<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-klrc-aiagent-auth-03" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="AI-Auth">AI Agent Authentication and Authorization</title>
    <seriesInfo name="Internet-Draft" value="draft-klrc-aiagent-auth-03"/>
    <author fullname="Pieter Kasselman">
      <organization>Defakto Security</organization>
      <address>
        <email>pieter@defakto.security</email>
      </address>
    </author>
    <author fullname="Jean-François Lombardo">
      <organization>AWS</organization>
      <address>
        <email>jeffsec@amazon.com</email>
      </address>
    </author>
    <author fullname="Yaroslav Rosomakho">
      <organization>Zscaler</organization>
      <address>
        <email>yrosomakho@zscaler.com</email>
      </address>
    </author>
    <author fullname="Brian Campbell">
      <organization>Ping Identity</organization>
      <address>
        <email>bcampbell@pingidentity.com</email>
      </address>
    </author>
    <author fullname="Nick Steele">
      <organization>OpenAI</organization>
      <address>
        <email>steele@openai.com</email>
      </address>
    </author>
    <author fullname="Aaron Parecki">
      <organization>Okta</organization>
      <address>
        <email>aaron@parecki.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <keyword>OAuth</keyword>
    <keyword>WIMSE</keyword>
    <keyword>SPIFFE</keyword>
    <keyword>Secure Signals Framework</keyword>
    <keyword>AI Agent Authentication and Authorization</keyword>
    <abstract>
      <?line 125?>

<t>This document proposes best practices for authentication and authorization of AI agent interactions. It leverages existing standards such as the Workload Identity in Multi-System Environments (WIMSE) architecture and OAuth 2.0 family of specifications. Rather than defining new protocols, this document describes how existing and widely deployed standards can be applied or extended to establish agent authentication and authorization. By doing so, it aims to provide a framework within which to use existing standards, identify gaps and guide future standardization efforts for agent authentication and authorization.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://PieterKas.github.io/agent2agent-auth-framework/draft-klrc-aiagent-auth.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/PieterKas/agent2agent-auth-framework"/>.</t>
    </note>
  </front>
  <middle>
    <?line 129?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The rapid emergence of AI agents as autonomous workloads has sparked considerable innovation in authentication and authorization approaches. However, many of these efforts develop solutions in isolation, often reinventing existing mechanisms unaware of applicable prior art. This fragmentation risks creating incompatible implementations, duplicated development effort, and missed opportunities to leverage decades of established identity and authorization standards.</t>
      <t>This document aims to help close that gap by providing a comprehensive model demonstrating how existing, well-established standards and some emergent specifications can be composed and applied to solve agent authentication and authorization challenges. Rather than proposing new protocols, this work focuses on integrating proven standards into a coherent framework tailored to the specific requirements of AI agent workloads.</t>
      <t>By doing so, this document serves two complementary goals:</t>
      <ol spacing="normal" type="1"><li>
          <t><strong>Consolidation of prior art</strong>: It establishes a baseline by showing how existing standards address the core identity, authentication, authorization, monitoring and observability needs of agent-based systems. Implementers and standards developers can reference this framework to avoid redundant work and ensure interoperability.</t>
        </li>
        <li>
          <t><strong>Foundation for future work</strong>: As the agent ecosystem matures, having such a framework aids in identifying gaps and clarifies where extensions or profiles of existing standards are needed. This provides a foundation for more focused standardization efforts in areas needing novel work rather than variations of existing approaches.</t>
        </li>
      </ol>
    </section>
    <section anchor="document-status">
      <name>Document Status</name>
      <t>This document profiles existing standards and emerging specifications from the IETF, CNCF, and OpenID Foundation, as well as third-party protocols and mechanisms, for the AI agent use case. It defines best current practices for combining these and identifies new requirements specific to agent authentication and authorization.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="agents-are-workloads">
      <name>Agents are workloads</name>
      <t>An Agent is a workload that iteratively interacts with a Large Language Model (LLM) and a set of Tools, Services and Resources. An agent performs its operations until a terminating condition, determined either by the LLM or by the agent's internal logic, is reached. It may receive input from a user, or act autonomously. <xref target="fig-ai-agent-workload"/> shows a conceptual model of the AI Agent as a workload and illustrates the high-level interaction model between the User or System, the AI Agent, the Large Language Model (LLM), Tools, Services, and Resources.</t>
      <t>In this document, Tools, Services, and Resources are treated as a single category of external endpoints that an agent invokes or interacts with to complete a task. Communication within or between Tools, Services, and Resources is out of scope.</t>
      <figure anchor="fig-ai-agent-workload">
        <name>AI Agent as a Workload</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="416" viewBox="0 0 416 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,176 L 8,240" fill="none" stroke="black"/>
              <path d="M 80,176 L 80,240" fill="none" stroke="black"/>
              <path d="M 136,32 L 136,80" fill="none" stroke="black"/>
              <path d="M 144,176 L 144,240" fill="none" stroke="black"/>
              <path d="M 184,88 L 184,112" fill="none" stroke="black"/>
              <path d="M 184,144 L 184,168" fill="none" stroke="black"/>
              <path d="M 216,88 L 216,112" fill="none" stroke="black"/>
              <path d="M 216,144 L 216,168" fill="none" stroke="black"/>
              <path d="M 248,176 L 248,240" fill="none" stroke="black"/>
              <path d="M 272,32 L 272,80" fill="none" stroke="black"/>
              <path d="M 312,176 L 312,240" fill="none" stroke="black"/>
              <path d="M 408,176 L 408,240" fill="none" stroke="black"/>
              <path d="M 136,32 L 272,32" fill="none" stroke="black"/>
              <path d="M 136,80 L 272,80" fill="none" stroke="black"/>
              <path d="M 8,176 L 80,176" fill="none" stroke="black"/>
              <path d="M 144,176 L 248,176" fill="none" stroke="black"/>
              <path d="M 312,176 L 408,176" fill="none" stroke="black"/>
              <path d="M 88,192 L 104,192" fill="none" stroke="black"/>
              <path d="M 120,192 L 136,192" fill="none" stroke="black"/>
              <path d="M 256,192 L 272,192" fill="none" stroke="black"/>
              <path d="M 288,192 L 304,192" fill="none" stroke="black"/>
              <path d="M 88,224 L 104,224" fill="none" stroke="black"/>
              <path d="M 120,224 L 136,224" fill="none" stroke="black"/>
              <path d="M 256,224 L 272,224" fill="none" stroke="black"/>
              <path d="M 288,224 L 304,224" fill="none" stroke="black"/>
              <path d="M 8,240 L 80,240" fill="none" stroke="black"/>
              <path d="M 144,240 L 248,240" fill="none" stroke="black"/>
              <path d="M 312,240 L 408,240" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="312,192 300,186.4 300,197.6" fill="black" transform="rotate(0,304,192)"/>
              <polygon class="arrowhead" points="264,224 252,218.4 252,229.6" fill="black" transform="rotate(180,256,224)"/>
              <polygon class="arrowhead" points="224,168 212,162.4 212,173.6" fill="black" transform="rotate(90,216,168)"/>
              <polygon class="arrowhead" points="192,88 180,82.4 180,93.6" fill="black" transform="rotate(270,184,88)"/>
              <polygon class="arrowhead" points="144,192 132,186.4 132,197.6" fill="black" transform="rotate(0,136,192)"/>
              <polygon class="arrowhead" points="96,224 84,218.4 84,229.6" fill="black" transform="rotate(180,88,224)"/>
              <g class="text">
                <text x="168" y="52">Large</text>
                <text x="228" y="52">Language</text>
                <text x="184" y="68">Model</text>
                <text x="232" y="68">(LLM)</text>
                <text x="184" y="132">(2)</text>
                <text x="216" y="132">(3)</text>
                <text x="44" y="196">User</text>
                <text x="112" y="196">1</text>
                <text x="172" y="196">AI</text>
                <text x="208" y="196">Agent</text>
                <text x="280" y="196">4</text>
                <text x="360" y="196">Tools</text>
                <text x="44" y="212">or</text>
                <text x="196" y="212">(workload)</text>
                <text x="356" y="212">Services</text>
                <text x="44" y="228">System</text>
                <text x="112" y="228">6</text>
                <text x="280" y="228">5</text>
                <text x="360" y="228">Resources</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
                +----------------+
                | Large Language |
                |   Model (LLM)  |
                +----------------+
                      ^   |
                      |   |
                     (2) (3)
                      |   |
                      |   v
+--------+       +------------+       +-----------+
|  User  |--(1)->|  AI Agent  |--(4)->|   Tools   |
|   or   |       | (workload) |       | Services  |
| System |<-(6)--|            |<-(5)--| Resources |
+--------+       +------------+       +-----------+
]]></artwork>
        </artset>
      </figure>
      <ol spacing="normal" type="1"><li>
          <t>Optional: The User or System (e.g. a batch job or another Agent) provides an initial request or instruction to the AI Agent.</t>
        </li>
        <li>
          <t>The AI Agent provides the available context to the LLM. Context is implementation, and deployment, specific and may include User or System input, system prompts, Tool descriptions, prior Tool, Service and Resource outputs, and other relevant state.</t>
        </li>
        <li>
          <t>The LLM returns output to the AI Agent facilitating selection of Tools, Services or Resources to invoke.</t>
        </li>
        <li>
          <t>The AI Agent invokes one or more external endpoints of selected Tools, Services or Resources. A Tool endpoint may itself be implemented by another AI agent.</t>
        </li>
        <li>
          <t>The external endpoint of the Tools, Services or Resources returns a result of the operation to the AI Agent, which may send the information as additional context to the Large Language Model, repeating steps 2-5 until the exit condition is reached and the task is completed.</t>
        </li>
        <li>
          <t>Optional: Once the exit condition is reached in step 5, the AI Agent may return a response to the User or System. The AI Agent may also return intermediate results or request additional input.</t>
        </li>
      </ol>
      <t>As shown in <xref target="fig-ai-agent-workload"/>, the AI agent is a workload that needs an identifier and credentials so it can be authenticated by the Tools, Services, Resources, Large Language Model, System and the User (via the underlying operating system or platform, similar to existing applications and services). Once authenticated, these parties determine if the AI Agent is authorized to access the requested Large Language Model, Tools, Services or Resources. If the AI Agent is acting on behalf of a User or System, the User or System needs to delegate authority to the AI Agent, and the User or System context is preserved and used as input to authorization decisions and recorded in audit trails.</t>
      <t>This document describes how AI Agents should leverage existing standards defined by SPIFFE <xref target="SPIFFE"/>, WIMSE, OAuth and OpenID SSF <xref target="SSF"/>.</t>
    </section>
    <section anchor="agent-identity-management-system">
      <name>Agent Identity Management System</name>
      <t>This document defines the term Agent Identity Management System (AIMS) as a conceptual model describing the set of functions required to establish, maintain, and evaluate the identity and permissions of an agent workload. AIMS does not refer to a single product, protocol, or deployment architecture. AIMS may be implemented by one component or distributed across multiple systems (such as identity providers, provisioning services, authorization servers, policy engines, and runtime enforcement points).</t>
      <t>An Agent Identity Management System ensures that the right Agent has access to the right resources and tools at the right time for the right reason. An Agent identity management system depends on the following components to achieve its goals:</t>
      <ul spacing="normal">
        <li>
          <t><strong>Agent Identifiers:</strong> Unique identifier assigned to every Agent.</t>
        </li>
        <li>
          <t><strong>Agent Credentials:</strong> Cryptographic binding between the Agent Identifier and attributes of the Agent.</t>
        </li>
        <li>
          <t><strong>Agent Credential Provisioning:</strong> The mechanism for provisioning credentials to the agent at runtime.</t>
        </li>
        <li>
          <t><strong>Agent Authentication:</strong> Protocols and mechanisms used by the Agent to authenticate itself to Large Language Models or Tools (resource or server) in the system.</t>
        </li>
        <li>
          <t><strong>Agent Authorization:</strong> Protocols and systems used to determine if an Agent is allowed to access a Large Language Model or Tool (resource or server).</t>
        </li>
        <li>
          <t><strong>Agent Observability and Remediation:</strong> Protocols and mechanisms to dynamically modify the authorization decisions based on observed behavior and system state.</t>
        </li>
        <li>
          <t><strong>Agent Authentication and Authorization Policy:</strong> The configuration and rules for each of the Agent Identity Management System.</t>
        </li>
        <li>
          <t><strong>Agent Compliance:</strong> Measurement of the state and functioning of the system against the stated policies.</t>
        </li>
      </ul>
      <t>The components form a logical stack in which higher layers depend on guarantees provided by lower layers, as illustrated in <xref target="fig-agent-identity-management-system"/>.</t>
      <figure anchor="fig-agent-identity-management-system">
        <name>Agent Identity Management System</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="560" viewBox="0 0 560 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,32 L 8,240" fill="none" stroke="black"/>
              <path d="M 128,32 L 128,240" fill="none" stroke="black"/>
              <path d="M 408,32 L 408,240" fill="none" stroke="black"/>
              <path d="M 552,32 L 552,240" fill="none" stroke="black"/>
              <path d="M 8,32 L 552,32" fill="none" stroke="black"/>
              <path d="M 128,80 L 408,80" fill="none" stroke="black"/>
              <path d="M 128,112 L 408,112" fill="none" stroke="black"/>
              <path d="M 128,144 L 408,144" fill="none" stroke="black"/>
              <path d="M 128,176 L 408,176" fill="none" stroke="black"/>
              <path d="M 128,208 L 408,208" fill="none" stroke="black"/>
              <path d="M 8,240 L 552,240" fill="none" stroke="black"/>
              <g class="text">
                <text x="68" y="52">Policy</text>
                <text x="216" y="52">Monitoring,</text>
                <text x="320" y="52">Observability</text>
                <text x="484" y="52">Compliance</text>
                <text x="216" y="68">&amp;</text>
                <text x="272" y="68">Remediation</text>
                <text x="264" y="100">Authorization</text>
                <text x="268" y="132">Authentication</text>
                <text x="260" y="164">Provisioning</text>
                <text x="264" y="196">Credentials</text>
                <text x="260" y="228">Identifier</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
+--------------+----------------------------------+-----------------+
|    Policy    |     Monitoring, Observability    |    Compliance   |
|              |          & Remediation           |                 |
|              +----------------------------------+                 |
|              |          Authorization           |                 |
|              +----------------------------------+                 |
|              |          Authentication          |                 |
|              +----------------------------------+                 |
|              |          Provisioning            |                 |
|              +----------------------------------+                 |
|              |           Credentials            |                 |
|              +----------------------------------+                 |
|              |           Identifier             |                 |
+--------------+----------------------------------+-----------------+
]]></artwork>
        </artset>
      </figure>
    </section>
    <section anchor="agent_identifiers">
      <name>Agent Identifier</name>
      <t>Agents <bcp14>MUST</bcp14> be uniquely identified in order to support authentication, authorization, auditing, and delegation.</t>
      <t>The Workload Identity in Multi-System Environments (WIMSE) identifier as defined by <xref target="WIMSE-ID"/> is the primary identifier for agents in this framework.</t>
      <t>A WIMSE identifier is a URI that uniquely identifies a workload within a trust domain. Authorization decisions, delegation semantics, and audit records rely on this identifier remaining stable for the lifetime of the workload identity.</t>
      <t>The Secure Production Identity Framework for Everyone (<xref target="SPIFFE"/>) identifier is a widely deployed and operationally mature instance of the WIMSE identifier model <xref target="WIMSE-ID"/>. A SPIFFE identifier (<xref target="SPIFFE-ID"/>) is a URI in the form of <tt>spiffe://&lt;trust-domain&gt;/&lt;path&gt;</tt> that uniquely identifies a workload within a trust domain.</t>
      <t>An agent participating in this framework <bcp14>MUST</bcp14> be assigned exactly one WIMSE identifier, which <bcp14>MAY</bcp14> be a SPIFFE ID.</t>
    </section>
    <section anchor="agent_credentials">
      <name>Agent Credentials</name>
      <t>Agents <bcp14>MUST</bcp14> possess credentials that provide a cryptographic binding to the agent identifier. These credentials are considered primary credentials that are provisioned at runtime. An identifier alone is insufficient unless it can be verified to be controlled by the communicating agent through a cryptographic binding.</t>
      <t>WIMSE defines two credential formats in <xref target="WIMSE-CRED"/>: the Workload Identity Token (WIT) and the transport-layer X.509 Workload Identity Certificate (WIC), both of which bind a cryptographic key to a workload identifier for use in authentication. SPIFFE defines three credential formats: the X.509-SVID <xref target="SPIFFE-X509-SVID"/>, WIT-SVID <xref target="SPIFFE-WIT-SVID"/>, and JWT-SVID <xref target="SPIFFE-JWT-SVID"/>. X.509-SVID is compatible with WIC, while WIT-SVID profiles WIT. JWT-SVIDs are short-lived bearer credentials used for JWT-based authentication. The choice of credential format depends on the deployment’s trust model and integration requirements.</t>
      <t>Agent credentials <bcp14>SHOULD</bcp14> be short-lived to minimize the risk of credential theft, <bcp14>MUST</bcp14> include an explicit expiration time after which it is no longer accepted, and <bcp14>MAY</bcp14> carry additional attributes relevant to the agent (for example trust domain, attestation evidence, or workload metadata).</t>
      <t>Deployments can improve the assurance of agent identity by protecting private keys using hardware-backed or isolated cryptographic storage such as TPMs, secure enclaves, or platform security modules when such capabilities are available. These mechanisms reduce key exfiltration risk but are not required for interoperability.</t>
      <t>In some cases, agents <bcp14>MAY</bcp14> need secondary credentials to access a proprietary or legacy environment that is not compatible with the X.509, JWT or WIT it is provisioned with. In these cases an agent <bcp14>MAY</bcp14> exchange their primary credentials through a credential exchange mechanisms (e.g., OAuth 2.0 Token Exchange <xref target="OAUTH-TOKEN-EXCHANGE"/>, Transaction Tokens <xref target="OAUTH-TXN-TOKENS"/> or Workload Identity Federation). This allows an agent to obtain a credential targeted to a specific environment by leveraging the primary credential in its possession.</t>
      <t><strong>Note</strong>: Static API keys are an antipattern for agent identity. They are bearer artifacts that are not cryptographically bound, do not convey identity, are typically long-lived and are operationally difficult to rotate, making them unsuitable for secure agent authentication or authorization.</t>
    </section>
    <section anchor="agent_credential_provisioning">
      <name>Agent Credential Provisioning</name>
      <t>Agent credential provisioning refers to the runtime issuance, renewal, lifecycle state and rotation of the credentials an agent uses to authenticate and authorize itself to other agents. Agents may be provisioned with one or more credential types as described in <xref target="agent_credentials"/>. Unlike static secrets, agent credentials are provisioned dynamically and are intentionally short-lived, eliminating the operational burden of manual expiration management and reducing the impact of credential compromise.</t>
      <t>Credential provisioning is also the assessment point to confirm that the Agent and its runtime environment satisfy the posture requirements. In this document, posture assessment refers to the evaluation of signals about the Agent, its software, deployment context, runtime environment, and operational state. These signals can influence whether a credential is issued, which identifier is bound to the credential, what type of credential is issued, what attributes are included in the credential, and how long the credential remains valid.</t>
      <t>Posture assessment mechanisms are deployment and risk specific. They may include hardware-backed evidence, trusted execution environment (TEE) evidence, software integrity measurements, supply-chain provenance, platform or orchestration-layer metadata, workload placement information, configuration state, operator assertions, or other environment-specific signals. Depending on the risk involved, a single signal may be sufficient, while higher-risk deployments may require multiple independent signals before credentials are issued or renewed.</t>
      <t>Deployed workload identity systems commonly perform some form of posture assessment as part of credential provisioning. For example, SPIFFE implementations can evaluate platform and environment-specific information about a workload before binding it to a SPIFFE identifier and issuing an SVID. At a high level, a provisioning component gathers workload and execution context signals, verifies them according to local policy, and, if verification succeeds, issues short-lived credentials for subsequent authentication and authorization.</t>
      <t>An Agent Identity Management System may incorporate multiple posture assessment mechanisms and implementations. The selection of mechanisms depends on deployment constraints, such as the underlying platform, available identity signals, and desired level of trust assurance. This document does not require any particular posture assessment mechanism, evidence format, or verifier architecture.</t>
      <t>Agent credential provisioning must operate autonomously, scale to high-churn environments, and integrate closely with the posture assessment mechanisms used to establish trust in the Agent at each issuance or rotation event.</t>
      <t>Agent credential provisioning typically includes two phases:</t>
      <ol spacing="normal" type="1"><li>
          <t><strong>Initial Provisioning</strong>: The process by which an agent first acquires a credential bound to its identity. This often occurs immediately after deployment or instantiation and is based on verified properties of the agent (e.g., deployment context, posture assessment results, or orchestration metadata).</t>
        </li>
        <li>
          <t><strong>Rotation/Renewal</strong>: The automatic refresh of short-lived credentials before expiration. Continuous rotation ensures that credentials remain valid only for the minimum necessary time and that authorization state reflects current operational conditions.</t>
        </li>
      </ol>
      <t>The use of short-lived credentials provides a significant improvement in the risk profile and risk of credential exposure. It provides an alternative to explicit revocation mechanisms and simplifies lifecycle management in large, automated environments while removing the risks of downtime as a result of credential expiry.</t>
      <t>Deployed frameworks such as <xref target="SPIFFE"/> provide proven mechanisms for automated, short-lived credential provisioning at runtime. In addition to issuing short-lived credentials, <xref target="SPIFFE"/> also provisions ephemeral cryptographic key material bound to each credential, further reducing the risks associated with compromising long-lived keys.</t>
      <t>The Large Language Model <bcp14>MUST NOT</bcp14> have access to an agent's credentials or to credentials that may be needed to access tools and services. This prevents the Large Language Model from using, exposing, or being manipulated via prompt injection into disclosing the credentials.</t>
    </section>
    <section anchor="agent_authentication">
      <name>Agent Authentication</name>
      <t>Agents may authenticate using a variety of mechanisms, depending on the credentials they possess, the protocols supported in the deployment environment, and the risk profile of the application. As described in the WIMSE Architecture <xref target="WIMSE-ARCH"/>, authentication can occur at either the transport layer or the application layer, and many deployments rely on a combination of both.</t>
      <section anchor="transport-layer-authentication">
        <name>Transport Layer Authentication</name>
        <t>Transport-layer authentication establishes trust during the establishment of a secure transport channel. The most common mechanism used by agents is mutually-authenticated TLS (mTLS), in which both endpoints present X.509-based credentials and perform a bidirectional certificate exchange as part of the TLS negotiation. When paired with short-lived workload identities, such as those issued by SPIFFE or WIMSE, mTLS provides strong channel binding and cryptographic proof of control over the agent’s private key.</t>
        <t>mTLS is particularly well-suited for environments where transport-level protection, peer authentication, and ephemeral workload identity are jointly required. It also simplifies authorization decisions by enabling agents to associate application-layer requests with an authenticated transport identity. One example of this is the use of mTLS in service mesh architectures such as Istio or LinkerD.</t>
        <section anchor="limitations">
          <name>Limitations</name>
          <t>There are scenarios where transport-layer authentication is not desirable or cannot be relied upon. In architectures involving intermediaries, such as proxies, API gateways, service meshes, load balancers, or protocol translators, TLS sessions are often terminated and re-established, breaking the end-to-end continuity of transport-layer identity. Similarly, some deployment models (such as serverless platforms, multi-tenant edge environments, or cross-domain topologies) may obscure or abstract identity presented at the transport layer, making it difficult to bind application-layer actions to a credential presented at the transport layer. In these cases, application-layer authentication provides a more robust and portable mechanism for expressing agent identity and conveying attestation or policy-relevant attributes.</t>
        </section>
      </section>
      <section anchor="application-layer-authentication">
        <name>Application Layer Authentication</name>
        <t>Application-layer authentication allows agents to authenticate independently of the underlying transport. This enables end-to-end identity preservation even when requests traverse proxies, load balancers, or protocol translation layers.</t>
        <t>The WIMSE working group defines WIMSE Proof Tokens and HTTP Message Signatures as authentication mechanisms that may be used by agents.</t>
        <section anchor="wpt">
          <name>WIMSE Proof Tokens (WPTs)</name>
          <t>WIMSE Workload Proof Tokens (WPTs, <xref target="WIMSE-WPT"/>) are a protocol-independent, application-layer mechanism for proving possession of the private key associated with a Workload Identity Token (WIT). WPTs are generated by the agent, using the private key matching the public key in the WIT. A WPT is defined as a signed JSON Web Token (JWT) that binds an agent’s authentication to a specific message context, for example, an HTTP request, thereby providing proof of possession rather than relying on bearer semantics.</t>
          <t>WPTs are designed to work alongside WITs <xref target="WIMSE-CRED"/> and are typically short-lived to reduce the window for replay attacks. They carry claims such as audience (aud), expiration (exp), a unique token identifier (jti), and a hash of the associated WIT (wth). A WPT may also include hashes of other related tokens (e.g., a Transaction Token) to bind the authentication contexts to specific transaction or authorizations details.</t>
          <t>Although the draft currently defines a protocol binding for HTTP (via a Workload-Proof-Token header), the core format is protocol-agnostic, making it applicable to other protocols. Its JWT structure and claims model allow WPTs to be bound to different protocols and transports, including asynchronous or non-HTTP messaging systems such as Kafka and gRPC, or other future protocol bindings. This design enables receiving systems to verify identity, key possession, and message binding at the application layer even in environments where transport-layer identity (e.g., mutual TLS) is insufficient or unavailable.</t>
        </section>
        <section anchor="http-message-signatures">
          <name>HTTP Message Signatures</name>
          <t>The WIMSE Workload-to-Workload Authentication with HTTP Signatures specification <xref target="WIMSE-HTTPSIG"/> defines an application-layer authentication profile built on the HTTP Message Signatures standard <xref target="HTTP-SIG"/>. It is one of the mechanisms WIMSE defines for authenticating workloads in HTTP-based interactions where transport-layer protections may be insufficient or unavailable. The protocol combines a workload's Workload Identity Token (WIT) (which binds the agent's identity to a public key) with HTTP Message Signatures (using the corresponding private key), thereby providing proof of possession and message integrity for individual HTTP requests and responses. This approach ensures end-to-end authentication and integrity even when traffic traverses intermediaries such as TLS proxies or load balancers that break transport-layer identity continuity. The profile mandates signing of some request components (e.g., method, request-target, content digest, and the WIT itself) and supports optional response signing. Note that @request-target covers only the request-target string (typically path + query) and not the method, scheme, or authority; those are only protected if separately covered (e.g., @method, @scheme, @authority).</t>
        </section>
        <section anchor="limitations-1">
          <name>Limitations</name>
          <t>Unlike transport-layer authentication, application-layer authentication does not inherently provide channel binding to the underlying secure transport. As a result, implementations <bcp14>MUST</bcp14> consider the risk of message relay or replay if tokens or signed messages are accepted outside their intended context. Deployments typically mitigate these risks through short token lifetimes, audience restrictions, nonce or unique identifier checks, and binding authentication to specific requests or transaction parameters.</t>
        </section>
      </section>
    </section>
    <section anchor="agent_authorization">
      <name>Agent Authorization</name>
      <t>Agents act on behalf of a user, a system, or on their own behalf as shown in <xref target="fig-ai-agent-workload"/> and need to obtain authorization when interacting with protected resources.</t>
      <section anchor="agent-mission">
        <name>Agent Mission</name>
        <t>An Agent receives a Mission from a User, a System, or another Agent. The Mission is the task or objective the Agent will pursue. It is typically expressed in natural language and may require decomposition as it is mapped from a broad objective into specific resource requirements and corresponding access requests. The translation of a mission into authorization requirements is expected to occur as a planning step before the Agent requests authorization. The process through which the mission is translated into authorization requriements is out of scope of this specification. Once the required resources and their associated authorization requirements are determined, the Agent <bcp14>SHOULD</bcp14> use the mechanisms described in this section to obtain access.</t>
      </section>
      <section anchor="leverage-oauth-20-as-a-delegation-authorization-framework">
        <name>Leverage OAuth 2.0 as a Delegation Authorization Framework</name>
        <t>The widely deployed OAuth 2.0 Authorization Framework <xref target="OAUTH-FRAMEWORK"/> is a mechanism for delegated authorization that enables an Agent to obtain limited access to a protected resource (e.g., a service or API), intermediated by an Authorization Server, often with the explicit approval of the authenticated User. An Agent uses OAuth 2.0-based mechanisms to obtain authorization from a User, a System, or on its own behalf. OAuth 2.0 defines a wide range of authorization grant flows that supports these scenarios. In these Oauth 2.0 flows, an Agent acts as an OAuth 2.0 Client to an OAuth 2.0 Authorization Server, which receives the request, evaluate the authorization policy and returns an access token, which the Agent presents to the Resource Server (i.e. the protected resources such as the LLM or Tools in <xref target="fig-ai-agent-workload"/>, which can evaluate its authorization policy and complete the request.</t>
      </section>
      <section anchor="use-of-oauth-20-access-tokens">
        <name>Use of OAuth 2.0 Access Tokens</name>
        <t>An OAuth access token represents the authorization granted to the Agent. In many deployments, access tokens are structured as JSON Web Tokens (JWTs) <xref target="OAUTH-ACCESSTOKEN-JWT"/>, which include claims such as 'client_id', 'sub', 'aud', 'scope', and other attributes relevant to authorization. The access token includes the Agent identity as the 'client_id' claim as defined in <xref section="2.2" sectionFormat="of" target="OAUTH-ACCESSTOKEN-JWT"/>.</t>
        <t>When the Agent is acting on-behalf of another User or System, the User or System identifier is conveyed in the 'sub' claim as defined in <xref section="2.2" sectionFormat="of" target="OAUTH-ACCESSTOKEN-JWT"/>. These identifiers <bcp14>MUST</bcp14> be used by resource servers protected by the OAuth 2.0 authorization service, along with other claims in the access token, to determine if access to a resource should be allowed. The access token typically includes additional claims to convey contextual, attestation-derived, or policy-related information that enables fine-grained access control. The resource server uses the access token and the information it contains along with other authorization systems (e.g. policy based, attribute based or role based authorization systems) when enforcing access control. JWT access tokens can be validated directly by resource servers while other formats that are opaque to the resource server can be validated through a mechanism that calls back to the authorization server (the mechanism is called introspection despite the word having nearly the opposite meaning). This framework supports both models and does not require a specific token format, provided that equivalent authorization semantics are maintained.</t>
        <t>A resource server in receipt of tokens opaque to it are able to obtain authorization and other information from the token through OAuth 2.0 Token Introspection <xref target="OAUTH-TOKEN-INTROSPECTION"/>. The introspection response provides the active state of the token and associated authorization attributes equivalent to those conveyed in structured tokens.</t>
      </section>
      <section anchor="obtaining-an-oauth-20-access-token">
        <name>Obtaining an OAuth 2.0 Access Token</name>
        <t>OAuth 2.0 defines a number authorization grant flows in support of different authorization scenarios. The appropriate flow depends on the specific authorization scenario and the nature of User involvement. The following subsections describe the most relevant flows for Agent authorization.</t>
        <section anchor="user_delegates_authorization">
          <name>User Delegates Authorization</name>
          <t>When a User delegates authorization to an Agent, the Authorization Code Grant as described in Section 4.1 of <xref target="OAUTH-FRAMEWORK"/> is the appropriate mechanism. This redirection-based flow involves an interactive authorization process, typically in a web browser, in which the user authenticates to the authorization server and explicitly approves the requested access. Users <bcp14>SHOULD</bcp14> be authenticated using phishing-resistant authentication mechanisms such as a passkey. Once the user has approved the request, the authorization server returns an authorization code to the Agent via the redirect.</t>
          <t>The Agent, acting as an OAuth client, then makes a token request to the authorization server to redeem the authorization code for an access token. When making this token request, the Agent authenticates itself directly to the authorization server using the credentials described in <xref target="agent_credentials"/> with a compatible OAuth client authentication mechanism, and not with the use of static, long-lived client secrets. Compatible OAuth client authentication mechanisms are defined in <xref target="OAUTH-CLIENTAUTH-JWT"/>, <xref target="OAUTH-CLIENTAUTH-MTLS"/> and <xref target="OAUTH-SPIFFE"/>. The OAuth client authentication step is distinct from, and occurs after, the user authentication and approval described above. The resulting access token reflects the authorization delegated to the Agent by the User and can be used by the Agent to access resources on behalf of the user. The use of OAuth negates the need for the Agent to have access to a User's credentials when accessing a resource on the User's behalf.</t>
        </section>
        <section anchor="agent_obtains_own_access_token">
          <name>Agent Obtains Own Authorization</name>
          <t>Agents obtaining access tokens on their own behalf can use the Client Credentials Grant as described in <xref section="4.4" sectionFormat="of" target="OAUTH-FRAMEWORK"/> or the JWT Authorization Grant as described in <xref section="2.1" sectionFormat="of" target="OAUTH-CLIENTAUTH-JWT"/>. When using the Client Credentials Grant, the Agent authenticates itself using the credentials described in <xref target="agent_credentials"/> with a compatible OAuth client authentication mechanism listed in previous section, and not with the use of static, long-lived client secrets. When using the JWT Authorization Grant, the Agent will be identified in the subject of the JWT assertion.</t>
        </section>
        <section anchor="agents-accessed-by-systems-or-other-agents">
          <name>Agents Accessed by Systems or Other Agents</name>
          <t>Agents themselves can act in the role of an OAuth protected resource and be invoked by a System (e.g. a batch job or another Agent). The System obtains an access token using an appropriate mechanism and then invokes the Agent presenting the access token.</t>
        </section>
        <section anchor="oauth-20-security-best-practices">
          <name>OAuth 2.0 Security Best Practices</name>
          <t>The Best Current Practice for OAuth 2.0 Security as described in <xref target="OAUTH-BCP"/> are applicable when requesting and using access tokens.</t>
        </section>
      </section>
      <section anchor="txn-tokens-risk-reduction">
        <name>Risk Reduction with Transaction Tokens</name>
        <t>Resources servers, whether they are LLMs, Tools or Agents (in the Agent-to-Agent case) may be composed of multiple microservices that are invoked to complete a request. The access tokens presented to the Agent, LLM or Tools can typically be used with multiple transactions and consequently have broader scope than needed to complete any specific transaction. Passing the access token from one microservice to another within an invoked Agent, LLM or the Tools increases the risk of token theft and replay attacks. For example, an attacker may discover and access token passed between microservices in a log file or crash dump, exfiltrate it, and use it to invoke a new transaction with different parameters (e.g. increase the transaction amount, or invoke an unrelated call as part of executing a lateral move).</t>
        <t>To avoid passing access tokens between microservices, the Agent, LLM or Tools can exchange the received access token for a transaction token, as defined in the Transaction Token specification <xref target="OAUTH-TXN-TOKENS"/>. The transaction token allows for identity and authorization information to be passed along the internal call chain of microservices. The transaction token issuer enriches the transaction token with context of the caller that presented the access token (e.g. IP address, etc.), transaction context (transaction amount), identity information and a unique transaction identifier. This results in a downscoped token that is bound to a specific transaction and cannot be used as an access token, with another transaction, or within the same transaction with modified transaction details (e.g. change in transaction amount). Transaction tokens are typically short-lived, further limiting the risk in case they are obtained by an attacker by limiting the time window during which these tokens will be accepted.</t>
        <t>A transaction token <bcp14>MAY</bcp14> be used to obtain an access token to call another service (e.g. another Agent, Tool or LLM) by using OAuth 2.0 Token Exchange as defined in <xref target="OAUTH-TOKEN-EXCHANGE"/>.</t>
      </section>
      <section anchor="cross-domain-access">
        <name>Cross Domain Access</name>
        <t>Agents often require access to resources that are protected by different OAuth 2.0 authorization servers. When the components in Figure 1 are protected by different logical authorization servers, an Agent <bcp14>SHOULD</bcp14> use OAuth Identity and Authorization Chaining Across Domains as defined in <xref target="OAUTH-ID-CHAIN"/>, or a derived specification such as the Identity Assertion JWT Authorization Grant <xref target="OAUTH-JWT-ASSERTION"/> or , Transaction Token Authorization Grant Profile for OAuth Identity and Authorization Chaining <xref target="OAUTH-TXN-ASSERTION"/>, to obtain an access token from the relevant authorization servers. The agent first exchanges its current access token or transaction token for a JWT authorization grant (Section 2.3 of <xref target="OAUTH-ID-CHAIN"/>) and then presents that grant to obtain an access token for the target resource (Section 2.4 of <xref target="OAUTH-ID-CHAIN"/>).</t>
        <t>When using the Identity Assertion JWT Authorization Grant <xref target="OAUTH-JWT-ASSERTION"/>, the identity assertion (e.g. the OpenID Connect ID Token or SAML assertion) for the target end-user is used to obtain a JWT assertion as described in <xref section="4.3" sectionFormat="of" target="OAUTH-JWT-ASSERTION"/>, which is then used to obtain an access token as described in <xref section="4.4" sectionFormat="of" target="OAUTH-JWT-ASSERTION"/>.</t>
        <t>OAuth Identity and Authorization Chaining Across Domains (<xref target="OAUTH-ID-CHAIN"/>) provides a general mechanism for obtaining cross-domain access that can be used whether an identity assertion like a SAML or OpenID Connect token is available or not. The Identity Assertion JWT Authorization Grant <xref target="OAUTH-JWT-ASSERTION"/> is optimized for cases where an identity assertion like a SAML or OpenID Connect token is available from an identity provider that is trusted by all the OAuth authorization servers as it removes the need for the user to re-authenticate. This is typically used within enterprise deployments to simplify authorization delegation for multiple software-as-a-service offerings.</t>
      </section>
      <section anchor="human-in-the-loop">
        <name>Human in the Loop</name>
        <t>An OAuth authorization server <bcp14>MAY</bcp14> conclude that the level of access requested by an Agent requires explicit user confirmation. In such cases the authorization server <bcp14>SHOULD</bcp14> either decline the request or obtain additional authorization from the User. An Agent, acting as an OAuth client, can use the OpenID Client Initiated Backchannel Authentication (CIBA) protocol (<xref target="OpenIDConnect.CIBA"/>). This triggers an out-of-band interaction allowing the user to approve or deny the requested operation without exposing credentials to the agent (for example a push notification requesting the user to approve a request through an authenticator application on their mobile device).</t>
        <t>Interactive agent frameworks may also solicit user confirmation directly during task execution (for example tool invocation approval or parameter confirmation). Such interactions do not by themselves constitute authorization and <bcp14>MUST</bcp14> be bound to a verifiable authorization grant issued by the authorization server. The agent <bcp14>SHOULD</bcp14> therefore translate user confirmation into an OAuth authorization event (e.g., step-up authorization via CIBA) before accessing protected resources.</t>
        <t>This model aligns with user-solicitation patterns such as those described by the Model Context Protocol (<xref target="MCP"/>), where an agent pauses execution and requests user confirmation before performing sensitive actions. The final authorization decision remains with the authorization server, and the agent <bcp14>MUST NOT</bcp14> treat local UI confirmation alone as sufficient authorization.</t>
        <t><strong>Note:</strong> Additional specification or design work may be needed to define how out-of-band interactions with the User occur at different stages of execution. CIBA itself only accounts for client initiation, which doesn't map well to cases that envision the need for User confirmation to occur mid-execution.</t>
      </section>
      <section anchor="tool-to-service-access">
        <name>Tool-to-Service Access</name>
        <t>Tools expose interfaces to underlying services and resources. Access to the Tools can be controlled by OAuth and augmented by policy, attribute or role based authorization systems (amongst others). If the Tools are implemented as one or more microservices, it should use transaction tokens to reduce risk as described in <xref target="txn-tokens-risk-reduction"/> to avoid passing access tokens around within the Tool implementation.</t>
        <t>Access from the Tools to the resources and services <bcp14>MAY</bcp14> be controlled through a variety of authorization mechanisms, including OAuth. If access is controlled through OAuth, the Tools can use OAuth 2.0 Token Exchange as defined in <xref target="OAUTH-TOKEN-EXCHANGE"/> to exchange the access token it received for a new access token to access the resource or service in question. When the Tool needs access to a resource protected by an authorization server other than the Tool's own authorization server, the OAuth Identity and Authorization Chaining Across Domains (<xref target="OAUTH-ID-CHAIN"/>) can be used to obtain an access token from the authorization server protecting that resource.</t>
        <t><strong>Note:</strong> It is an anti-pattern for Tools to forward access tokens it received from the Agent to Services or Resources. It increases the risk of credential theft and lateral attacks.</t>
      </section>
      <section anchor="privacy">
        <name>Privacy Considerations</name>
        <t>Authorization tokens may contain user identifiers, agent identifiers, audience restrictions, transaction details, and contextual attributes. Deployments <bcp14>SHOULD</bcp14> minimize disclosure of personally identifiable or sensitive information in tokens and prefer audience-restricted and short-lived tokens. Where possible, opaque tokens with introspection <bcp14>SHOULD</bcp14> be preferred when claim minimization is required.</t>
        <t>Agents <bcp14>SHOULD</bcp14> request only the minimum scopes and authorization details necessary to complete a task. As recommended in <xref target="OAUTH-BCP"/>, resource servers avoid logging full tokens and instead log token identifiers or hashes. When authorization context is propagated across services, derived or down-scoped tokens (such as transaction tokens) <bcp14>SHOULD</bcp14> be used to reduce correlation and replay risk.</t>
        <t>Implementations <bcp14>MUST</bcp14> ensure that user identity information delegated to agents is not exposed to unrelated services and that cross-domain authorization exchanges only disclose information required for the target authorization decision.</t>
      </section>
      <section anchor="oauth-20-discovery-in-dynamic-environments">
        <name>OAuth 2.0 Discovery in Dynamic Environments</name>
        <t>In dynamic Agent deployments (e.g., ephemeral workloads, multi-tenant services, and frequently changing endpoint topology), Agents and other participants <bcp14>MAY</bcp14> use OAuth discovery mechanisms to reduce static configuration and to bind runtime decisions to verifiable metadata.</t>
        <section anchor="authorization-server-capability-discovery">
          <name>Authorization Server Capability Discovery</name>
          <t>An Agent that needs to obtain tokens can discover authorization server endpoints and capabilities using OAuth 2.0 Authorization Server Metadata <xref target="OAUTH-SERVER-METADATA"/> and/or OpenID Connect Discovery <xref target="OpenIDConnect.Discovery"/>. This allows the Agent to learn the authorization server issuer identifier, authorization and token endpoints, supported grant types, client authentication methods, signing keys (via jwks_uri), and other relevant capabilities without preconfiguring them.</t>
        </section>
        <section anchor="protected-resource-capability-discovery">
          <name>Protected Resource Capability Discovery</name>
          <t>When an Agent is invoking a Tool, the Agent <bcp14>MAY</bcp14> use OAuth 2.0 Protected Resource Metadata <xref target="OAUTH-RESOURCE-METADATA"/> to discover how the resource is protected, including the resource identifier and the applicable Authorization Server(s) that protects Tool access. This enables an Agent to select the correct issuer/audience and token acquisition flow at runtime, even when resources are deployed or moved dynamically.</t>
          <t>A Tool that attempts to access and OAuth protected resource <bcp14>MAY</bcp14> use OAuth 2.0 Protected Resource Metadata <xref target="OAUTH-RESOURCE-METADATA"/> in a similar way as an Agent. Similarly, a System may use <xref target="OAUTH-RESOURCE-METADATA"/> when accessing an Agent.</t>
        </section>
        <section anchor="client-capability-discovery">
          <name>Client Capability Discovery</name>
          <t>Other actors (e.g., Authorization Servers, registrars, or policy systems) may need to learn about any entities (System, Agent, Tool) that acts as OAuth clients. Where supported, they <bcp14>MAY</bcp14> use Client ID Metadata Documents <xref target="OAUTH-CLIENT-METADATA"/>, which allow a client to host its metadata at a URL-valued client_id so that the relying party can retrieve client properties (e.g., redirect URIs, display information, and other registered client metadata) without prior bilateral registration.</t>
          <t>As an alternative, entities acting as OAuth clients <bcp14>MAY</bcp14> register their capabilities with authorization servers as defined in the OAuth 2.0 Dynamic Client Registration Protocol <xref target="OAUTH-REGISTRATION"/>.</t>
        </section>
      </section>
    </section>
    <section anchor="agent_monitoring_and_remediation">
      <name>Agent Monitoring, Observability and Remediation</name>
      <t>Because agents may perform sensitive actions autonomously or on behalf of users, deployments <bcp14>MUST</bcp14> maintain sufficient monitoring and observability to reconstruct agent behavior and authorization context after execution. Observability is therefore a security control, not solely an operational feature.</t>
      <t>Any participant in the system, including the Agent, Tool, System, LLM or other resources and service <bcp14>MAY</bcp14> subscribe to change notifications using eventing mechanisms such as the OpenID Shared Signals Framework <xref target="SSF"/> with either the Continuous Access Evaluation Profile <xref target="CAEP"/> or Risk Incident Sharing and Coordination <xref target="RISC"/> to receive security and authorization-relevant signals. Upon receipt of a relevant signal (e.g., session revoked, risk level change, subject disabled, token replay suspected, risk elevated), the recipient <bcp14>SHOULD</bcp14> remediate by attenuating access, such as terminating local sessions, discarding cached tokens, re-acquiring tokens with updated constraints, reducing privileges, or re-running policy evaluation before continuing to allow access. Recipients of such signals <bcp14>MUST</bcp14> ensure that revoked or downgraded authorization is enforced without undue delay. Cached authorization decisions and tokens that are no longer valid <bcp14>MUST NOT</bcp14> continue to be used after a revocation or risk notification is received.</t>
      <t>To support detection, investigation, and accountability, deployments <bcp14>MUST</bcp14> produce durable audit logs covering authorization decisions and subsequent remediations. Audit records <bcp14>MUST</bcp14> be tamper-evident and retained according to the security policy of the deployment.</t>
      <t>At a minimum, audit events <bcp14>MUST</bcp14> record:</t>
      <ul spacing="normal">
        <li>
          <t>authenticated agent identifier</t>
        </li>
        <li>
          <t>delegated subject (user or system), when present</t>
        </li>
        <li>
          <t>resource or tool being accessed</t>
        </li>
        <li>
          <t>action requested and authorization decision</t>
        </li>
        <li>
          <t>timestamp and transaction or request correlation identifier</t>
        </li>
        <li>
          <t>posture assessment or risk state influencing the decision</t>
        </li>
        <li>
          <t>remediation or revocation events and their cause</t>
        </li>
      </ul>
      <t>Monitoring / Observability systems <bcp14>SHOULD</bcp14> correlate events across Agents, Tools, Services, Resources and LLMs to detect misuse patterns such as replay, confused deputy behavior, privilege escalation, or unexpected action sequences.</t>
      <t>End-to-end audit is enabled when Agents, Users, Systems, LLMs, Tools, services and resources have stable, verifiable identifiers that allow auditors to trace "which entity did what, using which authorization context, and why access changed over time."</t>
      <t>Implementations <bcp14>SHOULD</bcp14> provide operators the ability to reconstruct a complete execution chain of an agent task, including delegated authority, intermediate calls, and resulting actions across service boundaries.</t>
    </section>
    <section anchor="agent_auhtentication_and_authorization_policy">
      <name>Agent Authentication and Authorization Policy</name>
      <t>The configuration and runtime parameters for Agent Identifiers <xref target="agent_identifiers"/>, Agent Credentials <xref target="agent_credentials"/>, Agent Credential Provisioning <xref target="agent_credential_provisioning"/>, Agent Authentication <xref target="agent_authentication"/>, Agent Authorization <xref target="agent_authorization"/> and Agent Monitoring, Observability and Remediation <xref target="agent_monitoring_and_remediation"/> collectively constitute the authentication and authorization policy within which the Agent operates.</t>
      <t>Because these parameters are highly deployment and risk-model-specific (and often reflect local governance, regulatory, and operational constraints), the policy model and document format are out of scope for this framework and are not recommended as a target for standardization within this specification. Implementations <bcp14>MAY</bcp14> represent policy in any suitable “policy-as-code” or configuration format (e.g., JSON/YAML), provided it is versioned, reviewable, and supports consistent evaluation across the components participating in the end-to-end flow.</t>
    </section>
    <section anchor="agent_compliance">
      <name>Agent Compliance</name>
      <t>Compliance for Agent-based systems <bcp14>SHOULD</bcp14> be assessed by auditing observed behavior and recorded evidence (logs, signals, and authorization decisions) against the deployment’s Agent Authentication and Authorization Policy <xref target="agent_auhtentication_and_authorization_policy"/>. Since compliance criteria are specific to individual deployments, organizations, industries and jurisdictions, they are out of scope for this framework though implementers <bcp14>SHOULD</bcp14> ensure strong observability and accountable governance, subject to their specific business needs.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This document composes existing specifications to enable authentication and authorization between AI agents. The security considerations of each referenced specification apply in full.</t>
      <t>In addition to the guidance included in existing specifications, additional security best practices and profiles have been developed for the Oauth protocol famility. The OAuth 2.0 Security Best Current Practice <xref target="OAUTH-BCP"/> which captures current guidance on threats and mitigations that have emerged since the original OAuth 2.0 specifications were published. The FAPI 2.0 Security Profile  <xref target="OpenIDConnect.FAPI"/> defines a high-assurance profile of OAuth 2.0 suitable for high security applications.</t>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>This document composes existing specifications to enable authentication and authorization between AI agents.</t>
      <t>In addition to the the privacy considerations in <xref target="privacy"/>, the privacy considerations in each referenced specification apply in full.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
    <section anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors would like to thank:</t>
      <ul spacing="normal">
        <li>
          <t>Sean O'Dell for providing valuable input and feedback on this work.</t>
        </li>
        <li>
          <t>Karl McGuinness for his blog posts on mission shaping as a pre-cursor to authorization <xref target="MissionShaping"/></t>
        </li>
      </ul>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="SPIFFE" target="https://spiffe.io/docs/latest/spiffe-about/overview/">
          <front>
            <title>Secure Production Identity Framework for Everyone</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="SPIFFE-ID" target="https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md">
          <front>
            <title>SPIFFE-ID</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="OpenIDConnect.AuthZEN" target="https://openid.net/specs/authorization-api-1_0.html">
          <front>
            <title>Authorization API 1.0</title>
            <author initials="O." surname="Gazitt" fullname="Omri Gazitt" role="editor">
              <organization>Asserto</organization>
            </author>
            <author initials="D." surname="Brossard" fullname="David Brossard" role="editor">
              <organization>Axiomatics</organization>
            </author>
            <author initials="A." surname="Tulshibagwale" fullname="Atul Tulshibagwale" role="editor">
              <organization>SGNL</organization>
            </author>
            <date year="2026"/>
          </front>
        </reference>
        <reference anchor="OpenIDConnect.Discovery" target="https://openid.net/specs/openid-connect-discovery-1_0-final.html">
          <front>
            <title>OpenID Connect Discovery 1.0</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="OpenIDConnect.CIBA" target="https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html">
          <front>
            <title>OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="OpenIDConnect.FAPI" target="https://openid.net/specs/fapi-security-profile-2_0-final.html">
          <front>
            <title>FAPI 2.0 Security Profile</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="MCP" target="https://modelcontextprotocol.io/specification">
          <front>
            <title>Model Context Protocol</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="SSF" target="https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html">
          <front>
            <title>OpenID Shared Signals Framework Specification 1.0</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="CAEP" target="https://openid.net/specs/openid-caep-1_0-final.html">
          <front>
            <title>OpenID Continuous Access Evaluation Profile 1.0</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="A2A" target="https://github.com/a2aproject/A2A">
          <front>
            <title>Agent2Agent (A2A) Protocol</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="ACP" target="https://www.agenticcommerce.dev/docs">
          <front>
            <title>Agentic Commerce Protocol</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="AP2" target="https://github.com/google-agentic-commerce/AP2">
          <front>
            <title>Agent Payments Protocol (AP2)</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="RISC" target="https://openid.net/specs/openid-risc-1_0-final.html">
          <front>
            <title>OpenID Risk Incident Sharing and Coordination Profile 1.0</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="SPIFFE-X509-SVID" target="https://github.com/spiffe/spiffe/blob/main/standards/X509-SVID.md">
          <front>
            <title>The X.509 SPIFFE Verifiable Identity Document</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="SPIFFE-JWT-SVID" target="https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md">
          <front>
            <title>The JWT SPIFFE Verifiable Identity Document</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="SPIFFE-WIT-SVID" target="https://github.com/spiffe/spiffe/blob/draft-wit-svid/standards/WIT-SVID.md">
          <front>
            <title>The WIT SPIFFE Verifiable Identity Document</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="WIMSE-ID">
          <front>
            <title>Workload Identifier</title>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>Palo Alto Networks</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   This document defines a canonical identifier for workloads, referred
   to as the Workload Identifier.  A Workload Identifier is a URI that
   uniquely identifies a workload within the context of a specific trust
   domain.  This identifier can be embedded in Workload Identity
   Credentials, including X.509 certificates and JWT-based tokens, to
   support authentication, authorization, and policy enforcement across
   diverse systems.  The Workload Identifier format ensures
   interoperability, facilitates secure identity federation, and enables
   consistent identity semantics.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-identifier-03"/>
        </reference>
        <reference anchor="WIMSE-CRED">
          <front>
            <title>WIMSE Workload Credentials</title>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <date day="2" month="July" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones up to complex multi-service, multi-cloud, multi-
   tenant deployments.

   This document defines the credentials that workloads use to represent
   their identity.  They can be used in various protocols to
   authenticate workloads to each other.  To use these credentials,
   workloads must provide proof of possession of the associated private
   key material, which is covered in other documents.  This document
   focuses on the credentials alone, independent of the proof-of-
   possession mechanism.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-workload-creds-02"/>
        </reference>
        <reference anchor="OAUTH-TOKEN-EXCHANGE">
          <front>
            <title>OAuth 2.0 Token Exchange</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
            <author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="January" year="2020"/>
            <abstract>
              <t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8693"/>
          <seriesInfo name="DOI" value="10.17487/RFC8693"/>
        </reference>
        <reference anchor="OAUTH-TXN-TOKENS">
          <front>
            <title>Transaction Tokens</title>
            <author fullname="Atul Tulshibagwale" initials="A." surname="Tulshibagwale">
              <organization>CrowdStrike</organization>
            </author>
            <author fullname="George Fletcher" initials="G." surname="Fletcher">
              <organization>Practical Identity LLC</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   Transaction Tokens (Txn-Tokens) are designed to maintain and
   propagate user identity, workload identity and authorization context
   throughout the Call Chain within a trusted domain during the
   processing of external requests (e.g. such as API calls) or requests
   initiated internally within the Trust Domain.  Txn-Tokens ensure that
   this context is preserved throughout the Call Chain thereby enhancing
   security and consistency in complex, multi-service architectures.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-transaction-tokens-09"/>
        </reference>
        <reference anchor="WIMSE-ARCH">
          <front>
            <title>Workload Identity in a Multi System Environment (WIMSE) Architecture</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The increasing prevalence of cloud computing and micro service
   architectures has led to the rise of complex software functions being
   built and deployed as workloads, where a workload is defined as
   software executing for a specific purpose, potentially comprising one
   or more running instances.  This document discusses an architecture
   for designing and standardizing protocols and payloads for conveying
   workload identity and security context information.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-arch-07"/>
        </reference>
        <reference anchor="WIMSE-WPT">
          <front>
            <title>WIMSE Workload Proof Token</title>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from basic
   deployments to complex multi-service, multi-cloud, multi-tenant
   systems.  This document specifies the Workload Proof Token (WPT), a
   mechanism for workloads to prove possession of the private key
   associated with a Workload Identity Token (WIT).  The WPT is a signed
   JWT that binds the workload's authentication to a specific HTTP
   request, providing application-level proof of possession for
   workload-to-workload communication.  This specification is designed
   to work alongside the WIT credential format defined in draft-ietf-
   wimse-workload-creds and can be combined with other WIMSE protocols
   in multi-hop call chains.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-wpt-01"/>
        </reference>
        <reference anchor="WIMSE-HTTPSIG">
          <front>
            <title>WIMSE Workload-to-Workload Authentication with HTTP Signatures</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>Palo Alto Networks</organization>
            </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones to complex multi-service, multi-cloud, multi-tenant
   deployments.  This document defines one of the mechanisms to provide
   workload authentication, using HTTP Signatures.  While only
   applicable to HTTP traffic, the protocol provides end-to-end
   protection of requests (and optionally, responses), even when service
   traffic is not end-to-end encrypted, that is, when TLS proxies and
   load balancers are used.  Authentication is based on the Workload
   Identity Token (WIT).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-http-signature-04"/>
        </reference>
        <reference anchor="HTTP-SIG">
          <front>
            <title>HTTP Message Signatures</title>
            <author fullname="A. Backman" initials="A." role="editor" surname="Backman"/>
            <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
            <author fullname="M. Sporny" initials="M." surname="Sporny"/>
            <date month="February" year="2024"/>
            <abstract>
              <t>This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where the full HTTP message may not be known to the signer and where the message may be transformed (e.g., by intermediaries) before reaching the verifier. This document also describes a means for requesting that a signature be applied to a subsequent HTTP message in an ongoing HTTP exchange.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9421"/>
          <seriesInfo name="DOI" value="10.17487/RFC9421"/>
        </reference>
        <reference anchor="OAUTH-FRAMEWORK">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="OAUTH-ACCESSTOKEN-JWT">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens</title>
            <author fullname="V. Bertocci" initials="V." surname="Bertocci"/>
            <date month="October" year="2021"/>
            <abstract>
              <t>This specification defines a profile for issuing OAuth 2.0 access tokens in JSON Web Token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to issue and consume access tokens in an interoperable manner.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9068"/>
          <seriesInfo name="DOI" value="10.17487/RFC9068"/>
        </reference>
        <reference anchor="OAUTH-TOKEN-INTROSPECTION">
          <front>
            <title>OAuth 2.0 Token Introspection</title>
            <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
            <date month="October" year="2015"/>
            <abstract>
              <t>This specification defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7662"/>
          <seriesInfo name="DOI" value="10.17487/RFC7662"/>
        </reference>
        <reference anchor="OAUTH-CLIENTAUTH-JWT">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7523"/>
          <seriesInfo name="DOI" value="10.17487/RFC7523"/>
        </reference>
        <reference anchor="OAUTH-CLIENTAUTH-MTLS">
          <front>
            <title>OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens</title>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>This document describes OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual-TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8705"/>
          <seriesInfo name="DOI" value="10.17487/RFC8705"/>
        </reference>
        <reference anchor="OAUTH-SPIFFE">
          <front>
            <title>OAuth SPIFFE Client Authentication</title>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Scott Rose" initials="S." surname="Rose">
              <organization>NIST</organization>
            </author>
            <author fullname="Stian Thorgersen" initials="S." surname="Thorgersen">
              <organization>IBM</organization>
            </author>
            <author fullname="Nancy Cam-Winget" initials="N." surname="Cam-Winget">
              <organization>Cisco Systems</organization>
            </author>
            <date day="15" month="June" year="2026"/>
            <abstract>
              <t>   This specification profiles the Assertion Framework for OAuth 2.0
   Client Authentication and Authorization Grants [RFC7521], the JWT
   Profile for OAuth 2.0 Client Authentication and Authorization Grants
   [RFC7523], and OAuth 2.0 Attestation-Based Client Authentication
   [I-D.draft-ietf-oauth-attestation-based-client-auth] to enable the
   use of SPIFFE Verifiable Identity Documents (SVIDs) as client
   credentials in OAuth 2.0.  It defines how OAuth clients with SPIFFE
   credentials can authenticate to OAuth authorization servers using
   their JWT-SVIDs, WIT-SVIDs, or X.509-SVIDs without the need for
   client secrets.  This approach enhances security by enabling seamless
   integration between SPIFFE-enabled workloads and OAuth authorization
   servers while eliminating the need to distribute and manage shared
   secrets such as static client secrets.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-spiffe-client-auth-02"/>
        </reference>
        <reference anchor="OAUTH-BCP">
          <front>
            <title>Best Current Practice for OAuth 2.0 Security</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="A. Labunets" initials="A." surname="Labunets"/>
            <author fullname="D. Fett" initials="D." surname="Fett"/>
            <date month="January" year="2025"/>
            <abstract>
              <t>This document describes best current security practice for OAuth 2.0. It updates and extends the threat model and security advice given in RFCs 6749, 6750, and 6819 to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0. Further, it deprecates some modes of operation that are deemed less secure or even insecure.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="240"/>
          <seriesInfo name="RFC" value="9700"/>
          <seriesInfo name="DOI" value="10.17487/RFC9700"/>
        </reference>
        <reference anchor="OAUTH-ID-CHAIN">
          <front>
            <title>OAuth Identity and Authorization Chaining Across Domains</title>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Kelley Burgin" initials="K." surname="Burgin">
              <organization>MITRE</organization>
            </author>
            <author fullname="Michael J. Jenkins" initials="M. J." surname="Jenkins">
              <organization>NSA-CCSS</organization>
            </author>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <date day="26" month="June" year="2026"/>
            <abstract>
              <t>   This specification describes a mechanism for preserving identity and
   authorization information across trust domains that use the OAuth 2.0
   Framework.  A JSON Web Token (JWT) authorization grant, obtained
   through an intra-domain OAuth 2.0 Token Exchange, facilitates the
   cross-domain acquisition of an access token.  The relevant identity
   and authorization information is chained throughout the flow by being
   conveyed in the respective artifacts exchanged at each step of the
   process.  Chaining across multiple domains is achieved by using the
   same protocol every time a trust domain boundary is crossed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-identity-chaining-16"/>
        </reference>
        <reference anchor="OAUTH-JWT-ASSERTION">
          <front>
            <title>Identity Assertion JWT Authorization Grant</title>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <author fullname="Karl McGuinness" initials="K." surname="McGuinness">
              <organization>Independent</organization>
            </author>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <date day="21" month="May" year="2026"/>
            <abstract>
              <t>   This specification provides a mechanism for an application to use an
   identity assertion to obtain an access token for a third-party API by
   coordinating through an identity provider that the downstream
   Resource Authorization Server already trusts for single sign-on
   (SSO), using Token Exchange [RFC8693] and JWT Profile for OAuth 2.0
   Authorization Grants [RFC7523].  This pattern is informally referred
   to as Cross-App Access (XAA).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-identity-assertion-authz-grant-04"/>
        </reference>
        <reference anchor="OAUTH-TXN-ASSERTION">
          <front>
            <title>Transaction Token Authorization Grant Profile for OAuth Identity and Authorization Chaining</title>
            <author fullname="George Fletcher" initials="G." surname="Fletcher">
              <organization>Practical Identity LLC</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Sean O'Dell" initials="S." surname="O'Dell">
              <organization>CVS Health</organization>
            </author>
            <date day="20" month="June" year="2026"/>
            <abstract>
              <t>   This specification defines a profile of the OAuth Identity and
   Authorization Chaining Across Domains
   [I-D.ietf-oauth-identity-chaining] mechanism that uses a Transaction
   Token (Txn-Token) [I-D.ietf-oauth-transaction-tokens] as the subject
   token in a Token Exchange [RFC8693] request to obtain a JWT
   Authorization Grant for crossing a trust boundary.

   A Txn-Token is scoped to a single trust domain and represents the
   full authorization context of an in-progress transaction, regardless
   of whether that transaction was initiated by a human user calling an
   external API, by an internal system event, or by an automated
   workload.  This profile specifies how a service operating within that
   trust domain can present its Txn-Token to obtain a JWT Authorization
   Grant that carries the necessary context across a trust boundary,
   enabling an access token to be issued for a partner service, without
   exposing internal trust-domain credentials or token formats beyond
   the trust boundary.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-fletcher-transaction-token-chaining-profile-01"/>
        </reference>
        <reference anchor="OAUTH-SERVER-METADATA">
          <front>
            <title>OAuth 2.0 Authorization Server Metadata</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8414"/>
          <seriesInfo name="DOI" value="10.17487/RFC8414"/>
        </reference>
        <reference anchor="OAUTH-RESOURCE-METADATA">
          <front>
            <title>OAuth 2.0 Protected Resource Metadata</title>
            <author fullname="M.B. Jones" initials="M.B." surname="Jones"/>
            <author fullname="P. Hunt" initials="P." surname="Hunt"/>
            <author fullname="A. Parecki" initials="A." surname="Parecki"/>
            <date month="April" year="2025"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client or authorization server can use to obtain the information needed to interact with an OAuth 2.0 protected resource.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9728"/>
          <seriesInfo name="DOI" value="10.17487/RFC9728"/>
        </reference>
        <reference anchor="OAUTH-CLIENT-METADATA">
          <front>
            <title>OAuth Client ID Metadata Document</title>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <author fullname="Emelia Smith" initials="E." surname="Smith">
         </author>
            <date day="1" month="March" year="2026"/>
            <abstract>
              <t>   This specification defines a mechanism through which an OAuth client
   can identify itself to authorization servers, without prior dynamic
   client registration or other existing registration.  This is through
   the usage of a URL as a client_id in an OAuth flow, where the URL
   refers to a document containing the necessary client metadata,
   enabling the authorization server to fetch the metadata about the
   client as needed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-client-id-metadata-document-01"/>
        </reference>
        <reference anchor="OAUTH-REGISTRATION">
          <front>
            <title>OAuth 2.0 Dynamic Client Registration Protocol</title>
            <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="M. Machulak" initials="M." surname="Machulak"/>
            <author fullname="P. Hunt" initials="P." surname="Hunt"/>
            <date month="July" year="2015"/>
            <abstract>
              <t>This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7591"/>
          <seriesInfo name="DOI" value="10.17487/RFC7591"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="MissionShaping" target="https://notes.karlmcguinness.com/notes/the-mission-shaping-problem/">
          <front>
            <title>The Mission Shaping Problem</title>
            <author initials="K." surname="McGuinness" fullname="Karl McGuinness">
              <organization/>
            </author>
            <date year="2026"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 455?>

<section anchor="document-history">
      <name>Document History</name>
      <t>[[ To be removed from the final specification ]]
  -03</t>
      <ul spacing="normal">
        <li>
          <t>Editorial updates</t>
        </li>
        <li>
          <t>Clarify relationship between WIMSE and SPIFFE credentials (https://github.com/PieterKas/agent2agent-auth-framework/issues/136)</t>
        </li>
        <li>
          <t>Clarify that LLMs should not have access to Agent credentials: https://github.com/PieterKas/agent2agent-auth-framework/issues/127</t>
        </li>
        <li>
          <t>Update use of normative language (https://github.com/PieterKas/agent2agent-auth-framework/issues/123)</t>
        </li>
      </ul>
      <t>-03</t>
      <ul spacing="normal">
        <li>
          <t>Include reference to CIBA (see https://github.com/PieterKas/agent2agent-auth-framework/issues/131)</t>
        </li>
      </ul>
      <t>-02</t>
      <ul spacing="normal">
        <li>
          <t>Add Aaron Parecki from Okta as co-author.</t>
        </li>
        <li>
          <t>Add reference to phishing resistent credentials (e.g. FIDO passkeys/authenticators) - see https://github.com/PieterKas/agent2agent-auth-framework/issues/106</t>
        </li>
        <li>
          <t>Fold attestation section into provosioning section. Change terminology to posture management.</t>
        </li>
        <li>
          <t>Clarify Oauth authentication mechanisms when an Agent acts as and OAuth client.</t>
        </li>
        <li>
          <t>Update Security Considerations section</t>
        </li>
        <li>
          <t>Add section on Agent Mission (see issue https://github.com/PieterKas/agent2agent-auth-framework/issues/107)</t>
        </li>
      </ul>
      <t>-01</t>
      <ul spacing="normal">
        <li>
          <t>Add Nick Steele from OpenAI as co-author.</t>
        </li>
      </ul>
      <t>-00</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8V96XIbV5bmfzxFthQxJlUJ0JK3sqa62jBF2Sxr4ZBUu6qX
USeAJJgmkInJTJBmqdTRrzERMxHzb95j5k36SeZ8Z7lLZoKUyjXViqgyAeRy
77nnnvU7547H41FbtKv8afJgepxMl3nZJtNte0n/LeZZW1RlkpUL/qqqiz/y
Nw9G2WxW59d8zxg/PRjRtfmyqm+fJkV5UY1Gi2peZmt67KLOLtrx1aqej7Mi
w/PHGd0x/vSzUbOdrYumoSe2txu69Pjo/HmSPEyyVVPRs4tykW9y+r+yfZAm
D/JF0dIQshU+HE+/pf9UNf11ev78wajcrmd5/XS0oGE8Hc2rssnLZts8Tdp6
m49opJ+N6Ll1nj1NpqdHU/pwU9VXy7rabp4mP36X/EifinKZfIdvRlf5Lf28
eDpKxslrzA9//Hj88uwIf5ydHD9/Ln/l822dJ2fFsqQxJ89rmjGei98+mJqj
67zc0qAfJokbDz4ITeKB0dfrrFjhkm/yn7P1ZpVP5tUa32f1/PJpctm2m+bp
wUHw4wE9jh5dtJfbGVH1pMjbvP4haw54MZ4ES3Jh439AN6yIkk1LN9gj3Y0T
edakqO54xMGOdZ9ctuvVg9EoYxKAwvSuJLnYrlbCL/KahN7T5Kt1VvLPVb3M
SqXX0+RZfpFdtZWQv2hv+ZJcCPNgw/d/s5BrJo1e86D/pt/lWTmmNSv/7/+u
iiZ5Ua1nWb2oBl44/fEsfMdP+cUFPfebbJ39sSp5AXoP/0NWV80qu05Oq6Za
Z1eXQ8/9h2aerfI6fPZtbdd/80f5dfj539JOKJNDWuVZvloNPPsEXHOMzdOh
0GyuN32zoUsKvWL4La+K+VVy1ub5Kh94xWvandPj8NkNX/pNRT9kxfAjp0SY
MjmhvTi/KoYeetVm4SMzXP/NRq7nR47Kql7T1de0aRLdjU/5FpNkui9P6mqx
nfOuM0L4PZpckPQ4us7r26rMH8jtWb3MW7+Jmk1xcZGDz0maNQeyI/TbcTar
tu1BRQ+4LvKbAzeS8fGzaDDu28FX6FbCNpXn2n9mq2p2QBQoD5qWRAYxZnPg
HjVZL+hpIP/xs8OqLPN5O4FM+YejV9G7IzmTTE+Ok8eTTwfHgRUrFpMyx/xy
mmwW3jrONsX48dtPefPy/W770r9xIiv7el0XyXfZH4u25e+TpK4wChHc+hUt
No2L9nbdVtHdz7LrYkFsXTUNTfa+B/xcVGCBeRM9Y9puV8n5dtVcFrNseZMp
1+5+ztl3r17wZ9YbyZNPn3zZI+yzopljmW8j0so1iV6UuIs+nMLyxXguTxgv
7Akg9PiiII1i5I7Hc3j87fSuoRyuCgjb47JoC5oV0TSbX80vM/p11VVGz1fV
DVHvsKLd8tEDl/cU9p7xzL+HRb1/D02yzkMGimf0nDgzmhG+SJ5MPnUSHlv5
otDlvHeAF2BXE/zjjdw6ftIl68vDk+itL6sFUYgG1eY/t3hjW82r1eAr17h0
Lldu9ELICby/uNBZQyScPR9aqrNLEmeLvt2QnIX3f/SKNPzYRp7qVXGfoQ6n
Ryc7WKgtym21bZLpfJ43DQnIbLWV0egSfDyfZPmmP4Tpk5iJ2VZ6IhbTHv24
f/cCBHIze5LREvxEjHRA9+HRnXXlhxZzmt16ndfz/O4n39zcTDK5Y643TBb5
NasAPPzkSf/hpM5u1/Tfxj2a5nDyZP++oS+rakmcqa8b2/sO6F669fT47HBo
lU6L5io5LuesupmXoOphVx5WZLUSlX/RetUkiPrrpbrn9198+vX47O87Ou7B
+WWe/H5Cv+l1yd/nNfFxNqP3O9X7rJpvQaVhZftRmtANA5rQj+53P57vGBz9
8lcamo0hHtmPx7tGRr/8/xqZmOA3RTtuSLcGY7TRYIxw1wJz6qU4ZMRVsA77
w9XfE70AXEbjXQ8Pr6zIYppcZfVqPV9uC5L2TcOD5R8OSEWM1QGE7MLzIK3x
vIOdVsYP9LTk5fw7fVxXe08mk9FoPB4n2axp62zejkbnl2TdL5SOCb1gUzV5
k8zImKNPdElBoo7NwazvqkV2UFJdwK/j/Up+LvkZGZuXzSQ5bpNVTuqbfmuS
/OeiaUEdR/Kk2c4vk6xJWiw5CeVVlS38Khdl8nK7aovx2S2Z0OvkqLwuyOwV
mbLHnuc+e3hFS3IOti3Gxq4p68mLbF2sbjG8SAPRuE4zemNNryVvgXwi0tY0
rDK/SUxtNSn9GBJokTfzuiDqJJdkHLip4IU3JHLoNeSWr6pbUmB+enN6/IxG
tdmQVbCAY06aEb77IiFHjShNXF00l0q6++g8Sb6lt1RMwSpNCrqjWDd4Eo2a
WJlelDj1RqOiCZTJzWVBJKZrtk0+sAL0GKb2xW2yzDYNv5R4kp51sWWK2pW2
1uTkVXWrjPFhwxbOWxeLBZkq5JQfl61zQcCHeVITly/Itclpo5SkigKGasAe
9LyqrNbQwDfKJbQO9ENDHtAVUROhDRp0zVKCtkB1LYMhAtzLvbQ6dZXNL2lP
Jt9XN2DXNCEXmxmH7gXddNKk8fJVtSHyr7bMSXhBQZ/4SSndQKub1HlRXuOV
RGhH8XUOI7BoaMG2ZXZDJgkez5wx51Fv6gIkrdtJwluTVnIJzpNBkvq5In6q
84yfVpQkLzb0N88XMQ13KS3pYstPhZWrI2YWllmkTAIIGHDkZkNfbWGs5sxJ
tlvpxnlGPI9BOj6lG8wxHqCj46lJV7gYm17mq00yX5Gcwc5rwXHJ7Fa5l3dT
gmnVOS1YQ5I3YYOShrKmaZHY4qmH2y9NbshjH4cD9JsPI2yqdW581XakgO1O
vLICMXhKulVptLSsNIQP4/GEFne1ystl3hEuIld3SRf1uOdbSF5m1zZf6jxB
lTygKn6smEL0cIzJb/U2K1ZVLaOGJLV5Eif+t21R5yIwQyntdhGtVSRUYqFH
/ug1+OKmYiopl5E7t6zIln46Gj2eJI8ekX1MtCoWThk4Vn706ClUgF8fWpVk
ljX5qihzLH1Dq9ld1HAJF4sa9jYmBWfJsV/aWZE0Xg7av1XJcVEV0dUMU8lm
xQq8W+bkD/D24wAcBkSswjoGOssmmtfKRG48upvwA5inzi+wFPNcyBYsCC3U
dUUijRZlS/cqxflpiMBiJng+HqWDooV4AmI+r3ADUxIiVqUw7gYxp0ILWcR8
XsmgSVrhKuKqy+yaKchqNRhQVixEVqmwx0VO3s9XGSwsWpwbsJboqIa3CI1A
HUWRBANLRDeAnvlC5ZbqIqz0RTyXNVZQuH2xU69AYpOUa/ihvG9oG6yEfHWw
sa5pzLqPw4EFwhyqxuzE5IyE47YZsHpkbkMTK1Uj8dex5LioqzUvBGLzaXL4
6vC5iFX1RfwiplBfEFJi5RT1Ykwqq731okDEsdMOKZMKz3abFZp7TjzK5hRb
K2ankS9fyzxCe4226kwsGtFeeIEuPBYZgigSDE5cgG0/VKU/hFvMWg4EwRXP
2I7iz6LVr/JbrBvR8sHLN2fnSFDgv8mr1/z36dF/eXN8evQMf599P33xwv0x
0ivOvn/95sUz/5e/8/D1y5dHr57JzfRtEn01evBy+ocHsiIPXp+cH79+NX3x
AKwVizfwLs15pruRFA9UZtaMzNhb4J5vD0/+z/96/Hny7t3fnD4/fPL48dfv
3+uHXz/+6nP6QNumlLdVJRmC8pEoeDsidsyzmpmaWGBOZk6bQfrDdCGZVybY
cETNR/8Iyvzz0+Q3s/nm8ee/1S8w4ehLo1n0JdOs/03vZiHiwFcDr3HUjL7v
UDoe7/QP0Weje/Dlb/6O5f748a//7rcjsNBULTyVcKyRRtNSwwcFZIh9LxZD
AecCTtnq1nkaDZu6dOkL+Fn0/+VyCwtGAld7L1683BcOJnXWQlicV6yBzxCj
xp7Bj6d5U23rOdQ3vV92AQlnOIEkk6A9N/xmMPuWmJ72c0KvX3NYgXYaGaCL
Qjb8IpcfiHvyggUWKTpsaBoJBKp+4nd80sg0ymyVrKplMU8xa5J/JMEWvN/X
2S19nucwh4pys21F+GSQCjXn+ogEgYG8up0Qc14Uy3FWSAhlbCQkTgXTNWxE
kNbatFt6rdhYYur69FwW0Z4lyGq1ZSMsFx10WSwvxzAXV6HPp4+b5e1Nnpd8
4RsaKMYpTlwavUc+7V64tLtYaWe1RqPjzq6+7xbZ9TCkea+DLWgBVxCxkqsV
faKLQs7ahoyjthH+y0rn5l5XVzkryA4ftmYrtfDH2qy5mnCMjYxsFafqmYEV
lEz3jJhmV22ZdZs58SFN+l//9V+zrLleatTe//vVuPPvV71L/tSl958GLkmi
7TNwyQe8SP7912Todv+eHb/tPdlP9j7b//gb+bfrkRvfr4YGPPTlr0Z0JzNr
8qfxeO/x/vi39IXbEfzl5/KlLBiPAZ9oJeW18vo92zf7wZdO2vA9GtD402/G
e1/uj8d/SoJ/+PIL/tJzwJ/+rPkQl4zePU0eDkoDiV/97YN4y1sQ5sF7Nu5f
b8Cx2eppct7byclePllO2KBvydz8qZqxNCorlnn8zP3AGoR3g5zIio0PWC+8
d0ikaDJSnRcbzwT28Hkok9yzWHxek9PDjrMmHOx+YtiJS1fQzom9Y9laEqoR
aeGsH7bDMuiV+Wq76M2WhW+qbgLGst60jQgbDQ5t1P0W9wc/uC0dbWhsZnqW
bnMhV52TKIWfQAZoSzv8M5k7VAZZJdu6bPSuLpmSi2wOB0LUEHlW+dzcsK6e
o0F5jqLHiAybjD7v0NnJNtLVZrYPCESII34dydG7XkUaVahktwqVW7r5gm0v
528toBsdA6n5Oxl9IePrDcGU1p3zNOpl9FezXbmbnD7vEjTVkBkG2dCr+EcX
DoY1zH5pIRujx30DqiylV280cEPMQ17Xk/EXakW0PLGi9QZEYAAwf+AKaBF8
b4plMRl9GW7O1+KD3vWoouR3J1/ECljtC9BISLQBSMhmE2+BDpvgTmCS7HbW
g2ty2oiBldi8FrbdA6LxXiI1NjUzmEa302hJY29owCoUfz4rvZdTi2NL7je+
QDaRxgnSaEDW+zfCdANslHomSncsq0oGWyWm1t51kfEn8gDzesWetvIall/u
gFu9ylrwFEmUYk2SrOaIcODGrpy3yTEIHdX+RBY7mkGqjh48S3h4zgJNio5Z
VzTOkZNwUSYJTVyk60TfD8/27j1+PPCmOc+lAskvM9rsiLgMmoMdUSvrSaOj
9+ZLsJMOmvzm3m6NqO+fMfcagPw6DmTJfuLoQ9aoMQ0SRIG8BWmDxpGdLG9y
YGX7ZFviX7IcSe/0Q5xxesBGx+y9XS18WHUg0CAePbOhZrzevZM/wPuc5Ug1
qRGEGM7OnuO6s+fv30+cK+VTJy+zkl4noQ8mSG+8EkZg6ULMcu/9yd6URrIv
VkLPfdDpa8zBHK2LbSmJIIs3xGkPRNlJaND/ZBVzyaqLJIsCzRuwc9NYtMdZ
4SYGSMXQ4Gh2CG9UrQTmeG3NuN9IxiF1cRd2nbwdEKWR9HEQcH39BK3IIeMS
t+EhtKI09y37E3MgdZI1slZ0lwUVkz1LdLlpqTFTs71Af2JyosGdDxBH18HB
fHVFkuGWlOASCyiUq6FMEOmGmprLsomW3oeULe9fXYlKqpfD0oDcu1bvQ6bF
BEUV/Fp7nwqbkG3i6HYelMWz7J6sQSrLe/k2qLUflIpJAbpyZBwPuKhWKwkX
O/o3IsMuixzuMX20wPSj5NGjcNLQCc3TR4+SN2VBYi7SFA2wIcqbDFZS+9M/
49ArEjzjsL7dtNWyzjZkKSTE9RyoDH3e7qslANEqnzTO3d79IqSQHVfgpdC9
LkzIRI34JtR1ukgay2uNPcIXxYgnPP9kR0BSBKbqSLlZhabpH7Pl6OshzcGa
QhymvdqZwLVy9L6E5WyrdMfoNkB/iLa3eHysLAKtl4VBJLBNpO52xIp0nIPD
DAf2OsomiGkvhs99tMQwb8tsTXRbrW4hPJF55cXaoYUkOQGDfqZKDMr0mhMs
jgjmNexa3z68OjlhMWKMRQKdrK9t7a+utysNJ8OAjBj2DjkS8TKM1SIjTYG3
vKR9v5WIsz2MB80vM0XB5sJFwA7Ewxl8RH/9QgRgkYsOzkNZAHuK1pYDabSD
6Pr5VeJy4AhY0U5cZbfI34hsAWGJA2ryvPLc5S6Y3cEzdjUHbH0AbBHYq2ys
mgwbexk2lgmwdnbRmk7QpBdD6f/rX8JhikTXz+IdCNdYwivt8Kdd4tfDBS46
URP9959Cdh6+xL7pPuVDZnT/U4KPMdP+x48l2FP/oWMJtcOOS/5qYwnV43/4
WAKde99Y/jK7MQqy3SMNXMztHjGK6NvDvhHx7iG/4K03Xpr3I3U0OF00g9sJ
+wbpEbuIpRW8GLaImy1DPu7Ln7Ozw8JE4mXsh0nm7/zPx2pFVlfo+Lx79zd8
yfj42d8ej59Niry9GN8U6yYf+3vev4c2hybY1MUaMITgeQ6P1Lg8n0t/wwYW
Ryq8gwMJb06Pxebt0y2KM2jMPkPlFKmjRQXXZdIRT05rpwHFyIAgPgAoP9VE
KtxIcSzhGAGgpgMOBlejzqNURxFRTrOiV8VFzma16kk3QleyIiv00cUeyZ53
O/d7dOpi3DhyaSE0sWUYg8AR3UwxXIzq65JdHMZ372y9SUMmU/N8g+vccPia
fb9chXkDpOzpJf8i2M6nBwe/4bUZy9r89uA3m6y9/O2//ILlZddJc4EIrcyL
jcGvuogP237Omch/zubtStzFLg0sxPhy+ge+x2Z//Cxw5UOhahs/MPLjjb8h
rxOGbeQFYN4eGTgfdFoiV8GPkEN9gB0Ez0PezHB2MMN0D/ZeieucawJW8Q4I
vL5QBqxAHTA+eZ8XF7DqAHcoV5iKj9ZdMwBYDPiZxPtrcgW9VzL36TXEzsRH
uayr7fJy18SJ0LIqLhACjJP3viTc24ihp7Lp8PSoJ52Mg8a4t3n//ukOKOt5
dUWuIcnB830f1SWzs4EwHrOVqVDx/r2Hed0K+CTHEw7302RWtWyTCx9hTr2J
An3BEZCOhHDSErCSHj5yYrzoA0R1ng9QRibKQ2bQtAtaeTC8hK/OOz/bN/gV
lDBkuL/CvoFkCF6g8W8FPXKulYjBe2mV+xc5TA99M3FPF/ZtLpnahbhR9E0d
sS97kiAN7hLHq0sd9jguq0IEXI8s3ZCFDzD9+7/990ali0hAzqkb3g8IzwCS
A8nDXByOTrEas3gatMTk8xbr4o+5Rlmaq87Q6OuLNhVBYckt2ln5z4gx0zaj
PwrLhUCzZBcoNRXWKtiDLityh8oltuwcgT+EnDF+CLB5VpMUCIL7QZjDZbUi
MbPHXqWU4kYCN8W9CA8KIgyCizQJR+ocE6/zNltkbYbA1jNHXcHjFWsGTcqr
GnI3TRFlcaRJMKcI9gnQsrjG1qINAxZgOGJWLwDR5eItAW4LyhdQ42iXNeRz
IYBg8b3zk5ek5xtRvjT6VXaNIF0Q8E+sBAt8wE428ELygHm2Ea+tUJyCy3Ka
QA5iCcAWzgVllf9MLN8aI4EDiP4CzeNoqAZfLwytEOMOj0vByQJjBiNF9Qqt
LQLxGG+FUPVtN8bkgikAudYkFHENvQKWD0conQWo4B0JznY3sZMjKdej0ANQ
/FFo6N7rEVw8SRjukSsirvGhYAw3/xnEWTIDFPUODeXVgtsg7r6AupzcToNi
ApHgR3YpaYXX0zfn34/PX/9w9Gp89PvD76evvjv6W6DCvvz6M0i3c8h3hcXw
3U1w1+9fyZ1nXqNUXCve+rvGLd9Fdi+I0tMLz/OFGmD7ir3kSFdAFFqkaoYA
ezxfKUjRiJhPgIcLhgCI5Cwspt+nJgNKiVPU+BDv4NGjV7SzgFUF5JKeiqJF
3lrMzwgutTCjkMsNigic9Qo+v+VrVUDD8LpgeI2zLpiLwm3IBugMoEuyvCvl
svI6vw0Bw4D93G70YogzlaBslNd5x5xdFDBIkDAmIpGwoL2PfMWVkmNNZkqz
Lbxtrlt+ED+pNTQxfPLOgO+Axfc2DPe+7+mHOBrMCRAfrdf0QEEyMWOJWudl
fpOtUnYn5rfzVRiN49kqhoDNq9AILD0otekFgkOgaBgWloy+CJaJpcY0vdLd
4hHsIGTa203eiNsYgDPfvetbxmQ2vClXxZXMCUI6p59bE209ozYcQRidNcaA
yCwdYwTKN03yVeEggBGqgAY825LPzUQk/2/LYsbp2SDXIWlGEuX2DNJigPTF
OpzrIqp10QD9dbhj1VkCNJXpP9qTPhMkuLTyoqjXPsmjwB9YIrQgPovk5UBD
4200RE37nF28yFJJ+vg7uy4YQsyPuS+fBYhE6325dYAfVspjaqqLFpo4DXN1
mttNh0acdl1TjY2r/rSXsblQXqy2DN8nDSwcGkm3hjcMllltocgnZnFjM/K3
4WJQl7i1s4TR8yDJvJ0kXMaW2cL82/CRmBLyypBanR81UtAkRNNiQcxx0qd+
oNbwpjDrCeaDvWBKQOVviIPqGkPeLmPbjX1dEn5iswWss3d+dLQfXG1LqVYv
W0A+KQCrabvZrG7HNNai1PIXkVbOdKqQ4Qe4X20ddZzMJky9mUi3aB40gO6k
nTxHI1JdmKXiTCBcLQ7g4FXME8GUxk5VKhtNkmds7yvMwdnfQFCtWEC4BLTc
YULPu7vmv0h2Ysy3LwK7VvA5vOF8WjnoAeQ4epZfxBJT2YpZTnA4JPMBHVK7
GfK2GzxySTW41AxmVxC0WIgWcxnY4SSYESPp8HwonibJc2/3py7iExev8cZ0
QAC38FI4M7AQETCLBUjg8CpJLNZRSOZyINbEEpAIJeVCCRcBJ1M8C8vClhB2
YSfj6kAAS65LaWK8tN8UBkXRlUotoNGIIUFmNNenczBmVSFzJTl+3vcpsply
g1oT5CnMAZBJZW2byB0Ml5/Nku2sAa7nw4o6PgQpoKKhqjcVcmGeKQeYIhQ8
IHG81uJNR5DF4IbAk45FPzZ/oQLDVw8HcCsPrfIgUc/gtggS127YMRIYO8wd
9kad76hmtUfNeICJ7EhUiUpocAsI110kSJ0o1FgByxhlhTrGn/Td/5j11hil
iK08wv4TTdAdiYstgc+fXwKZF+wcnbgFHnIpx0TRirlidy+jJdt97bKQrAhx
D6TcOGls9iZLn8q59XnZ3jtDb6mrGpII3eYSXp8VHh4roDi0nOF5nLO7UrF3
OrtV7e0sVzKBsMZzXsEm1vlOqcP2CH0SQPC5uLeak50PVLEiHWEncrwkYFIF
NsPT8XutCHL5LqK5YVec3X01tjVEIt7nkM0zaF0x2DLt6ccwWsLVhae6Cgen
4gAYtcBD3DkIlho9joOLu+SKilVvzk7CFil+oUNIUXi/WCxisEjFlCU3OJK1
BQAQawdvUwJSpQI9ewXHjDS9gABpXDFcaPs5KKyhBRD0vGNqQfEiBAULXdgQ
ElhSe8LreY01ejMq1n5EoaphPNlxgF4HI64YyoxCJoF9aiSuzq+rua1cJDob
yE5RGt5lC7wIGtUKXn1qS5lHCrNRK4NIX12boyE15TTkRXUjdnQW46TjqRT1
bWg7uNyH7+LgE0gu76BVzMFstKOEjDHdsRKxMAgzCORuWKyR96lq7R0LmoZj
Yt/IPbhJ8s0lCjzBJr3IOUZXRxKBJVpolF9sa4XuB86b0JT2ZjWXNlMsV533
hsuC0APiIsqYg4AkqwFEXW8eQPBMln0SZ3wqzvD2EjJqc0qVbgj6rRyUSkGH
roSXhXSzuziLa9A4VpoKl/NfXNHE+onWerOVeCnw0FItQUz6k6p6rmVHb6+V
FMd3wgxBgKQDurC4SGzMuGQYY9LDiITEczMuF87b29jGSNXICMz3mHjECBrc
SjUGZrguTaN7dy0Q1T1vtCcvTNZ7lPcEpd1RZMMnT6dhhxOXjZqeHn7fzUbB
iOC8Skw02NSst1gzS01ilIASmFOiUjgYlvygLSNg7ISuieWuM604dh49slNY
wocSAuU3vOA3xKs5Ou9kwDrjDvsGaJ5gWxu7uB8NUpZZDM5PS/uuiaG5rppW
/ZoASGnoRsMOALwLYDM5onGVwPmLs2RvTf+/n3pMGefhfEkMI81pNJK1EnUf
R88WzqHKyC9ZkAUyN1UVZPlcQDrwqrhEgcZQ5stK7YpJ8iNSB5uMjViWNKEc
7Hp3RR7ZzGjDod6hh55z9J0R55iqV1pkUSD2YA3zzKWSKotQeNIdFSP9NU2b
oHuft2w4DRZkXIhN+EVFE9jRMEfR1wMBVk1bdHRZXkfpUzbfLaUDP3+T97hJ
MeZO5vd9X7jLP2EhV87llhpcVhyBBt6J1UTSA0xpWWgR1qYMwo2lDK81F1bC
XHYqUzwne1v0dZm75BmzBceVxAcS40YIWppUJ2ZHi6FAiHiNfdzQYLDoL4ry
Kq8Zf0Db9kWxLtRJg3KCtYns6ZxmVxfVwAIM7V5N97CPxT4YWhMQ+9B3M1gi
3GdluwEbQ6lH45MAikAtrKqojviXVvtn/gL5BdSI3GS3nHnzc8avEgfIVnBD
ak3EWTM6Hv8KkR/U8RHNNIshgRMx963GW/MEdR42m0mTWZ27lADkwLitxoCV
zsUeLkTjdAnlF/NMan/YcUOAJdAia8FOu8oBwSEzNMIcXBo2e9/jFpEyEu2L
Zd5x9kBzlCQoKob4cVMBH5s3+6wsq1nDMhNGmbYGC2sUWJwJhmNAYbiECJmu
Ub5EAAk9bte2YBKFiYy9u9/TzfqlQ8+OmS8w5DmRUFcz9uwhgOm5zI8xmp7M
GPSa8QiSqAJF0klijPoUNbiJQzVjl+n2UV3RgNNAmQ7qwOl9U7GknhcoEfbe
hwJX1rEqDIY4UqptxwIKHU88s8brXV97P11S005I0bNQg5L7zfch28uZEWbq
ilVzoy28ubu3g5vIbyesRDRnCvJ/f35+kryET7jUxuIiJ6Q3WEitEGwfGL+x
mlcxN/CyvR9PzmlrvHt4s2nfK0TIZV77V6beHqOPPXAQPeP9viQ+HV3GwYoN
MfJAjQdiWi7HamscKNGev5HdjUAiu4HGzuMicuR1WAWZSe5l68zy8D1rVHq7
H7YkBsVbcubqObB89HAIf4N3ZuZN09+/O3v9Kvkxn9lofvfj+b6sE0SGTy+y
mdBZ2ThZvVZmcHGRizC4TM9hllHWZeu9zqNeY85QCUgbNhiCdevKFzkT7YCc
AI8ZAaHerHpIWi3BvwNIDuRoHNAR4DH4oJpT9PGtDphHUR0M7SSSVDc8sZr0
AlybFiUNjSZpBHkzX3F7NVMTgJdykHGP/tpPw6TjHv29jzC2gCETRhdEkMuf
2mJfUaoo+nJlHwF/AZuxd9Ne7ttKuzJgny9igx3EVf9YHMFW942EtrI+PGLf
qQ4riAl9GFlnFoC+YVHwiG6SnctgtVZzuqIfAPtgTw39Py1axJhWET1+izrz
FqRnPuKqXr+rxiwJxsLEl3lG0nY/VShibfFdxa/Ips+WJbkf6O/iVWbQ/M/l
yJ2HCcOzYUCMdEiw7pa63Iohg2qQzSzYSBetgDrOtTdUWIvk1AHSB7xgrNOa
23J+SVYDAng055KkEc9bdpmvXPZ89kN2cZVJu8jTk8MgX6Ydy7q0tNiC7Ben
hqS1TfgCGjyHR0PsxpV3xJ0lbwLAuSLtsPMqiqwo73EhIsPMmFRcQdiG+z2Y
KhCUpcdniUbZoacCtedYiJSvE9KdIAfLcH5UoOqiFmRe7eCys+PvuqoHvWbH
jd1NgsdxeflBxhOHKWbbAoFAEe67VLAVMmNIuGaM0Zw+P/z68yePAcU45o3A
oA4RJoGGjiG43V6ztKi+22chEl2d6rDL7I619O6gg5rctX6WNBCmlYBGhBH/
pLkH1rvnwbhBl75Pgppf1mBebe4HCz1A2D2vg0mqSGuGRQewuP+hmi3cMT7/
LoDABW3ABfg8VJlW/y4NIWz3Wns9F9wPzMiB/KJ/k7cmaZ0uVHazMdl0XDwP
pZT4w8+F9BqITU01GuB+7d7F3gtzy8t8vQbHAnfBMX6pOWT3y1pVBDWFJgly
0iCL1K4YC4QuFbWEzGCxZDvDwn0CYQT+SfDeGi9EHzGN97heGzqISQLgnMzr
m/g1CR+B0EiupPWtGuxn1J/TLPa8UYHSh+RXCV1V38oA4HbL7pOJNHMEQtJA
bba3/1mjQuz+cvJf9hA2HJq9bLJaMl48HvpWifONPfQbe+o37pn7AyEFRWfd
HT/4ACfPpWOLUnqirlxdfS9SpUCdwDPqRgs5BGvpj7QHTOBYvNU/RFBr21cw
dG4Tb62h+YbYPEjEi5Wo1yoaUsHUaO3DFqPgVhlvtpCuxrB5GGXioq5+kYmg
xVL7JTSWejCAK5uVauJZzVCTevOwRpKwmCvapaw0TbvtlcfTipLJKZztdG3P
Mo9azrL4QDA5MM/AO2tUaHeD+z6QFsb23bcutM+YuLiViLTAy9R0EBukVCKi
q4xem31IlxnZJLkY4QaajYbH0sspHignSG+/ReqgKd1Dm6E2hvfICu3lB06z
pvHa0O+NzubMzyZqpiUyzG7SkB93BsK8Z5xaUfC7vOqmWK1I3dTNNjc17JlH
wx2Sa2CVgxaEluWxXliGc1jk0iW5sA5IAs9eo7/lwiYwqyGi/Ug4yRMwhtbU
R71HJbYSajdNThkfyazDWAIv/drIUPY6uETPR8Tj540sEBZWsiBs7NNkS2vJ
ZDltTzyvBuMW7CG2wPaa9ljnBLZfHR2yWCtDgyRt5wYZ9vdzYd3I5Jv4Lk8O
0N9pwMGMH/hqd9BFXFdrVJkGE9cyk22Td621TnoKA8xd6zbbMrx6sgNeWNMb
D6Jnyj/ztZGxAPAnxZ2z+xuXHPqn7LjLo+ufn05fHv34+vQHGKJffvX511I6
mnWCK9ZeqEsp1sHmobhOEn6SAP1KtxeXkB2QA97TtaA0vXJ6csz5I98qS5ue
dSZ1xtFe6yjvwDkOKcCG2HXmGnfGeQOIkqDFCmO1HfnUhI67UgxKvN2CqRLk
vxeyk2B5vEONJUxqzmRh10YPX6LpQnLBsU0muDORRJ25bEMQ/X2duaMdcF/q
F4cLBDJeLT8QOfNJE+a72McoLZvYiefAzErjzkTxNLQdjxjL2mqu9JxxhVbA
Xj5YI0OOdzs8tGsMKGNJ9ooJSWxLOHe0S4R605ay0l3l7iZqMogIXll0xVs4
G9fENKCE7Os3kmYKCCqzlcAoVJ12qwqIAJvIzbpHROYF379e1d1x2cs5p9FD
tajP4iMcaowjjA2HGBHQNdEwPTw8OjuToh36iT3VT7/8taeQhbE6cbVP5GCv
t8XikzT5pNnO8B+ypvgTpPYnYTvHHTVwA7okIpLHujle8VkI+TYYhwwxrKRn
DjhTofxk8kSWaWDa3JaEk8fBm4KObePAzFIb5AP6tsUAeUmZeDADE+2XjVlB
/EH/A9/3QAP8Tvpqw6xgC2mEO9BGvQ5bBeDmHMHVWhSeurKCziPe273GQ4FO
8GORLnCo9ZZeRANrP4B4DNtMruwQDS1sUt9gy+UBPiU1JudESlOi3JSaIR4r
Hak4LMR4CVStV2qavpeBdoiqxT/dGZjvG75H2lG2XKHQo2uH/tYrjdvKqiRi
XZX6/WQYypoPL0x8kW7vOftisEtLtMCwdBNDbDWWJlZvnvFhFqgGYnzG6naQ
sQRRp0FPLRd3JWrVJpMQu4rPmH69F/myRG+hCG6SOALA0fmVq6EdaAtHrn9o
qvHuy7hCvsBkYUcqVKHZFCrS0ZnfzosocwZdtFzBxGY+npbBPLbSQt/qwOlp
Br9omprR1D10dHi0ADjEgM+uz5KwIV1NpMjLHsDTEi5MUmsWyCUM0x5Ni1KU
90bQMup4u2UoZF1ctH3I3vHyO2Rhd9iD7lNdqm5l6HFE6U556PGr89PXZydH
h+iJD53z1ZdfPlGB1lkjFxeK2x2LSyWQV7X5/K7bafMHeiigMnMSAj2hiA7U
qBBPlP1rJpQWRgyr/NGQ6SdHT99h8+GV2osGEFSXr+iwgLcCzyW6z7XGoAIe
0623982cB5/iRJTEWPFiVmFar7N2XrZvNcgFFHNLKIkDJI4R4GROucuc4FRM
l71ZaAiMX6XOD9GoG/xANOOtuSRNNwoi2lrbp7qruo5L5Sxideminw9prybf
8Rp06yhNAX8+eQyqvHvXcaR8751wCZzEUSFBzGOINvUyeJGUvNoEXAMo1z1L
WrzqNNKEcCLImJvVRF5Y6f5EM8E7RTHBvLlTSEpVjjhQgO2zCxWb+k7/TZjQ
YdOF2MOS2PyGJo18OKnYpmDA/x1wBJehTTa0X4F98x49z4TbbMqgFrH/sXNK
ocsRn0eFpQ7N6cT6EtsaKRjDuuiK5Rd6UGJo8sthiF/xtjZjXuLkd1Fbctl5
vh64hEfH6Z7YVVJAoyuzLpr4hWGcIl53rTV2CvuukW2HIMcfUFZs2IqggUFI
qZ1Ln7oAvPPjrQyB65PTEBKuz9KSZT464qNeZqGdwLhWTXT44vjo1Tn/qY7P
V1884UYFQ5e8PH9xxs0Mvvr0C42OussEK9ptXKAngOsByPjKFNxdA+foG/LC
3Bd5LsebqCslpTZcXpMObnhT2i4a4hcxm9E2ctYrUHLeBDSe0sKRPqP4wFC0
hdSBYBHMLrKYccMNUi2MaW57FLu2ycgAt6FDXapkZzWVK/w1enS3GIAH1CkF
YNtXrhEAvG9p6k9l+aSx6I0oKOtuKub665tuUMoC9GI8NW+rm/KtvOMtk9TF
6itvNEQG9lB0HkS0YKMGbMLWV8PqynuMn08+9x5jqK6UarDy41nc98QnogKH
Ng0YmiWUFyG7hnyvqPprS6FkVTRar4D6jgJQj8bw0r9AQHXosYPeITk4LzEL
3HgXIiBjC8kD2yHsoVlNdsijdhC3QtfVcaQVf+3TJY0xI321JopD089Z3/ga
rkow1E7lDQRxOe2V65kYEqv9iPNPZH/r9bptukrPalTKYdPKbNbSncvRCyQa
7SNVKuTyprk7NP5baO4TOzGOjQD+6lDr5+wnFjwD9/d3jqqFbw9POJz21aef
QmPUeYhwCpGkVjmgEw9FhDgdfJb3aW6dC5krh7rpPGx/tiY5XDk/ru2e9yN/
BIhrnW5tHlprMfPixUs9woW5RxlmLyxmBbpBS1XJoN03KIk7NBT5X6uAXhfA
Wtv5CC4WYLwTnwxlIdVeJMiVkXTUTxpHe8HL3lI2NcSkcgMKErCWaiu1HJzu
YT3CSTuAGznzxMhHXyjmh1veDqLuJslJ1jRD/CduM2A/IVXEQ5EdYj0XS0eg
eJp4ogW2cfCtxZws7W7ueH5hTVRijGTUbSAr9QcgbLNbrj2rzCmIxg3jnNvD
STf3eE3ZIVlVy0TKuACuB0xysV1vUt+FC5H1VDk817YDMkc4xvlNlBjnFQvg
ei5PrvLFJi8uf3Bjtq62pVSR28NJlpQW7QNfhPVD2o+AjQFcUfPhDdc5ABrn
dl7pRlcz5sdBWqR3cmbYisuSKh1Cs/0fzUhDqnFwmNmgu/d7aLhuVy0zPXuP
Nzg9Q59ChH9sAUaxUoZWKl9krgeLO7iPKS1dSyANQiLtGgTXXaGqqS7ml3YM
R+8qrR2V7hHWjAlxvTrR5p5OTnR3n/DO8YkdoUvc2c4ngIsFb7FH7/XZaj/1
1Il6bDA22ADEwW1x71COBcgJQLxlUGHMEmbhtq0AZB1gNRtG9aqZrUVDdnZL
P8Mm5VMiWIL7pXegCBo2MGhv9Xcft+EvrN4qs1gpo4eVksrNRTmwBaHlu2vX
7EZ5+8phziOHlcN4/lz3umgosRlcktjJMPRnC+/m8m0FjGuRpIuTNLmNySwv
Ax5xILXPd9qX1no9WKy0Y7ZAP7CMUbKbiFezKLSD9Jg01JnhOEEavKj+nd31
uvmhoVZ7cvDNQzK9ceTKM6lvErtw5BwRPZBd49HOZ/JuWdiy1ueJvDy+K1sE
MFPismgBaJAG8hxthvLk8V3PtoMKBp8cJLcDSIYM5zgUXJ0Y36V6XtN5QJem
R1G12Y6fjYmax6+6zrzrYT7X5yFOwAJbE0wdCRwmpd3opma77/TC3DjQcXV6
dnZ0ygHyXYNxzgCHF/445niy+HoD7RYH33iiGFBv3H4IMaO+jfE4L8hAmqN1
U69xo6PdWIGnfJbZzv3k8gy+lmyY484NW6ytTEzXykG11gYjenYHjBcqYHay
BqL0e94f/iwMCRvHcGWTuSZBbp+2kzzgjpmqdafwVQ+Y8a/8fMcrLW3tHc6P
4rYBZrMD5oJEuz1HJBnnjOXQrcOqLOGf0p/nRtez6csX/p797uQAkOawVdH0
BGrs4N4Z5PjMhyR6o1fcQiNLcY/U/sBISuclRPY/W/LsDXFOUJ8pJWirDjbL
h5Ci+lV3Xl3WRuE318GvHFpIhhtnslTY9/FqmkkWtIviGhj1zX45gzHAb9Ny
k2aJ50nzWilc+AsNWcBaZVjNKSeMOVvL2vXBlFitAizEoJxRlCd3jBkKRzJT
syqNGiWo9RdhTZ1nylU4fNJ60YTFzlLVJQX2t8OxWM7Eoi2oO1pN2wmSUhhn
Ywexg27lciO2Db7frtm/FLBUVW0CdNJQaoAbWleKAHJtMl17sBib6qF7DjHK
HaUcSI9JpE03FfJz7Do9OwjF0DhU42uvjkU+54PTg5xQ4rZI1Hq7D9+zWK+H
A96Z7AmjscZzEvCTZluY9Ldkghq8vlO5tHd4/O1039fRYO/zU5RxJ/gdYly4
pK2L5ZJ5rQQCdlxdjGdWN2IHimeWiQ2ZTtNkcoZfGRVF5EH3T2Y6QGutR83u
Y9KipuSo0iG3nkSAt3CC2NXQSDKfFDMsR9TNAbo2KE1zkfB1NYM5ssjBvvvc
jTtIkIqW952WXLFlU+1gMZ8Cs14pQIj7ZoRx83VY5QgeWC7FoUprH4iIHk8r
d7ZllFxQgKUtlyUF4mKt6NRXtNu2y+LcOF5RW4H7Jz3RWJQNmSO+U8muTRMa
Rrp/sHsU2G1o7AGKCTx7WC5wIyRD8iJXNd5uOpcgsSpsryByn3YZLg5g1rcC
zmJZavcPDGys66oZcWmT3XSatnj9rdSQnkx25vVJsPleHp7Qbku9prHTTBjB
5blC4meKeO9TSCemrWukeKZEMcB1bk0dFDdR9MWQ9UdxnWpdkmFoFX0JlfZ1
txZYbZ1nrfbHfHMcj08OEkGdh6/v6yIwpDE5jqKbeoEZOzEsTbg8lYFOvb5Z
4kBxJ94d0iqYnGAjreuSd/qalut/fESO++cR/1hiiCuv0BR0q2faWcpFzk+X
sIbYfEBclZ+gycGGO+aIT96YW4uKV6Z8pLzf9JbXFUasi8XYj0o6OJGIQAzc
DjJXB1sifSxWNRJ2kemx4lGJlcZNtZbQHQgeHSbqo4a90138sbfZdunPYHX9
UR0s8AMAgcletkZpfisYLxylfBwcIC6h+uCs1yw+Ab0T/CTZq6hOVpf9+I+v
5efITt/u3p27eM8S8Y6AbFaz3AwCWxxfiUvWENyRu5whIBPtgBLjFnAW/AnW
wYMTgy5qMYnDnmq+rJxXj6mswy+aoefyZWmHFXyw488ODyXcWjGIQ8dY69bH
pcUTRmS+G+GKzseODwXFbqC3i1XgmnG5xdBDyYfgwFE4qAfdURNQY5lIyNgz
P5GKi2Gx6c35v5SPFvpXHxC2GJxFcM4KiySjQSSQpTZNz4YYh4dDOIalDzco
Mo/3QbSGNg6Hk9h1Unm7I6HUPTKH6WepEksrsVA8QQX2/BYql8tBtUT03cON
/PB+FJNdhwuFomhoUbIBkD3tncG1u1pzIEydWnpPQeFhH6KofFQtI3dmkDZh
VDQkafhGzzmwgZg/7DV+hO/28W60VpKDt23YYxu2ds+KW51wuhebpuamww2g
DKlH7GrAur3s4GM9Ik/eVov3X2plgU5MR+dPHp+4mLA+wDlSVlRtzWc5T9EM
5IQsIxB0p40yurC0uYgYh/ut11LDG8inb2GMpX0guUj6VbXkRhsXW9bjjqbo
JJxn/LtJrqD8oaq134qKny7OTkxC6USyybTYTfa+12UW0oX9QwJmHGZqgg5k
fSW3H6yGiQlVelzUufIWv2Znsdfg5AwVV0tPAZETwfboZKAibJbv2ggHRMyR
hRghlgeNbBDtRRwGlGJz34VSmS10c8QsHx2nFET6hq1eRVE7TfZME88Mbn0m
p41Eh2XiOCY9hURFWRgnUU+k38aw2wsuOEceByzXLuvPEwSjWdvKRHvCoZmE
1Vo7ILw799COhPJ6eeFmEpcSKgPo2Sv9k6WtyY8d3uH7J1rrl0Lbs0nvagP+
DFTtJYd2YNatJ6yvtebVFj3s9VdQ6+FBAEOqy7f1lCRkcDRXN3s1OLaXOv4A
N3l0+vdHp+OXR+fTZ9PzKcMrP3/8ucArD/pRPs8r3TCK+0Xy3P7op0gBrvKs
LnfrZk1Ch+dS9j11ETmOFmnQ+VbD/DiXJ92JPkNjCNylnTb4JCjupvTTzVXz
dltbwynXK0pSHxG5LYqzgWAVdrJjmJQ5TpxF5WopB1lDZGRwNjwjJwQUAVsj
hKnF3I5lHnhLf5FPj85evzk9PIqW+euvnvxaDFLHc/AiI7OyCGrVQis6vig+
tKK9jEBWQ3y41+wbWoAf3oh5ajD3qClgWOss5zJoZrNGTEkZ5sBZJZ4/uJu+
dgdgyL9v2Z1GnQSdy+HOoRG9s2bQe3D6EqemeaStHpaTrzdtdO5cudgN2/vY
xduxdojdl9y+jvt0JjfZrYZNtUY1aOCZhSdk4N13PbWLz7UHCjsbqHSIhQXi
SGq4qp06GFr3BpbGskBPT+vMKCV1rj4O47SOFyIq9ASVEn1spWFwsmf1nkEi
XxnKaq7DCLKz6JyYSAXMYAti0eRnnvrP9HiNpgtE91uokxBWjHmxGJuSGNsZ
HT4hJs3RMpNMAE6jZAc5UrsLbIpDhV+MURLtwK1vyRzjY7Q0/m+tAKEMb1lz
1DnZtcTX9vDgHAddEiuzwJHFMLGKRnrChKcRhXIPK8U9dfSJ7uSGQPoVaLBe
mEdiq2u+fvdkgdQvog/4R2vFi2Kv1nh0T/Duzg51QFqBjaPmi671aTBQH50M
BOZ3x2fnp1NXGvfF148F22GCuCoL4nZuMf96xh1KdVeAgKe5NFIoAoD62t3x
li55W/tL3o++zeeIfprpiE3gzjjqBjWjs1W074EH8cNGbdLIPGM71goVw2ik
H5GsejQNNprkZJstcYw4gnjPdVHVA46ImfVy8EgQRoypIxlhDYBn/txRDcGk
bDM31YrPMCmjczMu8swOonEn3LAR6JDaKhViNRXIiNQViis20Bh9IOjEfIhC
O62uqwxuFSZgzOriiDwfMtAvrQqyVmeXGXbTmZ6OFTYJOTt7bjD6oBl+cISJ
hs2O/DF1hhp59+5wenQiiBMGKR+Xc1bJ/D5b3cOKD3QybOLp8dmhKH8NVvil
6K2tbyTsjhh7s6mi0tYs6Vzj0hPWxTRnOG0qgQ1JXgpBU4ewJ3kElQ/pbO0Z
IJ6abbNRA4Rv5hfRR+1uSaMoNkWQYLGdlXMki3R0CYK5eGXQbl77aMsBGIjh
W7Ntlo3zTE7AmmfzS+d5ppxb5nN6pIOXDwlsN1I3HR0H5Q7iQBSGVmupJ+/S
U8gWKaWNLqvA4ABCOzZNW8VJpzBVHWoindqsOWrPM7JD13p+q9LeXGkykRe9
eDQbXKhK16w4hPu2XGxhEdEiTEjvMxWGHcrGm13Rkah2QrMcq+PSJjqxXFGs
gqBkuZElwXEzIBMWPEp5Ftafk8Mn55Ur2EXHA8VXkgGN+OcyUGmau1AxNCAg
SVuyi7jY1prvWxSMhmuks5y1GNs1+eBQs0C0I6/AD4IsrRe+NUSbrUm0jeX4
LcOKt67bgT98jQWbbU1lFYXd+jlAJrbcgYrDRamOXk9M4XfKAJ6ORo86VaPd
EB9d4MMZtjX3ttpVQ2SsZO8cxIpuCQPRnMGVQ1cyLYnBW62U3BW1DgSzhKJ0
NbeGA5ES1yHW99T1LRF9PCeawMB5VMZMUq1ux2yakgjeHKyevMvxo5LTt7Vi
pT0aeVsgOeioO0vzqGiyAefuWRL2khCHVn2kLkic+hAxvxWlIYk296BFWRcN
jIZeRlbkphwsyXuLGGWLI8ZVe6deGCU5zmbTfcKt9lxnMiW3MLUkiY/CxpoL
abcmbpqGO20eb8QK0SKoNKxpSXck4KTyg88xyNMw5BJGFkW0iCDEACo9v7XO
iPMeiImt4blFseAjTa1tuNrfQzaLSIiby1vXjoMV00KPCcERTw/64UFdUuvt
aAd2KoBmhxXlQ7PBUYyG0vdHZGfNVWjG9HqCQYKF/bqkJUdqFHWVpWowRrFV
wTdwW9PdRxr1szQnInp8P8TL1l/PFm1E27ciqt5zKVc/3mZxtqCyxPcpOA5W
3MoNAy6AN9U9qLoZrkvsX9g50bp3U3yitXtAhzx2XxxZii8PSlSDq333BKlf
/mhv4t293sR7ovdqJf0OuS+qw7xY1K2z0J2WB7LQmsfttgnTAx7BOua0CJo/
WEnofpz0uArbZCV2Ht2YUSb+tNQ99j0UE8/Vz2qMLbH9SjsbfLnlU1Fu+2cp
B/aWmoQ6BYWzcBcYPSxTu6BzFUPY3VDC5lFLGeuKL81jfPKEuyVoeJ1PM9Ve
064lpyXA+80SexkGdnXtgCYdNaczYfXqQe7//m//Q3smZc0YTQr+/d/+J1d5
RZtKJ6ZWNxqOHfxh+vLFftDXRuQ1HOWi4v6KqLjNb0TgRv2AuaNswz2EA6tU
xUinrMD5Ya2cjMO/Bx2YEXkLz5aH/Cv4AE53nLz76v0o+NnJA+3a0VGlM9Pu
mrGGOuA+Ybx9uFgu8FXF+sn9QdHJHky7ND56dYd9t09iGRnptmN18YEQHyk+
332c+HyPaF45F4orYcgh5XMApdGcb2YUds2O2tNV9ZJ8Uj2BAIpjsUUKVDXw
T2RaNgufx3VVPvfsDz29wKNTfGcSdT70fK6qJ9CcMU7sHe5yszbF7CUDy81u
BiUO1cyZE+YnV/sbJ7wVyuZ2vBbFAhdUCFIy2pRsP4gNc79otJrD6bGd2aKn
BfsgRph6B5wq4/6NDLOa9wpUECXnDY/8KsMso3MkwW3LbbHgVQ+PYt8xlTSE
3bpBzWApb6y0WlPiHDlQm2uGKS3gkXOG1TKI0tfSoWYvsjUvYNg9o1/C3avX
jvLMrt/jRrrJW1mImyTDwoCpk3FqM2lZJph+PF4kGWGdNYV1qqEVWjLIzw+r
s8g3nNDf6hlZMofnOKUrmoJFVHqpLVwanlcgBxm7I5nDMxSDIZgEB0X5zG4f
YvGoW2HmYfDGX5eXB/mP1akOrsPejCIwcMn79J5LP24nPEyOp6+m95ADvYnK
Sq40xCdrmvlVWd2QU7KU5PW5SzbiOHTA46TVO0fTyyv2ic9ygG0/eQbAojvj
iI1vVoDsiJSbrZgxFySEuP1dpXoeAnFCT/khq1fJy/l326JkaSUr3yQzACXg
lHK7EWvI3FxmG8O8w5Ueo7WMnJeadQxI7bB9Jne8fz8ajcdjbsGHCVuyIvme
2IJspFGSJP/0j//0j+RxybF2kslyaCRBxMYr8M//THeNP/1shJsfJUfsXcFg
lrBWI18frjI+BsXc7uay2DhWkpMzQCA9uDEEtu/h9I/m6cHBkuyj7WxCvHxw
UsBg/CFrDpgFn0iDWM6mOD1zIAfKHzz+7Mv9eAwsEdglVtAjLLVOH5pp50Dv
5mnyS8fx5CsZxhumizUlKSWDQi93/cp/8YyffLY/ihblWItA3DbCFBmmu9fk
+S+e2WeP9X1P9H3TBZkxWQ3zhSyC+VUhLPT6ClkqmIlj4dOJvzwamrUiS6QV
WWcptJTt+fGz19Z9jIYZVieQ5TVO/hIz+/RLGeHzarWIDsuzZuEMt8eer8w1
1F8mgCcyVpODxYxJ4alphMkfdz2JuVPU567GN9YMqd8qehGlwyYRr+0weWys
fhVsWpU93zr0M58wVX45Tb9SbnkccMurgqTiWZvnVvwFPQoVE3EL3/bp6P8B
5oY2HNLMAAA=

-->

</rfc>
