<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-mls-extensions-10" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="MLS">The Messaging Layer Security (MLS) Extensions</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-mls-extensions-10"/>
    <author initials="R." surname="Robert" fullname="Raphael Robert">
      <organization>Phoenix R&amp;D</organization>
      <address>
        <email>ietf@raphaelrobert.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Messaging Layer Security</workgroup>
    <keyword>messaging layer security</keyword>
    <keyword>end-to-end encryption</keyword>
    <keyword>application api</keyword>
    <keyword>extension</keyword>
    <keyword>extensibility</keyword>
    <abstract>
      <?line 55?>

<t>The Messaging Layer Security (MLS) protocol is an asynchronous group
authenticated key exchange protocol. MLS provides a number of capabilities to
applications, as well as several extension points internal to the protocol. This
document provides a consolidated application API, guidance for how the
protocol's extension points should be used, and a few concrete examples of both
core protocol extensions and uses of the application API.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://mlswg.github.io/mls-extensions/draft-ietf-mls-extensions.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-mls-extensions/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Messaging Layer Security Working Group mailing list (<eref target="mailto:mls@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/mls/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/mls/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/mlswg/mls-extensions"/>.</t>
    </note>
  </front>
  <middle>
    <?line 64?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This document defines extensions to MLS <xref target="RFC9420"/> that are not part of the
main protocol specification, and uses them to explain how to extend the core
operation of the MLS protocol. It also describes how applications can safely
interact with MLS to take advantage of security features of MLS.</t>
      <t>The MLS protocol is designed to be integrated into applications in order to
provide security services that the application requires. There are two
questions to answer when designing such an integration:</t>
      <ol spacing="normal" type="1"><li>
          <t>How does the application provide the services that MLS requires?</t>
        </li>
        <li>
          <t>How does the application use MLS to get security benefits?</t>
        </li>
      </ol>
      <t>The MLS Architecture <xref target="I-D.ietf-mls-architecture"/> describes the requirements
for the first of these questions, namely the structure of the Delivery Service
and Authentication Service that MLS requires. The next section of this document
focuses on the second question.</t>
      <t>MLS itself offers some basic functions that applications can use, such as the
secure message encapsulation (PrivateMessage), the MLS exporter, and the epoch
authenticator. Current MLS applications make use of these mechanisms to achieve
a variety of confidentiality and authentication properties.</t>
      <t>As application designers become familiar with MLS, there is interest in
leveraging other cryptographic tools that an MLS group provides:</t>
      <ul spacing="normal">
        <li>
          <t>HPKE (Hybrid Public Key Encryption <xref target="RFC9180"/>) and signature key pairs for
each member, where the private key is known only to that member, and the
public key is authenticated to the other members.</t>
        </li>
        <li>
          <t>A pre-shared key mechanism that can allow an application to inject data into
the MLS key schedule.</t>
        </li>
        <li>
          <t>An exporter mechanism that allows applications to derive secrets from the MLS
key schedule.</t>
        </li>
        <li>
          <t>Association of data with Commits as a synchronization mechanism.</t>
        </li>
        <li>
          <t>Binding of information to the GroupContext to confirm group agreement.</t>
        </li>
      </ul>
      <t>There is also interest in exposing an MLS group to multiple loosely coordinated
components of an application. To accommodate such cases, the above mechanisms
need to be exposed in such a way that the usage of different components do not
conflict with each other, or with MLS itself.</t>
      <t>This document defines a set of mechanisms that application components can use to
ensure that their use of these facilities is properly domain-separated from MLS
itself, and from other application components that might be using the same MLS
group.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document makes heavy use of the terminology and the names of structs in the
MLS specification <xref target="RFC9420"/>. In addition, we introduce the following new
terms:</t>
      <dl>
        <dt>Application:</dt>
        <dd>
          <t>The system that instantiates, manages, and uses an MLS group. Each MLS group
is used by exactly one application, but an application may maintain multiple
groups. This does not imply that it need be part of the Application Layer of
the networking stack.</t>
        </dd>
        <dt>Application component:</dt>
        <dd>
          <t>A subsystem of an application that has access to an MLS group.</t>
        </dd>
        <dt>Component ID:</dt>
        <dd>
          <t>An identifier for an application component. These identifiers are assigned by
the application.</t>
        </dd>
      </dl>
    </section>
    <section anchor="developing-extensions-for-the-mls-protocol">
      <name>Developing Extensions for the MLS Protocol</name>
      <t>MLS is highly extensible and was designed to be used in a variety of different
applications. As such, it is important to separate extensions that change the
behavior of an MLS stack, and application usages of MLS that just take advantage
of features of MLS or specific extensions (hereafter referred to as
<em>components</em>). Furthermore, it is essential that application components do not
change the security properties of MLS or require new security analysis of the
MLS protocol itself.</t>
    </section>
    <section anchor="the-safe-application-interface">
      <name>The Safe Application Interface</name>
      <t>The mechanisms in this section take MLS mechanisms that are either not
inherently designed to be used by applications, or not inherently designed to be
used by multiple application components, and adds a domain separator that
separates application usage from MLS usage, and application components' usage
from each other:</t>
      <ul spacing="normal">
        <li>
          <t>Public-key encryption operations are tagged so that encrypted data
will only decrypt in the context of a given component.</t>
        </li>
        <li>
          <t>Signing operations are similarly tagged so that signatures will only verify
in the context of a given component.</t>
        </li>
        <li>
          <t>Exported values include an identifier for the component to which they are
being exported, so that different components will get different exported
values.</t>
        </li>
        <li>
          <t>Pre-shared keys are identified as originating from a specific component, so
that different components' contributions to the MLS key schedule will not
collide.</t>
        </li>
        <li>
          <t>Additional Authenticated Data (AAD) can be domain separated by component.</t>
        </li>
      </ul>
      <t>Similarly, the content of application messages (<tt>application_data</tt>) can be
distinguished and routed to different parts of an application according to
the media type of that content using the content negotiation mechanism defined
in <xref target="content-advertisement"/>.</t>
      <t>We also define new general mechanisms that allow applications to take advantage
of the extensibility mechanisms of MLS without having to define extensions
themselves:</t>
      <ul spacing="normal">
        <li>
          <t>An <tt>app_data_dictionary</tt> extension type that associates application data with
MLS messages or with the state of the group.</t>
        </li>
        <li>
          <t>An AppEphemeral proposal type that enables arbitrary application data to
be associated with a Commit.</t>
        </li>
        <li>
          <t>An AppDataUpdate proposal type that enables efficient updates to
an <tt>app_data_dictionary</tt> GroupContext extension.</t>
        </li>
      </ul>
      <t>As with the above, information carried in these proposals and extensions is
marked as belonging to a specific application component, so that components can
manage their information independently.</t>
      <t>The separation between components is achieved by the application assigning each
component a unique component ID number. These numbers are then incorporated into
the appropriate calculations in the protocol to achieve the required separation.</t>
      <section anchor="component-ids">
        <name>Component IDs</name>
        <t>A component ID is a two-byte value that uniquely identifies a component within
the scope of an application.</t>
        <artwork><![CDATA[
uint16 ComponentID;
]]></artwork>
        <t>When a label is required for an operation, the byte string resulting from the
TLS Presentation Language encoding of the following data structure is used. The
<tt>base_label</tt> field is always the fixed string "MLS Component". The<tt>component_id</tt>
field identifies the component performing the operation. The <tt>label</tt> field
identifies the operation being performed.</t>
        <sourcecode type="tls"><![CDATA[
struct {
  opaque base_label<V>; /* = "MLS Component" */
  ComponentID component_id;
  opaque label<V>;
} ComponentOperationLabel;
]]></sourcecode>
      </section>
      <section anchor="safe-hpke">
        <name>Hybrid Public Key Encryption (HPKE) Keys</name>
        <t>This part of the Safe Application Interface allows components to make use of the
HPKE key pairs generated by MLS. A component identified by a ComponentID can use
any HPKE key pair for any operation defined in <xref target="RFC9180"/>, such as encryption,
exporting keys, and the PSK mode, as long as the <tt>info</tt> input to <tt>Setup&lt;MODE&gt;S</tt>
and <tt>Setup&lt;MODE&gt;R</tt> is set to ComponentOperationLabel with <tt>component_id</tt> set to
the appropriate ComponentID. The <tt>context</tt> can be set to an arbitrary Context
specified by the application designer and can be empty if not needed. For
example, a component can use a key pair PublicKey, PrivateKey to encrypt data as
follows:</t>
        <sourcecode type="tls"><![CDATA[
SafeEncryptWithLabel(PublicKey, ComponentID, Label, Context, Plaintext) =
  EncryptWithLabel(PublicKey, ComponentOperationLabel, Context, Plaintext)

SafeDecryptWithLabel(PrivateKey, ComponentID, Label, Context, KEMOutput,
  Ciphertext) =
  DecryptWithLabel(PrivateKey, ComponentOperationLabel, Context,
    KEMOutput, Ciphertext)
]]></sourcecode>
        <t>Where the fields of ComponentOperationLabel are set to</t>
        <sourcecode type="tls"><![CDATA[
component_id = ComponentID
label = Label
]]></sourcecode>
        <t>For operations involving the secret key, ComponentID <bcp14>MUST</bcp14> be set to the
ComponentID of the component performing the operation, and not to the ID of any
other component. In particular, this means that a component cannot decrypt data
meant for another component, while components can encrypt data that other
components can decrypt.</t>
        <t>In general, a ciphertext encrypted with a PublicKey can be decrypted by any
entity who has the corresponding PrivateKey at a given point in time according
to the MLS protocol (or application component). For convenience, the following
list summarizes lifetimes of MLS key pairs.</t>
        <ul spacing="normal">
          <li>
            <t>The key pair of a non-blank ratchet tree node. The PrivateKey of such a key
pair is known to all members in the node’s subtree. In particular, a
PrivateKey of a leaf node is known only to the member in that leaf. A member
in the subtree stores the PrivateKey for a number of epochs, as long as the
PublicKey does not change. The key pair of the root node <bcp14>SHOULD NOT</bcp14> be used,
since the external key pair recalled below gives better security.</t>
          </li>
          <li>
            <t>The external_priv, external_pub key pair used for external initialization. The
external_priv key is known to all group members in the current epoch. A member
stores external_priv only for the current epoch. Using this key pair gives
better security guarantees than using the key pair of the root of the ratchet
tree and should always be preferred.</t>
          </li>
          <li>
            <t>The init_key in a KeyPackage and the corresponding secret key. The secret key
is known only to the owner of the KeyPackage and is deleted immediately after
it is used to join a group.</t>
          </li>
        </ul>
      </section>
      <section anchor="signature-keys">
        <name>Signature Keys</name>
        <t>MLS session states contain a number of signature keys including the ones in the
LeafNode structs. Application components can safely sign content and verify
signatures using these keys via the SafeSignWithLabel and SafeVerifyWithLabel
functions, respectively, much like how the basic MLS protocol uses SignWithLabel
and VerifyWithLabel.</t>
        <t>In more detail, a component identified by ComponentID should sign and verify
using:</t>
        <sourcecode type="tls"><![CDATA[
SafeSignWithLabel(SignatureKey, ComponentID, Label, Content) =
  SignWithLabel(SignatureKey, ComponentOperationLabel, Content)

SafeVerifyWithLabel(VerificationKey, ComponentID, Label, Content,
  SignatureValue) =
  VerifyWithLabel(VerificationKey, ComponentOperationLabel, Content,
  SignatureValue)
]]></sourcecode>
        <t>Where the fields of ComponentOperationLabel are set to</t>
        <sourcecode type="tls"><![CDATA[
component_id = ComponentID
label = Label
]]></sourcecode>
        <t>For signing operations, the ComponentID <bcp14>MUST</bcp14> be set to the ComponentID of the
component performing the signature, and not to the ID of any other component.
This means that a component cannot produce signatures in place of another
component. However, components can verify signatures computed by other
components. Domain separation is ensured by explicitly including the ComponentID
with every operation.</t>
      </section>
      <section anchor="exported-secrets">
        <name>Exported Secrets</name>
        <t>The MLS Exporter functionality described in <xref section="8.5" sectionFormat="of" target="RFC9420"/> does not
provide forward security for exported secrets, because the <tt>exporter_secret</tt> is
not deleted after a secret has been derived.  In this section, we define a
forward-secure exporter for use by application components.</t>
        <t>The safe exporter is constructed from an Exporter Tree, a tree of secrets with
the same structure as the Secret Tree defined in <xref section="9" sectionFormat="of" target="RFC9420"/>, with
two differences: First, an Exporter Tree always has 2<sup>16</sup> leaves,
corresponding to the 16 bits of a ComponentID value. (As with the Secret Tree,
the nodes of the tree can be generated on-demand, for space-efficiency.) Second,
the root of the Exporter Tree is the <tt>application_export_secret</tt>, an additional
secret derived from the <tt>epoch_secret</tt> at the beginning of the epoch in the same
way as the other secrets listed in Table 4 of <xref target="RFC9420"/> using the label
<tt>"application_export"</tt>.</t>
        <t>This tree defines one exported secret per ComponentID.  The secret for a
ComponentID is the <tt>tree_node_secret</tt> at the leaf node for that ComponentID:</t>
        <artwork><![CDATA[
SafeExportSecret(ComponentID) = tree_node_[LeafIndex(ComponentID)]_secret
]]></artwork>
        <t>Upon generating an exported secret for a component, the MLS implementation <bcp14>MUST</bcp14>
regard that component's exported secret as "consumed", and delete any source key
material according to the deletion schedule in <xref section="9.2" sectionFormat="of" target="RFC9420"/>.</t>
      </section>
      <section anchor="pre-shared-keys-psks">
        <name>Pre-Shared Keys (PSKs)</name>
        <t>PSKs represent key material that is injected into the MLS key schedule when
creating or processing a commit as defined in <xref section="8.4" sectionFormat="of" target="RFC9420"/>. Its
injection into the key schedule means that all group members have to agree on
the value of the PSK.</t>
        <t>While PSKs are typically cryptographic keys which due to their properties add to
the overall security of the group, the PSK mechanism can also be used to ensure
that all members of a group agree on arbitrary pieces of data represented as
octet strings (without the necessity of sending the data itself over the wire).
For example, a component can use the PSK mechanism to enforce that all group
members have access to and agree on a password or a shared file.</t>
        <t>This is achieved by creating a new epoch via a PSK proposal. Transitioning to
the new epoch requires using the information agreed upon.</t>
        <t>To facilitate using PSKs safely, this document defines a new PSKType for
application components. This provides domain separation between pre-shared keys
used by the core MLS protocol and applications, and between those used by
different components.</t>
        <sourcecode type="tls-presentation"><![CDATA[
enum {
  // ...
  application(3),
  (255)
} PSKType;

struct {
  PSKType psktype;
  select (PreSharedKeyID.psktype) {
    // ...
    case application:
      ComponentID component_id;
      opaque psk_id<V>;
  };
  opaque psk_nonce<V>;
} PreSharedKeyID;
]]></sourcecode>
      </section>
      <section anchor="attaching-application-data-to-mls-messages">
        <name>Attaching Application Data to MLS Messages</name>
        <t>The MLS GroupContext, LeafNode, KeyPackage, and GroupInfo objects each have an
<tt>extensions</tt> field that can carry additional data not defined by the MLS
specification. The <tt>app_data_dictionary</tt> extension provides a generic container
that applications can use to attach application data to these messages. Each
usage of the extension serves a slightly different purpose:</t>
        <ul spacing="normal">
          <li>
            <t>GroupContext: Confirms that all members of the group agree on the application
data, and automatically distributes it to new joiners.</t>
          </li>
          <li>
            <t>KeyPackage and LeafNode: Associates the application data to a particular
client, and advertises it to the other members of the group.</t>
          </li>
          <li>
            <t>GroupInfo: Distributes the application data confidentially to the new joiners
for whom the GroupInfo is encrypted (as a Welcome message).</t>
          </li>
        </ul>
        <t>The content of the <tt>app_data_dictionary</tt> extension is a serialized
AppDataDictionary object:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
    ComponentID component_id;
    opaque data<V>;
} ComponentData;

struct {
    ComponentData component_data<V>;
} AppDataDictionary;
]]></sourcecode>
        <t>The entries in the <tt>component_data</tt> <bcp14>MUST</bcp14> be sorted by <tt>component_id</tt>, and there
<bcp14>MUST</bcp14> be at most one entry for each <tt>component_id</tt>.</t>
        <t>An <tt>app_data_dictionary</tt> extension in a LeafNode, KeyPackage, or GroupInfo can
be set when the object is created. An <tt>app_data_dictionary</tt> extension in the
GroupContext needs to be managed using the tools available to update
GroupContext extensions. The creator of the group can set extensions
unilaterally. Thereafter, the AppDataUpdate proposal described in the next
section is used to update the <tt>app_data_dictionary</tt> extension.</t>
        <t>Every implementation that advertises support for the <tt>app_data_dictionary</tt>
extension <bcp14>MUST</bcp14> understand and advertise the <tt>app_components</tt> component defined
in <xref target="negotiation"/>, and it <bcp14>MUST</bcp14> understand the <tt>safe_aad</tt> component defined in
<xref target="safe-aad"/>.</t>
      </section>
      <section anchor="appdataupdate">
        <name>Updating Application Data in the GroupContext</name>
        <t>Updating the <tt>app_data_dictionary</tt> with a GroupContextExtensions proposal is
cumbersome. The application data needs to be transmitted in its entirety, along
with any other extensions, whether or not they are being changed. And a
GroupContextExtensions proposal always requires an UpdatePath, which updating
application state never should.</t>
        <t>The AppDataUpdate proposal allows the <tt>app_data_dictionary</tt> extension to be
updated without these costs. Instead of sending the whole value of the
extension, it sends only an update, which is interpreted by the application to
provide the new content for the <tt>app_data_dictionary</tt> extension. No other
extensions are sent or updated, and no UpdatePath is required.</t>
        <artwork><![CDATA[
enum {
    invalid(0),
    update(1),
    remove(2),
    (255)
} AppDataUpdateOperation;

struct {
    ComponentID component_id;
    AppDataUpdateOperation op;

    select (AppDataUpdate.op) {
        case update: opaque update<V>;
        case remove: struct{};
    };
} AppDataUpdate;
]]></artwork>
        <t>An AppDataUpdate proposal is invalid if its <tt>component_id</tt> references a
component that is not known to the application, or if it specifies the removal
of state for a <tt>component_id</tt> that has no state present. A proposal list is
invalid if it includes multiple AppDataUpdate proposals that <tt>remove</tt> state for
the same <tt>component_id</tt>, or proposals that both <tt>update</tt> and <tt>remove</tt> state for
the same <tt>component_id</tt>. In other words, for a given <tt>component_id</tt>, a proposal
list is valid only if it contains (a) a single <tt>remove</tt> operation or (b) one or
more <tt>update</tt> operations.</t>
        <t>AppDataUpdate proposals are processed after any default proposals (i.e., those
defined in <xref target="RFC9420"/>), and any AppEphemeral proposals (defined in
<xref target="app-ephemeral"/>).</t>
        <t>When an MLS group contains the AppDataUpdate proposal type in the
<tt>proposal_types</tt> list in the group's <tt>required_capabilities</tt> extension, a
GroupContextExtensions proposal <bcp14>MUST NOT</bcp14> add, remove, or modify the
<tt>app_data_dictionary</tt> GroupContext extension. In other words, when AppDataUpdate
is in <tt>proposal_types</tt>, every member of the group supports the AppDataUpdate
proposal, and a GroupContextExtensions proposal could be sent to update some
other extension(s), but the <tt>app_data_dictionary</tt> GroupContext extension, if it
exists, is left as it was.</t>
        <t>A commit can contain a GroupContextExtensions proposal which modifies
GroupContext extensions other than <tt>app_data_dictionary</tt>, and can be followed by
zero or more AppDataUpdate proposals. This allows modifications to both the
<tt>app_data_dictionary</tt> extension (via AppDataUpdate) and other extensions (via
GroupContextExtensions) in the same Commit.</t>
        <t>A client applies AppDataUpdate proposals by component ID. For each
<tt>component_id</tt> field that appears in an AppDataUpdate proposal in the Commit,
the client assembles a list of AppDataUpdate proposals with that <tt>component_id</tt>,
in the order in which they appear in the Commit, and processes them in the
following way:</t>
        <ul spacing="normal">
          <li>
            <t>If the list comprises a single proposal with the <tt>op</tt> field set to <tt>remove</tt>:  </t>
            <ul spacing="normal">
              <li>
                <t>If there is an entry in the <tt>component_data</tt> vector in the
<tt>app_data_dictionary</tt> extension with the specified <tt>component_id</tt>, remove
it.</t>
              </li>
              <li>
                <t>Otherwise, the proposal is invalid.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>If the list comprises one or more proposals, all with <tt>op</tt> field set to
<tt>update</tt>:  </t>
            <ul spacing="normal">
              <li>
                <t>Provide the application logic registered to the <tt>component_id</tt> value with
the content of the <tt>update</tt> field from each proposal, in the order
specified.</t>
              </li>
              <li>
                <t>The application logic returns either an opaque value <tt>new_data</tt> that will
be stored as the new application data for this component, or else an
indication that it considers this update invalid.</t>
              </li>
              <li>
                <t>If the application logic considers the update invalid, the MLS client <bcp14>MUST</bcp14>
consider the proposal list invalid.</t>
              </li>
              <li>
                <t>If no <tt>app_data_dictionary</tt> extension is present in the GroupContext, add
one to the end of the <tt>extensions</tt> list in the GroupContext.</t>
              </li>
              <li>
                <t>If there is an entry in the <tt>component_data</tt> vector in the
<tt>app_data_dictionary</tt> extension with the specified <tt>component_id</tt>, then
set its <tt>data</tt> field to the specified <tt>new_data</tt>.</t>
              </li>
              <li>
                <t>Otherwise, insert a new entry in the <tt>component_data</tt> vector with the
specified <tt>component_id</tt> and the <tt>data</tt> field set to the <tt>new_data</tt> value.
The new entry is inserted at the proper point to keep the
<tt>component_data</tt> vector sorted by <tt>component_id</tt>.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Otherwise, the proposal list is invalid.</t>
          </li>
        </ul>
        <ul empty="true">
          <li>
            <t>NOTE: Putting large amounts of data into the <tt>app_data_dictionary</tt>
GroupContext extension may have a performance impact.</t>
          </li>
        </ul>
        <t>AppDataUpdate proposals do not require an UpdatePath. An AppDataUpdate proposal
can be sent by an external sender. Likewise, AppDataUpdate proposals can be
included in an external Commit. Applications can make more restrictive validity
rules for the update of their components, such that some components would not be
valid at the application when sent in an external Commit or via an external
proposer.</t>
        <t>To avoid storing large amounts of data in the <tt>app_data_dictionary</tt> GroupContext
extension, implementations <bcp14>MAY</bcp14> offer storing only a hash of the actual data in
the GroupContext extension.</t>
      </section>
      <section anchor="app-ephemeral">
        <name>Attaching Application Data to a Commit</name>
        <t>The AppEphemeral proposal type allows an application component to associate
application data to a Commit, so that the member processing the Commit knows
that all other group members will be processing the same data. AppEphemeral
proposals are ephemeral in the sense that they do not change any persistent
state related to MLS, aside from their appearance in the transcript hash.</t>
        <t>The content of an AppEphemeral proposal is a single <tt>component_id</tt> and the
<tt>data</tt> for that component. The proposal type is set in <xref target="iana-considerations"/>.</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
    ComponentID component_id;
    opaque data<V>;
} AppEphemeral;
]]></sourcecode>
        <t>An AppEphemeral proposal is invalid if it contains a <tt>component_id</tt> that is
unknown to the application, or if the <tt>data</tt> field is considered invalid by the
application logic registered to the indicated <tt>component_id</tt>.</t>
        <t>AppEphemeral proposals <bcp14>MUST</bcp14> be processed after any default proposals (i.e.,
those defined in <xref target="RFC9420"/>), but before any AppDataUpdate proposals.</t>
        <t>A client applies an AppEphemeral proposal by providing the <tt>data</tt> field to the
component identified by the <tt>component_id</tt>.
If a Commit references more than one AppEphemeral proposal for the same
<tt>component_id</tt> value, then they <bcp14>MUST</bcp14> be processed in the order in which they are
specified in the Commit.</t>
        <t>AppEphemeral proposals do not require an UpdatePath. An AppEphemeral proposal
can be sent by an external sender. Likewise, AppEphemeral proposals can be
included in an external Commit. Applications can make more restrictive validity
rules for ephemeral updates of their components, such that some components would
not be valid at the application when sent in an external Commit or via an
external proposer.</t>
      </section>
      <section anchor="safe-aad">
        <name>Safe Additional Authenticated Data (AAD)</name>
        <t>Both MLS <tt>PublicMessage</tt> and <tt>PrivateMessage</tt> messages can contain arbitrary
additional application-specific data. The corresponding <tt>authenticated_data</tt>
field that conveys this application-specific data appears in the
<tt>FramedContent</tt> struct for <tt>PublicMessage</tt> and directly in the <tt>PrivateMessage</tt>
struct.</t>
        <t>In an MLS <tt>PrivateMessage</tt>, the <tt>authenticated_data</tt> is also present in
intermediary structs: in the <tt>FramedContent</tt>, which is used to generate the
message signature and tags, and in the <tt>PrivateContentAAD</tt>, which is used as
the AAD input to the <tt>PrivateMessage.ciphertext</tt>.</t>
        <t>The Safe AAD framing allows multiple application components
to add AAD safely to the <tt>authenticated_data</tt> without conflicts or ambiguity.</t>
        <t>If the <tt>safe_aad</tt> component in the <tt>app_data_dictionary</tt> extension is present in
the GroupContext (see <xref target="negotiation"/>), the entire <tt>authenticated_data</tt> field is
framed as a <tt>SafeAAD</tt> struct such that the elements of <tt>aad_items</tt> are sorted in
increasing numerical order of the <tt>component_id</tt>. The struct is described below:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  ComponentID component_id;
  opaque aad_item_data<V>;
} SafeAADItem;

struct {
  SafeAADItem aad_items<V>;
} SafeAAD;
]]></sourcecode>
        <t>If <tt>safe_aad</tt> is present, but none of the "safe" AAD components have data to
send in a particular message, the <tt>aad_items</tt> is a zero-length vector.</t>
      </section>
    </section>
    <section anchor="negotiation">
      <name>Negotiating Extensions and Components</name>
      <t>MLS defines a <tt>Capabilities</tt> struct for LeafNodes (in turn used in
KeyPackages), which describes which extensions are supported by the
associated node.</t>
      <t>However, that struct (defined in <xref section="7.2" sectionFormat="of" target="RFC9420"/>) only has
fields for a subset of the extensions possible in MLS, as reproduced below.</t>
      <sourcecode type="tls-presentation"><![CDATA[
struct {
    ProtocolVersion versions<V>;
    CipherSuite cipher_suites<V>;
    ExtensionType extensions<V>;
    ProposalType proposals<V>;
    CredentialType credentials<V>;
} Capabilities;
]]></sourcecode>
      <ul empty="true">
        <li>
          <t>The "MLS Extension Types" registry represents extensibility of four
  core structs (<tt>GroupContext</tt>, <tt>GroupInfo</tt>, <tt>KeyPackage</tt>, and <tt>LeafNode</tt>)
  that have far reaching effects on the use of the protocol. The majority of
  MLS extensions in <xref target="RFC9420"/> extend one or more of these core structs.</t>
        </li>
      </ul>
      <t>Likewise, the <tt>required_capabilities</tt> GroupContext extension (defined in
<xref section="11.1" sectionFormat="of" target="RFC9420"/> and reproduced below) contains all non-default
extensions that are mandatory to support in its <tt>extension_types</tt> vector. Its
<tt>proposal_types</tt> vector contains any Proposals that are mandatory to support.
Its <tt>credential_types</tt> vector contains any mandatory credential types.</t>
      <artwork><![CDATA[
struct {
   ExtensionType extension_types<V>;
   ProposalType proposal_types<V>;
   CredentialType credential_types<V>;
} RequiredCapabilities;
]]></artwork>
      <t>Due to an oversight in <xref target="RFC9420"/>, the Capabilities struct does not include
MLS Wire Formats. Instead, this document defines two extensions:
<tt>supported_wire_formats</tt> (which can appear in LeafNodes), and
<tt>required_wire_formats</tt> (which can appear in the GroupContext).</t>
      <sourcecode type="tls-presentation"><![CDATA[
struct {
   WireFormat wire_formats<V>;
} WireFormats;

WireFormats supported_wire_formats;
WireFormats required_wire_formats;
]]></sourcecode>
      <t>This document also defines new components of the <tt>app_data_dictionary</tt> extension
for supported and required Safe AAD, media types, and components.</t>
      <t>The <tt>safe_aad</tt> component contains a list of component IDs. When present (in an
<tt>app_data_dictionary</tt> extension) in a LeafNode, the semantics are the list of
supported components that use Safe AAD. When present (in an
<tt>app_data_dictionary</tt> extension) in the GroupContext, the semantics are the list
of required Safe AAD components (those that must be understood by the entire
group). If the <tt>safe_aad</tt> component is present, even with an empty list, (in the
<tt>app_data_dictionary</tt> extension) in the GroupContext, then the
<tt>authenticated_data</tt> field always starts with the SafeAAD struct defined in
<xref target="safe-aad"/>.</t>
      <sourcecode type="tls-presentation"><![CDATA[
struct {
    ComponentID component_ids<V>;
} ComponentsList;

ComponentsList safe_aad;
]]></sourcecode>
      <t>The list of required and supported components follows the same model with the
new component <tt>app_components</tt>. When present in a LeafNode, the semantics are
the list of supported components. When present in the GroupContext, the
semantics are the list of required components.</t>
      <sourcecode type="tls-presentation"><![CDATA[
ComponentsList app_components;
]]></sourcecode>
      <t>Finally, the supported and required media types (formerly called MIME types) are
communicated in the <tt>content_media_types</tt> component (see
<xref target="content-advertisement"/>).</t>
      <section anchor="grease">
        <name>GREASE</name>
        <t>The "Generate Random Extensions And Sustain Extensibility" (GREASE) approach is
described in <xref section="13.5" sectionFormat="of" target="RFC9420"/>. Further, <xref section="7.2" sectionFormat="of" target="RFC9420"/>
says that:</t>
        <ul empty="true">
          <li>
            <t>"As discussed in Section 13, unknown values in <tt>capabilities</tt> <bcp14>MUST</bcp14> be ignored,
and the creator of a <tt>capabilities</tt> field <bcp14>SHOULD</bcp14> include some random GREASE
values to help ensure that other clients correctly ignore unknown values."</t>
          </li>
        </ul>
        <t>This specification adds the following locations where GREASE values for
components can be included:</t>
        <ul spacing="normal">
          <li>
            <t>LeafNode.extensions.app_data_dictionary.safe_aad</t>
          </li>
          <li>
            <t>LeafNode.extensions.app_data_dictionary.app_components</t>
          </li>
          <li>
            <t>LeafNode.extensions.app_data_dictionary</t>
          </li>
          <li>
            <t>KeyPackage.extensions.app_data_dictionary</t>
          </li>
          <li>
            <t>GroupInfo.extensions.app_data_dictionary</t>
          </li>
        </ul>
        <t>Unknown values (including GREASE values) in any of these fields <bcp14>MUST</bcp14> be ignored
by receivers. A random selection of GREASE values <bcp14>SHOULD</bcp14> be included in any of
these fields that would otherwise be present.</t>
      </section>
    </section>
    <section anchor="extensions">
      <name>Extensions</name>
      <section anchor="appack">
        <name>AppAck</name>
        <t>An AppAck object is used to acknowledge receipt of application messages. Though
this information implies no change to the group, it is conveyed inside an
AppEphemeral Proposal with a component ID <tt>app_ack</tt>, so that it is included in
the group's transcript by being included in Commit messages.</t>
        <sourcecode type="tls"><![CDATA[
struct {
    uint32 sender;
    uint32 first_generation;
    uint32 last_generation;
} MessageRange;

struct {
    MessageRange received_ranges<V>;
} AppAck;
]]></sourcecode>
        <t>An AppAck represents a set of messages received by the sender in the current
epoch. Messages are represented by the <tt>sender</tt> and <tt>generation</tt> values in the
PrivateMessage for the message. Each MessageRange represents receipt of a span
of messages whose <tt>generation</tt> values form a continuous range from
<tt>first_generation</tt> to <tt>last_generation</tt>, inclusive.</t>
        <t>AppAck objects are sent as a guard against the Delivery Service dropping
application messages. The sequential nature of the <tt>generation</tt> field provides a
degree of loss detection, since gaps in the <tt>generation</tt> sequence indicate
dropped messages. AppAck completes this story by addressing the scenario where
the Delivery Service drops all messages after a certain point, so that a later
generation is never observed. Obviously, there is a risk that AppAck messages
could be suppressed as well, but their inclusion in the transcript means that if
they are suppressed then the group cannot advance at all.</t>
      </section>
      <section anchor="content-advertisement">
        <name>Content Advertisement</name>
        <section anchor="description">
          <name>Description</name>
          <t>This section defines a minimal framing format so MLS clients can signal which
media type is being sent inside the MLS <tt>application_data</tt> object when multiple
formats are permitted in the same group.</t>
          <t>It also defines a new <tt>content_media_types</tt> application component which is used
to indicate support for specific formats, using the extensive IANA Media Types
registry (formerly called MIME types). When the <tt>content_media_types</tt> component
is present (in the <tt>app_data_dictionary</tt> extension) in a LeafNode, it indicates
that node's support for a particular (non-empty) list of media types. When the
<tt>content_media_types</tt> component is present (in the <tt>app_data_dictionary</tt>
extension) in the GroupContext, it indicates a (non-empty) list of media types
that need to be supported by all members of that MLS group, <em>and</em> that the
<tt>application_data</tt> will be framed using the application framing format described
later in <xref target="app-framing"/>. This allows clients to confirm that all members of a
group can communicate.</t>
          <ul empty="true">
            <li>
              <t>Note that when the membership of a group changes, or when the policy of the
 group changes, it is responsibility of the committer to ensure that the
 membership and policies are compatible.</t>
            </li>
          </ul>
          <t>As clients are upgraded to support new formats they can use these extensions to
detect when all members support a new or more efficient encoding, or select the
relevant format or formats to send.</t>
          <t>Vendor-specific media subtypes starting with <tt>vnd.</tt> can be registered with IANA
without standards action as described in <xref target="RFC6838"/>. Implementations which
wish to send multiple formats in a single application message, may be interested
in the <tt>multipart/alternative</tt> media type defined in <xref target="RFC2046"/> or may use or
define another type with similar semantics (for example using TLS Presentation
Language syntax <xref target="RFC8446"/>).</t>
          <ul empty="true">
            <li>
              <t>Note that the usage of IANA media types in general does not imply the usage of
 MIME Headers <xref target="RFC2045"/> for framing.</t>
            </li>
          </ul>
        </section>
        <section anchor="syntax">
          <name>Syntax</name>
          <t>MediaType is a TLS encoding of a single IANA media type (including top-level
type and subtype) and any of its parameters. Even if the <tt>parameter_value</tt> would
have required formatting as a <tt>quoted-string</tt> in a text encoding, only the
contents inside the <tt>quoted-string</tt> are included in <tt>parameter_value</tt>. Likewise,
only the second character of a <tt>quoted-pair</tt> is included in <tt>parameter_value</tt>;
the first escaping backslash ("") is omitted. MediaTypeList is an ordered list
of MediaType objects.</t>
          <sourcecode type="tls"><![CDATA[
struct {
    opaque parameter_name<V>;
    /* Note: parameter_value never includes the quotation marks of */
    /* an RFC 2045 quoted-string or the first "\" of a quoted-pair */
    opaque parameter_value<V>;
} Parameter;

struct {
    /* type is an IANA top-level media type, a "/" character,
     * and the IANA media subtype */
    opaque type<V>;

    /* a list of zero or more parameters defined for the subtype */
    Parameter parameters<V>;
} MediaType;

struct {
    /* must contain at least one item */
    MediaType media_type_list<V>;
} MediaTypeList;

MediaTypeList content_media_types;
]]></sourcecode>
          <t>Example IANA media types with optional parameters:</t>
          <sourcecode type="artwork"><![CDATA[
  image/png
  text/plain ;charset="UTF-8"
  application/json
  application/vnd.example.msgbus+cbor
]]></sourcecode>
          <t>For the example media type for <tt>text/plain</tt>, the <tt>media_type.type</tt> field would
be <tt>text/plain</tt>, <tt>media_type.parameters</tt> would contain a single Parameter with a
<tt>parameter_name</tt> of <tt>charset</tt> and a <tt>parameter_value</tt> of <tt>UTF-8</tt>.</t>
        </section>
        <section anchor="expected-behavior">
          <name>Expected Behavior</name>
          <t>An MLS client which implements this section <bcp14>SHOULD</bcp14> include the
<tt>content_media_types</tt> component (in the <tt>app_data_dictionary</tt> extension) in its
LeafNodes, with a <tt>media_type_list</tt> vector listing all the media types it can
receive. As usual, the client also includes <tt>content_media_types</tt> in the
<tt>app_components</tt> list (in the <tt>app_data_dictionary</tt> extension), and support for
the <tt>app_data_dictionary</tt> extension in its <tt>capabilities.extensions</tt> field in
its LeafNodes (including in LeafNodes inside its KeyPackages).</t>
          <t>When creating a new MLS group for an application using this specification, the
group <bcp14>MAY</bcp14> include a <tt>content_media_types</tt> component (in the
<tt>app_data_dictionary</tt> extension) in the GroupContext. (The creating client also
includes its <tt>content_media_types</tt> component in its own LeafNode as described in
the previous paragraph.)</t>
          <t>MLS clients <bcp14>SHOULD NOT</bcp14> add an MLS client to an MLS group with
<tt>content_media_types</tt> in its GroupContext unless all the members (after taking
into account any membership changes in the valid pending Proposals) advertise
support for all the required media types. As an exception, a client could be
preconfigured to know that certain clients support the required types. Likewise,
an MLS client is already forbidden from issuing or committing a
GroupContextExtensions Proposal which introduces required extensions which are
not supported by all members in the resulting epoch.</t>
        </section>
        <section anchor="app-framing">
          <name>Framing of application_data</name>
          <t>When an MLS group contains the <tt>content_media_types</tt> component (in the
<tt>app_data_dictionary</tt> extension) in its GroupContext, the <tt>application_data</tt>
sent in that group is interpreted as <tt>ApplicationFraming</tt> as defined below:</t>
          <sourcecode type="tls"><![CDATA[
  struct {
      MediaType media_type;
      opaque inner_application_content<V>;
  } ApplicationFraming;
]]></sourcecode>
          <t>The <tt>media_type.type</tt> <bcp14>MAY</bcp14> be zero length, in which case, the media type of the
<tt>inner_application_content</tt> is interpreted as the first MediaType specified in
the <tt>content_media_types</tt> component in the GroupContext.</t>
        </section>
      </section>
      <section anchor="selfremove-proposal">
        <name>SelfRemove Proposal</name>
        <t>The design of the MLS protocol prevents a member of an MLS group from removing
itself immediately from the group. (To cause an immediate change in the group, a
member must send a Commit message. However, the sender of a Commit message knows
the keying material of the new epoch and therefore needs to be part of the
group.) Instead, a member wishing to remove itself can send a Remove Proposal
and wait for another member to Commit its Proposal.</t>
        <t>Unfortunately, MLS clients that join via an external Commit ignore pending, but
otherwise valid, Remove Proposals. The member trying to remove itself has to
monitor the group and send a new Remove Proposal in every new epoch until the
member is removed. In a group with a burst of external joiners, a member
connected over a high-latency link (or one that is merely unlucky) might have to
wait several epochs to remove itself. A real-world situation in which this
happens is a member trying to remove itself from a conference call as several
dozen new participants are trying to join (often on the hour).</t>
        <t>This section describes a new <tt>SelfRemove</tt> proposal type. It is designed to be
included in external Commits.</t>
        <section anchor="proposal-description">
          <name>Proposal Description</name>
          <t>This document specifies a new MLS Proposal type called <tt>SelfRemove</tt>. Its syntax
is described using the TLS Presentation Language <xref target="RFC8446"/> below (its content
is an empty struct). It is allowed in external Commits and requires an
UpdatePath. SelfRemove proposals are only allowed in a Commit by reference.
SelfRemove cannot be sent as an external proposal.</t>
          <sourcecode type="tls-presentation"><![CDATA[
struct {} SelfRemove;

struct {
    ProposalType msg_type;
    select (Proposal.msg_type) {
        case add:                      Add;
        case update:                   Update;
        case remove:                   Remove;
        case psk:                      PreSharedKey;
        case reinit:                   ReInit;
        case external_init:            ExternalInit;
        case group_context_extensions: GroupContextExtensions;
        case self_remove:              SelfRemove;
    };
} Proposal;
]]></sourcecode>
          <t>The struct above reproduces the <tt>Proposal</tt> type from <xref target="RFC9420"/> with the
<tt>self_remove</tt> case added to show where SelfRemove fits. It is not the complete
extended set: the <tt>app_ephemeral</tt> and <tt>app_data_update</tt> proposal types defined
in this document extend the same enum.</t>
          <t>The description of behavior below only applies if all the members of a group
support this proposal in their capabilities; such a group is a
"self-remove-capable group".</t>
          <t>An MLS client which supports this proposal can send a SelfRemove Proposal
whenever it would like to remove itself from a self-remove-capable group.
Because the point of a SelfRemove Proposal is to be available to external
joiners (which are not yet members), these proposals <bcp14>MUST</bcp14> be sent in an MLS
PublicMessage.</t>
          <t>Whenever a member receives a SelfRemove Proposal, it includes it along with any
other pending Proposals when sending a Commit. It already <bcp14>MUST</bcp14> send a Commit of
pending Proposals before sending new application messages.</t>
          <t>When a member receives a Commit referencing one or more SelfRemove Proposals, it
treats the proposal like a Remove Proposal, except the leaf node to remove is
determined by looking in the Sender <tt>leaf_index</tt> of the original Proposal. The
member is able to verify that the Sender was a member.</t>
          <t>Whenever a new joiner is about to join a self-remove-capable group with an
external Commit, the new joiner <bcp14>MUST</bcp14> fetch any pending SelfRemove Proposals
along with the GroupInfo object, and include the SelfRemove Proposals in its
external Commit by reference. (An external Commit can contain zero or more
SelfRemove proposals). The new joiner <bcp14>MUST</bcp14> validate the SelfRemove Proposal
before including it by reference, except that it skips the validation of the
<tt>membership_tag</tt> because a non-member cannot verify membership.</t>
          <t>During validation, SelfRemove proposals are processed after Update proposals and
before Remove proposals. If there is a pending SelfRemove proposal for a
specific leaf node and a pending Remove proposal for the same leaf node, the
Remove proposal is invalid. A client <bcp14>MUST NOT</bcp14> issue more than one SelfRemove
proposal per epoch.</t>
          <t>The MLS Delivery Service (DS) needs to validate SelfRemove Proposals it receives
(except that it cannot validate the <tt>membership_tag</tt>). If the DS provides a
GroupInfo object to an external joiner, the DS <bcp14>SHOULD</bcp14> attach any SelfRemove
proposals known to the DS to the GroupInfo object.</t>
          <t>As with Remove proposals, clients need to be able to receive a Commit message
which removes them from the group via a SelfRemove. If the DS does not forward a
Commit to a removed client, it needs to inform the removed client out-of-band.</t>
        </section>
      </section>
      <section anchor="last-resort-keypackages">
        <name>Last-Resort KeyPackages</name>
        <t>Type: KeyPackage component</t>
        <section anchor="description-1">
          <name>Description</name>
          <t><xref section="10" sectionFormat="of" target="RFC9420"/> details that clients are required to pre-publish
KeyPackages so that other clients can add them to groups asynchronously. It also
states that they should not be re-used:</t>
          <ul empty="true">
            <li>
              <t>KeyPackages are intended to be used only once and <bcp14>SHOULD NOT</bcp14> be reused except
in the case of a "last resort" KeyPackage (see Section 16.8). Clients <bcp14>MAY</bcp14>
generate and publish multiple KeyPackages to support multiple cipher suites.</t>
            </li>
          </ul>
          <t><xref section="16.8" sectionFormat="of" target="RFC9420"/> then introduces the notion of last-resort
KeyPackages as follows:</t>
          <ul empty="true">
            <li>
              <t>An application <bcp14>MAY</bcp14> allow for reuse of a "last resort" KeyPackage in order to
prevent denial-of-service attacks.</t>
            </li>
          </ul>
          <t>However, <xref target="RFC9420"/> does not specify how to distinguish regular KeyPackages
from last-resort ones. The last_resort_key_package KeyPackage application
component defined in this section fills this gap and allows clients to
specifically mark KeyPackages as KeyPackages of last resort that <bcp14>MAY</bcp14> be used
more than once in scenarios where all other KeyPackages have already been used.</t>
          <t>The component allows clients that pre-publish KeyPackages to signal to the
Delivery Service which KeyPackage(s) are meant to be used as last-resort
KeyPackages.</t>
          <t>An additional benefit of using a component rather than communicating the
information out-of-band is that the component is still present in Add proposals.
Clients processing such Add proposals can authenticate that a KeyPackage is a
last-resort KeyPackage and <bcp14>MAY</bcp14> make policy decisions based on that information.</t>
        </section>
        <section anchor="format">
          <name>Format</name>
          <t>The purpose of the application component is simply to mark a given KeyPackage,
which means it carries no additional data.</t>
          <t>As a result, a <tt>last_resort_key_package</tt> component contains the <tt>component_id</tt>
with an empty <tt>data</tt> field.</t>
        </section>
      </section>
      <section anchor="multi-credentials">
        <name>Multi-Credentials</name>
        <t>Multi-credentials address use cases where there might not be a single credential
that captures all of a client's authenticated attributes. For example, an
enterprise messaging client may wish to provide attributes both from its
messaging service, to prove that its user has a given handle in that service,
and from its corporate owner, to prove that its user is an employee of the
corporation. Multi-credentials can also be used in migration scenarios, where
some clients in a group might wish to rely on a newer type of credential, but
other clients haven't yet been upgraded.</t>
        <t>New credential types <tt>MultiCredential</tt> and <tt>WeakMultiCredential</tt> are defined as
shown below. These credential types are indicated with the values <tt>multi</tt> and
<tt>weak-multi</tt> (see <xref target="iana-creds"/>).</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  CipherSuite cipher_suite;
  Credential credential;
  SignaturePublicKey credential_key;

  /* SignWithLabel(., "CredentialBindingTBS", CredentialBindingTBS) */
  opaque signature<V>;
} CredentialBinding;

struct {
  CredentialBinding bindings<V>;
} MultiCredential;

struct {
  CredentialBinding bindings<V>;
} WeakMultiCredential;
]]></sourcecode>
        <t>The two types of credentials are processed in exactly the same way. The only
difference is in how they are treated when evaluating support by other clients,
as discussed below.</t>
        <section anchor="credential-bindings">
          <name>Credential Bindings</name>
          <t>A multi-credential consists of a collection of "credential bindings". Each
credential binding is a signed statement by the holder of the credential that
the signature key in the LeafNode belongs to the holder of that credential.
Specifically, the signature is computed using the MLS <tt>SignWithLabel</tt> function,
with label <tt>"CredentialBindingTBS"</tt> and with a content that covers the contents
of the CredentialBinding, plus the <tt>signature_key</tt> field from the LeafNode in
which this credential will be embedded.</t>
          <sourcecode type="tls-presentation"><![CDATA[
struct {
  CipherSuite cipher_suite;
  Credential credential;
  SignaturePublicKey credential_key;
  SignaturePublicKey signature_key;
} CredentialBindingTBS;
]]></sourcecode>
          <t>The <tt>cipher_suite</tt> for a credential is NOT <bcp14>REQUIRED</bcp14> to match the cipher suite
for the MLS group in which it is used, but <bcp14>MUST</bcp14> meet the support requirements
with regard to support by group members discussed below.</t>
        </section>
        <section anchor="verifying-a-multi-credential">
          <name>Verifying a Multi-Credential</name>
          <t>A credential binding is supported by a client if the client supports the
credential type and cipher suite of the binding. A credential binding is valid
in the context of a given LeafNode if all of the following are true:</t>
          <ul spacing="normal">
            <li>
              <t>The <tt>credential</tt> is valid according to the MLS Authentication Service.</t>
            </li>
            <li>
              <t>The <tt>credential_key</tt> corresponds to the specified <tt>credential</tt>, in the same
way that the <tt>signature_key</tt> would have to correspond to the credential if
the credential were presented in a LeafNode.</t>
            </li>
            <li>
              <t>The <tt>signature</tt> field is valid with respect to the <tt>signature_key</tt> value in
the leaf node.</t>
            </li>
          </ul>
          <t>A client that receives a credential of type <tt>multi</tt> in a LeafNode <bcp14>MUST</bcp14> verify
that all of the following are true:</t>
          <ul spacing="normal">
            <li>
              <t>All members of the group support credential type <tt>multi</tt>.</t>
            </li>
            <li>
              <t>For each credential binding in the multi-credential:  </t>
              <ul spacing="normal">
                <li>
                  <t>Every member of the group supports the cipher suite and credential type
values for the binding.</t>
                </li>
                <li>
                  <t>The binding is valid in the context of the LeafNode.</t>
                </li>
              </ul>
            </li>
          </ul>
          <t>A client that receives a credential of type <tt>weak-multi</tt> in a LeafNode <bcp14>MUST</bcp14>
verify that all of the following are true:</t>
          <ul spacing="normal">
            <li>
              <t>All members of the group support credential type <tt>weak-multi</tt>.</t>
            </li>
            <li>
              <t>Each member of the group supports at least one binding in the
multi-credential. (Different members may support different subsets.)</t>
            </li>
            <li>
              <t>Every binding that this client supports is valid in the context of the
LeafNode.</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document requests the addition of various new values under the heading of
"Messaging Layer Security". Each registration is organized under the relevant
registry Type.</t>
      <t>This document also requests the creation of a new "MLS Component Types"
registry as described in <xref target="iana-components"/>.</t>
      <t>RFC EDITOR: Please replace XXXX throughout with the RFC number assigned to this
document</t>
      <section anchor="mls-extension-types">
        <name>MLS Extension Types</name>
        <section anchor="appdatadictionary-mls-extension">
          <name>app_data_dictionary MLS Extension</name>
          <t>The <tt>app_data_dictionary</tt> MLS Extension Type is used inside KeyPackage,
LeafNode, GroupContext, or GroupInfo objects. It contains a sorted list of
application component data objects (at most one per component).</t>
          <ul spacing="normal">
            <li>
              <t>Value: 0x0006 (suggested)</t>
            </li>
            <li>
              <t>Name: app_data_dictionary</t>
            </li>
            <li>
              <t>Message(s): KP: This extension may appear in KeyPackage objects
            LN: This extension may appear in LeafNode objects
            GC: This extension may appear in GroupContext objects
            GI: This extension may appear in GroupInfo objects</t>
            </li>
            <li>
              <t>Recommended: Y</t>
            </li>
            <li>
              <t>Reference: RFC XXXX</t>
            </li>
          </ul>
        </section>
        <section anchor="supportedwireformats-mls-extension">
          <name>supported_wire_formats MLS Extension</name>
          <t>The <tt>supported_wire_formats</tt> MLS Extension Type is used inside LeafNode objects.
It contains a list of non-default Wire Formats supported by the client node.</t>
          <ul spacing="normal">
            <li>
              <t>Value: 0x0007 (suggested)</t>
            </li>
            <li>
              <t>Name: supported_wire_formats</t>
            </li>
            <li>
              <t>Message(s): LN: This extension may appear in LeafNode objects</t>
            </li>
            <li>
              <t>Recommended: Y</t>
            </li>
            <li>
              <t>Reference: RFC XXXX</t>
            </li>
          </ul>
        </section>
        <section anchor="requiredwireformats-mls-extension">
          <name>required_wire_formats MLS Extension</name>
          <t>The <tt>required_wire_formats</tt> MLS Extension Type is used inside GroupContext
objects. It contains a list of non-default Wire Formats that are mandatory for
all MLS members of the group to support.</t>
          <ul spacing="normal">
            <li>
              <t>Value: 0x0008 (suggested)</t>
            </li>
            <li>
              <t>Name: required_wire_formats</t>
            </li>
            <li>
              <t>Message(s): GC: This extension may appear in GroupContext objects</t>
            </li>
            <li>
              <t>Recommended: Y</t>
            </li>
            <li>
              <t>Reference: RFC XXXX</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="mls-proposal-types">
        <name>MLS Proposal Types</name>
        <section anchor="appdataupdate-proposal">
          <name>AppDataUpdate Proposal</name>
          <t>The <tt>app_data_update</tt> MLS Proposal Type is used to efficiently update
application component data stored in the <tt>app_data_dictionary</tt> GroupContext
extension.</t>
          <ul spacing="normal">
            <li>
              <t>Value: 0x0008 (suggested)</t>
            </li>
            <li>
              <t>Name: app_data_update</t>
            </li>
            <li>
              <t>Recommended: Y</t>
            </li>
            <li>
              <t>External: Y</t>
            </li>
            <li>
              <t>Path Required: N</t>
            </li>
          </ul>
        </section>
        <section anchor="appephemeral-proposal">
          <name>AppEphemeral Proposal</name>
          <t>The <tt>app_ephemeral</tt> MLS Proposal Type is used to send opaque ephemeral
 application data that needs to be synchronized with a specific MLS epoch.</t>
          <ul spacing="normal">
            <li>
              <t>Value: 0x0009 (suggested)</t>
            </li>
            <li>
              <t>Name: app_ephemeral</t>
            </li>
            <li>
              <t>Recommended: Y</t>
            </li>
            <li>
              <t>External: Y</t>
            </li>
            <li>
              <t>Path Required: N</t>
            </li>
          </ul>
        </section>
        <section anchor="selfremove-proposal-1">
          <name>SelfRemove Proposal</name>
          <t>The <tt>self_remove</tt> MLS Proposal Type is used for a member to remove itself from a
group more efficiently than using a <tt>remove</tt> proposal type, as the <tt>self_remove</tt>
type is permitted in external Commits.</t>
          <ul spacing="normal">
            <li>
              <t>Value: 0x000a (suggested)</t>
            </li>
            <li>
              <t>Name: self_remove</t>
            </li>
            <li>
              <t>Recommended: Y</t>
            </li>
            <li>
              <t>External: N</t>
            </li>
            <li>
              <t>Path Required: Y</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="iana-creds">
        <name>MLS Credential Types</name>
        <section anchor="multi-credential">
          <name>Multi-Credential</name>
          <ul spacing="normal">
            <li>
              <t>Value: 0x0003 (suggested)</t>
            </li>
            <li>
              <t>Name: multi</t>
            </li>
            <li>
              <t>Recommended: Y</t>
            </li>
            <li>
              <t>Reference: RFC XXXX</t>
            </li>
          </ul>
        </section>
        <section anchor="weak-multi-credential">
          <name>Weak Multi-Credential</name>
          <ul spacing="normal">
            <li>
              <t>Value: 0x0004 (suggested)</t>
            </li>
            <li>
              <t>Name: weak-multi</t>
            </li>
            <li>
              <t>Recommended: Y</t>
            </li>
            <li>
              <t>Reference: RFC XXXX</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="mls-signature-labels">
        <name>MLS Signature Labels</name>
        <section anchor="credentialbindingtbs">
          <name>CredentialBindingTBS</name>
          <ul spacing="normal">
            <li>
              <t>Label: "CredentialBindingTBS"</t>
            </li>
            <li>
              <t>Recommended: Y</t>
            </li>
            <li>
              <t>Reference: RFC XXXX</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="iana-components">
        <name>MLS Component Types</name>
        <t>This document requests the creation of a new IANA "MLS Component Types" registry
under the "Messaging Layer Security" group registry heading. Assignments to this
registry in the range 0x0000 to 0x7FFF are via Specification Required
policy <xref target="RFC8126"/> using the MLS Designated Experts. Assignments in the range
0x8000 to 0xFFFF are for private use.</t>
        <t>Template:</t>
        <ul spacing="normal">
          <li>
            <t>Value: The numeric value of the component ID</t>
          </li>
          <li>
            <t>Name: The name of the component</t>
          </li>
          <li>
            <t>Where: The object(s) in which the component may appear,
       drawn from the following list:
            </t>
            <ul spacing="normal">
              <li>
                <t>AD: SafeAAD objects</t>
              </li>
              <li>
                <t>AE: AppEphemeral proposals</t>
              </li>
              <li>
                <t>ES: Exporter Secret labels</t>
              </li>
              <li>
                <t>GC: GroupContext objects</t>
              </li>
              <li>
                <t>GI: GroupInfo objects</t>
              </li>
              <li>
                <t>HP: HPKE key labels</t>
              </li>
              <li>
                <t>KP: KeyPackage objects</t>
              </li>
              <li>
                <t>LN: LeafNode objects</t>
              </li>
              <li>
                <t>PS: PSK labels</t>
              </li>
              <li>
                <t>SK: Signature Key labels</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Recommended: Same as in <xref section="17.1" sectionFormat="of" target="RFC9420"/></t>
          </li>
          <li>
            <t>Reference: The document where this component is defined</t>
          </li>
        </ul>
        <t>The restrictions noted in the "Where" column are to be enforced by the
application. MLS implementations <bcp14>MUST NOT</bcp14> impose restrictions on where component
IDs are used in which parts of MLS, unless specifically directed to by the
application.</t>
        <t>Initial Contents:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Name</th>
              <th align="left">Where</th>
              <th align="left">R</th>
              <th align="left">Ref</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x0000</td>
              <td align="left">RESERVED</td>
              <td align="left">N/A</td>
              <td align="left">-</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x0001</td>
              <td align="left">app_components</td>
              <td align="left">LN,GC</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x0002</td>
              <td align="left">safe_aad</td>
              <td align="left">LN,GC</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x0003</td>
              <td align="left">content_media_types</td>
              <td align="left">LN,GC</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x0004</td>
              <td align="left">last_resort_key_package</td>
              <td align="left">KP</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x0005</td>
              <td align="left">app_ack</td>
              <td align="left">AE</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x0A0A</td>
              <td align="left">GREASE</td>
              <td align="left">Note1</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x1A1A</td>
              <td align="left">GREASE</td>
              <td align="left">Note1</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x2A2A</td>
              <td align="left">GREASE</td>
              <td align="left">Note1</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x3A3A</td>
              <td align="left">GREASE</td>
              <td align="left">Note1</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x4A4A</td>
              <td align="left">GREASE</td>
              <td align="left">Note1</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x5A5A</td>
              <td align="left">GREASE</td>
              <td align="left">Note1</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x6A6A</td>
              <td align="left">GREASE</td>
              <td align="left">Note1</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x7A7A</td>
              <td align="left">GREASE</td>
              <td align="left">Note1</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x8000 - 0xFFFF</td>
              <td align="left">Reserved for Private Use</td>
              <td align="left">N/A</td>
              <td align="left">N</td>
              <td align="left">RFC XXXX</td>
            </tr>
          </tbody>
        </table>
        <ul empty="true">
          <li>
            <t>Note1: GREASE values for components <bcp14>MAY</bcp14> be present in GI, KP, and LN
objects.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security considerations</name>
      <section anchor="safe-application-interface">
        <name>Safe Application Interface</name>
        <t>The Safe Application Interface provides the following security guarantee: If an
application uses MLS with application components, the security guarantees of the
base MLS protocol and the security guarantees of each application component
analyzed in isolation, still hold for the composed application of the MLS
protocol. In other words, the Safe Application Interface protects applications
from careless component developers. It is not possible that a combination of
components (the developers of which did not know about each other) impedes the
security of the base MLS protocol or any other component. No further analysis of
the combination is necessary. This also means that any security vulnerabilities
introduced by one component do not spread to other components or the base MLS
implementation.</t>
      </section>
      <section anchor="appack-1">
        <name>AppAck</name>
        <t>When AppAck objects are received, they allow clients to detect if the Delivery
Service (or an intermediary) dropped application messages, since gaps in the
<tt>generation</tt> sequence indicate dropped messages. When AppAck messages are
accepted by the Delivery Service, but not received by some members, the members
who have missed the corresponding AppEphemeral proposals will not be able to
send or receive a commit message, because the proposal is included in the
transcript hash. Likewise, if AppAck objects and/or commits are sent
periodically by every member, other members will be able to detect a member that
is no longer sending on that schedule or whose handshake messages are being
suppressed by the DS.</t>
        <ul empty="true">
          <li>
            <t>Note: External Commits do not typically contain pending proposals (including
AppEphemeral proposals). Clients that send an AppAck component in an
AppEphemeral proposal will need to send a new AppAck component in an
AppEphemeral proposal (in the new epoch) after receiving an external Commit
until it has been incorporated into an accepted Commit.</t>
          </li>
        </ul>
        <t>The schedule on which AppAck objects are sent in AppEphemeral proposals is up to
the application, and determines which cases of loss/suppression are detected.
For example:</t>
        <ul spacing="normal">
          <li>
            <t>The application might have the committer include an AppAck whenever a Commit
is sent, so that other members could know when one of their messages did not
reach the committer.</t>
          </li>
          <li>
            <t>The application could have a client send an AppAck whenever an application
message is sent, covering all messages received since its last AppAck. This
would provide a complete view of any losses experienced by active members.</t>
          </li>
          <li>
            <t>The application could simply have clients send AppAck proposals on a timer, so
that all participants' state would be known.</t>
          </li>
        </ul>
        <t>An application using AppAck to guard against loss/suppression of application
messages also needs to ensure that AppAck messages and the Commits that
reference them are not dropped. One way to do this is to always encrypt Proposal
and Commit messages, to make it more difficult for the Delivery Service to
recognize which messages contain AppAcks. The application can also have clients
enforce an AppAck schedule, reporting loss if an AppAck is not received at the
expected time.</t>
      </section>
      <section anchor="content-advertisement-1">
        <name>Content Advertisement</name>
        <t>Use of the <tt>content_media_types</tt> component could leak some private information
visible in KeyPackages and inside an MLS group. This could be used to infer a
specific implementation, platform, or even version. Clients should carefully
consider the privacy implications in their environment of making a list of
acceptable media types available.</t>
        <t>Implementations need to be prepared to parse media types containing long
parameter lists, potentially containing characters which would be escaped or
quoted in <xref target="RFC5322"/>.</t>
      </section>
      <section anchor="selfremove">
        <name>SelfRemove</name>
        <t>An external recipient of a SelfRemove Proposal cannot verify the
<tt>membership_tag</tt>. However, an external joiner also has no way to completely
validate a GroupInfo object that it receives. An insider can prevent an External
Join by providing either an invalid GroupInfo object or an invalid SelfRemove
Proposal. The security properties of external joins do not change with the
addition of this proposal type.</t>
      </section>
      <section anchor="multi-credentials-1">
        <name>Multi-Credentials</name>
        <t>Using a Weak Multi Credential reduces the overall credential security to the
security of the least secure of its credential bindings.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9420">
          <front>
            <title>The Messaging Layer Security (MLS) Protocol</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="B. Beurdouche" initials="B." surname="Beurdouche"/>
            <author fullname="R. Robert" initials="R." surname="Robert"/>
            <author fullname="J. Millican" initials="J." surname="Millican"/>
            <author fullname="E. Omara" initials="E." surname="Omara"/>
            <author fullname="K. Cohn-Gordon" initials="K." surname="Cohn-Gordon"/>
            <date month="July" year="2023"/>
            <abstract>
              <t>Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9420"/>
          <seriesInfo name="DOI" value="10.17487/RFC9420"/>
        </reference>
        <reference anchor="RFC9180">
          <front>
            <title>Hybrid Public Key Encryption</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
            <author fullname="B. Lipp" initials="B." surname="Lipp"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9180"/>
          <seriesInfo name="DOI" value="10.17487/RFC9180"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC5322">
          <front>
            <title>Internet Message Format</title>
            <author fullname="P. Resnick" initials="P." role="editor" surname="Resnick"/>
            <date month="October" year="2008"/>
            <abstract>
              <t>This document specifies the Internet Message Format (IMF), a syntax for text messages that are sent between computer users, within the framework of "electronic mail" messages. This specification is a revision of Request For Comments (RFC) 2822, which itself superseded Request For Comments (RFC) 822, "Standard for the Format of ARPA Internet Text Messages", updating it to reflect current practice and incorporating incremental changes that were specified in other RFCs. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5322"/>
          <seriesInfo name="DOI" value="10.17487/RFC5322"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.ietf-mls-architecture">
          <front>
            <title>The Messaging Layer Security (MLS) Architecture</title>
            <author fullname="Benjamin Beurdouche" initials="B." surname="Beurdouche">
              <organization>Inria &amp; Mozilla</organization>
            </author>
            <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
              <organization>Windy Hill Systems, LLC</organization>
            </author>
            <author fullname="Emad Omara" initials="E." surname="Omara">
         </author>
            <author fullname="Srinivas Inguva" initials="S." surname="Inguva">
         </author>
            <author fullname="Alan Duric" initials="A." surname="Duric">
              <organization>Wire</organization>
            </author>
            <date day="3" month="August" year="2024"/>
            <abstract>
              <t>   The Messaging Layer Security (MLS) protocol (I-D.ietf-mls-protocol)
   provides a Group Key Agreement protocol for messaging applications.
   MLS is meant to protect against eavesdropping, tampering, message
   forgery, and provide Forward Secrecy (FS) and Post-Compromise
   Security (PCS).

   This document describes the architecture for using MLS in a general
   secure group messaging infrastructure and defines the security goals
   for MLS.  It provides guidance on building a group messaging system
   and discusses security and privacy tradeoffs offered by multiple
   security mechanisms that are part of the MLS protocol (e.g.,
   frequency of public encryption key rotation).  The document also
   provides guidance for parts of the infrastructure that are not
   standardized by MLS and are instead left to the application.

   While the recommendations of this document are not mandatory to
   follow in order to interoperate at the protocol level, they affect
   the overall security guarantees that are achieved by a messaging
   application.  This is especially true in the case of active
   adversaries that are able to compromise clients, the delivery
   service, or the authentication service.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-mls-architecture-15"/>
        </reference>
        <reference anchor="RFC6838">
          <front>
            <title>Media Type Specifications and Registration Procedures</title>
            <author fullname="N. Freed" initials="N." surname="Freed"/>
            <author fullname="J. Klensin" initials="J." surname="Klensin"/>
            <author fullname="T. Hansen" initials="T." surname="Hansen"/>
            <date month="January" year="2013"/>
            <abstract>
              <t>This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="13"/>
          <seriesInfo name="RFC" value="6838"/>
          <seriesInfo name="DOI" value="10.17487/RFC6838"/>
        </reference>
        <reference anchor="RFC2046">
          <front>
            <title>Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types</title>
            <author fullname="N. Freed" initials="N." surname="Freed"/>
            <author fullname="N. Borenstein" initials="N." surname="Borenstein"/>
            <date month="November" year="1996"/>
            <abstract>
              <t>This second document defines the general structure of the MIME media typing system and defines an initial set of media types. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2046"/>
          <seriesInfo name="DOI" value="10.17487/RFC2046"/>
        </reference>
        <reference anchor="RFC2045">
          <front>
            <title>Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies</title>
            <author fullname="N. Freed" initials="N." surname="Freed"/>
            <author fullname="N. Borenstein" initials="N." surname="Borenstein"/>
            <date month="November" year="1996"/>
            <abstract>
              <t>This initial document specifies the various headers used to describe the structure of MIME messages. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2045"/>
          <seriesInfo name="DOI" value="10.17487/RFC2045"/>
        </reference>
      </references>
    </references>
    <?line 1403?>

<section anchor="change-log">
      <name>Change Log</name>
      <t>RFC EDITOR PLEASE DELETE THIS SECTION.</t>
      <t>draft-10</t>
      <ul spacing="normal">
        <li>
          <t>remove AppAck ProposalType as it is now a Component conveyed in AppEphemeral
Proposals</t>
        </li>
        <li>
          <t>be more pedantic when discussing that a proposal in required_capabilities
implies all clients support it but not vice versa.</t>
        </li>
        <li>
          <t>correct location of GREASE values for advertising safe_add and
app_components in LeafNodes; only allow GREASE in GI, LN, and KP.</t>
        </li>
        <li>
          <t>the app_components component is now mandatory to implement if
app_data_dictionary is supported.</t>
        </li>
        <li>
          <t>the safe_add component is now mandatory to understand if
app_data_dictionary is supported.</t>
        </li>
        <li>
          <t>rename MediaType.media_type to MediaType.type, and
MediaTypeList.media_types to MediaTypeList.media_type_list</t>
        </li>
        <li>
          <t>clarify the behavior of an "empty" media type in application framing: if
media_type.type is zero length.</t>
        </li>
        <li>
          <t>unsafe AAD is no longer allowed when the safe_aad component is present in
the GroupContext</t>
        </li>
        <li>
          <t>rename "Safe Application API" to "Safe Application Interface"</t>
        </li>
        <li>
          <t>fix IANA registry names ("MLS Component Types", "MLS Extension Types") and
restore missing registry section headers</t>
        </li>
        <li>
          <t>correct stale field and struct names in prose (component_data,
app_data_dictionary, authenticated_data, required_wire_formats)</t>
        </li>
        <li>
          <t>reclassify last-resort KeyPackages as a KeyPackage component and fix various
inconsistencies and typos</t>
        </li>
      </ul>
      <t>draft-09</t>
      <ul spacing="normal">
        <li>
          <t>rename the component base label from "Application" to "MLS Component"</t>
        </li>
      </ul>
      <t>draft-08</t>
      <ul spacing="normal">
        <li>
          <t>clarify that SelfRemove is a proposal type, not an extension</t>
        </li>
      </ul>
      <t>draft-07</t>
      <ul spacing="normal">
        <li>
          <t>add AppAck to IANA considerations</t>
        </li>
        <li>
          <t>adapt Safe AAD scope</t>
        </li>
        <li>
          <t>remove targeted messages altogether with intention to publish it as a
separate document</t>
        </li>
        <li>
          <t>assign self_remove proposal to a non duplicate number (0x000a)</t>
        </li>
        <li>
          <t>refactor TargetedMessage to no longer use structs removed from when it
was a "safe extension"</t>
        </li>
        <li>
          <t>remove the no-longer needed targeted_messages_capability (now signaled using
support_wire_formats and required_wire_formats)</t>
        </li>
        <li>
          <t>add TargetedMessageTBS and CredentialBundleTBS to MLS Signature Labels IANA
registry</t>
        </li>
        <li>
          <t>add GREASE values for components</t>
        </li>
        <li>
          <t>fix safe exporter definition</t>
        </li>
        <li>
          <t>resolve TODOs from -06</t>
        </li>
        <li>
          <t>fix numerous typos</t>
        </li>
      </ul>
      <t>draft-06</t>
      <ul spacing="normal">
        <li>
          <t>Integrate notion of Application API from draft-barnes-mls-appsync</t>
        </li>
      </ul>
      <t>draft-05</t>
      <ul spacing="normal">
        <li>
          <t>Include definition of ExtensionState extension</t>
        </li>
        <li>
          <t>Add safe use of AAD to Safe Extensions framework</t>
        </li>
        <li>
          <t>Clarify how capabilities negotiation works in Safe Extensions framework</t>
        </li>
      </ul>
      <t>draft-04</t>
      <ul spacing="normal">
        <li>
          <t>No changes (prevent expiration)</t>
        </li>
      </ul>
      <t>draft-03</t>
      <ul spacing="normal">
        <li>
          <t>Add Last Resort KeyPackage extension</t>
        </li>
        <li>
          <t>Add Safe Extensions framework</t>
        </li>
        <li>
          <t>Add SelfRemove Proposal</t>
        </li>
      </ul>
      <t>draft-02</t>
      <ul spacing="normal">
        <li>
          <t>No changes (prevent expiration)</t>
        </li>
      </ul>
      <t>draft-01</t>
      <ul spacing="normal">
        <li>
          <t>Add Content Advertisement extensions</t>
        </li>
      </ul>
      <t>draft-00</t>
      <ul spacing="normal">
        <li>
          <t>Initial adoption of draft-robert-mls-protocol-00 as a WG item.</t>
        </li>
        <li>
          <t>Add Targeted Messages extension (*)</t>
        </li>
      </ul>
    </section>
    <section anchor="contributors" numbered="false" toc="include" removeInRFC="false">
      <name>Contributors</name>
      <contact initials="J." surname="Alwen" fullname="Joel Alwen">
        <organization>Amazon</organization>
        <address>
          <email>alwenjo@amazon.com</email>
        </address>
      </contact>
      <contact initials="K." surname="Kohbrok" fullname="Konrad Kohbrok">
        <organization>Phoenix R&amp;D</organization>
        <address>
          <email>konrad.kohbrok@datashrine.de</email>
        </address>
      </contact>
      <contact initials="R." surname="Mahy" fullname="Rohan Mahy">
        <organization>Rohan Mahy Consulting Services</organization>
        <address>
          <email>rohan.ietf@gmail.com</email>
        </address>
      </contact>
      <contact initials="M." surname="Mularczyk" fullname="Marta Mularczyk">
        <organization>Amazon</organization>
        <address>
          <email>mulmarta@amazon.com</email>
        </address>
      </contact>
      <contact initials="R." surname="Barnes" fullname="Richard Barnes">
        <organization>Cisco Systems</organization>
        <address>
          <email>rlb@ipv.sx</email>
        </address>
      </contact>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8192XLjVpbg+/0KjBwxprJJ5uK1lFWuklNKW52bOiXb4+ju
EEESFFEiARYASpbd2TG/MW/zLfMp8yVz1nvPBUBJWe6OHkdUpUgCdzn33LMv
o9HINXmzyg6S82WWvMnqOr3Mi8vkdXqbVclZNttWeXObDN68PttPjn9psqLO
y6J26XRaZdcHCXzv5uWsSNcwxLxKF80oz5rFaL2qR5l/fPT0iau303Ve48fm
dgMPnxyfv3SztMkuy+r2IKmbuXPFdj3NqgM3h68P3AzehAG29UHSVNvMwXSf
ubTK0oNkT1e2527K6uqyKrcb+HbX+vfcVXYLD84PXDJK1v6pFT1Vy1P4W1bM
R005gn/gz1l1u2lgwfhDutmsclgufIS/c3pW92c+TPMVjnSdFVvYQZLcv7Ik
YXjs/QQbwQe+w1fw+3War+B7AOVfEKbjsrrEr9NqtoSvl02zqQ8eP8an8Kv8
OhvrY4/xi8fTqryps8fw/mN87zJvltspD3hz+Tg+IXxgBVCvGzs0Pjjm98Z5
2Xrl8c7jHi+b9WrPuXTbLMuKYJ7kBRzj+3HyvoQTbmC2JGGkeZ9ulmm2sj/A
DtIi/5WAfZCcLsusyH9J3v/3I/o1Y7jgvH+p+OWK3h3PyrVDrGmqfLptZGae
5R9LmOJwdZMVjic4SJLDdfprSZ9lyCTFB/5a/iWlX2g8P8KrsqjSOfyzBLhe
hVFay9Ohrujx8RU//hfA6LReVnmRjedZGPR9uUyL5E26vA0Dhu+SFwDM7apB
rDjLqut8ltV2jgqfpEP/yyV+FS/4TVo1afJmi9jx6+3VXfteb1drfLp34+/z
2TKt5sm3aVXw/DTMi7yelcnZbd1ka7uqajX9S765Hte/wH0uqzWc4jVcBZcX
C/NpNIIrNa2bKp01zj2A9myqsiln5SrJ6wTAk9a3xWxZlUW5rfmSEbZlRYOX
NJsncOHhTsLKi8vMvzxGeoWfrvN5BuMkTHCScpHM0k1KlzeHH5rSmfteD2G6
5CZbrfDfOrvOqnQVbn+yKfOiqQHDm6wq4JemTGAlZtLzZV4jldyuYX12eqRw
5Sqf04othTk8PRkml1v4pZhlCQAuWZY3OKrTUT+tuyuol+V2NU+mWbKtszms
GqhYmiyyG5xoVmVNBu+k680KJoctT8tmCdelCksNQ9b0MgxDT+J2Wssb8xmu
8/l8lTn3SXIC166cb2dEMB1uOfFbnmcLwPzaDg9AwrP47bf/9v7liz98/uzJ
hw8wTdoAecuSogQwAULK3A4wqwiLrDfZLF/IWoZhofDkGsfNftms8AUCWcmT
zmkPuFlXbuD8aBuyM8EJOawTWMKqLmHN9QzoCIyL41h0AFwpkjpdZKtbR4cO
OJzcAJWkkfD00yuA1/w6LZoUsA+mURYDh5E224qhCk+PBffNChDBYe78sgCc
gMHgNHGSy4qQBP4s48XARoGxARID0gpqhelqoRoM2vYxVtnftjksBjE0A7Aj
6Jub0v1tC3xATykt6hsY/QbulqwL72i9nS3xHurSkFI793ScfA/Ampd8GtFk
ujb8Pl4W7l6X8mf37I4x4JgVxpdZE7Y5zQrAsAbe9uA8RJbYZDOENmDZn09G
R2PPqlLzI+BdOGqcUJaCiFs7vHr45SKvakVHWISH0JCI5OqWtwViCk8omHWU
rYDcVbdKvR3i6mGgU7gn+akLCjqVpAD0xY0GhDUXC5Y34ztaCFzhos/96gC7
cEAATLZawMuLrAIiUa6zZJrW+SxZbIuZnDPdvDaOw9BDOWkCjSOAZyJAZSgh
pRtgULyRwWmVXwOSMiHP9of+csGFLCu4J3xX8dtsU86WlmKX1Th5sa0qpBb4
SrSWNd4nPHsP/3WGlD2v14yicJpAlV2aXKcVHPItEfSyWAC+wfApimRMDGPQ
A0oCLUCKD5A6rCNUkysIAJsCUAFki3QN7CGt/E2n/QE0ciH9AHP4w62IPxAj
K/GBhKTI8hJFFYB5U5YrhXdBWyXu5bkC8sbk+9NXx8ng+9tplc+T0+0UVpW8
AoZ27EVSJZxPvwbCuU+bw/UScSHet0kBY5FzAGvOAEAAMmR1Q7zIVSYMis6L
HodNXBXlDaBYgchc8gr1HTk2GGrDi5FXYpYrfI93za8iYEfJIUyVjWqQIoQx
++PjaRDX0tUKyWwRHQKMmBd/BeRPUH4i4ofysqAVjlTPltl8u8p4nsKjWnsK
Gr6O0apBIg8woHsD3BHAVZVrHR4m6k5Q1+Us98yDFkXo8KJcr+Ga4T1JExVN
RIINS6Exvs2LOSHHIvEiEW8VJybhH8S+Bq89fEdYXK0FSdLLKiPCxHyDkY+4
lcFAgkGNU0QIBoOtUZYE7p+syrJGojUrgXXkBZ4eCALrTVkg0cOlxQcBpAhv
GTyyLlFYYaIwS4H08C1Pp+W1vZWuyDz3ouUQ6xJaktykt4EhbWvhkfMcCRQS
ALOUeYnCAAr1C1iMsFnCZ0KzIfC+wHqZ0I13SR9wMhnRcEs9WoTPzi0kEBkr
qqFV5hedVzE5WqQzFR1hYiYrAN55iYLLqM5AlqEbQviFuMUr5YtFX/Kl2bEQ
vov55bJh2Q7Plsg9sB4ajk4Y9g1iGODONV5JFeGOcPM5fWbmiEiNqnANSukP
Z+d7Q/43efuO/n5//E8/nLw/PsK/z74/fP3a/+HkibPv3/3w+ij8Fd588e7N
m+O3R/wyfJtEX7m9N4c/7/Ge996dnp+8e3v4eg/RIuJpLIV4uafaoNwKpBsk
aGHThErfvjj9P//76edCB589ffoHYOT84eunX30OH1Bi4dmIpvFHANstyvYZ
EPKcqA5K/nkDl4ikfBChgQji1QJwPvpnhMy/HiR/nM42Tz//Rr7ADUdfKsyi
Lwlm3W86LzMQe77qmcZDM/q+Bel4vYc/R58V7ubLP/55BdcjGT39+s/fuPbd
QdYLEnCWXt8alE/gXNZ5Ua7Ky1vP01EQItrBYlDNJ5uRCBKJ7HBMXuYHeRtO
YT7PWZa/oUMnPYJ51KJEwo0IX2Q3DqdFDnkY7smBY9NVTYooX5W8qJsUGX+D
9GmdFkBhaqMoWLo4To6RmvjPDnaP2lMyRf0RJHtAHbiG9moOk+m2abOqNdA0
vO0Nah5KaPli1qwBskiLqk0OKphQwLxJiFQCthuFJzEbFHW4XDgCctbciJ0I
9ji7GkfACEQDwXII9HYqcOmQdJ5+iQxrBpK4iPoGLs690MGSkyMaD8R9EqgW
OSwIJePWkH52El0BW8LjNV3rtBa9ZnrrWrL9GInXEchOq3KDuwu2xkRlcFzb
qWhJItkCagJZXN168xswNzzmm7SjRG2FB0VCouc5kb4/BkZPvGqI54Py3Rql
CkApHEvJeaTNkhjDxgbE+Wm2TK/zshK40xXA4xKdPFJpEDlFHeRx/roFPh7r
kA5+b6mOyPn0WtmlDJB4pQuUgaoMNlcxBIB+Pgos5dH+OHm5rZDprEEn1n0C
HrDAfCdfVJ7stxsUsSBRm1WKQoM3ODwJl3J1W+dqXnCxCqyM/BO622ega0dX
4gQZAzDdjFma4efKTVRjIjDi2B2eDwvKcuK6uJm8WBIeINfuwRsgBrFBqKz4
Ju96zelrXubqB6YgxHyO4gnLC4pghPVp4xTf6i7eeIGCP3axK0z0KT/i6I0g
QJG6wRrGiExmQcPwdhK+u4CGl7ClWlQDeRC+QSkYhOWbHHgpcdp5Rj8J/UcR
lqRZvArJJYjbllDg9GdiU2hNWOdrtGwjpYyn9opObSYFpStfoBX1obMes6Yw
B3Kw2qLgVsxW23lGRo2YyvFwSgvheG9AkVuSKIELhTmnGa5fdI/50K+0V6Sl
NaP5Ivyqb8JQvBpa4WmkNDFQ/NJQIgIszC9RfMfZ6WDTQBL8jLgc0pp2LOjT
xJvMVS3q07B43XhXEnhhtYKVsE4kzBuIxmGkDh6hdjQ4PDzaJ0karlKM33w/
7KGc6YkPwxEWfISW07J9ASjdxHx9gWg40ancPK8RKtu8XiKo4FoAUxMlNQAB
WW6PukOqTkVaGsj+DVGYeZ6So4bpFVJ7WV0Qx/WbIrssm7yl+4kWMgdKA/KP
PDoCAo/ksialDqQh537K1PyIjxPNvMwKsjh3SBirzC2Vtss4yOBi3VN2JCHT
qEMBgBJkW7RtXUDgLAiINdDlazFSgDiAB0CAv5jnRG/T6nZi7NIEMF6raM4t
KuY1aEAqptJytqrWsVkNua1sRIUTmh94wvEGVkXgQd5T1si7/KxZkU7R2J1W
07ypYHHdycmiMM3CAuc8cSo6vZkKEfqHDem/d8yVLeD25YQZ9GzNU6S7oBVp
/B50bJDyICD9ehgZDGZpVeUs0rASqmtivc9IBHnt1ml1xSRjCgJWcSlnbMhF
L9cIlCxWix3L1KIK21XlxTzbZMWceKJYt+W+489TEF+zLJIm0ILB9juiB22T
L4uMRF7hsWClgLVvi/xvW0uaT47EoaPyJ38S/oUGbCDyZQW01tvSVQwF2FV4
+rC71UwsmqrBBLkk2BqtpXhudogyCyrhYUmgdh/Ga8Qdo519NL2FCYngM5B5
Q8DMPJVnJ5G+i+iQF7TkelYyLWoZapz793//d7eFrT39Mizj5Og5fe9+QiCk
ySoFNMB1+B2INO9ZMFNgWiCocwh+YLfiilQrmTsngTxDmVFVFSC5Yhku1coV
q3F06YKhXLQtOjA3maZ1dkGLmySw+9Wc7Vs36W0tVvhfENq8oD0kGH6LezTE
xAPrIp9PnIwRoBmzctgsYq7Sb795trxP7EJca5DgRGLeL0PBTugEkmZVO95l
8hvc/nKTIqqG/f3xx2+eJ48fJX9qbyN59BieNyeX2C09D2P5YdyH8Pg7XdZr
/FUOHRDyTlPyAM3N+/htnfz2CTq2RsvNVfZBbAFWL90tiauF1Zqtyrbl3pFh
O5inmbOJJIDusMReFSProPwdA4Vtcy4tbpNoUMHkW3NCwnmTXC0PZDQPno0g
8w4dS2J4oihyBYfF6dmrZF3OMzISIQUVl0gyQeo3gbE3W5INJ2dZs9388c27
o+Nvzibk8LFfvZ8kpJ3QszuOjcl+jMrySodcGZgI1orgO1GhS+ZCOuG5oLAb
J9S/n/KqB4RgIINl6w2ID/mClB80XODVfVlWTvzKw4heqQE1DafDGAioNkzE
XYTIiF5aPgSmDyk63gifDsJ1QtwTrP0JAESgGpjxDCiGCf061I3CZOgRxj/3
kz/BHXrQOPGp9A7maFVHWXs0v7V7lvXq+M27bQOoM8RLn4MsU4VFPmzYXauk
WJkwvh3d8wJxBBGFI1FwF0aSPsYY6M/D4ifQMbNPx/zlT7xdnu0lGkOCgpcX
1+Xq2huyyf+CWBLBKyFra8BhpCD2ZyFK9xN0vseIs6Lc8MtAJpz46ILl6qQg
ipejFFAN2ZqwzlLvJI3xG8dUfZcUYXy0ESLUGht9b/kqa8lSMebTHPSeaz0m
swB/gRWKSkDXzZ+r0clFhPVY7TWwTJ9AigrbRwrboHG8JFugBEkAT4epiYGb
W0q7Z1WaAk5IPMrXWVCXnNEdvdA0KHc4NvaJdKDaBEOCxDzLhrGw4FagxQGZ
XoP4mv8KnHeVLzKc0astnpWQmK7uDaI0pPgXZTGartLiKgFEAEUWEKDKML4E
lFd63GwPLdfsn4Ix0NWJo3i/KJLQ1UrdmioZ4kD/93/+L7QWTnHkDvqgZSSe
A6SvLF3Qm31e10ym4BkA5Pg08kX+Ohg4ZEaQhspKhBIzESGgCW8ih3vd5l64
OI8i3jzNhr1xB5wk8pZI+HHtwUnhA45gOFCGxXKPCgiFQ/khqgyE6xUZu1Fx
RUxCfaRpTAzmWI5R375AJ/XQfNxOw4BkY8Od+rnI1ZWuxPPKUmUSDxa7u+VY
2UXaOtyZxCMQ7KIjEJjH49IZentR/O4PYiTAeXX1tH9SPiMIJCBBV0BDMg6P
KYyBofcw9G/GbzT0IFZQQACHg4n8jB4GNQgrlBFcFwQP1AoACU7T2RXK72kI
mDK0IJBpRo7wGdGyD5fhc+aX2xqf4pxW5NzL12RgaVD3IdM1jteocoCD/bWk
Jar2DyLtmQ93QMGV/QF1RgHGbDGoySCT0nvhIkRREmr18wyjyLzb6jXcu7eI
6OLOGie9jhYbDUaDezMQ7lGsksZi6U+zlhVco2FJRGvck2f3NAB++yMN4r93
PmxniErZBi3d1xkazdZIvlY5iNwSLShxPhE5Jg9YNBEJqa1JmM2gbwAOCYC4
iiW7WDS3PFmQjiBhIEDbbglz0SIG/jzvlpoKEY4e9HKvbFSo2Nba8oA+ywHf
t4ihLIEm/RFVeF7Ww8fcsbaegf+rxLW6Y5dn/ny3hJZ0JTS3U0LzF2O3hJa0
JTTWSu8WyTbiQjYXDyNIV6io0rAtEYtiDjFwa9i+2Yy/diB8YCsiVFtSGydH
kY2bTGKoYWL4iPiUkYjk6DGKaY89EI5yocjBYJQgque9FmccshQCHo818knJ
A4e9RUETv/12Jn6xr8dfICBC7K1yfx9DCsd0g2HfIXSVGK1MLxFTQ4yOSylI
BnVPjb664J9R13UsITOdZ7dkqoxjSfZIiivFMCxQJVF8sv47iggQS3TqZEkj
CUP0sV64MlxD7KUzJ6mGSLRe+LdyYhBM3TU2Bw7cw/Ec+ChSPeKnHMNLQWJk
rvbhN8GUJeIzHwy9HVseFPR/iAA/lPFugl9iltUHyUsMOB12FqTcHEH37I/1
dvPN0y//+Bj/RUERBIqhi3m2XKenXybTXHwd0Q0l8+M4GVhrs9nC0KmY6wPB
CR6iTwQDDgja82wNl3hIx1Fv4KqN1BY+ux3v46iwJh7QSi7x/nIxq1jXDh+Z
IhUBJfVeJyfIJDgUYvgmJHt5VJRws2l2mReFMU3SU16ohiN1GJ4mh8m0R08e
1RE+zXO09Sef4xgmmMWIakRS3WSvu429iQaoNQFFaooxad0uJJaxgcdKXSTh
R+qwgg7HvcAja+89KB4LcS7b4Zk7s5mFFsJoMDCPAI9Lwuj/jCLSSTHPfome
+VeZlhnJD/C9oonEJLa3ybqKUZNVhcQ4GfKM8X1GXuOq7BKpUuyUoGSIeFA4
wD283luQLCXojKkQ8ZS63FYzEsDcGtC3wpAH6/SjJdDzJE6qCzS+x+Nn0U1m
Ao1O2zN22pJBdXB69qoGgQP/AXFtw+ZyjoLVmTkSqJZYV43y73fCLrPCwQYZ
mAA4INcYvkOgRYCsc9p7L+X5evx5vOLkBDgIz8rOG5k2mtJy2o6qtEyvKVqP
IlMBiel2s0tD7hdsHN2aZPkgIJAz5naTozJ424qOJomY3evzbSYHkVc2rgRu
vhpCS8rEWQUWZX2Ew2C39T5YDjSuQ1wHGR6RNzu/P90ZBw6EsFuMsQ8W1E2e
zZgkktnGHyxHKpZwio34KQAF1LlKpDSj4+LFwhue/3OEs4TqX2esRt7kVbY/
JmnsTgtrd6u0M7hZmlngj85FR2eDv+Zmo6Bn1jWGiSZ0OSUMYZFTIDRRr5bf
zuNkSj5rpqqo26S0MHVOguIIym1NtNv418Mrmv1gaKn1L9IK58l2QwLReamh
t2gL5zcIx1gfE+tdTyAwzgcPnqP3FmPkd4gNHLfnE7bmHdlO/ZlxfHvto39E
h25ZxFpROuJm0LEAV2ofduT6IjaCj2m0Me43l4GaS+6mx4+T8XiMXucwy+Cz
fdQtBs+++GLffdDdP3fWTaUg2dRXDf2YwGZXGH8/ALrGZA2oGrAieWKfXjMT
JhQVbuc9oG/vdmlR0ie7tWBg+JL8Wknywfi78IeiBOFIfF7xgoKr67BpEC8B
E6y+fsS+fjoHSVAxsrP1wYOmJ5r/0Fgs+IjouRNAx6ScItGsOZKKb1LhJsHp
rv5Ln9+A7vpbI7bwfWfhmEm1oAvGc0fhsuLXuSfUwmQVErelCCAyf4CCsjO9
hy4+AawvMkLMFBqUwaGyzgfsm7gSZJJZdc1B9iuMVMc4sBBns60wBwAkjEcR
rA9Q68X8BsNfDP31tDwQppaTCtAD1zrU7J4SyQQzFowAoqAm1P1IrcRLj3Yk
Tkt51LZH6bEf+DSPngw0hUxqrLwYELXKSXLhYD6J6dF5gyDZt7exBwoi1kFy
ZNbdO7tNbAqWNrM5WA+KVDdLEYQD1ua18REMKFnlp2xF6U1yyPuiKpnYq+YB
2JdzdkVFttds7iRa5sg/LBfmYAflMjToPkoh5AAX0/Z+45QxQUviH81w5v3O
YoWYkB0aI+O8UdA6ZSneLNg/WPiEOxz7bb0HGUQMfRaTOUrMJix4fFGt8RLG
L2MQ0P1BVmTg7KdZMGw4fIzbEUsNJXMSWtKpkCqM/BtV8IfNiFadKHIJncG1
hMxydNDcsHDOekuvsVYBak7wHEdHuf7wJ0l+pEWVVUwLyN6a2YfdtsixeAEK
g7eSzEqmBpYBd4RuRZYRvkLoEldZONieeaUPuQdwYMdktWlpLkzcAl0AfR21
Fe8t6B3WBYAT5mxB06owsWEek5kwQpAQJkZGjAIPTWwi2h7IDt90xqcRUYa6
SNN5z1iY5/jbbxQpAg+o6kMA7mW8AuDorH/7BJaMe2bwfkBVUd7fDWnxa9qB
TKKAP9q8djMO/QLSxqjUIaMWYRuUSUFzEu0eDSVIX0GPBBkyRYcZm+SCOTIg
H2VU0ncSE95IXLBEBrE3jS4WHJq7b+li3/FiMCA7I+5p2iyHohttBVKR3Mph
kgWaDcUKL7R8B/5LwM5DyLuEtG/mPj5S1JkaOUWNkvJJUTdZOm9rNcCEVrFC
GNCasg7w4Zp9RiiS0BS6Tc2slRSwnhgVk/OuTFA51513y1zZ5G0pZlxb/IAM
6Mj/KlnTXC3U5jhsBJ1E3nkRHP20sO18Pniyz7EYPM7gqXyssjWoeYNn8lHl
8uiwvFl/J1frZZH9YwDnhGHwd5Xpo+fG5UaleS/G85IPlOfyR5HNzWO8lQOx
hf72gX/+8Ly9HeGru6Np6cAJahhjhNewFQVFDkyykMJVMjH5YkDB6+f9ui1c
IW5Io2rQq8/3h9WnK0eZa7gctke1ZvbpUoAB/JgIMGNKb5YNUMBCjjYVswtN
LahDMkj//kUKnjA8J2E5wdzcli7YAmTfxqoeyYSPakI4+/DxKHyBCRyliA4F
Fhz00ZFs/NRO9p3wruk289ZFB6lB2txHERHoAmzfr8jU4qiSwXSfZCJYHzke
/SaCA4rT3XpBl3IdEzRnBE9DgQ6QRQpgN08O8nE2HrKe7TrBgWQZ2xdRHt7v
jTGHQSJWCHg2yvQpeH2sobY2A9vD4g6hhOLJRb6a6LcX+C3wdIZyEWShT2sE
JROgC1vBxhC44QOYjma1on46lOtMuLUu5+j9otV8TPR6B49I4oz27OiyJ+1N
DsXvJVEwkeQnYlMPAJ2OokVv7tvxTCvlEJUPQh4KDK7F4gf1Pqd87mYn/WAY
8iUAxgIHB0CAHa+yBdln4WrcpITOarQlI4EPWLhv/cwg6XjguHdJ0XIGFEbS
u/ChDe7kuCs2O/2aVSUjQLWTWol5TOQIXotJRCFCtBtzgnQxQDNhNAcXtGhL
WvTgDlzetx6ckLpxKJo5MwKgwLuoh81EStDV8lJUMtfiA8asw2nkhMXpbpZW
qHcXVsTOL10SEKo1p6fwzQZc37U8cc0hc4iJsJPxuQQQfLC5aT7N3ayAIKt0
UmomCb0JQfoggpKt5oRvH60O561Ie/FkPGCjeg4n5UZBJBEBSuoPWPTQMaV0
RSEK8C71+hrklFK3IELHfegU8oZ8dHObc/GaZDxCFF7bO1zZTV5LIGKPXDLe
DRZmXXxj/MkNyabFAd1t2MCkyuI8dE6NNGsF3VV5mc9g3ZfogqxCsZUWdrKg
LQlV+F/TY8tRtsprCQmhgYZapJKBPDA9sNpalS6x2VZwVyW3lnJKSHjkpU1A
RJezJXTGpEKZYSqxjHN1vqI031HbWKzPTaIBMapsVZMJVo4UFBCb5s6CSJ2j
gstvC7kPp2qRs2db9vWs9XZwWMrNJkelyMfyXoxPwsg7c4Ns+QBLm/oQe7Tq
IXJwNagX6kDDqpb+9K2N2goUdpjx/0+XtVlmeq54b0gr4AmFFpftATyO9V1s
EMCyqlE31UM2pGts34T25fOWE7s6ExhlcJ+jLmTAc3WA8WJqWSJehMbjDaAQ
B13DYFdZtrEw3rHuXTZJomG7SJ1K8gE7v0HJ8PggOd02DRdNrdBivi63UivI
12a6w5b1zQ4RiepmsP9EY8Oo5GG+3qSz5g5xn4sQ+NoCkZlkvDth0/msGAAl
xcCH4GE0RWDu4Ov8KmPI7JpckoxFr5uLBOAHEvHD2sH4HUqHIgaBtZqqnCI3
WWnCqrHVFqUBNVwIkeF7m5sIuFpSlzgZHo33NrucBFsEDSyQ1bGeyn8kjisR
6S4dKSr5bsMvImEDfMjtml6X+Zzo9V0o8UCJOTIJRZbTOnlz+DNXrvOTsa0I
dfGlr005a7bqUpMEyZ1ptfe6CDXzly2URq3z1rRdOcdaZGxHVRQuwyGuJdfh
bGbqkHeLWxFVyER6BHmOzB11iF5gmTmO0aDE/WnWHoAkZZx5HO3JxSq1374X
sAGSoRLWrV5EqQaCGjPc4xrFlKJxbHGospUWiKO6eWlNAYYSqJVXIqnyxedZ
yCI7q/INGV2WXa9Uuiv7OzcCaj+BdkqgNQjKhIGeLzvKOKfrkX0gT4t0pCyd
EZSM3//xPi27t8hs1r/j2N7kDQ39VqwcHSb3mck6jEzCJXHnRPF4QrbJuoeI
qiKUdfgmE/k+G4s6zD7GrOM4fGKnWQf1+Gm2KKtMrTu9qm2P6rgT46a34n33
vouueGKMlXHsfFeIH7uTRSBCxuJJjIN0eRTt+teizIMCGfuUA5an+Op24XuX
NlllJl80Uip3n+BDuHT3vY9m0n1T/6fz6EAZtdDD38OqHbPq5Pezaud/Maya
MmUoafsBZVok+Rtdes59W0pVxQmniEnUjJiU41qvk1C4IzJjabicM3EvZm8j
X32C2RCTeBu9PIkqjLJ462xkDeYO3opOt3Nka6kh+v+ygusxl4yLifgt6FD7
NjsH1J1xwD5f19bmhdJzyoxYfNvPDEUU6m7Hl/AMah1XlaaUKFAIJP/owE8f
r944y9RhrVHZtFkt1hsSn4gNppcSdtbalAwL+NAZOaUSMAn8FNLde+AxDhmp
E+HbjIHw3gKWTkGCYjO8uzgWppNiuCe+KRlWXsnoAaT6JbVYKFWRSdfT/HJL
mYVOtPtez/adwuoO9bsraA7qLGt72aUQMjuU+1euHNYt6Gi5jOwEoYbnoPgZ
KAmNx2IyUZ0JbOYix0L8E3ZdsuZHmIQxFCTzFds1hoXBFWTyrgaBlgcIz0sm
5ErkEiRBSZsPiN95QOkKXa0NwpHNnsDXsbPT/OBfrOOXRECC4zVHG06KmX5B
9jne8x4+tkd4ZegxqaEiijvkMxxaEwK9lMrpZQ5AJ6ETbeajVVZcAuFkFZxL
sr5VbIjLGuLlexFm/+0TizWczxgCVicvIu+OoVga+YMCEODwtiq01KELoUDo
wZCwal/rnD+3nd7sYsmCZBfqIlHWtHM+U4qZGq9k0Btw/lUrRH6flbcl1nfg
JDb2L2KdyqzpxBTCCZY1F3XMC1UdKNaasrsEJx8kf2vdyB9RNykprYtm8M5s
Lo9wBpQik5T6ixo/hCf80VGIbFikf+BUZA8OoVVBJMwAsjBH7dEDM/9Rsdke
saD0N3Qd9zi/S2kQvl7viYQNDMIHn/sGC1LmC4tGlluKT0R5RuuyDiaWZgGZ
n/ggMfwQsEbcQxNFscm+1pGjq7JIMadbNOkMdHQiuUxHTa1Y2wcDY8P+Wkqs
vtT8spWqImldOzdYw7ovuWx3BBgQxEG6mjucojtsULEvV5H36dPx0zhHjsrI
tbBv32hbVB8P86BINbHxJL7kJGZIYUgbcTINA5OQo2CaVYevUBFK0+h4g8XK
F6YHdebUi793zggqBsVWeBS8a8wwQHieVGOJQ48u2o5LwuPrVei9KPEjOy+L
eexD8l6OuefmHHH6CCpLdNexeHaMXpLMavu+yE5CoV5WHogW/4Tc+yUlIoRw
p10ZBpjOF47/wE08Xb3AlI4LTmgAgA+YCs/YZiTuOk/SOQzBBXR+wMttmWT/
IfQRN8d7S+wUAubwK0DXmU9J/7aeR8/0Lt6H2EaVv0Phw1piuTx7fFggMvXr
CDyML6yUOFMhdGiqOYoM3MkU7RURjVlF/bXWZwxYQTEfKh8OSF+7z/u9347f
ZRvbGutXz3zlOp3Qhb0Z2HDxuDrI2X//SroOpd3rwYipDnTtugZsi+Hy9VjU
GNOuOMq0LL31gwVjLpW9P07uFNKNTJdhSJJEZUpdKlzUkMWg+8MOdm9XX98p
qEuMZt1Q+dCQNsvSqKciO2Nl/35zYd0Oea9fw56fm1rd9EWiwDOR7Iqy/sSo
REgfOknprWAkxsJnwcnvopvZiTxu4d592O0Mdvcupzte76G5nXcm7Pj+DKoW
GOOtCTBf5gXGmcte+mmNoTDJgAoDYh1jKX/z5uTNMf+2TxDAAKBtIeaY4Isk
PfyCRlL2HKCOiqbbWUd2n/0c370/Pjw75uPf+06NAu9hpeXaaiIYmXwG9xNt
NsdWgtxLBjzGPhedS8ka4HbUFHj6WauogK8xPrxDJ3A1V3dMMTnkm73DGjN3
Zls1R4bBh4larX3FZgBTJN+pQTO/LDCQYOi+8YVsQiZB2n6LL7XUM9Iy0GSs
qxhUAsdvZF4QK5bZapPYpiBSpIIsxjUbsdhkRCtprXy8J5wvbotAVcBxsSEQ
Z1WqaZLb9vBKFAAYydkqV0FdM9jiSRE8evPGJrWihy6OlWB8xCvx5Xj4i1Hm
1f3Pet3kvkfdDzF6DEJ9jQhszHGL26BLiC7awh43RdVqlmEHL6z+o9jA0dM5
twCKD0RwyBxCmMtFc3HwC/lqS/XES4kmCiomw0G4ouy23GwOZ1fqCII/TfqO
mv4AqgADoDKXGS9+s7N+Nupj5fYSa1mQB8kU8V2zx6MofU8DNrtJYjWXZmLb
K22R/HkgYUSm+NMoOiyNZCXmGrDYSXB1SquFADjnp/y0tg7B6a2kVlggizXc
b663DGuSYGXcz56JF+G5/Yo6vF1opQIMuTc/rtLWbx80i/Q9wqcdnm9/Uxya
X1T4sQ4OPjjByLWHJ2p0edOuSGzrOpJKTryLVrkyJyXHNMuV2KHNT1enE78t
9vywt4khr8hXY+OudzDJorR9SrxhvweLglgTpHB2PzckHvbNjbjI/TGbvNhi
j08CHvmM3aR9VBMKNGyd0WTI+FFjY1xyUIUbYxI8yNSKJdcw+x2le7autjv3
JXPA5k075cZeJRzvb1tRj8XSrkqLXSpzm5CuC9z0UirMrMoaLa6N1r7hYnqX
6SbkH9qReL5Z8Kw6WiSJH7ou2TbePSx+IZ6SmtT5KeUjVzYkYJYBKc1L5jZu
JyBqydRVDJOyPjOQQahTJwYqhYudUmfhyoW1U64GJSqVU8obno+Td9PrHA5a
BCsJOUuqvL7iUWQnOqkLEdwgglXiHuY2rT5am4qTEw74rEVLSExli5zo8623
gcqAqg2E1EM0C1B1/RklcgIctOQ3hyYcWkkMf8GuNjxf7hujapJhsO+u8yJf
o/9WHCRMjBGEIa5QSs2hH0cCwJ3pS5DXQhVFTK41jJTcUbYODasywjvIvej7
FYl2zskU2OOpMTIp6QKas3zSUtc5nq5fbO2PhomcS45a/TEaR+mR3pEnSxua
rFIRCK6z5OTw7SEQIQQGWUedN47eJX2LavEAedsZv8/gYa6ijmJPiUC8QwnY
QYP6p3E2aORuGKA1kVTbfa/MGM0iLN/dpy48dPnuPvXYbgIWe88KZZuhF2Dk
Xuhk+0sDVJEyHgFjeuT9Xa4HhTWwSbxmATEswrVulNddHBEl1mAwzkueQ63F
pjXo1TO9GHtLxbiQnGz0OQyffFs2oiT4tGt5cZlvbJkZlrW4uZB/dFPCTlRW
de0nWWZih7k1+5M8QBJRQ52BI12FBjJLoIwAnCYXaQHxBoA3pWIvhwEG+Nt2
c1mlcz5QRVy8+Uo5iIqasjR13CerdMzfeIMWiDoYExK194duGtpSgMAjGYy4
kwr+vJaay3jAZRXWUpKIBJv4Ef4pqxAVwDiKJXRJRSdLDiU+UKD+Nbzj66eb
QCb6FUmNU1czpUun2EwxZYqe1u2Ke38GTffLrz/7msottYIbmYiD7L/UtQaX
uG6CqIjEs/XIHkOKoNVmiRkWKNOckAmPBVt7nK4oNARDWSa2mU3ktcOVPnvy
+ZcfPhD4U+n4VzktwCcFrelNgoW0aDIWncEilCqSC9nuEuF8l4j6Fr76Rbs2
fo4z78c3hl1JUm+EiLy1rOS+EHa3t154zzHJ/z5LKX7f7/ML2CeuVi4+B8t8
kpzRopwjbnIunDWlXdiuFv5MWquyamdTbkbYDnjlODyUDG5Trpuj6YUl57li
RaE13AzUNI/RsqkheP6HCxKNJxI1RA44270DcIXLL5G3+G9bAOF8xBWoJoxD
WiJcb1HBcHLCOmorM7QHoNZTRtvqLMsEZDkdWdtRA7XCFumZWl9kbKxkPGmp
fN2Bn5MUyu234WKl1BxwCppjvcIA4MHev+zt4yAlyyrjxJ/ba4lkT6VBOkyg
VutwtqIP7FIXtfaQXxQ2ufQe3cePEkTVg6S1aJFtfdov7gA3LRc3ra6IZ1Cn
DxoFlgg4mSBSJhHkk6j9OOyVQWggqKN0Vkor0VpJ+m1bUYW5VXiENRAqe6Q1
SI25vnuP98JJcs568sjnPJhbICjeWhh+Ravxe/YCQ5RrGC6CJ04+pjEe2G/K
vCP79efbs19yRPgINaqvLrVYMJZDBw8YEiSqC1xwewaxv8dY1yONiaZ/LKSx
Q8uInpYbCZILO5KIGyDi2PcT62Kvgaw93oAmmtCVfrzBbhTJczybOmv+tPfD
+cvR13tx8a/Hf62pWJL9CrmcUOrxur6cbut/mE2B2vv6vyxi83oNgaMwuTCz
hraFvY7x/1TRZXI1zVqv2MfDZoW6mTxYIbLhrNmY5CbxlZxQFJSAYCI5wF3a
iQ8ReCZjJvbHv2y44uK30rCTbDEmlUuUFOXbqj+L/tayGT9EEv8Y7QEYgy9D
Xg/VjjZpYaT32q+45x1JVSxlGlZJCcZOLEjU4HRbbzHXj0RFiXTmTuJCtfp3
Yp1rtt4MXeaHbm5onU++IMEDyg5xSQhjvTdGYR9GV2B77TguSjmyda4rv8OH
baSU5u63KhqGPP6ezrfbUN8/sumza4pfw0wW32TyfgfP7/BijpPBufo8qARN
OF7nj1eqa9ytNjLE0ajuy+G3JFzHIT4ZGW+IblEtz/E+R7Cp6mC6RWBEZxpd
slbrYc5f3Yl+uKIokGdbrLCGZUB7VigGbJZqUuyW7Cg/DUu8bqk0/61VgESd
UlByKPYm0wYoElKzH0ouuUhll3n7nH900Shoe5Zxhyk0k/Gu1YDlAHqkWl5u
JVsCTfgs/6pFTcGo80bzyUxBAIuhS7osoMKc6oxN8/k8Kzj5Jq/rrQgZoiwS
uu8qFxEM+kwUtVG3aSNnVD1+CP2bKJbvVPwF5qG7HJuvmTy/FN099mDQdZDs
LNXa76238R9539oYOPRELzZQuOCxhrPkRbVqGsFtmpgUBNnwxJbwbQXeUvsR
I9L0yyqtqpp5AWrShV2ggEMLbSbdRZjYgS5zR2IGTJ1ENw55HYZ8ESwKNGyx
ILVgTHYuZdIDmyD7hk3aJBT3kKPtT3BGVS9bLd5TKQCP27xfbn2mhpSodiuS
OnHPhBIlEdrR1aIKA0R3uKKv7XDiK5RLA/rBORbno0ZpRXhQXW+23gvWcpFZ
SYwli0Ha8n2ZXgbGSVQuOg/63EEq+Iz3zFeklp2Hsry+iiFlTtnaaaY9IDO6
8X6IjvNAQhuHlNbm4gta6pir+dE22kfBjdzzuJuWjMfd83AzeBn1lTE6geHp
ZlsQqIeR9Zybq2MjmVZuqx+KnfVC+cmL4IJ3VnL9W6sU348uq7rt3SX11ird
uizyRiRrKWyKchBvH4HdGhwPn8vhhJMA/pUTw1FMIAMgvjansjupYaLwYbqt
WMvym5UqoeFw0AJQsBhMhafTZJlfLkdoHy1mGFVVXFETLyooIJW21oAKgMrA
erezq9v9ZE0BllIN3NGp1RmV55bWUx2YkEc9S1cj0GuoYUyzFd9QSDvLa7fE
yMaCy03fB2VpgY3MlHPmyOaPdETW4ublr8AlEJhsZs83qRo2w6CEIoMSpIdC
w5mX5bbaH3e8NxpKL86PQE8mcRIpRvBKNoXtEW8NHy1crIUDekzoOpF82GQo
ZxYk1dMoh1VcH3aBFFQsFjgXJXoEM/ru/q4URssWO+nmNcibWvVeJ9UiKCiP
mdW+giCVGkM9W7YhVPjB2VxBQ6vjBGVOBw+jeipH4RuCCGNn3hcv3tR4gM1i
NoGW3Bmn98EsqW1miAKcQbc2LDnU05Zp9OdO8T2Qkw+S3v8O5/NWBT4t1Nf9
TyvvRY9rwb7uf7qf6PFNfbVjJbYId2cO7C7WP8cJ/NJ63PdS67x1LL/0vESU
7kI6nl6YgOsd9bNaryPRuOiFhT1a/PyBK47zkRnBSE6d2nOH1ACROPX5idhN
kDrZ9AYfUDkxC5n4wxcfC7by4uAvg8KLnILQfdFD8feQj599eHNqhQGQ9Jq1
z1eVkA8v6Go9oIhk1bZubBzkLmkZ3iWMNS/HXnBSKoU8ZypWFaERfFUlnTpf
dDS24AtzQdHJbV3XQrz61gTwXNs2egE7dXsI0RFDdEQPrwRb9sb9Jh5TW87O
aMSTPmkRvVhs69VoLmq/tosz7VzV2H1r+ihxoReCRs+k1OeFRK+onrIv1CH8
XbMDkEYiitxmjQKaMxKjlvGhj5dPNMZC9FE2rBhGMpYRhBeLRanuX+swKn+J
rUmo+6QW05VKex1V2yc9z9n+osnaFHTAqiwtOJZ/y4XrjiS5/jpWu6aUiReT
3ujdfbUy8bkGSUhJ6tk2eWZdg/YXpgWmvM5V1hV1h2Ig4LBl36XHoFFNflNs
nMYq9Kosr8SgRaHnLORP8F2goPPsl4nK8GWVX2LEchCSqStmEB4VgaTTmfe7
yZg3aZC8YgwIJed5mJJTgqVV405c19N3Lf4/9CqHDEpHvMia2VLKivAR9sHb
Gbzyup5p1KCpzt5O2zuK2lzbekEkSSSDw67mYLPerTvD9Ykt+2Nf8snulPQL
LTTeR2wElY01M16awSIOp6yv8k0dTFqpkmXiOcH+ddGklxPfyI2b5gp6iKgk
qBFeGWOCFTmowsjD3TJau4BHt3hrMdfttQcYx0XI+tAgqn6R+u4Z5iaxQ0Bf
7XvNczP/Ettu28+a0ljJoS34RrZNtKhlrUIdYaG+tA519lJD17mYGDqRdoOj
s/2ganv06MfcxlMsN2ihgR6ixa/28YfEm6MzG5zYvkhiq20pk0N9U8y82lKk
uO3bfR3XaIbX5K/2ZBx9Qpe6jRVDr9Wb6CKlZAKJjsHDMUdkoiS1L2NjjHQs
Cou2YPExBtoakdqvrbnJR6pKuO8FkpumCBxdLZZO+1gCRHNULkbTlOJUQON7
ndbN6H2GKfzWLQF4AlLZgW1aEqLTumGGJivjSavRI7VzFWuIjewJ9mSqRTHa
IO+vlzaL3Id0ttIduCEfAxTrTyAoYVDQLmfLqiworFO4d1066c4bSkhJz1hR
ymBqjAjEbBALAIlBENG2CT28SKosKR6zmLfaUlcZPcIXAsbTUOmU05PTZA+j
htH6jJ35LHCpkoOH4Zfjr+GGvJD9vjn8GcbyVTYofoqBFcJ37MpNqJT/nXPM
E84xH0cHBpPFR0ZRqMbcTnyyVGqOOxjxDqKzSn0mF4HyMPZYoQGXtGaifgSn
eyCSSxwFGni+UTsooFORpytE4VrIFl3+q9pWCrBaj79FTKZvuVdxSf16gDhv
EYpVdkkBkBb/6aKavVKzZuakFPnN32I364uNrNg2+DE9g/raWcR+3UW+Wokm
cJmyka4TDhiaNGEXHgzqSFrQtx/lnASuEuvINnQKf7Usg6ugaSy2pv6E6m52
XC6dKDIx9VLF4Xy5NN1oe/U4vbnjHWzlGGMpXdVhTExGwzsDTmSjeOrGXk3s
Nt+PnayFmbJAU7hNCxLixQBlE0bgmvk61iG6UsxUzqauGHLK/TDToBz7UFhA
tNXKZhQezue29pfec1Mwj1TM6DGmeiZHVOJCoyuDLNTibKvlFGIA1ZuSKM85
YBR7z6YpkzZh4mGH6hmjz3zM0l3LF0PsjbbGbUtsXMnYqmX9TcMgYZAcF0+S
Q1VJIlCrcxmz5lT8dmhLnuy4hb0Z1OK2MYVnXJzKa0uoMV98g5RzFOoCYMt3
+soU0tB8BgpcRCKvl4flRzZSC5vxsSXhfSfd2jbc6Jlu3MI7bD+to+PGYl3a
qEvKhfsOjdiKj/xYuW+fZvzwGFmpMZ/avSSMxXXT2T8Lukh4W+jrUF9TY3xD
263Ix6BnChdlvsq861FfJZeKDo1ZisCTqMboDQtx/QN7a+6qvM28I0/fRpxM
uifRabUJawH4S/6HJ25DSTXh2mhy7/LgxeAjU2iRz4HaU4LypJGomIbvJzZO
Gz8c0sjiU7aAMImUGGZArLeYy9wqa5FMaDsB1cRg9lOWXnV/qUIUbVo7NNcV
UpcGeVOddYdnQUaLIXqdVVKfOGp3woUfbmDKkXwhtaW4BiWMWXO07L31mHYU
tkHDZtiIWeVz24GeDUCvMlv8A283xfE9fkQPhm7342GyF8b8Nid16/zbs71h
0vf1PkfbiY/aFyjTHPf2G7GVvfNzMuV/fRBgfFQf+XbPYRu7L9b34MOMsK+t
7ZKTI6VEYK9f3qTcoozkVhd6frNmydKQZiI13JSNzWEZIghzPZUmtQO9ojpc
cJs+reWRkGGYo5Yd11jjct26uFzjs9ZO4TMQIEOy6555TsG1J10huz9pJVZy
eJHMT9ZjST9clitThMzeEaA93J/GF6zDdsQiufswJNwbNtcV1dEOhzTcjzd2
Z0ZOE5e4H1nqyG+byO9FGVMRZgMn2haclceMivp7J5N+bGd64dNeOTFM6hVe
aw15Dbt2AoLOSMNks9oKq/QrxrsXVe6PgJIXLrhOLVA1UwaV/vlcu1X9l9CN
3oei/fVefoCrDUixK5poB/GwKtg9aoDvj//ph5P3x0cs8zRcyjRSvZzafkL8
hvc/5z6zmhMKycqzzrJGopH5DoraTNGhjBvaory09zQuydx/R38kMxsLv21x
hwrS9t6xOLTKR30tbGSn7ZzjWgyJK+AYmOillDnIztU7M1mUNNtEvHDixCEp
JODlQoUpCujx5Q2Yxm25MSyfq2Gtvp9UpzM7HpapYkqhuCzijHtG4jsTCot6
omEr+Yd5ffsLqqGbIMEOekT7JrLTR7ughzl0CouTC5e0v7vJKp/zr+5rX0bB
b8XPaWoxM2QE33AjoRxna4mckpAXMru3b9oax7Q/4/IwS8RDQyxRuSRao1iu
CW9NEfI7z/lwV5NfvS1t/JSZCR7alqcXIyW5rsXSqLfKo+T4YW2lootANyNe
DbmDQ5Z6dFF4ovPwTTio7iWxhPtjj8KKhd3zcNaT859xHmZ6OhQqAXAnZKM8
i/i8AGbtExsngyPfO1qXhlqTrih0lubKkTWGG+sR6/ByZ/O6QwTvPhVYkDkX
9wnnaryIqr63Q3CQCWS1oJCqyjjeNWo5W65mJlhDFbBYaMlSSSdze2+8nvc6
vYXfz7LZFuskinyl1R59+nxZXaYF9lo242kqZMh+RpvxuLfMWrRijhTnFbNf
j0pO+mpIUnIyjNtNc5TS+JoQQHWuMKfp+Ojk/N37g+QUz59iJFYpCLv/A/6D
qSssQIJ+Q68F4TsF9W7FXgk+WopiwXQHbA/o1sRkLtoTwBs/LCJEb6Bvd1Rf
XUXSBay5JCR3x+HAUd9lTTFD+7cpISc1erWwW7/VhiKdtWbFwDaORg+Sf26f
ruGPiF8HyZNfnjx58iWoi9vLS8oH3Yff3gIvO+gDDfwm7v1BvX+QvDo94PTn
uENLKC9oLFiyLheHzrx+e88Inlb1v//di3vej2L/d4xx8pAx7OkAGN5naFok
98JB8jN9IarZAWEloixjWH/Vw14k21X38X48a4MJa3b2lSA0FUejGpWdUr5K
BguVLSy+fNWLL/2rb6HMxx/4x8C6t3pkL6h3FMm8H9JRK5odt/VeaPfUW8W8
JmS/uIJeBmsLsrbO4+ve8+jdYus4/r7789AjUcrrg5EM4Y17acQR9d1os84o
toyVT/vHGGPu8HkHgZS2cX9Hv6EHwr21+D5oaZQif6Lu0Fqd9iB56wHULY/l
Eg8fE6F3J3Qo7EmsZv4d1+2V56tvaMCYOmRJbhD7hI+WoFrMEpMQA+UPO4ES
Zv87QbIzBSOOidwNDlb9Q1ZAX9ydJODFBSXIJpcW3tvkexJHYZBDzUKJ1uM0
aTqqkdMTwh3DMe0nsmHgu6H4tgvFn/2FNCYZupLJb58YSzEDu2tTiNf3We/6
SDr/KJqNttN7J/u8d7KgWnzEjAQAb1VKyGJXt82ewY5EdRHxmYMd1uqPnbol
J3vQB2n4Tn2hK32TxtErgvuq7y6I/bt1B+EzXmwXhQOzElG0loxmka79U5qS
R+lHdFZP8KEnv3z18uVL4nEYJXMW1a5UlHTiyZSaHk+fYYZAbFk9ythAAZcG
06+rpo7XY6d3T3752k//UqdfUNdzKkuHRAAVHPROYQS8cyPFMoqx454XYgMJ
hXF8IUJ4nBGPnkb7fPsheOIndFHxI8wvB1xE0ndHMkMGXjsMQum8Sm+KYK81
9T0B4gf03Cg5PDrwJYStWAu/HB/s6HIkDxyfHSAsUVSj06+yhi3U+gAKBTvl
5hHJy12RmH/7HjSC709fHZMVPhoUdYUd6sCIpMJeSX+UnMJqT89exYOdvTow
V/hVmGsU38UzPKO0blWe/apVqp/e8hcWD85fPXUI2xaynJvD4e7EfXzrJ/TF
F6UpgrZHyLCHnpHtumBLCvHWDH30s6yvJdqY8L7T2dAHDa7JfR/NyY2fKouH
J0dSgUk8S4x9G6pBjTVNsD2GpEJHoSncvkhiprprw65FOfENKWGH4UL/xpcI
j+bf6IL0pHHgTwQM+Pc9/i9b8Lfu30b+v38Y7fzvH8y/4TF4W2kOTvD++Oz4
/Y/HRz1zv318SP+O8DEhyYl//Sn9FlcpiF5//Xb43Qv49+fe15/RM1oVt2f2
u1//jJ7pyUt92Ouf0zO7wprgp1enPEz/61/4vcMbfcd2eLz79cMnDFapbNv3
Oha9edr/+tPDp7/n9WeHz37P658dfvZ7Xv/88PPf8/oXh1/8nte/PPzy97z+
1eFXv+d1YrMj5bJ4m7kwJzFbqQGb/FBncvHg/+MxuGrX04NuiWpbWl5C3kzo
1XcnQ8Bmjs9//dZ9EwoyuU+8IOM7T6r11Xe1MyrPCYbcLNJZZnuO9f0e4ptj
ZlzrbFgONoWngXVgK8Yi0j23GFWE9Jz1p97GZZp53R5P9X+H4V1xXrkWUtrx
Evk8eidzIGqubn9lnpDX5UqC8TnIDf3i3k9B71BcnhkoJLm70KnnpJDAgpuy
mst27gZow2V1TTdFjticpWiVri2znWN1KexoHaWw+VZPEkYHz0/zQtdo65wP
Gso000FwB9LbKucgYqqfwfkoBDfayj7y2UxO3Xkwq6+zcyAl9xmV+IrQIfZt
mSy4qn1CkK/RGE/VY6MlU4VbDAPBUulaUbIubc1ZHN6v43q7wnBiTWpzPtyX
BAq0+BoAlhJAi2GfyNZbi6y1bJjuysWyxzgqJ055Tz3lkbXa9FDiUShY2JTD
lEKO4mjWIFHnsxe4So5tZbifaIHivhSsnnrH7u56x0m33rHdTKhPXIHIM8MQ
8GAMbQe1apM473ujJyksTWx3WtGCPribZclu33WulYJbvSt39CWlUAyNQeSE
BW42V/qkM8Z+k7gw9Nk5zbKdixJSyBFg7b7Jpk8qHFT7lIv5Y1/7JdTEdnCr
8nIu4iNAITOu02Fi6zCE5tKaeyFYEUwyGM5DVzzBgB10rUoWjga31rNlNt+u
Mi57ipIwRi/WS+rDaouYU3ljZ6oz61GecZd6KsV33E4ql8sC0pdsSPO0NBvI
dhDW1CqMl+89PpMFIJGVVMfR1tn2RUeAcewYRpAgM+Y8Vvw/chitt+WrQ+xL
ghUjEhm2OnYpGI1rSOSEIxwSCTvXaFDEJc7y8XfGt/lFxhrOS3WQXbXV8x39
fckDS/Zv1wpYZjnApzrWpqBMrRXSHysGUL1VCr9sSMEZOxOFS5aA81Y4tK1S
sbQVcn1dLn+SNyHPUcCWcCtwW9k8vgpc0ImYDwXshYaTeRUwWZgUDEe98+KF
jPtWPQsxJj68p4V3YbVRlgf61qXWi187haBpmbhuawGmwXhxKF+Bx2cGhrEw
tBQftOxzzpPrHIv2Loin4SFl6H9AOoIEmyOTuJGyAOuOjUqYOu3X173C7cpe
AxZRJHCTr5Eq1aX2JsR92eoen3Lwoax9ymVvCklA6NRwk0kwiylqCtDBvLgm
lQuUCrm8N7rbussdtiQin1IqIpU+mxN/WvvsbeF04+RdkXFEUomUjVt30EzS
lAperW6B+kdVdFrNMYYcD3eF58xWcQyowKLjjZcVO0kfcFmxTtklOg8SzRPQ
ps9CUnmHkpUTnaxGg9tTdWIyMXistGWIgQIl12Smrgj5wjwlEqPHWalpnWkx
R0SJO6vy/xCyJe4rHsU4uUKLNgkDanc0KRnuOvdNSqMUoML0RgkBhiIN+v4F
6tXJsWqNTV+NhTYMB00bnJTiC6j9mXQxDTxJMulQ6F5sgdk5VZxEcIC1z265
v4s2FvI1FbLiOq9KMsJSGXeqmxdcnyJBEZ+3lSV9EQK0JLVMXCY3E+7NJtXs
QizTGQ0iCMTHDezXV+6k2QFhN2XDZvrAwCmjQgvSKqfwl5xqBWMKTeW4Wi5b
DNEq/cVnz55RfErkfyJ64Fkl4Fa+ybO7yjDEudFNT061qcTVzZnV+0Cikdxo
JadwcD5bN+1YZjU9w0eJjTG5L5eDxqumyXlp4eUh94+Ylg90mIk3VdrLRYvR
jObuTGX0swFWVEwgaDFIm/GiidJqd+wlMalr5quf2HCpuPhGw9FLO7J/fhDH
XfA2WScY/OVzJUsq/mRjlcOKJcetrQ9ytBp9m2mN7p7od2RjoxHVo0Z7xQve
2uvy0gY/JaevySRydPz6+Pw4Of/+5Cw5O35xfvLuLbw/r0BkGz19ggxRnJdC
5qIqQmkt8cik2xq/kGnDFElbLjHlEUZ4Jbi+cjanUu0sokgcsg+XS6NaK71d
dKkEMZdwIZi2KlNiTQJRpIhtIIlKx7AA6YnmW5p1u2eRK1cINdljyPpK1ULn
XLvY2nJtKdfnpgqUDiq2pddvWaZ8dYqLEHHTjhM5ARC4UcNcT4M5fLcvtsyG
YOscful3jy7NMIlRPHR4EA7QHu/rIY4D48Ihw/fivibYReWpx9YebV9p/UjV
hfHkVqmSuFDRh6se7lG23p6t85jHUpUU6DzgDbbqSOLmTAlJ3N62qLWTaKQ1
aoUv3xjD2+Z7u5z4cOco7sNDb69jzDo8PdlDYHR/8WauPXh/kf/C3lnvLcXx
QHXs9dYO+1t378upoMenrNiEgAjvx9Q85CX3LDC3B5BllWkbUqwdyAkbvAhU
aitUoAchtRLRadiPWsOk2+J02B9jtE+gA0SAhS5uk/6U1pqbD/RVKKC1Iuwk
HhaJSCGpRlhSR6XhW6A9ShKf/MGFA4udrGTX4hQcMjLumfPiU4xOY88P+bWL
8BkonuHsXF4kjv6gdk+FaTCsI32FI+ENDwoD4UXLUo3PpCCO+/a49Qw4ZCD1
TVpdUrFToz80JXy11FrnVPKAsAElJ8nXzrlsHdaCRbGKbGEaHDuSwFkbWGK2
VXKFl2S+ZZBlGm474BgVPmrAdyxUeS7L0+5vTWmuJNqjtKe8VrWg46A7Choz
lw7aowvtIbhnNk91DEYyHAqLKB/KlBcKkcB9brHf0I1kp2vGFsKA6WMcImj7
sXZwGQ+utbfzb8/oHRMRssUkWvy+KXtDTLgXTBJiMnjguzwgQkIEJOKxJ9cz
yUAEm7pcAXDO3x29qxmeoydfynsUz4Dx5PFN+RKREenUJaFCqA3RonA8HL80
Tasiq0frVT0C2oCRYX64L3g4NomExeGAnpSdkU4d7sWIsuNpX1JKArEdAEeY
b6pIU7Mm6mUwArWFbyImPVoZA3DhEvbA68ZnibbtHkkX/rlzyQgt9FrRe6CS
MMA65zu575/+zMmqseRK0im50tncXTuh3/ti2WSuZzjXQxf2VBfWq76aItv+
jSd8YuzHT+elr8DHv1clXPCGzlr9G/AOk+ufvqPGF2OZUm9F6B8Z4kgH//Jo
3/0/1DiQHTPqAAA=

-->

</rfc>
