<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-gray-lamps-composite-fndsa-lms-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="composite-fndsa-lms">Composite FN-DSA and LMS Digital Signature Algorithm for use in X.509 Public Key Infrastructure</title>
    <seriesInfo name="Internet-Draft" value="draft-gray-lamps-composite-fndsa-lms-00"/>
    <author fullname="John Gray">
      <organization>Entrust</organization>
      <address>
        <postal>
          <street>2500 Solandt Road – Suite 100</street>
          <city>Ottawa, Ontario</city>
          <code>K2K 3G5</code>
          <country>Canada</country>
        </postal>
        <email>john.gray@entrust.com</email>
      </address>
    </author>
    <author initials="J. P." surname="Fiset" fullname="Jean-Pierre Fiset">
      <organization>Crypto4a</organization>
      <address>
        <postal>
          <country>Canada</country>
        </postal>
        <email>jp@crypto4a.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Limited Additional Mechanisms for PKIX and SMIME</workgroup>
    <keyword>composite</keyword>
    <keyword>fn-dsa</keyword>
    <keyword>lms</keyword>
    <abstract>
      <?line 52?>

<t>This document defines a composite signature scheme combining the FN-DSA (Falcon) digital signature algorithm with the Leighton-Micali Signature (LMS) scheme defined in RFC 8554. This construction is designed for use within X.509 Public Key Infrastructure (PKI) and follows the composite signature paradigm defined in <xref target="I-D.ietf-lamps-pq-composite-sigs"/>.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://johngray-dev.github.io/draft-gray-lamps-composite-fndsa-lms/draft-gray-lamps-composite-fndsa-lms.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-gray-lamps-composite-fndsa-lms/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Limited Additional Mechanisms for PKIX and SMIME Working Group mailing list (<eref target="mailto:spasm@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/spasm/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/spasm/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/johngray-dev/draft-gray-lamps-composite-fndsa-lms"/>.</t>
    </note>
  </front>
  <middle>
    <?line 57?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This document defines a composite signature scheme combining:</t>
      <ul spacing="normal">
        <li>
          <t>FN-DSA (Falcon), a lattice-based signature algorithm</t>
        </li>
        <li>
          <t>LMS, a stateful hash-based signature algorithm <xref target="RFC8554"/></t>
        </li>
      </ul>
      <t>The reason for this choice of algorithm combination:</t>
      <ul spacing="normal">
        <li>
          <t>Both FN-DSA and LMS are believed to be quantum resistant algorithms (PQ/PQ Hybrid).</t>
        </li>
        <li>
          <t>They use completely different hardness problems (lattice based versus stateful hash based).</t>
        </li>
        <li>
          <t>If relevent attacks or implementations bugs are found in either algorithm there is resiliency.</t>
        </li>
        <li>
          <t>FN-DSA can help mitigate the risk of operational errors that lead to state failure in LMS.</t>
        </li>
        <li>
          <t>Combined together they produce a compact PQ/PQ composite signature ideally suited for high value assets in constrained environments.</t>
        </li>
      </ul>
      <t>The composite construction presents a single algorithm interface while internally invoking both primitives.</t>
      <t>This specification follows the composite design framework described in <xref target="I-D.ietf-lamps-pq-composite-sigs"/>.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="overview-of-the-composite-fn-dsa-lms-scheme">
      <name>Overview of the Composite FN-DSA-LMS Scheme</name>
      <t>Composite FN-DSA-LMS is a hybrid signature scheme formed by combining FN-DSA and LMS.</t>
      <t>The construction follows the composite signature combiner approach:</t>
      <t><tt>
M' := Prefix || Label || len(ctx) || ctx || PH(M)
</tt></t>
      <t>Both component algorithms independently sign <tt>M'</tt>.</t>
      <section anchor="pre-hashing">
        <name>Pre-hashing</name>
        <t>Composite FN-DSA-LMS uses a pre-hash function PH:</t>
        <t>PH(M)</t>
        <t>This is incorporated into the message representative:</t>
        <t><tt>
M' := Prefix || Label || len(ctx) || ctx || PH(M)
</tt></t>
      </section>
      <section anchor="prefix-label-and-context">
        <name>Prefix, Label, and Context</name>
        <t>Prefix:
Always set to "CompositeAlgorithmSignatures2025" as in <xref target="I-D.ietf-lamps-pq-composite-sigs"/>.</t>
        <t>Label:
Unique per algorithm OID (defined in Algorithm Identifier section below)</t>
        <t>ctx:
Application-defined context (0–255 bytes).</t>
      </section>
    </section>
    <section anchor="composite-functions">
      <name>Composite Functions</name>
      <section anchor="key-generation">
        <name>Key Generation</name>
        <artwork><![CDATA[
Composite-FNDSA-LMS.KeyGen() -> (pk, sk)

Steps:

1. Generate component keys:

(fndsaPK, fndsaSK) = FNDSA.KeyGen()
(lmsPK, lmsSK)     = LMS.KeyGen()

2. Output:

pk = SerializePublicKey(fndsaPK, lmsPK)
sk = SerializePrivateKey(fndsaSK, lmsSK)
]]></artwork>
      </section>
      <section anchor="sign">
        <name>Sign</name>
        <t>Signing follows a similar procedure as in <xref target="I-D.ietf-lamps-pq-composite-sigs"/>.</t>
        <artwork><![CDATA[
Composite-FNDSA-LMS.Sign(sk, M, ctx) -> s

Steps:

1. Check:
   if len(ctx) > 255: error

2. Compute:
   M' := Prefix || Label || len(ctx) || ctx || PH(M)

3. Deserialize keys:
  (fndsaSK, lmsSK) = DeserializePrivateKey(sk)

4. Sign:
  fndsaSig = FNDSA.Sign(fndsaSK, M')
  lmsSig   = LMS.Sign(lmsSK, M')

5. Output:
  s = SerializeSignatureValue(fndsaSig, lmsSig)
]]></artwork>
      </section>
      <section anchor="verify">
        <name>Verify</name>
        <artwork><![CDATA[
Composite-FNDSA-LMS.Verify(pk, M, s, ctx) -> boolean

Steps:

1. Deserialize:
   (fndsaPK, lmsPK) = DeserializePublicKey(pk)
   (fndsaSig, lmsSig) = DeserializeSignatureValue(s)

2. Compute:
   M' := Prefix || Label || len(ctx) || ctx || PH(M)

3. Verify:
  FNDSA.Verify(fndsaPK, M', fndsaSig)
  LMS.Verify(lmsPK, M', lmsSig)

Both FNDSA.Verify() and LMS.Verify() MUST verify correctly.
]]></artwork>
      </section>
      <section anchor="serialization-of-public-and-privates-keys-and-sigantures">
        <name>Serialization of Public and Privates Keys and Sigantures</name>
        <section anchor="public-key">
          <name>Public Key</name>
          <artwork><![CDATA[
SerializePublicKey(fndsaPK, lmsPK):
return fndsaPK || lmsPK
]]></artwork>
        </section>
        <section anchor="private-key">
          <name>Private Key</name>
          <artwork><![CDATA[
SerializePrivateKey(fndsaSK, lmsSK):
return fndsaSK || lmsSK
]]></artwork>
        </section>
        <section anchor="signature">
          <name>Signature</name>
          <t>LMS signatures are variable length. Parsing relies on the fixed size of the FN-DSA signature.</t>
          <artwork><![CDATA[
SerializeSignatureValue(fndsaSig, lmsSig):
return fndsaSig || lmsSig
]]></artwork>
        </section>
      </section>
    </section>
    <section anchor="use-within-x509-and-pkix">
      <name>Use within X.509 and PKIX</name>
      <t>Composite FN-DSA-LMS is used identically to other composite algorithms.</t>
      <ul spacing="normal">
        <li>
          <t>Public key encoded as BIT STRING</t>
        </li>
        <li>
          <t>Signature encoded as BIT STRING</t>
        </li>
        <li>
          <t>Raw serialized values used without ASN.1 wrapping</t>
        </li>
      </ul>
    </section>
    <section anchor="algorithm-identifiers">
      <name>Algorithm Identifiers</name>
      <section anchor="id-fndsa512-lmsm24-shake">
        <name>id-FNDSA512-LMS_M24-SHAKE</name>
        <ul spacing="normal">
          <li>
            <t>Label: <tt>COMPSIG-FNDSA512-LMS_M24-SHAKE</tt></t>
          </li>
          <li>
            <t>PH: SHAKE256</t>
          </li>
          <li>
            <t>FN-DSA: FN-DSA-512</t>
          </li>
          <li>
            <t>LMS: LMS_SHAKE_M24_H10</t>
          </li>
        </ul>
      </section>
      <section anchor="id-fndsa512-lmsm32-shake">
        <name>id-FNDSA512-LMS_M32-SHAKE</name>
        <ul spacing="normal">
          <li>
            <t>Label: <tt>COMPSIG-FNDSA512-LMS_M32-SHAKE</tt></t>
          </li>
          <li>
            <t>PH: SHAKE256</t>
          </li>
          <li>
            <t>FN-DSA: FN-DSA-512</t>
          </li>
          <li>
            <t>LMS: LMS_SHAKE_M32_H10</t>
          </li>
        </ul>
      </section>
      <section anchor="id-fndsa1024-lmsm32-shake">
        <name>id-FNDSA1024-LMS_M32-SHAKE</name>
        <ul spacing="normal">
          <li>
            <t>Label: <tt>COMPSIG-FNDSA1024-LMS_M32-SHAKE</tt></t>
          </li>
          <li>
            <t>PH: SHAKE256</t>
          </li>
          <li>
            <t>FN-DSA: FN-DSA-1024</t>
          </li>
          <li>
            <t>LMS: LMS_SHAKE_M32_H15</t>
          </li>
        </ul>
        <t>TODO:  Define other combinations here.  We want to keep the list as small as possible.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="lms-statefulness-requirement">
        <name>LMS Statefulness Requirement</name>
        <t>LMS private keys are stateful.</t>
        <t>Each invocation of LMS.Sign <bcp14>MUST</bcp14> use a unique leaf index. Reuse of a leaf index results in catastrophic loss of security.</t>
      </section>
      <section anchor="hybrid-security">
        <name>Hybrid Security</name>
        <t>Composite FN-DSA-LMS is EUF-CMA secure if at least one component remains secure.</t>
      </section>
      <section anchor="suf-cma">
        <name>SUF-CMA</name>
        <t>Composite FN-DSA-LMS is NOT SUF-CMA secure.</t>
      </section>
      <section anchor="key-reuse">
        <name>Key Reuse</name>
        <t>Component keys <bcp14>MUST NOT</bcp14> be reused between:</t>
        <ul spacing="normal">
          <li>
            <t>composite vs standalone</t>
          </li>
          <li>
            <t>multiple composites</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>IANA is requested to assign OIDs under:</t>
      <t>1.3.6.1.5.5.7.6</t>
      <t>TODO for each combination</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <reference anchor="I-D.ietf-lamps-pq-composite-sigs">
        <front>
          <title>Composite Module-Lattice-Based Digital Signature Algorithm (ML-DSA) for use in X.509 Public Key Infrastructure</title>
          <author fullname="Mike Ounsworth" initials="M." surname="Ounsworth">
            <organization>Entrust Limited</organization>
          </author>
          <author fullname="John Gray" initials="J." surname="Gray">
            <organization>Entrust Limited</organization>
          </author>
          <author fullname="Massimiliano Pala" initials="M." surname="Pala">
            <organization>OpenCA Labs</organization>
          </author>
          <author fullname="Jan Klaußner" initials="J." surname="Klaußner">
            <organization>Bundesdruckerei GmbH</organization>
          </author>
          <author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
            <organization>Cisco Systems</organization>
          </author>
          <date day="21" month="April" year="2026"/>
          <abstract>
            <t>   This document defines combinations of US NIST Module-Lattice-Based
   Digital Signature Algorithm (ML-DSA) in hybrid with traditional
   algorithms RSASSA-PKCS1-v1.5, RSASSA-PSS, ECDSA, Ed25519, and Ed448.
   These combinations are tailored to meet regulatory guidelines in
   certain regions.  Composite ML-DSA is applicable in applications that
   use X.509 or PKIX data structures that accept ML-DSA, but where the
   operator wants extra protection against breaks or catastrophic bugs
   in ML-DSA, and where existential unforgeability (EUF-CMA) level
   security is acceptable.

            </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-pq-composite-sigs-19"/>
      </reference>
      <reference anchor="I-D.ietf-lamps-fn-dsa-certificates">
        <front>
          <title>Internet X.509 Public Key Infrastructure -- Algorithm Identifiers for the Fast-Fourier Transform over NTRU-Lattice-Based Digital Signature Algorithm (FN-DSA)</title>
          <author fullname="Jake Massimo" initials="J." surname="Massimo">
            <organization>AWS</organization>
          </author>
          <author fullname="Panos Kampanakis" initials="P." surname="Kampanakis">
            <organization>AWS</organization>
          </author>
          <author fullname="Sean Turner" initials="S." surname="Turner">
            <organization>sn3rd</organization>
          </author>
          <author fullname="Bas Westerbaan" initials="B." surname="Westerbaan">
            <organization>Cloudflare</organization>
          </author>
          <date day="20" month="May" year="2026"/>
          <abstract>
            <t>   Digital signatures are used within X.509 certificates and Certificate
   Revocation Lists (CRLs), and to sign messages.  This document
   specifies the conventions for using, the forthcoming, FIPS 206, the
   Fast-Fourier Transform over NTRU-Lattice-Based Digital Signature
   Algorithm (FN-DSA), in Internet X.509 certificates and CRLs.  The
   conventions for the associated signatures, subject public keys, and
   private key are also described.

            </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-fn-dsa-certificates-00"/>
      </reference>
      <reference anchor="RFC8554">
        <front>
          <title>Leighton-Micali Hash-Based Signatures</title>
          <author fullname="D. McGrew" initials="D." surname="McGrew"/>
          <author fullname="M. Curcio" initials="M." surname="Curcio"/>
          <author fullname="S. Fluhrer" initials="S." surname="Fluhrer"/>
          <date month="April" year="2019"/>
          <abstract>
            <t>This note describes a digital-signature system based on cryptographic hash functions, following the seminal work in this area of Lamport, Diffie, Winternitz, and Merkle, as adapted by Leighton and Micali in 1995. It specifies a one-time signature scheme and a general signature scheme. These systems provide asymmetric authentication without using large integer mathematics and can achieve a high security level. They are suitable for compact implementations, are relatively simple to implement, and are naturally resistant to side-channel attacks. Unlike many other signature systems, hash-based signatures would still be secure even if it proves feasible for an attacker to build a quantum computer.</t>
            <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. This has been reviewed by many researchers, both in the research group and outside of it. The Acknowledgements section lists many of them.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="8554"/>
        <seriesInfo name="DOI" value="10.17487/RFC8554"/>
      </reference>
      <reference anchor="RFC9858">
        <front>
          <title>Additional Parameter Sets for HSS/LMS Hash-Based Signatures</title>
          <author fullname="S. Fluhrer" initials="S." surname="Fluhrer"/>
          <author fullname="Q. Dang" initials="Q." surname="Dang"/>
          <date month="October" year="2025"/>
          <abstract>
            <t>This document extends HSS/LMS (RFC 8554) by defining parameter sets that use alternative hash functions. These include hash functions that result in signatures with significantly smaller sizes than the signatures that use the RFC 8554 parameter sets and should have sufficient security.</t>
            <t>This document is a product of the Internet Research Task Force (IRTF). The IRTF publishes the results of Internet-related research and development activities. These results might not be suitable for deployment. This RFC represents the consensus of the Crypto Forum Research Group of the Internet Research Task Force (IRTF). Documents approved for publication by the IRSG are not candidates for any level of Internet Standard; see Section 2 of RFC 7841.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9858"/>
        <seriesInfo name="DOI" value="10.17487/RFC9858"/>
      </reference>
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
    </references>
    <?line 295?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA61Za3LbRhL+P6fopX5Y3BKgh83EYcVOZD0sRqKkiHIelUpF
Q2BIzgoEYMyANO0ktXfYC+xZ9ih7kv16BgRBWSorySYpERj09OPrx3RPgiAQ
VttEdal1kE3zzGir6Pg8OBzsk0xjOusP6FCPtZUJDfQ4lbYsFO0n46zQdjKl
UVZQaRTplH4IOztf0GU5THREp2pBvXRUSGOLMuJNLSGHw0LNIClaSgpGaWxk
kExNS0TSKnBddMnYWIg4i1I5hV5xIUc2GBdyESRympvgnt3Bzo4w5XCqjdFZ
ahc59vWOro+JNkgmJoNMncYqV/iT2tYWtVSsLUyQCb/09l/hB5a0elfXxy2R
ltOhKroihkpdEWWpUakpTZdgixKw4KmQhZLgOlBRCSAWLTHPittxkZU5Vs/0
FOrFtB9DChQCdn0VTWSqzdQ4yC5Pez84fAf9Xv+oJW7VAgzirqCAavv4ZZQG
sJGfYKaYqbSERkR/XhKRh6f1PRTW6ZheMyten0qdYN3k0ky/1sqOwqwY8wdZ
RBN8mFibm+72NtPxkp6pcEm2zQvbwyKbG7XtOGzzTsTNpBxi7z+ySepcGKvZ
9mM8yrsTwG9sQ3KTS+h5hzp7FL9HEYUTO01aQsjSTrKCnQEtiEZlkvhYbH0D
DYCYXLTcF1gOqN9Lhr5LRyniw1j3RXk0WeOQhX6t/McQYh0B8kIpGLfX2dmh
QZbARZauMhnTf//5LxqUnIe7CGumjRBhXbqwVs7lFl2kVhY681+yEnzx8UCm
MpbVWgxVT/dO6enrztIGnSJ8vwkv6Vgb5VX0Jn2jZBpcalUgrVffYBh4Fovc
Zs/kmkH511G1XJtyVwmRZsUUmMxcqPaCQxcmFez52wbyRo/NPTQ+6INIFVaP
NBcGR3V1fPC803lWPX7xvPO8K4RORytpIgxDIYIgIDkEwDKyQlxPtCFUk3IK
F1CsRjpVhuQqzcjUdc1EEzVV/GmoU04OO6mr4eaxTFAK2hRX5XC1TdblcI6/
btOZ0uOJzdKgD/0T3aidmyip7aUkr07M5RMmEZsXktOYq44rnQgtYgsUywPp
suKyqE9XXdpEAWi7AjDKkgT56dS7z/hcFhK2TZtK/fQp7/0MvB3gUx3HiRJi
AwrYIou95n8Nfjg0uAv/FvaiMFgdqWAoDdS8xw/YBpSZ1FhEDxKYJtJMHt5A
P1XB9TNrrAjV3QB3xto6b0wyCKRs1Nji1fS5z4q+yuD7O0cnjgkaqkSrGeTa
DM/0tpSpLacQYTS0Ayg1SwNvfbt9+S2dLIaFjtshuEKbhfM3A5Yoq5IFInA0
UgXjOZFFDDwN5UU2TBRzqMAhb+tMFTi51mHwnxz33gh6JNCO1UB9iW4Nn4Oa
RbHDnHWGhuXYOFtGSHUXGAr6qqKBBr8qDlS2Cwan0SJceS+SKU1UkiNMrB5D
FxeFhTa3jGmWq0JWxxcKUVZwkEpLiZIONac9jVCA2GmQDmiZ+YHzgEN2rJw+
ltHKXfipKshQBMijel/I6VjJBJCa0p2j7PAJMpdmMinBwaAgGpbo01E6aSqd
6SJLGR8T+nhZsV7L2xxgMBUHIuI5aUacTq0qRhJ6zic6Uf49dcrodJa5s3nI
IZUXfMijvnlhgNjkKvKFUbsgvS+vfb0g1IKp4t6EF6JCD/9IXm8A4ZRjwwUB
x/Qh56/rNIw3HI0LcediqNV/M7jmbop/6fzCPV8dffumd3V0yM+Dk/2zs/pB
VBSDk4s3Z4erp9XOg4t+/+j80G/GKq0tiVZ//0d8Ya1aF5fXvYvz/bMW22bX
Kg5HrU88BzA8wn6WRqzh8erg8j//3n1GHz78DYVgb3f3i99+q16e737+DC/z
iUq9tCyFi/wrh5uQea5kwVzgPER6zqeDAS0cNcnmHPiFApx//4mR+blLXw6j
fPfZy2qBDV5bXGK2tugw+3jlo80exHuW7hFTo7m2fgfpdX33f1x7X+LeWPzy
qwRJQsHu869euhC6QAmaaTXnROcQvTtmBFwnB67yC3HvR835M3El8ePDgk9/
+HC4aJza60W4TtFGYn7qLPS8uMDlqCYS/a8QNzc3ov+Eui/oskAavKNff6Uz
ierOD4lKNyP7rs3P+OWfy5PNftvtEu5ocHJStV7wG2MJVyFO2Zv+kxvovLHB
cgIu2LDpAWhwMDA4eUWIVjX1Bl6eQGOvga8Z/F8aZUWeodS6oEdWsPlTHB9y
zEdeVa2WvdRfsNfrjj1bfodPHBQTq96hJfPfumI/mcsFskRZTtHVAFqPl3XX
ZPZ29jotTqnHFi8ntyvepPotCnm+dlZd9A5ps9HlrMbZHjsCpRXkRnkkwSab
A0VYCY3zPKnqbrBkEHmzaHMHnftep4NYRMPaDn39rJ1WecY4dLhRe63S6tgT
4vfff185ODg+r/wbgg5km20KXtJmfrtF5haqDKzCPCTEbrhkohrRhZLMHzfd
WHN5ukXuYXDaphfkONdcxSaGHqbAD3/nf15QU64QeyFdlDYvLVjmt/g8UDw2
6/fK95ygXEly7NrCrNMVegYNa8JBLdCZzXCwn2EW/nL6LpOTD80pz5p8okcq
dh3b4yPgIUxZzKYBlv0tciEMbM0aqAcTFd3ymEF6tIr0l5jVOl3foDhcmHlp
3ZBDfzxRxNMQx6lZolS5jeguSICyQdYA04UCxgW2hzf6fXpcu9kZWnPrP2nz
TA2eIFn62ZE4OZ5AdFbuxozadGOdi99xa7S5lLZVsVw58zvsGC0ext9/d9EM
D5iVE4ZZho4vXXNFw3SH891Yu4NOHZL5bXtF3lRzfcMdo0z7/+RYbyMz8K6o
bK6V7z/Zqv3FijZwqVKSKZbIimq0aHBq16dbveCaiZl7QzXAPB/hSAlXOVbZ
7JtGHMbVzMh8qqgyXJd8owe5PKag8vLmjcaA6R376SrQFWi1yiKlat1hxl+W
Gm0sxd7H9cGasc52sGQ7aLCtnSr4iKwPdT/BzCREYFRi/43tJKRLWXBvznOQ
Bk2WulMR3naT4nu17FuqpqJmF95R+VP5cUdxJGGluR5XqtObu2O9881p74eH
G6OShzztTq3IzQ44SDM3Cq3amlW7wZcjS1dy544pLYtdO0yvetc0uL7qnb8G
yeq24iGKKzmnOotiPy5V2rAFWWlpf3Ae7tK8QAvlGpiNe89Zfx7q2BeIzu4e
W/ZLf+9ZgAb39IgV9kc53aAnvRz0Xj9AecOmnXTJvex1PquHz+4SMmzxFwNd
/vOLI+T9v5zs7tyvxdO9x2qxpPyzWjzd+0iL3R2Y9jg1Pib9tB685yFFOujc
ry8OL7rkJz61iqnllYfxYw3R94hZvsVA4N0qlbtcSbSxbv6Z8kiEB0Si0cg6
P1Uub825IzQIXt8F+Uhw00B1W+FuNq7U21IX7jZCuITOq6px62oVTwIVOZgf
oVV343NUl7nlMefrI9+kSCp9V4jTZuQ68HchxPAnvuBpLPNlRplUNwDS8rVa
lk+QPAnsYWJTWeL7dX9tU5v3cNYevTkODvr7frviLsPfdgA19HCNXq7ga9fU
VIReysBvfpg7T3CDNQlh3XQ6M6utdbdIyzmUx+RCuSweKjtXyt9srUrJzF0l
pbFMsBtfpkBH50ljiDLOw7398/2PvOsW3Q0RwDfW34hJ44YetOQoH8C8cOf+
0/CzcDfs4N/Pw898LLq7GcX+bURhdfk4lNGtKzDRbZrNExWP3eWM+ND1/ytH
xS9aIwzlqvVbxUzWlADnfzy2V/AGGwAA

-->

</rfc>
