<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.2.12 --> version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
]>

<?rfc rfcedstyle="yes"?>
<?rfc toc="yes"?>
<?rfc tocindent="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc text-list-symbols="-o*+"?> "rfc2629-xhtml.ent">
<rfc number="8725" consensus="true" xmlns:xi="http://www.w3.org/2001/XInclude"
     ipr="trust200902"
     docName="draft-ietf-oauth-jwt-bcp-07" category="bcp" updates="RFC 7519"> updates="7519"
     obsoletes="" submissionType="IETF" xml:lang="en" tocInclude="true"
     sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 2.37.1 -->
  <front>
    <title abbrev="JWT BCP">JSON Web Token Best Current Practices</title>
    <seriesInfo name="RFC" value="8725"/>
    <seriesInfo name="BCP" value="225"/>
    <author initials="Y." surname="Sheffer" fullname="Yaron Sheffer">
      <organization>Intuit</organization>
      <address>
        <email>yaronf.ietf@gmail.com</email>
      </address>
    </author>
    <author initials="D." surname="Hardt" fullname="Dick Hardt">
      <organization></organization>
      <organization/>
      <address>
        <email>dick.hardt@gmail.com</email>
      </address>
    </author>
    <author initials="M.B." initials="M." surname="Jones" fullname="Michael B. Jones">
      <organization>Microsoft</organization>
      <address>
        <email>mbj@microsoft.com</email>
        <uri>http://self-issued.info/</uri>
        <uri>https://self-issued.info/</uri>
      </address>
    </author>
    <date year="2019" month="October" day="13"/> month="February" year="2020" />
    <area>Security</area>
    <workgroup>OAuth Working Group</workgroup>
    <keyword>Internet-Draft</keyword>

    <keyword>JSON Web Token</keyword>
    <keyword>JWT</keyword>
    <keyword>JSON Object Signing and Encryption</keyword>
    <keyword>JOSE</keyword>
    <keyword>JSON Web Signature</keyword>
    <keyword>JWS</keyword>
    <keyword>JSON Web Encryption</keyword>
    <keyword>JWE</keyword>
    <keyword>attacks</keyword>
    <keyword>Claims</keyword>
    <keyword>Security</keyword>
    <keyword>Cryptography</keyword>

    <abstract>
      <t>JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security
      tokens that contain a set of claims that can be signed and/or encrypted.
      JWTs are being widely used and deployed as a simple security token
      format in numerous protocols and applications, both in the area of
      digital identity, identity and in other application areas.
The goal of this  This Best Current
      Practices document is updates RFC 7519 to provide actionable guidance
      leading to secure implementation and deployment of JWTs.</t>
    </abstract>
  </front>
  <middle>
    <section anchor="introduction" title="Introduction"> numbered="true" toc="default">
      <name>Introduction</name>
      <t>JSON Web Tokens, also known as JWTs <xref target="RFC7519"/>, target="RFC7519"
      format="default"/>, are URL-safe JSON-based security tokens
that contain a set of claims that can be signed and/or encrypted.
The JWT specification has seen rapid adoption because it encapsulates
security-relevant information in one easy-to-protect location, and because
it is easy to implement using widely-available widely available tools.
One application area in which JWTs are commonly used is representing digital identity information,
such as OpenID Connect ID Tokens <xref target="OpenID.Core"/> target="OpenID.Core" format="default"/>
and OAuth 2.0 <xref target="RFC6749"/> target="RFC6749" format="default"/> access tokens and
      refresh tokens, the details of which are deployment-specific.</t>
      <t>Since the JWT specification was published, there have been several widely published
attacks on implementations and deployments.
Such attacks are the result of under-specified security mechanisms, as well as incomplete
implementations and incorrect usage by applications.</t>
      <t>The goal of this document is to facilitate secure implementation and deployment of JWTs.
Many of the recommendations in this document are about
implementation and use of the cryptographic mechanisms underlying JWTs that are defined by
JSON Web Signature (JWS) <xref target="RFC7515"/>, target="RFC7515" format="default"/>,
JSON Web Encryption (JWE) <xref target="RFC7516"/>, target="RFC7516" format="default"/>, and
JSON Web Algorithms (JWA) <xref target="RFC7518"/>. target="RFC7518" format="default"/>.
Others are about use of the JWT claims themselves.</t>
      <t>These are intended to be minimum recommendations for the use of JWTs
in the vast majority of implementation
and deployment scenarios. Other specifications that reference this document can have
stricter requirements related to one or more aspects of the format, based on their
particular circumstances; when that is the case, implementers are advised to adhere
to those stricter requirements. Furthermore, this document provides a floor, not a ceiling,
so stronger options are always allowed (e.g., depending on differing evaluations of the
importance of cryptographic strength vs. computational load).</t>
      <t>Community knowledge about the strength of various algorithms and feasible attacks can
change quickly, and experience shows that a Best Current Practice (BCP) document about
security is a point-in-time statement. Readers are advised to seek out any errata or
updates that apply to this document.</t>
      <section anchor="target-audience" title="Target Audience"> numbered="true" toc="default">
        <name>Target Audience</name>
        <t>The intended audience audiences of this document is:</t>

<t><list style="symbols">
  <t>Implementers are:</t>
        <ul spacing="normal">
          <li>Implementers of JWT libraries (and the JWS and JWE libraries
	  used by those libraries),</t>
  <t>Implementers libraries),</li>
          <li>Implementers of code that uses such libraries (to the extent that some mechanisms may
not be provided by libraries, or until they are), and</t>
  <t>Developers and</li>
          <li>Developers of specifications that rely on JWTs, both inside and
	  outside the IETF.</t>
</list></t> IETF.</li>
        </ul>
      </section>
      <section anchor="conventions-used-in-this-document" title="Conventions used numbered="true" toc="default">
        <name>Conventions Used in this document">

<t>The Document</name>
   <t>
    The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL
NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”,
“MAY”, "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
    "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
    NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
    "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and “OPTIONAL” "<bcp14>OPTIONAL</bcp14>" in this document are
    to be interpreted as
    described in BCP 14 BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
    when, and only when, they appear in all capitals, as shown here.</t> here.
   </t>
      </section>
    </section>
    <section anchor="threats-and-vulnerabilities" title="Threats numbered="true" toc="default">
      <name>Threats and Vulnerabilities"> Vulnerabilities</name>
      <t>This section lists some known and possible problems with JWT
      implementations and deployments.
Each problem description is followed by references to one or more mitigations to those problems.</t>
      <section anchor="weak-signatures-and-insufficient-signature-validation" title="Weak
	       numbered="true" toc="default">
        <name>Weak Signatures and Insufficient Signature Validation"> Validation</name>
        <t>Signed JSON Web Tokens carry an explicit indication of the signing algorithm,
in the form of the “alg” header parameter, "alg" Header Parameter, to facilitate cryptographic agility.
This, in conjunction with design flaws in some libraries and applications, have
	has led to several attacks:</t>

<t><list style="symbols">
  <t>The
        <ul spacing="normal">
          <li>The algorithm can be changed to “none” "none" by an attacker, and some libraries would trust
this value and “validate” "validate" the JWT without checking any signature.</t>
  <t>An “RS256” signature.</li>
          <li>An "RS256" (RSA, 2048 bit) parameter value can be changed into
“HS256”
"HS256" (HMAC, SHA-256), and some libraries
would try to validate the signature using HMAC-SHA256 and using the RSA public key as the
HMAC shared secret (see <xref target="McLean"/> target="McLean" format="default"/> and CVE-2015-9235).</t>
</list></t>
	  <xref target="CVE-2015-9235"/>).</li>
        </ul>
        <t>For mitigations, see Sections <xref target="algorithm-verification" />
	format="counter"/> and <xref target="appropriate-algorithms" />.</t>
	format="counter"/>.</t>
      </section>
      <section anchor="weak-symmetric-keys" title="Weak numbered="true" toc="default">
        <name>Weak Symmetric Keys"> Keys</name>
        <t>In addition, some applications use a keyed MAC algorithm Message Authentication
	Code (MAC) algorithm, such as
“HS256”
"HS256", to sign tokens, tokens but supply a weak symmetric key with
insufficient entropy (such as a human memorable human-memorable password). Such keys
are vulnerable to offline brute-force or dictionary attacks once an
attacker gets hold of such a token <xref target="Langkemper"></xref>.</t> target="Langkemper" format="default"/>.</t>
        <t>For mitigations, see <xref target="key-entropy" />.</t> format="default"/>.</t>
      </section>
      <section anchor="incorrect-composition-of-encryption-and-signature" title="Incorrect
	       numbered="true" toc="default">
        <name>Incorrect Composition of Encryption and Signature"> Signature</name>
        <t>Some libraries that decrypt a JWE-encrypted JWT to obtain a JWS-signed object
do not always validate the internal signature.</t>
        <t>For mitigations, see <xref target="validate-crypto" />.</t> format="default"/>.</t>
      </section>
      <section
	  anchor="plaintext-leakage-through-analysis-of-ciphertext-length" title="Plaintext
	  numbered="true" toc="default">
        <name>Plaintext Leakage through Analysis of Ciphertext Length"> Length</name>
        <t>Many encryption algorithms leak information about the length of the
	plaintext, with a varying amount of
leakage depending on the algorithm and mode of operation. This problem is exacerbated
when the plaintext is initially compressed, because the length of the
compressed plaintext and, thus,
the ciphertext
depend
depends not only on the length of the original plaintext but also
on its content.
Compression attacks are particularly
powerful when there is attacker-controlled data in the same compression
space as secret data, as which is the case for some attacks on HTTPS.</t>
        <t>See <xref target="Kelsey"/> target="Kelsey" format="default"/> for general background
on compression and encryption, encryption and <xref target="Alawatugoda"/> target="Alawatugoda"
format="default"/> for a specific example of attacks on HTTP cookies.</t>
        <t>For mitigations, see <xref target="no-compression"/>.</t> target="no-compression" format="default"/>.</t>
      </section>
      <section anchor="insecure-use-of-elliptic-curve-encryption" title="Insecure numbered="true" toc="default">
        <name>Insecure Use of Elliptic Curve Encryption"> Encryption</name>
        <t>Per <xref target="Sanso"></xref>, target="Sanso" format="default"/>, several JOSE Javascript
	Object Signing and Encryption (JOSE) libraries
	fail to validate their inputs correctly
when performing elliptic curve key agreement (the “ECDH-ES” "ECDH-ES" algorithm).
An attacker that is able to send JWEs of its choosing that use invalid curve points and
observe the cleartext outputs resulting from decryption with the invalid curve points
can use this vulnerability to recover the recipient’s recipient's private key.</t>
        <t>For mitigations, see <xref target="validate-inputs" />.</t> format="default"/>.</t>
      </section>
      <section anchor="multiplicity-of-json-encodings" title="Multiplicity numbered="true" toc="default">
        <name>Multiplicity of JSON Encodings"> Encodings</name>
        <t>Previous versions of the JSON format format, such as the obsoleted <xref target="RFC7159"/>
	target="RFC7159" format="default"/>,
allowed several different character
encodings: UTF-8, UTF-16 UTF-16, and UTF-32. This is not the case anymore, with the latest
standard <xref target="RFC8259"/> target="RFC8259" format="default"/> only allowing UTF-8 except
for internal use within a “closed ecosystem”. "closed ecosystem".
This ambiguity ambiguity, where older implementations and those used within closed environments may generate
non-standard encodings, may result in the JWT being
misinterpreted by its recipient. This This, in turn turn, could be used by a malicious sender to bypass
the recipient’s recipient's validation checks.</t>
        <t>For mitigations, see <xref target="use-utf8" />.</t> format="default"/>.</t>
      </section>
      <section anchor="substitution" title="Substitution Attacks"> numbered="true" toc="default">
        <name>Substitution Attacks</name>
        <t>There are attacks in which one recipient will be given a JWT that was intended for it, it
and will attempt to use it at a different recipient for which that JWT was not intended.
For instance, if an OAuth 2.0 <xref target="RFC6749"/> target="RFC6749" format="default"/> access
token is legitimately presented to an
OAuth 2.0 protected resource for which it is intended, that protected resource might then present
that same access token to a different protected resource for which the access token is not intended,
in an attempt to gain access. If such situations are not caught, this can result in
the attacker gaining access to resources that it is not entitled to access.</t>
        <t>For mitigations, see Sections <xref target="validate-iss-sub" />
	format="counter"/> and <xref target="use-aud" />.</t> format="counter"/>.</t>
      </section>
      <section anchor="cross-jwt-confusion" title="Cross-JWT Confusion"> numbered="true" toc="default">
        <name>Cross-JWT Confusion</name>
        <t>As JWTs are being used by more different protocols in diverse
	application areas, it becomes increasingly
important to prevent cases of JWT tokens that have been issued for one purpose
being subverted and used for another.
Note that this is a specific type of substitution attack.
If the JWT could be used in an application context in which it could be
confused with other kinds of JWTs,
then mitigations MUST <bcp14>MUST</bcp14> be employed to prevent these substitution attacks.</t>
        <t>For mitigations, see Sections <xref target="validate-iss-sub" />,
	format="counter"/>, <xref target="use-aud" />, format="counter"/>,
<xref target="use-typ" />, format="counter"/>, and <xref
target="preventing-confusion" />.</t> format="counter"/>.</t>
      </section>
      <section anchor="indirect-attacks-on-the-server" title="Indirect numbered="true" toc="default">
        <name>Indirect Attacks on the Server"> Server</name>
        <t>Various JWT claims are used by the recipient to perform lookup operations,
such as database and LDAP Lightweight Directory Access Protocol (LDAP) searches.
Others include URLs that are similarly looked up by the server. Any of these claims can be used by
an attacker as vectors for injection attacks or server-side request forgery (SSRF) attacks.</t>
        <t>For mitigations, see <xref target="do-not-trust-claims"/>.</t> target="do-not-trust-claims" format="default"/>.</t>
      </section>
    </section>
    <section anchor="BP" title="Best Practices"> numbered="true" toc="default">
      <name>Best Practices</name>
      <t>The best practices listed below should be applied by practitioners
to mitigate the threats listed in the preceding section.</t>
      <section anchor="algorithm-verification" title="Perform numbered="true" toc="default">
        <name>Perform Algorithm Verification"> Verification</name>
        <t>Libraries MUST <bcp14>MUST</bcp14> enable the caller to specify a
	supported set of algorithms and
MUST NOT
<bcp14>MUST NOT</bcp14> use any other algorithms when performing cryptographic operations.
The library MUST <bcp14>MUST</bcp14> ensure that the “alg” "alg" or “enc” "enc" header specifies the same algorithm
that is used for the cryptographic operation.
Moreover, each key MUST <bcp14>MUST</bcp14> be used with exactly one algorithm,
and this MUST <bcp14>MUST</bcp14> be checked when the cryptographic operation is performed.</t>
      </section>
      <section anchor="appropriate-algorithms" title="Use numbered="true" toc="default">
        <name>Use Appropriate Algorithms"> Algorithms</name>
        <t>As Section 5.2 of <xref target="RFC7515"/> target="RFC7515" sectionFormat="of" section="5.2"/> says, “it
"it is an application decision which algorithms may
be used in a given context. Even if a JWS can be successfully
validated, unless the algorithm(s) used in the JWS are acceptable to
the application, it SHOULD <bcp14>SHOULD</bcp14> consider the JWS to be invalid.”</t> invalid."</t>
        <t>Therefore, applications MUST <bcp14>MUST</bcp14> only allow the use of
	cryptographically current algorithms
that meet the security requirements of the application.
This set will vary over time as new algorithms are introduced
and existing algorithms are deprecated due to discovered cryptographic weaknesses.
Applications MUST <bcp14>MUST</bcp14> therefore be designed to enable cryptographic agility.</t>
        <t>That said, if a JWT is cryptographically protected end-to-end by a
	transport layer, such as TLS
using cryptographically current algorithms, there may be no need to apply another layer of
cryptographic protections to the JWT.
In such cases, the use of the “none” "none" algorithm can be perfectly acceptable.
The “none” "none" algorithm should only be used when the JWT is cryptographically protected by other means.
JWTs using “none” "none" are often used in application contexts in which the content is optionally signed;
then
then, the URL-safe claims representation and processing can be the same in both
the signed and unsigned cases.
JWT libraries SHOULD NOT <bcp14>SHOULD NOT</bcp14> generate JWTs using “none” "none" unless
explicitly requested to do so by the caller.
Similarly, JWT libraries SHOULD NOT <bcp14>SHOULD NOT</bcp14> consume JWTs using “none” "none"
	unless explicitly requested by the caller.</t>
        <t>Applications SHOULD <bcp14>SHOULD</bcp14> follow these algorithm-specific recommendations:</t>

<t><list style="symbols">
  <t>Avoid
        <ul spacing="normal">
          <li>Avoid all RSA-PKCS1 v1.5 encryption algorithms (<xref target="RFC8017"/>, Sec. 7.2},
	  target="RFC8017" sectionFormat="comma" section="7.2"/>), preferring RSA-OAEP
	  RSAES-OAEP
	  (<xref target="RFC8017"/>, Sec. 7.1).</t>
  <t>ECDSA target="RFC8017" sectionFormat="comma" section="7.1"/>).</li>

          <li>Elliptic Curve Digital Signature Algorithm (ECDSA) signatures <xref target="ANSI-X962-2005"/> target="ANSI-X962-2005"
	  format="default"/> require a unique random value for every message
	  that is signed.
If even just a few bits of the random value are predictable across multiple messages messages, then
the security of the signature scheme may be compromised. In the worst case,
the private key may be recoverable by an attacker. To counter these attacks,
JWT libraries SHOULD <bcp14>SHOULD</bcp14> implement ECDSA using the deterministic
approach defined in <xref target="RFC6979"/>. target="RFC6979" format="default"/>.
This approach is completely compatible with existing ECDSA verifiers and so can be implemented
without new algorithm identifiers being required.</t>
</list></t> required.</li>

        </ul>
      </section>
      <section anchor="validate-crypto" title="Validate numbered="true" toc="default">
        <name>Validate All Cryptographic Operations"> Operations</name>
        <t>All cryptographic operations used in the JWT MUST <bcp14>MUST</bcp14> be
	validated and the entire JWT MUST <bcp14>MUST</bcp14> be rejected
if any of them fail to validate.
This is true not only of JWTs with a single set of Header Parameters
but also for Nested JWTs, JWTs in which both outer and inner operations MUST <bcp14>MUST</bcp14> be validated
using the keys and algorithms supplied by the application.</t>

<!-- See draft-ietf-oauth-jwsreq-13, sec. 6.1 and 6.2. -->

      </section>
      <section anchor="validate-inputs" title="Validate numbered="true" toc="default">
        <name>Validate Cryptographic Inputs"> Inputs</name>
        <t>Some cryptographic operations, such as Elliptic Curve Diffie-Hellman key agreement
(“ECDH-ES”)
("ECDH-ES"), take inputs that may contain invalid values, such as values. This includes points not on
the specified elliptic curve
or other invalid points (see, e.g. (e.g., <xref target="Valenta"/>, Sec. target="Valenta" format="default"/>, Section 7.1).
The JWS/JWE library itself must validate these inputs before using them them,
or it must use underlying cryptographic libraries that do so (or both!).</t>

<t>ECDH-ES
        <t>Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) ephemeral
	public key (epk) inputs should be validated
	according to the recipient’s recipient's
chosen elliptic curve. For the NIST prime-order curves P-256, P-384 P-384, and P-521,
validation MUST <bcp14>MUST</bcp14>
be performed according to Section 5.6.2.3.4 “ECC (ECC Partial Public-Key Validation Routine”
Routine) of
NIST Special Publication 800-56A revision 3 "Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography" <xref target="nist-sp-800-56a-r3"></xref>.
Likewise, if target="nist-sp-800-56a-r3" format="default"/>.
If the “X25519” "X25519" or “X448” "X448" <xref target="RFC8037"/> target="RFC8037" format="default"/> algorithms are used,
then the security considerations in <xref target="RFC8037"/> target="RFC8037" format="default"/> apply.</t>
      </section>
      <section anchor="key-entropy" title="Ensure numbered="true" toc="default">
        <name>Ensure Cryptographic Keys have Have Sufficient Entropy"> Entropy</name>
        <t>The Key Entropy and Random Values advice in Section 10.1 of <xref target="RFC7515"/>
	target="RFC7515"  section="10.1" sectionFormat="of"></xref> and the
	Password Considerations in Section 8.8 of <xref target="RFC7518"/>
MUST target="RFC7518"
section="8.8" sectionFormat="of"></xref>
<bcp14>MUST</bcp14> be followed.
In particular, human-memorizable passwords MUST NOT <bcp14>MUST NOT</bcp14> be directly used
as the key to a keyed-MAC algorithm such as “HS256”.
In particular, "HS256".
Moreover, passwords should only be used to perform key encryption, rather
than content encryption,
as described in Section 4.8 of <xref target="RFC7518"/>. target="RFC7518" sectionFormat="of" section="4.8"/>.
Note that even when used for key encryption, password-based encryption is
	still subject to brute-force attacks.</t>
      </section>
      <section anchor="no-compression" title="Avoid Length-Dependent numbered="true" toc="default">
        <name>Avoid Compression of Encryption Inputs"> Inputs</name>
        <t>Compression of data SHOULD NOT <bcp14>SHOULD NOT</bcp14> be done before encryption, because
such compressed data often reveals information about the plaintext.</t>
      </section>
      <section anchor="use-utf8" title="Use UTF-8"> numbered="true" toc="default">
        <name>Use UTF-8</name>
        <t><xref target="RFC7515"/>, target="RFC7515" format="default"/>, <xref target="RFC7516"/>, target="RFC7516"
	format="default"/>, and <xref target="RFC7519"/> target="RFC7519" format="default"/> all
	specify that UTF-8 be used for encoding and decoding JSON
used in Header Parameters and JWT Claims Sets. This is also in line with the
latest JSON specification <xref target="RFC8259"/>. target="RFC8259" format="default"/>.
Implementations and applications MUST <bcp14>MUST</bcp14> do this, this and not use or admit the use of
other Unicode encodings for these purposes.</t>
      </section>
      <section anchor="validate-iss-sub" title="Validate numbered="true" toc="default">
        <name>Validate Issuer and Subject"> Subject</name>
        <t>When a JWT contains an “iss” "iss" (issuer) claim, the application MUST
	<bcp14>MUST</bcp14> validate that the cryptographic keys
used for the cryptographic operations in the JWT belong to the issuer.
If they do not, the application MUST <bcp14>MUST</bcp14> reject the JWT.</t>
        <t>The means of determining the keys owned by an issuer is application-specific.
As one example, OpenID Connect <xref target="OpenID.Core"/> target="OpenID.Core" format="default"/>
issuer values are “https” "https" URLs
that reference a JSON metadata document that contains a “jwks_uri” "jwks_uri" value that is
an “https” "https" URL from which the issuer’s issuer's keys are retrieved as a JWK Set <xref target="RFC7517"/>.
target="RFC7517" format="default"/>.
This same mechanism is used by <xref target="RFC8414"/>. target="RFC8414" format="default"/>.
Other applications may use different means of binding keys to issuers.</t>

        <t>Similarly, when the JWT contains a “sub” "sub" (subject) claim, the
	application MUST <bcp14>MUST</bcp14> validate that
the subject value corresponds to a valid subject and/or issuer/subject issuer-subject pair at the application.
This may include confirming that the issuer is trusted by the application.
If the issuer, subject, or the pair are invalid, the application MUST
	<bcp14>MUST</bcp14> reject the JWT.</t>
      </section>
      <section anchor="use-aud" title="Use numbered="true" toc="default">
        <name>Use and Validate Audience"> Audience</name>
        <t>If the same issuer can issue JWTs that are intended for use by more
	than one relying party or application,
the JWT MUST <bcp14>MUST</bcp14> contain an “aud” "aud" (audience) claim that can be used
to determine whether the JWT
is being used by an intended party or was substituted by an attacker at an unintended party.</t>
        <t>In such cases, the relying party or application MUST <bcp14>MUST</bcp14>
	validate the audience value value,
and if the audience value is not present or not associated with the recipient,
it MUST <bcp14>MUST</bcp14> reject the JWT.</t>
      </section>
      <section anchor="do-not-trust-claims" title="Do numbered="true" toc="default">
        <name>Do Not Trust Received Claims"> Claims</name>
        <t>The “kid” "kid" (key ID) header is used by the relying application to
	perform key lookup. Applications
should ensure that this does not create SQL or LDAP injection vulnerabilities, vulnerabilities by validating
and/or sanitizing the received value.</t>
        <t>Similarly, blindly following a “jku” "jku" (JWK set URL) or “x5u” "x5u" (X.509 URL) header,
which may contain an arbitrary URL,
could result in server-side request forgery (SSRF) attacks. Applications SHOULD
<bcp14>SHOULD</bcp14> protect against such
attacks, e.g., by matching the URL to a whitelist of allowed locations, locations
and ensuring no cookies are sent in the GET request.</t>
      </section>
      <section anchor="use-typ" title="Use numbered="true" toc="default">
        <name>Use Explicit Typing"> Typing</name>
        <t>Sometimes, one kind of JWT can be confused for another. If a particular
kind of JWT is subject to such confusion, that JWT can include an explicit
JWT type value, and the validation rules can specify checking the type.
This mechanism can prevent such confusion.
Explicit JWT typing is accomplished by using the “typ” header parameter. "typ" Header Parameter.
For instance, the <xref target="RFC8417"/> target="RFC8417" format="default"/> specification uses
the “application/secevent+jwt” "application/secevent+jwt" media type
to perform explicit typing of Security Event Tokens (SETs).</t>
        <t>Per the definition of “typ” "typ" in Section 4.1.9 of <xref target="RFC7515"/>,
	target="RFC7515" sectionFormat="of" section="4.1.9"/>,
it is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that the “application/” "application/" prefix be omitted from the “typ” "typ" value.
Therefore, for example, the “typ” "typ" value used to explicitly include a type for a SET
SHOULD
<bcp14>SHOULD</bcp14> be “secevent+jwt”. "secevent+jwt".
When explicit typing is employed for a JWT, it is RECOMMENDED <bcp14>RECOMMENDED</bcp14>
that a media type name of the format
“application/example+jwt”
"application/example+jwt" be used, where “example” "example" is replaced by the
	identifier for the specific kind of JWT.</t>
        <t>When applying explicit typing to a Nested JWT, the “typ” header parameter "typ" Header
	Parameter containing the explicit type value
MUST
<bcp14>MUST</bcp14> be present in the inner JWT of the Nested JWT (the JWT
whose payload is the JWT Claims Set).
In some cases cases, the same “typ” header parameter "typ" Header Parameter value will be present in the outer JWT as well,
to explicitly type the entire Nested JWT.</t>
        <t>Note that the use of explicit typing may not achieve disambiguation
	from existing kinds of JWTs,
as the validation rules for existing kinds of JWTs often do not use the “typ” header parameter "typ" Header Parameter value.
Explicit typing is RECOMMENDED <bcp14>RECOMMENDED</bcp14> for new uses of JWTs.</t>
      </section>
      <section anchor="preventing-confusion" title="Use numbered="true" toc="default">
        <name>Use Mutually Exclusive Validation Rules for Different Kinds of JWTs"> JWTs</name>
        <t>Each application of JWTs defines a profile specifying the required
	and optional JWT claims
and the validation rules associated with them.
If more than one kind of JWT can be issued by the same issuer,
the validation rules for those JWTs MUST <bcp14>MUST</bcp14> be written such that
they are mutually exclusive,
rejecting JWTs of the wrong kind.
To prevent substitution of JWTs from one context into another,
application developers may employ a number of strategies:</t>

<t><list style="symbols">
  <t>Use
        <ul spacing="normal">
          <li>Use explicit typing for different kinds of JWTs.
Then the distinct “typ” "typ" values can be used to differentiate between the
	  different kinds of JWTs.</t>
  <t>Use JWTs.</li>
          <li>Use different sets of required claims or different required claim values.
Then the validation rules for one kind of JWT will reject those with different
	  claims or values.</t>
  <t>Use values.</li>
          <li>Use different sets of required header parameters Header Parameters or different
	  required header parameter Header Parameter values.
Then the validation rules for one kind of JWT will reject those with different header parameters
	  Header Parameters or values.</t>
  <t>Use values.</li>
          <li>Use different keys for different kinds of JWTs.
Then the keys used to validate one kind of JWT will fail to validate other kinds of JWTs.</t>
  <t>Use JWTs.</li>
          <li>Use different “aud” "aud" values for different uses of JWTs from the same issuer.
Then audience validation will reject JWTs substituted into inappropriate contexts.</t>
  <t>Use contexts.</li>
          <li>Use different issuers for different kinds of JWTs.
Then the distinct “iss” "iss" values can be used to segregate the different kinds of JWTs.</t>
</list></t> JWTs.</li>
        </ul>
        <t>Given the broad diversity of JWT usage and applications,
the best combination of types, required claims, values, header parameters, Header Parameters, key usages, and issuers
to differentiate among different kinds of JWTs
will, in general, be application specific. application-specific.
As discussed in <xref target="use-typ"/>, target="use-typ" format="default"/>, for new JWT
	applications, the use of explicit typing is RECOMMENDED.</t>
	<bcp14>RECOMMENDED</bcp14>.</t>
      </section>
    </section>
    <section anchor="security-considerations" title="Security Considerations"> numbered="true" toc="default">
      <name>Security Considerations</name>
      <t>This entire document is about security considerations when
      implementing and deploying JSON Web Tokens.</t>
    </section>
    <section anchor="iana-considerations" title="IANA Considerations"> numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>This document requires has no IANA actions.</t>
    </section>
<section anchor="acknowledgements" title="Acknowledgements">

<t>Thanks to Antonio Sanso for bringing the “ECDH-ES” invalid point attack to the attention
of JWE and JWT implementers. Tim McLean <xref target="McLean"/> published the RSA/HMAC confusion attack.
Thanks to Nat Sakimura for advocating the use of explicit typing. Thanks to Neil Madden for his
numerous comments, and to
Carsten Bormann,
Brian Campbell,
Brian Carpenter,
Alissa Cooper,
Roman Danyliw,
Ben Kaduk,
Mirja Kuehlewind,
Barry Leiba,
Eric Rescorla,
Adam Roach,
Martin Vigoureux,
and Eric Vyncke
for their reviews.</t>

</section>
  </middle>
  <back>

    <references title='Normative References'>
    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8259.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7515.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7516.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7518.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7519.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8017.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8037.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
        <reference  anchor="RFC2119" target='https://www.rfc-editor.org/info/rfc2119'> anchor="nist-sp-800-56a-r3" target="https://doi.org/10.6028/NIST.SP.800-56Ar3">
          <front>
<title>Key words
            <title>Recommendation for use in RFCs to Indicate Requirement Levels</title> Pair-Wise Key-Establishment Schemes
	    Using Discrete Logarithm Cryptography</title>
            <author initials="E." surname="Barker" fullname="Elaine Barker">
              <organization/>
            </author>
            <author initials="L." surname="Chen" fullname="Lily Chen">
              <organization/>
            </author>
            <author initials="A." surname="Roginsky" fullname="Allen Roginsky">
              <organization/>
            </author>
            <author initials="A." surname="Vassilev" fullname="Apostol Vassilev">
              <organization/>
            </author>
            <author initials='S.' surname='Bradner' fullname='S. Bradner'><organization /></author> initials="R." surname="Davis" fullname="Richard Davis">
              <organization/>
            </author>
            <date year='1997' month='March' />
<abstract><t>In many standards track documents several words are used to signify year="2018" month="April"/>
          </front>
          <seriesInfo name="NIST Special Publication" value="800-56A Revision 3"/>
          <seriesInfo name="DOI" value="10.6028/NIST.SP.800-56Ar3"/>
        </reference>
      </references>
      <references>
        <name>Informative References</name>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6749.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7159.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7517.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8414.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8417.xml"/>
        <reference anchor="ANSI-X962-2005">
          <front>
            <title>Public Key Cryptography for the requirements in Financial Services
	    Industry: the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t></abstract>
</front>
<seriesInfo name='BCP' value='14'/>
<seriesInfo name='RFC' value='2119'/>
<seriesInfo name='DOI' value='10.17487/RFC2119'/>
</reference>

<reference  anchor="RFC6979" target='https://www.rfc-editor.org/info/rfc6979'>
<front>
<title>Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</title>
<author initials='T.' surname='Pornin' fullname='T. Pornin'><organization /></author>
<date year='2013' month='August' />
<abstract><t>This document defines a deterministic digital signature generation procedure.  Such signatures are compatible with standard Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures and can be processed with unmodified verifiers, which need not be aware of the procedure described therein.  Deterministic signatures retain the cryptographic security features associated with digital signatures but can be more easily implemented in various environments, since they do not need access to a source of high-quality randomness.</t></abstract>
</front>
<seriesInfo name='RFC' value='6979'/>
<seriesInfo name='DOI' value='10.17487/RFC6979'/>
</reference>

<reference  anchor="RFC8259" target='https://www.rfc-editor.org/info/rfc8259'>
<front>
<title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
<author initials='T.' surname='Bray' fullname='T. Bray' role='editor'><organization /></author>
<date year='2017' month='December' />
<abstract><t>JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format.  It was derived from the ECMAScript Programming Language Standard.  JSON defines a small set of formatting rules for the portable representation of structured data.</t><t>This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t></abstract>
</front>
<seriesInfo name='STD' value='90'/>
<seriesInfo name='RFC' value='8259'/>
<seriesInfo name='DOI' value='10.17487/RFC8259'/>
</reference>

<reference  anchor="RFC7515" target='https://www.rfc-editor.org/info/rfc7515'>
<front>
<title>JSON Web Signature (JWS)</title>
<author initials='M.' surname='Jones' fullname='M. Jones'><organization /></author>
<author initials='J.' surname='Bradley' fullname='J. Bradley'><organization /></author>
<author initials='N.' surname='Sakimura' fullname='N. Sakimura'><organization /></author>
<date year='2015' month='May' />
<abstract><t>JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures.  Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification.  Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.</t></abstract>
</front>
<seriesInfo name='RFC' value='7515'/>
<seriesInfo name='DOI' value='10.17487/RFC7515'/>
</reference>

<reference  anchor="RFC7516" target='https://www.rfc-editor.org/info/rfc7516'>
<front>
<title>JSON Web Encryption (JWE)</title>
<author initials='M.' surname='Jones' fullname='M. Jones'><organization /></author>
<author initials='J.' surname='Hildebrand' fullname='J. Hildebrand'><organization /></author>
<date year='2015' month='May' />
<abstract><t>JSON Web Encryption (JWE) represents encrypted content using JSON-based data structures.  Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries defined by that specification.  Related digital signature and Message Authentication Code (MAC) capabilities are described in the separate JSON Web Signature (JWS) specification.</t></abstract>
</front>
<seriesInfo name='RFC' value='7516'/>
<seriesInfo name='DOI' value='10.17487/RFC7516'/>
</reference>

<reference  anchor="RFC7518" target='https://www.rfc-editor.org/info/rfc7518'>
<front>
<title>JSON Web Algorithms (JWA)</title>
<author initials='M.' surname='Jones' fullname='M. Jones'><organization /></author>
<date year='2015' month='May' />
<abstract><t>This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications.  It defines several IANA registries for these identifiers.</t></abstract>
</front>
<seriesInfo name='RFC' value='7518'/>
<seriesInfo name='DOI' value='10.17487/RFC7518'/>
</reference>

<reference  anchor="RFC7519" target='https://www.rfc-editor.org/info/rfc7519'>
<front>
<title>JSON Web Token (JWT)</title>
<author initials='M.' surname='Jones' fullname='M. Jones'><organization /></author>
<author initials='J.' surname='Bradley' fullname='J. Bradley'><organization /></author>
<author initials='N.' surname='Sakimura' fullname='N. Sakimura'><organization /></author>
<date year='2015' month='May' />
<abstract><t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.  The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t></abstract>
</front>
<seriesInfo name='RFC' value='7519'/>
<seriesInfo name='DOI' value='10.17487/RFC7519'/>
</reference>

<reference  anchor="RFC8017" target='https://www.rfc-editor.org/info/rfc8017'>
<front>
<title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
<author initials='K.' surname='Moriarty' fullname='K. Moriarty' role='editor'><organization /></author>
<author initials='B.' surname='Kaliski' fullname='B. Kaliski'><organization /></author>
<author initials='J.' surname='Jonsson' fullname='J. Jonsson'><organization /></author>
<author initials='A.' surname='Rusch' fullname='A. Rusch'><organization /></author>
<date year='2016' month='November' />
<abstract><t>This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes.</t><t>This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series.  By publishing this RFC, change control is transferred to the IETF.</t><t>This document also obsoletes RFC 3447.</t></abstract>
</front>
<seriesInfo name='RFC' value='8017'/>
<seriesInfo name='DOI' value='10.17487/RFC8017'/>
</reference>

<reference  anchor="RFC8037" target='https://www.rfc-editor.org/info/rfc8037'>
<front>
<title>CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)</title>
<author initials='I.' surname='Liusvaara' fullname='I. Liusvaara'><organization /></author>
<date year='2017' month='January' />
<abstract><t>This document defines how to use the Diffie-Hellman algorithms &quot;X25519&quot; and &quot;X448&quot; as well as the signature algorithms &quot;Ed25519&quot; and &quot;Ed448&quot; from the IRTF CFRG elliptic curves work in JSON Object Signing and Encryption (JOSE).</t></abstract>
</front>
<seriesInfo name='RFC' value='8037'/>
<seriesInfo name='DOI' value='10.17487/RFC8037'/>
</reference>

<reference  anchor="RFC8174" target='https://www.rfc-editor.org/info/rfc8174'>
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
<author initials='B.' surname='Leiba' fullname='B. Leiba'><organization /></author>
<date year='2017' month='May' />
<abstract><t>RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the  defined special meanings.</t></abstract>
</front>
<seriesInfo name='BCP' value='14'/>
<seriesInfo name='RFC' value='8174'/>
<seriesInfo name='DOI' value='10.17487/RFC8174'/>
</reference>

<reference anchor="nist-sp-800-56a-r3" target="https://doi.org/10.6028/NIST.SP.800-56Ar3">
  <front>
    <title>Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, Draft NIST Special Publication 800-56A Revision 3</title>
    <author initials="E." surname="Barker" fullname="Elaine Barker">
      <organization></organization>
    </author>
    <author initials="L." surname="Chen" fullname="Lily Chen">
      <organization></organization>
    </author>
    <author initials="S." surname="Keller" fullname="Sharon Keller">
      <organization></organization>
    </author>
    <author initials="A." surname="Roginsky" fullname="Allen Roginsky">
      <organization></organization>
    </author>
    <author initials="A." surname="Vassilev" fullname="Apostol Vassilev">
      <organization></organization>
    </author>
    <author initials="R." surname="Davis" fullname="Richard Davis">
      <organization></organization>
    </author>
    <date year="2018" month="April"/>
  </front>
</reference>

    </references>

    <references title='Informative References'>

<reference  anchor="RFC6749" target='https://www.rfc-editor.org/info/rfc6749'>
<front>
<title>The OAuth 2.0 Authorization Framework</title>
<author initials='D.' surname='Hardt' fullname='D. Hardt' role='editor'><organization /></author>
<date year='2012' month='October' />
<abstract><t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.  This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849.  [STANDARDS-TRACK]</t></abstract>
</front>
<seriesInfo name='RFC' value='6749'/>
<seriesInfo name='DOI' value='10.17487/RFC6749'/>
</reference>

<reference  anchor="RFC7159" target='https://www.rfc-editor.org/info/rfc7159'>
<front>
<title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
<author initials='T.' surname='Bray' fullname='T. Bray' role='editor'><organization /></author>
<date year='2014' month='March' />
<abstract><t>JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format.  It was derived from the ECMAScript Programming Language Standard.  JSON defines a small set of formatting rules for the portable representation of structured data.</t><t>This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t></abstract>
</front>
<seriesInfo name='RFC' value='7159'/>
<seriesInfo name='DOI' value='10.17487/RFC7159'/>
</reference>

<reference  anchor="RFC7517" target='https://www.rfc-editor.org/info/rfc7517'>
<front>
<title>JSON Web Key (JWK)</title>
<author initials='M.' surname='Jones' fullname='M. Jones'><organization /></author>
<date year='2015' month='May' />
<abstract><t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key.  This specification also defines a JWK Set JSON data structure that represents a set of JWKs.  Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t></abstract>
</front>
<seriesInfo name='RFC' value='7517'/>
<seriesInfo name='DOI' value='10.17487/RFC7517'/>
</reference>

<reference  anchor="RFC8414" target='https://www.rfc-editor.org/info/rfc8414'>
<front>
<title>OAuth 2.0 Authorization Server Metadata</title>
<author initials='M.' surname='Jones' fullname='M. Jones'><organization /></author>
<author initials='N.' surname='Sakimura' fullname='N. Sakimura'><organization /></author>
<author initials='J.' surname='Bradley' fullname='J. Bradley'><organization /></author>
<date year='2018' month='June' />
<abstract><t>This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.</t></abstract>
</front>
<seriesInfo name='RFC' value='8414'/>
<seriesInfo name='DOI' value='10.17487/RFC8414'/>
</reference>

<reference  anchor="RFC8417" target='https://www.rfc-editor.org/info/rfc8417'>
<front>
<title>Security Event Token (SET)</title>
<author initials='P.' surname='Hunt' fullname='P. Hunt' role='editor'><organization /></author>
<author initials='M.' surname='Jones' fullname='M. Jones'><organization /></author>
<author initials='W.' surname='Denniss' fullname='W. Denniss'><organization /></author>
<author initials='M.' surname='Ansari' fullname='M. Ansari'><organization /></author>
<date year='2018' month='July' />
<abstract><t>This specification defines the Security Event Token (SET) data structure.  A SET describes statements of fact from the perspective of an issuer about a subject.  These statements of fact represent an event that occurred directly to or about a security subject, for example, a statement about the issuance or revocation of a token on behalf of a subject.  This specification is intended to enable representing security- and identity-related events.  A SET is a JSON Web Token (JWT), which can be optionally signed and/or encrypted. SETs can be distributed via protocols such as HTTP.</t></abstract>
</front>
<seriesInfo name='RFC' value='8417'/>
<seriesInfo name='DOI' value='10.17487/RFC8417'/>
</reference>

<reference anchor="ANSI-X962-2005" >
  <front>
    <title>American National Standard X9.62: The Elliptic Curve Digital Signature Algorithm (ECDSA)</title>
    <author >
      <organization></organization>
            <author>
              <organization>American National Standards Institute</organization>
            </author>
            <date year="2005" month="November"/>
          </front>
          <seriesInfo name="ANSI" value="X9.62-2005"/>
        </reference>

        <reference anchor="Alawatugoda" > anchor="Alawatugoda">
          <front>
            <title>Protecting Encrypted Cookies from Compression Side-Channel Attacks</title>
            <author initials="J." surname="Alawatugoda" fullname="Janaka Alawatugoda">
      <organization></organization>
              <organization/>
            </author>
            <author initials="D." surname="Stebila" fullname="Douglas Stebila">
      <organization></organization>
              <organization/>
            </author>
            <author initials="C." surname="Boyd" fullname="Colin Boyd">
      <organization></organization>
              <organization/>
            </author>
            <date month="July" year="2015"/>
          </front>
  <seriesInfo name="Financial
          <refcontent>Financial Cryptography and Data Security" value="pp. 86-106"/> Security, pp. 86-106</refcontent>
          <seriesInfo name="DOI" value="10.1007/978-3-662-47854-7_6"/>
        </reference>

	<reference anchor="Kelsey" > anchor="CVE-2015-9235" target="https://nvd.nist.gov/vuln/detail/CVE-2015-9235">
	  <front>
            <title>CVE-2015-9235 Detail</title>
            <author>
              <organization>NIST</organization>
            </author>

            <date month="May" year="2018"/>
	  </front>
          <refcontent>National Vulnerability Database</refcontent>
	</reference>

        <reference anchor="Kelsey">
          <front>
            <title>Compression and Information Leakage of Plaintext</title>
            <author initials="J." surname="Kelsey" fullname="John Kelsey">
      <organization></organization>
              <organization/>
            </author>
            <date month="July" year="2002"/>
          </front>
  <seriesInfo name="Fast
            <refcontent>Fast Software Encryption" value="pp. 263-276"/> Encryption, pp. 263-276</refcontent>
            <seriesInfo name="DOI" value="10.1007/3-540-45661-9_21"/>
        </reference>

        <reference anchor="Langkemper"
		   target="https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/">
          <front>
            <title>Attacking JWT Authentication</title> authentication</title>
            <author initials="S." surname="Langkemper" fullname="Sjoerd Langkemper">
      <organization></organization>
              <organization/>
            </author>
            <date year="2016" month="September"/> month="September" year="2016"/>
          </front>
        </reference>

        <reference anchor="McLean" target="https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries//">
		   target="https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/">
          <front>
            <title>Critical vulnerabilities in JSON Web Token libraries</title>
            <author initials="T." surname="McLean" fullname="Tim McLean">
      <organization></organization>
              <organization/>
            </author>
            <date year="2015" month="March"/> month="March" year="2015"/>
          </front>
        </reference>

        <reference anchor="Valenta" target="https://ia.cr/2018/298">
          <front>
            <title>In search of CurveSwap: Measuring elliptic curve implementations in the wild</title>
            <author initials="L." surname="Valenta" fullname="Luke Valenta">
      <organization></organization>
              <organization/>
            </author>
            <author initials="N." surname="Sullivan" fullname="Nick Sullivan">
      <organization></organization>
              <organization/>
            </author>
            <author initials="A." surname="Sanso" fullname="Antonio Sanso">
      <organization></organization>
              <organization/>
            </author>
            <author initials="N." surname="Heninger" fullname="Nadia Heninger">
      <organization></organization>
              <organization/>
            </author>
            <date year="2018" month="March"/> month="March" year="2018"/>
          </front>
        </reference>

        <reference anchor="Sanso"
		   target="https://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html">
          <front>
            <title>Critical Vulnerability Uncovered in JSON Encryption</title>
            <author initials="A." surname="Sanso" fullname="Antonio Sanso">
      <organization></organization>
              <organization/>
            </author>
            <date year="2017" month="March"/> month="March" year="2017"/>
          </front>
        </reference>

        <reference anchor="OpenID.Core" target="http://openid.net/specs/openid-connect-core-1_0.html"> target="https://openid.net/specs/openid-connect-core-1_0.html">
          <front>
            <title>OpenID Connect Core 1.0</title> 1.0 incorporating errata set 1</title>
            <author initials="N." surname="Sakimura" fullname="Nat Sakimura">
      <organization></organization>
              <organization/>
            </author>
            <author initials="J." surname="Bradley" fullname="John Bradley">
      <organization></organization>
              <organization/>
            </author>
            <author initials="M.B." initials="M." surname="Jones" fullname="Michael B. Jones">
      <organization></organization>
              <organization/>
            </author>
            <author initials="B.d." surname="Medeiros" initials="B." surname="de Medeiros" fullname="Breno de Medeiros">
      <organization></organization>
              <organization/>
            </author>
            <author initials="C." surname="Mortimore" fullname="Chuck Mortimore">
      <organization></organization>
              <organization/>
            </author>
            <date year="2014" month="November"/> month="November" year="2014"/>
          </front>
        </reference>
      </references>
    </references>
    <section anchor="document-history" title="Document History">

<t>[[ anchor="acknowledgements" numbered="false" toc="default">
      <name>Acknowledgements</name>
      <t>Thanks to be removed by <contact fullname="Antonio Sanso"/> for bringing the RFC editor before publication as an RFC ]]</t>

<section anchor="draft-ietf-oauth-jwt-bcp-07" title="draft-ietf-oauth-jwt-bcp-07">

<t><list style="symbols">
  <t>IESG review comments.</t>
</list></t>

</section>
<section anchor="draft-ietf-oauth-jwt-bcp-06" title="draft-ietf-oauth-jwt-bcp-06">

<t><list style="symbols">
  <t>Second AD review.</t>
  <t>Removed unworkable recommendation to pad encrypted passwords.</t>
</list></t>

</section>
<section anchor="draft-ietf-oauth-jwt-bcp-05" title="draft-ietf-oauth-jwt-bcp-05">

<t><list style="symbols">
  <t>Genart review comments.</t>
</list></t>

</section>
<section anchor="draft-ietf-oauth-jwt-bcp-04" title="draft-ietf-oauth-jwt-bcp-04">

<t><list style="symbols">
  <t>AD review comments.</t>
</list></t>

</section>
<section anchor="draft-ietf-oauth-jwt-bcp-03" title="draft-ietf-oauth-jwt-bcp-03">

<t><list style="symbols">
  <t>Acknowledgements.</t>
</list></t>

</section>
<section anchor="draft-ietf-oauth-jwt-bcp-02" title="draft-ietf-oauth-jwt-bcp-02">

<t><list style="symbols">
  <t>Implemented WGLC feedback.</t>
</list></t>

</section>
<section anchor="draft-ietf-oauth-jwt-bcp-01" title="draft-ietf-oauth-jwt-bcp-01">

<t><list style="symbols">
  <t>Feedback from Brian Campbell.</t>
</list></t>

</section>
<section anchor="draft-ietf-oauth-jwt-bcp-00" title="draft-ietf-oauth-jwt-bcp-00">

<t><list style="symbols">
  <t>Initial WG draft. No change from
      "ECDH-ES" invalid point attack to the latest individual version.</t>
</list></t>

</section>
<section anchor="draft-sheffer-oauth-jwt-bcp-01" title="draft-sheffer-oauth-jwt-bcp-01">

<t><list style="symbols">
  <t>Added attention
of JWE and JWT implementers. <contact fullname="Tim McLean"/> published the
RSA/HMAC confusion attack <xref target="McLean"
format="default"/>.
Thanks to <contact fullname="Nat Sakimura"/> for advocating the use of
explicit typing.</t>
</list></t>

</section>
<section anchor="draft-sheffer-oauth-jwt-bcp-00" title="draft-sheffer-oauth-jwt-bcp-00">

<t><list style="symbols">
  <t>Initial version.</t>
</list></t>

</section> typing. Thanks to <contact fullname="Neil Madden"/> for his
numerous comments, and to
<contact fullname="Carsten Bormann"/>,
<contact fullname="Brian Campbell"/>,
<contact fullname="Brian Carpenter"/>,
<contact fullname="Alissa Cooper"/>,
<contact fullname="Roman Danyliw"/>,
<contact fullname="Ben Kaduk"/>,
<contact fullname="Mirja Kühlewind"/>,
<contact fullname="Barry Leiba"/>,
<contact fullname="Eric Rescorla"/>,
<contact fullname="Adam Roach"/>,
<contact fullname="Martin Vigoureux"/>,
and <contact fullname="Éric Vyncke"/>
for their reviews.</t>
    </section>

  </back>

<!-- ##markdown-source:
H4sIAGAoo10AA71c63LbuJL+z6fAUX5sfI4oX+Jr9lLr2J6JZ+LEaznJnJqa
mqJESGJMkVqCtKKTyrvss+yT7dfdAAhK8mSytbVVMxVZAoFGoy9fX8A4jqM6
q3P9Uv00fPdWfdQjdV8+6EK90qZWF01V6aJWt1UyrrOxNlEyGlX6EaM/3qtX
F7dRWo6LZI7H0yqZ1HGm60lcJk09iz8t63g0XsR7J9E4qfW0rFYvFb6ImkWK
v81LdffDhTo52j+LypEpc03fRVG2qF6qumpMfbC3d7Z3ECWVTl6qoR43VVav
omVZPUyrslm8VO/OsY76iC+yYqp+pC+jB73CiPSlui5qXRW6ji+JsCgydVKk
vyd5WYDYFXayyF5GSlWTsU5Nvcrtt0rV5Tj4mBUpGOC+MGVVV3pi/N+reefP
usrGfvC4nM/xrP81K/KsaJfRn+s4z0wdY5JRmWNYXP71b1FEzCsroi3G//QY
fvr7QA1nejLRFX8nLP97UpVF5/uymiZF9o+kzsqCWdBkNf+g50mWv1S9FT0y
GdAx/fuUvhuAyl53rcuBep1UaR2sdJmNH4Iv3Wwpvh7M6OsnJ7sZvBqon8B0
E0x3k41nic5V56cu7RhSlaacdBecjz79+9z94lZTCpKBH2d1vXi5u2t0Pokz
YxqdDrJiUu72oqgoqzkmftTEVojdwf7+mf14fHbiPp4eHLmPEMuj9uNx+/G0
/egf29s/8R9f+I/7J4cQZ2yZz3gRn+7txUfHSVy9eMlEt+fsGObYc5UnEBT1
Kqke7Ll2f3+T5St1MdPFlt+GMxaKn3Web332HN8X6q6c4nQeVtsGLEpTl7n6
kBiT5fpxy5A7Or4qVZfJYyZnZ01I706L0Kd8impSVuo2yar4Y2Y0aFqpK6jh
CFI/I81Qw/FMz7VR7w0p8GVmxhWsgHpTThPo+myuLqrVoi6nVbKYrfqKNVm9
vR7eq+FCj7MkV7cNZhvLasLgc3WnQRZ98UKkg6wN7avKcnWwt38qFCfVVENV
SWgMpCYtswEkcHd/b3C8d3C6S6sMhrcDO2n1ApYJwtQVo+OTQy8w+6HseCE4
3D9sP56wPJy/HV7Hv5wdH8QwcEcvO/w7n2tYkKRQb3lL2OCQzBYx+5ezwfHB
S3U/05CPPFvAHJN5ftTg2zSraWg2LZK6qTQOGdaWGfj86uJyeL4TMuJt+ajn
I10pWp4JypMlnpuWKezs5bvrAXiwv7d3snt2chq/iI9B6eHJ6dFhfPL7MY2H
bBm96g59ER8d7sWHR8fH+/HZ7wf7GIb/3iTF9EHPF7r6lsgPP5Uam2wf6LKl
rpMxG3lyO2T1IT322MOtDfWitns77dNZH2896+VyOTC8YO7XGxT5Lj2wu3e2
i+NP3IrsxpLOirvEhJvxG50U39rWfTa3Izv7ucDhYLJcPTZ5oatklOX4AoqQ
FetuOM9GFZRBm3CfN0k1nqkX+7zHo617JJr2yELujvJyuju2K8ZrK8ZZEX8y
ZREv9SiuacXYr7jLG/2QwGDUybd2+qZ50G7slp/fkgMZNhDcx2Sb2Tov6rLI
SjVMClNuez5Js0S91gWOZE04rgtlNDOknIhGDJcJ0MGNTgwcA4RGO30Zs75k
80Wuyf7waTLTcbxqmeXpJpMPzvpPG40sGYwrEpvT3YOzU+IW0/8tXm1udkMw
PgTHtFLvizGUttKpF5CrYkymcU3+heT9F0zyyVaSSRrMIEnLkWbpMBZX0S5O
dvdebJeUVdw4ErzEaE/CYFbPc9r9u4Uuri8HF2Wlv8UDGDjs/yGbN9U2efmp
nAGCVkma621OaiuA6A55BeBaqlRDDlKdATFsGXMxayCWNwB12Rw0d45C9qIu
yqLQYyBh/K72B3tbLakYm8MNhoPfJabJ0gGA6K6BzzL2i3gs8+LfSsf7v+9Z
HsZxrJIRcCTwdhR1bYHpqyQ3pXooymWhEkPGkL4DYe/v3sQmmWgWjniUGIiK
O1nFam2iegaWY9ka4EIl+LkmhRkDa8yNkh/heEZaGfgRPA+/swv/bY8ZYCqi
9Xi5kSa1WmapBhBpjAwGrxd5uaI/DM3ParZGhRIPCleqiga+rmyMWlQlcDYA
ME+SLBbOoWNvoxIA3+onxQFEcWrdXUbAHDP3I3oOgzAWZxFMwI+YQUQ+c1ri
ETxdzzLzRGyjEMs0jEswpC6JsEcsouhn+OIRdjNtsjQpxjrKNQwSeIBhvMN1
qxIwhGfEysS9gZzwPEsh2FH0jCB6VaYNr/Cnzlt9+WLR59ev/59nTzwk50tC
nE0cg2egymicKxBahsfSkg0CZhonkAuV1TRHsjBNTiFf5OiKKw1omRCrHajC
U3SGwL04sxV8UUyCQaqXl7Jan5lqp44yPiYaS4fguQ9xbGUzTh4RN/DJ1SUk
bBC9w/zrEkLrLmewKMoLOKHYsnDCjXUqvai0IYHD5OsSGG6iH5kGM4EvawYE
H+VUcYKBnfz6lcVXQtmDwZ6cLwHLr18heRBLYw+Rd49oE3TM7Fd9VoxU41ih
PjhR2QbtoJW92B0ZhG+YQXj5oc2zXILmRcPgXKc8M6aZJY+k7pp8LMw/Nm21
3o+MBCph+WLDs3aVAOwfMm/sA0QmkYINNTkLZINgu3L0hmI817D3CKTmpBNG
LeHR6V/spqQla4jDlqXpZ+j4mIQimWIfq455AT82LMOaCZgkY3J/kN3vVPOb
pFjJpLS/MCiyeCNcixiRjMqmjrbMTmpkJxq30RDATMsT4Vu+sgDZarRIwSQj
fR6tWtvShgnPf/o43PEG5QgGpR3VAgwadtUOO2a7U6TtUB9tGBp63g49/foV
GkeCZNo9hhsiIfRGSM8RuT9qeyyGDT54VYNx2AEOA+ZpnhVADPMNllKgSRPa
uYkJkXUbjwls/Tz5VLIg4ccuj6O1EzRjXQD9lmYAOMMOpaMllrdQQ2iH6FJ4
kmRFSWUiyQTh6Ur/Z5NVvB5ZETKDvBkydCCaYAckGUvUxnFFbAmcH5vykreR
VdEiAUwZw5BWapxVWJAyWrAP/wyt14XQlRkRFDzZbzfq+Z8iMJblk5TUO8In
ADQwbSu9YMEPTUVMIDL7a3u17pF8/SQvy6qvihJSp8YaKlNMYQhLmrYkwK7E
L1gy8mWywsc8L5eg5rkeTAd9OgOcJ4kwdpxmlNJi7P6Y5I1lvfCHlASIjfbO
TqyjFFhQF1OY0kdQT8ahqV0knZdJugPhuoDkNAUJAznWXKdTJ5nEOj8Bpn4k
QWiIUi/gJC0TOJ2MfIozZDj1iHQRE4F544d8Ja5Kf0ZgmbGYmFm5dHq5HX6o
568ubncCo8AGwVvAjPi8KKEPBMCBV4lUCBONHag7wJEtpwzX/KBoZ2SNdFUl
NRBU5RKwlhxYRHahndMFn549U/eMZRFwp7wLsZdeJRP79Tbj+TKK/qquQwEU
tWzjWfWcWCRWYMjsgpkJfmbPC4st8um/3+lvmXhcplp2g6eASMjLBAvx5oAr
PtdEHI8zJRgYWNB5sopIfGFjrFzz4n6SPilrA2+f01QrYvSOmMG/qkt4xhyw
XmjZbi7AYoi1AHYLag1jS+wbB8Sficbrq/sfhPfADY8EL2gSQSFrbkNO4wHE
UMLbqN7N++F9ry//qrfv+PPd1X+8v767uqTPw9fnb974D5EdMXz97v2by/ZT
++TFu5ubq7eX8jC+VZ2vot7N+d97Iui9d7f31+/enr/pbXduYrxJcKoFZfgo
RIhgOhBrjmRnkP3//q/9Q7iOv9j0LOCP/EGJVPxBRk5WY2Amf9JZRJBgxP80
C0wKlHFB4EyAAqkdLDJMHZgKuH0/A96rRY0/dDMhxM6M0CxjcUWZeSNiYvE3
HlmURjQfMoJ/IDdLmAWW629Cn6sEQmmfU7J3ca8ZuS9rCyFy3rWYdTcxB51T
J1bOcDtKRGg+6uShdfBCxXVhmgkEMuOMq3f+H5I8E/dJsJBR/1r4AVZWFUS9
IEMG1ESIGxbawkXrrChgIDvtbWTfOV5yY25UDz/3cA5kpRQcGaJvyEJ/DWJ1
TXky5czDgM+lT8eLAOZTU8j5MOPBRiwP95MsGVbxcbWKvxlPMpzNnXEUQGut
OFss0ii/ExcTiWnnZ3oFDqTHQLKwD9I2aKG1tZdlk6dSx4pYIciPib73HoX1
mMiBINoN2enxTEuekwy2cWc1AGXnBVRyeHB03FPP74bnlHA4PFWjrN5p+WnX
WCMbaldGvdf22dc35xd9BQsQ4++dbaRHjnT2Co5Wf9giPRJl0WQx5sJUFqty
TIyRIFFChDFbqIRxSUTjoZNJJdgepkA9h4+CokuSlEIeTHPx4SqmxGZ8dvDi
iFz2D6QCrfT3ybGpf/kMVbHpln/t+VOLcare/vZ2/41nXBu7gNYsqgzbilvf
jrGhEq2ALwkUUdkCxuEa552mmcShzLBQshh4JrRV7Iw22QqRDQf9CZDkkdC6
CG6EYzcNO+EEgQ2WNn5pNu6YBSoV6LCmnMFiBdbZSDNRs2aOQ59r2AmOdheJ
MeQVdgDhOOZ6oE2QKXZZPQ6JoZ4TqkmqUdWAF9DYMZsbKDmDJtJ+H92NSXoj
J/QKnDRqVkJSyOkxJTbH82ubxf/tzx0eqIvtrvwpXPvgDYANhjdzVieITOho
vUWDGeuqILveVPNoEAd4EfuEBmsdMWBkUyIAIbFNfpSjT1g2SksBtIJWO3rA
nowwZaCif2afbpJYLJ3f6y0V/KggrKAFDxSq1rOqbKYzqH2Sr0zGyOIiW8CT
2WGEUSMJM3XAkBap5iRKYXalxbi5R7j018It3hejmhDu5VgymZcNB7WU7mKy
OiC97hhLOos54TBMS2CIFx0odqrO7VHC5nMy1tWIwqDIxi0BCTQCIV6dwZOv
GL/DixlKR7iM0ib97ahgHlBD6KAx/YjHtKyLZA98towk7E66k2JT04xOuJ2S
FJXycRH5bMg+pdMYKV9YApjJQW6jDdjyVbSAf68mTe6CNUquEKa36kT5YMh/
Tr4pJZhunaiBZfc7JF9tFgkponH2kwYz1AlCPw6HxUa1uZnX9/e3Q0oBsb2V
Gh7sLQ2d6oI94QhjqbUCqLYswlUlmvFiJl7jy5egcGhnSjz8pYPmBDAYukYF
Zi4fMg70t+rMly9FGQerUxZBLILNwbyXKH+tDNrahSi6hYH6lcsrv/W9o//p
3TAMMCYJgfmuh8sIRiJmpNNl44OT4wODQJMmbakmsXubVlqyj88Z7VxdXL6O
r4a9Vj3gxc5bxOCDdWeHjZb4h/WchWtWltaZSlQDuphQuypHgoxwqHlG01d8
+lBUEXPoOu9Dkms006Qq584cegQl1mxz5ohAhOgbYZdONQr0Uv7lUVcuvZUt
yDH9Eyl69kisBFO+0yIK271FvCGiBXRy0sYVvUoyPnDHt5V+5NgcVJggOSAD
xeg51ysKbVuMUpud2j86o9Srxd1ORCTvwJkcoJSEMiKRdqu+VO/vf4hP+/zP
viAe+vjiwJo5/EdWxashjLMkTjyrOQteSy8SFfWZFmo7gf6wMWKC6LR4KSjR
WMN5kWp5n0OnQhOy2+qN85IsH87DrEyt5z3By7Ddo2zaEPeWbGvgqHFe26IU
iSM4xLTTujmLx6wqC0ldIUC2dqLWiJSL2O/B86fPg2w219ovcrNcLYrmmQkD
QEDojMXTCo9jIR5rKjI+hEFH2qcBEkxO4kBnTtpCwoeockVIJ1oXw0cf2wii
ftLUdIURa8VNPTn1UjhsRqbO6oZnOrdW7MszE3z9lcPwSrKVztD5ggKFb54w
qjDntKdphsieMce96PeSc9k2rcKHXUtVi5/ArABTNe3X1lQ4i9TKarsCPSsr
87wcWiQilW7+AXMCgJIzaIirJhTLfLv+QNKd6yk4CNXiCoAURGw+sYjaKWzh
RlO5wpQNgcqWsMw6eaGmL4RueWKeTWesS4VbSapY7BE7hNHyATf+cHXGLGu7
CrnD0avEdo7nUwaI/AzQ9LUFu8CjLi1JJ09zAKCAZJsmJfvpVYEFtEXOmJDh
laPDE2oxq7CIpuT6ko1XLQnfaVaNiSGu2+MgkvekSb24X1QlhpPQXJTFpGG8
EZ0btVb3dSrJSYku36WOm1EClwzzZq2NAnnKssG9c7vLmL7DpPCzLq1bS+1V
P0pCnRJ6Nndo62DMo7YwJa1+fMakboumQrSgI6EVe38k4Je6WooMTAouFg+i
t2VtM4e1teABhKlXCy3RTWAG5BgH0XVQwugYKytAwcYZKX6uW7OQ1e0zY2a1
Nb62hv2QFanbtSDYopP94QwfnoWISsU94FjNtZMtJP/vRaf/pNz0o81fwDV+
ZlPeLInUVTV2AhbEe2nG4d55ixaJwUMCN1UUfbDJ+KBmlFQ6SBOHlpb4IYhN
5QCbzaINSUxboSXsPBJHnao3l+e3tpGIoKktW0FC8yblIntQVjPZPGNYz7OD
ACxgaWAsVg0QuLn6n9GOXpuYsSRHQQqJqHnE5svKWGf/yeYhPXau7NQx54qp
TENVBAyeaoTpz4fDux92vnXSX76kZQzRjzkvFQtZAq+lKNH2QjyDn3t1K94N
RBvSb/cb5UZpCxpYhVKsVpJZ5OU0ZCytDCZSlcmSIii1tllYO4+FCpCOsebY
0uZgbWxsz7HtafwQJHjUMyJ0e/IHxL/xaJ9VRksXhwA0apBl7M3qTgiD0jAl
GwvbINEt/EQusS7ZHjpg6ThpR63HCt2MZiuD0k8hscjK0WaaytsilzLFKfYA
sHzu1NXGTRsd+uUjF1V4M7dZNG4j8+gG5ptAfF/pRDJE3q609ojC9ZqDZB2m
eAU3Zq0lYphFD7mQ/olliTzLH4IidMAUzZ23GbmwnCyHuzVb95U909BqydHg
gM4rKGWDNytIfU986ZpBRhQkHcK2X6JdkepAoSG3WM1acPj/K/qTMBOXrVzX
TMO+GeE9/JgzoMA2TZGzhw8TJc/NTlDPsdWvSlDJorYBoQCGlmL2mrY+A1rI
BFT+aVdd4YUHPQtIJxx5dJKUfFhtmBFWzDvHJckXW59smSPyNdfaVkpdabJT
4rZhWLDuwBVWLACm7JKS6JGqmARP9bKjalL3574o6i/hSipMRafMYFyXC6wG
19TThiPpNDOuV7IrgpRaLShNBOU73+BK7VhGrJSygrhVazKeKE1gawxJs7Tv
hOKe5G2TnS0qBc6k7iaK+DmuqaukMGR3EB2uSB2de7p/M4wko/5nTsd17FAM
NiJACrZa4CjJZYE8sgjl9LpbsvS1xSWGNgPKezM9DMT6ociwkZJ6yEbJhFSc
syeBWIvN23jC+g8WS296nBX5E+wcOTM81wkZVgarwja3FoW/E+D7Vq03wVkQ
tElSkZN7tLi0LvCqIhb/LICMhvneO+vhfZtY278DSsk28DEKc7zlxopcC3al
FYdSC/sH85x3FKSt2iqtj8fV5p6t5XGFu3zlEIOIRFo6vCJ+cBANHaTpqyfX
I8vTzL93ubWFuspnZ5cCqEVLrTf3SHyt3+dlFMXq/LGklkNYlLvheXz788Vw
Xz3uD46eyIc/l1zL3v4JNTDBcQzUyeAAHxdcceVmE5ro3fnV7fbB+zsDLMsX
KtrEP7XzdW90wPdYiwjlbooMfFBQ8bSc2/oceWbKN1FbmzGS7RfHLefOsQUh
ZfUJKI3aa2AfR1lrXDuzcaYZ5i4bi/NI6HYUHJkk0LRbg72QBKLecAclXKnq
Gb6P40wIp2DLOTWTDADPeewSCFWiMkmsBwk/95jNDTIx3ULpQN2XFPhQGsid
tQDW/nYhb7s6hettfTGleid1gxnKxDJEIBDj+t2gWZLHODs5I3wrKTE3iiyK
7Ru0VQaIFZFrIY/1NbKmIEpuruFSqdPitrsqjVz5tuPIbHuoPCvRqJULC3w+
uMTzOWT4omON33mkKBhorXBE4IdaHZ5Al2v44t6jNA9NlOu9IQqr7qBKf2LL
GnFmyEnJfCNfbrlKdYeq0UE9RcJWV0zi6F47RP1aYOytK1mbyJVVWC3eismQ
PhlvkNlIgr+Etbmts+COMr/dje1FraBQ4VMaAVpTwOXWrDVNHbAS/ctf4lhR
lWTLjVaDE4zpfoUhk3A82OepjwcHAxXH/9Y91e6JXktZoXuakvT+aiuXTx1n
iwg2Ln5NIF3xa53nVP7tVCKi574KsYMA/EG7woaAuGTl28Fd+p/NSbCYLTHI
uYqh8I253RpIRKkX9sFuLvssFfcRXgymA6ijvRy0ZlClr3y42zZ/cWJY5xOY
MJiasDpj/CZGgtX8Mc8jTprKI4RPgo7YLlvXy8MlqfRzPE1C9hdqNrBsU3pB
xpCqAkEjw3O9eNhxVLShb6BY43FZuasBa3npaEyp9mKNewP1gw3V+GYjLOpc
x5gD7OTfjbqlXo0+/nlxesgCdxsfHez3wzQ3qUBkgRfHVl1C2jiJZPXF4JBq
VBekhnV7izKmC5ptW5C6g8pl5N0BFr956bLyly7Vr5s3Xn8bIBR/0MvMSMaZ
seMvB0dH+2cS4/5yeHjas+WQvRcnlHvuIn0yaf0WeHkf5qKhtre6MwlBX7G2
VxJfd7WSejsklThs+yuubH/Fl2dBX4LNhPAdVvs7ncSduOIPrDvcejlmXOcY
Tvcj1yNTSiXQHm5tkwZlW9f24B4/HZyGT59+/Ro5Y+d6xhiit6XmvvSCxNwL
kv2j0w1iLSVBOYpyMilwMmsjWyYjGed8OreyxFtbWZRtZdlYuV1nG6gPcnK0
SlhOxs5nUhUtPPIOfifiOt2Cjj2HG+wJM7oMoTiU8AmR9YUdxfbaTIAcCY3V
FK6ahttBOMoOumTaTBtkS6CoNGXEl9xfIILkp7Pm/8uztdJ21OkeoNtNVPwP
MDcdFCVfrMULiXc3YSQ+a7sgeAoJeCjhmnBGflsfiO9tGNDNNZeLkcojOypX
EAOZ4S2BjbsA4aUkRuQup8bnIBM6MZjIvSIuGdouSfsHlW4jB102gIJtEb5X
FxJqDTU1qDsIwggio7bNQq+XW6Um3L3sEhReIcZbqqKbiZNUWqRlw+QVOQ4G
JEnnWR0ExpG4wvdFxm3JvjzqMnLG1yjMGg68pkqGYJyhlbo1vCApeRzHx5mv
IFo/zkmuHkb01HMuiVQ7EpX21zGObCdwrDbj2HWU3DH2ZzKJRnVqvXnZ+j6h
w9VKVkpaqp4gSHBnm3lge8tBPeuFA/whriuXha0O2zJQpQTnu5mDu0/nRi6X
SVtKf/161tqlLDfdozXsUD1+vwS4S6WAaO0WSCIyBklNWPt893N48Y5qS71P
ywfzO1xXz4ZvNvSjYkCwgDRrtOkIoeafjIWzFcGKGijm0d22/Onjz6QRXhFP
fNTDmQbf6e7Tw2Ca6MDh/qG/ptOVegKJJNJtic+fxiiTLjAmh67fMX2Gb5j5
PEInixPygKpK1L3IIv4dUirRq9UM2+tKbTpmUVK9jP2W4E83yN5jFPJ23beL
JKuUFfrNRCVt25V9qEyVSSrfq0kraFxFeSKMsOVBGdx3BPE1Aja9TELl07Z/
Viesjeb+dR8+unsY3mYnTQobYUmQVJMQPXaKsnZPrNN8QGfuyrvskqWLQdA0
+fsVm70gOx11Ak1/zxQiTWVC9dzdFLFnrcIbpw4bOAXXJDcWDvCkUebCZ98L
UrQEe3qoz8FXPf24tsBGwkDpmM6Dg2hbgvOP9rohlrq9B8MiKbeRJ1t+cUV9
myKkibnB1JhynHHw4B2XDxr6dM/1SVG4LBXgjronOVR3eqwzMgjWQX55tq3Y
J2a195DRuRAcur7cccWlzKyVU4UN4e7XQJwUVwcqzOlFFvx1C1p8JUQLA6jo
D94N/+MN8YALr23Bc+0FFX2ixgU6xTSyGm0S6hL9h/MGlds7M7prhhCrFClw
qABm3hDM8EPTo9uKP3NiAhZ3h8OQz0f09S+Do70z+VI404/EFIdhMwlXNcpq
jlgxth9JSb/tf/qOeq3alhR1958Tahgx0s7mbttKVM3MAawbzxwjyHewHQTB
taYCq9Qxpc3N3aQ2UsHjE6Ini9L1ZEp5mzPfYrt/vLp3xLfm58rdB7lfLeh5
b3jq1cJmM6i2Q7emoM/UzeBaONzdBNf0EDZjcHNNEkQUUfhkZkIobjGvbSLo
t+1ObOGs9Q5urnB+kfs5WEL6PgEWxNBVk2sp0jv46q9jcNUaTzsX4d0pjXad
F12aBpHnkl2bJiJ4MubkI1+epvNrc1U9ap3YuCWz3rBFI53rphi3C2z5ApzU
j1uRord8MI1/+7SseyCfXqZC+4kCffaXfCyp4Lt76RpXPWt3Lej58OreUKbk
1hppzrr6/nzZRSdK2x+crQXBfXt/P7hSFpa+A9J7nKDPPpPYlEDaZCcZHbUc
s0oflD05yHBIb22g9zhBtcJLjMiItDJjm5FVRazd6/BwIAh8nWfU4O56cmQS
nH1fPbHXJDgJfiNJ9wZw1OGD3Y6coPWbfdvc2bM/9uyrCvJk3JrxNg3tkbyv
qwQKNnBBBaVMuM95bW9sVtoEbf8PRNYZSSfY4VTOTbo8hvOG1t5Icpc0xvKi
XVGaq7mnUa6+JSu60+s637ux4Y6ULjmvmpiwX+IJkkU2XIvmGlWSfKYV7NsH
+lFXgHhjQUK9pRp8DZvMfPl0nb3kWxgOwJhDzqiQLT289lVqJPK+NLHWIGaT
Nxu2TNSg8wzjPkkO2Asu7lbFH/ElMGatpIfyTCtR9aNp2/VM6y9umrrhAurV
Z+iZgafu5Bk9rZc+0vg53KD4l23dY3A2fK8yhCjuIakF8bXpqpxkuRP7VQsa
pBojl0ptlTfoL4ue9BFbINucIX8XM29xfLZZ0TWLtdBcMPTWE5QGbd6TU5pl
RYbQIlcnWXwrWc0dr7XjdT8S7OhfD2E1a0l385lI2M4ycGNB66BjJosf7ant
ZeSuX/bc/ajbXOOvQ5NMiz3EKRQNvyuJ+ilrqlpPMy2XLklC1rVhwrfQnDR0
xJ0NvahlyqINRBCYd7MRWLhpuLtopOul9o8/sYDQ1P5stBRfvcTYcn+HyO6P
lpiA2K1nuy4mbH881C9tq394L8Gv7Bb4JrHrKv0U3dtV//9+C1vpeWo3nGH4
c9LAQ92p+whtK3kbd3+29N1u0iLRrJWyLk2h3WvhSaDfls4wInSsDBnGz4dh
LOtZVgRNcL5jZZNAm4b5bu3hrOF27TF6WmnfufnkpNGP3CdHY0YVOWVpAHe3
dz7e21fwbFzJZrPH/aVAxSNs1F8uh0dFALGmcn1fptyQoj5HpLyMTdJadkQb
RiCZl/wap62bieg8uPps78X1fXOrtXCdpCI1nDXGuKYDFwV97XufyLChcw39
D2BA169yZ65H4d06kX1hgQUc4YuLJMP/VImM03K+e6HNwpOZdmn44C0ATML1
+dvz7cv7de1BUYQvw+W1afL8+di/a4XbBLlxrnjgnF3nbYjMtBEFpT4o8pfp
OsVlGzq7TDPd1+CXZUR8ile+WhC+BGcQvI8zvHPu32XFU90Nz3f5orpHGb7n
vyU6fH2hIP30kYNrS/X206V6hZ9BwwTdJGkqb8VTYGbk34nnXh1t49Qyukgq
Qw7/FUUGRdGPXsEWFOoCsH/EcNT9XS14r/3oHFsyCQ6NXHE/uiupReAyKVZ5
tsRwzPVzkjYP/egmqz4l6udGz3K9hCLgR37vwxudjZJ+dEUX0e+0GZdVjj/P
02Su7qiNBk9SpF6oD9m0bCrdfJasAj/wYVWMH7SKbMSRVVwg1kv3Bjy6akqC
cenE5zWMUVmtoujXX21Da6Xn5WOLlehl4YiWapIPqYUtgjJ0wuUPGvPbbww7
/+h15FGsrq+GP1qSPLMH33jwmB6EMpbY5PmlfZpawu4spU1BLyfnkmu3YY3T
Zknavk+vLZV+a9EjWvRHeidV/b30HnKX3OX3PvaCH1tT2G89dMBMbVui1Mcf
31yoidbpiDXnj5/ep6d/sIPFfXbl+1sT7PHycnEcS8vIgXpb2rdgtC7ZlgSp
fvGYpQ29g1dukIZLGHml+lYyz1PKHq8r9rcf7pDo1/wfMr6WaIBfAAA=

-->
</rfc>