<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-rats-coserv-07" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="CoSERV">Concise Selector for Endorsements and Reference Values</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-rats-coserv-07"/>
    <author initials="P." surname="Howard" fullname="Paul Howard">
      <organization>Arm</organization>
      <address>
        <email>paul.howard@arm.com</email>
      </address>
    </author>
    <author initials="T." surname="Fossati" fullname="Thomas Fossati">
      <organization>Linaro</organization>
      <address>
        <email>Thomas.Fossati@linaro.org</email>
      </address>
    </author>
    <author initials="H." surname="Birkholz" fullname="Henk Birkholz">
      <organization>Fraunhofer SIT</organization>
      <address>
        <email>henk.birkholz@ietf.contact</email>
      </address>
    </author>
    <author initials="S." surname="Kamal" fullname="Shefali Kamal">
      <organization>Fujitsu</organization>
      <address>
        <email>Shefali.Kamal@fujitsu.com</email>
      </address>
    </author>
    <author initials="G." surname="Mandyam" fullname="Giridhar Mandyam">
      <organization>AMD</organization>
      <address>
        <email>gmandyam@amd.com</email>
      </address>
    </author>
    <author initials="D." surname="Ma" fullname="Ding Ma">
      <organization>Alibaba Cloud</organization>
      <address>
        <email>xynnn@linux.alibaba.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Remote ATtestation ProcedureS</workgroup>
    <keyword>RATS</keyword>
    <keyword>attestation</keyword>
    <keyword>endorsement</keyword>
    <keyword>reference value</keyword>
    <abstract>
      <?line 108?>

<t>In the Remote Attestation Procedures (RATS) architecture, Verifiers require Endorsements and Reference Values to assess the trustworthiness of Attesters.
This document specifies the Concise Selector for Endorsements and Reference Values (CoSERV), a structured query/result format designed to facilitate the discovery and retrieval of these artifacts from various providers.
CoSERV defines a query language and corresponding result structure using CDDL, which can be serialized in CBOR format, enabling efficient interoperability across diverse systems.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ietf-rats-wg.github.io/draft-ietf-rats-coserv/draft-ietf-rats-coserv.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-rats-coserv/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Remote ATtestation ProcedureS Working Group mailing list (<eref target="mailto:rats@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/rats/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/rats/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-rats-wg/draft-ietf-rats-coserv"/>.</t>
    </note>
  </front>
  <middle>
    <?line 114?>

<section anchor="sec-intro">
      <name>Introduction</name>
      <t>Remote Attestation Procedures (RATS) enable Relying Parties to evaluate the trustworthiness of remote Attesters by appraising Evidence.
This appraisal necessitates access to Endorsements and Reference Values, which are often distributed across multiple providers, including hardware manufacturers, firmware developers, and software vendors.
The lack of standardized methods for querying and retrieving these artifacts poses challenges in achieving seamless interoperability.</t>
      <t>The Concise Selector for Endorsements and Reference Values (CoSERV) addresses this challenge by defining a query language and a corresponding result structure for the transaction of artifacts between a provider and a consumer.
The query language format provides Verifiers with a standard way to specify a set of relevant artifacts, such that they can be obtained from Endorsers and Reference Value Providers.
Queries can be based on characteristics of the Attester's environment.
Alternatively, queries can be based on the precise identifiers of one or more Reference Integrity Manifest (RIM) documents.
In turn, the result format allows those Endorsers and Reference Value Providers to package the selected artifacts within a standard structure.
This facilitates the efficient discovery and retrieval of relevant Endorsements and Reference Values from providers, maximising the re-use of common software tools and libraries within the transactions.</t>
      <t>The CoSERV query language is intended to form the input data type for tools and services that provide access to Endorsements and Reference Values.
The CoSERV result set is intended to form the corresponding output data type from those tools and services.</t>
      <t>The environment characteristics of Endorsements and Reference Values are derived from the equivalent concepts in CoRIM <xref target="I-D.ietf-rats-corim"/>.
CoSERV therefore borrows heavily from CoRIM, and shares some data types for its fields.
And, like CoRIM, the CoSERV schema is defined using CDDL <xref target="RFC8610"/>. A CoSERV query can be serialized in CBOR <xref target="STD94"/> format.</t>
      <t>In addition to the CBOR-based data formats for CoSERV queries and responses, this specification also defines API bindings and behaviours for the exchange of CoSERV queries and responses.
This is to facilitate standard interactions between CoSERV producers and consumers.
Standard API endpoints and behaviours will encourage the growth of interoperable software tools and modules, not only for parsing and emitting CoSERV-compliant data, but also for implementing the clients and services that need to exchange such data when acting in the capacity of the relevant RATS roles.
This will be of greater benefit to the software ecosystem than the CoSERV data format alone.
See <xref target="secapibindings"/> for the API binding specifications.</t>
      <section anchor="terminology-and-requirements-language">
        <name>Terminology and Requirements Language</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

<t>This document uses terms and concepts defined by the RATS architecture.
For a complete glossary, see <xref section="4" sectionFormat="of" target="RFC9334"/>.</t>
        <t>This document uses terms and concepts defined by the CoRIM specification.
For a complete glossary, see <xref section="1.1.1" sectionFormat="of" target="I-D.ietf-rats-corim"/>.</t>
        <t>This document uses the terms <em>"actual state"</em> and <em>"reference state"</em> as defined in <xref section="2" sectionFormat="of" target="I-D.ietf-rats-endorsements"/>.</t>
        <t>The terminology from CBOR <xref target="STD94"/>, CDDL <xref target="RFC8610"/> and COSE <xref target="STD96"/> applies;
in particular, CBOR diagnostic notation is defined in <xref section="8" sectionFormat="of" target="STD94"/>
and <xref section="G" sectionFormat="of" target="RFC8610"/>. Terms and concepts are always referenced as proper nouns, i.e., with Capital Letters.</t>
      </section>
    </section>
    <section anchor="secaggregation">
      <name>Aggregation and Trust Models</name>
      <t>The roles of Endorser or Reference Value Provider might sometimes be fulfilled by aggregators, which collect from multiple supply chain sources, or even from other aggregators, in order to project a holistic view of the endorsed system.
The notion of such an aggregator is not explicit in the RATS architecture.
In practice, however, supply chains are complex and multi-layered.
Supply chain sources can include silicon manufacturers, device manufacturers, firmware houses, system integrators, service providers and more.
In practical terms, an Attester is likely to be a complex entity, formed of components from across such supply chains.
Evidence would be likewise structured, with contributions from different segments of the Attester's overall anatomy.
A Verifier for such Evidence may find it convenient to contact an aggregator as a single source of truth for Endorsements and Reference Values.
An aggregator would have intelligence about the Attester's complete anatomy and supply chain.
It would have the ability to contact all contributing supply chain actors for their individual Endorsements and Reference Values, before collecting them into a cohesive set, and delivering them to the Verifier as a single, ergonomic package.
The contributing supply chain actors might themselves be CoSERV-enabled, in which case the aggregator would send one or more separate CoSERV queries to those actors as part of the aggregation process.
Alternatively, it might be necessary to use vendor-specific protocols to gather these artifacts and convert them into the aggregated CoSERV response.
The choice between these approaches is deployment-dependent, and is considered to be an implementation detail of the aggregator.
In pure RATS terms, an aggregator is still an Endorser or a Reference Value Provider - or, more likely, both.
It is not a distinct role, and so there is no distinctly-modeled conveyance between an aggregator and a Verifier.
However, when consuming from an aggregator, the Verifier may need visibility of the aggregation process, possibly to the extent of needing to audit the results by inspecting the individual inputs that came from the original supply chain actors.
CoSERV addresses this need, catering equally for both aggregating and non-aggregating supply chain sources.</t>
      <t>To support deployments with aggregators, CoSERV allows for flexible trust models as follows.</t>
      <ul spacing="normal">
        <li>
          <t><strong>Shallow Trust</strong>: in this model, the consumer trusts the aggregator, solely and completely, to provide authentic descriptions of the endorsed system.
The consumer does not need to audit the results of the aggregation process.
The term "shallow" is used here to indicate the number of supply chain links that are traversed by the consumer.
When trust in the aggregator is absolute, only one link needs to be traversed, from the consumer to the aggregator, because the aggregator is the sole authority.</t>
        </li>
        <li>
          <t><strong>Deep Trust</strong>: in this model, the consumer has a trust relationship with the aggregator, but does not deem this to be sufficient.
The consumer can still use the collected results from the aggregation process, where it is convenient to do so, but also needs to audit those results.
The term "deep" is used to indicate that the consumer needs to traverse more supply chain links in order to gain an adequate level of trust, because trust in the aggregator is only partial.
It means that the consumer has to reach more "deeply" into the supply chain sources, compared with the shallow model.</t>
        </li>
      </ul>
      <t>Any given CoSERV transaction can operate according to either model.
The consumer decides which model to use when it forms a query.
The CoSERV result payload can convey both the aggregated result and the audit trail as needed.
The payload size may be smaller when the shallow model is used, but the choice between the two models is a question for implementations and deployments.</t>
      <t>Although CoSERV is designed to support aggregation, it is not a requirement.
When aggregation is not used, CoSERV still fulfills the need for a standard conveyance mechanism between Verifiers and Endorsers or Reference Value Providers.</t>
    </section>
    <section anchor="secinfomodel">
      <name>CoSERV Information Model</name>
      <section anchor="overview">
        <name>Overview</name>
        <t>CoSERV is designed to facilitate query-response transactions between a producer and a consumer.
In the RATS model, the producer is either an Endorser or a Reference Value Provider, and the consumer is a Verifier.
CoSERV defines a single top-level data type that can be used for both queries and result sets.
Queries are authored by the consumer (Verifier), while result sets are authored by the producer (Endorser or Reference Value Provider) in response to the query.
A CoSERV data object always contains a query.
When CoSERV is used to express a result set, the query is retained alongside the result set that was yielded by that query.
This allows consumers to verify a match between the query that was sent to the producer, and the query that was subsequently returned with the result set.
Such verification is useful because it mitigates security threats arising from any untrusted infrastructure or intermediaries that might reside between the producer and the consumer.
An example of this is caching in HTTP <xref target="STD98"/> and CoAP <xref target="RFC7252"/>.
It might be expensive to compute the result set for a query, which would make caching desirable.
However, if caching is managed by an untrusted intermediary, then there is a risk that such an untrusted intermediary might return incorrect results, either accidentally or maliciously.
Pairing the original query with each result set provides an end-to-end contract between the consumer and producer, mitigating such risks.
The transactional pattern between the producer and the consumer would be that the consumer begins the transaction by authoring a query and sending it to the producer as a CoSERV object.
The producer receives the query, computes results, and returns a new CoSERV object formed from the results along with the original query.
Notionally, the producer is "adding" the results to the query before sending it back to the consumer.</t>
      </section>
      <section anchor="secartifacts">
        <name>Artifacts</name>
        <t>Artifacts are what the consumer (Verifier) needs in order to verify and appraise Evidence from the Attester, and therefore they form the bulk of the response payload in a CoSERV transaction.
The common CoSERV query language recognises three artifact types.
These correspond to the three categories of endorsement artifact that can be identified natively in the RATS architecture:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Trust Anchor</strong>: A trust anchor is as defined in <xref target="RFC6024"/>.
An example of a trust anchor would be the public part of the asymmetric signing key that is used by the Attester to sign Evidence, such that the Verifier can verify the cryptographic signature.
This is just one example.
Other forms of trust anchor are possible.
CoSERV does not place any additional requirements or constraints on the conveyance or use of trust anchors, beyond what is already described in <xref target="RFC9334"/> and <xref target="I-D.ietf-rats-endorsements"/>.
<xref section="4" sectionFormat="of" target="I-D.ietf-rats-endorsements"/> sets out the applicable patterns for the endorsement of verification keys, all of which apply equally here.</t>
          </li>
          <li>
            <t><strong>Endorsed Value</strong>: An endorsed value is as defined in <xref section="1.1.1" sectionFormat="of" target="I-D.ietf-rats-corim"/>.
This represents a characteristic of the Attester that is not directly presented in the Evidence, such as certification data related to a hardware or firmware module.</t>
          </li>
          <li>
            <t><strong>Reference Value</strong>: A reference value is as defined in <xref section="1.1.1" sectionFormat="of" target="I-D.ietf-rats-corim"/>.
A reference value specifies an individual aspect of the Attester's desired state.
Reference values are sometimes informally called "golden values".
An example of a reference value would be the expected hash or checksum of a binary firmware or software image running in the Attester's environment.
Evidence from the Attester would then include claims about the Attester's actual state, which the Verifier can then compare with the reference values at Evidence appraisal time.</t>
          </li>
        </ul>
        <t>When artifacts are produced by an aggregator (see <xref target="secaggregation"/>), the following additional classifications apply:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Collected Artifacts</strong>: these refer to artifacts that were derived by the aggregator by collecting and presenting data from original supply chain sources, or from other aggregators.
Collected artifacts form a single holistic package, and provide the most ergonomic consumption experience for the Verifier.</t>
          </li>
          <li>
            <t><strong>Source Artifacts</strong>: these refer to artifacts that were obtained directly from the original supply chain sources, and used as inputs into the aggregation process, allowing the aggregator to derive the collected artifacts.</t>
          </li>
        </ul>
        <t>In the shallow trust model of aggregation, only the collected artifacts are used by the consumer.
In the deep trust model, both the collected artifacts and the source artifacts are used.
The source artifacts allow the consumer to audit the collected artifacts and operate the trust-but-verify principle.</t>
      </section>
      <section anchor="secenvironments">
        <name>Environments</name>
        <t>Some CoSERV queries use environments as the basis for artifact selection.
An environment defines the scope (or scopes) in which the endorsement artifacts are applicable.
Given that the consumer of these artifacts is likely to be a Verifier in the RATS model, the typical interpretation of the environment would be that of an Attester that either has produced evidence, or is expected to produce evidence, that the Verifier needs to appraise.
The Verifier consequently needs to query the Endorser or Reference Value Provider for artifacts that are applicable in that environment.
For CoSERV queries that are based on environments, there are three mutually-exclusive methods for defining those environments.
Exactly one of these three methods <bcp14>MUST</bcp14> be used for the query to be valid.
All three methods correspond to environments that are also defined within CoRIM <xref target="I-D.ietf-rats-corim"/>.</t>
        <ul spacing="normal">
          <li>
            <t><strong>Class</strong>: A class is an environment that is expected to be common to a group of similarly-constructed Attesters, who might therefore share the same set of endorsed characteristics.
An example of this might be a fleet of computing devices of the same model and manufacturer.</t>
          </li>
          <li>
            <t><strong>Instance</strong>: An instance is an environment that is unique to an individual and identifiable Attester, such as a single computing device or component.</t>
          </li>
          <li>
            <t><strong>Group</strong>: A group is a collection of common Attester instances that are collected together based on some defined semantics.
For example, Attesters may be put into groups for the purpose of anonymity.</t>
          </li>
        </ul>
        <section anchor="secstateful">
          <name>Stateful Environments</name>
          <t>In addition to specifying the Attester environment by class, instance, or group, it is sometimes necessary to constrain the target environment further by specifying aspects of its state.
This is because the applicability of Endorsements and Reference Values might vary, depending on these stateful properties.
Consider, for example, an Attester instance who signs Evidence using a derived attestation key, where the derivation algorithm is dependent on one or more aspects of the Attester's current state, such as the version number of an upgradable firmware component.
This example Attester would, at different points in its lifecycle, sign Evidence with different attestation keys, since the keys would change upon any firmware update.
To provide the correct public key to use as the trust anchor for verification, the Endorser would need to know the configured state of the Attester at the time the Evidence was produced.
Specifying such an Attester solely by its instance identifier is therefore insufficient for the Endorser to supply the correct artifact.
The environment specification would need to include these critical stateful aspects as well.
In CoRIM <xref target="I-D.ietf-rats-corim"/>, stateful environments are modeled as an environment identifier plus a collection of measurements, and CoSERV takes the same approach.
Therefore, any environment selector in a CoSERV query can optionally be enhanced with a collection of one or more measurements, which specify aspects of the target environment state that might materially impact the selection of artifacts.</t>
        </section>
        <section anchor="environment-uniqueness">
          <name>Environment Uniqueness</name>
          <t>Because CoSERV is a query language, the CoSERV environment structure has been designed such that it is well suited to forming queries.
It has been optimized such that the most common query styles are also the simplest to construct.
For the case of environment-based queries, this design makes it very straightforward to query for artifacts by (multiples of) instance, group or class.
It is not possible to query by combinations of these properties at the same time.
For example, it is not possible to form a query that selects by instance or group, while simultaneously being constrained by the scope of a specific class.
As a more precise example, it would not be possible to form a single query that selects artifacts for instance "0x010203040506", but only for devices of class "ACME SiliconPro 2000".
This is a departure from CoRIM environments, which can optionally be modeled as combinations of instance, group or class.
This design choice is a pragmatic one that is taken by CoSERV, but it does raise some deployment considerations in terms of environment uniqueness.</t>
          <t>In many deployments, it is expected that the identifiers used for instances and groups would be highly entropic and either universally unique, or at least unique within the scope of any given CoSERV provider/consumer pair, such that material ambiguities would not arise.
Identifiers of type <tt>uuid</tt> or <tt>ueid</tt>, for example, are typical.
However, some profiles might define their identifier types such that uniqueness is not guaranteed.
Care is therefore needed when using CoSERV with such profiles.
Where globally unique identifiers are not guaranteed, a CoSERV provider <bcp14>SHOULD</bcp14> be scoped such that any identifier used in a query remains unambiguous within that provider.
For example, a provider might be scoped to a single product family (effectively constraining the class).
This preserves the simplicity of the CoSERV environment model while avoiding ambiguity in practice.</t>
        </section>
      </section>
      <section anchor="secinfoqueries">
        <name>Queries</name>
        <t>The purpose of a query is to allow the consumer (Verifier) to specify the artifacts that it needs.
CoSERV offers a small but versatile query language.
The following styles of query are available:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Queries by Environment</strong>: This query style is used to select the artifacts that are applicable to the Attester's environment.
See <xref target="secenvironments"/>.</t>
          </li>
          <li>
            <t><strong>Queries by RIM Identifier</strong>: This query style is used to select artifacts that are Reference Integrity Manifest (RIM) artifacts, and where the consumer already knows the precise identifiers of the specific RIMs that it needs.</t>
          </li>
        </ul>
        <t>Further details are given in the sections below.</t>
        <section anchor="secinfoqueryenv">
          <name>Queries by Environment</name>
          <t>When a CoSERV query is specified using an environment, the following information is conveyed in the query:</t>
          <ul spacing="normal">
            <li>
              <t>A specification of the required artifact type: Reference Value, Endorsed Value or Trust Anchor.
See <xref target="secartifacts"/> for definitions of artifact types.
A single CoSERV query can only specify a single artifact type.</t>
            </li>
            <li>
              <t>A specification of the Attester's environment.
Environments can be selected according to Attester instance, group or class.
Additional properties of the environment state can be specified by adding one or more measurements to the selector.
See <xref target="secenvironments"/> for full definitions.
To facilitate efficient transactions, a single query can specify either multiple instances, multiple groups or multiple classes.
However, it is not possible to mix instance-based selectors, group-based selectors and class-based selectors in a single query.</t>
            </li>
            <li>
              <t>A switch to select the desired supply chain depth.
A CoSERV query can request collected artifacts, source artifacts, or both.
This switch is especially relevant when the CoSERV query is fulfilled by an aggregator.
The collected artifacts are intended for convenient consumption (according to the shallow trust model), while the source artifacts are principally useful for auditing (according to the deep trust model).
It is possible for a query to select for source artifacts only, without the collected artifacts.
This might happen when the consumer needs to inspect or audit artifacts from across the deep supply chain, while not requiring the convenience of the aggregated view.
It could also happen when the consumer is acting as an intermediate broker, gathering artifacts for delivery to another aggregator.
See <xref target="secaggregation"/> for details on aggregation, auditing and trust models.</t>
            </li>
          </ul>
        </section>
        <section anchor="secinfoqueryrim">
          <name>Queries by RIM Identifier</name>
          <t>Reference Integrity Manifests (RIMs) are a common type of artifact format for representing Endorsements and Reference Values.
RATS defines the CoRIM format for the encoding of RIMs (see <xref target="I-D.ietf-rats-corim"/>).
CoSERV supports a query style that allows individual RIMs to be obtained based on their identifiers.
This is a more direct style of query, compared with the query by environment.
It is applicable in cases where the consumer is already aware of the precise set of RIMs that it needs.
There is no environment matching performed in this case, nor is there any aggregation.
The shallow and deep trust models are therefore not applicable for this style of query, and there is no distinction between source and collected artifacts.
The producer is expected to do nothing more than look up the identified documents and return them directly in the result set.</t>
          <t>The query contains one or more identifiers for RIM documents, or for tags contained in RIM documents.
RIM identifiers of the following types are permitted:</t>
          <ul spacing="normal">
            <li>
              <t>CoRIM identifiers (<xref section="4.1.1" sectionFormat="of" target="I-D.ietf-rats-corim"/>)</t>
            </li>
            <li>
              <t>CoMID tag identifiers (<xref section="5.1.1.1" sectionFormat="of" target="I-D.ietf-rats-corim"/>)</t>
            </li>
            <li>
              <t>CoSWID tag identifiers (<xref section="2.3" sectionFormat="of" target="RFC9393"/>)</t>
            </li>
          </ul>
          <t>All three of these identifier types are required to be globally unique as per their corresponding specifications.
A single query may contain identifiers of different types.</t>
        </section>
        <section anchor="avoidance-of-volatile-data-in-queries">
          <name>Avoidance of Volatile Data in Queries</name>
          <t>CoSERV queries do not contain timestamps or any similarly volatile or unpredictable fields.
This is to ensure that any set of materially-identical queries will always yield the same encoded sequence of CBOR bytes, regardless of the time when they were issued, or of other volatile factors.
Along with the other encoding rules set out in <xref target="secencoding"/>, it means that a query can be used as a stable and canonical identifier of artifacts.
This property of queries is an important enabler of efficient CoSERV transactions.
See, for example, the HTTP caching design described in <xref target="secrrapicaching"/>.</t>
        </section>
        <section anchor="query-logging">
          <name>Query Logging</name>
          <t>A CoSERV implementation <bcp14>MAY</bcp14> log the time at which a query was received and fulfilled.
This might sometimes be desirable for transparency or audit purposes.
Implementations are free to define their own transparency events, which can then include timestamps or other suitable information.</t>
        </section>
      </section>
      <section anchor="secinforesults">
        <name>Result Sets</name>
        <t>The result set contains the artifacts that the producer collected in response to the query.
Result sets always include a timestamp indicating the expiry time of the entire result set.
Consumers <bcp14>MUST NOT</bcp14> consider any part of the result set to be valid after this expiry time.</t>
        <t>The remaining information contained in the result set depends on the style of query that was used: either a query by environment, or a query by RIM identifier.</t>
        <section anchor="secinforesultsenv">
          <name>Results for Queries by Environment</name>
          <t>For queries by environment, the top-level structure of the result set contains the following two items in addition to the expiry timestamp:</t>
          <ul spacing="normal">
            <li>
              <t>A collection of one or more result entries.
This will be a collection of either reference values, endorsed values or trust anchors.
See <xref target="secartifacts"/> for definitions of artifact types.
Artifact types are never mixed in any single CoSERV result set.
The artifacts in the result collection therefore <bcp14>MUST</bcp14> match the single artifact type specified in the original CoSERV query.</t>
            </li>
            <li>
              <t>A collection of the original source materials from which the producer derived the correct artifacts to include in the result set.
These source materials are optional, and their intended purpose is auditing.
They are included only when requested by the original CoSERV query.
Source materials would typically be requested in cases where the consumer is not willing to place sole trust in the producer, and therefore needs an audit trail to enable additional verifications.</t>
            </li>
          </ul>
          <t>Each individual result entry combines a CoMID triple with an authority delegation chain.
CoMID triples are exactly as defined in <xref section="5.1.4" sectionFormat="of" target="I-D.ietf-rats-corim"/>.
Each CoMID triple will demonstrate the association between an environment matching that of the CoSERV query, and a single artifact such as a reference value, trust anchor or endorsed value.
The authority delegation chain is composed of one or more authority delegates.
Each authority delegate is represented by a public key or key identifier, which the consumer can check against its own set of trusted authorities.
The authority delegation chain serves to establish the provenance of the result entry, and enables the Verifier to evaluate the trustworthiness of the associated artifact.
The purpose of the authority delegation chain is to allow CoSERV responses to support decentralized trust models, where Verifiers may apply their own policy to determine which authorities are acceptable for different classes of artifact.</t>
          <t>Because each result entry combines a CoMID triple with an authority delegation chain, the entries are consequently known as quadruples (or "quads" for short).</t>
        </section>
        <section anchor="secinforesultsrim">
          <name>Results for Queries by RIM Identifier</name>
          <t>Queries by RIM identifier are significantly simpler than queries by environment, and the result set structure is likewise simpler.
There are no authority delegation chains or "quads" in the result.
The result does not contain any extracted or aggregated information.
Instead, it is composed of entire RIM documents, obtained and passed through verbatim from their original supply chain sources.</t>
          <t>The result is a flat map structure, keyed by the RIM identifier.
Each key in the map <bcp14>MUST</bcp14> correspond to one of the RIM identifiers in the original query.
Each mapped value is the corresponding RIM data object, contained within a Conceptual Message Wrapper (CMW) as per <xref target="I-D.ietf-rats-msg-wrap"/>.</t>
          <t>The permitted RIM content for each map entry depends upon the type of key used in the query.</t>
          <t>When the key is a CoRIM identifier, the RIM content <bcp14>MUST</bcp14> be the CoRIM data object whose identity matches the key.</t>
          <t>When the key is a CoMID tag identifier, the RIM content <bcp14>MUST</bcp14> be a CoRIM data object, which contains the CoMID tag whose identity matches the key.
The CoRIM data object may also contain other CoMID (or CoSWID) tags with different identifiers, even if those identifiers were not included in the query.</t>
          <t>When the key is a CoSWID tag identifier, the RIM content <bcp14>MUST</bcp14> be one of the following:</t>
          <ul spacing="normal">
            <li>
              <t>The CoSWID data object whose identity matches the key.</t>
            </li>
            <li>
              <t>A CoRIM data object, which contains the CoSWID tag whose identity matches the key.
The CoRIM data object may also contain other CoSWID (or CoMID) tags with different identifiers, even if those identifiers were not included in the query.</t>
            </li>
          </ul>
          <t>The recipient of the query <bcp14>MAY</bcp14> return only a subset of the RIMs that were requested, if it is not able to satisfy the entire query.
An empty set is also a valid result in the worst case.</t>
          <t>For CoMID and CoSWID tag identifiers, the producer may be in possession of multiple revisions of the RIM tag with that identity.
In such cases, the producer <bcp14>MUST</bcp14> populate the result set with the newest available revision only.
The "newest" revision is defined as the one with the highest integer version counter in the relevant tag's identity map.
See <xref section="5.1.1.2" sectionFormat="of" target="I-D.ietf-rats-corim"/> and <xref section="2.3" sectionFormat="of" target="RFC9393"/> for additional details of tag versioning.</t>
          <t>It is possible for multiple keys in the result set to map to the same data object.
For example, if a query selects for two CoMID identifiers, <tt>CoMID-A</tt> and <tt>CoMID-B</tt>, and the producer has a single CoRIM containing both of those CoMID tags, then the producer <bcp14>MAY</bcp14> populate the result set with entries for both <tt>CoMID-A</tt> and <tt>CoMID-B</tt>, where both entries map to identical copies of the single containing CoRIM.</t>
          <t>The producer <bcp14>SHOULD</bcp14> ensure that all RIMs in the result set are signed.
In cases where the producer is returning copies of RIMs from upstream supply chain actors on a pass-through basis, the producer <bcp14>SHOULD</bcp14> preserve the original signatures from those supply chain actors, as opposed to re-constructing and re-signing the RIMs.</t>
        </section>
        <section anchor="rim-validity-and-results-expiry">
          <name>RIM Validity and Results Expiry</name>
          <t>Signed RIMs usually have an explicit validity period.
For example, signed CoRIMs include validity information in the protected header map (see <xref section="4.2.1" sectionFormat="of" target="I-D.ietf-rats-corim"/>).
RIM validity information can take the form of CWT claims (<tt>nbf</tt>, not before time, and <tt>exp</tt>, expiration time) or use the CoRIM validity map.
Whatever method is used to define the validity period:</t>
          <ol spacing="normal" type="1"><li>
              <t>The CoSERV query result <bcp14>MUST NOT</bcp14> expire after the end of the validity period but may expire before the end of the validity period.</t>
            </li>
            <li>
              <t>The RIM <bcp14>MUST NOT</bcp14> be included in the CoSERV result if it is outside of its validity period.</t>
            </li>
          </ol>
        </section>
      </section>
    </section>
    <section anchor="secdatamodel">
      <name>CoSERV Data Model</name>
      <t>This section specifies the CBOR data model for CoSERV queries and result sets.</t>
      <t>CDDL is used to express rules and constraints of the data model for CBOR.
These rules must be strictly followed when creating or validating CoSERV data objects.</t>
      <t>The top-level CoSERV data structure is given by the following CDDL:</t>
      <sourcecode type="cddl"><![CDATA[
;# import comid-autogen

coserv = {
  &(profile: 0) => profile
  &(query: 1) => query
  ? &(results: 2) => results
}

profile = comid.oid-type / ~uri
]]></sourcecode>
      <section anchor="common-data-types">
        <name>Common Data Types</name>
        <t>CoSERV inherits the following types from the CoRIM data model <tt>class-map</tt>, <tt>$class-id-type-choice</tt>, <tt>$instance-id-type-choice</tt> and <tt>$group-id-type-choice</tt>.</t>
        <t>The collated CDDL is in <xref target="collated-cddl-coserv"/>.</t>
      </section>
      <section anchor="profile">
        <name>Profile</name>
        <t>In common with EAT and CoRIM, CoSERV supports the notion of profiles.
As with EAT and CoRIM, profiles are a way to extend or specialize the structure of a generic CoSERV query in order to cater for a specific use case or environment.</t>
        <t>In a CoSERV query, the profile can be identified by either a Uniform Resource Identifier (URI) or an Object Identifier (OID).
This convention is identical to how EAT profiles are identified using the <tt>eat_profile</tt> claim as described in <xref section="4.3.2" sectionFormat="of" target="RFC9711"/>.</t>
      </section>
      <section anchor="query-structure">
        <name>Query Structure</name>
        <t>The CoSERV query language enables Verifiers to specify the desired characteristics of Endorsements and Reference Values based on the environment in which they are applicable.</t>
        <t>The top-level structure of a CoSERV query is given by the following CDDL:</t>
        <sourcecode type="cddl"><![CDATA[
;# import comid-autogen
;# import corim-autogen
;# import rfc9393 as coswid

query = {
 ( environment-query // rim-query )
}

environment-query = (
  &(artifact-type: 0) => artifact-type
  &(environment-selector: 1) => environment-selector-map
  &(result-type: 2) => result-type
)

rim-query = (
  &(rim-selector: 3) => [ + rim-selector-id ]
)

rim-selector-id = [ &(comid: 0), comid.$tag-id-type-choice ]
                  / [ &(coswid: 1), coswid.tag-id ]
                  / [ &(corim: 2), corim.$corim-id-type-choice ]

artifact-type = &(endorsed-values: 0)
                / &(trust-anchors: 1)
                / &(reference-values: 2)

result-type = &(collected-artifacts: 0)
              / &(source-artifacts: 1)
              / &(both: 2)
]]></sourcecode>
        <t>At top level, the query is partitioned into mutually-exclusive variants for the different query styles: queries by environment, or queries by RIM identifier.
See <xref target="secinfoqueries"/> for details about the query styles and how they are used.</t>
        <t>The meanings of the query fields are detailed in the following subsections for each supported style.</t>
        <section anchor="queries-by-environment">
          <name>Queries by Environment</name>
          <section anchor="artifact-type">
            <name>Artifact Type</name>
            <t>For queries by environment, the <tt>artifact-type</tt> field is the foremost discriminator of the query.
It is an artifact category selector.
Its three permissible values are <tt>trust-anchors</tt> (codepoint 1), <tt>endorsed-values</tt> (codepoint 0) and <tt>reference-values</tt> (codepoint 2).</t>
            <t>See <xref target="secartifacts"/> for full definitions of artifact types.</t>
            <t>It is expected that implementations might choose to store these different categories of artifacts in different top-level stores or database tables.
Where this is the case, the <tt>artifact-type</tt> field serves to narrow the query down to the correct store or table.
Even where this is not the case, the discriminator is useful as a filter for the consumer, resulting in an efficiency gain by avoiding the transfer of unwanted data items.</t>
          </section>
          <section anchor="environment-selector">
            <name>Environment Selector</name>
            <t>For queries by environment, the environment selector forms the main body of the query, and its CDDL is given below:</t>
            <sourcecode type="cddl"><![CDATA[
;# import comid-autogen

environment-selector-map = { selector }

stateful-class = [
  class: comid.class-map
  ? measurements: [ + comid.measurement-map ]
]

selector //= ( &(class: 0) => [
  + stateful-class
] )

stateful-instance = [
  instance: comid.$instance-id-type-choice
  ? measurements: [ + comid.measurement-map ]
]

selector //= ( &(instance: 1) => [
  + stateful-instance
] )

stateful-group = [
  group: comid.$group-id-type-choice
  ? measurements: [ + comid.measurement-map ]
]

selector //= ( &(group: 2) => [
  + stateful-group
] )
]]></sourcecode>
            <t>Environments can be specified according to instance, group or class. See <xref target="secenvironments"/> for details.</t>
            <t>Although these three environment definitions are mutually-exclusive in a CoSERV query, all three support multiple entries.
This is to gain efficiency by allowing the consumer (Verifier) to query for multiple artifacts in a single transaction.
For example, where artifacts are being indexed by instance, it would be possible to specify an arbitrary number of instances in a single query, and therefore obtain the artifacts for all of them in a single transaction.
Likewise for classes and groups.
However, it would not be possible for a single query to specify more than one kind of environment.
For example, it would not be possible to query for both class-level and instance-level artifacts in a single CoSERV transaction.</t>
            <t>All three environment selector types can optionally be enhanced with one or more <tt>measurement-map</tt> entries, which are used to express aspects of the environment state.
See <xref target="secstateful"/> for a description of stateful environments.</t>
            <section anchor="selector-semantics">
              <name>Selector Semantics</name>
              <t>When multiple environment selectors are present in a single query, such as multiple instances or multiple groups, the recipient of the query <bcp14>MUST</bcp14> consider these to be alternatives, and hence use a logical <tt>OR</tt> operation when applying the query to its internal data stores.</t>
              <t>Below is an illustrative example of how a CoSERV query for endorsed values, selecting for multiple Attester instances, might be transformed into a semantically-equivalent SQL database query:</t>
              <sourcecode type="sql"><![CDATA[
SELECT *
  FROM endorsed_values
 WHERE ( instance-id = "At6tvu/erQ==" ) OR
       ( instance-id = "iZl4ZVY=" )`
]]></sourcecode>
              <t>The same applies for class-based selectors; however, since class selectors are themselves composed of multiple inner fields, the recipient of the query <bcp14>MUST</bcp14> use a logical <tt>AND</tt> operation in consideration of the inner fields for each class.</t>
              <t>Also, for class-based selectors, any unset fields in the class are assumed to be wildcard (<tt>*</tt>), and therefore match any value.</t>
              <t>Below is an illustrative example of how a CoSERV query for reference values, selecting for multiple Attester classes, might be transformed into a semantically-equivalent SQL database query:</t>
              <sourcecode type="sql"><![CDATA[
SELECT *
  FROM reference_values
 WHERE ( class-id = "iZl4ZVY=" AND class-vendor = "ACME Inc." ) OR
       ( class-id = "31fb5abf-023e-4992-aa4e-95f9c1503bfa" )
]]></sourcecode>
            </section>
          </section>
          <section anchor="result-type">
            <name>Result Type</name>
            <t>For queries by environment, the <tt>result-type</tt> field selects for the desired type(s) of results: <tt>collected-artifacts</tt> (codepoint 0), <tt>source-artifacts</tt> (codepoint 1) or <tt>both</tt> (codepoint 2).
See <xref target="secaggregation"/> for definitions of source and collected artifacts.</t>
          </section>
        </section>
        <section anchor="queries-by-rim-identifier">
          <name>Queries by RIM Identifier</name>
          <section anchor="rim-selector">
            <name>RIM Selector</name>
            <t>The <tt>rim-selector</tt> (codepoint 3) is the only data field in this style of query.
It contains a set of one or more RIM identifiers.
RIMs can be selected by an arbitrary mixture of CoRIM, CoMID or CoSWID identifiers, as explained in <xref target="secinfoqueryrim"/>.</t>
          </section>
        </section>
      </section>
      <section anchor="result-set-structure">
        <name>Result Set Structure</name>
        <t>The result set structure is given by the following CDDL:</t>
        <sourcecode type="cddl"><![CDATA[
;# import cmw-autogen
;# import comid-autogen

results = {
  ( environment-result // rim-result )
  &(expiry: 10) => tdate ; RFC3339 date
}

environment-result = (
  ; result-type: collectect-artifacts
  result-set //

  ; result-type: source-artifacts
  &(source-artifacts: 11) => [ + cmw.cbor-record ] //

  ; result-type: both
  (
    result-set
    &(source-artifacts: 11) => [ + cmw.cbor-record ]
  )
)

rim-result = (
  &(rims: 5) => cmw.cbor-collection
)

result-set //= reference-values
result-set //= endorsed-values
result-set //= trust-anchors

refval-quad = {
  &(authorities: 1) => [ + comid.$crypto-key-type-choice ]
  &(rv-triple: 2) => comid.reference-triple-record
}

reference-values = (
  &(rvq: 0) => [ * refval-quad ]
)

endval-quad = {
  &(authorities: 1) => [ + comid.$crypto-key-type-choice ]
  &(ev-triple: 2) => comid.endorsed-triple-record
}

cond-endval-quad = {
  &(authorities: 1) => [ + comid.$crypto-key-type-choice ]
  &(ce-triple: 2) => comid.conditional-endorsement-triple-record
}

endorsed-values = (
  &(evq: 1) => [ * endval-quad ]
  &(ceq: 2) => [ * cond-endval-quad ]
)

ak-quad = {
  &(authorities: 1) => [ + comid.$crypto-key-type-choice ]
  &(ak-triple: 2) => comid.attest-key-triple-record
}

cots-stmt = {
  &(authorities: 1) => [ + comid.$crypto-key-type-choice ]
  &(cots: 2) => cots
}

trust-anchors = (
  &(akq: 3) => [ * ak-quad ]
  &(tas: 4) => [ * cots-stmt ]
)

;
; import CoTS
;
cots = "TODO COTS"
]]></sourcecode>
        <t>Result sets are described in <xref target="secinforesults"/>.
As with the query data model, the result set is partitioned into mutually-exclusive variants for the different query styles: queries by environment, or queries by RIM identifier.
The <tt>environment-result</tt> and <tt>rim-result</tt> types provide the separate data models for each style respectively.
Only the <tt>expiry</tt> field (codepoint 10) is common to both styles.</t>
      </section>
      <section anchor="secencoding">
        <name>Encoding Requirements</name>
        <t>Implementations may wish to use serialized CoSERV queries as canonical identifiers for artifact collections.
For example, a Reference Value Provider service may wish the cache the results of a CoSERV query to gain efficiency when responding to a future identical query.
For these use cases to be effective, it is essential that any given CoSERV query is always serialized to the same fixed sequence of CBOR bytes.
Therefore, CoSERV queries <bcp14>MUST</bcp14> always use CBOR deterministic encoding as specified in <xref section="4.2" sectionFormat="of" target="STD94"/>.
Further, CoSERV queries <bcp14>MUST</bcp14> use CBOR definite-length encoding.</t>
      </section>
      <section anchor="signed-coserv">
        <name>Cryptographic Binding Between Query and Result Set</name>
        <t>CoSERV is designed to ensure that any result set passed from a producer to a consumer is precisely the result set that corresponds to the consumer's original query.
This is the reason why the original query is always included along with the result set in the data model.
However, this measure is only sufficient in cases where the conveyance protocol guarantees that CoSERV result sets are always transacted over a secure channel without any untrusted intermediaries.
Wherever this is not the case, producers <bcp14>MUST</bcp14> create an additional cryptographic binding between the query and the result.
This is achieved by transacting the result set within a cryptographic envelope, with a signature added by the producer, which is verified by the consumer.
A CoSERV data object can be signed using COSE <xref target="STD96"/>.
A <tt>signed-coserv</tt> is a <tt>COSE_Sign1</tt> with the following layout:</t>
        <sourcecode type="cddl"><![CDATA[
signed-coserv = #6.18([
  protected: bytes .cbor signed-coserv-protected-hdr
  unprotected: signed-coserv-unprotected-hdr
  payload: bytes .cbor coserv
  signature: bytes
])
]]></sourcecode>
        <t>The payload <bcp14>MUST</bcp14> be the CBOR-encoded CoSERV.</t>
        <sourcecode type="cddl"><![CDATA[
]]></sourcecode>
        <t>The protected header <bcp14>MUST</bcp14> include the signature algorithm identifier.
The protected header <bcp14>MUST</bcp14> include either the content type <tt>application/coserv+cbor</tt> or the CoAP Content-Format TBD1.
Other header parameters <bcp14>MAY</bcp14> be added to the header buckets, for example a <tt>kid</tt> that identifies the signing key.</t>
      </section>
    </section>
    <section anchor="examples">
      <name>Examples</name>
      <section anchor="query-data-examples">
        <name>Query Data Examples</name>
        <t>This section provides some illustrative examples of valid CoSERV query objects.</t>
        <t>The following example shows an environment-based query for Reference Values scoped by a single class.
The <tt>artifact-type</tt> is set to 2 (<tt>reference-values</tt>), indicating a query for Reference Values.
The <tt>profile</tt> is given the example value of <tt>tag:example.com,2025:cc-platform#1.0.0</tt>.
Finally, the <tt>environment-selector</tt> uses the key 0 to select for class, and the value contains a single entry with illustrative settings for the identifier, vendor and model.</t>
        <sourcecode type="edn"><![CDATA[
{
  / profile / 0: "tag:example.com,2025:cc-platform#1.0.0",
  / query /   1: {
    / artifact-type /         0: 2, / reference-values /
    / environment-selector /  1: {
      / class / 0: [ [
        {
          / class-id /  0: 560(h'00112233'),  / tagged-bytes /
          / vendor /    1: "Example Vendor",
          / model /     2: "Example Model"
        }
      ] ]
    },
    / result-type / 2: 1 / source-artifacts /
  }
}
]]></sourcecode>
        <t>The next example is similar, but adds a second entry to the set of classes in the <tt>environment-map</tt>, showing how multiple classes can be queried at the same time.</t>
        <sourcecode type="edn"><![CDATA[
{
  / profile / 0: "tag:example.com,2025:cc-platform#1.0.0",
  / query /   1: {
    / artifact-type /         0: 2, / reference-values /
    / environment-selector /  1: {
      / class / 0: [
        [ {
          / class-id /  0: 560(h'8999786556'),  / tagged-bytes /
          / vendor /    1: "Example Vendor",
          / model /     2: "Example Model"
        } ],
        [ {
          / class-id /  0:
            37(h'31FB5ABF023E4992AA4E95F9C1503BFA')  / UUID /
        } ]
      ]
    },
    / result-type / 2: 2 / both collected and source artifacts /
  }
}
]]></sourcecode>
        <t>The following example shows a query for Reference Values scoped by instance.
Again, the <tt>artifact-type</tt> is set to 2, and <tt>profile</tt> is given a demonstration value. The <tt>environment-selector</tt> now uses the key 1 to select for instances, and the value contains two entries with example instance identifiers.</t>
        <sourcecode type="edn"><![CDATA[
{
  / profile / 0: "tag:example.com,2025:cc-platform#1.0.0",
  / query /   1: {
    / artifact-type / 0: 2, / reference-values /
    / environment-selector /  1: {
      / instance / 1: [
        [ 550(h'02DEADBEEFDEAD') ], / UEID /
        [ 560(h'8999786556') ]      / tagged-bytes /
      ]
    },
    / result-type / 2: 0 / collected artifacts /
  }
}
]]></sourcecode>
        <t>This next example shows how a query can be based on one or more RIM identifiers, instead of environments.
In this case, the query is requesting three specific CoRIMs.</t>
        <sourcecode type="edn"><![CDATA[
{
  / profile / 0: "tag:example.com,2025:cc-platform#1.0.0",
  / query / 1: {
    3: [
      [ / corim / 2, "corim-acme-gizmo-1.0.0" ],
      [ / corim / 2, "corim-acme-gizmo-1.2.0" ],
      [ / corim / 2, "corim-acme-gizmo-2.0.0" ]
    ]
  }
}
]]></sourcecode>
      </section>
      <section anchor="result-data-examples">
        <name>Result Data Examples</name>
        <t>This section provides some illustrative examples of valid CoSERV queries with their corresponding result sets.</t>
        <t>In this next example, the query is a reference value query based on class.</t>
        <t>The top-level structure is a map with three entries: <tt>profile</tt> (codepoint 0), <tt>query</tt> (codepoint 1) and <tt>results</tt> (codepoint 2).</t>
        <t>The profile and query structures are the same as in the previous examples.
The result structure is a map with two entries: <tt>expiry</tt> (codepoint 10) and <tt>rvq</tt> (codepoint 0).
The <tt>rvq</tt> (reference value quad) entry comprises the asserting authority and the asserted triples.
A single reference-value triple is shown in this example.
Its <tt>environment-map</tt>, as expected, is the same as the <tt>environment-map</tt> that was supplied in the query.
The rest of the structure is the <tt>measurement-map</tt> as defined in CoRIM <xref target="I-D.ietf-rats-corim"/>.</t>
        <sourcecode type="edn"><![CDATA[
{
  / profile / 0: "tag:example.com,2025:cc-platform#1.0.0",
  / query / 1: {
    0: 2,
    1: {
      0: [ [
        {
          0: 560(h'8999786556')
        }
      ] ]
    },
    2: 0
  },
  / results / 2: {
    0: [
      {
        1: [ 560(h'abcdef') ],
        2: [
          {
            0: {
              0: 560(h'8999786556')
            }
          },
          [
            {
              0: 37(h'31FB5ABF023E4992AA4E95F9C1503BFA'),
              1: {
                / version / 0: {
                  0: "1.2.3",
                  1: 16384
                },
                / svn / 1: 553(2)
              }
            }
          ]
        ]
      }
    ],
    10: 0("2030-12-13T18:30:02Z")
  }
}
]]></sourcecode>
        <t>The following example is for a query that requested the results be provided in the "source artifacts" format.
This means one or more original signed manifests containing information that satisfies the query criteria.</t>
        <t>Compared with the previous example, the <tt>rvq</tt> entry is empty, while the <tt>source-artifacts</tt> (codepoint 11) contain two CMW records <xref target="I-D.ietf-rats-msg-wrap"/>, each of which contains a (made up) manifest with the type "application/vnd.example.refvals".</t>
        <sourcecode type="edn"><![CDATA[
{
  / profile / 0: "tag:example.com,2025:cc-platform#1.0.0",
  / query /   1: {
    / artifact-type /         0: 2, / reference-values /
    / environment-selector /  1: {
      / class / 0: [ [
        {
          / class-id /  0: 560(h'00112233'),  / tagged-bytes /
          / vendor /    1: "Example Vendor",
          / model /     2: "Example Model"
        }
      ] ]
    },
    / result-type / 2: 1 / source-artifacts /
  },
  / results / 2: {
    / expiry / 10: 0("2030-12-13T18:30:02Z"),
    / source artifacts / 11: [
      [ "application/vnd.example.refvals", h'afaeadac' ],
      [ "application/vnd.example.refvals", h'adacabaa' ]
    ]
  }
}
]]></sourcecode>
        <t>This next example shows how a query can be based on one or more RIM identifiers, instead of environments.
In this case, the query is requesting three specific CoRIMs.
The corresponding result set consequently has three entries.
Each key in the result map corresponds to one of the RIM identifiers that was specified in the query.
For brevity, the actual RIM content is represented here simply as an array of a single byte.
In real-world situations, these arrays would contain complete CMW encodings as described in <xref target="secinforesultsrim"/>.</t>
        <sourcecode type="edn"><![CDATA[
{
  / profile / 0: "tag:example.com,2025:cc-platform#1.0.0",
  / query / 1: {
    3: [
      [ / corim / 2, "corim-acme-gizmo-1.0.0" ],
      [ / corim / 2, "corim-acme-gizmo-1.2.0" ],
      [ / corim / 2, "corim-acme-gizmo-2.0.0" ]
    ]
  },
  / results / 2: {
    5: {
      "corim-acme-gizmo-1.0.0": [
        "application/rim+cose",
        h'aa'
      ],
      "corim-acme-gizmo-1.2.0": [
        "application/rim+cose",
        h'bb'
      ],
      "corim-acme-gizmo-2.0.0": [
        "application/rim+cose",
        h'cc'
      ]
    }
    10: 0("2030-12-13T18:30:02Z")
  }
}
]]></sourcecode>
      </section>
    </section>
    <section anchor="secapibindings">
      <name>API Bindings</name>
      <t>This section sets out the ways in which CoSERV queries and responses can be exchanged between software components and services using APIs.
The CoSERV data format itself is agnostic of any particular API model or transport.
The API bindings provided here are intended to complement the data format.
They will allow implementations to build the complete functionality of a CoSERV producer or consumer, in a way that is well-suited to any transport or interaction model that is needed.</t>
      <t>It is intended that these API definitions carry minimal additional semantics, since these are largely the preserve of the CoSERV query language itself.
The API definitions are merely vehicles for the exchange of CoSERV queries and responses.
Their purpose is to facilitate standard interactions that make the most effective use of available transports and protocols.</t>
      <t>The only API binding that is specified in this document is a request-response protocol that uses HTTP for transport.
This is a simple pattern, and likely to be a commonly occurring one for a variety of use cases.
Future specifications may define other API bindings.
Such future bindings may introduce further HTTP-based protocols.
Alternatively, they may define protocols for use with other transports, such as CoAP <xref target="RFC7252"/>.</t>
      <section anchor="secrrapi">
        <name>Request Response over HTTP</name>
        <t>This section defines and mandates the API endpoint behaviours for CoSERV request-response transactions over HTTP.
Implementations <bcp14>MUST</bcp14> provide all parts of the API as specified in this section.
The API is a simple protocol for the execution of CoSERV queries.
It takes a single CoSERV query as input, and produces a corresponding single CoSERV result set as the output.
It is a RESTful API because the CoSERV query serves as a unique and stable identifier of the target resource, where that resource is the set of artifacts being selected for by the query.
The encoding rules for CoSERV are deterministic as set out in <xref target="secencoding"/>.
This means that any given CoSERV query will always encode to the same sequence of bytes.
The Base64Url encoding (<xref section="2" sectionFormat="of" target="RFC7515"/>) of the byte sequence becomes the rightmost path segment of the URI used to identify the target resource.
The <tt>GET</tt> method is then used with this URI to execute the query.
Further details are provided in the subsections below.</t>
        <t>Authentication is out of scope for this document.
Implementations <bcp14>MAY</bcp14> authenticate clients, for example for authorization or for preventing denial of service attacks.</t>
        <section anchor="secrrapierrors">
          <name>Errors</name>
          <t>For error responses (4xx or 5xx status codes), the <tt>Content-Type</tt> header field <bcp14>MUST</bcp14> be <tt>application/concise-problem-details+cbor</tt>, and the content <bcp14>MUST</bcp14> be a Concise Problem Details object <xref target="RFC9290"/> containing the following:</t>
          <dl newline="true">
            <dt>title:</dt>
            <dd>
              <t>A human-readable string that identifies the error that prevented the CoSERV Service from processing the request.
This string should be short and suitable for inclusion in log messages.</t>
            </dd>
            <dt>detail:</dt>
            <dd>
              <t>A human-readable string that describes the error in more depth.
This should ideally provide sufficient detail to enable the error to be rectified.</t>
            </dd>
          </dl>
        </section>
        <section anchor="secrrapidisco">
          <name>Discovery</name>
          <t>Clients discover CoSERV HTTP API endpoints by means of a well-known URI that is formed using the <tt>/.well-known/</tt> path prefix as defined in <xref target="RFC8615"/>.
This URI supplies a single discovery document that clients can use to locate the URIs of other API endpoints, in addition to finding out other relevant information about the configuration and capabilities of the service.</t>
          <t>Implementations that provide CoSERV HTTP API endpoints <bcp14>MUST</bcp14> also provide the discovery endpoint at the path <tt>/.well-known/coserv-configuration</tt>.
This endpoint <bcp14>MUST</bcp14> be accessible via GET with no additional query parameters.</t>
          <t>The response content can be formatted using either JSON <xref target="STD90"/> or CBOR, governed by standard HTTP content negotiation (<xref section="12" sectionFormat="of" target="STD97"/>).
The media types defined for this purpose are <tt>application/coserv-discovery+json</tt> (for JSON-formatted documents) or <tt>application/coserv-discovery+cbor</tt> (for CBOR-formatted documents).
If the client presents any media type other than these two options in its HTTP <tt>Accept</tt> header, the implementation <bcp14>SHOULD</bcp14> respond with an HTTP 406 (Not Acceptable) status code.
If the client presents one of the two valid media types, then the implementation <bcp14>MUST</bcp14> respond with the HTTP 200 (OK) status code, unless it is prevented from doing so by an error condition beyond the scope of this specification.
When the 200 (OK) status code is returned, the response <bcp14>MUST</bcp14> contain exactly one discovery document in the requested format (JSON or CBOR).
The contents of the discovery document <bcp14>MUST</bcp14> conform to the CDDL data model given below, which is common to both the JSON and CBOR encodings.</t>
          <sourcecode type="cddl"><![CDATA[
;# import rfc9711 as eat
;# import cmw-autogen as cmw
;# import rfc9052 as cose
;# import jwk-autogen as jwk

coserv-well-known-info = {
  version-label => version,
  capabilities-label => [ + capability ],
  api-endpoints-label => { + tstr => tstr },
  ? result-verification-key-label =>
    eat.JC<jwk.JWK_Set, cose.COSE_KeySet>
}

version-label = eat.JC<"version", 1>
capabilities-label = eat.JC<"capabilities", 2>
api-endpoints-label = eat.JC<"api-endpoints", 3>
result-verification-key-label = eat.JC<"result-verification-key", 4>

version = tstr

capability = {
  media-type-label => cmw.media-type,
  artifact-support-label => artifact-support
}

media-type-label = eat.JC<"media-type", 1>
artifact-support-label = eat.JC<"artifact-support", 2>

non-empty-array<M> = (M) .and ([ + any ])
artifact-support = non-empty-array<[
  ? "source",
  ? "collected",
  ? "rims"
]>
]]></sourcecode>
          <section anchor="discovery-document-contents">
            <name>Discovery Document Contents</name>
            <t>This section defines how to populate and interpret the data fields in the discovery document.</t>
            <t>The collated CDDL is in <xref target="collated-cddl-discovery"/>.</t>
            <section anchor="version">
              <name>Version</name>
              <t>The version field is denoted by the label <tt>"version"</tt> in JSON documents and by the codepoint <tt>1</tt> in CBOR documents.
It is a Semantic Versioning (semver) string, which denotes the version and patch level of the service that is providing the API endpoints described by the document.
The semver string <bcp14>MUST</bcp14> conform to the ABNF defined in <xref target="SEMVER"/>.
Version numbers and patch levels are otherwise implementation-defined.</t>
            </section>
            <section anchor="capabilities">
              <name>Capabilities</name>
              <t>The capabilities field is denoted by the label <tt>"capabilities"</tt> in JSON documents and by the codepoint <tt>2</tt> in CBOR documents.
This field allows clients to discover the profiled variants of CoSERV for which the service implementation can satisfy queries and provide artifacts.
This field is structured as an array, which allows for service implementations that support more than one profile.
Each supported profile is indicated according to its parameterized media type, along with the categories of artifact that can be provided for the profile.
The permitted artifact categories are <tt>"source"</tt>, <tt>"collected"</tt> and <tt>"rims"</tt>.</t>
              <t>The two categories <tt>"source"</tt> and <tt>"collected"</tt> refer specifically to the results of queries that are based on environments.
The presence of either or both of these two categories in the array indicates that the service implementation supports environment-based queries, as described in <xref target="secinfoqueryenv"/>.
The difference between source and collected artifacts is explained in <xref target="secartifacts"/>.</t>
              <t>The category <tt>"rims"</tt> refers to the results of queries that are based on RIM identifiers.
The presence of this category indicates that the service implementation supports identifier-based queries, as described in <xref target="secinfoqueryrim"/>.</t>
              <t>Each profile is paired with a non-empty set of artifact categories, allowing the service implementation to indicate the ways in which it can satisfy queries.
This pairing caters for situations where the service implementation might support different combinations of artifact category for different profiles.</t>
            </section>
            <section anchor="api-endpoints">
              <name>API Endpoints</name>
              <t>The API endpoints field is denoted by the label <tt>"api-endpoints"</tt> in JSON documents and by the codepoint <tt>3</tt> in CBOR documents.
This field allows clients to derive the correct URL for making HTTP API calls.
The field is a map whose keys are the symbolic names of the APIs, and whose values are the URL path for the API endpoint.</t>
              <t>The symbolic name <tt>CoSERVRequestResponse</tt> is defined for services that offer the transactional API described in <xref target="secrrapiquery"/>.
Service implementations that offer this API <bcp14>MUST</bcp14> include a key with this name in the endpoints map field, and the corresponding endpoint URL path <bcp14>MUST</bcp14> end with <tt>/{query}</tt>.
This allows the consumer to form a valid CoSERV query URI using variable expansion as per <xref target="RFC6570"/>, replacing the <tt>{query}</tt> variable with the Base64Url-encoded CoSERV query object.
There <bcp14>MUST NOT</bcp14> be any other variables that require substitution.</t>
            </section>
            <section anchor="result-verification-key">
              <name>Result Verification Key</name>
              <t>The result verification key is denoted by the label <tt>"result-verification-key"</tt> in JSON documents and by the codepoint <tt>4</tt> in CBOR documents.
This field provides one or more public keys that can be used for the cryptographic verification of CoSERV query results that are returned by the service implementation.
In JSON-formatted discovery documents, each key is a JSON Web Key (JWK) as defined in <xref target="RFC7517"/>.
In CBOR-formatted discovery documents, each key is a COSE Key as defined in <xref target="STD96"/>.</t>
              <t>This field is optional.
As described in <xref target="signed-coserv"/>, there are situations where it is permissible for CoSERV result sets to be unsigned, namely when they are transacted over an end-to-end secure channel without any untrusted intermediaries.
CoSERV service implementations <bcp14>MAY</bcp14> publish discovery documents without result-verification keys in cases where they exclusively produce unsigned CoSERV result sets.
Unsigned CoSERV result sets are characterized by use of the <tt>application/coserv+cbor</tt> media type (as opposed to the <tt>application/coserv+cose</tt> media type).
The supported media types, along with their profile parameters, are published in the <tt>capabilities</tt> field of the discovery document.
If all supported media types are variants of <tt>application/coserv+cbor</tt>, indicating unsigned results only, then there is no need for the verification key set to be included in the discovery document.
If one or more of the supported media types are variants of <tt>application/coserv+cose</tt>, indicating signed results, then the verification key set <bcp14>MUST</bcp14> be included.</t>
            </section>
          </section>
          <section anchor="discovery-document-cbor-encoding">
            <name>Discovery Document CBOR Encoding</name>
            <t>When the discovery document is encoded as CBOR, it is exempt from the encoding rules specified in <xref target="secencoding"/>.
These encoding rules are designed to ensure that CoSERV queries can be used as canonical and stable identifiers.
The discovery document is an independent structure, and not part of the CoSERV data model itself.
Therefore, these encoding rules do not apply.</t>
          </section>
          <section anchor="discovery-document-examples">
            <name>Discovery Document Examples</name>
            <t>The contents of the responses in the following examples are for illustrative purposes only.</t>
            <t>Example HTTP request for retrieving the discovery document in JSON format:</t>
            <sourcecode type="http-message"><![CDATA[
GET /.well-known/coserv-configuration HTTP/1.1
Host: endorsements-distributor.example
Accept: application/coserv-discovery+json
]]></sourcecode>
            <t>Corresponding HTTP response:</t>
            <sourcecode type="http-message"><![CDATA[
HTTP/1.1 200 OK
Content-Type: application/coserv-discovery+json

Content (JSON)

=============== NOTE: '\' line wrapping per RFC 8792 ================

{
  "version": "1.2.3-beta",
  "capabilities": [
    {
      "media-type": "application/coserv+cose; profile=\"tag:vendor.\
                                       com,2025:cc_platform#1.0.0\"",
      "artifact-support": [
        "source",
        "collected"
      ]
    }
  ],
  "api-endpoints": {
    "CoSERVRequestResponse": "/endorsement-distribution/v1/coserv/{\
                                                              query}"
  },
  "result-verification-key": [
    {
      "alg": "ES256",
      "crv": "P-256",
      "kty": "EC",
      "x": "usWxHK2PmfnHKwXPS54m0kTcGJ90UiglWiGahtagnv8",
      "y": "IBOL-C3BttVivg-lSreASjpkttcsz-1rb7btKLv8EX4",
      "kid": "key1"
    }
  ]
}
]]></sourcecode>
            <t>Example HTTP request for retrieving the discovery document in CBOR format:</t>
            <sourcecode type="http-message"><![CDATA[
GET /.well-known/coserv-configuration HTTP/1.1
Host: endorsements-distributor.example
Accept: application/coserv-discovery+cbor
]]></sourcecode>
            <t>Corresponding HTTP response:</t>
            <sourcecode type="http-message"><![CDATA[
HTTP/1.1 200 OK
Content-Type: application/coserv-discovery+cbor

Content (in CBOR Extended Diagnostic Notation (EDN))

=============== NOTE: '\' line wrapping per RFC 8792 ================

{
  / version / 1: "1.2.3-beta",
  / capabilities / 2: [
    {
      / media-type / 1: "application/coserv+cose; profile=\"tag:\
                                vendor.com,2025:cc_platform#1.0.0\"",
      / artifact-support / 2: [
        "source",
        "collected"
      ]
    }
  ],
  / api-endpoints / 3: {
    "CoSERVRequestResponse": "/endorsement-distribution/v1/coserv/{\
                                                              query}"
  },
  / result-verification-key / 4: [
    {
      / kty / 1: 2,
      / alg / 3: -7,
      / crv / -1: 1,
      / x / -2: h'1A2B3C4D',
      / y / -3: h'5E6F7A8B',
      / kid / 2: h'ABCDEF1234'
    }
  ]
}
]]></sourcecode>
          </section>
        </section>
        <section anchor="secrrapiquery">
          <name>Execute Query</name>
          <t>This endpoint executes a single CoSERV query and returns a CoSERV result set.</t>
          <t>The HTTP method is <tt>GET</tt>.</t>
          <t>The URL path is formed of the discovered <tt>coserv</tt> endpoint (as set out in <xref target="secrrapidisco"/>), where the <tt>{query}</tt> template variable is substituted with the CoSERV query to be executed, which is represented as a Base64Url encoding of the query's serialized CBOR byte sequence.</t>
          <t>There are no additional URL query parameters.</t>
          <t>Clients <bcp14>MUST</bcp14> set the <tt>Accept</tt> header field to a suitably-profiled <tt>application/coserv+cose</tt> or <tt>application/coserv+cbor</tt> media type.</t>
          <t>Endpoint implementations <bcp14>MUST</bcp14> respond with an HTTP status code and content according to one of the subheadings below.</t>
          <section anchor="responses">
            <name>Responses</name>
            <section anchor="successful-transaction-200">
              <name>Successful Transaction (200)</name>
              <t>This response indicates that the CoSERV query was executed successfully.</t>
              <t>Example HTTP request:</t>
              <sourcecode type="http-message"><![CDATA[
# NOTE: '\' line wrapping per RFC 8792

GET /coserv/ogB4I3R... HTTP/1.1
Host: endorsements-distributor.example
Accept: application/coserv+cose; \
        profile="tag:vendor.com,2025:cc_platform#1.0.0"
]]></sourcecode>
              <t>Example HTTP response:</t>
              <sourcecode type="http-message"><![CDATA[
# NOTE: '\' line wrapping per RFC 8792

HTTP/1.1 200 OK
Content-Type: application/coserv+cose; \
              profile="tag:vendor.com,2025:cc_platform#1.0.0"

Content (in CBOR Extended Diagnostic Notation (EDN))

/ signed-coserv / 18([
  / protected / << {
    / alg / 1: -7 / ECDSA 256 /,
    / cty / 2 : "application/coserv+cbor"
  } >>,
  / unprotected / {},
  / payload / <<
{
  / profile / 0: "tag:example.com,2025:cc-platform#1.0.0",
  / query /   1: {
    / artifact-type /         0: 2, / reference-values /
    / environment-selector /  1: {
      / class / 0: [ [
        {
          / class-id /  0: 560(h'00112233'),  / tagged-bytes /
          / vendor /    1: "Example Vendor",
          / model /     2: "Example Model"
        }
      ] ]
    },
    / result-type / 2: 0 / collected-artifacts /
  },
  / results / 2: {
    / rvq / 0: [
      {
        / authorities / 1: [ 560(h'abcdef') ],
        / reference-triple / 2: [
          / environment-map / {
            / class / 0: {
              / class-id /  0: 560(h'00112233'),
              / vendor /    1: "Example Vendor",
              / model /     2: "Example Model"
            }
          },
          [
            / measurement-map / {
              / mval / 1: {
                / digests / 2: [
                  [ 1, h'aa' ],
                  [ 2, h'bb' ]
                ],
                / name / 11: "Component A"
              }
            },
            / measurement-map / {
              / mval / 1: {
                / digests / 2: [
                  [ 1, h'cc' ],
                  [ 2, h'dd' ]
                ],
                / name / 11: "Component B"
              }
            }
          ]
        ]
      }
    ],
    / expiry / 10: 0("2030-12-13T18:30:02Z")
  }
}
  >>,
  / signature / h'face5190'
])
]]></sourcecode>
            </section>
            <section anchor="failure-to-validate-query-400">
              <name>Failure to Validate Query (400)</name>
              <t>This response indicates that the supplied query is badly formed.</t>
              <t>Example HTTP request:</t>
              <sourcecode type="http-message"><![CDATA[
# NOTE: '\' line wrapping per RFC 8792

GET /coserv/badquery... HTTP/1.1
Host: endorsements-distributor.example
Accept: application/coserv+cose; \
        profile="tag:vendor.com,2025:cc_platform#1.0.0"
]]></sourcecode>
              <t>Example HTTP response:</t>
              <sourcecode type="http-message"><![CDATA[
# NOTE: '\' line wrapping per RFC 8792

HTTP/1.1 400 Bad Request
Content-Type: application/concise-problem-details+cbor

Content (in CBOR Extended Diagnostic Notation (EDN))

{
  / title /  -1: "Query validation failed",
  / detail / -2: "The query payload is not in CBOR format"
}
]]></sourcecode>
            </section>
            <section anchor="failure-to-negotiate-profile-406">
              <name>Failure to Negotiate Profile (406)</name>
              <t>This response indicates that the client has specified a CoSERV profile that is not understood or serviceable by the receiving endpoint implementation.</t>
              <t>Example HTTP request:</t>
              <sourcecode type="http-message"><![CDATA[
# NOTE: '\' line wrapping per RFC 8792

GET /coserv/ogB4I3R... HTTP/1.1
Host: endorsements-distributor.example
Accept: application/coserv+cose; \
        profile="tag:vendor.com,2025:cc_platform#2.0.0"
]]></sourcecode>
              <t>Example HTTP response:</t>
              <sourcecode type="http-message"><![CDATA[
# NOTE: '\' line wrapping per RFC 8792

HTTP/1.1 406 Not Acceptable
Content-Type: application/concise-problem-details+cbor

Content (in CBOR Extended Diagnostic Notation (EDN))

{
  / title /  -1: "Unsupported profile",
  / detail / -2: "Profile tag:vendor.com,2025:cc_platform#2.0.0 \
                  not supported",
}
]]></sourcecode>
            </section>
          </section>
          <section anchor="too-many-requests-429">
            <name>Too Many Requests (429)</name>
            <t>A server could apply rate limiting to requests received from clients.
This is a common practice for services that require significant processing power to generate a response, such as a CoSERV endpoint.
If this is the case, and a client exceeds their request quota, the server can return a 429 (Too Many Requests) response.
The response headers <bcp14>MAY</bcp14> include a <tt>Retry-After</tt> header field indicating how long the client should wait before making a new request.</t>
            <t>Example HTTP request:</t>
            <sourcecode type="http-message"><![CDATA[
# NOTE: '\' line wrapping per RFC 8792

GET /coserv/ogB4I3R... HTTP/1.1
Host: endorsements-distributor.example
Accept: application/coserv+cose; \
        profile="tag:vendor.com,2025:cc_platform#1.0.0"
]]></sourcecode>
            <t>Example HTTP response:</t>
            <sourcecode type="http-message"><![CDATA[
# NOTE: '\' line wrapping per RFC 8792

HTTP/1.1 429 Too Many Requests
Content-Type: application/concise-problem-details+cbor
Retry-After: 120

Content (in CBOR Extended Diagnostic Notation (EDN))

{
  / title /  -1: "Too many requests",
  / detail / -2: "You're doing that too often! Try again in 2 minutes",
}
]]></sourcecode>
          </section>
        </section>
        <section anchor="secrrapicaching">
          <name>Caching</name>
          <t>In practical usage, the artifacts transacted via CoSERV queries (such as trust anchors and reference values) may change significantly less often than they are used.
For example, a Verifier needs to use the artifacts whenever it needs to verify or appraise Evidence from an Attester.
This might be a very frequent operation, for which a low latency is desirable.
By contrast, the artifacts themselves would vary only as a consequence of impactful changes to the Attester's desired state or environment.
One example of such an impactful change might be the roll-out of a firmware update, which would result in a new reference value for the impacted firmware component(s).
Such changes would tend to be relatively infrequent.
The caching of CoSERV artifacts is therefore beneficial for overall system performance.</t>
          <t>CoSERV is designed to facilitate both client-side and server-side caching by use of the standard HTTP caching mechanisms specified in <xref target="STD98"/>.
This includes use of the <tt>Cache-Control</tt> header field and its associated directives.
It also includes the use of entity-tags (ETags).
The following features of CoSERV and its HTTP binding are specifically designed to favor caching implementations:</t>
          <ul spacing="normal">
            <li>
              <t>CoSERV queries form stable URL paths.
As specified in <xref target="secencoding"/>, any given CoSERV query will always serialize to the same fixed sequence of bytes.
This allows queries to be used as canonical and stable resource identifiers, which in turn allows them to function effectively as cache keys.</t>
            </li>
            <li>
              <t>The result set is cryptographically bound to the query.
As specified in <xref target="signed-coserv"/>, the origin server is required to return a signed response that combines the result set with the client's original query, in any deployment where untrusted intermediaries might exist.
This means that the client can always verify the integrity of the result on an end-to-end basis, even in the presence of caching infrastructure.</t>
            </li>
            <li>
              <t>Only safe HTTP methods are used.
CoSERV queries are executed as read-only operations using HTTP <tt>GET</tt>.
The execution of a query does not modify any state on the server, which creates more opportunities for the re-use of cached results.</t>
            </li>
          </ul>
          <t>Although reusing cached responses is generally desirable, clients that need to bypass the caching infrastructure can do so by specifying <tt>Cache-Control: no-cache</tt> in their requests.</t>
          <section anchor="http-caching-and-result-set-expiry">
            <name>HTTP Caching and Result Set Expiry</name>
            <t>CoSERV's data model includes a mandatory expiration timestamp on every result set.
This is an authoritative marker of the point in time at which the entire result set becomes invalid, and the query must be re-executed to obtain fresh results.
This timestamp is established by the origin server.</t>
            <t>In the presence of HTTP caching infrastructure, the origin server <bcp14>MUST NOT</bcp14> set HTTP cache directives (e.g. <tt>Cache-Control: max-age</tt>, <tt>Expires</tt>) such that the freshness lifetime of the HTTP response exceeds the result set expiry timestamp contained within the CoSERV results.</t>
          </section>
          <section anchor="example-http-messages-with-caching">
            <name>Example HTTP Messages with Caching</name>
            <t>This section illustrates a caching scenario.</t>
            <t>In this example, the CoSERV HTTP API server endpoint is hosted by an HTTP origin (coserv.example), while a reverse proxy (cache.example) operates a public cache in front of the origin.</t>
            <t>Client A sends a request using a specific CoSERV query.
As the reverse proxy has a "cache miss" for the resource, it forwards the request to the origin.
The origin then constructs the response and returns it to the proxy.
The response includes cache-control headers that are compatible with the time-to-live associated with the computed result set.
For the purposes of this example, the HTTP response <tt>max-age</tt> has been set to 10 minutes and the <tt>s-maxage</tt> to 1 hour.
This means that the origin allows intermediaries (e.g., its CDN) to cache this resource for longer than the client.
The result is different caching behaviours between clients and intermediaries, which reduces the load on the origin by enabling CDNs to cache content for longer, while ensuring that clients receive fresher content.
Before forwarding it to the client, the proxy stores the response in its cache using the request URI as the cache key alongside the entry's time-to-live value.</t>
            <aside>
              <t>This "differential caching" strategy could be useful if the origin and its CDN have control plane APIs that the origin owner can use to instruct the CDN operator to purge certain cached entries <xref target="RFC8007"/>. For instance, in CoSERV, this feature could be used in case of an unexpected revocation.</t>
            </aside>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="576" width="576" viewBox="0 0 576 576" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 40,64 L 40,560" fill="none" stroke="black"/>
                  <path d="M 200,64 L 200,96" fill="none" stroke="black"/>
                  <path d="M 224,112 L 224,560" fill="none" stroke="black"/>
                  <path d="M 248,64 L 248,96" fill="none" stroke="black"/>
                  <path d="M 408,80 L 408,560" fill="none" stroke="black"/>
                  <path d="M 216,48 L 232,48" fill="none" stroke="black"/>
                  <path d="M 216,80 L 232,80" fill="none" stroke="black"/>
                  <path d="M 216,112 L 232,112" fill="none" stroke="black"/>
                  <path d="M 40,144 L 216,144" fill="none" stroke="black"/>
                  <path d="M 224,160 L 248,160" fill="none" stroke="black"/>
                  <path d="M 232,192 L 248,192" fill="none" stroke="black"/>
                  <path d="M 224,256 L 400,256" fill="none" stroke="black"/>
                  <path d="M 408,272 L 432,272" fill="none" stroke="black"/>
                  <path d="M 416,304 L 432,304" fill="none" stroke="black"/>
                  <path d="M 232,384 L 408,384" fill="none" stroke="black"/>
                  <path d="M 224,432 L 248,432" fill="none" stroke="black"/>
                  <path d="M 232,464 L 248,464" fill="none" stroke="black"/>
                  <path d="M 48,544 L 224,544" fill="none" stroke="black"/>
                  <path d="M 216,48 C 207.16936,48 200,55.16936 200,64" fill="none" stroke="black"/>
                  <path d="M 232,48 C 240.83064,48 248,55.16936 248,64" fill="none" stroke="black"/>
                  <path d="M 408,48 C 399.16936,48 392,55.16936 392,64" fill="none" stroke="black"/>
                  <path d="M 408,48 C 416.83064,48 424,55.16936 424,64" fill="none" stroke="black"/>
                  <path d="M 216,80 C 207.16936,80 200,72.83064 200,64" fill="none" stroke="black"/>
                  <path d="M 232,80 C 240.83064,80 248,72.83064 248,64" fill="none" stroke="black"/>
                  <path d="M 408,80 C 399.16936,80 392,72.83064 392,64" fill="none" stroke="black"/>
                  <path d="M 408,80 C 416.83064,80 424,72.83064 424,64" fill="none" stroke="black"/>
                  <path d="M 216,112 C 207.16936,112 200,104.83064 200,96" fill="none" stroke="black"/>
                  <path d="M 232,112 C 240.83064,112 248,104.83064 248,96" fill="none" stroke="black"/>
                  <path d="M 248,160 C 256.83064,160 264,167.16936 264,176" fill="none" stroke="black"/>
                  <path d="M 248,192 C 256.83064,192 264,184.83064 264,176" fill="none" stroke="black"/>
                  <path d="M 432,272 C 440.83064,272 448,279.16936 448,288" fill="none" stroke="black"/>
                  <path d="M 432,304 C 440.83064,304 448,296.83064 448,288" fill="none" stroke="black"/>
                  <path d="M 248,432 C 256.83064,432 264,439.16936 264,448" fill="none" stroke="black"/>
                  <path d="M 248,464 C 256.83064,464 264,456.83064 264,448" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="424,304 412,298.4 412,309.6" fill="black" transform="rotate(180,416,304)"/>
                  <polygon class="arrowhead" points="408,256 396,250.4 396,261.6" fill="black" transform="rotate(0,400,256)"/>
                  <polygon class="arrowhead" points="240,464 228,458.4 228,469.6" fill="black" transform="rotate(180,232,464)"/>
                  <polygon class="arrowhead" points="240,384 228,378.4 228,389.6" fill="black" transform="rotate(180,232,384)"/>
                  <polygon class="arrowhead" points="240,192 228,186.4 228,197.6" fill="black" transform="rotate(180,232,192)"/>
                  <polygon class="arrowhead" points="224,144 212,138.4 212,149.6" fill="black" transform="rotate(0,216,144)"/>
                  <polygon class="arrowhead" points="56,544 44,538.4 44,549.6" fill="black" transform="rotate(180,48,544)"/>
                  <circle cx="40" cy="64" r="6" class="opendot" fill="white" stroke="black"/>
                  <g class="text">
                    <text x="28" y="36">client</text>
                    <text x="64" y="36">A</text>
                    <text x="224" y="36">cache.example</text>
                    <text x="412" y="36">coserv.example</text>
                    <text x="80" y="132">GET</text>
                    <text x="144" y="132">ogB4I3RhZ..</text>
                    <text x="312" y="148">lookup(obB4I3RhZ..)</text>
                    <text x="252" y="212">MISS</text>
                    <text x="264" y="244">GET</text>
                    <text x="328" y="244">ogB4I3RhZ..</text>
                    <text x="488" y="276">compute</text>
                    <text x="484" y="292">result</text>
                    <text x="472" y="308">set</text>
                    <text x="256" y="324">200</text>
                    <text x="284" y="324">OK</text>
                    <text x="448" y="324">(expiry</text>
                    <text x="488" y="324">=</text>
                    <text x="512" y="324">now</text>
                    <text x="536" y="324">+</text>
                    <text x="560" y="324">1h)</text>
                    <text x="260" y="340">C-C:</text>
                    <text x="332" y="340">max-age=600,</text>
                    <text x="336" y="356">s-maxage=3600</text>
                    <text x="292" y="372">#6.18([...])</text>
                    <text x="316" y="420">store(K=obB4I3RhZ..,</text>
                    <text x="340" y="436">V=#6.18([...],</text>
                    <text x="320" y="452">TTL=3600)</text>
                    <text x="72" y="484">200</text>
                    <text x="100" y="484">OK</text>
                    <text x="76" y="500">C-C:</text>
                    <text x="148" y="500">max-age=600,</text>
                    <text x="152" y="516">s-maxage=3600</text>
                    <text x="108" y="532">#6.18([...])</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
client A             cache.example          coserv.example
                         .---.                   .-.
    o                   |     |                 |   |
    |                   |'---'|                  '+'
    |                   |     |                   |
    |                    '-+-'                    |
    |   GET ogB4I3RhZ..    |                      |
    +--------------------->| lookup(obB4I3RhZ..)  |
    |                      +---.                  |
    |                      |    |                 |
    |                      |<--'                  |
    |                      | MISS                 |
    |                      |                      |
    |                      |   GET ogB4I3RhZ..    |
    |                      +--------------------->|
    |                      |                      +---.  compute
    |                      |                      |    | result
    |                      |                      |<--'  set
    |                      |  200 OK              | (expiry = now + 1h)
    |                      |  C-C: max-age=600,   |
    |                      |       s-maxage=3600  |
    |                      |  #6.18([...])        |
    |                      |<---------------------+
    |                      |                      |
    |                      | store(K=obB4I3RhZ.., |
    |                      +---.   V=#6.18([...], |
    |                      |    |  TTL=3600)      |
    |                      |<--'                  |
    |  200 OK              |                      |
    |  C-C: max-age=600,   |                      |
    |       s-maxage=3600  |                      |
    |  #6.18([...])        |                      |
    |<---------------------+                      |
    |                      |                      |
]]></artwork>
            </artset>
            <t>At a later point, after 2 minutes, a different client B makes the same request.
This time, the request generates a "cache hit" event on the proxy.
The response is therefore served from the public cache, bypassing the origin.
This reduces the load on the origin, where computing the result set is generally costly, as well as reducing the overall latency of the transaction.
Client B operates a local cache, where it stores a copy of the response.</t>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="416" width="472" viewBox="0 0 472 416" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 24,80 L 24,96" fill="none" stroke="black"/>
                  <path d="M 40,112 L 40,400" fill="none" stroke="black"/>
                  <path d="M 56,80 L 56,96" fill="none" stroke="black"/>
                  <path d="M 200,64 L 200,96" fill="none" stroke="black"/>
                  <path d="M 224,112 L 224,400" fill="none" stroke="black"/>
                  <path d="M 248,64 L 248,96" fill="none" stroke="black"/>
                  <path d="M 408,80 L 408,400" fill="none" stroke="black"/>
                  <path d="M 216,48 L 232,48" fill="none" stroke="black"/>
                  <path d="M 216,80 L 232,80" fill="none" stroke="black"/>
                  <path d="M 216,112 L 232,112" fill="none" stroke="black"/>
                  <path d="M 40,144 L 216,144" fill="none" stroke="black"/>
                  <path d="M 224,160 L 248,160" fill="none" stroke="black"/>
                  <path d="M 232,192 L 248,192" fill="none" stroke="black"/>
                  <path d="M 48,304 L 224,304" fill="none" stroke="black"/>
                  <path d="M 40,352 L 64,352" fill="none" stroke="black"/>
                  <path d="M 48,384 L 64,384" fill="none" stroke="black"/>
                  <path d="M 216,48 C 207.16936,48 200,55.16936 200,64" fill="none" stroke="black"/>
                  <path d="M 232,48 C 240.83064,48 248,55.16936 248,64" fill="none" stroke="black"/>
                  <path d="M 408,48 C 399.16936,48 392,55.16936 392,64" fill="none" stroke="black"/>
                  <path d="M 408,48 C 416.83064,48 424,55.16936 424,64" fill="none" stroke="black"/>
                  <path d="M 40,64 C 31.16936,64 24,71.16936 24,80" fill="none" stroke="black"/>
                  <path d="M 40,64 C 48.83064,64 56,71.16936 56,80" fill="none" stroke="black"/>
                  <path d="M 216,80 C 207.16936,80 200,72.83064 200,64" fill="none" stroke="black"/>
                  <path d="M 232,80 C 240.83064,80 248,72.83064 248,64" fill="none" stroke="black"/>
                  <path d="M 408,80 C 399.16936,80 392,72.83064 392,64" fill="none" stroke="black"/>
                  <path d="M 408,80 C 416.83064,80 424,72.83064 424,64" fill="none" stroke="black"/>
                  <path d="M 40,96 C 31.16936,96 24,88.83064 24,80" fill="none" stroke="black"/>
                  <path d="M 40,96 C 48.83064,96 56,88.83064 56,80" fill="none" stroke="black"/>
                  <path d="M 40,112 C 31.16936,112 24,104.83064 24,96" fill="none" stroke="black"/>
                  <path d="M 40,112 C 48.83064,112 56,104.83064 56,96" fill="none" stroke="black"/>
                  <path d="M 216,112 C 207.16936,112 200,104.83064 200,96" fill="none" stroke="black"/>
                  <path d="M 232,112 C 240.83064,112 248,104.83064 248,96" fill="none" stroke="black"/>
                  <path d="M 248,160 C 256.83064,160 264,167.16936 264,176" fill="none" stroke="black"/>
                  <path d="M 248,192 C 256.83064,192 264,184.83064 264,176" fill="none" stroke="black"/>
                  <path d="M 64,352 C 72.83064,352 80,359.16936 80,368" fill="none" stroke="black"/>
                  <path d="M 64,384 C 72.83064,384 80,376.83064 80,368" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="240,192 228,186.4 228,197.6" fill="black" transform="rotate(180,232,192)"/>
                  <polygon class="arrowhead" points="224,144 212,138.4 212,149.6" fill="black" transform="rotate(0,216,144)"/>
                  <polygon class="arrowhead" points="56,384 44,378.4 44,389.6" fill="black" transform="rotate(180,48,384)"/>
                  <polygon class="arrowhead" points="56,304 44,298.4 44,309.6" fill="black" transform="rotate(180,48,304)"/>
                  <g class="text">
                    <text x="28" y="36">client</text>
                    <text x="64" y="36">B</text>
                    <text x="224" y="36">cache.example</text>
                    <text x="412" y="36">coserv.example</text>
                    <text x="80" y="132">GET</text>
                    <text x="144" y="132">ogB4I3RhZ..</text>
                    <text x="312" y="148">lookup(obB4I3RhZ..)</text>
                    <text x="248" y="212">HIT</text>
                    <text x="72" y="228">200</text>
                    <text x="100" y="228">OK</text>
                    <text x="76" y="244">C-C:</text>
                    <text x="148" y="244">max-age=480,</text>
                    <text x="152" y="260">s-maxage=3480</text>
                    <text x="80" y="276">Etag:</text>
                    <text x="128" y="276">"xyz"</text>
                    <text x="108" y="292">#6.18([...])</text>
                    <text x="132" y="340">store(K=obB4I3RhZ..,</text>
                    <text x="156" y="356">V=#6.18([...],</text>
                    <text x="132" y="372">TTL=480)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
client B             cache.example          coserv.example
                         .---.                   .-.
   .-.                  |     |                 |   |
  |   |                 |'---'|                  '+'
  |'-'|                 |     |                   |
   '+'                   '-+-'                    |
    |   GET ogB4I3RhZ..    |                      |
    +--------------------->| lookup(obB4I3RhZ..)  |
    |                      +---.                  |
    |                      |    |                 |
    |                      |<--'                  |
    |                      | HIT                  |
    |  200 OK              |                      |
    |  C-C: max-age=480,   |                      |
    |       s-maxage=3480  |                      |
    |  Etag: "xyz"         |                      |
    |  #6.18([...])        |                      |
    |<---------------------+                      |
    |                      |                      |
    | store(K=obB4I3RhZ.., |                      |
    +---.   V=#6.18([...], |                      |
    |    |  TTL=480)       |                      |
    |<--'                  |                      |
    |                      |                      |
]]></artwork>
            </artset>
            <t>After 9 more minutes, B is instructed to make the same request again.
The request generates a "cache hit" event on the local cache.
However, the cached resource is become stale and needs to be revalidated.
Therefore, B sends a conditional request to the proxy.
The request generates a "cache hit" event on the proxy where the resource is still fresh due to the differential caching behaviour dictated by the original response from the origin.
The proxy returns a 304 (Not modified) status code, which instructs the client to reuse its local copy of the response.</t>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="416" width="480" viewBox="0 0 480 416" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 24,80 L 24,96" fill="none" stroke="black"/>
                  <path d="M 40,112 L 40,400" fill="none" stroke="black"/>
                  <path d="M 56,80 L 56,96" fill="none" stroke="black"/>
                  <path d="M 200,64 L 200,96" fill="none" stroke="black"/>
                  <path d="M 224,112 L 224,400" fill="none" stroke="black"/>
                  <path d="M 248,64 L 248,96" fill="none" stroke="black"/>
                  <path d="M 408,80 L 408,400" fill="none" stroke="black"/>
                  <path d="M 216,48 L 232,48" fill="none" stroke="black"/>
                  <path d="M 216,80 L 232,80" fill="none" stroke="black"/>
                  <path d="M 216,112 L 232,112" fill="none" stroke="black"/>
                  <path d="M 40,144 L 64,144" fill="none" stroke="black"/>
                  <path d="M 48,176 L 64,176" fill="none" stroke="black"/>
                  <path d="M 40,256 L 216,256" fill="none" stroke="black"/>
                  <path d="M 224,272 L 248,272" fill="none" stroke="black"/>
                  <path d="M 232,304 L 248,304" fill="none" stroke="black"/>
                  <path d="M 48,384 L 224,384" fill="none" stroke="black"/>
                  <path d="M 216,48 C 207.16936,48 200,55.16936 200,64" fill="none" stroke="black"/>
                  <path d="M 232,48 C 240.83064,48 248,55.16936 248,64" fill="none" stroke="black"/>
                  <path d="M 408,48 C 399.16936,48 392,55.16936 392,64" fill="none" stroke="black"/>
                  <path d="M 408,48 C 416.83064,48 424,55.16936 424,64" fill="none" stroke="black"/>
                  <path d="M 40,64 C 31.16936,64 24,71.16936 24,80" fill="none" stroke="black"/>
                  <path d="M 40,64 C 48.83064,64 56,71.16936 56,80" fill="none" stroke="black"/>
                  <path d="M 216,80 C 207.16936,80 200,72.83064 200,64" fill="none" stroke="black"/>
                  <path d="M 232,80 C 240.83064,80 248,72.83064 248,64" fill="none" stroke="black"/>
                  <path d="M 408,80 C 399.16936,80 392,72.83064 392,64" fill="none" stroke="black"/>
                  <path d="M 408,80 C 416.83064,80 424,72.83064 424,64" fill="none" stroke="black"/>
                  <path d="M 40,96 C 31.16936,96 24,88.83064 24,80" fill="none" stroke="black"/>
                  <path d="M 40,96 C 48.83064,96 56,88.83064 56,80" fill="none" stroke="black"/>
                  <path d="M 40,112 C 31.16936,112 24,104.83064 24,96" fill="none" stroke="black"/>
                  <path d="M 40,112 C 48.83064,112 56,104.83064 56,96" fill="none" stroke="black"/>
                  <path d="M 216,112 C 207.16936,112 200,104.83064 200,96" fill="none" stroke="black"/>
                  <path d="M 232,112 C 240.83064,112 248,104.83064 248,96" fill="none" stroke="black"/>
                  <path d="M 64,144 C 72.83064,144 80,151.16936 80,160" fill="none" stroke="black"/>
                  <path d="M 64,176 C 72.83064,176 80,168.83064 80,160" fill="none" stroke="black"/>
                  <path d="M 248,272 C 256.83064,272 264,279.16936 264,288" fill="none" stroke="black"/>
                  <path d="M 248,304 C 256.83064,304 264,296.83064 264,288" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="240,304 228,298.4 228,309.6" fill="black" transform="rotate(180,232,304)"/>
                  <polygon class="arrowhead" points="224,256 212,250.4 212,261.6" fill="black" transform="rotate(0,216,256)"/>
                  <polygon class="arrowhead" points="56,384 44,378.4 44,389.6" fill="black" transform="rotate(180,48,384)"/>
                  <polygon class="arrowhead" points="56,176 44,170.4 44,181.6" fill="black" transform="rotate(180,48,176)"/>
                  <g class="text">
                    <text x="28" y="36">client</text>
                    <text x="64" y="36">B</text>
                    <text x="232" y="36">cache.example</text>
                    <text x="420" y="36">coserv.example</text>
                    <text x="128" y="132">lookup(obB4I3RhZ..)</text>
                    <text x="64" y="196">HIT</text>
                    <text x="112" y="196">(stale)</text>
                    <text x="64" y="228">GET</text>
                    <text x="128" y="228">ogB4I3RhZ..</text>
                    <text x="128" y="244">If-None-Match:"xyz"</text>
                    <text x="248" y="324">HIT</text>
                    <text x="72" y="340">304</text>
                    <text x="104" y="340">Not</text>
                    <text x="156" y="340">modified</text>
                    <text x="76" y="356">C-C:</text>
                    <text x="140" y="356">max-age=0,</text>
                    <text x="152" y="372">s-maxage=3060</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
client B              cache.example          coserv.example
                         .---.                   .-.
   .-.                  |     |                 |   |
  |   |                 |'---'|                  '+'
  |'-'|                 |     |                   |
   '+'                   '-+-'                    |
    | lookup(obB4I3RhZ..)  |                      |
    +---.                  |                      |
    |    |                 |                      |
    |<--'                  |                      |
    | HIT (stale)          |                      |
    |                      |                      |
    | GET ogB4I3RhZ..      |                      |
    | If-None-Match:"xyz"  |                      |
    +--------------------->|                      |
    |                      +---.                  |
    |                      |    |                 |
    |                      |<--'                  |
    |                      | HIT                  |
    |  304 Not modified    |                      |
    |  C-C: max-age=0,     |                      |
    |       s-maxage=3060  |                      |
    |<---------------------+                      |
    |                      |                      |
]]></artwork>
            </artset>
          </section>
        </section>
      </section>
    </section>
    <section anchor="implementation-status">
      <name>Implementation Status</name>
      <t>[^rfced] please remove this section prior to publication.</t>
      <t>This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in <xref target="RFC7942"/>.
The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs.
Please note that the listing of any individual implementation here does not imply endorsement by the IETF.
Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors.
This is not intended as, and must not be construed to be, a catalog of available implementations or their features.
Readers are advised to note that other implementations may exist.</t>
      <t>According to <xref target="RFC7942"/>, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.
It is up to the individual working groups to use this information as they see fit".</t>
      <section anchor="veraison">
        <name>Veraison</name>
        <t>Responsible Organisation: Veraison (open source project within the Confidential Computing Consortium).</t>
        <t>Location: https://github.com/veraison</t>
        <t>Description: Veraison provides components that can be used to build a Verifier, and also exemplifies adjacent RATS roles such as the Relying Party.
There is an active effort to extend Veraison so that it can act in the capacity of an Endorser or Reference Value Provider, showing how CoSERV can be used as a query language for such services.
This includes library code to assist with the creation, parsing and manipulation of CoSERV queries.</t>
        <t>Level of Maturity: This is a proof-of-concept prototype implementation.</t>
        <t>License: Apache-2.0.</t>
        <t>Coverage: This implementation covers all aspects of the CoSERV query language.</t>
        <t>Contact: Thomas Fossati, Thomas.Fossati@linaro.org</t>
      </section>
    </section>
    <section anchor="seccons">
      <name>Security Considerations</name>
      <t>CoSERV implements a conveyance protocol for specific categories of Conceptual Message in <xref target="RFC9334"/>, namely Endorsements and Reference Values.
Consequently, it is used only between the Endorser and Verifier roles, or between the Reference Value Provider and Verifier roles of the RATS architecture.
The relevant security considerations are therefore the ones associated with those roles and their interactions.</t>
      <t>Certain security characteristics are desirable for interactions between the Verifier and the Endorser or Reference Value Provider.
However, these characteristics would be the province of the specific implementations of these roles, and of the transport protocols in between them.
They would not be the province of the CoSERV data object itself.
Examples of such desirable characteristics might be:</t>
      <ul spacing="normal">
        <li>
          <t>The Endorser or Reference Value Provider is available to the Verifier when needed.</t>
        </li>
        <li>
          <t>The Verifier is authorised to query data from the Endorser or Reference Value Provider.</t>
        </li>
        <li>
          <t>Queries cannot be intercepted or undetectably modified by an entity that is interposed between the Verifier and the Endorser or Reference Value Provider.</t>
        </li>
      </ul>
      <section anchor="in-relation-to-corim">
        <name>In Relation to CoRIM</name>
        <t>CoSERV's data model inherits heavily from that of <xref target="I-D.ietf-rats-corim"/>.
CoSERV responses can contain one or more complete CoRIM artifacts.
They can also contain aggregated views that are composed of multiple CoRIM fragments.
The security and privacy considerations set out in <xref section="11" sectionFormat="of" target="I-D.ietf-rats-corim"/> therefore apply equally to CoSERV.</t>
      </section>
      <section anchor="forming-native-database-queries-from-coserv">
        <name>Forming Native Database Queries from CoSERV</name>
        <t>Implementations should take care when transforming CoSERV queries into native query types that are compatible with their underlying storage technology (such as SQL queries).
There is a risk of injection attacks arising from poorly-formed or maliciously-formed CoSERV queries.
Implementations must ensure that suitable sanitization procedures are in place when performing such translations.</t>
      </section>
      <section anchor="aggregators">
        <name>Aggregators</name>
        <t>Aggregation (see <xref target="secaggregation"/>) is the process of combining artifacts from multiple Endorser or Reference Value Provider sources, which is a necessary step in some supply chains.
CoSERV supports aggregation explicitly at the protocol level, but is agnostic with regards to how (or whether) such support is used.
However, there are specific security considerations for deployments that make use of aggregators.</t>
        <t>When used, aggregators feed Endorsements and Reference Values to the Verifier (possibly via further aggregators).
This means that they act in the Endorser and/or Reference Value Provider roles of RATS, both of which are trusted roles.
Aggregators are therefore trusted components.
Further, since the purpose of an aggregator is to provide a consolidated point of consumption for the Verifier, there is a risk of its becoming a single point of failure or vulnerability.
An aggregator that is unavailable, malfunctioning, or malicious, has the potential to impact the security of the overall deployment.
For example, a malicious aggregator might attempt to impersonate or otherwise subvert the authority of other actors in the supply chain, such as hardware or firmware vendors.</t>
        <t>The intent of CoSERV is for aggregators to provide an optional convenience layer for the Verifier, rather than to be a subversive authority.
The design features of CoSERV can be used alongside judicious deployment practices to mitigate the risks.
An informative and non-exhaustive list of mitigations follows:-</t>
        <ul spacing="normal">
          <li>
            <t><strong>Use independent chains of trust.</strong>
It is established above that aggregators are trusted components.
This does not mean that they necessarily become a sole or replacement trust authority.
CoSERV's aggregation model allows for deference to other authorities that exist in the supply chain.
This is true even when an aggregator is acting in the Endorser role.
A hardware Endorsement, for example, might be delivered to the Verifier via an aggregator (along with multiple other artifacts, such as Reference Values).
But the authority of that Endorsement can still be chained back to the hardware provider, and this authority can be checked by the Verifier using a trust anchor associated with that hardware provider.</t>
          </li>
          <li>
            <t><strong>Inspect the authority delegation chains.</strong>
The "quads" feature of the CoSERV data model provides explicit tracking of supply chain sources.
Each inner CoMID triple of an aggregated CoSERV response is annotated with an authority delegation chain.
This is a sequence of delegated trust authorities, each of which might be either a further upstream aggregator or a primary supply chain actor.
This information allows the consumer (Verifier) to inspect the provenance of each aggregated result, which can be checked against its own independent record of trustworthy sources.</t>
          </li>
          <li>
            <t><strong>Use source artifacts.</strong>
CoSERV's aggregation model supports the pass-through of artifacts from upstream supply-chain actors, known as "source artifacts" in the data model.
Source artifacts are passed verbatim in CoSERV, meaning that they retain any original signatures.
This provides another means of checking the provenance and integrity of such artifacts, independently of any signature that is applied to the CoSERV result by the aggregator (see <xref target="signed-coserv"/>).</t>
          </li>
          <li>
            <t><strong>Mutual trust between aggregators and primary supply chain actors.</strong>
The default assumption of CoSERV is that trust flows in one direction only: CoSERV consumers trust CoSERV producers, but not the reverse.
When a Verifier sends a CoSERV query to an aggregator, the Verifier is trusting that aggregator, but not the reverse.
Likewise, when an aggregator calls a primary supply chain source (whether using CoSERV or some proprietary mechanism), then the aggregator is trusting that primary supply chain source, but not the reverse.
Indeed, a primary supply chain source might not even be aware of the existence of any aggregator that is consuming artifacts from it, let alone place any trust in such an aggregator.
However, it is perfectly valid for a deployment to deviate from this baseline, provided that the suitable technical and contractual enablers are put in place.
There could exist an aggregator that is trusted - and vouched for - by the primary supply chain actor(s) from which it consumes.
Supply chain actors might even actively provision their artifacts into the aggregator for onward distribution.
The clients of such an aggregator might then be able to make more use of the "shallow trust" model described in <xref target="secaggregation"/>, with a greater reliance on collected artifacts rather than source artifacts.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>A CoSERV query can potentially contain privacy-sensitive information.
Specifically, the <tt>environment-selector</tt> field of the query may reference identifiable Attester instances in some cases.
This concern naturally also extends to the data objects that might be returned to the consumer in response to the query, although the specifications of such data objects are beyond the scope of this document.
Implementations should ensure that appropriate attention is paid to this.
Suitable mitigations include the following:</t>
      <ul spacing="normal">
        <li>
          <t>The use of authenticated secure channels between the producers and the consumers of CoSERV queries and returned artifacts.</t>
        </li>
        <li>
          <t>Collating Attester instances into anonymity groups, and referencing the groups rather than the individual instances.</t>
        </li>
      </ul>
      <section anchor="aggregators-1">
        <name>Aggregators</name>
        <t>Aggregators (as described in <xref target="secaggregation"/>) can pose a specific privacy risk.
This is because they necessarily correlate inputs from multiple supply-chain actors, and can observe repeated CoSERV queries over time.
In doing so, an aggregator might be able to infer details about the composition of an Attester's hardware, firmware or software components.
Such details would not be accessible to individual supply-chain actors implementing the Endorser or Reference Value Provider roles.
There is consequently a risk that such inferred details could be misused to create a covert channel.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>[^rfced] replace "RFCthis" with the RFC number assigned to this document.</t>
      <section anchor="media-types-registrations">
        <name>Media Types Registrations</name>
        <t>IANA is requested to add the following media types to the "Media Types" registry <xref target="IANA.media-types"/>.</t>
        <table anchor="tab-mc-regs">
          <name>CoSERV Media Types</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">Template</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">
                <tt>coserv+cbor</tt></td>
              <td align="left">
                <tt>application/coserv+cbor</tt></td>
              <td align="left">
                <xref target="secdatamodel"/> of RFCthis</td>
            </tr>
            <tr>
              <td align="left">
                <tt>coserv+cose</tt></td>
              <td align="left">
                <tt>application/coserv+cose</tt></td>
              <td align="left">
                <xref target="signed-coserv"/> of RFCthis</td>
            </tr>
            <tr>
              <td align="left">
                <tt>coserv-discovery+cbor</tt></td>
              <td align="left">
                <tt>application/coserv-discovery+cbor</tt></td>
              <td align="left">
                <xref target="secrrapidisco"/> of RFCthis</td>
            </tr>
            <tr>
              <td align="left">
                <tt>coserv-discovery+json</tt></td>
              <td align="left">
                <tt>application/coserv-discovery+json</tt></td>
              <td align="left">
                <xref target="secrrapidisco"/> of RFCthis</td>
            </tr>
          </tbody>
        </table>
        <section anchor="applicationcoservcbor">
          <name><tt>application/coserv+cbor</tt></name>
          <dl spacing="compact">
            <dt>Type name:</dt>
            <dd>
              <t>application</t>
            </dd>
            <dt>Subtype name:</dt>
            <dd>
              <t>coserv+cbor</t>
            </dd>
            <dt>Required parameters:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Optional parameters:</dt>
            <dd>
              <t>"profile" (CoSERV profile in string format.  OIDs must use the dotted-decimal notation.)</t>
            </dd>
            <dt>Encoding considerations:</dt>
            <dd>
              <t>binary (CBOR)</t>
            </dd>
            <dt>Security considerations:</dt>
            <dd>
              <t><xref target="seccons"/> of RFCthis</t>
            </dd>
            <dt>Interoperability considerations:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Published specification:</dt>
            <dd>
              <t>RFCthis</t>
            </dd>
            <dt>Applications that use this media type:</dt>
            <dd>
              <t>Verifiers, Endorsers, Reference Value Providers</t>
            </dd>
            <dt>Fragment identifier considerations:</dt>
            <dd>
              <t>The syntax and semantics of fragment identifiers are as specified for "application/cbor". (No fragment identification syntax is currently defined for "application/cbor".)</t>
            </dd>
            <dt>Person &amp; email address to contact for further information:</dt>
            <dd>
              <t>RATS WG mailing list (rats@ietf.org)</t>
            </dd>
            <dt>Intended usage:</dt>
            <dd>
              <t>COMMON</t>
            </dd>
            <dt>Restrictions on usage:</dt>
            <dd>
              <t>none</t>
            </dd>
            <dt>Author/Change controller:</dt>
            <dd>
              <t>IETF</t>
            </dd>
            <dt>Provisional registration:</dt>
            <dd>
              <t>no</t>
            </dd>
          </dl>
        </section>
        <section anchor="applicationcoservcose">
          <name><tt>application/coserv+cose</tt></name>
          <dl spacing="compact">
            <dt>Type name:</dt>
            <dd>
              <t><tt>application</tt></t>
            </dd>
            <dt>Subtype name:</dt>
            <dd>
              <t><tt>coserv+cose</tt></t>
            </dd>
            <dt>Required parameters:</dt>
            <dd>
              <t>n/a (cose-type is explicitly not supported, as it is understood to be "cose-sign1")</t>
            </dd>
            <dt>Optional parameters:</dt>
            <dd>
              <t>"profile" CoSERV profile in string format.
OIDs must use the dotted-decimal notation.
Note that the <tt>cose-type</tt> parameter is explicitly not supported, as it is understood to be <tt>"cose-sign1"</tt>.</t>
            </dd>
            <dt>Encoding considerations:</dt>
            <dd>
              <t>binary</t>
            </dd>
            <dt>Security considerations:</dt>
            <dd>
              <t><xref target="seccons"/> of RFCthis</t>
            </dd>
            <dt>Interoperability considerations:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Published specification:</dt>
            <dd>
              <t>RFCthis</t>
            </dd>
            <dt>Applications that use this media type:</dt>
            <dd>
              <t>Verifiers, Endorsers, Reference Value Providers</t>
            </dd>
            <dt>Fragment identifier considerations:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Person and email address to contact for further information:</dt>
            <dd>
              <t>RATS WG mailing list (rats@ietf.org)</t>
            </dd>
            <dt>Intended usage:</dt>
            <dd>
              <t>COMMON</t>
            </dd>
            <dt>Restrictions on usage:</dt>
            <dd>
              <t>none</t>
            </dd>
            <dt>Author/Change controller:</dt>
            <dd>
              <t>IETF</t>
            </dd>
            <dt>Provisional registration?</dt>
            <dd>
              <t>no</t>
            </dd>
          </dl>
        </section>
        <section anchor="applicationcoserv-discoverycbor">
          <name><tt>application/coserv-discovery+cbor</tt></name>
          <dl spacing="compact">
            <dt>Type name:</dt>
            <dd>
              <t>application</t>
            </dd>
            <dt>Subtype name:</dt>
            <dd>
              <t>coserv-discovery+cbor</t>
            </dd>
            <dt>Required parameters:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Optional parameters:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Encoding considerations:</dt>
            <dd>
              <t>binary (CBOR)</t>
            </dd>
            <dt>Security considerations:</dt>
            <dd>
              <t><xref target="seccons"/> of RFCthis</t>
            </dd>
            <dt>Interoperability considerations:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Published specification:</dt>
            <dd>
              <t>RFCthis</t>
            </dd>
            <dt>Applications that use this media type:</dt>
            <dd>
              <t>Verifiers, Endorsers, Reference Value Providers</t>
            </dd>
            <dt>Fragment identifier considerations:</dt>
            <dd>
              <t>The syntax and semantics of fragment identifiers are as specified for "application/cbor". (No fragment identification syntax is currently defined for "application/cbor".)</t>
            </dd>
            <dt>Person &amp; email address to contact for further information:</dt>
            <dd>
              <t>RATS WG mailing list (rats@ietf.org)</t>
            </dd>
            <dt>Intended usage:</dt>
            <dd>
              <t>COMMON</t>
            </dd>
            <dt>Restrictions on usage:</dt>
            <dd>
              <t>none</t>
            </dd>
            <dt>Author/Change controller:</dt>
            <dd>
              <t>IETF</t>
            </dd>
            <dt>Provisional registration:</dt>
            <dd>
              <t>no</t>
            </dd>
          </dl>
        </section>
        <section anchor="applicationcoserv-discoveryjson">
          <name><tt>application/coserv-discovery+json</tt></name>
          <dl spacing="compact">
            <dt>Type name:</dt>
            <dd>
              <t>application</t>
            </dd>
            <dt>Subtype name:</dt>
            <dd>
              <t>coserv-discovery+json</t>
            </dd>
            <dt>Required parameters:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Optional parameters:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Encoding considerations:</dt>
            <dd>
              <t>binary (JSON is UTF-8-encoded text)</t>
            </dd>
            <dt>Security considerations:</dt>
            <dd>
              <t><xref target="seccons"/> of RFCthis</t>
            </dd>
            <dt>Interoperability considerations:</dt>
            <dd>
              <t>n/a</t>
            </dd>
            <dt>Published specification:</dt>
            <dd>
              <t>RFCthis</t>
            </dd>
            <dt>Applications that use this media type:</dt>
            <dd>
              <t>Verifiers, Endorsers, Reference Value Providers</t>
            </dd>
            <dt>Fragment identifier considerations:</dt>
            <dd>
              <t>The syntax and semantics of fragment identifiers are as specified for "application/json". (No fragment identification syntax is currently defined for "application/json".)</t>
            </dd>
            <dt>Person &amp; email address to contact for further information:</dt>
            <dd>
              <t>RATS WG mailing list (rats@ietf.org)</t>
            </dd>
            <dt>Intended usage:</dt>
            <dd>
              <t>COMMON</t>
            </dd>
            <dt>Restrictions on usage:</dt>
            <dd>
              <t>none</t>
            </dd>
            <dt>Author/Change controller:</dt>
            <dd>
              <t>IETF</t>
            </dd>
            <dt>Provisional registration:</dt>
            <dd>
              <t>no</t>
            </dd>
          </dl>
        </section>
      </section>
      <section anchor="coap-content-formats">
        <name>CoAP Content-Formats</name>
        <t>IANA is requested to register the following Content-Format IDs in the "CoAP Content-Formats" registry, within the "Constrained RESTful Environments (CoRE) Parameters" registry group <xref target="IANA.core-parameters"/>:</t>
        <table align="left">
          <name>New CoAP Content Formats</name>
          <thead>
            <tr>
              <th align="left">Content-Type</th>
              <th align="left">Content Coding</th>
              <th align="left">ID</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">application/coserv+cbor</td>
              <td align="left">-</td>
              <td align="left">TBD1</td>
              <td align="left">
                <xref target="secdatamodel"/> of RFCthis</td>
            </tr>
            <tr>
              <td align="left">application/coserv+cose</td>
              <td align="left">-</td>
              <td align="left">TBD2</td>
              <td align="left">
                <xref target="signed-coserv"/> of RFCthis</td>
            </tr>
          </tbody>
        </table>
        <t>If possible, TBD1 and TBD2 should be assigned in the 256..9999 range.</t>
      </section>
      <section anchor="well-known-uri-for-coserv-configuration">
        <name>Well-Known URI for CoSERV Configuration</name>
        <t>IANA is requested to register the following in the "Well-Known URIs" registry <xref target="IANA.well-known-uris"/>:</t>
        <t>URI suffix: coserv-configuration</t>
        <t>Change controller: IETF</t>
        <t>Specification document: RFCthis</t>
        <t>Related information: N/A</t>
      </section>
    </section>
  </middle>
  <back>
    <displayreference target="STD98" to="HTTP"/>
    <displayreference target="STD97" to="HTTP-CACHING"/>
    <displayreference target="STD96" to="COSE"/>
    <displayreference target="STD94" to="CBOR"/>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC6570">
          <front>
            <title>URI Template</title>
            <author fullname="J. Gregorio" initials="J." surname="Gregorio"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="M. Hadley" initials="M." surname="Hadley"/>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <author fullname="D. Orchard" initials="D." surname="Orchard"/>
            <date month="March" year="2012"/>
            <abstract>
              <t>A URI Template is a compact sequence of characters for describing a range of Uniform Resource Identifiers through variable expansion. This specification defines the URI Template syntax and the process for expanding a URI Template into a URI reference, along with guidelines for the use of URI Templates on the Internet. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6570"/>
          <seriesInfo name="DOI" value="10.17487/RFC6570"/>
        </reference>
        <reference anchor="RFC7515">
          <front>
            <title>JSON Web Signature (JWS)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7515"/>
          <seriesInfo name="DOI" value="10.17487/RFC7515"/>
        </reference>
        <reference anchor="RFC7517">
          <front>
            <title>JSON Web Key (JWK)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7517"/>
          <seriesInfo name="DOI" value="10.17487/RFC7517"/>
        </reference>
        <reference anchor="RFC8610">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="C. Vigano" initials="C." surname="Vigano"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="STD90">
          <front>
            <title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
            <author fullname="T. Bray" initials="T." role="editor" surname="Bray"/>
            <date month="December" year="2017"/>
            <abstract>
              <t>JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data.</t>
              <t>This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="90"/>
          <seriesInfo name="RFC" value="8259"/>
          <seriesInfo name="DOI" value="10.17487/RFC8259"/>
        </reference>
        <reference anchor="RFC8615">
          <front>
            <title>Well-Known Uniform Resource Identifiers (URIs)</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <date month="May" year="2019"/>
            <abstract>
              <t>This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes.</t>
              <t>In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8615"/>
          <seriesInfo name="DOI" value="10.17487/RFC8615"/>
        </reference>
        <reference anchor="RFC9290">
          <front>
            <title>Concise Problem Details for Constrained Application Protocol (CoAP) APIs</title>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="October" year="2022"/>
            <abstract>
              <t>This document defines a concise "problem detail" as a way to carry machine-readable details of errors in a Representational State Transfer (REST) response to avoid the need to define new error response formats for REST APIs for constrained environments. The format is inspired by, but intended to be more concise than, the problem details for HTTP APIs defined in RFC 7807.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9290"/>
          <seriesInfo name="DOI" value="10.17487/RFC9290"/>
        </reference>
        <reference anchor="STD98">
          <front>
            <title>HTTP Caching</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.</t>
              <t>This document obsoletes RFC 7234.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="98"/>
          <seriesInfo name="RFC" value="9111"/>
          <seriesInfo name="DOI" value="10.17487/RFC9111"/>
        </reference>
        <reference anchor="STD97">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
        <reference anchor="STD96">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="STD94">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9334">
          <front>
            <title>Remote ATtestation procedureS (RATS) Architecture</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="N. Smith" initials="N." surname="Smith"/>
            <author fullname="W. Pan" initials="W." surname="Pan"/>
            <date month="January" year="2023"/>
            <abstract>
              <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9334"/>
          <seriesInfo name="DOI" value="10.17487/RFC9334"/>
        </reference>
        <reference anchor="RFC9393">
          <front>
            <title>Concise Software Identification Tags</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="J. Fitzgerald-McKay" initials="J." surname="Fitzgerald-McKay"/>
            <author fullname="C. Schmidt" initials="C." surname="Schmidt"/>
            <author fullname="D. Waltermire" initials="D." surname="Waltermire"/>
            <date month="June" year="2023"/>
            <abstract>
              <t>ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an extensible XML-based structure to identify and describe individual software components, patches, and installation bundles. SWID tag representations can be too large for devices with network and storage constraints. This document defines a concise representation of SWID tags: Concise SWID (CoSWID) tags. CoSWID supports a set of semantics and features that are similar to those for SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information, all in a more memory-efficient format.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9393"/>
          <seriesInfo name="DOI" value="10.17487/RFC9393"/>
        </reference>
        <reference anchor="I-D.ietf-rats-corim">
          <front>
            <title>Concise Reference Integrity Manifest</title>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
              <organization>arm</organization>
            </author>
            <author fullname="Ned Smith" initials="N." surname="Smith">
              <organization>Independent</organization>
            </author>
            <author fullname="Wei Pan" initials="W." surname="Pan">
              <organization>Huawei Technologies</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   Remote Attestation Procedures (RATS) enable Relying Parties to assess
   the trustworthiness of a remote Attester and therefore to decide
   whether or not to engage in secure interactions with it.  Evidence
   about trustworthiness can be rather complex and it is deemed
   unrealistic that every Relying Party is capable of the appraisal of
   Evidence.  Therefore that burden is typically offloaded to a
   Verifier.  In order to conduct Evidence appraisal, a Verifier
   requires not only fresh Evidence from an Attester, but also trusted
   Endorsements and Reference Values from Endorsers and Reference Value
   Providers, such as manufacturers, distributors, or device owners.
   This document specifies the information elements for representing
   Endorsements and Reference Values in CBOR format.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-corim-10"/>
        </reference>
        <reference anchor="I-D.ietf-rats-msg-wrap">
          <front>
            <title>RATS Conceptual Messages Wrapper (CMW)</title>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <author fullname="Ned Smith" initials="N." surname="Smith">
              <organization>Independent</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <author fullname="Dionna Glaze" initials="D." surname="Glaze">
              <organization>Google LLC</organization>
            </author>
            <date day="11" month="December" year="2025"/>
            <abstract>
              <t>   The Conceptual Messages introduced by the RATS architecture (RFC
   9334) are protocol-agnostic data units that are conveyed between RATS
   roles during remote attestation procedures.  Conceptual Messages
   describe the meaning and function of such data units within RATS data
   flows without specifying a wire format, encoding, transport
   mechanism, or processing details.  The initial set of Conceptual
   Messages is defined in Section 8 of RFC 9334 and includes Evidence,
   Attestation Results, Endorsements, Reference Values, and Appraisal
   Policies.

   This document introduces the Conceptual Message Wrapper (CMW) that
   provides a common structure to encapsulate these messages.  It
   defines a dedicated CBOR tag, corresponding JSON Web Token (JWT) and
   CBOR Web Token (CWT) claims, and an X.509 extension.

   This allows CMWs to be used in CBOR-based protocols, web APIs using
   JWTs and CWTs, and PKIX artifacts like X.509 certificates.
   Additionally, the draft defines a media type and a CoAP content
   format to transport CMWs over protocols like HTTP, MIME, and CoAP.

   The goal is to improve the interoperability and flexibility of remote
   attestation protocols.  Introducing a shared message format such as
   CMW enables consistent support for different attestation message
   types, evolving message serialization formats without breaking
   compatibility, and avoiding the need to redefine how messages are
   handled within each protocol.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-msg-wrap-23"/>
        </reference>
        <reference anchor="SEMVER" target="https://semver.org/spec/v2.0.0.html">
          <front>
            <title>Semantic Versioning 2.0.0</title>
            <author>
              <organization/>
            </author>
            <date year="2013"/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="IANA.media-types" target="https://www.iana.org/assignments/media-types">
          <front>
            <title>Media Types</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="IANA.core-parameters" target="https://www.iana.org/assignments/core-parameters">
          <front>
            <title>Constrained RESTful Environments (CoRE) Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="IANA.well-known-uris" target="https://www.iana.org/assignments/well-known-uris">
          <front>
            <title>Well-Known URIs</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC6024">
          <front>
            <title>Trust Anchor Management Requirements</title>
            <author fullname="R. Reddy" initials="R." surname="Reddy"/>
            <author fullname="C. Wallace" initials="C." surname="Wallace"/>
            <date month="October" year="2010"/>
            <abstract>
              <t>A trust anchor represents an authoritative entity via a public key and associated data. The public key is used to verify digital signatures, and the associated data is used to constrain the types of information for which the trust anchor is authoritative. A relying party uses trust anchors to determine if a digitally signed object is valid by verifying a digital signature using the trust anchor's public key, and by enforcing the constraints expressed in the associated data for the trust anchor. This document describes some of the problems associated with the lack of a standard trust anchor management mechanism and defines requirements for data formats and push-based protocols designed to address these problems. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6024"/>
          <seriesInfo name="DOI" value="10.17487/RFC6024"/>
        </reference>
        <reference anchor="RFC7942">
          <front>
            <title>Improving Awareness of Running Code: The Implementation Status Section</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="A. Farrel" initials="A." surname="Farrel"/>
            <date month="July" year="2016"/>
            <abstract>
              <t>This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.</t>
              <t>This process is not mandatory. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. This document obsoletes RFC 6982, advancing it to a Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="205"/>
          <seriesInfo name="RFC" value="7942"/>
          <seriesInfo name="DOI" value="10.17487/RFC7942"/>
        </reference>
        <reference anchor="RFC7252">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="RFC8007">
          <front>
            <title>Content Delivery Network Interconnection (CDNI) Control Interface / Triggers</title>
            <author fullname="R. Murray" initials="R." surname="Murray"/>
            <author fullname="B. Niven-Jenkins" initials="B." surname="Niven-Jenkins"/>
            <date month="December" year="2016"/>
            <abstract>
              <t>This document describes the part of the Content Delivery Network Interconnection (CDNI) Control interface that allows a CDN to trigger activity in an interconnected CDN that is configured to deliver content on its behalf. The upstream CDN can use this mechanism to request that the downstream CDN pre-position metadata or content or to request that it invalidate or purge metadata or content. The upstream CDN can monitor the status of activity that it has triggered in the downstream CDN.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8007"/>
          <seriesInfo name="DOI" value="10.17487/RFC8007"/>
        </reference>
        <reference anchor="RFC9711">
          <front>
            <title>The Entity Attestation Token (EAT)</title>
            <author fullname="L. Lundblade" initials="L." surname="Lundblade"/>
            <author fullname="G. Mandyam" initials="G." surname="Mandyam"/>
            <author fullname="J. O'Donoghue" initials="J." surname="O'Donoghue"/>
            <author fullname="C. Wallace" initials="C." surname="Wallace"/>
            <date month="April" year="2025"/>
            <abstract>
              <t>An Entity Attestation Token (EAT) provides an attested claims set that describes the state and characteristics of an entity, a device such as a smartphone, an Internet of Things (IoT) device, network equipment, or such. This claims set is used by a relying party, server, or service to determine the type and degree of trust placed in the entity.</t>
              <t>An EAT is either a CBOR Web Token (CWT) or a JSON Web Token (JWT) with attestation-oriented claims.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9711"/>
          <seriesInfo name="DOI" value="10.17487/RFC9711"/>
        </reference>
        <reference anchor="I-D.ietf-rats-endorsements">
          <front>
            <title>RATS Endorsements</title>
            <author fullname="Dave Thaler" initials="D." surname="Thaler">
              <organization>Armidale Consulting</organization>
            </author>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   In the IETF Remote Attestation Procedures (RATS) architecture, a
   Verifier accepts Evidence and uses Appraisal Policy for Evidence,
   typically with additional input from Endorsements and Reference
   Values, to generate Attestation Results in formats that are useful
   for Relying Parties.  This document illustrates the purpose and role
   of Endorsements and discusses some considerations in the choice of
   message format for Endorsements in the scope of the RATS
   architecture.

   This document does not aim to define a conceptual message format for
   Endorsements and Reference Values.  Instead, it extends RFC9334 to
   provide further details on Reference Values and Endorsements, as
   these topics were outside the scope of the RATS charter when RFC9334
   was developed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-endorsements-09"/>
        </reference>
        <reference anchor="I-D.ietf-iotops-mud-rats">
          <front>
            <title>MUD-Based RATS Resources Discovery</title>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <author fullname="Michael Richardson" initials="M." surname="Richardson">
              <organization>Sandelman Software Works</organization>
            </author>
            <author fullname="Peter Chunchi Liu" initials="P. C." surname="Liu">
              <organization>Huawei Technologies</organization>
            </author>
            <date day="28" month="November" year="2025"/>
            <abstract>
              <t>   Manufacturer Usage Description (MUD) files and the MUD URIs that
   point to them are defined in RFC 8520.  This document introduces a
   new type of MUD file to be delivered in conjunction with a MUD file
   signature and/or to be referenced via a MUD URI embedded in other
   documents or messages, such as an IEEE 802.1AR Secure Device
   Identifier (DevID) or a CBOR Web Token (CWT).  These signed documents
   can be presented to other entities, e.g., a network management system
   or network path orchestrator.  If this entity also takes on the role
   of a verifier as defined by the IETF Remote ATtestation procedureS
   (RATS) architecture, this verifier can use the references included in
   the MUD file specified in this document to discover, for example,
   appropriate reference value providers, endorsement documents or
   endorsement distribution APIs, trust anchor stores, remote verifier
   services (sometimes referred to as Attestation Verification
   Services), or transparency logs.  All theses references in the MUD
   file pointing to resources and auxiliary RATS services can satisfy
   general RATS prerequisite by enabling discovery or improve discovery
   resilience of corresponding resources or services.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-iotops-mud-rats-02"/>
        </reference>
      </references>
    </references>
    <?line 1956?>

<section anchor="collated-cddl">
      <name>Collated CDDL</name>
      <section anchor="collated-cddl-coserv">
        <name>CoSERV Data Model</name>
        <artwork><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

signed-coserv = #6.18([
    protected: bytes .cbor signed-coserv-protected-hdr,
    unprotected: signed-coserv-unprotected-hdr,
    payload: bytes .cbor coserv,
    signature: bytes,
])
signed-coserv-protected-hdr = {
  1 => int,
  2 => "application/coserv+cbor" / 10000,
  * cose.label => cose.values,
}
signed-coserv-unprotected-hdr = {* cose.label => cose.values}
cose.label = int / text
cose.values = any
coserv = {
  &(profile: 0) => profile,
  &(query: 1) => query,
  ? &(results: 2) => results,
}
profile = comid.oid-type / ~uri
query = {environment-query // rim-query}
environment-query = (
  &(artifact-type: 0) => artifact-type,
  &(environment-selector: 1) => environment-selector-map,
  &(result-type: 2) => result-type,
  )
rim-query = (&(rim-selector: 3) => [+ rim-selector-id])
rim-selector-id = [
    &(comid: 0),
    comid.$tag-id-type-choice,
] / [
    &(coswid: 1),
    coswid.tag-id,
] / [
    &(corim: 2),
    corim.$corim-id-type-choice,
]
artifact-type = &(endorsed-values: 0) / &(trust-anchors: 1) / &(\
                                                 reference-values: 2)
result-type = &(collected-artifacts: 0) / &(source-artifacts: 1) / &\
                                                            (both: 2)
results = {
  (environment-result // rim-result),
  &(expiry: 10) => tdate,
}
environment-result = (result-set // &(source-artifacts: 11) => [+ \
                                                cmw.cbor-record] // (
        result-set,
        &(source-artifacts: 11) => [+ cmw.cbor-record],
      ))
rim-result = (&(rims: 5) => cmw.cbor-collection)
result-set //= (reference-values // endorsed-values // trust-anchors)
refval-quad = {
  &(authorities: 1) => [+ comid.$crypto-key-type-choice],
  &(rv-triple: 2) => comid.reference-triple-record,
}
reference-values = (&(rvq: 0) => [* refval-quad])
endval-quad = {
  &(authorities: 1) => [+ comid.$crypto-key-type-choice],
  &(ev-triple: 2) => comid.endorsed-triple-record,
}
cond-endval-quad = {
  &(authorities: 1) => [+ comid.$crypto-key-type-choice],
  &(ce-triple: 2) => comid.conditional-endorsement-triple-record,
}
endorsed-values = (
  &(evq: 1) => [* endval-quad],
  &(ceq: 2) => [* cond-endval-quad],
  )
ak-quad = {
  &(authorities: 1) => [+ comid.$crypto-key-type-choice],
  &(ak-triple: 2) => comid.attest-key-triple-record,
}
cots-stmt = {
  &(authorities: 1) => [+ comid.$crypto-key-type-choice],
  &(cots: 2) => cots,
}
trust-anchors = (
  &(akq: 3) => [* ak-quad],
  &(tas: 4) => [* cots-stmt],
  )
cots = "TODO COTS"
environment-selector-map = {selector}
stateful-class = [
  class: comid.class-map,
  ? measurements: [+ comid.measurement-map],
]
selector //= (&(class: 0) => [+ stateful-class] // &(instance: 1) =\
        > [+ stateful-instance] // &(group: 2) => [+ stateful-group])
stateful-instance = [
  instance: comid.$instance-id-type-choice,
  ? measurements: [+ comid.measurement-map],
]
stateful-group = [
  group: comid.$group-id-type-choice,
  ? measurements: [+ comid.measurement-map],
]
cmw.start = cmw.cmw
cmw.cmw = cmw.json-cmw / cmw.cbor-cmw
cmw.json-cmw = cmw.json-record / cmw.json-collection
cmw.cbor-cmw = cmw.cbor-record / cmw.cbor-collection / cmw.$cbor-tag
cmw.json-record = [
  type: cmw.media-type,
  value: cmw.base64url-string,
  ? ind: uint .bits cmw.cm-type,
]
cmw.cbor-record = [
  type: cmw.coap-content-format-type / cmw.media-type,
  value: bytes,
  ? ind: uint .bits cmw.cm-type,
]
cmw.tag-cm-cbor<tn, fmt> = #6.<tn>(bytes .cbor fmt)
cmw.tag-cm-data<tn> = #6.<tn>(bytes)
cmw.json-collection = {
  ? __cmwc_t: ~uri / cmw.oid,
  + &(label: text) => cmw.json-cmw,
}
cmw.cbor-collection = {
  ? __cmwc_t: ~uri / cmw.oid,
  + &(label: int / text) => cmw.cbor-cmw,
}
cmw.media-type = text .abnf ("Content-Type" .cat cmw.Content-Type-\
                                                                ABNF)
cmw.base64url-string = text .regexp "[A-Za-z0-9_-]+"
cmw.coap-content-format-type = uint .size 2
cmw.oid = text .regexp "([0-2])((\\.0)|(\\.[1-9][0-9]*))*"
cmw.cm-type = &(
  reference-values: 0,
  endorsements: 1,
  evidence: 2,
  attestation-results: 3,
  appraisal-policy: 4,
)
cmw.Content-Type-ABNF = '

Content-Type   = Media-Type-Name *( *SP ";" *SP parameter )
parameter      = token "=" ( token / quoted-string )

token          = 1*tchar
tchar          = "!" / "#" / "$" / "%" / "&" / "\'" / "*"
               / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
               / DIGIT / ALPHA
quoted-string  = %x22 *( qdtext / quoted-pair ) %x22
qdtext         = SP / %x21 / %x23-5B / %x5D-7E
quoted-pair    = "\\" ( SP / VCHAR )

Media-Type-Name = type-name "/" subtype-name

type-name = restricted-name
subtype-name = restricted-name

restricted-name = restricted-name-first *126restricted-name-chars
restricted-name-first  = ALPHA / DIGIT
restricted-name-chars  = ALPHA / DIGIT / "!" / "#" /
                         "$" / "&" / "-" / "^" / "_"
restricted-name-chars =/ "." ; Characters before first dot always
                             ; specify a facet name
restricted-name-chars =/ "+" ; Characters after last plus always
                             ; specify a structured syntax suffix

DIGIT     =  %x30-39           ; 0 - 9
POS-DIGIT =  %x31-39           ; 1 - 9
ALPHA     =  %x41-5A / %x61-7A ; A - Z / a - z
SP        =  %x20
VCHAR     =  %x21-7E           ; printable ASCII (no SP)
'
cmw.$cbor-tag /= cmw.tag-cm-data<1668612070> / cmw.tag-cm-cbor<\
                                         1668612069, cmw.my-evidence>
cmw.my-evidence = {&(eat_nonce: 10) => bytes .size (8 .. 64)}
comid.concise-mid-tag = {
  ? &(language: 0) => text,
  &(tag-identity: 1) => comid.tag-identity-map,
  ? &(entities: 2) => [+ comid.comid-entity-map],
  ? &(linked-tags: 3) => [+ comid.linked-tag-map],
  &(triples: 4) => comid.triples-map,
  * $$concise-mid-tag-extension,
}
comid.attest-key-triple-record = [
  environment: comid.environment-map,
  key-list: [+ comid.$crypto-key-type-choice],
  ? conditions: comid.non-empty<{
            ? &(mkey: 0) => comid.$measured-element-type-choice,
            ? &(authorized-by: 1) => [+ comid.$crypto-key-type-\
                                                             choice],
}>,
]
comid.$class-id-type-choice /= comid.tagged-oid-type / comid.tagged-\
                                       uuid-type / comid.tagged-bytes
comid.class-map = comid.non-empty<{
    ? &(class-id: 0) => comid.$class-id-type-choice,
    ? &(vendor: 1) => tstr,
    ? &(model: 2) => tstr,
    ? &(layer: 3) => uint,
    ? &(index: 4) => uint,
}>
comid.comid-entity-map = comid.entity-map<comid.$comid-role-type-\
                                choice, $$comid-entity-map-extension>
comid.$comid-role-type-choice /= &(tag-creator: 0) / &(creator: 1) \
                                                   / &(maintainer: 2)
comid.conditional-endorsement-series-triple-record = [
  condition: comid.stateful-environment-record,
  series: [+ comid.conditional-series-record],
]
comid.conditional-series-record = [
  selection: [+ comid.measurement-map],
  addition: [+ comid.measurement-map],
]
comid.COSE_Key = {
  1 => tstr / int,
  ? 2 => bstr,
  ? 3 => tstr / int,
  ? 4 => [+ tstr / int],
  ? 5 => bstr,
  * comid.cose-label => comid.cose-value,
}
comid.cose-label = int / tstr
comid.cose-value = any
comid.coswid-triple-record = [
  comid.environment-map,
  [+ comid.concise-swid-tag-id],
]
comid.concise-swid-tag-id = text / bstr .size 16
comid.$crypto-key-type-choice /= comid.tagged-pkix-base64-key-type \
/ comid.tagged-pkix-base64-cert-type / comid.tagged-pkix-base64-cert\
-path-type / comid.tagged-cose-key-type / comid.tagged-pkix-asn1der-\
cert-type / comid.tagged-key-thumbprint-type / comid.tagged-cert-\
thumbprint-type / comid.tagged-cert-path-thumbprint-type / comid.\
                                                         tagged-bytes
comid.tagged-pkix-base64-key-type = #6.554(tstr)
comid.tagged-pkix-base64-cert-type = #6.555(tstr)
comid.tagged-pkix-base64-cert-path-type = #6.556(tstr)
comid.tagged-key-thumbprint-type = #6.557(comid.digest)
comid.tagged-cose-key-type = #6.558(comid.COSE_Key)
comid.tagged-cert-thumbprint-type = #6.559(comid.digest)
comid.tagged-cert-path-thumbprint-type = #6.561(comid.digest)
comid.tagged-pkix-asn1der-cert-type = #6.562(bstr)
comid.domain-dependency-triple-record = [
  comid.domain-type,
  [+ comid.domain-type],
]
comid.domain-membership-triple-record = [
  domain-id: comid.domain-type,
  members: [+ comid.domain-type],
]
comid.conditional-endorsement-triple-record = [
  conditions: [+ comid.stateful-environment-record],
  endorsements: [+ comid.endorsed-triple-record],
]
comid.domain-type = comid.environment-map
comid.endorsed-triple-record = [
  condition: comid.environment-map,
  endorsement: [+ comid.measurement-map],
]
comid.entity-map<role-type-choice, extension-socket> = {
    &(entity-name: 0) => comid.$entity-name-type-choice,
    ? &(reg-id: 1) => uri,
    &(role: 2) => [+ role-type-choice],
    * extension-socket,
}
comid.$entity-name-type-choice /= text
comid.environment-map = comid.non-empty<{
    ? &(class: 0) => comid.class-map,
    ? &(instance: 1) => comid.$instance-id-type-choice,
    ? &(group: 2) => comid.$group-id-type-choice,
}>
comid.flags-map = {
  ? &(is-configured: 0) => bool,
  ? &(is-secure: 1) => bool,
  ? &(is-recovery: 2) => bool,
  ? &(is-debug: 3) => bool,
  ? &(is-replay-protected: 4) => bool,
  ? &(is-integrity-protected: 5) => bool,
  ? &(is-runtime-meas: 6) => bool,
  ? &(is-immutable: 7) => bool,
  ? &(is-tcb: 8) => bool,
  ? &(is-confidentiality-protected: 9) => bool,
  * $$flags-map-extension,
}
comid.$group-id-type-choice /= comid.tagged-uuid-type / comid.tagged\
                                                               -bytes
comid.identity-triple-record = [
  environment: comid.environment-map,
  key-list: [+ comid.$crypto-key-type-choice],
  ? conditions: comid.non-empty<{
            ? &(mkey: 0) => comid.$measured-element-type-choice,
            ? &(authorized-by: 1) => [+ comid.$crypto-key-type-\
                                                             choice],
}>,
]
comid.$instance-id-type-choice /= comid.tagged-ueid-type / comid.\
tagged-uuid-type / comid.tagged-bytes / comid.tagged-pkix-base64-key\
-type / comid.tagged-pkix-base64-cert-type / comid.tagged-cose-key-\
type / comid.tagged-key-thumbprint-type / comid.tagged-cert-\
                thumbprint-type / comid.tagged-pkix-asn1der-cert-type
comid.ip-addr-type-choice = comid.ip4-addr-type / comid.ip6-addr-type
comid.ip4-addr-type = bytes .size 4
comid.ip6-addr-type = bytes .size 16
comid.int-range-type-choice = int / comid.tagged-int-range
comid.int-range = [
  min: int / comid.negative-inf,
  max: int / comid.positive-inf,
]
comid.tagged-int-range = #6.564(comid.int-range)
comid.positive-inf = null
comid.negative-inf = null
comid.linked-tag-map = {
  &(linked-tag-id: 0) => comid.$tag-id-type-choice,
  &(tag-rel: 1) => comid.$tag-rel-type-choice,
}
comid.mac-addr-type-choice = comid.eui48-addr-type / comid.eui64-\
                                                            addr-type
comid.eui48-addr-type = bytes .size 6
comid.eui64-addr-type = bytes .size 8
comid.$measured-element-type-choice /= comid.tagged-oid-type / comid\
                                      .tagged-uuid-type / uint / tstr
comid.measurement-map = {
  ? &(mkey: 0) => comid.$measured-element-type-choice,
  &(mval: 1) => comid.measurement-values-map,
  ? &(authorized-by: 2) => [+ comid.$crypto-key-type-choice],
}
comid.measurement-values-map = comid.non-empty<{
    ? &(version: 0) => comid.version-map,
    ? &(svn: 1) => comid.svn-type-choice,
    ? &(digests: 2) => comid.digests-type,
    ? &(flags: 3) => comid.flags-map,
    ? (
                  &(raw-value: 4) => comid.$raw-value-type-choice,
                  ? &(raw-value-mask-DEPRECATED: 5) => comid.raw-\
                                                     value-mask-type,
          ),
    ? &(mac-addr: 6) => comid.mac-addr-type-choice,
    ? &(ip-addr: 7) => comid.ip-addr-type-choice,
    ? &(serial-number: 8) => text,
    ? &(ueid: 9) => comid.ueid-type,
    ? &(uuid: 10) => comid.uuid-type,
    ? &(name: 11) => text,
    ? &(cryptokeys: 13) => [+ comid.$crypto-key-type-choice],
    ? &(integrity-registers: 14) => comid.integrity-registers,
    ? &(int-range: 15) => comid.int-range-type-choice,
    * $$measurement-values-map-extension,
}>
comid.non-empty<M> = M .and ({+ any => any})
comid.oid-type = bytes
comid.tagged-oid-type = #6.111(comid.oid-type)
comid.$raw-value-type-choice /= comid.tagged-bytes / comid.tagged-\
                                                     masked-raw-value
comid.raw-value-mask-type = bytes
comid.tagged-masked-raw-value = #6.563([
    value: bytes,
    mask: bytes,
])
comid.reference-triple-record = [
  ref-env: comid.environment-map,
  ref-claims: [+ comid.measurement-map],
]
comid.stateful-environment-record = [
  environment: comid.environment-map,
  claims-list: [+ comid.measurement-map],
]
comid.svn-type = uint
comid.svn = comid.svn-type
comid.min-svn = comid.svn-type
comid.tagged-svn = #6.552(comid.svn)
comid.tagged-min-svn = #6.553(comid.min-svn)
comid.svn-type-choice = comid.svn / comid.tagged-svn / comid.tagged-\
                                                              min-svn
comid.$tag-id-type-choice /= tstr / comid.uuid-type
comid.tag-identity-map = {
  &(tag-id: 0) => comid.$tag-id-type-choice,
  ? &(tag-version: 1) => comid.tag-version-type,
}
comid.$tag-rel-type-choice /= &(supplements: 0) / &(replaces: 1)
comid.tag-version-type = uint .default 0
comid.tagged-bytes = #6.560(bytes)
comid.triples-map = comid.non-empty<{
    ? &(reference-triples: 0) => [+ comid.reference-triple-record],
    ? &(endorsed-triples: 1) => [+ comid.endorsed-triple-record],
    ? &(identity-triples: 2) => [+ comid.identity-triple-record],
    ? &(attest-key-triples: 3) => [+ comid.attest-key-triple-record],
    ? &(dependency-triples: 4) => [+ comid.domain-dependency-triple-\
                                                             record],
    ? &(membership-triples: 5) => [+ comid.domain-membership-triple-\
                                                             record],
    ? &(coswid-triples: 6) => [+ comid.coswid-triple-record],
    ? &(conditional-endorsement-series-triples: 8) => [+ comid.\
                       conditional-endorsement-series-triple-record],
    ? &(conditional-endorsement-triples: 10) => [+ comid.conditional\
                                         -endorsement-triple-record],
    * $$triples-map-extension,
}>
comid.ueid-type = bytes .size (7 .. 33)
comid.tagged-ueid-type = #6.550(comid.ueid-type)
comid.uuid-type = bytes .size 16
comid.tagged-uuid-type = #6.37(comid.uuid-type)
comid.version-map = {
  &(version: 0) => text,
  ? &(version-scheme: 1) => comid.$version-scheme,
}
comid.digest = [
  alg: int / text,
  val: bytes,
]
comid.digests-type = [+ comid.digest]
comid.integrity-register-id-type-choice = uint / text
comid.integrity-registers = {+ comid.integrity-register-id-type-\
                                        choice => comid.digests-type}
comid.concise-swid-tag = {
  comid.tag-id => text / bstr .size 16,
  comid.tag-version => integer,
  ? comid.corpus => bool,
  ? comid.patch => bool,
  ? comid.supplemental => bool,
  comid.software-name => text,
  ? comid.software-version => text,
  ? comid.version-scheme => comid.$version-scheme,
  ? comid.media => text,
  ? comid.software-meta => comid.one-or-more<comid.software-meta-\
                                                              entry>,
  comid.entity => comid.one-or-more<comid.entity-entry>,
  ? comid.link => comid.one-or-more<comid.link-entry>,
  ? comid.payload-or-evidence,
  * $$coswid-extension,
  comid.global-attributes,
}
comid.payload-or-evidence //= (comid.payload => comid.payload-entry \
                           // comid.evidence => comid.evidence-entry)
comid.any-uri = uri
comid.label = text / int
comid.$version-scheme /= comid.multipartnumeric / comid.\
multipartnumeric-suffix / comid.alphanumeric / comid.decimal / comid\
                                                 .semver / int / text
comid.any-attribute = (comid.label => comid.one-or-more<text> / \
                                              comid.one-or-more<int>)
comid.one-or-more<T> = T / [2*T]
comid.global-attributes = (
  ? comid.lang => text,
  * comid.any-attribute,
  )
comid.hash-entry = [
  hash-alg-id: int,
  hash-value: bytes,
]
comid.entity-entry = {
  comid.entity-name => text,
  ? comid.reg-id => comid.any-uri,
  comid.role => comid.one-or-more<comid.$role>,
  ? comid.thumbprint => comid.hash-entry,
  * $$entity-extension,
  comid.global-attributes,
}
comid.$role /= comid.tag-creator / comid.software-creator / comid.\
aggregator / comid.distributor / comid.licensor / comid.maintainer \
                                                         / int / text
comid.link-entry = {
  ? comid.artifact => text,
  comid.href => comid.any-uri,
  ? comid.media => text,
  ? comid.ownership => comid.$ownership,
  comid.rel => comid.$rel,
  ? comid.media-type => text,
  ? comid.use => comid.$use,
  * $$link-extension,
  comid.global-attributes,
}
comid.$ownership /= comid.shared / comid.private / comid.abandon / \
                                                           int / text
comid.$rel /= comid.ancestor / comid.component / comid.feature / \
comid.installationmedia / comid.packageinstaller / comid.parent / \
comid.patches / comid.requires / comid.see-also / comid.supersedes \
                          / comid.supplemental / -256 .. 64436 / text
comid.$use /= comid.optional / comid.required / comid.recommended / \
                                                           int / text
comid.software-meta-entry = {
  ? comid.activation-status => text,
  ? comid.channel-type => text,
  ? comid.colloquial-version => text,
  ? comid.description => text,
  ? comid.edition => text,
  ? comid.entitlement-data-required => bool,
  ? comid.entitlement-key => text,
  ? comid.generator => text / bstr .size 16,
  ? comid.persistent-id => text,
  ? comid.product => text,
  ? comid.product-family => text,
  ? comid.revision => text,
  ? comid.summary => text,
  ? comid.unspsc-code => text,
  ? comid.unspsc-version => text,
  * $$software-meta-extension,
  comid.global-attributes,
}
comid.path-elements-group = (
  ? comid.directory => comid.one-or-more<comid.directory-entry>,
  ? comid.file => comid.one-or-more<comid.file-entry>,
  )
comid.resource-collection = (
  comid.path-elements-group,
  ? comid.process => comid.one-or-more<comid.process-entry>,
  ? comid.resource => comid.one-or-more<comid.resource-entry>,
  * $$resource-collection-extension,
  )
comid.file-entry = {
  comid.filesystem-item,
  ? comid.size => uint,
  ? comid.file-version => text,
  ? comid.hash => comid.hash-entry,
  * $$file-extension,
  comid.global-attributes,
}
comid.directory-entry = {
  comid.filesystem-item,
  ? comid.path-elements => {comid.path-elements-group},
  * $$directory-extension,
  comid.global-attributes,
}
comid.process-entry = {
  comid.process-name => text,
  ? comid.pid => integer,
  * $$process-extension,
  comid.global-attributes,
}
comid.resource-entry = {
  comid.type => text,
  * $$resource-extension,
  comid.global-attributes,
}
comid.filesystem-item = (
  ? comid.key => bool,
  ? comid.location => text,
  comid.fs-name => text,
  ? comid.root => text,
  )
comid.payload-entry = {
  comid.resource-collection,
  * $$payload-extension,
  comid.global-attributes,
}
comid.evidence-entry = {
  comid.resource-collection,
  ? comid.date => comid.integer-time,
  ? comid.device-id => text,
  ? comid.location => text,
  * $$evidence-extension,
  comid.global-attributes,
}
comid.integer-time = #6.1(int)
comid.tag-id = 0
comid.software-name = 1
comid.entity = 2
comid.evidence = 3
comid.link = 4
comid.software-meta = 5
comid.payload = 6
comid.hash = 7
comid.corpus = 8
comid.patch = 9
comid.media = 10
comid.supplemental = 11
comid.tag-version = 12
comid.software-version = 13
comid.version-scheme = 14
comid.lang = 15
comid.directory = 16
comid.file = 17
comid.process = 18
comid.resource = 19
comid.size = 20
comid.file-version = 21
comid.key = 22
comid.location = 23
comid.fs-name = 24
comid.root = 25
comid.path-elements = 26
comid.process-name = 27
comid.pid = 28
comid.type = 29
comid.entity-name = 31
comid.reg-id = 32
comid.role = 33
comid.thumbprint = 34
comid.date = 35
comid.device-id = 36
comid.artifact = 37
comid.href = 38
comid.ownership = 39
comid.rel = 40
comid.media-type = 41
comid.use = 42
comid.activation-status = 43
comid.channel-type = 44
comid.colloquial-version = 45
comid.description = 46
comid.edition = 47
comid.entitlement-data-required = 48
comid.entitlement-key = 49
comid.generator = 50
comid.persistent-id = 51
comid.product = 52
comid.product-family = 53
comid.revision = 54
comid.summary = 55
comid.unspsc-code = 56
comid.unspsc-version = 57
comid.multipartnumeric = 1
comid.multipartnumeric-suffix = 2
comid.alphanumeric = 3
comid.decimal = 4
comid.semver = 16384
comid.tag-creator = 1
comid.software-creator = 2
comid.aggregator = 3
comid.distributor = 4
comid.licensor = 5
comid.maintainer = 6
comid.abandon = 1
comid.private = 2
comid.shared = 3
comid.ancestor = 1
comid.component = 2
comid.feature = 3
comid.installationmedia = 4
comid.packageinstaller = 5
comid.parent = 6
comid.patches = 7
comid.requires = 8
comid.see-also = 9
comid.supersedes = 10
comid.optional = 1
comid.required = 2
comid.recommended = 3
corim.corim = corim.concise-rim-type-choice
corim.concise-rim-type-choice /= corim.tagged-unsigned-corim-map / \
                                                   corim.signed-corim
corim.concise-tl-tag = {
  &(tag-identity: 0) => corim.tag-identity-map,
  &(tags-list: 1) => [+ corim.tag-identity-map],
  &(tl-validity: 2) => corim.validity-map,
}
corim.$concise-tag-type-choice /= corim.tagged-concise-swid-tag / \
           corim.tagged-concise-mid-tag / corim.tagged-concise-tl-tag
corim.corim-entity-map = corim.entity-map<corim.$corim-role-type-\
                                choice, $$corim-entity-map-extension>
corim.$corim-id-type-choice /= tstr / corim.uuid-type
corim.corim-locator-map = {
  &(href: 0) => uri / [+ uri],
  ? &(thumbprint: 1) => corim.digest / [corim.digest],
}
corim.corim-map = {
  &(id: 0) => corim.$corim-id-type-choice,
  &(tags: 1) => [+ corim.$concise-tag-type-choice],
  ? &(dependent-rims: 2) => [+ corim.corim-locator-map],
  ? &(profile: 3) => corim.$profile-type-choice,
  ? &(rim-validity: 4) => corim.validity-map,
  ? &(entities: 5) => [+ corim.corim-entity-map],
  * $$corim-map-extension,
}
corim.unsigned-corim-map = corim.corim-map
corim.corim-meta-map = {
  &(signer: 0) => corim.corim-signer-map,
  ? &(signature-validity: 1) => corim.validity-map,
}
corim.$corim-role-type-choice /= &(manifest-creator: 1) / &(manifest\
                                                          -signer: 2)
corim.corim-signer-map = {
  &(signer-name: 0) => corim.$entity-name-type-choice,
  ? &(signer-uri: 1) => uri,
  * $$corim-signer-map-extension,
}
corim.COSE-Sign1-corim = [
  protected: bstr .cbor corim.protected-corim-header-map,
  unprotected: corim.unprotected-corim-header-map,
  payload: bstr .cbor corim.tagged-unsigned-corim-map,
  signature: bstr,
]
corim.$profile-type-choice /= uri / corim.tagged-oid-type
corim.cwt-claims = {
  &(iss: 1) => tstr,
  ? &(sub: 2) => tstr,
  ? &(exp: 4) => int / float,
  ? &(nbf: 5) => int / float,
  * int => any,
}
corim.protected-corim-header-map = {
  &(alg: 1) => int,
  &(content-type: 3) => "application/rim+cbor",
  corim.meta-group,
  * corim.cose-label => corim.cose-value,
}
corim.meta-group = ((
        corim.corim-meta-identity,
        ? corim.cwt-claims-identity,
      ) // corim.cwt-claims-identity)
corim.corim-meta-identity = (&(corim-meta: 8) => bstr .cbor corim.\
                                                      corim-meta-map)
corim.cwt-claims-identity = (&(CWT-Claims: 15) => corim.cwt-claims)
corim.signed-corim = #6.18(corim.COSE-Sign1-corim)
corim.tagged-concise-swid-tag = #6.505(bytes .cbor corim.concise-\
                                                            swid-tag)
corim.tagged-concise-mid-tag = #6.506(bytes .cbor corim.concise-mid-\
                                                                 tag)
corim.tagged-concise-tl-tag = #6.508(bytes .cbor corim.concise-tl-\
                                                                 tag)
corim.tagged-unsigned-corim-map = #6.501(corim.unsigned-corim-map)
corim.unprotected-corim-header-map = {* corim.cose-label => corim.\
                                                          cose-value}
corim.validity-map = {
  ? &(not-before: 0) => time,
  &(not-after: 1) => time,
}
corim.concise-mid-tag = {
  ? &(language: 0) => text,
  &(tag-identity: 1) => corim.tag-identity-map,
  ? &(entities: 2) => [+ corim.comid-entity-map],
  ? &(linked-tags: 3) => [+ corim.linked-tag-map],
  &(triples: 4) => corim.triples-map,
  * $$concise-mid-tag-extension,
}
corim.attest-key-triple-record = [
  environment: corim.environment-map,
  key-list: [+ corim.$crypto-key-type-choice],
  ? conditions: corim.non-empty<{
            ? &(mkey: 0) => corim.$measured-element-type-choice,
            ? &(authorized-by: 1) => [+ corim.$crypto-key-type-\
                                                             choice],
}>,
]
corim.$class-id-type-choice /= corim.tagged-oid-type / corim.tagged-\
                                       uuid-type / corim.tagged-bytes
corim.class-map = corim.non-empty<{
    ? &(class-id: 0) => corim.$class-id-type-choice,
    ? &(vendor: 1) => tstr,
    ? &(model: 2) => tstr,
    ? &(layer: 3) => uint,
    ? &(index: 4) => uint,
}>
corim.comid-entity-map = corim.entity-map<corim.$comid-role-type-\
                                choice, $$comid-entity-map-extension>
corim.$comid-role-type-choice /= &(tag-creator: 0) / &(creator: 1) \
                                                   / &(maintainer: 2)
corim.conditional-endorsement-series-triple-record = [
  condition: corim.stateful-environment-record,
  series: [+ corim.conditional-series-record],
]
corim.conditional-series-record = [
  selection: [+ corim.measurement-map],
  addition: [+ corim.measurement-map],
]
corim.COSE_Key = {
  1 => tstr / int,
  ? 2 => bstr,
  ? 3 => tstr / int,
  ? 4 => [+ tstr / int],
  ? 5 => bstr,
  * corim.cose-label => corim.cose-value,
}
corim.cose-label = int / tstr
corim.cose-value = any
corim.coswid-triple-record = [
  corim.environment-map,
  [+ corim.concise-swid-tag-id],
]
corim.concise-swid-tag-id = text / bstr .size 16
corim.$crypto-key-type-choice /= corim.tagged-pkix-base64-key-type \
/ corim.tagged-pkix-base64-cert-type / corim.tagged-pkix-base64-cert\
-path-type / corim.tagged-cose-key-type / corim.tagged-pkix-asn1der-\
cert-type / corim.tagged-key-thumbprint-type / corim.tagged-cert-\
thumbprint-type / corim.tagged-cert-path-thumbprint-type / corim.\
                                                         tagged-bytes
corim.tagged-pkix-base64-key-type = #6.554(tstr)
corim.tagged-pkix-base64-cert-type = #6.555(tstr)
corim.tagged-pkix-base64-cert-path-type = #6.556(tstr)
corim.tagged-key-thumbprint-type = #6.557(corim.digest)
corim.tagged-cose-key-type = #6.558(corim.COSE_Key)
corim.tagged-cert-thumbprint-type = #6.559(corim.digest)
corim.tagged-cert-path-thumbprint-type = #6.561(corim.digest)
corim.tagged-pkix-asn1der-cert-type = #6.562(bstr)
corim.domain-dependency-triple-record = [
  corim.domain-type,
  [+ corim.domain-type],
]
corim.domain-membership-triple-record = [
  domain-id: corim.domain-type,
  members: [+ corim.domain-type],
]
corim.conditional-endorsement-triple-record = [
  conditions: [+ corim.stateful-environment-record],
  endorsements: [+ corim.endorsed-triple-record],
]
corim.domain-type = corim.environment-map
corim.endorsed-triple-record = [
  condition: corim.environment-map,
  endorsement: [+ corim.measurement-map],
]
corim.entity-map<role-type-choice, extension-socket> = {
    &(entity-name: 0) => corim.$entity-name-type-choice,
    ? &(reg-id: 1) => uri,
    &(role: 2) => [+ role-type-choice],
    * extension-socket,
}
corim.$entity-name-type-choice /= text
corim.environment-map = corim.non-empty<{
    ? &(class: 0) => corim.class-map,
    ? &(instance: 1) => corim.$instance-id-type-choice,
    ? &(group: 2) => corim.$group-id-type-choice,
}>
corim.flags-map = {
  ? &(is-configured: 0) => bool,
  ? &(is-secure: 1) => bool,
  ? &(is-recovery: 2) => bool,
  ? &(is-debug: 3) => bool,
  ? &(is-replay-protected: 4) => bool,
  ? &(is-integrity-protected: 5) => bool,
  ? &(is-runtime-meas: 6) => bool,
  ? &(is-immutable: 7) => bool,
  ? &(is-tcb: 8) => bool,
  ? &(is-confidentiality-protected: 9) => bool,
  * $$flags-map-extension,
}
corim.$group-id-type-choice /= corim.tagged-uuid-type / corim.tagged\
                                                               -bytes
corim.identity-triple-record = [
  environment: corim.environment-map,
  key-list: [+ corim.$crypto-key-type-choice],
  ? conditions: corim.non-empty<{
            ? &(mkey: 0) => corim.$measured-element-type-choice,
            ? &(authorized-by: 1) => [+ corim.$crypto-key-type-\
                                                             choice],
}>,
]
corim.$instance-id-type-choice /= corim.tagged-ueid-type / corim.\
tagged-uuid-type / corim.tagged-bytes / corim.tagged-pkix-base64-key\
-type / corim.tagged-pkix-base64-cert-type / corim.tagged-cose-key-\
type / corim.tagged-key-thumbprint-type / corim.tagged-cert-\
                thumbprint-type / corim.tagged-pkix-asn1der-cert-type
corim.ip-addr-type-choice = corim.ip4-addr-type / corim.ip6-addr-type
corim.ip4-addr-type = bytes .size 4
corim.ip6-addr-type = bytes .size 16
corim.int-range-type-choice = int / corim.tagged-int-range
corim.int-range = [
  min: int / corim.negative-inf,
  max: int / corim.positive-inf,
]
corim.tagged-int-range = #6.564(corim.int-range)
corim.positive-inf = null
corim.negative-inf = null
corim.linked-tag-map = {
  &(linked-tag-id: 0) => corim.$tag-id-type-choice,
  &(tag-rel: 1) => corim.$tag-rel-type-choice,
}
corim.mac-addr-type-choice = corim.eui48-addr-type / corim.eui64-\
                                                            addr-type
corim.eui48-addr-type = bytes .size 6
corim.eui64-addr-type = bytes .size 8
corim.$measured-element-type-choice /= corim.tagged-oid-type / corim\
                                      .tagged-uuid-type / uint / tstr
corim.measurement-map = {
  ? &(mkey: 0) => corim.$measured-element-type-choice,
  &(mval: 1) => corim.measurement-values-map,
  ? &(authorized-by: 2) => [+ corim.$crypto-key-type-choice],
}
corim.measurement-values-map = corim.non-empty<{
    ? &(version: 0) => corim.version-map,
    ? &(svn: 1) => corim.svn-type-choice,
    ? &(digests: 2) => corim.digests-type,
    ? &(flags: 3) => corim.flags-map,
    ? (
                  &(raw-value: 4) => corim.$raw-value-type-choice,
                  ? &(raw-value-mask-DEPRECATED: 5) => corim.raw-\
                                                     value-mask-type,
          ),
    ? &(mac-addr: 6) => corim.mac-addr-type-choice,
    ? &(ip-addr: 7) => corim.ip-addr-type-choice,
    ? &(serial-number: 8) => text,
    ? &(ueid: 9) => corim.ueid-type,
    ? &(uuid: 10) => corim.uuid-type,
    ? &(name: 11) => text,
    ? &(cryptokeys: 13) => [+ corim.$crypto-key-type-choice],
    ? &(integrity-registers: 14) => corim.integrity-registers,
    ? &(int-range: 15) => corim.int-range-type-choice,
    * $$measurement-values-map-extension,
}>
corim.non-empty<M> = M .and ({+ any => any})
corim.oid-type = bytes
corim.tagged-oid-type = #6.111(corim.oid-type)
corim.$raw-value-type-choice /= corim.tagged-bytes / corim.tagged-\
                                                     masked-raw-value
corim.raw-value-mask-type = bytes
corim.tagged-masked-raw-value = #6.563([
    value: bytes,
    mask: bytes,
])
corim.reference-triple-record = [
  ref-env: corim.environment-map,
  ref-claims: [+ corim.measurement-map],
]
corim.stateful-environment-record = [
  environment: corim.environment-map,
  claims-list: [+ corim.measurement-map],
]
corim.svn-type = uint
corim.svn = corim.svn-type
corim.min-svn = corim.svn-type
corim.tagged-svn = #6.552(corim.svn)
corim.tagged-min-svn = #6.553(corim.min-svn)
corim.svn-type-choice = corim.svn / corim.tagged-svn / corim.tagged-\
                                                              min-svn
corim.$tag-id-type-choice /= tstr / corim.uuid-type
corim.tag-identity-map = {
  &(tag-id: 0) => corim.$tag-id-type-choice,
  ? &(tag-version: 1) => corim.tag-version-type,
}
corim.$tag-rel-type-choice /= &(supplements: 0) / &(replaces: 1)
corim.tag-version-type = uint .default 0
corim.tagged-bytes = #6.560(bytes)
corim.triples-map = corim.non-empty<{
    ? &(reference-triples: 0) => [+ corim.reference-triple-record],
    ? &(endorsed-triples: 1) => [+ corim.endorsed-triple-record],
    ? &(identity-triples: 2) => [+ corim.identity-triple-record],
    ? &(attest-key-triples: 3) => [+ corim.attest-key-triple-record],
    ? &(dependency-triples: 4) => [+ corim.domain-dependency-triple-\
                                                             record],
    ? &(membership-triples: 5) => [+ corim.domain-membership-triple-\
                                                             record],
    ? &(coswid-triples: 6) => [+ corim.coswid-triple-record],
    ? &(conditional-endorsement-series-triples: 8) => [+ corim.\
                       conditional-endorsement-series-triple-record],
    ? &(conditional-endorsement-triples: 10) => [+ corim.conditional\
                                         -endorsement-triple-record],
    * $$triples-map-extension,
}>
corim.ueid-type = bytes .size (7 .. 33)
corim.tagged-ueid-type = #6.550(corim.ueid-type)
corim.uuid-type = bytes .size 16
corim.tagged-uuid-type = #6.37(corim.uuid-type)
corim.version-map = {
  &(version: 0) => text,
  ? &(version-scheme: 1) => corim.$version-scheme,
}
corim.digest = [
  alg: int / text,
  val: bytes,
]
corim.digests-type = [+ corim.digest]
corim.integrity-register-id-type-choice = uint / text
corim.integrity-registers = {+ corim.integrity-register-id-type-\
                                        choice => corim.digests-type}
corim.concise-swid-tag = {
  corim.tag-id => text / bstr .size 16,
  corim.tag-version => integer,
  ? corim.corpus => bool,
  ? corim.patch => bool,
  ? corim.supplemental => bool,
  corim.software-name => text,
  ? corim.software-version => text,
  ? corim.version-scheme => corim.$version-scheme,
  ? corim.media => text,
  ? corim.software-meta => corim.one-or-more<corim.software-meta-\
                                                              entry>,
  corim.entity => corim.one-or-more<corim.entity-entry>,
  ? corim.link => corim.one-or-more<corim.link-entry>,
  ? corim.payload-or-evidence,
  * $$coswid-extension,
  corim.global-attributes,
}
corim.payload-or-evidence //= (corim.payload => corim.payload-entry \
                           // corim.evidence => corim.evidence-entry)
corim.any-uri = uri
corim.label = text / int
corim.$version-scheme /= corim.multipartnumeric / corim.\
multipartnumeric-suffix / corim.alphanumeric / corim.decimal / corim\
                                                 .semver / int / text
corim.any-attribute = (corim.label => corim.one-or-more<text> / \
                                              corim.one-or-more<int>)
corim.one-or-more<T> = T / [2*T]
corim.global-attributes = (
  ? corim.lang => text,
  * corim.any-attribute,
  )
corim.hash-entry = [
  hash-alg-id: int,
  hash-value: bytes,
]
corim.entity-entry = {
  corim.entity-name => text,
  ? corim.reg-id => corim.any-uri,
  corim.role => corim.one-or-more<corim.$role>,
  ? corim.thumbprint => corim.hash-entry,
  * $$entity-extension,
  corim.global-attributes,
}
corim.$role /= corim.tag-creator / corim.software-creator / corim.\
aggregator / corim.distributor / corim.licensor / corim.maintainer \
                                                         / int / text
corim.link-entry = {
  ? corim.artifact => text,
  corim.href => corim.any-uri,
  ? corim.media => text,
  ? corim.ownership => corim.$ownership,
  corim.rel => corim.$rel,
  ? corim.media-type => text,
  ? corim.use => corim.$use,
  * $$link-extension,
  corim.global-attributes,
}
corim.$ownership /= corim.shared / corim.private / corim.abandon / \
                                                           int / text
corim.$rel /= corim.ancestor / corim.component / corim.feature / \
corim.installationmedia / corim.packageinstaller / corim.parent / \
corim.patches / corim.requires / corim.see-also / corim.supersedes \
                          / corim.supplemental / -256 .. 64436 / text
corim.$use /= corim.optional / corim.required / corim.recommended / \
                                                           int / text
corim.software-meta-entry = {
  ? corim.activation-status => text,
  ? corim.channel-type => text,
  ? corim.colloquial-version => text,
  ? corim.description => text,
  ? corim.edition => text,
  ? corim.entitlement-data-required => bool,
  ? corim.entitlement-key => text,
  ? corim.generator => text / bstr .size 16,
  ? corim.persistent-id => text,
  ? corim.product => text,
  ? corim.product-family => text,
  ? corim.revision => text,
  ? corim.summary => text,
  ? corim.unspsc-code => text,
  ? corim.unspsc-version => text,
  * $$software-meta-extension,
  corim.global-attributes,
}
corim.path-elements-group = (
  ? corim.directory => corim.one-or-more<corim.directory-entry>,
  ? corim.file => corim.one-or-more<corim.file-entry>,
  )
corim.resource-collection = (
  corim.path-elements-group,
  ? corim.process => corim.one-or-more<corim.process-entry>,
  ? corim.resource => corim.one-or-more<corim.resource-entry>,
  * $$resource-collection-extension,
  )
corim.file-entry = {
  corim.filesystem-item,
  ? corim.size => uint,
  ? corim.file-version => text,
  ? corim.hash => corim.hash-entry,
  * $$file-extension,
  corim.global-attributes,
}
corim.directory-entry = {
  corim.filesystem-item,
  ? corim.path-elements => {corim.path-elements-group},
  * $$directory-extension,
  corim.global-attributes,
}
corim.process-entry = {
  corim.process-name => text,
  ? corim.pid => integer,
  * $$process-extension,
  corim.global-attributes,
}
corim.resource-entry = {
  corim.type => text,
  * $$resource-extension,
  corim.global-attributes,
}
corim.filesystem-item = (
  ? corim.key => bool,
  ? corim.location => text,
  corim.fs-name => text,
  ? corim.root => text,
  )
corim.payload-entry = {
  corim.resource-collection,
  * $$payload-extension,
  corim.global-attributes,
}
corim.evidence-entry = {
  corim.resource-collection,
  ? corim.date => corim.integer-time,
  ? corim.device-id => text,
  ? corim.location => text,
  * $$evidence-extension,
  corim.global-attributes,
}
corim.integer-time = #6.1(int)
corim.tag-id = 0
corim.software-name = 1
corim.entity = 2
corim.evidence = 3
corim.link = 4
corim.software-meta = 5
corim.payload = 6
corim.hash = 7
corim.corpus = 8
corim.patch = 9
corim.media = 10
corim.supplemental = 11
corim.tag-version = 12
corim.software-version = 13
corim.version-scheme = 14
corim.lang = 15
corim.directory = 16
corim.file = 17
corim.process = 18
corim.resource = 19
corim.size = 20
corim.file-version = 21
corim.key = 22
corim.location = 23
corim.fs-name = 24
corim.root = 25
corim.path-elements = 26
corim.process-name = 27
corim.pid = 28
corim.type = 29
corim.entity-name = 31
corim.reg-id = 32
corim.role = 33
corim.thumbprint = 34
corim.date = 35
corim.device-id = 36
corim.artifact = 37
corim.href = 38
corim.ownership = 39
corim.rel = 40
corim.media-type = 41
corim.use = 42
corim.activation-status = 43
corim.channel-type = 44
corim.colloquial-version = 45
corim.description = 46
corim.edition = 47
corim.entitlement-data-required = 48
corim.entitlement-key = 49
corim.generator = 50
corim.persistent-id = 51
corim.product = 52
corim.product-family = 53
corim.revision = 54
corim.summary = 55
corim.unspsc-code = 56
corim.unspsc-version = 57
corim.multipartnumeric = 1
corim.multipartnumeric-suffix = 2
corim.alphanumeric = 3
corim.decimal = 4
corim.semver = 16384
corim.tag-creator = 1
corim.software-creator = 2
corim.aggregator = 3
corim.distributor = 4
corim.licensor = 5
corim.maintainer = 6
corim.abandon = 1
corim.private = 2
corim.shared = 3
corim.ancestor = 1
corim.component = 2
corim.feature = 3
corim.installationmedia = 4
corim.packageinstaller = 5
corim.parent = 6
corim.patches = 7
corim.requires = 8
corim.see-also = 9
corim.supersedes = 10
corim.optional = 1
corim.required = 2
corim.recommended = 3
coswid.tag-id = 0
]]></artwork>
      </section>
      <section anchor="collated-cddl-discovery">
        <name>API Discovery Data Model</name>
        <artwork><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

coserv-well-known-info = {
  version-label => version,
  capabilities-label => [+ capability],
  api-endpoints-label => {+ tstr => tstr},
  ? result-verification-key-label => eat.JC<jwk.JWK_Set, cose.\
                                                        COSE_KeySet>,
}
version-label = eat.JC<"version", 1>
capabilities-label = eat.JC<"capabilities", 2>
api-endpoints-label = eat.JC<"api-endpoints", 3>
result-verification-key-label = eat.JC<"result-verification-key", 4>
version = tstr
capability = {
  media-type-label => cmw.media-type,
  artifact-support-label => artifact-support,
}
media-type-label = eat.JC<"media-type", 1>
artifact-support-label = eat.JC<"artifact-support", 2>
non-empty-array<M> = M .and ([+ any])
artifact-support = non-empty-array<[
    ? "source",
    ? "collected",
    ? "rims",
]>
cmw.start = cmw.cmw
cmw.cmw = cmw.json-cmw / cmw.cbor-cmw
cmw.json-cmw = cmw.json-record / cmw.json-collection
cmw.cbor-cmw = cmw.cbor-record / cmw.cbor-collection / cmw.$cbor-tag
cmw.json-record = [
  type: cmw.media-type,
  value: cmw.base64url-string,
  ? ind: uint .bits cmw.cm-type,
]
cmw.cbor-record = [
  type: cmw.coap-content-format-type / cmw.media-type,
  value: bytes,
  ? ind: uint .bits cmw.cm-type,
]
cmw.tag-cm-cbor<tn, fmt> = #6.<tn>(bytes .cbor fmt)
cmw.tag-cm-data<tn> = #6.<tn>(bytes)
cmw.json-collection = {
  ? __cmwc_t: ~uri / cmw.oid,
  + &(label: text) => cmw.json-cmw,
}
cmw.cbor-collection = {
  ? __cmwc_t: ~uri / cmw.oid,
  + &(label: int / text) => cmw.cbor-cmw,
}
cmw.media-type = text .abnf ("Content-Type" .cat cmw.Content-Type-\
                                                                ABNF)
cmw.base64url-string = text .regexp "[A-Za-z0-9_-]+"
cmw.coap-content-format-type = uint .size 2
cmw.oid = text .regexp "([0-2])((\\.0)|(\\.[1-9][0-9]*))*"
cmw.cm-type = &(
  reference-values: 0,
  endorsements: 1,
  evidence: 2,
  attestation-results: 3,
  appraisal-policy: 4,
)
cmw.Content-Type-ABNF = '

Content-Type   = Media-Type-Name *( *SP ";" *SP parameter )
parameter      = token "=" ( token / quoted-string )

token          = 1*tchar
tchar          = "!" / "#" / "$" / "%" / "&" / "\'" / "*"
               / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
               / DIGIT / ALPHA
quoted-string  = %x22 *( qdtext / quoted-pair ) %x22
qdtext         = SP / %x21 / %x23-5B / %x5D-7E
quoted-pair    = "\\" ( SP / VCHAR )

Media-Type-Name = type-name "/" subtype-name

type-name = restricted-name
subtype-name = restricted-name

restricted-name = restricted-name-first *126restricted-name-chars
restricted-name-first  = ALPHA / DIGIT
restricted-name-chars  = ALPHA / DIGIT / "!" / "#" /
                         "$" / "&" / "-" / "^" / "_"
restricted-name-chars =/ "." ; Characters before first dot always
                             ; specify a facet name
restricted-name-chars =/ "+" ; Characters after last plus always
                             ; specify a structured syntax suffix

DIGIT     =  %x30-39           ; 0 - 9
POS-DIGIT =  %x31-39           ; 1 - 9
ALPHA     =  %x41-5A / %x61-7A ; A - Z / a - z
SP        =  %x20
VCHAR     =  %x21-7E           ; printable ASCII (no SP)
'
cmw.$cbor-tag /= cmw.tag-cm-data<1668612070> / cmw.tag-cm-cbor<\
                                         1668612069, cmw.my-evidence>
cmw.my-evidence = {&(eat_nonce: 10) => bytes .size (8 .. 64)}
jwk.JWK = {
  "kty" => tstr,
  ? "use" => tstr,
  ? "key_ops" => [* tstr],
  ? "alg" => tstr,
  ? "kid" => tstr,
  ? "x5u" => tstr,
  ? "x5c" => [* jwk.bytes-b64u],
  ? "x5t" => jwk.bytes-b64u,
  ? "x5t#S256" => jwk.bytes-b64u,
  ? jwk.RSA-Key-Fields,
  ? jwk.EC-Key-Fields,
  ? jwk.Symmetric-Key-Fields,
}
jwk.JWK_Set = [+ jwk.JWK]
jwk.RSA-Key-Fields = (
  "n" => jwk.bytes-b64u,
  "e" => jwk.bytes-b64u,
  ? "d" => jwk.bytes-b64u,
  ? "p" => jwk.bytes-b64u,
  ? "q" => jwk.bytes-b64u,
  ? "dp" => jwk.bytes-b64u,
  ? "dq" => jwk.bytes-b64u,
  ? "qi" => jwk.bytes-b64u,
  )
jwk.EC-Key-Fields = (
  "crv" => tstr,
  "x" => jwk.bytes-b64u,
  "y" => jwk.bytes-b64u,
  ? "d" => jwk.bytes-b64u,
  )
jwk.Symmetric-Key-Fields = ("k" => jwk.bytes-b64u)
jwk.bytes-b64u = tstr .b64u bytes
eat.JC<J, C> = eat.JSON-ONLY<J> / eat.CBOR-ONLY<C>
eat.JSON-ONLY<J> = J .feature "json"
eat.CBOR-ONLY<C> = C .feature "cbor"
cose.COSE_KeySet = [+ cose.COSE_Key]
cose.COSE_Key = {
  1 => tstr / int,
  ? 2 => bstr,
  ? 3 => tstr / int,
  ? 4 => [+ tstr / int],
  ? 5 => bstr,
  * cose.label => cose.values,
}
cose.label = int / tstr
cose.values = any
]]></artwork>
      </section>
    </section>
    <section anchor="openapi-schema">
      <name>OpenAPI Schema</name>
      <t>The OpenAPI schema for the request/response HTTP API described in <xref target="secrrapi"/> is provided below.</t>
      <artwork><![CDATA[
openapi: '3.0.0'

info:
  title: CoSERV HTTP API Binding
  description: CoSERV HTTP API Binding, including request-response
               and discovery
  version: '1.0.0alpha'
paths:
  /coserv/{query}:
    get:
      summary: Query the CoSERV endpoint.
      parameters:
        - in: path
          name: query
          schema:
            type: string
            format: base64url
          required: true
          description: base64url-encoded CoSERV query
      responses:
        '200':
          description: >
            A CoSERV result set has been successfully computed.
          content:
            application/coserv+cose:
              schema:
                type: string
                format: binary
                description: >
                  A CoSERV result set enveloped in a COSE Sign1
                  object.
        '400':
          description: >
            The request was malformed; e.g., the query was not valid
            base64url, or the CoSERV data item could not be
            successfully parsed.
          content:
            application/concise-problem-details+cbor:
              schema:
                type: string
                format: binary
                description: >
                  A CBOR-encoded problem details data item.
        '406':
          description: >
            The server cannot produce a response matching the list
            of acceptable values defined in the request's 'Accept'
            header field.  In particular, the client may have
            specified a CoSERV profile that is not understood or
            serviceable by the server.
          content:
            application/concise-problem-details+cbor:
              schema:
                type: string
                format: binary
                description: >
                  A CBOR-encoded problem details data item.
  /.well-known/coserv-configuration:
    get:
      summary: Retrieve the CoSERV configuration document.
      responses:
        '200':
          description: >
            The CoSERV configuration document has been successfully
            retrieved.
          content:
            application/coserv-discovery+json:
              schema:
                type: string
                format: binary
                description: >
                  A JSON-encoded CoSERV configuration document.
            application/coserv-discovery+cbor:
              schema:
                type: string
                format: binary
                description: >
                  A CBOR-encoded CoSERV configuration document.
]]></artwork>
    </section>
    <section anchor="locating-coserv-services">
      <name>Locating CoSERV Services</name>
      <t>CoSERV facilitates the conveyance of Endorsements and Reference Values to the Verifier.
The question of how the Verifier locates the CoSERV-enabled service(s) that it needs is beyond the scope of this specification.
But it is an important consideration for successful deployments.
When aggregators are used (see <xref target="secaggregation"/>), those might also need to locate upstream CoSERV-enabled services.
This non-normative appendix sets out some illustrative examples of how services might be located.
This list is neither exhaustive nor prescriptive.
Deployments are free to use whatever logistics are sensible.
Note that the goal here is solely one of bootstrapping.
Once the base URL of a suitable service is known, CoSERV provides in-protocol discovery mechanisms, such as the one described in <xref target="secrrapidisco"/>, which cater for the discovery of more specific API endpoints and capabilities.</t>
      <ul spacing="normal">
        <li>
          <t>Some CoSERV-enabled services might exist in locations that are documented publicly by supply chain actors.
A hardware vendor, for example, might document the base URL for the service that endorses their products.
In such a case, the location would be prior knowledge within the Verifier or aggregator that needs to consume the service.
It could be hard-coded, or made available via a configuration file.</t>
        </li>
        <li>
          <t>The locations of suitable services might be carried within the Evidence produced by an Attester.
An example would be a specific claim within an attestation report that is reserved and documented for this purpose.
As part of the verification process, the Verifier would process this claim and use it to locate the required service(s).</t>
        </li>
        <li>
          <t>Services could be located via Manufacturer Usage Description (MUD) files as per <xref target="I-D.ietf-iotops-mud-rats"/>.</t>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The participants in the "Staircase meeting" at FOSDEM '25:</t>
      <artwork><![CDATA[
@@@@#=+++==+=+++++==+++++++++=========-========================-=======
@@@@@@@@#+*++++=+++****#########+====================================-=
*+@@@@@@%@%@%=***#*########%#####*++===============================-===
%%%%%@@%#@*@@@%%%%##%%%####%%###%#%++++=+=+================--==========
%%%%%%@@@%#%@%@@%###%#%#%%%#%%%#%%####===%%%+==================-=======
%%%%%%%@%%##%%%%%####%++=+=++++*%*=#+*++++++%#=== Mathias Brossard ====
%%%@%%%%%%%%%%%@%%####*##**#***+%%#**=*==*==*%================-========
%%%%%%@%%%%%%%%%#@###**+==%**%###%#+*+++=*+=*%=========================
%%%%%%%%%%%#%%%#*%###%###@#**%##%@#*%#++=+*#*=======================-==
@@@@@@@@%@@@#%#%%####%##%%%**###**%#+++++++++++======================--
%%@@@@@@@@%%#%%#%#==+%##%+%+=**##*%#%@@%%%***+==============-===-===-=:
%-*@%@%%%%#%%%##%==--#**##+*@@%%#*#@@@%%%%%%@%##%%==----======----=---:
%%%@@%#**%%%%%##%---#%@@%%%##**@@@%%%%%%%%@@#***%%=...-== Thomas ==-::+
=###%@@%%%%%%#*+===%#%%##%*#@@@@%%%%%%%%@@%%*+*+#=..:==== Fossati =-:**
+**+#%@@@@@@@@@@@@####*+++*@@@@@%%%@%%%%%#@%=+=--.:====================
+++**+%%@@@@@@%%%%%%%@@+#++#@@%@%%%@%%%%%@#+=-:.:==++++++++++++++++++++
+=++*#%#%@@%%%%%%#%**@+#+-+-%#%*%%%###%%%%#%%++++********++++++++++++++
++++**###=*@%%%%%%%++%*%+*==%##*#%+###@@@@%%%#===++++* Yogesh ++ ++++++
++=+++#**+=@*@@@@%#++#==+=+-%##**#*=+@@@@@%%#*----===+ Deshpande =+=+==
==+**+###++%++**@%*++#====+*##*****@%@#%%##%%*-==========+++++===+=++++
*+++++###++%=++*%#**+%===*++##***++@@%#%@%%%@%###-:::===++=---=-----:==
%++=-=%###+#====****=#===+=*=##*+%*@@%%%%%%@@%*=++#--===*==+=-+==+=-+++
%==----###=%===++*++=%*=+=***@#+***@%%*@%%%##%*##*%%@+=+==+++++++++++++
#*++----##=@*=+=**+*=*++#+=%%#*##%#*+@%@@%%%%%**%@%@@+#+**#*#####***#*+
+*+++@**+#%=%=+++++*=#++#%#+*****##*+@+++%%%%%#@@@@@@=-====-----+**++++
+*+*=%%#**#%=%@%=#++=%+***++*********%%%@%%#-==*+===++===++++++++++++++
#+**++%@%**#%@@%+#+*+%++=+=+*##*****%%%##%==-==**-+====-----:---::::--=
%%***+#%@%**%%=#*#+++%=====+*****#*+*@@+====-==%#*+-.-..-==:==.-.:::...
##**++=@%%#*#%%++#**=%-====+%%+###+++%#=====-+=%%##**+------===::=---::
#***++=+%%%#*%%==#+-+---==+*%%#@@%%++##=====-==%%%%=*++== Paul =:---===
##***+===%%@##@#%#*#=----===+++=+##*+##=====-==%%%%=*=-.. Howard .:-===
##***++==%%%%+**#%%#++-#%====+++%*++==#=====-==%%%%%%+--.:.-::--+=--+=+
##***+=+=%@%%##%##+######=++*=%=---*=+*=====--+%%%%%%+#--:.:--+**#*####
****+++==+%%@@%%%#%*########-%%=-====+*=-===-=+%%%%%%+++++++++*********
*+****++=##%%@@@%%#%+###%###%#@#+=+++==--===-=+%%%%%#+=+++--..====----=
++**+=#++#%%@+#@@@#%%####*#*##@*##%#*++=======+------++=++=--.-----=---
*%++*=+*+%#@#*@*%%#%%*###%#####+##%%=--+======+==:---+=--- Thore -===--
*++##**%=:==-#*+%#%=-=%%#%#%#%%##%*-=====-=--====--*-+-=== Sommer --=-=
-++*=%%*=%++-:#+=:*:####%#%%#%%**++=-==+---*-=*==--**+-===============+
-%#=%%%%%%@%%*%%##*%%%%%%%%%*@#%#++==---------=*+###++========+++++++++
-%@=*%%@%#%%@#@%%%%%%#@++++++@%%@#%%%%%%%---=====++++++++++++++++++++++
-%@=++*#@%#%*@++*#%%%*%*#*##@%+:%##+@@%%#%%#==========+++++++++++++++++
=%%=*==+%###+@%@%%@@%%%%####****+%#%%%%@%*###=:-========++++++++=++++++
==@==-+*##**+#%%%%#%##**###******++*%#%%##%*%#--===========++++++++++++
=-%=+*+-%#**-%@%%%@##**#*******+***%%%%##*%%%%-==++##===== Hannes +++++
+=@+*++++%**=%*+++%##+=@%%@%@@%*@%%%%%%+###+*==+=---%#==== Tschofenig +
+=@=++++*%**+%@+*=%###=-=-=-###%%@%%%#%*%#%%+==--+==%#====+=+++++++++++
*=%%==*+*#**=%@+#@@#==+=%*-----=%%#%%%%##%#%%%@=-+*%*++++++++++++++++++
#*@#+*+++#**=*=++-=+=+*#%%%%%%=-+%%%@@@%##%%%@#=+=+++++++++++++++++++++
****:::::-:::.=*++.=+**#######%%####%####*%%#%%%+++++++++++++++++++++++
*****:-::---==%+++=###+%********%%####%####@%##%%+++++++++++***********
#***##+++%#*++%++=+##*=%++#@@@@@%%%#%#####*%%##%%@*+++++++*************
#####+++*@%#+*@++*+%##+%++===+++++++++==========-=***+*****************
%%%#+***++@%@*@++*%%%%*#+===========================%%+================
%===++*++#***#@**%%%#%#+==========================%%%==================
######*****###*##*##===========================%%%#====================
#######****##*#*##**=====+++=++-----=======++%%#+======================
#########**#***##*#*#=+=======-:::::--====@%##-========================
######*=####**=#####*++++++++=-------+++@%##--=============------------
%%######@@@@@@@%++++=%====%+==----=++%%%#==---=========================
%%%%#%%###@@=**=++=------==#----+++%%%#+====-======================+===
======+##=%@++**=#-:--::---+-+++%%%#===== Ionut Mihalcea ==============
---------=+=*++%#*+=-=::---*++%%%#==================================+==
------------==%==-:::=*=*##%%%%#======*================================
===========-=##------+%%@%%%#+====================== =  /` _____ `\;,
###############*+*****@%%%#+========================   /__(^===^)__\';,
*############++++++#%%%#++==========++==============     /  :::  \   ,;
+++****##*#++=+++@%%%#+==== The Staircase ==========    |   :::   | ,;'
++++++++======++@#%#================================    '._______.'`
++++++++====++@#%#===================================  Dionna Glaze ===
]]></artwork>
      <t>Henk Birkholz and Jag Raman are puppeteering in the shadows.</t>
      <t>The authors would like to thank
Carl Wallace
for their reviews and suggestions.
[^rfced]: RFC Editor:</t>
    </section>
    <section anchor="contributors" numbered="false" toc="include" removeInRFC="false">
      <name>Contributors</name>
      <contact initials="C." surname="Wallace" fullname="Carl Wallace">
        <organization>Red Hound Software, Inc.</organization>
        <address>
          <email>carl@redhoundsoftware.com</email>
        </address>
      </contact>
      <t>Carl contributed in-depth reviews, resulting in many improvements and clarifications across the document.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+y962Lb1pUo/J9PgWFyaskhqIsvidXarSzLiRo7di0lOW3q
E4EkRCEmAQYAJTOJ+yznWb4n+9Z177UBUJKddE5npp5ObALY97XX/RLHca/O
6lm6F/UPinycVWl0nM7ScV2U0Rn8/2E+Kcoqnad5XUVJPolepWdpmebjNPom
mS3Tqt9LRqMyvaAOjg9ffdPvjZM6nRblai+q6kmvNynGeTKHESZlclbHWVqf
xWVSV/G4qNLyIt7+tFctR/OsqrIir1cL+PLo8ORpFH0UJbOqgI6zfJIuUvhP
XvcHUT+dZDC9LJnhj6P9x/AXzLR/9Orkab+XL+ejtNzrTWASe71xkVdpXi2r
vagul2kPpnmnl5RpAr0ep+NlmdWrfu+yKN9My2K5gKev0nlRp9H+SZ1WdVLD
lKKXZTFOJ8syPe733qQr+Hqy14vi6NX+yTH+ndTuW/yZ+i3Dn6XbsAvcsN5F
mi9hZlF0wxGjiPek/y3MMsun0efYDp/Pk2wGz3Ev/4S7OizKKT5PyvE5PD+v
60W1t7WFn+Gj7CId6mdb+GBrVBaXVbqFHWxhw2lWny9HuOHujC6nW93Hht/P
EpyyGcq2G3Jvw6xY08Oax8Pzej7r93rJsj4v4CDjKMvh+F4Ooy+Ky6ScwLgM
Ti+T5cw/g0UlefYT7d9etF/O4VnKO7SAD4fn9OGfknI+HBdz7fVkGD0tqgpa
uW5Pzot5UpnHYc/PsjwpC985fz6Uz/80o9e4xTrEF8PocVa+OS9mP7kxvkjz
N/YpfL4XPS2TZX5eALREx0cnfoRz+Hg4ko/5oAGs62Rc6xDHw+jLZJ7MXP/H
5+lZMsvcU+5/+UNWV0vfsXw1pK/+dMav7e58Poyew51fJXPX8+dZmU3Ok9K8
oM73nz/xHU/n/PJPyXxi+3uC/bmuniAw02/uYZaNklESHcyK5cT39XaV5zlu
6/LtMOFPqEu82nWZjZY1AkkUyRAHw+jbZDZLxik805EOknIWPKYBX6UTAJ8l
4LTj4qwG6EgH0VE+HtIXMvoYWv6pTCfn+F0ln9H4+JGbAkHGI3oW8WjuFQyS
5THgr/ocUMFFll5WA/hHtZzVuP4sh2ucr6JsviiLC4Nnx3Bns7NsTGAHj8Yl
QFhUn6cR4NMlfjfs9fKinMMHF4RPXj09uH/v0+29CLBaXKfzBV5Pfv7pvZ17
e9EPl5X7+Sn+fMM/P7u/A63GkwmCyvHJkwfbe7SUGL6pEKfBn4d79OXuvQeu
DfR4mc5m8Zu8uMz56YPdB9gTE5J4MZH+PnP9IaKIxwkgo3xq+n2ws7NDPydZ
BdMGyvHFyclLaf1p2BowaxI23W43jQ/2D744+upz6eK+6wJxjG29fW83bH3w
4vhQWt31rUZFabfhwd0HjVaPX7ySLbhz5+5eRPgMcaw+fHCHxr7McE+O4idD
i/bKbC5N6N+tL+bVNL4sk4V+NL/EGR4+/+bwFU9RSfgx7E1eZ+Pom7REaooQ
tjvcHm73ebpIE6Pd7Z073Copp2nN24rYG3b2Ii2JPFSLdLx1QU0JH/d6WX7W
BLbtXVhpncRl+qMC1oO7uzDJZY4jw2ImCn+793Zx/clCoGd7+1OEuDyLx3U5
k036dGdHVpgmdWsTDFmt9DPzyH6fFXWxgG1bTqjpXtR40OtBC6D8e7SNz54i
EX56UJ9nwM304hgo+qiqS0SwvaOc7pzS6LqDRlfRBnICm0R3sxp4pyWiEjgC
uL9wDnDbf1xmZXo9LxXVRZRUVSoXHTiWqgZuAyaW47PiTCYAnQ57JzBdhwsi
PDAcjlt+GCsXbTAHtzmIEmDdyiWtZBL9uEzL1RbjrIihIJqkVTbN4SVM+SwZ
Z7MMtiVl/JRVY0Bl5YoGKVPAgymwPjh9eA2zSso6gzYwi7OymANbVGbFsooQ
AWYTWhvPAwY5w5XDbGgKwG/k02UyTRlBFiVMaVHkE4RymZ2bdbSs8PHBkyfP
BtHleTY+B1yeR6M0Ah4DWMfsJ0LMdHFlTQPg3JLRDJulZ4B5M9zXLIfdLhZp
mYxwjStFxBO4B7CZUbWC45jDlAlu5hkg0bTX+wgISV0WE5gLgsrPH1XpOM7w
0bte70awRFNBuJutcEIvcc8YQHAvl7rXHSBS2u4R/EYw6cWiTDLakUPcYzhz
ASB5A8eTp2PogY4Ryc2YoLC4Hmp0e4EwwvB1miMAONon2zVHcreABblDHsDW
jmdLOjzgJyZIWJEULhEyYCfwi7OsnNPzSXqRzvAU4CHOQSlxdMEoABeTAniM
3+AOwK7mE+iSznieAhs5qegGEBThgAYw8WcTLBdAJKpofA4cQ5pP4Z8AKEiz
+OsqTeYz3J0mbAAQnPz6yxclkwkAQkVXOTPTwIOkG0Er6LoSyXWXAmfCYJPk
VcLACRvmVz5K68sUjjBxB+U6BilqDtSBltgYW3CCNKkM6rsEGYCQCZ9IdJms
EKgYW63wTVoz0M4AruG+uakMomoJUFWfQ8cw5ZVe32JUJxkiHsIdsq1l557i
tVKM8heYMV4g6WWUVNAFrB52FxE9vKyAblaCpNztuVXBTbzIyiJnjmt/Bg9z
ooKz1YD2oatX7GJRpgQGeN1q2Q7ovchTlFbnRZma+QK6SKcojCJfnZ3B2IAI
jp5vOgQPS0BStCzzAfUeYmOAEJDk4AUA7k33BM9hATcGDxB7rAhc8co6aMDT
Q9D35+dASdCHR/1MeDzivIIKuMO+/lLQIRucMU/eZnNGZLwL8bJCtAPwOZ/D
xjvEUBfFjPsEmaFM6JRkOY0LULlrSzSnAdoZX/N8IqQO9ps6yPLFskaGKiHx
nG+WGxPl2GxMe+Lvxfsg1aGdkl5juCrrphPe+2JZN2aH28jQ0Z6krN/Aedet
uP6sGFGXcDUmOiD0CqwPHDt1CngRxCDCpgcFQHf088+GA373ztF9aFimZ3hD
gO9GHQXIwMlFNltxv9RYCAFMFIauinnql8vIPkP+IktnE1jgfj4ZACC8SbVt
7Xe3Gp8D14w7y+zGxLAOOEOUi2Bu0X4IIeu5CWwD8373Tm7nkLhIwOoZ4Vs4
NhodPo0ZYdDE+VueuhkI4ZYvEJ5uheSWqILweywekp7McUv7L4+iUUaQwG1H
6TnsXrEsK0cA0rdwxEhT4GSvGk2ueVY1+DyHEIgGykVy1EN6XBAHpIhIKQj0
eaytcaoAzIsiU6gyc73MZjN4O4YfiqOmAAxAUGDShvYCV9Fx7ecw9gy3Ky+A
wuQIO7D2RVJWygCk86wmGZynC1AIInOGeAkPZBABA8MbS9AE7wj4FfWMZ5m7
CuF1z1O+nG6PiZDRIV+eI20dq+RP/SSAhBHxC+VxyBH5wKgsZu4QaD9GdGTT
EiQkoM2jNIdDrxWm3DakIGoSY4ozyi20G1iDxQExgtNIU4BZ4FCTRaZww8DL
pNCDUwh1iDg++ig6Sct5lhezYroSvEDSDiOKZ4JHGcW8ATKO2tMq6j//+vgE
1bf4d/TVC/r3q8O/fH306vAJ/vv4i/1nz9w/evLF8Rcvvn72xP/Ltzx48fz5
4VdPuDE8jYJHvf7z/b/2GWX0X7w8OXrx1f6zPh+BlaIYhHCTCb6AhBNBrHrA
1YyBpeVb/vjg5f/3f3fuwqb9B4iNuzs7D2C7+MdnO5/ehR94zjwaQR7/RC6m
B/x2mpTEUMJp4pbXAGPwLVzp8+IyjxD1wcbe/g535vVe9IfReLFz95E8wAUH
D3XPgoe0Z+0nrca8iR2POoZxuxk8b+x0ON/9vwa/dd/Nwz/8EcStNIp3Pvvj
o16vIdIuiQUG6HL4g8mHomlgh0k0x3tiRe9h7ymALrKseGcBWU1nqJwtgV+r
CNSPU+Z87+JVip2qBgnQh02BqVlwOW48iZ0h/J+fiCOFnTNBzoVm830fpSRg
p1CCTPvf0/S+73tbg3vuJwsw54fd9UNaLYqMzMPorWaiG5C2QYM80vioOqNH
wGfgowWg07T6fQ8GXiBTOV7OknLAPU2yZJoXyF0ggmYqlq2Z62c0Vx64hwP5
V5/zKyHRJ+2TwhudzEDsqLwhBm80EiegHjD4MkdZdJgOByytHPCdjJ6lNSta
QJrfnwLGnQqthe5PUOyOnheTFKgNSfeJ/+Id7yChbsM5lcj2r+PGo3k2Pa+J
j6mzeYqkNDpbzs4A5TOYaf9F6QTucTFDjp2PxwnY1RK2fYUcXIbs8LIcIxGE
oUGEzvnbAvmrsEf4FvByWpJQUBY/YL9JdF7MiAGMUG2tBErAZSKqD+ZU4QxF
liRiBzTHd4/nikQ4fQvwAKROKV/HxQU+aUHcxDgdwOiXMOdyECyJT5Rv1Vsm
9LjyeJasYGMnQM061k/MGqsbYIOAhwHwaOoaJimS8LUaiPNiScyXkNWM5DXZ
PCH/Xk4RBiRcEYAU3V2kC06+xL1BvnS2ErqTuLWxinJAxBqlSpJxgCsjukrn
KLoV2vFgj4Y91fIAuV3OkKuiUS5RHvWKPQF4a8WQnifZGcEpCh1TpuRtwRil
OyRiCcjDxXwFXLYT/Il5oHm5icxB8oe7DVebJAEARhITYdVizGoATYJqP+TV
iL3DY6QplEuY8Y0UKsj12w55J4C7ZOI+m2VT+joZgbjUXJtD27I4ZvPMHsPJ
1rZLbK8qQrummTEFEQdlwTNB9ZBjyjNkCyYZbBgi9hvo3UYsIwkeEMaUYLMg
ODpPKxDGUG5kXgSwFWot3YfCNbpDM1s+iNJyWuTFHC6/KAn4ol+7GEZk2H+V
zi4YkwmDzTrNCWEbVclWsnXNc6pSYp68rqRKgYag6NEQV2gRKNjK+Ijagdgo
vBq8jPcTBfCWFgcgkmcNU2UtKNBp7Bh1C6xhjJW4Yyd1MUYpAz6AjhGVNvWH
QoFgr2tzJHY6cKG9cE+ilmzveYGYRAUp6XgBgyYgplZMIhezYoVwETuvCD5f
VBZCV4iCWAJBfJJ70YV3YZLWSTZr7k9RMq5CLSEhZo+rQkwO9IDufEDWkvWE
LYb3Az5CRnQAt0CA6P4IYUhIYwz4uSaiqSpeVgPwR+6L2SqeI9lNZYdXSW72
q4FCSHOp4D3sfaEEhcQwlkcRjBmZ2qaD8GIg7iKp7iKrMrnk6+FrgPpj+I5x
OkvbNeI6aIK90P2DG7qcZLXR5ZGiHpD3wt9liw9I4SQS5jiZp17FAhzjNMuR
F2xfR6dSaSiVcR6DCB11CB2AyAaYikVkPB2/LJGV8yKP7bMuLgM5x4LeFGVt
wFS1wJbf0Fmx3hKHPQOal6EsTyaNaM68VYIv6SO0sES3bx+fUxvmwG7f3nMy
HDUYiDKMNQ3cVdWAc6DXAGSzldxSxvMIlsz6sKYOqExKhlQW/BZMG6/igNyg
kyJlsFY9QPugr8JNynxH/YqX2scbsMTh6DpAhwgVY7UAsb8Tc17mTECueiPQ
QkJtmZC9yoksXp//LV4G3nRhzMILn4xgv5Y1XEuSZREnY+e0vEqwjOt+4MHS
n0LROoERMMzLNurPKlFjzPgIipKsKnjuT9J0cbNDPycyxgsq0xmrKs6zBUNh
ayaoJ9UTm6SkMcl0WdVS1dmNM0Z+khGhrkKIcDpxh+w2ohNFXDJuqwVpG3Zo
AneoMNont88KR0jsZBALLjD5hYeVEEzYhuLn7/rUgxMa24YgKxhMCa+gKhPx
BXQ8Q7OcsGVVbY51PTQRDJE0mMyIBszTJK86pojHCGOWKRA+nh2tcLbqe2ra
LevgnU6QAroDl5vE4AKIZD9fRdPswmsqrT0Mz5YUizVp7GH1grDTjIi9dBLe
eWAO0PDFXA19ofwD0ZqMLTXOkt2l3l8kq1mRTGh8Jm2Mihtsg3yNyIveMFCU
SNITxusoBWH32mGV/cTsN0L0HI2JJc+qtTUKPQx9dSc/EtWXhWLnTBZU0cYF
alJ1WyK201EC3PsZQPByeq6rJ47G+xIo+TCXZiDXhFmF0qsXBXfZ+yWf8SJU
wU8XVaRpxjCEms+IcXGabMNOzFPU3GbV3C3cWzRxRd7CdoVIz5oDmcORes/A
HEltwFoDdKqhvXxHqtQXFyhJppe9XvfmGAU8gVGszGNgzwqNuKSBbxlxj4wI
bpCo+x4GFnC/Mac3cDDprgXBh+e/Wl4dIt7VxSJmVOItVsLnkI2FEJpjTRp2
CrGMGRMvqXyIerTJXbSh09kkNcostX10NnV7snETRc4moj1/LIyn5M7vB0r4
YsRaFlZOkcBI6g39mmDbw4Fi9fTtAhk5ugk68YEfBT8tUzGRo4J/ivKANRmj
GZF29xLwxQoNZLpWeOawEx4dM2fOboOjo/hIdnuAZcB0Fi/w8K7nSsiZ3UIP
Is2Pl6MK7jU0AXQO01+WucXffuao34FxaRpq/OLNgfvt6A8JdHU2JbN0JW7e
0BNaTfCQ2YAsbP8qWuZEsEjteFYm3l0CERraAebAtLMJmWbMwiJMCnfWbkFw
3UIuaz+Hk0sQOzL3x0Y18YREmEGvRVSeWg9J1asW+y9Zr5osUEF7ZORVAIc0
JzGftA5zEBJap82IjrZcdYcsZM+TN6mbAyIasqYZQSk781OsUDeWTEUdmQe7
5vZoRaCYe9ENwDSr3vC+qWqwu6XbVjx91NahSXtcK6szcAhpPCaXChJYUDuQ
oFaxWFYzANyXSab6DS8XMbARNBE3YbbGuazAtICtj+sC1eGs5UD9jT1dh0Pw
TDxIC6SxVIS9w3qVMfNYGaaxwDiBMr8ZxHjFXZs1GqXTLFcXQc+44LEw02z8
g9g8yda7rHUhWeUjSIYRkvAO+gEcQZpdiO1BQEjArPJHIy4ecHDYX55ehn2q
DtOxxMojE4Ly9zw8sWHvq4K3brZqk6c+GtTzaT/oz+JbVY+Z1Y/QQUy+8VcT
Ke++092wNl9/Al32r5A6XLZOw1MUYasty6z4Eskve9qlXiXqtkMVjw4/ivcD
Wgy9j8doOXvjrcRCYZTJIzedNjerfCo5x3R7uMAJF1NgduiMy9TrsdiXgnqo
rIeJ7iB/LcE+Gds6jC3J9GNoufOGmkSqgFtrD9hjkZ+NLfs58KIlCn/7Il8k
9ISQTMNwFItTMiLLEPEmYVtzyWArl6MZqTuN9rBazefoujSOkAtDMEIbNi1I
abKwCU6jj0wsfOuOueHI5rVKuCMCHwRQ5WpRF9MyWZzLcIlxtIL//YATR/Fb
1jPsvSCEyJKFSmG6NARW0UOlnvVSSXeBoRBE/NQvBW5daS330AWCOEoW9NPh
QGWS4QPxvbLjklp6hVByKZuUzIDsTlZRYEJXzx+2u0Zs1Os2R3baa8OPmHlT
NT7ZHcfkFyIo1/i9GPiEzgI+Ak4WUdmMJFrxaSX5UrVjbJpHkDxUDRAxfwSU
uVcLUZxXF1xeZ/Olky5TZPBY7d9wxGoaYRwgkvIiQ3KJ0jU350Hx8wYkwqwA
h9Z+4cSOkqpEFFbeIRcVc2oCY48a3oAG+8vXshHp9iE70O7EO7aTDc/pQxNS
lHaYpYiPQeUcyknD3quwP8bi3s4qYQ14vOOEjK39aQEscS6f99sYpDnDAIkg
P0ZqoPOkOqdLdJ6O3wCl4LYjDA9b+T1FM5k67WRzQsccPKFnt84RdT0RkfkQ
G6Y2z/EsyVD70GXqso4Eyh628FTNGnNSrFi+vLm3tadu3rMcdxrILAvrATUV
gq4spVEVbVTOK8lY1t9tMiPAOmHiczz6gkUCujMhU3h5hYYcOPWcI+cIs2xf
oWUQ4LvJsWSSGo9GQfNmivDEmN6YKaSbR9w0+VmRtb1TPW8t891GeUTas5ZL
LnEDTnJ2Bnqx0Q2UN71QoW9eAGr2tjzmWkidTaAKdJuASNCjl9VJ185m1/fd
Meeh7TDSNaYKtxc4eaKpSaX2jpblLNCiJgoGjaNBNSqdW0M366Y7dJE9qgAz
Zge6qlb/RErLNT0RHC87NesyAqotbfcDr9fr7E8kATF6twdinq79mpfR0Lx7
48O6sVTXyeIEzDIeLetYGJMFCBPjjJgNZJMPPQoSTtkgJWSWj9ERt2GhRS7B
foanS/xsUmVMmR2nyD7oxLcSQfUeyao0op0Zw5yjDcSd+K9q0xuUmzQ+3D3P
GQx7n5P+ty1cdUQptX00HG7MuvVowDmTw4fzIkzUPYYn6NcVinkIeHmDvIvY
e84+S4wuU0fRmQF2VIdtWPiR+abNenqbggglDFMe5aNsofoY97EqbdKbuTTZ
kzWmKMOeZXIAAWV72naAdm1dgIWFp4FoG8jORTLJfFkTxxanb4H+kXbEhgG5
IBq2pdi+gLC+TQhnke+BwoJ0K32QI6bVSxqNFgEIUMNsgm4Gs0bLUIgKLoXf
H+/LPdGQhTXu8kzakOwxA0YUkNiu8PIom2jBZOTEQuL4KBkBWRGzOaYLgM1j
9n/JVFOjyZBDKLyThwiq5IbPdxNN0xLU4xjiRjhBpzbMabQSNAVzB6xoYOUU
O1jLDaJRGFeTq5Vx2pJdOcpRsT9W3jyTn1dszjLP4AxpN0JGEz0rRGolqPXS
urLTjh43J8xSlHhtycwofQOfF286acmUk2AsISfjvcRk+gZMPDoHoTElFOFu
B4dDCAhVEhNc8dWSfR+YAEGxDWHICJFbmpaXmRbLEgPiGDkV+WrOoW4fAT04
RqYRNa9twlDJq3et6AcJ/lKy7RZpDwV5KwTmgVs6oTqamdqDPBMfOO04qZUx
McU4B32fLUverpWdCssTBGEYOSLSg8regcFaEJjzA7k+NIaB+4L0o+y0Q2E6
6uCjeyVOqRjpidwfu/KQB6A/tqQDLOhOosag8uw3B7Ekjn81SUpQ0lULNDMo
8IkGkqAupz6fi6cRuxfhTK0vltmrhjAxXpbsNsjShF4Q/OqCQ9KNwwKqghfT
MpnQtXIykbkwtP2KKUIBZ4DChvdTlBCSLKfTm2Vn6Xg1xv0KdDEsuvhWjU1B
X84MP8P54m8hzxLHsVyQ+68R35aLCYNJETDdqroWjRKpjNganJjIbtXU4PFa
RcQgJLE8BXUmwWQLyrCcZdOlk3RbugGh+XhDAi0AGVyUkxj2jv0VUP2860Ic
ZdAvifZWcaiLaBSPDaEC8IFzmHDYw61DjLuOk+YtUgZh2IpBCyOcwl1QuZav
zxggltgtd48UQGGlmKKCWPFOGjrwbUIWtRT6wsJIg2SYDVgAf9FC3/M0qZai
SBuICYc1s8kb5WGRgqljHy2eN3FAABbsg4YRWxWvj0ErFqojJ3NQfp6Qh7sE
3obzsnc4nCNzzy4sN7zfHTi0qp1jCeO2ObmS0TSy+YK1vqnn54MoYyEehmZE
XxPxxRD2Xu+x4Fpv+2wGOwfxe+G01HSH7PIIrSzOfu61sEw+EDDgYVb7UEq8
BMJzkpXNdYKbPKcgv1CXS9K1EGueYlWvZmqDnlXipkJeEVXtqdNyLIwuXYWE
iatZiAQGylwk5I9XQka7CtdwweMBqYMDgOljfiPPpofcN1zhDQ0RwHPdNHRV
WL+SKa51zFT9se+VdB5z1GJZj7gqNZRLEQ9BOKt+Ar4j6+xe9BrGLsywo16R
teqchQVg2z3sLCwqyVMy/8FZ4Qk6BsDL5CwxkgbOOfLKavcRvOhGaMC2namg
nYI40475Ct/XMe1AZeNX0N9+u72zvbt9Z/vu9r3t+312tXHxiYbPZWa+v3/w
/DA65pgFEK2i3e3t7b5nTJDAo8WCovtdcGxDPvL5L0JsYTBc81TXg8eJgUVx
D6J5gCA5RQ+XMaEZ5aoR45Fpkm8rLzcTnzu2hwm3qk5CzodZJoOMXCoWDnvX
lw5lsDKH0igZXyOFNC/06K21EflOhvMsNuJrYYGddH4OdwwtAZjCA0R7jh9l
wRzmgawN7SnPiVhVGGsGKFbnaYPPPTQ2/dA0gmTLqSMWSVZaC5Li2SiB85oC
9qLAdgel6NuAUSdhzgHyqDldLrPJKU7tdJnCv5p8ZenUFsYBgM4GZnWWzRwb
y4IFrgQjFjwp5NBrP1V/QHrhAXmXIIukyHccJOwg4NkH9l1j1zQJweZdIVpG
/epMyDumpKC6kdn44GSx/3DQgaefLruFxDuO5FQsgqe0XH55BClEg/m2l5gi
LEe5kY8CU9i4Q/ZR/2UD/ZnMGk7klaFJEBeMwgwasFHJHOPeN1JgWcdiL3UI
zsciw83clKtJSuhSTfZEezIbYNxBNlmSZpSaXBQZSScKYGSf1agsVgOqp5Xz
YRNCJZFvVmD0Xkm4uraK0ljPTV4QErNC1VHGDtXeo71AJp5kbzTfEF6he1hn
s2aCEmYuvdFAiDTMT5wkkFpfYJpEwO5iMdA1AuoyjArK7bTLhtpb7yzG/l3z
b6i+RKu9zrzjYrID/eq7YXNqiOv9Zb/h7DpmdoNMJCYzS0LmXRUfvV+MWHpR
RmHoW5MDhQBT6TB03jri3lOR0TlYhS8zY0rFoalzdoRDFY6y+8xCMF3Bjr5T
Y1TITvu0Ci4JRMj4N41PmfHqVD/ulbe7Uq8ETvsNacZ5cZDB3WvkJdVnQ38w
iEJ7M+Jw6xRhQ/id48o7o+p0VL3p2rGv6KYtViBHYtL08GdB++H6ha21WloZ
y2XQULOEdbZu6TjajMi+N/0Z7rNDx87Cig7nTnjEzg+kiOmWi1xeBRHB1t5L
jmBZAhoyG05qAeOy63PjWG/dQZOLpNgC2Xh1OdfgXsekDPwzYVUK8xltEJ6v
d+TrZLrn2VvXpYgcutRK9rv5WHNTVlXrDWcKMksRAAGiiCQ1QI7OSG/tgJQk
07jJ+v3Ai5KSqNWyYQ1aljBivzjGjJChTABZQdpXYhhcmg3nCd9EBWH4dR5E
yp1cYQt0+XnO2IVGQzus6XUjgPU1ZkjnobzWGijWOeaA2AWWxD60+WHf7WGa
tshNFfccWBhnUXNmFM/bnALiCI4hVreCTkvriVfvn2P6i9zveTsgRQLgIl1G
M1mgzYOKa7EApPuFYM6o1TFIegxjpyczIRXock/7MCY+muT2tTPNKk3gkohL
irqwwhUflcUbvG4cF0ofBWKgROCu2MrQNPlbPG6dHqQpU8IiD23T7rDJbmxi
59o0MWQWGmQR1WG93lV8QEWMQLXJrIyzHq1EllHSIMllcM7OlYkSD14fsE1m
VGvpZWHW9MiofVww2j5j5kF8RQLF3qbjEyWixGuRmC1i1odd3I21h7mRIsg0
Z9O6BSJPZeVwoh7s8iBDKH/ZFZLk1CkBfeS7GFpIUT1UdbFbxrcuYWeis4Dp
EitcF391YiJrA0EAvfpxa4Gais+uhtrhNDCZktf5svugh0XxSxBExpE/Ibap
xEbrJD6UWP1i+YApxjjcPucV2wgGJq9n8aZW7ETe251YqBHeYmyhkwKnQguf
s98tXOxZUbyJgOEINAYTn5DPOD3jN3Pv7iLsn41aMFkTXaSH5Tosg4zbgGDv
RmInIdycZOoiRfhogu/gAsHPDl7bc6wsoxPtwAQvwGRNiEHli2abbhi/y05n
vU1q9vzoCU5rXdN7w25PP258/O3VrXeHdzi/CyVOxlbGpu5Ujy0VBC7PsdZ8
l5uKAjSBpJp1IUye18xxtR+yZ2gslSNobrW3Kwl7TQh4HwXqRCjPN8WMBdQn
6B8GXQh6dhFf6vLAIOlGIjtnncyZ0cOL5+z00YX2iR65Odz+STauxaTG6e9M
DjcshlAq9sNuGEl49X3MixqLFz7nTcSIf45TooAhr98lXExcIKp6eI2U32e0
qlNKdD5NyslMUtM6e5SS1RV7jGVVtUT1TEFmQSaLblVnGsm+3wgWoM8cMSgx
2xsvh+zYyqbza7T0ZEGwaWLYS/XlYFM+7x0hErR3syOPh7HQkiEqFxI/Voqy
slS9MLI50h7kMzn5BTX3gkDbYb8iJqChm8PlUnyQjdWZ5k2XalhvWSaowpPo
IcMCrKJnxXSKWdc9f91IDPF8/6+A9Kb+lNChj92gNYQmqTQgZEIb5HjkgMsL
shi5sCLGYLhSJIX5eOV5PFEYoe2hGT9Kau00ZY8+o3fEVGlBZ5jeKNR119YD
NrxADDto/BEq6+R4VnC9YtR9nNZGySVBJpreyQcROYzeofapLdnxhGl9kOAr
G47Id07XkPhVaHC3MrhAzTJkK/HYnARcZ2VIhQ5cKJ/mknPKdkIGNvTBRgt6
p6YoOWPHNKagOuZQ92QuWkmrGQkIVqNrdjFw4QUh4Y9cfCDezj0XANbJPLHS
3b8K6ZnchFcamw/fXqcskuNmddFTyR4tDVo6IR/CaqIHWxsZAIohypcg92AW
cRKhG3lCzS7TyYs+ab1hV8ZDU0XWyh3ZtAjLljYduQeNYAa6NEGYx6/QOQW/
WU2PSgrURoiGncib1UtZID4JLlkIUmZxnsskWOd4VdaIt1VZRiskHTpPZasW
GHZsffCxMKFKTUVm9a6pDhOoV06XK0RlPRw6eMkT9hlqDkUSgJj3HMuclV4f
oWp5pEwiNFJnK1Fb0IAmY6VqXbwZdc2mHDenIhEIbE1iU6Pv6xqRBrkehFZR
WnCgEmUECbJKtEKKjRGJKK9NjEB8D1N1rzO0LjfIqx1iaKiRBM09UqN3ytGS
xPOWpGljN4vcZytBEV/d1CVRmG3Ax5SKj+m66Bjkmu+2eOYhT7ExPukc52wR
Ei/upKqKcZYE4lHDg8UJeup23NSADSRlQPO2eJfHBs4YhE5NyL4EKEQu7tp9
YgX6HCF00kRprVaIR2gz2m8iG0IlyjvriAV94l+eNNiYlyDBC0XugICLGLsm
DyhkOoRh1ghmnUCmObuvWKGa5QAaicnMKocVgHlJjHLKwh6fBMMvUw7npn2D
ahAWHoxAPGwa6uprD8fZ7xqJyyqbtmOCLDdAImfEtqK/Ohz6TBooSSXqECYs
3aKAc1oxt8cpSFPlQf1GswJqjAk+HWPpZS9RflvSM/RORTYA/Nde7YHyWS7t
ROA3T3WR8K78uEwm5ZJuPwYt9PF31WedKnRdb17NnaxT2wmDwoq7xvdGXqF4
NwxeRWRHE2N/pJLVHOu4Gg1DMeyLZ20kIoLzSXJvqlRis/sVu0a8hO5BQN6G
lrF2oaoqApNf3FsKy0cMUVoNbsDAo+t3mkwGLruSRyrCEze1K6roo+AphB5c
eklZaoBKjKDfuYthQkC9KoppGIgHpBk8m5HjxsJv4ABxkKerTV6VUBthKd4e
bEtcTBg/4EMUoqb2psnFCKWmjueo2jZRqo4HcSoQ2h+fo2RgWHhXEuKAM+wi
pXyOztfTNPq2xJ7LaOPg+bebqmJxetn5pUsu7HRPNBJ2rh6jqUxQ7qaKB+R5
SxhOtM24OeqQYYQnSWbG3ru8+U3N1sDtl46r4Rxe4Wzzs1xSjAi3r1dMOAUP
wxhrhmxrxdYPm7QH9Rl+jbzge71uSiedCyF0i6YNvVAsBHO3Gxx08+3Rk03W
MjYcpQ1sDTiTcIaAVzRs+6TNwUvruMkbnE+HFnD9bhmYdwIUiUS8aOrrfY4v
proON9t/N9Hf+ACoXz6B5//sA2DcNM4WpH+SnWShGfU/os8mGSDhtDy1wTE2
zNNx9JQmxqToEuMyeuJU4ssjeFfzIAEvOl/UK61oQpuSiIJBESdPG5gZNPsm
6NQmkWEIruJS3aE+biQKkdAW9GAqqLCaemirqRxLMlY2uSOeGp0x6xmT2p0z
eZET/0vyS2MkAtBFsVjOknYGHqe0zNNLtGM7ZyM3Pm05Q06fP+r7dyYxugQQ
4DVwnaJzYlpxrbJpWrpIi3GxzGsfpOhM3rC8W5UF34VK86HafrclgkRh9vWm
fp6Nx17EcjbLM9rSC1eUED0222ZndygUetFWFqHHApAGtZgnWvNFE9eEbsbe
+UxdckkBeVkIDAVAc0rP4v1TWqH8enzq2SB3zuc23osvudxnpJwU2VvozXQo
u/JpkQzEwH27EmCUs3Spz9bOkllr+kYbyU55bf64WBj/GBew5qZOa1ECrXMU
98jAajATK2n7gJTVRH3wUVvMt+Y3RjTsrq3zol6Jz1ougFVKk3lnhumCMtuh
B4oyaRRJ3LiPMnP1hmzoaTS7SmVLI3UMRoU5igUzkJSO0odF+kJysSaHUTSp
DD0AxzeI1ahwIJm8mcM/JKVer3fMoQm08GUlWUYwnXiS+3T5F9oDhusXkwac
S3QDnZ5XFbs2gYuaA8BaclQAm0xIcqE2dG/y2+2y2rGFsbNz0rhjPjEmzSUl
vDj49kRzT2yc5qOz04H40nN6o2wuGQtOYbHwjnSd3B2+29QcM54zc0MT0voW
4JFVhxRfa10dvbGguX/ALewMlV3wHj8Cxk4xTnNJnb6bwsr18jR6JN9TpDTS
ZuSyN13RaNjb5Vngstyoo7RFuUMVqCO1xbKm/HMSr9jq3eeeJFOjSTqJOFOT
TrKDlBx6o4YolenAtuwevL4wlU/B2KOqIB3ZCtk6p2WgXFIh3pnmIDCwajm5
3RzVCCMqXZBxQgli/dRZfIx5/cghpOR9SExZJ0siVDjz2nr7TSDesrOpyGde
VY/rAwD6xz/+QeWSf/+RWPhQyswmMUi9xTTNsTg1Yp3oYfRzL4p+tyF+63vR
9mb08JG6sdMrdhKNdugF/YDHf4QXIt7vRbv0Sn724NCkOfROow4LGJkEo63o
H8syw9mRFeuAPXTo/E9Q2e7ziubonlS3DBFcPE2zdRgWlk/nlB3/4O7BZT39
mH/J4DHHgtAL51PYeMd3/WN2LGy8k6NB5TqnxxdIIsWoPqVKL1InXsybmG+A
NpMoDq+YqOfh/onwiVTxrekNRNyYq1riAwv2q87mLgaCnZ+kjiUldidlhHgW
YqpdNmQZK1ASAUykmEQs9DE0eeIoE7tmpFXPaER9HBxWhm5CFFHdUNcKZifA
aOdaG6289ezrPCP8DMSIFfdGubTx9aujTXYxiF6w2GLfvgDxRCxK7FKnrs+e
zYDFnBeXtH3BnpnJLF39xlO4uN/LZ6dMKVgpHti1PVG6Y3lSaKswwBbuY930
qwo6qiLV6yEbcQfqmvpBNRCDCqBByKjJULJqJSNpYKUG9DQ9U38dbrLPgap3
PC/PxliwnMPCqGR5j8cmdLYRBCryi62tCLviH5uIo9rfPIw2COGpUjZmX3fG
iMFD+sx2oD7Giia73iFWooaMKKV3izu5781ez09V54RP/CB3qNF30SeRfQ4I
K3qtze3Dh/Dp7zZok3E5A8HKHwPf30By0D5q/dmS5rjRuMCBbPqQ21/ZhgrH
71IT+OfwYz7R1qC9YHthwri9bJyJ2b6LE2+NswXfcUYgMfri9Dq/crYg190u
bpTfdhrTuT/EztTZMS72x4jJftYaGD9DgYeGIoq3jxLigpPSNzIiU8J5xCGE
UlCObGeIwTLkSV77vBde+WJDe/fWasxDF4GmTteZy228VOja69OzhbHEgGjO
OW5qZZJAEc5Ahyaq8xloctjvSwqyYt+emzRBUKjckSAap3oV8khJBVaS9Wld
XA2986lTicW43lPiNIDFU56rqqGRb6aYaqweDKCMEalFGSzOOcn6XHKag3Rl
AjWOak1nSspm0TKYFICnAWSfRhvoyEZZJOgOnjYuSPAB4CziZJpgH3y0i2ad
tU4SzWCRLk8JWWkYwNrMsM8uV7AILu4L5yayR2UhOMzSGrhPGK9FQ4DQuoQQ
jdzfiKo0EdnUwEtNYE22A/IMXn+23uyZJ1jN1wDqhNy4NCFvKb7TBSdGrJk2
Hl6wH74ZFWXIcOQQXnxGcFLWAHeh3JU18g6ELki2RRS5xTFvvOJaF2g71nBI
tq8meXXGTnzL/DIhAzPxx+S+M5QbYd2JtAj89RejM+cD53ZlGxBOqJisgtsg
hZ/gJJVfFuYAo+JuIqisI6VI6/00gKBrnoyY49KB6AFCpn/vCcFzwgEJMDaO
ao+IKX9lntM4r3tAn9xAW1tAkpFUcMfMHOBIn0ThBHqvgc/wk3Lx9Twv/alT
WyeR/AYz9UPtdE1WXzfmy7FsPFn6t5tpl3D0G0xTBtntmiO9owkSHe0M0nP+
UUFI0drgvOiqQDmhd7YYSG3SrLXS/mXeF7SDbrfSonAOX+5L/RKcajl0i8sq
V9fG3H289jax5JpgZZ9nw/UeIFZf38Lm4w6Ud5diMrdBXZzEIssn6VsW3Pwm
ZyZfoI3jc3GaSBNHGYwHE/N5lnxqg1aIXtN9ik3h7A0SRC5JWuSaq9mtWdsz
9Qk4U0AI0imE8YjdqTVEBA7SavgF+ugMNIC8yfJJIytEO9fI2gwe/vhIb87Y
i8kf4VTFGPKo82S7Eq6bEIVOlM5KlutS91j3p9PGFT9VKFY7pUtBauuDhDl8
WvGwhiN1qdrEgGOLnlFKwK4USULsPnIUDv4hiebEzGvuXHsbNICR3LS64FId
zdqxr0GoK0PWQCwR3XZN9pwQP2fBNJzI09eBlKj2c8mdhjqeWTEljcbpi1en
kiWVMlFR5DhaChQ/ODDlLFnU50x1ishIkf8Ruk5JUMAMUBe66yH6MnkQkclv
SPtnLT86qjerSYcD5NPOFjjwKSaYddGQLs40IefF+PTHZQb9E8vyl2ee7dMY
dqAM1Y+z3vHhs8ODk+g2EJCnr148d3P7nufWi7794vDVIVAcQ3CBzPX36/v1
xXIrLf/y8GE/2oxevFJxrvVp9rfZ3b9981f87JQJ0ola+6SitEcvzRjk35ui
wZTIjZmVEOhqX5vU+gYZQMuRWyQZ6nrAasDK/ldPLLBkeZjORjuwY3jpSwLb
AYNgBbi1qxxI1Rqq7cJdCM7m5ZJ2qUKSpeFPl9lsMsb0UBunt083m0iffaOx
T/HU/DXQ2nYlvw5chVD884HVTa0FrarJDuEPzlLecBFYAmRMx3SUj4dNKLZd
3Nk5G91LRmfx9u6dNL774MFunCR30/jBvbMH451723dGZ0lf2a2PvOvfTUVo
o1jxQpaxcRstJn6zUW3igTmDwmmHIqYh34IA3NTBNERkSiSElLMl9F4ZxBwI
vNfFbF4dwKxbBw+9lHVC+2M0dMH07myq0EoeLpyknRUQEuYaRqBIVLgrzSXe
MJY4NzzvyELazm0xajBn8+yt6nedfQJ9BZwbVuiekJAWYJZ4V/Fm6Pa7ZuBS
Uxu+zo/zvZXJ88tOVXIgVWo9HrZ/hRpjmYiojOXXJut8ySwOkhTLfTUm14x+
H716enDnzp0HeFxpU7cs7VmR+/soUP4qTI1rD8XwlXyDO7G11Ws3awI+Ta1D
I7nj1MSwJ8PxCARnrKUDWPZ1d8d4W3A7CGn4WdDP9x0BGm2qMjrYA1JmQ+N7
1Na180ErPa+Z5S14GDX1WM33DV1Y83WgScPOz+C7GD18nQHUeG87QdlJsB9z
6Zv4TbpqacthORcxe2Sr9MqN/Jz5rewMwkdzOX5nLn50OoXodmQnSpp9WOdv
OfO0e+ZuN1sTB0wziX/jSbgNCieBQ4mbli2m055T4+zdXqa4lztuL+2sdeAf
nb4BPmitjXY8efObLRS66loop/jlNu39rqu4quf1b7LRhTfW479xgOBmeAvY
mx+9kel2pHvA3dQJ9HLXbJtOkfbr973fK8o9KE6O4Td+gDzHyYsnL6KDFyfH
fWYrgjhSMgQ0Y4VtTOs7b/g22lln+Vc22JGQfw2bChH7NjUQPwOPGk9F6LY5
mitMm4n0xa/S2kGIDShTrsaOWfeGvRdaBeSU6ZSyXpYt2t6UkANJrE+qBV6k
VtCQePVXttiWlNKQWPVeKwwanYsuKVyI00hXFGhHMTZNl5yqM2q9UWfDU4Nm
Vvj19V1Jj5+NUzOZc64eab0Xqw6TdYeKTeILXcQB8fhnS2ZKggQEK5cot0qd
R4SmaHFZEV2yz4rSzaAfgmY4CBJsOoughFabjbRupWcUitqd1CBI1tzYfZII
pWtKYUw+VBLJxJV6XMKCpAqjTgPnO3arBcKNN1OS4XWPZoYh3hoVVvmUHEF5
IIa7g6C63OOMt/2xRAf+xdWKNAwkACX5Fqq/zbqqxM2UEra8JgfTcOYm75tJ
p22DPiVljdyvZqFaH5xSeWMRN75VtWJcToxpqkyTilQ2jfjVJhg4n7tGQUqL
8fKGr5rRZnIBC1bSuSLnJhd6d8irFtJDf8wCbqTPVCpu9q3gZ80rTXNWpSNq
Ly7IsYcq3aaUrT7HfJ6SmKtZ4tYWtBV73oXG9LeMa3pmAm3kapdyEXhfeCuA
rZHAVrs2cBhSZnInjc+zVGtsqSpVdGsNn2hSFIbjAf5PZ8UiHWjOc+fci3NM
W3WcVWkKA3MIcNpRuqmzVLMKdQz5kqL2xfEh1+atUi5gdxrcmlOOcjnF775H
d9+dUw9eXtyaJSs4Kha4IpK4gl6AwH90f7jz2QZabpz/7h4jpIg4/ChoELuP
4vNJCY0wMYxrFn5qXsnHUlQ07J+/hrduf+V97/Wm19NpPdIgqArQU6yZYnhf
h2alpnHTM5l6Mcn+7dn6ShUNjuDqXsQNTo671mw90an4YyFMb/FaP8F1U8Zk
9obcf4lRb9gkfsopyU4eP9nRMpwyGHIV85TqqqCD/0ihUBCXfDVajt+kGHto
8rwgmLzBFM0m6sR545ryo+Tbe8htKuP+Rn6e/nng2uvqHFNC5y6VHhFuDsEJ
aGXoOeshViddnWMGtTC83KSvZ6Vgy09OMh6PTG5Rl1687UeQVRr/sRtttL0u
Ngc2HUpyxbjSvfM4dPoPMpHIijgwEnbjtE6me1psFXi6we727r298ThezBJM
uD//aGe4Pdw+BQqdmSrFp1029VMk1C5ELNpu5FaUYjeKIXkKVvHEe8RRkYQ/
gjOE3anJDUj5bBtKJ8pLKpTEhAtvXDrJeyjzbDmv0a1oey/q32zN/QE1Fe+/
KIp29kiCwoehs9mW89iC3ncH8Lslnm9Jw659w/aub/yIVdw01+/IkM1/fnb/
ch+hMnaLhr13f3vj/Nb29s7O7u6dO7cAXuAFLHQKGI9R3FbQXHaMpg6D9+VS
Rd/Qc1q7/5hdo3mZu+Zj8rjvu0/fyb9ei0Pfu4Gs2nrJbWEPO/BXUxlEE3wH
IqXDlXn6tnYgixeE84Fxgn1AOayuRKlboMblsq1ddYHUGQ4CmGX/brzYeJ9Q
z9/MLKukkDnRSUfJh/8uIObO77ubgNhnDx48+PSz+/fu3f9/BGTR68ENZxy4
U975FCZ/Z+fp43v7j59u7945RJvF/v7dwwf3nj44QIvF46f7tzaxl6+/Pnpi
VvLO+adeB9a78Bdb2r2qH4vTN7PKtiB9Lc25GYFR8yLwZlOXtOEKCiMRSW0a
kZhEK0hT2VgWtZQQHuVjraYA7e800L6x1K5B/RivqCF9HBSoV75djan6z752
v811cyvZwuf2xt27R3h798nh/pPHh4dP8W+Awtc45teHARx+13EDAdfKEJ3X
8DqA3cY705HkuQGgKDJZXMzAydbRIMWgiw24wnzE9e6AR2z4tVRSTdYlYg3c
myUUm2UmcnvSEBIOC/wnwIU7wTv+yL6jDSuzOe7fIOpLfMF4nsbT7Kd5EXNH
HkfdoMHu+zXYlRF6esDuoLxx7J/BJ7vrWXdkFA1D5PQcLdA0zrNdY1zS2ikE
qaPAurARTkicLHRO7IxEWGTPoLamyZdGadp5xdOZlHttB+cTE3aEX6paV2bi
PC7EgcMxHAsMbseSKbqtQfKXtSvx2HDPq2EbClie8MWPjfUJ788v2vubTDZ9
QqAFltGRfI7A75QsWLiUNoqr+R0lOsp4DS5ZbAMlalIhBLVzdHpWe7NePHJY
7+DCEu//PVCtlm5lJ+MWuaSJFM5sUto5/Rhts/NlCfaaumy5m4V5ytYVo/2n
oRgiM70oCujGFfx/Jzt2HSOOCL8nv7acMpsIgZuFDucHQ4IlgyWjMWwSkSf3
etfSs3CS1GH44LqZ29mbmQtqDD7r6PiGPN6g0XKnPUvmXjnHxFbXMmTEPqLv
O/1mj9Lrzv07n91tvXrX/hqkoYuc4eHevTsbu81IoHdrN8iHTum/+K2c0A7M
cXujj8XY4p3deOfOyc5ne3e297Z3/9bfvJ4LzaqwWALeO5/m0JpERqkSFncZ
+02+ty9p7jWTLmUqtpxCkLwgpaLHkpbfJHGwEflcjo6ysKgWSfgRQGJo98B4
7VZi+iZiVpcjRJuMHxFrYfoWW57iGm8hICMukzUm4Hj+bcRW2CrMDzVg6xtg
pkYCniTamCcTLLi66Rbu50w8W98q8C7yyVARDpv5q/5/H6H0f5reYy1O3tL0
uFtXX2Ydsy1sAmxaBvZaIBpEgOnPEuDQk/Ety5jerCW0SkZJcquLQ/0vIkqc
nDfTxYUZjn0CxPOkCnnPdmY7aYoMXsPKd0VyO8/hNLP2GoPxCPFYLSpZrA3P
xT2c0r+RJpQMc5TKcCWFXZKyTFZSM5R5OrwytHllmsziy6JEv8sMepZCTmyj
pnaucrRgPeQpZ2mdEupTy2zVEevezu34T2Wt/tWlt7U3/57Hjetmanmv4HbC
15+ghccgNLiayS3FVIMrOt59745Hoxt0vPsBMx6PXcc9j2lvzNR8FO2/PFJP
AHFBSRaZmG+rVnIYND9rfLIYzYVKd2eFkeSwgrHSt1xEfWIKtpzVYb13bipu
JpUYWGGS1dDmc2CnXba/ZTXQyzMSEqd5Qf4VUlaVvJPGy1lS0jKZWLkCBEUp
yUbxna7Y82gukanLnU2Vm9UpxzsCeJYNS1lwmQzynG/476C3yjKbab5vwQVn
S65hk8ykPKctT8qeEmR31XBVMn5T5hEproslrGNfwhrX7dYXFZz6u+S4JNkB
bcm1Vl2IsV+n1CyoeGusv/YYEBs6LufZHMvPevO/uuZXGnSheDCNZlg5fKb2
d8nE1ZFt2qfn4BP1h9MKAISjwZonKUDeLPUGL4Uv9qheD4/Uc1baZOh1UKUP
dZETDJUwmyckZ67prShE3fkekQsOnp5L6ucOgQdXBw/V2JB7iIE8dyoNeoZ+
NpKlVrVCRJxjVzrCuY5wwV28b1Qn5KwJ6VqkipP1wu2oMUqJtc6YyXe20pAo
cV6DB8V4vCxLrY/Iog469KUMrM4XCx2USH8QVs4hPzFJw8WZLu1lG/aOMcBL
XL7cFcQ2GRZZRvCHt1wFFNckNmWzl/s+ektMrys7pvuSpo6z5cA6Nv+7E/KR
ZmTgJ1eOZOH96WnHUXXIO06uNrTHhDCp3koTVWoFM7K4IjTVIn7hBsA9Y6Fo
lJ4nKGmJb55z9mkcsa0N40dvV0rh/JPi4IjRmogBXfgfjtxmmPyc/YULwETB
y9+ydLzUOKbwmlGoRE216ZvhkeL9g2hmsZTU0oLhKgK4oPzSmsIPLvPlsoZO
XBaI6NXh8QnGJhJwSZLvFnqRFASUDUArQCGpkfIvQXEfEigRb6E0zwLDwDlu
Jf6h08axQdXLFBzA60I/KMJ01dTANeoWGQiQrB3GZTC5qq5RoC+4yunRVnFi
Z5zA5dE6O3o/x+gx3Lr7d78uZ37GtkAX+Sn+cFm9e7epe4eNfW9wJMVcwL/E
+C7CnYB/zuGb6dzE1H396sgFscqJrLoOQ/S4nx+enJq8fzVXDfeaDHiGPVJE
LAJtGggIHeWFmxoamx9FiwzvL3GcWqvdcho+imSiku6ugJ2i7Y5ruv9XUiRL
L2hRRxfBhicQV/EkdfNPEjfI+StQO5NyPUXYIvRzxcHFMReQejJ+o3FTh2WJ
TuceTaX0QIrZ0A/Dpm3cffsWB7kHf2G87xLVSiCbbIr+Rx2fTshcKl5M7P+s
rl4ND6ocPTrRDw2u2DyWnWaXKm/t7EqGTQ3R7RgbRk80hyz74BF+lq4x46zR
fQUedXu93s97F9UiGacP+9v9d706q7G29160H50vASvHWDmRrj9mFXREOPS6
4l2Scu6086LZk5t1LDtPDq6w1DFmGHaei4TJtQgtDwISvcTvU+Z/xkJahoot
wuQ7z6GjWI1rzsnV8VR5D69dg0qUdglZLvUpucQuT4nnAkumEHSlHcZvlQc0
5VPMnhRc1WXMOd0E5p5kcBGowKkHO0zNUqDzMAM6pWohOiZ7SMTUUkZy9Rf9
J/LExOVyMQW60cIsSXyoSSa3NfSfbp0ykoFjO8vetiqtxP5Lh0Kxc7GZGBo2
cUtyvBg7JctyUL5ZckT5rBhrKl/oq/K17ILVDZpVns6ECyRUUnM5JsnUbNW5
PjsUwPxZNl2KGwIXqlskI+RgbYZfhs1hO5pA4JmPe/0piDN7VQRxE34/HCej
Zc5wv8NDEA/TYMKnst2uubv7Y7o+lKcpSyJA8IzLsZqElzaYmHkvS19vgfkl
xSgid/L+1Q5QxP3zz8cvvkIw+KGi2FTJOjqIpri0nB1HnCTApfek3zydFrUU
1zGUcIdJ4XldL2IUiChZLk6MXK0l/kRB0NEJlUIoIVXbATV2m/0JTvQ02sCW
OPfYr8sVsuCQ3Ct7YYfWDc2y2tkL0CwGIIZwzdFQEV/hV6OM9DlX2sMbcFlI
SgvSDWAyBNq5030q1aJUgwlKo/agZGvW4hZae4Xa392+H218VdTRviv5smlp
1NoJGxUizo2N9uY8TFLuZilEBMlgMvgRzWZ3ezvaePFlMIMBMJVU45KDUDyp
ILowKQjzFxIEzPjTxd8BkK4KoYbMRdCUvTQ4lrImrnRC1wx8Sm20E9f2Qmj6
C9JDauUp3JoOzOa0smrFEj3LBt0XgZpN1QHThfBZfNvd6dCUblSYTcpTZXLK
mnxVxjO/EUGFDWkKlJEVo12cDtV6kocpLD/d2SHzeVJ3hy9TrNT8stFq+96u
JL5MzZsfLt/YZvBTc/waShIjupZQQrGPxrMElobBfPIAFXgWW/sPKM5Q36xY
WQjkM3YI2X/6M3xaA8mnIGn8m/Skf1STiq1sRsGK2pAUhLAfwz8f/AGWMPzz
t19+f5xSfZcqHVKIwpfpCp48wuDFxhK0YV+e9wfRzqNe11rcl/YlfL77qNe5
IPd98BYa3HnUu2ZJruma76CTu4/cUuB73K5ez+wzHxdhBQ7qdLuMsdP+OR2H
WvgkrZT/tvkG96/dp5utf8W7uK5jvzOND3g3ezmskmyxMVkd/vD8EQaZPt+M
hnhRNhCkEGu/3myNAN81G39HMCSG6T5DVN85wOkDjC7v914/MskrPNf3RG++
iAtN9yrVjFA6y8JXP+CES0DOAXVa9WqQ3KSNYN4jZ7RrrFVxYd7fMFRwJwoi
Lh8lSAKFqX3IJ3LqoP8URyGcFFYEd6FEavw+3aFPOUbPl+pW/YVmTdLZkIQN
HMQFZhljtl7xIs+I2XqdLpeswvwt7AMWMn+OWWYOTjnlkM/zFiiZu9/eE+oK
56ISRhdK33/81dNGIcPD598cvsKtllVJNrKqOV8pW4msBCUOC+lwLJ26Ezsw
CEXO3nK+151dgI9ufoC7nQdIgM0jktK/ciJBXXghp/b+cRMfDu21Z8iK+fqD
emwNdgR5WS2nY7XaTt3XqEft9sH5dk2sUdOlDeNpUx26zoFFVHBJ9ILsa7Iq
sen6xLFqnqR7SFE5rayBdeUZeIq99UzZoBmC2Z25VGQw5vGd5kbVlG5q5J3o
io0188Vq1b5TxXmYvN5gPIkjZ5SnCeqRkzTtfVv52DYnjw/Px81mLgrDBEvr
gbLurjTG/dBof6I2FFHSiSSj+ev44letCbpsfiWp1vlATHHqNSDn8uR3h3VR
8rm11muS0bBw8juetkb9kz5QrX9Xpf6RtLeNhDcmh65ifk38q4fEW1691za3
Mvg0d1p8JWSoD9hD3/v7baGa/+mGmXu1SDLns5V4Ot5URRswGIQZLddMmDJ6
8uo6zLxZ3YWIBOXglKiaT1JrtgHvGmHinteMLIXjtYqoz1tMxTmTdopkdxxh
8U9fx0EoBpK6QyV1PWfl8NTvOpoR8qQ3Jxp3PoBoUFFo6YiTIX/96hlnTUve
4O46LQ0iE4FUtwDxk6ZSRlRBy7ler+YjrKsa5ck8tSYhCTvhJiY3NmuwnrFG
R5Gq3Ta5fkHHqCNGkiYmM7WYndrqZYbUyPUp8ORYRPeGrmQmtt/mzSCFIl0N
vBfHVxEt7RhGx76CGOCEXJC8oYCmn2nRBoUM3E3aXKuutqYqp8Fye0WjpKoz
ON36meeqKi85ctHhcfYDVAAiL5V0Bd+yTQTHItYBVWOAFmGfiPVzBTaXZRbX
gAKQ30UnyjLFstlOL6qz8J046urMO4347CD4V0u72ipFKFawBkg7rSLnAYtF
kNB8UgMGkKSoH9k0d98YKS0CiTPIUGZFOC0TueZurhP6bn5L7153S11AiPW0
8+Wkq4ARIfuTSzMeZCkIVhUaT1eOTDnapKocnXE31iRftKY2sCUkVeJU6ypu
0sZ8m45w56ONP3/75WZbPf7D5Ru8YUd5S094ff+UEgH7bvWqSRIaXKrmwaUc
RM1LH6QgeUe6LXHOadEX0b6ZfP+BYd1n0WDjxTLnzgd0/7Xofa1VFlr5NZAh
m8R1geTgw3JtaA2iNXiLCgIuuS54xz67QTrA3pVMbOQZwZpkkoyJTTzkV6Er
79ibYe/r9S+5xrWri/MTA+jSVxBfn0TBKI43wpJ6a9sVSDx8O1E7ekEj0OSG
UgM6+Ai75C0FAzbz8gZ7O++plQo1p9NanSYpm9G9onMeNIKV8tZuSJCywJ2H
41dz8WjJBd4pLwt5bTn80sKTEsDaUUJuzTKC6ALRG3z4qvC4glWFazLK9s6Z
qxVI5z68QrmE6FoTaZmawl0KbfV1IAGYbTySKeot8sy+2FnDIaORmqnlcoGS
VqOJZFnrzIvUcEmz9CLI2NXplVKpFNW1PMzQm3Od7DQ3kXPMtGAyH3QEajjd
Gf27cbjTpFZ11+omBVf3xcTXV5yNjats2wi8v0GrHI0Lr8RtJEu4Db4UQ1kl
ZXJ7GmxADLGYKyT9MHqaXyjv023jIArINE1S7pDdTkztPbQ8XmvGpKG3doY7
vS+Kqt7THJmEqVHbCNMYLbEUjSysx9arvehaMx9rVg8CVlPWybvXNWedDVmH
XnzZs/4aNxlTG7CpZ7PXexj+Qb7vcC+69fdb0Qy96y6x1jvODFnQV08Pos8+
fbAbNRo97JHLutOZakhYPErrhBTKoUpO/Z+dZ7fRk++FHtEG6/xecf3Dv5M3
PEexDP/eEXbW+cd4zX8fes3/ve8crtsa+MBZ2yjNnYu36oFaTtpk2mkIlurO
3u8UonD1WzZNpwMwijbZke3Y+vnGi17zhyWFvrrer+WwWyeVzKY4ycPj3Xv3
/aaNywt8+jIOnr6pV/TtgX/0Fh8sq2/ffvHl7sv5Wf7Fl5f/++Xxvbvz7Tcn
48///GD762w6+zb7PDmHE84vPvMtqaujxy+exQd3Htf1N9nFNJ4dl+n+8Q+L
N3U9rn6Kd8rRp6P6y2cXnx3+77tmGtkE28Jydvr+bNQ9/tdhGCJR/5IYBrmP
/2wMQ2N6DKP7c/hWvM6fZM59/6tCNEIbh0++2vxt8ZCNWt1p46Kt0Jiw5aN3
fRSeR0jSxw1x0vX3UrDWjZDRVsveaGdLwP3+CGkrtDbD7zv/mkhpa52dG97c
bR8ZYBs+q12zfbMpry/+1D8EZAX/jTE02T98i49ga89v7ezvPr5zcPfJLf8S
O47v4Mt7h/effrr/2WPz8g2FYVLT/ccHTw6f7uzeuXurjWjIV1NcVDmRm/ed
45X3Gg5T4tC61tGa4h1QgVD5iBIvxYnuju67958lf1p55dRZ3suuIQ/Bk1PN
b+imtdHhp2w8AN9tDowe2CulVHHltVNouFLtkQ1NbiaVHalDOsrwznXERvWR
w3eHC7Mt43EryALr8rw6F2beFNE5hL5ouFEd/mjq6UgiTSUG7YYXlMiZXNuC
HUBXsTMUrpeHu128WkI2ssh6Li01Q8u5ST2trEOR1OomjB1Y74xXFZwSroYi
N9RFWvV8zOe7IkFLcu5DR/0Tr+eNNoCWbAp4O4elDgNL6MhOOTH43DF4Qzpe
Kxd0EbOPbkRHekyoBY8V08d3j+68Gg6HvyFlFmrhUaTSDcvKricK/U5mZT0R
v+m635fYt5bxYYv5QB5hK8xoiuieU6VumWSgW9Ef/uBj9YkA7CABgL8PD54c
70fAo0ZbGik+JqqxG60h8XDdiB5Fjx4xSTJJVOHXz0KoNBsqjv3vrAP/klkH
gixf75F4oLz4MdrqTgqzFZkyApLV7IokMfaMJE3QVjNzTHhcaJnaamRdCc6q
mZDl+jNqNXiPU3mvk7GnY06G/3zXWFKztmVz0fQNwLUNaQ/fTrIp5Uhp7agb
Erg9Dv+2Z2Lf7w44irujEndHiy22JnJiif6BxjZH+/3Gp420NYP/Z0sfj69e
+mTyK5f++Jqlm1/XZOy5ab4PiXOPHHr2eaO3YEVww9N7Ow+2b7nU1cylPE2y
GalsC0wjmVH5IWbJN+7ejFFxObdcQo1RMpmthI3+JzMoMBTHt/2P4lDgZIDF
n2io7pWsyvqYtA9lPZioU3AZ4j6UHvsMMhcMQeRTSiXYhYpLUBWLlf0TFUMc
ryAp+EMlUt9IiyGgfiXxKBQxR5wFwOr9m8CqhEucB3HBNgXBGWd3kowBMKcl
bEdZ1QWIjN6Rg0S2kVZuGKfZReAb0TRZ/09i0Xf/ky7A/SgMj/kXuANf5y2P
0E74V6C90Va25Av8g4DpxoIxzEWJTooieo42eUEOGOe6+wCmvM8h4RiHgzGQ
ZNWKqBzQLJtntYi6pbZiuNaAHnHZsnkVJF5lQQkjxmmHo5Pzi8FE/qi1Ym81
jRhdFJfsDDRN85Qmkjgo8SkK3O30jlhH4p8o0eic0gmF90QvePp2nKaTSuzi
qsr+cQnHOHDeJbgVSS56I2gL2xRttLZv083J5ZFk9MJKDXZh8F5Wp6/SulzF
+2d1WjYUH8ZOjMEAZL03SEliUy+TDBMlSJXSN5zeP08vfXDt/yR08p9ET+Hk
Wwf/oRjFAMBetLO7/VuiGJzknAsO8SQ7Ecxfi+UtNMwXLj4a6FdUwIzy/4hO
UF1KtakyTGYwz3LUqwZIJDrA8jTQ1mtlx/zkHeXylSsPjPgS91vyjTkx0ngR
YVBrww9gQy82eQxFWiiONbhhHd1Nym0iSW4MEgG8RaGHtCIXjrlyNcFb9b20
hj15k1RaUSycNXpCUVGgrPafkbp9hZQfjr9MMFzjEH3jcg2Ah6G1qK9mpdCK
vklEJrKzkpPD+QrJAxMBgWWUARUA8sMSYVJlqkSCNuw9XpE2skyqurXFvp4z
J127wAqrlMImqaTQlEluAQwJNENNJG+mcxbXud+qXPVcqnweUQ1uU2L+RR4U
QuYzzFsdm3rGiCqL2SyWbBEY2VTOKfnVcoFShqqvef6iq6d0T4zswmTFrsgH
DYhUSXtzqbQ2MI6XMuzoIrlrvGoudn8muXMwzFwORkI7BeS9n2LgmV+7ytEj
ABNMFpBwihg0DZBv1Ar2cY4IhrhXVqJ3Fw8zmZe4OADh/7jKRAXNtIl/67RC
n7NGmLZ8M09x4Vk1b7nycIy23mEN/heiVQXebHj10xgxFpxeg4BRyBq6xFVV
Mc4S9o0sOSMUh3dR6LzrFzuUvtGvp17FgO4BAxyewF/i2+a9Yc7ShNNnmyOQ
AWmZmjkqsWmXML4k3NsLjDSWHWmYAYBWxE10RI7I4n6kRqCKvDKvcoca3CTj
jDOxXFNnz6We8e7SLnKjuNZnyufmsXkwxTQEiJF4G+eETQFsmoTN5/NivMGF
DdGtcggbZfyTpfxl4N5LWz8qlrnzaJREMx1b1+HQKrl9lRGTNJxcv7vwPJl3
qJPUUFwcDyMkNMNOWC3NcFStQnmchiJHiFnMihU5LrB5bp3/quCz9G1WhVmK
mxIlMpJy7EIzCFtBZ9NSMt2ZyVIQo3WtHSVVhk7FCE8+W7yLxnHwDEgrce5u
eEhUoLNKzgLjZmUoYTMxXOkNiHjkmE0l5tRnSp40CyEnMmAbKcJCkAhLk7NO
ipTl5DncjLMV7a5QkNww2gqQXEuvEv9LEmCWuQQyCoYv01hwBoGjc6bEVEQz
dAaensMjnqL/Ql3sKhEmFC8QKR34iBM8NnIpxZu1wlqNIkJ0bTCd6qSQPAYM
1Cv8LMSSe7ABhFzTUzk8L3NoVA7vpvJVjaqTh6TgU3KBtNj4KioyTSSvGgYA
kUZQ4pcy4HprIMwUPXfhXevZ7u3Etdwp6Nm7cJ6Ub3zyL9FbcHeY3MTHZyJS
KYNrpvmtspz0PT5UhEFijmwdEdvYQRraUEeUjQGobnXuz5Tm59eAJn/Ca+yu
PFq1UYWWkwhvSEAIw1PsQjcurAPX49qmhpxFG+lwOmyd9Dx5GwPLi1GTdGpY
io25IYcRaIU58qez7CylDZVdDgQXK6Pa3RVtr98TyWMhXgGCHQIXBwdkgYT0
XLIoMVoU0GsEpzuHU85KJ/tXAaUD9FeYyh1BZvRm/hzZVK//wmj3SoJX1NAu
B7DBVECFxk3NqI6iP7oqUSTr2xV8hxvvPhP0RNOUUBQ+MQKpwqdU42GcR0KE
Wo98YjJJCnZLbJZnT8CJfPGJ2NmcE1fd5yEx1KJv8JUmzMvIWQ6YUneoPKCQ
R53ZiYdGcg8fU32lpbD1Hj6sT0vmeqH5NDQRDkfQ/OIxA6tTULgQG2SV4fYH
0VAIZ0iFZogUDGPnaSk0ojts0cpTjTp2PspnHXASwvup3h3azRFFxLL7/s62
iqEOlZxWMXxOX+MHAE/LspsAy1YKi9Mg33SJB8RDHoBUTTltpXoza4qZdcKz
RHWMSe4jJCMo0YJ8vA/TVM7c57TUQF+lNi7Fg5uQ0kFgc5ZjYWBIAy7UUhZD
JcERC2K11SdfVX7e6p7iZ6wXiFzvncCvUxAtHiMl0v1RexAuWZoRgCWs6WCM
Gw88vAFJx/TcIXxKviOe17KZA47i+BJPXbkYGIWsVJpXK8XaCreqEAa5xBim
skvww3e9RxEde99tPYpesvv9iLHXdCVaTeaWUSDNzgLwEEkCdhPA74I3Ei/J
YpbkHBjaAqniMhcVoSQ7y+SiMhKEnhgpcWo4uAog/47TkpOfM2eSShkzDASb
5Fk8rssZyF/RU1MIbcAFZhAHSVllkYSCJU000omzPQPHqjVyEFUVmjGJlGFJ
Ul1Me2NFgPZPgFXN4wApr/ddHMZxPOx8PqRGRce7X8x/m89/6XW/g2e3YKhb
HW9ufXJrfaM1Q101UHQr/iS+1fXCt0EFqShGz/82HK7tStt8Enf9efQLXNni
zXKxUYxcX5tXzo276tjxK9v80v3u6jZ/iLt24Zpxnh8dH3/A3N57nO4juG7f
uo7gA+YmRyCE8EMWx/9hKvIh7flsgFpe05g915qPN4SlfEjFGT+Jds43r+nn
ID5wrO7D+9vbg+iGp6pU++EdaHV9GynwPRwOX2+6x9dBacefT357iCOKt/Hl
Q3NVBze7qd88NMu6po3e1JOTZ7RlmzeZ2zU3tRsIurvSNp0Hfk0b+tM88Gva
dB74lW3WHPhN5tZ8ua4NmT32a9TFYyYPFoZBqkULjreQoB3BcH9MXB9TgnxT
oi7MgIuMzSDgitTUacSJ86zuk+anVi6wk8e3OmgSuCY+kNNKRAPRayg/5sUO
4niv4jvVWZ0xnWforA7Qq1eAZ6gxZDfhogysTYLu3cCiGVfjhqal9L7QQxXS
HlvxDlPKznQtLspdOFA0bSxWzdjKLr7ncXDK/1y+Z9hJotdAnfI9v3S/vZrv
gdcdL6/he6Bpx6t/8z30+IP4ni+OTq5o86sx8N3PPgQDQ6vr2xyixT3qv139
1L/x3P4lsTa/7CbTV7VZR6avnZuQadhl3YRr96ALsK4d5z3aMOUiOvWAdeqO
WD3mZHQssLIG1tVysZSKfQGU2LwHkTJoetj7orhMLzTPsdfKu6IRrDJGy4DU
zHUWdlIUi98g2itMTP5jp7pzmYNhxIZWLaCV70tjTXCWnW1VoxWPNdWTpTPf
dSkgvPoHXo/rpG5qrWnGQsMdvbaqQJ6ID167s32XUz+TRSVLJ420y2rZszpD
IXlkOENdBWo65Hw+iFr+m1x2dHgdueymcV0tmqioc3prx+n84p+AipDGbdCN
3bxxm+6XV7fpYDKubXN0Fn9V5Gn8HNOq7gk1+zDW5P3X81+ZNUHsYpHLVV11
sibEmLw3a7J9/1rW5D9L0PsoCmtDRMeEXXvf/Z/ybJxOXkfwEtWsZTovLsRQ
oOayRZmpsnekzoDDhklNi/yKnw4ibsC/XMujGZaq1letOaWpw4iCNNPha80J
tSguCq5ZqqaXI7Q05GkdPylBdGWrLAVjSM7PBMeBRsmsmXAsLpc5JmGOkcK4
BKb0zUIN/s2pN4pphRX1CrQkZRXP9+jw5KkaCyawnop3ktyAOSsO/JiW4hQ8
wckTZ/Dq6UE17L3k08BceF5BP8vc0tHhAB2DLrIJljtt5Ngk8u58FLjUqfFj
VVKNU3QVkubEfOQFesdgmgFvrVoIkQ08PHy1kkZl1XZRehiNNoNsD+w8azyq
OQJCtjCRPJVkTMc3o1QNheK8QI6NABkJVswJSvG1oKwUnwT1sBr2XolpEK2C
yeQik7xkfpc5z2GzJ3THFF8Y9Pb1AdItGBpEfQIPUyASi9Oml5oQ+7Ioybd5
WhbLRaUgM82J4cKVZpNUXRwKkxCOZkcWHNx+dsYj46+MH3BJOF8uwIjx0+q4
CR+jkUlTS8JheoDBqZ0BbzpKxm/MWFSIW/wPeUdsXT5hvRN2yuEs58uFso0G
OtuLZj9Uujym7E3F/qxViu5idZ/r8n2TogNqkfck0pzsuC/KKbr8Ubs990m0
USx8wmGYJ9WRCtwH8jP2F4NZHTh1DzyuAOSz5XwTxnwmVqU98q6u9ra2ptDD
coSe2lsXOpveE48ozAxcEklT6rSVN9LVCPUuuuLIj36ElK5sxpWpkskPyRiv
36v9k2N0LMV8ZepIDAt6lc7IM+dlUtYrTd4pfi9csVJuMxVHI5dQN9Wq4JlJ
sl9MtSvbhMlRxlqoNMekuog5KAH1K+eg+g05qL7k9cL8sYK1+viLa0Ej95k6
T7kKoBQ6gavR+Immh+YsG5Xo4asl7AS9eiM9+lWRa/EiKSt1McKq8VRtoJ2A
k3Iz9p5p/vznCLuw0L3Ix3fACRZnMfwPvd3TRc3wTlHErQCnZzBpdMaP9hfk
goChK+jPhFAyTbXXRoZ3fEsej7AcNGU6ethZJnXIfvRwOthdMYd9fFpUCPkD
+T2U33+agdhVFsOinCK5P8a0lXiIBxarSJU4xDTvvKOuzlCEzot0hRbasCik
8xsJ07Qf8C7hNRfPGyWuSV3FSTk+R6woaTcPTSyFeIMF4ESJM31ZcU3gt2RS
jo6X4mqA2+XAMmGoZld3uiMDypVuvl0Hth1tXSlyvHE4/wxj/QnFsbQtBbsq
3d9xuL+SVVlU1iT2UoXQlo8JZmLmEcX7IwvK+FJ6ETGr+7FcRk4MnvCJCEtT
Vc7UsrVb4FapviY3udahiqNKWxO4VFu9MHQXmcukbgrKdzOAun7GfVZPTnmO
PJ1B1xC/krkWYaahhUnoGt5mQJSagpoCUXMXOqd+v4nNFaprP3lRn9xw3wiV
+CLBRXgClH1W6zJzp+4dNmSPRaEU4nBKRVJUkXKzo4spolmSUMo+EXjghU0p
sBPDPBG8MSeNF46kehX5rkcaFcpFWyiV628AVkjZj3KkX47ZOSheHT1f5w0K
FwoZ6fM0ucgwyJp3gpJ/O2RDpdaRj/degqYyudbFsqlQXX1uGjssrgEQxt7N
VeHaJlNg2KcJh/iklw0fM9obmM98OasptwP3ega0wBR2cHeZy3pkF8m4hUOC
3Equ7twO1Z2zSzWIhuMaAXNq7QneBN7ppwWWmJ1GX7ET7BPYWZSPHHzQdnKD
dg1BCdDDgr9YGTyV5Ml4T8+k34a3NYAKMNU8lqRwouSyV3nkZQyMJfMzqN9G
UgKweZ4XwOqvfADV8V+e6UibluWJ4Mq8IZkt/0G2TMqkwpgZcQdcvLMoYJRY
011hxn0QarNiWfmnrYLHTYkA5ROb9dVV9qwSdOz+SUUjEPcmFN3BNebR72os
OygxM7Rc8qTFHeXrwJ6t0b6AG9wnEDzkB8XKIYvMhTL8UyzMK6GhImaSNzkF
DXAAiQb20DY4KL0RPmOeujLJtzBgCQdB/qyq0wWuriJt95JAEfBolptM2Foh
w8yYCn/A1mNkm1aWVJaDagYNgE/m1LcaLkjggu1L1qMjt7lBYWUp3gVxStZU
ecI7hFRMc4orcVpHyKnchIuYsIXhtQq8P56h5CbG0Qb2BUlV1/M9LRKxAdgE
RZ0VxRJqdXTT8WanW+jKsvGWQdq66nAd34M8z8AVmZFQPUqQzlEi9OGwZ+Cy
ye7Ih176cfqFAWawG6fWf1bkC78qgl9fhJQD+goxkoi3PsE0VlRgHY36I3tB
qu7ACLXYYsQFmlPpuf7OJMcCdHWxnKEVhSvGwUqD2SkpXOaOtg8Qe2hgERXw
sghlQFoUWnFRi9iJDpUUzccskgKf+nGL94AHvFZUp+vdTo25FEzcj6mueQwQ
M4pcohp93a1qOYIxeHSNjVj5ArbJmI7VVcb2d9nHpgOHNKEgRCxVrQGJHM6s
RVoz9tf10hcnGAyuhj3p3JUGYAEkzwhQZ8kqLTvOGO6oL0lacNgpL6wih25d
l9PpoYqlI9IukFCdk+4Py4nssImY0oB/mjcmDphq7RyEsopgxWkzLsTch/V6
3p4ncCnwEerviEHg1oJlyIN7L0b28vbtrzmBh0vyzViUoAOv1vD2bVG02HiR
ZMQqW6SuzavZcSFPuG65RjCl5Pmt+EORekbSFpkvYWuLGR02VxthHaLEMfud
doybxfDMv5nyYxOHhDA4hkHOpNCiiZCurQsEvdYQFYIcN0a0tIVF8KwoJCbE
hIjA4KQ8BBvMHNRlH/iQXlhAxokwm0gaUXM48oYpTuAIrKxSya+/R00qADj9
8bLjZtKmmJlycSay1o5S3hnkykl3x1N061s4/Qzz5168qFcK/ePzdPzGG3Dd
8jRixEasd8ixpCxsDDckYD7KScHRWBDsp0KH8AgA1HhN+8C8TjDERPzA1yay
d0o25R+Qdxq/EdW4BRjlW6R0XZbnVI38+dGTSPKvhSQoqIXhPNBIevJLNkFl
7dXYVCE22lW+QygKLg5FR1BVFUdxHeRJ3TdP/5eLqi7TZG5BDs8E5Yg5MWJ2
7YTKnUrN6Fk7ahNt6Klvise/Ozjc7DRPtBQdztTsFnvJuTjHEKDIx6IiqTsi
O5BBbGwvcojtEti185U/LsWFWjzOSWYAK1cgGsdl0swxD159XlLspKkoJgyw
20zetNhsGhwJW67gkvabU+i7WhsOIoe948ZHXIAEJoCiYlqOYJJzG/CAWNen
qUDEW6YsYmK1JXWhcLnMXO01hfwkZ6zC7B/yRLjn6oNozkyDcVw8LiMfj4zM
ocxWalrySdSU50nEmKO1nYNcw4I5LCIUCSUMgd7kg32+JH0hXwRVJgSUi0Xj
NSDtEAbQkgSHh21WdjBgOHhzaZQzCZOSctilCIioVNxzzIBcBs3R4dNjofco
AgVKI0gzax8pJ9W6TbIN9d5p5jAOKMUgRLWZjOlAwn7ZOeqz7E2K/NygiwBS
zbh1aEHgeUNEJkHzMltU9CLNR5spiL41tnYJFjZNZZcG0x5M/oph16zmCOCP
JKcrp8yIERunXEk8SpgNZUJBbIPiW4TiDtadz7hDHM4Aic3SmrjAVMR07INB
AecguT98p0asdPWoMLHATDLCMcNreUiq/HdBKdxEgyWWakzXM/DVTU2SQVEr
kCLE5UDg/ChjukUUMadGzQUrjWj6qhvhcCrmqZJOeUaZxJg6vyiW5MiGs4/1
aq+/jRvVJi/Gl47ke1RhWpLW3dXUAniAiSZhoIWTgZw1QSYHSS4Ix0yb8o/k
GL8X2Tz0ktBEIgBNtpaWmERAjNAjylkS6kkhaFKC9KtzNuDS7vSFwLQLFQYa
mIFW6pxSxD9yzLOMaWfeWf3UCjItWodmnJeiIQytOJjWLMAvSHmdjDlbOY2l
KBhjQEpVRkKI4QTggExCEUZJp13Jghu1siTgPVmZfDWahoP2VPPruGC/ymmH
qGqZUDOysJV5RKSGpi0G0JpQqPofev29KmGUQXLF8zSCU9mZLDe5M0yaDqwe
JskUrIHCmyXYGGBHpAKy6aoQ9XY1Lha+VKwpstWtNbU6QsylhFiVUr7VdFbs
QbJIMllCRpdG7rwVEzXTGk7B5Y5xJglVSC0RsmspxBzWrQuNQY6mmXqXSvxa
FlMTkm1hd0hZZbDyOqLTziMnqlfkqznyHmz9HwQpr5RhEc+AQKwPfQhct1eo
RhG9bHTW2W2oSfm2VKkNh1dVPErznokHETiRpFmhbEz1QamYQZYD1m0qVTt5
SkLdqOoYsXcGiNOplTl0v7mceDYnwij5zKpi0InLDBqDm52WkhOtQqWAyJJs
m8hcDpPc5r9S0W3gNTnEA5zVYZqpSpJMafeB9S2hzPyZm4c7tY5t8MZAPfwb
KaBF9ejU/WNjJ1ZNn2jiSdCDblBk1+m6mOJ5VqkPBmdlIS0jacTkphDaPdr/
ar+Fc52vnOhBov7PP//u+PDZ03fv+t4pARPt5cv5KC3Ftyd1l9vgCwTi51TE
4YRsI6/SacY10GgoGl+yA6WVeLInk0mIAILSfYLn+qbXPqrKsdsVXIP/wD6H
vqwN19b+JfoK3eJ/iU60OMcv5hB+6f3S8k1sP+l6Ay21cIiUrPjlinIWv/A1
RcRLdPbdOzbsye5GQW9UHWNNb/KuJXms7a5Ru2hNxx1ftYqe3GQILMB2/RD6
1bVD/LwXfQS0Ip6PYzjoirMmPpQaPha8+u84w+HaE8DEA2SVG9fvetiEXDb2
ekECyB6ggFFtX5ouer1XmsnKl0jBb/KtpNd7odrd8F1fE8ZGG41kxMgv1JTY
gdmVYRS9OHoiljdNYzgpsFJtjO6Vc+g7l1ySw02siSIFYEKrDg6KZcYx0Tfm
pIQvj7vtP/glHQD5yoRbjwliYAkUvcemgo7GtO6XrgZpwGtw5663fb/HwuI4
Bzl/w7GNCoxATBRrwj/XIU3AI0/F+GzSpHVMlezSK+Bd3komvnmSk/MDGkfa
PYgDpU14hjx5WD4D62YMMaSj3YM49sqIiMyXZcmY3JYP7+gPjuslmTWi30Uw
yWyGOBF9aAmfs58UtVWNmeF2caHk1PPt5xE2ReAgjfwGmtT/BMLuGfpObfLh
kjsq5fnEdgcvnj9/8RWCOAKleNcUuf8AuJwUzpGUelsHnBRScm2AcIZfoAss
zF4lHQqQ8Sif+7jikiJiW39JbZPT9jU9DXtZf1E5TxHXzMgqa58Nci9T9Kv4
ZvlE4WyI6VMPiH53+ps3uPjX3fveza9976vAXfrUreXUj/6hyzq16zod3gDB
/BuzuKnylUXU8t/q0v7x6kvbZBp+FY1t1Vj8AGpL7/5NGP9NGP8L3bFrCGOT
a/6t7hhXSv4n3jEqTA0n/PXJ0/izWCuX1+nb+t8375908/BMf8ubx/39D7h5
wKPtv4y0LsBTmv06HQX3kJYNRUXYOEKWTqyo/a7OveJiYON3+gcUC8b+Dq8O
j08w492hV1hXKEa+OtzEeBi5k0YFQkpGpwgZF2Ua+7v77t0eKkNs8YPI/YS/
6Tr/AhNv6kc66z4ATobvYlSrPH6ycyP1xhqm33ezexO9xs+A6GbwycP+LD2r
+6oR+Cq9DA4x0n1GvEExlaS9G/B08cLRgKLEHqVekyUnsXvv/nD4AP5EJQIW
67O+xSrXX5LhHNMgItALd39gq12/H+To0Yedd6m2fJHtGLAnnyjOo1qenWVv
HZIfh3Np3wy5F8dBFKpq7gIkSe7rtCn+Skdfbe33enEck0MO6hJZSY5q3idP
nsl9ol1BP2wumhf9/NFYvorHk8lMz5dSFvxWhbHDypkPNb8JxRS7kpZ7nJc9
GhIMB01i91F8Pim5TJsphrnX+Nq88t9L6atwFG7AHzjPA/lkgIXbrpgGrAMr
huxEDx+hwQE72cV/r63lSQXl4A9+eZuGHs6SERwBNKJfXIQDC4NcuR4c+Ir2
73r2FU4Nq5oAee+Zj+BFkq967kRwJb/bEFF4L9rexE7l54DekRVrL9qhN2zS
gud/hDeSE3kv2qV38hOXoaL1Q9TmZ5NhkU20KuY/4KL02JwHo1vTn1Qg3YrK
bB5Lcer2+4fRBk0rKE2qEw8e8vS7jIu6mq53WA+RW5pqnuESXe+bPTdVnBc0
gZ9+kDvU5rtPIvs4ziavuZ15Aq35UvxugzYM18PAyfv3cZ1MY9nDeHxeZGMY
/zXspm9VXWKzHdcMfw+5WfNTGBwXpF/Cz+HH9Fd7iF5YAfYhbSixXBMp+Upb
vwXPyWgdS5UZ2mF8+gHl2ZtFZXGuPVta9SGtolVV1c2Erdr2BU/m15WK30An
dTOXSm5PAGHinSRAzL82BRApNyTMhUG1ptIsvRDEpTnAkqwXw3K21qxpR8Hr
/dc1nl8SHozZJ+41jrHhevFj+zKcV8+g2Z+222RI98uiKwJN71FL10xOExCn
O2leOe1Es8bwVtSAQXwUgB/2cgbvYvTvdFjOOEAqBsC58w3jkhvxm3Rlr8Br
QQUXUjxXEQE3apbWleXjqbZmzYu/+FFR1Xe3IzNHQAmwpt9wxmn3jN3GtSaM
mZ/i33YObl/COZgcU7FJEdGeUvOUFfWnuIs7uotmzm7cH3XE725HzYW9Zsyd
vPmtlgk9dS0zIYs3t2lvdl3FVT2vf4tdLjwJxn9j/8Fl8CTzzY+OKN2OZAOk
lzqBTu76PZP5yWbhb+imf/LiyQsQA0+O+711tBNXpL+Bn0EnZhCZYq4fzWSO
/r2n0EC1o4Xo/tFWJoZP3BY0Cha/RtLk64pv0eWSbrd188KxXzMeVacO3mSP
OcMW+pU0IjHOgZT5jl4gt9hsKCv1o8lJ6oMWpX3ftQczkNFkmjIU/fq14yCG
hrFKBFTC1vPLnvwtT1AlEePPLYPO5Sv3znwqXthbprFD/j3bg47oyUowhGsk
Tz+mx8Dw9JpD8eYwG4fvvD8CbgfhFn6BbpH37y7LWcz2IN6tLAe+aonc9HBE
afhp+dL+da85x+Zo4yJZxFIMIGaZTVnhtZMRMeSGoyOTB49wEn+osebdvH7E
shb8fLRhxR54tWnboHoAP2p+vtnrOB3BVX+Mvv8e3o6/B8EUmXlZSIF8ZhR9
AteFJJA91iwqmVdQIOzXcYjv2bcXbhqMhB/B7yx0jl9Gw2SUn0Ubfatx6cPO
YK4UaGAfx7+OV8Q/+4+/esr72IQrN58ynQJXGPW/24//lsQ/bccPvo9ff9Lv
XQk3DwUcKqx3ttuT/Wn1ufHddrz7enNj4+9/H25v/oJ/fbcTP3gNjx+8vr25
eVuGmXueutfFe5PUaiuSAuakR5LkB9Ai/mRqR7Jv7OTCO/SG6zkC9V0UIB4D
B3x30OONCXYc9wumcasXlAOFjXzIbiX8FbkO3d6Ibh+/jPq/79Pf3tK62fP/
pj+wK8WbNI/6D/vRhvx7i8rTAlshp7HZ6/EL9+dhtHO7xqwMPfqvfdH/DxTn
+x/Rfz+m//4v+u/v6L9/v0V/3W4WpceHn9CrmP47pP/+H/rv9/TfU/rvL/Tf
f3Q0f3L0+dEJ/L3/7OUX+71wBTCv//V2dxf35ccJgYFb4yLJYFvodU/e+cXA
3m3hqx3+60587zH9696T+NPDnu2B1/73v+MuUqtvDr7Yf4Vb1zybh4T7YjRz
RP2tPsZIugew0e7dQxQzSI0MY9BL+2XH617jQfuT+Cwrqzq6vbN7v/kGj7Fq
9iDfQ0e0qbrJrc+oceszPCgPDOvRhUDJ78zp67mvGekhA8jvowNNDFJpnWKe
8aSopQbe1Vjq91pKDQO6kjFIVLST60f9pDEqZ2YH9qmOFjMM/33PQV1psIna
OVgz2uvxFjJcAcTd2Y7vPAg62Y7i6EHv5YvjmD/lz3aan+3QZ3wwrre7O/G9
fYLk+zvxp/vw2T589jd4ksDfP/UAgt0dQMDf7jE4+yfQ7DAYZwEXjX2k948P
jo6ijbyAi7DZu9ULmI9oi7kWS1937t//7P7O7van24+EnlmK/R6ERju6/2DA
vMMqViz8qNd4gAQVJKWk/j4vmN1lvli4ASIeG59Fw2F0/+4mCiQimVG15Tly
jcnUEWUku5wbStlrRCQqOKCKiTO3qOTCvdk3nsFHBVItcs5uKOfQf2Pf4LW2
mGX5m5SmVBmtGjfy71wT1EWhwOUkGpkPP9Sp3I4+/rix4JjiANAwxULaVWKc
MHpGDNpzMraXjGQsbI1Wtr2bCXV/9HmYnZxEgd3zRb36w88BxOD+zKETPRnp
XZh52M6ZSNehFBB2INLnT/D9aHW9/PkrmSO30nePiIeVQUgQDOUVuk4KTFOY
nVEkB89vPKPlck0PdDF6DZnUKbCbu4+bphNu7HzXOgauEecs0C2uAUH6d2So
01sRvqKsBAr7S7E68CuMpnyrkM6v3j3qdd8otx7/6A86bfoUfd5vesayNLpG
4TD+Hj3qreneny+jEPKMx40RHa77DRv1QeCGncyTjCs6lqS3vVr9VFEkROcl
d030MjrxO1TesnonirirPYvZ/JgyjtOUvu6YV/CNTILVHTSJK0T26P9v78u7
2ziOff+fT9GPMCJywKG4S4IDmTQlX9s3tvwkJTn3WooyBIbkRNiCAUQxCv3Z
Xy29T/cAEGkn57wgMUX2Ul1dXV1Vvf2AdwHKpcVUo2cvXj1/99/FjX2mhZoH
4pNK9hUfbp1LdfxKHITKHEqDYdKlITuyK6daHGBzrSMsnUaLDmN77XJqyQek
Er+GPtSSydflIDKOEftsDxQ5BCZBDswdIj9XrbseUielY907TiKWM2LWpu/L
jxkvE3VZUPuH8VL49XdBO+YXepNk+E3bwbIkQd1eiFBejfcGxQysQbRBqn+1
GJ1TiBRuB+u+SVYpxbxGCt7B7wSsfJPsaT/k6OhwE/VtK17BSEXWOFqphhkR
We04VC0kWVn+EZ8T7gzKS4hOvHrusMoajzfdGe/XoY6EG3vS2Fh01Lj28V5T
bUfJfGEe72+eW1IZTNCeZwo7oB8OyJyyal9Nz28r3ZrXMnVU4BOq6qqcBinL
Uujwg43I6t1lra10/uF7Hptsg/d5W9+t0dXCZz91McgRCBrLpIlUzFsGDK7F
4kp+yopX/BhiW+hoI6sm/fcF7X5+kqfdsiLdunTjNCsnHKrNisuMz9QpspqV
25ImcmAtXnyG5OlnWuPLOLZY4+gY5I2NgOCWR6NuF52jFRUs2scfWhYNxxJc
zzkBaTxg0LHnxRCWa+pESC7kykrfhSp03Hw+mQy3TQF+RKwY9DJR0T7QfZT9
UPagOF9cqjC5VnUKUXRmXR46DBXTyCV2yaMgwcWYvk8XtbYrjoPERqMF7Rp0
xaNQ/rx/3hWPQzl9CzfcY+aJUx6XsVrUoQVscJxqEUhsXXTnfXDH5ertgP8s
pX/NpXRkOtcHvfAHHYK0Zn3g4WwKOqFrEHOuEpo2x6RvkrtFm76oltQKRyJK
b6cZXrF2hKlkWU4PTaamWk6PTWoSKtlz9uIOk0A9r4xeVmAf6BKsxxAvkZxu
6aJ+VTnpRuW469QbE2jBB9Cd8QVFNflHtwA/7FcF3ibh5lQId7jptauiOZsM
fmHuYjhM6hy4Oe5en747YSXXdmNCF+fUtuUMd1v2/NKQ6nk02foo78e1oFiU
h48DegDpoO13m+W+HvltuVpynNgtx0o9Vraiybot3X5btV8hL7OoLei98M+K
Gz7DKkOlD7k3vnYDfL5p70t7lnt/ieU2pjfAvqHeGLQReigGynbXZKIbuFUf
xm5fICEcqvE6q3KDNZmo1ypclOIGFS55UZsqtRkYYgiB8+tMXlawt9i/0Olx
J8mfr2wi0F71Pnv2/KeXz89OXz9/pu8HElEs9pkTyKJues6fLWvfVU5sFcTF
p7sVSE9llUdWlYCbsEawmEEslzFOh4r61DkKF0F/rOI7pqg9tFVoQYsSW2P0
tDKleMEjb2i6rbAigx7jUf7BqlquO67jY/V6AsnYShAo4VRnPwCVjtxKdZem
FlJffBGeW064q9YdZp79gAvBH8QOPi7Z/NQhcDW8JD6+uVVeSBs0aR2TsLnj
lwt7aitDpSsqYbWvWc9g6PSZmo06DbV1w4mZK57Sh7vm11f++kC+zvBvInGL
9gsJ2WD4CqyMLiAXNykawnksAetUuhS8wj5Aw9bHWqsIbtJfSDS0+0Hvi6Df
MqnavKsSyhmUsOqPZ8tR4BK0yba/qQt6e2SGFBU82HRa2PI49AMTrOmpXCDp
rss8yYyaD/Woi3Y2+HDAs1mms5l9WqyjuzXCuq9kce1W/eNo5VrZVt7a7Hph
H59MEZiU2kiTJ1MSiYmu6SZh0vqOloIL3U0ChkDOuF195Y6LmFPqxtDBn3j2
zdfGqWnZcm8br37zOLplqM25u6Cvn+mHV/wWhdr5ev2IP3YEb1GpbQqb28ze
Zmx9+/iOul/jpbaNrN87+LzUN5zvmxfnMEzvUlnHXfWzMqf2CkellYplNNVo
J9Y5el2BDaO1u363dIU1BBrfjH9rAhFregajD7Ol4q63Nh/hXZuDA8+228XJ
uu9uenRUBbN0imwK1JZYRPFAnRTpdEXQWmZoW+utR1TcaC1Vsqp/VYz8/WM3
01hWXnZIz5wPL+2Lu/K+swkpnDqV6oOZM5SuStWDTN/h9PQK02yoB0JT7Hsn
GrlqoqvrkWo+tPTyL1qpg2Q5ALYnVPL3T5a3nXJS8PIpanFZzNSmJzczmy4q
d3dZ7r7g1zmHMozHy4d2vsyVII3yAqatIV4BizG/jKssDVpkqjD+Q1N7o2Ke
G1L4jdX4HGUyK34fKHjncAfEM7t5auTCPq6pfekFTUXVA9y8aqqI+YFq8lUz
FlZX/sylNlIryzopNi+Hk3OwoeBPCcGYnxxH6fG7GifbMKrKE2fNN3Qe6r0w
fTfxqZfCZJRlggUaPqfHGTwr1dafvAUip4SJwT2tMYsuBkbNZ/MxgsyWfWuP
28/K+FaqLpEPp1e5X01hf6259WV9dsC3IM7qQ1EzTNhlPSxCi927I2NrB1bG
+6Tr8lGnBMw81ethK/01Lp/xmvPP++lrZXdrKiRfl2l1zvF9g5mo6sqP00H1
qAwzrvLqSmoRuwlKAF9BQb+8YERp7pLUOxlWFD55czJqqfh013qux0pnJgse
6zZNzC+wgDMnzQmDqWe6p6anYnit6UmNORsK6sac1k9t4fyMN4kF4au1WcGY
W2lD+m5ZK8Hcn/u8O3j8Cai7MWp6k1eOgnxdbI+YFCQsZ4KjtdRHTK7HHGRb
rkanWeNtz7Qv4K8acRmS1FtAnCJTFf5SY839XG+kDbt6uKurHK/Q6xMYxI2e
mzOG/DyHyHX8GcbA+dRGCYVgmCAobFtd+gqoWaeor9FBRlREVUEgwV8xyAOk
O5H33+eXhSxQzKyMGdN8o10TxCrWxtmMIbJMQlUUGcG464QFfhNZgd9a0iQR
q7iJeR6KbP/omC/GHx4cexLBkdYS0d8f5nE2sBLg3xHDKN336LgRTXAy4Zcd
8JMs3DfjSNDXXQlBHdVtfKM3gW6BujbEdAPz1eSh7IKXY8GsMQEG0aILn0tk
WoiB6NQu/L64CdG7LPDb9FBPGwJoHUVhjyp6bGYibqcAodbPG7Kyi3yE6OxB
FyO/YiIUuC5G9O0WIWsyrqZVP6NvII9nBwYDLY6nFWvGgPMrdZxW6ZfFtnfn
r7GZzBpDXV0oELYyKky8LuZb1cwus0SfcF6MbupOBTj3hoq+nLShYVkkwLJq
u6m25s9Ux8EIsO0Oieqf6bYTwmBydQP6OcpK+OHoDyqz9RbAFnDTRMV4pCk6
YU7WUhtvvFftgTNmyNKn6FjeKu6sptbTbHt0HQZVTixMnLJdsBbXyIemtxYX
rpa4a37P+jras14rnsi9GSytpm9YhxMJOlaLuy7isplNJo5l3PLWkvVuBiaE
FqmqtFZn3QXkKm1pU4YRlHtmWcwyvNDn+rUPJd2jCvU/JDSK8DVTa/XF5kGe
OOJxqX3IQO8Ndv0AQL6G3XNWRJCw7wkJkg6sABz+PAzFEpB+5I4kpBxbyzX4
85HeyOIdJn2fRG4siSf6UgRF5WJPc+1sMIm9Pat72m6JvX2fMytPdcLfSBJ7
qj+8ChV7R76JwsRja6Lg349cI4FJj70Zi2mqR2x5xf6ubbsNd/uqQzTTxL7q
iFEWsa86oOeW2Fec85wS+2YEHCsp9o9dbjUB3QvSkX3VA7mLuv/EUQ5V62BP
d1Qq18G+ZoSkc6B4tRe34kCxy7NIHGhBm/kiDhSrZlEnDhSbvJwTB4pPa5Em
Dp5orlBFDndtXVL7woeKdVp8iUPFdyDoFYeqE26wKw5VN0JBrjg0nbKCW3Go
L1ipoFYcPrKlGw5mxeHjQCFWkkPVYSt4FUeq216QKo72jApwcCqO9t0kHZSK
owMtSxWMiiM97VUQKo5UX53gUxwdu8lGOEeqy7VtNmOIYttsxjI5G23GOqmt
NstA8c4Zzt6DxyrR3gUxrdb2QazmzD6I1Zi1E2Ia1HshxhhauyHGHqq1t2lf
rc5Ns3L5bprUS2lTq68X06aeWk6bivXltOG4tqC2zfiMKWvjIZfUxpDrRbUx
5XpZbay5tbC2TLpeB5vuWHqvDYq1FuYeIfAg/aSDbv6Lz0UQNM46y0kac3lB
jgXUEdhYw2hiUTzg+szFN5O1qXmszIfW8Y3/GF7dWJCsZf5jeCqvLqFYJ++h
8uph+zCjL3ok+vsWfZXKtG8TDeso+QRyTSKrHUh5AgsWHumywWyWjT3O/ktk
zHBeIltQlJ/7Etltxn2JHEW6dG6nYCn7dophn3y4gTmjEUFHpoaaEYtgDOEX
DV5gHKc5NEWS8mwUytt/vzWDZ7RXtWVfg2lA7VSaVVOqmDpoXvX38mYM07jv
1q9JQVfUALIHNnsyNXRNBwkZTT6MarIPGXEU4sibJqlWhMCTGBrduoHoCU/o
7iDgZoo9ElR/5o4GF+Ucm3mNL2x1eG+VqetOA/te0igflxd4J8Z+Jv/QyrjL
VmOmOkdP5kM988Tgva4j7hte131lKsI88d7XmbEzzYWGEJ+xZq/wq3Ey5ULw
8MgGlaZNP4n2jFUMljI3cFXkAzNSDqy0UpPmKgZZ2m8q6oiwmo03TQ/j3ybx
+YLjLYHQbMoTzzxdz+UtSmMrqspHmSDBL859hImvGJxWzULeaL6Anum7H+Pz
CzXzvNxUyNOufHxjBicuNs0eXQbZUyTZZim0M+yYsiQOqDbQYkRtXk9jUzQz
9YZfqqeiCzCg0yyAAbc2bpOYq+61ua9csblB/pXwRV8rtMVH35FSW3ULo7IE
41nqDP1G0Nezz53mrlXbqmmRx8nZn19nZ/KSrr617dZQNGyFFwrwPTxlVZVY
CMI3onaPNl3gdjv8uts9DtVShJGRy8dxAx9Y9O6IgSLOi44ziZXHDaxAyV+F
k6DPJG72NmNedUv722aL0DRt79IZM+XVhLd9rTDvi8aTecYIa/rqm9wI5DzC
QdPmtBwVdpR2X5hZsWVCFDOLmx+th5mFlVbDzCJ+1sbMwlrrYWbxKmDZQ1+O
iVZ/6IvlV3/oS9Tv66FvkNX7fujLjUQxswKxgh9DfCZmlkVBvSshRXQws0LS
D2NmRfth7v/+dphZoRnVuFId/UqYWUHy/xrMLGnk7oSZRZHBGphZfpshzKzG
MiKMmcUx31LMrHCxt9bS47fFzFonpI1jZrk1hMLMkslxzKyIfbYHKoKZFckV
UcysBiNfM2sNmFmRUi7mQEOhGmaWE5H5mFk+oRhmllUuhmJgtxPHzPJLRTGz
7hg/Baz8WphZS4ehhpnVVKMBM2uJZC3MrJneaKsF2hHMLHvG+3WWYGbFG1sF
Mytae1XMLCKwImaWVdbBzPLSrXn9GZhZgUZczKx4a3fCzFrifWKYWWz3GjCz
PHatQMHHzIqTinnLlTCzmv3U/WJmLdvV+1Uxs5oatzCzAoJbHo16m7irYGYR
O+tiZlGlBswszP8PZta/HjMrOk71c8bIuuj+MLOQ5jqYWf9ZSq/wCS+lGzGz
7EEv/EGPYGb56+SmoNPDzFo3fg1hZn1WtOmLakmtKGYW6W0EM4vzfMwsTnUx
s+ol65hZtXoi8DyWCi3BzLK6ZWNmOVVFADOLJkcTZhYWqGNmhZoTFmaW066K
5sKYWT4Hbs56mFk0FVbGzNKlg5hZFJ3EMLPIUgUws2T6vWJmhdqqY2aZlpsw
s5Zat6Xbb/eHmRUI/0QMM2slq+xjZvkNrIOZ1exkbgPse5hZsaCthpmFBZdj
ZtEiYGXMLLP4WoKZ5URtqtTKmFkkpPvGzEKi/wLMrNh0twJpHzMr4iasEVwX
MwspLsfMolL3gpm1LJRaBTNLmvr1MLOiLk0tpFbGzHLn2RLMLCwcwMwKmTsL
M8uupag0YWYtC53uDzNLzZU4ZpbV7H1gZlGDq2JmRcL5GmZW8z7A2phZkWbr
mFlL2q1hZslUbd4tUCwiZWFmBbLDmFmyoLdHFsDMslrY8jj0AxMFkOW1ej9a
aNRRY2ZFoq6ltxJXxsxqCOuimFmqgTpmVizsWxkzK0RahDCzaoagjplFRTzM
rFjo0IyZ1TA1V8XMatwy1Oa8CTMrvuJfHTMLadwdM6tx+/g3xsxq3HD+DTGz
eCv6vjGzeBMhwt5vgZnl7bD/lphZTsAm4phZwR0YCzPLoaPvHTVhZgU38gxm
llNfEbwnzCwyoCHMLLPsECtjZvlLFdGz5ozGzAoHmb7D8TGzIqGpkJhZS4h+
HmaW3x//olUNM8t4wqYn/zWv4z3r1fc5g5hZtPsSwsyicCGKmUW5TZhZToHI
s21b8WzMrKAWmSpBPBSnPYOZRQG686q9VvBeMbPYTxrMrHD7QcwstafVVDGA
mcUDuCZmFlaKPNiN0FOYWVa2YXRdzCySgYOZZacYzCzy9x5mFokhhJkV0Bqz
6ApiZrF7asLMIgZ8zCyaxxZm1hpbX9YngpmluuxhZlm9DmnH52Nm+ZQUZpaf
XsPMCqqQMG/ymeM6Zlatg+qBPWbcBTPLn1iOGW3AzOLo2GBmWUpnJovBzApP
TBcziwyyh5nldk+/qA9iZi2ZnhZmljL9NjSWY+H8jBpmFnslFzOLTY2FmUVT
6NfAzHKNmjAwPzQKQcwsEqTGzPJGa6mP8DCzSJweZhYrhDXTbMwsTTyIK0Sx
VWW7sSWYWctG2sPMoqE1mFlkey3MLBLGr4CZpYRgmHAwszi6sDGzMMXFzOKI
KoSZxQ4kgJnFGRZmlo5VrI0zBzOLxGNjZskgZlXMrFrME8XMUmNrJOJgZlmc
DayE/q+CmVWPaIKTaRlmFo1iA2YWj/IyzCx2jlHMLLLFYcwsbaZXwczyCwcw
s2hqrYqZRarVhJnFUy2ImWVlRTCzePTDmFmsc0HMLLImccwsK/tzMLOWxoBN
mFnsNRzMrLBjjGFmkYUom51qADOLJRnHzIpw7g2VwcwKNxzGzLLbbqp9F8ws
t9tOCBNBnCL9CWBmaUoNE9VgZoWjkxBm1hK1iWFmLelBCDMrMpbLMbOWaXYQ
M8vOiYWJa2FmLeEigplFAd0amFlLWoljZmFuADOLArIgZhaRi8smhJlVXxva
3VwfM2tJZyOYWQ1taVOmMbM4TqljZrFfi2BmxYTWhJm1pC8NmFkq5teYWU4A
YGFmmYWPRCuxhWRBlViYWbVYQoKtWCMp0VaM/SCoFY4OLMwsHaxJlBUrKmeA
lVqwJTGzVPc8zCyHMw8zC/PCmFnUPQszy/NbZsPUxsxyvARjZrm2nzGzjOVl
zKy6xWXMLD3TGDPLVRbGzHLmFmNmmTnFmFkBK8mYWXXDxZhZ2mAxZpYxLIyZ
ZZTDwczijtqYWcyIwcwiQjXMLDOLGDPLmy+MmUVxqIeZRXpkYWaRT/Uxs5gr
jZmldcnBzKJ4yGBmRYJexsyqB7uMmRULchkzqxbcMmaWE9QyZtaSYJYxs4JB
LGNmecErY2YFglTGzHKCU8bMCgWljJnlBqOMmeUEoYyZVQs+GTMrFHQyZhYN
ShgzK5TlYmbRYNUxs1jgNmYWcepjZimT4WJmORbDxcyi5nzMLLYNPmYWG0gH
M4u642NmEUkHM4uHwMbMIo5szCyq5GJmsQa6mFlkHhzMLHYRYcwsthRBzCzO
sjCztJXWmFmsHg5mFsvcwcySxtvDzKK562JmWeQGVm/qmFm4TW27tV9++SVJ
Wi1x+tN34llZ8U1/8QzmkfgBn8aKTy2cqDk9vR8MhtlAFbpNqHLP/YgfX7x+
3hUP3jwQ4O8KcT3Lp9MSPAN0Qrz85kw8fvRkX3iVeglyVsw+ZNfFcJi9H4Nl
wpuoExlcKKejt2ZlArn4fJqfl0N63W4K4AmWyrjhJ5rTEg8bp5MSQ1xd8JN8
PynfV95yrAGDAvMIp155IcFD6ChcVwMt2fn+7Pd/u36/8/2f//vdq2K+LbAL
d3gupx6JAa2nGKB4nVZNbsj0jW2x9zQJ9V6XtDOh+P7TJCgEXd7JhQoHT5Ml
gtBVI+WAyOHTxFgwvniqB0YOr/Ex1gPV0bXle2gApUfLMJqZzOamrJ+D0qvT
1LyaLJZhjLCRi1eAZakviGT5bJZ7N99+pptvb7dqxKGMX/Fneei+wXHPhjqE
35BBdDEwSTCpYWSStzDyICCwOkQRf4f/EvmvTPlbBQ3hnw+5wDmsn1UpnWcV
lVe6HlqVdRSf2BRUi/inU4kLmO0CTv2CkgnKzWuKDx8Yrqc+4PLsATP4AcNi
NszQb4wveZaW40FXXvo5LyFS4+7L+m8Tn0e/tf4kn2YKM+hiMhvl5pVCjBl9
N2+l1slZjjJk4vfz8ba4GNE7OVhlwJ9PHRAWyNqy62Akg4X84ltJYHT0HuS7
d5Dbfzfvil8k6BMUnpT0QL5DkAbneP8eF05bapYpVaBFUWAQ16Rt9kx1C0pv
VAtOTEnbheDSxxdic+NMjsZrnJwgmXxOBOzke0CnOf36x29Yjr5eaX4gZCk+
TsXGz6fZ/+bZP3azJ++yt52NpFFv1A00Wq3sJ1I+NZqbP+9m+2+3NjffvNnZ
3fon/vPzXvbkLSQ/eZtubaWymZGi+jvcTDA3y/gublfsouTdd6d7lCSXnl2x
T3aTbnKxSWYzjbe92CVOZ3lZQQA+nUDshTh62wkLxpE4ygvYeJAkdjIIEuwd
DSWV+hGXN+mmSF/9JDa+3KB/IQiC1Dm4/q3E/E4fkMrkfTEWG70NsSl/fyj+
vphgpCFHYytJOEN/INpJIYzKZwn9tDM2/s8GENho0c8v6Gebfv6Ofr55QP+A
cD1tgMQOZWX0c4d+/oV+vqOff6Wf/6SfvwSqP/vuv77DI9vTP/z07Wni9gD4
an/c30e5/H0gd8ZliWleglgoO5F5pjMgu4eYtcf/HGRHX9NvR8+yR88TmwL3
/c0blCLV+tPZt6cvUXT+2PTI9vEydOPhhqgW5zohSUxeD8MfYJ/glijTLhnI
TryEepHsopxVc5Hu7R/7OTiMlU9BlgdCJFQl5FoxqlwrhgNllCFuLqSW/M4a
fTXukZZ6rCBfijP4E7w63mVi3CfBHA8mc5EPr/ObqtlKfSmqKSy4Lm5ELiA8
KOaCJBlvteO1SohSYphDm9MhLLjXbRTagTUrPuYR1Q0ssT4KXigmCYuQ9Qo0
7mA3O3jiENkVGSxOfnrxKuOiXGzPL7ZHxXhgNLXDvezolDT5eC97dArFTqHY
/0JKDv/+IwEN1nMAFX83YXU2KVDtudMO7Y/ge19x+ursu+/E5ngCE2EreZA4
wQcdIXr+de/4+PHx3v7uo92n0p/ZHnsNR6MIHT/Z5tjhRt/o4UjNSkCH+rtN
iC3fQSBIr8Llk2z75uJjPgzduk3kEkO64Y3385sNtVjhOGRjURV+EoTe7ybT
ipJ/TilHvszdyIeXtdLlwE/6eLSoJ/UVPeSJ2M3OwXu+1QXmVMDNNZmtV/tH
x9ESmPby1WkGK6Dsm7IYDiqT/vwsmPzqBta2OF+cXC0yXJUJuswoE94m9UYE
b9VvjCOMbRTxPg3iWdN41t8bCDZUGzTU+3sZydtKauJTHe7PPjgjvPExJoGb
9SXA7YbGB5vfeB+oxlXM33K1CME1/sGvaeSC7PttcfZUrc9evfgxe/HjH/7n
99/jHMaks69fvOSks6dJrUxPfC/0Ls8GBr8biV8LCp1ZhQgylHYodqxFupD3
ZK3Ut24h8ZsBPEGj1rU1+ItjRD7nMJkunpMuJhjKibeCxItpMcbdoFe4w58n
n7qiNYEk3BygTf/8NkleXxW6HCcKcIJiDsm4CwVe7CG4sulkXBXi29evf6Lt
Jd7SPQePU47Fp09V0Yfl77S8vRVlhcC7aB8H4E6Hk+sd3luS7XbFg4Od3Z1d
CEBxU6iLqzjcze2Ks8mr5y//ZJr4GhZlEHZBAWv/OFpsGxjpDxf4q2I7U2z7
th9X9Xrry2xJAWt7yBptqj5I8OSgQv4e8n7Ww09AdXZz2yVyl8W8K+nKXeCu
+L+YT4KTTKoNmB1ZUofNVVfzlAl8QY6NWWzy60Nqz0rl0ek63eElMEeoTgYv
ZmCVq5ZFVq7aXYTV42xhi8eRtFlQgaub4HjKbtl8KRlbPXqwv7v7oBuj+tTh
8lTR5NWMqGAuXuUYiMFKoVr08YjmYjEc3gjc4F1AMLVj1ZcLN1ciNkgwj1wH
/+l6WhASZqNAHaGW49wZmqUdjXe3GH+AaTLlqZTT1qEgZNxA/cn532Alb0Tw
4HB1Ub82E1pcg4hH+RC7Uwy+FMXO5c42KS4NLWWPIfolhFSHiNaJbSFthOwQ
xmCCzsv7k8VwQNXP3ZnnDCdMhWrtweRL/2BeIEKEsK+Y5+WwIhTof5fRRcej
ZovkU0g+jYic8TteZ/xQm2Gp0M/HKF8+rCpAabSBHuHBBNpAHBp8nemQmFyI
HMZgyiG2dBiD4qIcs/ZZNv9BJR6cUtkHDgkG64UVEgQAO0J8N8aRnJf9xTCf
sQr1hyUelozyG5jJHzwVoDVLCa3lSnEkzjlUzefoPLBjizG0Uc0nkwFomUsA
BFD2C+L/nG0ty+T/X016uGMOWqTB0yBR1N24w3qJEV3xobAnslMV1sD9Be5H
KfHe0dy/XtZO2Pg7NGaS6c/xBObEq4PR4r/JWFNM6/nY5mFYoX//rrq8pH8y
cP0D3fYAOyaLv+J5X+G2JSVc5H08dspxnU1WZwJu9AYPhtHKPbd2Uince6l2
XMWf2OrNJ1TtT3TIhebjNXu/ivgBEleTa6eEoAsosjVmAvqEhmigrNJmtSXN
2FyMiwIWSCUq880EGCBL1Qc3j7TnV5AhbSGP307y9YLqlcivKEd4vpTDfIB+
VRBLSzlhYG4mBsh+OpzcUC93kj9fwawxJ/RAB9Y7C3CyYrMqCg7SVTbQur3d
Qns9QadRXl7hVlc1IbZRNtxZsZiCUhT5KNLhCsVGNnucjUlNSjAmoJYQ+JYf
MbqpxAT6VU1GhSiHwwVQ4zLFx3yE70CVpBVByct5ITkYyBbQlZF3KEqQ5Azq
X+VADUlBw2AglRZ+KHaSZ0YsJISLGfQfOoU3Xa5hfIoPNJz4QrHsc5EK75lB
13aSHydz6YxwyC4n+RB8HpTAEZsMCwhdJmMaxPPJBBdffCS+k7xA5cIqGCKJ
P778A3lbGK2Sva3sIdIhU71tOUBcLYGyjAmlbtKfDM3yRIwKvHRTVqNqG4f+
SuSsgshFZBVGlW9vt6GzJVRAOc70ms5QBv7wCq5WRFpO6TNjmjb2qTOs4zLx
Ckcyogxy7IqPNFZjoW5sVSxOFLOa5+jTFudgvECc4MbpThuE+Fc5hsB40Qxa
OwVfMBvgTRTBoN/b1AepOduyNe04HNGrziqhEwPyeIXEV85k9IQz57uxlCz0
tyo4itHXza4pnAWFnM5KoIpjB52+BE0CTZQxk7YRUMC6I0OtsiEA7cOZDKza
fEHTcxkvQwPYXbo4NKDgegSBlsg/gMPnaK3MkUHHbGLgtAOj8tpimKaUr3XW
vOrnsxkGYBb7z9VupgwoBzgmYIVO6bQJjePpWMndyCM3ikNoIIoiVLSOqcBd
01G5Cu9gomK8NuBFuFEHHjHcPFjMpridkZxWFFqyvUQdMNcRhLy8t+1Kn1lT
1xCJGnOGbeHkB/tqbJsKdumajbHgKE/lbczYSGtEo/BDPl7gNYDFDNr8Y5WD
Ljyzbrht/vDHZ1s0NBXOVbwr8+lTVsLEnlbZaIGYMfPq9nYH3dxpX+kTWavk
U5fhjYpBb+MCDHKxITdoOMgupznOTDlsG68gGpyhyoKRKNBbboDkxTcvXj17
/gOEZUdd3nk5gU+r1+l0er0O/kO/qI++tpP593j8DKJDtDop1YT/Uvi01KcT
o+BSS9IO02nj/3pIQdNo08+0s4wU8pS08QNkWicpUoMPEGgTCfrZbrWZz16N
XGb1lum0kUQLWTqRdYkW/4ckoST8EWAsc+kACeZDcsIMoKzaaU+KrtNpIz3Q
JFBS0JGvZ5OqyvFag6Rz0jafEyYEMkJJpWkH/k7TXtqj/7dj7Oh+aUKtEyST
QhfaacqdJHZ6kFSn48uHSeB/sm4L6BGd9gkmYT+Bv/iAaf1BUbeUWFlWpEUp
UalrpjdyCY0VUyIqKMsO0unA8CClFAfyhMimnRof8r9u0s7SExYPq00bqaOQ
QSxEO21JvUIpIp9YQKkO/Qb/dROphcC+1EFIlQxgpzQNLIYDCHR2dnaADNjt
yQiGH4h1u52kh+JQhVvEOUupTYxYVKBnMHItINNFVsQ3qD7zUgCdNE1gVnZa
WkY0Y3lSYbeYzolUiDboZpYxldq40/zuKGnrxjswSK0TlhyngkWAlpFKJ/BJ
UP3TVtvqGwwMksk6Gf7OM0WOQ0daFfz4dCgLp2KquIGJlLY7KQoKRqvdQaVk
XnF+UQXxP5PLoroSnY7QdDCHZgJZjhNUuxYZx6zNs6zXUfqVyhHvoI2/AvuL
93rJoiSQiJIGdQHFg19PYFSQDqYjmRSTTngE26llcZR6s11IuJ9MB0WFqtTB
+YjkaMZ3pG1iPWyBtnSJTE/qIGghzlNMQEm0mAtkoEdyAEuBCtBOtToDr1C/
RV1LsUTW4Z/Aj1RzFHSbmkF7jOWRIlp/7Fc7Zf1u03xrn5BI3PFClWNCIGeq
DSOFfQJqOLlaqOQnSitgXpywdmmHQK4BxgsFdEJK3WtzG2hJO2S/2AMBHTSq
rNT0YTtIsumwJiGdlFpOkRDoPtqsdocErFQulQY3Q+mzjH2tTlpEEIohIeAe
We5IO68GXhsUHIaso3np4n/wAcEnbJ9aRAhsAnQa+8Aawv1KccZ2pN1CaWU7
GVkOGG74DeiAIUnIqIMuk1BxTqB7aFP/QSSsWOxwejjMbJVoZGj4QZeIqYRV
DeugjQdGaIZiGdBJlCvRbik7isLukasWP+WwGO11mV7COovWC7S/haY+bSnD
Sf4Yx8un04OOiW8n1+gFd7oWnQ6XQK1o40TNWm05h9qU6dCBcmjOdjKUME4P
aE3x0+lJ14zzgz6o2qBRwBmoZyqtekfSgbkBJo20h9UxkSaJpMo2pq0Dlwz6
wBJPpX9RdNRHaxjMd6bUQ7sgvVhHulR00h2O1TKbDidC33a070nIPPNEgPnX
Iq8qQwXg60ROMOUA5YCT8UObnykHlqRovXqow+jRT1Kyw6mOxjrk+bJMEoJ/
cKDJ9qADg+VZxn5Zmqs2ameG5qaFMiEHrfxYJgcrk7MTpgb+hsvKEcTJyFAv
yWhYwOAAX1kXet5NuxwqMGcp2TnqEBBMiU7a8ePXTgLGvKdjoJTUXgcyKaol
S1l+etKUO0aa5nvWPumlZHpRoZUPO+HckzaZePqo2CDkBSUd9IRICPwf+kTk
i0er3emiYqqYxnMWDp0ezRcKeVod8sMq+mXj06F4Bs0K6ng38yn1FJ3eCRoE
Mlkd6X/J/UkblpIv4oFrt+yQuefyk7VRezK0rBl7KRWrEhU2h0r8OHJq9otv
8TlRJaRf7p1weNxG+5WS0WqRXSMnoZw+DRP7rCxjSYnXVf9qclGMy0tBdFTA
DbI4QWVCQaBuZRRoyLlL4UaPNZvpdOyOJaiE6AZSsqc0wyhKaKesMBw3tlkx
YWwzbDEw7q1ULpk4bAelZk/B3emRxaEohMi0XC5sfuDTJeeBhh9N706vo9df
OpwmObds0xOgk3bJRKLZ7JAlaqHUlQvUlJgpq3JqPuQvpG9JO+wAoW0k2FIR
o1rQcQx0ktapIJ0Wu6gUAzGaGDTwbdf3GuXLelKr3E9CZpLDJWgK6dBMb1yX
BlZ0iQ56qIMn7MzbTWRwGGsf7ldLRii0fmu16sVsIsFsSaclIx1eCFIOz2Xl
xzmlHWVU0VFzk2nptXHWlXEJfHDYo/sBql89JtVTS3Y5TJnyMx2i4pLJrE/C
etZqqcUcVSdBtqVhpv6gVLIsyg6vT1n9IexL055mAoIDyUpbiSVCBvPk6ye0
TW1UHugZhms0TTqKCBUR303Gi7n4obzKh/0i915AJcal4NKaZgeuN5FOalFp
/HRsOjxPeYjAgKRyscQlYytuw4/1e9ZrteT4SDMYURa8oPnwr+IdfsRf33y5
bbRHDn9HLnDiNIAKEHn3bvMv8Otftt69e/MA6KQ2FdYZWn7bM9xf/NM50kMh
oP9CvIHft79MOmr3KW2xSzOs0H6o2Rxz6fxTSDrw2/aXDxLXvgCZ1vLxQToP
dt7xZ+fBXx0iq5EgKs/KyXici/8a5v8gNvn069ti/F58Xc7eX02G/6C9y+/z
S/EyH+HOKoRb08V0WsyLgi6ly73A6iofTK5xjx77zkj8ldwQHZbvCz7vysfv
k7N8NhR/xkeQ/SKR++TlTODz1uKad/2rxeUlH4QBwZ//MrvoF4O3XXrx93xQ
4rdKJv8P01t0Pc9HAgA=

-->

</rfc>
