rfc9399.original.xml   rfc9399.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.5.26 (Ruby 2.3.7) --> <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.5.26 (Ruby 2.3.7) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
-ietf-lamps-rfc3709bis-10" category="std" consensus="true" submissionType="IETF" <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
obsoletes="3709, 6170" tocInclude="true" sortRefs="true" symRefs="true" version -ietf-lamps-rfc3709bis-10" number="9399" submissionType="IETF" category="std" co
="3"> nsensus="true" obsoletes="3709, 6170" updates="" tocInclude="true"
sortRefs="true" symRefs="true" xml:lang="en" version="3">
<!-- xml2rfc v2v3 conversion 3.15.3 --> <!-- xml2rfc v2v3 conversion 3.15.3 -->
<front> <front>
<title abbrev="Logotypes in X.509 Certificates">Internet X.509 Public Key In frastructure: Logotypes in X.509 Certificates</title> <title abbrev="Logotypes in X.509 Certificates">Internet X.509 Public Key In frastructure: Logotypes in X.509 Certificates</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-rfc3709bis-10"/> <seriesInfo name="RFC" value="9399"/>
<author initials="S." surname="Santesson" fullname="Stefan Santesson"> <author initials="S." surname="Santesson" fullname="Stefan Santesson">
<organization abbrev="IDsec Solutions">IDsec Solutions AB</organization> <organization abbrev="IDsec Solutions">IDsec Solutions AB</organization>
<address> <address>
<postal> <postal>
<postalLine>Forskningsbyn Ideon</postalLine> <postalLine>Forskningsbyn Ideon</postalLine>
<postalLine>SE-223 70 Lund</postalLine> <postalLine>SE-223 70 Lund</postalLine>
<postalLine>SE</postalLine> <postalLine>Sweden</postalLine>
</postal> </postal>
<email>sts@aaa-sec.com</email> <email>sts@aaa-sec.com</email>
</address> </address>
</author> </author>
<author initials="R." surname="Housley" fullname="Russ Housley"> <author initials="R." surname="Housley" fullname="Russ Housley">
<organization abbrev="Vigil Security">Vigil Security, LLC</organization> <organization abbrev="Vigil Security">Vigil Security, LLC</organization>
<address> <address>
<postal> <postal>
<street>516 Dranesville Road</street> <street>516 Dranesville Road</street>
<city>Herndon, VA</city> <city>Herndon</city>
<region>VA</region>
<code>20170</code> <code>20170</code>
<country>US</country> <country>United States of America</country>
</postal> </postal>
<email>housley@vigilsec.com</email> <email>housley@vigilsec.com</email>
</address> </address>
</author> </author>
<author initials="T." surname="Freeman" fullname="Trevor Freeman"> <author initials="T." surname="Freeman" fullname="Trevor Freeman">
<organization>Amazon Web Services</organization> <organization>Amazon Web Services</organization>
<address> <address>
<postal> <postal>
<street>1918 8th Ave</street> <street>1918 8th Ave</street>
<city>Seattle, WA</city> <city>Seattle</city>
<region>WA</region>
<code>98101</code> <code>98101</code>
<country>US</country> <country>United States of America</country>
</postal> </postal>
<email>frtrevor@amazon.com</email> <email>frtrevor@amazon.com</email>
</address> </address>
</author> </author>
<author initials="L." surname="Rosenthol" fullname="Leonard Rosenthol"> <author initials="L." surname="Rosenthol" fullname="Leonard Rosenthol">
<organization>Adobe</organization> <organization>Adobe</organization>
<address> <address>
<postal> <postal>
<street>345 Park Avenue</street> <street>345 Park Avenue</street>
<city>San Jose, CA</city> <city>San Jose</city>
<region>CA</region>
<code>95110</code> <code>95110</code>
<country>US</country> <country>United States of America</country>
</postal> </postal>
<email>lrosenth@adobe.com</email> <email>lrosenth@adobe.com</email>
</address> </address>
</author> </author>
<date year="2022" month="December" day="11"/> <date year="2023" month="April"/>
<area>Security</area> <area>sec</area>
<keyword>Internet-Draft</keyword> <workgroup>lamps</workgroup>
<keyword>X.509</keyword>
<keyword>Public Key Infrastructure</keyword>
<keyword>authentication</keyword>
<keyword>security identification</keyword>
<keyword>certificates</keyword>
<abstract> <abstract>
<t>This document specifies a certificate extension for including <t>This document specifies a certificate extension for including
logotypes in public key certificates and attribute certificates. logotypes in public key certificates and attribute certificates.
This document obsoletes RFC 3709 and RFC 6170.</t> This document obsoletes RFCs 3709 and 6170.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section anchor="intro"> <section anchor="intro">
<name>Introduction</name> <name>Introduction</name>
<t>This specification supplements <xref target="RFC5280"/>, which profiles <t>This specification supplements <xref target="RFC5280"/>, which profiles
public-key certificates and certificate revocation lists (CRLs) for use in public key certificates and certificate revocation lists (CRLs) for use in
the Internet, and it supplements <xref target="RFC5755"/> which profiles the Internet, and it supplements <xref target="RFC5755"/>, which profiles
attribute certificates for use in the Internet.</t> attribute certificates for use in the Internet.</t>
<t>This document obsoletes RFC 3709 <xref target="RFC3709"/> and RFC 6170 <xref target="RFC6170"/>. <t>This document obsoletes <xref target="RFC3709"/> and <xref target="RFC6 170"/>.
<xref target="changes"/> provides a summary of the changes since the publication of <xref target="changes"/> provides a summary of the changes since the publication of
RFC 3709 and RFC 6170.</t> <xref target="RFC3709"/> and <xref target="RFC6170"/>.</t>
<t>The basic function of a certificate is to bind a public key to the <t>The basic function of a certificate is to bind a public key to the
identity of an entity (the subject). From a strictly technical identity of an entity (the subject). From a strictly technical
viewpoint, this goal could be achieved by signing the identity of the viewpoint, this goal could be achieved by signing the identity of the
subject together with its public key. However, the art of Public Key subject together with its public key. However, the art of Public Key
Infrastructure (PKI) has developed certificates far beyond this Infrastructure (PKI) has developed certificates far beyond this
functionality in order to meet the needs of modern global networks and functionality in order to meet the needs of modern global networks and
heterogeneous information and operational technology structures.</t> heterogeneous information and operational technology structures.</t>
<t>Certificate users must be able to determine certificate policies, <t>Certificate users must be able to determine certificate policies,
appropriate key usage, assurance level, and name form constraints. appropriate key usage, assurance level, and name form constraints.
Before a relying party can make an informed decision whether a Before a relying party can make an informed decision whether a
particular certificate is trustworthy and relevant for its intended particular certificate is trustworthy and relevant for its intended
usage, a certificate may be examined from several different usage, a certificate may be examined from several different
perspectives.</t> perspectives.</t>
<t>Systematic processing is necessary to determine whether a particular <t>Systematic processing is necessary to determine whether a particular
certificate meets the predefined prerequisites for an intended usage. certificate meets the predefined prerequisites for an intended usage.
Much of the information contained in certificates is appropriate and Much of the information contained in certificates is appropriate and
effective for machine processing; however, this information is not effective for machine processing; however, this information is not
suitable for a corresponding human trust and recognition process.</t> suitable for a corresponding human trust and recognition process.</t>
<t>Humans prefer to structure information into categories and <t>Humans prefer to structure information into categories and
symbols. Most humans associate complex structures of reality with easily symbols. Most humans associate complex structures of reality with easily
recognizable logotypes and marks. Humans tend to trust things that recognizable logotypes and marks. Humans tend to trust things that
they recognize from previous experiences. Humans may examine they recognize from previous experiences. Humans may examine
information to confirm their initial reaction. Very few consumers information to confirm their initial reaction. Very few consumers
actually read all terms and conditions they agree to in actually read all terms and conditions they agree to in accepting a
accepting a service, rather they commonly act on trust derived from service; instead, they commonly act on trust derived from previous
previous experience and recognition.</t> experience and recognition.</t>
<t>A big part of this process is branding. Service providers and product <t>A big part of this process is branding. Service providers and product
vendors invest a lot of money and resources into creating a strong vendors invest a lot of money and resources into creating a strong
relation between positive user experiences and easily recognizable relation between positive user experiences and easily recognizable
trademarks, servicemarks, and logotypes.</t> trademarks, servicemarks, and logotypes.</t>
<t>Branding is also pervasive in identification instruments, including <t>Branding is also pervasive in identification instruments, including
identification cards, passports, driver's licenses, credit cards, identification cards, passports, driver's licenses, credit cards,
gasoline cards, and loyalty cards. Identification instruments are gasoline cards, and loyalty cards. Identification instruments are
intended to identify the holder as a particular person or as a member intended to identify the holder as a particular person or as a member
of the community. The community may represent the subscribers of a of the community. The community may represent the subscribers of a
service or any other group. Identification instruments, in physical service or any other group. Identification instruments, in physical
form, commonly use logotypes and symbols, solely to enhance human form, commonly use logotypes and symbols, solely to enhance human
recognition and trust in the identification instrument itself. They recognition and trust in the identification instrument itself. They
may also include a registered trademark to allow legal recourse for may also include a registered trademark to allow legal recourse for
unauthorized duplication.</t> unauthorized duplication.</t>
<t>Since certificates play an equivalent role in electronic exchanges, <t>Since certificates play an equivalent role in electronic exchanges,
we examine the inclusion of logotypes in certificates. We consider we examine the inclusion of logotypes in certificates. We consider
certificate-based identification and certificate selection.</t> certificate-based identification and certificate selection.</t>
<section anchor="cert-ident"> <section anchor="cert-ident">
<name>Certificate-based Identification</name> <name>Certificate-Based Identification</name>
<t>The need for human recognition depends on the manner in which <t>The need for human recognition depends on the manner in which
certificates are used and whether certificates need to be visible to certificates are used and whether certificates need to be visible to
human users. If certificates are to be used in open environments and human users. If certificates are to be used in open environments and
in applications that bring the user in conscious contact with the in applications that bring the user in conscious contact with the
result of a certificate-based identification process, then human result of a certificate-based identification process, then human
recognition is highly relevant, and may be a necessity.</t> recognition is highly relevant and may be a necessity.</t>
<t>Examples of such applications include:</t> <t>Examples of such applications include:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>Web server identification where a user identifies the owner <li>Web server identification where a user identifies the owner
of the website.</li> of the website.</li>
<li>Peer e-mail exchange in business-to-business (B2B), <li>Peer email exchange in business-to-business (B2B),
business-to-consumer (B2C), and private communications.</li> business-to-consumer (B2C), and private communications.</li>
<li>Exchange of medical records, and system for medical prescriptions. </li> <li>Exchange of medical records and system for medical prescriptions.< /li>
<li>Unstructured e-business applications (i.e., non-EDI applications). </li> <li>Unstructured e-business applications (i.e., non-EDI applications). </li>
<li>Wireless client authenticating to a service provider.</li> <li>Wireless client authenticating to a service provider.</li>
</ul> </ul>
<t>Most applications provide the human user with an opportunity to view <t>Most applications provide the human user with an opportunity to view
the results of a successful certificate-based identification the results of a successful certificate-based identification
process. When the user takes the steps necessary to view these results, process. When the user takes the steps necessary to view these results,
the the
user is presented with a view of a certificate. This solution has two user is presented with a view of a certificate. This solution has two
major problems. First, the function to view a certificate is often major problems. First, the function to view a certificate is often
rather hard to find for a non-technical user. Second, the rather hard to find for a non-technical user. Second, the
skipping to change at line 167 skipping to change at line 178
</section> </section>
<section anchor="cert-select"> <section anchor="cert-select">
<name>Selection of Certificates</name> <name>Selection of Certificates</name>
<t>One situation where software applications must expose human users to <t>One situation where software applications must expose human users to
certificates is when the user must select a single certificate from a certificates is when the user must select a single certificate from a
portfolio of certificates. In some cases, the software application portfolio of certificates. In some cases, the software application
can use information within the certificates to filter the list for can use information within the certificates to filter the list for
suitability; however, the user must be queried if more than one suitability; however, the user must be queried if more than one
certificate is suitable. The human user must select one of them.</t> certificate is suitable. The human user must select one of them.</t>
<t>This situation is comparable to a person selecting a suitable plastic <t>This situation is comparable to a person selecting a suitable plastic
card from his wallet. In this situation, substantial assistance is card from their wallet. In this situation, substantial assistance is
provided by card color, location, and branding.</t> provided by card color, location, and branding.</t>
<t>In order to provide similar support for certificate selection, the <t>In order to provide similar support for certificate selection, the
users need tools to easily recognize and distinguish users need tools to easily recognize and distinguish
certificates. Introduction of logotypes into certificates provides certificates. Introduction of logotypes into certificates provides
the necessary graphic.</t> the necessary graphic.</t>
</section> </section>
<section anchor="cert-combo"> <section anchor="cert-combo">
<name>Combination of Verification Techniques</name> <name>Combination of Verification Techniques</name>
<t>The use of logotypes will, in many cases, affect the users decision t o <t>The use of logotypes will, in many cases, affect the user's decision to
trust and use a certificate. It is therefore important that there be trust and use a certificate. It is therefore important that there be
a distinct and clear architectural and functional distinction between a distinct and clear architectural and functional distinction between
the processes and objectives of the automated certificate the processes and objectives of the automated certificate
verification and human recognition.</t> verification and human recognition.</t>
<t>Since logotypes are only aimed for human interpretation and contain <t>Since logotypes are only aimed for human interpretation and contain
data that is inappropriate for computer based verification schemes, data that is inappropriate for computer-based verification schemes,
the logotype extension <bcp14>MUST NOT</bcp14> be an active component in automat the logotype certificate extension <bcp14>MUST NOT</bcp14> be an active componen
ed t in automated
certification path validation as specified in <xref section="6" sectionFormat="o certification path validation, as specified in <xref section="6" sectionFormat="
f" target="RFC5280"/>.</t> of" target="RFC5280"/>.</t>
<t>Automated certification path verification determines whether the <t>Automated certification path verification determines whether the
end-entity certificate can be verified according to defined end entity certificate can be verified according to defined
policy. The algorithm for this verification is specified in <xref target="RFC52 80"/>.</t> policy. The algorithm for this verification is specified in <xref target="RFC52 80"/>.</t>
<t>The automated processing provides assurance that the certificate is <t>The automated processing provides assurance that the certificate is
valid. It does not indicate whether the subject is entitled to any valid. It does not indicate whether the subject is entitled to any
particular information, or whether the subject ought to be trusted to particular information or whether the subject ought to be trusted to
perform a particular service. These are authorization perform a particular service. These are authorization
decisions. Automatic processing will make some authorization decisions, decisions. Automatic processing will make some authorization decisions,
but others, depending on the application context, involve the human user.</t> but others, depending on the application context, involve the human user.</t>
<t>In some situations, where automated procedures have failed to <t>In some situations, where automated procedures have failed to
establish the suitability of the certificate to the task, the human establish the suitability of the certificate to the task, the human
user is the final arbitrator of the post certificate verification user is the final arbitrator of the post certificate verification
authorization decisions. In the end, the human will decide whether authorization decisions. In the end, the human will decide whether
or not to accept an executable email attachment, to release personal or not to accept an executable email attachment, to release personal
information, or follow the instructions displayed by a web browser. information, or to follow the instructions displayed by a web browser.
This decision will often be based on recognition and previous This decision will often be based on recognition and previous
experience.</t> experience.</t>
<t>The distinction between systematic processing and human processing is <t>The distinction between systematic processing and human processing is
rather straightforward. They can be complementary. While the rather straightforward. They can be complementary. While the
systematic process is focused on certification path construction and systematic process is focused on certification path construction and
verification, the human acceptance process is focused on recognition verification, the human acceptance process is focused on recognition
and related previous experience.</t> and related previous experience.</t>
<t>There are some situations where systematic processing and human <t>There are some situations where systematic processing and human
processing interfere with each other. These issues are discussed in processing interfere with each other. These issues are discussed in
the <xref target="sec-cons"/>.</t> the <xref target="sec-cons"/>.</t>
</section> </section>
<section anchor="terms"> <section anchor="terms">
<name>Terminology</name> <name>Requirements Language</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp 14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp 14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECO MMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECO MMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be i nterpreted as "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be i nterpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t> appear in all capitals, as shown here.</t>
</section> </section>
</section> </section>
<section anchor="logotypes"> <section anchor="logotypes">
<name>Different Types of Logotypes in Certificates</name> <name>Different Types of Logotypes in Certificates</name>
<t>This specification defines the inclusion of three standard logotype typ es:</t> <t>This specification defines the inclusion of three standard logotype typ es:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>Community logotype</li> <li>community logotype</li>
<li>Issuer organization logotype</li> <li>issuer organization logotype</li>
<li>Subject organization logotype</li> <li>subject organization logotype</li>
</ul> </ul>
<t>The community logotype is the general mark for a community. It <t>The community logotype is the general mark for a community. It
identifies a service concept for entity identification and identifies a service concept for entity identification and
certificate issuance. Many issuers may use a community logotype to certificate issuance. Many issuers may use a community logotype to
co-brand with a global community in order to gain global recognition co-brand with a global community in order to gain global recognition
of its local service provision. This type of community branding is of its local service provision. This type of community branding is
very common in the credit card business, where local independent card very common in the credit card business, where local independent card
issuers include a globally recognized brand (such as VISA and issuers include a globally recognized brand (such as Visa and
MasterCard). Certificate issuers may include more than one community Mastercard). Certificate issuers may include more than one community
logotype to indicate participation in more than one global community.</t> logotype to indicate participation in more than one global community.</t>
<t>Issuer organization logotype is a logotype representing the <t>The issuer organization logotype is a logotype representing the
organization identified as part of the issuer name in the organization identified as part of the issuer name in the
certificate.</t> certificate.</t>
<t>Subject organization logotype is a logotype representing the <t>The subject organization logotype is a logotype representing the
organization identified in the subject name in the certificate.</t> organization identified in the subject name in the certificate.</t>
<t>In addition to the standard logotype types, this specification <t>In addition to the standard logotype types, this specification
accommodates inclusion of other logotype types where each class of accommodates inclusion of other logotype types where each class of
logotype is defined by an object identifier. The object identifier logotype is defined by an object identifier. The object identifier
can be either locally defined or an identifier defined in <xref target="extn-oth er"/> can be either locally defined or an identifier defined in <xref target="extn-oth er"/>
of this document.</t> of this document.</t>
</section> </section>
<section anchor="logotype-data"> <section anchor="logotype-data">
<name>Logotype Data</name> <name>Logotype Data</name>
<t>This specification defines two types of logotype data: image data and <t>This specification defines two types of logotype data: image data and
skipping to change at line 275 skipping to change at line 286
significantly increase the size of the certificate.</t> significantly increase the size of the certificate.</t>
<t>Several image objects, representing the same visual content in differen t <t>Several image objects, representing the same visual content in differen t
formats, sizes, and color palates, may represent each logotype image. At formats, sizes, and color palates, may represent each logotype image. At
least one of the image objects representing a logotype <bcp14>SHOULD</bcp14> con tain an least one of the image objects representing a logotype <bcp14>SHOULD</bcp14> con tain an
image with a width between 60 pixels and 200 pixels and a height between image with a width between 60 pixels and 200 pixels and a height between
45 pixels and 150 pixels.</t> 45 pixels and 150 pixels.</t>
<t>Several instances of audio data may further represent the same audio <t>Several instances of audio data may further represent the same audio
sequence in different formats, resolutions, and languages. At least one sequence in different formats, resolutions, and languages. At least one
of the audio objects representing a logotype <bcp14>SHOULD</bcp14> provide text- based of the audio objects representing a logotype <bcp14>SHOULD</bcp14> provide text- based
audio data suitable for processing by text-to-speech software.</t> audio data suitable for processing by text-to-speech software.</t>
<t>A typical use of text based audio data is inclusion in web applications <t>A typical use of text-based audio data is inclusion in web applications
where the where the
audio text is placed as the "alt" atttribute value of an HTML image (img) elemen audio text is placed as the "alt" attribute value of an HTML image (img) element
t ,
and the language value obtained from LogotypeAudioInfo is included as the "lang" and the language value obtained from LogotypeAudioInfo is included as the "lang"
attribute of that image.</t> attribute of that image.</t>
<t>If a logotype of a certain type (as defined in <xref target="logotypes" />) is <t>If a logotype of a certain type (as defined in <xref target="logotypes" />) is
represented by more than one image object, then each image object <bcp14>MUST</b cp14> represented by more than one image object, then each image object <bcp14>MUST</b cp14>
contain variants of roughly the same visual content. Likewise, if a contain variants of roughly the same visual content. Likewise, if a
logotype of a certain type is represented by more than one audio object, logotype of a certain type is represented by more than one audio object,
then the audio objects <bcp14>MUST</bcp14> contain variants of the same audio in formation. then the audio objects <bcp14>MUST</bcp14> contain variants of the same audio in formation.
A spoken message in different languages is considered a variation of A spoken message in different languages is considered a variation of
the same audio information. When more than one image object or more than the same audio information. When more than one image object or more than
one audio object for the same logotype type is included in the certificate, one audio object for the same logotype type is included in the certificate,
skipping to change at line 301 skipping to change at line 312
<t>A client <bcp14>MAY</bcp14> simultaneously display multiple logotypes o f different <t>A client <bcp14>MAY</bcp14> simultaneously display multiple logotypes o f different
logotype types. For example, it may display one subject organization logotype types. For example, it may display one subject organization
logotype while also displaying a community logotype, but it <bcp14>MUST NOT</bcp 14> logotype while also displaying a community logotype, but it <bcp14>MUST NOT</bcp 14>
display multiple image variants of the same community logotype.</t> display multiple image variants of the same community logotype.</t>
<t>Each logotype present in a certificate <bcp14>MUST</bcp14> be represent ed by at <t>Each logotype present in a certificate <bcp14>MUST</bcp14> be represent ed by at
least one image data object.</t> least one image data object.</t>
<t>Client applications <bcp14>SHOULD</bcp14> enhance processing and off-li ne <t>Client applications <bcp14>SHOULD</bcp14> enhance processing and off-li ne
functionality by caching logotype data.</t> functionality by caching logotype data.</t>
</section> </section>
<section anchor="extn"> <section anchor="extn">
<name>Logotype Extension</name> <name>Logotype Certificate Extension</name>
<t>This section specifies the syntax and semantics of the logotype <t>This section specifies the syntax and semantics of the logotype
certificate extension.</t> certificate extension.</t>
<section anchor="extn-format"> <section anchor="extn-format">
<name>Extension Format</name> <name>Extension Format</name>
<t>The logotype extension <bcp14>MAY</bcp14> be included in public key c ertificates <t>The logotype certificate extension <bcp14>MAY</bcp14> be included in public key certificates
<xref target="RFC5280"/> or attribute certificates <xref target="RFC5755"/>. <xref target="RFC5280"/> or attribute certificates <xref target="RFC5755"/>.
The logotype extension <bcp14>MUST</bcp14> be identified by the following object The logotype certificate extension <bcp14>MUST</bcp14> be identified by the foll owing object
identifier:</t> identifier:</t>
<artwork><![CDATA[
<sourcecode type="asn.1"><![CDATA[
id-pe-logotype OBJECT IDENTIFIER ::= id-pe-logotype OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-pe(1) 12 } security(5) mechanisms(5) pkix(7) id-pe(1) 12 }
]]></artwork> ]]></sourcecode>
<t>This extension <bcp14>MUST NOT</bcp14> be marked critical.</t> <t>This extension <bcp14>MUST NOT</bcp14> be marked critical.</t>
<t>Logotype data may be referenced through either direct or indirect <t>Logotype data may be referenced through either direct or indirect
addressing. Client applications <bcp14>SHOULD</bcp14> support both direct and i ndirect addressing. Client applications <bcp14>SHOULD</bcp14> support both direct and i ndirect
addressing. Certificate issuing applications <bcp14>MUST</bcp14> support direct addressing. Certificate issuing applications <bcp14>MUST</bcp14> support direct
addressing, and certificate issuing applications <bcp14>SHOULD</bcp14> support addressing, and certificate issuing applications <bcp14>SHOULD</bcp14> support
indirect addressing.</t> indirect addressing.</t>
<t>The direct addressing includes information about each logotype in the <t>The direct addressing includes information about each logotype in the
certificate, and URIs point to the image and audio data object. Multiple certificate, and URIs point to the image and audio data object. Multiple
URIs <bcp14>MAY</bcp14> be included for locations for obtaining the same logotyp e object. URIs <bcp14>MAY</bcp14> be included for locations for obtaining the same logotyp e object.
Multiple hash values <bcp14>MAY</bcp14> be included, each computed with a differ ent Multiple hash values <bcp14>MAY</bcp14> be included, each computed with a differ ent
one-way hash function. Direct addressing supports cases where just one-way hash function. Direct addressing supports cases where just
one or a few alternative images and audio objects are referenced.</t> one or a few alternative images and audio objects are referenced.</t>
<t>The indirect addressing includes one or more references to an externa l <t>The indirect addressing includes one or more references to an externa l
hashed data structure that contains information on the type, content, and hashed data structure that contains information on the type, content, and
location of each image and audio object. Indirect addressing supports location of each image and audio object. Indirect addressing supports
cases where each logotype is represented by many alternative audio or cases where each logotype is represented by many alternative audio or
image objects.</t> image objects.</t>
<t>Both direct and indirect addressing accommodate alternative URIs to <t>Both direct and indirect addressing accommodate alternative URIs to
obtain exactly the same logotype data. This opportunity for replication is obtain exactly the same logotype data. This opportunity for replication is
intended to improve availability. Therefore, if a client is unable to intended to improve availability. Therefore, if a client is unable to
fetch the item from one URI, the client <bcp14>SHOULD</bcp14> try another URI in the fetch the item from one URI, the client <bcp14>SHOULD</bcp14> try another URI in the
sequence. All direct addressing URIs <bcp14>SHOULD</bcp14> use the HTTPS scheme sequence. All direct addressing URIs <bcp14>SHOULD</bcp14> use the HTTPS scheme
(https://...) (https://...),
or the HTTP scheme (http://...) or the DATA scheme (data://...) <xref target="RF the HTTP scheme (http://...), or the DATA scheme (data://...) <xref target="RFC3
C3986"/>. 986"/>.
However, the "data" URI scheme <bcp14>MUST NOT</bcp14> be used with the indirect addressing. However, the "data" URI scheme <bcp14>MUST NOT</bcp14> be used with the indirect addressing.
Clients <bcp14>MUST</bcp14> support retrieval of referenced LogoTypeData with th Clients <bcp14>MUST</bcp14> support retrieval of the referenced LogotypeData wit
e h
HTTP <xref target="RFC9110"/> and the HTTP with TLS <xref target="RFC8446"/>, or HTTP <xref target="RFC9110"/>, HTTP with TLS <xref target="RFC8446"/>, or subseq
subsequent versions of uent versions of
these protocols. Client applications <bcp14>SHOULD</bcp14> also support the "da ta" URI these protocols. Client applications <bcp14>SHOULD</bcp14> also support the "da ta" URI
scheme <xref target="RFC2397"/> for direct addressing with embedded logotype dat a scheme <xref target="RFC2397"/> for direct addressing with embedded logotype dat a
within the extension.</t> within the extension.</t>
<t>Note that the HTTPS scheme (https://...) requires the validation of o ther <t>Note that the HTTPS scheme (https://...) requires the validation of o ther
certificates to establish a secure connection. For this reason, the certificates to establish a secure connection. For this reason, the
HTTP scheme (http://...) may be easier for a client to handle. Also, the HTTP scheme (http://...) may be easier for a client to handle. Also, the
hash of the logotype data provides data integrity.</t> hash of the logotype data provides data integrity.</t>
<t>The logotype extension <bcp14>MUST</bcp14> have the following syntax: <t>The logotype certificate extension <bcp14>MUST</bcp14> have the follo
</t> wing syntax:</t>
<artwork><![CDATA[ <sourcecode type="asn.1"><![CDATA[
LogotypeExtn ::= SEQUENCE { LogotypeExtn ::= SEQUENCE {
communityLogos [0] EXPLICIT SEQUENCE OF LogotypeInfo OPTIONAL, communityLogos [0] EXPLICIT SEQUENCE OF LogotypeInfo OPTIONAL,
issuerLogo [1] EXPLICIT LogotypeInfo OPTIONAL, issuerLogo [1] EXPLICIT LogotypeInfo OPTIONAL,
subjectLogo [2] EXPLICIT LogotypeInfo OPTIONAL, subjectLogo [2] EXPLICIT LogotypeInfo OPTIONAL,
otherLogos [3] EXPLICIT SEQUENCE OF OtherLogotypeInfo otherLogos [3] EXPLICIT SEQUENCE OF OtherLogotypeInfo
OPTIONAL } OPTIONAL }
LogotypeInfo ::= CHOICE { LogotypeInfo ::= CHOICE {
direct [0] LogotypeData, direct [0] LogotypeData,
indirect [1] LogotypeReference } indirect [1] LogotypeReference }
skipping to change at line 374 skipping to change at line 386
LogotypeImage ::= SEQUENCE { LogotypeImage ::= SEQUENCE {
imageDetails LogotypeDetails, imageDetails LogotypeDetails,
imageInfo LogotypeImageInfo OPTIONAL } imageInfo LogotypeImageInfo OPTIONAL }
LogotypeAudio ::= SEQUENCE { LogotypeAudio ::= SEQUENCE {
audioDetails LogotypeDetails, audioDetails LogotypeDetails,
audioInfo LogotypeAudioInfo OPTIONAL } audioInfo LogotypeAudioInfo OPTIONAL }
LogotypeDetails ::= SEQUENCE { LogotypeDetails ::= SEQUENCE {
mediaType IA5String, -- MIME media type name and optional mediaType IA5String, -- Media type name and optional
-- parameters -- parameters
logotypeHash SEQUENCE SIZE (1..MAX) OF HashAlgAndValue, logotypeHash SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
logotypeURI SEQUENCE SIZE (1..MAX) OF IA5String } logotypeURI SEQUENCE SIZE (1..MAX) OF IA5String }
LogotypeImageInfo ::= SEQUENCE { LogotypeImageInfo ::= SEQUENCE {
type [0] LogotypeImageType DEFAULT color, type [0] LogotypeImageType DEFAULT color,
fileSize INTEGER, -- In octets, 0=unspecified fileSize INTEGER, -- In octets, 0=unspecified
xSize INTEGER, -- Horizontal size in pixels xSize INTEGER, -- Horizontal size in pixels
ySize INTEGER, -- Vertical size in pixels ySize INTEGER, -- Vertical size in pixels
resolution LogotypeImageResolution OPTIONAL, resolution LogotypeImageResolution OPTIONAL,
skipping to change at line 414 skipping to change at line 426
LogotypeReference ::= SEQUENCE { LogotypeReference ::= SEQUENCE {
refStructHash SEQUENCE SIZE (1..MAX) OF HashAlgAndValue, refStructHash SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
refStructURI SEQUENCE SIZE (1..MAX) OF IA5String } refStructURI SEQUENCE SIZE (1..MAX) OF IA5String }
-- Places to get the same LogotypeData -- Places to get the same LogotypeData
-- image or audio object -- image or audio object
HashAlgAndValue ::= SEQUENCE { HashAlgAndValue ::= SEQUENCE {
hashAlg AlgorithmIdentifier, hashAlg AlgorithmIdentifier,
hashValue OCTET STRING } hashValue OCTET STRING }
]]></artwork> ]]></sourcecode>
<t>When using indirect addressing, the URI (refStructURI) pointing to <t>When using indirect addressing, the URI (refStructURI) pointing to
the external data structure <bcp14>MUST</bcp14> point to a resource that contain s the external data structure <bcp14>MUST</bcp14> point to a resource that contain s
the DER-encoded data with the syntax LogotypeData.</t> the DER-encoded data with the syntax LogotypeData.</t>
<t>At least one of the optional elements in the LogotypeExtn structure <t>At least one of the optional elements in the LogotypeExtn structure
<bcp14>MUST</bcp14> be present.</t> <bcp14>MUST</bcp14> be present.</t>
<t>When using direct addressing, at least one of the optional elements <t>When using direct addressing, at least one of the optional elements
in the LogotypeData structure <bcp14>MUST</bcp14> be present.</t> in the LogotypeData structure <bcp14>MUST</bcp14> be present.</t>
<t>The LogotypeReference and LogotypeDetails structures explicitly <t>The LogotypeReference and LogotypeDetails structures explicitly
identify one or more one-way hash functions employed to authenticate identify one or more one-way hash functions employed to authenticate
referenced image or audio objects. CAs <bcp14>MUST</bcp14> include a hash value for each referenced image or audio objects. Certification Authorities (CAs) <bcp14>MUST< /bcp14> include a hash value for each
referenced object, calculated on the whole object. CAs <bcp14>MUST</bcp14> use the referenced object, calculated on the whole object. CAs <bcp14>MUST</bcp14> use the
one-way hash function that is associated with the certificate signature to one-way hash function that is associated with the certificate signature to
compute one hash value, and CAs <bcp14>MAY</bcp14> include other hash values. C lients compute one hash value, and CAs <bcp14>MAY</bcp14> include other hash values. C lients
<bcp14>MUST</bcp14> compute a one-way hash value using one of the identified fun ctions, <bcp14>MUST</bcp14> compute a one-way hash value using one of the identified fun ctions,
and clients <bcp14>MUST</bcp14> discard the logotype data if the computed hash v alue does and clients <bcp14>MUST</bcp14> discard the logotype data if the computed hash v alue does
not match the hash value in the certificate extension.</t> not match the hash value in the certificate extension.</t>
<t>A MIME type is used to specify the format of the image or audio objec
t <t>A media type is used to specify the format of the image or audio object
containing the logotype data. The mediaType field <bcp14>MUST</bcp14> contain a string containing the logotype data. The mediaType field <bcp14>MUST</bcp14> contain a string
that is constructed according to the ABNF <xref target="RFC5234"/> provided in that is constructed according to the ABNF <xref target="RFC5234"/> rule for medi
Section 4.2 of <xref target="RFC6838"/>. MIME types <bcp14>MAY</bcp14> include a-type
parameters.</t> provided in <xref target="RFC9110" sectionFormat="of" section="8.3.1"/>. Media
types <bcp14>MAY</bcp14> include parameters. To keep the mediaType field as
small as possible, optional whitespace <bcp14>SHOULD NOT</bcp14> be included.<
/t>
<t>Image format requirements are specified in <xref target="image-format "/>, and audio <t>Image format requirements are specified in <xref target="image-format "/>, and audio
format requirements are specified in <xref target="audio-format"/>.</t> format requirements are specified in <xref target="audio-format"/>.</t>
<t>When language is specified, the language tag <bcp14>MUST</bcp14> use <t>When language is specified, the language tag <bcp14>MUST</bcp14> use
the <xref target="RFC5646"/> syntax.</t> the syntax in <xref target="RFC5646"/>.</t>
<t>Logotype types defined in this specification are:</t> <t>The following logotype types are defined in this specification:</t>
<ul empty="true"> <ul>
<li> <li>community logotype: If communityLogos is present, the logotypes
<t>Community Logotype: If communityLogos is present, the logotypes
<bcp14>MUST</bcp14> represent one or more communities with which the certifica te <bcp14>MUST</bcp14> represent one or more communities with which the certifica te
issuer is affiliated. The communityLogos <bcp14>MAY</bcp14> be present in an end issuer is affiliated. The communityLogos <bcp14>MAY</bcp14> be present in an end
entity certificate, a CA certificate, or an attribute entity certificate, a CA certificate, or an attribute
certificate. The communityLogos contains a sequence of Community Logotypes, certificate. The communityLogos contains a sequence of community logotypes,
each representing a different community. If more than one Community each representing a different community. If more than one community
logotype is present, they <bcp14>MUST</bcp14> be placed in order of preferred logotype is present, they <bcp14>MUST</bcp14> be placed in order of preferred
appearance. Some clients <bcp14>MAY</bcp14> choose to display a subset of the appearance.
present community logos; therefore the placement within the Some clients <bcp14>MAY</bcp14> choose to display a subset of the
present community logos; therefore, the placement within the
sequence aids the client selection. The most preferred logotype sequence aids the client selection. The most preferred logotype
<bcp14>MUST</bcp14> be first in the sequence, and the least preferred logotype <bcp14>MUST</bcp14> be first in the sequence, and the least preferred logotype
<bcp14>MUST</bcp14> be last in the sequence.</t> <bcp14>MUST</bcp14> be last in the sequence.</li>
</li> <li>issuer organization logotype: If issuerLogo is present, the
</ul>
<ul empty="true">
<li>
<t>Issuer Organization Logotype: If issuerLogo is present, the
logotype <bcp14>MUST</bcp14> represent the issuer's organization. The logotyp e logotype <bcp14>MUST</bcp14> represent the issuer's organization. The logotyp e
<bcp14>MUST</bcp14> be consistent with, and require the presence of, an <bcp14>MUST</bcp14> be consistent with, and require the presence of, an
organization name stored in the organization attribute in the organization name stored in the organization attribute in the
issuer field (for either a public key certificate or attribute issuer field (for either a public key certificate or attribute
certificate). The issuerLogo <bcp14>MAY</bcp14> be present in an end entity certificate). The issuerLogo <bcp14>MAY</bcp14> be present in an end entity
certificate, a CA certificate, or an attribute certificate.</t> certificate, a CA certificate, or an attribute certificate.</li>
</li> <li>subject organization logotype: If subjectLogo is present, the
</ul>
<ul empty="true">
<li>
<t>Subject Organization Logotype: If subjectLogo is present, the
logotype <bcp14>MUST</bcp14> represent the subject's organization. The logoty pe logotype <bcp14>MUST</bcp14> represent the subject's organization. The logoty pe
<bcp14>MUST</bcp14> be consistent with, and require the presence of, an <bcp14>MUST</bcp14> be consistent with, and require the presence of, an
organization name stored in the organization attribute in the organization name stored in the organization attribute in the
subject field (for either a public key certificate or attribute subject field (for either a public key certificate or attribute
certificate). The subjectLogo <bcp14>MAY</bcp14> be present in an end entity certificate). The subjectLogo <bcp14>MAY</bcp14> be present in an end entity
certificate, a CA certificate, or an attribute certificate.</t> certificate, a CA certificate, or an attribute certificate.</li>
</li>
</ul> </ul>
<t>The relationship between the subject organization and the subject <t>The relationship between the subject organization and the subject
organization logotype, and the relationship between the issuer and organization logotype, and the relationship between the issuer and
either the issuer organization logotype or the community logotype, either the issuer organization logotype or the community logotype,
are relationships asserted by the issuer. The policies and practices are relationships asserted by the issuer. The policies and practices
employed by the issuer to check subject organization logotypes or employed by the issuer that check subject organization logotypes or
claims its issuer and community logotypes is outside the scope of claims about its issuer and community logotypes are outside the scope of
this document.</t> this document.</t>
</section> </section>
<section anchor="image-info"> <section anchor="image-info">
<name>Conventions for LogotypeImageInfo</name> <name>Conventions for LogotypeImageInfo</name>
<t>When the optional LogotypeImageInfo is included with a logotype <t>When the optional LogotypeImageInfo is included with a logotype
image, the parameters <bcp14>MUST</bcp14> be used with the following semantics a nd image, the parameters <bcp14>MUST</bcp14> be used with the following semantics a nd
restrictions.</t> restrictions.</t>
<t>The xSize and ySize fields represent the recommended display size for <t>The xSize and ySize fields represent the recommended display size for
the logotype image. When a value of 0 (zero) is present, no recommended the logotype image. When a value of 0 (zero) is present, no recommended
display size is specified. When non-zero values are present and these display size is specified. When non-zero values are present and these
values differ from corresponding size values in the referenced image object, values differ from corresponding size values in the referenced image object,
then the referenced image <bcp14>SHOULD</bcp14> be scaled to fit within the size parameters then the referenced image <bcp14>SHOULD</bcp14> be scaled to fit within the size parameters
of LogotypeImageInfo, while preserving the x and y ratio. Dithering may of LogotypeImageInfo while preserving the x and y ratio. Dithering may
produce a more appropriate image than linear scaling.</t> produce a more appropriate image than linear scaling.</t>
<t>The resolution field is redundant for all logotype image formats <t>The resolution field is redundant for all logotype image formats
listed in <xref target="image-format"/>. The optional resolution field <bcp14>SH OULD</bcp14> listed in <xref target="image-format"/>. The optional resolution field <bcp14>SH OULD</bcp14>
be omitted when the image format already contains this information.</t> be omitted when the image format already contains this information.</t>
</section> </section>
<section anchor="embedded-image"> <section anchor="embedded-image">
<name>Embedded Images</name> <name>Embedded Images</name>
<t>If the logotype image is provided through direct addressing, then <t> If the logotype image is provided through direct addressing, then t
the image <bcp14>MAY</bcp14> be stored within the logotype certificate extension he
using the image <bcp14>MAY</bcp14> be stored within the logotype certificate extension u
"data" scheme <xref target="RFC2397"/>. The syntax of the "data" URI scheme sing
defined is included here for convenience:</t> the "data" scheme <xref target="RFC2397"/>. The syntax of the "data" URI sche
<artwork><![CDATA[ me is
dataurl := "data:" [ mediatype ] [ ";base64" ] "," data shown below, which incorporates Errata ID 2045 and uses modern ABNF
mediatype := [ type "/" subtype ] *( ";" parameter ) <xref target="RFC5234"/>:</t>
data := *urlchar <sourcecode type="abnf"><![CDATA[
parameter := attribute "=" value dataurl = "data:" [ media-type ] [ ";base64" ] "," data
]]></artwork> data = *(reserved / unreserved / escaped)
<t>When including the image data in the logotype extension using the reserved = ";" / "/" / "?" / ":" / "@" / "&" / "=" / "+" /
"$" / ","
unreserved = alphanum / mark
alphanum = ALPHA / DIGIT
mark = "-" / "_" / "." / "!" / "~" / "*" / "'" / "(" / ")"
escaped = "%" hex hex
hex = HEXDIG / "a" / "b" / "c" / "d" / "e" / "f"
]]></sourcecode>
<t>where media-type is defined in <xref target="RFC9110" sectionFormat="of" sect
ion="8.3.1"/> and
ALPHA, DIGIT, and HEXDIG are defined in <xref target="RFC5234" sectionFormat="
of" section="B.1"/>.</t>
<t>When including the image data in the logotype certificate extension u
sing the
"data" URI scheme, the following conventions apply:</t> "data" URI scheme, the following conventions apply:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>The value of mediaType in LogotypeDetails <bcp14>MUST</bcp14> be i dentical to the <li>The value of mediaType in LogotypeDetails <bcp14>MUST</bcp14> be i dentical to the
media type value in the "data" URL.</li> media type value in the "data" URL.</li>
<li>The hash of the image <bcp14>MUST</bcp14> be included in logotypeH ash and <bcp14>MUST</bcp14> be <li>The hash of the image <bcp14>MUST</bcp14> be included in logotypeH ash and <bcp14>MUST</bcp14> be
calculated over the same data as it would have been, had the image calculated over the same data as it would have been if the image
been referenced through a link to an external resource.</li> had been referenced through a link to an external resource.</li>
</ul> </ul>
<aside>
<t>NOTE: As the "data" URI scheme is processed as a data source rather <t>NOTE: As the "data" URI scheme is processed as a data source rather
than as a URL, the image data is typically not limited by any than as a URL, the image data is typically not limited by any
URL length limit settings that otherwise apply to URLs in general.</t> URL length limit settings that otherwise apply to URLs in general.</t>
<t>NOTE: Implementations need to be cautious about the size of images <t>NOTE: Implementations need to be cautious about the size of images
included in a certificate in order to ensure that the size of included in a certificate in order to ensure that the size of
the certificate does not prevent the certificate from being the certificate does not prevent the certificate from being
used as intended.</t> used as intended.</t>
</aside>
</section> </section>
<section anchor="extn-other"> <section anchor="extn-other">
<name>Other Logotypes</name> <name>Other Logotypes</name>
<t>Logotypes identified by otherLogos (as defined in <xref target="extn- format"/>) can be used to <t>Logotypes identified by otherLogos (as defined in <xref target="extn- format"/>) can be used to
enhance the display of logotypes and marks that represent partners, enhance the display of logotypes and marks that represent partners,
products, services, or any other characteristic associated with the products, services, or any other characteristic associated with the
certificate or its intended application environment when the standard certificate or its intended application environment when the standard
logotype types are insufficient.</t> logotype types are insufficient.</t>
<t>The conditions and contexts of the intended use of these logotypes <t>The conditions and contexts of the intended use of these logotypes
are defined at the discretion of the local client application.</t> are defined at the discretion of the local client application.</t>
<t>Three other logotype types are defined in the follow subsections.</t> <t>Three other logotype types are defined in the follow subsections.</t>
<section anchor="extn-other-1"> <section anchor="extn-other-1">
<name>Loyalty Logotype</name> <name>Loyalty Logotype</name>
<t>When a loyalty logotype appears in the otherLogos, it <bcp14>MUST</ bcp14> be identified <t>When a loyalty logotype appears in otherLogos, it <bcp14>MUST</bcp1 4> be identified
by the id-logo-loyalty object identifier.</t> by the id-logo-loyalty object identifier.</t>
<artwork><![CDATA[ <sourcecode type="asn.1"><![CDATA[
id-logo OBJECT IDENTIFIER ::= { id-pkix 20 } id-logo OBJECT IDENTIFIER ::= { id-pkix 20 }
id-logo-loyalty OBJECT IDENTIFIER ::= { id-logo 1 } id-logo-loyalty OBJECT IDENTIFIER ::= { id-logo 1 }
]]></artwork> ]]></sourcecode>
<t>A loyalty logotype, if present, <bcp14>MUST</bcp14> contain a logot ype associated <t>A loyalty logotype, if present, <bcp14>MUST</bcp14> contain a logot ype associated
with a loyalty program related to the certificate or its use. The with a loyalty program related to the certificate or its use. The
relation between the certificate and the identified loyalty program relation between the certificate and the identified loyalty program
is beyond the scope of this document. The logotype extension <bcp14>MAY</bcp14> is beyond the scope of this document. The logotype certificate extension <bcp14
contain more than one Loyalty logotype.</t> >MAY</bcp14>
contain more than one loyalty logotype.</t>
<t>If more than one loyalty logotype is present, they <bcp14>MUST</bcp 14> be <t>If more than one loyalty logotype is present, they <bcp14>MUST</bcp 14> be
placed in order of preferred appearance. Some clients <bcp14>MAY</bcp14> choose placed in order of preferred appearance. Some clients <bcp14>MAY</bcp14> choose
to display a subset of the present loyalty logotype data; therefore the to display a subset of the present loyalty logotype data; therefore, the
placement within the sequence aids the client selection. The most placement within the sequence aids the client selection. The most
preferred loyalty logotype data <bcp14>MUST</bcp14> be first in the sequence, an d the preferred loyalty logotype data <bcp14>MUST</bcp14> be first in the sequence, an d the
least preferred loyalty logotype data <bcp14>MUST</bcp14> be last in the sequenc e.</t> least preferred loyalty logotype data <bcp14>MUST</bcp14> be last in the sequenc e.</t>
</section> </section>
<section anchor="extn-other-2"> <section anchor="extn-other-2">
<name>Certificate Background Logotype</name> <name>Certificate Background Logotype</name>
<t>When a certificate background logotype appears in the otherLogos, i t <t>When a certificate background logotype appears in otherLogos, it
<bcp14>MUST</bcp14> be identified by the id-logo-background object identifier.</ t> <bcp14>MUST</bcp14> be identified by the id-logo-background object identifier.</ t>
<artwork><![CDATA[ <sourcecode type="asn.1"><![CDATA[
id-logo-background OBJECT IDENTIFIER ::= { id-logo 2 } id-logo-background OBJECT IDENTIFIER ::= { id-logo 2 }
]]></artwork> ]]></sourcecode>
<t>The certificate background logotype, if present, <bcp14>MUST</bcp14 > contain a <t>The certificate background logotype, if present, <bcp14>MUST</bcp14 > contain a
graphical image intended as a background image for the certificate, graphical image intended as a background image for the certificate
and/or a general audio sequence for the certificate. The background and/or a general audio sequence for the certificate. The background
image <bcp14>MUST</bcp14> allow black text to be clearly read when placed on top of image <bcp14>MUST</bcp14> allow black text to be clearly read when placed on top of
the background image. The logotype extension <bcp14>MUST NOT</bcp14> contain mo re the background image. The logotype certificate extension <bcp14>MUST NOT</bcp14 > contain more
than one certificate background logotype.</t> than one certificate background logotype.</t>
</section> </section>
<section anchor="extn-other-3"> <section anchor="extn-other-3">
<name>Certificate Image Logotype</name> <name>Certificate Image Logotype</name>
<t>When a certificate image logotype appears in the otherLogos, it <t>When a certificate image logotype appears in otherLogos, it
<bcp14>MUST</bcp14> be identified by the id-logo-certImage object identifier.</t > <bcp14>MUST</bcp14> be identified by the id-logo-certImage object identifier.</t >
<artwork><![CDATA[ <sourcecode type="asn.1"><![CDATA[
id-logo-certImage OBJECT IDENTIFIER ::= { id-logo 3 } id-logo-certImage OBJECT IDENTIFIER ::= { id-logo 3 }
]]></artwork> ]]></sourcecode>
<t>The certificate image logotype, if present, aids human interpretati on <t>The certificate image logotype, if present, aids human interpretati on
of a certificate by providing meaningful visual information to the of a certificate by providing meaningful visual information to the
user interface (UI). The logotype extension <bcp14>MUST NOT</bcp14> contain mor e user interface (UI). The logotype certificate extension <bcp14>MUST NOT</bcp14> contain more
than one certificate image logotype.</t> than one certificate image logotype.</t>
<t>Typical situations when a human needs to examine <t>Typical situations when a human needs to examine
the visual representation of a certificate are:</t> the visual representation of a certificate are:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>A person establishes a secured channel with an authenticated <li>A person establishes a secured channel with an authenticated
service. The person needs to determine the identity of the service. The person needs to determine the identity of the
service based on the authenticated credentials.</li> service based on the authenticated credentials.</li>
<li>A person validates the signature on critical information, such a s <li>A person validates the signature on critical information, such a s
signed executable code, and needs to determine the identity of the signed executable code, and needs to determine the identity of the
signer based on the signer's certificate.</li> signer based on the signer's certificate.</li>
<li>A person is required to select an appropriate certificate to be <li>A person is required to select an appropriate certificate to be
used when authenticating to a service or Identity Management used when authenticating to a service or identity management
infrastructure. The person needs to see the available infrastructure. The person needs to see the available
certificates in order to distinguish between them in the selection certificates in order to distinguish between them in the selection
process.</li> process.</li>
</ul> </ul>
<t>The display of certificate information to humans is challenging due <t>The display of certificate information to humans is challenging due
to lack of well-defined semantics for critical identity attributes. to lack of well-defined semantics for critical identity attributes.
Unless the application has out-of-band knowledge about a particular Unless the application has out-of-band knowledge about a particular
certificate, the application will not know the exact nature of the certificate, the application will not know the exact nature of the
data stored in common identification attributes such as serialNumber, data stored in common identification attributes, such as serialNumber,
organizationName, country, etc. Consequently, the application can organizationName, country, etc. Consequently, the application can
display the actual data, but faces the problem of labeling that data display the actual data but faces the problem of labeling that data
in the UI and informing the human about the exact nature (semantics) in the UI and informing the human about the exact nature (semantics)
of that data. It is also challenging for the application to of that data. It is also challenging for the application to
determine which identification attributes are important to display determine which identification attributes are important to display
and how to organize them in a logical order.</t> and how to organize them in a logical order.</t>
<t>When present, the certificate image <bcp14>MUST</bcp14> be a comple te visual <t>When present, the certificate image <bcp14>MUST</bcp14> be a comple te visual
representation of the certificate. This means that the display of representation of the certificate. This means that the display of
this certificate image represents all information about the this certificate image represents all information about the
certificate that the issuer subjectively defines as relevant to show certificate that the issuer subjectively defines as relevant to show
to a typical human user within the typical intended use of the to a typical human user within the typical intended use of the
certificate, giving adequate information about at least the following certificate, giving adequate information about at least the following
three aspects of the certificate:</t> three aspects of the certificate:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>Certificate Context</li> <li>certificate context</li>
<li>Certificate Issuer</li> <li>certificate issuer</li>
<li>Certificate Subject</li> <li>certificate subject</li>
</ul> </ul>
<t>Certificate Context information is visual marks and/or textual <t>Certificate context information is visual marks and/or textual
information that helps the typical user to understand the typical information that helps the typical user to understand the typical
usage and/or purpose of the certificate.</t> usage and/or purpose of the certificate.</t>
<t>It is up to the issuer to decide what information -- in the form of <t>It is up to the issuer to decide what information -- in the form of
text, graphical symbols, and elements -- represents a complete visual text, graphical symbols, and elements -- represents a complete visual
representation of the certificate. However, the visual representation of the certificate. However, the visual
representation of Certificate Subject and Certificate Issuer representation of certificate subject and certificate issuer
information from the certificate <bcp14>MUST</bcp14> have the same meaning as th e information from the certificate <bcp14>MUST</bcp14> have the same meaning as th e
textual representation of that information in the certificate itself.</t> textual representation of that information in the certificate itself.</t>
<t>Applications providing a Graphical User Interface (GUI) to the <t>Applications providing a Graphical User Interface (GUI) to the
certificate user <bcp14>MAY</bcp14> present a certificate image as the only visu al certificate user <bcp14>MAY</bcp14> present a certificate image as the only visu al
representation of a certificate; however, the certificate user <bcp14>SHOULD</bc p14> representation of a certificate; however, the certificate user <bcp14>SHOULD</bc p14>
be able to easily obtain the details of the certificate content.</t> be able to easily obtain the details of the certificate content.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="cert-types"> <section anchor="cert-types">
<name>Type of Certificates</name> <name>Type of Certificates</name>
<t>Logotypes <bcp14>MAY</bcp14> be included in public key certificates and attribute <t>Logotypes <bcp14>MAY</bcp14> be included in public key certificates and attribute
certificates at the discretion of the certificate issuer; however, the certificates at the discretion of the certificate issuer; however, the
relying party <bcp14>MUST NOT</bcp14> use the logotypes as part of certification path relying party <bcp14>MUST NOT</bcp14> use the logotypes as part of certification path
validation or automated trust decision. The sole purpose of logotypes is validation or automated trust decisions. The sole purpose of logotypes is
to enhance the display of a particular certificate, regardless of its to enhance the display of a particular certificate, regardless of its
position in a certification path.</t> position in a certification path.</t>
</section> </section>
<section anchor="use-in-clients"> <section anchor="use-in-clients">
<name>Use in Clients</name> <name>Use in Clients</name>
<t>All PKI implementations require relying party software to have some <t>All PKI implementations require relying party software to have some
mechanism to determine whether a trusted CA issues a particular mechanism to determine whether a trusted CA issues a particular
certificate. This is an issue for certification path validation, certificate. This is an issue for certification path validation,
including consistent policy and name checking.</t> including consistent policy and name checking.</t>
<t>After a certification path is successfully validated, the replying <t>After a certification path is successfully validated, the replying
party trusts the information that the CA includes in the certificate, party trusts the information that the CA includes in the certificate,
including any certificate extensions. The client software can choose including any certificate extensions. The client software can choose
to make use of such information, or the client software can ignore to make use of such information, or the client software can ignore
it. If the client is unable to support a provided logotype, the client it. If the client is unable to support a provided logotype, the
<bcp14>MUST NOT</bcp14> report an error, rather the client <bcp14>MUST</bcp14> b client <bcp14>MUST NOT</bcp14> report an error; instead, the client <bcp14>MU
ehave as though no ST</bcp14> behave as
logotype extension was included in the certificate. Current standards though no logotype certificate extension was included in the certificate. Cu
rrent standards
do not provide any mechanism for cross-certifying CAs to constrain do not provide any mechanism for cross-certifying CAs to constrain
subordinate CAs from including private extensions (see <xref target="sec-cons"/> ).</t> subordinate CAs from including private extensions (see <xref target="sec-cons"/> ).</t>
<t>Consequently, if relying party software accepts a CA, then it should <t>Consequently, if relying party software accepts a CA, then it should
be prepared to (unquestioningly) display the associated logotypes to be prepared to (unquestioningly) display the associated logotypes to
its human user, given that it is configured to do so. Information its human user, given that it is configured to do so. Information
about the logotypes is provided so that the replying party software about the logotypes is provided so that the replying party software
can select the one that will best meet the needs of the human can select the one that will best meet the needs of the human
user. This choice depends on the abilities of the human user, as well as user. This choice depends on the abilities of the human user, as well as
the the
capabilities of the platform on which the replaying party software is capabilities of the platform on which the replaying party software is
running. If none of the provided logotypes meets the needs of the running. If none of the provided logotypes meets the needs of the
human user or matches the capabilities of the platform, then the human user or matches the capabilities of the platform, then the
logotypes can be ignored.</t> logotypes can be ignored.</t>
<t>A client <bcp14>MAY</bcp14>, subject to local policy, choose to display none, one, or <t>A client <bcp14>MAY</bcp14>, subject to local policy, choose to display none, one, or
any number of the logotypes in the logotype extension. In many cases, any number of the logotypes in the logotype certificate extension. In many case s,
a client will be used in an environment with a good a client will be used in an environment with a good
network connection and also used in an environment with little or no network connection and also used in an environment with little or no
network connectivity. For example, a laptop computer can be docked network connectivity. For example, a laptop computer can be docked
with a high-speed LAN connection, or it can be disconnected from the with a high-speed LAN connection, or it can be disconnected from the
network altogether. In recognition of this situation, the client <bcp14>MUST</b cp14> network altogether. In recognition of this situation, the client <bcp14>MUST</b cp14>
include the ability to disable the fetching of logotypes. However, include the ability to disable the fetching of logotypes. However,
locally cached logotypes can still be displayed when the user locally cached logotypes can still be displayed when the user
disables the fetching of additional logotypes.</t> disables the fetching of additional logotypes.</t>
<t>A client <bcp14>MAY</bcp14>, subject to local policy, choose any combin ation of <t>A client <bcp14>MAY</bcp14>, subject to local policy, choose any combin ation of
audio and image presentation for each logotype. That is, the client audio and image presentation for each logotype. That is, the client
skipping to change at line 705 skipping to change at line 722
especially difficult with audio logotypes. It is important that the especially difficult with audio logotypes. It is important that the
human user be able to recognize the context of the logotype, even if human user be able to recognize the context of the logotype, even if
other audio streams are being played.</t> other audio streams are being played.</t>
<t>If the relying party software is unable to successfully validate a <t>If the relying party software is unable to successfully validate a
particular certificate, then it <bcp14>MUST NOT</bcp14> display any logotype dat a particular certificate, then it <bcp14>MUST NOT</bcp14> display any logotype dat a
associated with that certificate.</t> associated with that certificate.</t>
</section> </section>
<section anchor="image-format"> <section anchor="image-format">
<name>Image Formats</name> <name>Image Formats</name>
<t>Animated images <bcp14>SHOULD NOT</bcp14> be used.</t> <t>Animated images <bcp14>SHOULD NOT</bcp14> be used.</t>
<t>The following table lists many common image formats and the <t>The following table lists common image formats and the
corresponding MIME type. The table also indicates the support corresponding media type. The table also indicates the support
requirements for these image formats. The filename extensions requirements for these image formats. The file name extensions
commonly used for each of these formats is also commonly used for each of these formats is also
provided. Implementations <bcp14>MAY</bcp14> support other image formats.</t> provided. Implementations <bcp14>MAY</bcp14> support other image formats.</t>
<table anchor="image-format-table"> <table anchor="image-format-table">
<name>Image Formats</name> <name>Image Formats</name>
<thead> <thead>
<tr> <tr>
<th align="left">Format</th> <th align="left">Format</th>
<th align="left">MIME Type</th> <th align="left">Media Type</th>
<th align="left">Extension</th> <th align="left">Extension</th>
<th align="left">References</th> <th align="left">References</th>
<th align="left">Implement?</th> <th align="left">Implement?</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">JPEG</td> <td align="left">JPEG</td>
<td align="left">image/jpeg</td> <td align="left">image/jpeg</td>
<td align="left">.jpg<br/>.jpeg</td> <td align="left">.jpg<br/>.jpeg</td>
skipping to change at line 778 skipping to change at line 795
<td align="left">PDF</td> <td align="left">PDF</td>
<td align="left">application/pdf</td> <td align="left">application/pdf</td>
<td align="left">.pdf</td> <td align="left">.pdf</td>
<td align="left"> <td align="left">
<xref target="ISO32000"/><br/><xref target="ISO19005"/><br/><xref target="RFC8118"/></td> <xref target="ISO32000"/><br/><xref target="ISO19005"/><br/><xref target="RFC8118"/></td>
<td align="left"> <td align="left">
<bcp14>MAY</bcp14> support</td> <bcp14>MAY</bcp14> support</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<aside>
<t>NOTE: The image/svg+xml-compressed media type is widely implemented, bu t it <t>NOTE: The image/svg+xml-compressed media type is widely implemented, bu t it
has not yet been registered with IANA.</t> has not yet been registered with IANA.</t>
</aside>
<t>When a Scalable Vector Graphics (SVG) image is used, whether the image is <t>When a Scalable Vector Graphics (SVG) image is used, whether the image is
compressed or not, the SVG Tiny profile <xref target="SVGT"/> <bcp14>MUST</bcp14 > be followed, with compressed or not, the SVG Tiny profile <xref target="SVGT"/> <bcp14>MUST</bcp14 > be followed, with
these additional restrictions:</t> these additional restrictions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>The SVG image <bcp14>MUST NOT</bcp14> contain any Internationalized Resource <li>The SVG image <bcp14>MUST NOT</bcp14> contain any Internationalized Resource
Identifier (IRI) references to information stored outside of the Identifier (IRI) references to information stored outside of the
SVG image of type B, C, or D, according to Section 14.1.4 of <xref target="SVGT" />.</li> SVG image of type B, C, or D, according to Section 14.1.4 of <xref target="SVGT" />.</li>
<li>The SVG image <bcp14>MUST NOT</bcp14> contain any 'script' element, according to <li>The SVG image <bcp14>MUST NOT</bcp14> contain any script element, ac cording to
Section 15.2 of <xref target="SVGT"/>.</li> Section 15.2 of <xref target="SVGT"/>.</li>
<li>The XML structure in the SVG file <bcp14>MUST</bcp14> use linefeed ( 0x0A) as <li>The XML structure in the SVG file <bcp14>MUST</bcp14> use linefeed ( 0x0A) as
the end-of-line (EOL) character when calculating a hash over the the end-of-line (EOL) character when calculating a hash over the
SVG image.</li> SVG image.</li>
</ul> </ul>
<t>When a GZIP-compressed SVG image is fetched with HTTP, the <t>When a GZIP-compressed SVG image is fetched with HTTP, the
client will receive a response that includes these headers:</t> client will receive a response that includes these headers:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Content-Type: image/svg+xml Content-Type: image/svg+xml
Content-Encoding: gzip Content-Encoding: gzip
]]></artwork> ]]></artwork>
<t>In this case, the octet stream of type image/svg+xml is compressed with <t>In this case, the octet stream of type image/svg+xml is compressed with
GZIP <xref target="RFC1952"/> as specified in <xref target="SVGR"/>.</t> GZIP <xref target="RFC1952"/>, as specified in <xref target="SVGR"/>.</t>
<t>When an uncompressed SVG image is fetched with HTTP, the client will re ceive <t>When an uncompressed SVG image is fetched with HTTP, the client will re ceive
a response with the same Content-Type header, but no Content-Encoding header.</t > a response with the same Content-Type header but no Content-Encoding header.</t>
<t>Whether the SVG image is GZIP-compressed or uncompressed, the hash valu e for <t>Whether the SVG image is GZIP-compressed or uncompressed, the hash valu e for
the SVG image is calculated over the uncompressed SVG content with the SVG image is calculated over the uncompressed SVG content with
canonicalized EOL characters as specified above.</t> canonicalized EOL characters, as specified above.</t>
<t>When an SVG image is embedded in the certificate extension using the <t>When an SVG image is embedded in the certificate extension using the
"data" URL scheme, the SVG image data <bcp14>MUST</bcp14> be provided in GZIP-co mpressed "data" URL scheme, the SVG image data <bcp14>MUST</bcp14> be provided in GZIP-co mpressed
form, and the XML structure, prior to compression, <bcp14>SHOULD</bcp14> use lin efeed form, and the XML structure, prior to compression, <bcp14>SHOULD</bcp14> use lin efeed
(0x0A) as the end-of-line (EOL) character.</t> (0x0A) as the end-of-line (EOL) character.</t>
<t>When a bitmap image is used, the PNG <xref target="ISO15948"/> format < bcp14>SHOULD</bcp14> be used.</t> <t>When a bitmap image is used, the PNG <xref target="ISO15948"/> format < bcp14>SHOULD</bcp14> be used.</t>
<t>When a Portable Document Format (PDF) document according to <xref targe t="ISO32000"/> <t>According to <xref target="ISO32000"/>, when a Portable Document Format (PDF) document
is used, it <bcp14>MUST</bcp14> also be formatted according to the profile PDF/A <xref target="ISO19005"/>.</t> is used, it <bcp14>MUST</bcp14> also be formatted according to the profile PDF/A <xref target="ISO19005"/>.</t>
</section> </section>
<section anchor="audio-format"> <section anchor="audio-format">
<name>Audio Formats</name> <name>Audio Formats</name>
<t>Implementations that support audio <bcp14>MUST</bcp14> support the MP3 audio format <t>Implementations that support audio <bcp14>MUST</bcp14> support the MP3 audio format
<xref target="MP3"/> with a MIME type of "audio/mpeg" <xref target="RFC3003"/>. <xref target="MP3"/> with a media type of "audio/mpeg" <xref target="RFC3003"/>.
Implementations <bcp14>SHOULD</bcp14> support Implementations <bcp14>SHOULD</bcp14> support
text-based audio data with a MIME type of "text/plain;charset=UTF-8". text-based audio data with a media type of "text/plain;charset=UTF-8".
Implementations <bcp14>MAY</bcp14> support other audio formats.</t> Implementations <bcp14>MAY</bcp14> support other audio formats.</t>
<t>Text-based audio data using the MIME type of "text/plain;charset=UTF-8" is <t>Text-based audio data using the media type of "text/plain;charset=UTF-8 " is
intended to be used by text-to-speech software. When this audio type is used, intended to be used by text-to-speech software. When this audio type is used,
the following requirements apply:</t> the following requirements apply:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>LogotypeAudioInfo <bcp14>MUST</bcp14> be present and specify the lan guage of the text.</li> <li>LogotypeAudioInfo <bcp14>MUST</bcp14> be present and specify the lan guage of the text.</li>
<li>The fileSize, playTime, and channels elements of LogotypeAudioInfo < bcp14>MUST</bcp14> have the value of 0.</li> <li>The fileSize, playTime, and channels elements of LogotypeAudioInfo < bcp14>MUST</bcp14> have the value of 0.</li>
<li>The sampleRate element of LogotypeAudioInfo <bcp14>MUST</bcp14> be a bsent.</li> <li>The sampleRate element of LogotypeAudioInfo <bcp14>MUST</bcp14> be a bsent.</li>
</ul> </ul>
</section> </section>
<section anchor="sec-cons"> <section anchor="sec-cons">
<name>Security Considerations</name> <name>Security Considerations</name>
<t>Implementations that simultaneously display multiple logotype types <t>Implementations that simultaneously display multiple logotype types
(subject organization, issuer, community, or other), <bcp14>MUST</bcp14> ensure that (subject organization, issuer organization, community, or other) <bcp14>MUST</bc p14> ensure that
there is no ambiguity as to the binding between the image and the there is no ambiguity as to the binding between the image and the
type of logotype that the image represents. "Logotype type" is type of logotype that the image represents. "Logotype type" is
defined in <xref target="cert-ident"/>, and it refers to the type defined in <xref target="cert-ident"/>, and it refers to the type
of entity or affiliation represented by the logotype, not the of entity or affiliation represented by the logotype, not the
of binary format of the image or audio.</t> of binary format of the image or audio.</t>
<t>Logotypes are very difficult to securely and accurately define. Names <t>Logotypes are very difficult to securely and accurately define. Names
are also difficult in this regard, but logotypes are even worse. It are also difficult in this regard, but logotypes are even worse. It
is quite difficult to specify what is, and what is not, a legitimate is quite difficult to specify what is, and what is not, a legitimate
logotype of an organization. There is an entire legal structure around logotype of an organization. There is an entire legal structure around
this issue, and it will not be repeated here. However, issuers should this issue, and it will not be repeated here. However, issuers should
providers who want to issue logotypes from doing so, where relevant.</t> providers who want to issue logotypes from doing so, where relevant.</t>
<t>It is impossible to prevent fraudulent creation of certificates by <t>It is impossible to prevent fraudulent creation of certificates by
dishonest or badly performing issuers, containing names and logotypes dishonest or badly performing issuers, containing names and logotypes
that the issuer has no claim to or has failed to check correctly. Such that the issuer has no claim to or has failed to check correctly. Such
certificates could be created in an attempt to socially engineer a user certificates could be created in an attempt to socially engineer a user
into accepting a certificate. The premise used for the logotype work is into accepting a certificate. The premise used for the logotype work is
thus that logotype graphics in a certificate are trusted only if the thus that logotype graphics in a certificate are trusted only if the
certificate is successfully validated within a valid path. It is thus certificate is successfully validated within a valid path. It is thus
imperative that the representation of any certificate that fails to imperative that the representation of any certificate that fails to
validate is not enhanced in any way by using the logotype data.</t> validate is not enhanced in any way by using the logotype data.</t>
<t>This underlines the necessity for CAs to provide reliable services, <t>This underlines the necessity for CAs to provide reliable services
and the relying party's responsibility and need to carefully select and the relying party's responsibility and need to carefully select
which CAs are trusted to provide public key certificates.</t> which CAs are trusted to provide public key certificates.</t>
<t>This also underlines the general necessity for relying parties to use <t>This also underlines the general necessity for relying parties to use
up-to-date software libraries to render or dereference data from up-to-date software libraries to render or dereference data from
external sources, including logotype data in certificates, to minimize external sources, including logotype data in certificates, to minimize
risks related to processing potentially malicious data before it has been risks related to processing potentially malicious data before it has been
adequately verified and validated. Implementers should review the guidance adequately verified and validated. Implementers should review the guidance
in <xref section="7" sectionFormat="of" target="RFC3986"/>.</t> in <xref section="7" sectionFormat="of" target="RFC3986"/>.</t>
<t>Referenced image objects are hashed in order to bind the image to the <t>Referenced image objects are hashed in order to bind the image to the
signature of the certificate. Some image types, such as SVG, allow signature of the certificate. Some image types, such as SVG, allow
part of the image to be collected from an external source by part of the image to be collected from an external source by
incorporating a reference to an external file that contains the image. If incorporating a reference to an external file that contains the image. If
this feature were used within a logotype image, the hash of the image this feature were used within a logotype image, the hash of the image
would only cover the URI reference to the external image file, but would only cover the URI reference to the external image file but
not the referenced image data. Clients <bcp14>SHOULD</bcp14> verify that SVG not the referenced image data. Clients <bcp14>SHOULD</bcp14> verify that SVG
images meet all requirements listed in <xref target="image-format"/> and reject images meet all requirements listed in <xref target="image-format"/> and reject
images that contain references to external data.</t> images that contain references to external data.</t>
<t>CAs issuing certificates with embedded logotype images should be <t>CAs issuing certificates with embedded logotype images should be
cautious when accepting graphics from the certificate requestor for cautious when accepting graphics from the certificate requester for
inclusion in the certificate if the hash algorithm used to sign the inclusion in the certificate if the hash algorithm used to sign the
certificate is vulnerable to collision attacks such as <xref target="RFC6151"/>. In certificate is vulnerable to collision attacks, as described in <xref target="RF C6151"/>. In
such a case, the accepted image may contain data that could help an such a case, the accepted image may contain data that could help an
attacker to obtain colliding certificates with identical certificate attacker to obtain colliding certificates with identical certificate
signatures.</t> signatures.</t>
<t>Certification paths may also impose name constraints that are <t>Certification paths may also impose name constraints that are
systematically checked during certification path processing, which, systematically checked during certification path processing, which,
in theory, may be circumvented by logotypes.</t> in theory, may be circumvented by logotypes.</t>
<t>Certificate path processing as defined in <xref target="RFC5280"/> does not constrain <t>Certificate path processing, as defined in <xref target="RFC5280"/>, do es not constrain
the inclusion of logotype data in certificates. A parent CA can the inclusion of logotype data in certificates. A parent CA can
constrain certification path validation such that subordinate CAs cannot constrain certification path validation such that subordinate CAs cannot
issue valid certificates to end-entities outside a limited name space or issue valid certificates to end entities outside a limited name space or
outside specific certificate polices. A malicious CA can comply with outside specific certificate policies. A malicious CA can comply with
these name and policy requirements and still include inappropriate these name and policy requirements and still include inappropriate
logotypes in the certificates that it issues. These certificates will logotypes in the certificates that it issues. These certificates will
pass the certification path validation algorithm, which means the client pass the certification path validation algorithm, which means the client
will trust the logotypes in the certificates. Since there is no will trust the logotypes in the certificates. Since there is no
technical mechanism to prevent or control subordinate CAs from including technical mechanism to prevent or control subordinate CAs from including
the logotype extension or its contents, where appropriate, a parent CA the logotype certificate extension or its contents, where appropriate, a parent CA
could employ a legal agreement to impose a suitable restriction on the could employ a legal agreement to impose a suitable restriction on the
subordinate CA. This situation is not unique to the logotype extension.</t> subordinate CA. This situation is not unique to the logotype certificate extens ion.</t>
<t>When a relying party fetches remote logotype data, a mismatch between t he <t>When a relying party fetches remote logotype data, a mismatch between t he
media type provided in the mediaType field of the LogotypeDetails and the media type provided in the mediaType field of the LogotypeDetails and the
Content-Type HTTP header of the retrieved object <bcp14>MUST</bcp14> be treated as a Content-Type HTTP header of the retrieved object <bcp14>MUST</bcp14> be treated as a
failure and the fetched logotype data should not be presented to the failure, and the fetched logotype data should not be presented to the
user. However, if more than one location for the remote logotype data is user. However, if more than one location for the remote logotype data is
provided in the certificate extension, the relying party <bcp14>MAY</bcp14> try to fetch provided in the certificate extension, the relying party <bcp14>MAY</bcp14> try to fetch
the remote logotype data from an alternate location to resolve the failure.</t> the remote logotype data from an alternate location to resolve the failure.</t>
<t>When a subscriber requests the inclusion of remote logotype data in a <t>When a subscriber requests the inclusion of remote logotype data in a
certificate, the CA cannot be sure that any logotype data will be certificate, the CA cannot be sure that any logotype data will be
available at the provided URI for the entire validity period of the available at the provided URI for the entire validity period of the
certificate. To mitigate this concern, the CA may provide the logotype certificate. To mitigate this concern, the CA may provide the logotype
data from a server under its control, rather than a subscriber-controlled data from a server under its control, rather than a subscriber-controlled
server.</t> server.</t>
<t>The controls available to a parent CA to protect itself from rogue <t>The controls available to a parent CA to protect itself from rogue
servers <bcp14>MAY</bcp14> reduce visibility into the data that is being returne d by servers <bcp14>MAY</bcp14> reduce visibility into the data that is being returne d by
encrypting with HTTPS and padding to a few common sizes.</t> encrypting with HTTPS and padding to a few common sizes.</t>
<t>Similarly, when fetching logotype data from a server, the server operat or <t>Similarly, when fetching logotype data from a server, the server operat or
can determine which clients are making use of certificates that contain can determine which clients are making use of certificates that contain
particular logotype data. As above, locally caching logotype data will particular logotype data. As above, locally caching logotype data will
eliminate the need to fetch the logotype data each time the certificate eliminate the need to fetch the logotype data each time the certificate
is used, and lack of caching would reveal usage frequency. Even when is used, and lack of caching would reveal usage frequency. Even when
implementations cache logotype data, regardless of whether direct or implementations cache logotype data, regardless of whether direct or
indirect addressing is employed, the server operator could observe when indirect addressing is employed, the server operator could observe when
logotype data is fetched for the first time.</t> logotype data is fetched for the first time.</t>
<t>In addition, the use of an encrypted DNS mechanism, such as DoT <xref t <t>In addition, the use of an encrypted DNS mechanism, such as DNS over TLS (DoT
arget="RFC7858"/> ) <xref target="RFC7858"/>
or DoH <xref target="RFC9230"/>, hides the name resolution traffic associated fe or DNS over HTTPS (DoH) <xref target="RFC9230"/>, hides the name resolution traf
tching fic, which is usually a first step in fetching
remote logotype objects from third parties.</t> remote logotype objects.</t>
<t>When the "data" URI scheme is used with direct addressing, there is no <t>When the "data" URI scheme is used with direct addressing, there is no
network traffic to fetch logotype data, which avoids the observations of network traffic to fetch logotype data, which avoids the observations of
network traffic or server operations described above. To obtain this network traffic or server operations described above. To obtain this
benefit, the certificate will be larger than one that contains a URL. benefit, the certificate will be larger than one that contains a URL.
Due to the improved privacy posture, the "data" URI scheme with direct Due to the improved privacy posture, the "data" URI scheme with direct
addressing will be the only one that is supported by some CAs. addressing will be the only one that is supported by some CAs.
Privacy-aware certificate subscribers <bcp14>MAY</bcp14> wish to insist that log otype Privacy-aware certificate subscribers <bcp14>MAY</bcp14> wish to insist that log otype
data is embedded in the certificate with the "data" URI scheme with data is embedded in the certificate with the "data" URI scheme with
direct addressing.</t> direct addressing.</t>
<t>In cases where logotype data is cached by the relying party, the cache <t>In cases where logotype data is cached by the relying party, the cache
multiple URIs. The index should include hash values for all supported multiple URIs. The index should include hash values for all supported
hash algorithms. The cached data should include the media type as well as hash algorithms. The cached data should include the media type as well as
the logotype data. Implementations should give preference to logotype data the logotype data. Implementations should give preference to logotype data
that is already in the cache when multiple alternatives are offered in the that is already in the cache when multiple alternatives are offered in the
LogotypeExtn certificate extension.</t> LogotypeExtn certificate extension.</t>
<t>When the "data" URI scheme is used, the relying party <bcp14>MAY</bcp14 > add the embedded <t>When the "data" URI scheme is used, the relying party <bcp14>MAY</bcp14 > add the embedded
logotype data to the local cache, which could avoid the need to fetch the logotype data to the local cache, which could avoid the need to fetch the
logotype data if it is referenced by a URL in another certificate.</t> logotype data if it is referenced by a URL in another certificate.</t>
<t>When fetching remote logotype data, relying parties should use the most <t>When fetching remote logotype data, relying parties should use the most
privacy-preserving options that are available to minimize the opportunities privacy-preserving options that are available to minimize the opportunities
for servers to "fingerprint" clients. For example, avoid cookies, e-tags, and for servers to "fingerprint" clients. For example, avoid cookies, ETags, and
client certificates.</t> client certificates.</t>
<t>When a relying party encounters a new certificate, the lack of network traffic <t>When a relying party encounters a new certificate, the lack of network traffic
to fetch logotype data might indicate that a certificate with references to the to fetch logotype data might indicate that a certificate with references to the
same logotype data has been previously processed and cached.</t> same logotype data has been previously processed and cached.</t>
<t>TLS 1.3 <xref target="RFC8446"/> includes the ability to encrypt the se rver's certificate <t>TLS 1.3 <xref target="RFC8446"/> includes the ability to encrypt the se rver's certificate
in the TLS handshake, which helps hide the server's identity from anyone that in the TLS handshake, which helps hide the server's identity from anyone that
is watching activity on the network. If the server's certificate includes is watching activity on the network. If the server's certificate includes
remote logotype data, the client fetching that data might disclose the remote logotype data, the client fetching that data might disclose the
otherwise protected server identity.</t> otherwise protected server identity.</t>
</section> </section>
<section anchor="iana"> <section anchor="iana">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t>For the new ASN.1 Module in <xref target="asn1-mod-new"/>, IANA <t>For the new ASN.1 module in <xref target="asn1-mod-new"/>, IANA has
is requested to assign an object identifier (OID) for the module assigned the following OID
identifier. The OID for the module should be allocated in the "SMI in the "SMI Security for PKIX Module Identifier" registry
Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).</t> (1.3.6.1.5.5.7.0):</t>
<t>For the existing entries in the Structure of Management Information (SM
I) <table anchor="iana1" align="left">
Numbers registry that refer to RFC 3709 or RFC 6170, IANA is requested <name></name>
update the entries to refer to this document. These entries are:</t> <thead>
<artwork><![CDATA[ <tr>
1.3.6.1.5.5.7.0.22 id-mod-logotype <th>Decimal</th>
1.3.6.1.5.5.7.0.68 id-mod-logotype-certimage <th>Description</th>
1.3.6.1.5.5.7.1.12 id-pe-logotype <th>References</th>
1.3.6.1.5.5.7.20.1 id-logo-loyalty </tr>
1.3.6.1.5.5.7.20.2 id-logo-background </thead>
1.3.6.1.5.5.7.20.3 id-logo-certImage <tbody>
]]></artwork> <tr>
</section> <td>107</td>
<section anchor="acks"> <td>id-mod-logotype-2022</td>
<name>Acknowledgments</name> <td>RFC 9399</td>
<section anchor="acks-rfc3709"> </tr>
<name>Acknowledgments from RFC 3709</name> </tbody>
<t>This document is the result of contributions from many </table>
professionals. The authors appreciate contributions from all members
of the IETF PKIX Working Group. We extend a special thanks to Al <t>IANA has updated the entries in the "Structure of Management
Arsenault, David Cross, Tim Polk, Russel Weiser, Terry Hayes, Alex Information (SMI) Numbers" registry that referred to <xref
Deacon, Andrew Hoag, Randy Sabett, Denis Pinkas, Magnus Nystrom, Ryan target="RFC3709"/> or <xref target="RFC6170"/> to refer to this
Hurst, and Phil Griffin for their efforts and support.</t> document. These entries are noted in the tables below.</t>
<t>Russ Housley thanks the management at RSA Laboratories, especially
Burt Kaliski, who supported the development of this specification. The <t>From the "SMI Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0)
vast majority of the work on this specification was done while :</t>
Russ was employed at RSA Laboratories.</t> <table anchor="iana2" align="left">
</section> <name></name>
<section anchor="acks-rfc6170"> <thead>
<name>Acknowledgments from RFC 6170</name> <tr>
<t>The authors recognize valuable contributions from members of the PKIX <th>Decimal</th>
working group, the CA Browser Forum, and James Manger, for their <th>Description</th>
review and sample data.</t> <th>References</th>
</section> </tr>
<section anchor="acks-additional"> </thead>
<name>Additional Acknowledgments</name> <tbody>
<t>Combining RFC 3709 and RFC 6170 has produced an improved <tr>
specification. The authors appreciate contributions from all members <td>22</td>
of the IETF LAMPS Working Group. We extend a special thanks to <td>id-mod-logotype</td>
Alexey Melnikov for his guidance on media types. We extend a special <td>RFC 9399</td>
thanks to Tim Geiser for his careful checking of the new examples in </tr>
Appendix B.4 and B.5. We extend a special thanks to Corey Bonnell, <tr>
Daniel Kahn Gillmor, Roman Danyliw, Paul Wouters, Paul Kyzivat, Shuping Peng, <td>68</td>
Sheng Jiang, Rob Wilton, Eric Vyncke, Donald Eastlake, and Dan Harkins <td>id-mod-logotype-certimage</td>
for their careful review and helpful comments.</t> <td>RFC 9399</td>
</section> </tr>
</tbody>
</table>
<t>From the "SMI Security for PKIX Certificate Extension" registry (1.3.6.1.5.5.
7.1):</t>
<table anchor="iana3" align="left">
<name></name>
<thead>
<tr>
<th>Decimal</th>
<th>Description</th>
<th>References</th>
</tr>
</thead>
<tbody>
<tr>
<td>12</td>
<td>id-pe-logotype</td>
<td>RFC 9399</td>
</tr>
</tbody>
</table>
<t>From the "SMI Security for PKIX Other Logotype Identifiers" registry (1.3.6.1
.5.5.7.20):</t>
<table anchor="iana4" align="left">
<name></name>
<thead>
<tr>
<th>Decimal</th>
<th>Description</th>
<th>References</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>id-logo-loyalty</td>
<td>RFC 9399</td>
</tr>
<tr>
<td>2</td>
<td>id-logo-background</td>
<td>RFC 9399</td>
</tr>
<tr>
<td>3</td>
<td>id-logo-certImage</td>
<td>RFC 9399</td>
</tr>
</tbody>
</table>
</section> </section>
</middle> </middle>
<back> <back>
<references> <references>
<name>References</name> <name>References</name>
<references> <references>
<name>Normative References</name> <name>Normative References</name>
<reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5
280"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"
<front> />
<title>Internet X.509 Public Key Infrastructure Certificate and Cert <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5755.xml"
ificate Revocation List (CRL) Profile</title> />
<author fullname="D. Cooper" initials="D." surname="Cooper"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3986.xml"
<organization/> />
</author> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2397.xml"
<author fullname="S. Santesson" initials="S." surname="Santesson"> />
<organization/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2046.xml"
</author> />
<author fullname="S. Farrell" initials="S." surname="Farrell"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3003.xml"
<organization/> />
</author> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5646.xml"
<author fullname="S. Boeyen" initials="S." surname="Boeyen"> />
<organization/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5234.xml"
</author> />
<author fullname="R. Housley" initials="R." surname="Housley"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1952.xml"
<organization/> />
</author> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"
<author fullname="W. Polk" initials="W." surname="Polk"> />
<organization/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9110.xml"
</author> />
<date month="May" year="2008"/>
<abstract> <reference anchor="NEW-ASN1" target="https://www.itu.int/rec/T-REC-X.680"
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certif >
icate revocation list (CRL) for use in the Internet. An overview of this approa
ch and model is provided as an introduction. The X.509 v3 certificate format is
described in detail, with additional information regarding the format and seman
tics of Internet name forms. Standard certificate extensions are described and
two Internet-specific extensions are defined. A set of required certificate ext
ensions is specified. The X.509 v2 CRL format is described in detail along with
standard and Internet-specific extensions. An algorithm for X.509 certificatio
n path validation is described. An ASN.1 module and examples are provided in th
e appendices. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5280"/>
<seriesInfo name="DOI" value="10.17487/RFC5280"/>
</reference>
<reference anchor="RFC5755" target="https://www.rfc-editor.org/info/rfc5
755">
<front>
<title>An Internet Attribute Certificate Profile for Authorization</
title>
<author fullname="S. Farrell" initials="S." surname="Farrell">
<organization/>
</author>
<author fullname="R. Housley" initials="R." surname="Housley">
<organization/>
</author>
<author fullname="S. Turner" initials="S." surname="Turner">
<organization/>
</author>
<date month="January" year="2010"/>
<abstract>
<t>This specification defines a profile for the use of X.509 Attri
bute Certificates in Internet Protocols. Attribute certificates may be used in
a wide range of applications and environments covering a broad spectrum of inter
operability goals and a broader spectrum of operational and assurance requiremen
ts. The goal of this document is to establish a common baseline for generic app
lications requiring broad interoperability as well as limited special purpose re
quirements. The profile places emphasis on attribute certificate support for In
ternet electronic mail, IPsec, and WWW security applications. This document obs
oletes RFC 3281. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5755"/>
<seriesInfo name="DOI" value="10.17487/RFC5755"/>
</reference>
<reference anchor="RFC3986" target="https://www.rfc-editor.org/info/rfc3
986">
<front>
<title>Uniform Resource Identifier (URI): Generic Syntax</title>
<author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee
">
<organization/>
</author>
<author fullname="R. Fielding" initials="R." surname="Fielding">
<organization/>
</author>
<author fullname="L. Masinter" initials="L." surname="Masinter">
<organization/>
</author>
<date month="January" year="2005"/>
<abstract>
<t>A Uniform Resource Identifier (URI) is a compact sequence of ch
aracters that identifies an abstract or physical resource. This specification d
efines the generic URI syntax and a process for resolving URI references that mi
ght be in relative form, along with guidelines and security considerations for t
he use of URIs on the Internet. The URI syntax defines a grammar that is a supe
rset of all valid URIs, allowing an implementation to parse the common component
s of a URI reference without knowing the scheme-specific requirements of every p
ossible identifier. This specification does not define a generative grammar for
URIs; that task is performed by the individual specifications of each URI schem
e. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="STD" value="66"/>
<seriesInfo name="RFC" value="3986"/>
<seriesInfo name="DOI" value="10.17487/RFC3986"/>
</reference>
<reference anchor="RFC2397" target="https://www.rfc-editor.org/info/rfc2
397">
<front>
<title>The "data" URL scheme</title>
<author fullname="L. Masinter" initials="L." surname="Masinter">
<organization/>
</author>
<date month="August" year="1998"/>
<abstract>
<t>A new URL scheme, "data", is defined. It allows inclusion of sm
all data items as "immediate" data, as if it had been included externally. [STAN
DARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2397"/>
<seriesInfo name="DOI" value="10.17487/RFC2397"/>
</reference>
<reference anchor="RFC2046" target="https://www.rfc-editor.org/info/rfc2
046">
<front>
<title>Multipurpose Internet Mail Extensions (MIME) Part Two: Media
Types</title>
<author fullname="N. Freed" initials="N." surname="Freed">
<organization/>
</author>
<author fullname="N. Borenstein" initials="N." surname="Borenstein">
<organization/>
</author>
<date month="November" year="1996"/>
<abstract>
<t>This second document defines the general structure of the MIME
media typing system and defines an initial set of media types. [STANDARDS-TRACK
]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2046"/>
<seriesInfo name="DOI" value="10.17487/RFC2046"/>
</reference>
<reference anchor="RFC3003" target="https://www.rfc-editor.org/info/rfc3
003">
<front>
<title>The audio/mpeg Media Type</title>
<author fullname="M. Nilsson" initials="M." surname="Nilsson">
<organization/>
</author>
<date month="November" year="2000"/>
<abstract>
<t>The audio layers of the MPEG-1 and MPEG-2 standards are in freq
uent use on the internet, but there is no uniform Multipurpose Internet Mail Ext
ension (MIME) type for these files. The intention of this document is to define
the media type audio/mpeg to refer to this kind of contents. [STANDARDS-TRACK]
</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3003"/>
<seriesInfo name="DOI" value="10.17487/RFC3003"/>
</reference>
<reference anchor="RFC5646" target="https://www.rfc-editor.org/info/rfc5
646">
<front>
<title>Tags for Identifying Languages</title>
<author fullname="A. Phillips" initials="A." role="editor" surname="
Phillips">
<organization/>
</author>
<author fullname="M. Davis" initials="M." role="editor" surname="Dav
is">
<organization/>
</author>
<date month="September" year="2009"/>
<abstract>
<t>This document describes the structure, content, construction, a
nd semantics of language tags for use in cases where it is desirable to indicate
the language used in an information object. It also describes how to register
values for use in language tags and the creation of user-defined extensions for
private interchange. This document specifies an Internet Best Current Practice
s for the Internet Community, and requests discussion and suggestions for improv
ements.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="47"/>
<seriesInfo name="RFC" value="5646"/>
<seriesInfo name="DOI" value="10.17487/RFC5646"/>
</reference>
<reference anchor="RFC6838" target="https://www.rfc-editor.org/info/rfc6
838">
<front>
<title>Media Type Specifications and Registration Procedures</title>
<author fullname="N. Freed" initials="N." surname="Freed">
<organization/>
</author>
<author fullname="J. Klensin" initials="J." surname="Klensin">
<organization/>
</author>
<author fullname="T. Hansen" initials="T." surname="Hansen">
<organization/>
</author>
<date month="January" year="2013"/>
<abstract>
<t>This document defines procedures for the specification and regi
stration of media types for use in HTTP, MIME, and other Internet protocols. Th
is memo documents an Internet Best Current Practice.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="13"/>
<seriesInfo name="RFC" value="6838"/>
<seriesInfo name="DOI" value="10.17487/RFC6838"/>
</reference>
<reference anchor="RFC5234" target="https://www.rfc-editor.org/info/rfc5
234">
<front>
<title>Augmented BNF for Syntax Specifications: ABNF</title>
<author fullname="D. Crocker" initials="D." role="editor" surname="C
rocker">
<organization/>
</author>
<author fullname="P. Overell" initials="P." surname="Overell">
<organization/>
</author>
<date month="January" year="2008"/>
<abstract>
<t>Internet technical specifications often need to define a formal
syntax. Over the years, a modified version of Backus-Naur Form (BNF), called A
ugmented BNF (ABNF), has been popular among many Internet specifications. The c
urrent specification documents ABNF. It balances compactness and simplicity with
reasonable representational power. The differences between standard BNF and AB
NF involve naming rules, repetition, alternatives, order-independence, and value
ranges. This specification also supplies additional rule definitions and encod
ing for a core lexical analyzer of the type common to several Internet specifica
tions. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="STD" value="68"/>
<seriesInfo name="RFC" value="5234"/>
<seriesInfo name="DOI" value="10.17487/RFC5234"/>
</reference>
<reference anchor="RFC1952" target="https://www.rfc-editor.org/info/rfc1
952">
<front>
<title>GZIP file format specification version 4.3</title>
<author fullname="P. Deutsch" initials="P." surname="Deutsch">
<organization/>
</author>
<date month="May" year="1996"/>
<abstract>
<t>This specification defines a lossless compressed data format th
at is compatible with the widely used GZIP utility. This memo provides informat
ion for the Internet community. This memo does not specify an Internet standard
of any kind.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="1952"/>
<seriesInfo name="DOI" value="10.17487/RFC1952"/>
</reference>
<reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8
446">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.3</titl
e>
<author fullname="E. Rescorla" initials="E." surname="Rescorla">
<organization/>
</author>
<date month="August" year="2018"/>
<abstract>
<t>This document specifies version 1.3 of the Transport Layer Secu
rity (TLS) protocol. TLS allows client/server applications to communicate over
the Internet in a way that is designed to prevent eavesdropping, tampering, and
message forgery.</t>
<t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 50
77, 5246, and 6961. This document also specifies new requirements for TLS 1.2 i
mplementations.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8446"/>
<seriesInfo name="DOI" value="10.17487/RFC8446"/>
</reference>
<reference anchor="RFC9110" target="https://www.rfc-editor.org/info/rfc9
110">
<front>
<title>HTTP Semantics</title>
<author fullname="R. Fielding" initials="R." role="editor" surname="
Fielding">
<organization/>
</author>
<author fullname="M. Nottingham" initials="M." role="editor" surname
="Nottingham">
<organization/>
</author>
<author fullname="J. Reschke" initials="J." role="editor" surname="R
eschke">
<organization/>
</author>
<date month="June" year="2022"/>
<abstract>
<t>The Hypertext Transfer Protocol (HTTP) is a stateless applicati
on-level protocol for distributed, collaborative, hypertext information systems.
This document describes the overall architecture of HTTP, establishes common te
rminology, and defines aspects of the protocol that are shared by all versions.
In this definition are core protocol elements, extensibility mechanisms, and the
"http" and "https" Uniform Resource Identifier (URI) schemes. </t>
<t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7
232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
</abstract>
</front>
<seriesInfo name="STD" value="97"/>
<seriesInfo name="RFC" value="9110"/>
<seriesInfo name="DOI" value="10.17487/RFC9110"/>
</reference>
<reference anchor="NEW-ASN1" target="https://www.itu.int/rec/T-REC-X.680
">
<front> <front>
<title>Information technology -- Abstract Syntax Notation One (ASN.1 ): Specification of basic notation</title> <title>Information technology -- Abstract Syntax Notation One (ASN.1 ): Specification of basic notation</title>
<author> <author>
<organization>ITU-T</organization> <organization>ITU-T</organization>
</author> </author>
<date year="2021" month="February"/> <date year="2021" month="February"/>
</front> </front>
<seriesInfo name="ITU-T Recommendation" value="X.680"/> <seriesInfo name="ITU-T Recommendation" value="X.680"/>
<seriesInfo name="ISO/IEC" value="8824-1:2021"/> <seriesInfo name="ISO/IEC" value="8824-1:2021"/>
</reference> </reference>
<reference anchor="SVGT" target="https://www.w3.org/TR/2008/PR-SVGTiny12
-20081117"> <reference anchor="SVGT" target="http://www.w3.org/TR/2008/REC-SVGTiny12
-20081222/">
<front> <front>
<title>Scalable Vector Graphics (SVG) Tiny 1.2 Specification</title> <title>Scalable Vector Graphics (SVG) Tiny 1.2 Specification</title>
<author> <author>
<organization>World Wide Web Consortium</organization> <organization>World Wide Web Consortium</organization>
</author> </author>
<date year="2008" month="November" day="17"/> <date year="2008" month="December"/>
</front> </front>
<seriesInfo name="W3C" value="PR-SVGTiny12-20081117"/> <seriesInfo name="W3C" value="REC-SVGTiny12-20081222"/>
</reference> </reference>
<reference anchor="ISO15948"> <reference anchor="ISO15948">
<front> <front>
<title>Information technology -- Computer graphics and image process ing -- Portable Network Graphics (PNG): Functional specification</title> <title>Information technology -- Computer graphics and image process ing -- Portable Network Graphics (PNG): Functional specification</title>
<author> <author>
<organization>ISO/IEC</organization> <organization>ISO/IEC</organization>
</author> </author>
<date year="2004"/> <date year="2004" month="March"/>
</front> </front>
<seriesInfo name="ISO/IEC" value="15948:2004"/> <seriesInfo name="ISO/IEC" value="15948:2004"/>
</reference> </reference>
<reference anchor="JPEG"> <reference anchor="JPEG">
<front> <front>
<title>Information technology -- Digital compression and coding of c ontinuous-tone still images: JPEG File Interchange Format (JFIF)</title> <title>Information technology -- Digital compression and coding of c ontinuous-tone still images: JPEG File Interchange Format (JFIF)</title>
<author> <author>
<organization>ITU-T</organization> <organization>ITU-T</organization>
</author> </author>
<date year="2011" month="May"/> <date year="2013" month="May"/>
</front> </front>
<seriesInfo name="ITU-T Recommendation" value="T.871"/> <seriesInfo name="ITU-T Recommendation" value="T.871"/>
<seriesInfo name="ISO/IEC" value="10918-5:2013"/> <seriesInfo name="ISO/IEC" value="10918-5:2013"/>
</reference> </reference>
<reference anchor="GIF" target="https://www.w3.org/Graphics/GIF/spec-gif 89a.txt"> <reference anchor="GIF" target="https://www.w3.org/Graphics/GIF/spec-gif 89a.txt">
<front> <front>
<title>Graphics Interchange Format</title> <title>Graphics Interchange Format</title>
<author> <author>
<organization>CompuServe Incorporated</organization> <organization>CompuServe Incorporated</organization>
</author> </author>
<date year="1990" month="July" day="31"/> <date year="1990" month="July"/>
</front> </front>
<seriesInfo name="Version" value="89a"/> <seriesInfo name="Version" value="89a"/>
</reference> </reference>
<reference anchor="MP3"> <reference anchor="MP3">
<front> <front>
<title>Information technology -- Generic coding of moving pictures a nd associated audio information -- Part 3: Audio</title> <title>Information technology -- Generic coding of moving pictures a nd associated audio information -- Part 3: Audio</title>
<author> <author>
<organization>ISO/IEC</organization> <organization>ISO/IEC</organization>
</author> </author>
<date year="1998"/> <date year="1998" month="April"/>
</front> </front>
<seriesInfo name="ISO/IEC" value="13818-3:1998"/> <seriesInfo name="ISO/IEC" value="13818-3:1998"/>
</reference> </reference>
<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2
119"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"
<front> />
<title>Key words for use in RFCs to Indicate Requirement Levels</tit <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"
le> />
<author fullname="S. Bradner" initials="S." surname="Bradner">
<organization/>
</author>
<date month="March" year="1997"/>
<abstract>
<t>In many standards track documents several words are used to sig
nify the requirements in the specification. These words are often capitalized.
This document defines these words as they should be interpreted in IETF document
s. This document specifies an Internet Best Current Practices for the Internet
Community, and requests discussion and suggestions for improvements.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8
174">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
tle>
<author fullname="B. Leiba" initials="B." surname="Leiba">
<organization/>
</author>
<date month="May" year="2017"/>
<abstract>
<t>RFC 2119 specifies common key words that may be used in protoco
l specifications. This document aims to reduce the ambiguity by clarifying tha
t only UPPERCASE usage of the key words have the defined special meanings.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
</references> </references>
<references> <references>
<name>Informative References</name> <name>Informative References</name>
<reference anchor="RFC5912" target="https://www.rfc-editor.org/info/rfc5
912"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5912.xml"
<front> />
<title>New ASN.1 Modules for the Public Key Infrastructure Using X.5 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6151.xml"
09 (PKIX)</title> />
<author fullname="P. Hoffman" initials="P." surname="Hoffman"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6268.xml"
<organization/> />
</author> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8118.xml"
<author fullname="J. Schaad" initials="J." surname="Schaad"> />
<organization/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3709.xml"
</author> />
<date month="June" year="2010"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6170.xml"
<abstract> />
<t>The Public Key Infrastructure using X.509 (PKIX) certificate fo <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7858.xml"
rmat, and many associated formats, are expressed using ASN.1. The current ASN.1 />
modules conform to the 1988 version of ASN.1. This document updates those ASN. <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9162.xml"
1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire />
changes to any of the formats; this is simply a change to the syntax. This doc <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9216.xml"
ument is not an Internet Standards Track specification; it is published for inf />
ormational purposes.</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9230.xml"
</abstract> />
</front>
<seriesInfo name="RFC" value="5912"/>
<seriesInfo name="DOI" value="10.17487/RFC5912"/>
</reference>
<reference anchor="RFC6151" target="https://www.rfc-editor.org/info/rfc6
151">
<front>
<title>Updated Security Considerations for the MD5 Message-Digest an
d the HMAC-MD5 Algorithms</title>
<author fullname="S. Turner" initials="S." surname="Turner">
<organization/>
</author>
<author fullname="L. Chen" initials="L." surname="Chen">
<organization/>
</author>
<date month="March" year="2011"/>
<abstract>
<t>This document updates the security considerations for the MD5 m
essage digest algorithm. It also updates the security considerations for HMAC-M
D5. This document is not an Internet Standards Track specification; it is publ
ished for informational purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6151"/>
<seriesInfo name="DOI" value="10.17487/RFC6151"/>
</reference>
<reference anchor="RFC6268" target="https://www.rfc-editor.org/info/rfc6
268">
<front>
<title>Additional New ASN.1 Modules for the Cryptographic Message Sy
ntax (CMS) and the Public Key Infrastructure Using X.509 (PKIX)</title>
<author fullname="J. Schaad" initials="J." surname="Schaad">
<organization/>
</author>
<author fullname="S. Turner" initials="S." surname="Turner">
<organization/>
</author>
<date month="July" year="2011"/>
<abstract>
<t>The Cryptographic Message Syntax (CMS) format, and many associa
ted formats, are expressed using ASN.1. The current ASN.1 modules conform to th
e 1988 version of ASN.1. This document updates some auxiliary ASN.1 modules to
conform to the 2008 version of ASN.1; the 1988 ASN.1 modules remain the normativ
e version. There are no bits- on-the-wire changes to any of the formats; this i
s simply a change to the syntax. This document is not an Internet Standards Tra
ck specification; it is published for informational purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6268"/>
<seriesInfo name="DOI" value="10.17487/RFC6268"/>
</reference>
<reference anchor="RFC8118" target="https://www.rfc-editor.org/info/rfc8
118">
<front>
<title>The application/pdf Media Type</title>
<author fullname="M. Hardy" initials="M." surname="Hardy">
<organization/>
</author>
<author fullname="L. Masinter" initials="L." surname="Masinter">
<organization/>
</author>
<author fullname="D. Markovic" initials="D." surname="Markovic">
<organization/>
</author>
<author fullname="D. Johnson" initials="D." surname="Johnson">
<organization/>
</author>
<author fullname="M. Bailey" initials="M." surname="Bailey">
<organization/>
</author>
<date month="March" year="2017"/>
<abstract>
<t>The Portable Document Format (PDF) is an ISO standard (ISO 3200
0-1:2008) defining a final-form document representation language in use for docu
ment exchange, including on the Internet, since 1993. This document provides an
overview of the PDF format and updates the media type registration of "applicati
on/pdf". It obsoletes RFC 3778.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8118"/>
<seriesInfo name="DOI" value="10.17487/RFC8118"/>
</reference>
<reference anchor="RFC3709" target="https://www.rfc-editor.org/info/rfc3
709">
<front>
<title>Internet X.509 Public Key Infrastructure: Logotypes in X.509
Certificates</title>
<author fullname="S. Santesson" initials="S." surname="Santesson">
<organization/>
</author>
<author fullname="R. Housley" initials="R." surname="Housley">
<organization/>
</author>
<author fullname="T. Freeman" initials="T." surname="Freeman">
<organization/>
</author>
<date month="February" year="2004"/>
<abstract>
<t>This document specifies a certificate extension for including l
ogotypes in public key certificates and attribute certificates. [STANDARDS-TRAC
K]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3709"/>
<seriesInfo name="DOI" value="10.17487/RFC3709"/>
</reference>
<reference anchor="RFC6170" target="https://www.rfc-editor.org/info/rfc6
170">
<front>
<title>Internet X.509 Public Key Infrastructure -- Certificate Image
</title>
<author fullname="S. Santesson" initials="S." surname="Santesson">
<organization/>
</author>
<author fullname="R. Housley" initials="R." surname="Housley">
<organization/>
</author>
<author fullname="S. Bajaj" initials="S." surname="Bajaj">
<organization/>
</author>
<author fullname="L. Rosenthol" initials="L." surname="Rosenthol">
<organization/>
</author>
<date month="May" year="2011"/>
<abstract>
<t>This document specifies a method to bind a visual representatio
n of a certificate in the form of a certificate image to a public key certificat
e as defined in RFC 5280, by defining a new "otherLogos" image type according to
RFC 3709. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6170"/>
<seriesInfo name="DOI" value="10.17487/RFC6170"/>
</reference>
<reference anchor="RFC7858" target="https://www.rfc-editor.org/info/rfc7
858">
<front>
<title>Specification for DNS over Transport Layer Security (TLS)</ti
tle>
<author fullname="Z. Hu" initials="Z." surname="Hu">
<organization/>
</author>
<author fullname="L. Zhu" initials="L." surname="Zhu">
<organization/>
</author>
<author fullname="J. Heidemann" initials="J." surname="Heidemann">
<organization/>
</author>
<author fullname="A. Mankin" initials="A." surname="Mankin">
<organization/>
</author>
<author fullname="D. Wessels" initials="D." surname="Wessels">
<organization/>
</author>
<author fullname="P. Hoffman" initials="P." surname="Hoffman">
<organization/>
</author>
<date month="May" year="2016"/>
<abstract>
<t>This document describes the use of Transport Layer Security (TL
S) to provide privacy for DNS. Encryption provided by TLS eliminates opportunit
ies for eavesdropping and on-path tampering with DNS queries in the network, suc
h as discussed in RFC 7626. In addition, this document specifies two usage prof
iles for DNS over TLS and provides advice on performance considerations to minim
ize overhead from using TCP and TLS with DNS.</t>
<t>This document focuses on securing stub-to-recursive traffic, as
per the charter of the DPRIVE Working Group. It does not prevent future applic
ations of the protocol to recursive-to-authoritative traffic.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7858"/>
<seriesInfo name="DOI" value="10.17487/RFC7858"/>
</reference>
<reference anchor="RFC9162" target="https://www.rfc-editor.org/info/rfc9
162">
<front>
<title>Certificate Transparency Version 2.0</title>
<author fullname="B. Laurie" initials="B." surname="Laurie">
<organization/>
</author>
<author fullname="E. Messeri" initials="E." surname="Messeri">
<organization/>
</author>
<author fullname="R. Stradling" initials="R." surname="Stradling">
<organization/>
</author>
<date month="December" year="2021"/>
<abstract>
<t>This document describes version 2.0 of the Certificate Transpar
ency (CT) protocol for publicly logging the existence of Transport Layer Securit
y (TLS) server certificates as they are issued or observed, in a manner that all
ows anyone to audit certification authority (CA) activity and notice the issuanc
e of suspect certificates as well as to audit the certificate logs themselves. T
he intent is that eventually clients would refuse to honor certificates that do
not appear in a log, effectively forcing CAs to add all issued certificates to t
he logs.</t>
<t>This document obsoletes RFC 6962. It also specifies a new TLS
extension that is used to send various CT log artifacts.</t>
<t>Logs are network services that implement the protocol operation
s for submissions and queries that are defined in this document.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9162"/>
<seriesInfo name="DOI" value="10.17487/RFC9162"/>
</reference>
<reference anchor="RFC9216" target="https://www.rfc-editor.org/info/rfc9
216">
<front>
<title>S/MIME Example Keys and Certificates</title>
<author fullname="D. K. Gillmor" initials="D. K." role="editor" surn
ame="Gillmor">
<organization/>
</author>
<date month="April" year="2022"/>
<abstract>
<t>The S/MIME development community benefits from sharing samples
of signed or encrypted data. This document facilitates such collaboration by def
ining a small set of X.509v3 certificates and keys for use when generating such
samples.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9216"/>
<seriesInfo name="DOI" value="10.17487/RFC9216"/>
</reference>
<reference anchor="RFC9230" target="https://www.rfc-editor.org/info/rfc9
230">
<front>
<title>Oblivious DNS over HTTPS</title>
<author fullname="E. Kinnear" initials="E." surname="Kinnear">
<organization/>
</author>
<author fullname="P. McManus" initials="P." surname="McManus">
<organization/>
</author>
<author fullname="T. Pauly" initials="T." surname="Pauly">
<organization/>
</author>
<author fullname="T. Verma" initials="T." surname="Verma">
<organization/>
</author>
<author fullname="C.A. Wood" initials="C.A." surname="Wood">
<organization/>
</author>
<date month="June" year="2022"/>
<abstract>
<t>This document describes a protocol that allows clients to hide
their IP addresses from DNS resolvers via proxying encrypted DNS over HTTPS (DoH
) messages. This improves privacy of DNS operations by not allowing any one serv
er entity to be aware of both the client IP address and the content of DNS queri
es and answers.</t>
<t>This experimental protocol has been developed outside the IETF
and is published here to guide implementation, ensure interoperability among imp
lementations, and enable wide-scale experimentation.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9230"/>
<seriesInfo name="DOI" value="10.17487/RFC9230"/>
</reference>
<reference anchor="OLD-ASN1" target="https://www.itu.int/rec/T-REC-X.208 /en"> <reference anchor="OLD-ASN1" target="https://www.itu.int/rec/T-REC-X.208 /en">
<front> <front>
<title>Specification of Abstract Syntax Notation One (ASN.1)</title> <title>Specification of Abstract Syntax Notation One (ASN.1)</title>
<author> <author>
<organization>CCITT</organization> <organization>CCITT</organization>
</author> </author>
<date year="1988" month="November"/> <date year="1988" month="November"/>
</front> </front>
<refcontent>CCITT Recommendation X.208</refcontent> <seriesInfo name="CCITT Recommendation" value="X.208"/>
</reference> </reference>
<reference anchor="ISO19005"> <reference anchor="ISO19005">
<front> <front>
<title>Document management -- Electronic document file format for lo ng-term preservation -- Part 1: Use of PDF 1.4 (PDF/A-1)</title> <title>Document management -- Electronic document file format for lo ng-term preservation -- Part 1: Use of PDF 1.4 (PDF/A-1)</title>
<author> <author>
<organization>ISO</organization> <organization>ISO</organization>
</author> </author>
<date year="2005"/> <date year="2005" month="October"/>
</front> </front>
<seriesInfo name="ISO" value="19005-1:2005"/> <seriesInfo name="ISO" value="19005-1:2005"/>
</reference> </reference>
<reference anchor="ISO32000"> <reference anchor="ISO32000">
<front> <front>
<title>Document management -- Portable document format -- Part 1: PD F 1.7</title> <title>Document management -- Portable document format -- Part 1: PD F 1.7</title>
<author> <author>
<organization>ISO</organization> <organization>ISO</organization>
</author> </author>
<date year="2008"/> <date year="2008" month="July"/>
</front> </front>
<seriesInfo name="ISO" value="32000-1:2008"/> <seriesInfo name="ISO" value="32000-1:2008"/>
</reference> </reference>
<reference anchor="SVGR" target="https://www.iana.org/assignments/media- types/image/svg+xml"> <reference anchor="SVGR" target="https://www.iana.org/assignments/media- types/image/svg+xml">
<front> <front>
<title>Media Type Registration for image/svg+xml</title> <title>Media Type Registration for image/svg+xml</title>
<author> <author>
<organization>World Wide Web Consortium</organization> <organization>World Wide Web Consortium</organization>
</author> </author>
<date/>
</front> </front>
</reference> </reference>
<reference anchor="SVGZR" target="https://github.com/w3c/svgwg/issues/70 1"> <reference anchor="SVGZR" target="https://github.com/w3c/svgwg/issues/70 1">
<front> <front>
<title>A separate MIME type for svgz files is needed</title> <title>A separate MIME type for svgz files is needed</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date/>
</front> </front>
</reference> </reference>
<reference anchor="PNGR" target="https://www.iana.org/assignments/media- types/image/png"> <reference anchor="PNGR" target="https://www.iana.org/assignments/media- types/image/png">
<front> <front>
<title>Media Type Registration for image/png</title> <title>Media Type Registration for image/png</title>
<author> <author>
<organization>World Wide Web Consortium</organization> <organization>World Wide Web Consortium</organization>
</author> </author>
<date/>
</front> </front>
</reference> </reference>
</references> </references>
</references> </references>
<section anchor="asn1-mods"> <section anchor="asn1-mods">
<name>ASN.1 Modules</name> <name>ASN.1 Modules</name>
<section anchor="asn1-mod-old"> <section anchor="asn1-mod-old">
<name>ASN.1 Modules with 1988 Syntax</name> <name>ASN.1 Modules with 1988 Syntax</name>
<t>This appendix contains two ASN.1 modules, both using the old <t>This appendix contains two ASN.1 modules, both using the old
syntax <xref target="OLD-ASN1"/>.</t> syntax <xref target="OLD-ASN1"/>.</t>
<t>The first ASN.1 module provides the syntax for the Logotype certifica <t>The first ASN.1 module provides the syntax for the logotype certifica
te te
extension. Only comments have changed in the module from RFC 3709, and extension. Only comments have changed in the module from <xref target="RFC3709"
/> and
the IMPORTS now come from <xref target="RFC5280"/>.</t> the IMPORTS now come from <xref target="RFC5280"/>.</t>
<t>The second ASN.1 module provides the Certificate Image <t>The second ASN.1 module provides the certificate image
object identifier. The module is unchanged from RFC 6170.</t> object identifier. The module is unchanged from <xref target="RFC6170"/>.</t>
<sourcecode type="asn.1" markers="true"><![CDATA[ <sourcecode type="asn.1" markers="true"><![CDATA[
LogotypeCertExtn LogotypeCertExtn
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-logotype(22) } id-mod-logotype(22) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
AlgorithmIdentifier FROM PKIX1Explicit88 -- RFC 5280 AlgorithmIdentifier FROM PKIX1Explicit88 -- RFC 5280
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit(18) }; id-pkix1-explicit(18) };
-- Logotype Certificate Extension OID
id-pe-logotype OBJECT IDENTIFIER ::= id-pe-logotype OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-pe(1) 12 } security(5) mechanisms(5) pkix(7) id-pe(1) 12 }
-- Logotype Certificate Extension Syntax
LogotypeExtn ::= SEQUENCE { LogotypeExtn ::= SEQUENCE {
communityLogos [0] EXPLICIT SEQUENCE OF LogotypeInfo OPTIONAL, communityLogos [0] EXPLICIT SEQUENCE OF LogotypeInfo OPTIONAL,
issuerLogo [1] EXPLICIT LogotypeInfo OPTIONAL, issuerLogo [1] EXPLICIT LogotypeInfo OPTIONAL,
subjectLogo [2] EXPLICIT LogotypeInfo OPTIONAL, subjectLogo [2] EXPLICIT LogotypeInfo OPTIONAL,
otherLogos [3] EXPLICIT SEQUENCE OF OtherLogotypeInfo otherLogos [3] EXPLICIT SEQUENCE OF OtherLogotypeInfo
OPTIONAL } OPTIONAL }
-- Note: At least one of the OPTIONAL components MUST be present -- Note: At least one of the OPTIONAL components MUST be present
skipping to change at line 1709 skipping to change at line 1350
LogotypeImage ::= SEQUENCE { LogotypeImage ::= SEQUENCE {
imageDetails LogotypeDetails, imageDetails LogotypeDetails,
imageInfo LogotypeImageInfo OPTIONAL } imageInfo LogotypeImageInfo OPTIONAL }
LogotypeAudio ::= SEQUENCE { LogotypeAudio ::= SEQUENCE {
audioDetails LogotypeDetails, audioDetails LogotypeDetails,
audioInfo LogotypeAudioInfo OPTIONAL } audioInfo LogotypeAudioInfo OPTIONAL }
LogotypeDetails ::= SEQUENCE { LogotypeDetails ::= SEQUENCE {
mediaType IA5String, -- MIME media type name and optional mediaType IA5String, -- Media type name and optional
-- parameters -- parameters
logotypeHash SEQUENCE SIZE (1..MAX) OF HashAlgAndValue, logotypeHash SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
logotypeURI SEQUENCE SIZE (1..MAX) OF IA5String } logotypeURI SEQUENCE SIZE (1..MAX) OF IA5String }
LogotypeImageInfo ::= SEQUENCE { LogotypeImageInfo ::= SEQUENCE {
type [0] LogotypeImageType DEFAULT color, type [0] LogotypeImageType DEFAULT color,
fileSize INTEGER, -- In octets, 0=unspecified fileSize INTEGER, -- In octets, 0=unspecified
xSize INTEGER, -- Horizontal size in pixels xSize INTEGER, -- Horizontal size in pixels
ySize INTEGER, -- Vertical size in pixels ySize INTEGER, -- Vertical size in pixels
resolution LogotypeImageResolution OPTIONAL, resolution LogotypeImageResolution OPTIONAL,
skipping to change at line 1786 skipping to change at line 1427
END END
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="asn1-mod-new"> <section anchor="asn1-mod-new">
<name>ASN.1 Module with 2002 Syntax</name> <name>ASN.1 Module with 2002 Syntax</name>
<t>Some developers like to use the latest version of ASN.1 standards. T his <t>Some developers like to use the latest version of ASN.1 standards. T his
appendix provides an ASN.1 module to assist in that goal. It uses the ASN.1 appendix provides an ASN.1 module to assist in that goal. It uses the ASN.1
syntax defined in <xref target="NEW-ASN1"/>, and it follows the conventions syntax defined in <xref target="NEW-ASN1"/>, and it follows the conventions
established in <xref target="RFC5912"/> and <xref target="RFC6268"/>.</t> established in <xref target="RFC5912"/> and <xref target="RFC6268"/>.</t>
<t>This ASN.1 module incorporates the module from RFC 3709 and the modul <t>This ASN.1 module incorporates the module from <xref target="RFC3709"
e /> and the module
from RFC 6170.</t> from <xref target="RFC6170"/>.</t>
<t>Note that <xref target="NEW-ASN1"/> was published in 2021, and all of the features <t>Note that <xref target="NEW-ASN1"/> was published in 2021, and all of the features
used in this module are backward compatible with the specification used in this module are backward compatible with the specification
that was published in 2002.</t> that was published in 2002.</t>
<sourcecode type="asn.1" markers="true"><![CDATA[ <sourcecode type="asn.1" markers="true"><![CDATA[
LogotypeCertExtn LogotypeCertExtn-2022
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-logotype(TBD) } id-mod-logotype-2022(107) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
EXTENSION EXTENSION
FROM PKIX-CommonTypes-2009 -- RFC 5912 FROM PKIX-CommonTypes-2009 -- RFC 5912
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) } id-mod-pkixCommon-02(57) }
AlgorithmIdentifier{}, DIGEST-ALGORITHM AlgorithmIdentifier{}, DIGEST-ALGORITHM
FROM AlgorithmInformation-2009 FROM AlgorithmInformation-2009
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58) } ; id-mod-algorithmInformation-02(58) } ;
-- Logotype Certificate Extension
ext-logotype EXTENSION ::= { ext-logotype EXTENSION ::= {
SYNTAX LogotypeExtn SYNTAX LogotypeExtn
IDENTIFIED BY id-pe-logotype } IDENTIFIED BY id-pe-logotype }
-- Logotype Certificate Extension OID
id-pe-logotype OBJECT IDENTIFIER ::= id-pe-logotype OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-pe(1) 12 } security(5) mechanisms(5) pkix(7) id-pe(1) 12 }
-- Logotype Certificate Extension Syntax
LogotypeExtn ::= SEQUENCE { LogotypeExtn ::= SEQUENCE {
communityLogos [0] EXPLICIT SEQUENCE OF LogotypeInfo OPTIONAL, communityLogos [0] EXPLICIT SEQUENCE OF LogotypeInfo OPTIONAL,
issuerLogo [1] EXPLICIT LogotypeInfo OPTIONAL, issuerLogo [1] EXPLICIT LogotypeInfo OPTIONAL,
subjectLogo [2] EXPLICIT LogotypeInfo OPTIONAL, subjectLogo [2] EXPLICIT LogotypeInfo OPTIONAL,
otherLogos [3] EXPLICIT SEQUENCE OF OtherLogotypeInfo otherLogos [3] EXPLICIT SEQUENCE OF OtherLogotypeInfo
OPTIONAL } OPTIONAL }
-- At least one of the OPTIONAL components MUST be present -- At least one of the OPTIONAL components MUST be present
( WITH COMPONENTS { ..., communityLogos PRESENT } | ( WITH COMPONENTS { ..., communityLogos PRESENT } |
WITH COMPONENTS { ..., issuerLogo PRESENT } | WITH COMPONENTS { ..., issuerLogo PRESENT } |
skipping to change at line 1858 skipping to change at line 1499
LogotypeImage ::= SEQUENCE { LogotypeImage ::= SEQUENCE {
imageDetails LogotypeDetails, imageDetails LogotypeDetails,
imageInfo LogotypeImageInfo OPTIONAL } imageInfo LogotypeImageInfo OPTIONAL }
LogotypeAudio ::= SEQUENCE { LogotypeAudio ::= SEQUENCE {
audioDetails LogotypeDetails, audioDetails LogotypeDetails,
audioInfo LogotypeAudioInfo OPTIONAL } audioInfo LogotypeAudioInfo OPTIONAL }
LogotypeDetails ::= SEQUENCE { LogotypeDetails ::= SEQUENCE {
mediaType IA5String, -- MIME media type name and optional mediaType IA5String, -- Media type name and optional
-- parameters -- parameters
logotypeHash SEQUENCE SIZE (1..MAX) OF HashAlgAndValue, logotypeHash SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
logotypeURI SEQUENCE SIZE (1..MAX) OF IA5String } logotypeURI SEQUENCE SIZE (1..MAX) OF IA5String }
LogotypeImageInfo ::= SEQUENCE { LogotypeImageInfo ::= SEQUENCE {
type [0] LogotypeImageType DEFAULT color, type [0] LogotypeImageType DEFAULT color,
fileSize INTEGER, -- In octets, 0=unspecified fileSize INTEGER, -- In octets, 0=unspecified
xSize INTEGER, -- Horizontal size in pixels xSize INTEGER, -- Horizontal size in pixels
ySize INTEGER, -- Vertical size in pixels ySize INTEGER, -- Vertical size in pixels
resolution LogotypeImageResolution OPTIONAL, resolution LogotypeImageResolution OPTIONAL,
skipping to change at line 1921 skipping to change at line 1562
id-logo-certImage OBJECT IDENTIFIER ::= { id-logo 3 } id-logo-certImage OBJECT IDENTIFIER ::= { id-logo 3 }
END END
]]></sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="examples"> <section anchor="examples">
<name>Examples</name> <name>Examples</name>
<section anchor="example-rfc3709"> <section anchor="example-rfc3709">
<name>Example from RFC 3709</name> <name>Example from RFC 3709</name>
<t>The following example displays a logotype extension containing one
Issuer logotype using direct addressing. The issuer logotype image is <t>The following example displays a logotype certificate extension conta
ining one
issuer organization logotype using direct addressing. The issuer organization l
ogotype image is
of the type image/gif. The logotype image is referenced through of the type image/gif. The logotype image is referenced through
one URI and the image is hashed with SHA-256. This example one URI, and the image is hashed with SHA-256. This example
is changed from RFC 3709 to use SHA-256 instead of SHA-1.</t> is changed from <xref target="RFC3709"/> to use SHA-256 instead of SHA-1.</t>
<t>The values on the left are the ASN.1 tag (in hexadecimal) and <t>The values on the left are the ASN.1 tag (in hexadecimal) and
the length (in decimal).</t> the length (in decimal).</t>
<artwork><![CDATA[ <sourcecode type=""><![CDATA[
30 122: SEQUENCE { 30 122: SEQUENCE {
06 8: OBJECT IDENTIFIER logotype (1 3 6 1 5 5 7 1 12) 06 8: OBJECT IDENTIFIER logotype (1 3 6 1 5 5 7 1 12)
04 110: OCTET STRING, encapsulates { 04 110: OCTET STRING, encapsulates {
30 108: SEQUENCE { 30 108: SEQUENCE {
A1 106: [1] { A1 106: [1] {
A0 104: [0] { A0 104: [0] {
30 102: SEQUENCE { 30 102: SEQUENCE {
30 100: SEQUENCE { 30 100: SEQUENCE {
30 98: SEQUENCE { 30 98: SEQUENCE {
16 9: IA5String 'image/gif' 16 9: IA5String 'image/gif'
skipping to change at line 1961 skipping to change at line 1603
16 32: IA5String 'http://logo.example.com/logo.gif' 16 32: IA5String 'http://logo.example.com/logo.gif'
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="example-new"> <section anchor="example-new">
<name>Issuer Logotype Example</name> <name>Issuer Organization Logotype Example</name>
<t>The following example displays a logotype extension containing one <t>The following example displays a logotype certificate extension conta
Issuer logotype using direct addressing. The issuer logotype image is ining one
issuer organization logotype using direct addressing. The issuer organization l
ogotype image is
of the type image/jpeg. The logotype image is referenced through of the type image/jpeg. The logotype image is referenced through
one URI and the image is hashed with SHA-256.</t> one URI, and the image is hashed with SHA-256.</t>
<t>The values on the left are the ASN.1 tag (in hexadecimal) and <t>The values on the left are the ASN.1 tag (in hexadecimal) and
the length (in decimal).</t> the length (in decimal).</t>
<artwork><![CDATA[ <sourcecode type=""><![CDATA[
30 124: SEQUENCE { 30 124: SEQUENCE {
06 8: OBJECT IDENTIFIER logotype (1 3 6 1 5 5 7 1 12) 06 8: OBJECT IDENTIFIER logotype (1 3 6 1 5 5 7 1 12)
04 112: OCTET STRING, encapsulates { 04 112: OCTET STRING, encapsulates {
30 110: SEQUENCE { 30 110: SEQUENCE {
A1 108: [1] { A1 108: [1] {
A0 106: [0] { A0 106: [0] {
30 104: SEQUENCE { 30 104: SEQUENCE {
30 102: SEQUENCE { 30 102: SEQUENCE {
30 100: SEQUENCE { 30 100: SEQUENCE {
16 10: IA5String 'image/jpeg' 16 10: IA5String 'image/jpeg'
skipping to change at line 2004 skipping to change at line 1646
16 33: IA5String 'http://logo.example.com/logo.jpeg' 16 33: IA5String 'http://logo.example.com/logo.jpeg'
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="example-embed"> <section anchor="example-embed">
<name>Embedded Image Example</name> <name>Embedded Image Example</name>
<t>The following example displays a logotype extension containing one <t>The following example displays a logotype certificate extension
Subject logotype using direct addressing. The subject logotype image containing one subject organization logotype using direct addressing.
uses image/svg+xml-compressed. The logotype image is embedded in the The subject organization logotype image uses image/svg+xml+gzip.
certificate extension with a "data:" URI and the image is hashed by The logotype image is embedded in the certificate extension with a
SHA-256. This technique produces a large certificate extension, but "data:" URI, and the image is hashed by SHA-256. This technique
offers reduced latency and improved privacy.</t> produces a large certificate extension but offers reduced latency
<t>The values on the left are the ASN.1 tag (in hexadecimal) and and improved privacy.</t>
the length (in decimal).</t> <t>The values on the left are the ASN.1 tag (in hexadecimal) and the
<artwork><![CDATA[ length (in decimal).</t>
30 2160: SEQUENCE { <sourcecode type=""><![CDATA[
30 2148: SEQUENCE {
06 8: OBJECT IDENTIFIER logotype (1 3 6 1 5 5 7 1 12) 06 8: OBJECT IDENTIFIER logotype (1 3 6 1 5 5 7 1 12)
04 2146: OCTET STRING, encapsulates { 04 2134: OCTET STRING, encapsulates {
30 2142: SEQUENCE { 30 2130: SEQUENCE {
A2 2138: [2] { A2 2126: [2] {
A0 2134: [0] { A0 2122: [0] {
30 2130: SEQUENCE { 30 2118: SEQUENCE {
30 2126: SEQUENCE { 30 2114: SEQUENCE {
30 2122: SEQUENCE { 30 2110: SEQUENCE {
16 24: IA5String 'image/svg+xml-compressed' 16 18: IA5String 'image/svg+xml+gzip'
30 49: SEQUENCE { 30 49: SEQUENCE {
30 47: SEQUENCE { 30 47: SEQUENCE {
30 11: SEQUENCE { 30 11: SEQUENCE {
06 9: OBJECT IDENTIFIER 06 9: OBJECT IDENTIFIER
: sha-256 (2 16 840 1 101 3 4 2 1) : sha-256 (2 16 840 1 101 3 4 2 1)
: } : }
04 32: OCTET STRING 04 32: OCTET STRING
: C5 AC 94 1A 0A 25 1F B3 16 6F 97 C5 52 40 9B 49 : C5 AC 94 1A 0A 25 1F B3 16 6F 97 C5 52 40 9B 49
: 9E 7B 92 61 5A B0 A2 6C 19 BF B9 D8 09 C5 D9 E7 : 9E 7B 92 61 5A B0 A2 6C 19 BF B9 D8 09 C5 D9 E7
: } : }
: } : }
30 2041: SEQUENCE { 30 2035: SEQUENCE {
16 2037: IA5String 16 2031: IA5String
: 'data:image/svg+xml-compressed;base64,H4sICIGpy2E' : 'data:image/svg+xml+gzip;base64,H4sICIGpy2EAA2xvZ'
: 'AA2xvZ28tY29weS5zdmcApVbbbhs3EH3nV0y3Lw2Q9fK2JLe' : '28tY29weS5zdmcApVbbbhs3EH3nV0y3Lw2Q9fK2JLewHDROU'
: 'wHDROUBRo2iBxW+RRlTa2UFkypIWV5ut7zlB2UqF9cuLlUkt' : 'BRo2iBxW+RRlTa2UFkypIWV5ut7zlB2UqF9cuLlUktyLmfOz'
: 'yLmfOzPD8xafbtdyPu/1qu5k17sw2sp/mm+V8vd2Ms2azbV5' : 'PD8xafbtdyPu/1qu5k17sw2sp/mm+V8vd2Ms2azbV5cmPNvX'
: 'cmPNvXv16efXh7WvZ31/L299e/vzTpTRt1/0RLrvu1dUref/' : 'v16efXh7WvZ31/L299e/vzTpTRt1/0RLrvu1dUref/7j+Ktd'
: '7j+KtdXawsete/9IYaW6m6e77rjscDmeHcLbdXXdX7zpu6t6' : 'Xawsete/9IYaW6m6e77rjscDmeHcLbdXXdX7zpu6t69vmxxo'
: '9vmxxon08AREdRDt7tpyWDRRSz7+tgp2b/ew/hEKI5WGoPKy' : 'n08AREdRDt7tpyWDRRSz7+tgp2b/ew/hEKI5WGoPKyW082s8'
: 'W082s8SmeWf13NzVyM66ub6ZZk+xXH+9X4+Hl9tOssWLly35' : 'SmeWf13NzVyM66ub6ZZk+xXH+9X4+Hl9tOssWLly3553ARpd'
: '53ARpd7txP+7uxx/2d+NiejefVttZ8+nNavkBj9yO40RLb8d' : '7txP+7uxx/2d+NiejefVttZ8+nNavkBj9yO40RLb8dpvpxP8'
: 'pvpxP8wtzuRvn07iUP/+Wu+20my9GcWfOPpfDbjVN44YLb8d' : 'wtzuRvn07iUP/+Wu+20my9GcWfOPpfDbjVN44YLb8dp3Mn7c'
: 'p3Mn7cb3aXGNCAICCc+a8+yLo/FpwfLP/uN3dzhqdriH5uwf' : 'b3aXGNCAICCc+a8+yLo/FpwfLP/uN3dzhqdriH5uwfbnj9a+'
: 'bnj9a+Uz2i/maK66utA+zZ435uFqvZ823R38Q1t32Lw3pZqT' : 'Uz2i/maK66utA+zZ435uFqvZ823R38Q1t32Lw3pZqThd/PpR'
: 'hd/PpRpaz5o2LNkocvCzaIm0vrQvSpog359lLy3my0ga+e3H' : 'paz5o2LNkocvCzaIm0vrQvSpog359lLy3my0ga+e3Hp+B4In'
: 'p+B4InjVFPD9awdhnrGEFW30Sl/Pnpvta2QBVxUEVxFbJ2VU' : 'jVFPD9awdhnrGEFW30Sl/Pnpvta2QBVxUEVxFbJ2VUFfYC01'
: 'FfYC01pUs+O4GK84V/k6CHUFyhvhiDVQF8Y5aPDbmnsrXbS7' : 'pUs+O4GK84V/k6CHUFyhvhiDVQF8Y5aPDbmnsrXbS74DANjg'
: '4DANjguwgENZLPwjUYVTRJQgEpiLR0ctiWj+Ig8rCvZAArxK' : 'uwgENZLPwjUYVTRJQgEpiLR0ctiWj+Ig8rCvZAArxKExEEWM'
: 'ExEEWMJLqMA1F+ggnsQDXgpQeomJPCVhtCRycNrAWxgAI+g1' : 'JLqMA1F+ggnsQDXgpQeomJPCVhtCRycNrAWxgAI+g1Qsr6IU'
: 'Qsr6IUxlomBswjydYBEgOeVCDoRreBjiFjX2SdSA60BP5DgQ' : 'xlomBswjydYBEgOeVCDoRreBjiFjX2SdSA60BP5DgQM63xoP'
: 'M63xoPlWHbNq+egAEeAzxyNAdCQz+sDEMOhaGisKJdSlS6gt' : 'lWHbNq+egAEeAzxyNAdCQz+sDEMOhaGisKJdSlS6gtWWm4M1'
: 'WWm4M1rQwP0egEBIhhFLoXuCJhR4mT5RJBaiLKqqFROUEzYr' : 'rQwP0egEBIhhFLoXuCJhR4mT5RJBaiLKqqFROUEzYr1idG0g'
: '1idG0gahwCzEnk+AMJLdp0FevQQ6VZ+SKOwGlOIJOh1MVjo0' : 'ahwCzEnk+AMJLdp0FevQQ6VZ+SKOwGlOIJOh1MVjo0eB6DRA'
: 'eB6DRA10SRpSY6il/eFFKAm+MKSIWNFqSo4OFnORfwH5wJHC' : '10SRpSY6il/eFFKAm+MKSIWNFqSo4OFnORfwH5wJHCMNM0ql'
: 'MNM0qlDRlcIwUEkDlgiSBhiEpBgMKOx5FdAYqI3KYewKKkAI' : 'DRlcIwUEkDlgiSBhiEpBgMKOx5FdAYqI3KYewKKkAItTABTk'
: 'tTABTkp5khI86kgbOgRywEBR0VGcwAjf8t9wqvdUMG6gLAbI' : 'p5khI86kgbOgRywEBR0VGcwAjf8t9wqvdUMG6gLAbI0QQ8Cb'
: '0QQ8CbzCTtCSn/DEhCbm++duQaiRG1mQkdWHnminHA+r5wpL' : 'zCTtCSn/DEhCbm++duQaiRG1mQkdWHnminHA+r5wpLvsJbCA'
: 'vsJbCALUKsDW5NAj43J+AD5vpfamUzJqiRJACmCWwIMhQq4H' : 'LUKsDW5NAj43J+AD5vpfamUzJqiRJACmCWwIMhQq4HmYGKai'
: 'mYGKaiiJPmIvpS80UzTtAjdSraApQZogslgFcJHw0y5WoEXD' : 'iJPmIvpS80UzTtAjdSraApQZogslgFcJHw0y5WoEXDYr/aTq'
: 'Yr/aTqfxk2qhcg3z6ETQL+S18llvHOZQvlEOVEVpzqCozE9V' : 'fxk2qhcg3z6ETQL+S18llvHOZQvlEOVEVpzqCozE9V6JZhh/'
: '6JZhh/lCslg7mUFY4AR7IlcApmgV6gz3DCSDe56fQ0SRS7el' : 'lCslg7mUFY4AR7IlcApmgV6gz3DCSDe56fQ0SRS7el0NJWO8'
: '0NJWO8mQ6mkc6ylPpaL7QUZ5IR/M/dEwoJiEp+L6iT4cdSyI' : 'mQ6mkc6ylPpaL7QUZ5IR/M/dEwoJiEp+L6iT4cdSyIp4ljDk'
: 'p4ljDkoaZpQlgMoz0ApahjTiTWbZYu9v+MUqVjY61j2Bxr68' : 'oaZpQlgMoz0ApahjTiTWbZYu9v+MUqVjY61j2Bxr68bPF3uS'
: 'bPF3uS1232qAyAQDMhr4MRyVZq5l2QcuwgY/oTozbgoIKycH' : '1232qAyAQDMhr4MRyVZq5l2QcuwgY/oTozbgoIKycH+yQxhz'
: '+yQxhzQsPJQ/ne9OmRKvYH1AeKA/EQRtzrmaYUiHUhpJOW4b' : 'QsPJQ/ne9OmRKvYH1AeKA/EQRtzrmaYUiHUhpJOW4breSaxZ'
: 'reSaxZ/TVc3ZAQJKOagAJiw6pRHVkBMIBa5E+SUMWi0ZNW1R' : '/TVc3ZAQJKOagAJiw6pRHVkBMIBa5E+SUMWi0ZNW1Rfn/xQX'
: 'fn/xQXywHXyMHN5G8WF6gZ2IVjANHMIJQ1lAJQE8MJjZHJiU' : 'ywHXyMHN5G8WF6gZ2IVjANHMIJQ1lAJQE8MJjZHJiUtQZAWz'
: 'tQZAWzmkisDywTVWSqLkkQG2NNB3wwyaerqRGLNKpvwUOhaQ' : 'mkisDywTVWSqLkkQG2NNB3wwyaerqRGLNKpvwUOhaQFiYcqv'
: 'FiYcqviSjvp1n8WnRRzXFs9IXDxiiDd8HU/ROoAGn9+QgTPE' : 'iSjvp1n8WnRRzXFs9IXDxiiDd8HU/ROoAGn9+QgTPEVu6HaN'
: 'Vu6HaN6i0VPuv1SCzwyZeHwBA1EjFYoAk2jJ3OFeJ5Gp1E+3' : '6i0VPuv1SCzwyZeHwBA1EjFYoAk2jJ3OFeJ5Gp1E+3Dlf3Aj'
: 'Dlf3Aj70bbvmag5oyKHunVyGPq6+EnvTua/JUn3iadMHlqUa' : '70bbvmag5oyKHunVyGPq6+EnvTua/JUn3iadMHlqUapsK2T8'
: 'psK2T8SwCBJUF1JnEmhu0ntBthJoQpZqumsBk5mA1hRc0LR5' : 'SwCBJUF1JnEmhu0ntBthJoQpZqumsBk5mA1hRc0LR5ZFerdj'
: 'ZFerdjksaCqt3IUWXcXW16vb6xdWyHLTgCaKXWKUKK1kOp9H' : 'ksaCqt3IUWXcXW16vb6xdWyHLTgCaKXWKUKK1kOp9HK5B3EL'
: 'K5B3ELjSdXb0loB5RYtS01L6h9yTPW51Wpqwgosr5I927aw6' : 'jSdXb0loB5RYtS01L6h9yTPW51Wpqwgosr5I927aw6401+Yf'
: '401+YfwDria4WoQwAAA==' : 'wDria4WoQwAAA=='
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="example-rfc6170"> <section anchor="example-rfc6170">
<name>Embedded Certificate Image Example</name> <name>Embedded Certificate Image Example</name>
<t>The following example displays a logotype extension containing one <t>The following example displays a logotype certificate extension
Certificate Image logotype using direct addressing. The Certificate containing one certificate image logotype using direct addressing.
Image logotype uses image/svg+xml-compressed. The logotype image The certificate image logotype uses image/svg+xml+gzip. The
is embedded in the certificate extension with a "data:" URI and the logotype image is embedded in the certificate extension with a
image is hashed by SHA-256. This example contains the image from "data:" URI, and the image is hashed by SHA-256. This example
Appendix B of RFC 6170, however, the media type used here is explicit contains the image from <xref target="RFC6170" sectionFormat="of" section="B"/>;
about the use of GZIP compression <xref target="RFC1952"/>.</t> however, the media
<t>The values on the left are the ASN.1 tag (in hexadecimal) and type used here is explicit about the use of GZIP compression
the length (in decimal).</t> <xref target="RFC1952"/>.</t>
<artwork><![CDATA[ <t>The values on the left are the ASN.1 tag (in hexadecimal) and the
30 2914: SEQUENCE { length (in decimal).</t>
<sourcecode type=""><![CDATA[
30 2902: SEQUENCE {
06 8: OBJECT IDENTIFIER logotype (1 3 6 1 5 5 7 1 12) 06 8: OBJECT IDENTIFIER logotype (1 3 6 1 5 5 7 1 12)
04 2900: OCTET STRING, encapsulates { 04 2888: OCTET STRING, encapsulates {
30 2896: SEQUENCE { 30 2884: SEQUENCE {
A3 2892: [3] { A3 2880: [3] {
30 2888: SEQUENCE { 30 2876: SEQUENCE {
30 2884: SEQUENCE { 30 2872: SEQUENCE {
06 8: OBJECT IDENTIFIER '1 3 6 1 5 5 7 20 3' 06 8: OBJECT IDENTIFIER '1 3 6 1 5 5 7 20 3'
A0 2870: [0] { A0 2858: [0] {
30 2866: SEQUENCE { 30 2854: SEQUENCE {
30 2862: SEQUENCE { 30 2850: SEQUENCE {
30 2858: SEQUENCE { 30 2846: SEQUENCE {
16 24: IA5String 'image/svg+xml-compressed' 16 18: IA5String 'image/svg+xml+gzip'
30 49: SEQUENCE { 30 49: SEQUENCE {
30 47: SEQUENCE { 30 47: SEQUENCE {
30 11: SEQUENCE { 30 11: SEQUENCE {
06 9: OBJECT IDENTIFIER 06 9: OBJECT IDENTIFIER
: sha-256 (2 16 840 1 101 3 4 2 1) : sha-256 (2 16 840 1 101 3 4 2 1)
: } : }
04 32: OCTET STRING 04 32: OCTET STRING
: 83 14 B3 26 9B D3 8B 0B 2A E6 6E 42 74 E2 A7 57 : 83 14 B3 26 9B D3 8B 0B 2A E6 6E 42 74 E2 A7 57
: 7A 40 B7 E1 2E 53 42 44 CC 7C AE 14 68 1B 0E B6 : 7A 40 B7 E1 2E 53 42 44 CC 7C AE 14 68 1B 0E B6
: } : }
: } : }
30 2777: SEQUENCE { 30 2771: SEQUENCE {
16 2773: IA5String 16 2767: IA5String
: 'data:image/svg+xml-compressed;base64,H4sICLXutU0' : 'data:image/svg+xml+gzip;base64,H4sICLXutU0AA0Nlc'
: 'AA0NlcnRJbWFnZURlbW8uc3ZnANVaW2/bOBZ+n19BqBigwdo' : 'nRJbWFnZURlbW8uc3ZnANVaW2/bOBZ+n19BqBigwdoS7xK9j'
: 'S7xK9jmeapB0EWHQHzez2WZZoR1tZMiQ5jvvr95CSL7Gl1Em' : 'meapB0EWHQHzez2WZZoR1tZMiQ5jvvr95CSL7Gl1Em8C9d9i'
: '8C9d9iERSPOd85+O5EB3+9jhL0YMuyiTPLh3iYgfpLMrjJJt' : 'ERSPOd85+O5EB3+9jhL0YMuyiTPLh3iYgfpLMrjJJteOv/66'
: 'eOv/661M/cFBZhVkcpnmmL50sd34b/TIsH6YoiS+da11UySS' : '1M/cFBZhVkcpnmmL50sd34b/TIsH6YoiS+da11UySSJwkqj2'
: 'Jwkqj21k41Q6CDbNyUMSTS+e+quYDz1sul+6SuXkx9YhSysP' : '1k41Q6CDbNyUMSTS+e+quYDz1sul+6SuXkx9YhSysPUo7QPK'
: 'Uo7QPK/rlKqvCx35Wvmu+a/uGYow9EOigh0Qvr/LHSwcjjDj' : '/rlKqvCx35Wvmu+a/uGYow9EOigh0Qvr/LHSwcjjDjGiGHQ9'
: 'GiGHQ914n0/sKlMf4Vwctk7i6X7/sGEYdNA5L/WeRT5IUDKm' : '14n0/sKlMf4Vwctk7i6X7/sGEYdNA5L/WeRT5IUDKmSbLVWN'
: 'SbLVWNoo2cqNCh1XyoKN8Nsuz0iqwVW8Qb1fOF0Vqp+PI06m' : 'oo2cqNCh1XyoKN8Nsuz0iqwVW8Qb1fOF0Vqp+PI06me6awqP'
: 'e6awqPeISzxn9goYzXYVxWIUWpfWLCMwcGoLpgy83n8wzGkb' : 'eISzxn9goYzXYVxWIUWpfWLCMwcGoLpgy83n8wzGkbR4Gtef'
: 'R4GtefENmMBznC7DEroKpOBpM8mIWVqPEYGtA+BvoMfS2E5u' : 'ENmMBznC7DEroKpOBpM8mIWVqPEYGtA+BvoMfS2E5uF1Wqu7'
: 'F1Wqu7R6FLvNFEelWReNolpiV3l2VpGntMW9nk6RKdf0+9Br' : 'R6FLvNFEelWReNolpiV3l2VpGntMW9nk6RKdf0+9BrFrMbeV'
: 'FrMbeVuWhtzbHvMR6UlobPyVpBWjXBk7six2vH5nCwY6nXCo' : 'uWhtzbHvMR6UlobPyVpBWjXBk7six2vH5nCwY6nXCo5xb7Yu'
: '5xb7YusvFVPqCOGh16fSxSxglmPkScLfvmDDmC4FlDc1wov8' : 'svFVPqCOGh16fSxSxglmPkScLfvmDDmC4FlDc1wov8IF2WZh'
: 'IF2WZhNlVumgEPRliimDD3PhGPyTgUUMC6lKqKAjxaptq1bo' : 'NlVumgEPRliimDD3PhGPyTgUUMC6lKqKAjxaptq1boUJvQFs'
: 'UJvQFsvi+LOJyxZkPE/vCwHuAmXmoj1AarnRBatzqkbv7cK5' : 'vi+LOJyxZkPE/vCwHuAmXmoj1AarnRBatzqkbv7cK5Ls2ORf'
: 'Ls2ORfwM/vsOG5lURZqXxOnDXPKZw5t5jVzIhFKO0B6D6hAR' : 'wM/vsOG5lURZqXxOnDXPKZw5t5jVzIhFKO0B6D6hARSXDR6F'
: 'SXDR6Fzqq7H7mQeJAOQiUSPvFIrUHOfuui3zrFI5dYVeAmpc' : 'zqq7H7mQeJAOQiUSPvFIrUHOfuui3zrFI5dYVeAmpcOcOb9u'
: 'OcOb9u63vLjae4kYX4yRifYPrTa2SlMigYdO+cEWeGADMLZL' : '63vLjae4kYX4yRifYPrTa2SlMigYdO+cEWeGADMLZLH96SH4'
: 'H96SH4R9xRYApl6q3Y02f+NzlRAl+cZSKhB6qSIVa80fsqMn' : 'R9xRYApl6q3Y02f+NzlRAl+cZSKhB6qSIVa80fsqMnWOqZJp'
: 'WOqZJpmsXwAPoyNaQ95uNIGasKPwhxGzQzOXzMIIzBKabmLI' : 'msXwAPoyNaQ95uNIGasKPwhxGzQzOXzMIIzBKabmLIil470z'
: 'il470zfSjWWn+kvpvLQ9g1l3yRIc8gukz0uysEcakcDfy3KM' : 'fSjWWn+kvpvLQ9g1l3yRIc8gukz0uysEcakcDfy3KMk+l0SO'
: 'k+l0SOXlOopltJL7EPtUlzZfP4tnM70k8xkKCySt92MwfIXP' : 'XlOopltJL7EPtUlzZfP4tnM70k8xkKCySt92MwfIXPoTe0pn'
: 'oTe0pnu4dYbp7hJ/kxWySN0ey0o/1qbiCsxDXJMWWo37QekB' : 'u4dYbp7hJ/kxWySN0ey0o/1qbiCsxDXJMWWo37QekBcAUFPS'
: 'cAUFPSGkPCnUJF5wwBacDK5cGlEp4BC2lYoJcrNNGVc7DzIq' : 'GkPCnUJF5wwBacDK5cGlEp4BC2lYoJcrNNGVc7DzIqxT4CKs'
: 'xT4CKsPlrAG8mL8whRejiQe9EmImIAoz3sds9NxP4RZEzugq' : 'PlrAG8mL8whRejiQe9EmImIAoz3sds9NxP4RZEzugqzb7c3Q'
: 'zb7c3Q89u3WQKY9aegbsA/AUJB/bJs6pfJt9BHFEuk5DWITz' : '89u3WQKY9aegbsA/AUJB/bJs6pfJt9BHFEuk5DWITzOH5uZS'
: 'OH5uZSThLUsDjQ5GE6RMsyihMTaQLfA6BIiAQMAhnHHN1sd6' : 'ThLUsDjQ5GE6RMsyihMTaQLfA6BIiAQMAhnHHN1sd61WtUhD'
: '1WtUhDVJiuhkrdBXd740+hLB9Vm1HjQe4ywLOBLWOMMiyQAX' : 'VJiuhkrdBXd740+hLB9Vm1HjQe4ywLOBLWOMMiyQAXNB8sm9'
: 'NB8sm9Gx2qdGgGkMG6wY8aLfqgH4dfnmrVc+pPrE/Z/QnZOs' : 'Gx2qdGgGkMG6wY8aLfqgH4dfnmrVc+pPrE/Z/QnZOs8C1Okb'
: '8C1Okb2/ggwLdxlDC1D6DFPZDD98txv8xQf5TEc7Ax6ZyaDf' : '2/ggwLdxlDC1D6DFPZDD98txv8xQf5TEc7Ax6ZyaDf6BC4Sy'
: '6BC4SylWKCMqtizp80+UMchATal63qHq0M3ZTs83Ob/XO6LY' : 'lWKCMqtizp80+UMchATal63qHq0M3ZTs83Ob/XO6LYsFzpGV'
: 'sFzpGVY5+iLxdWvwY+NaKoR/0iJIXL3dBjT2hG+wO+NXm53X' : 'Y5+iLxdWvwY+NaKoR/0iJIXL3dBjT2hG+wO+NXm53XStSh1e'
: 'StSh1eogfeojV35BTOaqh/cmPUe2Mdp91pQp2CjWOO2k7Oam' : 'ogfeojV35BTOaqh/cmPUe2Mdp91pQp2CjWOO2k7OamhjU1HB'
: 'hjU1HB3DLGm66n6iajz4bqn2oICmNFxDR/x2mC5s+rKhlkUA' : '3DLGm66n6iajz4bqn2oICmNFxDR/x2mC5s+rKhlkUA3Ne3P8'
: '3Ne3P8lgP0qJfjf9uvu+HWXSfFwNoH4uqGUmTadYMtOc7yjE' : 'lgP0qJfjf9uvu+HWXSfFwNoH4uqGUmTadYMtOc7yjEEd9EUh'
: 'Ed9EUhkwEEOcDSHKQ+yhnSvUYRH8miQo2FK5TCjWZZGWKB8i' : 'kwEEOcDSHKQ+yhnSvUYRH8miQo2FK5TCjWZZGWKB8iHPud16'
: 'HPud16wApnCvTOzjIFAj9TQdCxa+ddOTizaa1xJvD0qMrKx+' : 'wApnCvTOzjIFAj9TQdCxa+ddOTizaa1xJvD0qMrKx+Ydaj6i'
: 'Ydaj6iwJQG0vaSdYWpTv4HwVRAP3Z6ONjOJunEIeKRVmhujp' : 'wJQG0vaSdYWpTv4HwVRAP3Z6ONjOJunEIeKRVmhujpA2+wPm'
: 'A2+wPmQR9WFQAFhh9bGQzFEXX+WwOnXq8pV35P2Acdn0pGeb' : 'QR9WFQAFhh9bGQzFEXX+WwOnXq8pV35P2Acdn0pGebcMg7Og'
: 'cMg7OgQKaEdOKEAkFlk/9HuEKGBVwucc4AjnJ/LBYU09hVwW' : 'QKaEdOKEAkFlk/9HuEKGBVwucc4AjnJ/LBYU09hVwWY1F0Hl'
: 'Y1F0HlBUC2lbyIuYF58O8p+adMwUt9YAoX/IwRtAC9NAdBAy' : 'BUC2lbyIuYF58O8p+adMwUt9YAoX/IwRtAC9NAdBAyGuEB3V'
: 'GuEB3VR59u8/TGYx9/Xjz8bPB/Z/F9B0SghBK+4xxfiwtr0G' : 'R59u8/TGYx9/Xjz8bPB/Z/F9B0SghBK+4xxfiwtr0GXECqed'
: 'XECqedQQ9PRVpEAQ+26MidbGSmPm8RwRzcQsT17EPSmoorH3' : 'QQ9PRVpEAQ+26MidbGSmPm8RwRzcQsT17EPSmoorH3+av4Jc'
: '+av4Jcj78O/vIp/uzMEkHKAE6/F7VHHSj8HddR0Q3ymcGZfR' : 'j78O/vIp/uzMEkHKAE6/F7VHHSj8HddR0Q3ymcGZfRVjwfmO'
: 'VjwfmOnNn3GuWR+FzhcPmPqiptHcayacT28T8j3Cs0/LQCwo' : 'nNn3GuWR+FzhcPmPqiptHcayacT28T8j3Cs0/LQCwo6J2iYx'
: '6J2iYxP4R58AsobjFegusoJhuq7VNS2evRPcqASvQki+gbkB' : 'P4R58AsobjFegusoJhuq7VNS2evRPcqASvQki+gbkBYwETNP'
: 'YwETNPt/1A2pT6UErR1zMzUITZRvF5Lp5basO1fk2U4aBSjk' : 't/1A2pT6UErR1zMzUITZRvF5Lp5basO1fk2U4aBSjkji8quL'
: 'ji8quL3cDyW7TpI3unxezMcSTNhQJhfpGctKgKN2Amo7/7Sh' : '3cDyW7TpI3unxezMcSTNhQJhfpGctKgKN2Amo7/7ShSev4oX'
: 'Sev4oXicPSYS+6GkCm9a1Qw3VEchCUA+z5HtTcbQhK6F14YF' : 'icPSYS+6GkCm9a1Qw3VEchCUA+z5HtTcbQhK6F14YFUp+Yn7'
: 'Up+Yn7WgmzwpZCDf5DDiXT9B7U6RdHAHpdb7IqmLVjqZSLnT' : 'WgmzwpZCDf5DDiXT9B7U6RdHAHpdb7IqmLVjqZSLnTW61zjQ'
: 'W61zjQ7/G7D3hm9E846uTDZoNMADmLlm7IG2ieXfUtu1US9T' : '7/G7D3hm9E846uTDZoNMADmLlm7IG2ieXfUtu1US9TeNGUHi'
: 'eNGUHibE9Nv//2jRJGZfQmK3v7ykJJOv1IXjBsDCPpmgWppe' : 'bE9Nv//2jRJGZfQmK3v7ykJJOv1IXjBsDCPpmgWppe6sHxR3'
: '6sHxR3KVSQKqp+WIqammuJbtqkxZmMHry4oS/9pLhdCXKq8u' : 'KVSQKqp+WIqammuJbtqkxZmMHry4oS/9pLhdCXKq8uR0R+LD'
: 'R0R+LDEqCKRxqc5VXdvPvIP+ggwR0RkyBfO9iKZvrWGAKVdz' : 'EqCKRxqc5VXdvPvIP+ggwR0RkyBfO9iKZvrWGAKVdz31cuoc'
: '31cuocvoO/qemClFMYEFEH7oI+vpkek4s4bCMBqK+5mHQUlD' : 'voO/qemClFMYEFEH7oI+vpkek4s4bCMBqK+5mHQUlDpE/oyl'
: 'pE/oylpy+2/6pWXK31PEYagP04epV1cE50UMy6IQZeQM7+Ol' : 'py+2/6pWXK31PEYagP04epV1cE50UMy6IQZeQM7+Ol74Z+eH'
: '74Z+eHfpHNc7OjffQ/HeV0X8BopoDkGEkAAA=' : 'fpHNc7OjffQ/HeV0X8BopoDkGEkAAA='
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="example-full-cert"> <section anchor="example-full-cert">
<name>Full Certificate Example</name> <name>Full Certificate Example</name>
<t>The following example contains a certificate for Alice; it is <t>The following example contains a certificate for Alice; it is
essentially a renewal of the certificate that appears in <xref target="RFC9216"/ >. essentially a renewal of the certificate that appears in <xref target="RFC9216"/ >.
Of course, the serial number and issue dates are different. In Of course, the serial number and issue dates are different. In
addition, Alice's certificate now has a logotype extension. The addition, Alice's certificate now has a logotype certificate extension. The
extension contains URLs for two community logotype images, both at extension contains URLs for two community logotype images, both at
fictional URLs. The extension also contains URLs for two subject fictional URLs. The extension also contains URLs for two subject
logotype images, both at fictional URLs. An implementation would organization logotype images, both at fictional URLs. An implementation would
display at most three of these images, both of the community logotype display at most three of these images, both of the community logotype
images and one of the subject logotype images. Direct addressing is images and one of the subject organization logotype images. Direct addressing i s
used for all of the images, and the images are hashed by SHA-256.</t> used for all of the images, and the images are hashed by SHA-256.</t>
<artwork><![CDATA[ <sourcecode type=""><![CDATA[
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIFpTCCBI2gAwIBAgITN0EFee11f0Kpolw69Phqzpqx1zANBgkqhkiG9w0BAQ0F MIIFpTCCBI2gAwIBAgITN0EFee11f0Kpolw69Phqzpqx1zANBgkqhkiG9w0BAQ0F
ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo
U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yMjA2 U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0yMjA2
MTUxODE4MThaGA8yMDUyMDkyNzA2NTQxOFowOzENMAsGA1UEChMESUVURjERMA8G MTUxODE4MThaGA8yMDUyMDkyNzA2NTQxOFowOzENMAsGA1UEChMESUVURjERMA8G
A1UECxMITEFNUFMgV0cxFzAVBgNVBAMTDkFsaWNlIExvdmVsYWNlMIIBIjANBgkq A1UECxMITEFNUFMgV0cxFzAVBgNVBAMTDkFsaWNlIExvdmVsYWNlMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtPSJ6Fg4Fj5Nmn9PkrYo0jTkfCv4TfA/ hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtPSJ6Fg4Fj5Nmn9PkrYo0jTkfCv4TfA/
pdO/KLpZbJOAEr0sI7AjaO7B1GuMUFJeSTulamNfCwDcDkY63PQWl+DILs7GxVwX pdO/KLpZbJOAEr0sI7AjaO7B1GuMUFJeSTulamNfCwDcDkY63PQWl+DILs7GxVwX
urhYdZlaV5hcUqVAckPvedDBc/3rz4D/esFfs+E7QMFtmd+K04s+A8TCNO12DRVB urhYdZlaV5hcUqVAckPvedDBc/3rz4D/esFfs+E7QMFtmd+K04s+A8TCNO12DRVB
DpbP4JFD9hsc8prDtpGmFk7rd0q8gqnhxBW2RZAeLqzJOMayCQtws1q7ktkNBR2w DpbP4JFD9hsc8prDtpGmFk7rd0q8gqnhxBW2RZAeLqzJOMayCQtws1q7ktkNBR2w
skipping to change at line 2249 skipping to change at line 1893
bXBsZS9sb2dvLmdpZjBmMGQWCmltYWdlL2pwZWcwMTAvMAsGCWCGSAFlAwQCAQQg bXBsZS9sb2dvLmdpZjBmMGQWCmltYWdlL2pwZWcwMTAvMAsGCWCGSAFlAwQCAQQg
vct7dXJtjBszpCzerHly2krZ8nmEClhYas4vAoDq16UwIxYhaHR0cDovL3d3dy5z vct7dXJtjBszpCzerHly2krZ8nmEClhYas4vAoDq16UwIxYhaHR0cDovL3d3dy5z
bWltZS5leGFtcGxlL2xvZ28uanBnMA0GCSqGSIb3DQEBDQUAA4IBAQBbjdCNVFA/ bWltZS5leGFtcGxlL2xvZ28uanBnMA0GCSqGSIb3DQEBDQUAA4IBAQBbjdCNVFA/
emCc5uKX5WSPrdvRFZSs57SEhE0odxvhTrOs13VM8Om0TxhNJ0Pl6d9CJdbUxtFw emCc5uKX5WSPrdvRFZSs57SEhE0odxvhTrOs13VM8Om0TxhNJ0Pl6d9CJdbUxtFw
SSnSu9fnghDO7OZDJnPiIYLNY5eTTzY6sx85mde9TLaBTE7RZf0W7NV0hqDqcfM+ SSnSu9fnghDO7OZDJnPiIYLNY5eTTzY6sx85mde9TLaBTE7RZf0W7NV0hqDqcfM+
9HnQrU4TtPSvtPS5rr5SvqkaMM0k89bpbkgZlh9HH14+x+DIeT0dLythiXJvkVod 9HnQrU4TtPSvtPS5rr5SvqkaMM0k89bpbkgZlh9HH14+x+DIeT0dLythiXJvkVod
qEfyZTcdplQHQ4szWO7lsjmvHrUIbS1tdAJnah8AZRZfqiJEFeiUp06hvAWnPc3y qEfyZTcdplQHQ4szWO7lsjmvHrUIbS1tdAJnah8AZRZfqiJEFeiUp06hvAWnPc3y
1TMwYI8onfwPIVzyT6YLgjiT6PuLwSB/wtlhI+vWfdINaHdotegjawLm/3jZ+ceN 1TMwYI8onfwPIVzyT6YLgjiT6PuLwSB/wtlhI+vWfdINaHdotegjawLm/3jZ+ceN
tu39FvbV0uKJ tu39FvbV0uKJ
-----END CERTIFICATE----- -----END CERTIFICATE-----
]]></artwork> ]]></sourcecode>
<t>The following displays the logotype extension from Alice's <t>The following displays the logotype certificate extension from Alice
's
certificate. The values on the left are the ASN.1 tag (in hexadecimal) certificate. The values on the left are the ASN.1 tag (in hexadecimal)
and the length (in decimal).</t> and the length (in decimal).</t>
<artwork><![CDATA[ <sourcecode type=""><![CDATA[
30 464: SEQUENCE { 30 464: SEQUENCE {
06 8: OBJECT IDENTIFIER logotype (1 3 6 1 5 5 7 1 12) 06 8: OBJECT IDENTIFIER logotype (1 3 6 1 5 5 7 1 12)
04 450: OCTET STRING, encapsulates { 04 450: OCTET STRING, encapsulates {
30 446: SEQUENCE { 30 446: SEQUENCE {
A0 227: [0] { A0 227: [0] {
30 224: SEQUENCE { 30 224: SEQUENCE {
A0 111: [0] { A0 111: [0] {
30 109: SEQUENCE { 30 109: SEQUENCE {
30 107: SEQUENCE { 30 107: SEQUENCE {
30 105: SEQUENCE { 30 105: SEQUENCE {
skipping to change at line 2355 skipping to change at line 1999
16 33: IA5String 'http://www.smime.example/logo.jpg' 16 33: IA5String 'http://www.smime.example/logo.jpg'
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="changes"> <section anchor="changes">
<name>Changes Since RFC 3709 and RFC 6170</name> <name>Changes since RFCs 3709 and 6170</name>
<t>This appendix summarizes the changes since RFC 3709. The changes are:< <t>This appendix summarizes the changes since <xref target="RFC3709"/>. T
/t> he changes are:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>Combine RFC 3709 and RFC 6170 into one document, and encourage <li>Combine RFCs 3709 and 6170 into one document, and encourage
implementers to support the "data" URI scheme (data:...) that was implementers to support the "data" URI scheme (data:...) that was
originally specified in RFC 6170. Merging RFC 3709 and RFC 6170 lead originally specified in RFC 6170. Merging RFCs 3709 and 6170 led
to many editoral changes throughout the document.</li> to many editorial changes throughout the document.</li>
<li>Drop SHA-1 as the mandatory-to-implement hash algorithm, and encoura ge <li>Drop SHA-1 as the mandatory-to-implement hash algorithm, and encoura ge
use of the one-way hash function that is employed by the certificate use of the one-way hash function that is employed by the certificate
signature algorithm.</li> signature algorithm.</li>
<li>RFC 3709 required client applications to support both direct and ind irect <li>RFC 3709 required client applications to support both direct and ind irect
addressing. This requirement is changed to <bcp14>SHOULD</bcp14> support both d irect and addressing. This requirement is changed to <bcp14>SHOULD</bcp14> support both d irect and
indirect addressing to allow implementations to be more privacy preserving.</li> indirect addressing to allow implementations to be more privacy preserving.</li>
<li>Update the reference for language tags to be RFC 5646 instead of <li>Update the reference for language tags to be RFC 5646 instead of
the now obsolete RFC 3066.</li> the now obsolete RFC 3066.</li>
<li>Update the reference for the URI Generic Syntax to be RFC 3986 inste ad <li>Update the reference for the URI Generic Syntax to be RFC 3986 inste ad
of the now obsolete RFC 2396.</li> of the now obsolete RFC 2396.</li>
<li>Update the reference for the application/pdf media type to be RFC 81 18 <li>Update the reference for the application/pdf media type to be RFC 81 18
instead of the now obsolete RFC 3778.</li> instead of the now obsolete RFC 3778.</li>
<li>No longer require support for the FTP scheme (ftp://...) URI.</li> <li>No longer require support for the FTP scheme (ftp://...) URI.</li>
<li>Require support for the HTTP scheme (http://...) URI and the <li>Require support for the HTTP scheme (http://...) URI and the
HTTPS scheme (https://...) URI.</li> HTTPS scheme (https://...) URI.</li>
<li>Provide syntax of the "data" URI scheme using modern ABNF.</li>
<li>Require support for the compressed SVG image format with the <li>Require support for the compressed SVG image format with the
image/svg+xml+gzip media type.</li> image/svg+xml+gzip media type.</li>
<li>Media types <bcp14>MUST</bcp14> follow the ABNF <xref target="RFC523 4"/> that is <li>Media types <bcp14>MUST</bcp14> follow the ABNF <xref target="RFC523 4"/> that is
provided in Section 4.2 of <xref target="RFC6838"/>. This change resolves provided in <xref target="RFC9110" sectionFormat="of" section="8.3.1"/>. This c hange resolves
Errata ID 2679.</li> Errata ID 2679.</li>
<li>Remove the requirement that the LogotypeData file name have <li>Remove the requirement that the LogotypeData file name have
a file extension of ".LTD". This change resolves Errata ID 2325.</li> a file extension of ".LTD". This change resolves Errata ID 2325.</li>
<li>Encourage, instead of requiring, each logotype to be represented by <li>Encourage, instead of requiring, each logotype to be represented by
at least one image.</li> at least one image.</li>
<li>Encourage the inclusion of text-based audio data suitable for <li>Encourage the inclusion of text-based audio data suitable for
processing by a text-to-speech software using the MIME type of processing by a text-to-speech software using the media type of
"text/plain;charset=UTF-8".</li> "text/plain;charset=UTF-8".</li>
<li>Encourage the use of dithering if an image needs to be scaled.</li> <li>Encourage the use of dithering if an image needs to be scaled.</li>
<li>Require that the logotype extension not contain more than one certif icate <li>Require that the logotype certificate extension not contain more tha n one certificate
image logotype.</li> image logotype.</li>
<li>Privacy-related topics that were previously discussed in the Securit y <li>Privacy-related topics that were previously discussed in the Securit y
Considerations section are now covered in a separate Privacy Considerations Considerations section are now covered in a separate Privacy Considerations
section. Additional topics are covered in both sections.</li> section. Additional topics are covered in both sections.</li>
<li>Provide ASN.1 modules for both the older syntax <xref target="OLD-AS N1"/> and the most <li>Provide ASN.1 modules for both the older syntax <xref target="OLD-AS N1"/> and the most
recent ASN.1 syntax <xref target="NEW-ASN1"/>.</li> recent ASN.1 syntax <xref target="NEW-ASN1"/>.</li>
<li>Provide additional references.</li> <li>Provide additional references.</li>
<li>Provide additional examples.</li> <li>Provide additional examples.</li>
<li>Several editorial changes to improve clarity.</li> <li>Several editorial changes to improve clarity.</li>
<li>The example in Appendix B.1 was changed to use SHA-256 instead of SH A-1.</li> <li>The example in <xref target="example-rfc3709"/> was changed to use S HA-256 instead of SHA-1.</li>
</ul> </ul>
</section> </section>
</back> <section anchor="acks" numbered="false">
<!-- ##markdown-source: <name>Acknowledgments</name>
H4sIAJ2dlmMAA+y96XbiWLIw+l9PoZv1o5zHYDMbsr869zDa2EwGPPbqdZcA <ul spacing="normal">
AbKFhCUBxnnye5b7LPfJbkTsQVtCuLKq+wzfOp3dq9tI2lPs2DFH7HQ6rfmB <li><t>Acknowledgments from RFC 3709</t>
4cz+H8N2HfObHngbU7PWHv3lB7lMppLJaTN36hgreD3zjHmQtsxgnraN1dpP <t>This document is the result of contributions from many
e/Np/iJTmVh+OpvRpkbwTfeDmeZOfNc2A9P/puPrlF7KXsBr1/FNx9/A019x professionals. The authors appreciate contributions from all members
oF+1tfVN0/XAncKTven/Cj981ws8c+4rT/Yr9UFgBTZM5de2E5ieYwb641kx of the IETF PKIX Working Group. We extend a special thanks to <contact fullname
U9EHm4ltTfUbc6+3nbln+DDCNNh48GnHXbjBfm36uuXwr+umF1hzCyaMXRqT ="Al
iWduf/dDzd9MVpbvW64zhq++6e3muKUZnml800fmdONZwV573cFzPrV0A+Gl Arsenault"/>, <contact fullname="David Cross"/>, <contact fullname="Tim Polk"/>,
zaDxNz2XyeXSWfhvVtOMTbB0vW9aWmdwHQXm3HD0kQENfd91YNWut4COGr45 <contact fullname="Russel Weiser"/>, <contact fullname="Terry Hayes"/>, <contac
1UeuvQlgUF+v1uCNmG3sJbxZu7CZNoI0rbdcz391LGfhT/aO3p6Z1GtaHzXT t fullname="Alex
uVxev8jonY0zg0dTd+ME3h4m0YRf5sqwbNxE/98Mw0jDCGdTdyUnOtz4vn7l Deacon"/>, <contact fullname="Andrew Hoag"/>, <contact fullname="Randy Sabett"/>
bnzb3ItJ3lsLy5YASOmdTl2ZZfQtbidsrwl4UsyWdICPY/pby7ZNfegaNB34 , <contact fullname="Denis Pinkas"/>, <contact fullname="Magnus Nystrom"/>, <con
6pt+BfCbuU5Kv6/SFGcEQEQiZcJ3o3DCSzanf9vicPFZj2Emrqe3YOCVIYFb tact fullname="Ryan
XRkfrqM/mBOYnre1pqavTC9byZb1crDUq1tTTmtkGgFgX0p/CKdVKWcz2WPT Hurst"/>, and <contact fullname="Phil Griffin"/> for their efforts and support.<
miMyw9j/ZtBgkVl1YEsMbwYLh1MB+GDLic3cialMJV8o6gPDe8WpOBtlNoAy /t>
19A4pdeV6RSz2aNQsj021r8ZOATNRrOcueutjMDamog5w1a9WMnm+J+lbDEr <t><contact fullname="Russ Housley"/> thanks the management at RSA Labor
/syVyvzPcjYr/sTjLb+9yPA/L8pF8UElWxKdVXLZkvwzT9/2O410ddSjMYAQ atories, especially
GN4CF7wMgrX/7fx8t9udWcHmzHKCc8+cno/Tw2Y9/XiWy5TPTYc1YdRgtDan <contact fullname="Burt Kaliski"/>, who supported the development of this specif
7JjCUdDduV6dAPSMaaCP9k5gvOs9N2Dv+o6pn8CQZ9mv1IE4ivh3msG/Xm+P ication. The
x/SAndxspVzGY4tPgBIBGQsAiKIJfa0PTQDmynRmbBSaI3zQHvWzlUym+E2d vast majority of the work on this specification was done while
7L/SD11vuNMNNAl0QEpjYdKfQJDZy6ZtTgPPdYCmzcR3cwvOCdst/D8daPYi Russ was employed at RSA Laboratories.</t>
DaRmpa890wccZoPLPgBpAj0LKOCbCJNBo6Vnzwr6CfxxXk0fBwDMWlk+MIEi </li>
/YQRLNNHfPnGB4APETzwQTr7jX8Hz/LwZ+aPL3kApN+YwBLDBbO1HiyIreTi <li><t>Acknowledgments from RFC 6170</t>
p+df/mz+NFs2f/xudH85/AQdYd5nMMi5AXxg4eAs/fOVObOMNHGOc2sF6zr3 <t>The authors recognize valuable contributions from members of the PKIX
t4vT95WtgqCLH+nIOABZFhaiJ+0WbuRho4RVPbiePdMfrJlJNKsONB8AZm1W working group, the CA Browser Forum, and <contact fullname="James Manger"/>, for
ylrnBhA/tojnI6tYWMFyM8Gzf77LT3HQ3eIcuNoGJn+RyapTrgLI1gbM09S7 their
7W5TxxXSfKHRB2EjcEpfd0xzZs4SZjHo/QNAuXYWfwyMosHfBUInThNzZUHc review and sample data.</t>
ihfFoqB+lbKgaLl85UL8mSmIp/lMJi+aleTTUjlflv3mC/zPbKUoKGW5IL+t </li>
ADnHP3vNhz9BKUvlTNIxbAuaD4ALzOnScW13sQ/P2c9QT3GGDkjvxPCBaDm8 <li><t>Additional Acknowledgments</t>
ydEzOr5Lq0QWxKNsGmTNIwcVv44R2W96uD46yuftZv2bXi7nCnSac1l2EMbH <t>Combining RFCs 3709 and 6170 has produced an improved
QbbLEwKOh+d4+M8HwzR+bzl7kNPwSTabvYiwmalhE4W6B+IMCHfpGeulNfX1 specification. The authors appreciate contributions from all members
E2j3VceWQJdyUZj8PciIkwDWk+bTOATMQx6WfGzeyH2KlUI5kRT/Hg7U3dV6 of the IETF LAMPS Working Group. We extend a special thanks to
A8xFX4hFgp7AjhiwGxekJZjIIoF698xg54K0EgIH6IBEl9bGmeKYhq37PwMl <contact fullname="Alexey Melnikov"/> for his guidance on media types. We exten
vq9RmBSO03OGBGzZ/MvrQfPyT4GgAcIkCNQgS62QwaLgT0AASQuXDriOsoDl d a special
bED4TAegQIHIBrIsA5IvJoXD6y1k3aQXTJeGAyBsMdZ2ct1qt44z4oNDArhw thanks to <contact fullname="Tim Geiser"/> for his careful checking of the new e
nBsnHpLxWfkiewCfDIi36SJAKJuHd5ft1u8eErGd5/DxOW5demHNyxXjLHgP xamples in
VODKbT9c7VGBC1ENZXAE0dT11i7yHJWjZCuVTDpzkc5nj6z93vR8Wi7MCB51 Appendices <xref target="example-rfc6170" format="counter"/> and <xref target="e
B/k/teOXpgNdT5UdXrlb/GttkTLJDgEwLHdq4RRhNTPL1S2l26iwkgcuip/8 xample-full-cert" format="counter"/>. We extend a special thanks to <contact fu
PHrDUj8RV/j25cuwfflv9K2WTqdB3WIUW9PGS2DJUoLiZwwnrk9DXVY330GG llname="Corey Bonnell"/>,
9SXjdKb2Bles2aoKvGY69Svo1EpbDoMg8KwJEIjIq7PY8NIQgKyMbAHUGH+g <contact fullname="Daniel Kahn Gillmor"/>, <contact fullname="Roman Danyliw"/>,
unDGJr+yZjPb1LRfEGc8d7YhCqF//8XCnz/4miLkQvc367VNAqSvf//OOfSP <contact fullname="Paul Wouters"/>, <contact fullname="Paul Kyzivat"/>, <contact
Hyl9B8i3RApF8onG1pBOXIMKEFTTeNc2SBVAterDjv+VwLMB+dlytGBpStU+ fullname="Shuping Peng"/>,
xahhkDAPEA9+/IhPIxlcSu+62vtZfBsT4EiD4V8wmApT9gL/+vHjTPv+nZ1A <contact fullname="Sheng Jiang"/>, <contact fullname="Rob Wilton"/>, <contact fu
H76CyWyB2yAq+JvVyvD2iOA4Lv9GB2ybmvSEgU3wdO3Y7o3hU8bv55yuY5dR llname="Éric Vyncke"/>, <contact fullname="Donald Eastlake 3rd"/>, and <contact
VIN1BK4+sRBpVJSChzCSBjMCGhrQXECh5T9OcBL+ZvICjPbrGbANz13hvAGK fullname="Dan Harkins"/>
08Des8ML/dva1jJ3axcwJQXdwVgLlyj2BnjrxNSN6dIyt3BQJ3sdpUw8y9i1 for their careful review and helpful comments.</t>
OirOgg8FkwL6twSutwMxGfbXV2YM07hyd9Cbl6I+8HyjWiUtT1rU8gSM76b9 </li>
VV8asJHQynbX5iy2/YYHk9y7ABqcuzaXzBGnBkjhejOYC0BqZZoBDYrCts8I </ul>
E7xy9IXtTmDBDmO6hNfaEjDFg4U4JjCmCHHC7YNpMJkZmik0UE4bDrGmmL0Q </section>
Pz1fX238gACKLB4mNMMxVpYTQWh97QIogNqkNGMN6Lb2kErSbm984IkpJJ0b </back>
z0AssxEk7BihPYR0PeSnSMdgN2EWNROewYhwNu09EWGAOBxjwJKV8WoitrC1
AVhnQBuInO2WbP8MDb+2phsbYBxHR7RtAriC5Z7Gh/7NrcH0TdpzCzV81GnE
rCM9rIw9QsJ8N3D9M32OuOkjXgBEZ9Z8bnqAXBqAGUkWKhEI0tHeD0zchqkq
PpH6hD/wNEbAKheihwvRItMAlPDZYfVAAZvTXOBPz3zbACwEeSEoseWwTTjT
uhsgTfzoq9iB0oxB3QDqRRAVpqluKCKZCeukxdEoKzxojioZ/kVfhofFiqIh
rtoN4NBZTGSkecLwHmDfGk4DQma5WcHUaav4Jk1dOL/Uno8CUL3Cr3xc9pwd
lPD0RQZ04BUuZeF6FqP+mr9fTVzbh1PddWGMJetJ8naS+mzzXTkYCDPPZIeT
6IMJpM/ea3xqH7SWkIPirIHKvuIQfJ64D0T4aFkAF2eBWwiiEezFXqzxw2Q4
BavaWniEzfc1CgNwbJS+EA05DmrqWnGlrjO34DhBpxZyd4AaoCZMnajLGYlL
e31u7ujAAYvxgEPBGg3bxkkYQKltJA7eijNK3BNmgqZ5GgvPJCoAXNGYTs11
gDtmoMiCdtSUDgQGcZc+RnHUdaBjVChdsaVAvKwtPzxawkLjew57XQUmwogA
Q17LF4iACDUBsoKIA6vj5lzB8Dy2iDWTLLQt7IHrIULCwQTcgh0LGEF1TEEP
fHfjTUkIQmgCRMQC0SS3gA23GawnQHZN00HLu0VnAYmlul3UH0MTXUUTDajc
zCTsSAmw8V/YQiIRLLvGF0aH0PZdfY2WPh9Hg2PKGJkUiyyknyQzQE+hWBf7
amp4M3i/BmQHWRs/neFueL/6IPxMQTAECo7Lhk3n32oLAyQQIvesLZvl3rCJ
IsMjgHv76FyAVyKScjKEiMM+3RMNWro2sjnDjxA7XKePAgV/szJXE9PThMgC
WLUB1ECuPFZ/07nwTLKIOoxnAnP3pyB+ISaglKFxgFPXoLK7hKwLz92sP11F
ioTi5d4nwQNPXCrEbhTjomefExjYX5DdbCLvprMk5kfERlNJGjZgJ4PLgkc3
FjmUac/ZuvcaLpfQgu0245doGANGgF1yNMPR4VC7O2C8CyIGICN5PtFebeMw
1QQoD7DSzVqIfsi2SCSMMIO1jUOCqAZ8ZmvYOCUPVogTN0OrtfnOpcqUtpPM
krMcmKjPZcWIwhFRJXT9wST6hEdY5XxpkDiRR0UBFBfofZoLW4T2yy+qJ493
ENvo779g8zR1+4OJtihsEXNizEjdr5m5BmT2iaAtUSZwQHPENZDgr0V1DY8I
w4zmKPh65AsaCKVkU98C72YylsZGJfkL8XKuH/TKmlDfKC3ClADFthbsAD92
wOfgBfBusaWM3QC1FJIwUSyLmL8/JSJMYgDQamJxKBzDUdrYwYFkn7wPnCST
iOwkIDpQsaW1WBI9ZGJXinNKkqoMLg/hyda0JqDN2mac10epJbISjvHfNO1f
yISGxxoXE50QAJykSLZQ/s5kkpO7g10D7ZoTlZ05QcHpDDscmEjJ0+g4k7iM
cJoA6jowwXTgpsXf+kktV/uago7Ut4K34tv61xRnQnBkAkmu+EpowKYYBHkR
kN4pP6WS3PokQTJxi79HKgeUbR32cudIeQUYTzjDCOBOrDPzLAUymJNuNtqR
d1+plwcLNweaTW0LzzeSBwTclDFCpCWCa0kuCw1JkIqMxF8yMi/RmaGWgRiL
/IfRbegUdTlSsxnGMWqNG48YMd/Yv4t9mpAMgXgg+kkED0BhYFsOMFzHhG4c
Ft/5cuAUzkJjGOPrnJfAaGzerEH8OBBBRjsF98iT4gdqBlDoF9gymBkc6xVO
rWV5fsB0SKk2i2kc6M7uHLimxgWqJTqM4dM5atNMasZNlNowLZYkIBTZaAiN
z17a54l7xvVzN9SomWWDJHTqTpujLDOzkdO2A6Ek4HthGhacTiefpKDnIbvT
Dsgn4gpyXiaDWQuOLUsDhBof9AaHUSmmeuKc3Zmx/zWGxTNXwzni1n66szGu
QpskDQSzDchiIFO5zBLjkbLkzQ0marc2HsI9hfR9Hx0dya9y1JBcI6JH9XuU
4gX9Roai9AAcBA0SuMCZS8DeAS3EuYD46PqxnuAxAwZABdg452kjweMQRmqo
imBmjAkCN0PHDZC2jUoSfUCtHS4jsi5S9PkUFAaEC4yrhLvIEaOGbEA8tEAn
7CiiETRAL4cTPwdZ0iUDenRv2g7MaoVCJomgtKsJs9SmbFoRHQ/PJped4qCb
W3bA1BEy7pHMw5RPC5W5iKqqrgbw422DojwcCFQQkOMukWyByhU7QkKX5Rut
0DoVLugjYEdwJWx84a4QWq7Q4cptLIYQgbksw1QQoTSDGAZHZ6qh9M1gi93t
ADvMgIEyiPSfIjk4ACRDZRCdrvhjirPXOJkmMxn1N3VtF8Bhc5soY0BSxdK0
tmKbEjTet1YWyu1oEoU9JvqUKJExusTQiks+SD0Q9aOaEtMCZzBRGHVj+VG5
ihap2Itj0iRqbhGxlZs/NWZGE1SC0zAhJbqrieVIWgl6cihIjIlCAkLI4wXb
NXG5rLhhQRbhDHaWbZPGQLSDY7RBVhOJZn5ouILzFRo7sLM4cwHaaxEL85hd
zFohlA3ScYyAvQCM1QwOsCnramqbsCeGN12CZIPEilP40NYov1c0Wo3ZlYiZ
cnXGJQspWrMEFwGpwF2RG0SZKejXXlQqT6L+TK1Q9CWYOzMSWKuIzE3kGFhY
oEj5jANhXJ3B1k7mJdVARagnHJhMUIhMy5/CCTQZm5ezUJwi3bvRWO/1xySR
Omi5QHUbe4QT7JCOJhev4CTJv8CpdVCLLB4KZEjPBRPSv38fcZpdQjhKzwUa
OBLgGXapzl+aCX2pT+CRAjad5nZt9eAhtUTNgnpANWSKUiUX5LjlUCPTrdCm
DRsNZcGSSZtERyLjWweLUtcxjuCGYu0MPRDSDCxwNyaSaARBhvUz12TSCAg9
7L2yZuEkwCnR0m2mScGZUy3ACqNIoZiS1IO7WSwDrlLRUWRsHWgw2aYjtgku
/DJw4WH1TF3o0IxFiYONZIpvbNT0i/SBGbKJ5UVaS7IAKDrZBMxCgWYa0jrJ
Nck4nSpQUGDae4A0Z+va27jQzag2jSV5gp8S6lF0u2Zk7iRxbA4KEAMESGrA
eIAKc6hJ/pkkVTLvDghn/msqnIgUqUn2tZD4GN7EwiAe2BTeDYaxRvpSUU87
AifB8eAUc8GXL53AjJ/NJN5oMBZJjq7OrJdkzXg3pxvGWSlaEj2cxnSJenQK
v0SFCAgJZ8mGrcVRCmQaNK8wCweTDJmYavloMWHM1UAdExipu6MdYV4+6bvA
qZK8jyjIyJYbNTswHZJZS7XQzsgPXQIh51pjHPlCuhxxRgg9g5wwcBpghSB7
zbitSRASZhlHyAADJVULoxvIjXYwGG723J1u+FoSCBvz+XAejgYLdbvVnWR7
RVQjuXMFUBr363CUPjAvM4B57ODGzoQQjz8HnKYCjnQGbMTdAuhfQUBK+sAC
7Gg02CSYMTPZEP/5/t03p2QtIOqJYsiYqDtzzH3/hQzxXMxAX9oObQL6F2RS
X1Ls/5FZ4d/D5u1de9hs4N+jq2qnI//Q+Bejq/5dpxH+Fbas97vdZq/BGiPz
izzSvnSrT1+YIPilPxi3+71q5wuzVqqu6tAsJVk3shwfCCIzwhLDqNUH/9//
my3A2v8vjJjLZtGNzX6UsxcFcqCbXOwkuYD9RIcCuhZNIunkpZgaawzSQdnK
57ojbh+aMf6KkPnbN/1/TabrbOFf+QNccOShgFnkIcHs8MlBYwbEhEcJw0ho
Rp7HIB2db/Up8lvAXXmICKM3hNeRIiNJQIskM8R0Qyl3JcdWMJHAPzTWBkv0
+1DGCCoJUnCivsgMV5dmePESn7YR+z2MeDEcQbnV9yPBgZM/iNr35aicjaCf
G4VasnILT2LoHGgHmmL0C81WcN6I9GMLLjMdWpRjWp6/QeqDHkMyXtCqmCOO
C+yHk0S12U2T5iSsR9xlH36sOvoXINmKL1R6BtBHzzQqZHbU9OYzlx7tIw1J
cWmi70noPULCKtxxwsugOHmk7VLIBGwsELpI6EDkws80sezQ38Cmq+ptXFfU
T5jR1tfv26MqAbRroGeiDh1hWEc9Bl4BTtF3ROUOV6Up4A2lQiaeWWvhMIm1
joMd5aFP8JLcbeEv6VHidnMt0khiGFI6xUUpVsVCHBjMVZxCTegz3P+zk+C7
KyRbZXQ9OjrITMaM+XaFyHbkeHM3fjRoEzUJQKcZswippIL51KJdcLwi9ji1
QQfA0CJ1qSKKYUL+JZcL9mJZnJsePte4XGJafNApYaPojQdByM/lC1JcQGJ2
0jTbHz804VcW3IzYsSSlegM1zpB8plED/R0SunP52hXbAEb6Gd94LC1psXgy
WCgh/kSqJSUsJpIQ4xKGlbChYrniLzWigLIrhKpgGrjd1JLi98JP5hGzLYel
ahGi4Apyyk/E0USnsqHfDdtcAY+6VYTZSKBUZOFseDyS6R0c9aXhL4VTVw40
45M/RFmGAuRGme7ToYSHUU0BjE/r98yVG8SHZWRMp5DHjceoBWYoxjUXHm2k
8Q+kJfogXOZwdooFAa2OZjBdagfrTyWou4zy0Uhrd72xSYOKfqXJvlNRq5ri
3KYOMP7HjGpQ/A2nqtrRWXM/E3OjsTgxV85L8eRI1kzYqmlVNK86lC9h71M6
OupnM+FgjO5CEtSIL84s4B6BBtTI41L1ieHHjir1a87SdAB+/PgaGhSsFf5p
zgRmaCFGMBsid9du1rj/5s6UCBCN6hOBTkSiQMinmEGcpoNRhwBAj5RAopNo
nzzUfJGk81gwdk4ZuQL6Gafeuo9kGRj4htgSZZXhQsMQMoZrGEEAY3EvIFlm
YfKII34qFu1ApDWkqDg+mh8CDXVX1fwcnVt0agrD4aIst7jB+BprxyWZnTWD
/xeaZimjr61302YQz2UiPw2QylGjlAbGQlF9nS2Kr1X4OcxCzfyAIcHCNc+Z
ZyYe6WGQJQUDrn08BmTeViCqS4hijA/PnOXBLIaz2GDcPgFMlwDTpLETx/9J
gMnDAkeLOSoV8q5H4t4UNXKyZw0CNw3cxIStFM4Pin6CAYSPj3YRPuVGgii9
D/kwhiOYk6h/h/FgFB5YK+rGoqiOKRNfcLVfDDv4giYQEba8NeyNyWN0r8bd
DkegE2u1+IphH8irSOmmI89hKVpNeFgheSkEN6W4eAzIl3OeKeNjF1+UsGna
BYPzPuRkcxXs0heLWEpPDohHqPMA3UBLhxm6dQHwUVlRPR08koGOlvqceLIm
jsbW8CzDYS5rDy2J9v7YGQcE61iv5s7C1F0L45E+WYel4FrSTFW0JHO2k4Ct
JD0kzTR6ZlTudgYI56/dV+hvhZ6SRewgyePC3FYsSgf3j/UvAsc/GYC76I8D
HgU3+VaLL1bnpmnef0TSjGDUIcNJHXBALqUTsDEClYXgMNXQ3/BYGW6oFkAV
boiD3Q63GRNbbAR29AhK7wI3DcZWmUih8WjJdtFGKlmP7DuTBZ19DDgnvmnG
D4Sh0M/AWjGCw4M/utUn9O1tbCDGGFGOorWYODy01pGoV5hIyMCi8j861BGk
LKgnhekTSMpFZ5RAlaANhb3syNBI0W68ESO/h3p3SkezuRVImGkHU2bwTTwN
h/1hLFKEtwqug1wxgko04MSMn1pD5cGK5M+2CkPueaSNiiicm4iowZgZ0p3P
0xiSGUsbIBcuRmMvoqJXTJdpSlH1+y+oA0k9hnunwswhAgtLBGXi4Qp9yFMJ
MikNJsqU3KIZDscz39ioaUYPuHEzyRMHyDcxI6f5SFqSpjihSOdLTrlRknTO
jg7K91DRqCfsgDMjPzlgaONC25L3TdP+N/zDXC1rlgbtUHas92vXzfpYbzea
vXG71W4Odf3bt994Vtd3IDvuSfarMlpaRf+T/FfQR2cnpa/MouqYwQnP3Wdp
Yqy0xknxK1BqDCGz/JWPv9av1vvJxVc2Gxwgm9N/sDmyrU72d6IdDV2Q0CmK
G7B/nYgEzwP1FF0tWBINFPo3k+R1yis7kOqRKh7HdKHhTlypEbBwpOSOYhSc
DsYBoRV9HvSQOogZTewkOjVNTEVXpiK8L7HnAmtjOTgTd3MgqR9YhtjkQMEG
yQyzm4QqbSVp8JyI6HqXEzeNGsbPDlP0xbrwF5PMIvpIKItwyiT6JE2dSXQH
Xae4UYe53KWlM2QEqrYvQw/OMMU2DjMOZ59FTHBx9WXjB4w3onkXExeMUOXk
+bYKUCTT9FQ85duUsIHhRvExiLfKlj5zKNN58dD1h6sQNoow4YQkBBkep245
d9YyxsTFA9pgTVpKgJYqEmZ8KeTdPJy2gJWmwiqGWYfyI4WyKeDjA3laROLA
zIMjp1CdgmIBjHRKCBi4GsMw5Pksb+8AzbjBiwiSGg7K7DihdxtE9kgCAVP4
dWNrWDb3QzPjEAuPYZK1EGGg743Dw6o0ssuww0TxtKiU4L7DlLlthjXiBz/w
0BrJ7Jlo8OJnVeiXqC6ih/kAMgQB3ocwH12Nx4MRjz7RT0SW9dnZ2VeNC7P4
ReQD/l7n7xvVcVW+Jzsif8/yQSvlEvK1SJ7iF/zsC82dN1TJPTlPRah30haf
cdEkRk49E9irCeSAZUVJZoDMAp1QZCuVIeS0LJoiFrTgKatyvfTZuDNiX2D1
C8zkxUIjmwmDc4BBAOTo51qFT+JQ4E5ZCtcnPIXERTHrKDw0Dg8aFit4wMQQ
7w43k/l1uf0piryaEnioSj09N1DCW47vPBnsLI8LWkrkkLCiR+MuMUpOBmIY
jP2TzuGYgqi2RMwOGqtEuN1RxBLpjIaPtnHuQGPghLFAnpjZDMl9l/VENDwm
+zFaKM1x3HobmAuPeVo+E7QozCQqXDFxU0hUQv4AGdJBwUkfNW/vmr16U/+O
YpCU1vE7X9f/mvmb3nwcdNr19jj8tN+Ssi8ZHYRVPEUCG+l/+J4JVX/NKl0c
b8a1Fdnur7mfaka7yidLzfJHJtwXH4p+pNR3+E+MACKeFhkaAVa/6rcFuDhy
y38ILtEADy0DiBP9DAEiPhpKd4AyFB33w71hLCX8l7gd9E0EQowlKXOE4ZOa
kg0peenU6ZEJNUxgSjZBX86fPUrJbwh27F+kz8h2qiOyuRyOSGv5nRENaQuL
jhjayJJGFJ0ejklllKhIEq8cUS2OAo9k3nSaFXOiT5hBgNyDLDWcqZGfoBn+
gy4wSnmFQYhYM0+e7CukDOouj9rPTf0ke3bWrT5+xY3DL6r2ourM7lGQTKmt
kUF93lou42CnJaZH4RCEIDjAdWpHMGo0W9W7zpgHPWM7LNowQvu+gF9v3Lxs
DlO0dox9ngYmWpEzv20cGQiJDd/VVvGGVxi3hvKhzZwHqMuSzRtb7j9reY8c
YJrYLjRkJyDrMHwZOV/SQCvgUvibAtwQ12hwrPeA1av0jmg1NhYx+BMcEf58
2qDVLjxjjwWTzJPM1xSDLSqh8Z1TphinVM5mVcOgB5UKhGChqYWNMTWL6jWg
awehQ/uPMp8CWCTQYoZscb0NZpWymAkbnV0uZoJSeQrH9GOn+wiW/WlsQYPU
2FodbbiybGDzlMuT1ByVfce0/cTmka9Tn59o+Dz728p1gMHnfqPMUfir8Nvb
hkpyosAO+t8QRXwGxXwIRYlW1MuIp+vhJrB5/6Ow7YAVJuyDICSC8B2YXThr
m6usJcqnFewM2dzhSCDvjkjv4xTvjxE82ZpTvJ8jeEc2boB+GxILF6ZixFX5
8rGmXN/zIqqmpsWmnLD8JftC9lUV4eJtaQ1Lie9YH+xfvz5ugoQzHrZ7l9IU
RV6ADVfDDyRvpsIgoE5UsH1lVhEWw64J0dujbIaoVk4ipjShGDK5P6quUxeN
5jANG+7OhG4v1SJu/lSBihZyxU0oBGLBQoVPzBf+h4gQK6enCVMjV9HPIvBI
gIbxM2NqsTEbCSCJjDlWPg7xHkWCuKyhVMMw31HZskCtF1bQfcR+kmjzgWZA
Itw9j9IP80oxzVgqkYmYSXpelauhYfRZaJZiDhtjulS7Ek484ETTDYsW4eaY
3RKz1qWBRXbNlfVkm5VMOFGKgEk0icRlWAvHYHYhDAEkwxiBJ5wvs/HRuNUn
uSJmaVCMbVK99TXuyGOdRWNoOAgY4qhupNCGLfcgpbHMIEWtx6hkSi49UOos
WXCB2faUwTAzg3IwV4YwqShvP4uPIf9SWFQU7TM+QwnGs4S1nVwFUYdYjFzx
E5wYbcKjhUJpGMBgz6LuUFZUylloYmNlPHo8Uwa7r9Z6LZHtki+ERbUomFsk
9hTOcjhnVoirnC//+IGmWbHY6G6HgrQMz+Kr5mYBWT8jnnFD4BD+kx+p0Gao
/WQH9LHsQFAeyazVHJ9U1K0fGIvIUeEQKaHdhtNK1W3AVq144w8jCXF+oO7/
qxJALJp/Y6UPokp+mJWdimw7isQ0szAuRCVJoheL8vPg1LIybfFQK11xCBtz
EO/onMcrjbCZcEu46g/EIgwo+BymYmEpqXo1+oSFJ0pvFbQ7jHeLjSmNzGj/
4WEumAF8ADvSLskgHAtYCR35kVjpWJJr2KOmR0zKKuz3IT9hISQynBmmxAoz
eSSvsrh9HkE9ojRfQYEAhtOliynHgXTtUq7rxDfF+YceBJCj/ln/L/iaZ0Xi
VtI8KBkhNM1peggqw5r5qqE3LBXC6QUmIMmZh/5NXa50jhn8MsqW95uSRk3G
oT/tAZN34x2c4QHgMcl9NbI3ehQUY1VsK9Rdip2CQMYi/+pHvOt8zQlTpKgO
PxBwTPHaSERUGJypb8I9fKnp0SBmMiv4geuFQRiR96GDVm4RP3aMTJ8QO2c+
ReOI1zfi6I0ena98ZQq4jp1VflKj7X/irMbi/v5VJjJ8snuqzfCPbR9v+d95
/0T4xj90A1WI/Qfv4JiCkFlxL39prWVsowL/GBD4kecvtcQw/pAyHO2cYz5V
1mMQU54m5wZwj1BC8IvGHJ/hUCSuwkrDQAbWswin5mUbeXohpjvjbRhSUo+0
oQJzS3P6mgwQJRLI06a2Ya18VlNRLjBhxsTQ3U3giwhjf+pSOJx2GI6PSfrO
FvdbeLEPLYHff2HSEer6P7hgE9GUDpuoIWPcfS3PFHXGBI1QXpPnLOpBU5wY
MlAGdxUwloqXWqxSD4KdGQsRIsz4R6fGj516T9RzNmeSM5IVEItYRCReEe5L
qzXCiM2MfvJheu7XCLlxXLVnLdKzKvmJ/rDMDPYiAgAQw8Q0OXL7psZfMumC
eVajVR2pf/4VpymHal88mPHgC+7ZmyCeGDzhe26p7J4NpFiplYw4uecpHlDG
b88QKgQLc9rrVCWVYhTwPOLblUGB5bMNChFMVFKrDrDJkfCEcVmYJg7TCwNE
FFMtI5DkopttnJkoPooJjdH9FBHLGhYuSRb9z1hWjEDtg1EYtDSAlruyAlJY
BWTVIWBwLP24D6XLeN1OEcol3KBtFnfx/ZdYYD5F5x6iJsM/ri6JmKFkgw9L
jGWtOMnnjEjZYtl7cgYG04SRL3GH76GzFzaXcRhm3uF65oG/XJOqi0IjKNaC
1ZlAakRZxUoIGPax8Wy0en37jXX57Yv+V6aL0qz/Br++/AUDuEuFL/DrS+oL
8yfruvIVtv4rU5K/nH9Bkssb/8sJtP4Sorj+VQzLjW3Q8F9gBtOl4ZGtWX6I
b0IG+OW3L+xAquY4meSjYImakZPgyj0Adwi/VIwwThX6jR77PaWOjpdKlHmo
slvOgQ0qGp6HbhFeS1pXvVoRI4ScU+dMjKW6sTmmiX6VYMOIa0sG4dL9TKpF
aWsqscgsywnZnr6jOlPk4Z6YmMG8NGbhiFgwDgWAhFg6A0nIayzwSBov8ST2
+uPmN73qH4nxCKujsqh6gxtGmfGT5flrRKvoJUAmdbDZvsg5sPdUMMG2gICI
/Ly9Bm1A1XEWwPnoDXC8IJAlbZkhC6Pc2SbjWqAF0X2es3smVhFPd1PqIU4N
pGUbn8fNSdqOCbFEfzR1u2Ll05TEWgrkVgIyeCcHoeCy2ghWDRBM+KCM1cRE
k9GGw1YEJnECSb4KJQGbh7qyJMPQLuLH4kuVsIDD1CclVvbHV5Gkx21mmggQ
DigKkUdTq7WIZClinaeICdaNSVBYgyzF+VoQlqP1U9H6qEhIQDIETohlp5Ls
n1pMrldLaUcqlSg1KkNeJPJOY0HjJGkAN9rM5yijSnO1UpNYFAUCIMmgZKXm
tTCFqgVaSUIWEOYYgSZQz1TL5LEM6OlBbBFNAVPhE7Nc1a45+eG1QcieIUVA
QBWMx2Y1dKWxTEWWdFYIr4YstisHY+YUKUaF2JOSce+REGZNSPEzikxOiw4P
02wjgcz4bUIAMzqFvlNo8av1rucy6DkLG8jOk7xwYVvqOys9QdWDRVIUn5RZ
Y3bbEBISFTUpubN+AKkXwPZkJRBuxU3AU0ATpgwdFneOtxC6nHJ6Y+NpWI9a
1PUPlRk9qsxEFfdozLvMK4ra4zox+LBEqOg3B4hyzF6nfWav+ylrnXbcWieV
g4PpsLzliMVOS7LY/TF7naZa2xJG/EnTnXZouvussyNWPDrZanR6zZi+Yn1p
xaEWPei58KCrqDYJ2/3cudeOpy6Io6n0+RNHX/38906yml5g/t46PjvaGi/K
J3NoQy6CsorSm1Rg4qeUXFznFMwoCoQwt5HEqoRGHJ/C/jVFMGTVsyeAqa8s
aZLLJ1hfT5TNJ2bGjxUlga+FiBGf8yenXwTnqiRAC4tgfA7WJOxjbqVkxMsn
Ix5b9z8M57Drtpra9ynKhV//Hsblj2JcdAFRZCN6klReUDu4vGay5yorqf+m
gX5GLETMMzpj9y4EsmiwKCKrn9y1v/5D9jq6IJRAeDpwtHAVbiRbGrsphurJ
sksicEP4vKUAKCONo8tm3rh/0auiAqkMOeY1dKZU9JYHIMlyzqo7f0YeF6VK
nuhKziu86yTkpuGNPLJ1WAgNP4sMQeVrTCpoyqpfy/nyMGqRvSZ98ViCjCc2
RWsC8kI1OCxW5Z2p9eAwIoTfVPPTc6fSvtGps2e/+jGbszJrsgeRfZ65wnkx
XSdiZYpV2SNVlJkgafc/qdQNBK8tZtqVF7BqFBKl3Ft0ZLswa5R2gGVc2DFr
vR/RtpSaraoctQqZJWfh5NUTt7mMo/pLVJWLnDR+Wwu665dY8dZZULwMK+ZM
JBra70zbTgtJPLTGktFGIoEAiLSIwETuHCp+TqtV1BYs6A06aNqdA1cEbHh1
3J1tzjBfh3TTY1f1pA56okp/qGRiF/SWEmR0gaUMjXgkk3DAiMpNsSpVct4C
h+nmOMNmkY2piEeiZ6woA4nuhk7pZjClLGWHJ1lg8Y74VLEKhtgTekf3xPBK
JphkO2fxZyTyUYlzUj2NiWnLtGkya/Gdv2vzXCLcT2Fh4gX+pIYfgcaJ3Lqv
migDIMrkBPJWFBUPBGtX1wFqsnq5Err9j0PSiNbXlVIuxc0scctc4fUwJV6T
RkJIRcdABFRE4hQOKbpgngYvqxgIIq0dEukkcQXWj3zJDy0b4Qli3pPDMWXP
PlmcD7MT48q87Jt7cbjnh+q9yFpHhh/epIX0AuCkEf3hRqT4BQCWzIrj5PhA
Y48eooVFJnpjBsgaJwn8AIrguIi9UWNl6wy6jctPgCOrXKcst86MCfHHzDUf
f8p9vtFL03gP0XpBvmC/zBTDBVT8bhOtJ8rgvTTttR8BEbvKwNVB4APiHAhF
lL9mt5WJbtcbj2q4J1aoYedms5ZZpdKzJyulGtHJY7iosGV4K8ItqjUbSury
uhu68khEP0I7Fdv+FJJHstmOtkvYExZfd7iD6sLInBc/mtG8JDLqcuGPFyjR
+K4lSFJBHHQJcXD8Ch9Nqx5elsECdC4lXO9w09uhQHkJEqUQNtU+CTlQN5du
uYSTz8urUEnNo5CMNIwVxz8YMfQuibL1vIg7z/wkisQN9wl1gkWxDCpOQAb/
I1cZkG0tYj39+dIA0RtLY5fzHDP+HdYHiYJCi15LKEV5EROnWF/DkoCH9W81
NePPUwoxi3vSpmGFR5OuklKPtupA15QLpmKW4Ejt6ghR9cyF4c1I3GElJjV2
lxnDWyNhwmyr7titpSI19PsvsOy05aS5kegHFgWz9cFNG/loxLYvIlCi4JPX
PFDO4ZYV5dVkQYNjdyOKOt31qiyxe0QIE8wS5QWHfRy7oUAsUMnBTGmhJ0wJ
p2G10sO7Kykcgvl5q/OAJpbQLd0SIa6ywfPHdRQeXYnJzrLw3J6tTNRgjXEG
fIgrDssLHJo/wonT9QNJLlJxK4kwq4ktQO9CaOCjEuWcJ5OEGS98HRzpAtQd
1GatgEUWKp+p6dgyNdcIncOh2h420uQBA0DR96CVeh7eUhHeNihL1jChihCJ
SB751BxXS9DBd8anxYJQQN54FCopPBS+xm9sEWW+EMIhqjL9wvX9NOuGsByj
vNnNjOyCU7xxlkKLSVqo8rtiwk0TF0WFmyXq9oTFovGupqjwbs2PHStWPNun
iChe0Qoddkv0T2osogpaML3zZONQCUEYFW9x2X/VIwpA6PgJqQ9I12hFDyU8
EtdMES4vAqvn1oLfloOX3vjuWeRKbi1UACKBQRIvfDfEf3FcYgulWqBccWac
jkuvpHJNsDDi4V26UgXR+P1J7I6gpYtac+ymN1ZrwDKjDfmaAZVQ6URDArFn
Y33wOcAxYCKUo0Qf42qMpH3DSmUbx2EFT+AUOUpo/8F58ZVLYdXFKTfJUSg0
Rutzne2zKXI8IbO4HIG7HtnhnsXqRKX08CJl7j1jtDKVEN+LS0np7H88Dc+Q
I5PxYjhwLOqAVf1XLljRZO463295OZ4RczvyWsyuO9P45clKEj0TGFCt/Kw5
QC2wyawClCXeyZaFVEcKXoGGaKzRKCzvJuHQnLnT19B7hffjUQXAmd6p9pRp
pZi3SrYCmYW9E7X1cKvERAxbXGbNoKReIyB8UcrlQDHqKbzqCs7v+eYxwo2a
ABbSoHQTRRBR5HVNVOLFelQRNKVDGvAdCi9IiFwopfGh/IOxRMViw1aG/aOI
SDgTue2HF0Q0pFshIheL3KLQBItkglJGomwKpFLpE3N0pV6my9ReJHFh6TIf
rffyNnkS38nOwF4cNFTLnjlhgc8I3xMV4rS4X1AY86N+kITSbxFrNb+/Xd0n
dl3ki0iJYpMkHizMaREVK3KvdLLLRR0NOauhEUXkTkF5CY201kWj0uqMUhLN
E2jErldDQB3hFPGgEKD+ETMr1+DVus0xbV7Q31C01EwKnGTlpy2MWMCLM9mx
Jqirx4Qp4YfXOKnUWlGrwkuxgmVkeippTOkYtAJygMb2g+914JnGipm1KHJF
Zxt5JiP1jkgNMUEtQXg9etF6KGQclDuMlCQk2+BhMIkRxEwWoHMwnxCrH+fL
GF9ZQa7qWExz4vWgwnsYBB/gqB1GojH7PoZW+pyLcBurGnopfcPRUFaZ0MVR
mPXFr+KdiWoteLJ45bBIPhY3UfqxME/eF2aUk2YRin+aetPwLCRHMrZFzJYb
RDUFOw+qiWNFRy5283MbmYSm/bso04f//p2tVaknQQ/Dkn7hs2FYM+sn/v17
OLP/mz2Aga8HzUv5nuZ1/rI2F0qjs5f14n9NvPN/PRMv/h3kYmz34wc9ZyGe
GUpHOzJwpJYRG/iy3Qrfs4EXIFCrA0d+i4Gh3c+Omzzw6P4yfM8G9reL0/eV
LQeG34cDQ7uxHBl+DI8Oi9/HSuyJgU/1y+f2ID7w6eLDWvOBPxis4a+zxUfi
wM+fjJy44kHvYMVrZ6E2Oov8Fituj/rZYqVQloNDR8fGTlzxoKHsseIeOF/P
5mLgWcIew8D5XCaTkQPjTCqZTFHd+XI2CzPDFSvni1b8/ZseoVZpRizourLf
vkTo2pcfIihyLKIxxabgfYMok+D5VwJd8dZHOOhYn1ycJrQpsAKoWK2JOOre
DESwqbwdnGhtu9qrnskgAKzYQXO7B+EJaAy3Q4L2Cfv8NQzkRiKUilyjJl5p
yizZRVtMPkJkG1sOOdSRvkk8CkNziC5TvzAxXuVLEfbUFAoZMozdKp4U1ZmO
BJ0Mp0zEA46FN5MMeQytFl71jnc0t7GoQLTkn8ruuRtO5KhIR284PD7C7ail
9DoJ6o1UNH9YpAdnC2fZswLLEGYQOPvJxfzKLnv+VZjXowNoejhEUaQgxwZ4
7HaUQgBcHMNRaUdkTi+mL8xR/zjJvGeqX5ljnBxzzgzdn/heP2n2O1/DsFAm
domgaCbdshhrHhytQitEOKQ+KmKHIMDLvVDqF4iKFcyY5VVV8UAsMqmKoSjd
bAoLPDeOMTRamgb6TFiEPgab1JnhOT2mzLzIOVNfN7EeBCzmm44UkRpr4mpV
VDkZblOFFy5mSUSIUnJ+uytfJSE4EV6iHNlKMYdF8Q7viiSqLqEFUqHzx2Cl
J8BKU2AVlrhAcUMFCgcZIySOewAR/p7NTVKByJTie4t3LCvz55e7Reo3aAed
JIXZH0BBXJ9AcAXt0qWrrOm8A5aGSOpHYWxMoEsFupGBZbm/Ty/6SMh76ETy
HsI+I6GDSuGAOJw0ZnwR7r3ImU2hZdBlSXi8AanvSqFJcXg1eXh/7+iGp3Fi
BStjHSfz2BxZtsqARdZQmIvFJWze0wC1GmQkDXEzHJcoT4AHf1Xui1NJpMpo
NTm80CFItp4IMTWxPoPgLTDGeVVX2fQZahCsRluoQURKIGD9haicTIRE2qep
bUSYwRG7gzx/xbrRvn+HR3iBHTPmhEUugC58oS/PVyC2fuEVOzOZPCYixYeO
VR0OL5JQ6/4mDoGfnoOeZTl/wQ32zeC3u3ErXf5ydrC+Qz1AXQlF5CSOK3H+
Z4eOV28VdrlPbrzQedImqjPsogqlUAir4B/qcdFSFzylKJ1QRi9W+oYVNFcq
jsgSF1yvxtmdYVdCK8NEzZQs3MVLSIs6XNLrrWQbxsaWTuUwPVP2r9TZ4j19
0hFZBnj5HrwJnlUBp2AevIqB7/D3X6S74Bh6/2Rlf5bcoJ0kJf2muIM0Fab2
kgREOPWVR/cqthbcPW6xcXVjNbEWGwrB8sUxnlhMx45kSMvKyOR/5zgXTk+G
qMRCXED//RIpRULYGMmuIQcz2ZZEIRUrYLKgnBHlAWORZh7o58nCIBbdPBop
sRy1yNBVs0tqjdZGb/9pXZsz1cWNNhi6tS80JlEkHoZf2swBCSRwA7sdBuLA
ejHMi6W48LsSRGNRe4V5fRlrtyOjkflo53q+ye9O9HU4WpgXFZkBPzI7YQCl
6w15AR2S+A3dBj0jIItM9H4TJ6F8AUMGsrEH6BuGthhRIgVVg0VjMxsgoprc
JRlJx65cMElOoAtAlbgRccFW6O4yyLwlN0AJwkAvuPTCicriMfOUoQUeyD50
46QrL4OmnxOW1DBzKdsZHVxV/+B2NS0E5glRIHdloumV3VALB3hrUogH3YTL
Y/LWLnD68L5lcn36mpLYApPkBs+d5yqXP/hKsBpfI8tjpausmE2M+cXJ8Ko7
5k5xj5MnzUNxKh4uxy45XvEjxlBFpBDPTEPYPSmKIHTsALmx6ALtMGqZV49Y
L/c+BbwA9tnI9UNfqHjDCxKY8alg5Sp2A7Qm1EUCmrjfN361b6x5PI5CXIJM
6jRjEdH7kGW4sNIOgUUBpxjS6eA1ARvUVnnwCQILZhGYfvxKYIaTBHsfXUPB
Er0THKWEEc/Dmbv6jofWse1Rxkbfj0A5cX2niMWT4V5oafbZzTbQh0hvnHtA
djY2ldWBzRMAicTITPbojFliRUy612FizIDc8IvR2eWidMBSQlvFZ2i/ZIsP
s+7icYTMOKFTmQiGpvRI3jnOC02Q4RXrx2MqEkA+GsEzJQBOTDZ/6a5DCXG1
ZuTK5TZ5ig81KUCDXEwgk4g7wPlNMglXDZorzGGVVteIJ5I8bRh6s9xwfipf
LYTl5CAtlZwPPHCFLLrWQbTj8WARETppsEcsJEc4E3AaGuwz8f+twhQTgrxi
USH06ZzCtAJXk+Z9ThZ4XBGHLRB+gy6aCQXBaN01TlMoTtGWdwk7Jl1fw4v7
84gIEUMB6GqRviDTT+V1YhHnxK/KHU2MGorAfMIXgC0DGIsB0JiLHcdSoa6M
eyRkTCyBOYGj6xAJRdH1qLO0GNUFnNE2a5RuCZbSrWJbE8/w+EceSsXkl8cb
tETtRXYzJ5xrTSZ/M7OVr1LGWKU+J7IEurYejidQ3A9T8yz/1VcTIZXbhNZu
wLIobLweAmvBYMI19cn5GXBaPJhoQNREAC5iJV3VjsoB7IFEUdXjELJdHW9h
N1m0O8h7M8QnjRk5uNXqAvFSucVAGyaXBmF7yS/hULMOUGxURCoeJKlkfyRF
l1JuI29AJdMkcQfNPcXSvrTIlb6ic6qxZNuK/13N1eeZ9hP0hQIBAyVLWMXC
XY6l95PqGr1GRA5I4R9MApqbbDk7JPOy+kw0J1YpWXNQ6EBjVQmI9EylTQVr
B0RmRkYDMTXuILJsdrWWxoXaw9osPDJfBAZyPZZJMmxtAFaNC1YUimOQZUpR
4I6XOuElrNjNS6wLFVwx+22kJCy6iau+vOInwkGO3O7AR+DoO8F4Hl6LgKXa
SL4hSX1iMDG/kNWlyxW0yO2M8U95rU3aMUMU1Q1LYwIiJzGK7cZGgsQZO6Ik
hYwiBzSmr2FeCCtImS1mqfJJG2PQ8IVix2RLknuJV0MI0BI14MCmmhamvSaf
OQ3Czh8P+aUZzJKhHNbsUAsuyiOKdLd+EDrJLgVnrtUVhb46/KI9FkwXcDTA
+C9/D8iDRnseeoICBJZOYrf4JYRlhnQwxQKyUjxVxcUUGX47xtTyppvVVmp4
atyJGmAe61GP13EIbyiTdSbCkEA6oOol2p+Sd4r7wJg9kNywyhnshezq86hW
hhDcuBWNQoReYE7sjncuYBzcPuLM0qQFU8QY94cYsjYIqxq3NijfTBPvRbHP
CLZTRA5fSMh22FpYosBe9QTJawp4+G3U6ENSukXZLCxwCRYVhnMoAWyHx05c
jxxwmVyK6DH0tW3gAzwv7HMAy7PLUUqm6MgwIdJbWYh3YqxbbKdHFo/qFmYT
LTCnSzJy65EgaSHWs8JEoLnZB3scjTSN1hAL7dq8LgI3rPtCq1BgmmKx1gz/
NEYVmIbGtH9MuV54JjNkBfLoKvffKg49Hl4ZC4sVkTVSgxPy6MaxgKge3C+u
1hfmduhoZAtzkviJN4TjekDUZ7WMFcuTpvhaVas9jhwvLczZbLxikbBaRfwr
dCMPc6KIdvxSJXOm3jGL9Cfgqg3mv2sopZNVhEs7wvMTJReKYhkaPGUNDBHp
GtpIDutITMPINza5hFvVQfeJw+TI1eKHYUZofsbbtSJ3pSeOIoQrccNY9Ip5
qngm7hBisAn3P7wfXTBiEVSvENrkpWElgoM0TkaeOFTV6LF4jQgegKrJfFkR
aSfhhRKXAC43fBENQY0CVDjLFfgUz2NAsT6wFkxtY5HV8IUjJ4hM6+h97RyY
4pp30m3kUQd6ocTTG1EApvkXoJtrrHVYiwef+2FuMEs8DrkT0zcCSv2n3Cc2
C89dbOJnnkn3WG9QkjhGkPeCtLN8PRyTJ6NKMuOzJAVOXigBwMIMgZDa6Tom
kdB3qG8yDRIZpsEyHNBeidmz+sTD8KozOZSrEFpRKBPY/IxK4aOi5TpW4LIC
l7zcD1my+RwwvlSPk2JVlVOliLEH3IKAB2yO35pWynE3/h2b6AEj5erkzJza
ZPnFwl6An5QOZMMZR7d2XKZQI9bpCokNMXM1KQ3znkEB0oluIBWiFQo3gSoH
yakBC5K0Q5b9p3O6dV95toTlM8hQagRDI88MjZDM9pY6NLyRyXtCFQ7RO8MR
RBMlDwFThoS9CNotUoWZVMhXyGyxRJnNsovUjNDBTVtLqj8aDiGRnJl0UYQK
Dcvc/KCJYiDyPgSl3Cm3skQSKEgpZ8GNA0z4mCY4cDATRHhwIolxBi9oTnoc
N2NwBTnFUiWiVE5bsyHSPpJkdnNmNE0xIu9ItQdOtSvDXE1WouIgJSl247Zx
EAqKt+rg2WIEyXo1bWuJwffSRKUiNI9W2JoYt/3ZrHnNpk+kZlm/QFREZveU
C08Ij6M9vOUWsY6czZy5Rqnmjse2yqBjmEhtr+0MHqVu8AwAkTXCg/JT5P6Y
8E5QzI3npPP8OXLerAxMKhO5V4cCq1DNlADcmBmOiY2icBP5d97XzF4h4uJF
eH6cMPAZo6cDfRVC1BJT/+TWhYhPhtnKsByISY4sdHMcqr3Mq4vpEhuPnV4C
cFzUwE41lkyQOgZivnMceaLpqmTC8Fjg+/5Ma5KvK3EgMUg0PVKEu8kbjpNu
A2ahI6xysgSjLsDI2QRLKORWMZioljwNiXxcSmDFqyhKPzGqV4OFeft1IOXc
g+PALLZ0G2UKEGcmi3wy/d7lt6m7jkYFEolqU73brSUNrmQ1D9vw488Cy/mM
YXodOONY/THFZQUWbvDHegN5eOM5pHKLpcnbONmNmsSIxTJcfjkwj+LGFSB1
HTGfEybIEZhlLkmSkMkxPKViu0sGdaxnffzE6n/gxGpHTyzxFopKSkWO5+Fs
SR01Uet2BGMRRvDwgttoE4oXTzqAYagNuWt4+RQx7k7B04NDpOvyFGnxTN9E
uvJ3n6iEfeFHiRNWNpk/cpYopC/iORRbSC5pwjto2eiNQhkwNBM33DET0i7K
xfKPH3iTb8O94nJbLp/BmIKlNRNOELRiKDWaBWFQpAKBn1pcLRHmb25mtDwp
3JwpRc4Ta8GGRcqTKy5Lu0KcYEl8iu0jQ34SDXhNAYK+9KIfdMQd5XLb6DuA
CukWIhSPlBtZOQCUywnwj7mVUD1F5PfBGVoIZUUmeyoXpFDJ30ZoK+AXR8+E
XIGOdRZYlww7BWZa5EJgNjytHAUwOTZ57iimipkKSdQEYf9M4yJemgUfRC6L
kjoWo5I7rJtEEciYch51LGoCoT+LT5RhnckL0pLusG87kTvXj/BEEd8SUeX5
9uAHeIDNdyE9qlmE6v3x3N6RkEscvXlNW7jshmlJsw/JGgf/VCQ/KbKZ4p0A
DiJjmvBqbnE7SNJs1ZmKsuxyT7WodV4m0TPoqKYXdfGKDSmaJHzAAOJsnXeG
6dS8LqVw0ERzqOTFZDwGQ2AFEWGCiVy/clE741su3QYkMCl64fKx+7t+n94c
s/kA1jGbB0fgGK2WRj3SunD6gtowMk80J5nhxan+PAkPGFFgnmxe2ljNNNN1
tjSJccm2wri7l2+TqP7Ba5KyA69cMMDK9If+iqjJRHhrGVkhhOPXVWFMsC4E
Kfjyyxx6w9KFID59ETLIWSzdmAA1dd1XC92aZjowFixWS0TQxzzeiSZTvBFx
wxy5LDjoQLMTAkOM4mvJrIML6CJHjkPikHpFfXlkG0bWGe1LOKXJ7m2xEEal
7Dlq33Qu0cLQGenZs7x6x3wkSUDNchZidChrRMv2iWJm2CfekO4vjVeJpaxu
01KaEkR7mbzKrZl7wTJQ/Po9zTGsoZE0H7mQA5GBIWvoeFAJKa+jxjcEs8lt
V9x9GIja7dxsRxX0iHuLZZzpLCmz2qseGi0swzF+aFqLy1qINtVR7yyrd10M
NmLOMMN3sumVO0vDaxSSsCuN10A0/UhYG9ObY6VD9ZN+u/FVCnQr6loL37OL
MeCb2CeqacMmQ3LIRL+Mum1NRtNiu8FN+1FMO0wY+sLzqEClPQGsOiudZc+K
8J+LswyW5RALN99ZIUS071LAh0i5kaGNcG7CWoxqNQz9BKbyVWNl/PxwOF7B
fc5crnhdbv4iU0HxCv8uZS8yDJK6Cklts54JNUFMhXQ73k1CZWo//JKVA+WJ
M7HVnuVyVLkV91GKKAmflcoHn7H6KPwihFiD7FmW9QufHe82lwGUihcdT/ws
l1TROPHLfEIhWpb384tenYqajyte9ggd7D+o6n/8HZ1yuT3sy7Q3n+LPHzy6
SGZBWD7nlT4GhdJt1A4rV0UHivrCBGV0tsxZzodhC9EDa37i1dXomzOnMns9
1hyFmJVJyKRx8avdHLcYfj8AiUE0vQS4rPHOH87rZ6gQs5R2ErFfCW2qtlb1
fNMxYLIpvWFsgc3UseJNSh9bK33g2q8pfbgBGmxDTxaVRhmbHiDvlbFHVlS1
zXetAfooqltVB4TQnX7lGqCKDIGa7vWRMTED7NoEVUsfWM6rAa26xsLZ+Hpv
D+fABQVsuDcc7WoDahxTXAdLy4YVYGyt9FpZwA/n8LdwETMpDmOLYHowJnAM
cy+XhiQiPIxwzoajqt4B1YTUTMZFZYa/Vtt4gX5j2Jb/aqUoQDMU/MmggVZ3
dy0C+Q9vveTWyy2WLFwZL64X1pBlkYVu4l2ZWLFo5jIDBBA8Wgk+k/d1JUyc
X01xFEmRbihIij9/MOeOwK6w/gBKxrww7iGSMgwTq0Dk0nYcufDQraWTqua5
OyxxAKRyw7OdrilkFMjhAjFG7qDGI8doA0m2ERE9tKQwQTT5eKbDFFI0oVPN
D5yOPJvYr4QBShT8jqcZq7HB9EUtYef+zpPXqXYHoz929DQ8OVjC37Qd69Xd
EpAQQ0REHaJMqGv4yf1p4VHG83pJR1R2xWMoZVUzsZfIxLlsiXwMaxdCr9a7
XjsrEAxrQEJ/j3TUXQ+mX8OyNbad0hqGYwGRuDGWjn4JKvUKvXVDF+tfwKu9
be1S+gDIDEAJ6+X4/NfN/gPLY6X00XKzxikOTGeR0kYgvy70axA+kJK4E/3B
sgMkMU3Pmur3e2eKUloDMWGmN+HU2SS24dxhNCBOuBNM1GakQ4BCQUCU7gg6
dHcaJUlp6XSaarETi1DEHMJALuQILhF5TYJutlIu6yN2BVX4fdq1Z4JNGALS
YVjgzuVdMZEGADMBmU0JyIXmGr/X6vv3fqeRhs+z5EIcS+OX2oNwGPOaFayl
kJukb0SVgdUqTH0WS8hAwpKc0E62UCIl2CgRrsh0EToP3UF/OB7pWA55igYT
+k6Jl+Lz9k289+WTiR/UvdcOK84LPxaTRDFMWcw1Qg55ZXqQQJ2zrNSJcQDU
i0F2+A6N3ZPsV6XwfVpNtDjJY57j7KT0lRWEB1Eevkahg6XwALU/KX5V3Mr4
C+9TObn4ymWlkwz7PiY5neRyX/HGlUaz1e61x+1+b4Qg7LTr7bE+rl6OsE6+
VmtetnuaxmGL/VSF1ULJfG8N+12i09kmv9Ad0BEQGsGAsKfx/561/onlshXj
u2xaXDN/ki3Dmv+Cpy3Ex7AGCYj5mhaVF5PuniHA/J3r+anVwCZB71m8E+PY
lNmZ16LmFrzgYNS8vWv26k39Ow4Yu/xZ/2vmb3rzkW+2/LTfCi84xCTB/gDR
otpJ0c0K4R249O+vWaWL483Um1epWe6nmikXWbFm+SMT7osPRT9i8xP+iREQ
ngDOHmil3/SqKPisVMWTH2IEITyXV9yHUVAhyGnyCPL6Vb8tAM6No/IfAlxG
dKE+TSB1op8hSMVHMm5dVwrWYsuE3WWRtuG/xA1ll2GoMGY5scocYfikpizj
+T8IeDStI0sSoW/wLxYNl5LfEPTZv0ifEZRSYchWczgiQeN3RjRk/mx0xDCv
NmlE0enhmGHoH/vXrhZBqyd/CoCYEqMVo68MXhX3dH6C6vgPulBuL9XDm6Hp
IkIVT0bt5ybaIM661cevuPX4BRB6UKvu0YSdUlujkfbz1nIZKhTCXTmEQxAp
CxU9LdSOYAScqnrXwXImNoh42E5kU4t27d64edkcpmjtbYfV1AC5JvPbxpEV
G7Dhu9oq3vAK+NsHSkk2v8vW0dfWu2kTDPeftbxHyWGa2E5x1x0i6zB8GTmh
MpVcwKXwNwW4Ia7pktmWCiXQ2XirsbGIwZ/giPDn0wYetvCMPVbsMYFxphhs
kevEd06ZYpzWOZtVDYP/VDoSgoWmFjYGoEzw4zWIDQQd2n9UBRXAIpMQM2SL
68nsT5oh3gyN0UBoaXVMP3a6j2DZn8YWkap/rOHKwnQJEiuTmsvc/qTmka9T
+udHGr7P/rZyHTel536jAkzwV+G3t41BAynJ/wyM+RCMEq+olxFXwXAX2MT/
Ueh2wI8TNkJQEkH5DkQszh3nKneKCgsKeoac8nAkUL2YmZSTvD9G8WRrTvJ+
juId2biBbXA/xMJUymWqrP1Y02h2PzdiK1x4HE2iikgLolyAxW0tzKWNbdm/
RnOYRvfMLN6QrKVaDCwJIF6yL+R8E/SDlPiO9cH+9evjJohy42G7d8llCnbp
aaRaBMrkPgnl+Pj4ZV6/J4iTTHYgi/+EGM6upfyTd1Jqf/IGPK3ZA01EqzeH
43S7W71sprv9xl2n+QdUDqby/aGlfqouhob2k1L5QHGUonlccYQXpJRXO52/
MGQGXYxK4WCaTWCuwkgUX3hftMNL3P4rtTCcykku85VuiqOdoevivn/j6Zl4
dtJYuAGkrN9+BXph/vpDOzDUMDtNLpPJJdhp0HmlaZRFyg2+aP/ECFeeAsx9
pAEmz6P7loepsgFkTXme6qJJW480axhO1N7BnWLi5kkj0DFIguWAb3xuB6EW
wgAUSUHrNR+4LUgW0WDx6jw/KbycWwtvfVPS1yrZHE/EZPmEuVKZm2cACyIT
DfNe+aSSbEAyi4UjUNwEg1SSrVKdOtm7KeZZTC6XyWV5eLhtC3WGZ8r6mijj
raAqq4YLZxsDy0nfAZSb2GpJNNXiy+IrEobN5P47G4rGtcafsRQ1H8fN3gi+
hr+lgShdp7hK5Px+GhZeCWUJQAoa/u8yE/1xKxFfLb5mc0tncifFi6/sNuIE
bvYdkL7RvmyOxulq57I/bI+vumKJ4eehE5aW+V+4MiNpTrhGJOP6X46ZljQ0
zoZ2MLmbjF3hEKOn3rj6KJtyRA1pdEOvPcXcr5zR/x9me/un6e0faXqTYu2f
NR6xDk70Bzh5er0PBKcH+DECnDg7O0vFAT4YNkfwGlD93+X8jrRU4PwHWqlg
/gPNFDCHrb7+TzYrJiMGm4VEhz+KDax5MoT/aXv8p+3xn7bH/3G2x39aHKNf
f3qK/2lv/Ke98f80e+P3uHqW0r+DMPDjxz8NkX/UEPnTpjil4R+0k4FKxanD
919EbBgLdOIvDsJg+VeRSFi1lDN/LyoM+GpRs7A6jZJ/DBRdY/f6hh+yMKjD
JCee8xP7Wt5cIYo+y4d4AczBDVWiNrpyioKlhzdMaijz4vkXNi35LS9WR6al
0VU1nSuWRG0bvmCN3WUfDUMimHErIm9GpURNg0qD4KMsj4wSiVX8qjxzztJL
pC0QuOZCPwEuuoQB8VbZlWF/lfFXeHM6TA3fi3fcqqXlM6BJ576pJzlTAtQt
f0tCJwmmkyzgUgkQuAj/uYD/z+a+apmCns1mvkXPbQrTLYy1T0X+AZFoxAx2
r45ZhR4ypW/EakBOgAf4VeEbYz6Zv4l2OfZEbUrPM/x57IVeKYsX6pssrrAi
3yg0+1eJGL9S+4LyVazrwkX4Kv4um1XeHcC2or48hDKn/ZGPdH9pEH6c5HSY
fbmQQZhncBcKQA6kKSra6AduiZ7PqU/VvUlqVKrqxbJezOi5pl6s6KULvVXR
Gw29kdXLVb3V1GsNPdPQa1n8u5RJ6qJa1LN5PVvTGy0909JrOb3W1FsZvQao
AvMtYu+1Kn5Qa+nZSlIXPxIe/iDQ5guJO4JbGlmosqfLIFh/Oz9H5D3j5/EM
tFb2gLY6abCDZ4ePDp7EH8R+R39Gfqk/frCjSYSW0z7FyMUIaEhqmYfivzOZ
xXu8/sPo7H8GfSz8A+lj7mfoI1HRA/pYjtPH0gF9LByhj7lk+qgQzvhhymY+
oY+4o/9TCWS2qZdbeqWkt4Ao5pGWFfN6s6XXYbvreqWlA2cHYpdhFDSf1EWt
oFfqeg7+twqD6/Wi3qzoGXgCMkEF/wv9Vht6qaFX4fkfJZDF4wQy/ycIJNvr
pNEOnv2XUMimSJRnQvAhgaRE5H8MiRzx6zF+kkb68c9ZOhy5cY/d/XaUUMYK
AmiJmdvi0hjK2v725VMyOtlrMWGVlcPC0os8R4aggiUYjpX9w2LBlF7u89ov
M/KFY2UzdtNutBzDfwK1zmVLmUNy/WfpdS5bKP0EwYbPcnGKnYOneU6yc5xk
w5O4TAuPMolEO5fNlZKpdo4k9uQjrucKn9DtQ3RjVPwzMv4pHf8dQv6TlPzP
kfJEWv77xDzSDEhvFYg2MOaqnqnqOZBcQWDN47glIPIX+EExp8MUKjUAUlIX
laZ+UdMrOb0E2FPVaxkdtr5UB8EWxdsaEPMy0HDsqFHRmxeJk/+R9JTIeS5T
yB6j57lM/iKJoCd09ivRg2NI8Be8A6pUSF0V/Ha9fbne55q/JnVSrebet8+5
cvCUq+zMUfFjtppW1/eTyWTp55tXeec+s893drnbyvwmd90xEzvZXTWG/bva
0M1ZtfeH0+HQHhu5u9brft1+uC9ugosPu5a7e2tVppuOffcaJHay76zm/Y9B
o/xuzCfBbD/YnGffNsXX7IW/y/nr89Xq9L68neW6fs74mNwXEzuZrga97eM2
WzLnj8uLh+1zPnveyVUq5vn2Y7weD4PseWbY8bab7OwOxNTzxE4uXk5vgtmj
sfPNwDyvtJ+Mh9KqZF5ceC/+tLEyr6adyezxcfZ48bHelIJSYieV7er93XUy
5eqwORs2gotgvX9oDIejj4vTYLHOTc7N3fmyedMuPly6g5t9YicPmXLOL49W
5sM8m+993O+7pdJmUnp+fj19f7w6rTwWTq/sStD3/YeOvc8nw6SYrw7Xs4vg
fXB6sXl/P8/NTnuW+WLO74PguXzq9Izta+2lsu8XADST8iyxk/V2/T4o74KP
zXDrZC6su8H56cPmNJdZ7SuX04d5f7CeNyYv971C4el4J/muczGd5I3Hy169
2q7Xp6dG+XTfcc9b6928Mzjf9PKzj+XbzLOuipvdPLGTifNSMU7vPnLW+cq4
AXgE1dOP50K+uGm9bZ/LufwwX77NBvlcZ5dfP7+NEztZzs4H6+Ha+Ci6uU7v
1Z1u6x9Ge5XZerfb0dpd5IsVu7PPr/aZhXFq5q+Sl3NaK7Sdl/vWoFExdrOl
4102Ww/5zMg+HzjrbWDkbmv373fN+/fW5Dp3f5fYSWv+VM9k13f+ab9weVMu
3J+/lupXd639cru0Gve3rfJT0Rg0JivH9x4no4vETgqNau9lsdktmr3nzmD3
cvd0Px5e3y6aa6szzEwD6+HltL0oe/Xtc7Xqvd8kdtJ8bzYfutedt2412zpd
LBz/tvG4WN+a7up6UL9fBvXhftrzqg/vi2r7dJFN7OTW90rtu3fbXdX83ct+
9lRrLvrmfb3hDj2z9mK1Xh5zo9moWsrUBsXG4jaxk24p/+4O7IerSe/t1FxU
m2b1433fq87qtx+nfqPZ7S+NS8u/uZ6N7FFpkUxPHh5WhW7Wu90NMuaiWWsv
l62O+7ipXy+HhdW4OLyuGVbn5u2tBaSr+fHkJXaStWaXgALLXf2j6byeVgE8
s3WmZW5vb0v3z6ejm/7u0u63r/vLbPf+xc0kdmLWSo1hNZsZDdejp5Jln5ut
1k11ddq9GbUfeq23kVvot5z+cL67Ku6ur+rJMOl1M292Y2hP27u75mvDXlij
2tJqrmuL7k3/vdiaVZ/e2vmbJ3N3c/NabSd2EoyrtfHruvi6bJdLr4tJfzHc
75q1Yeb+crqrvszLQWX3tp3ddS9Li051ktxJ5va2XJ981MdBfeScN5rL+mR1
ejrb3BrW8DK7un2dPVw5K8u5qp56xd26k9jJ1r+e1Kuduxu/8VDsVV8K+evT
aqO4Xc+N1d3H9Zs1vK7WV/WHXbu7vH0rJB/A1dPljWFZ14NVe7selTN3H+Og
+jIbeUZ1ffvsLnx70ZpeX+0y++KD23xsJHby5J0b47f5+2vubTld5D9KzfFt
53SULdv29qr/fLu1m/375v36463ufjQr94mdlK6fl8tzuw4jXqzuWk+F6vCi
bQMnXS3uS4uPfKM+apjF0vwWkGB0YdrJgO1dP/TLq9vS6nVa2tuDtdG5uL17
LraH593zWXPnXsN2n3ZK1rgwnY32ybuzLtgvjVfXeF7f2ouu+5Gpro3ly9ga
P0yenzaV7Wn37u3+5amUfcnV3r1SOZnGDlr5zSiby+feqvvqbaO79Ard4f7+
+a1o526nQGiezt2x+zFZuO2b/TR5d073t+/Lj1t/cH177piV/mp4s326ylbN
m+p583YYfHgr4+nOurpbrq/7D4VJYieeOTLen8/H99P8c/X2+qZvLKrX1q60
Hl7dv9a67ZpRbJ6O7roPVua595AdJnYyd87fbx/3u6vHffeqV7wsP7RKi+dc
+/6l2rvqtq9vs3b1+rZZ7l6/PF9dW8mEOrh9rj58rF4tv7Hfje8fRm+d19fb
y1yvV8vvdnvD9N6Gl53ezXq7uwP6lEzZWtbT9G1rjV6266xTfnCGw4/Hll9p
PzbeLasxK1/dnQ/7bvXSqZzeLsaDZJntflO6MnolK3M/2Gyzo/rHbv9sXu1q
1WzzpfXkVl9zL9f5fsu8Ll6us83TfGInDXuer75cZCaTLYiQRXd/c7Vx7veX
g7fSadPZjjfG+fWdk7eMWffKfrszkpHNv8mNy6NdvXZ918peO83VcpNxglqw
vHZvgfluVn7ttbiqZpfDaaYzTJZPnlumN3t59Y36W5Bv3z08Th8fsqXtpPQ+
e9hfdcaLunHz+HBzd3OTfe2vK8nIdlOs5Zudl9HscZKx3Vpx+BSMMtlOaVnZ
jwcPxezD+m23cH2v2K7kLoxdssxWyGRPn+a7hmcZhQf3dletVn/7LenLROk+
4dnho4Mn8Qex39GfkV+JFpODdPoE60m0XMjfaT85HPAnLSlKQ+2g4R+1pmg/
ff3zcWuKdmhNOeL6S7jtiV39FVbY4Ddj8fJOS3FpQ6yyIEW5i1qeIm9eMybu
JlCLmtK948rt0eod5P8Z9pdKNsFc/qftL5XMzzgUc+VKKW5/yeNTZgzA6Bf+
XZk7BGMWlXI5wXIezpz+HU7/1+iscxkdyCeaecoX0noeGnrKJWnPORi+pFgt
4u+KZYVufGbu+bMGn98x+fye0ed3zT4/bfj5s6afI8af3zf/lPN6toD2nlwJ
DTyNvF6u6ZmanqvqzZJeauqFnH5R0Js5vXqhFxNtNxdVtA7VLvRmlhn8sU2h
oNfr+kVdrzZxgFIZnZ2Zpl4rHVlAogFImIAuLi6ObBYagS4u8pFG/yAzUOdx
E9wlqyjVaqZnT53h9eSh5TzfDe3JQ3kDIpdT7d0bD7nzSb/2fOpkK7W3mrXY
zdzETkYX7zeVl5VprGuZ5sPV7dWH+ZF7eH52h9nguWvdFl+2W69SrI86F5d2
trlK7KRcr8wqVnM4GvRn5eJpv9is5U8rL8tO5qm72VvjQWeZt54W83Wn671c
XyfrfmZ/e14qZbvn01bteXn/Ol07q1WnmPFn+cLkfNz2r0pPrjU6nRnZ7N1+
NErs5Hr3+vaSy74WsrelemPS2991R+PRqXn6tnlqfGSBWp2WRpvH1/fK03K0
9weJndy5F7eDm3PPvnnb1t/zxYftanNqnG8un9xdpdm3FsvM7dY771yNdtOX
l8ZLYieX1uXVLRBhJ3Pu39jdeeF+Nw1eL6zS48W5f9l8mvWqxc75gzkcF9t3
jZtkwI4mnfuHnuvmpm+9+jL7uHdveuWev/nIWG+7+4fy7SQ777cy92/r00E7
U0ruxCwZu7eB2R59vDuVhfv08fh0//4AQtt6/tCpd3fTS7ezXuzLeae8+7h8
TZbph4XLwJw3e6tu7cOpXzSannuz7tfW3fKq/XD/Nmg+XQbV09rW7c5HuWZx
kyxJZx/eNhfDUquz7bWapv0wNHuuvbbu83bufn3pBN2HivNaGt7M5pnTSi1Z
vW953Yl5v3lYBh+Tq213WLqz3clgf7+uPbw81l4vfOs9t70qOvXdU8l5rCej
ffF9cvG08bet+8FbvX+5zJbmo/fR+8JeDV5H0858u2o0VvVCy25Mszt3m6xx
tVtwUpY9+36zWjQHQ9uyoFV+sLwc7MeLu7tuvQQYdFN9eTfWwVt2kjyTu+vt
bcvfWqed/vX+/fl10Dzf1ndXm+rqceW+ZKuG5wxrRvDx9jrZXkxvksXxjp9D
U0T3fOv3L4v23fD57fG97zQeBzfPu2JQfLn/aC9bN/1MrdQoLavJGtfosQFb
8/H2dnF1sbo1r6v9W+tuNNi22t7dVX++2Vj5D6/VLs6e7s3qaj1N7KQ/7U8q
m1J+23kxzMLr02NhP7TmTwNvbORGdtdaPM36p9Pmg3lZbXQ7z8mGhqtKaXRV
GFbeh0/VtV16yz9lcvPT3oc9rNqn0+fRzbJWehu1741yZu6/dZ1kW1L/7fl6
vfIfd9WBu+8Zt5Xipte+NPybwW75fvlx+9F//Oi22x+1G2Oy6iRr5pZduMh8
zEcvDw/O6et2ve3cVhZZO78ftqflxeb1I7PZ+82p8TptzPf5m25iJ6+ndmbU
f7T77toOrjsXzUFwZ388zweFwOleZF7L76839f0oqOS6u3n7MZkouWMzs3Y2
hdnTZH2xvD5/fX/Yj3oZc59xz7NvE6vuvzcer7sPD27+4tZ8rSWb2qt3rcHo
8nVQd+6uW8XdrmZMGzfF6aXdXBdq9Zz95F5PvV7v8n560fhovyV28j4u1G/8
ge1VL8urTnm3HJov1q1Zaa7aq3bV/cj7M7/Sex8Uhs/Nj80iuZOPycU0f1uu
bPIPtzdPFcNcTPzqefXuunY+ufZL6/l1UKldtZqb12LjoT3+SEa2q+LmeTRe
du78xstt8bJZGnb9vbXsjo3bzrxaqrWt6m23unSurnpZf5asQGYfgrtl4/7a
2ixfvVntcXZRyJwuO7XK/Sp79XJrFva7Tr/Weeh3u9b+tvqY2EmvVvZXlcv3
3NvscnH52r0s7Z7KRmf+trgqzObOyrufnq4HXvP8+fzWee77R9hotv86yZ0v
FrvO7N1u1LONUqM1eG40KuXgfVt+v50Xx83pRfW99Lw3Gsmm9lKtXhjt7Yeb
evctsD7W5czpXXe6rI4Nu5R/u3rLdPPPY7+c70/OH/ulzlNiJ37rY315/1Q8
tTqg0G93T6c948Ydnmes6/ZjJz+rvYxzy8vTXf+097gq5pNhMgpGy6zpLuam
+3KfL9bGfeNteT5dDe7MXHe2rmTXt+tc/eWh38+9XvSNZOa1fLnLXtXyjc7l
qlRySpbx8lGYvDk5t11f9VrvjeH5e25VL/qn3s3Sfr2rJnaS75n5QdleDDJv
1/OXeWWz3ZxePTyO5q1dz70qbN4u71ZjY/bUDfrTi/1LsgWnOas075avu2az
P22Mrm5uT/dLZ7S9expelVfWrZtr3RTHsJzn58uHm1rZSqZsg80sW9pV1059
O+5/vLRb1ZfK+HZWfzdOZ7P+2PowjOz79baReet6N++nydbPmfFSsnbXt5eZ
rTGaPT2sx9vC1e5+WB3kn0v93kv/euM02+bN8H613Lysk6XH3OlusLodVh5a
t9XWclmZXN5+tJqPj6cPu77z+FZew54NctXpzMmsL81kqWDaXVz0F7c3RnPW
v2lWX1v263nlatO8uazd7zbTaaH64lyfd2pPd5nK8n73kLycbCtzZdfugPxM
9u3NU6tY7pfXp8asu7sLKk9V9/G8vRsG1XqlV53Vqslet8sNyJz3w2JlUz4f
Xz69V84fXz7Kk0ENTlyrUsuMFsvazWnh/X1u7QIvc5nYyWOz/mbObm8rg+H9
ulm9Pc2VutZscjlaDVbl4W74Mb31x1mg36OV63pXyUa6U2NbuJ6+XJT759v2
+nzz0W2+Xt1Um6Xz1sX91dXopXw1mw0zt/n9anr5PE/mxfcvu/mq7/Sc/OXm
YXja+lhOB6vBm7UOrqbG3piOc+Vx+SVf9zPnndv6Llm0KF3nrCekw8Vy1Xcn
Ly1zsfHd6+Xm7eK+N8qZ2+Fg+lYdbW9frdPF5AjLeNo1x71BcJ6t5tbj0l3T
G2Y/uh937fHzcNsqdtZF0Fb62flr7q5g1EYvr4mdvFjlt00n//+3d23NiipX
+J1fQZ3zksTMCIqClcpDc1NUVARUeFNA8cJFQFBT+e/pbvCy99bJ5NSpSlLJ
lO6xoG90r17drNXr+xzxMmeNWGmewrN3VR3dGPla31/HXScbbAajBggits7q
/mt94uVMtNg6E93Sa+3uXgg6S1ormjPJ8QUT1K6tXmY4K80ftGWaseTX2624
ZoXsfBNci9gWxHVLFLcLo8OzZnvq9kAvdlescgyGs93R1ofha0/kvE1fdxpb
77Ji0w86Ese0T4ZoRyMViMHwELBKt7H1FmszO9Gm3nldiDfqmr3tSuqM8nq9
sZv2oTBowaCZs5d9vz/OaWWx41NRmMTBZh7Hr7347bR3njYHM10bwHeAuXJc
BsGpv8qO+7MdqL3kwkR6vRMPfVdYDI7c6235lJrWhqJ0FAbT89FpzRZuPsmV
SQ2uQ/DW/sKvx53twM6TeRcMZu7rtbhJO6fIyaNx/egFwkFWLUmWemyk1PJ4
7+2ZlFkJKn8c1FpBTzMPr/06sVSPLof4UmvU2/F8MWjS8MViCfU248Uz2pFa
lKle2opme5rK1savXTIsY9e83jrujRx2vFuvtXrPm1ELjo/iSNx3pT0yEb+0
EL8zALw5F/L14r/TnCyfDocPpuSvRuQ1TIIDVd6akZ84fZ5NsQiiFiAe6b+U
XB8EMlSEGUboxlwWoVcs74AgzzlL4gkovsskvcObdBp0G1lBxyh08JTciNHT
khQ0LOMK8cE1TJHt3pkY3S3mUMHo+UpIPNikcOM+0TUgmFsENP3KIl6Bgn+x
kKeItaTko0Hov/dI+c989RUS8DIj1iW1Mmw3ylkZuh/lYj7114VXxxKJd0WT
X4oGGCn7ibimpA0jbkShMA+iREEnuL0bYED6qdzbGH15stKUXiK4P+ENvD48
iVojvqAQKzFgbnQ+VRG3+j+cgCwH9KvVvjJhf0P/MGIKiUCeFFkRgCHhqwR8
aZNjQxB4pbEBhcKDjWKMKEn2PJpeU4M4OhTtzsQ/XuPjmb6CEb/ZH/39ttsp
KB5olEwAkZ+pGlUIhSXONG0gFdP+dDbtqlOpEMtrQ6nwVc2kNfPCL6ZX6awK
XBfQpgTOakSYDTlzuueDIp15Y8bD5vUNTedFe9GnlnM7thoy/L9zUiSZdrt+
7gQHyjPARi6oi7oDDUI1zPNYlBjV8JddwF1U0YTf/WV0BY2RoZ3HclSMrxJc
UFJcq+Crkm7OzOlOmqqA6xL44llVDEkembK6mVHOWb6CGb8ZzXigGuJeTpfz
EWph7gaz1IK/Yb/xyq7sD+LRIZIMwFgAGgdQAmEzgL8lkE30flveMPKuNQrC
zmSfWBG1M/ZrIWeMNagTsTuuD4axveqPgZRQqcKC3XLM8nT3pJpy39ON02EZ
jNZCITri3mo3J9r8UBOVYcp2z7NiQZwS33Ltw3LW8h3zOAPOfpJ7rsg79WZy
ZcS6l8rrtCaxmipngVsbUExaA5whjMZ0Q5zOeEKMVxOmL4sdP3W4OBGzuBvI
ezZxqSO3OYb+mZ83pjbwhsdrf6wuL4KWFSl9ZPfZfsRPGwVhL1qKAKVbpq2+
7C+YXRL2iri+lYbd43E5WrjNugU3v6wme86I5ZptZTJx14aqbyfTWuwJROL3
7WKoe8Vqvhj2veZMzVe5tot4NZasw7LPm8pgP6avGj05dqhwd0j7w3GhiEAD
fMQoAuGLggAiUIgASt2UMoDWq/NAKYAIFmgoezqQJBGMVVB0hUDo6kA+IJFX
gVT0NpZIwExTnncK2ZIMa36Gkgc7skHHq7l5she+v1rwqW0AoyzMlEQRDPjN
JuE3ksxrjkjwsHR8U+N4sOYkKDwCn4Kip+EWjXkeLuTDvHEdKhm8pvf63mkw
P2pQNjd2YF8JlccTw1UKzVL5JZD7UrELi55cXEJO20e2YS3t8zly86mNBIwC
ljIoLJ7XzB7QConYbHoCupEfBZ65wu+Az9UuVSyvfCxv4hibt/XO0enOQlWU
iuEVDPnNYePvN7ytqRIBNpKkDOqw7Xb3QluHrH/otKx9LdkdpRUdCRQznDci
1mRzn8unzUwVNvN+4FNwv9ceXjpNwm06j87SW/C3li/ntG83ZtdhedbytAz5
MKpapXaduTA/ZNbcPQwbbkzYO4AUBFIofUuxFTA3RTiMPC8Iyl7p8sk6C5Jt
J6CkYGNY7Q0rtSNbUpj51R7kl8uQoE5hDAsJ5e0scnvTYrzlcrfpNofBjLHm
dLHqmqdVsx9WrcnK1sEhbhzgq0hvRkRKT1eV3kTtmoV1tvpVghwleNVpuM+6
sWUKLduuhy5BWUkt1xrnOty8QZ2xFtlBjRvOrtOZ0O6ynK0K6lyZPzoN9dmz
oBFl53XSVcPNh4ELH4cP1K42F4JbR8WFPXcK1QA5UmvC/CbOGlQ42obInYx1
F/0M7nqvsXD1kt7h0tgnNhcGknDwrWXK5CASj3TbLJSz5S97U8oRo3wI2+Je
WldiBYcEDt/B65ba+XnoVEB1Bf3Y1ZVVU9QkXtRMABi4dmj8aucKo5kMVRrc
uDqt02DRmuuTBMqrbOtpi9UlX6Ii95z7RjJOaTjJuXFAGWd/1Kcmh7bbEfru
yjxnckHoeqifOutw44tjdmyL/XCyVazhyGp5hnG12umZawWu1zGGS96Q2Km9
pubsaEb5R/HorNUa0emFWmIyBtS+Ofy2kqSl58f9UlWpPddZxav9xj74nV6P
ZmpnqEw9g3KHl8zfLvr5HooOcZTWF9tw3Pig9TQmvc7H7CHdBXkvMZWVTmcu
6IdLnwM2rPu47cNFc2vGVNvPwTycOM0LQRtqYSlcFK6LiTK7Xoy2NdzstkZ7
choWOl8vsoMP9/TztauMlj03yrzNblkMg3pzZ9ccb0Rkp2ZHzlcz6jTol8u4
NBK/LuLlxvXjLvRxiiF7Pi3w2E3hmN1qr/cceVFtu36TQ524bUt+7FBn2r9f
+BnT+hlvOsN8caZTZKNROiEf/uyb6/ljOvruHH4KS7v7gz+Hnz0cm5/vvI9i
eo5M+9nQtB/Gpv04OO2fRKf9ZHjab4tPexmg9k8j1ACOQaMpVBHTJgWehPU2
WjjsrEOyIim1SK5DNiXknm6CV0VwDIp/aAGSamCvOPzbJkVAchIpMqQkkTKH
3Nu8SNKwOPFl41+FqFUxagz1emhwkNrzcYcXUWpFUdyD1EIvq5eb+lus2stQ
tTfRcl+u/VT8GngW6CcZZ9/JeOutjDffyvgHIfu58PT/KRHnOLJDkRyNPkAk
ZZ5st5E0N2T0Q4Q6rEPCgWJEJLHgZZS6JJAMvMeRbQYd2WhyZIsnm3DGABS3
0xDQURCxgSIz4afd/ldFvPlmaLCIsz8v4lGywbL9DQ/9u3D131XCP174EqFZ
RraVi8EjsK2a0Y/l4T4hPks9/XqiQN30aqL8H6vhvxir4TeHIqMZkAaIvb2a
B78HWMP/I+F/X/GD0gX3Fiz8QGFpoHB1TkCS0mySgEEaVJRQdCXbQXfFl/sM
qGzFDik3UCK456BKgeaQZAtYm8P9B0eREkzGQln9N4vfm+3Ff0Ik/K+kgOGF
UlLfIgC01/SHf/u1BCFKv3DPpacgWCbba4XlXSUj0w+F3cjQq5slceyfyJJ0
8V2d2zCLsF33Roda2mMx8XRSssPebcsV/XVFtPmGf/wP+BDj9+/f/0jeULth
GVGy3WxD7Be4Q+ghu/8dbJwkVS/ZvKeGPHgYOg/xdC/DC+m52yxKEEd59bQV
OsnttPWdThf1gJhEcYnXhPjfK6JRF5FzXr5laOmuno/8yC7/tSeqM9yY4i/0
vhXLS5llfQqxSZ688cDf2UBXl8+uD1gMIlXG2OiPunA770+OqIO3iBO+4o2G
cnCooNA/jAC23N8O5SO/SAVgC+v4dEa/4iOGd2+Utze8K1ic3hubQ/FdqcQT
MO6TUR8h4aMX9E+uB9y+FUKUT7wbrgD54GDHz2k++JDv+DLYOXDHNURk6VVB
d/jCB/YWkgO/dOREqzQ6eFkl3VS7/eMK0BUkq10v9BAtZcUo8Kip2eHuNSGx
Xb+uqdHs/ERNT8NWj931c7TAo0aOpjncxXdksdfPxrIcrnEUkYcIkbTeBvQ+
brdqZWNyn4xrrDDxbITPXUrZm2w94ylfpWlvGe9xFSROpn9Il/5sDY+zzKQ+
696CLTC0+h34nyA/RovUNtdt/NRzuAL1QbJawhqXtqLSosOP5Bt5ZZP5+99v
cxIWXLE6YMWje+WMZb43UJ+XdApcE9EpVPOlnCAlBmzuofxSkiDARUUkG222
Uz1qEOW38X/ML1znM3knRmrE2I4YEBiRdKJJWl56GLJgS375PjTEX9404rkJ
zUYLN0G6Kag/PwtR2RqMSuwtHf8JkxFLXuJVMNAl0giJfISfoKM/Fl566BDT
/a2hGYK5R2fS3QruEvPZp6cthohF41p2uVMpjBVyCeNMUOfCRcCDrUqjdVYg
W9yDOxUDKOOW4on+C8pRjw/LbfgX2BlJ6mV/NQ35G/fLi/ZV+hmuDb6Hdwzb
dUkjjBKEnufelEqKsHPd77D8J3G9D9oLC2MYZTd3banaEKsu7quPqn37IfoJ
N3FSKsFviXfAZPdZFG+dtFocPawlvXyLyLAvyNDpnNL0EfikV/CWsGgBKlco
vUmlZtNKgFHvlcytuZeUGeEoeAhEGqqOqvJPmQnylh15jx8czlXTUJFPxeH1
oEqfVo+EJ9JHFlw8zXHaigIXQdZ+JcF94hxJ0UIF1xU0YypGllv6B9vIhwof
bNIPdZu+S3HDxMT3dRS0hS7ijcP2eecQ3YBw4HK7RJ2NM5T++vL4A+yEJ8Jl
GjORPK2fP0aI/AdRsHAt6U0BAA==
</rfc> </rfc>
 End of changes. 180 change blocks. 
1704 lines changed or deleted 646 lines changed or added
