<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.3.8) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-autocrypt-openpgp-v2-cert-03" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="Autocrypt v2 Certificates and TSKs">Autocrypt v2 OpenPGP Certificates and Transferable Secret Keys</title>

    <author initials="D. K." surname="Gillmor" fullname="Daniel Kahn Gillmor">
      <organization abbrev="ACLU">American Civil Liberties Union</organization>
      <address>
        <email>dkg@fifthhorseman.net</email>
      </address>
    </author>
    <author initials="H." surname="Krekel" fullname="Holger Krekel">
      <organization>merlinux gmbh</organization>
      <address>
        <email>holger@merlinux.eu</email>
      </address>
    </author>
    <author initials="F." surname="Ziegelmayer" fullname="Friedel Ziegelmayer">
      <organization>n0 Inc.</organization>
      <address>
        <email>me@dignifiedquire.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    <area>int</area>
    <workgroup>openpgp</workgroup>
    <keyword>Internet-Draft</keyword>

    <abstract>


<?line 70?>

<t>This document describes the "Autocrypt v2 Certificate",
a standard structure for an OpenPGP certificate for Internet messaging.
It offers defense against store-now-decrypt-later attacks from quantum computers
through post-quantum hybrid cryptography.
It also enables reliable deletion ("Forward Secrecy") of received messages
even when adversaries capture encrypted messages in transit
and later compromise the user's message archive and secret keys.
The design uses deterministically ratcheted rotating encryption subkeys
with predictable expiration combined with coordinated secret key material destruction.
This document also describes the structure, use, and maintenance of
the OpenPGP Transferable Secret Key that corresponds with the Autocrypt v2 Certificate.</t>



    </abstract>

    <note title="About This Document" removeInRFC="true">
      <t>
        The latest revision of this draft can be found at <eref target="https://autocrypt2.codeberg.page/autocrypt-v2-cert/"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-autocrypt-openpgp-v2-cert/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        OpenPGP Working Group mailing list (<eref target="mailto:openpgp@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/openpgp/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/openpgp/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://codeberg.org/autocrypt2/autocrypt-v2-cert/"/>.</t>
    </note>


  </front>

  <middle>


<?line 84?>

<section anchor="introduction"><name>Introduction</name>

<t>An OpenPGP certificate can be structured in a bewildering variety of ways.
The "Autocrypt v2 Certificate" is a modern OpenPGP structure
that aims toward robustness, cryptographic resilience, and straightforward deployment in the Internet messaging context.</t>

<t>An OpenPGP implementation that produces and can handle certificates and secret keys
structured in this way can provide the user with reasonable protection
against a variety of plausible attacks,
while slotting cleanly into existing mechanisms for
end-to-end cryptographically protected email and other messaging systems.</t>

<t>This mechanism also enables an archiving messenger to support
robust deletion of a received message in a way that the deleted message will not be recoverable,
even by an adversary who can capture messages in transit,
and later compromises the user's message archive and secret keys.</t>

<section anchor="requirements-language"><name>Requirements Language</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

<?line -18?>

</section>
<section anchor="terminology"><name>Terminology</name>

<t><list style="symbols">
  <t>"OpenPGP certificate" or just "certificate" refers to an OpenPGP Transferable Public Key (see <xref section="10.1" sectionFormat="of" target="RFC9580"/>).
This specification distinguishes between outgoing certificates
as distributed by the keyholder, with a fixed structure and size,
and incoming certificates as received and stored by a peer.
This specification does not prescribe any particular mechanism for
how certificates are transferred between parties.</t>
  <t>"Transferable Secret Key" or just "TSK" refers to an OpenPGP Transferable Secret Key (see <xref section="10.2" sectionFormat="of" target="RFC9580"/>).</t>
  <t>"Component key" refers to a single cryptographic object found within an OpenPGP certificate.
A certificate's primary key is a "component key", and any subkey in the certificate is also a "component key".</t>
  <t>"Keyholder" is the party that has legitimate access to the secret key material corresponding to the component keys in a certificate.
The keyholder can sign messages that can be verified with the certificate, decrypt messages that were encrypted to the certificate, and update the certificate itself over time.</t>
  <t>"User Messaging Agent" or UMA refers to a program used to compose, send, receive, and render messages.
This term is similar to "Mail User Agent" (MUA),
but the variation in naming emphasizes that
Autocrypt v2 certificates do not prescribe a specific transport mechanism
nor do they prescribe a particular message content format.
A Keyholder may have one or more UMAs
that share access to the same secret key material,
messaging inbox,
and other account details.</t>
  <t>"Peer" means a party who communicates with the keyholder via messages, as well as potentially with other peers.
The peer does not have access to the keyholder's asymmetric secret key material,
but typically has access to a copy of each message exchanged between the peer and keyholder.</t>
  <t>"Reliable Deletion" refers to the property that enables a keyholder
to render a message unrecoverable after deletion,
even if an attacker has archived all messages in transit
and subsequently obtains the keyholder's secret key material and message archive.
Reliable deletion therefore requires the destruction of both
secret key material and message cleartext.
This property is commonly referred to as "Forward Secrecy";
however, this specification uses the term "Reliable Deletion"
to emphasize the keyholder's ability to permanently delete messages.</t>
</list></t>

</section>
<section anchor="goals"><name>Goals</name>

<t>A certificate following this specification has the following goals:</t>

<t><list style="symbols">
  <t>Post-quantum confidentiality.
It should defend against a store-now-decrypt-later attack from a cryptographically relevant quantum computer.</t>
  <t>Size matters.
When network conditions are constrained by limited bandwidth, high latency, or intermittent connectivity,
there often is a heightened need for encryption with reliably deletable messages.
To preserve availability under such conditions, the size of cryptographic material should be minimized
and it should be possible to include transmission of a few dozen certificates in a single message
without impairing common messaging infrastructure.</t>
  <t>Computational resources matter.
It should be possible to promptly encrypt a single message to
up to a few dozen of these certificates with low-powered devices.
The same hardware should be able to quickly and cheaply verify a signature from one of these certificates.
And with access to the corresponding secret keys,
it should be inexpensive to decrypt a message encrypted to one, or to sign a message with one.</t>
  <t>Reliable deletion.
The keyholder should be able to robustly and permanently delete
an encrypted message received some time in the past,
rendering it unrecoverable even to
a powerful attacker in the future (see <xref target="deletable-threat-model"/>).</t>
  <t>No network synchronization needed.
The keyholder should be able to encrypt and decrypt messages with local key material only,
without requiring network synchronization between their own devices or with peers.
To the extent that a keyholder has multiple UMAs of their own,
each UMA should be able to operate independently with no ongoing network synchronization between them
beyond the initial configuration.</t>
  <t>Backward compatibility.
It must be possible for a keyholder with an Autocrypt v1 key
to sign a message that is encrypted to an Autocrypt v2 certificate, and vice versa.
It must also be possible to encrypt a message to a mixed group of Autocrypt v1 and v2 certificates
(though such a message may not meet the "Reliable deletion" goal).</t>
  <t>Drop-in OpenPGP replacement for existing peers.
The keyholder might need to update
their OpenPGP implementation, UMA(s), and regular workflow
to use the secret key material to meet these goals successfully.
But a peer whose UMA supports Autocrypt v1.1 already
only needs to update their OpenPGP implementation in order to interoperate.</t>
  <t>Minimize unnecessary metadata.
A certificate of this form need not leak information that
the keyholder might consider sensitive.
There is no intent to forbid inclusion of sensitive information if the keyholder desires,
but the standard certificate should be suitably generic.</t>
</list></t>

</section>
<section anchor="non-goals"><name>Non-Goals</name>

<t>This specification does not attempt to accommodate all possible scenarios
that might occur with OpenPGP, email, or other messaging systems.
The following concerns are explicitly not in-scope for this specification:</t>

<t><list style="symbols">
  <t>No support for legacy OpenPGP clients.
The keyholder needs to use an up-to-date OpenPGP implementation, and expects their peers to do the same.
There is no attempt at backward compatibility for a peer with a legacy OpenPGP implementation.</t>
  <t>No in-cert human-readable identifiers.
There is no attempt to store a “real name" or other human-readable identity information in the certificate.
If human-readable identity information is to be associated with the certificate,
it is expected to be supplied elsewhere,
such as with a local petname system, or some external cryptographic bindings.</t>
  <t>No in-cert transport-layer addressing.
There is no attempt to bind transport-layer routing information (e.g., email addresses) to the certificate.
Information about how to get an encrypted message to the keyholder is presumed
to be transmitted via some other channel, such as the <spanx style="verb">Autocrypt</spanx> header field.</t>
  <t>No defense against quantum impersonation.
While the certificate is designed to defend against store-now-decrypt-later attacks,
it does not defend against an adversary with a cryptographically relevant quantum computer
that breaks the signing key and updates the certificate
in order to compromise future messages encrypted to the certificate.
Such an attacker must expose themselves to the peer at least
(putting the attacker at risk due to visibility),
and these attacks cannot take place retroactively.</t>
  <t>No transitioning from old certs.
There is no specific support for transitioning older or alternative OpenPGP certificate formats
to the structure defined in this specification.
Such a migration path may be defined in future specifications,
but this document is limited to new adopters going forward.</t>
  <t>No certificate discovery and no refresh.
This specification does not define a mechanism
to request a refreshed certificate from a peer.
Reliable message deletion depends on timely updates of each correspondent's certificate,
but imposing a particular mechanism
is unlikely to accommodate the constraints of diverse messaging implementations.
That said, this specification does not preclude
the use of discovery or refresh mechanisms.</t>
  <t>No coordinated deletion of messages.
This specification addresses unilateral deletability,
protecting against a future attacker who compromises the keyholder's UMA or secret key storage.
Messages are typically stored in multiple locations,
across peers, devices, and UMAs.
Guaranteeing deletion of all copies of a message,
including through negotiated “disappearing messages” mechanisms,
is outside the scope of this draft.</t>
  <t>No post-compromise security.
Some messaging schemes attempt to defend against
an attacker who has compromised the user's secret key material
at some point in the past,
typically by regularly mixing new entropy into the secret key material
and coordinating those updates across the user's shared devices.
This specification does not defend against such an attacker.
In the case of past key compromise, the user may need to move to an entirely new certificate.</t>
</list></t>

</section>
</section>
<section anchor="certificate-structure"><name>Certificate Structure</name>

<t>An Autocrypt v2 certificate is composed of a specific sequence of version 6 OpenPGP packets.
The precise requirements for these packets including algorithm IDs, key flags,
and binding signatures are detailed in <xref target="packet-composition"/>.</t>

<figure title="Autocrypt v2 Certificate Structure"><artset><artwork  type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="192" width="464" viewBox="0 0 464 192" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 8,32 L 8,144" fill="none" stroke="black"/>
<path d="M 456,48 L 456,144" fill="none" stroke="black"/>
<path d="M 8,32 L 440,32" fill="none" stroke="black"/>
<path d="M 8,64 L 456,64" fill="none" stroke="black"/>
<path d="M 24,160 L 440,160" fill="none" stroke="black"/>
<path d="M 440,32 C 448.83064,32 456,39.16936 456,48" fill="none" stroke="black"/>
<path d="M 24,160 C 15.16936,160 8,152.83064 8,144" fill="none" stroke="black"/>
<path d="M 440,160 C 448.83064,160 456,152.83064 456,144" fill="none" stroke="black"/>
<g class="text">
<text x="28" y="52">A.</text>
<text x="72" y="52">Primary</text>
<text x="120" y="52">Key</text>
<text x="176" y="52">(Ed25519)</text>
<text x="52" y="84">B.</text>
<text x="92" y="84">Direct</text>
<text x="136" y="84">key</text>
<text x="168" y="84">sig</text>
<text x="232" y="84">(cert+sign,</text>
<text x="292" y="84">no</text>
<text x="336" y="84">expire)</text>
<text x="28" y="100">C.</text>
<text x="76" y="100">Fallback</text>
<text x="140" y="100">Subkey</text>
<text x="248" y="100">(ML-KEM-768+X25519)</text>
<text x="52" y="116">D.</text>
<text x="92" y="116">Subkey</text>
<text x="152" y="116">binding</text>
<text x="200" y="116">sig</text>
<text x="256" y="116">(encrypt,</text>
<text x="308" y="116">no</text>
<text x="352" y="116">expire)</text>
<text x="28" y="132">E.</text>
<text x="76" y="132">Rotating</text>
<text x="140" y="132">Subkey</text>
<text x="248" y="132">(ML-KEM-768+X25519)</text>
<text x="52" y="148">F.</text>
<text x="92" y="148">Subkey</text>
<text x="152" y="148">binding</text>
<text x="200" y="148">sig</text>
<text x="256" y="148">(encrypt,</text>
<text x="328" y="148">expires</text>
<text x="372" y="148">in</text>
<text x="416" y="148">max_rd)</text>
</g>
</svg>
</artwork><artwork  type="ascii-art"><![CDATA[
.------------------------------------------------------.
| A. Primary Key (Ed25519)                              |
+-------------------------------------------------------+
|    B. Direct key sig (cert+sign, no expire)           |
| C. Fallback Subkey (ML-KEM-768+X25519)                |
|    D. Subkey binding sig (encrypt, no expire)         |
| E. Rotating Subkey (ML-KEM-768+X25519)                |
|    F. Subkey binding sig (encrypt, expires in max_rd) |
 '-----------------------------------------------------'

]]></artwork></artset></figure>

<section anchor="encryption-subkey-rotation"><name>Encryption subkey rotation</name>

<t>The expiring encryption subkey is rotated on a regular schedule.
The window of subkey validity (from creation and binding to expiration) is known as <spanx style="verb">max_rd</spanx>.
When the current subkey has only <spanx style="verb">min_rd</spanx> time left until expiration,
the keyholder adds a new rotating subkey.
A rotating subkey <spanx style="verb">N+1</spanx> is created exactly at <spanx style="verb">min_rd</spanx> away
from the end of the validity window of rotating subkey <spanx style="verb">N</spanx>.
By convention, <spanx style="verb">max_rd</spanx> is 10 days (864000 seconds), and <spanx style="verb">min_rd</spanx> is 5 days (432000 seconds).
See <xref target="determining-minmaxrd"/> for the formal definition and concrete guidance about <spanx style="verb">min_rd</spanx> and <spanx style="verb">max_rd</spanx>.</t>

<t>In order for the keyholder to use the same TSK across multiple UMAs without explicit network coordination,
the values of <spanx style="verb">min_rd</spanx> and <spanx style="verb">max_rd</spanx> <bcp14>MUST</bcp14> be known to the keyholder's UMAs.
See <xref target="custom-ratcheting-schedules"/> for more information.</t>

<t>This arrangement means the validity window of each subsequent rotating subkey overlaps with
the validity window of the prior rotating subkey.
See <xref target="subkey-validity-windows"/> for more discussion about temporal layout of subkey validity windows.</t>

</section>
<section anchor="fixed-creation-timestamp"><name>Fixed Creation Timestamp</name>

<t>The primary public key and fallback encryption subkey use a fixed, well-known key creation timestamp of
0x6a44587f (1782863999 seconds past the UNIX epoch, which is 2026-06-30T23:59:59Z).
This document refers to this special timestamp as <spanx style="verb">T_ac2</spanx>.</t>

<t>The direct key signature over the primary key and
the subkey binding signature for the fallback encryption subkey
will initially be <spanx style="verb">T_ac2</spanx>, but <bcp14>MAY</bcp14> be any later time.
This allows the keyholder to offer revised metadata in these signatures in a way that
a peer can determine which collection of metadata is more recent.</t>

<t>This fixed creation timestamp offers two advantages:</t>

<t><list style="symbols">
  <t>it avoids publishing the creation time of the primary key (and fallback key), which otherwise would leak unnecessarily, and</t>
  <t>it offers a reasonably distinct signal that the secret key in question follows this specification,
so it can be safely rotated.</t>
</list></t>

<t>Historical note: <spanx style="verb">T_ac2</spanx> was chosen as the last timestamp congruent with the publication date of <xref target="RFC9980"/> in UTC.</t>

</section>
<section anchor="packet-composition"><name>Packet Composition</name>

<t>An outbound certificate consists of the following six packets:</t>

<t><list style="symbols">
  <t>A. "Primary" Public Key Packet (packet type ID 6), version 6, public key algorithm Ed25519 (algorithm ID 27), creation time <spanx style="verb">T_ac2</spanx></t>
  <t>B. Direct Key Signature (packet type ID 2), version 6, signature type 0x1f, hashed subpackets include:  <list style="symbols">
      <t>signature creation time (<spanx style="verb">T_ac2</spanx> or later)</t>
      <t>key flags: certify, sign</t>
      <t>issuer fingerprint (fingerprint of A)</t>
      <t>features: SEIPDv2</t>
      <t>preferred AEAD ciphersuites: AES-256+OCB ## TBD: do we need this?</t>
      <t>no expiration subpacket</t>
    </list></t>
  <t>C. "Fallback" Public Subkey Packet (packet type 14), version 6, public key algorithm ML-KEM-768+X25519 (algorithm ID 35) (see <xref section="4.2" sectionFormat="of" target="RFC9980"/>), creation time <spanx style="verb">T_ac2</spanx></t>
  <t>D. Subkey binding signature (packet type ID 2), version 6, signature type 0x18, hashed subpackets include:  <list style="symbols">
      <t>signature creation time (<spanx style="verb">T_ac2</spanx> or later)</t>
      <t>key flags: encrypt to storage, encrypt to comms</t>
      <t>issuer fingerprint (fingerprint of A)</t>
      <t>no expiration subpacket</t>
    </list></t>
  <t>E. "Rotating" Public Subkey Packet (packet type 14), version 6, public key algorithm ML-KEM-768+X25519 (algorithm ID 35) (see <xref section="4.2" sectionFormat="of" target="RFC9980"/>), creation time <spanx style="verb">T_ac2</spanx> or later</t>
  <t>F. Subkey binding signature (packet type ID 2), version 6, signature type 0x18,
containing exactly the following four hashed subpackets, in the order listed:  <list style="symbols">
      <t>signature creation time (same as creation time of E), critical</t>
      <t>key expiration time: <spanx style="verb">max_rd</spanx> (by convention, 10 days = 864000 seconds), critical</t>
      <t>key flags: only encrypt to comms is set, critical</t>
      <t>issuer fingerprint (fingerprint of A), not critical</t>
    </list></t>
</list></t>

</section>
<section anchor="certificate-size"><name>Certificate Size</name>

<t>An outbound certificate is 2938 octets in binary form.</t>

<t>A certificate for a peer should be merged into the locally cached certificate
which may thus contain multiple rotating subkeys and grow accordingly.</t>

</section>
<section anchor="openpgp-format"><name>Use of OpenPGP format</name>

<t>OpenPGP has two different packet framing formats:
the "OpenPGP format" (<xref section="4.2.1" sectionFormat="of" target="RFC9580"/>) and
the "Legacy format" (<xref section="4.2.2" sectionFormat="of" target="RFC9580"/>).
Autocrypt v2 certificates and TSKs use only the OpenPGP format.</t>

<t>This is particularly relevant for the deterministic ratcheting step described in <xref target="ac2-ratchet"/>
because that step needs a canonical octet-string representation of several OpenPGP packets.</t>

</section>
</section>
<section anchor="identifying-an-autocrypt-v2-transferable-secret-key"><name>Identifying an Autocrypt v2 Transferable Secret Key</name>

<t>Peers interacting with an Autocrypt v2 certificate do not need to identify it as
an Autocrypt v2 certificate at all.
They simply need to apply common OpenPGP semantics to the certificate.</t>

<t>However, all UMAs operated by the keyholder
need to identify an Autocrypt v2 Transferable Secret Key (TSK)
in order to perform aligned key ratcheting <xref target="ac2-ratchet"/>
and achieve reliable deletion for the keyholder.</t>

<section anchor="identification-by-tsk-structure"><name>Identification By TSK Structure</name>

<t>A Transferable Secret Key (TSK) is identified as an Autocrypt v2 TSK
if its internal structure corresponds to the packets defined in <xref target="packet-composition"/>.
The keyholder's UMA must recognize this structure to perform the aligned
key ratcheting necessary for reliable deletion.</t>

<t>In particular, a AC2 TSK detection algorithm can simply confirm that the following predicates are all true:</t>

<t><list style="symbols">
  <t>The input is is a well-formed v6 TSK.</t>
  <t>The primary key is Ed25519.</t>
  <t>The primary key does not expire.</t>
  <t>The primary key is marked with a direct key signature that confirms it is capable of handling SEIPD v2.</t>
  <t>The primary key creation time is 0x6a44587f (2026-06-30T23:59:59Z)</t>
  <t>It has a ML-KEM-768+X25519 subkey (the "fallback" subkey) which meets all of the following conditions:
  <list style="symbols">
      <t>The fallback subkey is created at the same time as the primary key.</t>
      <t>The fallback subkey is marked for encryption for communication and storage.</t>
      <t>The fallback subkey does not expire.</t>
      <t>The fallback subkey creation time is 0x6a44587f (2026-06-30T23:59:59Z)</t>
    </list></t>
  <t>It has at least one ML-KEM-768+X25519 subkey ("rotating" subkey) whose binding signature matches
the canonical list of subpackets in Packet F of <xref target="packet-composition"/>.</t>
</list></t>

</section>
<section anchor="determining-minmaxrd"><name>Determining min_rd and max_rd</name>

<t>The subkey rotation cadence is derived from
the Key Expiration Time subpacket (<xref section="5.2.3.13" sectionFormat="of" target="RFC9580"/>)
found in Packet F of <xref target="packet-composition"/>.</t>

<t>By definition, the value of the Key Expiration Time subpacket
(which is measured as an integer number of seconds) is <spanx style="verb">max_rd</spanx>.
The default value for <spanx style="verb">max_rd</spanx> is 864000 seconds.
<spanx style="verb">max_rd</spanx> represents the maximum remaining validity duration
that a peer might find in a keyholder's certificate,
which occurs if the peer retrieves a copy immediately after a new subkey is created.</t>

<t><spanx style="verb">min_rd</spanx> is derived from <spanx style="verb">max_rd</spanx>.
By convention, <spanx style="verb">min_rd</spanx> is half of <spanx style="verb">max_rd</spanx>.
In particular, when <spanx style="verb">max_rd</spanx> is the default value of 864000 seconds,
<spanx style="verb">min_rd</spanx> is 432000 seconds.
<spanx style="verb">min_rd</spanx> represents the minimum remaining validity duration
that a peer is guaranteed to find in a keyholder's certificate at any time,
provided the keyholder is following the standard rotation schedule.
This worst case occurs when the peer retrieves
the certificate just before the next subkey rotation.
It is the "floor" of the validity window available to a peer.</t>

<t>Anyone designing a similar system with a different ratcheting cadence
where <spanx style="verb">min_rd</spanx> that is anything other than half of <spanx style="verb">max_rd</spanx>
<bcp14>MUST</bcp14> explicitly coordinate <spanx style="verb">min_rd</spanx> somehow with all other UMAs
and <bcp14>MUST</bcp14> set <spanx style="verb">max_rd</spanx> to something other than 864000.</t>

</section>
</section>
<section anchor="reliable-deletion-strategy"><name>Reliable Deletion Strategy</name>

<t>An Autocrypt v2 certificate evolves over time,
as new rotating encryption subkeys are added to it.
It also sees older rotating encryption subkeys expire and potentially be removed.
This requires reasonable behavior by the keyholder and their peers.</t>

<section anchor="keyholder-certificate-and-secret-key-management"><name>Keyholder Certificate and Secret Key Management</name>

<t>The keyholder must update the certificate regularly by
ratcheting its secret key material forward to a new subkey.
Since the ratchet is deterministic, based on time and the old key material,
and the ratcheting schedule is standardized,
each UMA that the keyholder uses will ratchet forward in the same
way, without needing any additional network coordination.</t>

<section anchor="ac2-ratchet"><name>Subkey Ratchet</name>

<t>Each successive encryption-capable subkey is derived deterministically from the subkey before it.</t>

<t>This section describes how to derive
the secret key material and a deterministic subkey binding signature
for the new encryption-capable subkey based on the following values:</t>

<t><list style="symbols">
  <t><spanx style="verb">secret_key</spanx>, the Transferable Secret Key to be ratcheted.</t>
  <t><spanx style="verb">start</spanx>, the creation timestamp for the new subkey, represented as a number of seconds
elapsed since 1970-01-01T00:00:00Z, as a big-endian, 32-bit unsigned integer.</t>
</list></t>

<t>Note that both <spanx style="verb">start</spanx>, and the non-secret parts of <spanx style="verb">secret_key</spanx>
(that is, <spanx style="verb">secret_key</spanx> with <spanx style="verb">get_public()</spanx> applied to all its Secret Key packets)
are publicly visible.</t>

<t>The ratchet function relies on several deterministic subfunctions:</t>

<t><list style="symbols">
  <t><spanx style="verb">get_primary_key(TSK) -&gt; K</spanx>
 takes a Transferable Secret Key and
 returns the Secret Key packet of its primary key.</t>
  <t><spanx style="verb">get_last_rotating_subkey(TSK) -&gt; (K, sbs)</spanx>
 takes a Transferable Secret Key and
 returns the Secret Subkey packet and corresponding Subkey Binding Signature packet of
 the latest-expiring subkey that has the canonical list of subpackets
 described in Packet F of <xref target="packet-composition"/>.</t>
  <t><spanx style="verb">extract_secret_key_material(K) -&gt; M</spanx> retrieves 96 octets of secret key material <spanx style="verb">M</spanx> from
an OpenPGP ML-KEM-768+X25519 secret key packet <spanx style="verb">K</spanx>.
The octets of <spanx style="verb">M</spanx> are structured exactly as they are on the wire.
(32 octets of X25519 key material + a 64 octet seed of ML-KEM-768).</t>
  <t><spanx style="verb">get_public(K) -&gt; P</spanx> takes an OpenPGP Secret Key (or Subkey) packet and produces
the corresponding OpenPGP Public Key (or Subkey) packet in OpenPGP format.</t>
  <t><spanx style="verb">make_secret_subkey(M,T) -&gt; K</spanx> takes 96 octets of secret key material <spanx style="verb">M</spanx> and
OpenPGP timestamp <spanx style="verb">T</spanx> and produces a ML-KEM-768+X25519 secret subkey packet
with creation time <spanx style="verb">T</spanx>.</t>
  <t><spanx style="verb">normalize_x25519_scalar(M) -&gt; M</spanx>
takes 96 octets of OpenPGP ML-KEM-768+X25519 secret key material, and
normalizes the first 32 octets, which are an X25519 secret key.
The full 96 octets are returned after normalization.
Normalization clears the three least-significant bits of the first octet,
clears the most-significant bit of the 32nd octet, and
sets the second-most-significant bit of the 32nd octet,
as described in <spanx style="verb">decodeScalar25519</spanx> in <xref section="5" sectionFormat="of" target="RFC7748"/>.</t>
  <t><spanx style="verb">get_expiration_duration(S) -&gt; secs</spanx>
takes a Signature packet with a hashed Key Expiration subpacket and
returns the contents of the hashed Key Expiration subpacket,
represented as four octets, interpretable as a big-endian unsigned integer number of seconds.</t>
  <t><spanx style="verb">bind_subkey(P,K,T,subp,salt) -&gt; S</spanx>
takes primary Ed25519 secret key <spanx style="verb">P</spanx>, public subkey <spanx style="verb">K</spanx>,
timestamp <spanx style="verb">T</spanx>,
an ordered list of OpenPGP signature subpackets <spanx style="verb">subp</spanx>,
and a 16-octet <spanx style="verb">salt</spanx>, and
produces an OpenPGP v6 Subkey Binding Signature <spanx style="verb">S</spanx> using an Ed25519 signature.
Ed25519 signatures are deterministic as described in <xref section="8.2" sectionFormat="of" target="RFC8032"/>.</t>
</list></t>

<t>The next secret subkey and subkey binding signature are derived via <xref target="HKDF"/> using SHA2-512,
with the following construction,
where <spanx style="verb">||</spanx> represents concatenation:</t>

<figure><artwork><![CDATA[
AC2_Ratchet(secret_key
            start)
            -> (next_secret_subkey, subkey_binding_sig):
  primary_key = get_primary_key(secret_key)
  (base_subkey, oldsbs) = get_last_rotating_subkey(secret_key)
  max_rd = get_expiration_duration(oldsbs)

  salt = start || get_public(base_key)
  info = "Autocrypt_v2_ratchet" || get_public(primary_key) || max_rd
  IKM = extract_secret_key_material(base_key)
  IKM = normalize_x25519_scalar(IKM)
  L = 160
  ks = HKDF_SHA2_512(salt, info, IKM, L)
  bssalt = SHA2_512(ks[0:64])[0:16]
  new_secret = normalize_x25519_scalar(ks[64:160])
  new_subkey = make_secret_subkey(new_secret, start)
  subpackets = [ sig_creation=start,
                 key_expiration=max_rd,
                 key_flags=EncryptComms,
                 issuer_fingerprint=primary_key.fingerprint ]
  binding_sig = bind_subkey(primary_key,
                            get_public(new_subkey),
                            subpackets, bssalt)
  return (new_subkey, binding_sig)
]]></artwork></figure>

<t>The <spanx style="verb">"Autocrypt_v2_ratchet"</spanx> string is 20 octets as represented in US-ASCII.</t>

<figure><artwork><![CDATA[
000  41 75 74 6f 63 72 79 70 |Autocryp|
008  74 5f 76 32 5f 72 61 74 |t_v2_rat|
010  63 68 65 74             |chet|
014
]]></artwork></figure>

<t>Note that a UMA without access to the secret key material of the primary key
can still use parts of <spanx style="verb">AC2_Ratchet</spanx> to derive the new secret key subkey
without producing the subkey binding signature.
Such a UMA would be able to decrypt incoming new messages.</t>

<section anchor="ac2ratchet-diagram"><name>AC2_Ratchet Diagram</name>

<t>The core of the algorithm above can be visualized as follows:</t>

<figure title="AC2_Ratchet Diagram"><artset><artwork  type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="800" width="512" viewBox="0 0 512 800" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 8,32 L 8,64" fill="none" stroke="black"/>
<path d="M 16,480 L 16,512" fill="none" stroke="black"/>
<path d="M 16,672 L 16,720" fill="none" stroke="black"/>
<path d="M 16,752 L 16,784" fill="none" stroke="black"/>
<path d="M 24,64 L 24,336" fill="none" stroke="black"/>
<path d="M 40,96 L 40,128" fill="none" stroke="black"/>
<path d="M 56,368 L 56,392" fill="none" stroke="black"/>
<path d="M 64,128 L 64,336" fill="none" stroke="black"/>
<path d="M 64,512 L 64,552" fill="none" stroke="black"/>
<path d="M 72,592 L 72,664" fill="none" stroke="black"/>
<path d="M 80,160 L 80,192" fill="none" stroke="black"/>
<path d="M 104,96 L 104,128" fill="none" stroke="black"/>
<path d="M 120,480 L 120,512" fill="none" stroke="black"/>
<path d="M 136,368 L 136,392" fill="none" stroke="black"/>
<path d="M 152,432 L 152,472" fill="none" stroke="black"/>
<path d="M 176,192 L 176,280" fill="none" stroke="black"/>
<path d="M 176,320 L 176,336" fill="none" stroke="black"/>
<path d="M 192,672 L 192,720" fill="none" stroke="black"/>
<path d="M 208,32 L 208,64" fill="none" stroke="black"/>
<path d="M 216,368 L 216,392" fill="none" stroke="black"/>
<path d="M 296,512 L 296,552" fill="none" stroke="black"/>
<path d="M 296,672 L 296,720" fill="none" stroke="black"/>
<path d="M 312,592 L 312,744" fill="none" stroke="black"/>
<path d="M 328,480 L 328,512" fill="none" stroke="black"/>
<path d="M 328,752 L 328,784" fill="none" stroke="black"/>
<path d="M 400,160 L 400,192" fill="none" stroke="black"/>
<path d="M 408,96 L 408,128" fill="none" stroke="black"/>
<path d="M 432,32 L 432,64" fill="none" stroke="black"/>
<path d="M 504,32 L 504,64" fill="none" stroke="black"/>
<path d="M 8,32 L 504,32" fill="none" stroke="black"/>
<path d="M 8,64 L 504,64" fill="none" stroke="black"/>
<path d="M 40,96 L 408,96" fill="none" stroke="black"/>
<path d="M 40,128 L 408,128" fill="none" stroke="black"/>
<path d="M 80,160 L 400,160" fill="none" stroke="black"/>
<path d="M 80,192 L 400,192" fill="none" stroke="black"/>
<path d="M 120,288 L 240,288" fill="none" stroke="black"/>
<path d="M 120,320 L 240,320" fill="none" stroke="black"/>
<path d="M 80,352 L 120,352" fill="none" stroke="black"/>
<path d="M 192,352 L 200,352" fill="none" stroke="black"/>
<path d="M 48,400 L 232,400" fill="none" stroke="black"/>
<path d="M 48,432 L 232,432" fill="none" stroke="black"/>
<path d="M 16,480 L 328,480" fill="none" stroke="black"/>
<path d="M 16,512 L 328,512" fill="none" stroke="black"/>
<path d="M 40,560 L 96,560" fill="none" stroke="black"/>
<path d="M 240,560 L 360,560" fill="none" stroke="black"/>
<path d="M 40,592 L 96,592" fill="none" stroke="black"/>
<path d="M 240,592 L 360,592" fill="none" stroke="black"/>
<path d="M 16,672 L 296,672" fill="none" stroke="black"/>
<path d="M 16,720 L 296,720" fill="none" stroke="black"/>
<path d="M 16,752 L 328,752" fill="none" stroke="black"/>
<path d="M 16,784 L 328,784" fill="none" stroke="black"/>
<path d="M 120,288 C 111.16936,288 104,295.16936 104,304" fill="none" stroke="black"/>
<path d="M 240,288 C 248.83064,288 256,295.16936 256,304" fill="none" stroke="black"/>
<path d="M 120,320 C 111.16936,320 104,312.83064 104,304" fill="none" stroke="black"/>
<path d="M 240,320 C 248.83064,320 256,312.83064 256,304" fill="none" stroke="black"/>
<path d="M 40,352 C 31.16936,352 24,344.83064 24,336" fill="none" stroke="black"/>
<path d="M 40,352 C 48.83064,352 56,359.16936 56,368" fill="none" stroke="black"/>
<path d="M 80,352 C 71.16936,352 64,344.83064 64,336" fill="none" stroke="black"/>
<path d="M 120,352 C 128.83064,352 136,359.16936 136,368" fill="none" stroke="black"/>
<path d="M 192,352 C 183.16936,352 176,344.83064 176,336" fill="none" stroke="black"/>
<path d="M 200,352 C 208.83064,352 216,359.16936 216,368" fill="none" stroke="black"/>
<path d="M 48,400 C 39.16936,400 32,407.16936 32,416" fill="none" stroke="black"/>
<path d="M 232,400 C 240.83064,400 248,407.16936 248,416" fill="none" stroke="black"/>
<path d="M 48,432 C 39.16936,432 32,424.83064 32,416" fill="none" stroke="black"/>
<path d="M 232,432 C 240.83064,432 248,424.83064 248,416" fill="none" stroke="black"/>
<path d="M 40,560 C 31.16936,560 24,567.16936 24,576" fill="none" stroke="black"/>
<path d="M 96,560 C 104.83064,560 112,567.16936 112,576" fill="none" stroke="black"/>
<path d="M 240,560 C 231.16936,560 224,567.16936 224,576" fill="none" stroke="black"/>
<path d="M 360,560 C 368.83064,560 376,567.16936 376,576" fill="none" stroke="black"/>
<path d="M 40,592 C 31.16936,592 24,584.83064 24,576" fill="none" stroke="black"/>
<path d="M 96,592 C 104.83064,592 112,584.83064 112,576" fill="none" stroke="black"/>
<path d="M 240,592 C 231.16936,592 224,584.83064 224,576" fill="none" stroke="black"/>
<path d="M 360,592 C 368.83064,592 376,584.83064 376,576" fill="none" stroke="black"/>
<polygon class="arrowhead" points="320,744 308,738.4 308,749.6" fill="black" transform="rotate(90,312,744)"/>
<polygon class="arrowhead" points="304,552 292,546.4 292,557.6" fill="black" transform="rotate(90,296,552)"/>
<polygon class="arrowhead" points="224,392 212,386.4 212,397.6" fill="black" transform="rotate(90,216,392)"/>
<polygon class="arrowhead" points="184,280 172,274.4 172,285.6" fill="black" transform="rotate(90,176,280)"/>
<polygon class="arrowhead" points="160,472 148,466.4 148,477.6" fill="black" transform="rotate(90,152,472)"/>
<polygon class="arrowhead" points="144,392 132,386.4 132,397.6" fill="black" transform="rotate(90,136,392)"/>
<polygon class="arrowhead" points="80,664 68,658.4 68,669.6" fill="black" transform="rotate(90,72,664)"/>
<polygon class="arrowhead" points="72,552 60,546.4 60,557.6" fill="black" transform="rotate(90,64,552)"/>
<polygon class="arrowhead" points="64,392 52,386.4 52,397.6" fill="black" transform="rotate(90,56,392)"/>
<g class="text">
<text x="108" y="52">&quot;Autocrypt_v2_ratchet&quot;</text>
<text x="244" y="52">public</text>
<text x="304" y="52">primary</text>
<text x="352" y="52">key</text>
<text x="396" y="52">packet</text>
<text x="468" y="52">max_rd</text>
<text x="72" y="116">start</text>
<text x="136" y="116">prior</text>
<text x="196" y="116">rotating</text>
<text x="260" y="116">public</text>
<text x="316" y="116">subkey</text>
<text x="372" y="116">packet</text>
<text x="112" y="180">prior</text>
<text x="172" y="180">rotating</text>
<text x="236" y="180">subkey</text>
<text x="292" y="180">secret</text>
<text x="356" y="180">material</text>
<text x="224" y="228">input</text>
<text x="8" y="244">-</text>
<text x="40" y="244">-</text>
<text x="56" y="244">-</text>
<text x="80" y="244">-</text>
<text x="96" y="244">-</text>
<text x="112" y="244">-</text>
<text x="128" y="244">-</text>
<text x="144" y="244">-</text>
<text x="160" y="244">-</text>
<text x="192" y="244">-</text>
<text x="208" y="244">-</text>
<text x="224" y="244">-</text>
<text x="240" y="244">-</text>
<text x="256" y="244">-</text>
<text x="272" y="244">-</text>
<text x="288" y="244">-</text>
<text x="304" y="244">-</text>
<text x="320" y="244">-</text>
<text x="336" y="244">-</text>
<text x="352" y="244">-</text>
<text x="368" y="244">-</text>
<text x="384" y="244">-</text>
<text x="400" y="244">-</text>
<text x="416" y="244">-</text>
<text x="432" y="244">-</text>
<text x="448" y="244">-</text>
<text x="464" y="244">-</text>
<text x="180" y="308">normalize_x25519</text>
<text x="28" y="372">info</text>
<text x="108" y="372">salt</text>
<text x="192" y="372">IKM</text>
<text x="76" y="420">HKDF</text>
<text x="140" y="420">H=SHA2_512</text>
<text x="208" y="420">L=160</text>
<text x="44" y="500">64</text>
<text x="80" y="500">bytes</text>
<text x="196" y="500">96</text>
<text x="232" y="500">bytes</text>
<text x="68" y="580">SHA2_512</text>
<text x="300" y="580">normalize_x25519</text>
<text x="8" y="628">-</text>
<text x="24" y="628">-</text>
<text x="40" y="628">-</text>
<text x="56" y="628">-</text>
<text x="88" y="628">-</text>
<text x="104" y="628">-</text>
<text x="120" y="628">-</text>
<text x="136" y="628">-</text>
<text x="152" y="628">-</text>
<text x="168" y="628">-</text>
<text x="184" y="628">-</text>
<text x="200" y="628">-</text>
<text x="216" y="628">-</text>
<text x="232" y="628">-</text>
<text x="248" y="628">-</text>
<text x="264" y="628">-</text>
<text x="280" y="628">-</text>
<text x="296" y="628">-</text>
<text x="328" y="628">-</text>
<text x="344" y="628">-</text>
<text x="360" y="628">-</text>
<text x="376" y="628">-</text>
<text x="392" y="628">-</text>
<text x="408" y="628">-</text>
<text x="424" y="628">-</text>
<text x="440" y="628">-</text>
<text x="456" y="628">-</text>
<text x="236" y="644">output</text>
<text x="36" y="692">16</text>
<text x="68" y="692">byte</text>
<text x="108" y="692">salt</text>
<text x="144" y="692">for</text>
<text x="172" y="692">v6</text>
<text x="240" y="692">...</text>
<text x="52" y="708">subkey</text>
<text x="112" y="708">binding</text>
<text x="160" y="708">sig</text>
<text x="240" y="708">(discard)</text>
<text x="44" y="772">next</text>
<text x="100" y="772">rotating</text>
<text x="164" y="772">subkey</text>
<text x="220" y="772">secret</text>
<text x="284" y="772">material</text>
</g>
</svg>
</artwork><artwork  type="ascii-art"><![CDATA[
+------------------------+---------------------------+--------+
| "Autocrypt_v2_ratchet" | public primary key packet | max_rd |
+-+----------------------+---------------------------+--------+
  |
  | +-------+-------------------------------------+
  | | start | prior rotating public subkey packet |
  | +--+----+-------------------------------------+
  |    |
  |    | +---------------------------------------+
  |    | | prior rotating subkey secret material |
  |    | +-----------+---------------------------+
  |    |             |
  |    |             |   input
- | - -| - - - - - - | - - - - - - - - - - - - - - - - - -
  |    |             |
  |    |             v
  |    |     .----------------.
  |    |    | normalize_x25519 |
  |    |     '-------+--------'
  |    |             |
   '-.  '------.      '--.
 info |    salt |     IKM |
      v         v         v
    .------------------------.
   |   HKDF H=SHA2_512 L=160  |
    '-------------+----------'
                  |
                  v
 +------------+-------------------------+
 |  64 bytes  |        96 bytes         |
 +-----+------+---------------------+---+
       |                            |
       v                            v
   .--------.               .----------------.
  | SHA2_512 |             | normalize_x25519 |
   '----+---'               '---------+------'
        |                             |
- - - - | - - - - - - - - - - - - - - | - - - - - - - - -
        |                 output      |
        v                             |
 +---------------------+------------+ |
 | 16 byte salt for v6 |    ...     | |
 | subkey binding sig  | (discard)  | |
 +---------------------+------------+ |
                                      v
 +--------------------------------------+
 | next rotating subkey secret material |
 +--------------------------------------+
]]></artwork></artset></figure>

</section>
</section>
<section anchor="ratcheting-schedule"><name>Ratcheting Schedule</name>

<t>This section describes a straightforward algorithm for
a keyholder's UMA to decide when to create a new encryption-capable subkey.
A UMA can execute this algorithm at any time,
and <bcp14>SHOULD</bcp14> execute it in at least two specific cases:</t>

<t><list style="symbols">
  <t>When preparing to extract an OpenPGP certificate for publication or transmission to a peer, and</t>
  <t>When receiving an encrypted message that is encrypted
to a key that the implementation does not know about.
In this case, to account for minor clock skew
between a keyholder's own devices, a UMA <bcp14>MAY</bcp14> allow
a small lookahead (e.g., several minutes) when checking
if it is time to ratchet forward to a new subkey.</t>
</list></t>

<t>Note that this algorithm is specifically about new subkey creation.
Please see <xref target="key-destruction-timing"/> for recommendations about subkey destruction.</t>

<t>Knowing when to produce a new secret subkey requires knowledge of four distinct values.
All timestamps referenced here are values computed in the OpenPGP standard,
that is, as an integer number of seconds elapsed since 1970-01-01T00:00:00Z.</t>

<t>Two values are taken from the Autocrypt v2 TSK:</t>

<t><list style="symbols">
  <t><spanx style="verb">base_start</spanx>, the creation timestamp of the most recent rotating subkey.</t>
  <t><spanx style="verb">max_rd</spanx>, the number of seconds that the rotating subkey will expire.</t>
</list></t>

<t>One value is derived from the above:</t>

<t><list style="symbols">
  <t><spanx style="verb">min_rd</spanx> is typically half of <spanx style="verb">max_rd</spanx> (see <xref target="determining-minmaxrd"/>)</t>
</list></t>

<t>And a final value is taken from general consensus:</t>

<t><list style="symbols">
  <t><spanx style="verb">now</spanx>, the current "wall-clock" timestamp.</t>
</list></t>

<t>Add new rotating subkeys with the following routine:</t>

<t><list style="numbers" type="1">
  <t>If <spanx style="verb">now &lt; base_start</spanx>, abort.
(something is probably wrong with the system clock or the secret key material)</t>
  <t>Let <spanx style="verb">next_start</spanx> be <spanx style="verb">base_start + max_rd - min_rd</spanx>.</t>
  <t>If <spanx style="verb">now &lt; next_start</spanx>, terminate successfully (no need to ratchet).</t>
  <t>Generate new secret subkey <spanx style="verb">next_key</spanx>, using key material deterministically derived from
the certificate's primary key, the most recent rotating secret subkey, <spanx style="verb">max_rd</spanx>, and <spanx style="verb">next_start</spanx>.
Bind <spanx style="verb">next_key</spanx> as an encryption-capable subkey,
using a deterministic subkey binding signature packet.
<spanx style="verb">next_key</spanx>'s creation timestamp (and the subkey binding signature) is <spanx style="verb">next_start</spanx>.
See <xref target="ac2-ratchet"/> for how to deterministically derive the new secret key and subkey binding signature.</t>
  <t>Restart this process, using the new subkey.</t>
</list></t>

<t>Note that the recursive nature of the above scheduler may end up generating multiple secret subkeys
if the device has been offline for a long time.</t>

</section>
<section anchor="custom-ratcheting-schedules"><name>Custom Ratcheting Schedules</name>

<t>While this specification defines a 10-day validity window with a 50% overlap as the standard convention,
a system could be designed with a different rotation window
or a different overlap algorithm.
Such a system <bcp14>MUST</bcp14> guarantee
that all the keyholder's own UMAs
follow an identical adjusted rotation schedules and key destruction logic
in order to maintain synchronization.</t>

<t>A peer receiving an incoming certificate produced under a custom schedule
does not need to be aware of the keyholder's specific rotation logic.
Because these certificates adhere to standard OpenPGP structures,
the peer will properly handle them by merging the new subkeys into their local cache
using standard OpenPGP semantics (see <xref target="receiving-and-merging"/>).
As long as the primary key remains constant,
the peer's UMA will simply see a sequence of valid encryption subkeys
and can continue to encrypt messages following the logic described in <xref target="encrypting-to-v2"/>.</t>

</section>
<section anchor="key-destruction-timing"><name>Timing of Secret Key Destruction</name>

<t>To achieve reliable deletion,
a keyholder <bcp14>SHOULD</bcp14> destroy the secret key material for a rotating encryption subkey
as soon as it is no longer required for decryption.
Because message delivery is not instantaneous,
a subkey should be retained for a grace period beyond its validity window.
This document refers to this grace period as <spanx style="verb">max_latency</spanx>.
<spanx style="verb">max_latency</spanx> accounts for the maximum expected transit time of the underlying transport mechanism.
For example, a <spanx style="verb">max_latency</spanx> of 10 days (864000 seconds) is reasonable for Internet mail,
as it is double the maximum delivery timeout (see <xref section="4.5.4.1" sectionFormat="of" target="RFC5321"/>).</t>

<t>The destruction process is tied to the successful retrieval and processing of messages.
A UMA <bcp14>SHOULD</bcp14> follow this routine:</t>

<t><list style="numbers" type="1">
  <t>Track Transport Endpoints: For every transport endpoint associated with a certificate,
the UMA maintains a <spanx style="verb">last_checked</spanx> timestamp and an expected maximum delivery <spanx style="verb">max_latency</spanx>.</t>
  <t>Determine the Safety Horizon: The UMA calculates an <spanx style="verb">oldest_update</spanx> timestamp,
which is the minimum value of <spanx style="verb">(last_checked - max_latency)</spanx> across all associated transport endpoints.</t>
  <t>Destroy Expired Material: Any rotating secret subkey with an expiration time earlier than
the <spanx style="verb">oldest_update</spanx> is destroyed.</t>
</list></t>

<t>In cases of persistent transport unreachability,
a UMA must balance the need for decryption with the goal of reliable deletion.
If a transport endpoint remains inaccessible for a prolonged period,
the UMA <bcp14>SHOULD</bcp14> eventually disassociate that endpoint from the certificate.
Failing to do so would prevent <spanx style="verb">oldest_update</spanx> from advancing,
indefinitely stalling key destruction and widening the window of recoverability (see <xref target="recoverability-window"/>).
Once the UMA gives up on fetching messages from an inaccessible transport,
it can proceed with the standard destruction of the corresponding secret key material.</t>

</section>
<section anchor="autocrypt-v2-tsk-and-certificate-timeline"><name>Autocrypt v2 TSK and Certificate Timeline</name>

<t>The following diagram illustrates the timeline for evolution of an Autocrypt v2 TSK and Cert.</t>

<figure title="Autocrypt V2 TSK and Certificate Timeline"><artset><artwork  type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="464" width="528" viewBox="0 0 528 464" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 32,184 L 32,208" fill="none" stroke="black"/>
<path d="M 40,296 L 40,304" fill="none" stroke="black"/>
<path d="M 48,56 L 48,96" fill="none" stroke="black"/>
<path d="M 88,192 L 88,256" fill="none" stroke="black"/>
<path d="M 104,80 L 104,168" fill="none" stroke="black"/>
<path d="M 104,184 L 104,264" fill="none" stroke="black"/>
<path d="M 104,280 L 104,336" fill="none" stroke="black"/>
<path d="M 136,48 L 136,416" fill="none" stroke="black"/>
<path d="M 160,64 L 160,144" fill="none" stroke="black"/>
<path d="M 160,176 L 160,240" fill="none" stroke="black"/>
<path d="M 160,272 L 160,320" fill="none" stroke="black"/>
<path d="M 160,352 L 160,400" fill="none" stroke="black"/>
<path d="M 480,80 L 480,128" fill="none" stroke="black"/>
<path d="M 504,288 L 504,304" fill="none" stroke="black"/>
<path d="M 512,368 L 512,384" fill="none" stroke="black"/>
<path d="M 520,192 L 520,224" fill="none" stroke="black"/>
<path d="M 136,64 L 464,64" fill="none" stroke="black"/>
<path d="M 64,112 L 104,112" fill="none" stroke="black"/>
<path d="M 160,144 L 464,144" fill="none" stroke="black"/>
<path d="M 104,176 L 120,176" fill="none" stroke="black"/>
<path d="M 136,176 L 504,176" fill="none" stroke="black"/>
<path d="M 48,224 L 88,224" fill="none" stroke="black"/>
<path d="M 160,240 L 504,240" fill="none" stroke="black"/>
<path d="M 104,272 L 120,272" fill="none" stroke="black"/>
<path d="M 136,272 L 488,272" fill="none" stroke="black"/>
<path d="M 56,320 L 104,320" fill="none" stroke="black"/>
<path d="M 160,320 L 488,320" fill="none" stroke="black"/>
<path d="M 136,352 L 496,352" fill="none" stroke="black"/>
<path d="M 160,400 L 496,400" fill="none" stroke="black"/>
<path d="M 120,64 C 111.16936,64 104,71.16936 104,80" fill="none" stroke="black"/>
<path d="M 464,64 C 472.83064,64 480,71.16936 480,80" fill="none" stroke="black"/>
<path d="M 64,112 C 55.16936,112 48,104.83064 48,96" fill="none" stroke="black"/>
<path d="M 464,144 C 472.83064,144 480,136.83064 480,128" fill="none" stroke="black"/>
<path d="M 104,176 C 95.16936,176 88,183.16936 88,192" fill="none" stroke="black"/>
<path d="M 504,176 C 512.83064,176 520,183.16936 520,192" fill="none" stroke="black"/>
<path d="M 48,224 C 39.16936,224 32,216.83064 32,208" fill="none" stroke="black"/>
<path d="M 504,240 C 512.83064,240 520,232.83064 520,224" fill="none" stroke="black"/>
<path d="M 104,272 C 95.16936,272 88,264.83064 88,256" fill="none" stroke="black"/>
<path d="M 120,272 C 111.16936,272 104,279.16936 104,288" fill="none" stroke="black"/>
<path d="M 120,272 C 111.16936,272 104,264.83064 104,256" fill="none" stroke="black"/>
<path d="M 488,272 C 496.83064,272 504,279.16936 504,288" fill="none" stroke="black"/>
<path d="M 56,320 C 47.16936,320 40,312.83064 40,304" fill="none" stroke="black"/>
<path d="M 488,320 C 496.83064,320 504,312.83064 504,304" fill="none" stroke="black"/>
<path d="M 120,352 C 111.16936,352 104,344.83064 104,336" fill="none" stroke="black"/>
<path d="M 496,352 C 504.83064,352 512,359.16936 512,368" fill="none" stroke="black"/>
<path d="M 496,400 C 504.83064,400 512,392.83064 512,384" fill="none" stroke="black"/>
<polygon class="arrowhead" points="144,416 132,410.4 132,421.6" fill="black" transform="rotate(90,136,416)"/>
<g class="text">
<text x="140" y="36">Time</text>
<text x="52" y="52">max_rd</text>
<text x="200" y="84">primary</text>
<text x="248" y="84">key</text>
<text x="272" y="84">+</text>
<text x="316" y="84">fallback</text>
<text x="380" y="84">subkey</text>
<text x="440" y="84">created</text>
<text x="192" y="100">first</text>
<text x="252" y="100">rotating</text>
<text x="316" y="100">subkey</text>
<text x="376" y="100">created</text>
<text x="188" y="116">cert</text>
<text x="248" y="116">generated</text>
<text x="188" y="132">cert</text>
<text x="260" y="132">distribution</text>
<text x="340" y="132">begins</text>
<text x="36" y="180">min_rd</text>
<text x="184" y="196">new</text>
<text x="236" y="196">rotating</text>
<text x="300" y="196">subkey</text>
<text x="360" y="196">derived</text>
<text x="448" y="196">(AC2_Ratchet)</text>
<text x="184" y="212">new</text>
<text x="228" y="212">subkey</text>
<text x="328" y="212">deterministically</text>
<text x="424" y="212">bound</text>
<text x="460" y="212">to</text>
<text x="492" y="212">cert</text>
<text x="188" y="228">cert</text>
<text x="268" y="228">redistribution</text>
<text x="356" y="228">begins</text>
<text x="48" y="292">max_latency</text>
<text x="192" y="292">first</text>
<text x="252" y="292">rotating</text>
<text x="316" y="292">subkey</text>
<text x="376" y="292">expires</text>
<text x="192" y="308">peers</text>
<text x="236" y="308">drop</text>
<text x="280" y="308">first</text>
<text x="332" y="308">subkey</text>
<text x="380" y="308">from</text>
<text x="428" y="308">merged</text>
<text x="476" y="308">cert</text>
<text x="188" y="372">msgs</text>
<text x="276" y="372">recv'd+processed</text>
<text x="364" y="372">from</text>
<text x="400" y="372">all</text>
<text x="460" y="372">transports</text>
<text x="200" y="388">destroy</text>
<text x="256" y="388">first</text>
<text x="316" y="388">rotating</text>
<text x="380" y="388">secret</text>
<text x="436" y="388">subkey</text>
</g>
</svg>
</artwork><artwork  type="ascii-art"><![CDATA[
                Time
    max_rd       |
      |       .- +--+--------------------------------------.
      |      |   |  | primary key + fallback subkey created |
      |      |   |  | first rotating subkey created         |
       '-----+   |  | cert generated                        |
             |   |  | cert distribution begins              |
             |   |  +--------------------------------------'
             |   |
  min_rd    .--- +--+-------------------------------------------.
    |      | |   |  | new rotating subkey derived (AC2_Ratchet)  |
    |      | |   |  | new subkey deterministically bound to cert |
     '-----+ |   |  | cert redistribution begins                 |
           | |   |  +-------------------------------------------'
           | |   |
            '-+- +--+-----------------------------------------.
 max_latency |   |  | first rotating subkey expires            |
     |       |   |  | peers drop first subkey from merged cert |
      '------+   |  +-----------------------------------------'
             |   |
              '- +--+------------------------------------------.
                 |  | msgs recv'd+processed from all transports |
                 |  | destroy first rotating secret subkey      |
                 |  +------------------------------------------'
                 v

]]></artwork></artset></figure>

</section>
</section>
<section anchor="receiving-and-merging"><name>Receiving and Merging Certificates</name>

<t>An outbound Autocrypt v2 certificate always has the same primary key,
but new encryption-capable subkeys appear on a regular basis.
A peer UMA that encounters a certificate
<bcp14>SHOULD</bcp14> merge the known subkeys into the locally cached certificate,
using a mechanism like <spanx style="verb">sop merge-certs</spanx> (<xref section="5.2.6" sectionFormat="of" target="I-D.dkg-openpgp-stateless-cli"/>).</t>

<t>A peer that replaces but does not merge certificates
may end up encrypting a message to a subkey with a wider window of recoverability than necessary.</t>

<section anchor="minimization-and-pruning-of-autocrypt-v2-certificates"><name>Minimization and pruning of Autocrypt v2 certificates</name>

<t>To ensure good data hygiene and minimize storage use,
implementations should regularly prune Autocrypt v2 certificates,
for example when merging incoming certificates.
According to the ratcheting schedule algorithm (<xref target="ac2-ratchet"/>),
a merged Autocrypt v2 certificate typically can contain
at most two valid rotating subkeys at any given time.</t>

<t>Because expired subkeys can no longer be used for encryption,
it is <bcp14>RECOMMENDED</bcp14> that implementations drop all expired encryption subkeys
(and their corresponding subkey binding signatures) from certificates on a continuous basis.
This maintenance strategy keeps the certificate size minimal
while allowing communication with reliable deletion.</t>

<t>Note that deletion of secret key material
(as opposed to the public key material in certificates)
happens at a different cadence, see <xref target="key-destruction-timing"/>.</t>

</section>
</section>
<section anchor="encrypting-to-v2"><name>Encrypting to an Autocrypt v2 Certificate</name>

<t>When encrypting a message to an Autocrypt v2 certificate,
the peer should encrypt the message to only one of the encryption-capable subkeys.</t>

<t>If any rotating encryption subkey is valid,
the peer <bcp14>MUST NOT</bcp14> encrypt to the fallback encryption subkey.</t>

<t>If no rotating encryption subkey is valid,
and the peer has no way to update the certificate,
the peer <bcp14>MAY</bcp14> encrypt the message to the fallback encryption subkey.</t>

<t>If more than one rotating encryption subkey is currently valid,
the peer <bcp14>SHOULD</bcp14> encrypt to the valid rotating encryption subkey with the nearest expiration date.
This hastens the time when the message becomes reliably deletable.</t>

</section>
<section anchor="message-deletion"><name>Message Deletion</name>

<t>When a message is to be deleted,
the UMA <bcp14>MUST</bcp14> delete all known copies of the message,
as well as any set-aside session keys.
It <bcp14>MUST</bcp14> also remove traces of the message from
any index it may have created, as indexing tends
to create an equivalent copy of the indexed content.
The message will be unrecoverable by the adversary
once the rotating subkey's secret key material
has been destroyed (see <xref target="key-destruction-timing"/>).</t>

<section anchor="message-processing"><name>Keyholder Processing of Encrypted Messages</name>

<t>To facilitate robust deletion of some messages
while retaining the ability to read others from its archive,
a UMA needs to plan how to process a message upon ingestion.</t>

<t>When the keyholder first receives an encrypted message,
their UMA typically places the message in an archive visible to the UMA.
If the archive contains only the original ciphertext as received,
then the message will be useless in the archive when the rotating subkey's secret key material is destroyed
(see <xref target="key-destruction-timing"/>).
The goal is to have the message available in the archive when access is desired,
and to be able to safely remove it from the archive when deletion is desired.</t>

<t>There are at least three sensible ways to handle the message so that it can be deleted safely in the future:</t>

<t><list style="symbols">
  <t>Archiving cleartext</t>
  <t>Stashing session keys</t>
  <t>Re-encrypting</t>
</list></t>

<section anchor="archiving-cleartext"><name>Archiving Cleartext</name>

<t>The simplest model is that the keyholder's UMA retains the cleartext of each message,
entirely discarding the in-transit form.</t>

<t>The UMA can re-visit the content of such a message trivially,
regardless of whether the asymmetric secret key used for decryption has been destroyed or not.</t>

<t>This approach presumes that the message archive is not typically accessible
to the adversary.</t>

</section>
<section anchor="stashing-session-keys"><name>Stashing Session Keys</name>

<t>In this approach, the keyholder's UMA retains the in-transit form of the message,
but associates the OpenPGP session key of the encrypted content with the message.
For example, the UMA could store the session keys in a separate look-aside table, indexed by Message-ID.</t>

<t>In this case, the UMA can access the cleartext of the message
by decrypting it with the set-aside session key, even when the asymmetric secret key has been destroyed.</t>

<t>This approach can be used where the adversary has regular access to the archive,
effectively treating the archive as though it were as at-risk as the message in transit.
But the area where the session keys are stored
<bcp14>MUST NOT</bcp14> be typically accessible to the adversary.
If message cleartext is indexed, the session key storage <bcp14>MUST</bcp14> be
at least as secure from the adversary as the message index.</t>

</section>
<section anchor="re-encrypting"><name>Re-Encrypting</name>

<t>Finally, if the UMA retains some other long-term secret key for archival access,
it can process each message by re-encrypting it to the long-term archival key.
This can be done either by prepending each OpenPGP Encrypted Message
with a new Public Key Encrypted Session Key (PKESK) packet (See <xref section="5.1" sectionFormat="of" target="RFC9580"/>)
that contains the existing message's session key,
or by unwrapping the SEIPD packet entirely,
and re-encrypting it to the long-term archival key.</t>

<t>This approach presumes that the message archive is not typically
accessible to the adversary.
If the archive were regularly accessible to the adversary,
the adversary could store the re-encrypted message before deletion.
Then, during the compromise of the user's long-term key,
the adversary could unlock their copy of the previously deleted message.</t>

</section>
</section>
<section anchor="summary-of-message-processing-strategies"><name>Summary of Message Processing Strategies</name>

<texttable title="Message Archiving Strategies">
      <ttcol align='right'>Archiving Strategy</ttcol>
      <ttcol align='left'>raw message retained?</ttcol>
      <ttcol align='left'>simple indexing</ttcol>
      <ttcol align='left'>OpenPGP packet handling</ttcol>
      <ttcol align='left'>Deletable if adversary can access archive</ttcol>
      <c>Archived Cleartext</c>
      <c>N</c>
      <c>Y</c>
      <c>N</c>
      <c>N</c>
      <c>Stashed Session Key</c>
      <c>Y</c>
      <c>N</c>
      <c>N</c>
      <c>Y</c>
      <c>Re-encrypted Message</c>
      <c>N</c>
      <c>N</c>
      <c>Y</c>
      <c>N</c>
</texttable>

</section>
</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>See the discussion of quantum impersonation in <xref target="non-goals"/>.</t>

<t>A message encrypted to the long-term fallback encryption subkey can not be reliably deleted,
because an adversary who captures the message
and in the future exfiltrates the keyholder's secret key material will be able to decrypt their stored copy of the message.</t>

<section anchor="deletable-threat-model"><name>Reliable Deletion Threat Model</name>

<t>The threat model for reliable deletion of messages has three core expectations:</t>

<t><list style="symbols">
  <t>The adversary has access to any message in transit,
and can retain the in-transit form of each message indefinitely.</t>
  <t>At some point in the future,
the adversary can compromise the keyholder's UMA to be able to get access to their secret key material.</t>
  <t>The archive maintained by the keyholder's UMA is subject
to the same level of threat as the keyholder's secret key storage.</t>
</list></t>

<t>The goal for the keyholder is that
when the adversary compromises either the keyholder's archive or the keyholder's secret key material (or both),
any message that has been deleted by the keyholder is in fact unrecoverable by the adversary.</t>

</section>
<section anchor="the-cleartext-is-the-targeted-asset"><name>The Cleartext Is The Targeted Asset</name>

<t>Some "Forward Secrecy" schemes emphasize key ephemerality so heavily
that they lose track of the adversary's goal.</t>

<t>This document uses the "Reliable Deletion" framing because
the adversary wants to compromise the confidentiality of the message itself,
which means the key is only an intermediate target.</t>

<t>Many UMAs are effectively systems both for messaging and for archiving.
For archiving UMAs, exfiltration of the archive is often
as easy as (or even easier than) exfiltration of the secret key.
This means that confidentiality protection needs to consider
being able to delete the message cleartext
from the archive as well as the relevant secret key material.</t>

</section>
<section anchor="key-destruction-time-based-vs-message-based"><name>Key Destruction: Time-based vs. Message-based</name>

<t>Automated encryption key destruction is a necessary component to achieving reliable deletion.
There are two main approaches to scheduling key destruction: time-based and message-based.</t>

<t>Some messaging protocols (e.g., <xref target="Double-Ratchet"/>) ratchet keys on every message (or nearly every message).
This message-based key destruction schedule gives
a narrower window of temporal availability for each key, and fewer messages are encrypted to each key.</t>

<t>The time-based approach used in this specification is simpler
and relies primarily on all UMAs controlled by a single keyholder to have a shared sense of the global clock.</t>

<t>While the temporal window of key availability is often wider in the time-based approach,
its simplicity means much less inter-client coordination.
And the narrower temporal window of key validity offered by the message-based approach
is often not the limiting factor in the temporal window of message recoverability (see <xref target="recoverability-window"/>.</t>

</section>
<section anchor="recoverability-window"><name>The Window of Recoverability</name>

<t>Any message system offering reliable deletion has a frame of time during which the message
cannot be robustly deleted because it can be recovered by an attacker.
For example, in a scheme where each message is encrypted to its own unique key,
if one of the recipients of the message has not yet received the message,
a copy of that key must be available on the lagging recipient's device.</t>

<t>An adversary who is capable of:</t>

<t><list style="symbols">
  <t>capturing a copy of the message in transit, and</t>
  <t>preventing its delivery to one of the recipients, and</t>
  <t>compromising the recipient's device</t>
</list></t>

<t>will be able to recover the message cleartext even if
all other parties involved with the message
have deleted it long ago.</t>

<t>Realistically, a message is only deleted
once every cleartext copy of it has been destroyed, and
every system with access to the message's secret key
has destroyed the secret key.
At a minimum, a message that is in flight is not yet deletable,
and for a message sent to a group, message deletion is only
as robust as the slowest, most detached and uncoordinated member of the group.</t>

<t>Automated message deletion policies
(such as "disappearing messages" functionality common in many messenger apps)
can assist in message deletion, but they are similarly bound by
the duration of secret key retention.</t>

<t>Schemes with rapid key rotation tend to need
more complex internal state,
and are more likely to result in unreadable messages.
For initial messages, these schemes might require
all parties to a communication to be online at the same time,
or require any offline participants to distribute
some introductory key material ("prekeys") to a
reliably online third party.
A "prekey" scheme is itself at risk of attacks that can
cause initial messages to lose the desired deletability property,
or can expose additional metadata to an attacker
(see, for example, <xref target="PREKEY-POGO"/>).</t>

<t>This document accepts a wider window of message recovery (at most 20 days, by default)
which lets implementers avoid the need for any network synchronization between the keyholder's UMAs.
This tradeoff provides a decentralized and robust way to achieve reliable deletion.</t>

</section>
<section anchor="system-clock-reliance"><name>System Clock Reliance</name>

<t>A wrong system clock can have security implications for a system interacting with Autocrypt v2 keys and certificates.
A UMA should confirm that its system clock is within a reasonable range of the global consensus on what time it is.</t>

<t>There are at least four possible security- and usability-relevant failures
that could happen as a result of a broken system clock:</t>

<t><list style="symbols">
  <t>With a system clock set too far in the past,
a UMA might encrypt a message to an actually-expired encryption subkey.
If the recipient has already destroyed their secret key material according to schedule,
such a message would be undecryptable.</t>
  <t>With a system clock set too far in the future,
a UMA might decide that no rotating encryption subkey is available for a peer,
and therefore encrypt a message to the fallback encryption key,
thereby losing the reliable deletion property for that message.</t>
  <t>With a system clock set too far in the future, the UMA of a keyholder with an Autocrypt v2 secret key
might ratchet their secret key very far forward and
destroy secret key material that is still being used to encrypt messages to them.
This would render all incoming messages undecryptable.</t>
  <t>With minor clock skew (on the order of minutes) between multiple devices of a single keyholder,
one device might ratchet "ahead" of another. If the lagging device receives a message
encrypted to a subkey it has not yet generated, it may experience a transient decryption
failure until its local clock reaches the rotation threshold.
To mitigate this, a UMA <bcp14>MAY</bcp14> ratchet ahead by a small lookahead
when it encounters an unknown subkey (see <xref target="ratcheting-schedule"/>).</t>
</list></t>

<section anchor="avoiding-system-clock-skew"><name>Avoiding System Clock Skew</name>

<t>There are several ways to try to ensure that the local system clock matches
the general consensus about what time it is.
Broadly, the UMA (or the device on which it runs) can glean an understanding about the consensus time
from dedicated time servers,
from servers that it otherwise communicates with directly,
or from the peers that send it messages.</t>

<t>An attacker in control of any of these sources of time consensus might use their influence to try
to defeat reliable deletion (e.g., by forcing a message to be encrypted to the fallback key,
or by delaying secret key deletion),
or to create a denial of service (e.g., by encouraging encryption of messages to an already deleted subkey,
or by encouraging early deletion of a secret key).</t>

<t>One approach to learning about the local clock's skew from consensus time is
to use <xref target="NTP"/> against one or more known-good time servers.</t>

<t>Another approach is to glean a reasonable time bounds from the transport layer the UMA connects with.
For example, when using using <xref target="TLS"/> (or <xref target="QUIC"/> with the <xref target="TLS"/> handshake),
it's possible to infer a range of plausible times the server operator thinks it could be by looking at the
<spanx style="verb">Validity</spanx> member (from <spanx style="verb">notBefore</spanx> to <spanx style="verb">notAfter</spanx>) of the server's <xref target="X.509"/> certificate.
Narrower <spanx style="verb">Validity</spanx> members are more common today than they were in the past
and can help to detect a clock skew that is greater than the bounds of <spanx style="verb">Validity</spanx>.</t>

<t>To the extent that the server participates in <xref target="Certificate-Transparency"/>,
the UMA could also determine reasonable time bounds from timestamp member of the SignedCertificateTimestamp extension.
If the server offers a stapled <xref target="OCSP"/> response via the OCSP Status Request extension,
the various timestamps (e.g. <spanx style="verb">producedAt</spanx> and <spanx style="verb">thisUpdate</spanx> and <spanx style="verb">nextUpdate</spanx>) in a stapled OCSPResponse
can also be used as an estimate of the server's rough sense of the wall clock.
Estimates like these based on information provided from the server in the TLS handshake
are valuable because the UMA has typically not yet authenticated to the server during the handshake,
which makes a targeted attack from the server in this context less likely.</t>

<t>The UMA can also get a rough estimate of their correspondents' view of the wall clock time
by looking, for example, at the <spanx style="verb">Date</spanx> header in recently-received e-mail messages.</t>

<t>These methods can generate estimates of the likelihood of clock skew.
In the event that the keyholder's UMA believes that its clock is substantially advanced beyond the consensus time,
it <bcp14>MAY</bcp14> postpone secret key deletion until it is more confident in its clock alignment.</t>

</section>
</section>
</section>
<section anchor="usability-considerations"><name>Usability Considerations</name>

<t>The keyholder needs to regularly update their certificate,
and re-transmit it to those peers who might want to write them a confidential message.</t>

<t>Refreshing the encryption-capable subkeys might be done
with a suitable invocation of <spanx style="verb">sop update-key</spanx> (see <xref section="5.2.5" sectionFormat="of" target="I-D.dkg-openpgp-stateless-cli"/>).</t>

<t>After subkey rollover, re-transmission to peers might be done with <xref target="Autocrypt"/> or some other in-band communication process.
Alternately, if the keyholder's peers refresh certificates before sending mail,
the updated certificate could be uploaded to keyservers using <xref target="HKP"/> or a comparable protocol.</t>

<t>If a peer is willing to encrypt to an expired encryption key,
they will create a message that the keyholder cannot decrypt,
because the keyholder regularly destroys the secret key material associated with expired subkeys.
The peer <bcp14>MUST NOT</bcp14> encrypt to an expired encryption key.</t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>This document does not require any action from IANA.</t>

</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
<reference anchor="RFC9580">
  <front>
    <title>OpenPGP</title>
    <author fullname="P. Wouters" initials="P." role="editor" surname="Wouters"/>
    <author fullname="D. Huigens" initials="D." surname="Huigens"/>
    <author fullname="J. Winter" initials="J." surname="Winter"/>
    <author fullname="Y. Niibe" initials="Y." surname="Niibe"/>
    <date month="July" year="2024"/>
    <abstract>
      <t>This document specifies the message formats used in OpenPGP. OpenPGP provides encryption with public key or symmetric cryptographic algorithms, digital signatures, compression, and key management.</t>
      <t>This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format. It is not a step-by-step cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws.</t>
      <t>This document obsoletes RFCs 4880 ("OpenPGP Message Format"), 5581 ("The Camellia Cipher in OpenPGP"), and 6637 ("Elliptic Curve Cryptography (ECC) in OpenPGP").</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9580"/>
  <seriesInfo name="DOI" value="10.17487/RFC9580"/>
</reference>
<reference anchor="RFC9980">
  <front>
    <title>Post-Quantum Cryptography in OpenPGP</title>
    <author fullname="S. Kousidis" initials="S." surname="Kousidis"/>
    <author fullname="J. Roth" initials="J." surname="Roth"/>
    <author fullname="F. Strenzke" initials="F." surname="Strenzke"/>
    <author fullname="A. Wussler" initials="A." surname="Wussler"/>
    <date month="June" year="2026"/>
    <abstract>
      <t>This document defines a post-quantum public key algorithm extension for the OpenPGP protocol, extending RFC 9580. Given the generally assumed threat of a cryptographically relevant quantum computer, this extension provides a basis for long-term secure OpenPGP signatures and ciphertexts. Specifically, it defines composite public key encryption based on ML-KEM (formerly CRYSTALS-Kyber), composite public key signatures based on ML-DSA (formerly CRYSTALS-Dilithium), both in combination with Elliptic Curve Cryptography (ECC), and SLH-DSA (formerly SPHINCS+) as a standalone public key signature scheme.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9980"/>
  <seriesInfo name="DOI" value="10.17487/RFC9980"/>
</reference>
<reference anchor="RFC7748">
  <front>
    <title>Elliptic Curves for Security</title>
    <author fullname="A. Langley" initials="A." surname="Langley"/>
    <author fullname="M. Hamburg" initials="M." surname="Hamburg"/>
    <author fullname="S. Turner" initials="S." surname="Turner"/>
    <date month="January" year="2016"/>
    <abstract>
      <t>This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7748"/>
  <seriesInfo name="DOI" value="10.17487/RFC7748"/>
</reference>
<reference anchor="RFC8032">
  <front>
    <title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
    <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
    <author fullname="I. Liusvaara" initials="I." surname="Liusvaara"/>
    <date month="January" year="2017"/>
    <abstract>
      <t>This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8032"/>
  <seriesInfo name="DOI" value="10.17487/RFC8032"/>
</reference>
<reference anchor="HKDF">
  <front>
    <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
    <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
    <author fullname="P. Eronen" initials="P." surname="Eronen"/>
    <date month="May" year="2010"/>
    <abstract>
      <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5869"/>
  <seriesInfo name="DOI" value="10.17487/RFC5869"/>
</reference>



    </references>

    <references title='Informative References' anchor="sec-informative-references">

<reference anchor="Autocrypt" target="https://autocrypt.org/">
  <front>
    <title>Autocrypt - Convenient End-to-End Encryption for E-Mail</title>
    <author initials="V." surname="Breitmoser" fullname="Vincent Breitmoser">
      <organization></organization>
    </author>
    <author initials="H." surname="Krekel" fullname="Holger Krekel">
      <organization></organization>
    </author>
    <author initials="D. K." surname="Gillmor" fullname="Daniel Kahn Gillmor">
      <organization></organization>
    </author>
    <date year="2019" month="February" day="10"/>
  </front>
</reference>
<reference anchor="Double-Ratchet" target="https://signal.org/docs/specifications/doubleratchet/">
  <front>
    <title>The Double Ratchet Algorithm</title>
    <author initials="T." surname="Perrin" fullname="Trevor Perrin">
      <organization></organization>
    </author>
    <author initials="M." surname="Marlinspike" fullname="Moxie Marlinspike">
      <organization></organization>
    </author>
    <author initials="R." surname="Schmidt" fullname="Rolfe Schmidt">
      <organization></organization>
    </author>
    <date year="2025" month="November" day="04"/>
  </front>
</reference>


<reference anchor="RFC5321">
  <front>
    <title>Simple Mail Transfer Protocol</title>
    <author fullname="J. Klensin" initials="J." surname="Klensin"/>
    <date month="October" year="2008"/>
    <abstract>
      <t>This document is a specification of the basic protocol for Internet electronic mail transport. It consolidates, updates, and clarifies several previous documents, making all or parts of most of them obsolete. It covers the SMTP extension mechanisms and best practices for the contemporary Internet, but does not provide details about particular extensions. Although SMTP was designed as a mail transport and delivery protocol, this specification also contains information that is important to its use as a "mail submission" protocol for "split-UA" (User Agent) mail reading systems and mobile environments. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5321"/>
  <seriesInfo name="DOI" value="10.17487/RFC5321"/>
</reference>

<reference anchor="I-D.dkg-openpgp-stateless-cli">
   <front>
      <title>Stateless OpenPGP Command Line Interface</title>
      <author fullname="Daniel Kahn Gillmor" initials="D. K." surname="Gillmor">
         <organization>American Civil Liberties Union</organization>
      </author>
      <author fullname="Daniel Huigens" initials="D." surname="Huigens">
         <organization>Proton AG</organization>
      </author>
      <date day="26" month="June" year="2026"/>
      <abstract>
	 <t>   This document defines a generic stateless command-line interface for
   dealing with OpenPGP messages, certificates, and secret key material,
   known as sop.  It aims for a minimal, well-structured API covering
   OpenPGP object security and maintenance of credentials and secrets.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-dkg-openpgp-stateless-cli-16"/>
   
</reference>
<reference anchor="PREKEY-POGO">
  <front>
    <title>Prekey Pogo: Investigating Security and Privacy Issues in WhatsApp's Handshake Mechanism</title>
    <author fullname="Gabriel K. Gegenhuber" initials="G." surname="Gegenhuber">
      <organization/>
    </author>
    <author fullname="Philipp É. Frenzel" initials="P." surname="Frenzel">
      <organization/>
    </author>
    <author fullname="Maximilian Günther" initials="M." surname="Günther">
      <organization/>
    </author>
    <author fullname="Aljosha Judmayer" initials="A." surname="Judmayer">
      <organization/>
    </author>
    <date year="2025"/>
  </front>
  <seriesInfo name="DOI" value="10.48550/ARXIV.2504.07323"/>
<refcontent>arXiv</refcontent></reference>
<reference anchor="NTP">
  <front>
    <title>Network Time Protocol Version 4: Protocol and Algorithms Specification</title>
    <author fullname="D. Mills" initials="D." surname="Mills"/>
    <author fullname="J. Martin" initials="J." role="editor" surname="Martin"/>
    <author fullname="J. Burbank" initials="J." surname="Burbank"/>
    <author fullname="W. Kasch" initials="W." surname="Kasch"/>
    <date month="June" year="2010"/>
    <abstract>
      <t>The Network Time Protocol (NTP) is widely used to synchronize computer clocks in the Internet. This document describes NTP version 4 (NTPv4), which is backwards compatible with NTP version 3 (NTPv3), described in RFC 1305, as well as previous versions of the protocol. NTPv4 includes a modified protocol header to accommodate the Internet Protocol version 6 address family. NTPv4 includes fundamental improvements in the mitigation and discipline algorithms that extend the potential accuracy to the tens of microseconds with modern workstations and fast LANs. It includes a dynamic server discovery scheme, so that in many cases, specific server configuration is not required. It corrects certain errors in the NTPv3 design and implementation and includes an optional extension mechanism.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5905"/>
  <seriesInfo name="DOI" value="10.17487/RFC5905"/>
</reference>
<reference anchor="TLS">
  <front>
    <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
    <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
    <date month="August" year="2018"/>
    <abstract>
      <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
      <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8446"/>
  <seriesInfo name="DOI" value="10.17487/RFC8446"/>
</reference>
<reference anchor="QUIC">
  <front>
    <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
    <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
    <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
    <date month="May" year="2021"/>
    <abstract>
      <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9000"/>
  <seriesInfo name="DOI" value="10.17487/RFC9000"/>
</reference>
<reference anchor="X.509">
  <front>
    <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
    <author fullname="D. Cooper" initials="D." surname="Cooper"/>
    <author fullname="S. Santesson" initials="S." surname="Santesson"/>
    <author fullname="S. Farrell" initials="S." surname="Farrell"/>
    <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
    <author fullname="R. Housley" initials="R." surname="Housley"/>
    <author fullname="W. Polk" initials="W." surname="Polk"/>
    <date month="May" year="2008"/>
    <abstract>
      <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5280"/>
  <seriesInfo name="DOI" value="10.17487/RFC5280"/>
</reference>
<reference anchor="Certificate-Transparency">
  <front>
    <title>Certificate Transparency</title>
    <author fullname="B. Laurie" initials="B." surname="Laurie"/>
    <author fullname="A. Langley" initials="A." surname="Langley"/>
    <author fullname="E. Kasper" initials="E." surname="Kasper"/>
    <date month="June" year="2013"/>
    <abstract>
      <t>This document describes an experimental protocol for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed, in a manner that allows anyone to audit certificate authority (CA) activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves. The intent is that eventually clients would refuse to honor certificates that do not appear in a log, effectively forcing CAs to add all issued certificates to the logs.</t>
      <t>Logs are network services that implement the protocol operations for submissions and queries that are defined in this document.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6962"/>
  <seriesInfo name="DOI" value="10.17487/RFC6962"/>
</reference>
<reference anchor="OCSP">
  <front>
    <title>X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP</title>
    <author fullname="M. Myers" initials="M." surname="Myers"/>
    <author fullname="R. Ankney" initials="R." surname="Ankney"/>
    <author fullname="A. Malpani" initials="A." surname="Malpani"/>
    <author fullname="S. Galperin" initials="S." surname="Galperin"/>
    <author fullname="C. Adams" initials="C." surname="Adams"/>
    <date month="June" year="1999"/>
    <abstract>
      <t>This document specifies a protocol useful in determining the current status of a digital certificate without requiring CRLs. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="2560"/>
  <seriesInfo name="DOI" value="10.17487/RFC2560"/>
</reference>

<reference anchor="HKP">
   <front>
      <title>OpenPGP HTTP Keyserver Protocol</title>
      <author fullname="Daphne Shaw" initials="D." surname="Shaw">
         <organization>Jabberwocky Tech</organization>
      </author>
      <author fullname="Andrew Gallagher" initials="A." surname="Gallagher">
         <organization>PGPKeys.EU</organization>
      </author>
      <author fullname="Daniel Huigens" initials="D." surname="Huigens">
         <organization>Proton AG</organization>
      </author>
      <date day="29" month="April" year="2026"/>
      <abstract>
	 <t>   This document specifies a series of conventions to implement an
   OpenPGP keyserver using the Hypertext Transfer Protocol (HTTP).  As
   this document is a codification and extension of a protocol that is
   already in wide use, strict attention is paid to backward
   compatibility with these existing implementations.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-gallagher-openpgp-hkp-10"/>
   
</reference>

<reference anchor="I-D.brown-pgp-pfs">
   <front>
      <title>Forward Secrecy Extensions for OpenPGP</title>
      <author fullname="Ian Brown" initials="I." surname="Brown">
         </author>
      <author fullname="Ben Laurie" initials="B." surname="Laurie">
         <organization>A.L. Digital Ltd</organization>
      </author>
      <date day="8" month="October" year="2001"/>
      <abstract>
	 <t>The confidentiality of encrypted data depends on the secrecy of the
key needed to decrypt it. If one key is able to decrypt large
quantities of data, its compromise will be disastrous. This memo
describes three methods for limiting this vulnerability for OpenPGP
messages: reducing the lifetime of confidentiality keys; one-time
keys; and the additional use of lower-layer security services.
	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-brown-pgp-pfs-03"/>
   
</reference>



    </references>

</references>


<?line 1098?>

<section anchor="historical-notes"><name>Historical notes</name>

<t>Prior work on "forward secrecy" in OpenPGP dates back decades,
including <xref target="I-D.brown-pgp-pfs"/>.
Much of the guidance in that document is useful, and it is worth reading.
As far as the authors are aware, the mechanisms described there were never widely adopted,
and no tooling is currently available to make certificates compliant with the policies or "single-use" subpackets outlined there.
That specification also never grappled with the complexities of coordinating ephemeral subkeys across multiple UMAs,
or considering how "reply all" would work in a group messaging context for single-use keys.</t>

</section>
<section anchor="design-choices"><name>Design Choices</name>

<section anchor="subkey-validity-windows"><name>Subkey Validity Windows</name>

<t>When designing the subkey rotation mechanism,
it's possible to create back-to-back, overlapping, or superset validity windows.</t>

<section anchor="back-to-back-validity-windows"><name>Back-to-Back Validity Windows</name>

<t>With back-to-back validity windows,
Each subkey is valid for a period that doesn't overlap with any other subkey.</t>

<figure title="Back-to-Back Validity Windows"><artset><artwork  type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="240" width="536" viewBox="0 0 536 240" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 56,32 L 56,64" fill="none" stroke="black"/>
<path d="M 56,192 L 56,224" fill="none" stroke="black"/>
<path d="M 144,32 L 144,96" fill="none" stroke="black"/>
<path d="M 232,64 L 232,128" fill="none" stroke="black"/>
<path d="M 320,96 L 320,160" fill="none" stroke="black"/>
<path d="M 408,128 L 408,192" fill="none" stroke="black"/>
<path d="M 56,48 L 88,48" fill="none" stroke="black"/>
<path d="M 112,48 L 144,48" fill="none" stroke="black"/>
<path d="M 144,80 L 176,80" fill="none" stroke="black"/>
<path d="M 200,80 L 232,80" fill="none" stroke="black"/>
<path d="M 232,112 L 264,112" fill="none" stroke="black"/>
<path d="M 288,112 L 320,112" fill="none" stroke="black"/>
<path d="M 320,144 L 352,144" fill="none" stroke="black"/>
<path d="M 376,144 L 408,144" fill="none" stroke="black"/>
<path d="M 408,176 L 432,176" fill="none" stroke="black"/>
<path d="M 56,208 L 528,208" fill="none" stroke="black"/>
<polygon class="arrowhead" points="536,208 524,202.4 524,213.6" fill="black" transform="rotate(0,528,208)"/>
<g class="text">
<text x="100" y="52">K0</text>
<text x="188" y="84">K1</text>
<text x="276" y="116">K2</text>
<text x="364" y="148">K3</text>
<text x="456" y="180">...</text>
<text x="20" y="212">Time</text>
</g>
</svg>
</artwork><artwork  type="ascii-art"><![CDATA[
      .          .
      +----K0----+
      '          |          .
                 +----K1----+
                 '          |          .
                            +----K2----+
                            '          |          .
                                       +----K3----+
                                       '          |
                                                  +--- ...
      .                                           '
Time  +---------------------------------------------------------->
      '
]]></artwork></artset></figure>

<t>In this arrangement, it is unambiguous which subkey to encrypt to, and validity windows can be shorter.
But toward the end of one subkey's validity window, the keyholder needs to distribute the next subkey as well as the current subkey,
in case an incoming message is produced after the cutover.
When the keyholder does this, they are distributing two subkeys (which makes the certificate larger).</t>

<t>Also, the upcoming subkey will have a creation time and signature creation time in the future,
and peer implementation support for subkeys with creation times or subkey binding times in the future is dubious.
Some peers may reject the subkey for being "from the future", and strip it before storing the certificate.
Those peers won't have it available when they need it,
and might end up having to encrypt to the fallback subkey.
Other peers may ignore the creation timestamps, and go ahead and encrypt to the subkey before its validity window begins.</t>

<t>Policy needs a decision about when to start distributing the new subkey,
but that decision does not affect the wireformat.</t>

<t>If keyholder's UMA X distributes the new subkey earlier than keyholder's UMA Y,
and a peer encrypts a message to the new subkey before the new subkey is valid,
keyholder's UMA Y may need to trial-ratchet until it finds the right subkey.</t>

</section>
<section anchor="overlapping-validity-windows"><name>Overlapping Validity Windows</name>

<t>With overlapping validity windows, each subsequent rotating subkey's validity starts during the validity
window of the prior rotating subkey.</t>

<figure title="Overlapping Validity Windows"><artset><artwork  type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="240" width="536" viewBox="0 0 536 240" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 56,32 L 56,64" fill="none" stroke="black"/>
<path d="M 56,192 L 56,224" fill="none" stroke="black"/>
<path d="M 144,64 L 144,96" fill="none" stroke="black"/>
<path d="M 184,32 L 184,64" fill="none" stroke="black"/>
<path d="M 232,96 L 232,128" fill="none" stroke="black"/>
<path d="M 272,64 L 272,96" fill="none" stroke="black"/>
<path d="M 320,128 L 320,160" fill="none" stroke="black"/>
<path d="M 360,96 L 360,128" fill="none" stroke="black"/>
<path d="M 408,160 L 408,192" fill="none" stroke="black"/>
<path d="M 448,128 L 448,160" fill="none" stroke="black"/>
<path d="M 56,48 L 112,48" fill="none" stroke="black"/>
<path d="M 136,48 L 184,48" fill="none" stroke="black"/>
<path d="M 144,80 L 192,80" fill="none" stroke="black"/>
<path d="M 216,80 L 272,80" fill="none" stroke="black"/>
<path d="M 232,112 L 280,112" fill="none" stroke="black"/>
<path d="M 304,112 L 360,112" fill="none" stroke="black"/>
<path d="M 320,144 L 368,144" fill="none" stroke="black"/>
<path d="M 392,144 L 448,144" fill="none" stroke="black"/>
<path d="M 408,176 L 472,176" fill="none" stroke="black"/>
<path d="M 56,208 L 528,208" fill="none" stroke="black"/>
<polygon class="arrowhead" points="536,208 524,202.4 524,213.6" fill="black" transform="rotate(0,528,208)"/>
<g class="text">
<text x="124" y="52">K0</text>
<text x="204" y="84">K1</text>
<text x="292" y="116">K2</text>
<text x="380" y="148">K3</text>
<text x="496" y="180">...</text>
<text x="20" y="212">Time</text>
</g>
</svg>
</artwork><artwork  type="ascii-art"><![CDATA[
      .               .
      +-------K0------+
      '          .    '          .
                 +------K1-------+
                 '          .    '          .
                            +------K2-------+
                            '          .    '          .
                                       +------K3-------+
                                       '          .    '
                                                  +-------- ...
      .                                           '
Time  +---------------------------------------------------------->
      '
]]></artwork></artset></figure>

<t>The validity window for any subkey in this scheme is wider than back-to-back.
Keyholder only needs to distribute a single rotating subkey.</t>

<t>Policy needs a decision about how much the validity windows should overlap, which affects the wireformat.
This document records the convention that the validity windows overlap by 50% (new subkey created halfway through the prior subkey's validity).</t>

<t>The keyholder's UMAs can blindly coordinate subkey distribution by
only distributing subkeys whose validity window is currently active.</t>

</section>
<section anchor="superset-validity-windows"><name>Superset Validity Windows</name>

<t>With superset validity windows, each rotating subkey has an identical creation time,
but each subsequent subkey has a later expiration date.</t>

<figure title="Superset Validity Windows"><artset><artwork  type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="240" width="536" viewBox="0 0 536 240" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 56,32 L 56,224" fill="none" stroke="black"/>
<path d="M 144,32 L 144,64" fill="none" stroke="black"/>
<path d="M 232,64 L 232,96" fill="none" stroke="black"/>
<path d="M 320,96 L 320,128" fill="none" stroke="black"/>
<path d="M 408,128 L 408,160" fill="none" stroke="black"/>
<path d="M 56,48 L 88,48" fill="none" stroke="black"/>
<path d="M 112,48 L 144,48" fill="none" stroke="black"/>
<path d="M 56,80 L 128,80" fill="none" stroke="black"/>
<path d="M 152,80 L 232,80" fill="none" stroke="black"/>
<path d="M 56,112 L 176,112" fill="none" stroke="black"/>
<path d="M 200,112 L 320,112" fill="none" stroke="black"/>
<path d="M 56,144 L 232,144" fill="none" stroke="black"/>
<path d="M 256,144 L 408,144" fill="none" stroke="black"/>
<path d="M 56,176 L 432,176" fill="none" stroke="black"/>
<path d="M 56,208 L 528,208" fill="none" stroke="black"/>
<polygon class="arrowhead" points="536,208 524,202.4 524,213.6" fill="black" transform="rotate(0,528,208)"/>
<g class="text">
<text x="100" y="52">K0</text>
<text x="140" y="84">K1</text>
<text x="188" y="116">K2</text>
<text x="244" y="148">K3</text>
<text x="456" y="180">...</text>
<text x="20" y="212">Time</text>
</g>
</svg>
</artwork><artwork  type="ascii-art"><![CDATA[
      .          .
      +----K0----+
      |          '          .
      +---------K1----------+
      |                     '          .
      +---------------K2---------------+
      |                                '          .
      +----------------------K3-------------------+
      |                                           '
      +----------------------------------------------- ...
      |
Time  +---------------------------------------------------------->
      '
]]></artwork></artset></figure>

<t>This scheme relies on the keyholder's machines delaying generation of each subsequent rotating subkey,
as a prematurely-generated (and distributed) subkey might get used by a peer.</t>

</section>
<section anchor="validity-window-conclusion"><name>Validity Window Conclusion</name>

<t>Decision: better to go with overlapping,
so that the common case is a certificate with only a single rotating subkey.</t>

</section>
</section>
<section anchor="ed25519-for-primary-key"><name>Ed25519 for Primary Key</name>

<t>Why not go with PQ/T primary key?
Because signatures from all PQ/T keys are very large,
and each cert needs at least three signatures in it.</t>

<t>Why not go with Ed448 primary key?
Because Ed25519 implementations have endured significantly more scrutiny than Ed448 implementations.
Also, Ed25519 is already mandatory-to-implement in OpenPGP, and signatures are marginally smaller.</t>

</section>
<section anchor="balancing-rotation-and-reliable-deletion-timing"><name>Balancing Rotation and Reliable Deletion Timing</name>

<t>The default 5-day rotation period, 10-day expiration, and 20-day deletion
schedule balance reliability with security.
The 10-day buffer after expiration accounts for potential message
transmission delays in systems like SMTP.
Deleting the secret key material after 20 days ensures that reliable
message deletion occurs in the near future.
This timeline prevents secret keys from being stored longer than necessary
while remaining compatible with the pace of modern email.</t>

</section>
<section anchor="no-explicit-annotations"><name>No Explicit Annotations</name>

<t>An Autocrypt v2 certificate is identifiable by its structure and parameterization alone.
There is no attempt to mark a certificate explicitly as an attempt at Autocrypt v2.</t>

<t>The design goal of interop with peers with a merely upgraded OpenPGP implementation
suggests that an explicit indicator would be unnecessary.</t>

</section>
<section anchor="seed-free-ratcheting"><name>Seed-free Ratcheting</name>

<t>When ratcheting a secret subkey forward,
this design only uses secret entropy from
the current ratcheting subkey's secret key material.</t>

<t>Introducing additional data in the form of a seed would require special coordination
between cooperating peers for the initial synchronization of that seed,
which complicates the goal of minimizing network synchronization.</t>

<t>For example, a keyholder that adds another UMA to their account currently needs
to transfer an OpenPGP TSK to the new UMA.
How would a distinct seed be transmitted to the other UMA in such a way that it would
not be be accidentally re-transmitted to a peer by legacy tooling that extracts
an OpenPGP certificate from the TSK?</t>

<t>Another choice of additional seed material could be the secret key material of the
primary key itself, or of the fallback's secret key material.
By not including any of that secret key material in the input to the ratchet,
we enable the keyholder to distribute these two long-term keys to their various UMAs
via a tamper-resistant hardware device.</t>

</section>
</section>
<section anchor="test-vectors"><name>Test vectors</name>

<section anchor="key-and-certificate-created"><name>Key and Certificate Created</name>

<t>At
2026-07-01T17:33:45Z,
this Autocrypt v2 secret key was created, with the associated certificate.</t>

<section anchor="initial-certificate"><name>Initial Certificate</name>

<t>This outbound certificate is distributed to peers that the key holder wants to communicate with.</t>

<figure><sourcecode type="application/pgp-keys" name="initial.cert"><![CDATA[
-----BEGIN PGP PUBLIC KEY BLOCK-----

xioGakRYfxsAAAAgcRJVRUdqGTNMnwwTeQZv+o8XiaDdVTTpXnjPNH2FR4zCkgYf
GwgAAAAzBYJqRFh/ApsDAh4IIiEGVsEF0JnaJfhSKus9nc+IvOBp9aMRF6K7T1Ya
v6vmHKEDJwkCAAAAADqFENl3uzg/tNOjW2+khGm+tpsVwFezqZ9N64SfSylWouMq
267PJtdf8y+mx3g4BbY0R3N5eTZiIpscbzy8p+PJ5+Hh7edI6p1hrbFxVSY/SjUI
zsQKBmpEWH8jAAAEwMnQyYCYyPLlqXKM8d+oKEe+a1maw5IdqzQRl3fDQA8WlOlA
/Ywqa+MA9Ni7ZMBE9pBRUKefJGZOu2NuNIJSzsB4c1tYPDqrMSR29JqqnOxXpISJ
VOmIxhC1j5VAKqnO4AuJ8zEa3imhDxUr4JORP8eRi5gwkgu8BMQJfDA9kBgeYzQz
x5JMJ5Mh/dW8/WOLdzIE77I8L6dX2NB0v6uAV0A6eFy+LCuivxV/aDRH/9SW1tDG
WocNMYqQ75JkFSpE4RVcYvVBE1iO6XBInjGAm/hSzwE6RglwbpQdy3WaJfYsVuqL
QgRpqZhuKmu18vaij0JGHRhAEDNJuvmBtdgnCneezGtbOPF4zcax5Da+EekANUKh
aClxZjSAFpAcpii0GElEQIpYxaWas6C2fsNxmhsh57d/U0p0SAAiOrmVLrdCC6kp
CNuqRiQ8jAC0+/tmZRe3YVi6lBiNHlVXtcoUCOCH4jWiMAMB04sTb1uz+3EtAJkt
ECDJ5muyIHhCBBQMKBKI9rMCujJfIQApZ1IHq8qOl2G1NfcdGfsUQ9sbnKZRyik6
5FBMIOsco+Q7XppgxyehKSmEpxJfwCtfC6YIosud5GSDOZMzCVQViDUawRk58KII
S8YDRNq9SrdqY9uLx4gq23Jyvfmkald7EsbAaOKbPQNgPaRpJTO7W9QGmFdCL4Kk
O4hOoVZHltq5Pko+/zYQick7kro5pvPDUaVhxuEu/GIlZWNoR9fO4TIItZwmIjwR
5YN0MVC7CyFEaBySPHhYZDdJJ7dj+EKncGts02cO7HmM8WUDPAAELlViZ/k10KjH
5oO+jWM6YBZrkLOPVngJSMB43EpJICeYSsGc2qCNK5NMtLvNSGsvsuUdr/WDtANT
rWI2XOw9oVs9APpuiKrHT+OGQTKnK+lKhUlJMEV6Iqt/6jt2ereLCzgls8B1fceG
6disSDiz6jKn/1APsSInlcsQqyR8MwoaE5g1tKx8SGFL3xK3VvMrSMED/8g4bsGa
yfEOM7lKrOIrv8nCyXrINOdrW5SgmmmOl2GR63l0qdybFsqZ0BFmlWWlTRFKekRo
meMB21yZXbc/qVhqILS41oYtUhSxFjBBbClKcAlHIzxNJeJaofALanq2VbKEbnBT
pCm+0HhH8Xu+/ACtZew8QliFrcoRsPM2zcy/nqPAN4QsvRFkykoDiDcId3cjwfAA
EKWKIshR5jNZoSwS+fcKcGk1hoYBhVY0WhQiZTSwNZsOOqaujNNhLgKZ5bebExqz
AkIrEhozfSS0ZBtzjCs1IMRchHOhzgpv3HWl0ZuwtxKu9MY1h+dOjbqxFai7IwOs
3xC0PMN03GIWkcNL8UACrLNEFPW6sVwE1ROXcTy5Lde63WsmxipfJEtdWfEqrvxZ
97yDKfRMGILApbY2CFuAPkYLiQd+lFGwytNxYbqI7pJKOdlVZ5s/7kBhlCwSedZ9
1uK/3JijNotlNrt/7atasaSk2kKjFpRGpUvArJRJGdVJszm5sBZ0PTWn94Zxunaz
ICo15jhCENG++qdEJ6ZbGHwMX8O7LWNXHUClYtRVTUR0mSFE2mwxLPFeeRJlIOkY
FzqWfDCMwXTwl1BLbyLQWhk/JW9MNw+ewkrxPD7CiwYYGwgAAAAsBYJqRFh/ApsM
IiEGVsEF0JnaJfhSKus9nc+IvOBp9aMRF6K7T1Yav6vmHKEAAAAAuV0Qz5l1AOOR
vovCj4Bu3eC92HlxHDLjXEZq/38loDYMHyjrUBUxYFOr1tWqk8dsonwGn/hEzsW+
4T/1SDccLQchb/vD4GUd4v2JFW6eKNY+8wTOxAoGakVPeSMAAATAmCRkirW5CYNd
ucEJs50OewXTIDpd+1BRD883x65KmmpbY8VABXdlc4unIE7ynMNXTJvWkV8jUE3H
URen4k9UUlzRkF3uwKh46VCn94Shmw7rs5wU44QXc7ays0Ypa3XFVnjoMEo+C8N5
NqLQipIHpmJjgEjVGh8/E10g5FCTc2sx8XAjdzxpbLRclKagpAUlabPjYIOowoOI
ZTs9Cx05wgy491pEcFUvWAWbdLbxVh9tq1MdV2FJdiU8OhvIg2LHdK2KAK7h8gBQ
waSIy0n+mhy/1HJ3gcf8FxTKfMQPAh2Ym0W5oVqc1HTYAlEucgKVZZl55TX1bDnd
9QDr52rNEcf5FFIySbxZbDc/ummER8T6oIXXmbLtURKdind4WStWV4XEBGEvoB2g
65igKI+vl8bH8z0V2XznScIfKM5qNEm1e5JcugGaew9BxaNKuot6dLT+8n7IoTqO
LHQzg5SxccCNWsLStwHbQ2I2OXYPQCleRMwbOIDrUIsFqQzXd4nZN6S0y3gFOYig
Qcmmljx5A24eaam4pJ0I4APVlYnRypCyKWrMyiOYrKQZy3cYoUpycMMKwXR2YS9q
QawPI57Wso67KsQAjYvWB397t0sRzE3FF6eRwlkIZly32rJ86MDJ4FXoQWkE2YTG
Jrh3Co8K2cWWJYjzPDdAMJ6LksEb3LXYcGPhGT1mJaGY6wWLG083oJpIeDFMXBOe
CRfO5ouqRR8196wRySod5kRKKgKiqy4PIiLzIQCuSLcnCUBwqX47FLQBkbvG0M+c
sK6N1ykFVjCed4CDMyf5Acho8nH96XbdunPWWXzyas2boiLDx8HoQDdpkXepucWN
SQ+uoLViZLyW9Ypa+2mMCHroyRnJUywu1yUNpIB+x7KW4Fx0YD8kShJq1WBEuEH8
Am19mmUkk7ljBsdLG5o5QwkxiASBRWu42IH6hcF1q5TxZqwBmDxj5AKqUxDoyBLl
3EEdlnz/+MzwcAPxZQU/+VeEdbTHfLUI1CXtJCpVSMjJ83poSxPtfHx0Anc41wcT
+IRp8BJZtF2QCgZC8Q3I2rtsE7nIt4pZRYV0RbGvwMxznH2Z97P1cCmyccYJaXGW
kghwNb6dcInPtXr81WRxcIBx44ggWgFwkLdSho68pmg60cWcioEKxGwBBIcaQq+p
JDDoqVC2AU8cATkHdZhzrI8aRXffWX4xsJ0/4a/1NI0F0mxvZRfO1Qjg0ofYpkPS
OmnyjDlYKCmZRKvzlYkv0LL0V6RhCw2uaKDhg3siZzgfBUocGwZ8kaTY7K/60qC4
x5oqIlnctCN58chMOHU7YGNzaUCvgbUTUWsHIGt7yLf+AikpmTq9IjkyjLkuak0b
VCQpEwHyBSiRVqo2CFmGdzU6wR8dAFiusQfLYCLF8X85l4DkEYpwsYitUIs+PMB2
UoOVu1ZJhbB20rrmTMSZ92EGuBivy4rJos5tI3t7Z8gRkD9N2LymR3xT2xgv9p+R
NxglSM2WlxMzED/MqDq20apCd5pBQTdEq7ep3BTGtAtO5a2Y8sxrmcqD4TsPN7Cm
MVdSUXno9U1RKjKgOI+Xwn7MXAsNJ0df2ZnmozWT1I66ccOovlX5XMlghOsmtPBD
iZiJLCICOcKRBhgbCAAAADIFgmpFT3kFiQANLwACmwQiIQZWwQXQmdol+FIq6z2d
z4i84Gn1oxEXortPVhq/q+YcoQAAAAAcPRDjNtQHkZBvJC02Qn1fsEFWdrHIbvPZ
XkrPWa5CkP2yb2TMdEH8pqp3bIGapgzDoyvWZzlcBK6xxF+AVQqSrwOaHYx/Ahht
nMSP0IHrw5wmCQ==
-----END PGP PUBLIC KEY BLOCK-----

]]></sourcecode></figure>

</section>
<section anchor="initial-tsk"><name>Initial TSK</name>

<t>This secret key is made available only to the keyholder's own devices.</t>

<figure><sourcecode type="application/pgp-keys" name="initial.key"><![CDATA[
-----BEGIN PGP PRIVATE KEY BLOCK-----

xUsGakRYfxsAAAAgcRJVRUdqGTNMnwwTeQZv+o8XiaDdVTTpXnjPNH2FR4wAET8I
Q3fQeNm71dOZSkB/260JmbL1QIX/q4ugYzBOFKLCkgYfGwgAAAAzBYJqRFh/ApsD
Ah4IIiEGVsEF0JnaJfhSKus9nc+IvOBp9aMRF6K7T1Yav6vmHKEDJwkCAAAAADqF
ENl3uzg/tNOjW2+khGm+tpsVwFezqZ9N64SfSylWouMq267PJtdf8y+mx3g4BbY0
R3N5eTZiIpscbzy8p+PJ5+Hh7edI6p1hrbFxVSY/SjUIx8RrBmpEWH8jAAAEwMnQ
yYCYyPLlqXKM8d+oKEe+a1maw5IdqzQRl3fDQA8WlOlA/Ywqa+MA9Ni7ZMBE9pBR
UKefJGZOu2NuNIJSzsB4c1tYPDqrMSR29JqqnOxXpISJVOmIxhC1j5VAKqnO4AuJ
8zEa3imhDxUr4JORP8eRi5gwkgu8BMQJfDA9kBgeYzQzx5JMJ5Mh/dW8/WOLdzIE
77I8L6dX2NB0v6uAV0A6eFy+LCuivxV/aDRH/9SW1tDGWocNMYqQ75JkFSpE4RVc
YvVBE1iO6XBInjGAm/hSzwE6RglwbpQdy3WaJfYsVuqLQgRpqZhuKmu18vaij0JG
HRhAEDNJuvmBtdgnCneezGtbOPF4zcax5Da+EekANUKhaClxZjSAFpAcpii0GElE
QIpYxaWas6C2fsNxmhsh57d/U0p0SAAiOrmVLrdCC6kpCNuqRiQ8jAC0+/tmZRe3
YVi6lBiNHlVXtcoUCOCH4jWiMAMB04sTb1uz+3EtAJktECDJ5muyIHhCBBQMKBKI
9rMCujJfIQApZ1IHq8qOl2G1NfcdGfsUQ9sbnKZRyik65FBMIOsco+Q7Xppgxyeh
KSmEpxJfwCtfC6YIosud5GSDOZMzCVQViDUawRk58KIIS8YDRNq9SrdqY9uLx4gq
23Jyvfmkald7EsbAaOKbPQNgPaRpJTO7W9QGmFdCL4KkO4hOoVZHltq5Pko+/zYQ
ick7kro5pvPDUaVhxuEu/GIlZWNoR9fO4TIItZwmIjwR5YN0MVC7CyFEaBySPHhY
ZDdJJ7dj+EKncGts02cO7HmM8WUDPAAELlViZ/k10KjH5oO+jWM6YBZrkLOPVngJ
SMB43EpJICeYSsGc2qCNK5NMtLvNSGsvsuUdr/WDtANTrWI2XOw9oVs9APpuiKrH
T+OGQTKnK+lKhUlJMEV6Iqt/6jt2ereLCzgls8B1fceG6disSDiz6jKn/1APsSIn
lcsQqyR8MwoaE5g1tKx8SGFL3xK3VvMrSMED/8g4bsGayfEOM7lKrOIrv8nCyXrI
NOdrW5SgmmmOl2GR63l0qdybFsqZ0BFmlWWlTRFKekRomeMB21yZXbc/qVhqILS4
1oYtUhSxFjBBbClKcAlHIzxNJeJaofALanq2VbKEbnBTpCm+0HhH8Xu+/ACtZew8
QliFrcoRsPM2zcy/nqPAN4QsvRFkykoDiDcId3cjwfAAEKWKIshR5jNZoSwS+fcK
cGk1hoYBhVY0WhQiZTSwNZsOOqaujNNhLgKZ5bebExqzAkIrEhozfSS0ZBtzjCs1
IMRchHOhzgpv3HWl0ZuwtxKu9MY1h+dOjbqxFai7IwOs3xC0PMN03GIWkcNL8UAC
rLNEFPW6sVwE1ROXcTy5Lde63WsmxipfJEtdWfEqrvxZ97yDKfRMGILApbY2CFuA
PkYLiQd+lFGwytNxYbqI7pJKOdlVZ5s/7kBhlCwSedZ91uK/3JijNotlNrt/7ata
saSk2kKjFpRGpUvArJRJGdVJszm5sBZ0PTWn94ZxunazICo15jhCENG++qdEJ6Zb
GHwMX8O7LWNXHUClYtRVTUR0mSFE2mwxLPFeeRJlIOkYFzqWfDCMwXTwl1BLbyLQ
Whk/JW9MNw+ewkrxPD4AaGZh9fcInOX2yYpJXNKEnHCNh08uWEosBWRDzpeOVGja
b3dBAAafhaFGEhx4WqVYOan5ZDw/WNqlTVIRdLWvDuQjHvRMLCoqgQ/E+04G6uS6
arNh3q8Bzija4mELayyhwosGGBsIAAAALAWCakRYfwKbDCIhBlbBBdCZ2iX4Uirr
PZ3PiLzgafWjEReiu09WGr+r5hyhAAAAALldEM+ZdQDjkb6Lwo+Abt3gvdh5cRwy
41xGav9/JaA2DB8o61AVMWBTq9bVqpPHbKJ8Bp/4RM7FvuE/9Ug3HC0HIW/7w+Bl
HeL9iRVunijWPvMEx8RrBmpFT3kjAAAEwJgkZIq1uQmDXbnBCbOdDnsF0yA6XftQ
UQ/PN8euSppqW2PFQAV3ZXOLpyBO8pzDV0yb1pFfI1BNx1EXp+JPVFJc0ZBd7sCo
eOlQp/eEoZsO67OcFOOEF3O2srNGKWt1xVZ46DBKPgvDeTai0IqSB6ZiY4BI1Rof
PxNdIORQk3NrMfFwI3c8aWy0XJSmoKQFJWmz42CDqMKDiGU7PQsdOcIMuPdaRHBV
L1gFm3S28VYfbatTHVdhSXYlPDobyINix3StigCu4fIAUMGkiMtJ/pocv9Ryd4HH
/BcUynzEDwIdmJtFuaFanNR02AJRLnIClWWZeeU19Ww53fUA6+dqzRHH+RRSMkm8
WWw3P7pphEfE+qCF15my7VESnYp3eFkrVleFxARhL6AdoOuYoCiPr5fGx/M9Fdl8
50nCHyjOajRJtXuSXLoBmnsPQcWjSrqLenS0/vJ+yKE6jix0M4OUsXHAjVrC0rcB
20NiNjl2D0ApXkTMGziA61CLBakM13eJ2TektMt4BTmIoEHJppY8eQNuHmmpuKSd
COAD1ZWJ0cqQsilqzMojmKykGct3GKFKcnDDCsF0dmEvakGsDyOe1rKOuyrEAI2L
1gd/e7dLEcxNxRenkcJZCGZct9qyfOjAyeBV6EFpBNmExia4dwqPCtnFliWI8zw3
QDCei5LBG9y12HBj4Rk9ZiWhmOsFixtPN6CaSHgxTFwTngkXzuaLqkUfNfesEckq
HeZESioCoqsuDyIi8yEArki3JwlAcKl+OxS0AZG7xtDPnLCujdcpBVYwnneAgzMn
+QHIaPJx/el23bpz1ll88mrNm6Iiw8fB6EA3aZF3qbnFjUkPrqC1YmS8lvWKWvtp
jAh66MkZyVMsLtclDaSAfseyluBcdGA/JEoSatVgRLhB/AJtfZplJJO5YwbHSxua
OUMJMYgEgUVruNiB+oXBdauU8WasAZg8Y+QCqlMQ6MgS5dxBHZZ8//jM8HAD8WUF
P/lXhHW0x3y1CNQl7SQqVUjIyfN6aEsT7Xx8dAJ3ONcHE/iEafASWbRdkAoGQvEN
yNq7bBO5yLeKWUWFdEWxr8DMc5x9mfez9XApsnHGCWlxlpIIcDW+nXCJz7V6/NVk
cXCAceOIIFoBcJC3UoaOvKZoOtHFnIqBCsRsAQSHGkKvqSQw6KlQtgFPHAE5B3WY
c6yPGkV331l+MbCdP+Gv9TSNBdJsb2UXztUI4NKH2KZD0jpp8ow5WCgpmUSr85WJ
L9Cy9FekYQsNrmig4YN7Imc4HwVKHBsGfJGk2Oyv+tKguMeaKiJZ3LQjefHITDh1
O2Bjc2lAr4G1E1FrByBre8i3/gIpKZk6vSI5Moy5LmpNG1QkKRMB8gUokVaqNghZ
hnc1OsEfHQBYrrEHy2AixfF/OZeA5BGKcLGIrVCLPjzAdlKDlbtWSYWwdtK65kzE
mfdhBrgYr8uKyaLObSN7e2fIEZA/Tdi8pkd8U9sYL/afkTcYJUjNlpcTMxA/zKg6
ttGqQneaQUE3RKu3qdwUxrQLTuWtmPLMa5nKg+E7DzewpjFXUlF56PVNUSoyoDiP
l8J+zFwLDSdHX9mZ5qM1k9SOunHDqL5V+VzJYITrJrTwQ4mYiSwiAjkAoNfHW/ZS
GRonYC/yjFWxppDkkws8HKbdm4ncr6jhGHKcrDYOdOJcnNaNqffg0un/l4Fm9n4J
yoKSFRdc3rktMaRVYkYyKsxQrDHrtmZhYMLox9t1djjZah5GvxE/eZguwpEGGBsI
AAAAMgWCakVPeQWJAA0vAAKbBCIhBlbBBdCZ2iX4UirrPZ3PiLzgafWjEReiu09W
Gr+r5hyhAAAAABw9EOM21AeRkG8kLTZCfV+wQVZ2schu89leSs9ZrkKQ/bJvZMx0
QfymqndsgZqmDMOjK9ZnOVwErrHEX4BVCpKvA5odjH8CGG2cxI/QgevDnCYJ
-----END PGP PRIVATE KEY BLOCK-----

]]></sourcecode></figure>

</section>
</section>
<section anchor="after-new-subkey-added"><name>After New Subkey Added</name>

<t>After
2026-07-06T17:33:45Z
(<spanx style="verb">min_rd</spanx> after the initial key creation), a new rotating subkey is added.</t>

<t>The new subkey is derived via HKDF as described in <xref target="ac2-ratchet"/>, with the following parameters:</t>

<t>Salt:</t>

<figure><sourcecode type="text/plain" name="salt.hexdump"><![CDATA[
000  6a 4b e6 f9 ce c4 0a 06  6a 45 4f 79 23 00 00 04
010  c0 98 24 64 8a b5 b9 09  83 5d b9 c1 09 b3 9d 0e
020  7b 05 d3 20 3a 5d fb 50  51 0f cf 37 c7 ae 4a 9a
030  6a 5b 63 c5 40 05 77 65  73 8b a7 20 4e f2 9c c3
040  57 4c 9b d6 91 5f 23 50  4d c7 51 17 a7 e2 4f 54
050  52 5c d1 90 5d ee c0 a8  78 e9 50 a7 f7 84 a1 9b
060  0e eb b3 9c 14 e3 84 17  73 b6 b2 b3 46 29 6b 75
070  c5 56 78 e8 30 4a 3e 0b  c3 79 36 a2 d0 8a 92 07
080  a6 62 63 80 48 d5 1a 1f  3f 13 5d 20 e4 50 93 73
090  6b 31 f1 70 23 77 3c 69  6c b4 5c 94 a6 a0 a4 05
0a0  25 69 b3 e3 60 83 a8 c2  83 88 65 3b 3d 0b 1d 39
0b0  c2 0c b8 f7 5a 44 70 55  2f 58 05 9b 74 b6 f1 56
0c0  1f 6d ab 53 1d 57 61 49  76 25 3c 3a 1b c8 83 62
0d0  c7 74 ad 8a 00 ae e1 f2  00 50 c1 a4 88 cb 49 fe
0e0  9a 1c bf d4 72 77 81 c7  fc 17 14 ca 7c c4 0f 02
0f0  1d 98 9b 45 b9 a1 5a 9c  d4 74 d8 02 51 2e 72 02
100  95 65 99 79 e5 35 f5 6c  39 dd f5 00 eb e7 6a cd
110  11 c7 f9 14 52 32 49 bc  59 6c 37 3f ba 69 84 47
120  c4 fa a0 85 d7 99 b2 ed  51 12 9d 8a 77 78 59 2b
130  56 57 85 c4 04 61 2f a0  1d a0 eb 98 a0 28 8f af
140  97 c6 c7 f3 3d 15 d9 7c  e7 49 c2 1f 28 ce 6a 34
150  49 b5 7b 92 5c ba 01 9a  7b 0f 41 c5 a3 4a ba 8b
160  7a 74 b4 fe f2 7e c8 a1  3a 8e 2c 74 33 83 94 b1
170  71 c0 8d 5a c2 d2 b7 01  db 43 62 36 39 76 0f 40
180  29 5e 44 cc 1b 38 80 eb  50 8b 05 a9 0c d7 77 89
190  d9 37 a4 b4 cb 78 05 39  88 a0 41 c9 a6 96 3c 79
1a0  03 6e 1e 69 a9 b8 a4 9d  08 e0 03 d5 95 89 d1 ca
1b0  90 b2 29 6a cc ca 23 98  ac a4 19 cb 77 18 a1 4a
1c0  72 70 c3 0a c1 74 76 61  2f 6a 41 ac 0f 23 9e d6
1d0  b2 8e bb 2a c4 00 8d 8b  d6 07 7f 7b b7 4b 11 cc
1e0  4d c5 17 a7 91 c2 59 08  66 5c b7 da b2 7c e8 c0
1f0  c9 e0 55 e8 41 69 04 d9  84 c6 26 b8 77 0a 8f 0a
200  d9 c5 96 25 88 f3 3c 37  40 30 9e 8b 92 c1 1b dc
210  b5 d8 70 63 e1 19 3d 66  25 a1 98 eb 05 8b 1b 4f
220  37 a0 9a 48 78 31 4c 5c  13 9e 09 17 ce e6 8b aa
230  45 1f 35 f7 ac 11 c9 2a  1d e6 44 4a 2a 02 a2 ab
240  2e 0f 22 22 f3 21 00 ae  48 b7 27 09 40 70 a9 7e
250  3b 14 b4 01 91 bb c6 d0  cf 9c b0 ae 8d d7 29 05
260  56 30 9e 77 80 83 33 27  f9 01 c8 68 f2 71 fd e9
270  76 dd ba 73 d6 59 7c f2  6a cd 9b a2 22 c3 c7 c1
280  e8 40 37 69 91 77 a9 b9  c5 8d 49 0f ae a0 b5 62
290  64 bc 96 f5 8a 5a fb 69  8c 08 7a e8 c9 19 c9 53
2a0  2c 2e d7 25 0d a4 80 7e  c7 b2 96 e0 5c 74 60 3f
2b0  24 4a 12 6a d5 60 44 b8  41 fc 02 6d 7d 9a 65 24
2c0  93 b9 63 06 c7 4b 1b 9a  39 43 09 31 88 04 81 45
2d0  6b b8 d8 81 fa 85 c1 75  ab 94 f1 66 ac 01 98 3c
2e0  63 e4 02 aa 53 10 e8 c8  12 e5 dc 41 1d 96 7c ff
2f0  f8 cc f0 70 03 f1 65 05  3f f9 57 84 75 b4 c7 7c
300  b5 08 d4 25 ed 24 2a 55  48 c8 c9 f3 7a 68 4b 13
310  ed 7c 7c 74 02 77 38 d7  07 13 f8 84 69 f0 12 59
320  b4 5d 90 0a 06 42 f1 0d  c8 da bb 6c 13 b9 c8 b7
330  8a 59 45 85 74 45 b1 af  c0 cc 73 9c 7d 99 f7 b3
340  f5 70 29 b2 71 c6 09 69  71 96 92 08 70 35 be 9d
350  70 89 cf b5 7a fc d5 64  71 70 80 71 e3 88 20 5a
360  01 70 90 b7 52 86 8e bc  a6 68 3a d1 c5 9c 8a 81
370  0a c4 6c 01 04 87 1a 42  af a9 24 30 e8 a9 50 b6
380  01 4f 1c 01 39 07 75 98  73 ac 8f 1a 45 77 df 59
390  7e 31 b0 9d 3f e1 af f5  34 8d 05 d2 6c 6f 65 17
3a0  ce d5 08 e0 d2 87 d8 a6  43 d2 3a 69 f2 8c 39 58
3b0  28 29 99 44 ab f3 95 89  2f d0 b2 f4 57 a4 61 0b
3c0  0d ae 68 a0 e1 83 7b 22  67 38 1f 05 4a 1c 1b 06
3d0  7c 91 a4 d8 ec af fa d2  a0 b8 c7 9a 2a 22 59 dc
3e0  b4 23 79 f1 c8 4c 38 75  3b 60 63 73 69 40 af 81
3f0  b5 13 51 6b 07 20 6b 7b  c8 b7 fe 02 29 29 99 3a
400  bd 22 39 32 8c b9 2e 6a  4d 1b 54 24 29 13 01 f2
410  05 28 91 56 aa 36 08 59  86 77 35 3a c1 1f 1d 00
420  58 ae b1 07 cb 60 22 c5  f1 7f 39 97 80 e4 11 8a
430  70 b1 88 ad 50 8b 3e 3c  c0 76 52 83 95 bb 56 49
440  85 b0 76 d2 ba e6 4c c4  99 f7 61 06 b8 18 af cb
450  8a c9 a2 ce 6d 23 7b 7b  67 c8 11 90 3f 4d d8 bc
460  a6 47 7c 53 db 18 2f f6  9f 91 37 18 25 48 cd 96
470  97 13 33 10 3f cc a8 3a  b6 d1 aa 42 77 9a 41 41
480  37 44 ab b7 a9 dc 14 c6  b4 0b 4e e5 ad 98 f2 cc
490  6b 99 ca 83 e1 3b 0f 37  b0 a6 31 57 52 51 79 e8
4a0  f5 4d 51 2a 32 a0 38 8f  97 c2 7e cc 5c 0b 0d 27
4b0  47 5f d9 99 e6 a3 35 93  d4 8e ba 71 c3 a8 be 55
4c0  f9 5c c9 60 84 eb 26 b4  f0 43 89 98 89 2c 22 02
4d0  39                                              
4d1
]]></sourcecode></figure>

<t>Info:</t>

<figure><sourcecode type="text/plain" name="info.hexdump"><![CDATA[
000  41 75 74 6f 63 72 79 70  74 5f 76 32 5f 72 61 74
010  63 68 65 74 c6 2a 06 6a  44 58 7f 1b 00 00 00 20
020  71 12 55 45 47 6a 19 33  4c 9f 0c 13 79 06 6f fa
030  8f 17 89 a0 dd 55 34 e9  5e 78 cf 34 7d 85 47 8c
040  00 0d 2f 00                                     
044
]]></sourcecode></figure>

<t>IKM:</t>

<figure><sourcecode type="text/plain" name="ikm.hexdump"><![CDATA[
000  a0 d7 c7 5b f6 52 19 1a  27 60 2f f2 8c 55 b1 a6
010  90 e4 93 0b 3c 1c a6 dd  9b 89 dc af a8 e1 18 72
020  9c ac 36 0e 74 e2 5c 9c  d6 8d a9 f7 e0 d2 e9 ff
030  97 81 66 f6 7e 09 ca 82  92 15 17 5c de b9 2d 31
040  a4 55 62 46 32 2a cc 50  ac 31 eb b6 66 61 60 c2
050  e8 c7 db 75 76 38 d9 6a  1e 46 bf 11 3f 79 98 2e
060
]]></sourcecode></figure>

<t>The HKDF output is:</t>

<figure><sourcecode type="text/plain" name="ks.hexdump"><![CDATA[
000  0b 3a 6d 0c 6c 5c 0f ec  73 59 a8 6b dc 1d 7e 11
010  c7 6c 3d 9d 80 65 75 40  26 73 a6 68 17 17 f5 e2
020  a2 62 b9 2f 65 5e 59 1e  9b 20 ed 63 89 64 6e 8e
030  66 b9 9f dd 3c b2 f7 0b  66 6b 6a f0 69 27 17 3c
040  a0 69 66 14 26 34 1b 83  50 f4 a2 13 db 9c 57 26
050  13 66 75 42 06 14 d8 51  b3 2d 8f 00 b9 02 27 87
060  36 d9 3c 09 48 8e c9 a0  ea ee c5 50 ca 17 24 61
070  c5 10 d5 98 e6 ee c7 a6  c1 f7 5b 6f 00 27 50 e9
080  35 9c e4 c7 8d a7 a6 88  d7 91 10 4a 2e 77 d3 57
090  c6 32 bd 80 f2 77 0d 0a  ba e4 c5 9b 56 64 d8 ea
0a0
]]></sourcecode></figure>

<t>The first 64 octets of this is fed through SHA2_512 to create the salt for the subkey binding signature.</t>

<t>The remaining octets are used to initialize the new subkey's secret key material.</t>

<t>This results in a new TSK and a new cert.</t>

<section anchor="new-subkey"><name>Certificate With New Subkey</name>

<t>This updated outbound certificate should be distributed to the keyholder's peers starting on
2026-07-06T17:33:45Z.</t>

<figure><sourcecode type="application/pgp-keys" name="old-subkey-removed.cert"><![CDATA[
-----BEGIN PGP PUBLIC KEY BLOCK-----

xioGakRYfxsAAAAgcRJVRUdqGTNMnwwTeQZv+o8XiaDdVTTpXnjPNH2FR4zCkgYf
GwgAAAAzBYJqRFh/ApsDAh4IIiEGVsEF0JnaJfhSKus9nc+IvOBp9aMRF6K7T1Ya
v6vmHKEDJwkCAAAAADqFENl3uzg/tNOjW2+khGm+tpsVwFezqZ9N64SfSylWouMq
267PJtdf8y+mx3g4BbY0R3N5eTZiIpscbzy8p+PJ5+Hh7edI6p1hrbFxVSY/SjUI
zsQKBmpEWH8jAAAEwMnQyYCYyPLlqXKM8d+oKEe+a1maw5IdqzQRl3fDQA8WlOlA
/Ywqa+MA9Ni7ZMBE9pBRUKefJGZOu2NuNIJSzsB4c1tYPDqrMSR29JqqnOxXpISJ
VOmIxhC1j5VAKqnO4AuJ8zEa3imhDxUr4JORP8eRi5gwkgu8BMQJfDA9kBgeYzQz
x5JMJ5Mh/dW8/WOLdzIE77I8L6dX2NB0v6uAV0A6eFy+LCuivxV/aDRH/9SW1tDG
WocNMYqQ75JkFSpE4RVcYvVBE1iO6XBInjGAm/hSzwE6RglwbpQdy3WaJfYsVuqL
QgRpqZhuKmu18vaij0JGHRhAEDNJuvmBtdgnCneezGtbOPF4zcax5Da+EekANUKh
aClxZjSAFpAcpii0GElEQIpYxaWas6C2fsNxmhsh57d/U0p0SAAiOrmVLrdCC6kp
CNuqRiQ8jAC0+/tmZRe3YVi6lBiNHlVXtcoUCOCH4jWiMAMB04sTb1uz+3EtAJkt
ECDJ5muyIHhCBBQMKBKI9rMCujJfIQApZ1IHq8qOl2G1NfcdGfsUQ9sbnKZRyik6
5FBMIOsco+Q7XppgxyehKSmEpxJfwCtfC6YIosud5GSDOZMzCVQViDUawRk58KII
S8YDRNq9SrdqY9uLx4gq23Jyvfmkald7EsbAaOKbPQNgPaRpJTO7W9QGmFdCL4Kk
O4hOoVZHltq5Pko+/zYQick7kro5pvPDUaVhxuEu/GIlZWNoR9fO4TIItZwmIjwR
5YN0MVC7CyFEaBySPHhYZDdJJ7dj+EKncGts02cO7HmM8WUDPAAELlViZ/k10KjH
5oO+jWM6YBZrkLOPVngJSMB43EpJICeYSsGc2qCNK5NMtLvNSGsvsuUdr/WDtANT
rWI2XOw9oVs9APpuiKrHT+OGQTKnK+lKhUlJMEV6Iqt/6jt2ereLCzgls8B1fceG
6disSDiz6jKn/1APsSInlcsQqyR8MwoaE5g1tKx8SGFL3xK3VvMrSMED/8g4bsGa
yfEOM7lKrOIrv8nCyXrINOdrW5SgmmmOl2GR63l0qdybFsqZ0BFmlWWlTRFKekRo
meMB21yZXbc/qVhqILS41oYtUhSxFjBBbClKcAlHIzxNJeJaofALanq2VbKEbnBT
pCm+0HhH8Xu+/ACtZew8QliFrcoRsPM2zcy/nqPAN4QsvRFkykoDiDcId3cjwfAA
EKWKIshR5jNZoSwS+fcKcGk1hoYBhVY0WhQiZTSwNZsOOqaujNNhLgKZ5bebExqz
AkIrEhozfSS0ZBtzjCs1IMRchHOhzgpv3HWl0ZuwtxKu9MY1h+dOjbqxFai7IwOs
3xC0PMN03GIWkcNL8UACrLNEFPW6sVwE1ROXcTy5Lde63WsmxipfJEtdWfEqrvxZ
97yDKfRMGILApbY2CFuAPkYLiQd+lFGwytNxYbqI7pJKOdlVZ5s/7kBhlCwSedZ9
1uK/3JijNotlNrt/7atasaSk2kKjFpRGpUvArJRJGdVJszm5sBZ0PTWn94Zxunaz
ICo15jhCENG++qdEJ6ZbGHwMX8O7LWNXHUClYtRVTUR0mSFE2mwxLPFeeRJlIOkY
FzqWfDCMwXTwl1BLbyLQWhk/JW9MNw+ewkrxPD7CiwYYGwgAAAAsBYJqRFh/ApsM
IiEGVsEF0JnaJfhSKus9nc+IvOBp9aMRF6K7T1Yav6vmHKEAAAAAuV0Qz5l1AOOR
vovCj4Bu3eC92HlxHDLjXEZq/38loDYMHyjrUBUxYFOr1tWqk8dsonwGn/hEzsW+
4T/1SDccLQchb/vD4GUd4v2JFW6eKNY+8wTOxAoGakvm+SMAAATApzmMW/yCk3LT
TS1nkQLD+Ua4hYNAJpEqhlmXXgHAj0JBiFbWxLPfy0jbEFDlrMBVhXKggbwVtwYz
cbSGBy2i3KlxIpYUsDwg5BVdGo2xG3RwHEObMVAPgSfcsXwGMXkcXK2Yp7e4W07l
MHh2Ob5guXZN+HWw40ql9j2qcMdY0lhfIwAVR0Olo3kLXMMp0k/U1Mj7bA26QcSt
o04Pcm9VwXdsMlOMe7MBWVY/C3+6wyIk9rMGO6sOFkVPyHmdCXUB2KWwOIjQUiwl
Jis9CpRE5603UBJr26k1GMPRJK0L2T7yZ5ELI1Ee67FqSD+OWBMLhqaL7AI+ylcZ
arpcErQs7IflfDm0py2wuHgDOiQnaRN3aA66hgr0K4pZ8zO1UM2RRB4bNqhv4LE+
kyiwaQLNA8OV/Enmk7ax5EF3ADlIto0o5VqmqVRUUHLtGTRbClUvoTe5fBBU+C1O
AlRXaE3NoiTOhrGd+C4jqXX1AKPFmBE+Cjv5Z2tSWn1rdHk1oKIoaQn8OqaJoA/5
K8jPhxpjQU3fSBL7MANSU2C3GhwmMML8ccgwR3Ve2I9B9K9tKjm0oJdQ2QsqdA3j
4DaP8aMyElGOJpB/0W7d6xbNc7SLcYltpMGiqZObWwd8BFsAKoArkahMhgQQvKfa
CkWO4nOMDMKF5MiDUVNkyZCyAg7wuFBYmxsxpHaKwphSIsTliHaxQkUaJxRa4gVB
66ppumZmgWBxMTV1JWNQ5K6BE0ma0RIXmEQGu7SwW2+eInZYnG7wYVjtpSDvRQul
45Dw5AFjMLSWF5rxEjT2Cw9Mpk75cFAsEwRH9Gj7YoULt46vB4/DYykAYIYKwWyf
67+RWjWs2M1/hFBP5T0/y1LMU2bOkmspKxmgqzMIu3Blt8/JomXhGwD8czl20rFV
IgG6cT+xQVhCsxp1pbAtS2MMopF85RQQGZiWihdPhR8VIApRQD+W9AWiFYu82jin
jInh6kWPh6VJZ51F2V6tRh4RNIlAiY9IOwLShXTPIE3hO5McIlBFcnk5RVZ8QwsF
AFqxlVjfiWtIaRpuyW+0tRM7NitW9mT8RiTVNAKoegV9GMvphsXJ60Uhuo5yC5tC
dY/PNz1hGpi19RdVl0NoC4KVxF8243vUpI0DIQeAkkAJGhK6WnoAjK+dxgitm6yP
2DI9e8048l7v63iD97EH42pq1iDYICaNBshMMAL3nK+UBCdW6b90GIO3+CGtlGod
YMPsLI1VcVbVUQVv8E0C5j20SDakC3a7MIaeykeSuJKXaK1apm6rl3PBBmQGWEI9
Fyw2eamj90HulMfT2EMBQE/St5yt1QHl8H49yWnocR7qZXgtRU70h3x7M1jS44fr
4WaZVrTqasOGnE4wCFGzZmBx12k3lWyhZ3yx9gNiQSTAmDL3/BMz6avUbJ1wHHSC
a6spNXD0SzV8FYMHUxCnpJDUpX+TNImisUoFhnF6izgEFRAFBZeu60OedmUEoVtW
/H+d9rZus4J/FVAIwwzbys3cyqjtRB9g+l4X0zqvak3a5bX8uGx/l00Id5cTgRqF
y5TaSSZ5C5L/WgOB4h9m6LqBYSLP4kUEiBz1Z8F6F/qs0WfL2DLWCoMPX7sd7bXZ
OEI21oczw8KRBhgbCAAAADIFgmpL5vkFiQANLwACmwQiIQZWwQXQmdol+FIq6z2d
z4i84Gn1oxEXortPVhq/q+YcoQAAAAChlBCFOtHzS6ZbYgNa4t1Lbw/WOHl6TW+W
S49juf+HbDngK7OLH8myXJtTvFWR8OVA+IG8Re0hRtqYVYnvl/jMPFw6PWwU44X9
jNEWMnF7vyOfBA==
-----END PGP PUBLIC KEY BLOCK-----

]]></sourcecode></figure>

</section>
<section anchor="tsk-with-new-subkey"><name>TSK With New Subkey</name>

<t>Every device of the keyholder should be able to derive this exact secret key from the TSK found in <xref target="initial-tsk"/>.</t>

<figure><sourcecode type="application/pgp-keys" name="new-subkey-added.key"><![CDATA[
-----BEGIN PGP PRIVATE KEY BLOCK-----

xUsGakRYfxsAAAAgcRJVRUdqGTNMnwwTeQZv+o8XiaDdVTTpXnjPNH2FR4wAET8I
Q3fQeNm71dOZSkB/260JmbL1QIX/q4ugYzBOFKLCkgYfGwgAAAAzBYJqRFh/ApsD
Ah4IIiEGVsEF0JnaJfhSKus9nc+IvOBp9aMRF6K7T1Yav6vmHKEDJwkCAAAAADqF
ENl3uzg/tNOjW2+khGm+tpsVwFezqZ9N64SfSylWouMq267PJtdf8y+mx3g4BbY0
R3N5eTZiIpscbzy8p+PJ5+Hh7edI6p1hrbFxVSY/SjUIx8RrBmpEWH8jAAAEwMnQ
yYCYyPLlqXKM8d+oKEe+a1maw5IdqzQRl3fDQA8WlOlA/Ywqa+MA9Ni7ZMBE9pBR
UKefJGZOu2NuNIJSzsB4c1tYPDqrMSR29JqqnOxXpISJVOmIxhC1j5VAKqnO4AuJ
8zEa3imhDxUr4JORP8eRi5gwkgu8BMQJfDA9kBgeYzQzx5JMJ5Mh/dW8/WOLdzIE
77I8L6dX2NB0v6uAV0A6eFy+LCuivxV/aDRH/9SW1tDGWocNMYqQ75JkFSpE4RVc
YvVBE1iO6XBInjGAm/hSzwE6RglwbpQdy3WaJfYsVuqLQgRpqZhuKmu18vaij0JG
HRhAEDNJuvmBtdgnCneezGtbOPF4zcax5Da+EekANUKhaClxZjSAFpAcpii0GElE
QIpYxaWas6C2fsNxmhsh57d/U0p0SAAiOrmVLrdCC6kpCNuqRiQ8jAC0+/tmZRe3
YVi6lBiNHlVXtcoUCOCH4jWiMAMB04sTb1uz+3EtAJktECDJ5muyIHhCBBQMKBKI
9rMCujJfIQApZ1IHq8qOl2G1NfcdGfsUQ9sbnKZRyik65FBMIOsco+Q7Xppgxyeh
KSmEpxJfwCtfC6YIosud5GSDOZMzCVQViDUawRk58KIIS8YDRNq9SrdqY9uLx4gq
23Jyvfmkald7EsbAaOKbPQNgPaRpJTO7W9QGmFdCL4KkO4hOoVZHltq5Pko+/zYQ
ick7kro5pvPDUaVhxuEu/GIlZWNoR9fO4TIItZwmIjwR5YN0MVC7CyFEaBySPHhY
ZDdJJ7dj+EKncGts02cO7HmM8WUDPAAELlViZ/k10KjH5oO+jWM6YBZrkLOPVngJ
SMB43EpJICeYSsGc2qCNK5NMtLvNSGsvsuUdr/WDtANTrWI2XOw9oVs9APpuiKrH
T+OGQTKnK+lKhUlJMEV6Iqt/6jt2ereLCzgls8B1fceG6disSDiz6jKn/1APsSIn
lcsQqyR8MwoaE5g1tKx8SGFL3xK3VvMrSMED/8g4bsGayfEOM7lKrOIrv8nCyXrI
NOdrW5SgmmmOl2GR63l0qdybFsqZ0BFmlWWlTRFKekRomeMB21yZXbc/qVhqILS4
1oYtUhSxFjBBbClKcAlHIzxNJeJaofALanq2VbKEbnBTpCm+0HhH8Xu+/ACtZew8
QliFrcoRsPM2zcy/nqPAN4QsvRFkykoDiDcId3cjwfAAEKWKIshR5jNZoSwS+fcK
cGk1hoYBhVY0WhQiZTSwNZsOOqaujNNhLgKZ5bebExqzAkIrEhozfSS0ZBtzjCs1
IMRchHOhzgpv3HWl0ZuwtxKu9MY1h+dOjbqxFai7IwOs3xC0PMN03GIWkcNL8UAC
rLNEFPW6sVwE1ROXcTy5Lde63WsmxipfJEtdWfEqrvxZ97yDKfRMGILApbY2CFuA
PkYLiQd+lFGwytNxYbqI7pJKOdlVZ5s/7kBhlCwSedZ91uK/3JijNotlNrt/7ata
saSk2kKjFpRGpUvArJRJGdVJszm5sBZ0PTWn94ZxunazICo15jhCENG++qdEJ6Zb
GHwMX8O7LWNXHUClYtRVTUR0mSFE2mwxLPFeeRJlIOkYFzqWfDCMwXTwl1BLbyLQ
Whk/JW9MNw+ewkrxPD4AaGZh9fcInOX2yYpJXNKEnHCNh08uWEosBWRDzpeOVGja
b3dBAAafhaFGEhx4WqVYOan5ZDw/WNqlTVIRdLWvDuQjHvRMLCoqgQ/E+04G6uS6
arNh3q8Bzija4mELayyhwosGGBsIAAAALAWCakRYfwKbDCIhBlbBBdCZ2iX4Uirr
PZ3PiLzgafWjEReiu09WGr+r5hyhAAAAALldEM+ZdQDjkb6Lwo+Abt3gvdh5cRwy
41xGav9/JaA2DB8o61AVMWBTq9bVqpPHbKJ8Bp/4RM7FvuE/9Ug3HC0HIW/7w+Bl
HeL9iRVunijWPvMEx8RrBmpFT3kjAAAEwJgkZIq1uQmDXbnBCbOdDnsF0yA6XftQ
UQ/PN8euSppqW2PFQAV3ZXOLpyBO8pzDV0yb1pFfI1BNx1EXp+JPVFJc0ZBd7sCo
eOlQp/eEoZsO67OcFOOEF3O2srNGKWt1xVZ46DBKPgvDeTai0IqSB6ZiY4BI1Rof
PxNdIORQk3NrMfFwI3c8aWy0XJSmoKQFJWmz42CDqMKDiGU7PQsdOcIMuPdaRHBV
L1gFm3S28VYfbatTHVdhSXYlPDobyINix3StigCu4fIAUMGkiMtJ/pocv9Ryd4HH
/BcUynzEDwIdmJtFuaFanNR02AJRLnIClWWZeeU19Ww53fUA6+dqzRHH+RRSMkm8
WWw3P7pphEfE+qCF15my7VESnYp3eFkrVleFxARhL6AdoOuYoCiPr5fGx/M9Fdl8
50nCHyjOajRJtXuSXLoBmnsPQcWjSrqLenS0/vJ+yKE6jix0M4OUsXHAjVrC0rcB
20NiNjl2D0ApXkTMGziA61CLBakM13eJ2TektMt4BTmIoEHJppY8eQNuHmmpuKSd
COAD1ZWJ0cqQsilqzMojmKykGct3GKFKcnDDCsF0dmEvakGsDyOe1rKOuyrEAI2L
1gd/e7dLEcxNxRenkcJZCGZct9qyfOjAyeBV6EFpBNmExia4dwqPCtnFliWI8zw3
QDCei5LBG9y12HBj4Rk9ZiWhmOsFixtPN6CaSHgxTFwTngkXzuaLqkUfNfesEckq
HeZESioCoqsuDyIi8yEArki3JwlAcKl+OxS0AZG7xtDPnLCujdcpBVYwnneAgzMn
+QHIaPJx/el23bpz1ll88mrNm6Iiw8fB6EA3aZF3qbnFjUkPrqC1YmS8lvWKWvtp
jAh66MkZyVMsLtclDaSAfseyluBcdGA/JEoSatVgRLhB/AJtfZplJJO5YwbHSxua
OUMJMYgEgUVruNiB+oXBdauU8WasAZg8Y+QCqlMQ6MgS5dxBHZZ8//jM8HAD8WUF
P/lXhHW0x3y1CNQl7SQqVUjIyfN6aEsT7Xx8dAJ3ONcHE/iEafASWbRdkAoGQvEN
yNq7bBO5yLeKWUWFdEWxr8DMc5x9mfez9XApsnHGCWlxlpIIcDW+nXCJz7V6/NVk
cXCAceOIIFoBcJC3UoaOvKZoOtHFnIqBCsRsAQSHGkKvqSQw6KlQtgFPHAE5B3WY
c6yPGkV331l+MbCdP+Gv9TSNBdJsb2UXztUI4NKH2KZD0jpp8ow5WCgpmUSr85WJ
L9Cy9FekYQsNrmig4YN7Imc4HwVKHBsGfJGk2Oyv+tKguMeaKiJZ3LQjefHITDh1
O2Bjc2lAr4G1E1FrByBre8i3/gIpKZk6vSI5Moy5LmpNG1QkKRMB8gUokVaqNghZ
hnc1OsEfHQBYrrEHy2AixfF/OZeA5BGKcLGIrVCLPjzAdlKDlbtWSYWwdtK65kzE
mfdhBrgYr8uKyaLObSN7e2fIEZA/Tdi8pkd8U9sYL/afkTcYJUjNlpcTMxA/zKg6
ttGqQneaQUE3RKu3qdwUxrQLTuWtmPLMa5nKg+E7DzewpjFXUlF56PVNUSoyoDiP
l8J+zFwLDSdHX9mZ5qM1k9SOunHDqL5V+VzJYITrJrTwQ4mYiSwiAjkAoNfHW/ZS
GRonYC/yjFWxppDkkws8HKbdm4ncr6jhGHKcrDYOdOJcnNaNqffg0un/l4Fm9n4J
yoKSFRdc3rktMaRVYkYyKsxQrDHrtmZhYMLox9t1djjZah5GvxE/eZguwpEGGBsI
AAAAMgWCakVPeQWJAA0vAAKbBCIhBlbBBdCZ2iX4UirrPZ3PiLzgafWjEReiu09W
Gr+r5hyhAAAAABw9EOM21AeRkG8kLTZCfV+wQVZ2schu89leSs9ZrkKQ/bJvZMx0
QfymqndsgZqmDMOjK9ZnOVwErrHEX4BVCpKvA5odjH8CGG2cxI/QgevDnCYJx8Rr
BmpL5vkjAAAEwKc5jFv8gpNy000tZ5ECw/lGuIWDQCaRKoZZl14BwI9CQYhW1sSz
38tI2xBQ5azAVYVyoIG8FbcGM3G0hgctotypcSKWFLA8IOQVXRqNsRt0cBxDmzFQ
D4En3LF8BjF5HFytmKe3uFtO5TB4djm+YLl2Tfh1sONKpfY9qnDHWNJYXyMAFUdD
paN5C1zDKdJP1NTI+2wNukHEraNOD3JvVcF3bDJTjHuzAVlWPwt/usMiJPazBjur
DhZFT8h5nQl1AdilsDiI0FIsJSYrPQqUROetN1ASa9upNRjD0SStC9k+8meRCyNR
Huuxakg/jlgTC4ami+wCPspXGWq6XBK0LOyH5Xw5tKctsLh4AzokJ2kTd2gOuoYK
9CuKWfMztVDNkUQeGzaob+CxPpMosGkCzQPDlfxJ5pO2seRBdwA5SLaNKOVapqlU
VFBy7Rk0WwpVL6E3uXwQVPgtTgJUV2hNzaIkzoaxnfguI6l19QCjxZgRPgo7+Wdr
Ulp9a3R5NaCiKGkJ/DqmiaAP+SvIz4caY0FN30gS+zADUlNgtxocJjDC/HHIMEd1
XtiPQfSvbSo5tKCXUNkLKnQN4+A2j/GjMhJRjiaQf9Fu3esWzXO0i3GJbaTBoqmT
m1sHfARbACqAK5GoTIYEELyn2gpFjuJzjAzCheTIg1FTZMmQsgIO8LhQWJsbMaR2
isKYUiLE5Yh2sUJFGicUWuIFQeuqabpmZoFgcTE1dSVjUOSugRNJmtESF5hEBru0
sFtvniJ2WJxu8GFY7aUg70ULpeOQ8OQBYzC0lhea8RI09gsPTKZO+XBQLBMER/Ro
+2KFC7eOrwePw2MpAGCGCsFsn+u/kVo1rNjNf4RQT+U9P8tSzFNmzpJrKSsZoKsz
CLtwZbfPyaJl4RsA/HM5dtKxVSIBunE/sUFYQrMadaWwLUtjDKKRfOUUEBmYlooX
T4UfFSAKUUA/lvQFohWLvNo4p4yJ4epFj4elSWedRdlerUYeETSJQImPSDsC0oV0
zyBN4TuTHCJQRXJ5OUVWfEMLBQBasZVY34lrSGkabslvtLUTOzYrVvZk/EYk1TQC
qHoFfRjL6YbFyetFIbqOcgubQnWPzzc9YRqYtfUXVZdDaAuClcRfNuN71KSNAyEH
gJJACRoSulp6AIyvncYIrZusj9gyPXvNOPJe7+t4g/exB+NqatYg2CAmjQbITDAC
95yvlAQnVum/dBiDt/ghrZRqHWDD7CyNVXFW1VEFb/BNAuY9tEg2pAt2uzCGnspH
kriSl2itWqZuq5dzwQZkBlhCPRcsNnmpo/dB7pTH09hDAUBP0recrdUB5fB+Pclp
6HEe6mV4LUVO9Id8ezNY0uOH6+FmmVa06mrDhpxOMAhRs2ZgcddpN5VsoWd8sfYD
YkEkwJgy9/wTM+mr1GydcBx0gmurKTVw9Es1fBWDB1MQp6SQ1KV/kzSJorFKBYZx
eos4BBUQBQWXrutDnnZlBKFbVvx/nfa2brOCfxVQCMMM28rN3Mqo7UQfYPpeF9M6
r2pN2uW1/Lhsf5dNCHeXE4EahcuU2kkmeQuS/1oDgeIfZui6gWEiz+JFBIgc9WfB
ehf6rNFny9gy1gqDD1+7He212ThCNtaHM8MAoGlmFCY0G4NQ9KIT25xXJhNmdUIG
FNhRsy2PALkCJ0c22TwJSI7JoOruxVDKFyRhxRDVmObux6bB91tvACdQ6TWc5MeN
p6aI15EQSi5301fGMr2A8ncNCrrkxZtWZNjqwpEGGBsIAAAAMgWCakvm+QWJAA0v
AAKbBCIhBlbBBdCZ2iX4UirrPZ3PiLzgafWjEReiu09WGr+r5hyhAAAAAKGUEIU6
0fNLpltiA1ri3UtvD9Y4eXpNb5ZLj2O5/4dsOeArs4sfybJcm1O8VZHw5UD4gbxF
7SFG2phVie+X+Mw8XDo9bBTjhf2M0RYycXu/I58E
-----END PGP PRIVATE KEY BLOCK-----

]]></sourcecode></figure>

</section>
<section anchor="merged-certificate"><name>Merged Certificate</name>

<t>A peer that had received the original certificate and then the subsequent certificate
would have merged the two into this object:</t>

<figure><sourcecode type="application/pgp-keys" name="new-subkey-added.cert"><![CDATA[
-----BEGIN PGP PUBLIC KEY BLOCK-----

xioGakRYfxsAAAAgcRJVRUdqGTNMnwwTeQZv+o8XiaDdVTTpXnjPNH2FR4zCkgYf
GwgAAAAzBYJqRFh/ApsDAh4IIiEGVsEF0JnaJfhSKus9nc+IvOBp9aMRF6K7T1Ya
v6vmHKEDJwkCAAAAADqFENl3uzg/tNOjW2+khGm+tpsVwFezqZ9N64SfSylWouMq
267PJtdf8y+mx3g4BbY0R3N5eTZiIpscbzy8p+PJ5+Hh7edI6p1hrbFxVSY/SjUI
zsQKBmpEWH8jAAAEwMnQyYCYyPLlqXKM8d+oKEe+a1maw5IdqzQRl3fDQA8WlOlA
/Ywqa+MA9Ni7ZMBE9pBRUKefJGZOu2NuNIJSzsB4c1tYPDqrMSR29JqqnOxXpISJ
VOmIxhC1j5VAKqnO4AuJ8zEa3imhDxUr4JORP8eRi5gwkgu8BMQJfDA9kBgeYzQz
x5JMJ5Mh/dW8/WOLdzIE77I8L6dX2NB0v6uAV0A6eFy+LCuivxV/aDRH/9SW1tDG
WocNMYqQ75JkFSpE4RVcYvVBE1iO6XBInjGAm/hSzwE6RglwbpQdy3WaJfYsVuqL
QgRpqZhuKmu18vaij0JGHRhAEDNJuvmBtdgnCneezGtbOPF4zcax5Da+EekANUKh
aClxZjSAFpAcpii0GElEQIpYxaWas6C2fsNxmhsh57d/U0p0SAAiOrmVLrdCC6kp
CNuqRiQ8jAC0+/tmZRe3YVi6lBiNHlVXtcoUCOCH4jWiMAMB04sTb1uz+3EtAJkt
ECDJ5muyIHhCBBQMKBKI9rMCujJfIQApZ1IHq8qOl2G1NfcdGfsUQ9sbnKZRyik6
5FBMIOsco+Q7XppgxyehKSmEpxJfwCtfC6YIosud5GSDOZMzCVQViDUawRk58KII
S8YDRNq9SrdqY9uLx4gq23Jyvfmkald7EsbAaOKbPQNgPaRpJTO7W9QGmFdCL4Kk
O4hOoVZHltq5Pko+/zYQick7kro5pvPDUaVhxuEu/GIlZWNoR9fO4TIItZwmIjwR
5YN0MVC7CyFEaBySPHhYZDdJJ7dj+EKncGts02cO7HmM8WUDPAAELlViZ/k10KjH
5oO+jWM6YBZrkLOPVngJSMB43EpJICeYSsGc2qCNK5NMtLvNSGsvsuUdr/WDtANT
rWI2XOw9oVs9APpuiKrHT+OGQTKnK+lKhUlJMEV6Iqt/6jt2ereLCzgls8B1fceG
6disSDiz6jKn/1APsSInlcsQqyR8MwoaE5g1tKx8SGFL3xK3VvMrSMED/8g4bsGa
yfEOM7lKrOIrv8nCyXrINOdrW5SgmmmOl2GR63l0qdybFsqZ0BFmlWWlTRFKekRo
meMB21yZXbc/qVhqILS41oYtUhSxFjBBbClKcAlHIzxNJeJaofALanq2VbKEbnBT
pCm+0HhH8Xu+/ACtZew8QliFrcoRsPM2zcy/nqPAN4QsvRFkykoDiDcId3cjwfAA
EKWKIshR5jNZoSwS+fcKcGk1hoYBhVY0WhQiZTSwNZsOOqaujNNhLgKZ5bebExqz
AkIrEhozfSS0ZBtzjCs1IMRchHOhzgpv3HWl0ZuwtxKu9MY1h+dOjbqxFai7IwOs
3xC0PMN03GIWkcNL8UACrLNEFPW6sVwE1ROXcTy5Lde63WsmxipfJEtdWfEqrvxZ
97yDKfRMGILApbY2CFuAPkYLiQd+lFGwytNxYbqI7pJKOdlVZ5s/7kBhlCwSedZ9
1uK/3JijNotlNrt/7atasaSk2kKjFpRGpUvArJRJGdVJszm5sBZ0PTWn94Zxunaz
ICo15jhCENG++qdEJ6ZbGHwMX8O7LWNXHUClYtRVTUR0mSFE2mwxLPFeeRJlIOkY
FzqWfDCMwXTwl1BLbyLQWhk/JW9MNw+ewkrxPD7CiwYYGwgAAAAsBYJqRFh/ApsM
IiEGVsEF0JnaJfhSKus9nc+IvOBp9aMRF6K7T1Yav6vmHKEAAAAAuV0Qz5l1AOOR
vovCj4Bu3eC92HlxHDLjXEZq/38loDYMHyjrUBUxYFOr1tWqk8dsonwGn/hEzsW+
4T/1SDccLQchb/vD4GUd4v2JFW6eKNY+8wTOxAoGakVPeSMAAATAmCRkirW5CYNd
ucEJs50OewXTIDpd+1BRD883x65KmmpbY8VABXdlc4unIE7ynMNXTJvWkV8jUE3H
URen4k9UUlzRkF3uwKh46VCn94Shmw7rs5wU44QXc7ays0Ypa3XFVnjoMEo+C8N5
NqLQipIHpmJjgEjVGh8/E10g5FCTc2sx8XAjdzxpbLRclKagpAUlabPjYIOowoOI
ZTs9Cx05wgy491pEcFUvWAWbdLbxVh9tq1MdV2FJdiU8OhvIg2LHdK2KAK7h8gBQ
waSIy0n+mhy/1HJ3gcf8FxTKfMQPAh2Ym0W5oVqc1HTYAlEucgKVZZl55TX1bDnd
9QDr52rNEcf5FFIySbxZbDc/ummER8T6oIXXmbLtURKdind4WStWV4XEBGEvoB2g
65igKI+vl8bH8z0V2XznScIfKM5qNEm1e5JcugGaew9BxaNKuot6dLT+8n7IoTqO
LHQzg5SxccCNWsLStwHbQ2I2OXYPQCleRMwbOIDrUIsFqQzXd4nZN6S0y3gFOYig
Qcmmljx5A24eaam4pJ0I4APVlYnRypCyKWrMyiOYrKQZy3cYoUpycMMKwXR2YS9q
QawPI57Wso67KsQAjYvWB397t0sRzE3FF6eRwlkIZly32rJ86MDJ4FXoQWkE2YTG
Jrh3Co8K2cWWJYjzPDdAMJ6LksEb3LXYcGPhGT1mJaGY6wWLG083oJpIeDFMXBOe
CRfO5ouqRR8196wRySod5kRKKgKiqy4PIiLzIQCuSLcnCUBwqX47FLQBkbvG0M+c
sK6N1ykFVjCed4CDMyf5Acho8nH96XbdunPWWXzyas2boiLDx8HoQDdpkXepucWN
SQ+uoLViZLyW9Ypa+2mMCHroyRnJUywu1yUNpIB+x7KW4Fx0YD8kShJq1WBEuEH8
Am19mmUkk7ljBsdLG5o5QwkxiASBRWu42IH6hcF1q5TxZqwBmDxj5AKqUxDoyBLl
3EEdlnz/+MzwcAPxZQU/+VeEdbTHfLUI1CXtJCpVSMjJ83poSxPtfHx0Anc41wcT
+IRp8BJZtF2QCgZC8Q3I2rtsE7nIt4pZRYV0RbGvwMxznH2Z97P1cCmyccYJaXGW
kghwNb6dcInPtXr81WRxcIBx44ggWgFwkLdSho68pmg60cWcioEKxGwBBIcaQq+p
JDDoqVC2AU8cATkHdZhzrI8aRXffWX4xsJ0/4a/1NI0F0mxvZRfO1Qjg0ofYpkPS
OmnyjDlYKCmZRKvzlYkv0LL0V6RhCw2uaKDhg3siZzgfBUocGwZ8kaTY7K/60qC4
x5oqIlnctCN58chMOHU7YGNzaUCvgbUTUWsHIGt7yLf+AikpmTq9IjkyjLkuak0b
VCQpEwHyBSiRVqo2CFmGdzU6wR8dAFiusQfLYCLF8X85l4DkEYpwsYitUIs+PMB2
UoOVu1ZJhbB20rrmTMSZ92EGuBivy4rJos5tI3t7Z8gRkD9N2LymR3xT2xgv9p+R
NxglSM2WlxMzED/MqDq20apCd5pBQTdEq7ep3BTGtAtO5a2Y8sxrmcqD4TsPN7Cm
MVdSUXno9U1RKjKgOI+Xwn7MXAsNJ0df2ZnmozWT1I66ccOovlX5XMlghOsmtPBD
iZiJLCICOcKRBhgbCAAAADIFgmpFT3kFiQANLwACmwQiIQZWwQXQmdol+FIq6z2d
z4i84Gn1oxEXortPVhq/q+YcoQAAAAAcPRDjNtQHkZBvJC02Qn1fsEFWdrHIbvPZ
XkrPWa5CkP2yb2TMdEH8pqp3bIGapgzDoyvWZzlcBK6xxF+AVQqSrwOaHYx/Ahht
nMSP0IHrw5wmCc7ECgZqS+b5IwAABMCnOYxb/IKTctNNLWeRAsP5RriFg0AmkSqG
WZdeAcCPQkGIVtbEs9/LSNsQUOWswFWFcqCBvBW3BjNxtIYHLaLcqXEilhSwPCDk
FV0ajbEbdHAcQ5sxUA+BJ9yxfAYxeRxcrZint7hbTuUweHY5vmC5dk34dbDjSqX2
Papwx1jSWF8jABVHQ6WjeQtcwynST9TUyPtsDbpBxK2jTg9yb1XBd2wyU4x7swFZ
Vj8Lf7rDIiT2swY7qw4WRU/IeZ0JdQHYpbA4iNBSLCUmKz0KlETnrTdQEmvbqTUY
w9EkrQvZPvJnkQsjUR7rsWpIP45YEwuGpovsAj7KVxlqulwStCzsh+V8ObSnLbC4
eAM6JCdpE3doDrqGCvQrilnzM7VQzZFEHhs2qG/gsT6TKLBpAs0Dw5X8SeaTtrHk
QXcAOUi2jSjlWqapVFRQcu0ZNFsKVS+hN7l8EFT4LU4CVFdoTc2iJM6GsZ34LiOp
dfUAo8WYET4KO/lna1JafWt0eTWgoihpCfw6pomgD/kryM+HGmNBTd9IEvswA1JT
YLcaHCYwwvxxyDBHdV7Yj0H0r20qObSgl1DZCyp0DePgNo/xozISUY4mkH/Rbt3r
Fs1ztItxiW2kwaKpk5tbB3wEWwAqgCuRqEyGBBC8p9oKRY7ic4wMwoXkyINRU2TJ
kLICDvC4UFibGzGkdorCmFIixOWIdrFCRRonFFriBUHrqmm6ZmaBYHExNXUlY1Dk
roETSZrREheYRAa7tLBbb54idlicbvBhWO2lIO9FC6XjkPDkAWMwtJYXmvESNPYL
D0ymTvlwUCwTBEf0aPtihQu3jq8Hj8NjKQBghgrBbJ/rv5FaNazYzX+EUE/lPT/L
UsxTZs6SaykrGaCrMwi7cGW3z8miZeEbAPxzOXbSsVUiAbpxP7FBWEKzGnWlsC1L
YwyikXzlFBAZmJaKF0+FHxUgClFAP5b0BaIVi7zaOKeMieHqRY+HpUlnnUXZXq1G
HhE0iUCJj0g7AtKFdM8gTeE7kxwiUEVyeTlFVnxDCwUAWrGVWN+Ja0hpGm7Jb7S1
Ezs2K1b2ZPxGJNU0Aqh6BX0Yy+mGxcnrRSG6jnILm0J1j883PWEamLX1F1WXQ2gL
gpXEXzbje9SkjQMhB4CSQAkaErpaegCMr53GCK2brI/YMj17zTjyXu/reIP3sQfj
amrWINggJo0GyEwwAvecr5QEJ1bpv3QYg7f4Ia2Uah1gw+wsjVVxVtVRBW/wTQLm
PbRINqQLdrswhp7KR5K4kpdorVqmbquXc8EGZAZYQj0XLDZ5qaP3Qe6Ux9PYQwFA
T9K3nK3VAeXwfj3JaehxHupleC1FTvSHfHszWNLjh+vhZplWtOpqw4acTjAIUbNm
YHHXaTeVbKFnfLH2A2JBJMCYMvf8EzPpq9RsnXAcdIJrqyk1cPRLNXwVgwdTEKek
kNSlf5M0iaKxSgWGcXqLOAQVEAUFl67rQ552ZQShW1b8f532tm6zgn8VUAjDDNvK
zdzKqO1EH2D6XhfTOq9qTdrltfy4bH+XTQh3lxOBGoXLlNpJJnkLkv9aA4HiH2bo
uoFhIs/iRQSIHPVnwXoX+qzRZ8vYMtYKgw9fux3ttdk4QjbWhzPDwpEGGBsIAAAA
MgWCakvm+QWJAA0vAAKbBCIhBlbBBdCZ2iX4UirrPZ3PiLzgafWjEReiu09WGr+r
5hyhAAAAAKGUEIU60fNLpltiA1ri3UtvD9Y4eXpNb5ZLj2O5/4dsOeArs4sfybJc
m1O8VZHw5UD4gbxF7SFG2phVie+X+Mw8XDo9bBTjhf2M0RYycXu/I58E
-----END PGP PUBLIC KEY BLOCK-----

]]></sourcecode></figure>

<t>After
2026-07-11T17:33:45Z
(when the first subkey expires and is no longer usable),
the peer can prune the merged certificate,
which should bring it back to the certificate found in <xref target="new-subkey"/>.</t>

</section>
</section>
<section anchor="old-subkey-removed"><name>Old Subkey Removed</name>

<t>When the key and certificate are no longer useful, they can be removed.</t>

<section anchor="tsk-with-old-subkey-removed"><name>TSK With Old Subkey Removed</name>

<t><spanx style="verb">max_latency</spanx> after the old rotating subkey expires (that is, any time after
2026-07-21T17:33:45Z),
the keyholder's device checks for all incoming messages and processes them.</t>

<t>Once they have all been received and processed, the keyholder's device destroys the expired rotating secret subkey, leaving this TSK.</t>

<figure><sourcecode type="application/pgp-keys" name="old-subkey-removed.key"><![CDATA[
-----BEGIN PGP PRIVATE KEY BLOCK-----

xUsGakRYfxsAAAAgcRJVRUdqGTNMnwwTeQZv+o8XiaDdVTTpXnjPNH2FR4wAET8I
Q3fQeNm71dOZSkB/260JmbL1QIX/q4ugYzBOFKLCkgYfGwgAAAAzBYJqRFh/ApsD
Ah4IIiEGVsEF0JnaJfhSKus9nc+IvOBp9aMRF6K7T1Yav6vmHKEDJwkCAAAAADqF
ENl3uzg/tNOjW2+khGm+tpsVwFezqZ9N64SfSylWouMq267PJtdf8y+mx3g4BbY0
R3N5eTZiIpscbzy8p+PJ5+Hh7edI6p1hrbFxVSY/SjUIx8RrBmpEWH8jAAAEwMnQ
yYCYyPLlqXKM8d+oKEe+a1maw5IdqzQRl3fDQA8WlOlA/Ywqa+MA9Ni7ZMBE9pBR
UKefJGZOu2NuNIJSzsB4c1tYPDqrMSR29JqqnOxXpISJVOmIxhC1j5VAKqnO4AuJ
8zEa3imhDxUr4JORP8eRi5gwkgu8BMQJfDA9kBgeYzQzx5JMJ5Mh/dW8/WOLdzIE
77I8L6dX2NB0v6uAV0A6eFy+LCuivxV/aDRH/9SW1tDGWocNMYqQ75JkFSpE4RVc
YvVBE1iO6XBInjGAm/hSzwE6RglwbpQdy3WaJfYsVuqLQgRpqZhuKmu18vaij0JG
HRhAEDNJuvmBtdgnCneezGtbOPF4zcax5Da+EekANUKhaClxZjSAFpAcpii0GElE
QIpYxaWas6C2fsNxmhsh57d/U0p0SAAiOrmVLrdCC6kpCNuqRiQ8jAC0+/tmZRe3
YVi6lBiNHlVXtcoUCOCH4jWiMAMB04sTb1uz+3EtAJktECDJ5muyIHhCBBQMKBKI
9rMCujJfIQApZ1IHq8qOl2G1NfcdGfsUQ9sbnKZRyik65FBMIOsco+Q7Xppgxyeh
KSmEpxJfwCtfC6YIosud5GSDOZMzCVQViDUawRk58KIIS8YDRNq9SrdqY9uLx4gq
23Jyvfmkald7EsbAaOKbPQNgPaRpJTO7W9QGmFdCL4KkO4hOoVZHltq5Pko+/zYQ
ick7kro5pvPDUaVhxuEu/GIlZWNoR9fO4TIItZwmIjwR5YN0MVC7CyFEaBySPHhY
ZDdJJ7dj+EKncGts02cO7HmM8WUDPAAELlViZ/k10KjH5oO+jWM6YBZrkLOPVngJ
SMB43EpJICeYSsGc2qCNK5NMtLvNSGsvsuUdr/WDtANTrWI2XOw9oVs9APpuiKrH
T+OGQTKnK+lKhUlJMEV6Iqt/6jt2ereLCzgls8B1fceG6disSDiz6jKn/1APsSIn
lcsQqyR8MwoaE5g1tKx8SGFL3xK3VvMrSMED/8g4bsGayfEOM7lKrOIrv8nCyXrI
NOdrW5SgmmmOl2GR63l0qdybFsqZ0BFmlWWlTRFKekRomeMB21yZXbc/qVhqILS4
1oYtUhSxFjBBbClKcAlHIzxNJeJaofALanq2VbKEbnBTpCm+0HhH8Xu+/ACtZew8
QliFrcoRsPM2zcy/nqPAN4QsvRFkykoDiDcId3cjwfAAEKWKIshR5jNZoSwS+fcK
cGk1hoYBhVY0WhQiZTSwNZsOOqaujNNhLgKZ5bebExqzAkIrEhozfSS0ZBtzjCs1
IMRchHOhzgpv3HWl0ZuwtxKu9MY1h+dOjbqxFai7IwOs3xC0PMN03GIWkcNL8UAC
rLNEFPW6sVwE1ROXcTy5Lde63WsmxipfJEtdWfEqrvxZ97yDKfRMGILApbY2CFuA
PkYLiQd+lFGwytNxYbqI7pJKOdlVZ5s/7kBhlCwSedZ91uK/3JijNotlNrt/7ata
saSk2kKjFpRGpUvArJRJGdVJszm5sBZ0PTWn94ZxunazICo15jhCENG++qdEJ6Zb
GHwMX8O7LWNXHUClYtRVTUR0mSFE2mwxLPFeeRJlIOkYFzqWfDCMwXTwl1BLbyLQ
Whk/JW9MNw+ewkrxPD4AaGZh9fcInOX2yYpJXNKEnHCNh08uWEosBWRDzpeOVGja
b3dBAAafhaFGEhx4WqVYOan5ZDw/WNqlTVIRdLWvDuQjHvRMLCoqgQ/E+04G6uS6
arNh3q8Bzija4mELayyhwosGGBsIAAAALAWCakRYfwKbDCIhBlbBBdCZ2iX4Uirr
PZ3PiLzgafWjEReiu09WGr+r5hyhAAAAALldEM+ZdQDjkb6Lwo+Abt3gvdh5cRwy
41xGav9/JaA2DB8o61AVMWBTq9bVqpPHbKJ8Bp/4RM7FvuE/9Ug3HC0HIW/7w+Bl
HeL9iRVunijWPvMEx8RrBmpL5vkjAAAEwKc5jFv8gpNy000tZ5ECw/lGuIWDQCaR
KoZZl14BwI9CQYhW1sSz38tI2xBQ5azAVYVyoIG8FbcGM3G0hgctotypcSKWFLA8
IOQVXRqNsRt0cBxDmzFQD4En3LF8BjF5HFytmKe3uFtO5TB4djm+YLl2Tfh1sONK
pfY9qnDHWNJYXyMAFUdDpaN5C1zDKdJP1NTI+2wNukHEraNOD3JvVcF3bDJTjHuz
AVlWPwt/usMiJPazBjurDhZFT8h5nQl1AdilsDiI0FIsJSYrPQqUROetN1ASa9up
NRjD0SStC9k+8meRCyNRHuuxakg/jlgTC4ami+wCPspXGWq6XBK0LOyH5Xw5tKct
sLh4AzokJ2kTd2gOuoYK9CuKWfMztVDNkUQeGzaob+CxPpMosGkCzQPDlfxJ5pO2
seRBdwA5SLaNKOVapqlUVFBy7Rk0WwpVL6E3uXwQVPgtTgJUV2hNzaIkzoaxnfgu
I6l19QCjxZgRPgo7+WdrUlp9a3R5NaCiKGkJ/DqmiaAP+SvIz4caY0FN30gS+zAD
UlNgtxocJjDC/HHIMEd1XtiPQfSvbSo5tKCXUNkLKnQN4+A2j/GjMhJRjiaQf9Fu
3esWzXO0i3GJbaTBoqmTm1sHfARbACqAK5GoTIYEELyn2gpFjuJzjAzCheTIg1FT
ZMmQsgIO8LhQWJsbMaR2isKYUiLE5Yh2sUJFGicUWuIFQeuqabpmZoFgcTE1dSVj
UOSugRNJmtESF5hEBru0sFtvniJ2WJxu8GFY7aUg70ULpeOQ8OQBYzC0lhea8RI0
9gsPTKZO+XBQLBMER/Ro+2KFC7eOrwePw2MpAGCGCsFsn+u/kVo1rNjNf4RQT+U9
P8tSzFNmzpJrKSsZoKszCLtwZbfPyaJl4RsA/HM5dtKxVSIBunE/sUFYQrMadaWw
LUtjDKKRfOUUEBmYlooXT4UfFSAKUUA/lvQFohWLvNo4p4yJ4epFj4elSWedRdle
rUYeETSJQImPSDsC0oV0zyBN4TuTHCJQRXJ5OUVWfEMLBQBasZVY34lrSGkabslv
tLUTOzYrVvZk/EYk1TQCqHoFfRjL6YbFyetFIbqOcgubQnWPzzc9YRqYtfUXVZdD
aAuClcRfNuN71KSNAyEHgJJACRoSulp6AIyvncYIrZusj9gyPXvNOPJe7+t4g/ex
B+NqatYg2CAmjQbITDAC95yvlAQnVum/dBiDt/ghrZRqHWDD7CyNVXFW1VEFb/BN
AuY9tEg2pAt2uzCGnspHkriSl2itWqZuq5dzwQZkBlhCPRcsNnmpo/dB7pTH09hD
AUBP0recrdUB5fB+Pclp6HEe6mV4LUVO9Id8ezNY0uOH6+FmmVa06mrDhpxOMAhR
s2ZgcddpN5VsoWd8sfYDYkEkwJgy9/wTM+mr1GydcBx0gmurKTVw9Es1fBWDB1MQ
p6SQ1KV/kzSJorFKBYZxeos4BBUQBQWXrutDnnZlBKFbVvx/nfa2brOCfxVQCMMM
28rN3Mqo7UQfYPpeF9M6r2pN2uW1/Lhsf5dNCHeXE4EahcuU2kkmeQuS/1oDgeIf
Zui6gWEiz+JFBIgc9WfBehf6rNFny9gy1gqDD1+7He212ThCNtaHM8MAoGlmFCY0
G4NQ9KIT25xXJhNmdUIGFNhRsy2PALkCJ0c22TwJSI7JoOruxVDKFyRhxRDVmObu
x6bB91tvACdQ6TWc5MeNp6aI15EQSi5301fGMr2A8ncNCrrkxZtWZNjqwpEGGBsI
AAAAMgWCakvm+QWJAA0vAAKbBCIhBlbBBdCZ2iX4UirrPZ3PiLzgafWjEReiu09W
Gr+r5hyhAAAAAKGUEIU60fNLpltiA1ri3UtvD9Y4eXpNb5ZLj2O5/4dsOeArs4sf
ybJcm1O8VZHw5UD4gbxF7SFG2phVie+X+Mw8XDo9bBTjhf2M0RYycXu/I58E
-----END PGP PRIVATE KEY BLOCK-----

]]></sourcecode></figure>

</section>
</section>
</section>
<section numbered="false" anchor="acknowledgements"><name>Acknowledgements</name>

<t>The following people have contributed in various ways to this draft,
offering reviews, suggestions, corrections, and implementation notes:</t>

<t><list style="symbols">
  <t>Ramakrishnan Muthukrishnan</t>
  <t>Heiko Schäfer</t>
</list></t>

</section>
<section numbered="false" anchor="document-history"><name>Document History</name>

<section numbered="false" anchor="changes-from-draft-autocrypt-openpgp-cert-v2-02-to-draft-autocrypt-openpgp-cert-v2-03"><name>Changes from draft-autocrypt-openpgp-cert-v2-02 to draft-autocrypt-openpgp-cert-v2-03</name>

<t><list style="symbols">
  <t>new goal: reduce metadata leaks</t>
  <t>canonicalize rotating subkey binding signature subpackets, rather than copy from previous generation</t>
  <t>fix a generic, shared creation date for primary key and fallback key</t>
  <t>provide explicit AC2 TSK detection logic</t>
  <t>explicitly reference <xref target="RFC9980"/></t>
  <t>minor editorial cleanup</t>
</list></t>

</section>
<section numbered="false" anchor="changes-from-draft-autocrypt-openpgp-cert-v2-01-to-draft-autocrypt-openpgp-cert-v2-02"><name>Changes from draft-autocrypt-openpgp-cert-v2-01 to draft-autocrypt-openpgp-cert-v2-02</name>

<t><list style="symbols">
  <t>adjust description of <spanx style="verb">max_rd</spanx> and <spanx style="verb">min_rd</spanx></t>
  <t>acknowledge reviewers</t>
  <t>correct default value of <spanx style="verb">min_rd</spanx></t>
  <t>offer mitigation for small clock skew between MUAs of the same user</t>
</list></t>

</section>
<section numbered="false" anchor="changes-from-draft-autocrypt-openpgp-cert-v2-00-to-draft-autocrypt-openpgp-cert-v2-01"><name>Changes from draft-autocrypt-openpgp-cert-v2-00 to draft-autocrypt-openpgp-cert-v2-01</name>

<t><list style="symbols">
  <t>rename <spanx style="verb">delay</spanx> to <spanx style="verb">max_latency</spanx></t>
  <t>clean up some lingering terminology that should have been <spanx style="verb">max_rd</spanx></t>
  <t>align timeline diagram with text</t>
  <t>refocus abstract</t>
  <t>test vector descriptions: correct when old secret subkey gets removed</t>
</list></t>

</section>
</section>


  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA9S96VLrWJco+F9PoUtGR8IFg21sY05X1lcewfMIBioqDrIk
28KyZCR54pysuA/SHdHP0o9yn6T3WnvQlmxzDl/1jegmvy8TbGkPa6+95iGR
SCiBFdjmN7WwClzd2y0DdZ1WO0vT6d511ZLpBdbE0rXA9FXNMdShpzn+xPS0
sW2qA1P3zEBtmDtf0cZjz1zHhtl/fdDwFcPVHW1BpjQ8bRIkNP5GwiWzLqfL
xDqd0MmbieS1Aq9OXW/3TbWciasoZIZrxVp639TAW/lBOpm8TaYVzTM1eCJQ
Nq43n3ruavlNZaMpc3NHPjW+qTUnMD3HDBJlmFfxV+OF5fuW6wx3S7KaWmVY
VRQ/IOv8rtmuQz7amb6ytL6p/05WeKH6rhd45sQnv+0W8Mt/KHNPWxjuxvnu
LgMykP9NUVXH9APT+O7a3wMyrv9NTV2o2oVqKQrZ6cz1yDMJ8phK1ku+LF+q
jUv1zrLthevhxxQ2Zc2xTFttaDMn8q3rTQmQF6ZHoOqoJWtt2WrTGgOgCYwf
HLIKfE6cR6n5gB+YC82yCczn03+bWJNgRlbik8+cSwKRyIruyYo8c27a0mru
XXtqevLnuA6yDNtyVlt1uhjP5Flm+Py/8e8vzVVkiuql+mKZU9NeaDtT3nXV
s0yDbDv+Lc7mJMkR6pfyPAvz3wxr6hAcM433leWZl7q7UNamszLhKBgmnDB0
PiEfBXjWJyOCJ5YzVe/gCficjnfCkObfLDOYXJJZ4SvN02fkq1kQLP1vV1fw
JHxkrc1L/tgVfHA19tyNb16xMa7gXc9cutK7umuY5Kym9B2O+OnwV477+LIN
9yaQXg/fuBQjLbWpefB9uDDeQgvIOgksxL38hvALNG9qkqH3RsaV0UfidCGh
llyHwNYynUCtOEYicBPkP+RX/J5gnkpmVCuJFoEQDmGQDXxT08nUbSKZTqSS
FDP5LYAfihT8+B8tR4fBi55pBQvXZ6fPsObxcu+L6Ov7WHoQpWNvHbtphy9o
2V0R0pfoa4E+M48A0ycoqdkISULr/Ct/aeqUDAKNIJ/BEB4d4SoCqHQ2kUol
kpl9QIlFs1UPye0mwO6anmc5hx9puVvLVFsa3EF/ac3Nw4/1XXtCaLk+W1hG
IJ/8cGay7apsu2rBJsTYCmYLRUkkEoTI+IGn6YGiDGeWr5LNrhZwfobp6x4h
Sr4akDFOjvGEkwtFU5Hgap5BfvFWerDyTMQiQtw4E9LDN/ArTsfJ7fd9bUqu
8aVSC1R3QvgSWYQ5MR3fVLWpRrYdkGFdz0w47iZhmPSKwLUiEwSBps99deK5
C/V9pTnBaqES6rFckW99JZgRyjCdqUvXDxL869lu7FmGisO4U09bznY4tWb7
rmo6wBR9cuVtC9kjIWQm3orTk6rrbWCPyDH13ckZWS15UDfJ5TTYPgivMcnt
Ujcz8i/NWJNVaB4QdV1bIlhMes+kFwiGEj5IOLIVKMBe6c5gE2RTFgECgH9F
bsufPn9HZaQL2bFPGTjhkP6lAsdNDo7gLrwCgCSDLSzH8gMCe9veqQxlyQI8
NyDITOinGd59wk9hIGVD8ENdeqZh6QHCwdwuLQ9xH5Y2thwyAD6ku4QvW44G
I4ZLIaSYTGxpNqwGcYK8eRnDMIR4FM0E/lzA+i9wg4RWE2RxNEJWCMQVeIxj
1RFJhgylBWRlnmf6S9cxfLpUePMYGl/Sy0Cuj2GbivIHIKjnGnThilI4jMnA
vsfSqg04TI18tLFsg+yfAHcN5x/sAFc2Gj+i47dJJQDS1AVhDF44pRhfwY1p
1oJAy0Vk9NwxEaGIuEIkGgmlLZ1gpm/ZhMzrDIxwy63pLJgwNDbMpe3u8CAA
A8mq9u8kgSH5bBtcRiBgLZa2CS9SfMA1LRFYTEIEsMzIL+RQ9Lj0KKGrEoVb
AMhBYISvk/HWlhEiPz1BIiL6Ll5ReCAw6elwKqHJwF7a2sq34ElGJC6Uzcwi
f/q2GyDa67apOeRGEOwiF38LV4R8ujB1snTLJyAmkFJMyiJNx4iCF+8SWwNZ
PooyuD+XrNiTIOjviCS5IOdOkV8MH6U3ZMf0TtMl+L7pABckC/NXyyWRWRV6
0CE9IlvU9qgPRT+AIR5KMGMETHqCYKatOm4AeEted9f09lxQujXe4VIY4doR
OubicXDydYBoXRykWv6XyJbyxx9q30ThD/DKV5uaM12RVxS8LkBQQPz31ZPW
w2B4ckH/q7Y7+Hu/0nuo9Stl+H1wX2g2xS8Ke2Jw33lolsPfwjdLnVar0i7T
l8mnauQj5aRVeD6h9+ek0x3WOu1C80Qga0jJCGjIWY3hAAgcCOEEkGtETWLU
DRG8WOr+3/9XKqP++PHf+tVSOpW6/ftv9kc+dZMhfwDboLO5gJn0TwLInaIt
l6bm4fmS8yPHYQUEgcizvurPiPKiEqwDIvbf/x0g8x/f1H8Z68tU5l/ZB7Dh
yIccZpEPEWb7n+y9TIF44KMD0whoRj6PQTq63sJz5G8Od+nDf/kHEYdMNZHK
/+NfFcSeIbI513anO0LJhbYg058TooGob3CJTiKfEi0QZA5yfpK8EuEsXSI/
EYoKnOXUN01yZgNKetRU8jIFVxHO8DabT/799xnoNnjVIxKjalD6srL8Gbkc
YzPYmOS+uatg6iIxkugkqCs+vkBQZwWYNN7hdSL3gChlhDVcUHKoqRNra8pS
F94s64NcZxV/J7I4uY6x8WF0QTkoa3A9OoumLk3TO7YFl7wLpIPgN0Vr8jah
ghoZWl8RfUqibhMUwAlmxmaGi8JAi1MyOOAYJlACcnZHuLp0fsNB43fOTZII
9s8tvXduMHeJUDDXgTs9hxmlOQhcnSlwtAiXdcdvZEiy3ZVDBSK4oQeFBQBq
Qf6AEMalZy2AzAKBQ8Z/okfmp7QAgEwFM86pZRkE3gNWsvcy3VCD4wyKFvAy
wJoxiBnBBNucWoEF8pqq6YSD425RFjsgzYUyFSAVezAyrU95UGzjQxl7kaOg
jCrYCRXYqDRFeA/aAkKhTRrsQmUaQOzdjRkRrvnK5BcBlKslaGn7MAx8056o
wAyJ4rQwKegeQO5oCU5emJItIhI+tAoRzCA8j+DDAtgdTo0AAfGVsHHjgt81
ugKPfCQEBMB4dtVATocT8q0FmCZgmBPQwVVcBZv7tPVQOIO7TcgCbgIEHno5
CdSJKoji/GJJzpUQAQoaQDtZ2ozcR8ONX2hx5+k9BdkjvNZgGSP7NxC6u8hr
ESpA2T0Kjw5cDjBhUPwX6Ehwakfwj0gDBHUAqEQzNwGyQP7wSP0ZUIsYThJt
9xBiAkxCmctyxu6Wk0AqkJFhyBUF+SkgQGWEpmvCtVgQMdBnO2ASj7tYrBwG
IoGFIf6uLU0cILLgjUmYMvnv0oUNWygc4nt0cqCpPr8G8EdIShEC0T2Kef4E
Sr1bLEzCB/Rju0ZM2C2ZRAoXOhyNXEN3idKwqekzcS7mFo5zKpHfgK8LACbm
p0Dqc1W4zERPmSrii567NAVJERJtOA4cqMsRX0BOXTmS/KlqExAguXgLO0OB
1JqgQIoiPPke90elSAMloUNaND13QjF9IlKS8yBwcccB6Ah78D1E41DnjEqs
cHb9PZMAnK05AbT1qOzqM4lbaLwA+jHBAfL6r2YCbcSjuhajCAKu5HfASBQJ
EfQeJTMEFntGif+dcl0CO++CCqlRHr7iojnSmwOHSw9L0JB9jBwTrRIO2yUY
Q+61QwFM1QyJrIFQducSzkRUx5j1x7bdDbKP/eXB+cKM4UNTGOMbYGJXtuIQ
2jIh+iFeNrIcAFoNSIa7sg1qPjLUUC/83H5EzUfaAQXPI7takwn3bEt4NQYA
H3KYAbvdIzD6EP0Z/BewQMNCWyEKPeRPVMAdKmfZhMqjYEdQYGMZwexCnRHl
HNUoR99dAEFEVYI8hjSUvO+A7LImm71ACgkMzyWXxqGSw8wE5d6E8R2T/AuM
bJJhh6nPeNrstPDcI3zIRYpuekCS1mAhZ2e9wpvrr/SZtK0LSpABBgTLo1KR
wHB2IIRDgBFqQR42uGQaSF8Sbkl1dYJVRGS1VwYTE5lzh2q7E3NDCOcH2XGE
h6G8wYQzth0yB2yYSNdgrNAsj9oy4A5F2MTE04TsjEdawvNFXCSrJ8BwVx5Y
NegpR7Estm5QfJdwFRjU9xZFHiLvr5aUMoebIXsjkPRjthI8MHIHEksXZBtA
6rWlm4KNICckHNLYAHqFS9LYcghB0uf2jtpjZqa2JL+jZLXDhU0djZppAfWR
Ax9aBfJsJtjGuFRUEpS0ecDOyOESnN8ScdgHzT9whfwWMoKI2EbWgtgPpg8Q
ETXJcgEM1aEHtUeN96XMfZhQGwoDyj71Qszct9CGupLvEpiDfMjl8CVBnwv0
EDnM3Ed2HuVryMXw5ImEAUc5WdkhP2PjTFZ4GExJEbczEcw8UwsSYA60uYrS
dgWN8XeOPvNcx/qg1BMuvmn8DiQEjjrGvkDNUI+QwCi7AgZ0IV0tyvVg18cW
JMkXlqeCmYJhMZwwtTEL0YiiFWGAQO6onVPaAjCGxcoOrKVNpUSGsHRYFBdA
xAHJfH+3wEdRzCentISjwkPH+R3AOKqC/8YmQAAemzuC9LhYQtICqhURZjRd
Ufs4HlKRHC/yZWAY5GNKSBn9WIAOK1MP9JVIm6XXzZHl9hR8TXlz7FogqAgL
iNyi6MvpfUUITkFFK5+8KFQkY3QtJGchHYM/0PKAzlk4ishScYJ03KZxClhD
eBzykXA00ANAEl6YJtVpTvbu9glKART9y0QqSlihhu2ZS1vT0WxIeR435EaE
7hC2C2CTlEWSfVB9kPJTgkqHLdwXgFan/hlX4Kao5QCuTAiBpoeyYo6aQ2Ie
+ZpvjjyFAg0AAagpIQY2okVxFTDjC2ggvkkxmdp+/Qh0Lwl8bUIWDEAHlAlh
M364m0/3AhTH9QxqW0YJg10OBG6LMWlCw4i0AQfkkX0QYkTG1fYMGPQKWmgo
X1CQwkESQXauCsc1cxBQEO+dA4hFFpIoYBABE7WHKNxYoCHhGoEguDDL2DKo
fMCFAvFaZEJrEpsMXGKEW8mas3BZyhsKSYe/sgIUlYjiDXEaVKBtu06CCbWf
2cdAWCCyAF4UHcUOPBfQV8TN8nWiKXmW61OfDgWHq+srdv3Z8V1Q1wKyxKOu
hWFEYiYwJXticidhvbalW0DvYGWWk/CJTkhJzr78/Y0xGIZ4+JRtTjV9F1q0
wKcUHLhYIRaC45ZoGktwnODGj10ruE4gG+iBz5AWLy1KCaG+H8cIDl0CtfFB
MsvoKb1M1E4a20R0IZytEuAAMqizFREMEnDFkApRNWNiheRkbylAlUHFIDP9
z//xf5A3bfTLn4SndnBM0O1ktN0z7iFtnvzeyz7zQGi+7+oW+mMPGtCoeAYM
AyFP6SBi/JKgCviybN/cwCbhUUqsfQFHlAqWZuCgIQYREHETRSNg3h4IzlFt
YGyhkOjH4SwMTEQb24E2ZhjkkvoYC3AUzjDY3puECwVMohcAOTUvp5cX3DNH
hzb9swOmQYSy9KY2BukGbNfk2akZHJYK49YaFVV2018tUMehQGVKTAAvgtUI
wUQxAmwwjkluNgcxjPYqKP0r0eg0GJYgnm1w0MUDI7heShCaoCdRWrgoPEJf
5wFbMY0OoKce05N/EWXBMEdQubiWHfEbUnT5gkbNrX5jguZzFgwAUWHkVIGZ
hsZbP74rWJbE1KTICSZWC8H2M/swAG2AJyGZm1AoIvfEpdx94Zv22gwNX2gx
Q4bnA4M7JRsJqGHDDMcgD3iWP1eNFeLM2vIZmTrjFkoqF/BYFp2gBYFuoM1N
FUUbArPAczVQ/k0QFigmMGMXOW6YkapxNuVme2RKmHRluh4dgKIw0E0b7zDy
1CPBO+Sa+BTDIyEbgBBo3+Du0QhrCeELvI6FkhCaPUMBcBx5m51bNOQqZN6y
55X8zm0pAShGG4KE7hIsMiqV6lm4AwebvBXD8lFPo9jlgIlyQi7w7FfuL7pS
FGFDuzhaON9XJtqb2EBmVLpgZibuYRNiLqcowrBItRSi4jiobZJrw1Gfm3JD
7ZsA4U8/TuDH1PDhAi2N2+bDJZMdrhzbmsMEMVGFavjMZBXgvIYFl9uU7ScR
LsqwDgz3mmUcND7KDkQ08jCpECQGnIGfB8FDBkIpHkMcoRRxJIdD7LlUopML
FkA2bSFhw+gkVLXxPgLgeFQJgE1YDxk6ihvNXASRSAfZRAqiO7DEUBUAykqW
BitrcWKErlBhuGcuWIL8QssFXiswX9M9IjlS+eiCa9FUggJtGEa+W2nkSgem
CauPxIlAxIC7tCj+CM0L6Tka2yjNorFyjjl1Ayo+EFGGHAmNPOBxKbD0//k/
/k/pWC4oJhGW6fOAHSpicu0AI8T54WEonkSiCZBWHlONB8AcJfFWJxQXABUy
/yjLofaayLGAmSAc3ZCDUA5oZjBAQHnykhCLIG7WCY9nvON6H/mDqL7UXrAh
HIWQ5iWLITqi/zEqL9CWQhtYCr/V7HDlxYLvK2bz+5QgRfh4jI1R+YbeaY1e
NdghLjIE1kUYa4UqOdOQFy4126EMFBAtChXOTZR1Kn/IQWzqQMSrQdjYMUME
82sAczUoYoZ8Ch03GO+HRgrYbU6woyXsKmB6D5ASQCRPDh+i2g1wVfashOga
D39Va2VygwAIE1ub+jSOicmqoYWUXlTqNqQX9McPOmiCLh5Z6N9/EyD8+Eaj
bv86Gt4XQubkb+U///M/VU3z11PlMvFP/VwqP9XCpdplQQQY5lAx0tls6vZM
/fTnp3L+z02ZOCdzkp/ipVom0NYZebOm6imc7DmA7QJYKcaLmmeROX+qpUu1
Su4TqG1EGMCIhtNWM9GotBI3ufz50+G1/6Rzli/5O9IhETGfCnUHZ4U3K5dq
n0e6fnnO6i/mpBOiD2Khbb97xhl5U/3znwLtnwqgBNoZKvGIXBasC6GowxmL
xj0YuguXCp+FO+WgKELNVUBNjZVt0luzIbsh+g1YUOhra822DNApT1FK0cHu
jFxTuhOBK4UBn8FMcwdsuoTmvtLdv14q6ARDUrMiIooT8AmAMqO16nVhOfAo
NaTb5gQs5gHR0cKxL5SoZkVYN7i4gOyIoGU67KVSiH+kvrbPU69IXGAToNBu
ifAMVv8gnFzbaDsFt4pWZ8dg9uQQECGI9icg+ywC7YRMCmrK4ACAeVNJ1dB2
vnqaz2WSySTwBAhCZvZDsQTyZJY9mLlOyw9eKgPmCGDR2840Qf5DpvCMv//m
1I2K4jYVRy1xWmD+gfhDdbqyDAyapvpsuHVcBD8vpcZ1Jz5sCHfZrgn6/nDQ
4LwqaovnHgFubZK8oJzp8VMl8F1RQeTgglSMViTqAEWtAyERVNyhANKJfuYu
EiymHcDE0dxncMKoEskswONwNc+DEAjUIWgAyJHDR3E7jCXYQwYQWG1tSWGg
HBmEhklYINbG8ZduhP6V4K8m6KuRTYB0vKLeUHqgIBW5IMTa2g7+PnCZ2TDU
eFlFi32J3+whuX5+oC2WCuOjlIssaawj17knnFzvUxq089EIxAuMgEnQM0Ox
gs8S8FkgdD+5zWmZTDZ/M1FPUzf5dD53fXt7y9GeCiUAqod27Uk1l64+IwPP
LHIA5MTSyXQukcwlrpPD9PW37C3538tZPKVAjkzh8hJY4MUqgFYNv2t6+vWS
7tuIsDHmFaWBYBJUGDjwfP09hsB9qfxeHoWZgtHXzG1ko9rLVnOBOlur8Kyy
qEpqeqHBaBRjwb7r799QTJkhG1+jwMuN9UyU9U1ZkolEhyvMQgpRd5zQmAzc
umvbph4qVnxMn6IiOESdgF8lGoN68MTpYWxcsAwR1QSUBzQxEwqhrV0LzhzQ
zZ9xq0lkFOnmiEM4jSAl+eSMowha1TYgCm7QiI9uiNCPYdk7pL90drY0Lcwo
2LEIXYILNPUrDKGXZHoCQdTxaZ4cP5G4ZI6GUxfm4Qki2gTkZsaYCeDuLVD4
QLkAAd78xtGAnA7hW6AcONwkaOOtEEAlV2XqISUS1l16ZZlOwPwyP35AZOst
RLbCoh+GJUoEuii6YpwDE13VH38ckGdRcidUZYyBrZGcF3DZ+AF3wEqOB9/a
cnkbT5nIpidMOD2RY6jZGk7ps5jNSWRxNUeOUgj7FxFCJER2Jt4SNJCkeDV9
c3YRQx0GT/TFClkVJh+I6xqfPx2dP7zX+EBym5pcgBQDVh1ym6OKhUk2DFl5
0lvR9ZzyAwaPClztM/q8UD++MSDv6Mz0W8v3V2gChmwQcg3IqZ/Kf4DjlQ00
Mekl/6YOKrVueZ2mHy9FwFihUiirurUktwScW/BkoTJIpLO5806pqEIMfbH8
DRwvG5NpfwSx/0GHcWTRL9w+hsyQU+ZCvThmJjQfOulU5jfOeU9Aj534dfYs
HtKdkSK6Ee8/w4mDusQ/ixf5/7V4wR3wzMkElhv5MzDa+V9Gl08OlChMJ1xj
+v/FgQrYweoPamz//MkSaEEYs4ZCuNAkonRv4q68fQy44NYkKl0TLkdI/y/R
AeVszd9nhBXcvYVpnCGKSGcID34L5ejTcVRB4UrJX+qeVrI/LMM81NfiqIZB
6mYQf+23cO8CzVXiRWBIEeuI9WEeZzwgA95e51VXD+gFgxMGuQCE+8v9MFPh
A5aCEE1vikYcplegO9OGjEM9ZqxXqFCxQGFp5XMkCPWemCBPkxunHpH3wY4O
Ss8UnTVkiw/U5sbNV1QXIWyXl8qgHxCWy5/AKFgiNRkWiCnA6xniTjwa4s+c
MN9QHj2JDnyinkbuEE1QCvNchBx70qRO8SOvpaOvEU37aBYBrwpCDfkOuyDR
ZXFpEbykwh0hOwS59BxJWVZD1Y4QP3OpRhLqfvwg159rf3//rYxNXaMKK5h1
4XEalKCBHOY6KG4h9iQgtYoM6ZkY8MpjYzCgZI2OgT1bI6QE00CAHVoRY3bN
I3lHitLFiAaMtNGoY+FAdFfULsqSMrgFlsUf7FBq9pXP3oSgOdtGEw+oM4ul
HRpytSX8xYJgRWYxVA8hcPYPekSVex5JDi4EGnVHo4X2U9KUveX+JojUU4I6
Z4rswiVzYEgRUWPRVY0GsBAR4seOOVL6zCJLPZC4v2fWoJeSHSaXm4s7tG7I
luvPFwyILCJDINdzf7+DhmJNILeIHj/oFKGzVM5O5/5kJjpIntBjtubhvlGE
Oqsh9HTq0MB9INRiPgms6J6moFVioA2jvibog9sLsgVzUXh/CWKohRJuFe8t
pR4hY6eJXguKeM7EwsmZVhXyT1pnQOQHAq6RZZuoQwwxzHK5Qk8vBrqjpQH2
ASEVOZj6kj0Xy6ZjusKhb4XnhNpvjwxAfp/zKBrtsKGAFRrArfksrkbXlgg0
Qk0wCR4NzyCTE6Q4NFOU1ZMBZDPJQasHGaRGk/e0A4IVs0+cIo2fCMmcfnzG
tGUISESbwr4aF4b4f6OsfSjbNEIzMzevci1Z48HRTHGV9nj56UAMzrGMBfgz
TMTi1k3Jk3pkwL2zPfrkfwnwLOwDY+ePn8GJJwTpEP7g+tsXThd4C33mEg8Z
FgiOzLYX6hZcEK9SXf+IQ4qQuXJoQlapvZXV1AApkcggB03M1DIW8zyQJRno
k8MgIg8D4sGAjrIEkMVKKIuCbTFcsCxZZIlkcX2Zuo4KFwrNn/3dfRV3ktH7
gltuV8Jg9OlqlFNhUlyQE8TqE5R6A5WGqgvOajGGYJiJkJHh4dBkjmZDc6IR
UZDNC7gqewCiIvalIr4TAge9IuRja7FakI8XTMMQpluDhZOzkh9UkqVRohPL
YYVGZBYQCQFhJjEIJ/V5OCyOALFEwCh9nhxoLQghBX8/OEgwB486WvbuOYG7
7LqQUUCCzZ5bJHxjpkGK7UR6OMZLsGiODMZgD9Dk9ShsLyKLivpRLsPv4nCH
OOcvwJ0MPeXRFSjk/PIIUBRzdkhaLhRWzcTYjxiUs+GkoGRx6WS3HZRHcT0/
YF58eribmZy/KY5XiYf+vdGkA0xXhO8ccxvErzjWQWJwP5nYruudHHOLsfww
m2UD0JgmorrtgB7SGEMae8TzmWmsaMhMuWYjCR+MwCgYfCr5CVmCAwFngIZi
Gj9JPnb2cEpB95EU9BwGC4UDQsAHRHfStQALxAEx9xiII45BVNwQF8H0Ql7a
m57iIioHe5mUIEtC4cPd50EQ5trFmEKRe36hEGoUcXXu12eicpJhMIk7CAtY
+SaMhdj12fuUN9I8KClnGWvCQMSHwfBNJLZKlXfG5kxbgy8rrgLwYEZLZDwD
BwozvmVVHx6VROqW5mjUG6dEZVsq1R5J2w9DcsY7RUIkELkPJWLw0keIsiGR
u1QGULMOh2ejUAonKaIX6ljzqU+dyjgsBQhiLqMp2fwbWXNllxhNJ+yKQyrk
hSKSloRYHO4cU3XRYcQXxdfPDEsgcSkbbXch/K+gg1HtdAfoYbE8xkPeWDyc
P7itjNeG+/GHrFopSoV6PzFXBSJCQ1RKcDE3ZBScJewXHROOdu47o3TIElYB
n4kHYTUwFn5Nx1SOhFbR8hgxk8Ex/5zCNUEauHVsI+E5R6Ri6rdGneSVruQ7
efqVSh9H65BhELgouXaJLweE5bH3DjjN5EXSFV2E3IuJKvsSCuS/gRcaLJCI
y6nbm2QimSL/GyaT3/B/Lxf05bE1hXpWlkb483U6McaURRYUzkQgcixtN2Dq
DSSwh8vm6E3E0wQ7EeDh1KMvAUY5ZXT7IvIxJbqvU/IntROfnr2iacJiVgrw
j5LRJCAyqfcMKsQy4zLkslqYR8O8uOKGrByKSKC6mhhByy06e0jCn2WHikui
KguslCr5iX9VG6+gQUA4NgDv2EmDUU2FRFCCaSyYYG8LACLYW0Qx4lODm+87
J9nf6cmLNZw2LlR/7J/9F5fCLjtbDQ0WkbN42fdFdnNCV5lYP86PTkmoapoQ
cUjs7oiiMr9SYWCciCnvt+R+AioitYAd7XuIUt85MTilsGq9SkLubY6bi+ld
2SMgr+Rx1GJUuWzPAYUufJcB47XxypOgwilgOMzHDivbiegjhMoOv2bUZcP0
09PrtDQGmzGyzHNy3rkMfQh4PIYrhas8C/GI3SoKi+4rx5Zwb7Ihi9CaAVNL
JaTgtfy4KhrBET6MXBNrfxgpQVOYfxMgT81NfnQMxVsXQ3bN2FJ/68gojvMp
Qur5OnyNbOGwgYQO6su3gaU17zmYXunCHQy1Ijz7+xbH+O4TvNa80xZDOUU9
tPrfQichObBNialYJQwLJH6BIDzaAQVAR90bjqMkJJZKi9EwagMIArAQVPP4
PCI7oy1/QOuRsFIhM880qbkj4dNKzTpY7MeWFAWAy8TZ0GcWvr1w91/jb12n
IfAOX2K7902molHGlvjNtxVaMk2mKK+GCfWVB3hQCKZXalEVpgjuXby5yeQ5
fYErFDrVvnNt8HSAB00W5Ydnre1TSKbeMGdgzA4RGkToXmUKzWolCXj+YgRa
dCAiFaAXkiOJKENIa+tE2f4eu9+XJygwQITi97R70bgYXsACLnzNDhAcgxAW
nKfxAA0JwV+7r8IpzCMoG68YXy/fW5oNRZ0AZGmcZwhPhQC1ZAh7hd9feR6V
pqZyCUoiX2GNrxyppOKkYrx17ji7ex28EumbuXnEjvjXcFf2PhRh4pKMEcfI
EPXyoWs7n7xOI/INhVIeIU+slNFhhzadk0rdkF7448d/u2+Uq3+RcbP5HJSX
pNsY3BfSiWwqfaGIoKGIvVcULLrgyvfPnxGjCQSVQmkaniUMgcqFUvo70xtO
Q3asyFHUKDSeRT4CaQa2GWUDF2yP39kev5M9nn3DoxMSmfqXGpfRwmlhklMQ
3cWARIkCkYm9dVC8ir7ObKL0+UM0gI0ILnxAL/Ik7k/9+VOVOC8ugg0Jgafk
sTAf4Ps6/Z3Jqiex96R9ncFXdDmQutFokTE+E3zkKenTx/gV+RYeapJHUjko
5T6HiADAme+AI98JjpzC3i5w6Rcw2oXahFfGPtuzeG7u/3vyWy7zH2fkP6nc
fwDrMjdsfZ8sgbyWy5AXkv9xxl+h6P2XekA8CIe8CLFJogB/qf8O9+E759t/
4UMXEZTDHwBYeKh/UegeeQ7DH/5iQfglCHo48CANePguxTj8JR3hpRz7ALCR
EJssWqas0lsHppF+JGQJwXb2+TtyPAo9wjPBeVRpmAt5gWc0EQEo0uth3H1V
mQcdA3OFlOFHmBLEHQ4ShUGpVrukJAOMs2ompd5k1ZuMmpuouWv1Jq3e3Ko3
SfUnn+kneS6vwhPZiXqTA+EHfkmruRR8+JOvhDyXIuORMXJ5NYdDyj8/YaXw
TIZuJ9RoNTS5cKPJr6te7sehKujZDMA4s/JNSQOWiOJraL8INXopJ5BHBNNV
UB4lDMFHKP6lwnJocQPxOje8ko+o+gpTRkqy/fGHKq1QLVsaFK6kR627nvCg
hC5cbQwJYLw0p+Wv8E4ziQMDYL9FMp/2R4+kOh3NO/osIUl8B9lHx4gpFzFk
1yoTtzgxxbynIxP95vyQGUT+r57Hv/r0B98j/zB+Ec8FiApHfNF8nvOvzqPy
RarySn//3f0FspUx7BX34sgsn4IyfCVyV498DHQWvP9EGv2pJtQE/kv8E/3r
yD9fmnAd/XgvMe8y8v3PPSYXH5dnggmQ/Hl8OeThS/HGpcrfJ1OiGIEvIA+m
rwKj/8lo/zrcQGQrB3Yg7wRHAuav3v/F2bra/IvwZraiWCabdLB/HuA6Pw98
RlZxfmSIfcwgy8ll1PEOIkFCABEtln0UznMuD3Z4zHM6Jntlf2UH1r3+7CmE
pwDnZezbI5gioBrH64OIQ8ENC/8zNvyfkW1F4P/p1siwv3dZDnz7yQyEYUFI
ThR6n4MvPLVDBxX+Ac/9JMIpnjnFdzCJE3UNl3F5ecnWhM/t80n46hRypTRI
xqTP/e68v/UTx+jjP4jRqNL9BiH97TFZjugf3GeD+h13MP3440Au3N9HnSza
XleQkPFDBXdtL8iMShmQ6E8dzy4LD2AOtaNuFUjUhPdBkDC3pr4KWISaJGnI
HnP0D9KeAvxxC82KIvAGAmRFwjh4xKkdH/NPiQy6pDULMGcVNafPuhHJGTS8
NAovPSr82zx9CGegNSGZieBAcaB4UT5aIQThGfr6YqXZROQS5NHRJD+Ruo9x
ZZik74pa1pgaaEFBbt12IaxpbkI1Ol6vMHp4UvHFCyY/QrYZZpWB/UT1F+B7
sV13rkHlIV4/ibtPyETkEPwzeu4Es3TovQY67oTFvaHFFMqgxLyVe95WSRKP
oYCcSAV+Q5roKIWjcDXvUukCFoC4DikD5KuEVHY5QZZCFseyJyEkckGgbNBq
GmxQHi0mtydSGg41iXDcZoYjvv6IYUa4xuG0bNOYovCMVjiRSUadhgT3bSkH
0adZihDqYGDbDjTjsLxYVg5J+HjDFkDUbXyhCLfaL4KWfsMhCFYncovY1FiQ
hGjgTuiujcezUk8ZNbN87sZkegSYb1m64H7qa0IEWNBh9rcgbkqcgKJbnAf4
KR2HB4DFA5NQlwENhq5cChWSa6ZHY0jCMqyHsq/PIJzDwMRXcK2LaSXIYclA
WhYU6hOumIORoAmHF0uNP9mQBSTw8p6EsIM4GsM4lO0uFaMPzXe09hlsMHUJ
xeJgHvVf1MghERB4SEvI3kQcCy0xPsbcx43n8sh0VD9psA4lK8whfUAxPoMp
m2BupRY9nA2TWsPZ1XOufCVYAOLrZXSl0rsXKgU51mKUKmSqp44rAtkZfTnD
Ye4Q1oF54ILSRVEnPTWDRpT6/SiFSFSjqsbDTaL9Oi4+wW95GRcSkmOiu7Rd
PBEwP0trZdf6KCNFcw8zTv9m4APTKHG2cKI//UP39pT7948NRmMh45ugWeyR
sHykvSKK4zCsD9lFPjN445H3TYpYASuSr2PzMwqSaOREjNVg4vLKw0AWnug9
CUmECNOhBXBMrDjHLjNtDcZzfyIH7CssvpJyV3R/j7G3z2SCXYpoJpINF4z1
FgHprYSlCw4Jcb6i8Op9+yV/MDUABLdUMmFoe6n+3AGVTf5vvDIBD8cOC56G
8ZnQupFddW5LEvUB9yP1eEwinUrBbYVfi+k4Nxe2KjYFhtWJMEoWXwmMMZbL
AJIKxuJRGodMDhMtIJRAMyCQ0TwQIenz5hWRBgy2O7X0SHIJthOEVK5YnWfM
IGNBlJJsd6iDEpcLDFYZX1NpIQqxFkWIcpxogZUOK7W7k70NCylW7AlXfakU
RT7TXnl4zUDJAXNC2bnudQv0acUNVgcVis9isV9kedicj3y7gCg+SIvbvz2+
yJOzPFb4E/PkFHrV9ucVuUSMgQo4JjTw5NJJaCqZT+/DfqYAC8n1qVeKjBfu
gWkguBOWVALzaNFqUXAfDnW05H0JwdFKRNlIaWtRIDIajYunEHfh8aHJrgI3
sU6zQPs/IMoco0MncoRFWULFH38cEVOJFOYeT2C6kLUwrhPhKO7uqMWa0pzj
EaAQY+q7LhYZoNI7YbBwJIj+KNjShAxmUsb7wdFRqldoYbk+y2fFhfHENMd0
Vz7SFqbtivxLcEhjahNd39SD8pYEJS3X4HXVIaYgRtR+UeQjMgqvRcQaabyy
2Hv+J9edRIkwEYIfVsOldTEjFSjwmtuY+HegK9KlUsXC4xqoc6BcRackYxyr
CITVmsLI2mhjXCj7rIjzoQ2HI0sW8Ielgk6zl0CdvczQ9M9/gEf4Op2iTQRo
AkOImYyJUiUurI4aSmA8oopFXLLnGbqHDgaq4jMUZdQbjygiow49yMEZCjhW
HAOr70FPcYAj3ZL42mRf7xU21uJVL3HRmAnHSDzwyVf0/KK+arKiU6wSDHZW
C899D6oxPCIrL4syKRhUp02g1+g94XYfrkNbLVMThw0JDTQxVn2Fe0tWQEOY
pQXgikUqipyVIFIdXk/lxYMAHa4IwiZpKSYNe08J2OxDzmeLpyQDw0nIcy1G
K76pBWd3RHgVuaqxPHPVhIbULAqeQz6+U1psGObE5JGaQ600WH4Qku59Wthd
LBf6ZhAqKKpxamFW41izNR6hLbrbhKQpVFyguD5ty7yXuViDCoMH0IozHKJ1
0DDnsCMDwXOkiQajLpQXSTgOzT2CFRVoLV8cgso6YbEZhCYaSa6tkvvNLFQG
pBcwd97Sw0H3oEmLx0IZHXASXijQywJToEysHkrWwDUc+WZr2LyFSE+cp0lV
zXiTElozPeTZ0qesDhVSjQ4/ANj/1ILoSmj9QHRek4iwcn1QtlYnClIBerL2
gPf41U25TLkQKWIttPajEA/wPMaG4yYLBIGceQDZYCCXK7Gy+Qb1VqpEvFj5
mLrBot/Y8zQ/ce3aK1FXdT/hV8x2pBzk4+drirhK44ZneAg/ZPp01PzOjfSX
CeEz/PXPZfTln/T/PyMC2fnhvEnTiE8t3qaxgHGTDX9L8gfQnz+ZAZ69jaXh
mdYlPR77iVnrxdz4tmidamH7lilc7994+zeB9ueBlyF8iGZXqtQX9IVDkE5C
QFLs54AVSNgpTiVn+xnf1OEhxJtxPZyW2QhoYWwOF34iUahClvYv4BoH7c8v
gnYfvj8FfMOfPwlkvwZfAl2Jdf4KU3lRz/1d/RSr4hcFqzsYRK9iY7EhkAKy
aiMyZLkj7/yrYDmCdFGwfBHpLvdIDN3Uwp9ig+D1n8Y5E/W4PZXm5jNC7h/y
meEIXD2JwzciW+yjixjhC5s44Iheh4VU+5IqT0QepueWZE36xx+H9dRoIZrj
JTfsDUj2POkBs+BlM6EyZh6MoxY9X2XNvSP1WscakZAuuUlCpIiRUUB/ocXr
5Ho1TCJBnKMWBizGGFflPyl5c6Fws2LYxhmqw6uvPkFvHBj7dviv8YTuHKoY
tUT50phPE7ysjQ/F7myCPAndtqjiwXaDO2GNm3wsfCjsJXT9kc5RkjEuVL7j
7agi8iqKPN5xWQdzN0WpCyY4sN5HYamBpbdymIpztPQNqu5g4/dA9iT6J9ZJ
nO2mlunQJEHe95BXLoB4MSIBRUvncxU5TGiEyc3j814ok1DlpO4qbsQ52PKb
IBKvSsS1u0P5iaEn7jRmzT0DeZwRtKN3IfSpcEsLkawV6G7kMoctNc/s106i
rl+QKh1uJOXWBpPpK/xZGDo0VoxN2nU5WjwCRUyif0gt5plLNgZ3pNya8CUd
tBxxk7jlxYXQI1ZqotfTIsoymcHLzYxP7srn9xstG6ivmg6qOD7LGibEw1zu
9Tqh/TYRpzQbsvzx0EQgt1wtQ+74GangEprE5SYBhwrXn0LN5iUt0M5r1ITF
3YSxyYo25DxTZkDQHHqskoWY5Xdf/MJpexkpgU0RNi5qy8Lzjz/2bHIKLUN9
lFx80h0vNJmyOynqn83kTp60zFXYOPMT8g667wTx+7g9DpAV74Y0P9rL252h
XIEtmH1WXpbOBI1Mfmci7unByYB/kRexOKx7JN9aXlvh+RhgfmeJC1qFANI9
HPMXq2XOUnu3ByCuhEfBEyMx+2MKddMhTNf0A9m4YaBqjpeSQCQwnVAHDCst
8M2OIbAAc+PjbXUpCrNWH6IiAMPKEBVFzy7af1SyL+DZs57KQJ4oMw+beEjL
QBshb0AOWOabQULDXhy+SUNYKBbWAjos1gmgaf4gy+l7I1IHKAwFRoYtGCBF
s3amxWH0AX6LFxS61ShSLBC5eu8ri5wEbV1Me5BjxAu8Yho83YnWUgkbvJJN
jOONwVmVAdFbSnFFrn6UjRzp8SH8ccIYxW0dxwjQGZMIGsLq3o0YPCsi3Ec0
c/nxB9tEIrSNUrv+RNNB6MByBdh+Nkp1w5YnRJig9JwaybnBRuq3DQ3gaPUJ
ZmKxAtENnZvLRBc+Ilw53P3K7btS7/Ul9pub0lLGl0pYtj90NTDhnTa/9Q/G
OSHCWkw8FcyfyXUyRkHglsPXynO3+Y0lb6N5DrfLHmHCgx+WEySCyRRDLmgN
W2iVThMOaHNeXEr0fgp88lEM5SE1fApxn38LjyLmTOXXGDTk1kh6yfHyyIsL
C6gcWhbLSWD92jyTk2tXDvfnVaXpVbYkQ2NkLIFv4WjUB8Aij8KIOszzxJaa
MAPqNbh07iwUi/ddJk6JCteMgvE1Rfoa02LQuCQUU3ine2ihHmi0+LdMqrC9
cyJk3jxxQYxQEiPQQlUo1fkgZpJlUGt6vJoGcx7Su8XEKj6KKPMvsFp0umGB
pPwyWuSImXuIFR0Njf4QE5gAzA7khE6a9h5peBt4ZBdwUS4UIu+T0RE5yXPk
tIIZKzyv+bvFApwuuoyMQtSVbN8H6JsL2b2itgYRxqB93Ix3J5TAI5CR4Qtz
5IVXObTfKuyyCjrM80nEEQ7YETbgCBUetchnv/jlecSAu8fmQE8UJnY/Gh0X
Yk9MHgt5Tcj32Ygxtx1nvTQSgrbzpO7VEDNZr3kILgWCDsGSjNUi278Q/I0w
LcYbErXyZQgNFsMpIQ3PPoojpLRQZbwTB47VbSSL+SFef0Gbjgv6dhiX9vFm
D2HY3Uaso3mhEQzAIbi9IppFJbiSSYR/1rmQIL7Ju1+FKId2E+w8BvtCmgSK
QwJ7Jmp7XIRhyKVSZH18CQXTpMVFTotWYoDGaooQpsfmQfRW99G7Jlyb0slY
Pj/ji/h8QsNnLUwUQVg1n/Y5MyUKLYC4t0cyOr9bhAxWJDJYBf4HfQxYxJF8
g6TOoqAaJ8DQKx83erQQ5uDExX1HHTHk8GQiSFueSVQYzkfYkPgEYkQU7YcU
xSlDAMnetHBB4x1GZJtUT8ZZ+M3dk6UUZsIBk5lUYyJ8TiIz6mm3UYESKbzO
4CDi/87GSx8rvFxnSHREu3C2bWT+4U1SaJmrlbPxyK3guEurebJJOa+gHPqr
IPsvk2jlVzgckQdMT66a9cmrVBUJsTROFcN9SlHvrKxTaGsg3NG5gJJ6HHJS
5z8eWkEb3oXwQbAfmnzlYDgqt8SESgW4TC135XMNLFyRKHK1QHss1ExhS5Uk
elanzQJrXuiz4w+GUkf43Mnfyt7HO7Rce5pIuBTBLv+APBUUUUKN6WeswHRY
KfYnVRepZDiRgRAyC3acyiF7+LefRwzl+58fe/JzJwLbOrQSElQRtt7es8NT
Y/7z3ieHn8RvFJQmYrf8wCDHhvps8GelLyMtP+DjK98f/PAy6MqVPyDwC5tZ
qiXW1p5aGRVs8gSYKvVwIrh4sHkzjTKD6lqgPfhoDisInNrrYBzem086NVGT
aUAjsGRbBegVvGh6tH8ztDjVlrSyhSyKaI4RFe4JBZ1YtuQvj0Q2HtCjuFYW
T1qm95r1QZWvt3yXD5RZHM5ArFBbKPtDQVt2exIBfpFApYCVtKUfMT3hYIVr
OaCJOXVAKcLcaBoqpIU1w4Z70lAoBYH5ZF9u4aVKqLqAYahHRN8IL5aDPbA0
S+FQ21J6IBesbFOUckiE95AcHlUssee5LM9Z3pGICwYDxl543NWB8vBsHgho
Xo3fCBiVsIG0hn0AiYhITxyPSPsUmUQV6FDN3u9ex/RAJZSDJYYSdu9lMkp8
Nr6n+LBHsBpqYEGhPPCTSCcvCqIxSZtyp73CmShVgqko+IXxi14C2HRIfGs+
fjDUvCmOXvB9aOSC3XRPqiwJC2NS9d2J6KprLpZkXeBNQJf3Ej71NDQ1Ee1+
ZmpriwgXXAzZEULjU3PhXATN80X96eMRcGFGxGmueHPkk71beyJaWTDyE+P4
Gw1L9bpxvMVS6watVwpLjRkurcA37Qkvfxz29WOmZLQlsZwpj5U9JpobwI0s
vgUHh00OQG+QFRcawO7TSoiYdSeaFGM7MiFak0+oVin+xAEvQiIpRTRJEp07
IRoq2HGJuoAawSkNhHTgAx5nd3ZwFLn0F3UmsV3zwvQStHh3a9cJ7YQ6Y1WE
D+B+BFVG27MM3NBus2dnkizQVDhkPT2OhWnFY6O/YXBTgpbeXPuXQnnGTxRs
PbKgvTxD5haPdbNoj1DewACLBzoYYsijqzFdat8jFprCwEUJREwI5CbCiPlH
DwTYfUPXAFs4unvlhV+yWxiiC5yAq7u2z9Mrf/woY2Bvoi88rSKBEnVYsjEa
EcuPAVADPBfQmkf+4kycv7SCPSAJVy9G8CkEYJrnuZuIt1w0lmQ2SmqARg8r
MCW0MCDem/Ce4JZ4a2T5hD/NyLQMKa7voGnBYsaRaKoLfIBSs8cUKyzoSUMr
LPS9hV1JQKXzoGch0lYoOu1M7VifRLTAaryzNlg5hQ4ytd0xGJZBv7gMs2/M
EBIhcDBFSYYLv74s6IDx4gObBXWb7QmKU+/YTV2AdZDZp8kVgWAJ6jWRa/UW
eNVVflpHViYi57HBYchqokjBV6SItaNKCeKktbBQcwVe5Ia72Z8t1HK+EEYa
sq+RGKgfHQDDcQ68i8XFQwM0TSnCXR681aw7BnAZeszgwWOKKOUOslRLJCQu
H6OPRtIkuXgcmrrZ+hiuyW3WI/ZEaipEbsvsU1GRzo9eFqyluIHafNb7yqRa
MNH/JA8zNDpfWnKRQD4Wdd4G6s4U/hoj5iKUJGqNEWRaEF5yRLCqpLY2nVKY
svn+9FluG1Z4j2kJkYYnKBVTvYE63Q/I8bI0zDLqWcyzxUp3h3kN7uH98/eE
cMDNC/tLVpS4vsGO7zBro0zXmihhWXjsUIDNU7FSu7FnR1aQsnB8IXhCU5um
LgFX39RsEWx5EXX9ojTCXqNOTUrPw8Vw6FnBAWstBQJ9JVJcP2KIlc1anBej
SzT0FsSliAJEbbBcBHnJvKYBSKo2NqKwQrQTahc1g9H4eXFbOReGBmmr5YWc
QSRcUwAOEIGYl5TH09mE3PkEUzCEyCBzYNgazLFywuL+wHh58jhSdJjnUhYc
9qZcukCGCQ88pf4ZXz2BGH4MxZOj2U9EUWkqRLEOWtjxnVEkE0ORyKv+GRYG
03zIbsBHYrPSNr8BrwPMmiOIONzxDuVgXnEwFpcDXb0d5q8dMDGeRvloS4t1
yeIZhOCSB5CDnKdguAVcFhu8+WEvKozpwDwY6D8DD0G8n82czT603bAcmpdh
4PUJU32qyBywj7H4FC3ivilUDNqthKWT4Y3idwlxIRquRDVQggQQah9vKYR2
WDYQatY8t5a2D7GWXF0QEcqmgvqxBXKBsQJetospbCeE6oCEdXKGy1GEZYSt
gYgkRG+CCbB4CXucK1B4EVDbgMWiswIyApAVcOlbcxTGO2KAggmpPjUzuUuW
3yCLS+pL0wuoAZrWTIEwLLmov+jKTAOaOBdC1/SFOpFZ0Y8f/+j2K43Kc6Lb
uev8Ve7ULlPJy0w+m01ead6Ttb5MZ5OZy+TNdfqaZ4jJihyQlGXgHwisjEkB
0J+ZRfulacrbhYrOK+zhcsb0Mht7GPFIPAxlhWbQVMDh2T1wyrxvQSxTV1Q4
OWBh4CF1hMMYJsESlbVe8TFbHvL0PV7ADoRKSmtY1NPRFEwqtgwokS2hFRo1
WmhWQlCDFk+I1EzQsTfJ2qR+HxQTUexjYYeUPLI39noDRmLT5ry3ZCycE80p
LEQt0lsNhUx5LRalEpYjt7uG+E9nuicB84oVIAtsUPfH1lhA6g/HDGC9E4Ka
1IvAd5ugBNrnMlzY5JHIGmBT5J4YWD2NFqRFihnVgaukjj0XSmrIe6EVfqiD
KLJH6NYSuBBtI2RW6CaP5jaaRoa0iIeKxaMBCfQxiytxNAwUC/HE5BAqY9pA
HXdRfnrYXhZ2BpWUSrTXxSIERGFHyDvFhbCgst/efGgKlLfPKjch7H8ZJRjK
hWErVW6+BMGI+noOQhRXcMAczcpX4NtjNCmFgltcfucUkBn2NJGl/U+AQThL
Ea9CrfBgJ05JTlI5C2MK+d7JIsmD+UT5LKw3zdMfDuEAl6Jo8VBqdFmxANu9
fHQKywUt6o7tn2iUOK06AK0yeLC3eOUIysTrRKmnrtydGEg5L/DEqasod8HK
RlHoxVVrOFDa8wmrX0QBdoKlpE5oshyK05f8FnEtg70XhpkJsVqNKkgixp9J
w1zyFKliFzxQEez0noUVAVjGJ97WMGaGDM0IEQEXOQekmazCAUIIE1GZ8TIU
qWaEOsGm8ThcFTTlqcbqmMk1tfjuaR0tapCIFteCbgNglbaiCR0ga8lpG0Kb
PlDTTUQpFoB3oiNS5k8DqAUmEWxexosHdQVUvWKpC8LbTIEQuVa8LyGyiXhl
I1ZMa49VFD1XM+xdePNORXdfPG5kL5j6TJBl5RCsA45JEEtzKBgIZmE2KLVJ
uisRVMXmhcmoHdJgzUMNugDf9EA9vaBfsr84Z6Qq3QasyaH0yaVo2uDTpjKX
MHHSDC/aUdjE+gRyRd1CKHhhGDy1Q1F854ovSMSES/I4W1hkuA96X1iRDwsG
mdi0mAU9JAVtsRMTE2biNJLZEMdIJPW9MPfxAX+hIMtSdAMZT9vFsmr5HGf4
kFzmD5KJaZI1ABcOM1wGIrNHTZ0S3Zd9aozhCq7JwgZZbSO6oMgwqB7J7jlN
WucZq/4lDIogWZNXnCjeSHcbNGGgfzRDI4JPBHMB3HAYRGJuD7tYR/82mf37
b6LOQ8gIbfcJDgDgfXhVE5j2I6MeogW1HYhl0SBQht+yFIYvovLnhzgXZqmT
g2GmChqa5jgERSm+xsxNSE9oAhf9N9nCsDmALeQzmRzZAlxB8mHvoVaCT2+T
yST5VFgzfvwgj5MPIBLBn2lz8wwMllD0yg1jRAh6Yr0bITwubaLhWHwnvHUH
wIG1isZ7bzlzrGMhqgwh93fneEp4RMrrIzNdvnJV/pS2liSgLKKsgfW04c8C
9C95PQs9IDAdWSjZ3NNlNnmLx5aGiJ9oxn2bG0/35vJDDZip94FraCxRDLV1
jJyRJEtRT2Zm2kte4gqKTMo8lvP6Kd4dTwzHDxxKPIilXGK4OI1JopUROFFm
8BS6boDWKNiulAaToAU1NKgruAMI5G5z6b//DlMKKOwx+N8QdSw+xURRKiNq
WxlgfShp6qF4EFfu83ILMi5MJjRlkTy3BDM9WXynNMAbls7m4KhoYpVvYiML
eBW+h+jSgFzPPpT4wVQNNgHd11rzIPBHrq2IxEh95RWaCgFtCPQKTPqB1VIQ
ddjYB2fMWMvWBhP32WqoPQeAxgMhWX02Ir+BTLeHhB7GMkbcC1DljzsXKuw9
n6ZWUvYgWs5BoWfolsQEYNozNGyeR2HJsJDc1vCuKryEJOvQKOpG4dFjHIMI
euSCk7Yi32NZLYk/sDmkkC0xh3CrsuY3AXc4Uw54eJ0Wdc6ANRN9HNTAFAuc
Rvhi0AEDXwy6kcw7MAD/SZDE3OzDl4oFIXGJ2UHYfXotIxaAIEaXSQv42aCn
MuO5mYDyOzKnH+JJQe1E16BBjlzwFKsVdnncpDUDxkA+CQnCJY0DNmndEPVo
lPoYfF1rU4gtfqjJE0aJRZZov05aD8QUxZP2ZSSM8QShlFDxAPyhh5i8kIKx
KTKlgsxzDOAJF4Bd4xeYuKP8oT5w/X4v3mkYiW4QvuYw8jBMMIOzlVPMWBAl
K8EbiBBKsH5RWQy8DlRsgigB+HbjWQGrZqZFnN6Sztg3JyC+c6z+JBubjs1C
WHk4qr+yWEyes3Z1YZ3F1Gi6mcQcqjfGSjBBdnT2t7OjsS+X6Mlr22BSu5Cg
IQoSU0BEFkoZ+Y8fQpclJJXgvhQWbDmJMe35J9tdWewv1KhFuzCEGIkAYxkx
6ZweBWM0t5XFffoswJdWroL3KWQitqtQBlgtbaIkUNIDgGeiupBe7hvdvwBq
U4Lq2pTsQMBuNl/S3aERGYLx4WS4b53lW4rOzeAAYjYXKVWQFzXaiynAlbMK
s0LojfhAorE7zHfItMswni76VIj6zDggupztW4lida5iCdA0tehohujRfeGV
rRXahQO3VTb2ilR82d6uUXRGEg9jgGEhkVBBk4Bh7y2IyMICjeRNCKTtYgMJ
tN6S9064fcTnYUhSg0CD4hCwEAJEghEQmO7o9spgiABIMPZA1obDX04wKLIF
JjNuvVxZBiZPI8uBxGa+GQvwyZysaHc9RuHIqjA1WjMwXqfgowmHOZyAK7pM
IMSKjazQKy+JIPf0QkMWFQ0d0K/RPI5k2V0GPGfLccEqhRgYyWaNdNAGnhq9
U+iusTQ5b4V7rADzT6gdJkF2dyL3QyIaj40BeLg2wBVQXCOBFcht6XqnENVu
yz5N5iWyApZoGoYhgC7Go8TCxH1agkyYijDaCX0WDMfgNchCPIFyDzuwWZ0w
KxbiBspd6KyTgmS4wAC8O9wmy2Il2FbGEqVqaeaCWYra5inR5MI0Cy/wWV5j
2I8c71y06Xl4tAf0HUYAADkhtRz+e8ErnS5RwIA1riB+1wzidQtZyx21yN6G
/x5aIsBenmFvnAvehzmSwS3sslj4kOG96Tt/hrVYmYFzxziASMEOw9w/XduB
clRS3wtePgaDxRtJjBvnVW7k0Oi9F6Qf+m5Kflf6+e1h9kZMHxnxvzj43jzX
v57nyJS/+05sSmiAsX8Uv55ZASXta3WYYj//ys+WFtcR+X0e2gKA2l4w+rpy
tMXYmmKZC6oy8PbAMgemFDmO6jzIxidEOICYGszzcmkjAZTbUKZGQZZn68bG
iGUahuJn6BxmrsZt2GUxGsDIC7Rzs5RFaxdG6gFLkRyiHDDtrEpHCOASXh5K
rEYOS43GIhIgLK0FVApaWzAKeyorXTiyJEvZoIJ5KDsSok43vlqyBcql8lnw
W7S7LVbaFkXCo9/F/EhYDwflqWjLCkL60E6FpFquUR8tLa6Kr0W1FPp5NJUA
xJDVGDT6Sxo4yeRcDWIfIGhcpt8wJXWfnAjNk45zQlELALoElOTiKYgoPA9J
tgsNZeXCBfqJ4CJvhjyaB5HvqIcaIvlpdR/qVsTqROStfTkzYnTlBLhDI4vE
7sgh8MSq/ZrsNNxJnbrMoQB/xCbgsKUbPVBCl1VrI4jSBSFixy4F+sQt1Cq4
IZ82vqAV1qNIOYs0pVdoIIsWhEMIyVHD2Gmqm1voKKQdoGuTPVX3SbqVfmyO
SJXRvTefWegKxUsGEH/fESmNx+AT+zSsiLI3BR4OL+EdgHTOKyKFKvPEop0q
TNVDZBBMFlh/JxQVjnF+SZrYZ/w0ZhCUfqxxvVerTqZ+eGa+bLrhXylSbO/M
PNzcLSIVfLbsz4UC+rcsGQjh4KB4cBn/+4iMwKWEXwoKvzHggbHTx8f+f2Oa
AzNe/9aMn03+T0oQ+PP/GTFiKKEpp1U8/IffTx4eLgKvaBQSUgVZbr5Uwoot
GFx5iPMLD/Y+/n9OGkGLwVjtYH/JooAbu8yiSzsSQn+PEsbrmUNYiOgDzpoz
hLaGvcm4eD/eYaOH03iDJOgrpNkTDGuaUYtqeO/3CAevCB6PpKKiGNEmDSjo
JkItRS3RSDFQKMtj76IcQwgEyF/jpxxVhjHVRqTrMn3qCMU8qm8xchmv5zlj
nZJEE4kIj6WcLE5n5VdVG703e2WiJIJ5dMn/tAol6SQHyEx4AQVZPPyufHk/
GyZGB39vxK8Nzue4PvDhb88jT/n5PEd/JNr3838BPQspFUtZcfcDFRcQagh9
XITrnbeZoWblX3B9LPkF5cnNBcru9i4RFkzGcoUhwTPOOC5TWRXcLOjHwrgU
kJ3YrYthLlgJdXvlY92yMiOF3yA4KKD5NEQe3cTklwuFFwZipiTwpKLiZMXK
lbJXMR/vOEGGMoAGbY8JPKHLyqoSKg+GHerJ4svo9q6GcuHVf4gCkmFdxrCG
LT4taoRgGBfqUlSmRPBj2V7GC2IVksIB0Ttyub+aipHJ5A8vh+8oXooSdQ6i
SazQ1gv2KgAVUkd0yfi6B2SVOaXpBLExLpkaKKYIwxMXUFkdoqCBWYrXJDPs
RVQdZB5xzZvSmiM0gokhi1rEevxwVn1uRYO3DyRnY0Es3nECo4DVLDYuEuY3
VlqfNzQKqSxdUZp+zF1Vikhg4z0BaFgM9UMh7HkQKjWUs2HHqwlGLkxilDzS
D2TpBlG/kRJxvOBlxTPnCaHowx20ht1LhW6ZmxgPmfVxahYWzQKvmIePR/Yo
e0kKrg4Nq7iaDGl/TMflYc68OD1LoZHTPBi6Ux2Z5dWzqqnRArii7tyC1Z1D
p0pAi4AJ47NGG+xA7rznqPAsy+Vsu9BTAnPa1AL4QrhfoXC8zCaGzyM/nlg8
0RkDl3nvIlqBV4P0LYAfL8tL1m/yhE3atEYLIDktoEZ0bx4jMyZbmL1jfnv+
OIG6vLawKQpYlnkXCYzMdpkZldkHqDtwYWJ5sNVy6qELi/syohdS8VdTKLHH
jpm6ZiigwAqiY3SMFOwbLUkMTdWMxAQoTtgljFm0peK9IhwqtItsWKNIVvBt
6lBKi/nY7GEIhIfsIiz1KJu85LLAn5TDw5pWgehZL+UlYE4Ct+uwYgawRvAy
sPBV6ldCrwQGE4aZjgoPPiUfLnnfNQp5nuDPkyniSQE8tw1m4qEK1Imii9oU
/GBZUWYY/EiOAdlfrKmPlEyKh2kAY2BxXqyEAnVn8/asoXSLXAQLqAE5QToU
ur+gH4RkqsBiiPfQyY3G64TNRBGEY5N3pw2kqI1wFUCcaDA5lf5p2COOpbAU
R8iF03W8fUjZJW+7CLVFmwrEUZhTTd8JBxYtQU776UJLrcMNdbk1juzsH2Es
nI7uGsSGEFlwT4JECtfwMRpKDRiK3J6CpfyDhZGZN7i17RjiFnesWxV3MYpQ
Te1gxjpHZmxEH6ueTRANmLbGWzNFMo6j9mafppdHCh1J9TV4KBN2voMQKAiw
gcIwCcImLIz5ICKCZ2ATOZGO+Yc6hLCotQkZTr5IrY/3FylRrZAcRqCkk+lc
InkDjWBTN9+ur79lsi+MWByJgyeo5IeFXwVHkPzUEXMqSpM1dkulVTDhWJTU
j7EDSWQNQxxkf7vKo/al2hA8hJdFRIJGRmNtdcKmEg7hHn+dMIJxCfNxdWwp
knGuwKc8x6qT8FOs3NXaKqB096HYrJXURuVZLTY7pQZ+rShby73T5v3nydYv
kJ+p3q8/9h+M97thu+VsNkOz97I+d/NPllY2HofD5ZPz1m3fp6v9zEdpPn2e
KHebKbz4UXyuv/ers6vC0i8XZplazarcPfqVarLuaPXJbNBY+beOfl5bd4rL
W63Vr+YaN8PUs6asc+vFfaNSrm/mJRipUH6vVtr29epjehW0O2+j9Pl8drc4
D5b+46Zqfry/3LZzmcFksLNH7qr1rqRzN916YEzyu/PF9nqaKY6fk/3rdtYc
vli1pa+PP3b55Xm3nj2/n92YRi23TM28cXX7OHi+Grw91JQPv9coLpaV0X3+
jcxf2bSc3u659LzrNu33p0Yrb5y7jYp5rqUW2iZbM94/en37elLuFfIju2MX
lKvnzbt23irctq2bl1axcrss9h8a5qR+99JZpdurdq0++PCLGT0VPHfL715r
0E/f1t/fnc72aVkb1JXHzqK2nZVSb9nHQoN8nCms6vmPinZtLWbl7YOXqXf6
3bzZt7LTzXy6yhdbvfqkXLidF6fm80fvQ9lm6616tjW7Mkb5q1GnaXzUKjc3
tXwzZzyl28XkOrcqPCYLObO6O2+WVtZ6+3illfv3V7eDUSoo3ykjV2+3nt97
N9n6vDpYVjL9R/15/VispKxO7qlYc97uCour2eBjU8n1p/ZmvOwZu+sROdpn
/3H13lR60/7y/WW2aixWqfxas96S9bv7/qxQKbfrq/WiGBhTp0Q4x8ddMO50
q5kPXdtmy9p5xZwX2g+NmaKV7O3L26BQXRb0pWUl7yp2pVdbPm+1kebnSumJ
394uZv4se2NcPSSXyUGhYHW8xWPTM0ql3HyplNqr977VI2dYSp5fBYuXvnn9
/Gjl7KLVvrcfnwLdfSh1SveZt5HVKrSKyYw/HKdWH+fXlaBQnwdKpVSuZxer
Xe1+VioWe61GsVG79Vql1Vt9UusVli+p2v17/r1jp+9S7Ylu3E38h96tP3Ya
L/2dNc8p2WqxVev4unveu3laLqfbnTlrDBaV5bY+2ZSCSSn3XHP9lZG9G5Q7
L62P0mPv0So/aJv+PJtv1GrKIP9c7rffbwee8f58u2puM9P39HV9t54s5ppt
3FT8cUHrNMbdXnva1frL+rBzM7rt3S2qRqmZacyVTmbWcR9f7u3gPdudu+dX
H889S5/fzD03u1x3yVyPs+2qsrq6q9kvo7bbv510MsNaLXjZLGpvm76SfW4n
W4+lm9KuWtGKu0H3fvb8Ujbq9Rvj7bzScPS7wE+m9c7N/aKVHz2Uu+S+NO1H
6+Vqnko23u6VrNs5fxu1cs/FF2/e7HQfnWl90CpmrivLeq1kPg/8Oz39Xmo3
su1W0Fy3B3f+2l89GN7VqBwU2kPFG9XST53Nrfvo3xa6y5XV8O6H55273rDh
NM7txuzBrrcqj7nae3CVewvSRHRtlj6mtp8vpia6eafkCOkdlK2P3FvDuUoV
uv6g5ti633vf9fOtjatVstNU0NjmB3fV5vW2cf24bnmDVqV8lZ9mxv6dpuwm
lU7rxm54nZq3zjul3ZNXa3cMb5QdTBeLBZx/P3dtJ9+N3bjqv78ki9WFPRrZ
w361Yc77LtF7WsV0avfyNNav3h9n77XmIJNyn4OH2WBbfSsWxyW7oRfs+9rH
tl0365o7KTQ15z39OG5Uxk5xqCxLi/Pk/ew+/7Q6vyqUghdzk+/ZVtXT3b7f
baU/9N2V894ttDM9f92vzndzt2yV9Zpxrb9tJoWCUmmMGjV/1s++tV/cwWZw
PtEb+t08NXOfi7PH5+Ro1rNehoNN+8XvdN611Vu7PWtOGy/ZsTmubN8/lMK8
5lVm7sdkMEi+FIOPt5KfqrX6+uy+M/uYLtfX9yM7+bLaBNvG6rb1nJqdG523
8fu2qlk3tU3HV663pWS31U5e39VGc73dzD8USl6zXal2RzlCyCupfudJH+6y
TcPMXY/8xdZaTuqVwBhNKu/eevui3N7syo1Jv3VXaxaW4+d0qboqdOfPTatn
nNvVu80uaG+fx++1m2W90THsx5esf3UzL87s0mZgGi+3SmrVuLquW29tN7Db
XnB1QyR5XxvM0/PGW3XZv1s+rAtevV+/Mx7r/sci6xdfkt3hyLnNvGxXjvah
1EpuKvs2K1Xad+fn70alnnsZ391vWk/5zk1z1H66fyjZz0H/cfjQTy4G1Up6
sdk2u1XT7NftWmf+rFQ/3keTcqm1eRpu7FSxOd41e6PZ/Ko+um21N+fmZu5t
u+WbkrV5fmZ81Jf4aEv5XSbKeCiyz9VjsveRtVOFTqevrN116S1TXF2bpdv0
vb29Lzffniov71fXedstP7fud2/eQ/Fh+1zteKlg9D7PG77rbO6cq1nlwx+d
K5nhVWpQ1vVmT5+Nr9blzN2DkVmn69VRzmy0n8/zm2FnWwAZ4rFrDlpk/mFh
UerPLXJbSs9tQ1nplbqfTXZMAoRaeWmcp4r9cj5/vc1lG4sFOdj8Y6H4ZNh6
ZuUQnrVzWu2nYX09mj/m3x4q1/fKQ990MvPbhwf7oz+vXq82jVkm91gixzSY
LTY3np/dPGQyvSf9Rtv5yeeldv1UfXTe3FbFPS/l21ml/d7sWcva/XJRf5tW
3h7vZvmrSio5zVZLQz3tb/NPhTfjY7scN/u63dCmy8KDrY27b8+1jrtxOzXl
ZejflrbJ7Ga6y9ymlhW9+rAeFUZjoznePs5ug/dUy3hMV+uG9ZDvzNa1abp5
bzTSjULjZpafFnvKRhvUdknnfDHbXaXu69dTfZKvboeNSavXLczSz4vkKOs+
vuup++Fzwa6s9Gnj8eXFzmaHT6lx2TGU217Zy6a9dkWfZKvV2m4w3r6My/rV
arGo9PPDnFt7elqMm8FDv0FUACMzGgSjx8xTpXhXWbvF9FTJZa1po3a+tvPj
+/xH8jH99OEM9Nqk0cq+tyuLlJmt66vpnWZubotbrd1YuUHOaA7P885NzR2+
d5Tmfe9jmh1sdb3UHvnNQbC5H/fStXTn6bnbK9lmv7UZd2pl76HmV997H09G
xnlp5wbJ3fW02nm2pkpPXyzst222kM6YmrbILOvJWqbQfbSfnf5uWdo1Rl5r
Z3WevUbvZXetP7sPy53eajU2T/308+D2Xelpm24tezPy3dxNw+8V3p7Xo+L1
7U2Q9PsfletqNWf2N/a89mLvrtNePZ9rleuZ6pPbG80r6efhnVL3ZtclN99I
66NR/fnto1s2Cq16rjn3K+Pr5tOzfted3Q1Ti7p295zbjJp3yfy1W1/WzHK1
9VTsmEqpP+lkXSJk9POp29ymvxu4RnbebzSmDet9l+nWrOZHrVdaDZq6U3oo
bt6fMjfVZq84H6/vkq1zXfEbuXZqN68+vpVMI1Mqt3aTbIEoknnn/jb3NDZW
Tnc0evrYaX567FrN8jZ/7/bKxnL+ZC5X+qitDHrnK7dJuG1zN7olqH6eXrRK
95676zv1h91mldo9tJe14vn2pjHKVLfJ53J+PpjV31OjYmVVuc8rhUXqdrF4
mM9v7LeibzTvsm62t5lvrcKg2B+tMunafW6mV1Pv2eH25X1TXJS3b1kikj5s
y+6u2LSV60rFsJ2Pq/PWx0YvdLcvvYer80ezYoyH95PmQy1VegrqpeXjoPVW
z18v3cG2G0zut8mCo2dSG32onNf6y3yx/hJU073S9KWU713X0l7gV26cWpBZ
vvSfH5P98d1609p+OPfpl9ubbkovLXa6/lzXnu5Gynw627THOUOvOd3gycun
Rv2tXituM5npdDStbuZNYzBzc/nlYppL6iPdciuN7d2mWKzpWu/9fKnUy2X3
/bGULjzk9cJwfm+8zD68Wl7rP00mo6fM1q8nrzLaVapdS1aTi+36hRx7qvc2
TbqT5+W8O1A6C2f3VrafGyUiYzbWH/bzfJ1sNpOPuf6stEmvtEZ5Nr32rZeP
6aT44Op3m5f8XBs+3zSucsn3UoZI6+57zXb0oNTO5vVZq3P/cPN81/7QHkrr
6fhh+DDy72t3wc2uOTkvWPPlYvh+W3ub796a85U2T46Vx1JvWdnc74oDq//4
7hLeuLgzPh4ITuaNQtVa+b1J87nUrOaf8lk7U55Xnpcb/9kKyO087xLZRHlw
O4+r1Et9Ni6mk563GLYGL7fpyt2qaK13Ga/u+tmgdh3cvOSn/Xn5tp1u7hb9
6+0wvZ2ub5fnfaW9ndqDVnpkb1sfRHRqvZff00ltWTKyy2JvaFTeb8zldXF4
FxSCTlZLP+f9rbfQ38uZod9t35QWSuvRGDw8Oe7tQ6rfeGtMO7Xzp41z03oq
+O160pikX5yF+zEapmq5nK533LX9lH1q2dNZx18E3WJZsV6serNUK3X0Rr84
m45ReSzXqtPFsjq8nletXqHd3BRKi03PqvVeRpveU29huPZ5tfae+0gbykfG
ymfunJS7rTy5XtAlgtrV+/mz7vaQj+rdfvmtHfTu5y/Fdb2UTPec1ITw4pHh
3dfG6+6L8jT3uiMtW5p307txetgyyA1bvi+vx7U7bTn9IDdmPXr5sPViI7fd
Vs8Lj733gbfpaPfP26vCbBYoTmvQTdbuvU12syj1/vqL6uyVdvkzjZ31Agxt
EmBx+/EHMwskAn/+N/fbhSYP7MplRKtj0cI4cV8epGuzDPlfGCCgfMwX7A/9
2mNhWNk3QDz4/6QBYlOoDPM1pXc96ZntxU3K6LwM5sWrdC5ZJ7ww1as9Xb1n
VtPnj2Kn2miiteKQsUL5irXikLFC+Yq14pCxQvmKtWKb73txY4XyFWvFIWOF
8hVrxSFjhfIVa8UhY4XyFWvFIWOF8hVrxSFjhfIVa8UhY4XyFWvFIWOF8hVr
xSFjhfIVa8UhY4XyFWvFIWOF8hVrxSFjhfIVa8UhY4XyFWvFIWOF8hVrxSFj
hfIVa8UhY4XyFWvFIWOF8hVrxSFjhfIVa8UhY4XyFWvFIWOF8hVrxSFjhfIV
a8UhY4XyFWvFIWOF8hVrxSFjhfIVa8UhY4XyFWvFIWOFsm+tyBS0u5fZ7YSI
352n9O55WX9qNyrOfak9S+ZXo4rrF0f98sfS7DzevWnK+NooFgraZKZV7yqz
bWb0/vjc0ZzsS3lzNWq/28PHWt9ojtblVe/tft1vNUvu+7R3VTlPZu5yq0FO
0bz27Po9X/yw3rTMotLUdrvZxvXv7op+DRhwszAqofywaYzLpdqsaI+LRaP0
kraeMg+W5yndl+suUcym2mT0Vumb1ip5O7rzzr3sbDdDFt60jUrr/MXold/m
41xz454XxsH1dG3Msnp/s1Myqe2dtr69qmuFdLmYd3OpwmNrVCQy+fjxfdm9
Hzfq+eLyKtNv3VTXq8rV7cP0+r6UvK+Nrm4250VbuTebt0ROXznW26i7blUY
CwcplbLw+nT+UntPrXqL8hO5UaVxxyg7fjW5K+SeJkFPeehdddt5czVYLt9H
6W61V3i8fnnqNJe7Yie//Cg/Jnfj1LI6qaWK7W2q8rQ8r3cfq3WdXAbjxi+5
itmxe8srs+KSC5S76ejVTqdSve6kfa991xgFqe3jSyZXLja603XZHGpWsvY+
KOZerOdMsZbquxOlu20btU6/N79ue61JdVO71vPaaJd8qg8WbqNXrY8WH5l0
qfzeapStu4ebbs83OnqtteoaWv+++Kg0U9Pq4nqQzj8+T8ZaMLx/NGaDp2e7
W3bHu1rb2l4PAmtaWmUmtcJD625utYL61dLV17f9nZG5v1euivrDziG6xqZm
LOpBdaVVNafdT6YL9X7TqZUISXsxzYfU7WiTvZ48FHLnRPLp39+f9/uD1nyR
V0ajzXX3ZrmcVSaV8/dSNZVd7G4eKwPneXltVufeo21Wt4X+rJkrGG5n9eyW
rK6Xndxtr1q3VcPOK9mkU7rfvXW0t349eFoNnppuceH43Z4+eht4703TGSSv
1vXzXaOSe7O2yVam8+A/3RfeHr1S0tOLSjrZttpvdrqcLCyf5sPW3YdVyKVK
zaI2b6WuzXp6aM6DVpApDhc1t3JfXy6f82avvbpfLJarxsBQSp1COfUyqif1
955v2e8fLfdt0djN7/Tg+q5RbehOuVwieGMsKmttfueXdx0z5TU6q51XKdTS
TSU1Na7MG6NZ0bftbd905nr9pXT3oge377tJ562wM4uPuUp1WWwvKltLyxib
924pcKq2NarlPzbXSq9cMq1ss3h3u0ul74tvmf789sUazRYdv2ptg247V9IG
99PtsLoZOtP508dKa77PHybtielX9Pk7uQsvlYHlklvur8q7mpXfVQre3Lqu
b+yC3rDPO9tBsvByd7MNyl2HyH5vhr4sPj5vHMcsTD9ajnLeu69p3fr2yrTT
1+PlR8q28/mF117katYmPynmKoVr7aV6/T52qm8P8673Xko9LwZ5ez1qjNbB
UnkrzHK51vxl99jym4Ful7VBYeKbO3tVJEJS4apecQda8DjtN2fFq0I9mLws
7Xq9k33ejO8H25WmdB5a9dbztDJ9ePRWbat47j4VDW31kCeSX+Flmn8+75Xe
7VYv15oOssa2eP/ykr+6emvl7wtlIoRUle6V/TS7HyW317tUqd2zbwa998eH
t9pu0s5pFX9487Qlanz9utPW7ytXVkWbFAajcd+YF9y73rry/7T3bcvKY0l6
93oKhedmHHQZnQ8T4QtJIA4CgQAh4GZaZwQSEpJAQEe/jd/EL+bMxf6r/qrZ
5ek9tmMuvDsqOn420jpkfvllriTXWjb1tK9yoC/E5yy2PNczo6H3qJXBPBQf
apHEL3UHC5vLeGTA8jyvJpNw4PUuO2P6krdS396eqXBnaGG8mEzMUg+nBu+W
/uJuHcpFOzYvk6tuNKtGc9bj0dm6X9dOJ1m506bmcqwNRZ339lQoPZej85bn
2bw3D4xo2Rvd1c3a1qNpE3Du7tW6E8G2xpx1GDCnqlLKTvSMtCrcda2I3pSa
qcZTNePz3mnsushSYW/LkyIUxt3WGuvNCFYjZ27xvPdaK73NY9/Kpgd+5pzi
ZDzZDI4steD0U8jlWi2M2CFr1vpTr2Ml4/vppLIOZ+m+nojzEjx2Udkj1jlb
q7mupG553vpXOz0eqOMlZBfNMBk7+r6uh+Mnp2WPxOwvDrEm6iMrnI0m9daY
LU8vLcqtQR603nrvdVFrSeL5NaSKJDrqdbqvlZv19GeLYG3LMZdMhgetv4ky
pTpHiqs2+1nfT86bcD91T3ZehZv5Q+u/rFSi2nZ0dS6x77hDfmXd+GvUuY/a
mW1uXlssZ3NfvFhpbygPXnFXncydm5uitNza7rp8QgS1pHJl2nuZ3WywjsY7
tTiI1zl7VteL22U8uM7EbW/7mu4nm3pabzpHKPbZusu0E8DITsZe/7CmRqvy
sjf6z5PpPapqcD53jTK2gqgQLmEtnY6jsRXWg/0iWkzDi+3b1yRJmdulnwtm
oV6EKfUsrbW5ikK+BubyV9v9ef+0modTD8Y1LGqO+/msfKgtG51OB/8oju6P
YT8+pLeuGhIPTqEDnqfowrfL2PGmmsbcNc0K9E9c+WeenPqdK9c7FaJhjtXi
1XmknGebg5Fse52zPXBNeLwpah6vGxVifcvpB9P7Yf5gKCd5FtdL1KSHazGY
L06WergsIOSr6/FwJ+hbo7LumlhGp7FijEZc+Jj0nTS+Dy7GfvqHhM2fpDg+
Mjb0+0AMO+5+7O/WoohUseDffytkkX4rZKH++a9FdvnXOvrrT3sxf1SM/bo/
gpxr9nHH3B83C2DNLPbyURH4+31iuKEdj4fB+pyxNTBp/+fjAMiZTH7I/dgj
9ve//1Qtk5Q/rmn/taoRLxFa+3n7L5+njRr46r8d40d0K6qPvBFui+9XuZ9d
KIZhaFryaSGgY4lOVDqM6VCgGZ9mpPcXIi0ktKzSHE/Ds/ifQDEsvBUytKrQ
nEBLAq34dCDSgUozKk0rPC1G+CFk8XPA02pEMzHFcPCWHNCMSEc8lrDyPj6Y
BLQIX4jwcEKHCc3LdCjTfkwLPq36FMO/RygGtMTTIQyHwRZkmZZEaI6nlYD2
ZWxOAPFwtBrSIU8xAjYp00JIqwEdSbTK0mKCk8C+hAi7gB5ZGd+NOZyjCPMi
A+FoMaQjllYZHB5e28TQvgJ9KXSs4vvwSiLTikD78FBAMRK8xcR0HJC5hjQr
0DGP30PzOMJAogMOvxMkmlNpKaBlkWJklKFIixJpWKFhnjBjPqaZAL7gUea8
RPscHTEoX5WjGZliFHjLl2iJQ2nAB0GhI5FmfZpNaJpPaJYIH6QRCzhUFdoB
aagow4DmWTphaegY5AAC5ENaAn1JIR0IOGdVwKZ9mCAgAEYI/6I5EZ+BscOM
YJ6gWxBFyBEtKwrqgId2Ixw0G9G8SjEBzgsGC60qKCcRQCRgpyLoiwM5K6g/
0IosoGRgQKJEMSBjnIIU0T7ggcfGQH0SSwswQlnCccBwATFsQIcK9i5xFBNh
XzK25EcoJIAnACdmEQj4ASQAIITpwFDDANtKAIcxvKVCSzDChI5gbBxKQ2Gx
KToJUW2gwtCn5ZAYQ0Iz0FeCI4wQ8zB2gaAd9A+zA42TVgQ6gqlxiCsuxkbh
LRbtSxVRTqqKKo1hHiKdiCh1EBcdRfgBngL0xDICPYwoFu2LJeMBk4SxACZ5
DocfwFuiii+DmYC6Ax/VA1ATZIpF+4LxJj7qUAErk7FTgB6wCkE7h5YIYoLZ
AuagHS6gWLQvACFIG17B6QoodlCU/56wT8YG04Z/cCB5+CKhWLQvFSxVIoPk
EQIs9KiizHAiMFYAAWgUXgFOgXnxAsUS41ORK4AHVGJoMAOGRXUQakhogUWr
8Hk0BvhOgRGifck+wQvMjli5HCMKQP4ICSWmuRC/5nkEBsA4YCkW7Utm0XiV
CNUEw4nACmXsjo5AhQghNDHQAgAMu2YoFu0LbFSMEbRhiHDjFTQ0kAHCSSH8
5auIb5Av4kalWLQvmDvoxCeDBKzJBOY88iERHc5LRftSJUSyDG+hgBkYRUyz
MaoRWgWTgRZASzQDpMDg12DeACBFRUoKfYpF+4L+QK3IJT4OEqAKFg0qov0Q
32dVMgKAMZGRAG+hfSHOGaQWoHcwCxAYzBt0jcpGqmfxdYawpBoDaVIs2hd0
BAIOAprzCTyIPEEMyKoMSCBBxYFYwYUgZEOKjT8oVvzgV+BeED7ADeZESxLR
ukxHPjYNcAHuC0HyaF8goZgQBfwNhgMyATRGKEMBocZJKCCYF0wAcMj44L3f
koe+VEISIGxEI7EPdBWAbpiLQtAGcwZ1RiHFoX0BCMFeQSBApMAYIDPAMIwO
W0FiV1DloEJ4F94SEopD+0IVMwhXIF5QMTAquBiYEBIvdAT+DuaMl3BIxDHB
CNG+gC7AFNDwZZQxS7AA8kT7gicBaoB2+AzsAYTvBxSH9gUsgtrg8D+YFMd+
8Bv2DQLkZOwOHoQ5AHTkmOLQvoCPWQJCNCsWFQeSI0SZIFUFpAlQIaAXAAQ8
z0lvBniLChFNeB6MiUM+VLEhMDZJIYYH3ApjVimO2JeEBAZmCl4O4CAS80fu
JTyGROmT0QPmgCZCluLQvlC5DEoS9AsjhB4R+SpxhzAwIAiYNgwSBA1KAp7n
iP8SkP1Ay8CXwGFg0RA5oP9SQgQWEAQCSSXgBwPmKY74rxDFiHMFlo2IK2CQ
PXA8AD9oDgFH2APEwIOW0b44ohDgS5gH2B98AyoC6CEowUGAmsBRyRHiAJid
EygO7QucLcwC4MQQVhQIcJDZgAWAbUBZABcAKGAanI0Ako/efhlaBijC34C6
kYRBJuArwREClYF/BFCiYRJM8oBetC8ErUDw4hN3yZDZwwhh0OBjohCHiu5K
IiqBeaF9JQrSRUIgA9SCbYuIcXQloGiRRDXQN1IYmHZI8czbUkDA4OJAhuBK
QDgAVfTmAukSpA3oBPkDQnDOPMWjfcGT0LNMRMsQDwtECopA0gBjgaFAX6A/
GA2L7EDxaF8YiUTIb+8QVOBwkKA47AgZI0DfxxJBh2gFFI/2hXhQ0cpAetAd
emcgs4QEqTBhmYRlqC8VLTCAEaJ9AZAwFiIuEj2FhCpCRMEHkBtGXIQgwG6D
GEiZ4tG+4A9AxmBM6MV8hAMiRCBv4XcM/iMm0RFMSPQpnsSH5EvkbRm9uSIR
Ug3fwZyCXiwijg/GCZNRWIpH+2II5UpE+YgaGSM9kAnODWwGNMETxfskLg0k
ilfefUE8y5K3AHpI0iLxDiAHABIwJ0sCe1BJlBDJo32BUQA8Af3gfQAOMRFg
gtgQ0CoxaudwKFKCoGFB8mhfQHWR+OGs4HsYISAZ5oSAh888iU+AEcBIYSii
QvHEvhQUO2gDzApgDvB5uzj0RBHxbYmAaPRJLMIEFI/2hfYbo7QwJGGRo8Dz
cMg2BFvAsDBIgQR2YHgMSAPtCxCokhgQBhaHZFI+Do3Qi4I4Vwn3csRFgXfg
4zcOORKDJ4T8gOShB7RKoFeJ+AwQpkToF1pEfSVvS8EAnEWjZsiiBIP9gH5j
FWMXhrjt9+R5nxKIfUXYOYiHJ3ICaHMkYkInChMRBWJyKjbNYGhLCWhfMFcQ
I65rJCQBCGQYEtMhttDYRBQ+urwEeYBhKAHtC6JvkCFYBwwvJFNBeoZ54cIg
wUGoxAEAuYCXUmCE/BvzAaEuCLPfQRCsU8DJon2BD0BAExWCecJoBJUS0L7A
GAPyPcZdPnF0JKD+MEPULHHoGKXA0i+gBPFtyxgocSRsjIgW3jIELYMYWbIw
A4CCcECjQUgJ0ntNJCBjIRlCcAdNApQSwKGaoIx4EgsBfyFlIStSgvyOYFni
6VjSJFCFT2wRFyZgjz4xNpkgBOhUYClBeccAb9wGxHNFZMUH7EGcboDrUGBg
nywVAPkQEQkf6y+YN4RqCok3eBLtYpSCHllC2xMJNQB6cJ2gUIL/5iiYKC4p
fIQH/IknMTgJvt9xMIk/oF8wD06mBLQvEAWsdiOCMhA7RNMAB3BPSOLIOz7h
O7KWA2YTRUpA+0IPEKLwcaEnYPiDARfoC6AN5gz2CTOC/0efSlY3AtoXhrhf
+R+8xf44/Csp/yRrgUcY/ztZC4F4SfTbCTFHDsVGghIBJw+wA3nhPzhEmvyR
tYAnJbJsld8RJfEyxNYEtA0wAaQO5uM/jvnIWpDFE7g8TIeQVRqGiyBPzC8k
uBZgCVlgW8gv76wFEi2uD1BrECbB60ClMYgLVhcQO2KuQ0CvpJBGlfCdtcCe
I0QvTvIfkScjCB/ytOZ/Js5z8e9IE4dIEi9igGYDOIQZgpvAGBBJIvkgcfHt
WqW3NFVCFAAsgB/QARCvTyJCjPwUYhnoqBQSX4Nwubc0wceBG0LCilENMVkH
klW0hJ7GJ+zw9icgLYhdiDRVskSHWAiGJ5NIG20JeBz8NEuWGpi2iQl9ggdj
39IE3hcxhsTcC+CBI+slpBkcAUtyNhI2ChCBaYbcOwcUE78QBQRhEglcyFoL
F2rQUJAgDfEkL4Y5sBhzQL+dRENyeuWtxY1+WfMnKjk3/45GUKQ+MiCgS3rb
eIIODB0P0DxIVQoI90QoDpb9yMrJJDkQkZU+Q4BOUmZoyuj+SbSBCQ4ZqSX+
0AiwLYgIJUecO+ATeoC5oh4xlxSRbJOKYQ6sVpX4Iysn4SuAf9A4aB+9tkyy
VyjPAOUFxAE+kiPd8R/49snf4BEgTRgUmABYHHAiagW8PgyFJRQOgABC5KS3
RuBv8ArOhUMrY4k7B1rE1BSoWyHmgglIDrtT5HdWDjCGy/KQLJQUpL6QWCMd
+ySxJ5IMkY/Dw0Qm+2tWDkQZkZgJ2BMflElMA940IRYike6gI3gd1kIkK8eT
4C0mkTOimLwCLpOkYVhsEdd4ZIEVgQbld1YuJLAMiLIS4mvA+Bn0QD5pi2TK
wKdK7/jFx6zcb0hLsrpp8bsybOMfN3ripvgGYo3o12N71mON+1cRGOy3s0jJ
3lg/b3/dEP2Hg/V+PcLhI4P927b+j65wA+mPG4c+UuN4DfjvT0X7013fpFDy
fU1X8z6+FV/Cksr3aWz4CXdafuwD/XkXKjm856ds/t/+CR7+5d3fjxLMHydG
f7pL9OOQpSD+42bRz8+qJgeikYlfPv2x4E/KNaGRj0H9ArIr73H0vXX0e+vo
99bR762j31tHv7eOfm8d/d46+p++dfRe9D62jlavYu71n8aZn22ozZq9nJ3Z
oOf6wnFva9NqeD3mxW6XjjXwEXpmBh5ILXkyp2BoDvJ6rm+POytNg27bdvsX
FQbrkf7kMt7KH+AO3GbQpaK+jUYl9xjxq248XATzrbZM10nY7LrRfHcOdxa3
r+RY8Bg5p+bjI7cIxPS2O9i9sdcJzDVXT9w1nEd7Jj8mk07brphFXvLn2W4+
r5hz32XnJznQOMkJ1y1VMsIyLNRtt4uaeb6Yx/Jc97b7vsH3pO45OYOPGC2k
ZmGet8vnuIiMnatzltctJifHzbqcmmaNalSroSgxvKtPa046s6P5cjW1mBm3
kZ8HcTibsMNYks3retBbePp8drz6M1mb9J55eKD8ugqHtdPIkyRPBgVTPbnu
Nk4Hi8y5+Cub9zVJOqY1YwnVQXktWHfOrVa6ENjX412YDXvU+Zl1vjOzNWWx
7Q8vxVkG7zs0eW2QT9qSKcXttbhC4OeOZ+1oswKCcu/lJhYTXXd7BrugtHy1
84e8XWabxbEeRT1DOF13O1azlmahD3vG6S4euHbtXdg6Gp/Z0pqUvnNRgFym
pdYXKUs5LY+PCiTCJ2t9Js81e+1yBj86dsV8PlPCMO1W/DbmJqquWmprnQqm
nEYO5zTXSONPlDDwl4o/fw7z0WJa6X3GkyPpEdihvJ6F+7yt5qPselgEXhcp
utloVqnVZ/84P6aOc7cSnzLO3kK4LOaDuWWKc/C7W/v8PBhPLZW7m6nvi0fz
qMa+1VXH9aTZ5NnYfzhn158+Vr6QbnVKkqrqVhyK1NMf882WnXq2I1qSPmQK
n1lNdsXQGd3kdQcRazy5HPaXkdztt6e2Wg/uK+eWU4I46ETNPM1na88U68fw
tOGMTp1XZ1kMTa0ZdquxOjrJ+9KdtYJ014X+YP88a/vJ3uq8Z0JJcm/lnbyG
m7P9o6kvxQ3Tf7KzucsFi3PRVNajSK+v+eTG63mr9KdlsTuOuoESvnKOqc0t
NUlHUrjpPZzt0YDZslWgtWtuPi8rUxFXjjM6ZF52jJbHlbKdaNXKGfQ8VfMy
c39TuFN2oU6Ty1E6e8ujtJ0eRNbktlK7Ogore5Jr2V6dLLrZ+rjbLCdD/rgQ
5+Ek183wchZX24PidI1Jaeb1kW9PSea1E4hgbk+vx7SruWxnracWG2WVbbY2
KC9Ot+pofq+OzW4qMe7xVopPQ2wNKtr3l/aLPY6qjFVX0TZn7NIQrO3DVDiB
v7vVhBlMnFg7n7Xp6GhJ3qXUTlYveqRZW0jPJcUNJmqsMIKSy3eJzwaqPBwL
XHVls8F+Yvi23hznc23GQ7Th6kbkSYHKjCYLvmeM2nxURtR+vmzAXrfhNti6
zvauDBlDPHHMeuCfDd6X5xM/fp7j9W1q7XyL9atCqnN+qeuFM/KGE5Uynx0X
+8VJZca3fJ5suOFcd4b9dSs+W9YZ58pYUJ8w7nAlXw+7tF25MnPkH/KcPa0F
IakpwfMP23pz9ZvF6DIUOsMcvQ6F/mC5M597z+OBfz7U1M6c9UYrBjO+r89f
kn93gynbjcdrg/KlprJ3A2b92iomuAH3YVyq6cCtdr2NPSmyxi3N48WUslc6
NFeaqR/im8Qs4qhwh+W29aj+uBep9eHWCNO+udUmXfcKng0fPq+ndqWraS8X
dszrevfPvC8GO+U2evRzhplEYrhJV1eTeoobf70+iIY463vpQheOaiHNrvp+
PVsKZ3eY6S/2oJiS2b82jJfMuMHMM8r5cic3kRzsDtRiOOHYMnx1yr/ZOjoT
7//HW0eNY64b5qIdv9bg9vep7QstOws6WF2Nc2nj9TxqLainW9IbB4NLasmL
2Vgpnrtpu7mb3gp4VutNRsoqZo6r9rrf7i/3vH+aL81OWnp42MFOpU720Jtf
TPn+XCS69tWto5jf+EP6gqKG5NzQHzfa/uHGrJ+SFT8u+XlXD77zPPHDD393
2tjPp6bhreqXj3rCn7ep/v1PMha/pVF+edcufu80/d5p+r3T9Hun6fdO0++d
pt87Tb93mn7vNP3eafq90/R7p+n3TtPvnabfO02/d5r+f7DTFD05pb/zU29X
boXiybwraWU/GYZpD+LQ6Pr56DbxBo7hr6zycMhZQe8mquHsjx7brF8Ur7QT
7qE7ov/Stvvts5yMFDMIR3N+xBzTsC3bZxWuLc+cacpk4Wx3q6vdrFom1B+D
4mU61EAYXviZqegnUxybz7awYv5mtgtxowvRqejtZzm3SY5ss7CtKtmr18tg
7NnT/e4510w3GlCVb4sG+xpY0XTJ2ptJj+vs23k8rH17MeCn921o8sFgujmN
bzDE3Ft2bf/WzLPp0n/pp1tNDY4Hc6McxYuTs1qU5c0gmzDmpJmu9/XSubqr
RdzarLb21Vtlr04DZr1uDfXcU4p4ZTztFTW+3R7+Oe2f8nRjCH6R9Tpj2VS7
kXeFBb3FzBbPsbjrxNYK22Z2FLRXeZ5y503EpYtbubco1bhZXjJ/tduBfXad
ePTyy6BnPJbVHKLFs/FyloM8eUzFCsKeeKVHnSauZ75tLbZ+dc1damvqT3l1
Zryu2s6kIX/bAW6WabtJp+6WO9ovf3J+lf7jkqS3iZSzqmOcHod0tUxLuedF
NeXmlerzK9H2jcwanaf9wbXIfG3ZW98nLyH094xp80y67r20gZvbafsow+lp
YPTH48l8GLHUrs2WTrK+B+sS5mnsXPs8sy6OLfQ07tQfnebH6eqU+U6imjc+
brzXbsFk/Gga+Bu9vBYbqmCbcaKtAs24apY4KjeT/XA4e164tDJPt+nrpL2M
Y7yZpKy5OcwLp0knC2V2BLNrArBejsoaa+9ms6G4P3KNOzVHWeh6t4npxLer
H1TFoTTTcDNko/X25C7Wt3RlT4t2uDbF41CvbwzVmO39kk05b/q4KSNzL/tu
KjPuDJYDjrIApn0ZTH6MfWU1YdS0WW6sw6K3052ZPh+u+quS6nGWacjxou7i
ZcfNK21kjCCkaS69W/+8LdnaPtmJsHI2PVddKu36ZdrFq5rW1ro5lFbzooxZ
2x2CZPn0p7kAXqw/notA2Y/teqLfLsN+45p7p577ke91M7c9DSxrlSxcd6gX
+7wsd9RGcBNzrVmuq/Xzu2OWRw8W/qVQCc+pEIMghThfe3G0ivK4dvfxcLOe
OpNiuR40BlNuGer11G1hc9uMjamz2k3FhbuFZeJ8pju63xy2e17I6/Xo7AdN
fm9n7mbx2tfb++HcH+7P7MYxqOu4NJPVaSbtA/MZt+YkuC7C9BY4F2/5eoXq
fnXdt4m72x6iga/djDxcJfbNlllrbWvP4ZhKp1PNWJXrW15J2uR5v4T7Cab2
T2r6XO7u9mI5jeVeK6T9+KH37Kvf7lPO0IqTE4BzhaWvKj7vueZctreiH+nZ
oO2nx/qwuo69wUAGe93uTI/dDs2gr9vaba+2w5SrtJa7vYzRpanG1LnO1jmX
td71cLuK0atzDmc9PxrLVdjYl6IqoVm52owZ9TjQXH3J1HFYR64uJnpvGeYV
JY2HsVRshZm7XaiTSIlf9p65LcZSzyyKrc9IRT04Vo/FXDuuGu6QhlFU2eK2
Kb1IaZL9gNqfh2dYWD3VfreZ94qaHT0jIEwmLW61tdmCo2jYRPcGOjt3Kmnt
sNa2f36tp2VtWvr+8KDishF03XV0x9vVt3ZwuRxy3TKD7f3RvyQ+F9QLI3ls
HWM+n3NKbfPzaym7TrJfVrGpziWq5iqbu3lsf3ZsEjGyjXG8GwpD/xjeXO58
LmLntu6z5SCNJ8nhlkmpN8xevampT9JQ9RKdio+JVNvm5QlqY9PrYMD25HHM
sdzmaNitP54rc4gI88I09sxIsB3Vmmw48bGbHu0icicjyrRBOE9uqc3OBiwa
OG7TTdcTeVou6ttjO7DM5+r4WA22xSK4PaRAV9n2rhmRI228UJzHNlVJ/oQV
h846E3mGTUbzmtOUS2gbdX1+HFrvYJ+uP1z5b578XvQ+PDn1FVf+O09ujdzh
xJUoJrFnVd5mGltnvNveB+peiHeVHYiH2YlbiH0hahaxVjdCkzyDaViwC2V7
GHeiOxDS4GFS8toccdVxm8W9XW/eKbtBqQb65nRMuDmz2j/D3a0/EZXhlw6N
+Cd6HtdpHP3+5hHtfaMNuU7k6OMdRGFMTnIgt+fUGbnl7He1pljN2v64u/un
q/h+eoZ6X9FDLm4r3p3iw3jLS3YhVal43UmAF1f/SSn5v/nh5rvQ9LvQ9LvQ
9LvQ9LvQ9LvQ9LvQ9LvQ9D+70PT7jpLvO0q+7yj5vqPk+46S7ztKvu8o+fod
JaE8BHu4rnuBOOk0TZ8bl8X+EfQn1iZsbXvmxSutWYqrOjNTRivO6yus2g5R
rIXG0jmPJts2GDZqf7a2G8ddeE1nemZ4NfS77vH6yX60k/145s/C626Y5cd1
tzQGZ8rcMv4pGAbRWAsdsXm4Wk+fqs9Hou0fMdhVfcgurXwMNje3i8d78V4Y
YnTmhSgYnNbXHUct/ap7sKe1Z8K6S9+OHck7xU4bds/LeqNu3OeybQZBpT8s
7rRJ1WfA7vSI656u8JBhiAdqe1JmiVwPJtmGa7q9fO0Eb+X2J/GBmUbOeF8F
mpDZ+npmuIX1Yqx8uLnUm8gZFvfgunH3VKcOz7VzPyzv08vZaU7uCmICr5os
BXE/7G6jqrw32km2to/8esu7dWu8mmNvqyyC9WUWgDXG2lyaGlE15KNyUF9H
xt2pM+C4ubx1XgdzOD423HXUT5uNtLFmeqU1zKATd8o69jdtPT5TEHtoCzfj
TutT7l39amuunPDGHGyzsbbr3tGWc2VoboSZKxhbMyoh6simc2nUHHhhli0q
KkpcrVS8/XAjWIt+fvHZqZ94LRNvvLTMjpWRdFJVFumgf66f8954VNj6JlIn
w3vTaex0Q+1noT829l13fzyeA30cbeX9iRkzNcdcYZ5pzg4OxrNiBvEytcv+
o3xN1u5eKM7j/ipo+ZoyG/bVTtpH5nHnzreqs9gGOt8NvU67psZtdR0+R7pu
KJVaWqu9nIVCB0up3fk5sVcut5lS59nEGNwNwTWzYPQanaOyNgpzkj0W3iSq
TWO1Ki+mWWe6O66vRSEdCl/fj4cPe+fmexaQWJfDzfpQr4bHeL/SfLmd6UEg
ClmUZ2Fw14/egoOgWjUNaXc6LwdnzZt37XS/K+7Dtb3cz6gB8yw297xzjW6j
DxPGX7bZ0bnxp6syPin2yXL09JjWejDt13fR9G3/tX/tekN32M+Xm/6McpvH
5tBIa/95rke+Uc+7TA5HHv9SiuwQDwPwdq/FLlg3WzfTguqxlE3dG1qv0cXL
G4OdUfvumZ13r9zUtQNEEZbJ9Mzxw02N3NSWYsDo/mSbyS9YwMfzLB5fV/ve
uHLzy8XdHXZXdkSNj0Mmc43piUllrbXMaK6km3gonx9d5g63z3iTQ2j7GBid
q3n1aOvZvanPHKtRIU8Dec1SELNzFhtwh+VjNLVdRrseJX3H7J+9YvQIL/Vq
PZJOl8msYKbsCYLwpTf0i9mONVlv53DpjEqr3XD3Ck6xuj6fnPlRF4y1o539
YV35cWrMa5EfGRYX1JP+fn5i5dfm9Nzd+nU8WfLgdE6UX8D63U7TacmMnsOu
0+5xWIvOcMoGsGh09qmcCBOfc/0jm3a9rjltt49tu13pXr/bOLOCWgariX11
ZlHddMdKtlaiJZwrgNP2WgTX2y5UhqODdtg7J2Y3GxzEq7/knVhyH+py73Sm
Rm1Ui7/Aql6Ld11y4qd+fHyMb1UeG6y5ua/Hybh5efbsdOzdj4cq99pFBZzj
h5uTNnEDu6D24/HO38SwGDcvyWzMadxUn86N/fyeKMPXsrqqq+ay08JoMq2v
zzMLjmJm77pt2kWboRWfqbO9zhNxzmS+9Vin3ijcXWcLzdkONdfMJbl2RJE7
OOujxwZKIvJcW0iv9KJsXe00GNh3i3pFL+u6YIdjbiDtjslmcVWvm6jO2+Qp
BOPebuMc+fyx0Eflbpbb1RSIb3a+q74mjLMxhI7UrTSPk6afrZz1ZLzcXrpd
uetdX6uDct/P272Vdmpye/BtG50F5xR4RwiGf/4FgPrjTwBf/QWA+uNPAF/9
BYD6408A/8FfAP43mzV+fzQ0y/58NHT3I53/Pnzj49yM+FFlddyQhH/W0Jf3
Fe1xTd8a3LjxX/Fu9Pj980HoX+iqvl3eh2V8pPx/+kHgL1R3zMLjr1s/ajx8
ImtpvI3+xzEVP//G8NM2j59Owvg7OTqDXkALHwdlrN7HUFCU92MG549L3n/3
i0Ud/270cXLL/4JPP8nAA3IUCDnO4g97Wj7r6a+F//jXHJq9hM+fz9Iu4dk/
Hpn9Q4L/TH5eyZq/wNCedJsV8fvFX9XB/aSOD7n+fGrHx06a8BiH54Ycb+Ln
OYgnLAvsrYibxk8/NFXVZQifY7wiPi5gRotLGL8nS36PwTeDGKT16y89P78V
/eXfHBny0XkUNy0svUizHxP7ecLv/Trvef+FzmP/jn8mP/SAOP/xA0W+N+h8
b9D53qDzvUHne4PO9wad7w063xt0vjfofG2Dzj9c1Ut9Vtb7lape6rOy3q9U
9VKflfV+paqX+qys9ytVvdRnZb1fqeqlPivr/UpVL/VZWe9Xqnqpz8p6v1LV
S31W1vuVql7qs7Ler1T1Up+V9X6lqpf6rKz3K1W91GdlvV+p6qU+K+v9SlUv
9VlZ71eqeqnPynq/UtVLfVbW+5WqXuqzst6vVPVSn5X1fqWql/qsrPcrVb3U
Z2W9X6nqpT4r6/1KVS/1WVnvV6p6qc/Ker9S1Ut9Vtb7lape6rOy3q9U9VKf
lfV+par3pw06/7GcHvVZWe9XcnrUZ2W9/w+qev/2L5dbEUD4H/33/5L4eRP/
l79T/0Rr4flSdnkcpXERX9rm42Dd3+5Zi8sqj9/poLC8/HpebHah736dlbeG
7nzM9HxU6ka1n7R/ocokiUniro7vWdw1f6GbW5rGDWZo4ENY1mA5Hx9IzrCA
XnAAJIdDX8o2xpOjf6FXfuGDWTbHi3+h57f2ePvxCb4cx9m5pNfh8X/+D+ju
z6Y4KMMbNk2Ps6Yt6+efPPdPtHH0L5gaI6fIkIn84t/aMqyfVftLWcUXTC1h
svCXO/cLQ44T/nef4nESeJxvWvr5v4A4oluIWc8WqLz1Mfl1buCJ0L+Ulyx8
HyL8x9TgvzmUGL+o/PActyC+2m+P76rsC8i1+jgEp0LBo3bS+BLXRKrQTZI9
aP/9pywEnRx9zMz9uM6Pjt751Brezgq/fv6aIQUh5ST/ikf2/IIZwHsWkdRe
noVZS2sGRzKhUdy+1UrnZZqF8OiPR/InzB2UFGOG8W9/W5mGqirM3/8OjxTZ
BbqMowyUgzcMhiCUCwRc/3fUxP5DauJQTX50ujXtx12EFZlGmdAkiUvuQgRB
/LgYEZ/+zXI+UB7XRJVvbEMziX/LWzCT/Ba/G/r1XWIeMPE2S9+SR6E3BeZb
w7wEOTdngEwQtx1mX+eu1vw4GqnxC3Lw9J+h/aviYf4h8bAoHtAddv7XKM79
51/xvd/lt3HqqDn6VtENLOrpPMMcOkntxjUqGTDxfO8e+MjtE1YhCeYfQka5
5gBzkviGBvCQaj+t/eLjDsj40ZKRJGDTDQ3BSFv7If4J+AJEDXIHQf6kwOZf
ftUH+eECM++/yz+DMbTNj5w+9b8AQKebAwZ+AQA=

-->

</rfc>

