<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-lake-ra-06" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="RA-EDHOC">Remote attestation over EDHOC</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-lake-ra-06"/>
    <author initials="Y." surname="Song" fullname="Yuxuan Song">
      <organization>Inria</organization>
      <address>
        <email>yuxuan.song@inria.fr</email>
      </address>
    </author>
    <author initials="G." surname="Selander" fullname="Göran Selander">
      <organization>Ericsson AB</organization>
      <address>
        <email>goran.selander@ericsson.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Lightweight Authenticated Key Exchange</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 60?>

<t>This document specifies how to perform remote attestation as part of the lightweight authenticated Diffie-Hellman key exchange protocol EDHOC (Ephemeral Diffie-Hellman Over COSE), based on the Remote ATtestation procedureS (RATS) architecture.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://lake-wg.github.io/ra/draft-ietf-lake-ra.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-lake-ra/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Lightweight Authenticated Key Exchange Working Group mailing list (<eref target="mailto:lake@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/lake/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/lake/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/lake-wg/ra"/>.</t>
    </note>
  </front>
  <middle>
    <?line 64?>

<section anchor="introduction">
      <name>Introduction</name>
      <!--Discuss remote attestation and mention some use cases.-->
<t>Remote attestation is a security process that verifies and confirms the integrity and trustworthiness of a remote target (e.g., device, system, group of devices) in the network.
This process helps establish a level of trust in the remote system, e.g., before allowing the device to join the network or get access to some sensitive information and resources.
The use cases that require remote attestation include secure boot and firmware management, cloud computing, network access control, etc.</t>
      <!--Summarize RATS architecture {{RFC9334}} and main roles.-->
<t>The IETF working group Remote ATtestation procedureS (RATS) has defined an architecture <xref target="RFC9334"/> for remote attestation.
The three main roles in the RATS architecture are the Attester, the Verifier and the Relying Party.
The Attester generates evidence (a set of claims) concerning its identity and integrity, which must be appraised by the Verifier for its validity.
Then, the Verifier produces the attestation result, which is consequently used by the Relying Party for the purposes of reliably applying application-specific actions.</t>
      <!--Discuss the two RATS models and say that this specification supports both models.-->
<t>One type of interaction model defined in the RATS architecture is called the background-check model.
It resembles the procedure of how employers perform background checks to determine the prospective employee's trustworthiness, by contacting the respective organization that issues a report.
In this case, the employer acts as the Relying Party, the employee acts as the Attester and the organization acts as the Verifier.
The Attester conveys evidence directly to the Relying Party and the Relying Party forwards the evidence to the Verifier for appraisal.
Once the attestation result is computed by the Verifier, it is sent back to the Relying Party to decide what action to take based on the attestation result.
Another model is called the passport model, where the Attester communicates directly with the Verifier.
The Attester presents the evidence to the Verifier and gets an attestation result from the Verifier.
Then the Attester conveys the attestation result to the Relying Party.
This specification employs both the RATS background-check model and the passport model.</t>
      <t>This document specifies the protocol between the Attester and the Relying Party.
The details of the protocol between the Relying Party and the Verifier in the background-check model, and the protocol between the Attester and the Verifier in the passport model are out of scope.
The establishment of the secure association may be provided by EDHOC, TLS, and the communication may be secured through protocols such as OSCORE, TLS or other security protocols that support secure message exchange with the Verifier.</t>
      <!--Discuss EAT-->
<t>One way of conveying attestation evidence or the attestation result is the Entity Attestation Token (EAT) <xref target="RFC9711"/>.
It provides an attested claims set which can be used to determine a level of trustworthiness.
This specification relies on the EAT as the format for attestation evidence and the attestation result.</t>
      <!--Summarize EDHOC {{RFC9528}}. Mention EAD fields of EDHOC.-->
<t>Ephemeral Diffie-Hellman over COSE (EDHOC) <xref target="RFC9528"/> is a lightweight authenticated key exchange protocol for highly constrained networks.
In EDHOC, the two parties involved in the key exchange are referred to as the Initiator (I) and the Responder (R).
EDHOC supports the transport of external authorization data, through the dedicated EAD fields.
This specification delivers EAT through EDHOC.
Specifically, EAT is transported as an EAD item.
This specification also defines new EAD items needed to perform remote attestation over EDHOC in <xref target="bg"/> and <xref target="pp"/>.</t>
      <!--Discuss implementation aspects such as the internal attestation service running on the Attester.
Root of trust. Separation between secure and non-secure worlds.-->
<t>For the generation of evidence, the Attester incorporates an internal attestation service, including a specific trusted element known as the "root of trust".
Root of trust serves as the starting point for establishing and validating the trustworthiness appraisals of other components on the system.
The measurements signed by the attestation service are referred to as the Evidence.
The signing is requested through an attestation API.
How the components are separated between the secure and non-secure worlds on a target is out of scope of this specification.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>The reader is assumed to be familiar with the terms and concepts defined in EDHOC <xref target="RFC9528"/>, RATS architecture <xref target="RFC9334"/> and CBOR <xref target="RFC8949"/>.</t>
    </section>
    <section anchor="overview">
      <name>Overview</name>
      <t>EDHOC provides the benefit of minimal message overhead and reduced round trips for lightweight authentication between an Initiator and a Responder.
However, authentication ensures only identity-level security, and additional integrity assurance may be required through remote attestation.
This specification describes how to perform remote attestation over the EDHOC protocol, following the RATS architecture.
More importantly, by integrating remote attestation with EDHOC, attestation can be run in parallel with authentication, improving the efficiency and maintaining lightweight properties.</t>
      <t>Remote attestation protocol elements are carried within EDHOC's External Authorization Data (EAD) fields.
EDHOC <xref target="RFC9528"/> supports one or more EAD items in each EAD field.</t>
      <t>The Attester can act as either the EDHOC Initiator or the EDHOC Responder, depending on the attesting target.
In the background-check model, the Attester exchanges evidence with the Relying Party during the EDHOC session.
In the passport model, the Attester exchanges the attestation result with the Relying Party during the EDHOC session.
<xref target="attestation-dimensions"/> defines two independent dimensions for performing remote attestation over EDHOC:</t>
      <ol spacing="normal" type="1"><li>
          <t>Target (see <xref target="iot"/>, <xref target="net"/>) defining the entity that undergoes the attestation process (EDHOC Initiator or EDHOC Responder), which could be a constrained device or not.</t>
        </li>
        <li>
          <t>Model (see <xref target="bg"/>, <xref target="pp"/>) defining the attestation model in use based on the RATS architecture (background-check model or passport model).</t>
        </li>
      </ol>
      <t>This document specifies the cases that are suited for constrained IoT environments.
See this document <xref target="I-D.ietf-iotops-7228bis"/> as a reference for classification of IoT devices.</t>
      <t>The remote attestation operation defined in this document preserves the properties of EDHOC:</t>
      <ol spacing="normal" type="1"><li>
          <t>The EDHOC protocol is not modified, the remote attestation elements are carried within EDHOC EAD fields.</t>
        </li>
        <li>
          <t>The attestation protocol is performed in parallel but does not interfere with the authentication flow.</t>
        </li>
        <li>
          <t>The privacy and security properties of EDHOC are not changed.</t>
        </li>
      </ol>
    </section>
    <section anchor="assumptions">
      <name>Assumptions</name>
      <t>In the background-check model, the Verifier is assumed to support verification of at least one evidence format provided by the Attester.
The Verifier is assumed to be provisioned with the Attester's attestation public key and the reference values required for evidence validation prior to the attestation procedure.
It is assumed that the Relying Party also has knowledge about the Attester, so it can narrow down the evidence type selection and send to the Attester only one format of the evidence type.</t>
      <t>In the passport model, the authentication credential of the Verifier is assumed to be stored at the Attester and the Relying Party.
Also, the Attester and the Relying Party consider the Verifier a trusted source of the issued attestation result that they obtain.
If timestamps are used to ensure freshness in the passport model, synchronized time between the Attester and Relying Party is assumed.
For detailed time considerations, refer to <xref section="A" sectionFormat="of" target="RFC9334"/>.
If a nonce is used to ensure freshness, the device that generates the nonce is assumed to be able to generate a random byte string that is not predictable.</t>
      <section anchor="reuse-of-edhoc">
        <name>Reuse of EDHOC</name>
        <t>This specification reuses several components of EDHOC.</t>
        <ul spacing="normal">
          <li>
            <t>EAD is the External Authorization Data message field of EDHOC messages, see <xref section="3.8" sectionFormat="of" target="RFC9528"/>.
This specification specifies four new EAD items in background-check model, and four new EAD items in passport model (see <xref target="attestation-dimensions"/>).</t>
          </li>
          <li>
            <t>ID_CRED_I is used to identify the authentication credential of the Initiator in the authentication session.</t>
          </li>
          <li>
            <t>EDHOC hash algorithm of the selected cipher suite is used to generate the attestation_binder_m3 (see <xref target="attestation-binder"/>) when Evidence is sent in EDHOC message_3.</t>
          </li>
          <li>
            <t>EDHOC_Exporter is used to generate the attestation_binder_m4 (see <xref target="attestation-binder"/>) when Evidence is sent in EDHOC message_4.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="attestation-dimensions">
      <name>Remote Attestation in EDHOC</name>
      <t>This section specifies two independent dimensions that characterize the remote attestation process over EDHOC.</t>
      <ol spacing="normal" type="1"><li>
          <t>Target: Defines the entity that undergoes the attestation process.</t>
        </li>
        <li>
          <t>Model: Defines the attestation models based on RATS architecture.
This specification supports both the RATS background-check model (see <xref target="bg"/>) and the passport model (see <xref target="pp"/>).
The corresponding EAD items for background-check model and the passport model are independent of each other.</t>
        </li>
      </ol>
      <t>When transferred over CoAP <xref target="RFC7252"/>, the EDHOC protocol can be performed according to two possible message flows, namely the EDHOC forward message flow and the EDHOC reverse message flow (see <xref section="A.2.2" sectionFormat="of" target="RFC9528"/>).
In this specification, both flows are supported to perform remote attestation.</t>
      <section anchor="iot">
        <name>Target: Initiator Attestation (I)</name>
        <t>The Initiator acts as the Attester.</t>
      </section>
      <section anchor="net">
        <name>Target: Responder Attestation (R)</name>
        <t>The Responder acts as the Attester.</t>
      </section>
      <section anchor="bg">
        <name>Model: Background-check Model (BG)</name>
        <t>In the background-check model, the Attester sends the evidence to the Relying Party.
Evidence contains a set of claims about the current status of the Attester, including configurations, health, or construction that have security relevance (see <xref section="8.1" sectionFormat="of" target="RFC9334"/>).
The Relying Party transfers the evidence to the Verifier and gets back the attestation result from the Verifier.</t>
        <t>An EDHOC session is established between the Attester and the Relying Party.
A negotiation of the evidence type is required before the Attester sends the evidence.
All three parties must agree on a selected evidence type.</t>
        <t>The Attester first sends a list of the proposed evidence types to the Relying Party.
The list is formatted as an Attestation proposal in an EDHOC EAD item.
The Relying Party relays the list to the Verifier and receives at least one supported evidence type from the Verifier in return.
If the Relying Party receives more than one evidence type, a single evidence type should be selected by the Relying Party based on its knowledge of the Attester.
The Relying Party then sends it back within the Attestation request to the Attester.</t>
        <t>A nonce, at least 8 bytes long <xref target="RFC9711"/>, is required to guarantee the freshness of the attestation procedure.
The nonce is generated by the Verifier and sent to the Relying Party.
The Relying Party includes the nonce in the same Attestation request sent to the Attester, together with the selected evidence type.</t>
        <t>Once the Attester receives the Attestation request, it can call its attestation service to generate the evidence, with the nonce value as one of the inputs.</t>
        <t>The EAD item Remote Attestation BG with ead_label TBD1 conveys a different ead_value, namely Attestation_proposal, Attestation_request, or Evidence, depending on the EDHOC message where the EAD item is included.
Specifically, if the EAD item Trigger Remote Attestation BG (see <xref target="trigger-bg"/>) is not included in EDHOC message_1, these three values are carried in EDHOC message_1, message_2, and message_3, respectively (see <xref target="iot-attestation"/>).
In contrast, if Trigger Remote Attestation BG is included in EDHOC message_1, the exchange is shifted by one message: Attestation_proposal is carried in message_2, Attestation_request in message_3, and Evidence in message_4 (see <xref target="r_bg"/>).</t>
        <section anchor="attestation-proposal">
          <name>Attestation_proposal</name>
          <t>The Attester indicates to the Relying Party its proposal to do remote attestation, together with the Proposed_EvidenceType object that specifies which types of attestation claims the Attester supports.
The Proposed_EvidenceType is encoded in CBOR in the form of a sequence (see <xref target="RFC8742"/>).</t>
          <t>The EAD item Remote Attestation BG for an attestation proposal is:</t>
          <ul spacing="normal">
            <li>
              <t>ead_label = TBD1</t>
            </li>
            <li>
              <t>ead_value = Attestation_proposal, which is a CBOR byte string:</t>
            </li>
          </ul>
          <artwork><![CDATA[
Attestation_proposal = bstr .cborseq Proposed_EvidenceType

;This defines an array, the elements of which are
;to be used in the CBOR Sequence Proposed_EvidenceType:

Proposed_EvidenceType = [ + content-format ]

content-format = uint
]]></artwork>
          <t>where</t>
          <ul spacing="normal">
            <li>
              <t>Proposed_EvidenceType is a CBOR sequence of an array that carries all the supported evidence types by the Attester.</t>
            </li>
            <li>
              <t>There <bcp14>MUST</bcp14> be at least one item in the array.</t>
            </li>
            <li>
              <t>content-format is an indicator of the format type (e.g., application/eat+cwt with an appropriate eat_profile parameter set), from <xref target="IANA-CoAP-Content-Formats"/>.</t>
            </li>
          </ul>
        </section>
        <section anchor="attestation-request">
          <name>Attestation_request</name>
          <t>As a response to the attestation proposal, the Relying Party signals to the Attester the supported and requested evidence type.
In case none of the evidence types is supported, the Relying Party rejects the previous message with an error indicating support for another evidence type.</t>
          <t>The EAD item Remote Attestation BG for an attestation request is:</t>
          <ul spacing="normal">
            <li>
              <t>ead_label = TBD1</t>
            </li>
            <li>
              <t>ead_value = Attestation_request, which is a CBOR byte string:</t>
            </li>
          </ul>
          <artwork><![CDATA[
Attestation_request = bstr .cborseq Selected_EvidenceType

;This defines an array, the elements of which are
;to be used in the CBOR Sequence Selected_EvidenceType:

Selected_EvidenceType = [
  content-format: uint,
  nonce: bstr .size (8..64)
]
]]></artwork>
          <t>where</t>
          <ul spacing="normal">
            <li>
              <t>content-format is the evidence type selected by the Relying Party and supported by the Verifier.</t>
            </li>
            <li>
              <t>nonce is generated by the Verifier and forwarded by the Relying Party.</t>
            </li>
          </ul>
        </section>
        <section anchor="evidence">
          <name>Evidence</name>
          <t>The Attester calls its local attestation service to generate and return a serialized Entity Attestation Token (EAT) <xref target="RFC9711"/> as Evidence.</t>
          <t>The EAD item Remote Attestation BG is:</t>
          <ul spacing="normal">
            <li>
              <t>ead_label = TBD1</t>
            </li>
            <li>
              <t>ead_value is the serialization of a COSE_Sign1 structure protecting an EAT.
For remote attestation over EDHOC, the EAT <bcp14>MUST</bcp14> be formatted as a CBOR Web Token (CWT) <xref target="RFC8392"/> containing attestation-oriented claims.
The complete set of attestation claims for the EAT is specified in <xref target="RFC9711"/>.
An example is provided in <xref target="firmware"/>.</t>
            </li>
          </ul>
          <t>A minimal claims set is defined as the payload of COSE_Sign1 when the Attester operates under constrained message size requirements and/or limited computational resources:</t>
          <artwork><![CDATA[
minimal-claim-set = {
10 => bstr .size (8..64)  ;eat_nonce
256 => bstr .size (7..33)  ;ueid
273 => measurements-type  ;measurements
}

measurements-type = [+ measurements-format]
measurements-format = [
      content-format: uint,
      content: bytes
]
]]></artwork>
          <t>where</t>
          <ul spacing="normal">
            <li>
              <t>eat-nonce is the nonce generated by the Verifier (see <xref target="attestation-request"/>), which is included by the Attester within the Evidence.</t>
            </li>
            <li>
              <t>The "measurements" claim could be a CoSWID <xref target="RFC9393"/>, a CoRIM <xref target="I-D.ietf-rats-corim"/> or other claim formats, and <bcp14>MUST</bcp14> be identified by CoAP Content Format.
An example as CoSWID is shown in <xref target="firmware"/>.</t>
            </li>
          </ul>
          <section anchor="attestation-binder">
            <name>Attestation binder</name>
            <t>The signing of the Evidence <bcp14>MUST</bcp14> also take as input an attestation binder.
By doing so, the attestation binder cryptographically binds the attestation to the authentication and ensures that the attester is the authenticated peer.
The attestation binder prevents relay attacks whereby an attacker relays Evidence generated in a different session.</t>
            <t>The Relying Party has to provide the Verifier with the Evidence together with the attestation binder.
Otherwise, the Verifier would lack the information for verifying the signed EAT.</t>
            <t>When Evidence is sent in EDHOC message_3 in EAD_3, the attestation binder is computed using HKDF-Expand defined in <xref target="RFC5869"/>.</t>
            <artwork><![CDATA[
attestation_binder_m3 = HKDF-Expand(0, attest_info, hash_length)

attest_info = [ H_12, "attestation", ID_CRED_I ]

H_12 = H(H(message_1), message_2)
]]></artwork>
            <t>where</t>
            <ul spacing="normal">
              <li>
                <t>0 denotes an all-zero byte string of length hash_length used as the PRK input to HKDF-Expand.</t>
              </li>
              <li>
                <t>hash_length is the length in bytes of the output of the EDHOC hash algorithm of the selected cipher suite.</t>
              </li>
              <li>
                <t>attest_info is a CBOR array containing H_12, the text string "attestation" and ID_CRED_I.</t>
              </li>
              <li>
                <t>H() is the EDHOC hash algorithm of the selected cipher suite.</t>
              </li>
            </ul>
            <t>When Evidence is sent in EDHOC message_4, the attestation binder is derived using EDHOC_Exporter defined in <xref target="RFC9528"/>.</t>
            <artwork><![CDATA[
attestation_binder_m4 = EDHOC_Exporter (exporter_label, context, length)
]]></artwork>
            <t>where</t>
            <ul spacing="normal">
              <li>
                <t>exporter_label = 2</t>
              </li>
              <li>
                <t>context = "attestation"</t>
              </li>
              <li>
                <t>length is the length in bytes of the output of the EDHOC hash algorithm of the selected cipher suite.</t>
              </li>
            </ul>
            <t>The signature in COSE_Sign1 is computed over a Sig_structure containing protected header, externally supplied data (external_aad) and payload using a private attestation key.
The COSE Unprotected Header is empty.
The message to be signed is:</t>
            <artwork><![CDATA[
[ "Signature1", body_protected, external_aad, payload ]
]]></artwork>
            <t>where</t>
            <ul spacing="normal">
              <li>
                <t>body_protected is the same CBOR byte string as the protected header in COSE_Sign1</t>
              </li>
              <li>
                <t>external_aad is set to attestation_binder_m3 when Evidence is carried in EDHOC message_3, and to attestation_binder_m4 when Evidence is carried in EDHOC message_4</t>
              </li>
              <li>
                <t>payload is the same CBOR byte string as the payload in COSE_Sign1</t>
              </li>
            </ul>
          </section>
        </section>
        <section anchor="trigger-bg">
          <name>Trigger Remote Attestation BG</name>
          <t>The EAD item Trigger Remote Attestation BG is used when the Relying Party triggers the Attester to start a remote attestation in the background-check model.
This EAD item can only be carried in EDHOC message_1.
The Attester <bcp14>MUST</bcp14> reply with an EAD item Remote Attestation BG, with the ead_value Attestation_proposal in <xref target="attestation-proposal"/>.
The ead_value <bcp14>MUST</bcp14> not be present, as the ead_label serves as the trigger.</t>
          <t>The EAD item Trigger Remote Attestation BG is:</t>
          <ul spacing="normal">
            <li>
              <t>ead_label = TBD3</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="pp">
        <name>Model: Passport Model (PP)</name>
        <t>In the passport model, the Attester sends the evidence to the Verifier.
After the Attester receives the attestation result from the Verifier, the Attester sends the attestation result to the Relying Party.
The attestation result may carry a boolean value indicating compliance or non-compliance with a Verifier's appraisal policy, or may carry a set of claims to indicate the results in different aspects (<xref section="8.4" sectionFormat="of" target="RFC9334"/>).</t>
        <t>An EDHOC session is established between the Attester and the Relying Party.
The Attester and the Relying Party should decide from which Verifier the Attester obtains the attestation result before transferring it to the Relying Party.
The Attester first sends a list of the Verifier identities that it can get the attestation result from.
The Relying Party selects one trusted Verifier identity and sends it back within a Result request.</t>
        <t>Regarding the freshness in passport model, the Attester could either establish a real-time connection with the selected Verifier, or use a pre-stored attestation result from the selected Verifier.
If the attestation result is not obtained via a real-time connection, it <bcp14>MUST</bcp14> include a time stamp and/or expiry time to indicate its validity.
Time synchronization is out of scope of this specification.</t>
        <t>Once the Attester obtains the attestation result from the selected Verifier, it sends the attestation result to the Relying Party.</t>
        <t>The EAD item Remote Attestation PP with ead_label TBD2 conveys a different ead_value, namely Result_proposal, Result_request, or Result, depending on the EDHOC message where the EAD item is included.
Specifically, if the EAD item Trigger Remote Attestation PP (see <xref target="trigger-pp"/>) is not included in EDHOC message_1, these three values are carried in EDHOC message_1, message_2, and message_3, respectively (see <xref target="i_pp"/>).
In contrast, if Trigger Remote Attestation PP is included in EDHOC message_1, the exchange is shifted by one message: Result_proposal is carried in message_2, Result_request in message_3, and Result in message_4 (see <xref target="network-attestation"/>).</t>
        <section anchor="result-proposal">
          <name>Result_proposal</name>
          <t>An attestation result proposal contains the identification of the credentials of the Verifiers to indicate Verifiers' identities.
The identification of credentials relies on COSE header parameters <xref target="IANA-COSE-Header-Parameters"/>, with a header label and credential value.</t>
          <t>The EAD item Remote Attestation PP for the attestation result proposal is:</t>
          <ul spacing="normal">
            <li>
              <t>ead_label = TBD2</t>
            </li>
            <li>
              <t>ead_value = Result_proposal, which is a CBOR byte string:</t>
            </li>
          </ul>
          <artwork><![CDATA[
Result_proposal = bstr .cbor Proposed_VerifierIdentity
Proposed_VerifierIdentity = [ + VerifierIdentity ]

VerifierIdentity = {
  label => any
}

label = int / tstr
]]></artwork>
          <t>where</t>
          <ul spacing="normal">
            <li>
              <t>Proposed_VerifierIdentity is defined as a list of one or more VerifierIdentity elements.</t>
            </li>
            <li>
              <t>label corresponds to a COSE header parameter as defined in <xref target="IANA-COSE-Header-Parameters"/>, such as kid (4) or x5t (34). Profiles using this specification <bcp14>MUST</bcp14> specify which label values are acceptable.</t>
            </li>
          </ul>
        </section>
        <section anchor="result-request">
          <name>Result_request</name>
          <t>As a response to the attestation result proposal, the Relying Party signals to the Attester the trusted Verifier.
In case none of the Verifiers can be trusted by the Relying Party, the session is aborted.</t>
          <t>The EAD item Remote Attestation PP for an attestation result request is:</t>
          <ul spacing="normal">
            <li>
              <t>ead_label = TBD2</t>
            </li>
            <li>
              <t>ead_value = Result_request, which is a CBOR byte string:</t>
            </li>
          </ul>
          <artwork><![CDATA[
Result_request = bstr .cbor Request_structure

Request_structure = {
  selected_verifier: VerifierIdentity,
  ? nonce: bstr .size (8..64)
}
]]></artwork>
          <t>The nonce is optional and depends on whether the Relying Party requires an attestation result based on a real-time interaction with the Verifier.
If the Relying Party can accept and evaluate a cached attestation result with a timestamp, the nonce does not need to be included in the result request.
Otherwise, the Relying Party generates a random nonce and sends it to the Attester.
The Attester must forward the nonce together with the evidence to the Verifier, which must include the nonce in the Attestation Result that it produces and provides to the Attester.</t>
        </section>
        <section anchor="result">
          <name>Result</name>
          <t>The attestation result is generated and signed by the Verifier as a serialized EAT <xref target="RFC9711"/>, and <bcp14>MUST</bcp14> be protected using a COSE_Sign1 structure.
The Relying Party can decide what action to take with regard to the Attester based on the information elements in attestation result.</t>
          <t>The EAD item Remote Attestation PP is:</t>
          <ul spacing="normal">
            <li>
              <t>ead_label = TBD2</t>
            </li>
            <li>
              <t>ead_value is the serialization of a COSE_Sign1 structure protecting an EAT.</t>
            </li>
          </ul>
        </section>
        <section anchor="trigger-pp">
          <name>Trigger Remote Attestation PP</name>
          <t>The EAD item Trigger Remote Attestation PP is used when the Relying Party triggers the Attester to start a remote attestation in the passport model.
This EAD item can only be carried in the EDHOC message_1.
The Attester <bcp14>MUST</bcp14> reply with an EAD item Remote Attestation PP, with the ead_value Result_proposal in <xref target="result-proposal"/>.
The ead_value <bcp14>MUST</bcp14> not be present, as the ead_label serves as the trigger.</t>
          <t>The EAD item Trigger Remote Attestation PP is:</t>
          <ul spacing="normal">
            <li>
              <t>ead_label = TBD4</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
    <section anchor="attestation-combinations">
      <name>Instantiation of Remote Attestation Protocol</name>
      <t>We use the format (Target, Model) to denote instantiations.
In particular:</t>
      <ul spacing="normal">
        <li>
          <t>I means that the EDHOC Initiator is the Attester.</t>
        </li>
        <li>
          <t>R means that the EDHOC Responder is the Attester.</t>
        </li>
        <li>
          <t>BG denotes the background-check model.</t>
        </li>
        <li>
          <t>PP denotes the passport model.</t>
        </li>
      </ul>
      <t>For example, (I, BG) represents the Initiator as an Attester performing attestation using the background-check model.
The four possible instantiations are therefore: (I, BG), (R, PP), (R, BG), and (I, PP).
In the remainder of this section we provide examples of these instantiations, starting with two instances of constrained Initiator followed by two instances of constrained Responder.</t>
      <section anchor="iot-attestation">
        <name>(I, BG): EDHOC Initiator Attestation in the Background-check Model</name>
        <t>In this instantiation, the constrained EDHOC Initiator acts as the RATS Attester and the EDHOC Responder acts as the RATS Relying Party.
An overview of EDHOC Initiator attestation in the background-check model is illustrated in <xref target="fig-iot-bg-fwd"/>.
The Attester and the Relying Party communicate by transporting messages within EDHOC External Authorization Data (EAD) fields.
An external entity plays the role of the RATS Verifier (V).
The EAD items specific to the background-check model are defined in <xref target="bg"/>.</t>
        <t>The Attester starts the attestation by sending an Attestation proposal in EDHOC message_1.
The Relying Party generates EAD_2 with the received evidence type(s) and nonce from the Verifier, and sends an Attestation request to the Attester.
The Attester generates the Evidence with the nonce embedded and signs the EAT with the attestation binder as an input, then sends the Evidence to the Relying Party in EAD_3.
The Relying Party computes the attestation binder and forwards the Evidence together with the attestation binder to the Verifier.
The Verifier evaluates the Evidence and sends the Attestation result to the Relying Party.</t>
        <t>A common use case for (I, BG) is to attest an IoT device (EDHOC Initiator) to a network server (EDHOC Responder).
For example, a simple illustrative example is the performance of remote attestation to verify that the latest version of firmware is running on the IoT device before the network server allows it to join the network (see <xref target="firmware"/>).</t>
        <figure anchor="fig-iot-bg-fwd">
          <name>Overview of EDHOC Initiator attestation in background-check model. EDHOC is used between A and RP.</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="720" width="768" viewBox="0 0 768 720" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,96" fill="none" stroke="black"/>
                <path d="M 64,104 L 64,704" fill="none" stroke="black"/>
                <path d="M 232,96 L 232,704" fill="none" stroke="black"/>
                <path d="M 272,32 L 272,96" fill="none" stroke="black"/>
                <path d="M 400,32 L 400,96" fill="none" stroke="black"/>
                <path d="M 480,96 L 480,704" fill="none" stroke="black"/>
                <path d="M 560,32 L 560,96" fill="none" stroke="black"/>
                <path d="M 672,64 L 672,96" fill="none" stroke="black"/>
                <path d="M 720,96 L 720,704" fill="none" stroke="black"/>
                <path d="M 760,64 L 760,96" fill="none" stroke="black"/>
                <path d="M 8,32 L 272,32" fill="none" stroke="black"/>
                <path d="M 400,32 L 560,32" fill="none" stroke="black"/>
                <path d="M 8,64 L 272,64" fill="none" stroke="black"/>
                <path d="M 400,64 L 560,64" fill="none" stroke="black"/>
                <path d="M 672,64 L 760,64" fill="none" stroke="black"/>
                <path d="M 8,96 L 272,96" fill="none" stroke="black"/>
                <path d="M 400,96 L 560,96" fill="none" stroke="black"/>
                <path d="M 672,96 L 760,96" fill="none" stroke="black"/>
                <path d="M 232,160 L 472,160" fill="none" stroke="black"/>
                <path d="M 480,224 L 712,224" fill="none" stroke="black"/>
                <path d="M 488,272 L 720,272" fill="none" stroke="black"/>
                <path d="M 240,304 L 480,304" fill="none" stroke="black"/>
                <path d="M 72,400 L 232,400" fill="none" stroke="black"/>
                <path d="M 64,448 L 224,448" fill="none" stroke="black"/>
                <path d="M 232,480 L 472,480" fill="none" stroke="black"/>
                <path d="M 480,576 L 712,576" fill="none" stroke="black"/>
                <path d="M 488,608 L 720,608" fill="none" stroke="black"/>
                <path d="M 480,624 L 504,624" fill="none" stroke="black"/>
                <path d="M 488,656 L 504,656" fill="none" stroke="black"/>
                <path d="M 240,686 L 472,686" fill="none" stroke="black"/>
                <path d="M 240,690 L 472,690" fill="none" stroke="black"/>
                <path d="M 504,624 C 512.83064,624 520,631.16936 520,640" fill="none" stroke="black"/>
                <path d="M 504,656 C 512.83064,656 520,648.83064 520,640" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="720,576 708,570.4 708,581.6" fill="black" transform="rotate(0,712,576)"/>
                <polygon class="arrowhead" points="720,224 708,218.4 708,229.6" fill="black" transform="rotate(0,712,224)"/>
                <polygon class="arrowhead" points="496,656 484,650.4 484,661.6" fill="black" transform="rotate(180,488,656)"/>
                <polygon class="arrowhead" points="496,608 484,602.4 484,613.6" fill="black" transform="rotate(180,488,608)"/>
                <polygon class="arrowhead" points="496,272 484,266.4 484,277.6" fill="black" transform="rotate(180,488,272)"/>
                <polygon class="arrowhead" points="480,688 468,682.4 468,693.6" fill="black" transform="rotate(0,472,688)"/>
                <polygon class="arrowhead" points="480,480 468,474.4 468,485.6" fill="black" transform="rotate(0,472,480)"/>
                <polygon class="arrowhead" points="480,160 468,154.4 468,165.6" fill="black" transform="rotate(0,472,160)"/>
                <polygon class="arrowhead" points="248,688 236,682.4 236,693.6" fill="black" transform="rotate(180,240,688)"/>
                <polygon class="arrowhead" points="248,304 236,298.4 236,309.6" fill="black" transform="rotate(180,240,304)"/>
                <polygon class="arrowhead" points="232,448 220,442.4 220,453.6" fill="black" transform="rotate(0,224,448)"/>
                <polygon class="arrowhead" points="80,400 68,394.4 68,405.6" fill="black" transform="rotate(180,72,400)"/>
                <g class="text">
                  <text x="72" y="52">Constrained</text>
                  <text x="144" y="52">EDHOC</text>
                  <text x="208" y="52">Initiator</text>
                  <text x="440" y="52">EDHOC</text>
                  <text x="504" y="52">Responder</text>
                  <text x="64" y="84">Attestation</text>
                  <text x="144" y="84">Service</text>
                  <text x="184" y="84">|</text>
                  <text x="228" y="84">Attester</text>
                  <text x="456" y="84">Relying</text>
                  <text x="512" y="84">Party</text>
                  <text x="716" y="84">Verifier</text>
                  <text x="312" y="148">EDHOC</text>
                  <text x="376" y="148">message_1</text>
                  <text x="264" y="180">EAD_1</text>
                  <text x="296" y="180">=</text>
                  <text x="388" y="180">Attestation_proposal</text>
                  <text x="248" y="196">{</text>
                  <text x="308" y="196">types(a,b,c)</text>
                  <text x="368" y="196">}</text>
                  <text x="512" y="212">Body:</text>
                  <text x="544" y="212">{</text>
                  <text x="604" y="212">types(a,b,c)</text>
                  <text x="664" y="212">}</text>
                  <text x="516" y="260">Body:{</text>
                  <text x="592" y="260">types(a,b),</text>
                  <text x="664" y="260">nonce</text>
                  <text x="696" y="260">}</text>
                  <text x="312" y="292">EDHOC</text>
                  <text x="376" y="292">message_2</text>
                  <text x="264" y="324">EAD_2</text>
                  <text x="296" y="324">=</text>
                  <text x="384" y="324">Attestation_request</text>
                  <text x="248" y="340">{</text>
                  <text x="296" y="340">types(a),</text>
                  <text x="360" y="340">nonce</text>
                  <text x="392" y="340">}</text>
                  <text x="108" y="372">type(a),</text>
                  <text x="172" y="372">nonce,</text>
                  <text x="120" y="388">attestation</text>
                  <text x="196" y="388">binder</text>
                  <text x="108" y="436">Evidence</text>
                  <text x="168" y="436">(EAT)</text>
                  <text x="312" y="468">EDHOC</text>
                  <text x="376" y="468">message_3</text>
                  <text x="264" y="500">EAD_3</text>
                  <text x="296" y="500">=</text>
                  <text x="340" y="500">Evidence</text>
                  <text x="248" y="516">{</text>
                  <text x="272" y="516">EAT</text>
                  <text x="296" y="516">}</text>
                  <text x="516" y="548">Body:{</text>
                  <text x="564" y="548">EAT,</text>
                  <text x="592" y="564">attestation</text>
                  <text x="668" y="564">binder</text>
                  <text x="704" y="564">}</text>
                  <text x="516" y="596">Body:{</text>
                  <text x="592" y="596">att-result:</text>
                  <text x="660" y="596">AR{}</text>
                  <text x="688" y="596">}</text>
                  <text x="556" y="644">verify</text>
                  <text x="604" y="644">AR{}</text>
                  <text x="336" y="676">application</text>
                  <text x="404" y="676">data</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
+--------------------------------+               +-------------------+
|  Constrained EDHOC Initiator   |               |  EDHOC Responder  |
+--------------------------------+               +-------------------+             +----------+
| Attestation Service | Attester |               |   Relying Party   |             | Verifier |
+--+------------------------+----+               +---------+---------+             +-----+----+
       |                    |                              |                             |
       |                    |                              |                             |
       |                    |       EDHOC message_1        |                             |
       |                    +----------------------------->|                             |
       |                    | EAD_1 = Attestation_proposal |                             |
       |                    | { types(a,b,c) }             |                             |
       |                    |                              | Body: { types(a,b,c) }      |
       |                    |                              +---------------------------->|
       |                    |                              |                             |
       |                    |                              | Body:{ types(a,b), nonce }  |
       |                    |                              |<----------------------------+
       |                    |       EDHOC message_2        |                             |
       |                    |<-----------------------------+                             |
       |                    | EAD_2 = Attestation_request  |                             |
       |                    | { types(a), nonce }          |                             |
       |                    |                              |                             |
       | type(a), nonce,    |                              |                             |
       | attestation binder |                              |                             |
       |<-------------------+                              |                             |
       |                    |                              |                             |
       | Evidence (EAT)     |                              |                             |
       +------------------->|                              |                             |
       |                    |       EDHOC message_3        |                             |
       |                    +----------------------------->|                             |
       |                    | EAD_3 = Evidence             |                             |
       |                    | { EAT }                      |                             |
       |                    |                              |                             |
       |                    |                              | Body:{ EAT,                 |
       |                    |                              |        attestation binder } |
       |                    |                              +---------------------------->|
       |                    |                              | Body:{ att-result: AR{} }   |
       |                    |                              |<----------------------------+
       |                    |                              +---.                         |
       |                    |                              |    | verify AR{}            |
       |                    |                              |<--'                         |
       |                    |       application data       |                             |
       |                    |<============================>|                             |
       |                    |                              |                             |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="network-attestation">
        <name>(R, PP): EDHOC Responder Attestation in the Passport Model</name>
        <t>In this instantiation, the constrained EDHOC Initiator acts as the RATS Relying Party and the EDHOC Responder acts as the RATS Attester.
An overview of the message flow is illustrated in <xref target="fig-net-pp-fwd"/>.
The EAD items specific to the passport model are defined in <xref target="pp"/>.</t>
        <t>The Relying Party asks the Attester to do a remote attestation by sending a trigger_pp (see <xref target="trigger-pp"/>) in EDHOC message_1.
The Attester replies to the Relying Party with a Result proposal in EAD_2.
Then the Relying Party selects a trusted Verifier identity and sends it as a Result request.
How the Attester negotiates with the selected Verifier to get the attestation result is out of scope of this specification.
A fourth EDHOC message is required to send the Result from the Attester to the Relying Party.</t>
        <t>One use case for (R, PP) is when a network server (EDHOC Responder) needs to attest itself to a client (e.g., an IoT device (EDHOC Initiator)).
For example, the client needs to send some sensitive data to the network server, which requires the network server to be attested first.</t>
        <figure anchor="fig-net-pp-fwd">
          <name>Overview of EDHOC Responder attestation in passport model. EDHOC is used between RP and A. The dashed line illustrates a logical connection that does not need to occur in real time.</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="480" width="680" viewBox="0 0 680 480" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,96" fill="none" stroke="black"/>
                <path d="M 128,96 L 128,464" fill="none" stroke="black"/>
                <path d="M 248,32 L 248,96" fill="none" stroke="black"/>
                <path d="M 320,32 L 320,96" fill="none" stroke="black"/>
                <path d="M 392,96 L 392,464" fill="none" stroke="black"/>
                <path d="M 464,32 L 464,96" fill="none" stroke="black"/>
                <path d="M 552,64 L 552,96" fill="none" stroke="black"/>
                <path d="M 616,96 L 616,464" fill="none" stroke="black"/>
                <path d="M 672,64 L 672,96" fill="none" stroke="black"/>
                <path d="M 8,32 L 248,32" fill="none" stroke="black"/>
                <path d="M 320,32 L 464,32" fill="none" stroke="black"/>
                <path d="M 8,64 L 248,64" fill="none" stroke="black"/>
                <path d="M 320,64 L 464,64" fill="none" stroke="black"/>
                <path d="M 552,64 L 672,64" fill="none" stroke="black"/>
                <path d="M 8,96 L 248,96" fill="none" stroke="black"/>
                <path d="M 320,96 L 464,96" fill="none" stroke="black"/>
                <path d="M 552,96 L 672,96" fill="none" stroke="black"/>
                <path d="M 128,144 L 384,144" fill="none" stroke="black"/>
                <path d="M 136,208 L 392,208" fill="none" stroke="black"/>
                <path d="M 128,288 L 384,288" fill="none" stroke="black"/>
                <path d="M 392,352 L 416,352" fill="none" stroke="black"/>
                <path d="M 440,352 L 456,352" fill="none" stroke="black"/>
                <path d="M 480,352 L 496,352" fill="none" stroke="black"/>
                <path d="M 520,352 L 536,352" fill="none" stroke="black"/>
                <path d="M 560,352 L 576,352" fill="none" stroke="black"/>
                <path d="M 592,352 L 608,352" fill="none" stroke="black"/>
                <path d="M 400,384 L 424,384" fill="none" stroke="black"/>
                <path d="M 448,384 L 464,384" fill="none" stroke="black"/>
                <path d="M 488,384 L 504,384" fill="none" stroke="black"/>
                <path d="M 528,384 L 544,384" fill="none" stroke="black"/>
                <path d="M 560,384 L 576,384" fill="none" stroke="black"/>
                <path d="M 600,384 L 616,384" fill="none" stroke="black"/>
                <path d="M 136,416 L 392,416" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="616,352 604,346.4 604,357.6" fill="black" transform="rotate(0,608,352)"/>
                <polygon class="arrowhead" points="408,384 396,378.4 396,389.6" fill="black" transform="rotate(180,400,384)"/>
                <polygon class="arrowhead" points="392,288 380,282.4 380,293.6" fill="black" transform="rotate(0,384,288)"/>
                <polygon class="arrowhead" points="392,144 380,138.4 380,149.6" fill="black" transform="rotate(0,384,144)"/>
                <polygon class="arrowhead" points="144,416 132,410.4 132,421.6" fill="black" transform="rotate(180,136,416)"/>
                <polygon class="arrowhead" points="144,208 132,202.4 132,213.6" fill="black" transform="rotate(180,136,208)"/>
                <g class="text">
                  <text x="64" y="52">Constrained</text>
                  <text x="136" y="52">EDHOC</text>
                  <text x="200" y="52">Initiator</text>
                  <text x="352" y="52">EDHOC</text>
                  <text x="416" y="52">Responder</text>
                  <text x="104" y="84">Relying</text>
                  <text x="160" y="84">Party</text>
                  <text x="396" y="84">Attester</text>
                  <text x="596" y="84">Verifier</text>
                  <text x="648" y="84">(2)</text>
                  <text x="216" y="132">EDHOC</text>
                  <text x="280" y="132">message_1</text>
                  <text x="176" y="164">EAD_1</text>
                  <text x="208" y="164">=</text>
                  <text x="260" y="164">trigger_pp</text>
                  <text x="216" y="196">EDHOC</text>
                  <text x="280" y="196">message_2</text>
                  <text x="176" y="228">EAD_2</text>
                  <text x="208" y="228">=</text>
                  <text x="280" y="228">Result_proposal</text>
                  <text x="160" y="244">{</text>
                  <text x="232" y="244">Verifier(1,2,3)</text>
                  <text x="304" y="244">}</text>
                  <text x="216" y="276">EDHOC</text>
                  <text x="280" y="276">message_3</text>
                  <text x="176" y="308">EAD_3</text>
                  <text x="208" y="308">=</text>
                  <text x="276" y="308">Result_request</text>
                  <text x="160" y="324">{</text>
                  <text x="220" y="324">Verifier(2),</text>
                  <text x="296" y="324">nonce</text>
                  <text x="328" y="324">}</text>
                  <text x="468" y="340">Evidence</text>
                  <text x="512" y="340">+</text>
                  <text x="544" y="340">nonce</text>
                  <text x="500" y="372">Result</text>
                  <text x="216" y="404">EDHOC</text>
                  <text x="280" y="404">message_4</text>
                  <text x="176" y="436">EAD_4</text>
                  <text x="208" y="436">=</text>
                  <text x="244" y="436">Result</text>
                  <text x="160" y="452">{</text>
                  <text x="184" y="452">EAT</text>
                  <text x="208" y="452">}</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
+-----------------------------+        +-----------------+
| Constrained EDHOC Initiator |        | EDHOC Responder |
+-----------------------------+        +-----------------+          +--------------+
|        Relying Party        |        |     Attester    |          | Verifier (2) |
+--------------+--------------+        +--------+--------+          +-------+------+
               |                                |                           |
               |        EDHOC message_1         |                           |
               +------------------------------->|                           |
               |   EAD_1 = trigger_pp           |                           |
               |                                |                           |
               |        EDHOC message_2         |                           |
               |<-------------------------------+                           |
               |   EAD_2 = Result_proposal      |                           |
               |   { Verifier(1,2,3) }          |                           |
               |                                |                           |
               |        EDHOC message_3         |                           |
               +------------------------------->|                           |
               |   EAD_3 = Result_request       |                           |
               |   { Verifier(2), nonce }       |                           |
               |                                |     Evidence + nonce      |
               |                                +---  ---  ---  ---  --- -->|
               |                                |          Result           |
               |                                |<---  ---  ---  --- ---  --+
               |        EDHOC message_4         |                           |
               |<-------------------------------+                           |
               |   EAD_4 = Result               |                           |
               |   { EAT }                      |                           |
               |                                |                           |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="r_bg">
        <name>(R, BG): EDHOC Responder Attestation in the Background-check Model</name>
        <t>In this instantiation, the constrained EDHOC Responder acts as the RATS Attester and the EDHOC Initiator acts as the RATS Relying Party.
An overview of the message flow is illustrated in <xref target="fig-r-bg"/>.
The EAD items specific to the background-check model are defined in <xref target="bg"/>.</t>
        <t>The Relying Party initiates the procedure by sending trigger_bg in EAD_1 of message_1.
The Attester responds with an Attestation proposal in EAD_2 of message_2, indicating the evidence types it can provide.
The Relying Party forwards this proposal to the Verifier, which selects its supported evidence types and provides a nonce.
The Relying Party then sends an Attestation request in EAD_3 of message_3, which contains the nonce generated from the Verifier.
Upon receipt of the Attestation request, the Attester generates the Evidence with the nonce embedded and signs the EAT with the attestation binder as an input.
Evidence is carried in EAD_4 of message_4.
The Relying Party forwards the Evidence to the Verifier together with the attestation binder and receives an Attestation result.</t>
        <t>Note that this is a post-handshake attestation since EDHOC completes the authenticated key exchange after message_3.
Therefore, the attestation binder in this instantiation is derived using EDHOC_Exporter (see <xref target="attestation-binder"/>).</t>
        <figure anchor="fig-r-bg">
          <name>Overview of EDHOC Responder attestation in background-check model. EDHOC is used between A and RP.</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="784" width="768" viewBox="0 0 768 784" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,64 L 8,96" fill="none" stroke="black"/>
                <path d="M 56,104 L 56,768" fill="none" stroke="black"/>
                <path d="M 96,64 L 96,96" fill="none" stroke="black"/>
                <path d="M 208,32 L 208,96" fill="none" stroke="black"/>
                <path d="M 288,96 L 288,768" fill="none" stroke="black"/>
                <path d="M 368,32 L 368,96" fill="none" stroke="black"/>
                <path d="M 496,32 L 496,96" fill="none" stroke="black"/>
                <path d="M 536,96 L 536,768" fill="none" stroke="black"/>
                <path d="M 696,96 L 696,768" fill="none" stroke="black"/>
                <path d="M 760,32 L 760,96" fill="none" stroke="black"/>
                <path d="M 208,32 L 368,32" fill="none" stroke="black"/>
                <path d="M 496,32 L 760,32" fill="none" stroke="black"/>
                <path d="M 8,64 L 96,64" fill="none" stroke="black"/>
                <path d="M 208,64 L 368,64" fill="none" stroke="black"/>
                <path d="M 496,64 L 760,64" fill="none" stroke="black"/>
                <path d="M 8,96 L 96,96" fill="none" stroke="black"/>
                <path d="M 208,96 L 368,96" fill="none" stroke="black"/>
                <path d="M 496,96 L 760,96" fill="none" stroke="black"/>
                <path d="M 288,144 L 528,144" fill="none" stroke="black"/>
                <path d="M 296,224 L 536,224" fill="none" stroke="black"/>
                <path d="M 64,288 L 288,288" fill="none" stroke="black"/>
                <path d="M 56,336 L 280,336" fill="none" stroke="black"/>
                <path d="M 288,368 L 528,368" fill="none" stroke="black"/>
                <path d="M 544,448 L 688,448" fill="none" stroke="black"/>
                <path d="M 544,496 L 696,496" fill="none" stroke="black"/>
                <path d="M 296,528 L 536,528" fill="none" stroke="black"/>
                <path d="M 64,608 L 288,608" fill="none" stroke="black"/>
                <path d="M 56,656 L 280,656" fill="none" stroke="black"/>
                <path d="M 288,672 L 312,672" fill="none" stroke="black"/>
                <path d="M 296,704 L 312,704" fill="none" stroke="black"/>
                <path d="M 296,750 L 528,750" fill="none" stroke="black"/>
                <path d="M 296,754 L 528,754" fill="none" stroke="black"/>
                <path d="M 312,672 C 320.83064,672 328,679.16936 328,688" fill="none" stroke="black"/>
                <path d="M 312,704 C 320.83064,704 328,696.83064 328,688" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="696,448 684,442.4 684,453.6" fill="black" transform="rotate(0,688,448)"/>
                <polygon class="arrowhead" points="552,496 540,490.4 540,501.6" fill="black" transform="rotate(180,544,496)"/>
                <polygon class="arrowhead" points="536,752 524,746.4 524,757.6" fill="black" transform="rotate(0,528,752)"/>
                <polygon class="arrowhead" points="536,368 524,362.4 524,373.6" fill="black" transform="rotate(0,528,368)"/>
                <polygon class="arrowhead" points="536,144 524,138.4 524,149.6" fill="black" transform="rotate(0,528,144)"/>
                <polygon class="arrowhead" points="304,752 292,746.4 292,757.6" fill="black" transform="rotate(180,296,752)"/>
                <polygon class="arrowhead" points="304,704 292,698.4 292,709.6" fill="black" transform="rotate(180,296,704)"/>
                <polygon class="arrowhead" points="304,528 292,522.4 292,533.6" fill="black" transform="rotate(180,296,528)"/>
                <polygon class="arrowhead" points="304,224 292,218.4 292,229.6" fill="black" transform="rotate(180,296,224)"/>
                <polygon class="arrowhead" points="288,656 276,650.4 276,661.6" fill="black" transform="rotate(0,280,656)"/>
                <polygon class="arrowhead" points="288,336 276,330.4 276,341.6" fill="black" transform="rotate(0,280,336)"/>
                <polygon class="arrowhead" points="72,608 60,602.4 60,613.6" fill="black" transform="rotate(180,64,608)"/>
                <polygon class="arrowhead" points="72,288 60,282.4 60,293.6" fill="black" transform="rotate(180,64,288)"/>
                <g class="text">
                  <text x="248" y="52">EDHOC</text>
                  <text x="312" y="52">Initiator</text>
                  <text x="560" y="52">Constrained</text>
                  <text x="632" y="52">EDHOC</text>
                  <text x="696" y="52">Responder</text>
                  <text x="52" y="84">Verifier</text>
                  <text x="264" y="84">Relying</text>
                  <text x="320" y="84">Party</text>
                  <text x="540" y="84">Attester</text>
                  <text x="584" y="84">|</text>
                  <text x="640" y="84">Attestation</text>
                  <text x="720" y="84">Service</text>
                  <text x="360" y="132">EDHOC</text>
                  <text x="424" y="132">message_1</text>
                  <text x="320" y="164">EAD_1</text>
                  <text x="352" y="164">=</text>
                  <text x="404" y="164">trigger_bg</text>
                  <text x="360" y="212">EDHOC</text>
                  <text x="424" y="212">message_2</text>
                  <text x="320" y="244">EAD_2</text>
                  <text x="352" y="244">=</text>
                  <text x="444" y="244">Attestation_proposal</text>
                  <text x="304" y="260">{</text>
                  <text x="364" y="260">types(a,b,c)</text>
                  <text x="424" y="260">}</text>
                  <text x="88" y="276">Body:</text>
                  <text x="120" y="276">{</text>
                  <text x="180" y="276">types(a,b,c)</text>
                  <text x="240" y="276">}</text>
                  <text x="88" y="324">Body:</text>
                  <text x="120" y="324">{</text>
                  <text x="176" y="324">types(a,b),</text>
                  <text x="248" y="324">nonce</text>
                  <text x="280" y="324">}</text>
                  <text x="360" y="356">EDHOC</text>
                  <text x="424" y="356">message_3</text>
                  <text x="320" y="388">EAD_3</text>
                  <text x="352" y="388">=</text>
                  <text x="440" y="388">Attestation_request</text>
                  <text x="304" y="404">{</text>
                  <text x="352" y="404">types(a),</text>
                  <text x="416" y="404">nonce</text>
                  <text x="448" y="404">}</text>
                  <text x="584" y="420">types(a),</text>
                  <text x="652" y="420">nonce,</text>
                  <text x="592" y="436">attestation</text>
                  <text x="668" y="436">binder</text>
                  <text x="580" y="484">Evidence</text>
                  <text x="640" y="484">(EAT)</text>
                  <text x="360" y="516">EDHOC</text>
                  <text x="424" y="516">message_4</text>
                  <text x="320" y="548">EAD_4</text>
                  <text x="352" y="548">=</text>
                  <text x="396" y="548">Evidence</text>
                  <text x="304" y="564">{</text>
                  <text x="328" y="564">EAT</text>
                  <text x="352" y="564">}</text>
                  <text x="88" y="580">Body:</text>
                  <text x="120" y="580">{</text>
                  <text x="148" y="580">EAT,</text>
                  <text x="168" y="596">attestation</text>
                  <text x="244" y="596">binder</text>
                  <text x="280" y="596">}</text>
                  <text x="88" y="644">Body:</text>
                  <text x="120" y="644">{</text>
                  <text x="176" y="644">att-result:</text>
                  <text x="244" y="644">AR{}</text>
                  <text x="272" y="644">}</text>
                  <text x="364" y="692">verify</text>
                  <text x="404" y="692">AR</text>
                  <text x="428" y="692">{}</text>
                  <text x="392" y="740">application</text>
                  <text x="460" y="740">data</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
                         +-------------------+               +--------------------------------+
                         |  EDHOC Initiator  |               |  Constrained EDHOC Responder   |
+----------+             +-------------------+               +--------------------------------+
| Verifier |             |   Relying Party   |               | Attester | Attestation Service |
+----------+             +---------+---------+               +----+-------------------+-------+
      |                            |                              |                   |
      |                            |      EDHOC message_1         |                   |
      |                            +----------------------------->|                   |
      |                            | EAD_1 = trigger_bg           |                   |
      |                            |                              |                   |
      |                            |                              |                   |
      |                            |      EDHOC message_2         |                   |
      |                            |<-----------------------------+                   |
      |                            | EAD_2 = Attestation_proposal |                   |
      |                            | { types(a,b,c) }             |                   |
      | Body: { types(a,b,c) }     |                              |                   |
      |<---------------------------+                              |                   |
      |                            |                              |                   |
      | Body: { types(a,b), nonce }|                              |                   |
      +--------------------------->|                              |                   |
      |                            |      EDHOC message_3         |                   |
      |                            +----------------------------->|                   |
      |                            | EAD_3 = Attestation_request  |                   |
      |                            | { types(a), nonce }          |                   |
      |                            |                              | types(a), nonce,  |
      |                            |                              | attestation binder|
      |                            |                              |------------------>+
      |                            |                              |                   |
      |                            |                              | Evidence (EAT)    |
      |                            |                              |<------------------+
      |                            |      EDHOC message_4         |                   |
      |                            |<-----------------------------+                   |
      |                            | EAD_4 = Evidence             |                   |
      |                            | { EAT }                      |                   |
      | Body: { EAT,               |                              |                   |
      |        attestation binder }|                              |                   |
      |<---------------------------+                              |                   |
      |                            |                              |                   |
      | Body: { att-result: AR{} } |                              |                   |
      +--------------------------->|                              |                   |
      |                            +---.                          |                   |
      |                            |    | verify AR {}            |                   |
      |                            |<--'                          |                   |
      |                            |                              |                   |
      |                            |       application data       |                   |
      |                            |<============================>|                   |
      |                            |                              |                   |
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="i_pp">
        <name>(I, PP): EDHOC Initiator Attestation in the Passport Model</name>
        <t>In this instantiation, the EDHOC Initiator acts as the RATS Attester and the constrained EDHOC Responder acts as the RATS Relying Party.
An overview of the message flow is illustrated in <xref target="fig-i-pp"/>.
The EAD items specific to the passport model are defined in <xref target="pp"/>.</t>
        <t>The Attester initiates the procedure by sending a Result proposal in EAD_1 of message_1, indicating the Verifier identities it can communicate with.
The Relying Party selects a Verifier and sends a Result request in EAD_2 of message_2, together with a nonce.
The Attester interacts with the selected Verifier to obtain an Attestation Result.
How the Attester negotiates with the selected Verifier to get the attestation result is out of scope of this specification.
The Attester then returns the Result in EAD_3 of message_3, after which the Relying Party can decide whether to continue with EDHOC message_4 or application data exchange.</t>
        <figure anchor="fig-i-pp">
          <name>Overview of EDHOC Initiator attestation in passport model. EDHOC is used between A and RP.</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="400" width="664" viewBox="0 0 664 400" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,64 L 8,96" fill="none" stroke="black"/>
                <path d="M 72,96 L 72,384" fill="none" stroke="black"/>
                <path d="M 128,64 L 128,96" fill="none" stroke="black"/>
                <path d="M 192,32 L 192,96" fill="none" stroke="black"/>
                <path d="M 264,96 L 264,384" fill="none" stroke="black"/>
                <path d="M 336,32 L 336,96" fill="none" stroke="black"/>
                <path d="M 416,32 L 416,96" fill="none" stroke="black"/>
                <path d="M 536,96 L 536,384" fill="none" stroke="black"/>
                <path d="M 656,32 L 656,96" fill="none" stroke="black"/>
                <path d="M 192,32 L 336,32" fill="none" stroke="black"/>
                <path d="M 416,32 L 656,32" fill="none" stroke="black"/>
                <path d="M 8,64 L 128,64" fill="none" stroke="black"/>
                <path d="M 192,64 L 336,64" fill="none" stroke="black"/>
                <path d="M 416,64 L 656,64" fill="none" stroke="black"/>
                <path d="M 8,96 L 128,96" fill="none" stroke="black"/>
                <path d="M 192,96 L 336,96" fill="none" stroke="black"/>
                <path d="M 416,96 L 656,96" fill="none" stroke="black"/>
                <path d="M 264,144 L 528,144" fill="none" stroke="black"/>
                <path d="M 272,224 L 536,224" fill="none" stroke="black"/>
                <path d="M 80,288 L 96,288" fill="none" stroke="black"/>
                <path d="M 112,288 L 128,288" fill="none" stroke="black"/>
                <path d="M 144,288 L 160,288" fill="none" stroke="black"/>
                <path d="M 176,288 L 192,288" fill="none" stroke="black"/>
                <path d="M 208,288 L 224,288" fill="none" stroke="black"/>
                <path d="M 240,288 L 264,288" fill="none" stroke="black"/>
                <path d="M 72,320 L 96,320" fill="none" stroke="black"/>
                <path d="M 112,320 L 128,320" fill="none" stroke="black"/>
                <path d="M 144,320 L 160,320" fill="none" stroke="black"/>
                <path d="M 176,320 L 192,320" fill="none" stroke="black"/>
                <path d="M 208,320 L 224,320" fill="none" stroke="black"/>
                <path d="M 240,320 L 256,320" fill="none" stroke="black"/>
                <path d="M 264,336 L 528,336" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="536,336 524,330.4 524,341.6" fill="black" transform="rotate(0,528,336)"/>
                <polygon class="arrowhead" points="536,144 524,138.4 524,149.6" fill="black" transform="rotate(0,528,144)"/>
                <polygon class="arrowhead" points="280,224 268,218.4 268,229.6" fill="black" transform="rotate(180,272,224)"/>
                <polygon class="arrowhead" points="264,320 252,314.4 252,325.6" fill="black" transform="rotate(0,256,320)"/>
                <polygon class="arrowhead" points="88,288 76,282.4 76,293.6" fill="black" transform="rotate(180,80,288)"/>
                <g class="text">
                  <text x="224" y="52">EDHOC</text>
                  <text x="288" y="52">Initiator</text>
                  <text x="472" y="52">Constrained</text>
                  <text x="544" y="52">EDHOC</text>
                  <text x="608" y="52">Responder</text>
                  <text x="52" y="84">Verifier</text>
                  <text x="104" y="84">(2)</text>
                  <text x="260" y="84">Attester</text>
                  <text x="504" y="84">Relying</text>
                  <text x="560" y="84">Party</text>
                  <text x="352" y="132">EDHOC</text>
                  <text x="416" y="132">message_1</text>
                  <text x="312" y="164">EAD_1</text>
                  <text x="344" y="164">=</text>
                  <text x="416" y="164">Result_proposal</text>
                  <text x="296" y="180">{</text>
                  <text x="368" y="180">Verifier(1,2,3)</text>
                  <text x="440" y="180">}</text>
                  <text x="352" y="212">EDHOC</text>
                  <text x="416" y="212">message_2</text>
                  <text x="312" y="244">EAD_2</text>
                  <text x="344" y="244">=</text>
                  <text x="412" y="244">Result_request</text>
                  <text x="296" y="260">{</text>
                  <text x="356" y="260">Verifier(2),</text>
                  <text x="432" y="260">nonce</text>
                  <text x="464" y="260">}</text>
                  <text x="132" y="276">Evidence</text>
                  <text x="176" y="276">+</text>
                  <text x="208" y="276">nonce</text>
                  <text x="164" y="308">Result</text>
                  <text x="352" y="324">EDHOC</text>
                  <text x="416" y="324">message_3</text>
                  <text x="312" y="356">EAD_3</text>
                  <text x="344" y="356">=</text>
                  <text x="380" y="356">Result</text>
                  <text x="296" y="372">{</text>
                  <text x="320" y="372">EAT</text>
                  <text x="344" y="372">}</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
                       +-----------------+         +-----------------------------+
                       | EDHOC Initiator |         | Constrained EDHOC Responder |
+--------------+       +-----------------+         +-----------------------------+
| Verifier (2) |       |    Attester     |         |       Relying Party         |
+-------+------+       +--------+--------+         +--------------+--------------+
        |                       |                                 |
        |                       |        EDHOC message_1          |
        |                       +-------------------------------->|
        |                       |   EAD_1 = Result_proposal       |
        |                       |   { Verifier(1,2,3) }           |
        |                       |                                 |
        |                       |        EDHOC message_2          |
        |                       |<--------------------------------+
        |                       |   EAD_2 = Result_request        |
        |                       |   { Verifier(2), nonce }        |
        |   Evidence + nonce    |                                 |
        |<-- --- --- --- --- ---+                                 |
        |        Result         |                                 |
        +--- --- --- --- --- -->|        EDHOC message_3          |
        |                       +-------------------------------->|
        |                       |   EAD_3 = Result                |
        |                       |   { EAT }                       |
        |                       |                                 |
]]></artwork>
          </artset>
        </figure>
      </section>
    </section>
    <section anchor="mutual-attestation">
      <name>Mutual Attestation in EDHOC</name>
      <t>In this section we demonstrate mutual attestation over EDHOC combining the cases  (I, BG), see <xref target="iot-attestation"/>, and (R, PP), see <xref target="network-attestation"/>, which is potentially the most relevant mutual attestation example for constrained IoT environments.
This demonstrates combined mutual authentication with mutual attestation at a reduced message overhead and number of round trips.</t>
      <section anchor="i-bg-r-pp">
        <name>(I, BG) - (R, PP)</name>
        <t>In this example, the mutual attestation is performed in EDHOC forward message flow, by one IoT device attestation in background-check model and another network service attestation in passport model.
The process is illustrated in <xref target="fig-mutual-attestation-BP"/>.
How the Network service connects with the Verifier_1 and potential Verifier_2 is out of scope in this specification.</t>
        <t>The first remote attestation is initiated by the IoT device (A_1) in background-check model.
In parallel, the IoT device (A_1) requests the network service (A_2) to perform a remote attestation in passport model.
EAD_2 carries the EAD items Attestation request and Result proposal.
EAD_3 carries the EAD items Evidence and Result request.
EAD_4 carries the EAD item Result for the passport model.</t>
        <figure anchor="fig-mutual-attestation-BP">
          <name>Overview of mutual attestation of (I, BG) - (R, PP). EDHOC is used between A and RP. The dashed line illustrates a logical connection that does not need to occur in real time.</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="608" width="952" viewBox="0 0 952 608" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,96" fill="none" stroke="black"/>
                <path d="M 128,96 L 128,592" fill="none" stroke="black"/>
                <path d="M 248,32 L 248,96" fill="none" stroke="black"/>
                <path d="M 360,32 L 360,96" fill="none" stroke="black"/>
                <path d="M 432,96 L 432,592" fill="none" stroke="black"/>
                <path d="M 504,32 L 504,96" fill="none" stroke="black"/>
                <path d="M 616,64 L 616,96" fill="none" stroke="black"/>
                <path d="M 672,96 L 672,592" fill="none" stroke="black"/>
                <path d="M 720,64 L 720,96" fill="none" stroke="black"/>
                <path d="M 840,64 L 840,96" fill="none" stroke="black"/>
                <path d="M 896,96 L 896,592" fill="none" stroke="black"/>
                <path d="M 944,64 L 944,96" fill="none" stroke="black"/>
                <path d="M 8,32 L 248,32" fill="none" stroke="black"/>
                <path d="M 360,32 L 504,32" fill="none" stroke="black"/>
                <path d="M 8,64 L 248,64" fill="none" stroke="black"/>
                <path d="M 360,64 L 504,64" fill="none" stroke="black"/>
                <path d="M 616,64 L 720,64" fill="none" stroke="black"/>
                <path d="M 840,64 L 944,64" fill="none" stroke="black"/>
                <path d="M 8,96 L 248,96" fill="none" stroke="black"/>
                <path d="M 360,96 L 504,96" fill="none" stroke="black"/>
                <path d="M 616,96 L 720,96" fill="none" stroke="black"/>
                <path d="M 840,96 L 944,96" fill="none" stroke="black"/>
                <path d="M 128,160 L 424,160" fill="none" stroke="black"/>
                <path d="M 432,224 L 664,224" fill="none" stroke="black"/>
                <path d="M 440,240 L 672,240" fill="none" stroke="black"/>
                <path d="M 136,304 L 432,304" fill="none" stroke="black"/>
                <path d="M 128,384 L 424,384" fill="none" stroke="black"/>
                <path d="M 432,432 L 664,432" fill="none" stroke="black"/>
                <path d="M 432,448 L 456,448" fill="none" stroke="black"/>
                <path d="M 472,448 L 488,448" fill="none" stroke="black"/>
                <path d="M 504,448 L 520,448" fill="none" stroke="black"/>
                <path d="M 536,448 L 552,448" fill="none" stroke="black"/>
                <path d="M 568,448 L 584,448" fill="none" stroke="black"/>
                <path d="M 600,448 L 616,448" fill="none" stroke="black"/>
                <path d="M 640,448 L 672,448" fill="none" stroke="black"/>
                <path d="M 688,448 L 704,448" fill="none" stroke="black"/>
                <path d="M 728,448 L 744,448" fill="none" stroke="black"/>
                <path d="M 768,448 L 784,448" fill="none" stroke="black"/>
                <path d="M 800,448 L 816,448" fill="none" stroke="black"/>
                <path d="M 832,448 L 848,448" fill="none" stroke="black"/>
                <path d="M 864,448 L 888,448" fill="none" stroke="black"/>
                <path d="M 440,496 L 672,496" fill="none" stroke="black"/>
                <path d="M 440,528 L 464,528" fill="none" stroke="black"/>
                <path d="M 488,528 L 504,528" fill="none" stroke="black"/>
                <path d="M 528,528 L 544,528" fill="none" stroke="black"/>
                <path d="M 568,528 L 584,528" fill="none" stroke="black"/>
                <path d="M 608,528 L 624,528" fill="none" stroke="black"/>
                <path d="M 648,528 L 672,528" fill="none" stroke="black"/>
                <path d="M 688,528 L 704,528" fill="none" stroke="black"/>
                <path d="M 728,528 L 744,528" fill="none" stroke="black"/>
                <path d="M 768,528 L 784,528" fill="none" stroke="black"/>
                <path d="M 800,528 L 816,528" fill="none" stroke="black"/>
                <path d="M 840,528 L 856,528" fill="none" stroke="black"/>
                <path d="M 872,528 L 896,528" fill="none" stroke="black"/>
                <path d="M 136,576 L 432,576" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="896,448 884,442.4 884,453.6" fill="black" transform="rotate(0,888,448)"/>
                <polygon class="arrowhead" points="672,432 660,426.4 660,437.6" fill="black" transform="rotate(0,664,432)"/>
                <polygon class="arrowhead" points="672,224 660,218.4 660,229.6" fill="black" transform="rotate(0,664,224)"/>
                <polygon class="arrowhead" points="448,528 436,522.4 436,533.6" fill="black" transform="rotate(180,440,528)"/>
                <polygon class="arrowhead" points="448,496 436,490.4 436,501.6" fill="black" transform="rotate(180,440,496)"/>
                <polygon class="arrowhead" points="448,240 436,234.4 436,245.6" fill="black" transform="rotate(180,440,240)"/>
                <polygon class="arrowhead" points="432,384 420,378.4 420,389.6" fill="black" transform="rotate(0,424,384)"/>
                <polygon class="arrowhead" points="432,160 420,154.4 420,165.6" fill="black" transform="rotate(0,424,160)"/>
                <polygon class="arrowhead" points="144,576 132,570.4 132,581.6" fill="black" transform="rotate(180,136,576)"/>
                <polygon class="arrowhead" points="144,304 132,298.4 132,309.6" fill="black" transform="rotate(180,136,304)"/>
                <g class="text">
                  <text x="64" y="52">Constrained</text>
                  <text x="136" y="52">EDHOC</text>
                  <text x="200" y="52">Initiator</text>
                  <text x="392" y="52">EDHOC</text>
                  <text x="456" y="52">Responder</text>
                  <text x="116" y="84">A_1/RP_2</text>
                  <text x="428" y="84">RP_1/A_2</text>
                  <text x="668" y="84">Verifier_1</text>
                  <text x="892" y="84">Verifier_2</text>
                  <text x="168" y="132">EAD_1</text>
                  <text x="200" y="132">=</text>
                  <text x="256" y="132">Attestation</text>
                  <text x="344" y="132">proposal,</text>
                  <text x="252" y="148">trigger_PP</text>
                  <text x="504" y="212">Attestation</text>
                  <text x="588" y="212">proposal</text>
                  <text x="524" y="260">EvidenceType(s),</text>
                  <text x="620" y="260">NonceI</text>
                  <text x="168" y="276">EAD_2</text>
                  <text x="200" y="276">=</text>
                  <text x="256" y="276">Attestation</text>
                  <text x="340" y="276">request,</text>
                  <text x="236" y="292">Result</text>
                  <text x="300" y="292">proposal</text>
                  <text x="168" y="356">EAD_3</text>
                  <text x="200" y="356">=</text>
                  <text x="248" y="356">EvidenceI</text>
                  <text x="236" y="372">Result</text>
                  <text x="296" y="372">request</text>
                  <text x="364" y="372">(nonceR)</text>
                  <text x="476" y="420">EvidenceI,</text>
                  <text x="568" y="420">attestation</text>
                  <text x="644" y="420">binder</text>
                  <text x="744" y="436">EvidenceR</text>
                  <text x="792" y="436">+</text>
                  <text x="828" y="436">nonceR</text>
                  <text x="512" y="484">Attestation</text>
                  <text x="588" y="484">result</text>
                  <text x="740" y="548">Result</text>
                  <text x="804" y="548">(nonceR)</text>
                  <text x="168" y="564">EAD_4</text>
                  <text x="200" y="564">=</text>
                  <text x="236" y="564">Result</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
+-----------------------------+             +-----------------+
| Constrained EDHOC Initiator |             | EDHOC Responder |
+-----------------------------+             +-----------------+             +------------+              +------------+
|         A_1/RP_2            |             |    RP_1/A_2     |             | Verifier_1 |              | Verifier_2 |
+--------------+--------------+             +--------+--------+             +------+-----+              +------+-----+
               |                                     |                             |                           |
               |  EAD_1 = Attestation proposal,      |                             |                           |
               |          trigger_PP                 |                             |                           |
               +------------------------------------>|                             |                           |
               |                                     |                             |                           |
               |                                     |                             |                           |
               |                                     |   Attestation proposal      |                           |
               |                                     +---------------------------->|                           |
               |                                     |<----------------------------+                           |
               |                                     |   EvidenceType(s), NonceI   |                           |
               |  EAD_2 = Attestation request,       |                             |                           |
               |          Result proposal            |                             |                           |
               |<------------------------------------+                             |                           |
               |                                     |                             |                           |
               |                                     |                             |                           |
               |  EAD_3 = EvidenceI                  |                             |                           |
               |          Result request (nonceR)    |                             |                           |
               +------------------------------------>|                             |                           |
               |                                     |                             |                           |
               |                                     |EvidenceI, attestation binder|                           |
               |                                     +---------------------------->|    EvidenceR + nonceR     |
               |                                     +--- --- --- --- --- ---  ----+ ---  ---  --- --- --- --->|
               |                                     |                             |                           |
               |                                     |    Attestation result       |                           |
               |                                     |<----------------------------+                           |
               |                                     |                             |                           |
               |                                     |<---  ---  ---  ---  ---  ---+ ---  ---  --- ---  --- ---+
               |                                     |                             |     Result (nonceR)       |
               |  EAD_4 = Result                     |                             |                           |
               |<------------------------------------+                             |                           |
               |                                     |                             |                           |
]]></artwork>
          </artset>
        </figure>
      </section>
    </section>
    <section anchor="verifier">
      <name>Verifier</name>
      <t>The Verifier maintains an explicit trust relationship with the Attester, whereby the Verifier is provisioned with the Attester's attestation public key prior to the remote attestation process.
This explicit relationship may be established through various means, such as manufacturer provisioning, trusted certification authorities, or direct configuration.
Reference values used for comparison against received evidence should also be provided to the Verifier before the attestation.
The evaluation policy employed by the Verifier varies according to specific use cases and should be determined prior to the attestation; such policy definition is out of scope in this specification.</t>
      <t>The Verifier maintains an implicit trust relationship with the Relying Party, established through mechanisms such as web PKI with trusted Certificate Authority (CA) certificates, enabling the Relying Party to trust the attestation result that is generated by the Verifier.</t>
      <section anchor="processing-in-the-background-check-model">
        <name>Processing in the Background-check Model</name>
        <t>The Verifier is connected with the Relying Party and is responsible for evaluating evidence forwarded by the Relying Party.
After the Relying Party receives the EDHOC message carrying the Attestation_proposal (message_1 in (I, BG) or message_2 in (R, BG)) from the Attester, it extracts and transmits the Attestation proposal to the Verifier.
If the Verifier does not support any evidence type for evaluation, it returns an empty list.
Otherwise, alongside the selected evidence type, the Verifier generates a random nonce and sends both elements to the Relying Party.</t>
        <t>When the Relying Party receives the EDHOC message carrying the Evidence (message_3 in (I, BG) or message_4 in (R, BG)), it forwards the evidence and the attestation binder (see <xref target="attestation-binder"/>) to the Verifier for evaluation.</t>
        <t>The evidence evaluation process <bcp14>MUST</bcp14> include the signature verification, nonce validation, and comparison of measurement values against trusted reference values.
An example evaluation procedure for evidence formatted as an Entity Attestation Token (EAT) protected by a COSE_Sign1 structure is as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>Decode the COSE_Sign1 structure and extract constituent components: headers, payload, signature.</t>
          </li>
          <li>
            <t>Verify the signature using the Attester's attestation public key.
The Verifier reconstructs the Sig_Structure, with the attestation binder as the external_aad.</t>
          </li>
          <li>
            <t>Verify that the nonce exists in the Verifier's local nonce list. If the nonce is found, validation passes and the nonce is removed from the list to prevent replay attacks.</t>
          </li>
          <li>
            <t>Compare the received evidence measurement values against the reference value.
The attestation result is returned to the Relying Party, with result generation conforming to the attestation token format defined in <xref target="RFC9711"/>.</t>
          </li>
        </ol>
      </section>
      <section anchor="processing-in-the-passport-model">
        <name>Processing in the Passport Model</name>
        <t>When the Attester utilizes a cached attestation result previously generated by the Verifier, real-time re-evaluation by the Verifier is not required but the attestation result is supposed to be still fresh and valid.
If the Attester receives result_request from the Relying Party and performs real-time attestation with the Verifier, the Verifier then generates the attestation result formatted as an Entity Attestation Token (EAT).
The token uses the "Software Measurement Results (measres)" claim as defined in <xref target="RFC9711"/>, and incorporates the nonce generated by the Relying Party as an input parameter.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This specification builds on EDHOC <xref target="RFC9528"/> and uses EDHOC EAD fields.
The general security and privacy considerations about EAD fields apply to this specification too.</t>
      <t>EAD_1 is not resistant to either active attackers or passive attackers, because neither the Initiator nor the Responder has been authenticated.</t>
      <t>Although EAD_2 is encrypted, the Initiator has not been authenticated, rendering EAD_2 vulnerable against active attackers.</t>
      <t>When included in EAD_1 or EAD_2, the EAD items defined in this document could reveal sensitive information about the Attester, due to their very specific purpose and conveyed information.
The leaking of the data in EAD_1 and/or EAD_2 may be used by attackers for malicious purposes.
Data in EAD_3 and EAD_4 are protected between the Initiator and the Responder in EDHOC.</t>
      <t>The risks discussed above are lower in the case of mutual attestation where the Responder is the Attester.
For the mutual attestation at the EDHOC Responder, only the Attestation_proposal/Result_proposal in EAD_2 is not protected against active attackers.
Both the Attestation_request/Result_request in EAD_3 and the Evidence/Result in EAD_4 are protected.</t>
      <t>The privacy considerations of remote attestation refer to <xref section="11" sectionFormat="of" target="RFC9334"/>.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="edhoc-external-authorization-data-registry">
        <name>EDHOC External Authorization Data Registry</name>
        <t>IANA is requested to register the following entry in the "EDHOC External Authorization Data" registry under the group name "Ephemeral Diffie-Hellman Over COSE (EDHOC)".</t>
        <figure anchor="fig-ead-labels">
          <name>EAD labels.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="272" width="776" viewBox="0 0 776 272" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,256" fill="none" stroke="black"/>
                <path d="M 264,32 L 264,256" fill="none" stroke="black"/>
                <path d="M 328,32 L 328,256" fill="none" stroke="black"/>
                <path d="M 528,32 L 528,256" fill="none" stroke="black"/>
                <path d="M 768,32 L 768,256" fill="none" stroke="black"/>
                <path d="M 8,32 L 768,32" fill="none" stroke="black"/>
                <path d="M 8,62 L 768,62" fill="none" stroke="black"/>
                <path d="M 8,66 L 768,66" fill="none" stroke="black"/>
                <path d="M 8,112 L 768,112" fill="none" stroke="black"/>
                <path d="M 8,160 L 768,160" fill="none" stroke="black"/>
                <path d="M 8,208 L 768,208" fill="none" stroke="black"/>
                <path d="M 8,256 L 768,256" fill="none" stroke="black"/>
                <g class="text">
                  <text x="36" y="52">Name</text>
                  <text x="296" y="52">Label</text>
                  <text x="384" y="52">Description</text>
                  <text x="576" y="52">Reference</text>
                  <text x="44" y="84">Remote</text>
                  <text x="120" y="84">Attestation</text>
                  <text x="180" y="84">BG</text>
                  <text x="292" y="84">TBD1</text>
                  <text x="348" y="84">BG</text>
                  <text x="384" y="84">model</text>
                  <text x="368" y="100">related</text>
                  <text x="448" y="100">information</text>
                  <text x="568" y="100">Section</text>
                  <text x="628" y="100">5.3.1,</text>
                  <text x="684" y="100">5.3.2,</text>
                  <text x="736" y="100">5.3.3</text>
                  <text x="44" y="132">Remote</text>
                  <text x="120" y="132">Attestation</text>
                  <text x="180" y="132">PP</text>
                  <text x="292" y="132">TBD2</text>
                  <text x="348" y="132">PP</text>
                  <text x="384" y="132">model</text>
                  <text x="368" y="148">related</text>
                  <text x="448" y="148">information</text>
                  <text x="568" y="148">Section</text>
                  <text x="628" y="148">5.4.1,</text>
                  <text x="684" y="148">5.4.2,</text>
                  <text x="736" y="148">5.4.3</text>
                  <text x="48" y="180">Trigger</text>
                  <text x="108" y="180">Remote</text>
                  <text x="184" y="180">Attestation</text>
                  <text x="244" y="180">BG</text>
                  <text x="292" y="180">TBD3</text>
                  <text x="368" y="180">trigger</text>
                  <text x="412" y="180">to</text>
                  <text x="448" y="180">start</text>
                  <text x="384" y="196">attestation</text>
                  <text x="444" y="196">in</text>
                  <text x="468" y="196">BG</text>
                  <text x="568" y="196">Section</text>
                  <text x="624" y="196">5.3.4</text>
                  <text x="48" y="228">Trigger</text>
                  <text x="108" y="228">Remote</text>
                  <text x="184" y="228">Attestation</text>
                  <text x="244" y="228">PP</text>
                  <text x="292" y="228">TBD4</text>
                  <text x="368" y="228">trigger</text>
                  <text x="412" y="228">to</text>
                  <text x="448" y="228">start</text>
                  <text x="384" y="244">attestation</text>
                  <text x="444" y="244">in</text>
                  <text x="468" y="244">PP</text>
                  <text x="568" y="244">Section</text>
                  <text x="624" y="244">5.4.4</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
+-------------------------------+-------+------------------------+-----------------------------+
| Name                          | Label | Description            | Reference                   |
+===============================+=======+========================+=============================+
| Remote Attestation BG         | TBD1  | BG model               |                             |
|                               |       | related information    | Section 5.3.1, 5.3.2, 5.3.3 |
+-------------------------------+-------+------------------------+-----------------------------+
| Remote Attestation PP         | TBD2  | PP model               |                             |
|                               |       | related information    | Section 5.4.1, 5.4.2, 5.4.3 |
+-------------------------------+-------+------------------------+-----------------------------+
| Trigger Remote Attestation BG | TBD3  | trigger to start       |                             |
|                               |       | attestation in BG      | Section 5.3.4               |
+-------------------------------+-------+------------------------+-----------------------------+
| Trigger Remote Attestation PP | TBD4  | trigger to start       |                             |
|                               |       | attestation in PP      | Section 5.4.4               |
+-------------------------------+-------+------------------------+-----------------------------+
]]></artwork>
          </artset>
        </figure>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9711">
          <front>
            <title>The Entity Attestation Token (EAT)</title>
            <author fullname="L. Lundblade" initials="L." surname="Lundblade"/>
            <author fullname="G. Mandyam" initials="G." surname="Mandyam"/>
            <author fullname="J. O'Donoghue" initials="J." surname="O'Donoghue"/>
            <author fullname="C. Wallace" initials="C." surname="Wallace"/>
            <date month="April" year="2025"/>
            <abstract>
              <t>An Entity Attestation Token (EAT) provides an attested claims set that describes the state and characteristics of an entity, a device such as a smartphone, an Internet of Things (IoT) device, network equipment, or such. This claims set is used by a relying party, server, or service to determine the type and degree of trust placed in the entity.</t>
              <t>An EAT is either a CBOR Web Token (CWT) or a JSON Web Token (JWT) with attestation-oriented claims.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9711"/>
          <seriesInfo name="DOI" value="10.17487/RFC9711"/>
        </reference>
        <reference anchor="RFC9528">
          <front>
            <title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios, and a main use case is to establish an Object Security for Constrained RESTful Environments (OSCORE) security context. By reusing CBOR Object Signing and Encryption (COSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding, and Constrained Application Protocol (CoAP) for transport, the additional code size can be kept very low.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9528"/>
          <seriesInfo name="DOI" value="10.17487/RFC9528"/>
        </reference>
        <reference anchor="RFC8742">
          <front>
            <title>Concise Binary Object Representation (CBOR) Sequences</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>This document describes the Concise Binary Object Representation (CBOR) Sequence format and associated media type "application/cbor-seq". A CBOR Sequence consists of any number of encoded CBOR data items, simply concatenated in sequence.</t>
              <t>Structured syntax suffixes for media types allow other media types to build on them and make it explicit that they are built on an existing media type as their foundation. This specification defines and registers "+cbor-seq" as a structured syntax suffix for CBOR Sequences.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8742"/>
          <seriesInfo name="DOI" value="10.17487/RFC8742"/>
        </reference>
        <reference anchor="RFC9334">
          <front>
            <title>Remote ATtestation procedureS (RATS) Architecture</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="N. Smith" initials="N." surname="Smith"/>
            <author fullname="W. Pan" initials="W." surname="Pan"/>
            <date month="January" year="2023"/>
            <abstract>
              <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9334"/>
          <seriesInfo name="DOI" value="10.17487/RFC9334"/>
        </reference>
        <reference anchor="RFC8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC8392">
          <front>
            <title>CBOR Web Token (CWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8392"/>
          <seriesInfo name="DOI" value="10.17487/RFC8392"/>
        </reference>
        <reference anchor="RFC5869">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5869"/>
          <seriesInfo name="DOI" value="10.17487/RFC5869"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9393">
          <front>
            <title>Concise Software Identification Tags</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="J. Fitzgerald-McKay" initials="J." surname="Fitzgerald-McKay"/>
            <author fullname="C. Schmidt" initials="C." surname="Schmidt"/>
            <author fullname="D. Waltermire" initials="D." surname="Waltermire"/>
            <date month="June" year="2023"/>
            <abstract>
              <t>ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an extensible XML-based structure to identify and describe individual software components, patches, and installation bundles. SWID tag representations can be too large for devices with network and storage constraints. This document defines a concise representation of SWID tags: Concise SWID (CoSWID) tags. CoSWID supports a set of semantics and features that are similar to those for SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information, all in a more memory-efficient format.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9393"/>
          <seriesInfo name="DOI" value="10.17487/RFC9393"/>
        </reference>
        <reference anchor="RFC8613">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
        <reference anchor="RFC9668">
          <front>
            <title>Using Ephemeral Diffie-Hellman Over COSE (EDHOC) with the Constrained Application Protocol (CoAP) and Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="M. Tiloca" initials="M." surname="Tiloca"/>
            <author fullname="R. Höglund" initials="R." surname="Höglund"/>
            <author fullname="S. Hristozov" initials="S." surname="Hristozov"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <date month="November" year="2024"/>
            <abstract>
              <t>The lightweight authenticated key exchange protocol Ephemeral Diffie-Hellman Over COSE (EDHOC) can be run over the Constrained Application Protocol (CoAP) and used by two peers to establish a Security Context for the security protocol Object Security for Constrained RESTful Environments (OSCORE). This document details this use of the EDHOC protocol by specifying a number of additional and optional mechanisms, including an optimization approach for combining the execution of EDHOC with the first OSCORE transaction. This combination reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9668"/>
          <seriesInfo name="DOI" value="10.17487/RFC9668"/>
        </reference>
        <reference anchor="RFC7252">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="I-D.ietf-iotops-7228bis">
          <front>
            <title>Terminology for Constrained-Node Networks</title>
            <author fullname="Carsten Bormann" initials="C." surname="Bormann">
              <organization>Universität Bremen TZI</organization>
            </author>
            <author fullname="Mehmet Ersue" initials="M." surname="Ersue">
         </author>
            <author fullname="Ari Keränen" initials="A." surname="Keränen">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Carles Gomez" initials="C." surname="Gomez">
              <organization>Universitat Politecnica de Catalunya</organization>
            </author>
            <date day="29" month="June" year="2026"/>
            <abstract>
              <t>   The Internet Protocol Suite is increasingly used on small devices
   with severe constraints on power, memory, and processing resources,
   creating constrained-node networks.  This document provides a number
   of basic terms that have been useful in research and standardization
   work for constrained-node networks.

   This document obsoletes RFC 7228.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-iotops-7228bis-09"/>
        </reference>
        <reference anchor="I-D.ietf-rats-corim">
          <front>
            <title>Concise Reference Integrity Manifest</title>
            <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
              <organization>Fraunhofer SIT</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
              <organization>arm</organization>
            </author>
            <author fullname="Ned Smith" initials="N." surname="Smith">
              <organization>Independent</organization>
            </author>
            <author fullname="Wei Pan" initials="W." surname="Pan">
              <organization>Huawei Technologies</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   Remote Attestation Procedures (RATS) enable Relying Parties to assess
   the trustworthiness of a remote Attester and therefore to decide
   whether or not to engage in secure interactions with it.  Evidence
   about trustworthiness can be rather complex and it is deemed
   unrealistic that every Relying Party is capable of the appraisal of
   Evidence.  Therefore that burden is typically offloaded to a
   Verifier.  In order to conduct Evidence appraisal, a Verifier
   requires not only fresh Evidence from an Attester, but also trusted
   Endorsements and Reference Values from Endorsers and Reference Value
   Providers, such as manufacturers, distributors, or device owners.
   This document specifies the information elements for representing
   Endorsements and Reference Values in CBOR format.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-rats-corim-10"/>
        </reference>
        <reference anchor="I-D.ietf-lake-edhoc-psk">
          <front>
            <title>EDHOC Authenticated with Pre-Shared Keys (PSK)</title>
            <author fullname="Elsa Lopez-Perez" initials="" surname="Lopez-Perez">
              <organization>Inria</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Rafael Marin-Lopez" initials="R." surname="Marin-Lopez">
              <organization>University of Murcia</organization>
            </author>
            <author fullname="Francisco Lopez-Gomez" initials="F." surname="Lopez-Gomez">
              <organization>University of Murcia</organization>
            </author>
            <date day="16" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies a Pre-Shared Key (PSK) authentication method
   for the Ephemeral Diffie-Hellman Over COSE (EDHOC) Lightweight
   Authenticated Key Exchange (LAKE) protocol.  The PSK method provides
   mutual authentication, ephemeral key exchange, identity protection,
   and quantum resistance while incurring lower computational costs than
   the public-key authentication methods specified for EDHOC.  It is
   suited for systems where nodes share a PSK provided out-of-band
   (external PSK) and enables efficient session resumption with less
   computational overhead when the PSK is provided from a previous EDHOC
   session (resumption PSK).  This document details the PSK message
   flow, key derivation changes, message formatting, processing, and
   security considerations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lake-edhoc-psk-08"/>
        </reference>
        <reference anchor="IANA.CWT.Claims" target="https://www.iana.org/assignments/cwt">
          <front>
            <title>CBOR Web Token (CWT) Claims</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="IANA-CoAP-Content-Formats" target="https://www.iana.org/assignments/core-parameters">
          <front>
            <title>CoAP Content-Formats</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="I-D.ietf-lake-authz">
          <front>
            <title>Lightweight Authorization using Ephemeral Diffie-Hellman Over COSE (ELA)</title>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Mališa Vučinić" initials="M." surname="Vučinić">
              <organization>INRIA</organization>
            </author>
            <author fullname="Geovane Fedrecheski" initials="G." surname="Fedrecheski">
              <organization>INRIA</organization>
            </author>
            <author fullname="Michael Richardson" initials="M." surname="Richardson">
              <organization>Sandelman Software Works</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   Ephemeral Diffie-Hellman Over COSE (EDHOC) is a lightweight
   authenticated key exchange protocol intended for use in constrained
   scenarios.  This document specifies Lightweight Authorization using
   EDHOC (ELA).  The procedure allows authorizing enrollment of new
   devices using the extension point defined in EDHOC.  ELA is
   applicable to zero-touch onboarding of new devices to a constrained
   network leveraging trust anchors installed at manufacture time.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lake-authz-08"/>
        </reference>
        <reference anchor="IANA-COSE-Header-Parameters" target="https://www.iana.org/cose/header-parameters">
          <front>
            <title>COSE Header Parameters</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
    </references>
    <?line 848?>

<section anchor="firmware">
      <name>Example: Device Onboarding: Firmware Version Check</name>
      <t>The goal in this device onboarding example is to verify that the firmware running on the device is the latest version, and is neither tampered with nor compromised.
The objective of onboarding is both authentication and integrity verification.
If either one is compromised, the objective fails.
In particular, if the attestation private key is leaked, the device firmware can no longer be trusted, so the value of valid authentication is significantly reduced.</t>
      <t>In this example, a device acts as the Attester, currently in an untrusted state.
The Attester needs to generate the evidence to attest itself.
A gateway that can communicate with the Attester and can control its access to the network acts as the Relying Party.
The gateway will finally decide whether the device can join the network or not depending on the attestation result.
The attestation result is produced by the Verifier, which is a web server that can be seen as the manufacturer of the device.
Therefore it can appraise the evidence that is sent by the Attester.
The remote attestation session starts with the Attester sending EAD_1 in EDHOC message 1.</t>
      <t>An example of the EAD_1 in EDHOC message_1 could be:</t>
      <artwork><![CDATA[
[60,61,258]
]]></artwork>
      <t>If the Verifier and the Relying Party can support at least one evidence type that is proposed by the Attester, the Relying Party will include in the EAD_2 field the same evidence type, alongside a nonce for message freshness.</t>
      <artwork><![CDATA[
(258, h'a29f62a4c6cdaae5')
]]></artwork>
      <t>The Evidence in EAD_3 field is an Entity Attestation Token (EAT) <xref target="RFC9711"/>, with the measurements claim formatted in CoSWID <xref target="RFC9393"/>.
The Evidence is protected by a COSE_Sign1 structure, where the payload of COSE_Sign1 contains the following claims:</t>
      <artwork><![CDATA[
{
/eat-nonce/                 10: h'a29f62a4c6cdaae5',
/ueid/                      256: 'aaabbcc',
/measurements/              273: [
  /CoAP Content-Format ID/        [ 258,
  /evidence in CoSWID/              {
                                      0: 'tagID'             /tag-id/
                                      12: 0                  /tag-version/
                                      1: "DotBot firmware"   /software-name/
                                      2: {                   /entity/
                                          31: "Attester"     /entity-name/
                                          33: 1              /role, must be "tag-creator" which is 1/
                                          },
                                      3: {                   /evidence/
                                          17: [              /file/
                                               {
                                                24: "partition0-nrf52840dk.bin",   /fs-name/
                                                7: [                               /hash of file/
                                                    1,                             /alg SHA-256/
                                                    h'06294f6806b9c685eea795048579cfd02a0c025bc8b5abca42a19ea0ec23e81a'
                                                    ]                              /hash value/
                                                }
                                               ]
                                          }
                                    }
                                  ]
                                 ]
}
]]></artwork>
      <t>The Sig_structure to compute the signature of COSE_Sign1 is:</t>
      <artwork><![CDATA[
Sig_structure = [
    "Signature1",
    h'a10127',      /ED25519 algorithm, same as the protected header in COSE_Sign1/
    h'7b4c94f32a0e6db86d915a444f76525fc32912b2e07dd481a96f627ee98a110c',      /attestation_binder_m3/
    h'A30A48A29F62A4C6CDAAE519010047616161626263631901118182190102A50045746
    16749440C00016F446F74426F74206669726D7761726502A2181F684174746573746572
    18210103A11181A218187819706172746974696F6E302D6E72663532383430646B2E626
    96E078201582006294F6806B9C685EEA795048579CFD02A0C025BC8B5ABCA42A19EA0EC
    23E81A',                                                                   /same as the payload in COSE_Sign1/
]
]]></artwork>
      <t>The complete resulting COSE object is:</t>
      <artwork><![CDATA[
18([
    /*protected header*/
    h'a10127',

    /*unprotected header*/
    {},

    /*payload*/
    h'A30A48A29F62A4C6CDAAE519010047616161626263631901118182190102A50045746
    16749440C00016F446F74426F74206669726D7761726502A2181F684174746573746572
    18210103A11181A218187819706172746974696F6E302D6E72663532383430646B2E626
    96E078201582006294F6806B9C685EEA795048579CFD02A0C025BC8B5ABCA42A19EA0EC
    23E81A',

    /*signature*/
    h'd4100901f4c3e51312c3110c6ddc8dcf7f68d8f5d3791c19133f2f0ac158c1f5ee6ed
    afe9d7c3d6eb3d2d197f82e733d375fdda9fb258b304961dfc38558950d'
])
]]></artwork>
      <t>which has the following base16 encoding:</t>
      <artwork><![CDATA[
D28443A10127A05890A30A48A29F62A4C6CDAAE51901004761616162626363190111818
2190102A5004574616749440C00016F446F74426F74206669726D7761726502A2181F68
417474657374657218210103A11181A218187819706172746974696F6E302D6E7266353
2383430646B2E62696E078201582006294F6806B9C685EEA795048579CFD02A0C025BC8
B5ABCA42A19EA0EC23E81A5840D4100901F4C3E51312C3110C6DDC8DCF7F68D8F5D3791
C19133F2F0AC158C1F5EE6EDAFE9D7C3D6EB3D2D197F82E733D375FDDA9FB258B304961
DFC38558950D
]]></artwork>
      <t>The Relying Party (co-located with the gateway) then treats the Evidence as opaque and sends it together with the attestation_binder_m3 to the Verifier.
Once the Verifier sends back the Attestation Result, the Relying Party can be assured of the version of the firmware that the device is running.</t>
    </section>
    <section anchor="re-attestation">
      <name>Re-attestation</name>
      <t>The trust relationship established during the initial EDHOC exchange may become outdated over time due to changes in Attester state.
To maintain a valid trust relationship, a peer may require updated assurance periodically.
This section presents two re-attestation approaches: re-attestation during EDHOC resumption and re-attestation using OSCORE.</t>
      <section anchor="intra-handshake-re-attestation-using-edhoc-resumption-with-psk">
        <name>Intra-handshake Re-attestation using EDHOC Resumption with PSK</name>
        <t>Remote attestation can be applied during EDHOC session resumption using EDHOC-PSK, as defined in <xref section="6" sectionFormat="of" target="I-D.ietf-lake-edhoc-psk"/>.
This enables re-attestation without public key based authentication.</t>
      </section>
      <section anchor="post-handshake-re-attestation-using-oscore">
        <name>Post-handshake Re-attestation using OSCORE</name>
        <t>Post-handshake attestation can be performed after an EDHOC session using Object Security for Constrained RESTful Environments (OSCORE) <xref target="RFC8613"/>.
In such a case, EDHOC is specifically used to establish an OSCORE Security Context (see Appendix A.1 of <xref target="RFC9668"/>).
OSCORE provides application-layer protection for RESTful message exchanges, for example the Constrained Application Protocol (CoAP), which can be used to carry attestation information.</t>
        <t>Post-handshake attestation decouples the attestation process from the initial handshake, enabling re-attestation throughout the session lifetime and guaranteeing the runtime integrity.</t>
        <section anchor="flight-1">
          <name>Flight 1</name>
          <t>The CoAP client (Attester) initiates attestation with a CoAP request where:</t>
          <ul spacing="normal">
            <li>
              <t>The request method is POST.</t>
            </li>
            <li>
              <t>The Uri-path is "./well-known/attest".</t>
            </li>
            <li>
              <t>The payload is the Attestation_proposal CBOR sequence, where Attestation_proposal is constructed as defined in <xref target="attestation-proposal"/>.</t>
            </li>
          </ul>
        </section>
        <section anchor="flight-2">
          <name>Flight 2</name>
          <t>The CoAP server (Relying Party) receives the request, processes it as described in <xref target="bg"/>, and then prepares Attestation_request as defined in <xref target="attestation-request"/>.
The CoAP server replies with a CoAP response where:</t>
          <ul spacing="normal">
            <li>
              <t>The response code is 2.04 Changed.</t>
            </li>
            <li>
              <t>The payload is the Attestation_request CBOR sequence, as defined in <xref target="attestation-request"/>.</t>
            </li>
          </ul>
        </section>
        <section anchor="flight-3">
          <name>Flight 3</name>
          <t>The CoAP client (Attester) receives the response, processes it as described in <xref target="bg"/>, and then generates the evidence.
The CoAP client sends a CoAP request where:</t>
          <ul spacing="normal">
            <li>
              <t>The request method is POST.</t>
            </li>
            <li>
              <t>The Uri-path is "./well-known/attest".</t>
            </li>
            <li>
              <t>The payload is the Evidence CBOR sequence, as defined in <xref target="evidence"/>.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="differences-between-intra-handshake-and-post-handshake-attestation">
        <name>Differences between Intra-handshake and Post-handshake Attestation</name>
        <t>Intra-handshake attestation embeds evidence exchange into the authentication handshake, cryptographically tying identity to device state and blocking unauthenticated and untrusted devices from completing the handshake.
Post-handshake attestation separates attestation from the authentication handshake, providing modularity that allows attestation mechanisms to be integrated independently of the handshake protocol.
This section compares the two different types of remote attestation methods in terms of performance and security properties.</t>
        <section anchor="performance-properties">
          <name>Performance properties</name>
          <t>Intra-handshake attestation provides round-trip efficiency as attestation occurs within the handshake, requiring no additional round trips.
The intra-handshake attestation defined in this document does not modify the EDHOC protocol itself, though other intra-handshake designs may require changes.
Post-handshake has higher modularity which allows the attestation process to be integrated independently, but it requires additional round trips.</t>
        </section>
        <section anchor="security-properties">
          <name>Security properties</name>
          <t>Remote attestation provides security properties including evidence integrity, freshness guarantees, and replay protection.
Besides, intra-handshake attestation is cryptographically bound to the authentication process, and trust is established before the session begins.
Post-handshake attestation guarantees the runtime integrity which can obtain dynamic measurements during device execution, and can be repeatedly performed throughout the session which has the continuous assurance.</t>
        </section>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors would like to thank Thomas Fossati, Malisa Vucinic, Ionut Mihalcea, Muhammad Usama Sardar, Michael Richardson, Geovane Fedrecheski, John Mattsson and Marco Tiloca for the provided ideas and feedback.</t>
      <t>Work on this document has in part been supported by the Horizon Europe Framework Programme project OpenSwarm (grant agreement No. 101093046).</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+19a3PbRrbgd1X5P+DKHyLFJCU+9JxJ7tB6JNpJYq2kTGoq
lXKBAChiTAK8AGhZI3t/y/6K/QG7f2zPo99okJQsT7J7r1KxLaDRffr06fPu
0+12+8VGlVbT5DjYvEpmeZUEYVUlZRVWaZ4F+fukCM5Ov39zsvliIxyNiuQ9
Nhy25bMorJLbvLg/DsoqfrHxYiPOoyycQXdxEY6rdppU4/Y0fJe0i7C9u/9i
o1yMZmlZQufV/RyaXZzdnL/YyBazUVIcw+fQH/wV5VmZZOWiPA6qYpG82IBh
+wBBkYQw/nUSLYq0uofx7/Li3W2RL+bw+If0dlLdJfhnMFxUkySrUoQvDv6a
3AdnH6JJmN0m8NG75B6+i2HwrEqKLKnapwgsDhun2e1xsACgD2HQJFsgNEHw
6CGCgKe3+QsACH0G32EP9GIWplN4gUj5C6Knkxe39CIsogm8mFTVvDze2cF2
+Ch9n3Rkux18sDMq8rsy2cEedujL27SaLEai0/bd7U4R0vNpiEtp9Cned/iD
TppDy536SnUm1Wy6icsZwiRzXJigjR0GwXgxnfIC/33xYRFmwXWe3fKrNIPl
+nvHeAIQh1n6T6IlxHaRhvwiEUi4pz46JXzxlxRfd8bFpm+w7/7P/ypwsGQa
ZnFSGAN+13Ge2oOeFWlUQv/B8LU9NFAtjiw+/Usi2nWifAYQZHkxgx7e8/IH
wdX5ydFBt2v8ttc71L8dHgx6xrt+f2C8OxocGb/1j4yWe4f7+C7Nxp7x+kd9
47v9rvHb0f6+MfpBb0/2edE+JWJpp3mVz8v2Qa93OEpL920RVmU7yot05r4h
CkjiSR615+U7+Xb407Bz8stN52QapjNAOj2I7ir9un2SDy/hD9hRWdU+p+nI
YWEzMIvBNoHTRjUJi9sEaFWS6t3dXScNs5DJHjjGbTaDz8odADtpz8MC6AJ2
b+mDH6n2n8cmcG+uz9rfJyGsdPtSfVoDD1oF3Cq4dAZYAWCUw4ac8AAmbC82
2u12EI7KqgijCn+/maRlAFxygbMJynkSpeM0KYNJfhdUeTBPCqSFoKgz47AM
oOsqyMcBcJ5gavCi0OJFp+kYuoT5Tqcz2DTA7oJEsKZgXgBhRPmUuXqwdTaf
JLOkCKfuV2+Q9SNGtlvBKCyhWwABxxViYnijIYNOoyReFMl1sHU1vLneJl6W
VklUwcOORMMsjeNpgr+9RNZb5PEiwu/xyZ//rd0+TctoUZbeuWdxgAjDf5f5
LAkWZRJEAFbZabe/fbHhkV2A5jAohahgEKHvahJWAUyNkY7dgqwZp8WspMml
QJu39AG+AtlTViAqqkma4ceA+VBCx+QQbCWd204riJP3aZS0gvK+rJJZiwUG
tucX5Tb0TAOAtEGZ1RGEIMGaJNN5GSDso2laTmCYafI+mdJaIxDyczG4HIYH
HyVAMjD56TS/Q1mDDXlcpKh/5PbQwCADhDyMGCE5IxTlbYocKFDcSOC9SMp8
UUBjAtpAPSOzSP5jkRaJb9XSLJou4oRXIQlGeV5Rj4jvOxDmIAuz8DbBhW0F
0TRf4GrM5osKZtFS8ApAYZ2AZKYw6SrqSJK5XsxmYZH+E8gS6M4iu+DhQfDi
T5+YfkJABPQgaQbngupHcCdkNC/aWvQ9gc0YJ2Mgixj6bh4XMOlBjEBkNSmS
xABLLnJ9KogrfDOkPpKiRb/9jcm4YFqlrTm9x4kA86ruxSDyE1jzDPY5/BIA
acRJBtSxhRuEGEpEjH0bkRyBSoSdpBUAFOOeE7tB7Y1WcDdJo0kwQ8IcAXTz
eRGmyCJG9zZgOH3s5304TeNUwpQ54M+JEyS8A036AcpbTCs5XEo0UAK5AVDT
e6RDNaI1cxoWn84XxTxHQoUZFsk0hc11j9ByW/wHckwYqS34cATEhr+XHZcn
YXdAjrw2szxOpsw9yvCet0GF21l2w+CXi/kcmEcJhF9NxEdMem+yhBREBAzR
WvCw3EYRViM5ICZgtye86qMwIh04i9vRJInecS8wgwvcnGUyG00FbhUd47go
cJLZfJrfg6RSckd3FlBnxCBilGazNEtkLzhP4hWig+Sr0mWWLVwa3LM4NcGU
ABr5oamlMQLBKlggS4ZWiDWEP2OsIrNhkpHw4jKVKBBra2+1S6x2aifI7WLB
YLaUlOluIZjO++Te2EAxML4IaRGQVCdD77ZE4gTeF/NIqifRgbVzxL4KcS3f
UCPv/uCNgWyzvgNbsP3wfYnKBq6tH1Ja4whAga0WVmITUFNQp2zxXx8foBtm
QOEANdOvTZ5zUN5wQfklbubE4WYI/WyRkfZSapzegZGydDnmSN2gEi7HJK4C
yLuS+HQdeeMin3lGyVwIeeUbVsCHVCnibZ7AlClYgtrd/i2sCMhGYWeZGik2
KOt4I5CgiTuVZcICNjpYR6VUMb0d+WlcoVswLf+MWnpKa8Ho9mojgsRiviAB
Vkb5PBGzUGoU4UbMRegg0EEepbwWM+DdIwIFaYf2DmnFreDmh2sNqqZO4yPu
DhvAJG8naj6w3guQVcBI3lyfvLk6o75Q5eINYuqjoj0xPyEqJJQzYKCgGGm1
3bcXbAF1NrxRouUOYEShTkRLos4gWbVRhJD0MxR8c8ayf2g0uMnfwVptwWDb
Qs8Bq/jTJxY2ApHGTgMEsWZBegaL8QjejhKW3pZscXVeLUv8WwklOsp2Jg0A
SbJvVl+ZhfomLhfWy8pcvZLtJJ4r2Pww1+BHYYicDU9BlU2mMW0YasjivdGo
yqVRBSjE5ttmx2yxNJt1fjsOZzmB1lOStmhnku4glOeSxagga6nEoBmZkr75
Pp++15qGNUJIOv04KQpeKIHciwyshLCCUbcutg1mAvsSHSmgIG/DmIw1pQDR
wEWY8eYFZCUf0PMGCGIHkxTCcViFLbWn2I6JxfQ1tv3kAAwBFIuCdoLqghfl
xca1bDqdgoqALZDGJUSoxBPV4higZc38I4TTMhfKWQkIvlPN8bckZjQtMeC1
NxUR/vAwuhWWycPDfE6byN7SKcgKMo6k/Y/Kk2Yw0l5lPBrjlElBxl+xyEiT
z23uCuNcoSUm9xk60NBnQd9KdizZJUCXoX7MvwJJIf6JyM8F/xB2BU1wrDZZ
y2boYAnmoIuz/RFmS+FuCbuRGJdaAoYVcJwwToJ3WX6XSTxsFuaMNt0pUteJ
0u9gwIKU0jnYxswolMygUWHWZLKESnV1XQFKN6O9z8wdlbA8I41EoJztdCGW
ZklYAhLJixWgP0ura77Va9h/ZwLBolPsh6y1kgxx5rmS+h2NZ3h5AV99j44m
FmsSWhyqZBpAmAyJvIwMcJKh9IPA+KYkZqnr7qAO+35OUC4RC2Ub6hS3VEq/
86SQD6GHvgw2f/z5+mazxX8HP72hf1+d/fefL67OTvHf198Pf/hB/WNDtLj+
/s3PP5zqf+kvT978+OPZT6f8MTwNrEcbmz8O/77Jon/zzeXNxZufhj9sMns0
9S2yx3MUY0TIoIgyD9kA6RcV6YhZ6uuTy//9P7sD2N7/Bky+1+0ewX7nXw67
B+geuCNjGEfLM9R4pW18vwH0lYSk9wDLApk5TyugtRZSQTlBwkcturOx8fWv
iJnfjoM/j6J5d/CteIATth5KnFkPCWf1J7WPGYmeR55hFDat5w6mbXiHf7d+
l3g3Hv7536eoIbS7h//+7Qarv7g5yFOLUhNMxxnvEliScThLwdYvtNKEGoZy
9kXJvCpNG7sm4VtrOJNOXr+54ofo3xfM+yV5Td+nyR3+xv0qpYi0YuCV45S2
Cag86QwYoFT1UDigA1m43NAhAn+TIV4V6bwkLtWgHJiMG/a8FtHYV6iFM+9+
ULLALnQ+x2hbQdoU0KF0+7RZIZNKK1NqGMe0VwF2w1sKKwDSNEqkfiy8gpoX
NXjBPGKcd9A6HnESqMQUJapJJ2oBrkxfaG01YeQf0WMKAhY4eojeJHJX8HyY
6XuGI3oSqpT5XGi0IG6RnJCNgvE75eY2mls4JBKEgCwB7TBKgZ3fKw8lGGDE
0M2lhk8AC6iyEZl5nN1KHRTSkXl6FBZFCmuAkEhC/woUJKl8DS3l6xSUL1Tt
T7e1nlXbG1qnA9mBJsQMEakVIRgmCUE/UdpaR25XbUuH5G1BVpakJDj1EmrS
zc3HioLR0z5PsthQaxgNhFESRdJx1GyDWpqJ1HcNr47iG7apG8MmEOsm1NuE
Atl6QNfV0TBQg9X1+GEfHoxu2nE6Qx8+SFFYJqmmorqfZow0lFy6ETEUsbka
CF4rrMe4ikHQ7QQ3Iu5RJsgU07xCfvnwAPbGp0/bPKyibrYfycBd4Ord5p7Z
yxDIlocCnNXflq7gKF9MY3I9W0aPCHrAh1mOdBAEPbDWyFUg4EWVuyX0bQda
Eybhx8oo1mFHv2qSYavBeYPYtehhe6XjxoiqkEq2SFGtwHUyZ3mR3wBq36dF
zhFRNG+SxNFQHh4aQsEov9jLCqolkTv1P8UQq2LCIJ9wFBG86miJWyeRuVT+
La+1CQq56Uj9Fo4fwcuU0WwQV42Xo3iHxUQMIp7ilhkGs6z7VYzPNiCJNG7q
pKgGFTuDJ6R4+gh03BipGGEi3Q+xqLeuI1XHIIVosD4PNi/S96Fg9qYryMUI
TQKHYJYRC+1iiHrOXCjKa7E57UCztCTpbuJAqF50ILwpWCkVMXfFD4U/xfST
OfbkTfNQ0sGGPEesiPU1yCNrCRZghUVkAUjfgqZUsMkwRKB0CzLcJJTSYKN1
TFF85H5eE7MGcFFZkHIMp+beRJMfg31obU6TGP0iIzR0zCm0AmgEWh0Ktgwo
D/SWGFV02y2N4Z4SqDRSgdUyyWIJpRITpIAh+gXWhfvS6qdjrL5P5jhUGAGu
8NdwKntrXqsSOC+aMvYMG53GQ8BPa42mxMDSWMh67ZtXVj2HmCV8FAuKvZ52
sU6AoxGqSriQ8A1INWg4m/P2l75FVmqDMXw7Iavd60bGqH0WgZqapf/E76Cv
Zq+0PSuNvg47RNiBLnuRk6YZgPFGlIyAPTwM56TGfAiGOGdlW/B0QjS2I4rz
NU2lJbxjHOVHpOj4Lr5RHdjLG46mZLnKxigIYFr5DDY15hVUQtegeBxxIODe
cRqhc4TJ7uVLwAGKRcmrlFBzvbMLFGYlWhtAeKZvZKzcci82vmbdUfg2liim
0k4iDq4ZpXgM+GABfy32V79zKBHLXlsvkFr8joH+HJ8eEMuyKIb/CydCIdSO
JjUNVYKvg4vTtydgmr+9MBecbbDx/XobWmtNgsSdL7TO+LVAHDA1sE6mt4Dm
ajLTURJkUOi2T+cUr0AVxARLEY7DWt+OUMss3s76vjnzS1S50MWhfFgqMqlk
tFjOt30N6duzD+SjLR4FxuBZwBgIwStzQqzcFuk4eNmwunpjCJo0lL1mrZz2
Hoh9TAlIKALRoPBIvVkr6R1HST9mz5rgCI/Sxi3l2e6npieXWkP2Wdq+bWcl
RqyKghqquw44+PcZqfVCH4nyomDDAVma3qSoNDwq3koixVwtdHOjjUteX0L6
LxQwxnCC8NdyoAfTHcl2xgxNNDzqvgrpPNDqZhgB5AQzqgYYrclh7yLfViwQ
tEpgeJgZO703+hSZBVY7NSduUiA7Lu2uJPK0SOr0Oj2Le24b2RjWUrZ4CQki
YbPMRURlqetGihJJqJp/mXsMI0wPL9HGlBaI4dryZHa4veqolNXrFfaKBqvs
Vbdb1qvYC69d2hEG5uvvsFug0jVVc6VWoBroz2FwtS3FsCivJs04w9FI4DKU
UzAuCrIwYdYLFdHXKquOsVAC5O1CaSmTJJxWk1agzM5FpLN0JuH7RJsuBYiL
9+T227LF72Gna+k1clM6aSdix6ybwcEJLH7viS+PAxNTbKcJsnoV6nFiHauV
XRD3t3mVKnOpruCnhnUi0jJXrDUp0dOAcwFlYJYy68JbfERBFiWW62aA5Vob
pwUFu3AQDCWXyn5AIzMv3R7K5syVhD9PS2GI6CDp0BYX0C25gil+qgztVMe9
7DUHkglFIg0N4FvsIomSlOJ1pj2qWYuN89rKIzBFAuJHWgceIMQAM14hDM1n
zlq2EO/wybRmxE2k90ktizcLUUlFzIDU9qOzE/0bY0IhWFzGVORtCVeG/lRS
PwX9XDOSiZ+tgJZG4yGp+WUwzWEoI3+jZREu6lcLUECyKmHy1QaUAL7Jpr4x
LQ+po9XTQoXxuyRvykWIyCS2bBsRoQQp6MWIOYCRN5sDJ0HNVjkiluwtlXSn
NpginIZ1aEk/AGYa0ML7QruuAquD5goqniM5PHDbkbNd2MbZfFFpn5zcbD4d
9fV33GESxm+n4Qik1M3r065KZgtB7xyTb6WiJjSa0iuMjt7Kbd6ynqo5o6dW
TaHmoLdUaiP9T0GelnJ941qqRjq2294U6e0tLIR/tkIKVdyozSpjKr11PERd
y++SQC5lQrbwMpl+RN8n8p+9ljidICyXlpHmCmjUjvK2QQpKpaKs9pAIZ7xi
cgaamuags3dQUZukY7H7kHxEy2PvwnLOppqsMTfPgpst+jx7bUrpV8oEK97S
Qgg96qUfANuMko8/1UQcKOIiUdSbyYpbTvWJ6WW5R/v0sYFLISDfyqncUH72
6B+wkqz6aPONgxAsQMlrasQCWQ+zhb4wdwRn84+EikkW5WJxKbwsOByp0HT0
hHPftbYlTp5J3K7BDignLnP5tySBY/bIaHbxDTEM+Yy50TcNnEEl6YcMveFQ
on7/h/MD8slHB98EeFgq6ESjHAyV//BjC/v7E0dShGVKhzCKUOZ/y2AAoI3h
gt0Mn7ATjJwIArkE6rXEq3cwgt6/aN8EvwavaA/jiTbhsf0N2zvPvgkWaVb5
kPBigzgiY76RNAROFQEgOYgZC48Bbd6SskVIqvmVpdLjvP8aQxPA7ChvBH2E
ptLFDFr4lHA4+sCZXSpyumhnYuRurAgXvbU4B3FOyjhzsZOE1avoTsQ9cTZz
JIIiRakI75AkxumUlGI+T4e2znaL9b2Hh8ZThzIZw+E0knnZjEY8JT4DFMmR
MbQGy6QhgCDIvc56MBUL88Fcj769HKzfykwtV+dAiQBqI4r/xGthlMTZZW8+
MIrkH5QmyFo/fJyD+aekr8B1UhS54qX4rYwIMYPgfDa/sfF4DqPExlMYjFIy
Po+/SBhc9nIttL9/CXvxDkbAe98ge0E/nL3bjomVtPAFKYnHYkYl+gq3Djud
/cH2i43fVvKa+h5uilc1GTikxivCdpR84hNr2gLCcdUwjtrNSsl4eCnBrOsH
qDeWpAZM86ghMdYKgNB+RGORBCywnymFgdZPfkf93MjKXGuXrLkVxKJIsHSc
lpLI314Dx+kG7KHB6BA6FRM+bkXJzDciKrU0tUN4JYc3SgDYBj/T8C/JSM7/
5Bc5fzzMDvMX3ijnoEE7B4GU6SMAyi2LWc24ddlx5VGe5PE9kaYt9a6Ys6bN
QwdD4GQfQuww4MO0HKCmdvKQqRAHQ5VxZ5xISI1TnIJjhvfTPKQAk4Hiu9qB
IM57AM5ArnQrP0PyWtqQwqgWqQlZvENZfDNK7OBDW6FIplPHbBu4mQC/TeC3
EfpvgocXG93d4JtvPSwgCP6EQpR24IuN3t6+2+yg0+n3sdkiSWNocdDHFmaS
cpt4QPAn89mLDdpy9WbAq17ZXzMZ/eY0VgrRr/JgfSN7M14es+NiHb4Gs24r
vqNN6WYO5AkUSa3g07Yhd5Tx5ahQpmvG4AOkVgWb5uQ3mfbM9KWT/PqXi1OZ
XnrUR18MPr26+NHM4dEFG2C/qdNE3BvjrWRDTO5hET5MGVyz8ELAapK9e4D6
BSSpTDD2baKXjlIVcETN0alEmE2yQpmiLtQZxcUJVEqwoFOGYcmuDVd74N5g
+Nf3YM2RriJSDuqtgqi4n4NtV4TzCXsQ6EU9cCVVOztKigiUibAqISRUlmfp
fgPInSfKhecBB/Uv2vnk9cQWIR6pJWod3YuZwiPyLJFfVGFH0yu6Vg1PjQ7l
+hxlmKuCkRdmhTahK1tXDVI3g72Yf4Nt7lJ5Cld3SHQ8lV55s3AA8nDKLrqX
+XXixANLJREyWyMQTI+Gp+hoaFhz8/jrAj22wfd/PT1vn32Y43oaaWm0ybDk
iqDmOiPxB7S/MTvc2pXJv29xvi0KpL+dJtltNdmmkjn6JdmH37/t9lrBptH1
ZssI+ZO1iG1wmK3vt5RDZ9twMW2v5Hq7MFFQ24WqOp22/5kUuZXUAduPoTQh
ZmVVyL7Lq7+KLQgUZEyZmJn5kdgJ8rdMeJXFBs8X1XyhAg+Pzjag0UwkapWf
7V1D3WDcYldV8qGSM7VwTZtaoZs6/35rW2WcPAG6tWl3sIxk4a/0vaJYJ9PB
JVqVw7Iu0Q6Ampw+txLxL9Y3WyxaP4BlpYh3lWS1OoAResqO+IAS3cI7vvoX
kYsWMyGXR8hM3c1kD6T1hgG8eKu1ZoOehAINLbmWT0sdVARJgqbOFAVqTIny
8s3bMIw5L0HqjrykIWd7Onr3u0QGOOgY6M+ZHvJ7dZ4lmc1VHERqkyI9j5lo
2qQk/hpsXks8dDcxOh/fv1VD6Okg0C0F8Gqlyu5H2SUYe3GNcaVJO7i0l4Xp
SQPDu4g4j58J1zJ2Gn3zwiXd0NPgET0NEEqJpLXmLNvaU2Xzdbl3/+GlEbWo
WZErIwPEx5WZ4obZ6WPHK41pwHgOUpc0Mul06TF+mdWjwIsogDqlkz/NMRO3
fgMpgEUyl7UejAO4/oka8TFtI/vDGZmj0auAwidZJEB1QGBghIhSlamkREsu
qDbP7ROkAqV1c3/VQvnN/r6dYnIp849EasnlJaaWzOdmasnSsybNKSWGe2Y4
lt5Jf3hznSSLxnF9qbvNwV5PazxHhqQEWjIWjpomQB3CKaK9luRMSMNMHvrI
2sYTpikF6lfGod1gnk/T6J4il+ZAdjJNlatoE0HOkFGap1bH5ansLTP5ZVBL
fnnmVJSblY1kmoKo60Irx6asUt9th8aIM4oaFk8ms8gcN64QtWxN10hK0Qkb
fOAwlXaXCKLjQaMllOjNFGAlgSPmMrncHUcewPDkV9BpSRxAuADEgbvbUKTk
TZx08qXbkO18cchNrTUx3HDalinimSCbekaC3mVAp5hzjTpF0lY5+s37s9aF
zoTxfCYi5EwC8NH7NGwAkvIbiGHK2m4hp7pT9r10cIGimMJ+ohfmJnJLgdGH
KvdeCJ61D5LXszNW0HAzdmhaT2Feq529l5eeHIzemjkYTItGkFU8MDMvrkSR
tN8t7wJm6ORd8Om6P0bexVuZE/yIZAuY0XMlWzgr2JxnYa+sJ8VC8CVfgoUo
9lJPMJGqpwvFw0smazvPYugtkKU+Ukmn5OsR/kV9dgyf6oMJpcvjbXGqnn5l
8H7Bz+tdm93qqj9kQAnbQtdcVZFhb8lXdK8KvUB8yXuSagPoUxVEiutubxmu
WIa7JsWv54Y+azv+8WFPd7HNkKfOMJArcCFEopHi4L4SaQ61x+S68jR+4NrT
NMlvAbX3Imgg5401V3aCCoBaPyGiNowdutF6hXksvfaRDNySG4jB0ccEiEJD
P1kFYWk7ZVbQmKzR8y6Ng63BNkL0Ya8KtvqD7Q5OChMbSuEo8FSOJAnLj+4F
BTC0Bo/Esqhz81zWS5eHqF1uJjmsTHFwSPexmQ6uztWQ1KDZgjgAIb/zRYBb
QmorvTkcUcz5MTvUX/1vVWpC0/78jKwEZ5Gs3XnFD7VzirVP56HcYlKNeSvq
GRfHNYqnONq/L0sU+OSD8WZi5PHmcxGhZHf6nNQk1FcnHDuo04cIejaVXFSJ
0aaOaZZB9VW78+ZxcykJ3Accu8FV4lONURhN/DqyYP/qyGjLCBKqo91Yz0tV
+NFqgLYCDfvAiY7YEOpTmeqkJQ9lWSD17G3LgqLjAPJ0j4a2Hr1psvatir1S
c9cdefLKr4zjtmmlS/SSn1OVtPEknWs+pPiPcmf5TQ8d6SKcWIWxdJpI6aRn
DG/sBHYz+Kldj9IV60uX8JqPSFFLSqESpgsyB2vcz6oTYcbCVLpQ6tsO6zKx
NVnUM6SMrHRXAjTaXSncUut6wVi3/kLuylqh1LXclDVj6bNdlZeXXldlzRhA
TcLVxH8/B+USIhvIqv0llkvSJ6B8vciTjXZSQJTPRmnGZ8yIYH7hSvLkUeGc
kC0+t9dit+c2VwfFoCbe9KHHFTUt6axUtJiGhQD5AtNPMiNy7xaUSWvn+r4O
rvwf6ROBvo9ef6eirUud5F8jSs2WnkK+5+QvoSyMVrB10QrwHCFQmlnb2Dj1
aJzASqzyPeZukHrlUv99wifY1elSG8ey5HxBfr9jCRmAeNWCWYl/0BPkvPga
nupSSAXes0IIVA4c6eZSFXflvKWtWLpAtHSlRt5NdGwaW0T8kVUWRyGJq38J
IbLsE7MwGvnfxSyPa6QzrPOahnOgdF7VssSV0558Csb8WF8wAXKHtcqc4xHp
ms/XJdfaF7VDjJz7h0XqdBUFY8R1Y0DkIZlOFwh7pXPubrHcUHt02x7fxYqV
rfBUG+W/aclkWVZsIes7OKV81q9gRklOorWwAufqBCJeuyAtEsKWTgr7mzyy
qk+O61Kk+TLE4M6xbEU8/VI/q0mkXfc3ju5JLRQC2aQ7U2z4xVWT6on5Mz0t
kESUx8k+3yq3ZZ3PyHOosmVorA5gzWcQrQnbBUpUANY58pbMRkkcG8qgaA76
3pIkJcEYKXuFtlVmuHPPHK3YPVrI+UV+dZAzBzzLJIbV2cu1sVanVnmCcjem
0ivtGadrvRCu1r7KWT2kvZZn6g4XMo2l1ElLHTSnOpKqBFitONs2+0rkFS2k
exSyla7X1nHkG56o5WxdyTnoEgmdwktCkoVaKM65eLQ9GJtzy7TY5qvO8HEp
VBN1yQwebbUrIRsTMw5pO5Oh63SkdVa7REd4XnV+5LbKzgnCsHx/i7+9aq/4
eRXYP74PXr3Y+Bhg8majlAiCj04/8LsrGIKPzwVPUwsC1KTGa5Fu/1HzAA+g
zo5zJ/NRbweeQeMkXi2fgfEvT4tXYgYGXLUf78N1X3/8/ft2hMaz9L2cpL79
TLiRMXcbThx+Lk4e+DzVVtgataLt4JPz+rP6Xv518DqP748bAPi8vpcux7d/
ABps7JtwYqAEDAtWCD59dt9/XoaUNfe8vXd66w29Cu6lgNVY2eP6Fkqf9zDd
Z6+lWidzlYJl36zf9/Kv1+6bVFoFX+tZ+/Zocs/Vt48klhPCHwTfSjvl83HP
2LePp60QLF9CXvafpe8vLy/xvIJaDN+0ntj3A9lgn3wv/yg0+JS+hdyBubWe
vW/x42EXn/7Qcl7gBOBus0V5HAyvHj7R4v8BZHHDD+Kk0zzy56/lR2l1EjKe
r2/AyVfNb9fr2yiswOcT1hl6pX7yzZKfz+VVy79e1TfHqR+Og5e2z5Hvcv5m
8836Ps4GH7m8qUkEq2R67pCTsS47mwHYq5x2NU1vs282IzztXGx+kr5kdpQf
1yxxjy/ZSfim6oS1jK7n9CP7L/Fb6Uw2XHuOHxmbWEUlm9zDMLP2fG65h5s9
rJ5CnJZnVV2bVffcheW7egQxzv3hQ9PpKkNnb+fzhrzGlQcbMFCYNlUoEvkH
V26GGLshex3j+kl/ZnO4bl4zxcxr6czy/icFrSxqKJzs/gxZrpnQmI69btbu
kIJO8hoVRTFO9TkujD6RAVPtjDbX0u/hxOsPbecmb0McguLNq52WlPxhukLT
CtAxZo9nNMWiBqqczXInac3/SfuUe1CD0GSdK7iJg4s52uDKTA6VYuPxXIpS
34yrmPPv3bOD0km5XB9Vlke9GXn7lnklFQv/WOMrK12Ry8bVYsB5yY5S/nF9
irZQ4X8oYrLljeFw3Opte2B1f62B86r2Sr98pWB9lMRb0eBjc3cNTr9HdrfK
c7xUGfBDJ317Brv1gL92d0t/ngV3vXqD9bpb7uZZbt83465XzxZ+EnTw/4Mi
+a1uq9fqb6/rzvm9lqJfb7BWd1+IjPu1xNAnQecsRa/mXPsiS6F8Ba/EaE/t
DpEbBJ4/LIv0kdDRj1ADjHdP6O7PXsjoH0u4sXMgeK3x/mUsYKDorgn8tbt7
snfn+VmAlYksLTxtNjRbeIbhYptYTtpVg2V3dUnq85CvaopDOpVJ905qQ4ZO
GuS3eErKPLpHYeha8nAeRQtRjBqLkaazZC2j0UhAWmo0NiYgUb3VR1uLa5h9
jqG4rn35GdYi1/D9Mpk4bhpIKowgMjxlUWvTNJSayuhWWmtU5H6JGSjOlciU
0cZsHhLnRle9lnnK2c7s5iKQfEBWJNJ5U1eMtJTUronrywyXxmValc21Q63k
b3FJ0ar65Q25QjLrxpx1X1/vZ5w0c8t3+Qr9/zynrqMknavDxZ5RneO5/6qE
JPPmBqfcBDFxAwWDVUtZz2YyLPQ1Mo7s8vru2qh89J/yKpHJNWnJ51uAfqr2
BDooJ1Svy/iyTBEg5gqywJ+vWpZ9wTzVHzBv/LmR+abNhXN8HG1lOZ1lVwE1
GcaNEmp1TsxqPdOjcVjisZbh44rMj76MICPZxzFbG3N2PmsGZmqOC92KrB78
3UgK8mYNrTWDpqwe0cY7VXcNliosT3BUf3xMx4+xz9fr+AkhxnUhdm12kIS1
CT2p46U/f9yOH+MgWLPjx+eEPGbx3ISQpclU63b86Ewqo+MlqVCftXjL0PiE
fIp/BbnVUKHt/8/peBk7eEoaxWdskOVumz8Ed+s/JmPq0Rtk3XSpZyI3Z9TW
s3Vc18yep2PPgv4xpHTz63re0/N07GFgj0LFYxxXfwjRNHhM3tL6O++Rbi0P
P/akBj0LufnSgv6zyjxPqtH/ezJveQLS5+LYyD4KnPSjp3e8NPXoD6x4Pybf
aV1UPDrZ6UuiwusER2/oE9zfXyLBSR2XNVKclh6XraU4UWWuFV7qx5+HfZRf
+7m81GlbJCI9YzaTmtkajunGbCLbP11zKvvqL8r7C40zuehPXFprMTTqdOhD
ok7qUZOj23Zb2l5lAwlcHWZVihJXAHQdm1fSsfm75j5ZEyIPOd87U5qpTg1+
cfaVinvn6qdUzaIloihPTl70NFsIh7arD+JucnmodM0+0ie6LElnRZ5PY58f
m/OJAl/e0bLkIgnNZ8HppgWZ7NvMJLLg5B9vMpIJp0wKcmHxJBKtyEXS+GwS
Oyujs2ZEd2UnTd7LdTpZ6WL+dk1IpFfSmw2z7nSW5sA8CieNP09HbM9osUYn
q7IN1qUTJ83Izm15AmLrGS1uJ75klMch9s8ircP5f4X90zAdJ7niUZC88kAR
mOZHk2/sX753+k1pJOsv8RIr+9n2jlclRtXrCTn/62WErK0KBz8uqgWWI7FH
4V4fXs7obWMyv1EZJ05mLNpA7eKvGm5tC7iektTkMN25DHSVnoZLh0WxHlnC
Z0n1WKOy4TyvuCzqlGuyzfISlbpp8h60dR+Usp4Dpl9bFXrymyDJ3qdFnskq
nOKSRTXpUswLr1ETHdtXNJEu4xkz5MJgWKRO38CG6MJKnlzXZDEbcTkiMoUw
hjUvncI/QVsix1wfK33bMzbiiGtWmMWCZb0+04JoyfrARtb4WsYazUDey2mm
e3t68BRBE3ZDWTaaMHUSbb++JHNE6sw/OaOK9KeyXq0RhDFliki60S96NWVZ
BvTr5b0Rai4d76v3Viq7SNUKNDPxh2+720tMX1lADGhaFm2vfS2kXT3DXjTp
UQ0UsfCNVelqi8EyVV7XW1kGoy9Rxij9LBUb0Uu/oRerTkzt+Ae7Wn1fqtMW
op6xp1jZ0w8Q0M/nnCIQcuLpRwmaIGh+7+gM9jvjsEEA9LJzdWlqaa5Io9+g
SXdnKJq5743N40jDj+b+Wf84gg2z70yCfv9qyXxfyfnab9eQ2atbLXvrTSz1
FAQxKhV/iRHlj0x5uLx8VJ+PHXGlYoc/q45ePmrE32Ud/7AjelM0v9iIK45x
f4ERVxzA/hIjBtqsu+E6c63gJzTuLlb00cgBnCwWnd65DlxPxqrrY12zz0eP
uNJ6X7VS/z/tx2cc0S2OcfHFR5Q/jiN8i1wbV9vPPeJ/yQ7VSq1xy5er8gVG
XIOTS5iupHPr6rNH9Hm66GQT8Id27aST+P8ph7HWaPXFKMdT4PILjvi7yMen
vf2sOXpP6gUNlKO8qF9wjoJJmswxWMLJG8++rT9iw7v/HBLZ6031eoF87lWf
b3Jc96KtdKz+bkftlE0tXU0quod1y/n0UYiuTAyRYg1YLLlBl7RTZfJJOtd+
Lxn+a6mL3e3gesmHprAwLd564H6GF1OaVsdiBEPSUZl5keaq1oXHvyScetKP
qoC1wMT7LUeJddVkNSnyxe0keB/CAIuSS+DrS4tmYbYYh3Q/RKFBT7Pblqo8
EiWFcUVXyFW4MX+ArqSL0wJWC1cNiGpRSJ/eVUIX3UXqqjeiCfYSz+YAS4l9
3SLuK0+RanGhZTgtc3HJB76Ja+egjJK+BrLkrQpcUpmwR3eA4mXL0/zec+UI
YgepMIpycfljrlM6ZI0RPhQnQBuhAx9WdEauLGv1DEj+xIgWw1MGSCqdmo/w
jfoJFssrryRY53IlH2nMEkwFSEtMYxFkcZeMgsu/XohuBCGcKEJIZDH26j7Y
OhluGzSCZJFkOIYIVzinBXMBbUOCBV9CY14U4yyV9OJf8n6gu0mXnZGtoZDu
CCcWY27QepEkqlNDV2fRlQlIupKgoJ2iVOH6b7jNyrp61704ybh/1y6RQ1fU
Svx5j3Bs6TA8zF7y4rwwosj4nE8Yb9eL6tAlmMmHivNsKKEKK/HP0qpeaLzp
OKm+qEnhVvFqcawUL4SzD5ZaeBR3jMrUGOTBeBs63e9mX7YUTvPstkzFTUYq
a8fqumXDssZtTKMcL+uUN/Y01hn6xV+jad0F1FnjOv7rX7SBuWiEGus0aGI6
+xsOTS47/ljjnvZaKG6jxjEZqIgpWffB0lrIK+g5ZVVwLhn7pxtgxRO6d1Ez
f0p6Ckv4EtGvbrsTIkHynMKRI/KWB446ugBSshzPSm/PGSIjFod0z7h2lknf
N/k7WF9O6de3SY3um65RSimxkC8e4St0up3gNIlygRHvR3RlGe83jpOm1QKn
jQgBVQHo71hcRAj8U1wt39LIhWn3Orxw9w7a9QUwK5UM984BoGAKxywise0B
6rfXEubWqjPPRJPivo23YYhX9PUNIEW1fnGy+kNa8q1YJgUCpNMclT5uRPs+
EExF3Uk3RpbeMkiJolVCGlstUW16bx4bp4siMXJXJO8R21isDVQkmA7ICqSl
QSc4IZKUt367isgyEqUPLPJsvuKcoEM2p5UYRzKL68aoteBd+D0qVuLaH88F
jhXRrrhTyUowVdelNQtMO03X4nQqy21RpXgJW7n0mj1ELyqX0/tmud0y7v8r
kraxcz06NIoQVSRutFiWjkmSplQ3+MHGmk752m6iD6IaLamMeg2CeRd2vpMi
nbpCIMK/pTERE6RaaNyRR5QFapch8MzocfxK0BtTwaIU3W5e5+OKrsP40aDe
K3Gj/RaSNIy2vRlE0zCd1a47dS7aA2afF0AmCmq3SINP7zFLIuibVeUtxcF1
AiYczgvDwbDTCnER1cPLUrxpR9Ybce1c7fLU0SKd8g2VIv+GoN/rHX76RMAT
TsQ9QsNTfVMQYo1ngJepCWC45EX6PozuA3t4vIQUJqK7oHxa1mbrQFV5TjPl
AKYi5zKlnHf8SFwTH9IF1oId4S14eUG8zXrYArKOQrRBMvEZpTCoqHmWS+1S
xskngPwRmt5WQQa+FGYKajvq/BxaQUMyi4r7ObxvOf1iL3wRndsTbmUciKov
UD/vF1PEJerJkju6c9OalHXXNieuF9xPy8luMMiS0Bzn0WLGUhNNMGTqtH6y
lKJ5ESOvmK3zxgtZSSMtUF251zbefFEgGxFKCt7XTuOq/gTNTJPwHV0uw+yE
MqnVNODbHTkVaYqzK+TeWGNUT2YhGm5ojotxET2nRmd9AoR9X2Fh3nIp3Sr2
YunLttRddmJLKK0OtK53gMK0jBYlAgUIwvWBzvECtUIKBSqm6ff66Gvll12Z
dy7o0Z+4pXVl1UeL72lssnV2PDcpKupFAtW4WUJ7r3PLE2Md+N1xcl6tNTA1
+B07cd9ZGoXpBh7iv9+INAikyoeHa+H26tJRDmRk/f5ACvAAb6F2+KWQ7Kvv
SbtKboH5FPeU6Yb9iCKsXDQUBi+ogeAtrNqSlZvBR5IyNleOsyn6gW8WfOcV
slkwyedBBhIAephPQBgh0z1Nx8BJ298n0+kMBAX6G/k2bi6sur35tBwko+LH
qgYNbzHX5ycEdomz9Qe6LPMjKP1lVKR0ZbLdQHu/vP7YV8uOn8HPK+fvxgYN
b3EOnts6X39ngHjz+rSLf8NDzjp8lL/ZzIhqwpL8m/xSNjflF5Le9zr9TrdF
f/X4r/7qXK/nWWn/zagWlnr4Nzz8/bE0YCwNGEuDfx2WltwjC+RDWOojqCJv
St/f++xYcjIuJUXbtDRwP//dsQTkQ1ga/C5YkhRt09LvgiVvJCoJ4zbdP1zK
8BOqgPykwzEc+Jrye1kUnrH75xgYMGXovslGeUh+++PgXF4F+DdxPeAJ+YIf
Xqrr+6SYvs1ZmWDVknvKVU/WTYX1OwjVjYPOdYOiH6EW2TcVtqRfWSnyMEJS
SDd0JoIjYIGmJakTCGU++kfC6gzoBAZ4qXBfOjnzbLFVyS1ZNKZLjo1gMTLm
pZMjXA3HurcebRym09rty60gHdcsV1J3gOAxigV9ooosuxPYUMjCw4tZHqAz
l4I30s3XCkr2bfAl2DBTstvdyaGlld5mNKWsmt7LQwAdbwZ/qLLujbPA2hgA
ow9ENPbCh0gXmfQ54sRqp1JVDXdp+NouWbeCPNW/v4Vmd6GgGt9JW9snQbYH
tQJQ8inVZwwjcrs69eGt082Ov5pIWwx8R86QNKPzHO6pUb0+OGjt1ksyLdGp
NBcnjwWF150WS71eQF98UKPmD1KHTkIKN8mC9hJX6Mwh05OnaQUqpflF4JvF
BOWRZjDPizAt3UUSwSW8bVvCY1guN/7Ia4leM/ybL/Gtr5s8mi3sfefKiKDL
lrf2Wgvo/c3hUSQCjMeOCizY5q/7u639bqu3d/ib73U9KtNwEzOgSYVpKty2
QLzIF+x4jcQZm196HfVGqndNZCeDBIKs2GQj7wk7sFHHduI3OsoTyquJdXSE
nXoZx8B9E98CjLSCyVdh72i83wsH0X4Uh2Gy99W2H003ZmxG2XwMYbpOsMBy
lSmyMDzGpfCwaaceDHOSX/9ycSo+7h/1dTEBo27oGnGIlmGPi4ABUpbR1Cqt
qo06gqlsIK6HFxs7SVi1Cf07NR2ju3vsw3ALvlokaVz/gH56e/vHwVdhGI5G
UUSNTSQ5H/UO+sfBr5gms3OSDy/R5MWzRe1zdnJfnKr2vwa44tQyMdaREez0
+rCkCKf1AxP8qgpvL07tWik78KwNE1y3m27vONitP6ZuhDqwfl/HweZpXr0G
biwl6Sb2VQo3bxuN67V762ENHg9kfKvM2t3gTx8hk4xg0+zmcSBRX7DqXfvR
Dl7Z3gpmmC4A0mATcRcVCTq8NrX06D5qmE+tdVv3m/AknUGPGbZ7ADTtdDRO
p4/rhH7WJmT90xvAMpEShyxst50V473e4WA3ftcZpdlmi4ApH79k/FOfWe1n
ZxKWE76n+ylTpp9u/co+a4hwehtcfz9sA6954giTr3b3e0eD8f7h7v7oKNo/
3EuS8OBob3dwuHdwFI3j3V64G+329kbR4WgvHEXhoBd2j5JwN4l6/eSwG371
tIF/W/6asUea8RNm9unRn/z2qP20XuO1mq0zMLT51CzOMX6tY+5UF2U2X1Ru
poItJlO/LKRO7Q6/YbkUBJvXsq/upmAoIBW7u93ewVeCTnfOTnt7e90jUGpu
MVFqMmuxzhOq4j5CwnPYnySXAmpHdnowGkRAk30gvWQ/Hh3ux0fdvXAwGIwP
9vd6e+Oo3zvq9ka9ZPcgjgdAg0f7IJoPkuToMOx2dyMFjqHRvuUQ/ttZXw0z
7O8OB4fD3tH5fm84ONk/OR0OzwD63e7u7uBgv0v/9eC//n4fn3a7h93DHr3v
Dfegzd7BYJ876+4fDI4Gg92T3d3d7v75YLB/fjAY9PDP3u7+/v7RQW//9AD6
hL/34OsedHW+fzjoHgygj72DPv3ZE53BIDBGf0gjUtvDg8Pu0cEufg8tj/D/
/fP9s/5u73T/DPrc7+/1e/3D/qC/uz/Yf907A6i5s6P9s92Dw95udw/+oL1+
jnv99dEJ7PWzs6Ha6yfnpwAYzKC39/rk8PXe8PXJcNAbdo/OhrtnJ9xZr38G
AH21nCut97Nj0YVQ5Vxy8Oj6iuxlGXZhdqGSR750tuaXEHj3cEtQ9M7XLkF+
veMSNnbCbRdZU+uHT0YzMZev/4vMPpvMNFIVG9NojQeAP0DSeBD1k71uv9uL
+rj59+M4Ooyj8QHItPhwvBf3D466Ufeo2++Pe+PdMAIQo+4Y5Nx+EnNn4Tg5
ig+ifryfjPpxLwYcjA97yUG/Dx/vjeM4PBqPQO0e9XcHR/vdGBjQ4d7eIUwp
Bun3m8fUIiplbW0SurbIKCyT7j4GoXNy33GCgLeTU1BZBrBCSIvDXRhy90nU
9GLDpacnUtKLDZeWnkhFAJFDR0+koBcbLg0x9eyBrncqSOR8cNI/IxI5QRI5
2T89PTk8PTk/gBFOD8/3TpFEXmycEJGc9853hycAxUn3HMbdPzsdnp8dnR6c
9AH61/3T3ilM7vywdwbkAR/unZ+eDo/OXwN5vGbygFU7P5EEcrqEg9n+g60o
b2NemJWhK3xa25xIU6Ed4FySAdSVz8P/WJgpnpgdveyuDC0LPemtb9hpZLhS
RN5oGL2rpclybNjnDhHerLBEkzeW7h9hBcpflY9UuZi1K1n4mEUg+CoxD21I
DHpywM1c73hRyDRBLqYxFW4ndUUHJyxEeDllvqhiQj7VoKFMJ5E6wW0pj0+7
v6S7NFfp6UEoHLh1qNAvO08olf1e5ngFizmPRygKEetzwHiOBQyn03t55kHW
zpmDmOOM3TuMXLetFIM5SCZMVCuP3VcCBTxtlJSzuXKZO005p/LN9cmbqzOZ
P3eRVUVo3Ily5ftEpTbIzonmLq//ip1c1X2LkjSwOp9eJe5F+h0NUI1B2tBp
q5a7JQM8+0hWF+3TTppU4/YU4G0n8SSP2vPynXA4Ue4PpuyU7uwRZkyeMU6n
IJ923fEqsdC+K8aLF0YlfnDZfLOMQIaur8OVEMPMQYjokpUblUqGrkKzusjV
2fXNeAFkblQhCrYYEOG7O9zvsvvtIhMnHyj9paVPMqnELnSgL0SaodpXCBp3
aGW0VcmHihOxh3Nynn8Ihh3K6WCn3/7+IV9GI77V1yzpIo2wZvd8IqcSS4rz
k3OSLlG5ecsWZz0LBzNlIRuoGBrFHy+hxzzKp8EWete21TVMjHs5RUpgd+KI
Zi7U0nWMgYss5lNPkqPMIldZlpIXqY6MwyMOVYrTKjKrSxLDNB0nnIsJ2/h2
EQL7qJJE8jrgnPRShcQE0b4Mzqfp7aQKupJ/kq9R3vgredu2UZG1lusZ8jcy
a4i8saTAfB1wJIGfz0D45ORRvnxzfdORr38u0vY8rMiFtdnZuUum0/a7LL/L
hKW2qVoqi6B2NEPnRJ28fnMFKIERqfY/e4a9Lfn4C9u0nGVqMRDz4ID8RuUQ
K6z1LKzJy5Utqbdtn49QZRsECSTy1uqYcmhG5q1tLRmxIFaPydmlL21rKeyi
jXKum4DKK7vtVaSjPolnGcULyu8H7PU6u4PghLZdvM4aSWidJVoXeAvv/RXU
6qCcIX8szu0cZenu7NQHlrV/f5dtoLS+FXiV8OtEeEw94+ysUmVTusIdkeFw
uKGtc9W+MIvi4TVypXGORupYwIZEDr8d2DbYH2Xj5rdFOJ8IsVPRplLXvuPV
9qwZkuJFoI5AW6a81EVmX8JGOdAqsM3fCfYrnAaSUyoQOkt5e4n7scYPFT9v
nhcLORxtlseYS0BzQV03pIM0Vn/GiURO62f+LRKkOCTNsXuhPWtg50K+uUoj
nzwSRI2KYyzIoBIXHvrTM5ls+eBKgsn/0EwoKKE+TCZkPzJMPAiZlGrjXhpt
9etVBKQ0Aj7OiOULg2QMegjsu4iT683T2HggmtmZCLYaeGcVG/Ge5UEYxxQD
ADlgF0a8IVncDFBjJrY68QerKs8msfYkF0IkRKBhRJnnXNfQHQwmS9ctmlaB
0G3qBIl+hAkwRLQiNDGxIiOoqUnzWE5OLTpskqrDJ2UzxuQCX9cXv0HXV4vq
oRcRLbdOliqdpaVD31rDKVvCcKETTVpPxFznBGPoZWvpiqIeUGM1I56il0cJ
DApBQXYdmhCGjWkcxpba2Si5TTPPCpqQ6Cn5VTZDQxUl3+P7LJyBZWKF2oXt
JHhj8gGQbJw7ZPUWsJXgqsNUtZXRoFjaLitRYB1T9pWRKuzxYYQCa5rEtwQI
5rVx/dEk/mZzHE7LZFPlnPHpedirlOIxTd+JAwlh9g6EXD6D0c5z0O2rtBX8
CBZ0GQZ/W0SghEat4CLPAMQf00k4jZIQ3i8m4WwGEvHnMpyFwXVYxJih9SOA
HSbT4Ar/LuISUfBdkr8PsyQ4T2JQEcA4fgf9/7d8ksEgVVWWwgr+MSyiPLhJ
0feiS0PKs/fwR8iH7sZJEqMPhM90ULKQyxcQbymnjvEJEn3RrEgg+R5zx/Hg
zgJ3QXCOZ4Qo8QgsFKDJ2YyGJhvvDWzQ67uwmAVbt0gqQXhbJHyq6ae8E6DT
7ai/O9jfFvvy/wJx1Hjv6wYBAA==

-->

</rfc>
