2fe71cee598ac2e8700bed5b755f001da3227f85fc178f27c565 64ef5ff64b874916ab6fd2d966c542936a9940d0a5685463dc8e5b6ee82d639abb683 433603541db3362ad77667e2ded4160c8f87e5c048d6bd05a7831871bb1052ddac132 f35baadc2ceea41834efd276d4d2a8525879bd909b3d930d3cd4ef1d87d1a5f47bd9b ef00956fee8e55d2d40b7447074a7295b204f07ee086775729d9cdb59407956127223 88cb3af8a96fac65c79179c7e5292ce06e3f582e3f7d8fa6d7d41759bbd593b32a0fa c8149a2b015e795fca2810133c2d768ef8d9da66ba192cbf142d2e4571e491ed7f7b0 eb920f22c4492ba0260d30fef98a4d503693afe3dcc561b04bb3b32d8a49f27f988fe faa5f7b1af110bdad64a2825348a46651e1371e625c9792dfe9780528e5eb17f6078f cb418a420129e7a19bf8f27508b256e755753d8e6b436c384fa350c2e4e9018fd372c f54f303d462832675c8ac89f04c360a1d0d82f8d52ff7d815e74ad4aa19a68a9acfd2 450855dcb3b2a528063d426dc30268f',
      / kid / 4:'11'
    },
    / payload / 'This is the content.',
    / signature / h'8eb33e4ca31d1c465ab05aac34cc6b23d58fef5c083106c4 d25a91aef0b0117e2af9a291aa32e14ab834dc56ed2a223444547e01f11d3b0916e5 a4c345cacb36'
  ]
)
]]></sourcecode> </section> </section> <section numbered="false" anchor="acknowledgments"> <name>Acknowledgments</name> <t>The authors would like to thank <contact fullname="Alexey Melnikov"/>, <contact fullname="Carl Wallace"/>, <contact fullname="Carsten Bormann"/>, <contact fullname="Deb Cooley"/>, <contact fullname="Éric Vyncke"/>, <contact fullname="Francesca Palombini"/>, <contact fullname="Leonard Rosenthol"/>, <contact fullname="Linda Dunbar"/>, <contact fullname="Michael B.
Jones"/>, <contact fullname="Michael Prorock"/>, <contact fullname="Mike Bishop"/>, <contact fullname="Mohamed Boucadair"/>, <contact fullname="Orie Steele"/>, <contact fullname="Roman Danyliw"/>, <contact fullname="Shuping Peng"/>, <contact fullname="Stefan Santesson"/>, <contact fullname="Steve Lasker"/>, and <contact fullname="Yingzhen Qu"/> for their reviews and comments. <!-- [rfced] Acknowledgments: As it appears that the authors did not intend to list themselves as editors in the first-page header or in the Authors' Addresses section, we changed "The editors" to "The authors". Please let us know any concerns. Original: The editors would like to thank Alexey Melnikov, Carl Wallace, ... Currently: The authors would like to thank Alexey Melnikov, Carl Wallace, ... --> </t> </section> <section anchor="contributors" numbered="false" toc="include"> <name>Contributors</name> <contact initials="C." surname="Bormann" fullname="Carsten Bormann"> <organization/> <address> <email>cabo@tzi.org</email> </address> </contact> <t>Carsten contributed part of the security considerations.</t> <contact initials="O."
surname="Steele" fullname="Orie Steele"> <organization/> <address> <email>orie@transmute.industries</email> </address> </contact> <t>Orie contributed an improved version of the diagrams.</t> </section> </back> <!--##markdown-source: H4sIALausWgAA+1963IbSXbm/3yKXHXEUtom2ZVZd267PRRJzcgrtdoi215H R8cor2KNQIBGAVJzxPb/fYt9lt0X2+9kXVAAAd7ADdthc0ZNoCor8+S5ficz T3Fvb499PuAxY7NqNnIHfOfo3ekJ/5NT1k35pZqqCzfDJz+Z8vevjngsMsHP qgu3dzpTF5f8bPLJjesdprSeOnR0dnrWPszsxIzx9AG3U+Vne5Wb+T0zqd3e rFb4N9s7D+32+kH2ooKpqVMH/NmpM/NpNbt6xr58POBEEvv05YC/HqPZ2M32 jqlLZtTsgNczy+oZHrvA/ZOzV+yzG8/dAeP8YzU7n+sDHkauTTWbfdeQoqvp p/PJ6K+3k8OYms/OJ9MDtsebifzJjT/xl+3DGGAyBXGvpmo+Pp94MOn09Rmu dqy4ccNdqGp0wM/Ry35Hwh+IuH0zGc+UmaENzcRhVu/PXTXGF1XXjucp7piJ JfFkiSzTHfoO9hzwYzW9qGfKzkKL+Xg2xcU/uumFGl/1dJ+dTy5UzV9N6lrN qoZwNa7+ii+T8QF/U43VdLIgcBaa7/um+R9G4fY+nuk7fKuqT/x95cy5m85u 9Pe2MtNJPfGzRZf0wH73wB8uugaY+MWQ8J//B2PEi2ml57Mh54/UtJ65MX85 oZmNFx0bpSd/mP21CuRRT+3DgZDuqf6qs6TSMz7xmKTjdatl1KCuIPwwgXq/ H/bdtHL8dObcyC2GnODiHyCZcX2BHversZ1DUJWrb4wfHh8Orsa8uricTj7j 82c3rdGqo8VW6iMUD4OzMU1yVn0OSnx6dpxH9IHzvzkgE0yzVIave5jg21N8 xEUySzK+w+aJMhs+UUaDJ8iUWDX2izGYG89Il+jRkzevYH14ZnZe1c8Y29vb gz6THkI72Rkucpj1/AKPcOt8NXY1n32Z8KOX797z0+rjuBp/5Idjy0/GZnp1 SXN+TkO+4OcrHqUOLqUam8n0ckKMx4Odg9nTqsaTM7iZmrwM3avGs0mgnuNi rT46MpW5mc2nIOH5B7rzZyLgA5hs+eK7+PBivyHcjZUeEb3g9hxWBcZT93pU 1ecYrfduK8N62GA3Er4GGloCIcnZxExGJDTi1EVlLTSFfUOOajqxeAgSZqzv +uvXPcjo99/pyc9QuJorTAf2hslOFgOHq80kbfUR1+huUBsQr2a8mvEvsGcD p0cc1g6sdHjoI+Q5Dt3s3yassfvSCOyd/oszs15uaiE3UsxWcKCZPoDomyIM 1Bg1nV4Frp51EwhRgT9HMHjBJ/PZ5TyYXMeGXTSeY+qj0eQLjet+q+pZR8AX sGV0BXovR5MrUoIprGtVDGCHDkKk9rPzRi8G+hDukH7V7dTuUhD2zTf8Z+jE EeRat7yDdwh8sFVt5nDDDfNIcwy12uVOmXM+dZcYkUwIw0zGrrNnansxIRHj Aj3USMCSCn39Gu78/vs+O6xXPNG5IltzU2KJqYe9hVFBjUdE2SWuO35BvAEn Zor4/eWcfN35ZFITLfSYuoTWXE4rqEkgJvCk0xPcHFUmuLx9duocyAIZezXc HALj2M/JPe2pz5PKqrFxUIDm6ZYfwXeNl6lvqYWPGzlSu86fgqEOClxdKGhK x0FetQqEp56NJuOPe5j2RRCZCmJ8tsurfbe/O7jUadwY0q5GI5o7/GjlKzDW 
hUl5QiuBqFb0BhEHDQzx4BxW4367rKbOtk6BulLWomsIvJrNG4qJlWTtM6IR s5lMZ2rcWiENM+P1XNfun+eNaY0rBVKu+mFBATiF1oG2qyH9FzAhcCDoJO5e veA1IMasmfqAVDDtbMKhYJULVl/Vu02Y6Ay6HUeZf55X0+BIPH6dBwBGcho2 3qkXJKDZ5AKtg12Ba/BHwSAgcRp3TGMHB0N2Nexkn73BPWheUDMFxR9d0TQo oF51UqgXPLALWqn/agYa63piKtUMexYmdBUkADHS3FU1bgS8NFNydW2Pf8a9 kYMj+DNvW5Gz4/WlM40OtELApHbDqH1v67SBOv6sRpVd6qxr3XCL2pDMOoe6 UOIQggwYNq3I0hFLA+vo8WfBH82IT71LfNYYIMzeAA10foAMrgGhaLzXBwDy DMFmcH+CaQxNBt57n72eNdbj+HgyAwUN9CJLUje4D55M3Uf4E4iIIlorW1IB YBiIz40NdNRNP1fGtWZBljG5uECXl+SOcCMoFaD+fNo7FxNwm9LViGyf2K3m tuovgJiqrucDUmpSngpOk3zX7OoSYhiNiDp4tKkLMRDsfgYWzIL7qJ/xoBGB GkD/32bdzNWontygEI9PxqPFbIe6SFpat/zpuufPg7DaFv3lZ5zsHex8cRuj dom0yZQCIsYF9XPT6A6ogvf7reVAQJYEQg35dmc+1aRsio/IlmjMj+gJk/7i 4M3wO7jbjsNj1zBl6ghfwg9ABFPSiCbU8fl4OLt99m5s3IZJ99pwrtCPdlDN jk2NLrbhwo3tXmDiaPKxoXT95Kk5NXEE3MmGoYfBjM/V+CN519cD7oRJoXkf l8hJ2YUmNZQ06JtwjoE33u0bdkEOWHE0twtqV+W2wWMGHVxylMFFNl4wOIq2 4+D22r5nkz3t9gZs7FOGXnmggL13Qb/zUUAAq0QtOm+n0/mlgQDqmzJ7Dnbb 3l4Vf7aQwmygqS9apwy9373hkklP5hcdj9d20FI3FMsmd7x4ZuCPW3fbsvgB 3hn64QePtgGK6PiEkDAI0/w5dD6oK9kVhFYB2r1oJEvpOQEvM4AeCzLbiai6 nUoz/sCDgcYx2dbnSQOCeJ8V4XPn9/nlHAmC6TB2PynKy6ezGywg2Q7sqmPD WkfbeFoC47cHkz6ENFpDsaUPJgNISaGkDyBNPKHIEkIJ0O17F/Q/uFX+46SB Zk2QIZZ/gbHC9b79+fQMsCv85j++C5/fn/z9z6/fnxzT59M/Hb55039gbYvT P737+c3x4tPiyaN3b9+e/HjcPIyrfOkSe/b28J+eNRbx7N1PZ6/f/Xj4ZuHz F/ihh/wVLQABg4VkumZL0fTl0U//53+LBKz4L8g0pBAlIGvzpRB5gi+EXJrR gotrvhIIYeT5FKWjlJVAdS4RxkZ18MzAZ1/GnPAgGPnffiHO/HrAv9fmUiQ/ tBdowksXO54tXQw8u3nlxsMNE9dcWjNMz82l6yucXqb38J+Wvnd8H1z8/m9H 0Cu+J4q//YFROvu2S2QoR/r6TZO9BOWhvHPa5CdNZkLy6vMestnG6wdERPly m1QFJzhItHd7re9Natkq6j4Pg+Q1UuEWIXXrJr3WdGkb0oN5CCqN1bZhhWjx yDt7f9E7p0D0PnsVssYLSo3gVnYbTaGWw4xx2FvVqghyqOqiGkGLepIIMg0T z9YlkWP/3Myzz4EvKH4AN/APQJjEhj1Y5YeQa49GDpEWHXI9+Y0CWPAxlyNl Or89UtqN+Idfetj664cGugwu1b9+aBzBGmyKVP8MmfrXbzbBUca+fvXVx/VQ NUy/8VUBoza50xKMfl6/4GDyyPZsb+JHoGXSrEKQwYfFjrBOZinDuqhmsxYW hjyl8QH90E0SB1SkW/++WECZhQWIBiKHBI/YrcynALHGAE6tKuJyu6oR1pcC 
aQrufUBY56iDx8XvORLP6q+08tDlQQa+s0/UqxBxB9Ns8ojJZbu6GObp6iYF Zf/yL//Clao/f2T7e+3PPr/PT9N8n12H1RvQf32vx64DHze0Zd92NPQfNv+A zG/XtCWKOuoWTffXftsnQtY1v6ZOvuMDS8A3tFwI7Rr/s+DsRfjE1zZHJztL FO5gqJ2l7923naaTnaXZU/NAScu5VU7e/HY9uDy4v+hkla9L33f4/Tq5j6QH nex/u9CoRSefbz6zkML+aifX/A3+HY0msKCmk5XG+92na/62Xbm8Xu2E73y7 s0QJXQ/+NHDmh28J9503n14D68EiFwz7YSNPdpbk28iwk/RGxn5e6WQjV/eH sxx0sjL/2zu5BtCk1Gwh7jCd64HDur6zk53l2fSUrMzzmoUL13v3+tkZPv/t 8DJbZfaGn1XbJQrCjWVdH377tp/B0A9fLx5dZ1vLXxZeY7/9ds1+6fv6lZr8 cqmuRhMVvgwiY9M4pDrX3zeTfcigOz2n19L6ec2XFa8yfGx/DXfaL73CsUUv PzScm3oTdknMbNYEqsDupcksjbxW8BR62NcD/s2GuA5YB1A3/bSnRuDd3zwD DAP0fkbdh53ivwmLXLtrkcQzAIbXyws3u6vBuQ64sW4hUwjxYTmJdsW6oBkS sGHSSPhlTTrEn5+dHXX4ZV0O1OGXtfnRevyi2viCKfhqWs8eA05WgEPdNP8y VZe3LpMOOfXRoWWTmNDe4cWcNqyAZhvdxhCHS1iq2zbqkI+eV6MZgR4/IaRZ HyCF4XdhpgYutXBoFSjVu10P0+pjNVajlk8aMOiiTVlb6taBvZbA/zjQZ4Xs 1eB6P+gzmMRKJCGXsAH6DKnbGfSxGkluhT6beLsKFm5FLdfLs98IFu7q5NtW 1+4ACz90AeYm9BnghR4jrAMLt0EffluUHv7cAn02dLJGeW7lSYgwq1AONxZG 24+zEfqsIpzFUMsB9jboc90DuTYMtdrEV0Lt4Ooa6DOUzDIlg6g7pOQG9Nko meVIuLPKk+Fwj8dPS5cfj5/44/HT2lHvh5/4w/DT/v7+wxHbvyXwNJuZJwJP a0DF3eCpRzG7qzCGwNM3t5y148MDej8tzmK06IcOstlpszg3OISwZt9xPRgi EHLLvmRzlKFf6avGl/NZvVg8WTo7c0GbMQjQV7vdDnO7ZT66as+uDHr6VI1t WDPU+EBPazf74jrO0PPwI2GLx4ycmo5oIZ1Wx5rlvWrK6dzCOJyZWF6MDM/f PLpC6LNbP1cr/KGZNIApbOnQVr/pTjIAgX7o0PeHZabTpZbxgyZh/D8PLPXP N6jhYQ25O9HS7d4/Zr94MO6aNa7FgOHAYUUgnB+fvN9zYzpdaLuTZPwDad1p f5LnQ8Cslw0Rqjk7pK9m4QhWOMnwVv2FiL66dFy+6EhpY3sbnT/wulGYdsMM itCca2rBfceDgFDpWojvLYKkEXsiB0cZhkuKS+uzLczcBUq9d3f1pv4+DFAr 0hpXBUhOucIuTeCiGiOL+SvJirZP0W/l2r3HMKgafQRWnp1f8HYVX7vFQqNq EPOizY2jS4HgJejcZBXqird7rpeTuq4oK6j8shG2kJ6208IWWg/6JzDayt5Y GG9zNRJSs0/fj71Yo6WNrwsMRrnHe9q4JxZ8/QqVC9ulonch3ZX23BCdL6F9 G+5+U7RBHmz9ho7QhsF81p5Jgq19c7PJ0aLJygK7IHtcENKo4cKOFxsCNUfG d7Pn5tDDZTip2RzRUSSksCq/RrlA4B+bA3cbtK/JcYyeTPdoS4CJ4jkiwC8h yHw3TKx2lIiEzHZw9fvv+dc+Cn1HeoH/ioO9HL9Ojo5hJzLN+Hdtk9/5Dz/s tv0N7f27vpPv4Fjpe3KwI0QT337vnujStO/4TnfooznAAC0Yz/Z3unYLg/sO 
tBZOx7FLjIqFFSbJUqWjVCkTJ8ZkWsY2LbzzqYmKWESZSZiVqSqFcj7SkRC5 k8qXSuKKiqUTidJFnFiTZs5KJWWcJEma5C4SXggb66gUmUuZSjBAapTRcUbT +JW9CEGYBebTCdUPe52T+tAT/GEgAto1nF2xtOBJxO/z803wcfXzLHlBjLhr 3tRmde6rU6c2d02f2qxjwZADzdSfL+/ek5MPgZOo5h+i39IiiT686JceVN2E 69YcSdG7R1dNAar9j4RKGis4/dPhHrRud+Wowxr7abP6eizY6cnf/3zy49FJ 0MSlL5y/e/l3J0dn/PXxyY9nr1+9PnnP63NFQ/DnkouMg24uOGyCxzzhuBQE wH/8+c2bRoPx33dHZydn/PTs/esf/xguJgk/kjwRvDzmIubimKcxP055mqI/ /jLlx8c8jvnLnBcFWjbPnNBtccSzY3r+peCHr/hRwV9K/rLg6QnPSp4mPM94 /BKNGQ0dWP9AzzR0TP+f/NJdbmmjVyo3eCWy9Z0NzuXxLqTGl19a3/TLwNHd wxveyyMue8XbPOMG7zjwkOu8H7yXU94mkc1KK0rrHUxTRnluUpt7n7gkKmQh jXZes9TCCWifwMo9bL20ZSGVSVJlykIXaZKYMip0kka5dcKVkc5FbmIbJ4XI vCtlpqSGfHwaY0jpVeTjSHVk/sq6/y77wgWrPwDkTtXVTR9YiHs5wOADQxfP Gwss4gc9FL9oSU3u8VznbfuH8NMoAuu+3KeTC3XZEtv8RMmdj3Sn6J4ng+cS eU965YslBY1FfAud3/BnQjxrH7hPJFqJQc3PXTo4aDnQxnXKOGD1HWq5aLmq oKv62ajif5CgU0Q8fsUPj/mh5KXg8phnL3l+SJYSwzHl/OUxLzOKMEcRT1+G Z44EPzqiEZOcpyUFnaOUZ6/oscOc54KfJPwE46dcZvxVPgw6bX43m5nV1BOX llLP0KRJPZ8s8dx0umxl1H+Laecgz3z+9etpe0RI7ieUhTQ1OS96Zqymiyvb GU2xSbOn0R0RaYttEN4oJ2vPfPJVbBrOOfUHirpug4Xvs+d08kiNu/xoF4RT SYb7Lcj29/0XjBY/7p9s3plI3j8dbZP2TkzLHN5nf5p8cZ+pMmB278S0zf/b E5M3KOuKG6bDFaJQpla5sAgz2AX8qc9fB4VWNzYbadnq6O0pV8NSCDf+7EaT y3C2/UJhJlTr9PZ0WJ9FpFkHpR3VdOxsPhs83tQ8NIdHd9usd7W+a/h8e9bM LNd6NTl6qENo896zjVto6w840crY67GfLCqglk+GNjR1Z+97G6Qnl0XZHIoN 53uXjaahaUXB2s1d1Q20pr+eoN3FVmZfWBK6q2a1G3nax6yXz1lv4HITDYwD wm2914X6hOahKqw7q7xCRUubu4A3s2u4CNGb83AyvLP6dolnYKWDIiRaVFpd hIIJNgbZVIEt3Ghb/BW0nPwUvi8Xq+3T3vRhOHhf/cZfLvzRoEawdwrNFFcT hhvK3p4z7Dacb1YhhZKAwVZ1b3jhTFtzwo1m8j/306hcKUuC8XXV2ch4hnWz jP1Ex79JQJ8r9yUwYUPTxSnNhYL+d3qgdivFuKFM7arRxaUzwU3NBGkO1YI8 eMimpjEo9kPH3A2aWpn5KKxDB4Weuo9q2m+ah8KNUN+6XAnX1nFSeOz2bMPp 6ws6xF8pzObQ2oqaUmEMdG4ymjcPNgWnrWZtWNIeGP0y3V0FRTg6EOpJqMJl eKKeqKDiJlyZja72V1PU/mi6quv5RaOSajZT5lNYCCUTGleX81F32NbQdmm9 RG7n0tszDsNShRDB9HwWwkbvcQaFPs2og2ouiuN0s69iw3ynTe1E4FoTxAYE hqgMTZ/Wk3FHZF/51mxFNJVgq7YUClnqOdUsQYFmsxDC1RjKQYYTYEjv0Abz 
3KkbHiwwQai7aeq/lSFpGDWnBeRJV7OzGBkz61dqQ51KS+0u1YIMz1m01U6j Kgi2nsynpqk/DRXAfViGPugJVcmenTUbKWdHwTlRyUhbvIiH2rqEIM6JgQl1 UXtJ0Mr+hZSpccODapN+wsOyGAq4i8DGPUXBru5yMh9ZOtI9nV/OVuY/jIXE fqK7pXeodqGHFcVbs+kRyt8u4ErJM09XTk73gzbFQ6FOicjf3XRKuT4Pw7al CB+Dn1kM2dU0Ub1H1RzoASvgcWfNTBacH2hxW40Lrl8qoCIOPzQmfwvanyse yrHp+PcloncToMCfuXvRw/X+LNA/nlcj14Iwp8b1QhDteswqoK0a1bQVIuos qNJnp0bO7g4rXclLwPZrKoohTf80pnqItouaWEoH80eTEIKp5i+Qb6BUfRvt iCshHE0obhPXd5co+RK42tW7kauaXkymRInb/7i/2xXijVtrUbPm2L2adhXg LS6oLqvBPG/kHzeczGlj2ReO6taq+qILne6iLT+vxv1GyWS8uo/a1Bu0qK4F KDQEGXBT8l6bFl4ue+TWwUIxWge/S9WU86ky7V7pJc1l+HoI0pVgYEvVggHW /HbZKB8ZARUYVe27B5oKg+lkTthjWl2G6EOdD33KSgl52MhtCzsbMNBHsBAH niQeNbuoh12l42m7cUvxuik6b3PbjZXojK26srrxr4tkodsNDpaAUeB3Dscr 4biZe6gIczdspS+974dC0t4egQuJyVIpkqEagGD6k247ugP7/b50CCUL5IA4 dXVxQZWdpoMNC1AZPEez03bVaafpXjkQgCVt6lEgJWPsd8KHWHmB1Mn3dBMn 6gNs7nbRe5aFlwR0m+6L4wd0srFzknWDSVvfGV7b4MZNyOkMGX5bhbpRYFb0 T07sctKBcCqca45qLpX/hGK/UG8zumpRb3gtBKHftvsb4wVJLbnGBfPCGdR9 9grhpn1ZxGKy4UUT8wpetJtqAzoX0WdxjoB8QbPyRNR/no8Q2Jvi5oBYGlRQ N+8waT0oFMFd9oWgLdru3tPRvJuA8N6g6LA3pMmoMZ/Ax6YGd8GhffYPTVCc QH5BbZt1hlYFFyForzfDRh4DJqsgPvCO/FJHHQvEESFNWSOdbW1CHIV38Nwg 10CAwufJZrUYyM+Qh19iQKMT5AMt+QVawVi6HcI9xdGmdiZkGK8Pfzy8kV2E i6T3VDVlVIP77uN9vn6d6dHe2H2hpbIaqVWbET5bf5TmWVeQfEXlgzTqPq11 /Xn1BVHhBR7smv9IKyfX/E2owrrm/0DhmZ9Rttd9ed/1d82PQwBp3rByzcMO etBpOrw2WES75jIr8V9aPcKvPWq7YXHjYO2R6GvQ/l/pfT6U+bfrd4O1wt8H A4bjIhgwj+474LoaslsGpHMxNCCdmBpKgrfHo0bOz551J6N+pLfTrJfL781r dqiQi5TkpD1J0BwLRyT4+k27WsaGayhhfZit257ql6oJVvWba+3Kc/AbTWoQ 1vH6tcn37p8/tHBw09Lz6x/PTv548p6Lm8vQK18fvS49WJlu1qbXrE5zjuz9 JONxwY8TfnjIy5S/Oua5pFXmIuOZ5FFMa9BpTB9eHrVPnUgeS/4qoQaHJU+O qYeTmJcxz3MeH/HjmHrDlVcZfxn1y+Mv3717c3L4Iz97//Ngr7RZdqpWFpXI 25x2J8UOw4vW4APCgfYhq+vLsP8JHzefjkPR3Y01rNVV401CWcPogO+PyT09 F2BtYLWI06QEx3MetnZ+iX7dJLlOynH7/RTcX+wu3mi+WdipkBuEPdwNGwp8 IfThpzVD3hxw1i4W3pxxSRQIPthqWky+7W2gYQAjY6Mu65B81Sv7tGsnP+SZ WLl+k84doo+4IHZW2m7s/NZbW1ja8GdFCN3P7zeurbHG4c/jLHP48xgrvY3k 
XjQyKrMiX33gj47gTyh9DcYry++i4jsZyZRH+UGSHiQZ/+Pbs5WnllzCL/v7 +782TuFsDdK+sf1DMHvlbE8AxrfWpyADM5/cjPduJ8SpNpVX9J6pRUbXlbD0 aGnSrrzcPNM1dPhLR7oWpxi+//6rOOB7+S7F7gN+vhNHhRSwrSiLSqmKLCmK zOeRjUSUR1KFu7FqWrE4iyRuxLGgbVQ0wkNZRA9FIkujOEpwP47SKKIHIgFt zSK90i0rRYRfiQpNcjxEvzPfPJLpMITAgwmGpy5FHMVidTjWjydoPDSOotJl cWETpcrU21zmosgy0JOWKXrQxslY+iSTqkxsXLi4jHOWx8bGSrnYY2B0lkSR Lso0y0SBKUo8J2N6usDvEr/zOMH3JM5SRVR6T7NgkRBChWlEtplGVMa4BqI9 iI7TFB0rfC2SLJcZvR4xShP0I8BJg1YKrVjTTNN0u5t5Fkd50ndhRZzZNMmK rMxjGWUgA9NMsjLL8C/ORJ4w6jujSzkaJZnITGbyUkZ5HK658GCS+SzO08yC Fpcn4ZrIXAYuhu6YpW7yOHRgoQgRkZ0LPJLS1fCAxb0ktEtD5w5zo8eLQAK+ MJopNc6EdBC/pAYY2YEmah6GCFNoyEc34FoRQwv6KceCxZHPww86adm33Gks JCQFBbipwyVEk4FrkrVEGjyswKgYXM3DFHANHcWgy2J0dCSifvQcwijTPExb 4jkm0U0YMdIQW9k3xBiRpGOBA9No7hS4A75iyJI6yZyKGIwpioqgKQWpN36n rlRkNqQ7cFjoOjLClQUIjKwq8El2JtBOkXVzhNK1Jieg6fdUO1hxFLkoY9FC 7fJUggs+hxYkTaNVWWwSBXuQLDaJgj1IFgtRLDOc3eD4LdKKhBOgDjODpcVQ P/yjecLXQRnjMlXhtuxvN84o7e7eYe1ss7k/wNrZZnN/gLWzzeb+AGtnm839 AdbONpv7A6ydPVzF1mgYu4+K3WntbJO5Bw2RctV6F8bbxK+YWkXMt6FTQkdk +A0L0ClCZlKYxCV4Lk5caQ3CoMy9kfDiIkPvWVkkmo5RYXymnfepyI03ceFx 3bgUnFBFnlilZSaFchEu5i6O0yx2kbOujBNvU1/AzYi09FFeMFAJUkjhyBVZ 3MKsINFEYpIUB0vrtS6EtmQQ3tCURaS8UIXB/7IUVEbMKRnrWBWldpm2iMOq SFXpTCFzm0XgdAnfJ6XNVFokDl0VkXIixewj4xCkc7g+hQgrPe4kGQJ0jqkn CQI6HSfTiPUJJuRhPkJaoEJEdJ1Z7zWumUKrFP/PMuVSyWKbgGjMAgqR2cQC nziZQxg6N5EwKUJ/ZPNCSVzVINRaSQehC+ieSEEuvknBwMoykylQSAZBWJ1D rtaJQlhwEuoT2SzzRS4lJiALnclC6RTThOiciwx8P2TPUuEKnxRpoXyhS1VK C/ySZMpjEoao9sYrK7LCWA8slJRAGBp2Bg4KkRiFPhAb4XBSyNE5r9LYpHkK 9SgjE2Ga0sXSWpNnyiQ2MYnJAaqKWJe5t0I76JQ2kFeaClZkkC5mGsW4CB+k M19C4mUKfVGwlVIZyEfQUXDwJlHWk+tJNO5rUViN9t4hTiOaSfgImGuOCJIZ l7g812C9he06mIoH910O2TgNX+PyErosvYbRCV8AhiEGqERIY1ypwScMEqeQ IWaSQylUBJSWKLghpyPodQYdwD98SuHJoZBWlA4kYEbCmdJnmQE3sjKVFn0Y nZU6UiowQ4CnqUi9y62BDsN/l8ZalZZaQVXAaRcbx5QDhgTpeNQYm1tdepNG WotUkz5mWUodgmGyKMmtWJtAOALzht5Bjs5bnTKVQb4pbD8rYTZe4x+6xIQQ ajw8C7ww5m6KyAJxQnWsLaHoaZFn6MSAuAKSYBGcTarBPR0wNtxCJBR5DWF1 
E4VsvnBSAoZE6Dgm14Jb7VVmEfMT+NtEgIk5wHmu4VV8aRwuGpVZCdaD2VLJ MtExDAWdCt91iv4SUTBy2QAuCZQujWwBLoMVApjB+BwExirPDIKjxxwzlZRE l+66wJQTcvQRIklmooX3R+9pg6lxu4uShaQHyUWmyEdiAk0IkoPrLNwgL5rA 5UekCPLGg+hMAkk5pIwJ/hfFSno5DDNsXfDy/feYwi46ztd0jCRD6KZjtqbn dQFMhaSCEAUSil5emDZdkQwhQxq4f0UhAL4u20j2WqqJ2swwSV8Dmkt91k8D FoEQZRYsR+YED05RSmgd/luE6QU4qRllQPENOUgKs4jj96SLtYQt3SCqcnBQ BqkgNhtKtjYMRSxgD+HBhqHgd+E9wPnkhigJdVOaCKMqO7jcADNCOXlAFIS3 AmhiLWpaYKYOEKUELTI8kCPMyACNRIO3wr1BsoNoLwtcAmBJY1luxAd2gA8g F5WaMkmcNJlXBjAzYRbPKjh1GIzGmBrOzYgEcTCmaGQyxDNtbAnHnyUIziWs LBOUIGNWNhEqdc4iP8oproIBaQK0kkTwUwrqgsAGN1FQSNCgRlifGAM3K4EP 4UsVvChgF8zflXCryEngH61U1jmKOyLO0VJoCaRcAntYlcDritQW3pcOfhMx r3BGwg9BCeA84OOdZQ7hGJg6965IFPnMQsMzpgZ02gJxCRFRxMBXRZzlaKTB HCAUF2sZOyRYqY9S6+GlLJxR6RHU8V2m5Fsz8tslQgp8MOiBw8s1kAJmlMVS w3nC38nSp1JlcHqIeSxySeyUKhCgklJlBjEjBl06JWADrfBQTQ/ZSgfM4hSp cZ7hcQRugxkWubC2YA44hvy3RqAn5qVFWea5ihTQLDwuukVw1nChucnz0ksN vUBohf0XhBogQgAuBhbBt5FYM1FKAoC5SYBBc2KGFZLUp3Ba0VJIESGwlAgy El65xGwSOJ3EIw/QRsE3EzQofQ7clykwsADewHeECkNJJ+ANzcUIWZYJBsh0 EcNZpClADLCDiOExCwhIIkr5vIgB8fLIUWUIWqcyJnSXeFgP0lggIYAEJJdg rEcCBHCEgKtKFSsmTGQSqXViEOaMiKFewuSeLAsiMrBBoFFoGgFLRD4Li8kB HalmzWukqU4ZZxhASUGtFHBgQXgO8QsBHI7AwSiAKwqwArgSYMR5gXAshYBt F4iWVGIAfA2nAAQPA3F5iidsbAGy0kSXYIbPckJoGtgMHZXwQTF6V9rbBDAm Rgg1Jel7UYBWlpTIq/CpgCHD4RSphIpKSSl/7qA7JaUuDjZdKMR2R40UAh+a gbXoCKTHlmH2IKLQADegHXYDt2KAegtZCg/tAbQGuBOuyRaAqNpFhHy4iMDW rCJEt/uZNYsI7B6rCHcvIrDHpXgrdLLHpXgrGR67xyrC3YsI7B6rCAj0+Nwu IiRh8SAOq4j9XUa3H7d0M2A6e/zSzYDp7PFLNwOms8cv3QyYzu5eurlHXs26 wLk+r87wGTkbAQ8P5sMGyiwxVgH6lhZwr3CiTKSC9xaxUsgOyijH7ayE2yzL VFskRpREa2VLmDaSHqvg0RBjC0s5KSIF0iw8RwABERbBMstLqkaCbOAW4Z2Q B0mkOj5B6oVQIZGzGySpMRx1TAi6TOCsNTjqAZbhPFlO+QDGhENFQxE5wHif IAe3IoELRWZmMR8okUqRSKADePHMqFKTyOC+HaJZwrxDDpYbpOSIcYWNXdBC JNwpXDQ4KAzCJEJvbGMPxwG2WOTowLmpRvxC+NHwuAxsRWSEI4W3lhSrtcyo WBh+HsktQACy0BiwEsgbU8tjY0pdAF8imS1Sr5CTIZ4xaHUGXIPQGAFJC2Ab V5B3lhaeUUKvDSVnuUVU1s5SwgEtBqApiwKJLtA0IpdlJkYsQnQsVIIpSA2d 
Qxv4uyzLEDDTmPpEnkorIpEkTiEO4CJuAu7kOfJKoGYvkAYig5O+QPIG5x2B 0aAFCCZDwitiZzPgB+sQ3XwBewVuNSlMGdNDxoQp4n8MCo8wBQFDZzTEEAFj SEK4hRYYNE+AQAqkqJi2zGxUIP0lDAMp5gJgRCOBzGNkn9qSRUUa7EI8kAao CcAz8QCkEKZHl6DXF4ATiRVQL4A6sD6FASbWWKRExjJrFOJTQusqaWa9QYhH juY0Aqn0NgWWRiIHXFgUFmDOg+1Q2gI0ZxKYJY8B/YDIpIXjoPiMeAWGhnTL O2BjC9VGfEEYL9FSwSPAdsjDFbQwBdRVIAZCayjBZ2VWaARDPC4FcvfEUNxP PaYVaWiPz2A4wBIQrtcFEqsCiBCKCEyispxgNqAiZgT5GbKfjFQRSDFFlhyn ubXAO8oDEQHmpRpQHiATMRr5eFSYHLgidgJoUSPnT1kG7c5ABvooIVQTXN8w r5ZJu3YHCIowupRXw/uEtkxQ5O2ccUhuuww2aeKwyQbp9yD7HqbO7PbcGfma Gibg+C5DduaXcnB2RxIOOxelVni8LDYHHLZdmG/bsO3CfBtw2HZhvg04bLsw 3wYcRg5pPZ4KCXKfw0tDKxD4VyDSZPiXIK2SbarM7pm/3pK6+3atucvdTaMh SfgvbZuqNqtNIgjcUyonwh4TsrClZJ49MptfzrDZI7P55aHYI7P55WSePTKb X07m2SOz+eVknsU3VxjCKhVSu4ga3LWYFLjDHrSYtAnYs+UVBIRIeAjtQ/ST Dgk9MmiNbEg76eGEjQEYQNcIaBmyZVumsEavWIpBTJHbqIQHKQs8BhUnN+oL VRqgKmTmiEdaCGXInwITi6hwLnEeQAMRsEysY2WKMIJsHjkc2JciK4RzF8je LPwsokOOcBaR/8d350zkNTxVqUWGxBKeHsEQWs6QYxlSpLAanVhCDw75ZeER 6vCfxJXIgC1SMV14q10Cf4yY40xuRALchRgrTQlJxwQAKX12WYSEE2AFFo0e 4VRTU0QEk1LMD4kVckMkhsg6EacM0B/YZqVPvWYIl5hoimhO5hkjj0II0xnF GaHBcI147yGRwpRh1bjMtIKUkQgiqKKRN1GSMUMnIpBwO5P4wgIfOWlBBTiB /FIqxCb4QIm0H/l64svShmV3RFUoE+YdE+FAQchdkdQapLSaJCtpPQGTRyIb UapahFMRwKBIgGWYhkDwBMPQd6qQVUKZkfEpcMzFCW1TO5MKAMdIQjmizJdw /xBNDCystaE0GtIHBBUqQnoOrhGDBMCsZWAnrAsZudUYBWgFERq4Okf4dbCS vCBHDW6KPHUJgRk8ruMEgAm6iylY+PWcxeghpSMfNgHIALRDeIdsAR9ESgc8 AK4ULaNra5Lc03YONCUH9+GDBMBoSqvqLHWWDKkoSsCOBCjLxx5gBUgW8K0U DsAsiwDtc03bSwpSgDgMUC3iK2ZeWNpbYA6EFvC6NnUiy1QRGyi9yQCjaFkf ItOwLGi3IsAD+ApHiN8JQZAY2gycnbmcgRclLAITKgEugb2tTYGgYAQFwLmh JSxIIQGqB+NNCReOPF8BaKBfQCSEX0gWkg6b0jrPlAUItyUYAxNPHfIHhIMS yLPErChAWIQjGESudJkmiBdGGmAoWgNiqixjAccQF81Wdlw0R3xCwIBp3ysx ZY/GCUOYwLY639HBBLbV+Y4OJrBH44QkXRzeYOtOb6w/L6XCyjtoU+vXPOjI lV1zmKo9S4UHzVruhB1qSujY5oNMoFtv6FpGBjwzRBf+FUCHDXotAcZVbKEs UDdawoLZwo6QhJQxkgvgfMB/MtUo8TfponWpBDkKVAKcLWKhEXlS5NIZLhZJ juAD3wAfkSqYd2ISmFOCBBzeEPkGXBWSDp+yEg4NOTgmAOSPcWiZBY8i46D1 
w7Sk7UdC815qWm4uHXISgY6RpsL5JDqmXUymszt25pMQNyNoM8KsSxPyFo4S qgy+gbKZhLiLFA+pTAJS4B1zuG4rwzY0EoekgKHGgXRdJmlYnabzEIDicNaw WQdx0KI90w6Wjiwv91lE+6ZxXCKhQ/CAV1FRTvmo1dAf5ItIueHBPMJWngOP wrUJxCFaMmXwF4gQ2npLBy5cmWegKxwIiDTibaSy1KlCw1/Dd/sSgAQwFgkm nA9yXQuXmsWaqcjSzmIaa3gXWVoNeEtb9Ql8b4zw7ClhVeSQkVgo2GvqkGND iUuTwrehXwssBT+q4Ipo7bcwBJIoNbGuiOCc09iQ8VpgOIJc4Awa06Z1BAyB jE3RfkTpgeCdNUhnPESGCEjzKAElSmc0AnwJq9YKbjbNckoiYyXSDJJATC0B UmwJHck0MCPiES3qyLIsEVuQKpWUoMImstQD0WjnIk/4IkPELxHsACNUlnko JowZ7jpGoEwR7cGJnFaIpZAIYnAtKfIzUgWkz4rWnHO4c5E4ADOK01AEU8Az wj4LOiWB21IxBG5J6qIj2nvVSiKGkX55pTRCEBCFgzJAAvhJES3o6AN0ASAL gFPEhBCAGXwJKI0cnNQQPrMwHpgEKXQJBGZ9yDVjiQgBVwiYgbnSoQyEL8RN A0RDG+aIamC6g/Ubi/Bv0tRlMDgIFr0mJe3NKJ/gDkASzNnCxReFNkXsvINC SAOGCgzPfKIIKEMlUmAceHKolEbSjvASxXS0BFg8L2yOjBbmquCwIByrEOYI qRgwwRtNZwiUhtZKmCqwG4QNSsrE0TEJkVqEdwA4PIoIDKsopErJecD3JEB0 jjCkkZ7RAQjtEFohq0zTSWEPROutLEAFHb8o6FEIkfZflcgMHbkAZKJjNQI9 ISo6wYSAAcL6XZKaEuAQyFJD3SnK59HO78MXeH1NDji9nmvwVq7bXjZGP+c7 AI+RlwgoCRxRAcADSAwVjzxERSIgpAKU5ZRTuQG88wmckaegEUN/YpXA5xoF JQN0oNcqCQuThLkagnsU54RF7I+FdRC0p1f8GTjLwtEWVkQvZGLNqfVfX/Tv 7jk6O2PsdEYFgMOq8UWV/f3OG/8HfIWkZU/wCkkFWLf+FZJnd71h9n4VQgNB /rusFTo+5mUS3j/1ip/k9NK2o4RHKb1MMU758StevKL3JMqCF5K/6opeXh7y 4yOqPMhzHkX8Vc5PjumdWHlEL8TKci4PeXzCTw7p1lHxr1wrtE5G/1k19J9V Q/9eqoYeZ6PDn8fY620kL6qGaHU/T1Zu3141lMYHoOFfoWro5ntC+rqhtvin rw1aE5VX6oR6p/JvI1r3fxvqu1DS+7BCJEZAeetCJNYnz9sUIrHBeH0hkrVl kgsA5DyJTRKldATAIp/IAEAL6Wm72CAXzSMgUWdjnzMK/7lUsXPK5wD7bSGS Ek5tLERKw1GCaFGIxIjsrQuR2INKEzZVJrAHlSZsqkxgDypN2FSZwB5UmrCp MoE9wYaWiNkTbGjJnD2oNGHTEhYLRrVtIRK7zxmiO0+zsEcuGi6Lgj1y0XBZ FOyRi4bLDGcPWjTcdISILUqNtihEYrfVHd7b2tltdYf3tnZ2W93hva2d3VZ3 eG9rZ7fVHd7b2tmWB6YaDWP3U7E7rJ1tNvcHFCKxTQemHlSIRIui2xcisbx4 gkIkBh+zfSESK9QTFCKxVD5BIRKT4gkKkRidSdu6EAmx8QkKkRjt521diMS8 e4JCJMSAJyhEwoyeoBCJGfcEhUhMp09QiMTK9AkKkdjSUajHFiKxxmVvWYjE yIVvXYjEhkc8Hl2IxDYdB3pQIRK77ymeWwuRWCSfoBCJIcptX4jEVs8uPero ErvrPNG9ji6xRx2TWh2KrZ5detTRJbZ6dulRR5fY6tmlRxUiMZE8QSESs/IJ 
CpGYSZ6gEIkBjWxfiMTgTLcvRGJKPEEhEgPR2xciMdzcvhAJecATFCIxET9B IRKL1RMUIjFnnqAQiRGy2roQiaGn7QuRWGyfoBCJrV1FeGghEntoTczaRQT2 2HdNLNHJHvuuiaUMjz20JmbtIgK71+tM7ipEYs3tLQuR2DbvkOmZzrZ5h0zP dLbNO2R6prP7LN3cmVezReDcohCJwZdsX4jE6DDI1oVIDN50+0IkppInKERi iKvbFyIxIIjtC5EY0rjtC5GAmp+gEIkRAti6EIkhTdi+EInR6aKtC5EY4a6t C5EYgNj2hUgMI25fiMSALLYvRGIhW922EIndlTvfqxCJ3ZmE36cQiW1bbxz1 pctb79uwbeuNQ8Bh29Ybh4DDKOJsXYjE7p2/3laIxJZz90cWIrFHv1ZkmGGz R79WZDgUe/RrRYbJPHv0a0WGyTx79GtFhsk8a1d2titEYg9cTFoPhNjqCsKj CpEY/Mz2hUgMkGD7QiT43ScoRGJItrYvRGJeP0EhEkuyJyhEQt74BIVIlPFt X4jEIM/tC5EYnQ/ZuhCJxfIJCpGYKJ+gEIm5/AkKkRhEu30hEgO0374QiW1R sLyACbeVot4/MWVbvmi2gQlsi4LlRSESW39644GFSO2ax5aFSCycYdhwkOne hUisEd2WhUgsENYXItExbOHBQySHSKmlyYG+rXdIvYkpcEW0VgirNE6ROQF8 R4JWrCGg1IUyHUF7niUsA9btkYwVyHVs5jAJp1NAf60DOJMwAoVMGFKSsBYk eAIR9paV96VCJHgo6eEAACMAq6Gz0Gl6q7W1jiW0DmsoGwJ38tJkaGAQxsAQ 2viLgfoRH2m1UFLtBdgFnwM3pDNk18gT0SGycoBHQxjOpUil0J1FmuMRR7IY URNeM4G7RuAtMWtCeWkedj0VzARpAZJ5A1blLMsLqswqIRBoV4pnqOqntJhB mijEAjgwi0AhSJaQkEJoQuwwwJOwxpjSS0kZn84xAxsjv6K1fSTEcFy0PlAW CvZU5FFEybjOqbAKQgQMkTkCJR0DKDzCDnmGDKE/9R6JMyYEnVGIWJY26TOT QgYx8j3EE0TvUDqEeZrC0R6nQ+6PNFshwhW07h2TkSW00RkTxxGLsxzhEUk4 eW0k9DnlgUlh6YRBqvICPg0+XtNSNBiOuUoGFdMKEU5iEiqBFwJtSNrpGAAE nyJRzUuN2FnqmDZUbGyQOnphAXggRA9h2RJ8wWRLWkVxoJTq4hIK7wBrCGTA SymtSSM9d8g4AaDgKUpbGksLzFFOq/YyhytjgALIzwg20SZOlpq8hOUYzEKW oC/KaOGIrApxsPC0SYGZ5gjp2qZlrGMqW1IMygI3D9sVgCclOE8nFeC54d8t 0LxD4C2tyghtlBTkYXCWqmpy4aiazkKDkQc4XcoIuk1VL1JTzkJnGAF8IGgE OsAO2J93kI2hZR9ACU0UWNxFaMrRrPDQXQUe5YDbHkFAW2WBloAIERbQjvJS J2KMC5BhqJ4K9l0i/qdAXwiaIhTeFZ4ZnVBRGwIQsnIkrDBn0iXYMK2/OOha nsLrANXR6YK4QHCOydIAMREIgPSQJhnm6X1rUWxhnfB2WQ4gp0xRknlBkRSy cFtIMCeVnvhL3CMQqTCeAjYuqQgLGR9GhYQhKDhGEAoztggAltK7rPB9SdG/ fg0Ms09QA8NUsqEG5ht+aOgv+42c/Uh/J6xmXw/m4/H8Qrups+0f1HG2Cn+A qvlrfaPqk2vOU6vxJ3Y4cr+5K/7WjcbVp8nnXXakpiP+j2o0UsaFb/THu/hL +kvL4/EuO3aaH00mI3e1y/7v/6I/gvYPV2PzCU1fTemPvNVG8Z/UaHKhq3G1 y964yZj+wOr7CVWGnE9GuFSNreLH87FW0132tjLnyo34y33+d/SX+hZXfppO 
[rfced] Terminology

a) The following terms were used inconsistently in this document. We chose to use the latter forms on the right. Please let us know any objections.

COSE then Timestamp -> COSE, then Timestamp

time-stamp tokens (3 instances - document title and title of Section 3) -> timestamp token(s) (11 instances in text)

Timestamp then COSE -> Timestamp, then COSE

b) The following terms appear to be used inconsistently in this document. Please let us know which form is preferred.

COSE signed object vs. signed COSE object

private-key (where used as a modifier) (e.g., "private-key parallelogram boxes") vs. private key (e.g., "private key material")

(un)protected header(s) (where used as a modifier) (e.g., "unprotected header parameter", "protected header parameter", and "protected headers bucket") vs. protected-header (e.g., "protected-header payload timestamps")

c) We see that after "TST" is defined as "TimeStampToken" in Section 1, the text alternates between using "TimeStampToken" and "TST". Because this is a short document, would you like to change the subsequent instances of "TimeStampToken" to "TST" once it's defined?
-->

<!-- [rfced] Please note that we added expansions for the following abbreviations where first used, per Section 3.6 of RFC 7322 ("RFC Style Guide" - <https://www.rfc-editor.org/info/rfc7322>). Please review carefully to ensure correctness.

CBOR: Concise Binary Object Representation
CMS: Cryptographic Message Syntax (per cited RFC 5652)
TSA: Time Stamping Authority (per RFC 3161)
-->

<!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide at <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>, and let us know if any changes are needed. Updates of this nature typically result in more precise language, which is helpful for readers.
Note that our script did not flag any words in particular, but this should still be reviewed as a best practice.
-->

</rfc>
