<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ni-agent-entity-discovery-00" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="draft-ni-agent-entity-discovery">DNS-based Entity-Level Discovery and End-to-End Connection for AI Agents</title>
    <seriesInfo name="Internet-Draft" value="draft-ni-agent-entity-discovery-00"/>
    <author initials="Y." surname="Ni" fullname="Yuan Ni">
      <organization>Huawei</organization>
      <address>
        <email>niyuan1@huawei.com</email>
      </address>
    </author>
    <author initials="C. P." surname="Liu" fullname="Chunchi Peter Liu">
      <organization>Huawei</organization>
      <address>
        <email>liuchunchi@huawei.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <keyword>next generation</keyword>
    <keyword>unicorn</keyword>
    <keyword>sparkling distributed ledger</keyword>
    <abstract>
      <?line 55?>

<t>This document defines a new DNS resource record type, Agent Entity Discovery (AED), to publish agent-specific trust anchors or direct match constraints for verifying an agent's certificate or token. This enables the cross-domain users or agents to authenticate, and establish secure, end-to-end connections directly with a private-domain agent entity.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://NiYuan224.github.io/draft-ni-agent-entity-discovery/draft-ni-agent-entity-discovery.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ni-agent-entity-discovery/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/NiYuan224/draft-ni-agent-entity-discovery"/>.</t>
    </note>
  </front>
  <middle>
    <?line 61?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>AI agents are evolving from isolated, single-domain components into collaborative entities interacting across domain boundaries. This shift requires agent-specific credential associations, such as private-domain trust anchors, to be securely exchanged or published for cross-domain authentication. For instance, SPIFFE Federation allows disparate domains to securely exchange their trust bundles via the bundle endpoint, enabling agents to cryptographically verify other agents' credentials.  However, such a federation relies on out-of-band pre-configuration between participating organizations, and is therefore not suitable for dynamic, internet-scale discovery and authentication.</t>
      <t>Conversely, existing internet-scale mechanisms such as DNSSEC <xref target="RFC4033"/> and DANE <xref target="RFC6698"/> only secure identities at the domain level. Consequently, a client cannot differentiate among multiple agents that are served from the same domain name, leading to risks of impersonation and lateral movement.</t>
      <t>To bridge this gap, this document introduces a mechanism that re-anchors trust at the agent entity level rather than at the domain name level. By extending DNS Resource Records (RRs) to publish agent-specific credential associations, a cross-domain client can retrieve these records during the discovery phase and establish an end-to-end connection directly to the target AI agent, rather than the domain name that hosts it.</t>
      <t>The credential association defined in this mechanism provides two functions, inheriting the definition of certificate associations of <xref target="RFC6698"/>: it functions either as a credential trust anchor used to cryptographically verify the signature of an agent's presented credential (either via certification path validation or JWT signature verification), or as a credential constraint used to perform a direct match against the agent's credential.</t>
    </section>
    <section anchor="term">
      <name>Conventions and Terminology</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
    </section>
    <section anchor="workflow">
      <name>Workflow</name>
      <t>This section outlines the workflow for establishing a secure, end-to-end connection directly with a private-domain agent entity (see Figure 1).</t>
      <t>A private-domain administrator (e.g. a private-domain identity server) publishes agent-specific AED (Agent Entity Discovery) RRs to the DNS server. Then, a client can query and parse these records, and use the retrieved credential associations to verify the target agent during the connection.</t>
      <artwork><![CDATA[
+--------+      +----------+    +--------+      +--------+
| Client |      |DNS Server|    | Agent  |      | Admin  |
+--------+      +----------+    +--------+      +--------+
    |               |               |               |
    |               |1. Register AED                |
    |               |<------------------------------|
    |               |               |               |
    |2.Query AED    |               |               |
    |-------------->|               |               |
    |               |               |               |
    | Answer  AED   |               |               |
    |<--------------|               |               |
    |               |               |               |
    |3.TLS handshake|               |               |
    |<------------------------------>               |
    |  (Validate X.509/RPK/PSK etc.)|               |
    |               |               |               |
    |4.Application credential validation (Optional) |
    |<-------------------------------               |
    |               |               |               |
    |               |               |               |
]]></artwork>
      <t><em>Figure 1: Workflow of Agent Entity-Level Discovery and End-to-End Connection</em></t>
      <ol spacing="normal" type="1"><li>
          <t>Registration: The private-domain administrator constructs a dedicated QNAME (as defined in <xref target="QNAME"/>) for the internal agent and publishes its AED RRs (as defined in <xref target="RR"/>) to the DNS server.</t>
        </li>
        <li>
          <t>Discovery: A client sends a DNS query for the agent's specific QNAME with the AED QTYPE, and extracts the agent's credential associations from the recevied AED RRs. The client also obtains the agent's network location (IP address and port) via A/AAAA or SRV RRs. Subsequent TLS handshake messages SHOULD be sent to this obtained address.</t>
        </li>
        <li>
          <t>Connection: The client initiates a direct TLS connection to the agent. During the handshake, the client validates the credential presented by the agent against the credential associations.</t>
        </li>
        <li>
          <t>Application credential validation (Optional): If additional application-layer authentication is required inside the secure tunnel, the agent presents an application-layer token, then the client utilizes the credential associations from the AED RR to verify the token signature.</t>
        </li>
      </ol>
    </section>
    <section anchor="QNAME">
      <name>Domain Names for AED RR</name>
      <t>The QNAME for an AED RR is constructed by prepending the agent identifier (agent_id) as the left-most label to the base domain name, as shown below:</t>
      <artwork><![CDATA[
<agent_id>.<base_domain_name>
]]></artwork>
      <t><em>Figure 2: Domain Names for AED</em></t>
      <t>For example, to request AED RRs for an AI agent identified as "agent-007" hosted at "www.example.com", the QNAME "agent-007.www.example.com" is used.</t>
      <t>To maintain flexibility, the internal structure and generation mechanism of the "agent_id" label are left open to deployment-specific choices or future specifications. However, any abstract identifier used MUST be mapped to a valid DNS label. Examples of such identifiers MAY include:</t>
      <ul spacing="normal">
        <li>
          <t>a WIMSE workload identifier;</t>
        </li>
        <li>
          <t>a W3C DID;</t>
        </li>
        <li>
          <t>an encoded application-layer path component, etc.</t>
        </li>
      </ul>
    </section>
    <section anchor="RR">
      <name>The AED RR</name>
      <t>This section defines a new DNS RR type: AED, which is used to associate a set of trust anchors or credential constraints with a specific AI agent entity, thus enabling a client to authenticate that AI agent.</t>
      <section anchor="aed-rdata-wire-format">
        <name>AED RDATA Wire Format</name>
        <t>The RDATA for an AED RR consists of a one-octet Usage field, a one-octet Selector field, a one-octet Matching Type field, and a variable-length Credential Association Data field.</t>
        <artwork><![CDATA[
                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Usage      |   Selector    |  Matching Type|               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               /
   /                                                               /
   /         Credential Association Data (variable)                /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
        <t><em>Figure 3: AED RDATA Wire Format</em></t>
        <section anchor="the-usage-field">
          <name>The Usage Field</name>
          <t>A one-octet value, called "usage", specifies how the association data is to be used for agent authentication. The usages defined in this document are:</t>
          <t>0 -- Certificate Trust Anchor: Usage 0 is used to specify a certificate or public key that MUST serve as a domain-specific trust anchor for TLS certification path validation of the presented agent certificate during the TLS handshake.</t>
          <t>1 -- JWT Trust Anchor: Usage 1 is used to specify a JSON Web Key (JWK) that MUST serve as a domain-specific trust anchor to verify the signature of an application-layer JSON Web Token (JWT) presented by the agent inside the tunnel.</t>
          <t>2 -- Certificate Constraint: Usage 2 is used to specify a certificate or the public key that MUST directly match the certificate presented by the agent during the TLS handshake.</t>
          <t>3 -- JWT Constraint:  Usage 3 is used to specify a JWT that MUST directly match the JWT presented by the agent inside the tunnel.</t>
          <t>4 -- RPK Constraint: Usage 4 is used to specify a raw public key (RPK) that MUST directly match the RPK presented by the agent during a TLS handshake <xref target="RFC7250"/> and be used to verify the agent's possession of the private key via the CertificateVerify signature.</t>
          <t>5 -- PSK Constraint: Usage 5 is used to specify a pre-shared key (PSK) identity. The PSK MUST be pre-established out-of-band and stored securely by both the client and the agent so that the client can use the PSK identity to select the correct key during a TLS-PSK handshake <xref target="RFC8446"/>. The record MUST contain only the identity string, never the secret key material.</t>
        </section>
        <section anchor="the-selector-field">
          <name>The Selector Field</name>
          <t>A one-octet value, called "selector", specifies which part of the trust anchor or credential is contained in the credential association data.  The selectors defined in this document are:</t>
          <t>0 -- Full credential: The full binary or textual structure of the credential or trust anchor.</t>
          <ul spacing="normal">
            <li>
              <t>For X.509 certificates (usages 0 and 2): The DER-encoded binary structure of the full X.509 Certificate <xref target="RFC5280"/>.</t>
            </li>
            <li>
              <t>For JWT trust anchors (usage 1): The UTF-8 encoded JSON string of the JWK <xref target="RFC7517"/>.</t>
            </li>
            <li>
              <t>For JWT constraints (usage 3): The  ASCII string representing the full JWT compact serialization <xref target="RFC7519"/>.</t>
            </li>
            <li>
              <t>For PSK constraints (usage 5): The opaque string representing the PSK identity <xref target="RFC8446"/>.</t>
            </li>
          </ul>
          <t>1 -- SubjectPublicKeyInfo: DER-encoded binary structure of the public key.</t>
          <ul spacing="normal">
            <li>
              <t>For X.509 certificates (usages 0 and 2): The SubjectPublicKeyInfo field within the certificate, encoded in DER binary format <xref target="RFC5280"/>.</t>
            </li>
            <li>
              <t>For RPK constraints (usage 4): The DER-encoded RPK structure <xref target="RFC7250"/>.</t>
            </li>
          </ul>
        </section>
        <section anchor="the-matching-type-field">
          <name>The Matching Type Field</name>
          <t>A one-octet value, called "matching type", specifies how the credential association is presented and matched. The types defined in this document are the same as Section 2.1.3 of <xref target="RFC6698"/>:</t>
          <t>0 -- Exact match on selected content.</t>
          <t>1 -- SHA-256 hash of selected content.</t>
          <t>2 -- SHA-512 hash of selected content.</t>
          <t>The following constraints apply to this document:</t>
          <t>For JWT Trust Anchors (Usage 1): Matching type 1 or 2 is NOT RECOMMENDED unless the companion application protocol explicitly guarantees that the plain-text JWK is delivered alongside the token. Without the plain-text JWK, the client cannot obtain the public key material needed to verify the JWT signature.</t>
          <t>For PSK Constraints (Usage 5): The matching type MUST be set to 0. The client requires the raw, unhashed PSK identity to construct the TLS ClientHello message.</t>
        </section>
        <section anchor="the-credential-association-data-field">
          <name>The Credential Association Data Field</name>
          <t>This variable-length field contains the credential association data to be matched, constructed according to the preceding fields:</t>
          <ul spacing="normal">
            <li>
              <t>The Usage field exemplifies the use of the credential association data.</t>
            </li>
            <li>
              <t>The Selector field determines whether the credential association data contains the full structure or the SubjectPublicKeyInfo of the credential.</t>
            </li>
            <li>
              <t>The Matching Type field determines the data's representation: the raw data, or its cryptographic hash.</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="dnssec-dependency">
        <name>DNSSEC Dependency</name>
        <t>All AED RRs MUST be authenticated via DNSSEC <xref target="RFC4033"/>. Clients MUST reject AED RRs that do not have a valid DNSSEC validation chain.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <reference anchor="RFC6698">
        <front>
          <title>The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA</title>
          <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
          <author fullname="J. Schlyter" initials="J." surname="Schlyter"/>
          <date month="August" year="2012"/>
          <abstract>
            <t>Encrypted communication on the Internet often uses Transport Layer Security (TLS), which depends on third parties to certify the keys used. This document improves on that situation by enabling the administrators of domain names to specify the keys used in that domain's TLS servers. This requires matching improvements in TLS client software, but no change in TLS server software. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="6698"/>
        <seriesInfo name="DOI" value="10.17487/RFC6698"/>
      </reference>
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
      <reference anchor="RFC1034">
        <front>
          <title>Domain names - concepts and facilities</title>
          <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
          <date month="November" year="1987"/>
          <abstract>
            <t>This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them.</t>
          </abstract>
        </front>
        <seriesInfo name="STD" value="13"/>
        <seriesInfo name="RFC" value="1034"/>
        <seriesInfo name="DOI" value="10.17487/RFC1034"/>
      </reference>
      <reference anchor="RFC1035">
        <front>
          <title>Domain names - implementation and specification</title>
          <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
          <date month="November" year="1987"/>
          <abstract>
            <t>This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.</t>
          </abstract>
        </front>
        <seriesInfo name="STD" value="13"/>
        <seriesInfo name="RFC" value="1035"/>
        <seriesInfo name="DOI" value="10.17487/RFC1035"/>
      </reference>
      <reference anchor="RFC4033">
        <front>
          <title>DNS Security Introduction and Requirements</title>
          <author fullname="R. Arends" initials="R." surname="Arends"/>
          <author fullname="R. Austein" initials="R." surname="Austein"/>
          <author fullname="M. Larson" initials="M." surname="Larson"/>
          <author fullname="D. Massey" initials="D." surname="Massey"/>
          <author fullname="S. Rose" initials="S." surname="Rose"/>
          <date month="March" year="2005"/>
          <abstract>
            <t>The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. This document introduces these extensions and describes their capabilities and limitations. This document also discusses the services that the DNS security extensions do and do not provide. Last, this document describes the interrelationships between the documents that collectively describe DNSSEC. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="4033"/>
        <seriesInfo name="DOI" value="10.17487/RFC4033"/>
      </reference>
      <reference anchor="RFC5280">
        <front>
          <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
          <author fullname="D. Cooper" initials="D." surname="Cooper"/>
          <author fullname="S. Santesson" initials="S." surname="Santesson"/>
          <author fullname="S. Farrell" initials="S." surname="Farrell"/>
          <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
          <author fullname="R. Housley" initials="R." surname="Housley"/>
          <author fullname="W. Polk" initials="W." surname="Polk"/>
          <date month="May" year="2008"/>
          <abstract>
            <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="5280"/>
        <seriesInfo name="DOI" value="10.17487/RFC5280"/>
      </reference>
      <reference anchor="RFC7250">
        <front>
          <title>Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
          <author fullname="P. Wouters" initials="P." role="editor" surname="Wouters"/>
          <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
          <author fullname="J. Gilmore" initials="J." surname="Gilmore"/>
          <author fullname="S. Weiler" initials="S." surname="Weiler"/>
          <author fullname="T. Kivinen" initials="T." surname="Kivinen"/>
          <date month="June" year="2014"/>
          <abstract>
            <t>This document specifies a new certificate type and two TLS extensions for exchanging raw public keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The new certificate type allows raw public keys to be used for authentication.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="7250"/>
        <seriesInfo name="DOI" value="10.17487/RFC7250"/>
      </reference>
      <reference anchor="RFC8446">
        <front>
          <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
          <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
          <date month="August" year="2018"/>
          <abstract>
            <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
            <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="8446"/>
        <seriesInfo name="DOI" value="10.17487/RFC8446"/>
      </reference>
      <reference anchor="RFC7517">
        <front>
          <title>JSON Web Key (JWK)</title>
          <author fullname="M. Jones" initials="M." surname="Jones"/>
          <date month="May" year="2015"/>
          <abstract>
            <t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="7517"/>
        <seriesInfo name="DOI" value="10.17487/RFC7517"/>
      </reference>
      <reference anchor="RFC7519">
        <front>
          <title>JSON Web Token (JWT)</title>
          <author fullname="M. Jones" initials="M." surname="Jones"/>
          <author fullname="J. Bradley" initials="J." surname="Bradley"/>
          <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
          <date month="May" year="2015"/>
          <abstract>
            <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="7519"/>
        <seriesInfo name="DOI" value="10.17487/RFC7519"/>
      </reference>
      <reference anchor="RFC4279">
        <front>
          <title>Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)</title>
          <author fullname="P. Eronen" initials="P." role="editor" surname="Eronen"/>
          <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
          <date month="December" year="2005"/>
          <abstract>
            <t>This document specifies three sets of new ciphersuites for the Transport Layer Security (TLS) protocol to support authentication based on pre-shared keys (PSKs). These pre-shared keys are symmetric keys, shared in advance among the communicating parties. The first set of ciphersuites uses only symmetric key operations for authentication. The second set uses a Diffie-Hellman exchange authenticated with a pre-shared key, and the third set combines public key authentication of the server with pre-shared key authentication of the client. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="4279"/>
        <seriesInfo name="DOI" value="10.17487/RFC4279"/>
      </reference>
    </references>
    <?line 240?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA7VaWZfbNrJ+56/AkR/S7Ujq3YtuJmeUXmLFdnenJcc3TzkU
CUkYU4QuQbZa4zi//X5VAElQUi92ZuSTNBegUKjlqwXsdDpBrvJE9sTZ5bAz
Do2MxXmKR6vOO3krE3GmTKRvZbYSYUqv4k6uO/gjTnWayihXOhUTnYn+QPSn
Ms1NEI7HmbztiTgLJ3knVZ2QnnekpRqX9IIozOVUZ6ueUOlEB0GsozScy0cn
dvb3A1OM58oYLJ6vFpgyOB9dCPFMhInRPdFSaSwXEv9L81ZbtGSscp2pMKGb
Qf8n/AHHrcHN6KIVpMV8LLNeEIOdXhDp1MjUFKYn8qyQAfZxFIBuJsOe6N+c
93Gz1NmnaaaLRU98/Fl8xJ1Kp+JnehJ8kiu8jnuB6IhU3uUCW5BZSGKiR0Wq
Ip3xpVmE2aeEZmJneabGRQ7ZJzKeyiy4lWkBbp4JUS1EN3azzRXxeB6qhIb8
U96F80Uiu5Ge0/Mwi2Y9Mcvzhent7Xkv90AOpFU+K8YQ16X6vQjTw8PjvUdE
38KsBHIyOWaVdKvZXUuwq/RjdB57353l86QVBGGRz3RGwsTC1jhoLXGpcK+z
aZiqf7Nse+JNES4lPZZWGqlaYeTBP2f8nCXikzmdFWk0U+Ja5jIT71TxKMFE
FZGd1KCZ6myOGbfQlhA3F6cvXrx+5S4PDw5eu8tXBy+P3eXB/pF3eeIuj/eP
jtzlyeGrfXf58vCkvHx1fPyifHpy8LK+LJc4PnyJy4B8qeIo6Ha7QdDpdEQ4
ho2FUR4Eo5kyAr5WzCF1EcuJSqURIax1SRggMml0kUUSFzDVmG2ubX3bIYOH
CTv987Pdtsi1WBTjRJmZsAo1CxmpiYrIiUwO6IigR0NeFyvQzWGyeTQT5G1g
SwE2GERAU01WZNtQMlP6zohIZjnRgt0RgVx/kmlX8DZkGo4TcJ/PpIgybUwn
1tBWKgoj7XJMxBCDZEtkZ0SnzWAGMw4t00ZGRYan0sIb/hBrDt6M4zlZiSUM
HKJaZOoWVMrFeA1hbRjitgKfqzhOZAA3HKR5puOCaQUBcNLxBEwR8lYnt7Tf
SabnQhlN3hW3hcGzpFoAhrbQKU+CqDTukyQc64y1bBdWkt9J0jHLj8UhHIGx
LtI4zDDICc7M1CSHhv+vwNbMutKiTBJ0AjBFaIyOFLuEAVtwATxaF0BDyWwN
Y+lkCqHJu2gWplOAG/ThzAQ3pO+GzjwFYbWuuMAABfsAXahmeD24uDgXF+DM
wimwPtFLUg4hKRmHpcPK3licTERljtMxpEFmc6tCNh17T9pfaAixbe2KxViZ
T5StFrmeZuFiBg4TkLbGKjQolHb2nSc6iFq80UsE0awUnJjU3IM70hmudJF3
9ASxF1a3yGQHljdR08KNG8t8KWUqsEeIRi1CVq8PVcZas2I3yCTkKkWqc6yp
yL4lSzpeAfdU1LZGkkpoG7uQIm6E9zUVBAGCPF4aSBJCuUOcosXXSMwliViZ
uansAzgyPD8Vnz87ZPvyhcmf9S/P7UNCSTzUKeRodSVUXBlymLNanF0klId0
Kd8wsFcMImZCEUF+cLsoTGmzsZpMsHmSPCwhnGvwOS+SXCHiVVqcgTB5HcDh
liyQfI4WMggJ5WoUHtpYM4xpq1B8pswn6Gki1HwBUejUWR/2Q86awUnmkCCh
KQQ2gu1nKmaDg0am4aJtryrEVQ4OGHQr2VnmoP0SKp1PWUn4CGPlIWAeZHeY
lq7Ji3ZQCu0n8oAchk2bIXS/KdH9htHdiJ2bG7P7AIDfiwVh03trdWAXSGew
PjFlyjgCCRQZi3TmW91ihpRzDY1BYisQ1zgMdolMHmZTmYsSUtsNoaxLhAU8
04ZAlDXFMWPb5lxQhEulVne1lhaZvoWhQj1LLSbIBpwwVIp1VV7tjwgopgXD
8QOYL0N653kD8uC8pimkssBiWNIVnz7WUpiLHwQntm41hc2Si2E9L64Ca5Dq
UtLpkd9xyxI01nzTRoA8M3EbJiq291j+l48jjzov6Ubvcoa9znsd7ivO4VKU
r2BcIzEIp4TknvFTHlARoiD7TDA2pVZYZEAjmc1VqhM9XYnPz+CZ8y9Wy8jJ
KWeHCbbefxiOqAigv+Lyiq9vzn/9MLg5P6Pr4Zv+u3fVRTli+Obqw7uz+qqe
eXr1/v355ZmdjKdi7dH7/u8tC8+tq+vR4Oqy/65VmVUFCYRJNmgytEIxpBVI
D5YWoTKwpvjT6bU4OLYWQ6kl8JOvKbfE9RLIbZdiVLW3kB+QfbGQIcVSCpnw
0AXiQkIeTHmAXqaCwoaVKZUWE4RVlyYa53gIUQmniaSPpRvDcaXyWo6WDydS
X5NHiR0jpbigOCjFwS64628Mj6FuKp1CFHcw3O60u0nTRZWVxfxst0pANpIe
ZLJIZ7emubsCIFmCDqGoJUa5FMvcBz9EKBdMEbHNGgZa/RT2cYWT8X0gS0t6
juzgzorJQ9NawhDTX3/9FXzfcb/vBf+qe/fk3vffB3+KU7uXP+2rP2m7Q94u
P/nTVQLVe9EnNeDi76xqKTV/j95vn3XQRWibwiwAYqTSp836ofPg755ZT+Pw
sPsr24Tj5omzmgz8+I3SeOKsfmqWkJdj8Ymz1mT2X+XwqDt6NxQIwrGZhZ/k
t3G4/vvxPg53frNhTor/7Z7sv967uX67dz18K2QedXf/o/s67vYXi6QMsR4M
eIF252pBf8Nk94n76vwnOfzqWQRAz0vg7lURhZIPH12f3l58HgSVU2euOUNh
/cFwYFMNFN2UgsQy5uwrFr9e9t+fix0OrVWO9/kzP/7yZZdDGkGqLXEIjpll
hvMqcCgQJU+hoLBB6uaG6GzGiiA47Na77Yl+GTSQg8XEJI21waNkokx8qhBl
uefgSe+Jh19Hv1+fu3bGHXd4zD1JUzOyVLUPIpO8VeDe7YiDWskbtVOFHue2
rPbIovqjNEAk2pnuzuAaGoiRUtpkbKGzfJezyP5eHz9KB4c3v9kVhsXYlXKi
4dZItI3BEka4PIvbCBjF4kQ+Ylmh3MguBakedT1T6fnMcwZOzco6uaTVvHzE
aYk3BeXUEbXiqG0DrCXofLLqN1WSrTPp8cqr1/wk9h49YAPHXfE1GNATgwlt
X9l7Su7KuZ0kXFHF0CjiqS/g+jxkoQYJka0KbNWdF5BG0va4dpsxXCpsEOfu
Gw9PfdEUuUrUvzcls93mrKmtZzdEuS4nupSOnlnXvkT9ZhuEbubnZ9ZjbX5v
3YJeg2U3AruuIMDqBftauEK43qxNDycKO9vhJ3+oeJcSYxqSyEnemaNiRKE/
BlY5c6FDkma3oEqkMUovezYJ+6Gk92P3B5ryh53yB035sYGSh72tGwXuUQvM
te25rUaKRMZdoU+558H6drh6aNkMd3//ZYsLX3qai9Zyuex6ZwEtq3wrxHpK
d30YiZSqNtvkIHbJF8UkkXdqDO3nq3YTOq3waYMECPU5iFdOIybQlFYpqpaT
NBVEJH2hF5LdNJaLRK/mzc7ETCvqokAGk4LXKV8536rbb2G6qjrgvs65CuVa
EEgzpzqJi9LQuh5DMjPUFedWElyzc5erpmIEqjxsO0qKmHruzzH/4+D98Jwr
pUSHsTf4f9z7o1NxNjizd9TuiHRM6tnwN666q/5vm1OQgEu1Ue1In58h6qyV
bJuNffI4Pj/CrDbqQ0W7MFUlXrqq5DIuZ92sN++31vKmLOfqUmrQqOXILgrj
NVVL1FjrytsWTTmZAOCZ3eFZf9QXH4Fg1BOeh7l1e/u46fbElaIWD7U6UAjL
job/5+IDhRUBBSRxu/FiKBMIjExo8917akUQwyOIrRpAbVLYR6aot9pJZDrF
5k9rwfS9RtJZmId2oqvMxD2/gy3/Drf8OxJHTGOf3x+JY3EiXoiX4pV4/TXP
iMb3nb/5LyjTPyvcKh2sRGrvG1JcTxf3vomTbUT27hPtE39rRB5S6E6p/d1H
iPwNTv6+dvwIc9Tb7kjPCUmeWSyxWrwgY6VmS+0GwMIC4Yf6ikCKVkHjEDSc
twNiEPpsSPVbqCQoZVxbizFmUh7HbZz00PKFTfzWW69+jwzYui9Q3Zx6/dQR
Q1SfIarn9rDvw5plcyXC9XNEzucjbg4y7nAY4GTd9i1tuN5+ksl74WTy4Rap
DW91emi37zPitXEaqTDw4oD2Si3WbXs82L7HX4ZXl+KjHIu32NbOLx/f7n7D
5pp52Ub7eCNGVYuOOIXDsqPd+3JiLwO1qScVRutKPa1iS7ndwyeplIW9Ta1V
49F2lzlJ9abew+sDujkqdeOz6ng9ukc1GP0gRzTgK6R2TCzcXL/dIq3j7Rxk
4dIXzw4m7z7MEpF/WDjhWgXHHWn6bMEd+ZXO37Sp6ghCGyP5M57aV7ioZwbL
41nPNH6zNPwq4YTkQN2ZTTmcbJcDHbKCWyqIWA6YvFs1ii0aEb0yL6ThVZub
TrG981r6zyDW4XF15AwxjbUr0cs6GsNq0Rltpe4NoM5x2Ramtau2NZ9lUzx1
nd6M61hi21dAh+asKYE+GPnyxW7HfcrBO0KKxIk7nxJwwl61yHOi2EbCeCuz
skjMpF1uTmed7uylihlVqH88bBg3tBE5bBJKR9ul/htA1Mw4bUnnGgAqfaDU
5OjTFcxiue7TQstFQSckFVHbT5jQw7FKw2zFKCPv8qJR3zjePWZ01tgJhCbE
c/6igTuKPvoYseNi3z7byeGuXfXs/KZT1gVu8Y0VmTNL0cdP1j99RgT91ysz
ADUyeruwOHArfhhddF5VtQijujWJcjnEE+fgJwcvN2j7FYGjfOQoi/7wdDAo
qaEQt5hSoitvw5KYL6hEM2xq7vuGasnXjSXJ5LcseeKW1IsQtfK9SzaczPcX
F3eHxfhfsJtrhksE00E60b0n6aRG2G/R+rZ1bQXBVVZp9jWhdqUwvAN/JV/2
K7B7TIFwfYvsjreYHg2t9+jBe9fDgWal9DgYzMvxVJBuzSXvcWzlH1uT3JiS
jC3MEbWH/bz+3ANp0NCVyofdg+7R+mG8AwTU/dWhNIZaNJF8qpnbItWay5t+
5/DkBTDYzLhFsDnusBx3cnD40DiubSeaPm4iCflqotRrVTVDy331bJ9oPVOE
Vj9U7v3eFziSR4znlGrtyFoUaUIdXBtr4Ispf+ritScXmc51pBMh7+ihonxh
WoRZCPalqePaIqH8kqCSUYPYlYlCXCG9JTqd1gmN/Z7vI6wbkXXL5PZaoKTP
fWwjeD3hK2MUIpiMN5KOxtcKXSu0Zt5QiawEkYadVgkBdUdAer/RKq++peOm
erhsQ5akZbCxHtCrxmSVWtoz1zcSSi974N3aux6qRZ2vcetnvSlhYcPFzIda
s7Zas6Wac6h2o30aRpQ/uA+iXEkTSX7Aixhue9VVpF1Z3sk5jIT9OucSb1uo
3IjbJalmawb2k/MHHpw2SPedz8M7amydg4yH1nb6VrzdYLLiaUtLyGeMv/3B
yt+ZOuK4EytnFvyaP46hU6TGdzsMCq65N6RkksyFjFOVHw0abom5j+vO3Bfu
0QpQi62VPeHSSv3OWsy59OZXeV1neW5WJkkWFSV25ljzx4SzkErHui9KhLxK
N5pBztyyH/Qv+xtcN785xj5B044Mo/IchL+aHYfRJ6LSjz6lekkfw9MME3zu
2c/0ZfyP1iRMjGxRv/Pq7AoEypFwmf8H5ROUj88wAAA=

-->

</rfc>
