<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.3.8) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-core-observe-multicast-notifications-15" category="std" consensus="true" submissionType="IETF" updates="7252, 7641" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Observe Multicast Notifications">Observe Notifications as CoAP Multicast Responses</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-core-observe-multicast-notifications-15"/>
    <author initials="M." surname="Tiloca" fullname="Marco Tiloca">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>164 40</code>
          <country>Sweden</country>
        </postal>
        <email>marco.tiloca@ri.se</email>
      </address>
    </author>
    <author initials="R." surname="Höglund" fullname="Rikard Höglund">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>164 40</code>
          <country>Sweden</country>
        </postal>
        <email>rikard.hoglund@ri.se</email>
      </address>
    </author>
    <author initials="C." surname="Amsüss" fullname="Christian Amsüss">
      <organization/>
      <address>
        <postal>
          <street>Hollandstr. 12/4</street>
          <city>Vienna</city>
          <code>1020</code>
          <country>Austria</country>
        </postal>
        <email>christian@amsuess.com</email>
      </address>
    </author>
    <author initials="F." surname="Palombini" fullname="Francesca Palombini">
      <organization>Ericsson AB</organization>
      <address>
        <postal>
          <street>Torshamnsgatan 23</street>
          <city>Kista</city>
          <code>164 40</code>
          <country>Sweden</country>
        </postal>
        <email>francesca.palombini@ericsson.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>WIT</area>
    <workgroup>CoRE Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 158?>

<t>The Constrained Application Protocol (CoAP) allows clients to "observe" resources at a server and to receive notifications as unicast responses upon changes of the resource state. In some use cases, such as those based on publish-subscribe, it would be convenient for the server to send a single notification addressed to all the clients observing the same target resource. This document updates RFC7252 and RFC7641, and it defines how a server sends observe notifications as response messages over multicast, synchronizing  all the observers of the same resource on the same shared Token value. Besides, this document defines how the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE) can be used to protect multicast notifications end-to-end between the server and the observer clients.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
  Constrained RESTful Environments Working Group mailing list (core@ietf.org),
  which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/core/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
  <eref target="https://github.com/core-wg/observe-multicast-notifications"/>.</t>
    </note>
  </front>
  <middle>
    <?line 162?>

<section anchor="intro">
      <name>Introduction</name>
      <t>The Constrained Application Protocol (CoAP) <xref target="RFC7252"/> has been extended with a number of mechanisms, including resource Observation <xref target="RFC7641"/>. This enables CoAP clients to register at a CoAP server as "observers" of a resource, and hence to be automatically notified with an unsolicited response upon changes of the resource state.</t>
      <t>CoAP supports group communication <xref target="I-D.ietf-core-groupcomm-bis"/>, e.g., over IP multicast. This includes support for Observe registration requests over multicast, in order for clients to efficiently register as observers of a resource hosted at multiple servers.</t>
      <t>However, in a number of use cases, using multicast messages for responses would also be desirable. That is, it would be useful that a server sends observe notifications for the same target resource to multiple observers as responses over IP multicast.</t>
      <t>For instance, in the publish-subscribe architecture for CoAP <xref target="I-D.ietf-core-coap-pubsub"/>, multiple clients can subscribe to a topic, by observing the related resource hosted at the responsible broker. When new data is published on that topic, it would be convenient for the broker to send a single multicast notification at once, addressed to all the subscriber clients observing the resource related to that topic.</t>
      <t>A different use case concerns clients observing the same registration resource at the CoRE Resource Directory <xref target="RFC9176"/>. For example, multiple clients can benefit from observation for discovering (to-be-created) groups that use the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE) <xref target="I-D.ietf-core-oscore-groupcomm"/>, by retrieving from the Resource Directory updated links and descriptions to join those groups through the respective Group Manager <xref target="I-D.tiloca-core-oscore-discovery"/>.</t>
      <t>More in general, multicast notifications would be beneficial whenever several CoAP clients observe the same target resource at a CoAP server, and thus they could all be notified at once by means of a single response message. However, CoAP does not originally define response messages addressed to multiple clients, e.g., over IP multicast. This document fills this gap and provides the following twofold contribution.</t>
      <t>First, it updates <xref target="RFC7252"/> and <xref target="RFC7641"/>, by defining a method to deliver observe notifications as CoAP responses addressed to multiple clients, e.g., over IP multicast. In particular, the group of potential observers entrusts the server to manage the Token space for multicast notifications. Building on that, the server provides all the observers of a target resource with the same Token value to bind to their own observation, by sending a unicast informative response to each observer client. That Token value is then used in every multicast notification for the target resource under that observation.</t>
      <t>Second, this document defines how to use Group OSCORE <xref target="I-D.ietf-core-oscore-groupcomm"/> to protect multicast notifications end-to-end between the server and the observer clients. This is also achieved by means of the unicast informative response mentioned above, which additionally includes parameter values used by the server to protect every multicast notification for the target resource by using Group OSCORE. This provides a secure binding between each of such notifications and the observation of each of the clients.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

<t>Readers are expected to be familiar with terms and concepts described in CoAP <xref target="RFC7252"/>, group communication for CoAP <xref target="I-D.ietf-core-groupcomm-bis"/>, Observe <xref target="RFC7641"/>, Concise Data Definition Language (CDDL) <xref target="RFC8610"/>, Concise Binary Object Representation (CBOR) <xref target="RFC8949"/>, Object Security for Constrained RESTful Environments (OSCORE) <xref target="RFC8613"/>, Group OSCORE <xref target="I-D.ietf-core-oscore-groupcomm"/>, and Constrained Resource Identifiers (CRIs) <xref target="I-D.ietf-core-href"/>.</t>
        <t>This document additionally defines the following terminology.</t>
        <ul spacing="normal">
          <li>
            <t>Traditional observation: a resource observation associated with a single observer client, as defined in <xref target="RFC7641"/>.</t>
          </li>
          <li>
            <t>Group observation: a resource observation associated with a group of clients. The server sends multicast notifications for the group-observed resource to all the observer clients at once. For example, such notifications can be transported over UDP and IP multicast.</t>
          </li>
          <li>
            <t>Phantom request: the CoAP request message that the server would have received to start a group observation on one of its resources. A phantom request is generated inside the server and does not hit the wire.</t>
          </li>
          <li>
            <t>Informative response: a CoAP response message that the server sends to a given client via unicast, providing the client with information on a group observation.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-prereq">
      <name>Prerequisites</name>
      <t>In order to use multicast notifications as defined in this document, the following prerequisites have to be fulfilled.</t>
      <ul spacing="normal">
        <li>
          <t>The server and the clients need to be on a network where multicast notifications can reach a sufficiently large portion of the clients.  </t>
          <t>
This document focuses on a network setup where the clients are capable of listening to multicast traffic and can directly receive multicast notifications.  </t>
          <t>
Alternative network setups may leverage intermediaries such as proxies, e.g., in order to accommodate clients that are not able to directly listen to multicast traffic. How the method specified in this document can be used in such setups is discussed in <xref target="I-D.ietf-core-multicast-notifications-proxy"/>.</t>
        </li>
        <li>
          <t>The server needs to be provisioned with multicast addresses whose Token space is placed under its control. On general purpose networks, unmanaged multicast addresses such as "All CoAP Nodes" (see <xref section="12.8" sectionFormat="of" target="RFC7252"/>) are not suitable for this purpose.</t>
        </li>
        <li>
          <t>The server and the clients need to agree out-of-band that multicast notifications may be used.  </t>
          <t>
This document does not describe a way for a client to influence the server's decision to start group observations and thus to use multicast notifications. This is done on purpose.  </t>
          <t>
That is, the method specified in this document is expected to be used in situations where sending individual notifications is not feasible, or is not preferred beyond a certain number of clients observing a target resource.  </t>
          <t>
If applications arise where a negotiation between the clients and the server does make sense, those applications can specify additional means for clients to opt in for receiving multicast notifications.</t>
        </li>
      </ul>
    </section>
    <section anchor="sec-variants">
      <name>High-Level Overview of Available Variants</name>
      <t>The method defined in this document fundamentally enables a server to set up a group observation. This is associated with a phantom observation request that is generated by the server and to which the multicast notifications of the group observation are bound.</t>
      <t>Consistent with the scope of this document, the following assumes a network setup where the clients participating in the group observation are capable of listening to multicast traffic. In such a setup, the clients directly receive multicast notifications from the server. Alternative network setups that rely on intermediaries such as proxies are discussed in <xref target="I-D.ietf-core-multicast-notifications-proxy"/>.</t>
      <t>While the server can provide the phantom request in question to the interested clients as they reach out for registering to the group observation, the server may alternatively distribute the phantom request in advance by alternative means (e.g., see <xref target="appendix-different-sources"/>). Clients that have already retrieved the phantom request can immediately start listening to multicast notifications.</t>
      <t>The rest of this section provides an overview of the available variants to enforce a group observation, which differ as to whether exchanged messages are protected end-to-end between the observer clients and the server.</t>
      <ul spacing="normal">
        <li>
          <t>Variant without end-to-end security - Messages pertaining to the group observation are not protected. This basic case is defined in <xref target="sec-server-side"/> and <xref target="sec-client-side"/> from the server and the client side, respectively. An example is provided in <xref target="sec-example-no-security"/>.</t>
        </li>
        <li>
          <t>Variant with end-to-end security - Messages pertaining to the group observation are protected end-to-end between the clients and the server, by using the security protocol Group OSCORE <xref target="I-D.ietf-core-oscore-groupcomm"/>. This case is defined in <xref target="sec-secured-notifications"/>. An example is provided in <xref target="sec-example-with-security"/>.  </t>
          <t>
If the participating endpoints using Group OSCORE also support the concept of Deterministic Client <xref target="I-D.ietf-core-cacheable-oscore"/>, then the possible early distribution of the phantom request can specifically make available its smaller, plain version. Consequently, all the clients are able to produce the same protected phantom request to use (see <xref target="deterministic-phantom-Request"/>).</t>
        </li>
      </ul>
    </section>
    <section anchor="sec-server-side">
      <name>Server-Side Requirements</name>
      <t>The server can, at any time, start a group observation on one of its resources. Practically, the server may want to do that under the following circumstances:</t>
      <ul spacing="normal">
        <li>
          <t>In the absence of observations for the target resource, the server receives a registration request from a first client wishing to start a traditional observation on that resource.</t>
        </li>
        <li>
          <t>When a certain number of traditional observations has been established on the target resource, the server decides to make the corresponding observer clients part of a group observation on that resource.</t>
        </li>
      </ul>
      <t>The server maintains an observer counter for each group observation to a target resource, as a rough estimation of the observers actively taking part in the group observation.</t>
      <t>The server initializes the counter to 0 when starting the group observation and increments it after a new client starts taking part in that group observation. The server is expected to keep the counter up-to-date over time, for instance by using the method described in <xref target="sec-rough-counting"/>. This allows the server to possibly terminate a group observation if, at some point in time, not enough clients are estimated to be still active and interested.</t>
      <section anchor="ssec-server-side-request">
        <name>Request</name>
        <t>Assuming that the server is reachable at the address SRV_ADDR and port number SRV_PORT, the server starts a group observation on one of its resources as defined below. The server intends to send multicast notifications for the target resource to the multicast IP address GRP_ADDR and port number GRP_PORT.</t>
        <ol spacing="normal" type="1"><li>
            <t>The server composes a phantom observation request, i.e., a GET request with an Observe Option set to 0 (register).</t>
          </li>
          <li>
            <t>The server selects an available value T, from the Token space of a CoAP endpoint used for messages that have:  </t>
            <ul spacing="normal">
              <li>
                <t>As source address and port number, the IP multicast address GRP_ADDR and port number GRP_PORT.</t>
              </li>
              <li>
                <t>As destination address and port number, the server address SRV_ADDR and port number SRV_PORT, intended for accessing the target resource.</t>
              </li>
            </ul>
            <t>
This Token space is under exclusive control of the server.</t>
          </li>
          <li>
            <t>The server processes the phantom observation request above, without transmitting it on the wire. The request is addressed to the resource for which the server wants to start the group observation, as if it was sent by the group of observers, i.e., with GRP_ADDR as source address and GRP_PORT as source port.</t>
          </li>
          <li>
            <t>Upon processing the self-generated phantom registration request, the server interprets it as an Observe registration request from the group of potential observer clients. In particular, from then on, the server <bcp14>MUST</bcp14> use T as its own local Token value associated with that observation, with respect to the (previous hop towards the) clients.</t>
          </li>
          <li>
            <t>The server does not immediately reply to the phantom observation request with a multicast notification sent on the wire. The server stores the phantom observation request as is, throughout the lifetime of the group observation.</t>
          </li>
          <li>
            <t>The server composes a CoAP response message INIT_NOTIF as the initial multicast notification for the target resource, in response to the phantom observation request. This message is formatted like other multicast notifications (see <xref target="ssec-server-side-notifications"/>) and <bcp14>MUST</bcp14> include the current representation of the target resource as its payload.  </t>
            <t>
The server stores the message INIT_NOTIF and does not transmit it. The server considers this message as the latest multicast notification for the target resource, until it transmits a new multicast notification for that resource as a CoAP message on the wire, after which the server deletes the message INIT_NOTIF from its local storage.</t>
          </li>
        </ol>
      </section>
      <section anchor="ssec-server-side-informative">
        <name>Informative Response</name>
        <t>After having started a group observation for a target resource, the server proceeds as follows.</t>
        <t>For each traditional observation ongoing on the target resource, the server <bcp14>MAY</bcp14> cancel that observation. Then, the server considers the corresponding clients as now taking part in the group observation, for which it increases the corresponding observer counter accordingly.</t>
        <t>The server sends to each of such clients an informative response message, encoded as a unicast response with response code 5.03 (Service Unavailable). As per <xref target="RFC7641"/>, such a response does not include an Observe Option. The response <bcp14>MUST</bcp14> be a Confirmable message sent as a separate response (see <xref section="5.2.2" sectionFormat="of" target="RFC7252"/>), <bcp14>MUST NOT</bcp14> have link-local source or destination addresses, and <bcp14>MUST NOT</bcp14> provide link-local or site-local addresses in the transport-specific information specified in its payload (see below).</t>
        <t>The Content-Format of the informative response is set to "application/informative-response+cbor", which is registered in <xref target="content-format"/>. The payload of the informative response is a CBOR map, whose fields use the CBOR abbreviations that are defined in <xref target="informative-response-params"/>.</t>
        <t>When using the method specified in this document, the CBOR map conveyed as the payload of the informative response includes the following parameters with the semantics defined below. Other specifications may define different uses of the informative response for providing alternative information that is relevant to other protocols and applications.</t>
        <ul spacing="normal">
          <li>
            <t>'tp_info', with value a CBOR array. This includes the transport-specific information required to correctly receive multicast notifications that are bound to the phantom observation request. Typically, this comprises the Token value associated with the group observation, as well as the source and destination addressing information of the related multicast notifications. The CBOR array is formatted as defined in <xref target="sssec-transport-specific-encoding"/>.  </t>
            <t>
This parameter <bcp14>MAY</bcp14> be omitted in particular setups where the server is aware that effective transport-specific information is available to clients through alternative means than the 'tp_info' parameter of the informative response. For example, this could be the case in particular scenarios where notifications are protected end-to-end between the server and clients using Group OSCORE (hence, in a way suitable to send those over multicast), but they are ultimately delivered to observer clients over a unicast transport, e.g., through a proxy.  </t>
            <t>
Otherwise, such as in the setup considered in this document, this parameter <bcp14>MUST</bcp14> be included.</t>
          </li>
          <li>
            <t>'ph_req', with value the byte serialization of the transport-independent information of the phantom observation request (see <xref target="ssec-server-side-request"/>), encoded as a CBOR byte string. The value of the CBOR byte string is formatted as defined in <xref target="sssec-transport-independent-encoding"/>.  </t>
            <t>
This parameter <bcp14>MAY</bcp14> be omitted if the phantom request is, in terms of transport-independent information, identical to the registration request from the client. Otherwise, this parameter <bcp14>MUST</bcp14> be included.  </t>
            <t>
Note that the registration request from the client can indeed differ from the phantom observation request in terms of transport-independent information, but still be acceptable for the server to register the client as taking part in the group observation.</t>
          </li>
          <li>
            <t>'last_notif', with value the byte serialization of the transport-independent information of the latest multicast notification for the target resource, encoded as a CBOR byte string. The value of the CBOR byte string is formatted as defined in <xref target="sssec-transport-independent-encoding"/>.  </t>
            <t>
This parameter <bcp14>SHOULD</bcp14> be included, in order to avoid unnecessary delays for the client in obtaining a first multicast notification and possibly populating its cache.  </t>
            <t>
In network setups where a proxy is deployed between the clients and the server (see <xref target="I-D.ietf-core-multicast-notifications-proxy"/>), this avoids such unnecessary delays at the proxy if the proxy is the intended recipient and consumer of the informative response, in turn avoiding delays for the clients in obtaining a first multicast notification.</t>
          </li>
          <li>
            <t>'next_not_before', with value the number of seconds that will minimally elapse before the server sends the next multicast notification for the group observation of the target resource, encoded as a CBOR unsigned integer. This parameter <bcp14>MAY</bcp14> be included.  </t>
            <t>
This information can help a new client to align itself with the server's timeline, especially in scenarios where multicast notifications are regularly sent. Also, it can help synchronizing different clients when orchestrating content distribution through multicast notifications.</t>
          </li>
          <li>
            <t>'ending', with value the time when the group observation of the target resource is planned to be canceled, encoded as a CBOR integer or as a CBOR floating-point number. The value is the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds, analogous to what is specified for NumericDate in <xref section="2" sectionFormat="of" target="RFC7519"/>. This parameter <bcp14>MAY</bcp14> be included.</t>
          </li>
        </ul>
        <t>The CBOR map conveyed as the payload of the informative response <bcp14>MAY</bcp14> include further parameters.</t>
        <t>The CDDL notation <xref target="RFC8610"/> provided below describes the payload of the informative response.</t>
        <figure anchor="informative-response-payload">
          <name>Format of the Informative Response Payload</name>
          <sourcecode type="cddl"><![CDATA[
informative_response_payload = {
 ? 0 => [1* tp_info_element],  ; 'tp_info'    (transport-specific
                               ;               information)
 ? 1 => bstr,                  ; 'ph_req'     (transport-independent
                               ;               information)
 ? 2 => bstr,                  ; 'last_notif' (transport-independent
                               ;               information)
 ? 3 => uint,                  ; 'next_not_before'
 ? 4 => ~time                  ; 'ending'
 * (int / tstr) => any
}

tp_info_element = any
]]></sourcecode>
        </figure>
        <t>Upon receiving a registration request to observe the target resource, the server does not create a corresponding individual observation for the requesting client. Instead, the server considers that client as now taking part in the group observation of the target resource, of which it increments the observer counter by 1. Then, the server replies to the client with the same informative response message defined above, which <bcp14>MUST</bcp14> be a Confirmable message sent as a separate response (see <xref section="5.2.2" sectionFormat="of" target="RFC7252"/>).</t>
        <t>Note that this also applies when, with no ongoing traditional observations on the target resource, the server receives a registration request from a first client and decides to start a group observation on the target resource.</t>
        <section anchor="sssec-transport-specific-encoding">
          <name>Transport-Specific Message Information</name>
          <t>The CBOR array specified in the 'tp_info' parameter of an informative response is formatted according to the following CDDL notation.</t>
          <figure anchor="tp-info-general">
            <name>General Format of 'tp_info'</name>
            <sourcecode type="cddl"><![CDATA[
tp_info = [
    tpi_server: CRI-no-local,  ; Addressing information of the server
  ? tpi_details                ; Further information about the request
]

tpi_details = (
  + elements  ; The number, format, and encoding of the elements
              ; depend on the scheme-id and authority of the CRI
              ; specified by tpi_server
)

CRI-no-local = [
  scheme-id,
  authority
]

scheme-id = nint  ; -1 - scheme-number

authority = [?userinfo, host, ?port]
userinfo  = (false, text .feature "userinfo")
host      = (host-ip // host-name)
host-name = (*text) ; lowercase, NFC labels
host-ip   = (bytes .size 4 //
               (bytes .size 16, ?zone-id))
zone-id   = text
port      = 0..65535
]]></sourcecode>
          </figure>
          <t>The following holds for the two elements 'tpi_server' and 'tpi_details'.</t>
          <ul spacing="normal">
            <li>
              <t>The 'tpi_server' element <bcp14>MUST</bcp14> be present and specifies:  </t>
              <ul spacing="normal">
                <li>
                  <t>The transport protocol used to transport a CoAP response from the server, i.e., a multicast notification in this document; and</t>
                </li>
                <li>
                  <t>The addressing information of the server, i.e., the source addressing information of the multicast notifications that are sent for the group observation.      </t>
                  <t>
Such addressing information <bcp14>MUST</bcp14> be equal to the source addressing information of the informative response sent by the server (see <xref target="ssec-server-side-notifications"/>).</t>
                </li>
              </ul>
              <t>
This element specifies a CRI <xref target="I-D.ietf-core-href"/>, of which both 'scheme' and 'authority' are given, while 'path', 'query', and 'fragment' are not given.  </t>
              <t>
Consistent with <xref section="5.1.1" sectionFormat="of" target="I-D.ietf-core-href"/>, the CRI scheme is given as a negative integer 'scheme-id'. In particular, a 'scheme-id' with value ID denotes the CRI scheme that has CRI scheme number equal to (-1 - ID). The latter identifies the corresponding registered URI scheme, per the associated entry in the "Uniform Resource Identifier (URI) Schemes" registry <xref target="IANA.URI.Schemes"/> defined in <xref target="RFC7595"/> and updated in <xref section="11.1" sectionFormat="of" target="I-D.ietf-core-href"/>.  </t>
              <t>
The combination of URI scheme and 'authority' component determines the CoAP transport used to distribute multicast notifications for the group observation. Note that:  </t>
              <ul spacing="normal">
                <li>
                  <t>If the 'authority' component specifies a host-ip, then the 'scheme-id' (hence the URI scheme) is sufficient to identify the transport.</t>
                </li>
                <li>
                  <t>If the 'authority' component specifies a host-name, then the consumer of the CRI has to resolve the host-name and consider the result together with the 'scheme-id' (hence the URI scheme) in order to identify the transport. For instance, DNS resolution can be used (e.g., as defined in <xref target="RFC9953"/>).</t>
                </li>
              </ul>
              <t>
The identified transport determines what elements are required in the 'tpi_details' element of the 'tp_info' array, as well as what information they convey, their encoding, and their semantics. Those elements are specified in the 'Transport Information Details' column of the "CoAP Transport Information" registry for the entry associated with the identified CoAP transport (see <xref target="iana-coap-transport-information"/>)</t>
            </li>
            <li>
              <t>The 'tpi_details' element <bcp14>MAY</bcp14> be present and specifies transport-specific information related to a pertinent request message, i.e., the phantom observation request in this document.  </t>
              <t>
The exact format of 'tpi_details' depends on the CoAP transport, which is identified according to the CRI conveyed by the 'tpi_server' element, as described above.  </t>
              <t>
In the "CoAP Transport Information" registry defined in <xref target="iana-coap-transport-information"/>, the entry corresponding to the identified CoAP transport specifies the list of elements composing 'tpi_details' for that transport, as indicated in the 'Transport Information Details' column. Within 'tpi_details', its elements <bcp14>MUST</bcp14> be ordered according to what is specified in the 'Transport Information Details' column of the "CoAP Transport Information" registry.</t>
            </li>
          </ul>
          <t><xref target="transport-protocol-identifiers"/> defines an entry to be registered in the "CoAP Transport Information" registry, for the transport "CoAP over UDP". When such a transport is used, i.e., CoAP responses are transported over UDP as per <xref target="RFC7252"/> and <xref target="I-D.ietf-core-groupcomm-bis"/>, the full encoding of the 'tp_info' CBOR array is defined in <xref target="ssssec-udp-transport-specific"/>.</t>
          <t>If a future specification defines the use of CoAP multicast notifications transported over different transport protocols, then that specification must perform the following actions, unless those have been already performed for different reasons:</t>
          <ul spacing="normal">
            <li>
              <t>Define the elements in 'tpi_details', as to what information they convey, their encoding, and their semantics.</t>
            </li>
            <li>
              <t>Register an entry in the "CoAP Transport Information" registry defined in <xref target="iana-coap-transport-information"/> of this document.</t>
            </li>
            <li>
              <t>Register an entry in the "Uniform Resource Identifier (URI) Schemes" registry <xref target="IANA.URI.Schemes"/> defined in <xref target="RFC7595"/> and updated in <xref section="11.1" sectionFormat="of" target="I-D.ietf-core-href"/>, where the value in the 'CRI Scheme Number' column is (-1 - ID). In particular, ID is the negative integer to be used as 'scheme-id' for CRIs conveyed by the 'tpi_server' element and possibly by elements in 'tpi_details'.</t>
            </li>
          </ul>
          <section anchor="ssssec-udp-transport-specific">
            <name>UDP Transport-Specific Information</name>
            <t>When CoAP multicast notifications are transported over UDP as per <xref target="RFC7252"/> and <xref target="I-D.ietf-core-groupcomm-bis"/>, the server specifies the 'tp_info' CBOR array as follows.</t>
            <ul spacing="normal">
              <li>
                <t>In the 'tpi_server' element, the CRI has 'scheme-id' with value -1 ("coap"), while 'authority' conveys addressing information pertaining to the server, i.e., the source addressing information of the multicast notifications that are sent for the group observation.  </t>
                <t>
This information consists of the IP address SRV_ADDR (expressed as a literal or as a host-name to be resolved) and the port number SRV_PORT of the server hosting the target resource, from where the server will send multicast notifications for the target resource.</t>
              </li>
              <li>
                <t>The 'tpi_details' element <bcp14>MAY</bcp14> be omitted in particular setups where the server is aware that effective client-side transport-specific information is available to clients through alternative means than the 'tp_info' parameter of the informative response.  </t>
                <t>
Otherwise, such as in the setup considered in this document, this element <bcp14>MUST</bcp14> be present and it includes the following two elements:  </t>
                <ul spacing="normal">
                  <li>
                    <t>'tpi_client' is a CRI, with the same format of 'tpi_server' (see <xref target="sssec-transport-specific-encoding"/>). In particular, the CRI has 'scheme-id' with value -1 ("coap"), while 'authority' conveys the destination addressing information of the multicast notifications that the server sends for the group observation.      </t>
                    <t>
This information consists of the IP multicast address GRP_ADDR (expressed as a literal or as a host-name to be resolved) and the port number GRP_PORT, where the server will send multicast notifications for the target resource.</t>
                  </li>
                  <li>
                    <t>'tpi_token' is a CBOR byte string, whose value is the Token value of the phantom observation request generated by the server (see <xref target="ssec-server-side-request"/>). Note that the same Token value is used for the multicast notifications bound to that phantom observation request (see <xref target="ssec-server-side-notifications"/>).</t>
                  </li>
                </ul>
              </li>
            </ul>
            <t>The CDDL notation in <xref target="tp-info-udp"/> describes the format of the 'tp_info' CBOR array when CoAP is transported over UDP, according to this document. The definition of 'scheme-id' and 'authority' is the same as in <xref target="tp-info-general"/>.</t>
            <figure anchor="tp-info-udp">
              <name>Format of 'tp_info' with UDP as Transport Protocol</name>
              <sourcecode type="cddl"><![CDATA[
tp_info_coap_udp = [
  tpi_server: CRI-no-local, ; Source addressing information
                            ; of the multicast notifications
  tpi_client: CRI-no-local, ; Destination addressing information
                            ; of the multicast notifications
  tpi_token: bstr           ; Token value of the phantom request and
                            ; associated multicast notifications
]

CRI-no-local = [
  scheme-id,
  authority
]
]]></sourcecode>
            </figure>
            <t>The CBOR diagnostic notation in <xref target="tp-info-udp-example"/> provides an example of the 'tp_info' CBOR array when CoAP is transported over UDP, according to this document.</t>
            <t>In the example, SRV_ADDR is 2001:db8::ab, SRV_PORT is 5683 (omitted in the CRI of 'tpi_server' as it is the default port number when CoAP is transported over UDP), GRP_ADDR is ff35:30:2001:db8::23, and GRP_PORT is 61616.</t>
            <figure anchor="tp-info-udp-example">
              <name>Example of 'tp_info' with UDP as Transport Protocol</name>
              <sourcecode type="cbor-diag"><![CDATA[
[ / tp_info /
  [ / tpi_server /
    -1,        / scheme-id -- equivalent to "coap" /
    h'20010db80000000000000000000000ab'  / host-ip /
  ],
  [ / tpi_client /
    -1,        / scheme-id -- equivalent to "coap" /
    h'ff35003020010db80000000000000023', / host-ip /
    61616                                   / port /
  ],
  h'7b'                                / tpi_token /
]
]]></sourcecode>
            </figure>
          </section>
        </section>
        <section anchor="sssec-transport-independent-encoding">
          <name>Transport-Independent Message Information</name>
          <t>For both the parameters 'ph_req' and 'last_notif' in the informative response, the value of the CBOR byte string is the concatenation of the following components defined in <xref section="3" sectionFormat="of" target="RFC7252"/>, in the order specified below.</t>
          <t>When defining the value of each component, "CoAP message" refers to the phantom observation request for the 'ph_req' parameter and to the corresponding latest multicast notification for the 'last_notif' parameter.</t>
          <ul spacing="normal">
            <li>
              <t>A single byte, with value the content of the Code field in the CoAP message.</t>
            </li>
            <li>
              <t>The byte serialization of the complete sequence of CoAP options in the CoAP message.</t>
            </li>
            <li>
              <t>If the CoAP message includes a non-zero length payload, the one-byte Payload Marker (0xff) followed by the payload.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="ssec-server-side-notifications">
        <name>Notifications</name>
        <t>Given an ongoing group observation for a target resource, the server sends multicast notifications intended to all the clients taking part in the group observation. In particular, each such multicast notification is formatted as follows.</t>
        <ul spacing="normal">
          <li>
            <t>It <bcp14>MUST</bcp14> be a Non-confirmable message.</t>
          </li>
          <li>
            <t>It <bcp14>MUST</bcp14> include an Observe Option, as per <xref target="RFC7641"/>.</t>
          </li>
          <li>
            <t>It <bcp14>MUST</bcp14> have the same Token value T of the phantom registration request that started the group observation.  </t>
            <t>
That is, every multicast notification for a target resource is not bound to the observation requests from the different clients, but instead to the phantom registration request associated with the whole set of clients taking part in the group observation of that resource.  </t>
            <t>
The Token value T is specified by an element of 'tpi_details', within the 'tp_info' parameter of the informative response sent to the observer clients. In particular, when transporting CoAP over UDP, the Token value is specified by the element 'tpi_token' (see <xref target="ssssec-udp-transport-specific"/>).</t>
          </li>
          <li>
            <t>It <bcp14>MUST</bcp14> be sent from the same IP address SRV_ADDR and port number SRV_PORT where the corresponding informative responses are sent from by the server (see <xref target="ssec-server-side-informative"/>). That is, redirection <bcp14>MUST NOT</bcp14> be used.  </t>
            <t>
Note that, in most cases, such SRV_ADDR and SRV_PORT are those to which original observation requests are sent to by clients (see <xref target="ssec-client-side-request"/>), unless those requests are sent to a multicast address (see <xref target="I-D.ietf-core-groupcomm-bis"/>).  </t>
            <t>
The addressing information above is conveyed through the CRI specified by the element 'tpi_server', within the 'tp_info' parameter of the informative response (see <xref target="sssec-transport-specific-encoding"/>).</t>
          </li>
          <li>
            <t>It <bcp14>MUST</bcp14> be sent to the IP multicast address GRP_ADDR and port number GRP_PORT.  </t>
            <t>
The addressing information above is conveyed through the CRI specified by an element of 'tpi_details', within the 'tp_info' parameter of the informative response. In particular, when transporting CoAP over UDP, the CRI is conveyed by the element 'tpi_client' (see <xref target="ssssec-udp-transport-specific"/>).</t>
          </li>
        </ul>
        <t>For each target resource with an active group observation, the server <bcp14>MUST</bcp14> store the latest multicast notification. This applies also to the initial multicast notification INIT_NOTIF composed at Step 6 of <xref target="ssec-server-side-request"/>.</t>
        <t>It can happen that the stored latest multicast notification for a group observation reaches an age that is greater than its indicated maximum age, i.e., the option value of its Inner Max-Age Option, if present, or 60 seconds otherwise (see <xref section="5.6.1" sectionFormat="of" target="RFC7252"/>). When this happens, the server <bcp14>MUST</bcp14> compose and send a new multicast notification for the same group observation, whose payload specifies the current representation of the target resource.</t>
      </section>
      <section anchor="ssec-server-side-congestion">
        <name>Congestion Control</name>
        <t>In order to not cause congestion, the server ought to conservatively control the sending of multicast notifications. In particular:</t>
        <ul spacing="normal">
          <li>
            <t>The multicast notifications <bcp14>MUST</bcp14> be Non-confirmable messages.</t>
          </li>
          <li>
            <t>In constrained environments such as low-power, lossy networks (LLNs), the server <bcp14>SHOULD</bcp14> only support multicast notifications for resources whose representation is small in size. Following related guidelines from <xref section="3.6" sectionFormat="of" target="I-D.ietf-core-groupcomm-bis"/>, this can consist, for example, in having the payload of multicast notifications as limited to approximately 5% of the IP Maximum Transmit Unit (MTU) size, so that it fits into a single link-layer frame when using IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN) (see <xref section="4" sectionFormat="of" target="RFC4944"/>).</t>
          </li>
          <li>
            <t>The server <bcp14>SHOULD</bcp14> provide multicast notifications with the smallest possible IP multicast scope that fulfills the application needs. For example, following related guidelines from <xref section="3.6" sectionFormat="of" target="I-D.ietf-core-groupcomm-bis"/>, site-local scope is always preferred over global scope IP multicast, if this fulfills the application needs. Similarly, realm-local scope is always preferred over site-local scope, if this fulfills the application needs. Ultimately, it is up to the server administrator to explicitly configure the most appropriate IP multicast scope.</t>
          </li>
          <li>
            <t>Following related guidelines from <xref section="4.5.1" sectionFormat="of" target="RFC7641"/>, the server <bcp14>SHOULD NOT</bcp14> send more than one multicast notification every 3 seconds and <bcp14>SHOULD</bcp14> use an even less aggressive rate when possible (see also <xref section="3.1.2" sectionFormat="of" target="RFC8085"/>). Furthermore, a goal for an appropriate transmission rate of multicast notifications is the avoidance of a possible "broadcast storm" problem <xref target="MOBICOM99"/>. This prevents a following considerable increase of the channel load, whose origin would be likely attributed to a router rather than to the server.</t>
          </li>
        </ul>
      </section>
      <section anchor="ssec-server-side-cancellation">
        <name>Cancellation</name>
        <t>At a certain point in time, the server might want to cancel a group observation of a target resource. For instance, the server realizes that no clients or not enough clients are interested in taking part in the group observation anymore. <xref target="sec-rough-counting"/> defines a possible approach that the server can use to make an assessment in this respect. Another reason is that the group observation has reached its ending time, as originally scheduled by the server.</t>
        <t>In order to cancel the group observation, the server sends a multicast response with response code 5.03 (Service Unavailable), signaling that the group observation has been terminated. The response has the same Token value T of the phantom registration request, it has no payload, and it does not include an Observe Option.</t>
        <t>The server sends the response to the same multicast IP address GRP_ADDR and port number GRP_PORT used to send the multicast notifications related to the target resource. Finally, the server releases the memory and network resources allocated for the group observation, and it especially frees up the Token value T used at its CoAP endpoint.</t>
      </section>
    </section>
    <section anchor="sec-client-side">
      <name>Client-Side Requirements</name>
      <section anchor="ssec-client-side-request">
        <name>Request</name>
        <t>A client sends an observation request to the server as described in <xref target="RFC7641"/>, i.e., a GET request with an Observe Option set to 0 (register). The request <bcp14>MUST NOT</bcp14> have link-local source or destination addresses. If the server is not configured to accept registrations on that target resource specifically for a group observation, this would still result in a positive notification response to the client as described in <xref target="RFC7641"/>, in the case that the server is able and willing to add the client to the list of observers.</t>
        <t>In a particular setup, the information typically specified in the 'tp_info' parameter of the informative response (see <xref target="ssec-server-side-informative"/>) can be pre-configured on the server and the clients. For example, the destination multicast address and port number where to send multicast notifications for a group observation, as well as the associated Token value to use, can be set aside for particular tasks (e.g., enforcing observations of a specific resource). Alternative mechanisms can rely on using some bytes from the hash of the observation request as the last bytes of the multicast address or as part of the Token value.</t>
        <t>In such a particular setup, the client might also have an early knowledge of the phantom request, hence it would be possible for the server to safely omit the parameter 'ph_req' from the informative response to the observation request (see <xref target="ssec-server-side-informative"/>). In this case, the client can include a No-Response Option <xref target="RFC7967"/> with value 16 in its Observe registration request, which results in the server suppressing the informative response. As a consequence, the observation request only informs the server that there is one additional client interested to take part in the group observation.</t>
        <t>While the considered client is able to simply set up its multicast address and start receiving multicast notifications for the group observation, sending an observation request as above allows the server to increment the observer counter. This helps the server to assess the current number of clients interested in the group observation over time (e.g., by using the method defined in <xref target="sec-rough-counting"/>), which in turn can play a role in deciding to cancel the group observation (see <xref target="ssec-server-side-cancellation"/>).</t>
      </section>
      <section anchor="ssec-client-side-informative">
        <name>Informative Response</name>
        <t>Upon receiving the informative response defined in <xref target="ssec-server-side-informative"/>, the client has to identify the CoAP transport used to distribute multicast notifications for the group observation.</t>
        <t>To this end, the client relies on the element 'tpi_server' within the 'tp_info' parameter of the informative response (see <xref target="sssec-transport-specific-encoding"/>).</t>
        <t>In particular, the client considers the CRI conveyed by 'tpi_server' and identifies the CoAP transport, by assessing together the 'authority' component and the URI scheme determined from 'scheme-id' (see <xref target="sssec-transport-specific-encoding"/>).</t>
        <t>After that, the client parses the remainder of the 'tp_info' array, i.e., the information conveyed by 'tpi_details', according to what is specified in the 'Transport Information Details' column of the "CoAP Transport Information" registry for the entry associated with the identified CoAP transport (see <xref target="iana-coap-transport-information"/>).</t>
        <t>Then, the client performs the following steps.</t>
        <ol spacing="normal" type="1"><li>
            <t>The client configures an observation of the target resource. To this end, it relies on a CoAP endpoint used for messages having:  </t>
            <ul spacing="normal">
              <li>
                <t>As source address and port number, the server address SRV_ADDR and port number SRV_PORT intended for accessing the target resource. These are conveyed through the CRI specified by the element 'tpi_server', within the 'tp_info' parameter of the informative response (see <xref target="sssec-transport-specific-encoding"/>).      </t>
                <t>
If the port number is not present in the CRI, the client <bcp14>MUST</bcp14> use as SRV_PORT the default port number defined for the identified CoAP transport (e.g., the default port number is 5683 when the transport is CoAP over UDP).</t>
              </li>
              <li>
                <t>As destination address and port number, the IP multicast address GRP_ADDR and port number GRP_PORT. These are conveyed through the CRI specified by a dedicated element of 'tpi_details', within the 'tp_info' parameter of the informative response. In particular, when transporting CoAP over UDP, such an element is 'tpi_client' (see <xref target="ssssec-udp-transport-specific"/>).      </t>
                <t>
If the port number is not present in the CRI, the client <bcp14>MUST</bcp14> use as GRP_PORT the default port number defined for the identified CoAP transport (e.g., the default port number is 5683 when the transport is CoAP over UDP).</t>
              </li>
            </ul>
          </li>
          <li>
            <t>The client rebuilds the phantom registration request as follows.  </t>
            <ul spacing="normal">
              <li>
                <t>The client uses the Token value T that is specified by a dedicated element of 'tpi_details', within the 'tp_info' parameter of the informative response. In particular, when transporting CoAP over UDP, such an element is 'tpi_token' (see <xref target="ssssec-udp-transport-specific"/>).</t>
              </li>
              <li>
                <t>If the 'ph_req' parameter is not present in the informative response, the client uses the transport-independent information from its original Observe registration request.</t>
              </li>
              <li>
                <t>If the 'ph_req' parameter is present in the informative response, the client uses the transport-independent information specified in the parameter.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>If the informative response includes the parameter 'ph_req' and the transport-independent information specified therein differs from the one in the original Observe registration request, then the client checks whether a response to the rebuilt phantom registration request can, if available in a cache entry, be used to satisfy the original observation request. If this is not the case, the client <bcp14>SHOULD</bcp14> explicitly withdraw from the group observation.</t>
          </li>
          <li>
            <t>The client stores the phantom registration request, as associated with the observation of the target resource. In particular, the client <bcp14>MUST</bcp14> use the Token value T of this phantom registration request as its own local Token value associated with that group observation, with respect to the server. The particular way to achieve this is implementation specific.</t>
          </li>
          <li>
            <t>If the informative response includes the parameter 'last_notif', the client rebuilds the latest multicast notification, by using:  </t>
            <ul spacing="normal">
              <li>
                <t>The same Token value T used at Step 2; and</t>
              </li>
              <li>
                <t>The transport-independent information specified in the 'last_notif' parameter of the informative response.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>If the informative response includes the parameter 'last_notif', the client processes the multicast notification rebuilt at Step 5 as defined in <xref section="3.2" sectionFormat="of" target="RFC7641"/>. In particular, the value of the Observe Option is used as initial baseline for notification reordering in this group observation.  </t>
            <t>
Note that the multicast notification rebuilt at Step 5 specifies a maximum age that is relative to the time when the server composed the notification, i.e., not to the time when the server sent the present informative response. Consequently, the client could consider the rebuilt multicast notification fresh beyond the point in time that was intended by the server. However, the next multicast notification sent for the group observation will supersede the rebuilt one and will indicate a reliable maximum age that the client can refer to.</t>
          </li>
          <li>
            <t>If a traditional observation to the target resource is ongoing, the client <bcp14>MAY</bcp14> silently cancel it without notifying the server.</t>
          </li>
        </ol>
        <t>In addition to 'tpi_server', further elements of the 'tp_info' array can convey a CRI. The client <bcp14>MUST</bcp14> treat any CRI within the 'tp_info' array as invalid, if the 'authority' component is a host-name such that, when resolved, its combination with the URI scheme indicates multiple transports (see <xref target="sssec-transport-specific-encoding"/>). As a possible way to verify if that is the case, the client can rely on DNS resolution (e.g., as defined in <xref target="RFC9953"/>).</t>
        <t>If any of the expected fields in the informative response are absent, malformed, or invalid, the client <bcp14>MAY</bcp14> try sending a new registration request to the server (see <xref target="ssec-client-side-request"/>). If the client chooses not to, then the client <bcp14>SHOULD</bcp14> explicitly withdraw from the group observation. Exceptions apply, for example, in particular setups where effective transport-specific information is available to clients through alternative means than the 'tp_info' parameter of the informative response.</t>
        <t><xref target="appendix-different-sources"/> describes possible alternative ways for clients to retrieve the phantom registration request and other information related to a group observation.</t>
      </section>
      <section anchor="ssec-client-side-notifications">
        <name>Notifications</name>
        <t>After having successfully processed the informative response as defined in <xref target="ssec-client-side-informative"/>, the client will receive, accept, and process multicast notifications about the state of the target resource from the server, as responses to the phantom registration request and with Token value T.</t>
        <t>The client relies on the value of the Observe Option for notification reordering, as defined in <xref section="3.4" sectionFormat="of" target="RFC7641"/>.</t>
      </section>
      <section anchor="ssec-client-side-cancellation">
        <name>Cancellation</name>
        <t>At a certain point in time, a client might no longer be interested in receiving further multicast notifications about a target resource. When this happens, the client can simply "forget" about being part of the group observation for that target resource, as per <xref section="3.6" sectionFormat="of" target="RFC7641"/>.</t>
        <t>When, later on, the server sends the next multicast notification, the client will not recognize the Token value T in the message. Since the multicast notification is a Non-confirmable message, it is optional for the client to reject it with a Reset message (see <xref section="3.5" sectionFormat="of" target="RFC7641"/>).</t>
        <t>If the server has canceled a group observation as defined in <xref target="ssec-server-side-cancellation"/>, the client simply forgets about the group observation and frees up the used Token value T for that endpoint, upon receiving the multicast error response defined in <xref target="ssec-server-side-cancellation"/>.</t>
      </section>
    </section>
    <section anchor="sec-web-linking">
      <name>Web Linking</name>
      <t>The possible use of multicast notifications in a group observation <bcp14>MAY</bcp14> be indicated by a target attribute "gp-obs" in a web link <xref target="RFC8288"/> to a resource, e.g., using a CoRE link-format document <xref target="RFC6690"/>.</t>
      <t>The "gp-obs" attribute is a hint, indicating that the server might send multicast notifications for observations of the resource targeted by the link. Note that this is simply a hint, i.e., it does not include any information required to participate in a group observation and to receive and process multicast notifications.</t>
      <t>A value <bcp14>MUST NOT</bcp14> be given for the "gp-obs" attribute and any present value <bcp14>MUST</bcp14> be ignored by the recipient.  The "gp-obs" attribute <bcp14>MUST NOT</bcp14> appear more than once in a given link-value; occurrences after the first <bcp14>MUST</bcp14> be ignored by the recipient.</t>
      <t>The example in <xref target="example-web-link"/> shows a use of the "gp-obs" attribute: the client does resource discovery on a server and gets back a list of resources, one of which includes the "gp-obs" attribute indicating that the server might send multicast notifications for observations of that resource. The CoRE Link-Format notation from <xref section="5" sectionFormat="of" target="RFC6690"/> is used.</t>
      <figure anchor="example-web-link">
        <name>The Web Link</name>
        <artwork><![CDATA[
REQ: GET /.well-known/core

RES: 2.05 Content
    </sensors/temp>;gp-obs,
    </sensors/light>;if="sensor"
]]></artwork>
      </figure>
    </section>
    <section anchor="sec-example-no-security">
      <name>Example</name>
      <t>The following example refers to two clients C1 and C2 that register to observe a resource /r at a server S, which has address SRV_ADDR and listens to the port number SRV_PORT. Before the following exchanges occur, no clients are observing the resource /r , whose representation has value "1234".</t>
      <t>The server S sends multicast notifications to the IP multicast address GRP_ADDR and port number GRP_PORT. The server starts the group observation upon receiving a registration request from a first client that wishes to start a traditional observation on the resource /r.</t>
      <t>The following notation is used for the payload of the informative responses:</t>
      <ul spacing="normal">
        <li>
          <t>The application-extension identifier "cri" defined in <xref section="3.6" sectionFormat="of" target="I-D.ietf-cbor-edn-literals"/> is used to notate a Concise Diagnostic Notation (CDN) literal for a CRI.</t>
        </li>
        <li>
          <t>'bstr(X)' denotes a CBOR byte string with value the byte serialization of X, with '|' denoting byte concatenation.</t>
        </li>
        <li>
          <t>'OPT' denotes a sequence of CoAP options. This refers to the phantom registration request specified by the 'ph_req' parameter, or to the corresponding latest multicast notification specified by the 'last_notif' parameter.</t>
        </li>
        <li>
          <t>'PAYLOAD' denotes a CoAP payload. This refers to the latest multicast notification specified by the 'last_notif' parameter.</t>
        </li>
      </ul>
      <figure anchor="example-no-oscore">
        <name>Example of Group Observation</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="1296" width="552" viewBox="0 0 552 1296" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,48 L 8,432" fill="none" stroke="black"/>
              <path d="M 8,464 L 8,672" fill="none" stroke="black"/>
              <path d="M 8,704 L 8,832" fill="none" stroke="black"/>
              <path d="M 8,864 L 8,1120" fill="none" stroke="black"/>
              <path d="M 8,1184 L 8,1280" fill="none" stroke="black"/>
              <path d="M 32,1120 L 32,1184" fill="none" stroke="black"/>
              <path d="M 512,48 L 512,432" fill="none" stroke="black"/>
              <path d="M 512,464 L 512,672" fill="none" stroke="black"/>
              <path d="M 512,704 L 512,832" fill="none" stroke="black"/>
              <path d="M 512,864 L 512,1136" fill="none" stroke="black"/>
              <path d="M 512,1168 L 512,1280" fill="none" stroke="black"/>
              <path d="M 32,32 L 192,32" fill="none" stroke="black"/>
              <path d="M 304,32 L 496,32" fill="none" stroke="black"/>
              <path d="M 80,208 L 496,208" fill="none" stroke="black"/>
              <path d="M 80,256 L 496,256" fill="none" stroke="black"/>
              <path d="M 32,448 L 192,448" fill="none" stroke="black"/>
              <path d="M 304,448 L 496,448" fill="none" stroke="black"/>
              <path d="M 32,688 L 192,688" fill="none" stroke="black"/>
              <path d="M 304,688 L 496,688" fill="none" stroke="black"/>
              <path d="M 32,848 L 192,848" fill="none" stroke="black"/>
              <path d="M 304,848 L 496,848" fill="none" stroke="black"/>
              <path d="M 8,1120 L 32,1120" fill="none" stroke="black"/>
              <path d="M 48,1152 L 192,1152" fill="none" stroke="black"/>
              <path d="M 320,1152 L 496,1152" fill="none" stroke="black"/>
              <path d="M 8,1184 L 32,1184" fill="none" stroke="black"/>
              <path d="M 68,232 L 80,256" fill="none" stroke="black"/>
              <path d="M 68,232 L 80,208" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="504,688 492,682.4 492,693.6" fill="black" transform="rotate(0,496,688)"/>
              <polygon class="arrowhead" points="504,256 492,250.4 492,261.6" fill="black" transform="rotate(0,496,256)"/>
              <polygon class="arrowhead" points="504,32 492,26.4 492,37.6" fill="black" transform="rotate(0,496,32)"/>
              <polygon class="arrowhead" points="56,1152 44,1146.4 44,1157.6" fill="black" transform="rotate(180,48,1152)"/>
              <polygon class="arrowhead" points="40,848 28,842.4 28,853.6" fill="black" transform="rotate(180,32,848)"/>
              <polygon class="arrowhead" points="40,448 28,442.4 28,453.6" fill="black" transform="rotate(180,32,448)"/>
              <g class="text">
                <text x="12" y="36">C1</text>
                <text x="208" y="36">[</text>
                <text x="248" y="36">Unicast</text>
                <text x="288" y="36">]</text>
                <text x="512" y="36">S</text>
                <text x="540" y="36">/r</text>
                <text x="40" y="52">GET</text>
                <text x="52" y="68">Token:</text>
                <text x="100" y="68">0x4a</text>
                <text x="60" y="84">Observe:</text>
                <text x="104" y="84">0</text>
                <text x="156" y="84">(register)</text>
                <text x="64" y="100">Uri-Path:</text>
                <text x="120" y="100">"r"</text>
                <text x="52" y="116">&lt;Other</text>
                <text x="116" y="116">options&gt;</text>
                <text x="136" y="148">(</text>
                <text x="152" y="148">S</text>
                <text x="200" y="148">allocates</text>
                <text x="256" y="148">the</text>
                <text x="312" y="148">available</text>
                <text x="376" y="148">Token</text>
                <text x="424" y="148">value</text>
                <text x="468" y="148">0x7b</text>
                <text x="496" y="148">)</text>
                <text x="56" y="180">(</text>
                <text x="72" y="180">S</text>
                <text x="104" y="180">sends</text>
                <text x="140" y="180">to</text>
                <text x="180" y="180">itself</text>
                <text x="216" y="180">a</text>
                <text x="256" y="180">phantom</text>
                <text x="336" y="180">observation</text>
                <text x="416" y="180">request</text>
                <text x="476" y="180">PH_REQ</text>
                <text x="76" y="196">as</text>
                <text x="116" y="196">coming</text>
                <text x="164" y="196">from</text>
                <text x="200" y="196">the</text>
                <text x="228" y="196">IP</text>
                <text x="280" y="196">multicast</text>
                <text x="352" y="196">address</text>
                <text x="420" y="196">GRP_ADDR</text>
                <text x="464" y="196">)</text>
                <text x="540" y="260">/r</text>
                <text x="336" y="276">GET</text>
                <text x="348" y="292">Token:</text>
                <text x="396" y="292">0x7b</text>
                <text x="356" y="308">Observe:</text>
                <text x="400" y="308">0</text>
                <text x="452" y="308">(register)</text>
                <text x="360" y="324">Uri-Path:</text>
                <text x="416" y="324">"r"</text>
                <text x="348" y="340">&lt;Other</text>
                <text x="412" y="340">options&gt;</text>
                <text x="192" y="372">(</text>
                <text x="208" y="372">S</text>
                <text x="248" y="372">creates</text>
                <text x="288" y="372">a</text>
                <text x="320" y="372">group</text>
                <text x="392" y="372">observation</text>
                <text x="452" y="372">of</text>
                <text x="476" y="372">/r</text>
                <text x="496" y="372">)</text>
                <text x="224" y="404">(</text>
                <text x="240" y="404">S</text>
                <text x="292" y="404">increments</text>
                <text x="352" y="404">the</text>
                <text x="404" y="404">observer</text>
                <text x="472" y="404">counter</text>
                <text x="248" y="420">for</text>
                <text x="280" y="420">the</text>
                <text x="320" y="420">group</text>
                <text x="392" y="420">observation</text>
                <text x="452" y="420">of</text>
                <text x="476" y="420">/r</text>
                <text x="496" y="420">)</text>
                <text x="12" y="452">C1</text>
                <text x="208" y="452">[</text>
                <text x="248" y="452">Unicast</text>
                <text x="288" y="452">]</text>
                <text x="512" y="452">S</text>
                <text x="44" y="468">5.03</text>
                <text x="52" y="484">Token:</text>
                <text x="100" y="484">0x4a</text>
                <text x="88" y="500">Content-Format:</text>
                <text x="304" y="500">application/informative-response+cbor</text>
                <text x="60" y="516">Max-Age:</text>
                <text x="104" y="516">0</text>
                <text x="52" y="532">&lt;Other</text>
                <text x="116" y="532">options&gt;</text>
                <text x="60" y="548">Payload:</text>
                <text x="104" y="548">{</text>
                <text x="48" y="564">/</text>
                <text x="88" y="564">tp_info</text>
                <text x="128" y="564">/</text>
                <text x="168" y="564">0</text>
                <text x="184" y="564">:</text>
                <text x="200" y="564">[</text>
                <text x="328" y="580">cri'coap://SRV_ADDR:SRV_PORT/',</text>
                <text x="344" y="596">cri'coap://GRP_ADDR:GRP_PORT/',</text>
                <text x="252" y="612">0x7b</text>
                <text x="204" y="628">],</text>
                <text x="48" y="644">/</text>
                <text x="100" y="644">last_notif</text>
                <text x="152" y="644">/</text>
                <text x="168" y="644">2</text>
                <text x="184" y="644">:</text>
                <text x="232" y="644">bstr(0x45</text>
                <text x="280" y="644">|</text>
                <text x="304" y="644">OPT</text>
                <text x="328" y="644">|</text>
                <text x="356" y="644">0xff</text>
                <text x="384" y="644">|</text>
                <text x="428" y="644">PAYLOAD)</text>
                <text x="32" y="660">}</text>
                <text x="12" y="692">C2</text>
                <text x="208" y="692">[</text>
                <text x="248" y="692">Unicast</text>
                <text x="288" y="692">]</text>
                <text x="512" y="692">S</text>
                <text x="540" y="692">/r</text>
                <text x="40" y="708">GET</text>
                <text x="52" y="724">Token:</text>
                <text x="100" y="724">0x01</text>
                <text x="60" y="740">Observe:</text>
                <text x="104" y="740">0</text>
                <text x="156" y="740">(register)</text>
                <text x="64" y="756">Uri-Path:</text>
                <text x="120" y="756">"r"</text>
                <text x="52" y="772">&lt;Other</text>
                <text x="116" y="772">options&gt;</text>
                <text x="216" y="804">(</text>
                <text x="232" y="804">S</text>
                <text x="284" y="804">increments</text>
                <text x="344" y="804">the</text>
                <text x="396" y="804">observer</text>
                <text x="464" y="804">counter</text>
                <text x="240" y="820">for</text>
                <text x="272" y="820">the</text>
                <text x="312" y="820">group</text>
                <text x="384" y="820">observation</text>
                <text x="444" y="820">of</text>
                <text x="468" y="820">/r</text>
                <text x="488" y="820">)</text>
                <text x="12" y="852">C2</text>
                <text x="208" y="852">[</text>
                <text x="248" y="852">Unicast</text>
                <text x="288" y="852">]</text>
                <text x="512" y="852">S</text>
                <text x="44" y="868">5.03</text>
                <text x="52" y="884">Token:</text>
                <text x="100" y="884">0x01</text>
                <text x="88" y="900">Content-Format:</text>
                <text x="304" y="900">application/informative-response+cbor</text>
                <text x="60" y="916">Max-Age:</text>
                <text x="104" y="916">0</text>
                <text x="52" y="932">&lt;Other</text>
                <text x="116" y="932">options&gt;</text>
                <text x="60" y="948">Payload:</text>
                <text x="104" y="948">{</text>
                <text x="48" y="964">/</text>
                <text x="88" y="964">tp_info</text>
                <text x="128" y="964">/</text>
                <text x="168" y="964">0</text>
                <text x="184" y="964">:</text>
                <text x="200" y="964">[</text>
                <text x="328" y="980">cri'coap://SRV_ADDR:SRV_PORT/',</text>
                <text x="344" y="996">cri'coap://GRP_ADDR:GRP_PORT/',</text>
                <text x="252" y="1012">0x7b</text>
                <text x="204" y="1028">],</text>
                <text x="48" y="1044">/</text>
                <text x="100" y="1044">last_notif</text>
                <text x="152" y="1044">/</text>
                <text x="168" y="1044">2</text>
                <text x="184" y="1044">:</text>
                <text x="232" y="1044">bstr(0x45</text>
                <text x="280" y="1044">|</text>
                <text x="304" y="1044">OPT</text>
                <text x="328" y="1044">|</text>
                <text x="356" y="1044">0xff</text>
                <text x="384" y="1044">|</text>
                <text x="428" y="1044">PAYLOAD)</text>
                <text x="32" y="1060">}</text>
                <text x="32" y="1092">(</text>
                <text x="56" y="1092">The</text>
                <text x="132" y="1092">representation</text>
                <text x="204" y="1092">of</text>
                <text x="232" y="1092">the</text>
                <text x="284" y="1092">resource</text>
                <text x="332" y="1092">/r</text>
                <text x="376" y="1092">changes</text>
                <text x="420" y="1092">to</text>
                <text x="460" y="1092">"5678"</text>
                <text x="496" y="1092">)</text>
                <text x="12" y="1140">C1</text>
                <text x="208" y="1156">[</text>
                <text x="256" y="1156">Multicast</text>
                <text x="304" y="1156">]</text>
                <text x="512" y="1156">S</text>
                <text x="12" y="1172">C2</text>
                <text x="88" y="1172">(</text>
                <text x="144" y="1172">Destination</text>
                <text x="248" y="1172">address/port:</text>
                <text x="376" y="1172">GRP_ADDR/GRP_PORT</text>
                <text x="456" y="1172">)</text>
                <text x="60" y="1204">2.05</text>
                <text x="68" y="1220">Token:</text>
                <text x="116" y="1220">0x7b</text>
                <text x="76" y="1236">Observe:</text>
                <text x="124" y="1236">11</text>
                <text x="68" y="1252">&lt;Other</text>
                <text x="132" y="1252">options&gt;</text>
                <text x="76" y="1268">Payload:</text>
                <text x="140" y="1268">"5678"</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
C1 --------------------- [ Unicast ] ------------------------> S  /r
|  GET                                                         |
|  Token: 0x4a                                                 |
|  Observe: 0 (register)                                       |
|  Uri-Path: "r"                                               |
|  <Other options>                                             |
|                                                              |
|               ( S allocates the available Token value 0x7b ) |
|                                                              |
|     ( S sends to itself a phantom observation request PH_REQ |
|       as coming from the IP multicast address GRP_ADDR )     |
|        .---------------------------------------------------- |
|       /                                                      |
|       \                                                      |
|        `---------------------------------------------------> |  /r
|                                       GET                    |
|                                       Token: 0x7b            |
|                                       Observe: 0 (register)  |
|                                       Uri-Path: "r"          |
|                                       <Other options>        |
|                                                              |
|                      ( S creates a group observation of /r ) |
|                                                              |
|                          ( S increments the observer counter |
|                            for the group observation of /r ) |
|                                                              |
C1 <-------------------- [ Unicast ] ------------------------- S
|  5.03                                                        |
|  Token: 0x4a                                                 |
|  Content-Format: application/informative-response+cbor       |
|  Max-Age: 0                                                  |
|  <Other options>                                             |
|  Payload: {                                                  |
|    / tp_info /    0 : [                                      |
|                        cri'coap://SRV_ADDR:SRV_PORT/',       |
|                          cri'coap://GRP_ADDR:GRP_PORT/',     |
|                            0x7b                              |
|                       ],                                     |
|    / last_notif / 2 : bstr(0x45 | OPT | 0xff | PAYLOAD)      |
|  }                                                           |
|                                                              |
C2 --------------------- [ Unicast ] ------------------------> S  /r
|  GET                                                         |
|  Token: 0x01                                                 |
|  Observe: 0 (register)                                       |
|  Uri-Path: "r"                                               |
|  <Other options>                                             |
|                                                              |
|                         ( S increments the observer counter  |
|                           for the group observation of /r )  |
|                                                              |
C2 <-------------------- [ Unicast ] ------------------------- S
|  5.03                                                        |
|  Token: 0x01                                                 |
|  Content-Format: application/informative-response+cbor       |
|  Max-Age: 0                                                  |
|  <Other options>                                             |
|  Payload: {                                                  |
|    / tp_info /    0 : [                                      |
|                        cri'coap://SRV_ADDR:SRV_PORT/',       |
|                          cri'coap://GRP_ADDR:GRP_PORT/',     |
|                            0x7b                              |
|                       ],                                     |
|    / last_notif / 2 : bstr(0x45 | OPT | 0xff | PAYLOAD)      |
|  }                                                           |
|                                                              |
|  ( The representation of the resource /r changes to "5678" ) |
|                                                              |
+--+                                                           |
C1 |                                                           |
   | <------------------ [ Multicast ] ----------------------- S
C2 |      ( Destination address/port: GRP_ADDR/GRP_PORT )      |
+--+                                                           |
|    2.05                                                      |
|    Token: 0x7b                                               |
|    Observe: 11                                               |
|    <Other options>                                           |
|    Payload: "5678"                                           |
|                                                              |
]]></artwork>
        </artset>
      </figure>
    </section>
    <section anchor="sec-rough-counting">
      <name>Rough Counting of Clients in the Group Observation</name>
      <t>This section specifies a method that the server can use to keep an estimate of still active and interested clients, without creating undue traffic on the network.</t>
      <section anchor="feedback-divider-option">
        <name>Feedback-Divider Option</name>
        <t>This section defines the new CoAP option Feedback-Divider. By including the option in an outgoing message, a sender endpoint elicits a stochastic reaction and thereby a feedback from the message recipient(s) that would otherwise not react.</t>
        <t>If the sender endpoint triggering a feedback is a client sending a request, the Feedback-Divider Option included in the request triggers the recipient server(s) to send a response with some probability. In particular, the Feedback-Divider Option stochastically overrides the possible response suppression performed by the server(s). Such an influence affects response suppression that can otherwise be performed, e.g., according to: default processing; the No-Response Option <xref target="RFC7967"/>, if present in the request; an unmatching filter from the URI query component, when the request is sent over multicast and targets the /.well-known/core resource (see <xref section="4.1" sectionFormat="of" target="RFC6690"/>).</t>
        <t>If the sender endpoint triggering a feedback is a server sending a response, the feedback elicitation is currently limited to using observe notifications. In particular, the Feedback-Divider Option included in an observe notification triggers the recipient client(s) to send with some probability a new request to the server. Such a request includes the Observe Option set to 0 (register) and is addressed to the same target resource for which the observe notification was sent. That is, a reacting client (re-)registers a regular unicast observation on the same target resource.</t>
        <t>This document specifically defines how the Feedback-Divider Option is used when the sender endpoint triggering a feedback is a server sending multicast notifications. Note that it is not so useful to include the Feedback-Divider Option in an observe notification sent over unicast to a single client. That is, the server can more efficiently query a single client by means of an observe notification sent as a Confirmable message, thereby eliciting an Acknowledgement message in return.</t>
        <t>The Feedback-Divider Option has the properties summarized in <xref target="fd-table"/>, which extends Table 4 of <xref target="RFC7252"/>. The option is not Critical, not Safe-to-Forward, and integer valued. Since the option is not Safe-to-Forward, the 'N' column indicates a dash for "not applicable".</t>
        <table align="center" anchor="fd-table">
          <name>The Feedback-Divider Option. C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable</name>
          <thead>
            <tr>
              <th align="left">No.</th>
              <th align="left">C</th>
              <th align="left">U</th>
              <th align="left">N</th>
              <th align="left">R</th>
              <th align="left">Name</th>
              <th align="left">Format</th>
              <th align="left">Length</th>
              <th align="left">Default</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">TBD18</td>
              <td align="left"> </td>
              <td align="left">x</td>
              <td align="left">-</td>
              <td align="left"> </td>
              <td align="left">Feedback-Divider</td>
              <td align="left">uint</td>
              <td align="left">0-1</td>
              <td align="left">(none)</td>
            </tr>
          </tbody>
        </table>
        <t>Note to RFC Editor: In the table above, please replace TBD18 with the registered option number. Then, please delete this paragraph.</t>
        <t>The Feedback-Divider Option is of class E for OSCORE <xref target="RFC8613"/><xref target="I-D.ietf-core-oscore-groupcomm"/>.</t>
      </section>
      <section anchor="ssec-rough-counting-client-side">
        <name>Processing on the Client Side</name>
        <t>Upon receiving a response with a Feedback-Divider Option, a client that supports the option and is interested in continuing receiving multicast notifications for the target resource <bcp14>SHOULD</bcp14> acknowledge its interest, as described below.</t>
        <t>The client picks an integer random number I, from 0 inclusive to Z = (2<sup>Q</sup>) exclusive, where Q is the value specified in the option. If I is different from 0, the client takes no further action. Otherwise, the client should wait a random fraction of the Leisure time (see <xref section="8.2" sectionFormat="of" target="RFC7252"/>) and then registers a regular observation on the same target resource.</t>
        <t>To this end, the client essentially follows the steps that got it originally subscribed to group notifications for the target resource. In particular, the client sends an observation request to the server, i.e., a GET request with an Observe Option set to 0 (register). The request <bcp14>MUST</bcp14> be addressed to the same target resource and <bcp14>MUST</bcp14> have the same destination IP address and port number used for the original registration request, regardless of the source IP address and port number of the received multicast notification.</t>
        <t>Since this Observe registration is only done for its side effect of looking as an attempted observation at the server, the client <bcp14>MUST</bcp14> send the unicast request as a Non-confirmable message and with the maximum No-Response setting <xref target="RFC7967"/>. In the request, the client <bcp14>MUST</bcp14> include a Feedback-Divider Option, whose value <bcp14>MUST</bcp14> be set to 0. As per <xref section="3.2" sectionFormat="of" target="RFC7252"/>, this is represented with an empty option value (a zero-length sequence of bytes). The client does not need to wait for responses and can keep processing further notifications on the same Token.</t>
        <t>The client <bcp14>MUST</bcp14> ignore the Feedback-Divider Option, if the multicast notification is retrieved from the 'last_notif' parameter of an informative response (see <xref target="ssec-server-side-informative"/>). A client includes the Feedback-Divider Option only in a re-registration request triggered by the server as described above and <bcp14>MUST NOT</bcp14> include it in any other request.</t>
        <t><xref target="appendix-pseudo-code-counting-client"/> and <xref target="appendix-pseudo-code-counting-client-constrained"/> provide a description in pseudo-code of the operations above performed by the client.</t>
      </section>
      <section anchor="processing-on-the-server-side">
        <name>Processing on the Server Side</name>
        <t>In order to avoid needless use of network resources, a server <bcp14>SHOULD</bcp14> keep a rough, updated count of the number of clients taking part in the group observation of a target resource. To this end, the server updates the value COUNT of the associated observer counter (see <xref target="sec-server-side"/>), for instance by using the method described below.</t>
        <section anchor="request-for-feedback">
          <name>Request for Feedback</name>
          <t>When it wants to obtain a new estimated count, the server considers a number M of confirmations that it would like to receive from the clients. It is up to applications to define policies about how the server determines and possibly adjusts the value of M.</t>
          <t>Then, the server computes the value Q = max(L, 0), where:</t>
          <ul spacing="normal">
            <li>
              <t>L is computed as L = ceil(log2(N / M)).</t>
            </li>
            <li>
              <t>N is the current value of the observer counter, possibly rounded up to 1, i.e., N = max(COUNT, 1).</t>
            </li>
          </ul>
          <t>Finally, the server sets Q as the value of the Feedback-Divider Option, which is sent within a successful multicast notification.</t>
          <t>If several multicast notifications for the same group observation are sent in a burst fashion, it is <bcp14>RECOMMENDED</bcp14> for the server to include the Feedback-Divider Option only in the first notification of such a burst.</t>
        </section>
        <section anchor="collection-of-feedback">
          <name>Collection of Feedback</name>
          <t>The server collects observation requests from the clients, for an amount of time of MAX_CONFIRMATION_WAIT seconds. During this time, the server regularly increments the observer counter when adding a new client to the group observation (see <xref target="ssec-server-side-informative"/>).</t>
          <t>It is up to applications to define the value of MAX_CONFIRMATION_WAIT, which has to take into account the transmission time of the multicast notification and of observation requests, as well as the leisure time of the clients, which may be hard to know or estimate for the server.</t>
          <t>If this information is not known to the server, it is <bcp14>RECOMMENDED</bcp14> to define MAX_CONFIRMATION_WAIT as follows.</t>
          <t>MAX_CONFIRMATION_WAIT = MAX_RTT + MAX_CLIENT_REQUEST_DELAY</t>
          <t>where MAX_RTT is as defined in <xref section="4.8.2" sectionFormat="of" target="RFC7252"/> and has default value 202 seconds, while MAX_CLIENT_REQUEST_DELAY is equivalent to MAX_SERVER_RESPONSE_DELAY defined in <xref section="3.1.5" sectionFormat="of" target="I-D.ietf-core-groupcomm-bis"/> and has default value 250 seconds. In the absence of more specific information, the server can thus consider a conservative MAX_CONFIRMATION_WAIT of 452 seconds.</t>
          <t>If more information is available in deployments, a much shorter MAX_CONFIRMATION_WAIT can be set. This can be based on a realistic round trip time (replacing MAX_RTT) and on the largest leisure time configured on the clients (replacing MAX_CLIENT_REQUEST_DELAY), e.g., DEFAULT_LEISURE = 5 seconds, thus shortening MAX_CONFIRMATION_WAIT to a few seconds.</t>
        </section>
        <section anchor="processing-of-feedback">
          <name>Processing of Feedback</name>
          <t>Once MAX_CONFIRMATION_WAIT seconds have passed, the server counts the R confirmations that have arrived as observation requests to the target resource, since the time when the latest multicast notification with the Feedback-Divider Option has been sent. In particular, the server considers an observation request as a confirmation from a client only if the request includes a Feedback-Divider Option with value 0.</t>
          <t>Then, the server computes a feedback indicator as E = R * (2<sup>Q</sup>). According to what is defined by application policies, the server determines the next time when to ask clients for their confirmation, e.g., after a certain number of multicast notifications has been sent. For example, the decision can be influenced by the reception of no confirmations from the clients, i.e., R = 0, or by the value of the ratios (E/N) and (N/E).</t>
          <t>Finally, the server computes a new estimated count of the observers. To this end, the server first considers COUNT' as the current value of the observer counter at this point in time. Note that COUNT' could be greater than the value COUNT used at the beginning of this process, if the server has incremented the observer counter upon adding new clients to the group observation (see <xref target="ssec-server-side-informative"/>).</t>
          <t>In particular, the server computes the new estimated count value as COUNT' + ((E - N) / D), where D &gt; 0 is an integer value used as dampener. This step has to be performed atomically. That is, until this step is completed, the server <bcp14>MUST</bcp14> hold the processing of an observation request for the same target resource from a new client. Finally, the server considers the result as the current observer counter, which can be taken into account for possibly canceling the group observation (see <xref target="ssec-server-side-cancellation"/>).</t>
          <t>This estimate is skewed by packet loss, but it gives the server a sufficiently good estimation for further counts and for deciding when to cancel the group observation. It is up to applications to define policies about how the server takes the newly updated estimate into account and determines whether to cancel the group observation.</t>
          <t>As an example, if the server currently estimates that N = COUNT = 32 observers are active and considers a constant M = 8, it sends a notification with Feedback-Divider with value Q = 2. Then, out of 18 actually active clients, 5 send a re-registration request based on their random draw, of which one request gets lost, thus leaving 4 re-registration requests received by the server. Also, no new clients have been added to the group observation during this time, i.e., COUNT' is equal to COUNT. As a consequence, assuming that a dampener value D = 1 is used, the server computes the new estimated count value as 32 + (16 - 32) = 16 and keeps the group observation active.</t>
          <t>To produce a most accurate updated counter, a server can include a Feedback-Divider Option with value Q = 0 in its multicast notifications, as if M is equal to N. This will trigger all the active clients to state their interest in continuing receiving notifications for the target resource. Thus, the amount R of arrived confirmations is affected only by possible packet loss.</t>
          <t><xref target="appendix-pseudo-code-counting-server"/> provides a description in pseudo-code of the operations above performed by the server, including example behaviors for scheduling the next count update and deciding whether to cancel the group observation.</t>
        </section>
      </section>
    </section>
    <section anchor="sec-secured-notifications">
      <name>Protection of Multicast Notifications with Group OSCORE</name>
      <t>A server can protect multicast notifications by using the security protocol Group OSCORE <xref target="I-D.ietf-core-oscore-groupcomm"/>, thus ensuring that they are protected end-to-end for the observer clients. This requires that both the server and the clients interested in receiving multicast notifications from that server are members of the same OSCORE group.</t>
      <t>In some settings, the OSCORE group to refer to can be pre-configured on the clients and the server. In such a case, a server which is aware of such pre-configuration can simply assume a client to already be a member of the correct OSCORE group.</t>
      <t>In any other case, the server <bcp14>MAY</bcp14> communicate to clients what OSCORE group they are required to join, by providing additional guidance in the informative response as described in <xref target="sec-inf-response"/>. Note that clients could already be members of the right OSCORE group, if they previously joined it to securely communicate with the same server or with other servers to access their resources.</t>
      <t>Both the clients and the server <bcp14>MAY</bcp14> join the OSCORE group by using the approach defined in <xref target="I-D.ietf-ace-key-groupcomm-oscore"/> and based on the ACE framework for Authentication and Authorization in constrained environments <xref target="RFC9200"/>. When doing so, the server has to join the group (also) with the roles of Requester and Responder. Instead, a client can join the group with any permitted role or combination of roles, unless it intends to send its original observation requests (see <xref target="ssec-client-side-request"/>) protected with Group OSCORE. In such a case, the client has to join the group (also) as a Requester. Further details on how to discover the OSCORE group and join it are out of the scope of this document.</t>
      <t>If multicast notifications are protected using Group OSCORE, then the original registration requests and related unicast (notification) responses <bcp14>MUST</bcp14> also be protected, including and especially the informative responses from the server. An exception is the case discussed in <xref target="deterministic-phantom-Request"/>, where the informative response from the server is not protected.</t>
      <t>In order to protect unicast messages exchanged between the server and each client, including the original client registration (see <xref target="sec-client-side"/>), alternative security protocols than Group OSCORE can be used, such as OSCORE <xref target="RFC8613"/> and/or DTLS <xref target="RFC9147"/>. However, it is <bcp14>RECOMMENDED</bcp14> to use OSCORE or Group OSCORE, in order to reduce the number of libraries that the clients and the server have to support.</t>
      <section anchor="sec-inf-response">
        <name>Signaling the OSCORE Group in the Informative Response</name>
        <t>This section describes a mechanism for the server to communicate to the client what OSCORE group to join, in order to decrypt and verify the multicast notifications protected with Group OSCORE. The client <bcp14>MAY</bcp14> use the information provided by the server to start the ACE joining procedure described in <xref target="I-D.ietf-ace-key-groupcomm-oscore"/>. The mechanism defined in this section is <bcp14>OPTIONAL</bcp14> to support for the client and server.</t>
        <t>In addition to what is defined in <xref target="sec-server-side"/>, the CBOR map in the informative response payload contains the following fields, whose CBOR abbreviations are defined in <xref target="informative-response-params"/>.</t>
        <ul spacing="normal">
          <li>
            <t>'join_uri', with value the URI for joining the OSCORE group at the respective Group Manager, encoded as a CBOR text string. If the procedure described in <xref target="I-D.ietf-ace-key-groupcomm-oscore"/> is used for joining, this field specifically indicates the URI of the group-membership resource at the Group Manager.</t>
          </li>
          <li>
            <t>'sec_gp', with value the name of the OSCORE group, encoded as a CBOR text string.</t>
          </li>
          <li>
            <t>Optionally, 'as_uri', with value the URI of the authorization server associated with the Group Manager for the OSCORE group, encoded as a CBOR text string.</t>
          </li>
          <li>
            <t>Optionally, 'hkdf', with value the HKDF Algorithm used in the OSCORE group, encoded as a CBOR text string or integer. The HKDF Algorithm is specified by the HMAC Algorithm value, which is taken from the 'Value' column of the "COSE Algorithms" registry <xref target="IANA.COSE.Algorithms"/>. For example, the HKDF Algorithm HKDF SHA-256 is specified as the HMAC Algorithm HMAC 256/256.</t>
          </li>
          <li>
            <t>Optionally, 'cred_fmt', with value the format of the authentication credentials used in the OSCORE group, encoded as a CBOR integer. The value is taken from the 'Label' column of the "COSE Header Parameters" Registry <xref target="IANA.COSE.Header.Parameters"/>. Consistent with <xref section="2.4" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>, acceptable values denote a format that provides the public key and a comprehensive set of information related to the public key algorithm, including, e.g., the used elliptic curve (when applicable).  </t>
            <t>
At the time of writing this specification, acceptable formats of authentication credentials are CBOR Web Tokens (CWTs) and CWT Claim Sets (CCSs) <xref target="RFC8392"/>, X.509 certificates <xref target="RFC5280"/>, and C509 certificates <xref target="I-D.ietf-cose-cbor-encoded-cert"/>. Further formats may be available in the future, and they would be acceptable to use as long as they comply with the criteria above.  </t>
            <t>
[ As to C509 certificates, there is a pending registration requested by draft-ietf-cose-cbor-encoded-cert. ]</t>
          </li>
          <li>
            <t>Optionally, 'gp_enc_alg', with value the Group Encryption Algorithm used in the OSCORE group to encrypt messages protected with the group mode, encoded as a CBOR text string or integer. The value is taken from the 'Value' column of the "COSE Algorithms" registry <xref target="IANA.COSE.Algorithms"/>.</t>
          </li>
          <li>
            <t>Optionally, 'sign_alg', with value the Signature Algorithm used to sign messages in the OSCORE group, encoded as a CBOR text string or integer. The value is taken from the 'Value' column of the "COSE Algorithms" registry <xref target="IANA.COSE.Algorithms"/>.</t>
          </li>
          <li>
            <t>Optionally, 'sign_params', encoded as a CBOR array and including the following two elements:  </t>
            <ul spacing="normal">
              <li>
                <t>'sign_alg_capab': a CBOR array, with the same format and value of the COSE capabilities array for the algorithm indicated in 'sign_alg', as specified for that algorithm in the 'Capabilities' column of the "COSE Algorithms" Registry <xref target="IANA.COSE.Algorithms"/>.</t>
              </li>
              <li>
                <t>'sign_key_type_capab': a CBOR array, with the same format and value of the COSE capabilities array for the COSE key type of the keys used with the algorithm indicated in 'sign_alg', as specified for that key type in the 'Capabilities' column of the "COSE Key Types" Registry <xref target="IANA.COSE.Key.Types"/>.</t>
              </li>
            </ul>
          </li>
        </ul>
        <t>The values of 'sign_alg', 'sign_params', and 'cred_fmt' provide an early knowledge of the format of authentication credentials as well as of the type of public keys used in the OSCORE group. Thus, the client does not need to ask the Group Manager for this information as a preliminary step before the (ACE) join process, or to perform a trial-and-error exchange with the Group Manager upon joining the group. Hence, the client is able to provide the Group Manager with its own authentication credential in the correct expected format and including a public key of the correct expected type, at the very first step of the (ACE) join process.</t>
        <t>The values of 'hkdf', 'gp_enc_alg', and 'sign_alg' provide an early knowledge of the algorithms used in the OSCORE group. Thus, the client is able to decide whether to actually proceed with the (ACE) join process, depending on its support for the indicated algorithms.</t>
        <t>As mentioned above, since this mechanism is <bcp14>OPTIONAL</bcp14>, all the corresponding fields are <bcp14>OPTIONAL</bcp14> in the informative response. However, the 'join_uri' and 'sec_gp' fields <bcp14>MUST</bcp14> be present if this mechanism is used. If any of the fields are present without the 'join_uri' and 'sec_gp' fields present, the client <bcp14>MUST</bcp14> ignore these fields, since they would not be sufficient to start the (ACE) join procedure. When this happens, the client <bcp14>MAY</bcp14> try sending a new registration request to the server (see <xref target="ssec-client-side-request"/>). If the client chooses not to, then the client <bcp14>SHOULD</bcp14> explicitly withdraw from the group observation.</t>
        <t><xref target="self-managed-oscore-group"/> describes a possible alternative approach, where the server self-manages the OSCORE group, and provides the observer clients with the necessary keying material in the informative response. The approach in <xref target="self-managed-oscore-group"/> <bcp14>MUST NOT</bcp14> be used together with the mechanism defined in this section for indicating what OSCORE group to join.</t>
      </section>
      <section anchor="sec-server-side-with-security">
        <name>Server-Side Requirements</name>
        <t>When using Group OSCORE to protect multicast notifications, the server performs the operations described in <xref target="sec-server-side"/>, with the following differences.</t>
        <section anchor="ssec-server-side-request-oscore">
          <name>Registration</name>
          <t>The phantom registration request <bcp14>MUST</bcp14> be protected with Group OSCORE, using the group mode of Group OSCORE (see <xref section="7" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
          <t>An exception is the case discussed in <xref target="deterministic-phantom-Request"/>, where the participating endpoints using Group OSCORE also support the concept of Deterministic Client <xref target="I-D.ietf-core-cacheable-oscore"/> and the protected phantom request is computed using the pairwise mode of Group OSCORE.</t>
          <t>In accordance with the group mode of Group OSCORE, the server protects the phantom registration request as defined in <xref section="7.1" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/> by using its own Sender Context, i.e., like if it was the actual sender. As a consequence, the server consumes the current value of its Sender Sequence Number SN in the OSCORE group and hence updates it to SN* = (SN + 1).</t>
          <t>Consistent with that, the OSCORE Option value in the phantom registration request specifies:</t>
          <ul spacing="normal">
            <li>
              <t>In the 'kid' field, the Sender ID of the server in the OSCORE group.</t>
            </li>
            <li>
              <t>In the 'Partial IV' field, the Partial IV encoding the previously consumed Sender Sequence Number value SN of the server in the OSCORE group, i.e., (SN* - 1).</t>
            </li>
          </ul>
        </section>
        <section anchor="ssec-server-side-informative-oscore">
          <name>Informative Response</name>
          <t>The value of the CBOR byte string in the 'ph_req' parameter encodes the phantom observation request as a message protected with Group OSCORE (see <xref target="ssec-server-side-request-oscore"/>). Consequently, the following applies:</t>
          <ul spacing="normal">
            <li>
              <t>The specified Code is 0.05 (FETCH) <xref target="RFC8132"/>.</t>
            </li>
            <li>
              <t>The sequence of CoAP options will be limited to the outer, non encrypted options.</t>
            </li>
            <li>
              <t>A payload is always present, as the ciphertext followed by the countersignature.</t>
            </li>
          </ul>
          <t>Note that, in terms of transport-independent information, the registration request from the client typically differs from the phantom request. Thus, the server has to include the 'ph_req' parameter of the informative response. An exception is the case discussed in <xref target="deterministic-phantom-Request"/>.</t>
          <t>Similarly, the value of the CBOR byte string in the 'last_notif' parameter encodes the latest multicast notification as a message protected with Group OSCORE (see <xref target="ssec-server-side-notifications-oscore"/>). This applies also to the initial multicast notification INIT_NOTIF composed at Step 6 of <xref target="ssec-server-side-request"/>.</t>
          <t>Optionally, the informative response includes additional parameters that provide information about the OSCORE group to join (see <xref target="sec-inf-response"/>).</t>
        </section>
        <section anchor="ssec-server-side-notifications-oscore">
          <name>Notifications</name>
          <t>The server <bcp14>MUST</bcp14> protect every multicast notification for the target resource with Group OSCORE.</t>
          <t>The group mode of Group OSCORE defined in <xref section="7" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/> <bcp14>MUST</bcp14> be used. In particular, the process described in <xref section="7.3" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/> applies, with the following additions when building the two OSCORE external_aad structures to encrypt and sign the multicast notification (see <xref section="3.4" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
          <ul spacing="normal">
            <li>
              <t>The 'request_kid' element contains the value of the 'kid' field in the OSCORE Option value of the protected phantom registration request.</t>
            </li>
            <li>
              <t>The 'request_piv' element contains the value of the 'Partial IV' field in the OSCORE Option value of the protected phantom registration request.</t>
            </li>
            <li>
              <t>The 'request_kid_context' element contains the value of the 'kid context' field in the OSCORE Option value of the protected phantom registration request, i.e., the Group Identifier value (Gid) of the OSCORE group used as ID Context.</t>
            </li>
          </ul>
          <t>Note that these same values are used to protect each and every multicast notification sent for the target resource under this group observation.</t>
        </section>
        <section anchor="ssec-server-side-cancellation-oscore">
          <name>Cancellation</name>
          <t>When canceling a group observation as defined in <xref target="ssec-server-side-cancellation"/>, the multicast response with error code 5.03 (Service Unavailable) is protected with the group mode of Group OSCORE, as per <xref section="7.3" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>. The server <bcp14>MUST</bcp14> use its own Sender Sequence Number as Partial IV to protect the error response and <bcp14>MUST</bcp14> include the Partial IV in the OSCORE Option value of the response.</t>
        </section>
      </section>
      <section anchor="sec-client-side-with-security">
        <name>Client-Side Requirements</name>
        <t>When using Group OSCORE to protect multicast notifications, the client performs as described in <xref target="sec-client-side"/>, with the following differences.</t>
        <section anchor="ssec-client-side-informative-oscore">
          <name>Informative Response</name>
          <t>Upon receiving the informative response from the server, the client performs the same steps defined in <xref target="ssec-client-side-informative"/>, with the following additions.</t>
          <t>When performing Step 2, the client expects the 'ph_req' parameter to be included in the informative response, which is otherwise considered malformed. An exception is the case discussed in <xref target="deterministic-phantom-Request"/>.</t>
          <t>After completing Step 2, in any other case than the one discussed in <xref target="deterministic-phantom-Request"/>, the client decrypts and verifies the rebuilt phantom registration request as defined in <xref section="7.2" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>, with the following differences.</t>
          <ul spacing="normal">
            <li>
              <t>The client <bcp14>MUST NOT</bcp14> perform any replay check. That is, the client skips Step 3 in <xref section="8.2" sectionFormat="of" target="RFC8613"/>.</t>
            </li>
            <li>
              <t>If decryption and verification of the phantom registration request succeed:  </t>
              <ul spacing="normal">
                <li>
                  <t>The client <bcp14>MUST NOT</bcp14> update the Replay Window in the Recipient Context associated with the server. That is, the client skips the second bullet of Step 6 in <xref section="8.2" sectionFormat="of" target="RFC8613"/>.</t>
                </li>
                <li>
                  <t>The client <bcp14>MUST NOT</bcp14> take any further process as normally expected according to <xref target="RFC7252"/>. That is, the client skips Step 8 in <xref section="8.2" sectionFormat="of" target="RFC8613"/>. In particular, the client <bcp14>MUST NOT</bcp14> deliver the phantom registration request to the application and <bcp14>MUST NOT</bcp14> take any action in the Token space of its unicast endpoint where the informative response has been received.</t>
                </li>
                <li>
                  <t>The client stores the values of the 'kid', 'Partial IV', and 'kid context' fields from the OSCORE Option value of the phantom registration request.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>If decryption and verification of the phantom registration request fail, the client <bcp14>MAY</bcp14> try sending a new registration request to the server (see <xref target="ssec-client-side-request"/>). If the client chooses not to, then the client <bcp14>SHOULD</bcp14> explicitly withdraw from the group observation.</t>
            </li>
          </ul>
          <t>After successful decryption and verification, the client performs Step 3 in <xref target="ssec-client-side-informative"/>, considering the decrypted phantom registration request.</t>
          <t>If the informative response includes the parameter 'last_notif', the client also decrypts and verifies the latest multicast notification rebuilt at Step 5 in <xref target="ssec-client-side-informative"/>, just like it would for the multicast notifications transmitted as CoAP messages on the wire (see <xref target="ssec-client-side-notifications-oscore"/>). If decryption and verification succeed, the client proceeds with Step 6, considering the decrypted latest multicast notification. Otherwise, the client proceeds to Step 7.</t>
        </section>
        <section anchor="ssec-client-side-notifications-oscore">
          <name>Notifications</name>
          <t>After having successfully processed the informative response as defined in <xref target="ssec-client-side-informative-oscore"/>, the client will decrypt and verify every multicast notification for the target resource as defined in <xref section="7.4" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>, with the following difference.</t>
          <t>For both decryption and signature verification, the client <bcp14>MUST</bcp14> set the external_aad structure defined in <xref section="3.4" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/> as follows. The particular way to achieve this is implementation specific.</t>
          <ul spacing="normal">
            <li>
              <t>The 'request_kid' element takes the value of the 'kid' field from the OSCORE Option value of the phantom registration request (see <xref target="ssec-client-side-informative-oscore"/>).</t>
            </li>
            <li>
              <t>The 'request_piv' element takes the value of the 'Partial IV' field from the OSCORE Option value of the phantom registration request (see <xref target="ssec-client-side-informative-oscore"/>).</t>
            </li>
            <li>
              <t>The 'request_kid_context' element takes the value of the 'kid context' field from the OSCORE Option value of the phantom registration request (see <xref target="ssec-client-side-informative-oscore"/>).</t>
            </li>
          </ul>
          <t>Note that these same values are used to decrypt and verify each and every multicast notification received for the target resource under this group observation.</t>
        </section>
      </section>
    </section>
    <section anchor="sec-example-with-security">
      <name>Example with Group OSCORE</name>
      <t>The following example refers to two clients C1 and C2 that register to observe a resource /r at a server S, which has address SRV_ADDR and listens to the port number SRV_PORT. Before the following exchanges occur, no clients are observing the resource /r , whose representation has value "1234".</t>
      <t>The server S sends multicast notifications to the IP multicast address GRP_ADDR and port number GRP_PORT. The server starts the group observation upon receiving a registration request from a first client that wishes to start a traditional observation on the resource /r.</t>
      <t>Pairwise communication over unicast is protected with OSCORE, while S protects multicast notifications with Group OSCORE. Specifically:</t>
      <ul spacing="normal">
        <li>
          <t>C1 and S have a pairwise OSCORE Security Context. In particular, C1 has 'kid' = 0x01 as Sender ID and SN_1 = 101 (i.e., 0x65) as Sender Sequence Number.</t>
        </li>
        <li>
          <t>C2 and S have a pairwise OSCORE Security Context. In particular, C2 has 'kid' = 0x02 as Sender ID and SN_2 = 201 (i.e., 0xc9) as Sender Sequence Number.</t>
        </li>
        <li>
          <t>C1, C2, and S are members of the OSCORE group with name "myGroup" and with 'kid context' = 0x57ab2e as Group ID.  </t>
          <t>
In the OSCORE group, S has 'kid' = 0x05 as Sender ID and SN_5 = 501 (i.e., 0x01f5) as Sender Sequence Number.</t>
        </li>
      </ul>
      <t>The following notation is used for the payload of the informative responses:</t>
      <ul spacing="normal">
        <li>
          <t>The application-extension identifier "cri" defined in <xref section="3.6" sectionFormat="of" target="I-D.ietf-cbor-edn-literals"/> is used to notate a Concise Diagnostic Notation (CDN) literal for a CRI.</t>
        </li>
        <li>
          <t>'bstr(X)' denotes a CBOR byte string with value the byte serialization of X, with '|' denoting byte concatenation.</t>
        </li>
        <li>
          <t>'OPT' denotes a sequence of CoAP options. This refers to the phantom registration request specified by the 'ph_req' parameter, or to the corresponding latest multicast notification specified by the 'last_notif' parameter.</t>
        </li>
        <li>
          <t>'PAYLOAD' denotes an encrypted CoAP payload. This refers to the phantom registration request specified by the 'ph_req' parameter, or to the corresponding latest multicast notification specified by the 'last_notif' parameter.</t>
        </li>
        <li>
          <t>'SIGN' denotes the countersignature appended to an encrypted CoAP payload. This refers to the phantom registration request specified by the 'ph_req' parameter, or to the corresponding latest multicast notification specified by the 'last_notif' parameter.</t>
        </li>
      </ul>
      <figure anchor="example-oscore">
        <name>Example of Group Observation with Group OSCORE</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="2272" width="552" viewBox="0 0 552 2272" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,48 L 8,752" fill="none" stroke="black"/>
              <path d="M 8,784 L 8,1184" fill="none" stroke="black"/>
              <path d="M 8,1216 L 8,1456" fill="none" stroke="black"/>
              <path d="M 8,1488 L 8,1936" fill="none" stroke="black"/>
              <path d="M 8,2000 L 8,2256" fill="none" stroke="black"/>
              <path d="M 32,1936 L 32,2000" fill="none" stroke="black"/>
              <path d="M 512,48 L 512,752" fill="none" stroke="black"/>
              <path d="M 512,784 L 512,1184" fill="none" stroke="black"/>
              <path d="M 512,1216 L 512,1456" fill="none" stroke="black"/>
              <path d="M 512,1488 L 512,1952" fill="none" stroke="black"/>
              <path d="M 512,1984 L 512,2256" fill="none" stroke="black"/>
              <path d="M 32,32 L 152,32" fill="none" stroke="black"/>
              <path d="M 352,32 L 496,32" fill="none" stroke="black"/>
              <path d="M 56,320 L 496,320" fill="none" stroke="black"/>
              <path d="M 56,368 L 496,368" fill="none" stroke="black"/>
              <path d="M 432,640 L 448,640" fill="none" stroke="black"/>
              <path d="M 32,768 L 152,768" fill="none" stroke="black"/>
              <path d="M 344,768 L 496,768" fill="none" stroke="black"/>
              <path d="M 32,1200 L 152,1200" fill="none" stroke="black"/>
              <path d="M 352,1200 L 496,1200" fill="none" stroke="black"/>
              <path d="M 32,1472 L 152,1472" fill="none" stroke="black"/>
              <path d="M 344,1472 L 496,1472" fill="none" stroke="black"/>
              <path d="M 8,1936 L 32,1936" fill="none" stroke="black"/>
              <path d="M 48,1968 L 136,1968" fill="none" stroke="black"/>
              <path d="M 392,1968 L 496,1968" fill="none" stroke="black"/>
              <path d="M 8,2000 L 32,2000" fill="none" stroke="black"/>
              <path d="M 44,344 L 56,368" fill="none" stroke="black"/>
              <path d="M 44,344 L 56,320" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="504,1200 492,1194.4 492,1205.6" fill="black" transform="rotate(0,496,1200)"/>
              <polygon class="arrowhead" points="504,368 492,362.4 492,373.6" fill="black" transform="rotate(0,496,368)"/>
              <polygon class="arrowhead" points="504,32 492,26.4 492,37.6" fill="black" transform="rotate(0,496,32)"/>
              <polygon class="arrowhead" points="440,640 428,634.4 428,645.6" fill="black" transform="rotate(180,432,640)"/>
              <polygon class="arrowhead" points="56,1968 44,1962.4 44,1973.6" fill="black" transform="rotate(180,48,1968)"/>
              <polygon class="arrowhead" points="40,1472 28,1466.4 28,1477.6" fill="black" transform="rotate(180,32,1472)"/>
              <polygon class="arrowhead" points="40,768 28,762.4 28,773.6" fill="black" transform="rotate(180,32,768)"/>
              <g class="text">
                <text x="12" y="36">C1</text>
                <text x="168" y="36">[</text>
                <text x="208" y="36">Unicast</text>
                <text x="252" y="36">w/</text>
                <text x="292" y="36">OSCORE</text>
                <text x="328" y="36">]</text>
                <text x="512" y="36">S</text>
                <text x="540" y="36">/r</text>
                <text x="44" y="52">0.05</text>
                <text x="96" y="52">(FETCH)</text>
                <text x="52" y="68">Token:</text>
                <text x="100" y="68">0x4a</text>
                <text x="60" y="84">Observe:</text>
                <text x="104" y="84">0</text>
                <text x="156" y="84">(register)</text>
                <text x="56" y="100">OSCORE:</text>
                <text x="132" y="100">[kid:0x01,</text>
                <text x="208" y="100">Partial</text>
                <text x="276" y="100">IV:0x65]</text>
                <text x="52" y="116">&lt;Other</text>
                <text x="104" y="116">class</text>
                <text x="144" y="116">U/I</text>
                <text x="196" y="116">options&gt;</text>
                <text x="44" y="132">0xff</text>
                <text x="96" y="148">Encrypted_payload</text>
                <text x="176" y="148">{</text>
                <text x="60" y="164">0x01</text>
                <text x="108" y="164">(GET),</text>
                <text x="76" y="180">Observe:</text>
                <text x="120" y="180">0</text>
                <text x="176" y="180">(register),</text>
                <text x="80" y="196">Uri-Path:</text>
                <text x="140" y="196">"r",</text>
                <text x="68" y="212">&lt;Other</text>
                <text x="120" y="212">class</text>
                <text x="152" y="212">E</text>
                <text x="196" y="212">options&gt;</text>
                <text x="32" y="228">}</text>
                <text x="136" y="260">(</text>
                <text x="152" y="260">S</text>
                <text x="200" y="260">allocates</text>
                <text x="256" y="260">the</text>
                <text x="312" y="260">available</text>
                <text x="376" y="260">Token</text>
                <text x="424" y="260">value</text>
                <text x="468" y="260">0x7b</text>
                <text x="496" y="260">)</text>
                <text x="56" y="292">(</text>
                <text x="72" y="292">S</text>
                <text x="104" y="292">sends</text>
                <text x="140" y="292">to</text>
                <text x="180" y="292">itself</text>
                <text x="216" y="292">a</text>
                <text x="256" y="292">phantom</text>
                <text x="336" y="292">observation</text>
                <text x="416" y="292">request</text>
                <text x="476" y="292">PH_REQ</text>
                <text x="76" y="308">as</text>
                <text x="116" y="308">coming</text>
                <text x="164" y="308">from</text>
                <text x="200" y="308">the</text>
                <text x="228" y="308">IP</text>
                <text x="280" y="308">multicast</text>
                <text x="352" y="308">address</text>
                <text x="420" y="308">GRP_ADDR</text>
                <text x="472" y="308">)</text>
                <text x="540" y="372">/r</text>
                <text x="220" y="388">0.05</text>
                <text x="272" y="388">(FETCH)</text>
                <text x="228" y="404">Token:</text>
                <text x="276" y="404">0x7b</text>
                <text x="236" y="420">Observe:</text>
                <text x="280" y="420">0</text>
                <text x="332" y="420">(register)</text>
                <text x="232" y="436">OSCORE:</text>
                <text x="308" y="436">[kid:0x05,</text>
                <text x="384" y="436">Partial</text>
                <text x="460" y="436">IV:0x01f5,</text>
                <text x="288" y="452">kid</text>
                <text x="376" y="452">context:0x57ab2e]</text>
                <text x="228" y="468">&lt;Other</text>
                <text x="280" y="468">class</text>
                <text x="320" y="468">U/I</text>
                <text x="372" y="468">options&gt;</text>
                <text x="220" y="484">0xff</text>
                <text x="272" y="500">Encrypted_payload</text>
                <text x="352" y="500">{</text>
                <text x="236" y="516">0x01</text>
                <text x="284" y="516">(GET),</text>
                <text x="252" y="532">Observe:</text>
                <text x="296" y="532">0</text>
                <text x="352" y="532">(register),</text>
                <text x="256" y="548">Uri-Path:</text>
                <text x="316" y="548">"r",</text>
                <text x="244" y="564">&lt;Other</text>
                <text x="296" y="564">class</text>
                <text x="328" y="564">E</text>
                <text x="372" y="564">options&gt;</text>
                <text x="208" y="580">}</text>
                <text x="276" y="596">&lt;Countersignature&gt;</text>
                <text x="232" y="628">(</text>
                <text x="248" y="628">S</text>
                <text x="280" y="628">steps</text>
                <text x="324" y="628">SN_5</text>
                <text x="356" y="628">in</text>
                <text x="384" y="628">the</text>
                <text x="424" y="628">Group</text>
                <text x="476" y="628">OSCORE</text>
                <text x="276" y="644">Security</text>
                <text x="348" y="644">Context:</text>
                <text x="404" y="644">SN_5</text>
                <text x="472" y="644">502</text>
                <text x="496" y="644">)</text>
                <text x="192" y="692">(</text>
                <text x="208" y="692">S</text>
                <text x="248" y="692">creates</text>
                <text x="288" y="692">a</text>
                <text x="320" y="692">group</text>
                <text x="392" y="692">observation</text>
                <text x="452" y="692">of</text>
                <text x="476" y="692">/r</text>
                <text x="496" y="692">)</text>
                <text x="224" y="724">(</text>
                <text x="240" y="724">S</text>
                <text x="292" y="724">increments</text>
                <text x="352" y="724">the</text>
                <text x="404" y="724">observer</text>
                <text x="472" y="724">counter</text>
                <text x="248" y="740">for</text>
                <text x="280" y="740">the</text>
                <text x="320" y="740">group</text>
                <text x="392" y="740">observation</text>
                <text x="452" y="740">of</text>
                <text x="476" y="740">/r</text>
                <text x="496" y="740">)</text>
                <text x="12" y="772">C1</text>
                <text x="168" y="772">[</text>
                <text x="208" y="772">Unicast</text>
                <text x="252" y="772">w/</text>
                <text x="292" y="772">OSCORE</text>
                <text x="328" y="772">]</text>
                <text x="512" y="772">S</text>
                <text x="44" y="788">2.05</text>
                <text x="104" y="788">(Content)</text>
                <text x="52" y="804">Token:</text>
                <text x="100" y="804">0x4a</text>
                <text x="56" y="820">OSCORE:</text>
                <text x="96" y="820">-</text>
                <text x="136" y="820">(empty)</text>
                <text x="60" y="836">Max-Age:</text>
                <text x="104" y="836">0</text>
                <text x="52" y="852">&lt;Other</text>
                <text x="104" y="852">class</text>
                <text x="144" y="852">U/I</text>
                <text x="196" y="852">options&gt;</text>
                <text x="44" y="868">0xff</text>
                <text x="96" y="884">Encrypted_payload</text>
                <text x="176" y="884">{</text>
                <text x="60" y="900">5.03</text>
                <text x="116" y="900">(Service</text>
                <text x="208" y="900">Unavailable),</text>
                <text x="104" y="916">Content-Format:</text>
                <text x="324" y="916">application/informative-response+cbor,</text>
                <text x="68" y="932">&lt;Other</text>
                <text x="120" y="932">class</text>
                <text x="152" y="932">E</text>
                <text x="200" y="932">options&gt;,</text>
                <text x="64" y="948">0xff,</text>
                <text x="72" y="964">Payload</text>
                <text x="112" y="964">{</text>
                <text x="64" y="980">/</text>
                <text x="104" y="980">tp_info</text>
                <text x="144" y="980">/</text>
                <text x="184" y="980">0</text>
                <text x="200" y="980">:</text>
                <text x="216" y="980">[</text>
                <text x="344" y="996">cri'coap://SRV_ADDR:SRV_PORT/',</text>
                <text x="360" y="1012">cri'coap://GRP_ADDR:GRP_PORT/',</text>
                <text x="268" y="1028">0x7b</text>
                <text x="220" y="1044">],</text>
                <text x="64" y="1060">/</text>
                <text x="100" y="1060">ph_req</text>
                <text x="136" y="1060">/</text>
                <text x="184" y="1060">1</text>
                <text x="200" y="1060">:</text>
                <text x="248" y="1060">bstr(0x05</text>
                <text x="296" y="1060">|</text>
                <text x="320" y="1060">OPT</text>
                <text x="344" y="1060">|</text>
                <text x="372" y="1060">0xff</text>
                <text x="400" y="1060">|</text>
                <text x="280" y="1076">PAYLOAD</text>
                <text x="320" y="1076">|</text>
                <text x="356" y="1076">SIGN),</text>
                <text x="64" y="1092">/</text>
                <text x="116" y="1092">last_notif</text>
                <text x="168" y="1092">/</text>
                <text x="184" y="1092">2</text>
                <text x="200" y="1092">:</text>
                <text x="248" y="1092">bstr(0x45</text>
                <text x="296" y="1092">|</text>
                <text x="320" y="1092">OPT</text>
                <text x="344" y="1092">|</text>
                <text x="372" y="1092">0xff</text>
                <text x="400" y="1092">|</text>
                <text x="280" y="1108">PAYLOAD</text>
                <text x="320" y="1108">|</text>
                <text x="356" y="1108">SIGN),</text>
                <text x="64" y="1124">/</text>
                <text x="108" y="1124">join_uri</text>
                <text x="152" y="1124">/</text>
                <text x="184" y="1124">4</text>
                <text x="200" y="1124">:</text>
                <text x="340" y="1124">"coap://myGM/ace-group/myGroup",</text>
                <text x="64" y="1140">/</text>
                <text x="100" y="1140">sec_gp</text>
                <text x="136" y="1140">/</text>
                <text x="184" y="1140">5</text>
                <text x="200" y="1140">:</text>
                <text x="248" y="1140">"myGroup"</text>
                <text x="48" y="1156">}</text>
                <text x="32" y="1172">}</text>
                <text x="12" y="1204">C2</text>
                <text x="168" y="1204">[</text>
                <text x="208" y="1204">Unicast</text>
                <text x="252" y="1204">w/</text>
                <text x="292" y="1204">OSCORE</text>
                <text x="328" y="1204">]</text>
                <text x="512" y="1204">S</text>
                <text x="540" y="1204">/r</text>
                <text x="44" y="1220">0.05</text>
                <text x="96" y="1220">(FETCH)</text>
                <text x="52" y="1236">Token:</text>
                <text x="100" y="1236">0x01</text>
                <text x="60" y="1252">Observe:</text>
                <text x="104" y="1252">0</text>
                <text x="156" y="1252">(register)</text>
                <text x="56" y="1268">OSCORE:</text>
                <text x="132" y="1268">[kid:0x02,</text>
                <text x="208" y="1268">Partial</text>
                <text x="276" y="1268">IV:0xc9]</text>
                <text x="52" y="1284">&lt;Other</text>
                <text x="104" y="1284">class</text>
                <text x="144" y="1284">U/I</text>
                <text x="196" y="1284">options&gt;</text>
                <text x="44" y="1300">0xff</text>
                <text x="96" y="1316">Encrypted_payload</text>
                <text x="176" y="1316">{</text>
                <text x="60" y="1332">0x01</text>
                <text x="108" y="1332">(GET),</text>
                <text x="76" y="1348">Observe:</text>
                <text x="120" y="1348">0</text>
                <text x="176" y="1348">(register),</text>
                <text x="80" y="1364">Uri-Path:</text>
                <text x="140" y="1364">"r",</text>
                <text x="68" y="1380">&lt;Other</text>
                <text x="120" y="1380">class</text>
                <text x="152" y="1380">E</text>
                <text x="196" y="1380">options&gt;</text>
                <text x="32" y="1396">}</text>
                <text x="224" y="1428">(</text>
                <text x="240" y="1428">S</text>
                <text x="292" y="1428">increments</text>
                <text x="352" y="1428">the</text>
                <text x="404" y="1428">observer</text>
                <text x="472" y="1428">counter</text>
                <text x="248" y="1444">for</text>
                <text x="280" y="1444">the</text>
                <text x="320" y="1444">group</text>
                <text x="392" y="1444">observation</text>
                <text x="452" y="1444">of</text>
                <text x="476" y="1444">/r</text>
                <text x="496" y="1444">)</text>
                <text x="12" y="1476">C2</text>
                <text x="168" y="1476">[</text>
                <text x="208" y="1476">Unicast</text>
                <text x="252" y="1476">w/</text>
                <text x="292" y="1476">OSCORE</text>
                <text x="328" y="1476">]</text>
                <text x="512" y="1476">S</text>
                <text x="44" y="1492">2.05</text>
                <text x="104" y="1492">(Content)</text>
                <text x="52" y="1508">Token:</text>
                <text x="100" y="1508">0x01</text>
                <text x="56" y="1524">OSCORE:</text>
                <text x="96" y="1524">-</text>
                <text x="136" y="1524">(empty)</text>
                <text x="60" y="1540">Max-Age:</text>
                <text x="104" y="1540">0</text>
                <text x="52" y="1556">&lt;Other</text>
                <text x="104" y="1556">class</text>
                <text x="144" y="1556">U/I</text>
                <text x="196" y="1556">options&gt;</text>
                <text x="48" y="1572">0xff,</text>
                <text x="96" y="1588">Encrypted_payload</text>
                <text x="176" y="1588">{</text>
                <text x="60" y="1604">5.03</text>
                <text x="116" y="1604">(Service</text>
                <text x="208" y="1604">Unavailable),</text>
                <text x="104" y="1620">Content-Format:</text>
                <text x="324" y="1620">application/informative-response+cbor,</text>
                <text x="68" y="1636">&lt;Other</text>
                <text x="120" y="1636">class</text>
                <text x="152" y="1636">E</text>
                <text x="200" y="1636">options&gt;,</text>
                <text x="64" y="1652">0xff,</text>
                <text x="72" y="1668">Payload</text>
                <text x="112" y="1668">{</text>
                <text x="64" y="1684">/</text>
                <text x="104" y="1684">tp_info</text>
                <text x="144" y="1684">/</text>
                <text x="184" y="1684">0</text>
                <text x="200" y="1684">:</text>
                <text x="216" y="1684">[</text>
                <text x="344" y="1700">cri'coap://SRV_ADDR:SRV_PORT/',</text>
                <text x="360" y="1716">cri'coap://GRP_ADDR:GRP_PORT/',</text>
                <text x="268" y="1732">0x7b</text>
                <text x="220" y="1748">],</text>
                <text x="64" y="1764">/</text>
                <text x="100" y="1764">ph_req</text>
                <text x="136" y="1764">/</text>
                <text x="184" y="1764">1</text>
                <text x="200" y="1764">:</text>
                <text x="248" y="1764">bstr(0x05</text>
                <text x="296" y="1764">|</text>
                <text x="320" y="1764">OPT</text>
                <text x="344" y="1764">|</text>
                <text x="372" y="1764">0xff</text>
                <text x="400" y="1764">|</text>
                <text x="280" y="1780">PAYLOAD</text>
                <text x="320" y="1780">|</text>
                <text x="356" y="1780">SIGN),</text>
                <text x="64" y="1796">/</text>
                <text x="116" y="1796">last_notif</text>
                <text x="168" y="1796">/</text>
                <text x="184" y="1796">2</text>
                <text x="200" y="1796">:</text>
                <text x="248" y="1796">bstr(0x45</text>
                <text x="296" y="1796">|</text>
                <text x="320" y="1796">OPT</text>
                <text x="344" y="1796">|</text>
                <text x="372" y="1796">0xff</text>
                <text x="400" y="1796">|</text>
                <text x="280" y="1812">PAYLOAD</text>
                <text x="320" y="1812">|</text>
                <text x="356" y="1812">SIGN),</text>
                <text x="64" y="1828">/</text>
                <text x="108" y="1828">join_uri</text>
                <text x="152" y="1828">/</text>
                <text x="184" y="1828">4</text>
                <text x="200" y="1828">:</text>
                <text x="340" y="1828">"coap://myGM/ace-group/myGroup",</text>
                <text x="64" y="1844">/</text>
                <text x="100" y="1844">sec_gp</text>
                <text x="136" y="1844">/</text>
                <text x="184" y="1844">5</text>
                <text x="200" y="1844">:</text>
                <text x="248" y="1844">"myGroup"</text>
                <text x="48" y="1860">}</text>
                <text x="32" y="1876">}</text>
                <text x="32" y="1908">(</text>
                <text x="56" y="1908">The</text>
                <text x="132" y="1908">representation</text>
                <text x="204" y="1908">of</text>
                <text x="232" y="1908">the</text>
                <text x="284" y="1908">resource</text>
                <text x="332" y="1908">/r</text>
                <text x="376" y="1908">changes</text>
                <text x="420" y="1908">to</text>
                <text x="460" y="1908">"5678"</text>
                <text x="496" y="1908">)</text>
                <text x="12" y="1956">C1</text>
                <text x="152" y="1972">[</text>
                <text x="200" y="1972">Multicast</text>
                <text x="252" y="1972">w/</text>
                <text x="288" y="1972">Group</text>
                <text x="340" y="1972">OSCORE</text>
                <text x="376" y="1972">]</text>
                <text x="512" y="1972">S</text>
                <text x="12" y="1988">C2</text>
                <text x="140" y="1988">(Destination</text>
                <text x="248" y="1988">address/port:</text>
                <text x="380" y="1988">GRP_ADDR/GRP_PORT)</text>
                <text x="60" y="2020">2.05</text>
                <text x="120" y="2020">(Content)</text>
                <text x="68" y="2036">Token:</text>
                <text x="116" y="2036">0x7b</text>
                <text x="76" y="2052">Observe:</text>
                <text x="120" y="2052">2</text>
                <text x="72" y="2068">OSCORE:</text>
                <text x="148" y="2068">[kid:0x05,</text>
                <text x="224" y="2068">Partial</text>
                <text x="300" y="2068">IV:0x01f6]</text>
                <text x="76" y="2084">Max-Age:</text>
                <text x="120" y="2084">0</text>
                <text x="68" y="2100">&lt;Other</text>
                <text x="120" y="2100">class</text>
                <text x="160" y="2100">U/I</text>
                <text x="212" y="2100">options&gt;</text>
                <text x="60" y="2116">0xff</text>
                <text x="112" y="2132">Encrypted_payload</text>
                <text x="192" y="2132">{</text>
                <text x="76" y="2148">2.05</text>
                <text x="140" y="2148">(Content),</text>
                <text x="92" y="2164">Observe:</text>
                <text x="136" y="2164">-</text>
                <text x="180" y="2164">(empty),</text>
                <text x="84" y="2180">&lt;Other</text>
                <text x="136" y="2180">class</text>
                <text x="168" y="2180">E</text>
                <text x="216" y="2180">options&gt;,</text>
                <text x="80" y="2196">0xff,</text>
                <text x="92" y="2212">Payload:</text>
                <text x="156" y="2212">"5678"</text>
                <text x="48" y="2228">}</text>
                <text x="88" y="2244">&lt;Signature&gt;</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
C1 ---------------- [ Unicast w/ OSCORE ]  ------------------> S  /r
|  0.05 (FETCH)                                                |
|  Token: 0x4a                                                 |
|  Observe: 0 (register)                                       |
|  OSCORE: [kid:0x01, Partial IV:0x65]                         |
|  <Other class U/I options>                                   |
|  0xff                                                        |
|  Encrypted_payload {                                         |
|    0x01 (GET),                                               |
|    Observe: 0 (register),                                    |
|    Uri-Path: "r",                                            |
|    <Other class E options>                                   |
|  }                                                           |
|                                                              |
|               ( S allocates the available Token value 0x7b ) |
|                                                              |
|     ( S sends to itself a phantom observation request PH_REQ |
|       as coming from the IP multicast address GRP_ADDR  )    |
|     .------------------------------------------------------- |
|    /                                                         |
|    \                                                         |
|     `------------------------------------------------------> |  /r
|                        0.05 (FETCH)                          |
|                        Token: 0x7b                           |
|                        Observe: 0 (register)                 |
|                        OSCORE: [kid:0x05, Partial IV:0x01f5, |
|                                 kid context:0x57ab2e]        |
|                        <Other class U/I options>             |
|                        0xff                                  |
|                        Encrypted_payload {                   |
|                          0x01 (GET),                         |
|                          Observe: 0 (register),              |
|                          Uri-Path: "r",                      |
|                          <Other class E options>             |
|                        }                                     |
|                        <Countersignature>                    |
|                                                              |
|                           ( S steps SN_5 in the Group OSCORE |
|                             Security Context: SN_5 <-- 502 ) |
|                                                              |
|                                                              |
|                      ( S creates a group observation of /r ) |
|                                                              |
|                          ( S increments the observer counter |
|                            for the group observation of /r ) |
|                                                              |
C1 <--------------- [ Unicast w/ OSCORE ] -------------------- S
|  2.05 (Content)                                              |
|  Token: 0x4a                                                 |
|  OSCORE: - (empty)                                           |
|  Max-Age: 0                                                  |
|  <Other class U/I options>                                   |
|  0xff                                                        |
|  Encrypted_payload {                                         |
|    5.03 (Service Unavailable),                               |
|    Content-Format: application/informative-response+cbor,    |
|    <Other class E options>,                                  |
|    0xff,                                                     |
|    Payload {                                                 |
|      / tp_info /    0 : [                                    |
|                          cri'coap://SRV_ADDR:SRV_PORT/',     |
|                            cri'coap://GRP_ADDR:GRP_PORT/',   |
|                              0x7b                            |
|                         ],                                   |
|      / ph_req /     1 : bstr(0x05 | OPT | 0xff |             |
|                              PAYLOAD | SIGN),                |
|      / last_notif / 2 : bstr(0x45 | OPT | 0xff |             |
|                              PAYLOAD | SIGN),                |
|      / join_uri /   4 : "coap://myGM/ace-group/myGroup",     |
|      / sec_gp /     5 : "myGroup"                            |
|    }                                                         |
|  }                                                           |
|                                                              |
C2 ---------------- [ Unicast w/ OSCORE ]  ------------------> S  /r
|  0.05 (FETCH)                                                |
|  Token: 0x01                                                 |
|  Observe: 0 (register)                                       |
|  OSCORE: [kid:0x02, Partial IV:0xc9]                         |
|  <Other class U/I options>                                   |
|  0xff                                                        |
|  Encrypted_payload {                                         |
|    0x01 (GET),                                               |
|    Observe: 0 (register),                                    |
|    Uri-Path: "r",                                            |
|    <Other class E options>                                   |
|  }                                                           |
|                                                              |
|                          ( S increments the observer counter |
|                            for the group observation of /r ) |
|                                                              |
C2 <--------------- [ Unicast w/ OSCORE ] -------------------- S
|  2.05 (Content)                                              |
|  Token: 0x01                                                 |
|  OSCORE: - (empty)                                           |
|  Max-Age: 0                                                  |
|  <Other class U/I options>                                   |
|  0xff,                                                       |
|  Encrypted_payload {                                         |
|    5.03 (Service Unavailable),                               |
|    Content-Format: application/informative-response+cbor,    |
|    <Other class E options>,                                  |
|    0xff,                                                     |
|    Payload {                                                 |
|      / tp_info /    0 : [                                    |
|                          cri'coap://SRV_ADDR:SRV_PORT/',     |
|                            cri'coap://GRP_ADDR:GRP_PORT/',   |
|                              0x7b                            |
|                         ],                                   |
|      / ph_req /     1 : bstr(0x05 | OPT | 0xff |             |
|                              PAYLOAD | SIGN),                |
|      / last_notif / 2 : bstr(0x45 | OPT | 0xff |             |
|                              PAYLOAD | SIGN),                |
|      / join_uri /   4 : "coap://myGM/ace-group/myGroup",     |
|      / sec_gp /     5 : "myGroup"                            |
|    }                                                         |
|  }                                                           |
|                                                              |
|  ( The representation of the resource /r changes to "5678" ) |
|                                                              |
+--+                                                           |
C1 |                                                           |
   | <----------- [ Multicast w/ Group OSCORE ] -------------- S
C2 |       (Destination address/port: GRP_ADDR/GRP_PORT)       |
+--+                                                           |
|    2.05 (Content)                                            |
|    Token: 0x7b                                               |
|    Observe: 2                                                |
|    OSCORE: [kid:0x05, Partial IV:0x01f6]                     |
|    Max-Age: 0                                                |
|    <Other class U/I options>                                 |
|    0xff                                                      |
|    Encrypted_payload {                                       |
|      2.05 (Content),                                         |
|      Observe: - (empty),                                     |
|      <Other class E options>,                                |
|      0xff,                                                   |
|      Payload: "5678"                                         |
|    }                                                         |
|    <Signature>                                               |
|                                                              |
]]></artwork>
        </artset>
      </figure>
      <t>The two external_aad structures used to encrypt and sign the multicast notification above include 'request_kid' = 0x05, 'request_piv' = 0x01f5, and 'request_kid_context' = 0x57ab2e. These values are specified in the 'kid', 'Partial IV', and 'kid context' fields of the OSCORE Option value of the phantom observation request, which is encoded in the 'ph_req' parameter of the unicast informative response to the two clients. Thus, the two clients can build the two same external_aad structures for decrypting and verifying this multicast notification and the following ones in the group observation.</t>
    </section>
    <section anchor="informative-response-params">
      <name>Informative Response Parameters</name>
      <t>This document defines a number of fields used in the informative response specified in <xref target="ssec-server-side-informative"/>.</t>
      <t>The table below summarizes them and specifies the CBOR key to use as abbreviation, instead of the full descriptive name. Note that the media type "application/informative-response+cbor" <bcp14>MUST</bcp14> be used when these fields are transported.</t>
      <table align="center" anchor="_table-informative-response-params">
        <name>Informative Response Parameters.</name>
        <thead>
          <tr>
            <th align="left">Name</th>
            <th align="left">CBOR Key</th>
            <th align="left">CBOR Type</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">tp_info</td>
            <td align="left">0</td>
            <td align="left">array</td>
            <td align="left">
              <xref target="ssec-server-side-informative"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">ph_req</td>
            <td align="left">1</td>
            <td align="left">byte string</td>
            <td align="left">
              <xref target="ssec-server-side-informative"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">last_notif</td>
            <td align="left">2</td>
            <td align="left">byte string</td>
            <td align="left">
              <xref target="ssec-server-side-informative"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">next_not_before</td>
            <td align="left">3</td>
            <td align="left">unsigned integer</td>
            <td align="left">
              <xref target="ssec-server-side-informative"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">ending</td>
            <td align="left">4</td>
            <td align="left">integer or float</td>
            <td align="left">
              <xref target="ssec-server-side-informative"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">join_uri</td>
            <td align="left">5</td>
            <td align="left">text string</td>
            <td align="left">
              <xref target="sec-inf-response"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">sec_gp</td>
            <td align="left">6</td>
            <td align="left">text string</td>
            <td align="left">
              <xref target="sec-inf-response"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">as_uri</td>
            <td align="left">7</td>
            <td align="left">text string</td>
            <td align="left">
              <xref target="sec-inf-response"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">hkdf</td>
            <td align="left">8</td>
            <td align="left">integer or text string</td>
            <td align="left">
              <xref target="sec-inf-response"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">cred_fmt</td>
            <td align="left">9</td>
            <td align="left">integer</td>
            <td align="left">
              <xref target="sec-inf-response"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">gp_enc_alg</td>
            <td align="left">10</td>
            <td align="left">integer or text string</td>
            <td align="left">
              <xref target="sec-inf-response"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">sign_alg</td>
            <td align="left">11</td>
            <td align="left">integer or text string</td>
            <td align="left">
              <xref target="sec-inf-response"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">sign_params</td>
            <td align="left">12</td>
            <td align="left">array</td>
            <td align="left">
              <xref target="sec-inf-response"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">gp_material</td>
            <td align="left">13</td>
            <td align="left">map</td>
            <td align="left">
              <xref target="self-managed-oscore-group"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">srv_cred</td>
            <td align="left">14</td>
            <td align="left">byte string</td>
            <td align="left">
              <xref target="self-managed-oscore-group"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">srv_identifier</td>
            <td align="left">15</td>
            <td align="left">byte string</td>
            <td align="left">
              <xref target="self-managed-oscore-group"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">exi</td>
            <td align="left">16</td>
            <td align="left">unsigned integer</td>
            <td align="left">
              <xref target="self-managed-oscore-group"/> of [RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">exp</td>
            <td align="left">17</td>
            <td align="left">integer or float</td>
            <td align="left">
              <xref target="self-managed-oscore-group"/> of [RFC-XXXX]</td>
          </tr>
        </tbody>
      </table>
      <t>Note to RFC Editor: In the table above, please replace "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.</t>
    </section>
    <section anchor="transport-protocol-identifiers">
      <name>Transport Protocol Information</name>
      <t><xref target="ssssec-udp-transport-specific"/> defines the transport-specific information that the server specifies as elements of 'tpi_details' within the 'tp_info' parameter of the informative response defined in <xref target="ssec-server-side-informative"/>, when CoAP responses are transported over UDP.</t>
      <t><xref target="_table-transport-information"/> defines the corresponding entry that <xref target="iana-coap-transport-information"/> registers in the "CoAP Transport Information" registry defined in this document.</t>
      <table align="center" anchor="_table-transport-information">
        <name>CoAP Transport Information for CoAP over UDP.</name>
        <thead>
          <tr>
            <th align="left">CoAP Transport</th>
            <th align="left">Transport Information Details</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">CoAP over UDP</td>
            <td align="left">tpi_client,tpi_token</td>
            <td align="left">
              <xref target="ssssec-udp-transport-specific"/> of [RFC-XXXX]</td>
          </tr>
        </tbody>
      </table>
      <t>Note to RFC Editor: In the table above, please replace "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.</t>
    </section>
    <section anchor="sec-operational-considerations">
      <name>Operational Considerations</name>
      <t>This section compiles the operational considerations that hold for this document.</t>
      <section anchor="logging">
        <name>Logging</name>
        <t>When performing its normal operations, it is desirable that the server produces timestamped logs about the following, to the extent afforded by its available memory, computing, and energy resources:</t>
        <ul spacing="normal">
          <li>
            <t>The start of a group observation, as corresponding to the issue and local processing of a phantom observation request (see <xref target="ssec-server-side-request"/>).</t>
          </li>
          <li>
            <t>The release and retraction of group observation data as available through different means (see <xref target="appendix-different-sources"/>).</t>
          </li>
          <li>
            <t>The addition of a new client as a participant in a group observation, with the consequent sending of an informative response (see <xref target="ssec-server-side-informative"/>).</t>
          </li>
          <li>
            <t>The execution of a procedure to (roughly) assess the number of clients that are still participating in a group observation, together with the settings and the outcome of such procedure (e.g., see <xref target="sec-rough-counting"/>).</t>
          </li>
          <li>
            <t>The evolution of the (rough) number of clients participating in a group observation throughout its duration.</t>
          </li>
          <li>
            <t>The termination of a group observation (see <xref target="ssec-server-side-cancellation"/>).</t>
          </li>
        </ul>
        <t>A group observation can be effectively characterized by the target resource, the phantom registration request, and the transport-specific information according to which multicast notifications are sent for that group observation.</t>
        <t>Although log entries are produced by the server, the storage, management, controlled sharing, and disposal of logs are entrusted to a designated storage point that can be the server itself or instead a separate trusted entity.</t>
        <t>Besides what is compiled above, the server could produce additional information to log. Further details about what the server logs, with what granularity, and based on what triggering events and conditions are application-specific and left to operators to define.</t>
        <t>The server <bcp14>MUST NOT</bcp14> log any secret or confidential information pertaining to a group observation. For example, if Group OSCORE is used to protect multicast notifications (see <xref target="sec-secured-notifications"/>), such information includes:</t>
        <ul spacing="normal">
          <li>
            <t>The OSCORE Master Secret used in the OSCORE group.</t>
          </li>
          <li>
            <t>The symmetric keying material derived from the OSCORE Master Secret and used in the OSCORE group, i.e., the Sender/Recipient Keys.</t>
          </li>
          <li>
            <t>The Signature Encryption Key used in the OSCORE group.</t>
          </li>
          <li>
            <t>The private key associated with the server's authentication credential used in the group.</t>
          </li>
          <li>
            <t>Rekeying messages that are exchanged in the group.</t>
          </li>
          <li>
            <t>If applicable, administrative keying material used to protect the group rekeying process.</t>
          </li>
        </ul>
        <t>It is up to the application to specify for how long a log entry is retained from the time of its creation and until its deletion. Different retention policies could be enforced for different group observations. For a given group observation, the oldest log entries are expected to be those deleted first, and different retention policies could be enforced depending on whether the group observation is currently ongoing or has been terminated.</t>
        <t>It is out of the scope of this document what specific semantics and data model are used by the server for producing and processing the logs. Specific semantics and data models can be defined by applications and future specifications.</t>
        <t>It is expected that the logs produced are made available for secure access by authorized external management applications and operators.</t>
        <t>In particular, logged information could be retrieved in the following ways.</t>
        <ul spacing="normal">
          <li>
            <t>By accessing logs at the designated storage point through polling. This can occur in an occasional, regular, or event-driven way.</t>
          </li>
          <li>
            <t>Through notifications sent by the designated storage point according to an operator-defined frequency.</t>
          </li>
          <li>
            <t>Through notifications asynchronously sent by the designated storage point, throttling them in order to prevent congestion and duplication and to not create attack vectors.</t>
          </li>
        </ul>
        <t>From the perspective of an individual management application or network operator, knowledge gained from the logged information can be useful for planning, adjusting, and (fine-)tuning the allocation of network resources. Also, it can help understand how to (re-)configure the server in terms of which pre-conditions have to be met for starting a group observation for a target resource.</t>
        <t>Some of the logged information can be privacy-sensitive. This especially holds for the metadata about a client, i.e., addressing information of the client and, when applicable, (an identifier of) the client's authentication credential that is used to authenticate with the server when using secure communication. If external management applications and operators obtain such metadata, they become able to track a given client, as to its interactions with one or multiple servers and its participation in group observations under such servers.</t>
        <t>Therefore, the logged information that is effectively provided to external management applications and operators <bcp14>SHOULD</bcp14> be redacted by the designated storage point, by omitting any privacy-sensitive information element that could enable or facilitate the impairment of clients' privacy, e.g., by tracking clients across different group observations and different servers. Exceptions could apply, e.g., if the designated storage point can verify that the management application or operator in question is specifically authorized to obtain such privacy-sensitive information and appropriately entitled to obtain it according to enforced privacy policies.</t>
      </section>
      <section anchor="management-and-distribution-of-keying-material">
        <name>Management and Distribution of Keying Material</name>
        <t>When using Group OSCORE to protect multicast notifications, the management and distribution of the keying material used in the OSCORE group is entrusted to the Group Manager that is responsible for the group.</t>
        <t>A possible realization of Group Manager is the one defined <xref target="I-D.ietf-ace-key-groupcomm-oscore"/>. In such case, the server can optionally help clients, by including in the informative response additional information for joining the group through the responsible Group Manager (see <xref target="sec-inf-response"/>).</t>
        <t><xref target="self-managed-oscore-group"/> describes how, in simple settings, the server can be responsible to set up and manage the OSCORE group, acting as the corresponding Group Manager.</t>
      </section>
      <section anchor="access-control">
        <name>Access Control</name>
        <t>In order to enforce access control for a client accessing a target resource, it is fundamentally required that secure communication is used between the client and the server hosting the resource, with the server authenticating the client.</t>
        <t>This particularly applies to traditional observation requests that are sent protected to the server and result in a protected response like the informative response.</t>
        <t>When receiving such a protected request, the server can enforce access control after having successfully authenticated the requesting client, according to the access rights that are granted to the client's identity.</t>
        <t>In particular, access control can be enforced by using the ACE framework <xref target="RFC9200"/>, with a granularity that takes into account the resource specifically targeted at the server, the operation requested by sending a request to that resource, and the specific permission(s) that the requesting client is authorized to have according to its corresponding access token. Furthermore, the interactions between a client and the server are secured as per the specific transport profile of ACE used, such as <xref target="RFC9203"/> and <xref target="I-D.ietf-ace-group-oscore-profile"/>.</t>
      </section>
    </section>
    <section anchor="sec-security-considerations">
      <name>Security Considerations</name>
      <t>In addition to the security considerations from <xref target="RFC7252"/>, <xref target="RFC7641"/>, <xref target="I-D.ietf-core-groupcomm-bis"/>, <xref target="RFC8613"/>, and <xref target="I-D.ietf-core-oscore-groupcomm"/>, the following considerations hold for this document.</t>
      <section anchor="unprotected-communications">
        <name>Unprotected Communications</name>
        <t>If communications are not protected, the server might not be able to effectively authenticate a new client when it registers as an observer. <xref section="7" sectionFormat="of" target="RFC7641"/> specifies how, in such a case, the server must strictly limit the number of notifications sent between receiving acknowledgements from the client, as confirming to be still interested in the observation; i.e., any notifications sent in Non-confirmable messages must be interspersed with confirmable messages.</t>
        <t>This is not possible to achieve by the same means when using the communication model defined in this document, since multicast notifications are sent as Non-confirmable messages. Nonetheless, the server might obtain such acknowledgements by other means.</t>
        <t>For instance, the method defined in <xref target="sec-rough-counting"/> to perform the rough counting of still interested clients triggers (some of) them to explicitly send a new observation request to acknowledge their interest. Then, the server can decide to terminate the group observation altogether, in the case that not enough clients are estimated to be still active.</t>
        <t>If the method defined in <xref target="sec-rough-counting"/> is used, the server <bcp14>SHOULD NOT</bcp14> send more than a strict number of multicast notifications for a given group observation, without having first performed a new rough counting of active clients. Note that, when using the method defined in <xref target="sec-rough-counting"/> with unprotected communications, an adversary can craft and inject multiple new observation requests including the Feedback-Divider Option, hence inducing the server to overestimate the number of still interested clients and thus to inappropriately continue the group observation.</t>
      </section>
      <section anchor="protected-communications">
        <name>Protected Communications</name>
        <t>If multicast notifications for an observed resource are protected using Group OSCORE (see <xref target="sec-secured-notifications"/>), it is ensured that those are securely bound to the phantom registration request that started the group observation of that resource. Furthermore, the following applies.</t>
        <ul spacing="normal">
          <li>
            <t>The original registration requests and related unicast (notification) responses are also protected, including and especially the informative responses from the server. An exception is the case discussed in <xref target="deterministic-phantom-Request"/>, where the informative response from the server is not protected.  </t>
            <t>
Protecting informative responses from the server prevents on-path active adversaries from altering the conveyed IP multicast address and serialized phantom registration request.</t>
          </li>
          <li>
            <t>A re-registration request, possibly including the Feedback-Divider Option to support the rough counting of clients (see <xref target="sec-rough-counting"/>), is also protected.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This document has the following actions for IANA.</t>
      <t>Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.</t>
      <section anchor="media-type">
        <name>Media Type Registrations</name>
        <t>This document registers the media type "application/informative-response+cbor" for error messages as informative response defined in <xref target="ssec-server-side-informative"/>, when carrying parameters encoded in CBOR. This registration follows the procedures specified in <xref target="RFC6838"/>.</t>
        <ul spacing="normal">
          <li>
            <t>Type name: application</t>
          </li>
          <li>
            <t>Subtype name: informative-response+cbor</t>
          </li>
          <li>
            <t>Required parameters: N/A</t>
          </li>
          <li>
            <t>Optional parameters: N/A</t>
          </li>
          <li>
            <t>Encoding considerations: Must be encoded as a CBOR map containing the parameters defined in <xref target="ssec-server-side-informative"/> of [RFC-XXXX].</t>
          </li>
          <li>
            <t>Security considerations: See <xref target="sec-security-considerations"/> of [RFC-XXXX].</t>
          </li>
          <li>
            <t>Interoperability considerations: N/A</t>
          </li>
          <li>
            <t>Published specification: [RFC-XXXX]</t>
          </li>
          <li>
            <t>Applications that use this media type: The type is used by CoAP servers and clients that support error messages as informative response defined in <xref target="ssec-server-side-informative"/> of [RFC-XXXX].</t>
          </li>
          <li>
            <t>Fragment identifier considerations: N/A</t>
          </li>
          <li>
            <t>Additional information: N/A</t>
          </li>
          <li>
            <t>Person &amp; email address to contact for further information: CoRE WG mailing list (core@ietf.org) or IETF Applications and Real-Time Area (art@ietf.org)</t>
          </li>
          <li>
            <t>Intended usage: COMMON</t>
          </li>
          <li>
            <t>Restrictions on usage: None</t>
          </li>
          <li>
            <t>Author/Change controller: IETF</t>
          </li>
          <li>
            <t>Provisional registration:  No</t>
          </li>
        </ul>
      </section>
      <section anchor="content-format">
        <name>CoAP Content-Formats Registry</name>
        <t>IANA is asked to add the following entry to the "CoAP Content-Formats" registry <xref target="IANA.CoAP.Content.Formats"/> within the "Constrained RESTful Environments (CoRE) Parameters" registry group.</t>
        <t>Content Type: application/informative-response+cbor</t>
        <t>Content Coding: -</t>
        <t>ID: TBD (value between 0 and 255)</t>
        <t>Reference: [RFC-XXXX]</t>
      </section>
      <section anchor="iana-coap-options">
        <name>CoAP Option Numbers Registry</name>
        <t>IANA is asked to enter the following option number to the "CoAP Option Numbers" registry <xref target="IANA.CoAP.Option.Numbers"/> within the "Constrained RESTful Environments (CoRE) Parameters" registry group.</t>
        <table align="center">
          <name>Registrations in the CoAP Option Numbers Registry</name>
          <thead>
            <tr>
              <th align="left">Number</th>
              <th align="left">Name</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">TBD18</td>
              <td align="left">Feedback-Divider</td>
              <td align="left">[RFC-XXXX]</td>
            </tr>
          </tbody>
        </table>
        <t>For the Feedback-Divider Option, the preferred value range is 0-255. In particular, 18 is the preferred option number.</t>
        <t>Note to RFC Editor: In the table above, please replace TBD18 with the registered option number. Then, please delete this paragraph and the previous paragraph.</t>
      </section>
      <section anchor="iana-target-attributes">
        <name>Target Attributes Registry</name>
        <t>IANA is asked to register the following entry in the "Target Attributes" registry <xref target="IANA.Target.Attributes"/> within the "Constrained RESTful Environments (CoRE) Parameters" registry group.</t>
        <ul spacing="normal">
          <li>
            <t>Attribute Name: gp-obs</t>
          </li>
          <li>
            <t>Brief Description: Observable resource supporting group observation</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Reference: <xref target="sec-web-linking"/> of [RFC-XXXX]</t>
          </li>
        </ul>
      </section>
      <section anchor="iana-informative-response-params">
        <name>Informative Response Parameters Registry</name>
        <t>This document establishes the "Informative Response Parameters" registry within the "Constrained RESTful Environments (CoRE) Parameters" registry group.</t>
        <t>The registration policy is either "Private Use", "Standards Action with Expert Review", or "Specification Required" or "Expert Review" per <xref target="RFC8126"/>. "Expert Review" guidelines are provided in <xref target="iana-review"/>.</t>
        <t>All assignments according to "Standards Action with Expert Review" are made on a "Standards Action" basis per <xref section="4.9" sectionFormat="of" target="RFC8126"/> with "Expert Review" additionally required per <xref section="4.5" sectionFormat="of" target="RFC8126"/>. The procedure for early IANA allocation of "standards track code points" defined in <xref target="RFC7120"/> also applies. When such a procedure is used, IANA will ask the designated expert(s) to approve the early allocation before registration. In addition, working group chairs are encouraged to consult the expert(s) early during the process outlined in <xref section="3.1" sectionFormat="of" target="RFC7120"/>.</t>
        <t>The columns of this registry are:</t>
        <ul spacing="normal">
          <li>
            <t>Name: This is a descriptive name that enables easier reference to the item. The name <bcp14>MUST</bcp14> be unique. It is not used in the encoding of the item.</t>
          </li>
          <li>
            <t>CBOR Key: This is the value used as the CBOR map key of the item. These values <bcp14>MUST</bcp14> be unique. The value can be a positive integer, a negative integer, or a text string. Different ranges of values use different registration policies <xref target="RFC8126"/>. Integer values from -256 to 255 as well as text strings of length 1 are designated as "Standards Action With Expert Review". Integer values from -65536 to -257 and from 256 to 65535 as well as text strings of length 2 are designated as "Specification Required". Integer values greater than 65535 as well as text strings of length greater than 2 are designated as "Expert Review". Integer values less than -65536 are marked as "Private Use".</t>
          </li>
          <li>
            <t>CBOR Type: This contains the CBOR type of the item, or a pointer to the registry that defines its type, when that depends on another item.</t>
          </li>
          <li>
            <t>Reference: This contains a pointer to the public specification for the item, if one exists.</t>
          </li>
        </ul>
        <t>This registry has been initially populated by the entries in <xref target="_table-informative-response-params"/>.</t>
      </section>
      <section anchor="iana-coap-transport-information">
        <name>CoAP Transport Information Registry</name>
        <t>This document establishes the "CoAP Transport Information" registry within the "Constrained RESTful Environments (CoRE) Parameters" registry group.</t>
        <t>The registration policy is "Expert Review" <xref target="RFC8126"/>. "Expert Review" guidelines are provided in <xref target="iana-review"/>.</t>
        <t>The columns of this registry are:</t>
        <ul spacing="normal">
          <li>
            <t>CoAP Transport: This field contains a text string. The value <bcp14>MUST</bcp14> be unique and it uniquely identifies the transport used for CoAP messages.</t>
          </li>
          <li>
            <t>Transport Information Details: This field contains a list of text strings, where two adjacent strings are separated by a single comma character. Each text string is the name of an element that provides transport-specific information related to a pertinent CoAP request. Optional elements are prepended by '?' and <bcp14>MUST</bcp14> be specified next to each other as last ones.</t>
          </li>
          <li>
            <t>Reference: This contains a pointer to the public specification for the item, if one exists.</t>
          </li>
        </ul>
        <t>This registry has been initially populated by the entry in <xref target="_table-transport-information"/>.</t>
      </section>
      <section anchor="iana-review">
        <name>Expert Review Instructions</name>
        <t>"Standards Action with Expert Review", "Specification Required", and "Expert Review" are three of the registration policies defined for the IANA registries established in this document. This section gives some general guidelines for what the experts should be looking for, but they are being designated as experts for a reason, so they should be given substantial latitude.</t>
        <t>Expert reviewers should take into consideration the following points:</t>
        <ul spacing="normal">
          <li>
            <t>Point squatting should be discouraged. Reviewers are encouraged to get sufficient information for registration requests to ensure that the usage is not going to duplicate one that is already registered and that the point is likely to be used in deployments. The zones tagged as "Private Use" are intended for testing purposes and closed environments. Code points in other ranges should not be assigned for testing.</t>
          </li>
          <li>
            <t>Specifications are required for the "Standards Action With Expert Review" range of point assignment. Specifications should exist for "Specification Required" ranges, but early assignment before a specification is available is considered to be permissible. When specifications are not provided, the description provided needs to have sufficient information to identify what the point is being used for.</t>
          </li>
          <li>
            <t>Experts should take into account the expected usage of fields when approving point assignment. The fact that there is a range for Standards Track documents does not mean that a Standards Track document cannot have points assigned outside of that range. The length of the encoded value should be weighed against how many code points of that length are left, the size of device it will be used on, and the number of code points left that encode to that size.</t>
          </li>
        </ul>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="I-D.ietf-core-groupcomm-bis">
          <front>
            <title>Group Communication for the Constrained Application Protocol (CoAP)</title>
            <author fullname="Esko Dijk" initials="E." surname="Dijk">
              <organization>IoTconsultancy.nl</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <date day="10" month="February" year="2026"/>
            <abstract>
              <t>   The Constrained Application Protocol (CoAP) is a web transfer
   protocol for constrained devices and constrained networks.  In a
   number of use cases, constrained devices often naturally operate in
   groups (e.g., in a building automation scenario, all lights in a
   given room may need to be switched on/off as a group).  This document
   specifies the use of CoAP for group communication, including the use
   of UDP/IP multicast as the default underlying data transport.  Both
   unsecured and secured CoAP group communication are specified.
   Security is achieved by use of the Group Object Security for
   Constrained RESTful Environments (Group OSCORE) protocol.  The target
   application area of this specification is any group communication use
   cases that involve resource-constrained devices or networks that
   support CoAP.  This document replaces and obsoletes RFC 7390, while
   it updates RFC 7252 and RFC 7641.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-groupcomm-bis-18"/>
        </reference>
        <reference anchor="I-D.ietf-core-oscore-groupcomm">
          <front>
            <title>Group Object Security for Constrained RESTful Environments (Group OSCORE)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <date day="23" month="December" year="2025"/>
            <abstract>
              <t>   This document defines the security protocol Group Object Security for
   Constrained RESTful Environments (Group OSCORE), providing end-to-end
   security of messages exchanged with the Constrained Application
   Protocol (CoAP) between members of a group, e.g., sent over IP
   multicast.  In particular, the described protocol defines how OSCORE
   is used in a group communication setting to provide source
   authentication for CoAP group requests, sent by a client to multiple
   servers, and for protection of the corresponding CoAP responses.
   Group OSCORE also defines a pairwise mode where each member of the
   group can efficiently derive a symmetric pairwise key with each other
   member of the group for pairwise OSCORE communication.  Group OSCORE
   can be used between endpoints communicating with CoAP or CoAP-
   mappable HTTP.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-groupcomm-28"/>
        </reference>
        <reference anchor="I-D.ietf-ace-key-groupcomm-oscore">
          <front>
            <title>Key Management for Group Object Security for Constrained RESTful Environments (Group OSCORE) Using Authentication and Authorization for Constrained Environments (ACE)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <date day="14" month="March" year="2026"/>
            <abstract>
              <t>   This document defines an application profile of the Authentication
   and Authorization for Constrained Environments (ACE) framework, to
   request and provision keying material in group communication
   scenarios that are based on the Constrained Application Protocol
   (CoAP) and are secured with Group Object Security for Constrained
   RESTful Environments (Group OSCORE).  This application profile
   delegates the authentication and authorization of Clients, which join
   an OSCORE group through a Resource Server acting as Group Manager for
   that group.  This application profile leverages protocol-specific
   transport profiles of ACE to achieve communication security, server
   authentication, and proof of possession of a key owned by the Client
   and bound to an OAuth 2.0 access token.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ace-key-groupcomm-oscore-21"/>
        </reference>
        <reference anchor="I-D.ietf-core-href">
          <front>
            <title>Constrained Resource Identifiers</title>
            <author fullname="Carsten Bormann" initials="C." surname="Bormann">
              <organization>Universität Bremen TZI</organization>
            </author>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <date day="21" month="November" year="2025"/>
            <abstract>
              <t>   The Constrained Resource Identifier (CRI) is a complement to the
   Uniform Resource Identifier (URI) that represents the URI components
   in Concise Binary Object Representation (CBOR) rather than as a
   sequence of characters.  This approach simplifies parsing,
   comparison, and reference resolution in environments with severe
   limitations on processing power, code size, and memory size.

   This RFC updates RFC 7595 by adding a column on the "URI Schemes"
   registry.


   // (This "cref" paragraph will be removed by the RFC editor:) After
   // approval of -28 and nit fixes in -29, the present revision -30
   // contains two more small fixes for nits that were uncovered in the
   // RPC intake process.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-href-30"/>
        </reference>
        <reference anchor="I-D.ietf-cbor-edn-literals">
          <front>
            <title>Concise Diagnostic Notation (CDN)</title>
            <author fullname="Carsten Bormann" initials="C." surname="Bormann">
              <organization>Universität Bremen TZI</organization>
            </author>
            <date day="15" month="June" year="2026"/>
            <abstract>
              <t>   This document formalizes and consolidates the definition of the
   Concise Diagnostic Notation (CDN) of the Concise Binary Object
   Representation (CBOR), addressing implementer experience.

   Replacing CDN's previous informal descriptions, it updates RFC 8949,
   obsoleting its Section 8, and RFC 8610, obsoleting its Appendix G.

   It also specifies registry-based extension points and uses them to
   support text representations such as of epoch-based dates/times and
   of IP addresses and prefixes.


   // (This cref will be removed by the RFC editor:) -26 is intended to
   // address the May/June 2026 Working Group Last Call comments on -25
   // and the ensuing WG discussions.  Specifically, this update: • is
   // going further with the idea to entirely replace the non- backwards
   // compatible update considered for the RFC 8610/G.4 concatenation by
   // two new application extensions (temporarily named b1/t1), and to
   // add related application-oriented extensions that deprecate the
   // original streamstring syntax. • includes the float'' application-
   // extension so that the entire CBOR format can be covered. • now
   // uses rules closer to those of markdown for handling data
   // transparency in raw strings, simplifying their implementation. •
   // adds security considerations. • proactively reserves the
   // application-extension identifier "pragma" for potential future
   // standardization. • This update does not address certain comments
   // that propose some editorial restructuring requiring moving text
   // around; this is best done in a next revision after the technical
   // comments are addressed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cbor-edn-literals-26"/>
        </reference>
        <reference anchor="RFC4944">
          <front>
            <title>Transmission of IPv6 Packets over IEEE 802.15.4 Networks</title>
            <author fullname="G. Montenegro" initials="G." surname="Montenegro"/>
            <author fullname="N. Kushalnagar" initials="N." surname="Kushalnagar"/>
            <author fullname="J. Hui" initials="J." surname="Hui"/>
            <author fullname="D. Culler" initials="D." surname="Culler"/>
            <date month="September" year="2007"/>
            <abstract>
              <t>This document describes the frame format for transmission of IPv6 packets and the method of forming IPv6 link-local addresses and statelessly autoconfigured addresses on IEEE 802.15.4 networks. Additional specifications include a simple header compression scheme using shared context and provisions for packet delivery in IEEE 802.15.4 meshes. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4944"/>
          <seriesInfo name="DOI" value="10.17487/RFC4944"/>
        </reference>
        <reference anchor="RFC6838">
          <front>
            <title>Media Type Specifications and Registration Procedures</title>
            <author fullname="N. Freed" initials="N." surname="Freed"/>
            <author fullname="J. Klensin" initials="J." surname="Klensin"/>
            <author fullname="T. Hansen" initials="T." surname="Hansen"/>
            <date month="January" year="2013"/>
            <abstract>
              <t>This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="13"/>
          <seriesInfo name="RFC" value="6838"/>
          <seriesInfo name="DOI" value="10.17487/RFC6838"/>
        </reference>
        <reference anchor="RFC7120">
          <front>
            <title>Early IANA Allocation of Standards Track Code Points</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <date month="January" year="2014"/>
            <abstract>
              <t>This memo describes the process for early allocation of code points by IANA from registries for which "Specification Required", "RFC Required", "IETF Review", or "Standards Action" policies apply. This process can be used to alleviate the problem where code point allocation is needed to facilitate desired or required implementation and deployment experience prior to publication of an RFC, which would normally trigger code point allocation. The procedures in this document are intended to apply only to IETF Stream documents.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="100"/>
          <seriesInfo name="RFC" value="7120"/>
          <seriesInfo name="DOI" value="10.17487/RFC7120"/>
        </reference>
        <reference anchor="RFC7252">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="RFC7595">
          <front>
            <title>Guidelines and Registration Procedures for URI Schemes</title>
            <author fullname="D. Thaler" initials="D." role="editor" surname="Thaler"/>
            <author fullname="T. Hansen" initials="T." surname="Hansen"/>
            <author fullname="T. Hardie" initials="T." surname="Hardie"/>
            <date month="June" year="2015"/>
            <abstract>
              <t>This document updates the guidelines and recommendations, as well as the IANA registration processes, for the definition of Uniform Resource Identifier (URI) schemes. It obsoletes RFC 4395.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="35"/>
          <seriesInfo name="RFC" value="7595"/>
          <seriesInfo name="DOI" value="10.17487/RFC7595"/>
        </reference>
        <reference anchor="RFC7641">
          <front>
            <title>Observing Resources in the Constrained Application Protocol (CoAP)</title>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <date month="September" year="2015"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a RESTful application protocol for constrained nodes and networks. The state of a resource on a CoAP server can change over time. This document specifies a simple protocol extension for CoAP that enables CoAP clients to "observe" resources, i.e., to retrieve a representation of a resource and keep this representation updated by the server over a period of time. The protocol follows a best-effort approach for sending new representations to clients and provides eventual consistency between the state observed by each client and the actual resource state at the server.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7641"/>
          <seriesInfo name="DOI" value="10.17487/RFC7641"/>
        </reference>
        <reference anchor="RFC7967">
          <front>
            <title>Constrained Application Protocol (CoAP) Option for No Server Response</title>
            <author fullname="A. Bhattacharyya" initials="A." surname="Bhattacharyya"/>
            <author fullname="S. Bandyopadhyay" initials="S." surname="Bandyopadhyay"/>
            <author fullname="A. Pal" initials="A." surname="Pal"/>
            <author fullname="T. Bose" initials="T." surname="Bose"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>There can be machine-to-machine (M2M) scenarios where server responses to client requests are redundant. This kind of open-loop exchange (with no response path from the server to the client) may be desired to minimize resource consumption in constrained systems while updating many resources simultaneously or performing high-frequency updates. CoAP already provides Non-confirmable (NON) messages that are not acknowledged by the recipient. However, the request/response semantics still require the server to respond with a status code indicating "the result of the attempt to understand and satisfy the request", per RFC 7252.</t>
              <t>This specification introduces a CoAP option called 'No-Response'. Using this option, the client can explicitly express to the server its disinterest in all responses against the particular request. This option also provides granular control to enable expression of disinterest to a particular response class or a combination of response classes. The server MAY decide to suppress the response by not transmitting it back to the client according to the value of the No-Response option in the request. This option may be effective for both unicast and multicast requests. This document also discusses a few examples of applications that benefit from this option.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7967"/>
          <seriesInfo name="DOI" value="10.17487/RFC7967"/>
        </reference>
        <reference anchor="RFC8085">
          <front>
            <title>UDP Usage Guidelines</title>
            <author fullname="L. Eggert" initials="L." surname="Eggert"/>
            <author fullname="G. Fairhurst" initials="G." surname="Fairhurst"/>
            <author fullname="G. Shepherd" initials="G." surname="Shepherd"/>
            <date month="March" year="2017"/>
            <abstract>
              <t>The User Datagram Protocol (UDP) provides a minimal message-passing transport that has no inherent congestion control mechanisms. This document provides guidelines on the use of UDP for the designers of applications, tunnels, and other protocols that use UDP. Congestion control guidelines are a primary focus, but the document also provides guidance on other topics, including message sizes, reliability, checksums, middlebox traversal, the use of Explicit Congestion Notification (ECN), Differentiated Services Code Points (DSCPs), and ports.</t>
              <t>Because congestion control is critical to the stable operation of the Internet, applications and other protocols that choose to use UDP as an Internet transport must employ mechanisms to prevent congestion collapse and to establish some degree of fairness with concurrent traffic. They may also need to implement additional mechanisms, depending on how they use UDP.</t>
              <t>Some guidance is also applicable to the design of other protocols (e.g., protocols layered directly on IP or via IP-based tunnels), especially when these protocols do not themselves provide congestion control.</t>
              <t>This document obsoletes RFC 5405 and adds guidelines for multicast UDP usage.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="145"/>
          <seriesInfo name="RFC" value="8085"/>
          <seriesInfo name="DOI" value="10.17487/RFC8085"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC8132">
          <front>
            <title>PATCH and FETCH Methods for the Constrained Application Protocol (CoAP)</title>
            <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="A. Sehgal" initials="A." surname="Sehgal"/>
            <date month="April" year="2017"/>
            <abstract>
              <t>The methods defined in RFC 7252 for the Constrained Application Protocol (CoAP) only allow access to a complete resource, not to parts of a resource. In case of resources with larger or complex data, or in situations where resource continuity is required, replacing or requesting the whole resource is undesirable. Several applications using CoAP need to access parts of the resources.</t>
              <t>This specification defines the new CoAP methods, FETCH, PATCH, and iPATCH, which are used to access and update parts of a resource.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8132"/>
          <seriesInfo name="DOI" value="10.17487/RFC8132"/>
        </reference>
        <reference anchor="RFC8288">
          <front>
            <title>Web Linking</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <date month="October" year="2017"/>
            <abstract>
              <t>This specification defines a model for the relationships between resources on the Web ("links") and the type of those relationships ("link relation types").</t>
              <t>It also defines the serialisation of such links in HTTP headers with the Link header field.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8288"/>
          <seriesInfo name="DOI" value="10.17487/RFC8288"/>
        </reference>
        <reference anchor="RFC8610">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="C. Vigano" initials="C." surname="Vigano"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="RFC8613">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
        <reference anchor="RFC8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9203">
          <front>
            <title>The Object Security for Constrained RESTful Environments (OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework</title>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="M. Gunnarsson" initials="M." surname="Gunnarsson"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework. It utilizes Object Security for Constrained RESTful Environments (OSCORE) to provide communication security and proof-of-possession for a key owned by the client and bound to an OAuth 2.0 access token.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9203"/>
          <seriesInfo name="DOI" value="10.17487/RFC9203"/>
        </reference>
        <reference anchor="IANA.COSE.Algorithms" target="https://www.iana.org/assignments/cose/cose.xhtml#algorithms">
          <front>
            <title>COSE Algorithms</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA.COSE.Key.Types" target="https://www.iana.org/assignments/cose/cose.xhtml#key-type">
          <front>
            <title>COSE Key Types</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA.COSE.Header.Parameters" target="https://www.iana.org/assignments/cose/cose.xhtml#header-parameters">
          <front>
            <title>COSE Header Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA.CoAP.Content.Formats" target="https://www.iana.org/assignments/core-parameters/core-parameters.xhtml#content-formats">
          <front>
            <title>CoAP Content-Formats</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA.CoAP.Option.Numbers" target="https://www.iana.org/assignments/core-parameters/core-parameters.xhtml#option-numbers">
          <front>
            <title>CoAP Option Numbers</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA.Target.Attributes" target="https://www.iana.org/assignments/core-parameters/core-parameters.xhtml#target-attributes">
          <front>
            <title>Target Attributes</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA.URI.Schemes" target="https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml#uri-schemes-1">
          <front>
            <title>Uniform Resource Identifier (URI) Schemes</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.ietf-core-coap-pubsub">
          <front>
            <title>A publish-subscribe architecture for the Constrained Application Protocol (CoAP)</title>
            <author fullname="Jaime Jimenez" initials="J." surname="Jimenez">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Michael Koster" initials="M." surname="Koster">
              <organization>Dogtiger Labs</organization>
            </author>
            <author fullname="Ari Keränen" initials="A." surname="Keränen">
              <organization>Ericsson</organization>
            </author>
            <date day="2" month="July" year="2026"/>
            <abstract>
              <t>   This document describes a publish-subscribe architecture for the
   Constrained Application Protocol (CoAP), extending the capabilities
   of CoAP communications for supporting endpoints with long breaks in
   connectivity and/or up-time.  CoAP clients publish on and subscribe
   to a topic via a corresponding topic resource at a CoAP server acting
   as broker.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-coap-pubsub-21"/>
        </reference>
        <reference anchor="I-D.tiloca-core-oscore-discovery">
          <front>
            <title>Discovery of OSCORE Groups with the CoRE Resource Directory</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Christian Amsüss" initials="C." surname="Amsüss">
         </author>
            <author fullname="Peter Van der Stok" initials="P." surname="Van der Stok">
         </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   Group communication over the Constrained Application Protocol (CoAP)
   can be secured by means of Group Object Security for Constrained
   RESTful Environments (Group OSCORE).  At deployment time, devices may
   not know the exact security groups to join, the respective Group
   Manager, or other information required to perform the joining
   process.  This document defines how a CoAP endpoint can use
   descriptions and links of resources registered at the CoRE Resource
   Directory to discover security groups and to acquire information for
   joining them through the respective Group Manager.  A given security
   group can be used to protect communications in multiple application
   groups, which are separately announced in the Resource Directory as
   sets of endpoints sharing a pool of resources.  This approach is
   consistent with, but not limited to, the joining of security groups
   based on the ACE framework for Authentication and Authorization in
   constrained environments.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-tiloca-core-oscore-discovery-19"/>
        </reference>
        <reference anchor="I-D.ietf-core-coral">
          <front>
            <title>The Constrained RESTful Application Language (CoRAL)</title>
            <author fullname="Christian Amsüss" initials="C." surname="Amsüss">
         </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>ARM</organization>
            </author>
            <date day="4" month="March" year="2024"/>
            <abstract>
              <t>   The Constrained RESTful Application Language (CoRAL) defines a data
   model and interaction model as well as a compact serialization
   formats for the description of typed connections between resources on
   the Web ("links"), possible operations on such resources ("forms"),
   and simple resource metadata.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-coral-06"/>
        </reference>
        <reference anchor="I-D.ietf-core-cacheable-oscore">
          <front>
            <title>End-to-End Protected and Cacheable Responses for the Constrained Application Protocol (CoAP) using Group Object Security for Constrained RESTful Environments (Group OSCORE)</title>
            <author fullname="Christian Amsüss" initials="C." surname="Amsüss">
         </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   When using the Constrained Application Protocol (CoAP), exchanged
   messages can be protected end-to-end also across untrusted
   intermediary proxies.  This can be achieved with Object Security for
   Constrained RESTful Environments (OSCORE) or, in the case of group
   communication, with Group Object Security for Constrained RESTful
   Environments (Group OSCORE).  However, this sidesteps the proxies'
   abilities to cache responses from the origin server(s).  This
   document restores cacheability of end-end protected responses at
   proxies, by using Group OSCORE and introducing consensus requests,
   which any client in an OSCORE group can send to one server or
   multiple servers in the same group.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-cacheable-oscore-01"/>
        </reference>
        <reference anchor="I-D.ietf-cose-cbor-encoded-cert">
          <front>
            <title>CBOR Encoded X.509 Certificates (C509 Certificates)</title>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Shahid Raza" initials="S." surname="Raza">
              <organization>University of Glasgow</organization>
            </author>
            <author fullname="Joel Höglund" initials="J." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Martin Furuhed" initials="M." surname="Furuhed">
              <organization>IN Groupe</organization>
            </author>
            <author fullname="Lijun Liao" initials="L." surname="Liao">
              <organization>NIO</organization>
            </author>
            <date day="30" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies a CBOR encoding of X.509 certificates.  The
   resulting certificates are called C509 certificates.  The CBOR
   encoding supports a large subset of RFC 5280 and common certificate
   profiles, and it is extensible.

   Two types of C509 certificates are defined.  One type is an
   invertible CBOR re-encoding of DER-encoded X.509 certificates with
   the signature field copied from the DER encoding.  The other type is
   identical except that the signature is computed over the CBOR
   encoding instead of the DER encoding, thereby avoiding the use of
   ASN.1.  Both types of certificates have the same semantics as X.509
   while providing comparable size reduction.

   This document also specifies CBOR-encoded data structures for
   certification requests and certification request templates, new COSE
   headers, as well as a TLS certificate type and a file format for
   C509.  This document updates RFC 6698 by extending the TLSA selectors
   registry to include C509 certificates.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-20"/>
        </reference>
        <reference anchor="I-D.ietf-core-multicast-notifications-proxy">
          <front>
            <title>Using Proxies for Observe Notifications as CoAP Multicast Responses</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Christian Amsüss" initials="C." surname="Amsüss">
         </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <date day="22" month="April" year="2026"/>
            <abstract>
              <t>   The Constrained Application Protocol (CoAP) allows clients to
   "observe" resources at a server and to receive notifications as
   unicast responses upon changes of the resource state.  Instead of
   sending a distinct unicast notification to each different client, a
   server can alternatively send a single notification as a response
   message over multicast, to all the clients observing the same target
   resource.  When doing so, the security protocol Group Object Security
   for Constrained RESTful Environments (Group OSCORE) can be used to
   protect multicast notifications end-to-end between the server and the
   observer clients.  This document describes how multicast
   notifications can be used in network setups that leverage a proxy,
   e.g., in order to accommodate clients that are not able to directly
   listen to multicast traffic.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-multicast-notifications-proxy-01"/>
        </reference>
        <reference anchor="I-D.ietf-ace-group-oscore-profile">
          <front>
            <title>The Group Object Security for Constrained RESTful Environments (Group OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   This document specifies a profile for the Authentication and
   Authorization for Constrained Environments (ACE) framework.  The
   profile uses Group Object Security for Constrained RESTful
   Environments (Group OSCORE) to provide communication security between
   a client and one or multiple resource servers that are members of an
   OSCORE group.  The profile securely binds an OAuth 2.0 access token
   to the public key of the client associated with the private key used
   by that client in the OSCORE group.  The profile uses Group OSCORE to
   achieve server authentication and proof of possession of the client's
   private key.  Also, it provides proof of the client's membership to
   the OSCORE group by binding the access token to information from the
   Group OSCORE Security Context, thus allowing the resource server(s)
   to verify the client's membership upon receiving a message protected
   with Group OSCORE from the client.  Effectively, the profile enables
   fine-grained access control paired with secure group communication,
   in accordance with the Zero Trust principles.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ace-group-oscore-profile-06"/>
        </reference>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC6690">
          <front>
            <title>Constrained RESTful Environments (CoRE) Link Format</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <date month="August" year="2012"/>
            <abstract>
              <t>This specification defines Web Linking using a link format for use by constrained web servers to describe hosted resources, their attributes, and other relationships between links. Based on the HTTP Link Header field defined in RFC 5988, the Constrained RESTful Environments (CoRE) Link Format is carried as a payload and is assigned an Internet media type. "RESTful" refers to the Representational State Transfer (REST) architecture. A well-known URI is defined as a default entry point for requesting the links hosted by a server. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6690"/>
          <seriesInfo name="DOI" value="10.17487/RFC6690"/>
        </reference>
        <reference anchor="RFC7519">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7519"/>
          <seriesInfo name="DOI" value="10.17487/RFC7519"/>
        </reference>
        <reference anchor="RFC8392">
          <front>
            <title>CBOR Web Token (CWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8392"/>
          <seriesInfo name="DOI" value="10.17487/RFC8392"/>
        </reference>
        <reference anchor="RFC9147">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC9176">
          <front>
            <title>Constrained RESTful Environments (CoRE) Resource Directory</title>
            <author fullname="C. Amsüss" initials="C." role="editor" surname="Amsüss"/>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="M. Koster" initials="M." surname="Koster"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>In many Internet of Things (IoT) applications, direct discovery of resources is not practical due to sleeping nodes or networks where multicast traffic is inefficient. These problems can be solved by employing an entity called a Resource Directory (RD), which contains information about resources held on other servers, allowing lookups to be performed for those resources. The input to an RD is composed of links, and the output is composed of links constructed from the information stored in the RD. This document specifies the web interfaces that an RD supports for web servers to discover the RD and to register, maintain, look up, and remove information on resources. Furthermore, new target attributes useful in conjunction with an RD are defined.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9176"/>
          <seriesInfo name="DOI" value="10.17487/RFC9176"/>
        </reference>
        <reference anchor="RFC9200">
          <front>
            <title>Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth)</title>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This specification defines a framework for authentication and authorization in Internet of Things (IoT) environments called ACE-OAuth. The framework is based on a set of building blocks including OAuth 2.0 and the Constrained Application Protocol (CoAP), thus transforming a well-known and widely used authorization solution into a form suitable for IoT devices. Existing specifications are used where possible, but extensions are added and profiles are defined to better serve the IoT use cases.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9200"/>
          <seriesInfo name="DOI" value="10.17487/RFC9200"/>
        </reference>
        <reference anchor="RFC9953">
          <front>
            <title>DNS over CoAP (DoC)</title>
            <author fullname="M. S. Lenders" initials="M. S." surname="Lenders"/>
            <author fullname="C. Amsüss" initials="C." surname="Amsüss"/>
            <author fullname="C. Gündoğan" initials="C." surname="Gündoğan"/>
            <author fullname="T. C. Schmidt" initials="T. C." surname="Schmidt"/>
            <author fullname="M. Wählisch" initials="M." surname="Wählisch"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>This document defines a protocol for exchanging DNS queries (OPCODE 0) over the Constrained Application Protocol (CoAP). These CoAP messages can be protected by (D)TLS-Secured CoAP or Object Security for Constrained RESTful Environments (OSCORE) to provide encrypted DNS message exchange for constrained devices in the Internet of Things (IoT).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9953"/>
          <seriesInfo name="DOI" value="10.17487/RFC9953"/>
        </reference>
        <reference anchor="MOBICOM99" target="https://people.eecs.berkeley.edu/~culler/cs294-f03/papers/bcast-storm.pdf">
          <front>
            <title>The Broadcast Storm Problem in a Mobile Ad Hoc Network</title>
            <author initials="S." surname="Ni" fullname="Sze-Yao Ni">
              <organization/>
            </author>
            <author initials="Y." surname="Tseng" fullname="Yu-Chee Tseng">
              <organization/>
            </author>
            <author initials="Y." surname="Chen" fullname="Yuh-Shyan Chen">
              <organization/>
            </author>
            <author initials="J." surname="Sheu" fullname="Jang-Ping Sheu">
              <organization/>
            </author>
            <date year="1999" month="August"/>
          </front>
          <seriesInfo name="Proceedings of the 5th annual ACM/IEEE international conference on Mobile computing and networking" value=""/>
        </reference>
      </references>
    </references>
    <?line 1409?>

<section anchor="appendix-different-sources">
      <name>Different Sources for Group Observation Data</name>
      <t>While the clients usually receive the phantom registration request and other information related to the group observation through an informative response (see <xref target="ssec-server-side-informative"/>), the server can also make the same group observation data available through different means, such as those described in <xref target="appendix-different-sources-pubsub"/> and <xref target="appendix-different-sources-introspection"/>.</t>
      <t>In such a case, the server has to first start the group observation (see <xref target="ssec-server-side-request"/>), before making the corresponding data available.</t>
      <t>When distributed through different means than informative responses, the group observation data has to specify the time when the group observation is planned to be canceled by the server. In particular, the server commits to keeping the group observation ongoing until the scheduled cancellation time is reached. Before that time, the server might however retract the advertised group observation data and thus make it not available to new clients.</t>
      <t>After a client has obtained the group observation data from different sources than an informative response, the client can simply set up the right multicast address and start receiving multicast notifications for the group observation. Consequently, the server will not receive an observation request from that client, will not follow-up with a corresponding informative response, and thus its observer counter (see <xref target="sec-server-side"/>) is not incremented to reflect the presence of the new client.</t>
      <section anchor="appendix-different-sources-pubsub">
        <name>Topic Discovery in Publish-Subscribe Settings</name>
        <t>In a Publish-Subscribe scenario (e.g., see <xref target="I-D.ietf-core-coap-pubsub"/>), a group observation can be discovered along with topic metadata.</t>
        <t>To this end, together with the topic metadata, the server has to publish the same information associated with the group observation that would be conveyed in the informative response returned to observer clients (see <xref target="ssec-server-side-informative"/>).</t>
        <t>This information especially includes the phantom observation request associated with the group observation, as well as the addressing information of the server and the addressing information where multicast notifications are sent to.</t>
        <t><xref target="discovery-pub-sub"/> provides an example where a group observation is discovered. The example assumes a CoRAL namespace <xref target="I-D.ietf-core-coral"/> that contains properties analogous to those in the Content-Format "application/informative-response+cbor".</t>
        <t>Note that the information about the transport protocol used for the group observation is not expressed through a dedicated element equivalent to 'tp_id' of the informative response (see <xref target="sssec-transport-specific-encoding"/>). Instead, it is expressed through the scheme and authority components of the two URIs specified as 'tp_info_server' and 'tp_info_client', where the former specifies the addressing information of the server (like 'tpi_server' in <xref target="ssssec-udp-transport-specific"/>), and the latter specifies the addressing information where multicast notifications are sent to (like 'tpi_client' in <xref target="ssssec-udp-transport-specific"/>).</t>
        <figure anchor="discovery-pub-sub">
          <name>Group Observation Discovery in a Pub-Sub Scenario</name>
          <artwork><![CDATA[
Request:

    GET </ps/topics?rt=oic.r.temperature>
    Accept: 65087 (application/coral+cbor)

Response:

    2.05 Content
    Content-Format: 65087 (application/coral+cbor)

    rdf:type [ = <http://example.org/pubsub/topic-list>,
           topic [ = </ps/topics/1234>,
               tp_info_server <coap://[2001:db8::1]>,
               tp_info_client <coap://[ff35:30:2001:db8::123]>,
               tp_info_token "7b"^^xsd::hexBinary,
               ph_req "0160.."^^xsd::hexBinary,
               last_notif "256105.."^^xsd::hexBinary,
               ending "2051251201"^^xsd::unsignedLong,
           ]
    ]
]]></artwork>
        </figure>
        <t>With this information from the topic discovery step, the client can already set up its multicast address and start receiving multicast notifications for the group observation in question.</t>
        <t>In heavily asymmetric networks like municipal notification services, discovery and notifications do not necessarily need to use the same network link. For example, a departure monitor could use its (costly and usually switched off) cellular uplink to discover the topics it needs to update its display to, and then listen on a LoRaWAN interface for receiving the actual multicast notifications.</t>
      </section>
      <section anchor="appendix-different-sources-introspection">
        <name>Introspection at the Multicast Notification Sender</name>
        <t>For network debugging purposes, it can be useful to query a server that sends multicast responses as matching a phantom registration request.</t>
        <t>Such an interface is left for other documents to specify on demand. <xref target="discovery-introspection"/> shows an example of a possible interface, as relying on the already known Token value of intercepted multicast notifications associated with a phantom registration request.</t>
        <figure anchor="discovery-introspection">
          <name>Group Observation Discovery with Server Introspection</name>
          <artwork><![CDATA[
Request:

GET </.well-known/core/mc-sender?token=6464>

Response:

2.05 Content
Content-Format: application/informative-response+cbor

{
  / tp_info /    0 : [
                      [ / tpi_server /
                       -1, / scheme-id -- equivalent to "coap" /
                        h'20010db80000000000000000000000ab' / host-ip /
                      ],
                      [ / tpi_client /
                       -1, / scheme-id -- equivalent to "coap" /
                       h'ff35003020010db80000000000000023', / host-ip /
                       61616 / port /
                      ],
                      h'7b' / tpi_token /
                     ],
  / ph_req /     1 : h'0160...528c', / elided for brevity /
  / last_notif / 2 : h'256105...4fa1', / elided for brevity /
  / ending /     4 : 2051251201
}
]]></artwork>
        </figure>
        <t>For example, a network sniffer could offer sending such a request when unknown multicast notifications are seen in the network. Consequently, it can associate those notifications with a URI, or decrypt them if it is a member of the correct OSCORE group.</t>
      </section>
    </section>
    <section anchor="appendix-pseudo-code-counting">
      <name>Pseudo-Code for Rough Counting of Clients</name>
      <t>This appendix provides a description in pseudo-code of the two algorithms used for the rough counting of active observers, as defined in <xref target="sec-rough-counting"/>.</t>
      <t>In particular, <xref target="appendix-pseudo-code-counting-client"/> describes the algorithm for the client side and <xref target="appendix-pseudo-code-counting-client-constrained"/> describes an optimized version for constrained clients. Finally, <xref target="appendix-pseudo-code-counting-server"/> describes the algorithm for the server side.</t>
      <section anchor="appendix-pseudo-code-counting-client">
        <name>Client Side</name>
        <artwork><![CDATA[
input:  int Q, // Value of the FEEDBACK-DIVIDER Option
        int LEISURE_TIME, // DEFAULT_LEISURE from RFC 7252,
                          // unless overridden

output: None


int RAND_MIN = 0;
int RAND_MAX = (2^Q) - 1;
int I = randomInteger(RAND_MIN, RAND_MAX);

if (I == 0) {
    float fraction = randomFloat(0, 1);

    Timer t = new Timer();
    t.setAndStart(fraction * LEISURE_TIME);
    while(!t.isExpired());

    Request req = new Request();
    // Initialize as NON and with maximum
    // No-Response settings, set options ...

    Option opt = new Option(OBSERVE);
    opt.set(0);
    req.setOption(opt);

    opt = new Option(FEEDBACK-DIVIDER);
    opt.set(0);
    req.setOption(opt);

    req.send(SRV_ADDR, SRV_PORT);
}
]]></artwork>
      </section>
      <section anchor="appendix-pseudo-code-counting-client-constrained">
        <name>Client Side (Optimized Version)</name>
        <artwork><![CDATA[
input:  int Q, // Value of the FEEDBACK-DIVIDER Option
        int LEISURE_TIME, // DEFAULT_LEISURE from RFC 7252,
                          // unless overridden

output: None


const unsigned int UINT_BIT = CHAR_BIT * sizeof(unsigned int);

if (respond_to(Q) == true) {
    float fraction = randomFloat(0, 1);

    Timer t = new Timer();
    t.setAndStart(fraction * LEISURE_TIME);
    while(!t.isExpired());

    Request req = new Request();
    // Initialize as NON and with maximum
    // No-Response settings, set options ...

    Option opt = new Option(OBSERVE);
    opt.set(0);
    req.setOption(opt);

    opt = new Option(FEEDBACK-DIVIDER);
    opt.set(0);
    req.setOption(opt);

    req.send(SRV_ADDR, SRV_PORT);
}

bool respond_to(int Q) {
    while (Q >= UINT_BIT) {
        if (rand() != 0) return false;
        Q -= UINT_BIT;
    }
    unsigned int mask = ~((~0u) << Q);
    unsigned int masked = mask & rand();
    return masked == 0;
}
]]></artwork>
      </section>
      <section anchor="appendix-pseudo-code-counting-server">
        <name>Server Side</name>
        <artwork><![CDATA[
input:  int COUNT, // Current observer counter
        int M, // Desired number of confirmations
        int MAX_CONFIRMATION_WAIT,
        Response notification, // Multicast notification to send

output: int NEW_COUNT // Updated observer counter


int D = 4; // Dampener value
int RETRY_NEXT_THRESHOLD = 4;
float CANCEL_THRESHOLD = 0.2;

int N = max(COUNT, 1);
int Q = max(ceil(log2(N / M)), 0);
Option opt = new Option(FEEDBACK-DIVIDER);
opt.set(Q);

notification.setOption(opt);
<Finalize the notification message>
notification.send(GRP_ADDR, GRP_PORT);

Timer t = new Timer();
t.setAndStart(MAX_CONFIRMATION_WAIT); // Time t1
while(!t.isExpired());

// Time t2

int R = <number of requests to the target resource
         received between t1 and t2, and including
         the FEEDBACK-DIVIDER Option with value 0>;

int E = R * (2^Q);

// Determine after how many multicast notifications
// the next count update will be performed
if ((R == 0) || (max(E/N, N/E) > RETRY_NEXT_THRESHOLD)) {
    <Next count update with the next multicast notification>
}
else {
    <Next count update after 10 multicast notifications>
}

// Compute the new count estimate
int COUNT_PRIME = <current value of the observer counter>;
int NEW_COUNT = COUNT_PRIME + ((E - N) / D);

// Determine whether to cancel the group observation
if (NEW_COUNT < CANCEL_THRESHOLD) {
    <Cancel the group observation>;
    return 0;
}

return NEW_COUNT;
]]></artwork>
      </section>
    </section>
    <section anchor="self-managed-oscore-group">
      <name>OSCORE Group Self-Managed by the Server</name>
      <t>For simple settings, where no pre-arranged group with suitable memberships is available, the server can be responsible to set up and manage the OSCORE group used to protect the group observation.</t>
      <t>In such a case, a client would implicitly request to join the OSCORE group when sending the observe registration request to the server. When replying, the server includes the group keying material and related information in the informative response (see <xref target="ssec-server-side-informative"/>).</t>
      <t>In addition to what is defined in <xref target="sec-server-side"/>, the CBOR map in the informative response payload contains the following fields, whose CBOR abbreviations are defined in <xref target="informative-response-params"/>.</t>
      <ul spacing="normal">
        <li>
          <t>'gp_material': this element is a CBOR map, which includes what the client needs in order to set up the Group OSCORE Security Context.  </t>
          <t>
This parameter has as value a subset of the Group_OSCORE_Input_Material object, which is defined in <xref section="6.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> and extends the OSCORE_Input_Material object encoded in CBOR as defined in <xref section="3.2.1" sectionFormat="of" target="RFC9203"/>.  </t>
          <t>
In particular, the following elements of the Group_OSCORE_Input_Material object are included, using the same CBOR abbreviations from the OSCORE Security Context Parameters Registry, as in <xref section="6.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>.  </t>
          <ul spacing="normal">
            <li>
              <t>'ms', 'contexId', 'cred_fmt', 'gp_enc_alg', 'sign_alg', and 'sign_params'. These elements <bcp14>MUST</bcp14> be included.</t>
            </li>
            <li>
              <t>'hkdf' and 'salt'. These elements <bcp14>MAY</bcp14> be included.</t>
            </li>
          </ul>
          <t>
The 'group_senderId' element of the Group_OSCORE_Input_Material object <bcp14>MUST NOT</bcp14> be included.  </t>
          <t>
Note that no information is provided as related to the AEAD Algorithm, or to the Pairwise Key Agreement Algorithm and its parameters. In fact, the clients and the server do not need to use the pairwise mode of Group OSCORE as per <xref section="8" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/> and do not need to compute a shared secret in this OSCORE group.  </t>
          <t>
It follows that:  </t>
          <ul spacing="normal">
            <li>
              <t>In the Common Context of the Group OSCORE Security Context, the parameter AEAD Algorithm and the parameter Pairwise Key Agreement Algorithm are not set (see <xref section="2.1.1" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/> and <xref section="2.1.10" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
            </li>
            <li>
              <t>Aligned with the previous point, when building the two OSCORE external_aad structures to process messages protected with Group OSCORE in this OSCORE group, (see <xref section="3.4" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>), the elements 'alg_aead' and 'alg_pairwise_key_agreement' within the 'algorithms' arrays are set to the CBOR simple value <tt>null</tt> (0xf6).</t>
            </li>
          </ul>
        </li>
        <li>
          <t>'srv_cred': this element is a CBOR byte string, with value the original byte serialization of the server's authentication credential used in the OSCORE group. In particular, the original byte serialization complies with the format specified by the 'cred_fmt' element of 'gp_material'.</t>
        </li>
        <li>
          <t>'srv_identifier': this element is encoded as a CBOR byte string, with value the Sender ID that the server has in the OSCORE group.</t>
        </li>
        <li>
          <t>'exi': this element has as value the residual lifetime of the keying material of the OSCORE group specified in the 'gp_material' parameter, encoded as a CBOR unsigned integer.  </t>
          <t>
The value represents the residual lifetime of the keying material in seconds, i.e., the number of seconds between the current time at the server and the time when the keying material expires. Upon receiving the informative response containing the 'exi' parameter, a client determines the expiration time of the keying material by adding the number of seconds specified in the 'exi' parameter to its current time.</t>
        </li>
      </ul>
      <t>If the server has a reliable way to synchronize its internal clock with UTC, then the server includes also the following field:</t>
      <ul spacing="normal">
        <li>
          <t>'exp': this element has as value the expiration time of the keying material of the OSCORE group specified in the 'gp_material' parameter, encoded as a CBOR integer or as a CBOR floating-point number.  </t>
          <t>
The value is the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds, analogous to what is specified for NumericDate in <xref section="2" sectionFormat="of" target="RFC7519"/>.</t>
        </li>
      </ul>
      <t>If a client has a reliable way to synchronize its internal clock with UTC and the 'exp' parameter is present in the informative response, then the client <bcp14>MUST</bcp14> use the 'exp' parameter value as expiration time for the group keying material.</t>
      <t>Note that the informative response does not require to include an explicit proof of possession of the server's private key. Although the server is also acting as Group Manager and a proof-of-possession evidence of the Group Manager's private key is included in a full-fledged Join Response (see <xref section="6.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>), such proof of possession will be achieved through every multicast notification that the server sends, as protected with the group mode of Group OSCORE and including a signature computed with its private key.</t>
      <t>A client receiving an informative response uses the information above to set up the Group OSCORE Security Context, as described in <xref section="2" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>. Note that the client does not obtain a Sender ID of its own, hence it installs the Security Context like a "silent server" would, i.e., without a Sender Context. From then on, the client uses the received keying material to process the incoming multicast notifications from the server.</t>
      <t>Since the server is also acting as the Group Manager, the authentication credential of the server provided in the 'srv_cred' element of the informative response is also used in the 'gm_cred' element of the external_aad structure for encrypting and signing the phantom request and multicast notifications (see <xref section="3.4" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
      <t>Furthermore, the server complies with the following points.</t>
      <ul spacing="normal">
        <li>
          <t>The server <bcp14>MUST NOT</bcp14> self-manage OSCORE groups and provide the related keying material in the informative response for any other purpose than the protection of the phantom requests and the multicast notifications in group observations that it hosts, according to the method defined in this document.  </t>
          <t>
The server <bcp14>MAY</bcp14> use the same self-managed OSCORE group to protect the phantom request and the multicast notifications of multiple group observations that it hosts.</t>
        </li>
        <li>
          <t>The server <bcp14>MUST NOT</bcp14> provide in the informative response the keying material of other OSCORE groups it is or has been a member of.</t>
        </li>
      </ul>
      <t>Upon expiration of the group keying material as indicated in the informative response by the 'exp' parameter (if present) and the 'exi' parameter:</t>
      <ul spacing="normal">
        <li>
          <t>The server <bcp14>MUST</bcp14> stop using the keying material and <bcp14>MUST</bcp14> cancel the group observations for which that keying material is used (see <xref target="ssec-server-side-cancellation"/> and <xref target="ssec-server-side-cancellation-oscore"/>). If the server creates a new group observation as a replacement or follow-up using the same OSCORE group, then the following applies:  </t>
          <ul spacing="normal">
            <li>
              <t>The server <bcp14>MUST</bcp14> update the OSCORE Master Secret.</t>
            </li>
            <li>
              <t>The server <bcp14>MUST</bcp14> update the ID Context used as Group Identifier (Gid), consistent with <xref section="12.2" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>.</t>
            </li>
            <li>
              <t>The server <bcp14>MAY</bcp14> update the OSCORE Master Salt.</t>
            </li>
          </ul>
        </li>
        <li>
          <t>The client <bcp14>MUST</bcp14> stop using the keying material and <bcp14>MAY</bcp14> re-register the observation at the server.</t>
        </li>
      </ul>
      <t>Before the keying material has expired, the server can send a multicast response with response code 5.03 (Service Unavailable) to the observing clients, protected with the current keying material. In particular, while it is analogous to the informative response defined in <xref target="ssec-server-side-informative"/>, this response has the following differences:</t>
      <ul spacing="normal">
        <li>
          <t>It additionally contains the parameters mentioned above, for the next group keying material to be used; and</t>
        </li>
        <li>
          <t>It <bcp14>MAY</bcp14> omit the 'tp_info' and 'ph_req' parameters, since the associated information is immutable throughout the observation lifetime.</t>
        </li>
      </ul>
      <t>The response has the same Token value T of the phantom registration request and it does not include an Observe Option. The server <bcp14>MUST</bcp14> use its own Sender Sequence Number as Partial IV to protect the error response and <bcp14>MUST</bcp14> include the Partial IV in the OSCORE Option value of the response.</t>
      <t>When some clients leave the OSCORE group and forget about the group observation, the server does not have to provide the remaining clients with any stale Sender IDs, as normally required for Group OSCORE (see <xref section="12.2" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>). In fact, only two entities in the group have a Sender ID, i.e., the server and possibly the Deterministic Client, if the optimization defined in this appendix is combined with the use of phantom requests as Deterministic Requests (see <xref target="deterministic-phantom-Request"/>). In particular, both of them never change their Sender ID during the group lifetime and they both remain part of the group until the group ceases to exist.</t>
      <t>As an alternative to renewing the keying material before it expires, the server can simply cancel the group observation (see <xref target="ssec-server-side-cancellation"/> and <xref target="ssec-server-side-cancellation-oscore"/>), which results in the eventual re-registration of the clients that are still interested in the group observation.</t>
      <t>For applications that require backward security or forward security, it is <bcp14>REQUIRED</bcp14> to use an actual group joining process through a dedicated Group Manager, e.g., the ACE joining procedure defined in <xref target="I-D.ietf-ace-key-groupcomm-oscore"/>. The server can facilitate the clients by providing them with information about the OSCORE group to join, as described in <xref target="sec-inf-response"/>.</t>
    </section>
    <section anchor="deterministic-phantom-Request">
      <name>Phantom Request as Deterministic Request</name>
      <t>In some settings, the server can assume that all the approaching clients already have the exact phantom observation request to use, together with the transport-specific information required to listen to corresponding multicast notifications.</t>
      <t>For instance, the clients can be pre-configured with the phantom observation request, or they may be expected to retrieve it through dedicated means (see <xref target="appendix-different-sources"/>). In either case, the server would already have started the group observation, before the associated phantom observation request was disseminated.</t>
      <t>Then, the clients can set up the multicast address and group observation for listening to multicast notifications.</t>
      <t>If Group OSCORE is used to protect the group observation (see <xref target="sec-secured-notifications"/>) and the OSCORE group supports the concept of Deterministic Client <xref target="I-D.ietf-core-cacheable-oscore"/>, then the server and clients in the OSCORE group can also independently produce the protected phantom observation request.</t>
      <t>In such a case, the unprotected version of the phantom observation request can be made available to the clients as a smaller, plain CoAP message. As above, this can be pre-configured on the clients, or they can obtain it through dedicated means (see <xref target="appendix-different-sources"/>). In either case, the clients and the server can independently protect the plain CoAP message by using the approach defined in <xref target="I-D.ietf-core-cacheable-oscore"/>, thus all produce the same protected Deterministic Request. The latter is used as the actual phantom observation request that the protected multicast notifications will match under the group observation in question.</t>
      <t>When receiving the Deterministic Request, the server can clearly understand what is happening. In fact, as the result of an early check, the server recognizes the phantom request among the stored ones. This relies on a byte-by-byte comparison of the incoming message minus the transport-related fields, i.e., by considering only: i) the outer REST code; ii) the outer options; and iii) the ciphertext from the message payload.</t>
      <t>If the server recognizes the received Deterministic Request as one of its self-generated deterministic phantom requests, then the server does not perform any Group OSCORE processing on it. This opens for replying with an unprotected response, although not indicating any OSCORE-related error. In particular, the server replies with an informative response that is not protected.</t>
      <t>Note that the phantom registration request is, in terms of transport-independent information, identical to the same Deterministic Request sent by any client that wishes to take part in the group observation. Thus, if the server receives such a phantom registration request, the informative response may omit the 'ph_req' parameter (see <xref target="ssec-server-side-informative"/>). If a client receives an informative response that includes the 'ph_req' parameter and this specifies transport-independent information different from the one of the sent Deterministic Request, then the client considers the informative response malformed.</t>
      <t>When using a Deterministic Request as a phantom observation request, the observer counter at the server (see <xref target="sec-server-side"/>) is not reliably incremented when new clients start participating in the group observation.</t>
      <t>That is, the clients can simply set up the right multicast address and port number, and then start listening to multicast notifications bound to the Deterministic Request. Hence, the observer counter at the server is not incremented as new clients start listening to multicast notifications.</t>
      <t>Furthermore, the security identity associated with the sender of any Deterministic Request in the OSCORE group is exactly the same one, i.e., the pair (SID, OSCORE ID Context), where SID is the OSCORE Sender ID of the Deterministic Client in the OSCORE group, which clients in the group rely on to produce Deterministic Requests.</t>
      <t>The setting described above requires the server and all the clients interested in taking part in the group observation to support the approach defined in <xref target="I-D.ietf-core-cacheable-oscore"/>. On the other hand, its use allows clients to start from a smaller, unprotected version of the phantom observation request, which does not need to be verified as a request generated by the server. Therefore, in applications where the OSCORE group is configured for the use of Deterministic Requests and observer clients are expected to support the approach defined in <xref target="I-D.ietf-core-cacheable-oscore"/>, servers that start group observations are encouraged to do so by using Deterministic Requests as corresponding phantom observation requests.</t>
      <t>If the optimization defined in <xref target="self-managed-oscore-group"/> is also used, the 'gp_material' element in the informative response from the server also includes the following elements from the Group_OSCORE_Input_Material object:</t>
      <ul spacing="normal">
        <li>
          <t>'alg', as per <xref section="6.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>.</t>
        </li>
        <li>
          <t>'det_senderId', encoded as a CBOR byte string. This parameter specifies the Sender ID of the Deterministic Client in the OSCORE group.</t>
        </li>
        <li>
          <t>'det_hash_alg', encoded as a CBOR integer or text string. This parameter specifies the hash algorithm used in the OSCORE group to produce Deterministic Requests. This parameter takes values from the "Value" column of the "COSE Algorithms" Registry <xref target="IANA.COSE.Algorithms"/>.</t>
        </li>
      </ul>
      <t>Note that, like in <xref target="self-managed-oscore-group"/>, no information is provided as related to the Pairwise Key Agreement Algorithm and its parameters. In fact, the clients and the server will not need to compute a shared secret in this OSCORE group. It follows that:</t>
      <ul spacing="normal">
        <li>
          <t>In the Common Context of the Group OSCORE Security Context, the parameter Pairwise Key Agreement Algorithm is not set (see <xref section="2.1.10" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
        </li>
        <li>
          <t>Aligned with the previous point, when building the two OSCORE external_aad structures to process messages protected with Group OSCORE in this OSCORE group, (see <xref section="3.4" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>), the element 'alg_pairwise_key_agreement' within the 'algorithms' arrays is set to the CBOR simple value <tt>null</tt> (0xf6).</t>
        </li>
      </ul>
      <t>If a Deterministic Request is used as a phantom observation request for a group observation, the server does not assist clients that are interested in taking part in the group observation but do not support Deterministic Requests. This is consistent with the fact that the setup in question already relies on a lot of agreed pre-configuration.</t>
      <t>Therefore, the following holds when a group observation for a target resource relies on a Deterministic Request as a phantom observation request.</t>
      <ul spacing="normal">
        <li>
          <t>Every client that is interested to take part in such a group observation: has to support Deterministic Requests; and has to know the phantom observation request, as a result of pre-configuration or following its retrieval through dedicated means (see <xref target="appendix-different-sources"/>).</t>
        </li>
        <li>
          <t>The server does not simultaneously run a parallel group observation for the same target resource, as associated with a different phantom observation request and intended to clients that do not support Deterministic Requests.</t>
        </li>
        <li>
          <t>If the server receives an observation request for the target resource that differs from the specific Deterministic Request associated with the group observation for that target resource, then the server replies as usual with an informative response, including: the transport-specific information, the phantom request (i.e., the expected Deterministic Request), and (optionally) the latest notification.</t>
        </li>
      </ul>
    </section>
    <section anchor="sec-document-updates" removeInRFC="true">
      <name>Document Updates</name>
      <section anchor="sec-14-15">
        <name>Version -14 to -15</name>
        <ul spacing="normal">
          <li>
            <t>Updated semantics of informative response:  </t>
            <ul spacing="normal">
              <li>
                <t>Admit absence of 'tp_info' in particular setups.</t>
              </li>
              <li>
                <t>When using CoAP over UDP, admit the absence of 'tpi_details' in particular setups.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Behavior/considerations related to the maximum age of notifications conveyed in the 'last_notif' parameter of an informative response.</t>
          </li>
          <li>
            <t>The 'last_notif' parameter should be included in the informative response.</t>
          </li>
          <li>
            <t>Clarifications:  </t>
            <ul spacing="normal">
              <li>
                <t>Message processing with Group OSCORE: the phantom registration request is typically protected with the group mode, with the exceptional case of Deterministic Requests.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Fixed CDDL notations of  </t>
            <ul spacing="normal">
              <li>
                <t>Payload of the informative response.</t>
              </li>
              <li>
                <t>'tp_info_coap_udp'.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Added Operational Considerations.</t>
          </li>
          <li>
            <t>Update references.</t>
          </li>
          <li>
            <t>Clarifications and editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-13-14">
        <name>Version -13 to -14</name>
        <ul spacing="normal">
          <li>
            <t>Clarified expected roles in the OSCORE group for clients and server.</t>
          </li>
          <li>
            <t>The HKDF Algorithm of Group OSCORE is specified as the corresponding HMAC Algorithm.</t>
          </li>
          <li>
            <t>Generalized semantics of the Multicast-Response-Feedback-Divider Option and renamed it as Feedback-Divider.</t>
          </li>
          <li>
            <t>Clarified pre-conditions and advantages of using deterministic phantom requests.</t>
          </li>
          <li>
            <t>Removed unnecessary normative language.</t>
          </li>
          <li>
            <t>Fixes and simplifications in the example with Group OSCORE.</t>
          </li>
          <li>
            <t>Updated references.</t>
          </li>
          <li>
            <t>Clarifications and editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-12-13">
        <name>Version -12 to -13</name>
        <ul spacing="normal">
          <li>
            <t>Content on proxies moved out to the new document draft-ietf-core-multicast-notifications-proxy.</t>
          </li>
          <li>
            <t>Clarified avoidance of link-local addresses.</t>
          </li>
          <li>
            <t>Alignment with the update to the "Uniform Resource Identifier (URI) Schemes" IANA registry made by draft-ietf-core-href-26.</t>
          </li>
          <li>
            <t>Revised value syntax for the 'Transport Information Details' column of the new IANA registry "CoAP Transport Information".</t>
          </li>
          <li>
            <t>Suggested range and value for the registration in the IANA registry "CoAP Option Numbers".</t>
          </li>
          <li>
            <t>Updated references.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-11-12">
        <name>Version -11 to -12</name>
        <ul spacing="normal">
          <li>
            <t>Changed CBOR type of 'ending' and 'exp' to be integer or float.</t>
          </li>
          <li>
            <t>Avoid limiting the informative response to this protocol.</t>
          </li>
          <li>
            <t>Transport identified by (scheme-id, authority) in the CRI of 'tpi_server'.</t>
          </li>
          <li>
            <t>Renamed 'sign_enc_alg' to 'gp_enc_alg', now aligned with draft-ietf-ace-key-groupcomm-oscore.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-10-11">
        <name>Version -10 to -11</name>
        <ul spacing="normal">
          <li>
            <t>Do not rule out original observation requests sent over multicast.</t>
          </li>
          <li>
            <t>Defined 'ending' parameter for the informative response payload.</t>
          </li>
          <li>
            <t>Group observation data available on different sources can be removed.</t>
          </li>
          <li>
            <t>Initial description of a scenario with a reverse-proxy.</t>
          </li>
          <li>
            <t>Minor fixes in examples.</t>
          </li>
          <li>
            <t>Clarifications and editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-09-10">
        <name>Version -09 to -10</name>
        <ul spacing="normal">
          <li>
            <t>Fixed section numbers of referred documents.</t>
          </li>
          <li>
            <t>Revised registration policies in the IANA considerations.</t>
          </li>
          <li>
            <t>Clarifications and editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-08-09">
        <name>Version -08 to -09</name>
        <ul spacing="normal">
          <li>
            <t>Revised 'tp_info' also to use CRIs for transport information.</t>
          </li>
          <li>
            <t>Section restructuring: impact from proxies on rough counting of clients.</t>
          </li>
          <li>
            <t>Revised and repositioned text on deterministic phantom requests.</t>
          </li>
          <li>
            <t>Fixes in the examples with message exchanges.</t>
          </li>
          <li>
            <t>Clarifications and editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-07-08">
        <name>Version -07 to -08</name>
        <ul spacing="normal">
          <li>
            <t>Fixed the CDDL definition 'srv_addr' in 'tp_info'.</t>
          </li>
          <li>
            <t>Early mentioning that 'srv_addr' cannot instruct redirection.</t>
          </li>
          <li>
            <t>The replay protection of multicast notifications is as per Group OSCORE.</t>
          </li>
          <li>
            <t>Consistently use the format uint for the Multicast-Response-Feedback-Divider Option.</t>
          </li>
          <li>
            <t>Fixed consumption of proxy-related options in a ticket request sent to the proxy.</t>
          </li>
          <li>
            <t>Possible use of the option Proxy-Cri or Proxy-Scheme-Number in a ticket request.</t>
          </li>
          <li>
            <t>Explained non-provisioning of some parameters in self-managed OSCORE groups.</t>
          </li>
          <li>
            <t>Use of 'exi' for relative expiration time in self-managed OSCORE groups.</t>
          </li>
          <li>
            <t>Improved notation in the examples of message exchanges with proxy.</t>
          </li>
          <li>
            <t>Clarifications and editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-06-07">
        <name>Version -06 to -07</name>
        <ul spacing="normal">
          <li>
            <t>Added more details on proxies that do not support the Multicast-Response-Feedback-Divider Option.</t>
          </li>
          <li>
            <t>Added more details on the reliability of the client rough counting.</t>
          </li>
          <li>
            <t>Added more details on the unreliability of counting new clients, when the phantom request is obtained from other sources or is an OSCORE Deterministic Request.</t>
          </li>
          <li>
            <t>Revised parameter naming.</t>
          </li>
          <li>
            <t>Fixes in IANA considerations.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-05-06">
        <name>Version -05 to -06</name>
        <ul spacing="normal">
          <li>
            <t>Clarified rough counting of clients when a proxy is used</t>
          </li>
          <li>
            <t>IANA considerations: registration of target attribute "gp-obs"</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-04-05">
        <name>Version -04 to -05</name>
        <ul spacing="normal">
          <li>
            <t>If the phantom request is an OSCORE Deterministic Request, there is no parallel group observation for clients that lack support.</t>
          </li>
          <li>
            <t>Clarification on pre-configured clients.</t>
          </li>
          <li>
            <t>Clarified early publication of phantom request.</t>
          </li>
          <li>
            <t>Fixes in IANA considerations.</t>
          </li>
          <li>
            <t>Fixed example with proxy and Group OSCORE.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-03-04">
        <name>Version -03 to -04</name>
        <ul spacing="normal">
          <li>
            <t>Added a new section on prerequisites.</t>
          </li>
          <li>
            <t>Added a new section overviewing alternative variants.</t>
          </li>
          <li>
            <t>Consistent renaming of 'cli_addr' to 'cli_host' in 'tp_info'.</t>
          </li>
          <li>
            <t>Added pre-requirements for early retrieval of phantom request.</t>
          </li>
          <li>
            <t>Revised example with early retrieval of phantom request.</t>
          </li>
          <li>
            <t>Clarified use, rationale and example of phantom request as Deterministic Request.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-02-03">
        <name>Version -02 to -03</name>
        <ul spacing="normal">
          <li>
            <t>Distinction between authentication credential and public key.</t>
          </li>
          <li>
            <t>Fixed processing of informative response at the client, when Group OSCORE is used.</t>
          </li>
          <li>
            <t>Discussed scenarios with pre-configured address/port and Token value.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-01-02">
        <name>Version -01 to -02</name>
        <ul spacing="normal">
          <li>
            <t>Clarifications on client rough counting and IP multicast scope.</t>
          </li>
          <li>
            <t>The 'ph_req' parameter is optional in the informative response.</t>
          </li>
          <li>
            <t>New parameter 'next_not_before' for the informative response.</t>
          </li>
          <li>
            <t>Optimization when rekeying the self-managed OSCORE group.</t>
          </li>
          <li>
            <t>Security considerations on unsecured multicast notifications.</t>
          </li>
          <li>
            <t>Protection of the ticket request sent to a proxy.</t>
          </li>
          <li>
            <t>RFC8126 terminology in IANA considerations.</t>
          </li>
          <li>
            <t>Editorial improvements.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-00-01">
        <name>Version -00 to -01</name>
        <ul spacing="normal">
          <li>
            <t>Simplified cancellation of the group observation, without using a phantom cancellation request.</t>
          </li>
          <li>
            <t>Aligned parameter semantics with core-oscore-groupcomm and ace-key-groupcomm-oscore.</t>
          </li>
          <li>
            <t>Clarifications about self-managed OSCORE group and use of Deterministic Requests for cacheable OSCORE.</t>
          </li>
          <li>
            <t>New example with a proxy, Group OSCORE and a deterministic phantom request.</t>
          </li>
          <li>
            <t>Fixes in the examples and editorial improvements.</t>
          </li>
        </ul>
      </section>
    </section>
    <section numbered="false" anchor="acknowldegment">
      <name>Acknowledgments</name>
      <t>The authors sincerely thank <contact fullname="Carsten Bormann"/>, <contact fullname="Klaus Hartke"/>, <contact fullname="Jaime Jiménez"/>, <contact fullname="Adrian Kastrati"/>, <contact fullname="Matthias Kovatsch⁩"/>, <contact fullname="John Preuß Mattsson"/>, <contact fullname="Jim Schaad"/>, <contact fullname="Ludwig Seitz"/>, and <contact fullname="Göran Selander"/> for their comments and feedback.</t>
      <t>The work on this document has been partly supported by the Sweden's Innovation Agency VINNOVA and the Celtic-Next projects CRITISEC and CYPRESS; and by the H2020 project SIFIS-Home (Grant agreement 952652).</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+y963rb1rUo+l9PgSN/Z0tKSepiy7HVJl2KpCTatWVXkpt2
t/m8QRKUUJMAFwBaVuKsZzlPsX/tX2e/2BnXeQEmQEqWV7N6qrVSSyQwL2OO
Oe6Xfr+/9v4gery2VqXVNDmIXg3LpHifRGd5lU7SUVyleVZGcRkd5Yevo5eL
aQUfllV0npRz+CYp1+LhsEje2zftM94Ya+N8lMUzmGJcxJOqnybVpD/Ki6Sf
84v9mb7Yz9wX+9O4SspqbS2dFwdRVSzKam9n5/nO3lpcJPFB9MPp5drN1QEs
8Pwk+iEv3qXZVfRdkS/ma+9uDqLTrEqKLKn6xzjtGgx6EJXVeK1cDGdpWcIM
1e0cVnV6cvnt2mI+xskOoi/39vd60ZdPn+yurY3yMQx5EC1gwc/W1uJFdZ0X
B2sR/fTl3yhKM3jv5SC6TKf5KDYf855fxsUor3+VFzDq+enFSXT4jfmwrIok
gTWelvHk73kxLq/iKs6ivT3zxCitbg+iP6RlZYeCNcIsFyf93adPoic7zueL
rCrg8YubZJxk5vNkFqfTg2iGyxpUtKx/K9JBmYS3dT6Ivv8//+tqusjGtY2d
p+/iYtz89h+/t4JWNrjOaWFduzsaRIez8v/877Ksbe7ouoCVpLDE+ve4vca2
vs+n0zgbw5+DaHdv+0ltV39Kkyyrb2t3Zy+wo0NA8iKN61sa6Xr+LZ6Vi6Qs
B6N8Ft7Tt4PodTzNZ8M0S2u7+raIs1FSjuLAE3RsJ0U6Kss8Cx3dZV6U1/Es
06N7/DmObqIrHMx1hf+WyKJoy2tZXsyAPLxP8BRO+8cDS06u8OrDQ7P+MC2b
X+el/5T3RDxK+u+SW2cMfrw5zHWRTPxPh3nRT8ZZf5oCwYmnNPX5t0dPnj95
Ir8+ffb4mfz65e7ejv4KpEZ/3X++r78C6dFfnz/9Un59tvNMH3i2u/fU/PpY
R3i290ynePZ0d8f++lh/ff7kufz6fG+HPj09PDscHL26OBkcTq/yIq2uZyUj
t0/qCDfwYfobCSWcFGyUb5XwDxwnsuPwV3FxhbhzXVXz8mB7++bmZgBIHA9g
xO0YaPBVNkuyqtwe5WVC/zP4cF3Npo9idxy7zD8kt4NLINqfuEoYJqJhPm2R
iC/IQrwlfp/E46QYvI4LuHKAD5+4VB4ussN92pKvabj+3B2O1w5MHv4HWGZW
Db6lO/YJK0eJQQbry2B3XTfcNLvK+t+ym5FMMTFT2L28mqMMMThbzIafdAi4
FR4rkrE+x05ymqGfmRloI5c0yeCwApYwXFSfgPY8UmRH+hyb4OH6sTsJ7ePN
+engYnSdzD5hB2+yFI8Zxc98UYyS6BTYBwqLcDs2YYKtSGa4284WRdov+UX3
d9mR80kf5ME0m7Rzn1Eez/vzxRDES/2SxSuP+4xT+Pd9AhwwMAAwj8DHMSwg
Hk6TMEcqE2FAGbLccX+UFFVzkDYJe17kH/ylICMkJqgrhkcm6TQR1rG/90x5
y9Onzw0n299V3vLs8XNlSc93n3xpfv3yqWU++trz5/vEh16++ub06NXL589D
2FETby4G/b8MorO6aHPxU9L/S5zbL2qv/WXQB2Hvskyyq9qbf1n0j66TxPuu
+fLFAGRCR17Rd6/7F9e3IA45X9Ze/u+D/utBdHGdLGov//c4u+q/Rp3FfKm3
9TqJvinyeEzK1EWFeP+6yAEHZjBmFEcv8yEcSXQI4nc+is6S6ga0HxoBFKo0
KRFRD/CVUZKgClNG+SSqYNT96jqKs2wRT6PDo5fbpycnJzAi6kmEEPAx0NRJ
UgA2JRGQPJkIBKL5osKlgpQbZTxfKuDiC7v7/Pnz/s6z4O2bJ/l8mgySZFQO
gL69S6bAx5PxYvs/RovpNCm2R+Xe8yf9yc7j7Xk8RwIzJFwtceeD+XiytoZ3
vSJMvTh58e1BtP5XwJ/+n+Hnx/W1tX6/H8VDkFTjEaiLCD7gPvhnmiXj6HA+
nwrGI0yqfJRPo02k7FtRPJ3mN2U0mqZIDqIqj9ZFK12PCiE1oAVXAHT6tCAI
wGNFMkqADkRZXV1eZKwDF6onRwv4FyR4OO7EHISODeI1gG8AympU5rMkWpQA
7Rje6kXlYnSNA8JlgA+H8OEYjwRIzDQtr/tAZ8oRENqkF6VVdJMvpuNoiEeV
vU8y3E0ExIrmkoXDogHFx7gTOLqpv/QoHo9hTTgHPAdQoTcVLAwSPH8aD9BX
ztjsA+7WdVpGoOovkLBGok+rmEtQE+G2R3/AmsfJBM6njK7zGwteXKJOGICu
QjUCklzGBFB8y9A3ANttBtpSnqU/4XrNVmTEwpwA7cIcA0DAfAhqTgFwuMzf
JVn0Pp4uYHffwKUa46lU3jbdLTCoR8AzqttornhG9ojo1fDvyQiusn6NR+Oi
6PnJxeVkMY1OsvcprJ14U7Qp714cvTo/2QK0yPCAF3JGOAOOabZeAxbAsV/l
fTzxIVzYJMlcZCAsdsCiRz3gyzRLx+Npsrb2CK0oRT5ejAhJHkU/P0rxg1/u
dst+/lnw4Jdfoms4xSGuJvkAwhuwrOgmRaoUsfCDxzNL8Lak5QzgnWaj6QJp
mD0rtjfxTDwyYNUvvwgKJhkySzFbOfe6SK5AQ8Wt42WmbxUWpbn0RbmOC4jN
ZIys10QPYRCAP3CnHGWAEWDWrcDcbCKD61/mAAdQBccWWVegAGtrvKTFfJ4X
sGLiwUh4Z0RQZLMdCu8vv/SiZHA16PGNOH1tMUMgw6CEFcgkhIVqvGPwFDxR
kfz7Iimr5uUC7pMXqJDgqw5wkwkgHv4FILGALv1bZ6EK96VEAMWCvsAd5DAQ
Ab/PbxL4tce8zqKFQxsXSMIc1DfUANdlKS9TRRAl6eRg62mByIHwgKnT0ied
MD7eweraJfdd9MgQ2ABBRKiYvVkwOCSsDBzU2hqoSyg3VGgHIQjgBA2aH8XF
6DrF+78oEqEmgD11BHFkUkQPsx49OSQpdkwk/PA/83TUi4a3NaJfJGiNHYeO
ULAZN5UCdKNhAZSzGEQ/wLUBYeEGJYQYoK3bYD5GYJbZljAwHrDJwMKkD5eU
E/SCPM3st2hhb2aHumV42S4WjugwGqcTEpIqg5O4bBC9s7KLZ9bumEwjECQr
ttFujlMQMED8uWUKh/IzUjjEjuRDPINDbDnOYZIBTwLYFflM1sDzITBV+8BV
bQJzGAKKFAlucosJTsk7xV19bnZWx9W6eQ4RdojUBLTJhOBIW8JlBaDE8sY4
mqbZu5JoNtx2OOY531Q4wr/ndJlQljJbhX+vrg3+wlAo0fEyX4K2eAU4wsvs
0uTgXNbWXsJHeFuvAPygxvVa2bLBcz6oUQoy9w1clISJzXt82+ddSntaKU2d
ofWEuy9wi8kt2lyJCk5xWsOw5JYgjGdJnAmFlptVF7MGkSHKNNE4B/IFQwE3
SK/SjFghy0IBCc27hnWkXca0jKgFSui0ZPHrKp7TFgEr36NURqCZ5CjK0327
yeGPMV5JtkSgIQgoa1oQC7PCqSuW4HiOMEG4RzsirQc2A6hDGxgn0xTX2iqi
EoAskb/v7kEjmMcF/LWYxkWPtsgyAZzTPEe7F6KO5SzwAXrIyprIPyM8pg9Z
oC3noOLTjW1BURB2F+mURC4h0z13TAP0oGQdN7CTBCODu45QTfJUmgl9TVIA
6U3mkiw6A6T4fASqWDlWGItsKIPEoC/V5Fnh9O6sKUEoYzkabixi9W0bK1EO
VN/UIkMhiGils2BAMiCJeTbuVBNyIq8uMVyBFn5GiV+Ew5LlJAAikFsAjUsX
8L1O8OMuYQ1IVoaAyz0gaSlqr+NxynYFoA9G/DSGQz6Rko8C5vMxV7d7rwOC
0VhGdOEsW7UYzAwuITTEhxVsjEoTVsFrF9wDIy8CntQ3HK0ZsOHRo+gyKWZp
lk/zq9voEepPlf3gF1Ki3gGJvkGfaLT+8s3F5XqP/43OXtHv5yd/fHN6fnKM
v198f/jihfllTZ64+P7VmxfH9jf75tGrly9Pzo75Zfg08j5aW395+Jd15hbr
r15fnr46O3yxzjKni72gDYvuQ6aiObBkPOhyjVnskO/RN0ev/9//Z/cJ4PL/
BVR0b3f3OWAt//Fs98sn8AeyOZ4tzwAf+E/kUGvxfJ7EBcn7QFRG8TytABl7
SE3La6QK1yBtATy/+CtC5seD6HfD0Xz3ydfyAW7Y+1Bh5n1IMGt+0niZgRj4
KDCNgab3eQ3S/noP/+L9rXB3Pvzd76fISPu7z37/9dra2jn5bEo6huQDSinM
S+A8JvEsnaYAOSaygFmMoCSMzoEXeCckKoLheb2gktmqTDS0TVUdPbYJYuAo
BYpwjDL/MTFQGvYFKL8L5ESbR8fHL8QkgJ5K96VvQJSAuy7i5XkCqAb0v+KF
bR598+pcX3z+5Dkv4T6CqBVBxUWKQ92RIDMie3M1PRMw19H5adkUdtGJTHKj
L+N49FKZRk24seQDL0R0WcT6jkuTDlxt26VVcVnmIHRW1u4iIl+NL9Dl4yUQ
8riGFpyXwXW/GY0c47CgxFe423ic0ntxUfCax57WXZdLjCAtEm9NiwrQeLG0
wcFmJRpKUGHFgd4cv6ZTr6nsX0Svr+OsAuVE7CYHotCRHEifqDAsiqTdLasD
1zExU7Io090G/b+oLKRcXoP/nyDw0qq0JupBdBjN/VUgS2d1pKIjRANmXSAw
cvx1ysu6SZnQgvjZZPMHqmfUZfzGtvgQyaBwBSNkcgbR+9TIcT3hw6ohyxOE
IkbG4A0H4IDMNXpdJLjXtExRmkfmCvy8P6dPf1lbO1VjlYhcbTjlI7rH+3q1
2zf3ZqRjE0q8mKKCkoz5UjbFLkXCLDHUm3YmzhTkhkX7EhEjC5Ix4L4uHGPb
FOWeCJFUBBFfAInqShT8QpYnd+oyqQC4vAB3qchwgBejxQxHnqJVj9QhVWRo
oXBLcD3Md2CZY9LJyQ7IHpI2NQNXdzgV3xMqUu5ygALEsDvSh69E8JglY+B1
KRkw2TWC7ss0MVpU6hx4PEI6naOiZw2VZNkrSGeLaFuoz+l6eX/BzZH6S7AR
PRCNBaxGN6Ql10yfZrxU2RI+lpZwAqXS1Dt4aYXuOqiFqFQKLtFdKlkEpytk
96AKaAlHjNYPVw1EaXgKv4xFo0GaQmpzPh1Er4w5I5ovijm+K2eEFtiMNctx
cCY9oPXDqVgzznKQRdajzTJBgeEiYYfC7t7gGeKWkUm2zPmUCxAC8YyY5JP5
kBax6g2LrwqYK19U/XzSH/JTcbv2hPgm5xa4OIZQqkQF9+cmZoEjVtoFkwLl
ApWGvAVmhRtIX0Z0Opa2Nyha6VhtOumVVdjGxAkyBzCRtWyvhq3oMPFlSoO4
abVQmxWRBtXEUVcCuo0+ZB+CKUNoksRkB+5FaMrmz4BuTpICvWrD5DYnGy4G
KoDg5Nj3m5bThjWBtng6iWLrbEI6hbIjLxKp2hWsinmHqwYbqiboIthDBzuL
39H+yqQnJkJvAjKTEwxvHRFN1OOaJySfo4osfggkgL6jok4CH0Xfp1fX/RdA
6KbRq/e47+QGgXH4Pk6nhP9/gv3FOLoyuPfygTjh5JDbWBiwpmwc428kVap7
LHY0bSBPESBjiM1a40BDilNxw5VOVPSoGAsd+cNX78WJzlYCwtSWWykcrSkH
IZkY5rA18pyBcIPEu3KsTaN8nvDrHfwcdgWflyswQ7bFpfO44jvQsayVeSa7
/RfM1XHenjflqpzUGsYZuoMutkonUyQwKqy2m63SZj6RYf1wjfEjzsnjXRID
DLu26kJrFtEvQizxEVplQt4mc4nFtM0yEdB4uXDseRR4B0/Is2UizY8trFDp
QgcNRa+1rS4ev4/Fbu68KsRgkwURZnJo1QBa+aFv3EV9kdaBzw2iI1cqIVEy
nsJ+xsbnkYyDa0AIpjM6tQqXzPykBdPq9OaSfR2VuRmlcGJrFMtI2VE6hCuI
DS1S0kP2VhTS0f0QAjLfbN44nRZediBUCWpe7AkfOx6CIlFzH3zcYsds6nMe
JSexQGglkQHECmco48vqRy913jnzoC58MfKIWZ/QxCFwuRH7/tKapoxEmhfV
R6XLeBfwc168fl67uTVZJsKneo5vanoLdztT3TWytkxnYvkSbmRftyyiowuc
h4LM0lMLH1bPGmg7/YyrWmPkTDpOA+28Y59M4WurQhNh5sOT5BC6nx5ngP3P
8xR33LQ/s4Vdoy8IOmyow4t2nLBpB/M8RkIcmg79WjAo2qHIm0ELyUt2wCdx
4ZIyRzMM0RKRDjmehSQhe99RHyhnMQbp9VBTALigp4ckA+S6OAzqob1GyBgi
h6pYc4ogcjyYFmvqCxLRV9SEsQuTvjzbP+dnkYiiAHXBN+0COQp+BVyT7Xwq
L7lXkSmg5UU98p5mIJykMzQG3d3u8hqDDhl6Dd5yE7NWMJYIAnUbuSLIKC1A
NuGAj/KATS9MdWF2CsOc+GpCi8vDm1wkhpJscs3AHqY7cTRBl6i1vJTXct8V
DFXYuGjCNxyx/AsO9wjJ9S2jlE4oWImqnhMa0r071KbI7ZszvvJNKtgqxY7L
Oq/AS8r+yeDR1ndz6Z4j3Gb4jzmjGRfzmCQOimSQ5rAcTlPfRkxnQnEHKOWo
kWtSc6XGQu9hAEprpPW3SZ3+gsniHk/Tn8R2rEuF9eyQ04WPV2lvgK5jeGY2
0muUAiZMKJ6LgnmUNeEYZXN5cUC19ey7NY3zXZLMvWUu5shGyG5DRle+mBMn
LMrnHUb9cTwdTLsJyn0aFx42TEJCfmvORqadt2Jfx9lDqJJOiGBQqC6Redo0
rRBlhCSjg3VpoByyUa/hT6CUfLwCaZVu2WEo1I2dhWWNfvXlAgMdO0TVhYHg
217TksVior7ylVhmoovzP709PD4+5/AJ5EJyTfGL16/OL717Jmd8B3Lo2lKH
CcDZP3pM12GTFQVyLTPyB0LqfF3x9LXZ2Xfnr8M7wy9wZwDdXW81GNSeU4RG
lyrbi9JBAiJ9HH13cmnop0Z7qgtMMoRQkaZrtqmqCLKovZp/YwrIT9TElasx
NAGgbwRC10pHdIusaCpdsJWGgjhUYjNqxAHKJiDLHQLrlgAhgVENNHzWrjPj
TtDUScaI4pkXRR6eSWXc1XGREUZ2Go8Awcy1DxmG+H7X7JvMc0HpmALNeJ+o
edOEgavy8Ng7pTnmTpAp0xWbQqYODXgQjYOcRrO0YjNBpeyM/CoRa1/GO+OF
Bnmhh7hfaxxRX5FqXsyeW9RbuIHphCIq0XuOpFpML8brZriM4jZhsz3yIN7o
wTtf45kB4J4Mojdz1iDdAwI8n/St/ccKek1xxEMPE2PAnKd0r1m7LLMkPMp6
GmthVfoykjNvGRRXgKIo7RiJHMYhYBTg1AsnqtvF6jFBAl3R4fSgN2GD79N8
gSFBwP7ymxjjP+CbLcd5s+9hpLFAu7p/kcyRZ+VLsVRsdi1RNIQmDUw1XAAU
jRXuQSlmZ2K7dBXgjWk6SZA/thryYJ9P28hy2Nd4enZ6+fbs1eXpt2IGUonn
jjFC5C9yA8iW7FDEB11GSnwKWDuHnYIYmpN5o42piUrT4Og1lXSLbhthnwRM
sXS0KCjeuPBjIgSqjYhQxth5fDvN47HSxtCJhoDq+oWVnMF4tVMif3IhEZk6
jBwIF+6483mgoDbFW6+zliJzdg4U+xsXtNEVOVjdEzm2QVjHwJKrdoAQjcDF
8O1H6GFILElrrptcK6O0iG5O4ByKb7QU4NdIL4mgY0xVQNJiD1OXOjTnPD8S
vlivLCWRgDSTdiXuKjdBnt0K18vDv6CyPEqmDfpGWOGTThc36oqZY8DN0KW6
gnbTc7ghIiJqJnGZhEZvqGfoBS7wq+mtrySZAAUv1M8aq9rCHAk5epFk2zK+
1TP+LMWnv/DJaH+w8zjaRFNFCmj6JjOi39YAZag5RZo7YVTiFTCDWOovRKEh
fKp0IS8QBSE35VGegZ4/IzlTsZsIfsxeIAzHrJw3ay7a/cHeYM/30fYijbpj
uzUG3fflckj8TxESC9FTb6gbvq2OAGcAeBODK+Qv61EW7DAxOX01W3nBIp6n
0yGBvCnSSLYGJnfNqU+glDR47GQmJ9697vgFt51n+/rsbzAZe13t36SKsSKg
iqlfs4CV0sQsc8kq4DC/eXUezeJ5T5z5sNfpuDQJG/Q112VKhe+YoAfPKBpa
O2f0l+K3oRDpmpLd7kju2elhdZzEc8sXpFp1fxof7NvHbJkBx7mXzIBNp6OG
svmKWLCxaFrPviQneIk7ZedykOjYCCXX1eMinDo6C2Ah78Xax3KAmrJZfHb9
yWQt26jmb3GgDREQRZqUEyyK+LaetbcC+hds/iR9gijjSu5DgyHkT11NErqd
W5MnGt5BaEMvfOnorm3ycZvWcpOgYUQMM8LOOY+nTkfYA+uEiGlGJedrdcRN
JA58fQmuHu1YEv9uwpsLLbA9yYSJ2Ih25JQY2oUaIA9ltQ11wVrnsrXYxDcU
ZY0nkQCKsnloyWnja8aCgCduHIpsX2y6J2F8JqMG+5yld1yGWsikHLkkMhEb
JseLv9lRksVFmut+azF3q/iOHKeY7i3gVNmk7FzJFsWYHBM5pHYmDunwc1mB
iQ1ZR7mlxeDnM1aqJMOHr1HDkkzDWKZvzkiD0Az0yY1+S0hCZOkmLROb1Z/q
FiuKwGaJqYWw+hgmjF3oAgccbsyv38Ll9IkJjj+8rQiOZBD2dQaDXGk2TtBT
TfFAzWvVpfS1KTWFcdHUZCW6fryoCv30fCl5vTJf/ZG73VNnM/Wruuyuhl1k
lCWcSXA9ezO64QaPUwA4yi/GrtNlt9BUJQdLlp85bOcsr5zI21Xm4NgBWDFs
V3zz5omuY77j/vFisZ0bBdARejidSD7X7G5yxZ01xgGvQthwAHg/hTv4lkjL
Z8H9eyqyvxqUr2G85LE4mFQLmn2fpxgKmiVoycNUDKCF8a21yMsR4TtDjQ9Q
N2JbNjZZd8W7Ms/nwBzENor++tG1xPRl9UAljecjKspO/fk0v01WCS9QunSn
aKUtuXYEBAmGCoBCrpssa+L+odYoMVqD3JXOGaU5JwdjzTr5LFOaRZHxIhBM
wQMo73ICfFGy5ANdlLfDBMZKmrfF+mtLymEUufAGrzG64GccPjiN51iNhgbx
fEWsUONAMNOyGxNwKAUtWaGrtMiwfFfCnrMrDHcL03WfWIosbW84ksLrZDr3
3ZqUPwLDI3om04mrckgoL1ozMT8LlkZSmeQ2NuSd1myDgmg1ykhTSm+tMF6v
zCkz2SzKr2Jj1RY9f/Lj5gVcH6b5aFphzdKP+1BppD0iDHCDA3ubKEGG2xsN
L1n1zCSoPMuMz5NNR0hsmqcph4h6v/1wAsoi7qnPzi5GTZduylVr4iyxs93n
X+70d3bh/y93dg7o//9H9ObySAyMdJxGk8XP0du8zW5cOPucSPA0AT1WhkWz
RTzNr/KFRLKx0mcHQbw+w9udjo7RmEJ0Wi0oxnqyjzmRK6Cr0VPuq0rjkGoo
miwK1kdtuT6Z4fj4BWIDn6WTj2fDoEirNq71leeHCf7D/kSj8Xjq1s57q8+9
1bG+in5ei34f7URffR39dfeLSLSTt4A0KAP/2Iui3zo6C/xsNnUjU16t5ee3
tb8dYrCFs+/i7FhErBd6VyXsqDa7w3w/dQF73QtwRJ3PtIDHuIBFikpHaAF1
FoKvPMFX/oMIRegVoSxr0RfRJt7k7aiC/W3hS3F2u/bL2lrtqAEV8AsHfdZ+
PogetZirGHuoat5X674hL2iYf81vrMO85LK0EfotcVJWAVxqIzcWWq6ogpFQ
nm3aSZuom/cr6xa2NnJ0VYJoHI9bbetx5YjMq1rTWxktfO7b2GdiTEiaZvXh
bbQbMPyjNzLluCxHWPQLQHTZ1Y2Y6xUR+JyWbKBUrhZliiDMeSOcok4byHLj
MGmNZ1vBk3KfwDy2gpmQt84YxcD85Kh6hInCQjEu1Jj0Un1djlgUPRLv1TLz
l8Om2JxWMw63GpnanCu+zqOOG0UmaxD2+FaI1ci0QEr+yuUo5+lbBv9BdHR+
ipHR5F0grnLYaVLk12CU39Mo4wRE7mnZJHTfCpN1hwAkXlTu3V77EcmdHeWr
aBNG/k0kpK/EgS6NVNMTaLDLRMGuC9N31uorYWZg6hlS8do+KHVkhKbCqhhn
rXrn+WljAHuMGDdiQLe2tbbmAk+gayborUV2fNypnfqrKEPaD2P3d6O+vsK7
1K4KuCgY8fcL1NcBiD2qL9aLfo/Y9+Oafhwh0Kg2MNwq1DMGEyC2WMJjXR9Z
31rDV3k78DT+0U/n0fY2DdnH4qv8CP2Kj3yBQ23B+gDDkgJtmb3o7Nsj0P5B
ACrXdAQaDrX0MhqU6U8JML/t7TrP9R7YfQo7+CnPEAxbW2vyGw2EU65R1JMs
dGcweLq//3i/wfuqObmO+5qLKezuO/nTsj1z39blcto7c52jl8jYK25yi3Qb
9ow3CEs2HBzdMMmW3mPKrJU0S0wCva74U1IcWp9eNnTEBvhrGUv7VT3eo5Yb
YQPxWnTLuuX0t7gcu4Zu34E/h+uC6HxtqUuldOvYhWxYePgXC66VE5pIQQwk
xNoTV1pbkMi6AWG+rWRpYIo1KOnxm6PGszs/baly4YgWwxw46QYTAEE2c/03
CF5ULYA4P/D4jXlcXYNaugHks7jdYEq4MSniK5x+w6Tm0Eu0vHomoMv8dwe7
uJLwEoUaCnGi1EWqWxBzCMqVev5YWd0wxG2jEVEWu9+6GvXpMRBnWK7oUc5s
ErpZup+JamuOfZNo5+nxFqvBU2SThVia6Qia0RCO6/mNGbhHsQb4sOOZw9ph
t8q211cutb6uMgxWKaxXegc9slE+ZP/5viRDab0+T1He7TgiwT6qRT1UfyA8
a3fWwCeKJMu4/haHdSvokc5YwqOkyMn9W6n8iB8GY+RIontfaHZQeEHuzRH2
4iTyuAi0eW2yye1Wt8j6YOpAUOI5n9Gtb98e3GctyBad1dQNl4ik17HU1C3z
qehGlqOqtTPVZBd4DOAJL1xxBqDRCFbZqGOebtlj5NdMPT674IUtjJ1P09ol
PTNQ2QZL0Vsal9iLNXYQxUEjMgEZHso2PfG9W+nXslFDMgWGVjQm2dnzf7N1
yYsxoCKOaAaiY0kLIw5qqUf8zARFIIVAh6e3vKZ0bhQCT/4/1hUDk17MDDNZ
pzsTfMWhAno9mJ6EXP8OXGu3UNgQdmngurWuicNMBmfkSSQNAIs1LSiRLA+f
MAVfY8qATDOOufRq+LhCwjKnmSuPGNxKPsSjSqR7kducjbAAb5RJH0pOYJED
yYayhFfU2A2F24cEOLkKmjlDare6Y1Y/dT+waNn59RwM8fmVpnu3oohzkMgC
U05jNmjOkcM4kg9REybqgJE88GOk63e9EYPoB0BmeMWbpEf+LLMUldqIdNVP
qGk+/nxXEk7z55/tSaj43U9tjTLDqCnukQ+G7fZ+7NrKc/asomEe5Be1ita6
FIeWKEf7WMrFIPWK1UupFm1FudwISree65IKdmRYWADZravXlj778UJ1PyzK
zIvxPGAoIYkFK5XABKSgekFpXnE3DN6DeTlsuU2hqG/buoSaylVpuHdc1ead
LWBogBUJeL5dJSYhjEr7TDHrg6NmKMCTkjS1OoG8LV4Puw6MyoX3KYX1mMPt
XEtF1LwyseNN+RR+hzOem6rzWU2c/Qw0rFFXZMkSfpUSdc8JRBOvmpAhZB88
p/S8MqQHtuwoIjXNBxQc9cvVFSantBAcuiv2UcXG89NyJX7lBxMMb9uRi42e
j4g6BCyfYYtnx22WiNjOO/pZyJO61z3WFyRPXvS/ySIPs31Xjm9RV+GYN9fx
EqxvGX3c0x/wuMo2G0SzfsQ/0MLS9P2zmcAEADt5pCYrcTP5MJfsPDICSHdH
46i2+o4yS9KFxlsmFiWU0+jbm2iQloxGyU1rBItSQMZ90mcHKwnODxO56lQ5
+RVFsT5MKGaX8TM1CRqBovSGWomFgM6Bt7sh0f3np72av6ymJuhNNka7pVHK
TTr9cJcfR1o9PrvzKru0jvSfZUbTVS51R2Lzw15vzY7tPex9NVhSYUT9hpMC
4gQLaiqIFxnjhuCvEMfbVqdteXzvoBaG2qjyLyK92WUbFJzkAxjqPkHHAYP1
ZSPOhcQjdakAsyehyo1vsReuldPeGFEgDUjmwPF7dZXcFRWJBo9tZWy82s4t
rFsx5UAJrkys7PrFJUS6Rpsb9C1e47ewU/HYtXtDfxtddHHkzuiS3y655DIx
U7vmxMdLichDzE636IBCbLyXOy6LyW52OpyHV+BYu9pW8ePdXKhtjkA8y0bM
i0VUIuMidlq1R1uyrbuO+3EaX2U5FZxqvSBaAsvGhbGdQKpmfb57QgWcK7aX
cd6Jkc3gsb2dnd2D8fDZwUE87FnxCr7Zf/rscbTpyDHK7+o8lLKk9X7BhYzR
SO1S9aXrB+ZoGAqGL0we7x883jmwa9t73POrJ8BTT3fh/+oXFlu44mms/RVj
pCSAAZ3L/LcuOmJ/c3/XRGhtOz7+fh/9RSkgsjgFmIXLS9cbuK4dWNdO8Cce
buBwxl8OL/3Yc1Yg0SiftAKE0M7O453wSvYeb/RqK4gYXF1XzyyDjs4s+3rj
y+HG8pcMXYA3O6+c3gO9eif2Atzl7vmhOKdO+sEdonGCEf+c8k0uVqJgNm/S
xC4Sb3HjCOV2hGPRrWGgI01BPERoSM08ac+pcKauppr9TI0Uj72YLNP0jt0+
TjgKpXiKIm5aM3mLpGRuM11PbD9it0fbyoQi55aXy1BhxUDOKhixTZH0zder
5Yp44Dejkm52qK0YEMSNYGwN79azwKxyyv41JM7Zq9H12nNgEExY9iDiIn4j
a4PMpWla27ink8bnVuuJYdtZ/6ekyCOgAVewBQnTZHzCCBhak4RiRi/jAnv7
be58mEy2BGmsGGorWMA9OPPkxXCRBV8GXFv7jr34ttrBfQosdLekMPkegca5
KyUy1fUzwmJSTtsiXWrZQZ7Zp3ICJs/gKEbNoEnvwdaCAj3fbmVbf+ib3P4g
JPNfNsWoUHAtmael9EWX9UYqmi9tBNVsPiblx73E5sB9d0ooN1ItOJ0t5Vjc
Ou0I7ivk9wQVjXqcVm6h89XjdeOaWnh5XQe450/C2sSZ63OuGd5v2IN1DxsK
m9s8SHZUV+LcEWVbFLzpuoF6DVW1vgvHgeApwtb80eWB2arfCLYVmrgyRNuQ
6a+tIJlbFrwW292EVOlYJ3HG1RRrt0jML1tOo9oi4XLgJiYM62e4/QqMGk4M
dJZTdVfbSNzbnNkQm+5yrn/ErmXt6Bi+J2ZPaBW5NZjsbsex/Xl5wJ5bKThg
HDDYBDP5apZyG7bRYoAix3aUOk4Gt/cnRV11Yp1oDJ90ce5isQuhrdy5TyjX
93AA+kzE5X70A1eXNv1H3gGqlXV1umHLJ4X6WWLxRrZ0dxeYpxOkclv0aaeI
qOVJJfeAEhFMBfzOAmdOrSqpnkbtXS+qZB49RYB3WfBQz5bEQypY75jycN3j
FeTaUC4ClSBlU4FpEIVRlZQcU7ANP63cKIxZ/CGdLWZRLcSGpVEr4+NLp1mG
wI0/9A+vrLiSTtQWT61Hnu6YrMBcjf7NlJCn7CB1UkI4NIFsEQyRsnmkAmYO
L+Ke1EvrlAnDCRbLx7E0ncl39d2p8BvLyUc59pmnx46k2GVYWB6ZB2vdsiiN
KV5wW2t5xAMCkoaKq8xkshGqVqzFNfnRTEMqWiuyePf9QJWWNklb6WGLWGv8
niOnK1/idv5Tjw9Iy/05xvr34NeyvDV9jaLNFy/Oyi1vr5I0Tz0rtXZ7lynf
FsO9EVbnnVwqFdUpZzj9iWqrqKasAWhXi3RMScYimDq68uBp058fcByn3LVG
fCIckWPsaGmmheccHavjnAhk6SzV2Lg5NQiRain7/7fjcHkpd/hSywa+AcoV
bb68fLNFmwVhRAz82KKc7z8xftF8uRBYfEuFKWLNPuaiL6ev3z9l0v8Cju81
Hl/0Q4qFl4ADvgbFnhKyDoHARGfmOJ++yH94fXi2Vb/4T+TSP3n+5Ily3MvG
mWt9stZm3sZVRzXyMbRGa/B7fJqb0dC+pVEcX26nKhR386oV2pk8OGY4tdV4
UZTydoMlBmyPJgLy1TQfmqfc3fS46gEqoUv2cgE4Q2nuKL7G09lqE9eXuPp8
b0wNn55YdhdzP/wA5B9uJwAqW06kLvmAw6QVE69JerUQXk0SNKH6vEBlLnCi
hDV3ub1PBvuW3UilvyalQcmeHYYsN8Rca7uFubBW/NjwOpLveaAFcSh8Iovo
lsRXVyT9ocyFW6LbZVCWrgiJHS5W7ZqcyWc7z/aJQUq2Gy4P8x2ucjgqkgMy
D2BSxbOkxmc0XweJEVMi1b2IMy16bda2PiyARjHo4eRm63g34QuE7stX35we
vXr53EmuL3DPVD7UNUOyZ58bW0gVSWMNu8aCBdOILVVMuFkTkhadw4SKvAKa
xJVkCUigMFwxlGhgg9cq2Hg4J0yZaiBM+cxa2LHzCFYIrZxuCrVi8w7SzFJk
xdppQqp0BrNDA93Z67Hzzrh4Y6WHQIyHZQtgFW217p1GTbjSVawbcXaLaDRo
KdlvI1MtKhCKkWReixtAhrdgVZbbmFDvWcD3mdSsISIilZix9QsX6uO4RUbA
uKWsNsVKsEg75khfCVmm04hLozWjjIAPLaZ1X/rAF7FMOdVlKgQbH13V+H51
RpH2X8EKvZYB4Y1SuKdphDCuVRa9jh2P9J2tfkSZrylh3VqGJXRmhSKnoSKu
7uL05uHa7tcnwKQDSem4du7vpAuEZPHoW0aI2q2a2uK1swRw/5ZWosWPnE4K
U+SBlRM5ESqbyIBzKtFMiiRhvtcwES5EL0T89boJUBsd7jjU0UbH7VzV0qki
ZPoBQmZ6hjAqZ0GXS41P13qXe8VxP7Ejg1eG/76VbAfqBrGRcKQ1qQwxlia0
2N3JvQelaTdTNyx4fZha1GoR7ZklcYk1Sa6i6oeY/sBN/1wJoX45bNGIDhBL
7ldcNps7o+RGhDgbU3STeO8BNO7wMplmaZimA0wH40Z0Yc83CyGUtMjoyqUF
lhvfOs2tmis2L5K+c5CaS2+rUTounkZpTD8irmmrq9MdsSmv0BIliA+1wqmO
78G9/NxWq6cbxFsRU3AmVbm1J1HF5TvTxZAb/Nm62oq/KEeYUE5F3y2/6+Qs
QYkqLWfau5obTrImR+1zOE/eGOOBJVz7bZDqThWxoJWVvNoI+VEIcwifdnyq
0UFGP0k8CeOgIDALViQPc3fGTBqrvcvyG2DvV23BQr2IUxmxB4fKjkZ6adZA
LOMJQWcmLdgtRhvvs4FSELnb/VoruxlOM7UZqOPfKxgp3Dg6y/umlo4QWKYa
z59+CcKa47HefRpJBe6u3h2azsY0zInEZfa+mM/VWN1uMj4sqdROpm7sXisw
yILDg/jtn4S+FaSUoqrlNPk1FQ+NaIvgRvFyWXVK2/rUiSnW4UrTHK9MZ3Mq
BEc9eBFiYZrBZV+W9hTukhbUItfCgTHulfwAwQ5ZpiZQzfXHJYFE8cLadfUX
WQb3jJnNns811SHsCdV2YEqgwn3Aaq0f6yrFlsmhlFKL1JF2igkUoMqRasjV
doStdQnqrffLU+W4T+HSXhGu8OT3iqjVqmolBLXstK47711yyeb20qs/R448
CO8S5AeI6K0A+AMavIXThnxv/3mut0C0vBJDr7FFPcm2UUilVpyhnsk7vJWr
wYgmufG0v2CevgoeTsUDk5A+Zhbh5dPfadPcjoTdx86OARCqrMDlj1PqpdWW
w259NrWwfB9ETv7fPyor9j8nUZ2V1cwHKCdP1rNDgPDNS9uhzuIby6ANpanF
/RN59yt179XyBnLsEuDucau3jzN21VVjKO7Q0w1hgSbMIvmv47jnuFJtDewA
QBREzRaycckefpi2Y3FpQcZKRTM+Wem9YnMHzmpt+vBAGjVtar16Gdmez133
eLfWf/eMWrgzAsSwJPUn/zoiFFjTsPESaXnfiIQHxCxj6/q1YdaeR/+KZLhI
p2O/91xLyJ0TBBlh2pQzzCLUl+QyqhoM578UAt05Ei5yKwE145rDWNQeGV4H
7vKa+qaPmgkx69INV1rxZ1xtQw5xg7UfG/Pf8lZGAX1eRbm7rIIUVNRNKEDV
sZygwmpC5lcArFvaSeSM62T0jrJ7SQSNG6YFvohV9x2kburpxO0eT/3A0WnC
glbPFAEgs0eVlqJsdMUcCqTTUjFU7ZLewYrH0/Hm4h0dF/FNoz+op5A88QhO
oNVlGIKoKgeExlVEtHb1wlDoJq3SehPLiOAd+5SGYpEC3UrFgSWdyozJDHvt
kJH7Ok0oEpzPCO0ZRKo8DB5xQ9P73Bqvx4enNDrsoTNKzZoKDhz2EHBgLdzQ
uT1TQVJeuAfRCKd7LMlSf/qwcPJ7GbeEEegV183vN6qk2ZCAPS+EIYjSXt5Q
zSejGcGUzcqBjUO4zxgxQQJHbV3kMuWAVcaxloxwPw955W265e+cEEQjHpCX
j7pxiZvPa4pgrGASdomf+ZjHWjERro4BSjWsWY4WEh6O1M5ZqV/RqIpoaK5V
3eOttgUlwqjXQJBvc5PP7oQY8PZvYie9xfdmR9/nN8l7le+7en50F+iQ/PgF
KMYAv8RbOZlixclkAkWJPU1TDvyrn5cLEXI7TMgGCQjyJd2puLUbatiJywZh
yhzySfXhX6IyndI5qIUwrUwTcNr/re2Ebf3/alnG+XwNVfs0mJI2YTOLhvW9
x75lKOR7DIxYSIUxthhZQfpRUFY1FWPSDG5qOu5pJ5uw6Sn1KyKQSMq2IsJj
rY3ARdDcAp2GMzpGKz1IMXRTSqUS1vJuhS0OvcAQ4UcATjRiphNzhYMSg+uW
qpWMXKVMJCJTZgppg9zBneykH2eHPErabDzkMOVZPOVaWhSxbA6jhmloozK2
ewo0bmtW4FCU5SkZhssYMTCnxttMq5pi4v1krOjkAzrBOY50Pp/eNoNR2wrN
/Bo7IWI9PYoKH6cf+iZZrC9RG141CRux5Ex/o92czBqxjGpViAi1TM/F0u5V
vdK8V7cyxB07kidd1KgnT/o9qhdkq8NyebdGpBh3oHmjWl6Hj8P3R9xwXAN1
SuhJEAXHusi87YHKpuZ+WUnAYYiqN0qLx6WTt7VSjl8mcrQnP0p4UtCp0SUR
dUg9TTJk5bAnvhzWFWfoAv4OcYax7wzPctAsMizoNqxH+1n3lDKy7jMKhCK2
5F049Fp8pesAL3h1XYYaJibOUMAbTvINRd04Sa61QGoXrj+QGX9KmSvB8Lwl
MlATu5HGAsjyqwz7BDQVPmEgmrAbXaRaHLk9J7g131ejoTmVRoJ1nRURCfo7
KnypBlKhgzIxJW/r0fOPB/seiIQhOmBBl6K2/QpGowbJQ7sL1YOgoAFjgXvp
Q/GlYz8kjjQPH9YGN9Q50oOHGx5XC/ekKDjNYxWvq78NirT7IRlGL9KMomM1
uO4mGfan/JkUaDHcQ8qDtqefB+FruoqpNZOMm4L9JoQ5Wr+a9+G1dR4GVkEh
cNINbO/ZM2BoHORsG/KRbMR+d3QqnZ9w1JzUTdLyLTzE06fPd2jXuCMzl52e
BUsCuazUC0/1QpyXxkfVo5RYlRCSzzu3agyu2a9dxdYLwS2zKtLewrGptzUm
bHtvs0CTzqUVXBD/OSFde3OvwNzQSys46yYAc58CvdEBGFPnl+zWaJbOEIgg
2O/OgsX0rBxwvmhgPDM5EmkQ2dwshZHulxZFeEHT/TbKRxz8QaGtE235yn2O
lq6F8UcLsNBFkz/MxQFELa8xaiXWCxMGx4FLSOhQDYqM03KUUzYF+UudeD8i
M8N49I4KxXFAo4nU7ZGeattnudaZEMp/BjyPa05TvpZIY/pSIcqUd6plpCgd
54uqphm/OtHa+ckfDyjYdnuAsYZ9DIDLtjHBaA2+uziI9gY7+5RrmEgTut9t
wy7KvCi3q2Q2//q3DIZe7bsp7vfr36aTr9b5o/VGAZ76MWv1Hdyk0lEqqxNp
PR6lqPpmlgM9BtwDlbbRFkcxyikMc2O1h6NdOvyjPYWw9iq2TeEsYYy2CzQq
GbS50DAj5IRB7/iUGpVYcTPgLB9E39hGq+6yMbgSffZ0q3pudgZql7w6ZVzu
CnvhnERcI5OF9d29x0/W/TD7iyUFUD4tM91Nu6MYt7KFldd48h0aqEkj2/La
b6DWZgoSgd2B26COOLZaWq264QrdMUuT5+qksAG6IjLQkLY29Dpokutt0n8t
3Q8riCXjrC+FLEt7myWjl21ncEtHmAh9bEu/nelmNo+Oz7ZMJUwOOUYLEzWJ
xap5m3/e2jBNbJqVKFdrwP1ncTJs/O2jDIav0rNeISme9tXrS3fKtmJFEn8Y
rvAURJRG4EjTw0hGmXvUemoO3V70aeP14V9evDo89uCKG9PSR6GNPdT0bgm6
OC7fX60BzeuHfqK/YiovzfVj+An4+RpIBdyWtY8RcYv7/nzEAS65VuPOhyfx
/QYQFfvAy/24ywBvirT/Oq6uD6L1Yv0+K/gd1RpWDP367gN8yk9zgE04HU0q
0mRLtZm5CtHOhy+H0dbDrWDTMBCMMeW22nFn9bXX378FkcNZQUxWZTIuqOWm
m9ts1WEwaMPZrh9ngO1Pg0EU/e1TB4j+5z128HX0UW/kSj8t13Z1XDDXFnDo
XgO0XNvVB2i5tqsP0HJtP8ONlB+8INw0uGxL3AXR7QFvZOsqlvX9XbKCdiff
A24BONTvgpd1FQ7Vjy5wBZQle+8VPAR3EmVJ1LMDVxTcDjW7/g3Kd+4AUvwG
78n9VvDJ3EkqOB5EP99zBZFb6hb/3IkO4BTvMkDoB2TmDYzLPtjeVn3rQBWq
7Y3e8gG8IZSlHKjCokMsQeU6BbzLFn4M9F9vH2A7suId/LEXcYXrTUDOfSD/
IEDD/2J5TfhHhM0tZ4BfVprrrltYeQDQrsMX9R8mcO7s3m+Afwmcrd+twluW
rGA5b3kgbPwVMZf7YuK/mAv+8y/mEvz5/xNz+Yik5/K6Ye+sO4eAfqhFFWvW
7z/98tn6w0irv+n3f/NJA4C4+ymL+Igm948hogaX4aVRoFuJGpA0oImygs1Q
n45ttOoeGNV72+SWGDz4ZBjQ9ORj+JQBWlTT1QcwDH73rnRZBrg/VZQBDFUU
FL3zAPf/+djqmsnyfl6OyEvR6IzwHXHrV5Zbs6/mnKKyjiQnm2y5Jg+cbmbj
PXHq1JK50SyPPluxiXuhvJwO3lEj6l2SzCmxpuSqcbgMLqkipV0ph9cGuZh6
4BrlSTo7rn+RjRcUo4YNudV9IBV9OCrn2yQZo/+wf5y+pwBdDvyprd9tCopR
fo6BuzHCIPrmVnyN6uiRJ1Oud7+ouOC9iQGJyQqHEaaaA5pQHB+Z1ascCCB5
A7DKlfVQYxweRQ5MZH5rgdPYEOOm3Sy3xNVCwci26CoHu8CwbpiIv5SqSK+u
OMzbmYvCA5ziQer3sXksbZBVN6wJxDdBkjyR5jTL0gU9aAe5VnT162xR0RIs
OhcP02la3QbD3ttWY+FL9WzQy1ykJoRfIz1skXWtfJFnTrtVLwAbljqILiQ3
DKScKbtFYgqZLMND0eHgDbBHg6VJdAKN7XDTsg9sVh9HJ8DHv6VldNcCcavx
1o4AsyrgysCVG12TSTfF8EiLVxgqDA9Se2jTycPEy5vu2iUHllOinGMJRqSN
OS4IH294rC3Tr1cENZUZ2Re+dS9kdaLCFFndNDTzMF8940OUwhiAGk6dVY6x
UVdzV+Xc1a+CySOv1YhquRZ899xrEbwLJio5EIisWGpPzg2QWF6ui8mw8aHb
emuUvtOI7MwL8bs7Sqa/VUxqKBNuxCbF9WOhelglkqkNzN/f0jWU7GymAOWF
qIEBh3FoQQMh8SYsyqvypQT/Or/pPkFx5DpZI/fFyNZSzDYUioMFkWiXVDZq
sphKARgKfOpGtVYMs7dVQegW/mWwO0dS49kUZJQgf035njCFqL2PJJLju7FI
VddCYvazBkIlleXxDZVyOYcjU/SJTtG2vcHg7UWhhQnb4KI1E7E4agK3NsFa
1LNZXKQ/qWN/Mu5XuBJuzIwYTCEB4zK6pAU+4ULuplA5B07kBkHwvI6KlFgM
5xtdxJOkX+VoBriJCy2zKB2Zydc3dgNL/aEaL5Mj+cx2gjZZHHE0xtpdePPW
8U2xNsCaMY7kIyDWAOXH6Aj+ewP/ncF/5/gvXhdPxIwkWOlj9IJbB33ERuLE
fVB+vfzmePcZ6SIfow/wX19+bwD9Y7TAS4Hf7fR3eejNDDgJGYlQdlVgu+FE
LWc3iI6+snB989WbDAt29aKzr87yI8xt/QO2KT//6jyZgzhI247iaXqVfbU+
SlB6RJGXL1eO3CU6GadVXhxog2ZeBxVe6kVzqg6J6uo0hmPhHZskGqVHWJOO
D4uDaQgVMvP2OKG+TpwwGhfxVRHPr5cgaFpyNaa4LKMTOstXF0evzk8kEvTp
7uNffql34WCp39aY1hD010ZSUMp4JAkkWHHOhKT7snytvOSbZrCPK4zFbRtx
Qta5vRAXbC9dDBeG4sevY+X6NFtwHedVa2zVuY9kyMSWWkiPA56p59dc1IZm
TsrAPMVEbJLo+JoWsFiQiyRo6lSaQu8wMS4lLfF/RF9Fm3u/g71+/cffbeM/
Wxgjxg9oS9o/aiYUe/kbmaq5YDvIPNRPwzZC4im9CGwsgEYlXDXYn3WGgdte
2Q3YviaN4CZOMe5K9jQpRNEQa8yLJC2p+DZV+PKFs2c255S7NKh2kkUhJn0H
5txSkAoljaySkqq5Uw8NC/Uwal3lxCrdyr+LoZ4tnApbqldr9duRFb560dTP
UBh1mKwod+FxBJqCuQVinCK89WBAL4TOFAMIp97Dp8CPqJy59lLnJXSMb+x9
FGzdFl0L6KDcMG2pW0jpoCi45ZKrjNebCmlyrhrONM1zCu2PuflJhRGw1DTU
jf6uvHNzjps7xmjpYRWV3BJ9bVkeNieJtHNJjXXVNDhzEmgcPW2gbMhTqt21
2OqPrSTX7T9texYxflGSZj3Bxr/MPRN8b8y0WqUAzTMAvVu/C8xmHGGDwb40
GHRjAqk06JaXE2si97FLAFUaQzI0cVI4GGFQzCSbkNV0DXnzb7FLUsiq6BNx
BhvFsncJyybntj2jRxMDx1Y7bi8owHaA+9a+hXOytS4dBa1NYJBimkR0++F0
VNZJGj3FPR4oBSeVemBagSJcykWNMcm24jrtWhfGycCcl8linPex9nldlPjl
Fxp3tYf7Ts8Y2+mYygHhUo124wxhqtXOEy3tzLtpWGxEuWkRji4kyhrm80vE
Uy8EwlqidpLW0KgU3nOCzln+YMtmRAIW5jKNKQGIdqyLblbgXLUZYSBxr8FE
ZTk8syt1HL16c2bKxDslSRreYEVaH2epeufE6VjQUgK0LmE9cqqV4+uK1NJM
NuX+CSVH9lMeJBs01DQswPO1UlMMMlZoviR4CmWW2HhRqNkkih0k3Kwfc6tt
A0WnbYnjtqWlsbUAGBtqponmvantQJZlSkIqFyTbImjK478vyso9C1jrS69E
oVPLYuEf2x9BwASGsvmiF+1siUBJUewvuPMavUAFPV7Ak7C36eY0v9rbPIu2
o5db3F3nzGTiSxFYLyG2jgA9u/ICm3fC6AyUXZVyzmRNhFK9aJeatgUq7pdo
Cvyj1o/2Ju1gaJTJIyZGqaAQOynQ7RIEiM8l1sVo7dZmhcBwOzDbEZHmHC4w
kWECGjazDMKP85OjVy9fnpwdnxwHCkqvYqhR8k1GScqV8HgPukLYakfzyxU6
AkE4MTK7vUSXLvLQI+WSLqvGl6JtY2aGOKH0j6h5+Oe3R6/Ovj09f3l4efrq
7O0Ph6eX2uRmEB0vCr71iFT1liiiBtAOu4NOyKCGNTlMZQW/ev3qFX9r3JSa
6i27yf5dDG3YTSLSutPcMWvE5JyUCbfPjsKvQ7CgIgKT4Ak16slPXaUsn/iH
x2ubxbco8F2DVE5uNVB9MW/CuNV8BFWrOingXgUHFNHITt/Qaho4b0EYRhOv
HGD4ka/o1fPLy+g3PMiL05OzS4w7f3Nycfn2+OTF4V/W1lh11ifTsjUZ/8mg
rqISmK/5eTJh8Unv7ewpFhMAp0nr9DgfJpXCi4KS+OTFyfmfTs7hyYvXr84u
TuTRlhyhXU7U7mwK1rbQ/R173URJoLIlLGiTQTZUjKNhuq2uF6WtTBR7LQNb
zg/Gf7Jv4MQoQxO2Fv2got3zaX47Y9TEfjnYRfsatEDkzMFpbDcEybKRD7Aa
1ZiTQKkLEvtFuYc0yIJioWAjHVIOwQ82SohUN0UhCW6ed4GaTSVMA11/tBA6
bKl/7vjk28M3Ly7fvjg5vXhzfgKovG9RiqDN287MaI2dk+l9AuTOgvhRTTh1
CfwrPPROisx6/xwLWo9r0sRCqe95SDbi1gpFQXp53MI3wsWZsKORGq/9olrd
+VFGR+6y1lMPJHYTBWwzTRmwvaS+t2vNTxQ2w2xYrRM1/1irxu3m2e10inCu
M4gN9twcA5HmPPqibjUEJTBUkluJCwYCOF33VBD1pnbkT9IzsCiGczjYDuCd
wXphDWnhwcj4oSlN3NYmsTpLm2RVO7hAZ5ZRSlxSLrrxm7s558lcJZwsr2Fs
U35hWfQcwLlD2YIyjCdmknYIV/xk+4xJxObZ9kmbuOocXUADqYvLZbvyJRmw
BkNJTt5Qvr6SEB5pXQSvKozrKpRBR9rmxGvvW1f7tLgifj5MrtIsE0LDczDt
MVYRp5CIkeKk3lBjnZQaLGKcFeLKh5DiOu6+oyaFjkrrbiqQfhNtbp5E/QiQ
YDs6VjUqOo6+Rnu+Z/XnV7VI4hgwOMlMjw00QatA6IZvAGjzGTuWHT8qWjmm
DGF6UfQ19BD5+MLW23w6VkelwwlaqJunyARrLLkydbghmt9TQZpZ1ZC0qRyy
5Cm3GKXizBeLqa2RKpBcgkWNBJ/SxIPgbwRbBOm75IaJxxxoLGwf2wn3QGki
pR+rYHjdUFCFdHzYV3k+1uFSKVKkFkfhm1S/hnqQSUcSJaNdbUkewIzADh5B
bViqGpHs5l1w4yodwq+FhJctc23tkNDe1oLzrr4NitFZRWZA1Z9JylfR4z1L
DLm0ng3ec000ZN/DJpkv4aVnpFRoZ8WmcNDguw7DRVvInnpcEXJwP3af4bQL
cgLJ/IZD7NtwsrCd1EibzAnFO4Zl9Xq2qgj6G/QFCm4CRKtE2psmXKHtSdsU
pfV81Ip4Hk7LnMpHuFSTRDJio0BSrd+neXHGDSWc2aEQPFZfYgoeoY9CzZpA
YlzMTDGU2BA7gfYxQHtX41/uSX8BRYD27j4F2vt4bwsHfErogWbStmITfIrs
IARaOF6gj0t6AmPNDbwCnmGVqsi5as9Sv0kdqdCpW+v/5Ek3pJvDDXnpAfZM
uAJVFROTO6Z5s77m4aLUviDejZimbulW9/eKvstLQEI+GjHjnBPPEJnel6CQ
z5GnjFAerguSTo1/dGjoClZ+hrU11pcPZK03ZgcTXKtlYoYJ1kLMC4aF9HlV
vkKSLmMeI4ZQRUu3V6SJpIZV1s5mo/T9Go6EPhIozbEaWvqG6t0k42Y9Rxc/
5zxJqyztWda1gg69lY/yqT/x8sgQIVVJVirNYEHwlmi2rAX5SzbGqKMkc/zB
hvurkVwqYlC9LWEJw1w7sduqTa5+3VassNVGy5J+XJkBC+rXOkRuon5nFHsE
ArRV6S2IwZHiapV74T7E9v+JQYX2hpOmpI/sRYm27V/IRW0N2TFm6/iGygCJ
EdcdnambU0uR6G/iRM0AV5+CFD8mo14sezamP6yCAkjT3LX109lKuypZHv4F
qfWMnNmVV6CVNEwfOooTbj21v4P+QTXc+aqTtda26MN+67GUHsNp28uRet1O
8abAoyYLDp3hVrPRFbJq44CkhgQF1exyt6BiDFVcA3KxKAHMuANqHc2BtHg/
qeO8hYqxShBaCehyET0YsirmSGdZbqqXFtYVCEfxjV6EMPbQYeBimnjpXXjT
ZNszLJpbHo+S/rvk1jEl8pUXa6Ir0kSHRycY6zNLyG2Jt/pwAZ9nlWuPPuSy
01IliBmS+mOBKLxPizxjOz7XYd7bwbqCXDJ0nHNTUQ/pREEyW+U9bmI7zy0n
oi6fcidR8Q4K5eCIiTFfNviUelS7hUhrw0qswi0yk1laIZWhVoJ54VXDxqpx
OCFqZeTSTSspr16a+GqvP0rQGLa8sLNDTxtMokk+LLJ0A41sWQZOoM2JpiJt
cfC4SYnITSG9Jo4hcGl0DARDErUwJg14ZZ4Ya4DGS4vtt62UrMc7GHvdzTo1
rDujiviWaBllDbrZdCfbcqJFSFWmxrBDZ35XYsDhnKbcbVSprFcixq70GLqX
mKhMOh2K6gSgLigOi66iqltknO5LNZ3+ueKAWhda6WFtYtv+R3ZTa1ev0oLC
xnSN01p0aP6pbhK/qwGBAakI45cLIe9MTMFk52icCAA3NBQjANx62g3JRGp7
e/KJsFnWIRj5y0CAK653G+7s8eWLC6Ezu08oSMo0Owj6ojAyQ0aDt30ETB0g
AjdbiL3a2jKn6bCIi1QFmQ7SzaF1uca0cjzJRXoFEFSIyip4CXKJO9qO1jlg
Ix9NS5nHtqFzwOFcY+4OQQnwd+XmLmBASi5u52xHkPL97f7Lspu8XdrZkddp
Px3XcyQKQz0wyZQGVK6FC6WYGDSGjdGLUxMhVuCHvCALPYefVi6sMeLwNbpV
Dl84Z1yv1EyNgI0f1W8nUbfWGyHHC6Bhek+V+2bxvFNk0lqGqBsCI673rORW
Bxr9RyPGwyGKPA519hYTqj3Qpxi2kmLHv4g2EORv4UJLkzWnmCCmhSE09FCa
vKVSE+JcugYwYryMM6BUBfYzR0VwLLkfuN4KdTauXWiaIXzKYXvlIGWhEt1I
0PKzf2wKhe7PLV/eF0HzOp07Yba8R29jDDg46LdX8ybYqGGHVp33pNRucOCg
r6ReOJpsN+Ky/Vw0oMsT4ky4X7NPlrd+g+OftLzrd+NJc3Hf/+H42+hweoUd
Ta5nfDYB2XfJbNybg0zzfJ1rw9abCNLMLw+PnEdoSU5gEdusbVTnn/D7Zi/b
VxcndpDSaWAL6Hh4djjABwb2ASQ3DadXbbH058X3h/29/af+ysXqXls5/QnP
bsN/TbCPgKe9ncyqJuilHriDGo7Ij69xfH15p0PxToHnCgDzRTxMpmFgfg+y
PKDcaw2cBZieh2DKzw3scwha7L5ERXslqt5GWuxxL4blVhBuZkEhC7T8Usp+
oqeWAUZSgDFpEUVaDKfpKHqHijFZktH0WSTXWC/2PUdaw9wtDUHqA+i5OrKY
+lvxUTqMZDpFG9oILfAwwSZHSZm0Lm4meSjBRxIYdFOklTEGGzInKTl207xG
zs9rRwnkHHTeWOKZIqxB7Tn64bJk/yn8Fh1N43QWXaApfPPo6AK+YUHu8XOK
KP/zYH/nOXmOeR2JKI77e8926BxwmMAjzgkCb+KiuoyFfXySLpjoPboViX/y
YlHoAiwq4CI9leJuJQYUH7XwEOkxLqmxhlxBznyW/jrM/gssypvGbLMk+P/t
r2hNR9N6fRuSw8jpn3PJ+wypPUytxkU8qfodmx5Ef/uxcfGv5m/hmbeAT82r
z+T9JCOhDudbToFxIwm/YHWLmpxnNdIZrO2uNLuVWjwY6W3AqATZPAwhktoR
PeqgQdEPvrMweABu9Y/aOUt2G6HlSv8xykd1NUIrXWIhdm2FRk0b+xaeb0fx
PB5uHHij9WoWNCGnpFK4QQ60PRoAU9fJAUqLUSkktmzd9M6AQ3APM3a5puke
4r7I8D1yZlkO5iAfqoHZggGI+dvqdp58VljQ98g2cCZ9Cf7WdHSd5N4wM2Ov
DrI/wCuX8EobxOD7AX1v+o4Io8U2zs6CajiKsLHSjE0AyaKEIoltRqesxso3
XYzMRtNqKyqBpOXJ7RKQ61prS2bCcKo2kboWY0vXb45dqWZpFmNPOQwIGdoO
A5ug9G6xfc5E43AFdHGSUdF82FgfoNXnNjhq/2kT7ik0x9XZZGffs/vX2Rqy
K2GJCv3mcDSLdrltBbwCU90Vtj2fvQiOsc4VkGqODvMmnltP9S9qEsIBVgRD
eakJvyYGip7i809CPoObKyCfuXB3Qh4HwuSXTFyvpAlgoKW7tzuEFtz+VrKY
KAmyZrCwhMCulQM+kKTDcWnyl43iTEvHTuLYQ3rGn+0X4ZdeiygsGtNJhz2j
1rLUmhoE/KxA66iax2hq2EwCK6ReKZHfCtJZlb6rBaNWmFZeCaRhmnzCMjGm
FxP/qsIlUgaMaDZRRr5Rq36SaOZY1nftv3wDSowkwKLz/RnRkLGnl3kNG+Nw
y0b1hbk2dZNcZMYtA3KadHWyqlzdl20vWZbgxUKqDFSIPNMxSfzTbpRG6mJ8
dWLxa9+q2zdKxM0rJgA2b3ippZLz70wTo1YTr9in2fhIpR/O2aXLfrxHNlrB
htzhMtx2PYSaTb+O65FojZZxjknYl1aBMBEgAY9wzVhq4GIlUy2MwP5WTi10
LsMj23TR3ZlgvZoKpcdbV4MSS4Fard09x2NrNSOn8B5Dq1ZM4ctVTBWo5H8G
X5TtjEaBNVK/qAydMTnYlK0w9c9wMbj6Y3dGLS9Sj0IZYXUWZHi+c1qMvAJT
ewSmrpjJZ7TAnccp10sLwVdM8RQ5T3EIAW21/o6PnrwasfZ0th1tST/6kouX
LTtU6+NXEeqCC0lRxeAPpt8d5akCx0u5BThJHCQeSOGpUCCfsx/8fDFLWiLN
cWqZ9kIz98+k79VZ0DZACUr0nGYUcxzFxdkXWPkE3voN53/WDXTco9oZ75Vb
RkCmWqlLEDdtkjSojXfpWDg2jy7bOT02zmxxqgbEMnec13gbAKqnf/KGsx9H
2u5asNbEkwiIx22Q5B0CZJYuSM98E6HZZzgiDWtxGwaJm+vY8Qicr23W20Wp
0tdovCQWA/9CtObXaP2LDkLZGuNdI8sokxwpVlcaqm5pPxlBnQ5eVqU9wksO
xGMHy9RufntyefS9miR3H++JjYReaelgxRGcw8StAEjsakGxpRnsWgxkpvxT
SYMeGkcdyvdTajBtxEiNpE/nQILJSMSbcYoTcPRqqRapgVaroruDR5Qg58Qz
NE24gf2T/M9ZyrXUv/a2bI4oB+qU1sAjdupEQtQosqvH+LE9bp5zAIe6ung/
VJgFlYyZpZRszEtcDePDRTxcrO9OYftkvPdkJRf7KQBA0JxZsOAhwICIUsuK
Ts9OL9+CaHn6LZftlFyfC1SPn3LpurbLR2B0zYdtx+akxtnoPwM+CaBQ5dmz
fJgOwSFB1Q018QMClRbWm6cHiWAQpF5yPEl0KrcmZERogWZbgbFmvANP0CH8
heWFlaQFlUBFzW2mQmnH2pocbaWSxyvNI+gWlLb1pEvOfBku0qnhh2gjll1i
rUTQ16ZvY6CDcNkWI6RlpetWoNgJtK2TmhOGe6PP9UpuPS5wQdR9Q3D6LYkI
YsD2Iyg8CuGIEjXm7IkquYlNaIitTWJrWI1ZzDx9v9JiGvLIZ1wTbPztiMXO
VQEVmecfdnEqAllz46ntwSklp75Lx1uhOAqTpQfCn0jRLgcVgw1Z4cUKiJYh
9fUYYhBTIedxN1UgY1IbaViQHEiaejCrAOt3OAltbVTMTXqzRIz0cJtH92AN
3e1G/fqObFumvA1qp7KJZoQUdvkmM37WrShd4iJsKl1xvRbZiiTK61JLZBG9
tjUlqi6Dw2SOJO+cNq6y1kTeVMByhRrn7eWobmQbMruwStxldnFNcg9tdtFq
lmp2CQffe2GdK5palmkl7q6CWkmtsGirqFGLjw3vi76ncH0qC9nE/5bltGzX
8LqBHIFMhN+RILXn16gk30TZJv9yenC9Dn5os05ckq0Mr8mTWC4xnnKK1EPK
zYeU3S+5yO4O03oySWSyyTEL8q62JwdgEmZa2jjTNNG8YxQsqvsaX/ZWC/5Z
iuFfeNGraqw1zjeACpUJAfX/Ohm9q1XL1nqh71JARQLmY3+dtkINhzuzKWKi
YNFUDAaMLQS13EaCZbGSMXnpo35wC5IRh0Od8w5+AB0yv1GsPDcV54WHBsMG
NUa+fdv8FFYkAUlxOuXIKNFBlsGidfFUdQmBr7nZKvbG6KqAy4RqrHEUut0T
6vW6O0/r2ZIVdtSINUsdA3/WxIvOMxOlzi3n4RVhNHuWGr1yTtwnuJzHI2PK
04wAU4t+SeKBqdGhOckB0JdVXrgF6EpPXO55gqp4T5vioWNS6JIQlwmtD3BB
JiCx/LP51Jh8OxXxOoAUZp4uiVrGLJUZKcuWyZYrHaftRqDIq3Nq+aZrnPFW
TtaQdh7SbbFRDqM2kf3VNo5FG8Ucr0UkVQFoy46QcnCVVGQkG6MJJ5OcvBuQ
B1uRqdU2tOQqCB/wT5uDCcTRyZS46zg7gdhWXtxMgj4BnOLLZXabpdtVBL/m
0goWzzVAgitit6FWUBlaIpv6sgpZgwN5MfcyG7VLLiuGLXdKLljJCEsfYeZp
DT+MVbmdHkjBa9GKgmactup2Ky3eLQZIPMby0OgGBBEKfbnGKsuRlqHGzGhS
lwSvJZo5aMOwtgtbMqXVwvOpDKn1yobQaWuJHahtvU0j0D962UFTUQe463ai
//T1r2r+Cd3vlSxBpp7Lfa1BkTbpa68iof396saBS48MaG0MKmnAFbdubH7/
0S5H2u8xNLTVABda5vr6sV30NlUcs9Ws3eqnWtpfu67SuFNy9po6X27Jf23K
Ooi+sQGO7rK14WeO5VyoBo5Juyw0UEf5k7tCTXirtRTFNTJCre/uPX6yPvAs
/xdSbKiVZ/MGTl+7rcxkx9pZs9HVQDttesYpCvZqq2qzaHZVafPVxVpAzmmm
Aoz3OiltSBlGg8bGERNouuHADeDxWoMobL4oPev2hGqa9NR0x7VSL2ywRBss
AzmhF07aHfluBS8vpPykje+QO3ChWcVq0q0rXzAAnjgT96+4V3NcOoEANPzZ
210sNwTfbbKFeefD0/0t58GayZBIH1yWT1zbXn1te8G17WElK3dto+dL17aL
w/dkgYGaKJ5pnE6CEhDXZ7d0Iuu2SYVPqHGZ+1/Gwz0SVsQIf0yq4WkoZuGi
vsX94Bb3sTiqu8Wd3cmSA/DJG6BWrLYur0uJ+tw7vMw2TMBRs/vU1YuKUKbW
ybA+KtL1NjHnqS/mUHrOOOtPMSUIdBIn7RRuJi044eZmI8Sa4zS+ynKKkzrT
zWweHZ9tRTIA1+COjs5POZOU+jv/eWtDMtNMzobrx66ls/BXFK6o2Z+w5D+L
3Ljxt48yGL5Kz2IoFywzU34E0756felO2RYmYar/GHaz1DxVT81s2ko1zJ3E
Ui/GuFupaw4ddOzzBqU9trNJN6KD9ihI9V93jxen353ZDfJUfnhJxEW9JHnh
nwwCTovkKI7L91fYvjvQePuNcLubbSVrP0aBDtxfA5kD1omtm72woju3bv7o
dL9+Et+j9/NHp/u115zzLgPQTg+ivwLRPkBK3HMcXAfIGX/sHkDaZ3OTujfb
p3dppE0DUJ/6e/7QACeKrG+V/P98twEilhQ2vzu53OrdZwUt57DSWDLAmyLt
v46r64NovVi/0yL8NubaLPCup/DLXaYMr+AhB9hEQQbYva3EYDN52dwthbax
b/zWw61g0ygFGMpWYdg+CnsdwY6vv8eC8M4KYopVplQY1XC7NYhoy13BoElx
VvrRAbY/FQZ/+2Qg/s/77eBr7BzKhDX8sxq57cAFQ24Bae41wGrktmuAGrnd
r5FblIR7K6GzI6gfqJRuSHXHAKvR644BVqPXHQOsRq87YbAKve4cYBV63TnA
KvS6c4BV6HXHAKvR6y48OKrJgEFW8RlIu/tD5JaiNEgtFH+mZ/hatoK64n3A
Q/0OKOI+qNgPyBsefgDc/oiK85fB6C3QsraLz74FXMWylkxLVqD692fdAkjt
v6szvbDUHuSPF7iCPWIhhCpZdUeZ/YEkduEA/WiTmmjeZRE0wMv4Q//wikjX
/VbwTyGxtwcgLhOeZQDBgT53Nz9wrUHboZJov0ETT88ZoIWAryC7G6VjMrmr
uuEN8PrOwKsNgNJiNX+L22W5cScC0eROA4R+RkW6Mcrj+cH2tjoGDtTyv73R
Wz6AN4TKyQdqWechlhKUJVJe5wA/rnIuDhDZqiGy9y4Akcx1ZAD9iGnw2PMe
L83H8ABtP2KcgtfQhNPEbGcF1vgBf+zZFTz5T1uBptATFJ7ACtblAGe3373c
xvJ8xB221ejcqw/ASfcCxH0cwNinO35kgPvrr78G9fdo79dmkAL5+l4DPLhB
aq+mIY2e/8sgtcIA/zJIfcrPP4e8vPdrkpfvTVD+OeTl+wl6/5KXnQH+JS+v
NMS/5OV/ycsdP/8U8vJH5MKX1414L5t1ZyLDNKKsyqP1/adfPlt/GOb6m37/
N580wNFu9CmL+IjpGR89Bg+UyHalAvbumVHrTB7YO8gHuoLNY+zTJg1RxEG1
jVFtB8ZNta3kZMus4JNhQNPfX8SQAVbz6nQMYGTlvTu+bwZY7tV5GtZaZID7
yygh5nonGcVhrned2xvg/jKKuY0+JqzO6s0A5iCNsLjaIGaA+8ooZoD7yihm
AJFRDpRY3XGATyTrAIGLTn/Q8gHu//PRjdRZ+/kgeqTBzhzFHVVpNU2+Wtcg
aZtH7uhPjTjTdQmOptLFLfUoNEzvLkUpuE+hJob7yQcc+9irhfh/Fal/l3Lj
gnH0NuKS4odLL0DdhjylTsmrlRPv/GDQrnD7QJyDk42shaPbC0XJcCZ8OJSM
o93jbVy6W1PIDVenPkFYYcR8Q5H7bYcpjXkp4UWaPnEUvymE33aiUobOxpnm
ma31HQ7YD2a+2/4E0c+PutqrSGcfbasloabU/dZ0IpLDcwvKBuHpIceyJtoS
UcvV7ocJbDcqF7NZXKQ/cbjNjO+A1lmjaSnelGpDm/L4bmsZzBGnrmym5uqC
kqWk9+d77nridvOj25WM05jrL6+vpFKuewVwpPOyU3+VboopisWJrGeILy6l
4b1g0Wr5FWtT16gRnKekUq01jCMfg7+2PrPKz5rRLO0KduyvXAK8STOXHjVX
efpvFycvvv3llzXVvJwBdu2vbjDxp0ziKFcywN7DT4KtXXGSt1Ir+2P02I61
yJB+02Xg5u33nERSgZ1VPrG/6tjYIByYdnXfSYwmaAbYt7+6PQTq4GqUxqoN
LBqi89LThxmY2w65L335MANjIW7/pWdBeLtzrDSwFpG3oz1vDlz7WWlgWzJc
X9rdaQx8nxVr5XG7mt3dhxuYOZAOvGcG7qIzK4DC1EeWgR+b97GvWeDn45Li
yLWlF+/f4kk6MHlifu0iLHeawUkBwRn2H3aG5EMa+W/vPjW/dtGtO8wwr8/w
pfm1i2itOgPK5iQ79DukGxXXl4hIg/UonsKev1ofJeg6QXmdRYQcy2xEJ+O0
yosDTThikUVq1IMWEHPS3xRrX6ybFa7b3Ggcw0pTzUZI0hB8mlSSaoyrvyri
+TUJeJcqSVD/b2qybTYEL//8yNbf1F6XfYs/KOIhMyB2sBjP+/ZpXQTVOmex
j/bXeMCrmWjkJk0sNBIaSGPamYVaGlTz9K00gd0gaKi4LmLGikU5l5QPq5dP
QmmMUkZsM9WaPMaZhW+OX1MJeMYit4ap2WsNMH5uCGyzuGVo/PxzCijbR+Np
60DqATXS/Dot0h6uc6ZOa516sXWn/21UG+BjeDCsiU19eLvEyWWS4h0lyb4s
TgFNPBmwQdq94q8VhdD7BGwJkrYQgCDE9eq3A5m0NG+Vv3I68Err0wNvO5JC
GVrBQlKzc/tIf+Q9Um/hivW10ql2H3BG9l9j/L7OTXkRHwUfPYpe5FdXcB2a
hcmwBhBXQXIq62ujXNDJ0oJ7jtTICZAwbIZbUgO5sopnc6z+kV+VTrFWox73
VIen5MkqiicT7B1LCVk4v83YmCWzvLjtSQ13epWS6bOkuLq1jdJtAWdKZMYm
Pk21u8cJFi4x0Fq4Zbngmn2YNzLViiCkyC/L4lhSidotgFAkjG3cnBrwf6Su
h6Y3fxxXMenJBhTVNTx0dW0KdWBjtTgz/cM5Dy/90Dff9wU47hJMg1naF1Yp
0mI41C5Dq/lTHegwDG0PO1NX29Q9wkGzMDNoA5PHBuw6kw/JaGEXapu4wolt
Ehymt5j3W2I+DK7GXlA1/nATLzR+VVh7xe9U0La7ZgONMqnwDdu9GbAZsJEs
X9R62q5tk/su2urDtNA+RXbAEN7+3udTsz8clTe1FdjHKgtX5MCbhhcIlmNT
ccleQ0X1YgvR5hBtJ+TX+aQ+EoG3pSV3ArhHzXqxpv11jCieoGnI5FrWClv0
lmaCmoaLywQcr1Abmxy7+sw7xVcBT4IlsabY5gduHJAxEhvSxLSoR1pX6zct
Jc2B1YAU3ItYGp5R1Xa0pxZA/OCVEoBiyNg4hf2USGknQithdJxpUUrF+JhI
LtrV8V0eO+K6bLRuAbtDiCX1jJq6sFENk6+RJSF7kpFRyqxuYY/fJCU1s9Fm
08JfTC8nZ+ARVauSvbsVuz32neNGbFNNkSOFCdzUmAbuWSjKDZ9CnGHNA1gb
A2gYo6UOjfP0ZpFeXXGVqeS96aiO1QFTe65ubr7BEyLtyYTKrzFXyzkPmeW0
QbOsNxbNw3PHmnlwIwosPUidMCapbUrmtCBPCix0LNgXuF61Rr5praq3k/G/
pCKrW92cqriAxuU9AHe0x5TJXaAWRzOcUiZ+GVMBlwveYmvzMcNfb2cg+Bfc
XM1ra4Tlv6iCTa04jz8BHkR7g2BbtpnLOWzbOpJ/SG5tRU3bbtNpSoo22aXr
n8Mi8SJQ79zWkpQbZUcvOncOO/h5ogDR0myG/2htmsBb2GrM9OEFlB9z5dOC
mWcdxHUMsc6FQme3fepO6T5zVfzKr1lBFV/oanBryOv8RtrVGlJ3G1G6PuK0
e6baHRh5DKUfqfiLHG7KrAcFYUL4YyOowEDcJA5IF5YlTEqhJsgxEElHUonD
yjaNC1TyDYKrBaDJgrwbmfN0jEJZnWLbtn85k8uc9FMU2cdcGEcJ8p2W7HXN
M733gtGZSFu5cw5wRoB1Lp1dTflM5dDkd+DDQ5Kp/V5GuXbsdN0+RBYNlSsT
YDqAskwXSYLEstlTW6PKY1gEcabn6u5yBF98DumzrbbTOn6pbEi1XpjGQTd+
nNsn+5qTxVN7QMoiiB8aTkulaeKxm8yNq2cCSA2YQQ7EaaVlPfI48fI5nLi5
KsMMuOmTW3YHFsB31hJRgwEovWOJOXOlrecP+7XQ3f7mVtZFFSmIu/POOjg6
S/iAcViWXYpmIGypqBVXUsbf45I4bw8FJl4s8hZkif1xQdcDViE0j4f0WQjJ
PoILravx5CmcV0DV11OeFFzTpWumuLzNRvBNxm2OVpm4R3CoqqlgIfXfRfWQ
O5cWtE/kxFcYeaTq98IvfMuVcyRFEgBfxaN30XtAMT7qb01zmqRAjCRyq9rL
OH2fjhetiIOwzpLqJi/eGZj0nJaeVzWaGcIjvi5wJbHSKl3DaZxlLBeOsUao
ERE3Edb9rWphGq5KcQOR5HUlRhUeRIfTMieFHae5TqZzrh4HqjH23QJaTzoU
DErSzNXCb4HodghiKXqOvdeskEVlrJiOgijA1xC17rZGAlyOqCb3Y6MdUaK6
YUQMe3QLok5WpnhMcisSIiRUqhnNHKUtowpMi5VnEjlj0aNUuJAQNVal7Gy5
V2QXACUWSZc7b8Zejad8suW80ykyVCJdKwN3nkzqsgfPy8X6hbx59dWobOvd
aBscBzJyFgoVPsQvsdM9KbPaRxaNEu8Mk1XQxVrUgnwAYreQymxYwx1AT9Iq
xtbwLngFqa++ct3pJmeX6oa0PHmdJfKC/LO9NhRRsLpKp7QL4qCcu0FJSicT
eR/HxI2Wkip4IMfavMxAb5vo6i3Y1Lok1Y2YSZIR6NGnEo+wUbbWVU9nWCiO
HrfGgA2doBexrQEXiEeG85t6h6MixyY+HbJUTdhRoEcn2gtApR0El5ksnXRz
DLyyUvbSRmm00lAFPOIEafoiJpVOcT+Xn1ONSYvH3ZDG/VEfVXgMVooF3TMy
LbvjpDUmZ+Q6GduIfmwyfelsBYY/RkE9HRorzh9YAn8p0vqnd92Y+fONa/Ph
I0ENIdRykYKvHLuCLZagnbj1MonFLlURy1VYDm1DXWCsbm04fyxpJEHtHURY
cJp5YoA6LNwW9TW1Vqn0IZ0u9onwrQ8kgbDFAWk+sjVBeLoFtv13V6hTi9UC
99noaW7EMYkLN1Dx99rZbGzVTsXAlalRRkmlio3NsQGBob8S1ONQa+eWmjxL
QK1Geo30KeQO8zbDeH7I0vQRG61ILjbil1wRlbjFsCU8XrmnkXobbF/9CBOg
+DFVZMbDLLihjQj/IaZnmOcQxJ3Er3iv5kFtJpiT9ORF8/caTNbl1fIwDzcQ
h4vVBKa3pn8eM8hghVSxVrpmZyllXhnN052fXAAlXH+26NrnDK5Slfg2TNaO
Mrb4K10bfyCxn9ZwqOUI49b66K60Mha4MsE2TKfnE1ISU3n4Ir26dqGCJj4H
HEZ4YsGKbJI1Pay2TjU0K602LXBxuMOjExC8AbNIJqZuHc/3dnZMyfPYNTEK
k6K608C+ctrDIqs81PHZEaMzt0KsW36Nt0zBw4uzPSG8FhCxeykMCqumPUdj
QIla3ma5ZZlpA+7UItRjkVxk1j0MstV4d14gSq5cY6qdGUnLk/H0wsUt140x
ncyQ2o3L24kx2iNmTlIOvsZjwussdkp4T4/qsTR1rrELImRKPmUgikV95FXx
CflWtdJ107F6mll3mLmdMljNnUrKnNP8pSd/PH2yy3/4VestZxumpXma+770
6vtrLdLv2xVqK+ry7b7JLBU4csloSQ00PMrK9jHUlc07HsWY4f2l74dWS3AF
bk+X8VyKpMiktko4RZogGx9q459aA0sDUSc4xXBGJm8NuWCGDTVQMBqhYY16
7db8gSHThyC1Uzp7ZBR4DoSpNbgV3zHoy+wlZ/2XPYt0X/i+i+zhMIbfqt4J
ykFgJfDCWZ71ZWRxeYsBmbY2lPtYoqVCLdWhx5VxpdwbxghqTj8Etf5hTDP7
jh1dk0UDl+ey7bAtkgXubor1fJf62ABwbVvEkO4MraZT+CCAdq683zihofYU
o61I0wr0ecWmfznoutf5uBaIFPDLkkguXbmIzpLcp9+Tp7d+0sbLzD4pdMuw
PWOLbVakfpoePMgE5HKEYgjojKwFCQZICzMZpXNkDTY+hhsyZp1dLcctpud4
ql7tniKotmHjm51kvF+nXj5ymVlsLea8/5guvW3DszJ8RXzzNiHqNjraCDwz
ruofI6/hC+1c4jYsm3S7BPC2oBVIxBougS8nneiJNE+b92mzS5wG2rUbszIE
6N4uHMLsU2EkEMCNUAuPi1s64FEBIhmbUbK/G2UR1YMWNCodJQjX9m2SjIeA
V/1jNGgCHDlxpwfKE17cNBPDv3MmqBu/J6yj069R0tZLwDLBQrp4+3o3ym1p
tmhBTmZYr7vYVefRG24ydrrjFG6j2IACvpIHlRWVJCsXRjNht5GVeGB3Qzhh
I8x2d2gj3QYNpSJEByt4eIJhQDZrtK43nk0QAa9S1EpCs5eicEzpSmt21aa7
661a4CV1x3JkAotbFIBlza9tKkpZ77n5YN0me8t60tUmNjxRd0N9CATpPEtw
1/LV9YBNt/rzGLUJJhN6bVN9Bwiu7YUF+P8+uYWdBUv5Uq6UFNpf3v3si+gQ
/uqHw2SE49+uRgXIdrCYk2QeZnl6uTc74pl6pIB4mMLJbYdnhyGBHONtG7lr
12KYcHB7ZK84DjUIB3S+9oM3ARvZUcb9N3EPnyGe81H0khLPKO/r3DkJTNmj
nLQ+5qQ1dmmlYOYbd05eQ2Bwl2EjIcblQ0Vej+Ki4AACm4HoZGtippup4e8g
nzTiYuqncXBlPaMQAP702eNn0qGUAIcJfV4lGPzmYjGs7JetoOBwCzEZ2fUe
RGfbh/jdKzEThr47wT011amD6KUI27rp2PTJwPQT6WOud8oB0h1A7QVCEygu
wurmAXzhMaiA+hoY7RQZM1khhuhIaI4qMHi9GE6x88/YR/sDJ0obKY3rKCG2
tCjlPljkPeDgQjw0Y6G75ehs1w/khWQq1Xl4XG6C5Fu4uHT7HL9dC1QOg6Zh
CzTYCyD8f4uSWZxODf0GikS4MWJHqHaU9UY4ykHm+OG7CF+kWIAUeS/q+/+G
BoBBXlxtoUPk9OTyWx/sCLvzJJ72LzHu5rBI4mgTBAj7mh47NeBYICBhulcv
X74640vCcjSNhe2i+AHUuWjHZDjaPqLgJBujiJHysBLaNDrTONbAu/cHEQzC
fcnxqP0CT6VSxVsgiCP5isGBRhfkDMg0ynfiCx3Xc6clQ4NlqvXQDE6ixc8/
E4PApwby1ECeEqnb5m1kuH5CpvOTi0t0vZ9k79Miz1ih3MSD2nISjJxp1AMi
UxARW7GSlX3piEjPQdQHMBzD1fnmONrkLHo1SOzQke/t78PJmqwP72IqzIWL
c5sjB+SPlM1yWovUoQgBnnIlaqDnx5U7ekfgT9hyAvzQQB76HAfwUVYQfWzk
ZruZMlRTAgC8+ww/bshAHy1I4cmfD2oJJJqF4rN32UcX+DH15FtxmrWqX8ws
caXIwBgBCrqDcDw7fTj9Rgsw2EZa1l70zqpFQloh5YWBZIQjFVMaE4gVQt4O
ikfGNoyScpovGpLTJXuDDit2ZCZBvGUbez82D4WQ13YeDJAORbjGdE2s5UcG
9pHPgbNf2CUQ0h5EV3AzhyUGiYHWMImOtdQBklapScJOVnVCMM/ELTbURmzj
xiT8qE7Cv4g8IoLM8yYZ9oELvWOrhJeahSe0rCqFQ9rpsO5SowLTgljyYFRe
lt/pQPLBj+TSoLpIsuTqp6jXJCUWvv5aQoXflMl6L1q/wPCpuBiX0SGbrOnK
nHzAyG9Y/fs0uVmnOLz1C0+ZUEl1nb7znyd3CfsGdveeov+7/sDVIsUe8JnN
PODoFpKG6AQKepLknUM00ZUYnDGTQBDHDbTSBmycJapBzXfWMSI/LWXdarx/
Mniure1pGzxyfSvW9+66fOsj7XsjSYdfk2FDOhC5ZIki+KFw66VZLYcxoSTP
oSllrRkfehp293bQ2YTKq9pSIvKpWk+qzGqslzQpdXIGQlSPhUlou+Svyzn2
5D2bKHjBzlql7ISLf0TxFUKgk+XFO3vZR9dxWmhyCGjfGHIzFtGTXMg0i5me
54OVG3WFo3oxnngaaki4q84XAoncjlE+Xcyy0qjI5grBMiiJgCmZ+hziRr0W
lvY5vgluFeANHHVhGLSm3lXJjE+Z3jEVWrL03xcJQKVS440b2pKoFqfpxzgI
9bOU4ix2Xfg1s1gaIHYK0qBih3kA7iB+6aT6ai7NYOKFjtHqotFHlB3fI6Py
Vex/xiGQttyCFxwvfWsnOuuCDGI2EL1OpdDO5BGNU0nMl/fJBgVixFOEMUgT
uOmbhJDWXQNNOU2yK7iru4RcDjLDo02C8UOTYLRM/nR//zFND8v4ksO/8XNZ
E367yqr2gqsKU9fGQq4o9Ldgj8KqM3ovBadfsv0p5yPC2wIDJqjFO3ndZSoW
Yy9FlU5LtTQ4aEratYOjgk1E16yQbq4n3TpNf0ffP77f02pH9N2c2pSRoYs9
aOb+OOKCv5rGfHM0IoxqhjONF+NlphOKAEs+wMKMe9Ks0yQ+pFlasSV5ns8X
bKEWT6WmcBC9Wlo2ggMCHtXz693c8br40pH6v1R6WakOwH+m4FJnuA8nWKzE
D3x4CAJxw3YHjTwiaOmpT2kleFj+QpO2mm9qpS5sD1+a3fGFf9FdVaFteWSb
wS069MG4G27QWvH3eEQhs0I72BvE6ZWc+IJ+8aspO9NjmwQ7iE6wFbxbc0fY
EzE+Tj7wAoTlTMplia/q1qHEQzxkOFWyNlAxDfYdWKOoKfXBx55I91ZY+cbv
NwjwehbWiosFs8hkgDtgkgG3F2t1UaG7XyvpuHUJR0uBDyYZ3uUAfOGigGLU
d2/D2tqKikAbn+Lwn4ZsTN6sIjGEPsz1TeaNAIvkUXkUv7c0KlB5JPIKSaDL
HP7CmIUrrKYAmOGQBJzAJOuyZAkPX2v60zTPSTydYObLkKs7ECGAL/Fzn2fq
++yrBw5boohb5vyWHZW9+OViiHI85U1g0nm1GGPEgQCMjwE1UXkPw/c4es+z
69bsAqwEEJl6TaHq5b8vYo7at/OjE1KE64GcTBIUu9GoUC4mEzyUrIrqkcRh
ByxZ3EpOthHAkj1W5VvOCMSUZEll4vhpDcuOpwC48a1rn2Fri4zFEfjwIIaN
Tm8lbEOFZuD50/x2prUyk+gnKlBZxZRTURdMaMupmpUJ2STqcL4oQOBN1Kqf
l5RLblnYAG2cqnNR3hYRCxFxBdQaTFZKwSpnAvaKeCmCtBijLirmryScilUN
rpRktBndeFCfRJZGBIcmadXieS+M9qLZmWFVs4trxC1163gwbSRUNeE1Gu8J
36sS2gSCuLCJT/dU+1S7keXgWZJwE1oKBW3BUwzUYJ56ay+6wSG+xcpb6VBO
fCJgr50bNGuyOBmzbQ1SzaXCNep19I4DcXISjyqD0Kx2x3KEeCL2xC9Ju1fC
hiQu4TuEkWA8Qtz6OKpu+CxBRxDVoCJoyHgwNhIDZ+fViYYg9FndhCy9WBpy
k6RXSH1jzAIsK0q3m2Hsn2OLMKPLkHi2WJxAoqPSn2j+cUL9NkAKIoODXmYq
YyNmVqdWiDM61zlg3Zs+13hjHBnOst/vR2iXRj+91UIvOHuQIN2sjXyMCXVo
oe2oMoMR6ek0cYImUZVdiLkHAy2T5VEylJFVd6G5Ek44ckZTNT6t+kwjxo6M
Q7NY4vApbrKtUs+yMj021FmTzzn3QyTudrj2QVwCnmjiojueTNH8y+msItqc
tgfOXnNSH4fEcdmkMGyXFzjqKd0DUNmwFzfi3IeRJi+YjCaKiApXNyJdOhif
02tZL80lu9MqB6Q0oA9Vi/6GM/QpC9cQZS58U8+ab/hmXJwBkT9lXv8uSeZ+
OpEX6SUFALhsAo0wArKxwNnceju8aJJ9Y3xgEH3DkGYyCV8GomaB5iTvydZG
JaboAYpRqlKkIG0YrDF8hO8pR4Y6aJ07od0okh9SvohJC0CAc7hua3gbTUN2
ICfzUMgOx32GT7rnkBS6lpQldaupTyQu08ZbwqsIt22od1c8YThGkSKZuNQV
JkM6ACfSjIBSAmcCEn2yJqFkmPUp4eTmTRZS+zClZKj4NycMEHNYiG2NFmJe
fKO5sHBRVdY0PcjUmTaZaj0RbooyMoqIPXRx4eVz0N2OUVSGgUnDkniS/gUQ
KqJp0YXWzOpmGUraOBUjME4JqnZcpLlfWcvPnCATjtLIrV4wBV3LU8iqkT9T
vRP2etKONC0alc2cNacEs8CbBcH850M0dc4bsUzDy0wNVJ0JMTTAlRuVKkwM
YVduI1z3RZFpgquiRC2Ib2n5NbabuznLNtJTawh5bDyE7ivtsefZY4lGdaXm
O4lzHQ+zpWZpTkKVU3KmIsQtIlCfuayxuqA5RvpF8KghzEIF22DVQErX8UsA
BBA4KYwsPz98QWaeco4u9yYKg/qNWQicFi52kznFclVUwiYDfL3KOcCa5QcT
jOAGxqwaS2iiBVTy9xDU1Gv0cre4gq2xt7XyUEoo+IBkpHTYOrqHxpJBqEYu
VKlAfubz4Oqy443OirIGixGNm1axvvqFEJXJigMqs4nkbqxJ2e6M7Y2SR0dx
czOYLzGiOpv+3pyfupGNgLRaEPetVI3iBhr6oaQ2usHKlHZQ1JojrIT2m5QN
SqV5dTIJiOusvbpllQUQKKpV5175Frnrkv2uti7AQLdli4R2H2BcdhR9d3IZ
/W57Xv5/7V1rchvJkf7PU7TpiCU4C0AAKFIa6uHgkNAIHonUgJTGsw6bbhJN
smMANAINSKRlOmJPsr99gb2Ab7In2cpXVVb1A6Bm5sc6dqxwEEA/6pGVlZmV
+X2PUNXmv5svXmTpZXveXiQTLLIEjhm8EkqVZ4v9aG+38/RJ1NDSj4sKxR1z
qUiC+AVIF8RLB78IKQpXPQ/umY+u9vFs5o/Ri+j5zWIBDGy8+CE57xFtStSJ
FgSWXzY3VLYS7SN4s+vro25v57F/HV7rCVr0nPne/tjrdLr7o4un+/vdP1Xf
xaaTvevqamd3f6ezr+7u7dTcT5i/m08uNv/859t8tL9/k9x+k5qd+a5wC5NE
bHa6e512e/X1iu9hs7e71+3srnMXl9Ru9jq73Z751+nKPYKC/sZs795tf9qg
/w+JggpbgOR+lTjB2uhBcwVMleiUjRTI/fqBdrtgC3XwaTjl9pXGNE1mBetW
In1s3oKF9ysZthp5g5zFmyT+mGJIy+L8McAQBRYjLM5JZ/HYJ8DJiR3U+GSu
c9BEvyEjAmWaJpCNYIbMvAiCVcIKY80lwTSCPKUANxH2EXC+II46yaaQ5cZI
JfAEGKvGZZZDyR0hDVL4ITdWCLhPRqlebUfgXYHrFkGgdfoTxly51W6WcnSB
JJS2nI0gOIr4dmlu3EQIsFrdOsVjo2RKSTNvsmH8w8Ex1UldwX5PQWGZJtS7
lwsEmCqfsTanYilvXgrOHU3fsR5/gktcZW778QHKVJSxHiUXS0SEtjFeCyHl
kKrMSBh5meMhFxeMEWIDnCe7zqhCInAnzdBTAfyK6pZTjFRM1cClHM2CAaSo
kAv6Ke8efEuAphtBRbFb0EE4BKJ0nzyzjqCFpVDWvhYNU6juYmA/nDBelFCk
OSXeQEeAhXfCRmQkrHLTDEzilaNRvj3S1tgGs7mFbYF9KXk0AaseROB3qKtf
7D3ee/zS2/a8Le+LGHmNwbxRTmMbqmf+7494sRgs0aOKy6JWtwmcpGiJtdJR
1GoFpiHSm25WPyC62YKtrGO2sk7pf/HFlnkDIIO00lnlc/5U2GeCjrCS/vU6
crMFW3Ons9Mp709vZ6u5Rkeiva75H5Dlgu3+4O7ebD3B8XJw/xWPwCeUUPLe
bNH2397tPb3EFifjVI6SkPbLGNmPNkrJdM1UshnQfnwVd+vvZjuA3gxEuM4g
2Liv2eo9zbDOho9L9pTk2NPLkvCtNijRqPkUFTBvTxn+LWAgHJQVf5mKiqek
XOrNbjz15sgMvieMTrHStvqG/UX/WayCjEuD2URMegePncDZO3lMMaDv2yo5
DuleLkJg3d9G7/JkOcpaePQHkzRE9+pQ1RIechjC26BmdBucUbiaQo5AyEXK
HfdOu8wYqNu1mxaPr8GLu5nkvrNaWeUtsZIc9f7KSu4iQI2KyZd1qUVqw8N7
oi2FG2qbyPoFT6CCYH/Ng7EyjPOKvJcwYtYEK0uhg3JArW5wNe6vUszMXd0d
Gq01uiNEMyke4ENiFvXvFPq3UhJk2PydMJ3OlmbDgi03+t7ohkfRB01D+arf
P/rm4PC71tHgw+CoP+S0F6u+4LY3/cHp+2H//Gzwto9POOq/Onj/5uycfyBz
HaooAOulSknCf+be5RQz/kBLzNPRKJlubGTLBbaRyqw24JXDg+Oj87eDYyDp
fKa+OfiD+abR+/P321Er6tIvA/OV8ZhH2YRTCxtyd9Petf3MPPcqaphrzRO3
o8/YSCJluhJaCXnMK/i60WlGXbgNLoRqMjNF5gqI7uKnhvkNflq0jdtxMB2d
gm/RsM/6yhs1vvYTHPc1frNop3n/dgan441teQVbLKDh+DX8jbzIjN2Asnfg
vBMwQk6OUehRNU3i23SynMiVx1nL1gc4bDRwkLi+KTLbBb2YC3PM9/xe+qJx
8s1pf/hBmm5+ho42OvzZNBM+87XmV+lH4TmhhD30gfTDdNQ4HX5AduxmBH8h
PfazYNMK10zjxC7nD7Sct9deR56W+L++prAvHuNZ9H5wfHb+zeDMzNbh64Mh
/vkVHnlnVw19pawdPmMxFk7DLD+zjhbzZfL/S+lfaCltXGTZOFLzjAIuU4xD
HjW+j16+sMIjv6FYg4yYUWxsR79BJUvnK9FVPM6TZ/ay76OWu5++vsf/96Rz
AvUiL6K/Nxp/7yy3o+fPTTuelV9m/nxB1/9bRO+XYcDXyyW4kxTVBduoa26x
vJVXq4PDk/fHZ7igDwm8vnDY6KmBt7T2gSQKEpFUegphP6GA+Xcc/OH88OT4
1WD49uBscHJ8/sPB4MzpByuq2nzFl7wtZ2JGRMzpyGkMeMlx/4dz7Anc+B5D
OaNiR2irPjKj//gZdgM4rKaS2k+7dv9s+OP5cf8PZ+dnr4f909cnb+j6DVIY
hwfHh/033m+ddu8ZPfkY5/W2wWMKKgQFkr++TNJxY5xd9xrHxqF5u73djGAF
VC3CksUjCwdEa0OPSmH5PEdjD7QFOhJ6ADmF+mX4ACOI3w7f8TKDv3iZbVRo
QF/7lU7zNg4zlrYvuhtVKtBe0mNbCgLmTrR0fiW6AD7gqNtp+IReQYh2KX7X
azLIEqOmuFtqdj/SrRQB6rzkGe6bpg2NgkeLjpp+xEg2ieBrSj5YhZcH95Bz
d7sgyZTYo2SBWfQq3MUaQzYB//a3qAFi1H9k7MTjR/3t6GWpuG6Ljnt+XPIK
PqvFt5e38KVROonRgNVPoY52O1VdhCdANw+R0i1xWQb4EIGe2rDq5/zd0GyU
MOtMoOEzz4fr+CUtK7fmX3iP+XczZn1jbR9vm1V2VJglS+KRcR5OeeQcx969
4nlh5dtRPqx5yktPs6M+3+AP9tnPAhUv3jdFK04BXZjAe22aEm8BgH5ZBT1M
MYsC2DAd+02RZKEFdL5IWkPNRtnIl+lCaPmg7v0mneVecusvAlhcw3PjI4eF
2W02GYkSJ6B7jL+ngPYA57n4SozASHRGiVUFlpfG8uWEXainv0PaBjUEXsYE
vSmE7NbAXD5h0xrn4KuyOQKIU2H5KgQ5vDQh6oEtkaxryCy+MxvfyK9ac2n3
lP0LggUhKHxifIEhPBXT8hqzqrzrq2hLcUVv7XOmDmcUpBq0p8n0FXYObJ4z
Swmd7mhyEZVR5gHGaYxZKOAhA1lwopkKF5J/zD9STjHWMSSWvwcfd06POx+A
hXUuQPFG1ADezzY3mB4p091r78DD1kBRJ4A2YNYc5UrSy18bojwVYmCuTLhn
C4UJqJdGoSQbUuExKF7h9YaBaw9wykZNhbSIJ4MlIhTyjYVzVYZe0CS0oS8a
Xeq1kcNJvtWMthDg5nYwwr+ZKR7+duTu8EkY2bfI1thSROpbUnNsx0rqr2QU
7BuB4p6TTPJ4vCi58+DH4o2Qk7SF/TinMyLTWLti1p8Xy4pXeIFLJZpmvgrL
XVUCHanpLO6D/sFRdCBRQ4xD8y/v4nT+KTUdA0q3g+t5Qm2112puEeECBzmE
AgJ9nO44O1kd2wNo/9B5Ju+bcCzZW/xxCHfw1JOUCvhmApHz33fJFk+MLJCA
v0WkeFKqFQTWYXFJfihhZ+2zJAwk+WsyyaZW0PVcVq0GRp+xSsufBAfgYi9Y
PRdcmQLKjvclGSijMEhlrDVYwX2ddW7clrVxMCYv2pqwDoKGiFpwg79YpmO7
w8NhAY+SEMWcxzGkVUDtH+LYkQ2C2AkWp8whi+K7fBbHkolshqOy0368Vtdo
quza3jLq4zxO4hFrAPgogntuVNV5LJPjk7a78xBzo7Hp7uQkyZoxqFTZGKTd
6y/T5Xj8l6jRub3aI87arXz+8Rz0W/WWe3G3SLiytandI7SmBJyULmLAy5JE
t7WZF721UrYJ1b0SFiISOlhxIaWl0vvYmHY6XatMzwZx4+NA5kpGqQgsWDdg
nNAxOHI5mirHuIrhciu5TcNXe2YJHoQB5Stkn4zTq0QIHeGH0DLlrz072UN2
xAHSQ+H0RrOkvzrUlRDbSKRKwI0Bjbnni/xhzQSA8AT4yXJNIKpQi+lHnzqE
PUl8rj++lm3YKxcJX5pgiMJsO+9nmcaRr7SUAwRJnCk9XNZ3EexbdhrwRaoW
pGIQoPB8ZFVbsfPFefMbYIki1MA4nG8lenBoPU7RCfyEWVCRMPxBOMlShCEl
/Ti7/IkE+/3ZYZMypcqcIyyzKvEc9lmmZytles1R+qUlmgUZATnslxgKhOgq
VTlafDYt61L5X5gntGa7Xz/ptDpd8++s09nHf/8BQ6jLhWyr4XuIuzyiaiCz
wjIEFxgnxnezC8PLIBc30D0EjmyPlxPT58sjTHTTtnFP4IF2u1/T+feVX/fz
xTJhFxtOspJGtBwTYUioWlRKpLg1aKSKWRc+lD2zvCAtfoJkIDTVufIeSqmU
oHKlMiGho3xTxhmFIsB6MIOJFcnIXV+2ASqOYiBzZBJyvXB4yTheJ5+SCrPZ
6VUt80+9KgFjXFX3ePf5r47S3Nr5lPAKbECtK6QoGEW/hzDKMAhIPNybEqrq
snGRiCfTV7jE/QRzcsrDi4X9EpMT0eELLDc34+Vmv44JI6qHcE6zGc+PQT9E
zRiwpLE0KnqRirrUZc5qPijA+Jg8JBzBiSteQam3eFfZmorhQK8mK9TMwxEr
s4RJoLNPjk8A1moOjF45mzCBI44JxHG0maeYD0fzs0nBOtm6hbDBvkoiLpFQ
tk4jwdDkVtoxtBH+UO0rM57G2vS6NmE6wK3f2DhFqpPaJVhYTtTIamvWL/DQ
ADyovKzBHfrqpYIk7dEm8tb1pPwJ5e4OgesxnzrD/IPQWxQ5m6/qSrVXcNQ/
1OUBEpeQ8cCV1hZMdh/dw3HU0x02YKHi4N7Wnwvl9UckUkEJoghFiYlZOfJE
QyFcNJw8HWE9K/mhxDLg9Hwwji5IUTWY5ZypBAyywGTQvIR/rchMEjJFcWxI
huvgRz8LXx8f+CZTEJovE4y6/gidC/ibqzpWOakybXVTU2EC0kz5kkAZj5qP
XWU/mkagma/sBp7LipA+zJlUu9U1UJzMwFBppFdi/mxrE0kb7PtlA5MvspkK
mZYdNeB1dUdbAv4DsWicisJi4MTKqkMIXb9uQzu1VzlrAMmN9apHPL6ciXpK
qI3I+EQkY9Jwc1VQHQSP/aiMNR0LlCoUZWsVRpfPN5UH8TZGDOJTDOO1V99m
9k3ZDAWNkraMgYOnb3ybjoxVhBAxOcKGo8ZzyrTba6+3qZe0B9Z4ZS/i8cIu
N21PryNV5sGWmITLaLx50iaZeYlFMSg+7kYM9IAuCgv/iUarWGlCY6ScbaMZ
dtudnahxSpVJ0fupPaTcFhVJLUwddXKzzEYUlzj0C8KgEyUUceq0X7Bb5TQ8
hKaDQff41iJnipT7XCaEczVY+Ii73hGdIrCAZWOuAWkkfHDxhjAJoFzBOXCp
ZzD9/DoQgkz496QMlqOVVCOg9Fcu/HFoJLnimOD8IJ1MlguNqyK1yVq6JEJk
4RGDQcLVr2t2zop7cQUWTaqsYOXPnfDpMOPdF9c8F6NBPj8bsqeYom86zPj1
pm3vQHrMcA4+hFsqcWM42mJR3NIEuEbd7ccDOUPFy5IIeWMR+E1OScZJ/LHk
GB5hWzNMp3E14SVl/GqR2rFCdCXqlLKuJhwBkxdTGcIUCiHjsQp6kr82BUHw
wKIVOJHH5PVQ1bitjouyKaClfcqIIJzRRl1PiU/VNU3HGFXE0JIvwfdHmr6K
M3gtezqn5DMkSmCd2bIHBAmbXKTemQZIFbjIBQMyD145lF94fFbwaW0XdNlF
ZqGuJkYRoP4ljPkFchM6P1DBTNOA2XAtGy539DCafHyJbzy5mBaDXQO/AMHl
ARgb+NNYyoCkWlPSoIhZYiyCqi2J4YjShcRpizsJQcjUGUK/ioEjp/zE/Wxl
DYnFlsiy4rN7SemNJtDB45sK5tGyNBnI9YkLbD4SqAIosE/xfOS4b9GGmnvf
CYjCsP/9+8GwfySnpzAvVMpKLxYSdeduF+EfAieZkF2g7cAK7D0Awde9TXIt
Dvkzf6rNMgc6JDF6ZCiN7U3KiYVowuGcUiSM0P2BZpZFXYos8FQgxSt2aPFR
yhds9Pm39UuVcp6ySQ1FPMGOsKSMSbYReS+mMlx7NM4VrTei+5NbAIuqg3Wh
SS/FxFmFUCsE75mUSuNxuAY6qq6FflXgdZU+cIbZDDFUplfpNXI1ujPg6r5Q
ugFop0l8h7xfAl2IugXgVD+iArG4ZFZ+CZeMlUMNHh6rVaaTKOCvUY6aNwu1
7JAWZC0wmOom7FOM9ep5QvywIzKQpsVBVJHGcqyBonaEvZjmkoMO1RM4CEKr
4kGuSvFbh6jT+sf+oQ7xpTDDZDaF4mzQpWU7cxGOB6DWEDNYdErx7EqzmpXl
E1r0wHRKeOtYnQndHS3Z6HWuRs0UVmD4aSJZqewLTNoyeeD1ggQfHrSblgf0
qXOwvEA9G9caMsMUunY7gg2ZfAU0WspXYaYPZnK33i4RIg3jyb/K8qpI/bnE
EHwwFy6EVegl7A/O5xUFWrEb1YjNMkctrCce3RE3f6U7AWOOEmaPrBfByaId
t1ZTW0hX+5qqaByesiBIg5GqUbIeVAhnvOpT79JuFHanyzFh5uKrkK/Fnkbe
4GQjLrw1zmObCwA0J4yRjg8wY335k/d405zsGk4cfXwy681NMgkGLTIS0CS3
nJYYWkb4DsjKaF3ctTA7A6LO8TzN3fJyhwcsJ+bDMkClb0kcWfJfyWW4cIyM
hCwxvtuP0m3yCpYw0cAKgMGLZ1Hq/cC1Wc/IJ5XfLtOZkX0MJ9kjC2kWZ+YW
zvCDUbJnJuX2CIA6ThM57MGIMKGFQ+88U6XglRR1pnUOhWodPD9vY2CzkXE3
UsEsz4xc5IyiQknW4jl6ilDBI8qhKbntqFroSOOOX2WnCD3tOkxPeKU9d6g6
xxOU7pBl2D9Wq402pDmxs5shpXRZhVdv1Za2qpqM4HxJARmrWcpnEs/SIUsE
sIhp3yOMQWa0yAjSGf2zSl/CTMcyt56sk6iEwOSZN6mml83qYBjYYS56VIgX
rZvzHunkBNu0+nnTSfolb6adROVL5KsnR0Gc2qXJK4mGDkrNKjWml9MgOiOv
G7sx1QSJaqadK65e1XG9cewibApW1D9XXwkyyjkhCBtp0UYxoUoByTKIFa29
dBYzHXelL3tGC63Egn0QJiwCo1D2jUJxorasY9T6vO8VO/jrxDosK8ayBJYV
4l+FYVrT3i45Q2XXnjTG4q4UoZOyw2mXvasQnTJbF8EVzXbN0S9UQkbWdaQM
ElWjximEz/hWdxSyLYVH5mdJjLKJDirdoCqyVtYmCbMEJjq1F6CdIiqIEbOs
PHzG8WR2tZWvTxka7NXmoV8gXrd7uRelIYzsWkUbkrN/mfnZjk7o+XTgadY7
gmESwVhMWeU2sJSxiBGBvbP/v8zTkPG3W76kwBs/wTzFImg6CBxnVgRo22cg
G1coyunUj2M5YM1QHpUfIscZHDytCJQi7nwImovMHyou8POnpGlpsQk4DYe8
5Ai2yDkyyoAxxTolVd3Ig6hKzRzlzjasikmDeq+qIbz3ck5omfupkzb5uS57
wk+1EZ9ZbcglxUT2ptVlK5RCypU3YSHHg4p+zGOMwetKaMryQVVGdzssD/OB
V79Ys7mW3MT5DdcU1WamBoxbNY2CJyocn6p0+zUUZ/gesC1zjyIQHrqJOCOb
TC0mI7F5eHLadwUm+aZibWOqaXNB212A02Mt7Sblma2S3ubDipV+tZIkiwP/
RUVCJQVCv2R10Mpes+FSVfuzdg3Pv34Bz88q2EHergfU66APVGHAuVhSrQ/A
bF1rHvcCgU6+KB5TfYHpA7xKXDcn+22tkhE6JZUrg9uGJhOC0VvOdAxL8Wm5
0M84oxgTzMvIi2c698MaI/7edJM5mqOKYHkcYlN47/4yT42omTAdWjv1qWd0
hr49++mFVu5b1pTacacgFF8KkIWrjUG29CSIVxhZl7aF7t8ilyMYCG38nAhx
kCRn5dWsHtOWeJoYBQMJBkuYAtB7xugdV8yf9W2CaaTuFeBdXQCglilhSuVQ
yLQG2l+voPWWAar88ohMFRsJ9yaUR3optlsnQcuJXpWIrsNnQa+E1RgOXhgl
lHhbzOxRtYG3pkvR3w9isGUHkc3SyHDD+anW2i/tK6PpN7KZZFVRHBYshcAN
x2PfI6EcI8whgr+EgIkk4bYoGS+/3/i8bzx/41Sm0/nV5T1COTHEW9TqPkYm
5e5u9Ft5QPex+XgPMy9wRjkAIC8AtxoBiYtDhVmNZp8dQYwtvrAkLy5RK9Ux
UFKZeZvuUkElPCRBrOz3R+/MgIwkZuc/Mz0fEdNq5XO/ir5JbmKzx88fedSN
BduLEcwippTzAzEhNcqWQ5TVMTw6OigbF6sjKu503G66GqbKoSFOZ9NP10Qe
+LcSmHcx7oL9sb9OmBgInSHo646wyitamu7L5BYOQFFm8aSs2hHG9r9Kb80j
D4+O3sBg26xt6sc7hvyoqUZgoXFMGFk8O1+OZlQqezCCMTyZ8XSbJh160992
Yh1Zuvi8ZGAJ52IEGPCYlzwB+51cxHawgnZoBT1WK2jHfLxXD4WzAFn982yc
lJ/rInyqsuRtRivJ0Ovvjl4p8zisKUoDAhH0Czx//fXbg0P3AHzut0TPirCP
3iqHuy0MmkX1a70yxgsk9bSOUvBm5pIPSEAzwEKDaY3m9eGVbX84eJumHFLq
bjz6aN4fM189KYT6YyDmBgbdNoqWU8H+v6PsPhSbcTy9XsLBssgeDy3i93hl
ECTLzMkTLp62Voe/lOD0SHB2lOD0zEcSHEJRB/vNPOAWNi3qJmYNke6CGK5l
nhzN46tFy/kMNoLrZzW04Gl3wWTEH7N0FLN+BdqC1jiDkx+OanM/0YuaeIaw
5HtTezbfT1M8exvKpq9Tz98PB9vRKeKXG7dbswvfUdLAxV2hEzdmqFu9PZ7n
j0gxx6yYd0ZUbq21sVVLyL0VRAFg4PwG1BGuE2/s8vqaLF4iDYVZppZYDGit
UVmeyl7CK4YydfPNOsnqryVGXRKjnhKjrvlIYnRDOFvo1iGhDOygBEXF2dNY
H0LRUxXYwUJjmnYQDiMVZiuuLUJfMLOZ0DkFPOkWvwCDsA0LZN903EjbMmyH
w4Hd6blylUWANAxB3AgEDhI8eZA44DfE2udXclUVh3vAgHdowLtqwDvmIw74
EZnV8+UYj9cdUkRZkJSO6tDescsV23HEYVI7U85ksFzmNZBZpNorqBhtao53
kChciRZXDbUN2f+E/+pBpCO7hWXQY69kDrm8AKllVczbdAqyhGo3tdwYP09t
dr6m4e+44e98bT7eO+tCeMjpEC4nKEfTUYh4WZIPT6mUU6LrVXxZtCO+uAdP
sQemI64HT83He90iVeOACAaUE3sIPGEoAm5hOVVFmoo7Dw46xarQgTHtgagF
el6yo8BVBeR6x8LpGkPb+yzLUy7noKjfdJ39+ZXMvtpgOeNB8kmMCYl66mcO
6xMa1qdqWJ+Yj0owULmA6YnnEARdh8WwsNOhM2GHnfQBpgNxFQtpP+NmqjuY
7xkySGGsTc9H6ZwmwNptWEJm7WlePZX1mLkcJRTMj0MbiYIcp9yxvpkmLQEN
QlTD+nabsshBvpcTu7pxDdtEFoFvxjpt8+yfkoV1GoStjeKqsvLfCfMNH43J
SZB5+jt89OE8hX2GPpBZ0OLqlZK3CE34mIgFptm0hQH1nOcFUC4gc1nVHiF0
S0WVKfsBOW+HUPxIGUBjUqghiMPqZw1ILkfWqSlIPEx6KO+0DAom2cNFf49E
/4kS/T3z8d75RHBgH7HbrK3KsmDQFwhR+UvILoJUDciSv/MrDgLds+Ixy2nw
IKuzVCpD04HqhIGYVFEIoxKkg2vZ9zIqu5/K1JanXWid6LZkY5RI+62yq9oz
1rIwOrs0nXtqOnfNx8ClrNTdEitGwZKoPEppsVX7UaEmhKJo8YL5s6PN61nL
2BGb67efgkodFVTqPDYf71U4sWR+Vow+RtHmCZ0LrQqoerHOsRFaEe7iOqPV
4OUX6z1QufC4GyAB76UdraAf60kBqVzP26S5ghVfUPzrjTmFIToqDNHZMR+V
CqBCZzGOqNeYZ2K2dfHxyi78CIWsVBClC6U+mnGJ7Si5YxKMA7BAbpmR5K0S
rHT4BKX3JVstvXk2J+73dC7H8YAbgePuovYVoy4L0xvWNe91k4xFKBI9Shju
1FK6FRJ/K4ptHjBvFAXoqChAp2c+kjcBD53SNAjEWDXoByafoXQyWIwImk59
LQ/gRh44C6vRsrqKNjfrcol0t+IC2J3MW0YcP3iEmwq0TtXJhsNAXmxHebEA
UtW7L9kWoddlOwi+YvBO2VbGs5upIGwx/RITgDlSuCryemzWhLtzC0qYIaJ7
TqUzW7WeGT7gRGfCfKIsd64upDOKCgtDzPolEwh78ewM8pS5gKUmbe8rsLQC
sJAKQy5WBsnw1eHTbm8vIhHPxtn13c/f3ch/7ij/uQOQZDjVpxyYAyWsihz9
sk7vyFhQfSQtVZaod7te65INoMLwNvKJUlx65k4hyrrgQWi8YYFfNdAJcYjW
5Y3hPiZpXnpDAEn0tBxPWbOIMhXXu2g1Hlq98RkdXMLxLAB2kaJGQhD6bpTg
d3DwxC54MnqxOUUSW1iHFPDJqUYfEyYB0ean6PPnz4fxHCv4voEVNJ3eQy6N
+fq7cbzMo9fxfPFTIt/9PgbL/Pfp5J//mCZ/lW8PRrApRd/FZNHI12+NNXOT
Gm39XWbkJr+8+Z///Id9UHYDTkmy/Od/RXBdnmf2xebxELOM45F882Y5+pRe
m+WYLuilVKL7+dt//rdxyQE0P4bsK/OTKIQUAYYmNqx/xWY0Z4Ain18WIOg4
qBg43YLcY7JeXArj6SfQ+1t5NDAeKBs+B9fJ9PIu+jA4Pj75cGCzgQ4T0Aot
ZFMwswipazlEEs4Gp32CyTv88d2wf3pKp+/8gte9Tq8j10eng1eD09Zr8LEa
35qOLiKbYRJ9vdvb2+1ttzf+Fz/tWqAoYgIA

-->

</rfc>
