<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-robert-mls-slim-01" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="SlimMLS">SlimMLS</title>
    <seriesInfo name="Internet-Draft" value="draft-robert-mls-slim-01"/>
    <author fullname="Raphael Robert">
      <organization>Phoenix R&amp;D</organization>
      <address>
        <email>ietf@raphaelrobert.com</email>
      </address>
    </author>
    <author fullname="Konrad Kohbrok">
      <organization>Phoenix R&amp;D</organization>
      <address>
        <email>konrad@ratchet.ing</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Messaging Layer Security</workgroup>
    <keyword>mls</keyword>
    <keyword>post-quantum</keyword>
    <keyword>bandwidth</keyword>
    <keyword>storage</keyword>
    <abstract>
      <?line 38?>

<t>This document defines SlimMLS, an extension to the Messaging Layer Security
(MLS) protocol for reducing wire and per-client storage overhead in groups that
use ciphersuites with large public keys, ciphertexts, signatures, and
credentials. SlimMLS replaces many large objects that appear in MLS
authenticated or transcript-hashed structures with typed hash references.
Clients resolve the referenced objects only when needed, using a per-message
carrier, a local cache, or an application-specific retrieval channel. The
extension is most useful when an independent Delivery Service can assist with
retrieval and per-recipient delivery, although local caching and delayed
fetching also help without such assistance. SlimMLS defines slim variants of
KeyPackage, Commit, Welcome, GroupInfo, and message framing. When placing a
signature outside an encrypted envelope would reveal the signer, SlimMLS keeps
the signature inside the ciphertext.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-robert-mls-slim/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Messaging Layer Security Working Group mailing list (<eref target="mailto:mls@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/mls/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/mls/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/raphaelrobert/slim-mls"/>.</t>
    </note>
  </front>
  <middle>
    <?line 54?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Post-quantum (PQ) signature and key encapsulation mechanism (KEM) primitives can
have substantially larger keys, ciphertexts, and signatures than their
classical counterparts. Large credentials can create similar pressure, including
in deployments that do not otherwise use large ciphersuite objects. In an MLS
group <xref target="RFC9420"/>, these values appear as larger LeafNodes, parent nodes,
Welcomes, Commits, GroupInfos, and messages. The increase is visible both on
the wire and in client storage.</t>
      <t>In MLS, many of these values are embedded in structures that are signed,
covered by tree hashes or parent hashes, or fed into transcript hashes. A
Delivery Service (DS) can already choose how to route messages, but it cannot
remove or replace authenticated bytes without invalidating the object. This
limits cache-aware delivery, server-assisted fanout, and operation with clients
that hold only part of the group state.</t>
      <t>SlimMLS addresses this by separating object identity from object delivery. The
authenticated or transcript-hashed structure carries a typed hash reference, and
the referenced object is delivered through a per-message carrier, a local cache,
or an application-specific retrieval channel. Recipients verify each object by
recomputing the reference before using it.</t>
      <t>The largest benefits come from deployments where the DS is an independent
service that can assist clients. In such deployments, the DS can omit
referenced objects a recipient already has, deliver only the update path
ciphertext objects each recipient needs, and supply GroupInfo separately from a
SlimWelcome. Deployments without an assisting DS still benefit from smaller
authenticated state, local caches of credentials and keys, and the ability to
defer fetching large objects until they are needed.</t>
      <t>The main protocol changes are:</t>
      <ul spacing="normal">
        <li>
          <t>SlimKeyPackages replace KeyPackages and batch the signatures needed to
authenticate multiple LeafNodes.</t>
        </li>
        <li>
          <t>SlimCommits preserve the RFC 9420 Commit and UpdatePath structure, replace
large path objects with hash references, and save one signature when a member
Commit contains a path that does not update the sender's signature key.</t>
        </li>
        <li>
          <t>SlimWelcomes adapt Welcome messages to slim KeyPackage references and
server-assisted GroupInfo delivery.</t>
        </li>
        <li>
          <t>Slim message framing and SlimGroupInfo define when signatures are represented
by references and when the raw signature must remain inside encrypted
plaintext to avoid revealing the sender.</t>
        </li>
      </ul>
      <t>This pattern is not new in MLS. <xref target="RFC9420"/> already uses RefHash-based
references such as KeyPackageRef and ProposalRef. SlimMLS generalizes the
mechanism.</t>
      <t>[[TODO: quantify wire and storage savings for representative PQ
ciphersuites once the specification stabilizes.]]</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses the TLS presentation language and notation of
<xref target="RFC9420"/>. Familiarity with MLS <xref target="RFC9420"/> is assumed.</t>
    </section>
    <section anchor="overview">
      <name>Overview</name>
      <t>A SlimMLS group is an MLS group whose GroupContext carries the <tt>slim_mls</tt>
extension (<xref target="slim-mls-extension"/>). In such a group:</t>
      <ul spacing="normal">
        <li>
          <t>In structures derived by mechanical substitution, each HPKEPublicKey,
SignaturePublicKey, Credential, HPKECiphertext, or signature is replaced with
a hash reference of the corresponding type. Structures specified explicitly in
this document define their own replacements and exceptions.</t>
        </li>
        <li>
          <t>The referenced large objects are retrieved per <xref target="large-object-retrieval"/> if
and when necessary.</t>
        </li>
      </ul>
    </section>
    <section anchor="ref-types">
      <name>Reference Computation</name>
      <t>All new references are computed in the same style as KeyPackageRef in <xref section="5.2" sectionFormat="of" target="RFC9420"/>, i.e., using RefHash instantiated with the relevant ciphersuite
hash function and a label unique to the referenced object type. Inputs are
TLS-encoded per <xref target="RFC9420"/>. For group-bound structures, the relevant
ciphersuite is the group's ciphersuite. For references contained in or computed
over a SlimKeyPackage, the relevant ciphersuite is
<tt>outer_key_package.cipher_suite</tt> of that SlimKeyPackage.</t>
      <t>The following reference types are defined:</t>
      <table>
        <thead>
          <tr>
            <th align="left">Referenced value</th>
            <th align="left">Reference type</th>
            <th align="left">RefHash label</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">HPKEPublicKey</td>
            <td align="left">HPKEPublicKeyRef</td>
            <td align="left">"MLS 1.0 SlimMLS HPKEPublicKey"</td>
          </tr>
          <tr>
            <td align="left">SignaturePublicKey</td>
            <td align="left">SignaturePublicKeyRef</td>
            <td align="left">"MLS 1.0 SlimMLS SignaturePublicKey"</td>
          </tr>
          <tr>
            <td align="left">Credential</td>
            <td align="left">CredentialRef</td>
            <td align="left">"MLS 1.0 SlimMLS Credential"</td>
          </tr>
          <tr>
            <td align="left">HPKECiphertext</td>
            <td align="left">HPKECiphertextRef</td>
            <td align="left">"MLS 1.0 SlimMLS HPKECiphertext"</td>
          </tr>
          <tr>
            <td align="left">Signature</td>
            <td align="left">SignatureRef</td>
            <td align="left">"MLS 1.0 SlimMLS Signature"</td>
          </tr>
          <tr>
            <td align="left">SlimKeyPackage</td>
            <td align="left">SlimKeyPackageRef</td>
            <td align="left">"MLS 1.0 SlimMLS KeyPackage Reference"</td>
          </tr>
        </tbody>
      </table>
      <t>Each reference is <tt>opaque&lt;V&gt;</tt> where <tt>V</tt> is the output length of the
ciphersuite hash function.</t>
      <t>For a SlimKeyPackageRef, the value input is the TLS-encoded SlimKeyPackage.
SlimKeyPackageRef is used to identify the recipient of a SlimWelcome; it is not
a large-object reference and has no corresponding LargeObjectCarrier entry.</t>
      <t>SignatureRef is used for signature fields that appear in slim structures unless
this document requires the raw signature to remain inside an encrypted envelope.
It is also used for detached signatures referenced by slim structures, such as
the SlimKeyPackage batch signature (<xref target="slim-key-package"/>).</t>
      <t>Some signature fields use SignatureOrRef, whose variant is constrained by the
wire envelope that carries the structure:</t>
      <artwork><![CDATA[
enum {
  reserved(0),
  signature(1),
  signature_ref(2),
  (255)
} SignatureOrRefType;

struct {
  SignatureOrRefType signature_type;
  select (SignatureOrRef.signature_type) {
    case signature:
      Signature signature;
    case signature_ref:
      SignatureRef signature_ref;
  };
} SignatureOrRef;
]]></artwork>
      <t>When <tt>signature_type = signature_ref</tt>, the raw signature bytes are resolved per
<xref target="large-object-retrieval"/>. When <tt>signature_type = signature</tt>, the raw
signature bytes are carried inline and <bcp14>MUST NOT</bcp14> be sent outside the encrypted
envelope in a LargeObjectCarrier.</t>
    </section>
    <section anchor="slim-structs">
      <name>SlimMLS Structs</name>
      <t>For every <xref target="RFC9420"/> struct not given an explicit replacement in this document
that embeds an HPKEPublicKey, SignaturePublicKey, Credential, HPKECiphertext, or
signature, SlimMLS defines a corresponding "Slim*" struct that is identical to
the original except that each occurrence of a large object is replaced by the
reference type from <xref target="ref-types"/> and that each occurrence of a struct for which
there exists a Slim equivalent is replaced by that equivalent.
Tree hashes and parent hashes are likewise computed over the slim encodings, so
the reference values stand in for the corresponding large objects in these
computations.</t>
      <t>The following signatures use SignatureOrRef because their correct presentation
depends on whether the signature is carried inside an encrypted envelope:</t>
      <ul spacing="normal">
        <li>
          <t>an encrypted GroupInfo carried in a SlimWelcome, whose signature remains
inline inside the encrypted GroupInfo plaintext, and</t>
        </li>
        <li>
          <t>a SlimPrivateMessage framing signature, which remains inline inside the
encrypted SlimPrivateMessageContent.</t>
        </li>
      </ul>
      <t>When either signature is carried inside an encrypted envelope, it <bcp14>MUST</bcp14> use the
<tt>signature</tt> variant.</t>
      <t>Welcome, KeyPackage, Commit, and UpdatePath are not derived solely by
mechanical substitution. They are replaced by the SlimWelcome struct
(<xref target="slim-welcome"/>), the SlimKeyPackage struct (<xref target="slim-key-package"/>), the
SlimCommit struct, and the SlimUpdatePath struct (<xref target="slim-commit"/>),
respectively.</t>
      <t>In a SlimMLS group, the slim struct is sent on the wire wherever <xref target="RFC9420"/>
would specify the original struct. Validation rules of <xref target="RFC9420"/> apply in
the same way. References are only replaced by the corresponding large objects if
functionally necessary (e.g. to verify a signature, encrypt a ciphertext, or
retrieve referenced signature bytes).</t>
      <t>The <xref target="RFC9420"/> structs affected, the large objects they embed, and the
SlimMLS replacements are listed below. Structs whose only embedded large
objects appear via a nested struct (e.g., proposals that carry a
LeafNode or KeyPackage) inherit slim variants implicitly via the slim
nested struct.</t>
      <table>
        <thead>
          <tr>
            <th align="left">RFC 9420 struct</th>
            <th align="left">Embedded large object(s)</th>
            <th align="left">SlimMLS replacement(s)</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">LeafNode</td>
            <td align="left">HPKEPublicKey, SignaturePublicKey, Credential, signature</td>
            <td align="left">HPKEPublicKeyRef, SignaturePublicKeyRef, CredentialRef, SignatureRef</td>
          </tr>
          <tr>
            <td align="left">ParentNode</td>
            <td align="left">HPKEPublicKey</td>
            <td align="left">HPKEPublicKeyRef</td>
          </tr>
          <tr>
            <td align="left">ParentHashInput</td>
            <td align="left">HPKEPublicKey</td>
            <td align="left">HPKEPublicKeyRef</td>
          </tr>
          <tr>
            <td align="left">Commit</td>
            <td align="left">UpdatePath</td>
            <td align="left">SlimUpdatePath</td>
          </tr>
          <tr>
            <td align="left">UpdatePath</td>
            <td align="left">LeafNode, UpdatePathNode</td>
            <td align="left">SlimLeafNode, SlimUpdatePathNode</td>
          </tr>
          <tr>
            <td align="left">UpdatePathNode</td>
            <td align="left">HPKEPublicKey, HPKECiphertext (vector)</td>
            <td align="left">HPKEPublicKeyRef, HPKECiphertextRef (vector)</td>
          </tr>
          <tr>
            <td align="left">Signature-bearing structs except SignatureOrRef cases</td>
            <td align="left">signature</td>
            <td align="left">SignatureRef</td>
          </tr>
          <tr>
            <td align="left">Add proposal</td>
            <td align="left">KeyPackage</td>
            <td align="left">SlimKeyPackage</td>
          </tr>
          <tr>
            <td align="left">Update proposal</td>
            <td align="left">LeafNode</td>
            <td align="left">SlimLeafNode</td>
          </tr>
          <tr>
            <td align="left">ratchet_tree extension</td>
            <td align="left">LeafNode, ParentNode</td>
            <td align="left">slim_ratchet_tree extension with SlimLeafNode, SlimParentNode</td>
          </tr>
        </tbody>
      </table>
      <t>The exact TLS presentation of each remaining slim struct is obtained by
mechanical substitution against <xref target="RFC9420"/> and is not repeated here.</t>
      <t>[[TODO: provide explicit TLS presentations for each slim variant in a
later revision.]]</t>
      <section anchor="slim-leaf-node">
        <name>SlimLeafNode</name>
        <t>SlimLeafNode replaces LeafNode. SlimLeafNodeTBS replaces the LeafNodeTBS input
defined in <xref section="7.2" sectionFormat="of" target="RFC9420"/>.</t>
        <t>SlimMLS uses the <tt>app_data_dictionary</tt> extension specified in <xref section="7.2.1" sectionFormat="of" target="I-D.ietf-mls-extensions"/> to carry SlimMLS-specific components in a
SlimLeafNode's <tt>extensions</tt> field.</t>
        <artwork><![CDATA[
struct {
  opaque sibling_hash<V>;
} SlimKeyPackageMerkleProofNode;

struct {
  uint32                         leaf_index;
  uint32                         tree_size;
  SlimKeyPackageMerkleProofNode  path<V>;
} SlimKeyPackageMerkleProof;

struct {
  HPKEPublicKeyRef      encryption_key_ref;
  SignaturePublicKeyRef signature_key_ref;
  CredentialRef         credential_ref;
  Capabilities          capabilities;

  LeafNodeSource leaf_node_source;
  select (SlimLeafNodeTBS.leaf_node_source) {
    case key_package:
      Lifetime lifetime;

    case update:
      struct{};

    case commit:
      opaque parent_hash<V>;
  };

  Extension extensions<V>;

  select (SlimLeafNodeTBS.leaf_node_source) {
    case key_package:
      struct{};

    case update:
      opaque group_id<V>;
      uint32 leaf_index;

    case commit:
      opaque group_id<V>;
      uint32 leaf_index;
  };
} SlimLeafNodeTBS;

struct {
  HPKEPublicKeyRef      encryption_key_ref;
  SignaturePublicKeyRef signature_key_ref;
  CredentialRef         credential_ref;
  Capabilities          capabilities;

  LeafNodeSource leaf_node_source;
  select (SlimLeafNode.leaf_node_source) {
    case key_package:
      Lifetime lifetime;

    case update:
      struct{};

    case commit:
      opaque parent_hash<V>;
  };

  Extension extensions<V>;

  /*
    For key_package leaves, this is a SignatureRef to the batch signature.
    For update and commit leaves, this is a SignatureRef to the normal
    SlimLeafNode signature over SlimLeafNodeTBS.
  */
  SignatureRef signature;

  select (SlimLeafNode.leaf_node_source) {
    case key_package:
      SlimKeyPackageMerkleProof proof;

    case update:
      struct{};

    case commit:
      struct{};
  };
} SlimLeafNode;
]]></artwork>
        <t>The <tt>proof</tt> field is present only when <tt>leaf_node_source = key_package</tt>. It is
not part of SlimLeafNodeTBS to avoid a circulare dependency. Update and commit
leaf nodes do not carry this field.</t>
        <t>For <tt>leaf_node_source = key_package</tt>, the <tt>signature</tt> field references the
SlimKeyPackage batch signature and validation <bcp14>MUST</bcp14> verify both this signature
and the embedded <tt>proof</tt> as described in <xref target="slim-key-package-merkle-tree"/>. This
allows clients to validate a key-package SlimLeafNode even when it appears in a
ratchet tree without the enclosing SlimKeyPackage. For leaf nodes whose source
is <tt>update</tt> or <tt>commit</tt>, the <tt>signature</tt> field is the normal SlimLeafNode
signature over SlimLeafNodeTBS, verified as in <xref section="7.3" sectionFormat="of" target="RFC9420"/> after
applying the slim substitutions in this document.</t>
      </section>
      <section anchor="slim-parent-structures">
        <name>SlimParentNode and SlimParentHashInput</name>
        <t>The following slim tree structures are used in tree-hash and parent-hash
computations:</t>
        <artwork><![CDATA[
struct {
  HPKEPublicKeyRef encryption_key_ref;
  opaque           parent_hash<V>;
  uint32           unmerged_leaves<V>;
} SlimParentNode;

struct {
  HPKEPublicKeyRef encryption_key_ref;
  opaque           parent_hash<V>;
  opaque           original_sibling_tree_hash<V>;
} SlimParentHashInput;
]]></artwork>
        <t>SlimParentNode replaces ParentNode. SlimParentHashInput replaces the
ParentHashInput defined in <xref section="7.9" sectionFormat="of" target="RFC9420"/>.</t>
      </section>
      <section anchor="slim-group-info">
        <name>SlimGroupInfo</name>
        <t>SlimGroupInfo is the slim replacement for the <xref target="RFC9420"/> GroupInfo struct. It
uses the same fields and verification rules as GroupInfo, except that
GroupInfo extensions use SlimMLS replacements and the signature is represented
as SignatureOrRef.</t>
        <artwork><![CDATA[
struct {
  GroupContext group_context;
  Extension extensions<V>;
  MAC confirmation_tag;
  uint32 signer;
} SlimGroupInfoTBS;

struct {
  GroupContext group_context;
  Extension extensions<V>;
  MAC confirmation_tag;
  uint32 signer;

  /*
    SignWithLabel(., "GroupInfoTBS", SlimGroupInfoTBS)
  */
  SignatureOrRef signature;
} SlimGroupInfo;
]]></artwork>
        <t>The signature is computed and verified as in <xref target="RFC9420"/>, except that the
to-be-signed content is SlimGroupInfoTBS. A standalone SlimGroupInfo, or a
SlimGroupInfo carried in <tt>WelcomeGroupInfo.info_type = plaintext</tt>, <bcp14>MUST</bcp14> use
<tt>signature_type = signature_ref</tt>. A SlimGroupInfo encrypted into
<tt>WelcomeGroupInfo.info_type = encrypted</tt> <bcp14>MUST</bcp14> use <tt>signature_type = signature</tt>
so that the raw signature is protected by the SlimWelcome encryption.</t>
      </section>
    </section>
    <section anchor="large-object-retrieval">
      <name>Large Object Retrieval</name>
      <t>References to large objects in SlimMLS structures, including nested structures
such as the SlimUpdatePath in a SlimCommit (<xref target="slim-commit"/>), and in GroupInfo
extensions defined by this document <bcp14>MUST</bcp14> be resolved to the corresponding large
objects when necessary for MLS operations or validation checks.</t>
      <t>SlimMLS defines three retrieval channels:</t>
      <ul spacing="normal">
        <li>
          <t>The LargeObjectCarrier (<xref target="large-object-carrier"/>), specified in this
document.</t>
        </li>
        <li>
          <t>A client-local cache of previously resolved objects.</t>
        </li>
        <li>
          <t>An application-specific fetch mechanism.</t>
        </li>
      </ul>
      <t>Applications can decide how or if they use one or more retrieval channels.</t>
      <t>On receipt of a SlimMLS structure, a client:</t>
      <ol spacing="normal" type="1"><li>
          <t>For every large-object <tt>*Ref</tt> it needs to process the structure, locates a
candidate object through any of the three channels above.</t>
        </li>
        <li>
          <t>Computes the reference of each candidate object under the appropriate
label (<xref target="ref-types"/>) and verifies that it equals the <tt>*Ref</tt> being
resolved. A candidate object whose reference does not match <bcp14>MUST NOT</bcp14> be
used for any cryptographic operation.</t>
        </li>
        <li>
          <t>If a required <tt>*Ref</tt> cannot be resolved through any channel, the client <bcp14>MUST</bcp14>
either request the missing object through an application-specific mechanism,
for example from the DS, or drop the message.</t>
        </li>
      </ol>
      <section anchor="large-object-carrier">
        <name>Large Object Carrier</name>
        <t>A client sending a SlimMLS struct over the wire <bcp14>MAY</bcp14> also send a
LargeObjectCarrier struct that contains a subset of the large objects referenced
by the SlimMLS struct, including nested structures such as the SlimUpdatePath in
a SlimCommit (<xref target="slim-commit"/>).</t>
        <t>This document does not define a single MLSMessage wrapper for
LargeObjectCarrier. When a carrier is sent on the wire, its encoding,
multiplexing, and association with the SlimMLS message are provided by the
application or DS protocol using SlimMLS.</t>
        <t>For each large-object reference type that appears in a slim structure, the
LargeObjectCarrier contains a vector of the corresponding large objects:</t>
        <artwork><![CDATA[
struct {
  HPKEPublicKey      hpke_public_keys<V>;
  SignaturePublicKey signature_public_keys<V>;
  Credential         credentials<V>;
  HPKECiphertext     hpke_ciphertexts<V>;
  Signature          signatures<V>;
} LargeObjectCarrier;
]]></artwork>
        <t>The carrier is NOT part of the signed structure. The DS <bcp14>MAY</bcp14> add, remove,
reorder, or substitute entries on a per-recipient basis, e.g., to omit objects
the recipient already has cached, or to deliver only the referenced
HPKECiphertexts a recipient needs from a SlimUpdatePath (see <xref target="slim-commit"/>).
The LargeObjectCarrier is optional in the SlimMLS wire protocol. The DS <bcp14>MAY</bcp14>
reject a message based on a missing LargeObjectCarrier, or on a
LargeObjectCarrier that is missing the large objects that clients will need to
process a message, if its local deployment policy requires senders to provide
those objects proactively.</t>
      </section>
    </section>
    <section anchor="slim-key-package">
      <name>SlimKeyPackage</name>
      <t>SlimKeyPackage applies the slim reference replacement to KeyPackage and
amortizes KeyPackage authentication across a batch of KeyPackages uploaded by
the same client. The signature around the KeyPackage is omitted, and the
per-KeyPackage LeafNode signature is replaced by a detached batch signature over
the root of a Merkle tree. The leaves of this tree are the SlimLeafNodeTBS
values of the SlimKeyPackages in the batch.</t>
      <t>In a SlimMLS group, an <xref target="RFC9420"/> KeyPackage <bcp14>MUST NOT</bcp14> be used to add a new
member: Add proposals <bcp14>MUST</bcp14> carry a SlimKeyPackage, and standalone KeyPackage
publication <bcp14>MUST</bcp14> use the <tt>mls_slim_key_package</tt> wire format
(<xref target="wire-formats"/>). A recipient <bcp14>MUST</bcp14> reject any Add proposal or wire-format
message carrying an <xref target="RFC9420"/> KeyPackage in the context of a group with the
<tt>slim_mls</tt> extension.</t>
      <t><tt>SlimLeafNodeTBS</tt> is the unsigned part of a SlimLeafNode. It carries neither
the <tt>signature</tt> field nor the key-package Merkle proof.</t>
      <t>A SlimKeyPackage is partitioned into an OuterSlimKeyPackage (the fields of a
KeyPackage other than the LeafNode and signature) and a SlimLeafNode. The
SlimLeafNode carries the SignatureRef of the detached batch signature and its
Merkle inclusion proof:</t>
      <artwork><![CDATA[
struct {
  ProtocolVersion  version;
  CipherSuite      cipher_suite;
  HPKEPublicKeyRef init_key_ref;
  Extension        extensions<V>;
} OuterSlimKeyPackage;

struct {
  ProtocolVersion       version;
  CipherSuite           cipher_suite;
  SignaturePublicKeyRef signature_key_ref;
  uint32                tree_size;
  opaque                merkle_root<V>;
} SlimKeyPackageBatchTBS;

struct {
  OuterSlimKeyPackage              outer_key_package;
  SlimLeafNode                     leaf_node;
} SlimKeyPackage;
]]></artwork>
      <t>A SlimKeyPackage carries no outer signature and no per-package LeafNode
signature. Authenticity of <tt>outer_key_package</tt> is provided by an
OuterKeyPackageHash component (<xref target="outer-key-package-hash"/>) placed in the
SlimLeafNode's <tt>app_data_dictionary</tt> extension. Authenticity of the
SlimLeafNodeTBS, including this component, is provided by the batch signature
referenced by <tt>leaf_node.signature</tt> and the Merkle inclusion proof in
<tt>leaf_node.proof</tt>.</t>
      <t>The HPKEPublicKey corresponding to <tt>init_key_ref</tt>, together with any large
objects referenced by the SlimLeafNode, is resolved per
<xref target="large-object-retrieval"/>.</t>
      <section anchor="slim-key-package-merkle-tree">
        <name>KeyPackage Batch Merkle Tree</name>
        <t>The Merkle tree for a SlimKeyPackage batch is computed under the hash function
of the SlimKeyPackage ciphersuite. A batch <bcp14>MUST</bcp14> contain at least one leaf. All
SlimKeyPackages in a batch <bcp14>MUST</bcp14> have the same <tt>version</tt>, <tt>cipher_suite</tt>, and
<tt>signature_key_ref</tt>.</t>
        <t>The leaf hash for a SlimLeafNodeTBS is computed over the TLS-encoded
SlimLeafNodeTBS:</t>
        <artwork><![CDATA[
HashWithLabel("SlimKeyPackageLeaf", SlimLeafNodeTBS)
]]></artwork>
        <t>The parent hash for two child hashes is computed over their TLS-encoded ordered
pair:</t>
        <artwork><![CDATA[
struct {
  opaque left<V>;
  opaque right<V>;
} SlimKeyPackageMerkleParentInput;

HashWithLabel("SlimKeyPackageNode", SlimKeyPackageMerkleParentInput)
]]></artwork>
        <t>The tree is built bottom-up from the ordered list of leaf hashes. At each level,
adjacent nodes are paired from left to right. If the final node at a level has
no sibling, it is promoted unchanged to the next level. The single node
remaining after this process is the Merkle root.</t>
        <t>The <tt>path</tt> entries in SlimKeyPackageMerkleProof are ordered from the leaf level
toward the root. To verify a proof, a recipient starts with the leaf hash of
<tt>leaf_node_tbs</tt>, <tt>leaf_index</tt>, and <tt>tree_size</tt>. At each level, if the current
level width is odd and the current index is <tt>width - 1</tt>, the current hash is
promoted unchanged and no path entry is consumed. Otherwise, the next path entry
is consumed as the sibling hash and the parent hash is computed with the sibling
on the left when the current index is odd, and on the right when the current
index is even. The index is then divided by two, rounding down, and the level
width is divided by two, rounding up. A proof is valid only if <tt>tree_size</tt> is
nonzero, <tt>leaf_index &lt; tree_size</tt>, all path entries are consumed, and the final
computed hash is the Merkle root.</t>
        <t>The batch signature is computed over:</t>
        <artwork><![CDATA[
SignWithLabel(., "SlimKeyPackageBatchTBS", SlimKeyPackageBatchTBS)
]]></artwork>
        <t>where <tt>version</tt> and <tt>cipher_suite</tt> are taken from <tt>outer_key_package</tt>,
<tt>signature_key_ref</tt> is taken from <tt>leaf_node_tbs</tt>, <tt>tree_size</tt> is taken from
the proof in <tt>leaf_node</tt>, and <tt>merkle_root</tt> is the Merkle root computed as
above.</t>
      </section>
      <section anchor="outer-key-package-hash">
        <name>OuterKeyPackageHash component</name>
        <artwork><![CDATA[
struct {
  opaque outer_key_package_hash<V>;
} OuterKeyPackageHash;
]]></artwork>
        <t><tt>outer_key_package_hash</tt> is the hash, under the SlimKeyPackage's ciphersuite
hash function, of the TLS-encoded <tt>outer_key_package</tt> of the SlimKeyPackage
in which the SlimLeafNode appears.</t>
        <t>An OuterKeyPackageHash is valid only if the SlimLeafNode's
<tt>leaf_node_source</tt> is <tt>key_package</tt> and <tt>outer_key_package_hash</tt> equals the
hash of the enclosing SlimKeyPackage's <tt>outer_key_package</tt>.</t>
        <t>The <tt>app_data_dictionary</tt> extension <bcp14>MUST</bcp14> contain exactly one
OuterKeyPackageHash component under component identifier TBD. A missing,
malformed, or duplicated OuterKeyPackageHash component makes the enclosing
SlimKeyPackage invalid.</t>
      </section>
      <section anchor="creation-and-processing">
        <name>Creation and Processing</name>
        <t>A sender constructs a SlimKeyPackage as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>Construct an OuterSlimKeyPackage with the desired version, cipher_suite,
HPKEPublicKeyRef for the init key, and extensions.</t>
          </li>
          <li>
            <t>Construct a SlimLeafNodeTBS with <tt>leaf_node_source = key_package</tt>. Add an
<tt>app_data_dictionary</tt> extension containing an OuterKeyPackageHash whose
value is the hash of the OuterSlimKeyPackage from step 1.</t>
          </li>
          <li>
            <t>Construct all other SlimLeafNodeTBS values in the batch in the same way.</t>
          </li>
          <li>
            <t>Build the KeyPackage batch Merkle tree over the SlimLeafNodeTBS values.</t>
          </li>
          <li>
            <t>Construct a SlimKeyPackageBatchTBS for the root, sign it with the signature
private key corresponding to <tt>signature_key_ref</tt>, and compute the
SignatureRef over the raw signature bytes.</t>
          </li>
          <li>
            <t>Emit each SlimKeyPackage with the common SignatureRef in
<tt>leaf_node.signature</tt> and the leaf's inclusion proof in <tt>leaf_node.proof</tt>,
optionally accompanied by a LargeObjectCarrier holding the referenced
HPKEPublicKey and the large objects referenced by the SlimLeafNode and the
batch signature bytes.</t>
          </li>
        </ol>
        <t>A recipient processes a SlimKeyPackage like a KeyPackage with the following
exceptions:</t>
        <ul spacing="normal">
          <li>
            <t>There is no outer signature to verify.</t>
          </li>
          <li>
            <t>There is no per-package LeafNode signature to verify.</t>
          </li>
          <li>
            <t>The SlimLeafNode <bcp14>MUST</bcp14> contain an <tt>app_data_dictionary</tt> extension with a valid
OuterKeyPackageHash component.</t>
          </li>
          <li>
            <t>The SlimLeafNode <bcp14>MUST</bcp14> have <tt>leaf_node_source = key_package</tt> and therefore
carry a <tt>proof</tt> field.</t>
          </li>
          <li>
            <t>The recipient resolves the batch signature bytes using <tt>leaf_node.signature</tt>,
computes SignatureRef over those bytes, and verifies that it equals
<tt>leaf_node.signature</tt>.</t>
          </li>
          <li>
            <t>The recipient verifies the Merkle inclusion proof in <tt>leaf_node.proof</tt>,
reconstructs the SlimKeyPackageBatchTBS, resolves the SignaturePublicKey
corresponding to <tt>signature_key_ref</tt>, and verifies the raw batch signature
bytes identified by <tt>leaf_node.signature</tt> using VerifyWithLabel label
"SlimKeyPackageBatchTBS".</t>
          </li>
          <li>
            <t>All large-object <tt>*Ref</tt> values are resolved per <xref target="large-object-retrieval"/>.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="slim-welcome">
      <name>SlimWelcome</name>
      <t>SlimWelcome makes two changes relative to the <xref target="RFC9420"/> Welcome:</t>
      <ol spacing="normal" type="1"><li>
          <t>The per-recipient EncryptedGroupSecrets is replaced by a
SlimEncryptedGroupSecrets (<xref target="slim-egs"/>), which permits the recipient to be
identified either by SlimKeyPackageRef or by leaf index.</t>
        </li>
        <li>
          <t>The <tt>encrypted_group_info</tt> field is replaced by an
<tt>optional&lt;WelcomeGroupInfo&gt;</tt> (<xref target="welcome-group-info"/>), where
WelcomeGroupInfo is a tagged union over an encrypted form and a
plaintext form.</t>
        </li>
      </ol>
      <t>With the exception of changes described in this section, SlimWelcomes are
processed just like regular Welcome messages.</t>
      <artwork><![CDATA[
struct {
  CipherSuite                cipher_suite;
  SlimEncryptedGroupSecrets  secrets<V>;
  optional<WelcomeGroupInfo> group_info;
} SlimWelcome;
]]></artwork>
      <section anchor="sender-and-ds-behavior">
        <name>Sender and DS Behavior</name>
        <t>The sender <bcp14>MUST</bcp14> construct <tt>SlimWelcome.secrets</tt> to contain one
SlimEncryptedGroupSecrets for every recipient it intends to add, in
the same order it would use under <xref target="RFC9420"/>.</t>
        <t>The DS <bcp14>MAY</bcp14> remove entries from <tt>SlimWelcome.secrets</tt> on a per-recipient basis,
e.g., to deliver to each recipient only its own entry.</t>
        <t>If the sender omits the <tt>group_info</tt> field (presence octet 0), the DS <bcp14>MUST</bcp14>
populate it with a plaintext WelcomeGroupInfo before delivering the SlimWelcome
to a recipient (<xref target="welcome-group-info"/>). In this mode, the GroupInfo used by the
sender to encrypt the SlimEncryptedGroupSecrets and the GroupInfo populated by
the DS <bcp14>MUST</bcp14> be byte-for-byte identical SlimGroupInfo objects.</t>
        <t>A DS that supplies large objects alongside a SlimWelcome can distinguish
between basic-processing delivery and update-capable delivery. Basic-processing
delivery contains the large objects needed for the recipient to validate the
SlimWelcome, derive the epoch secrets, receive subsequent MLS messages, and send
application messages. It can omit HPKE public keys that are only needed to
construct a future Commit with an update path. Update-capable delivery
additionally includes enough HPKE public keys for the recipient to construct an
update path without a later fetch, such as the HPKE public keys for the
recipient's copath resolution in the delivered tree. A recipient that has only
basic-processing state <bcp14>MUST</bcp14> resolve the missing HPKEPublicKeyRefs before
sending a Commit with an update path.</t>
      </section>
      <section anchor="slim-egs">
        <name>SlimEncryptedGroupSecrets</name>
        <t>SlimEncryptedGroupSecrets extends the <xref target="RFC9420"/>
EncryptedGroupSecrets to allow either of two recipient identifiers:</t>
        <artwork><![CDATA[
enum {
  reserved(0),
  slim_key_package_ref(1),
  leaf_node_index(2),
  (255)
} RecipientIdentifierType;

struct {
  RecipientIdentifierType recipient_type;
  select (SlimEncryptedGroupSecrets.recipient_type) {
    case slim_key_package_ref:
      SlimKeyPackageRef new_member;
    case leaf_node_index:
      uint32 leaf_node_index;
  };
  HPKECiphertext encrypted_group_secrets;
} SlimEncryptedGroupSecrets;
]]></artwork>
        <t>A recipient locates the entry intended for it by matching either its own
SlimKeyPackageRef or its leaf in the group's ratchet tree via the leaf index.</t>
        <t>The <tt>leaf_node_index</tt> recipient type <bcp14>MUST</bcp14> be used only when the
SlimEncryptedGroupSecrets is encrypted using a plaintext SlimGroupInfo as
context and the delivered SlimWelcome carries
<tt>WelcomeGroupInfo.info_type = plaintext</tt>. Otherwise, the sender <bcp14>MUST</bcp14> use
<tt>slim_key_package_ref</tt>.</t>
      </section>
      <section anchor="welcome-group-info">
        <name>WelcomeGroupInfo</name>
        <t>WelcomeGroupInfo is a tagged union over two presentations of the
SlimGroupInfo: an encrypted form or a plaintext form:</t>
        <artwork><![CDATA[
enum {
  reserved(0),
  encrypted(1),
  plaintext(2),
  (255)
} WelcomeGroupInfoType;

struct {
  WelcomeGroupInfoType info_type;
  select (WelcomeGroupInfo.info_type) {
    case encrypted:
      opaque encrypted_group_info<V>;
    case plaintext:
      SlimGroupInfo group_info;
  };
} WelcomeGroupInfo;
]]></artwork>
        <t>The <tt>encrypted</tt> variant is encrypted under a key derived from the joiner secret,
as in the <tt>encrypted_group_info</tt> field of the <xref target="RFC9420"/> Welcome. Its
plaintext is a SlimGroupInfo whose SignatureOrRef uses
<tt>signature_type = signature</tt>. A sender <bcp14>MUST NOT</bcp14> encrypt a SlimGroupInfo with
<tt>signature_type = signature_ref</tt> into this field.</t>
        <t>The <tt>plaintext</tt> variant carries a SlimGroupInfo in the clear. Its
SignatureOrRef <bcp14>MUST</bcp14> use <tt>signature_type = signature_ref</tt>, which is resolved per
<xref target="large-object-retrieval"/> before signature verification.</t>
        <t>The HPKE context used to encrypt and decrypt
<tt>SlimEncryptedGroupSecrets.encrypted_group_secrets</tt> depends on the GroupInfo
presentation. For the <tt>encrypted</tt> variant, the context is the
<tt>encrypted_group_info</tt> value, as in <xref target="RFC9420"/>. For the <tt>plaintext</tt> variant,
and for SlimWelcomes sent with <tt>group_info</tt> absent, the context is the
TLS-encoded SlimGroupInfo.</t>
        <t>The outer <tt>optional&lt;WelcomeGroupInfo&gt;</tt> in the SlimWelcome additionally allows
the sender to omit the GroupInfo. This mode is intended for server-assisted
deployments where the sender and recipient can obtain the exact GroupInfo by
some channel other than the SlimWelcome.</t>
        <t>A recipient that receives a SlimWelcome whose <tt>group_info</tt> field is
absent <bcp14>MUST</bcp14> consider the SlimWelcome invalid.</t>
      </section>
    </section>
    <section anchor="slim-commit">
      <name>SlimCommit</name>
      <t>SlimCommit is the SlimMLS replacement for the <xref target="RFC9420"/> Commit struct. Its
payload differs from RFC 9420 only by replacing large objects with references
and by using SlimProposal and SlimLeafNode where the RFC 9420 structures use
Proposal and LeafNode.</t>
      <t>A SlimMLS-aware sender <bcp14>MUST</bcp14> use a SlimCommit in place of an MLS Commit in a
group with the <tt>slim_mls</tt> extension.</t>
      <t>A SlimCommit is carried in either a SlimPublicMessage or SlimPrivateMessage
(<xref target="slim-framing"/>). It is part of the framed content exactly where <xref target="RFC9420"/>
would carry a Commit.</t>
      <t>A SlimCommit carries the normal <xref target="RFC9420"/> confirmation tag in its
SlimFramedContentAuthData. When the single-signature construction of
<xref target="single-sig-commits"/> applies, the authentication data contains the
confirmation tag but omits the framing signature field. Otherwise, the
authentication data contains the confirmation tag and a SignatureOrRef whose
variant is determined by the message envelope.</t>
      <artwork><![CDATA[
struct {
  HPKEPublicKeyRef  encryption_key_ref;
  HPKECiphertextRef encrypted_path_secret_refs<V>;
} SlimUpdatePathNode;

struct {
  SlimLeafNode       leaf_node;
  SlimUpdatePathNode nodes<V>;
} SlimUpdatePath;

struct {
  ProposalOrRef           proposals<V>;
  optional<SlimUpdatePath> path;
} SlimCommit;
]]></artwork>
      <t>The ProposalOrRef values in <tt>proposals</tt> use SlimProposal wherever <xref target="RFC9420"/>
ProposalOrRef contains a Proposal by value. <tt>path</tt>, when present, follows the
same path-population and path-validation rules as the <tt>path</tt> field of the
<xref target="RFC9420"/> Commit struct.</t>
      <section anchor="slimupdatepath">
        <name>SlimUpdatePath</name>
        <t>Each SlimUpdatePathNode carries an HPKEPublicKeyRef for the new ParentNode
public key and a vector of HPKECiphertextRefs. The
<tt>encrypted_path_secret_refs</tt> vector has the same order and cardinality as the
<tt>encrypted_path_secret</tt> vector in the corresponding <xref target="RFC9420"/>
UpdatePathNode.</t>
        <t>The DS <bcp14>MAY</bcp14> vary the LargeObjectCarrier on a per-recipient basis and include only
the HPKECiphertexts and HPKEPublicKeys that a recipient needs to process the
Commit.</t>
        <t>The HPKEPublicKeyRefs in SlimUpdatePath are also authenticated by the parent
hash in the committer's SlimLeafNode, as in <xref section="7.9" sectionFormat="of" target="RFC9420"/>, with
HPKEPublicKeyRef replacing HPKEPublicKey in the parent-hash computation. A
recipient validates resolved HPKECiphertexts by checking their references,
decrypting one path secret, deriving the path public keys, checking that the
derived public keys hash to the HPKEPublicKeyRefs in the SlimUpdatePath, and
verifying the Commit confirmation tag.</t>
      </section>
      <section anchor="slim-framing">
        <name>Slim Framing</name>
        <t>In a SlimMLS group, public and private message framing uses dedicated SlimMLS
structures. They are the same as <xref target="RFC9420"/> PublicMessage and PrivateMessage,
except that:</t>
        <ul spacing="normal">
          <li>
            <t>the framed content carries a SlimCommit or SlimProposal where <xref target="RFC9420"/>
carries a Commit or Proposal,</t>
          </li>
          <li>
            <t>the authentication data is a SlimFramedContentAuthData, whose signature is a
SignatureOrRef and whose signature field is omitted for single-signature
Commits.</t>
          </li>
        </ul>
        <t>SlimProposal is the slim variant of the <xref target="RFC9420"/> Proposal struct obtained
by the mechanical-substitution rule of <xref target="slim-structs"/>: an Add proposal
carries a SlimKeyPackage and an Update proposal carries a SlimLeafNode. Other
proposal variants are unchanged.</t>
        <artwork><![CDATA[
struct {
  opaque group_id<V>;
  uint64 epoch;
  Sender sender;
  opaque authenticated_data<V>;

  ContentType content_type;
  select (SlimFramedContent.content_type) {
    case application:
      opaque application_data<V>;
    case proposal:
      SlimProposal proposal;
    case commit:
      SlimCommit commit;
  };
} SlimFramedContent;

struct {
  /*
    SignWithLabel(., "FramedContentTBS", SlimFramedContentTBS)
  */
  optional<SignatureOrRef> signature;

  select (SlimFramedContent.content_type) {
    case commit:
      /*
        MAC(confirmation_key,
            GroupContext.confirmed_transcript_hash)
      */
      MAC confirmation_tag;
    case application:
    case proposal:
      struct{};
  };
} SlimFramedContentAuthData;

struct {
  ProtocolVersion    version = mls10;
  WireFormat         wire_format;
  SlimFramedContent  content;
  select (SlimFramedContentTBS.content.sender.sender_type) {
    case member:
    case new_member_commit:
      GroupContext context;
    case external:
    case new_member_proposal:
      struct{};
  };
} SlimFramedContentTBS;

struct {
  WireFormat         wire_format;
  SlimFramedContent  content;
  SlimFramedContentAuthData auth;
} SlimAuthenticatedContent;

struct {
  SlimFramedContent         content;
  SlimFramedContentAuthData auth;
  select (SlimPublicMessage.content.sender.sender_type) {
    case member:
      MAC membership_tag;
    case external:
    case new_member_commit:
    case new_member_proposal:
      struct{};
  };
} SlimPublicMessage;

struct {
  select (SlimPrivateMessage.content_type) {
    case application:
      opaque application_data<V>;
    case proposal:
      SlimProposal proposal;
    case commit:
      SlimCommit commit;
  };
  SlimFramedContentAuthData auth;
  opaque                    padding[length_of_padding];
} SlimPrivateMessageContent;

struct {
  opaque group_id<V>;
  uint64 epoch;
  ContentType content_type;
  opaque authenticated_data<V>;
  opaque encrypted_sender_data<V>;
  opaque ciphertext<V>;
} SlimPrivateMessage;
]]></artwork>
        <t>The optional <tt>signature</tt> field in SlimFramedContentAuthData <bcp14>MUST</bcp14> be
present whenever <tt>content_type</tt> is <tt>application</tt> or <tt>proposal</tt>. For
<tt>content_type = commit</tt>, <tt>signature</tt> <bcp14>MUST</bcp14> be absent if and only if the
single-signature construction of <xref target="single-sig-commits"/> applies.</t>
        <t>When present in a SlimPublicMessage, <tt>signature</tt> <bcp14>MUST</bcp14> use
<tt>signature_type = signature_ref</tt>. When present in a SlimPrivateMessage,
<tt>signature</tt> <bcp14>MUST</bcp14> use <tt>signature_type = signature</tt>. This ensures that a
SlimPrivateMessage framing signature is encrypted as part of
SlimPrivateMessageContent.</t>
        <t>When a framing signature is present, it is computed and verified as in
<xref target="RFC9420"/>, except that the to-be-signed content is SlimFramedContentTBS and
the WireFormat is either <tt>mls_slim_public_message</tt> or
<tt>mls_slim_private_message</tt>.</t>
        <t>For SlimPrivateMessage, the <tt>ciphertext</tt> field encrypts a
SlimPrivateMessageContent. The sender data encryption, content encryption,
padding, and decryption rules are otherwise the same as for PrivateMessage in
<xref target="RFC9420"/>.</t>
        <t>After decrypting a SlimPrivateMessage, the recipient reconstructs the
SlimFramedContent from the outer <tt>group_id</tt>, <tt>epoch</tt>, <tt>content_type</tt>, and
<tt>authenticated_data</tt> fields, the decrypted sender, and the decrypted content.
The reconstructed SlimFramedContent is used with the decrypted
SlimFramedContentAuthData for signature verification and, for commits, for
OuterUpdateHash verification when applicable, transcript hash computation, and
confirmation tag verification.</t>
        <t>For SlimPublicMessage, the membership tag is computed over the following
structure:</t>
        <artwork><![CDATA[
struct {
  SlimFramedContentTBS       content_tbs;
  SlimFramedContentAuthData  auth;
} SlimAuthenticatedContentTBM;
]]></artwork>
        <t>For commits, the input to the confirmed transcript hash is:</t>
        <artwork><![CDATA[
struct {
  WireFormat        wire_format;
  SlimFramedContent content;
} SlimConfirmedTranscriptHashInput;
]]></artwork>
      </section>
      <section anchor="slimmessage">
        <name>SlimMessage</name>
        <t>SlimMessage is the generic term for the two concrete wire presentations,
SlimPublicMessage and SlimPrivateMessage. Both presentations carry the same
SlimCommit structure. A DS <bcp14>MAY</bcp14> vary an associated LargeObjectCarrier on a
per-recipient basis, but it <bcp14>MUST NOT</bcp14> rewrite a SlimMessage or the SlimCommit
inside it without causing the normal SlimMLS authentication checks to fail.</t>
        <t>In a SlimMLS group, the <xref target="RFC9420"/> PublicMessage and PrivateMessage wire
formats <bcp14>MUST NOT</bcp14> be used. A SlimMLS-aware sender <bcp14>MUST</bcp14> emit a SlimPublicMessage
or SlimPrivateMessage in their place.</t>
      </section>
      <section anchor="single-sig-commits">
        <name>Single Signature Construction</name>
        <t>When a SlimCommit is sent by a member, contains a path, and the sender's
signature key is unchanged, the framing signature is omitted, and authenticity
is provided by the path leaf's SlimLeafNode signature in combination with an
OuterUpdateHash component placed in that SlimLeafNode's <tt>app_data_dictionary</tt>
extension. The confirmation tag is still present and processed as in
<xref target="RFC9420"/>.</t>
        <t>The OuterUpdateHash binds the framed SlimCommit (excluding the SlimLeafNode
itself, to avoid a circular dependency) and the GroupContext to the
SlimLeafNode:</t>
        <artwork><![CDATA[
struct {
  opaque outer_update_hash<V>;
} OuterUpdateHash;

struct {
  SlimUpdatePathNode nodes<V>;
} OuterSlimUpdatePath;

struct {
  ProposalOrRef                 proposals<V>;
  optional<OuterSlimUpdatePath> path;
} OuterSlimCommit;

struct {
  opaque      group_id<V>;
  uint64      epoch;
  Sender      sender;
  opaque      authenticated_data<V>;
  ContentType content_type;
  select (OuterFramedContent.content_type) {
    case commit:
      OuterSlimCommit commit;
  };
} OuterFramedContent;

struct {
  ProtocolVersion    version = mls10;
  WireFormat         wire_format;
  OuterFramedContent content;
  GroupContext       context;
} SlimFramedContentTBH;
]]></artwork>
        <t><tt>outer_update_hash</tt> is the hash, under the group's ciphersuite hash function,
of the TLS-encoded SlimFramedContentTBH. Fields of OuterFramedContent are
populated from the SlimFramedContent and SlimCommit being framed. The
SlimLeafNode in <tt>content.commit.path.leaf_node</tt> is omitted to prevent the
circular dependency that would arise from including the very component being
computed. The path field in OuterSlimCommit <bcp14>MUST</bcp14> be present when this
construction is used.</t>
        <t>The <tt>app_data_dictionary</tt> extension <bcp14>MUST</bcp14> contain exactly one OuterUpdateHash
component under component identifier TBD. A missing, malformed, or duplicated
OuterUpdateHash component makes the single-signature construction invalid.</t>
        <t>The OuterUpdateHash authenticates the Commit contents and path nodes that the
omitted framing signature would otherwise cover. The path leaf's SlimLeafNode
signature authenticates the SlimLeafNodeTBS, including the OuterUpdateHash
component and the parent hash. The referenced HPKECiphertext objects are not
signed directly, but are bound to the signed Commit by their
HPKECiphertextRefs.</t>
        <t>When the construction applies, the SignaturePublicKeyRef in
<tt>content.commit.path.leaf_node</tt> <bcp14>MUST</bcp14> equal the sender's current
SignaturePublicKeyRef. A sender that wishes to change its signature key <bcp14>MUST</bcp14>
instead emit a SlimCommit whose authentication data carries a framing
signature, so that the new key is bound by a signature under the old one.</t>
        <t>A SlimCommit without a path does not use this construction. Its authentication
data carries a framing signature.</t>
        <t>A SlimCommit whose sender type is not <tt>member</tt> does not use this construction.
Its authentication data carries a framing signature.</t>
      </section>
      <section anchor="sender-ds-and-recipient-behavior">
        <name>Sender, DS, and Recipient Behavior</name>
        <t>A committer constructs a SlimMessage carrying a SlimCommit as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>Perform the steps of an <xref target="RFC9420"/> commit, deriving the path's
HPKEPublicKeys, HPKECiphertexts, parent hashes, and the new epoch's key
schedule. Parent hashes are computed over the slim parent-hash inputs, with
HPKEPublicKeyRef replacing HPKEPublicKey.</t>
          </li>
          <li>
            <t>Build a SlimCommit containing the committed proposals and, if the commit
contains a path, a SlimUpdatePath. The SlimUpdatePath contains the
committer's new SlimLeafNode and SlimUpdatePathNodes whose
HPKEPublicKeyRefs and HPKECiphertextRefs correspond to the public keys and
ciphertexts in the RFC 9420 UpdatePath. The SlimLeafNode's parent hash <bcp14>MUST</bcp14>
authenticate the HPKEPublicKeyRefs in the SlimUpdatePath.</t>
          </li>
          <li>
            <t>Compute the confirmation tag for the new epoch as in <xref target="RFC9420"/>.</t>
          </li>
          <li>
            <t>If the single-signature construction applies, include a valid OuterUpdateHash
in <tt>path.leaf_node</tt> and leave the optional <tt>signature</tt> field absent. If the
construction does not apply, include the normal framing signature in
SlimFramedContentAuthData, using <tt>signature_type = signature_ref</tt> for
SlimPublicMessage and <tt>signature_type = signature</tt> for SlimPrivateMessage.</t>
          </li>
          <li>
            <t>Emit a SlimPublicMessage or SlimPrivateMessage, optionally accompanied by a
LargeObjectCarrier holding the referenced large objects needed to process
the Commit, such as the corresponding HPKEPublicKeys, HPKECiphertexts,
SlimLeafNode signature bytes, and any public-message framing signature
referenced by the SignatureOrRef.</t>
          </li>
        </ol>
        <t>If a LargeObjectCarrier is present, the DS <bcp14>MAY</bcp14> reduce it per recipient,
retaining only any HPKEPublicKeys the recipient must receive and enough
HPKECiphertexts for the recipient to decrypt one path secret and derive the
remaining path secrets it needs to process the Commit.</t>
        <t>For basic-processing delivery of a Commit with an update path, a recipient needs
enough ciphertext material to derive the epoch secrets and verify the Commit, but
does not necessarily need every HPKE public key referenced by the path. Such a
recipient can process the Commit, receive subsequent MLS messages, and send
application messages, but might not be able to construct its own Commit with an
update path until it resolves additional HPKEPublicKeyRefs. To make the
recipient immediately update-capable, the DS <bcp14>MAY</bcp14> include any updated HPKE
public keys in the recipient's copath that the recipient cannot derive from its
retained path secret. In a full tree with no blank nodes, this is one HPKE
public key for each non-committing recipient.</t>
        <t>A recipient processes a SlimMessage carrying a SlimCommit by:</t>
        <ol spacing="normal" type="1"><li>
            <t>Resolving the HPKECiphertextRefs required for the recipient, the
HPKEPublicKeyRefs that are functionally needed, and any SignatureRefs needed
for signature verification, per <xref target="large-object-retrieval"/>. For
SlimPrivateMessage, the recipient decrypts SlimPrivateMessageContent before
resolving references that appear only inside the encrypted content.</t>
          </li>
          <li>
            <t>If the authentication data contains a framing signature, verifying it per
<xref target="RFC9420"/> using SlimFramedContentTBS. If the SignatureOrRef uses
<tt>signature_type = signature_ref</tt>, the recipient first resolves the referenced
signature. If it uses <tt>signature_type = signature</tt>, the recipient uses the
inline signature. If the framing signature is absent, verifying
the <tt>path.leaf_node</tt> signature and OuterUpdateHash per
<xref target="single-sig-commits"/>.</t>
          </li>
          <li>
            <t>If the Commit contains a path, decrypting the resolved HPKECiphertext,
deriving the path public keys, and verifying that the derived public keys
hash to the HPKEPublicKeyRefs in the SlimUpdatePath.</t>
          </li>
          <li>
            <t>If the Commit contains a path, applying the path update and verifying parent
hashes over the slim encodings per <xref section="7.9.2" sectionFormat="of" target="RFC9420"/>.</t>
          </li>
          <li>
            <t>Processing the commit per <xref section="12.4" sectionFormat="of" target="RFC9420"/>, deriving the new
epoch, and verifying the confirmation tag. If confirmation tag validation
fails, the recipient <bcp14>MUST</bcp14> reject the commit.</t>
          </li>
        </ol>
        <t>The input to the confirmed transcript hash is
SlimConfirmedTranscriptHashInput (<xref target="slim-framing"/>). The interim transcript
hash is computed from the confirmed transcript hash and the confirmation tag
as in <xref target="RFC9420"/>.</t>
        <t>DSs that do not maintain the ratchet tree cannot determine the minimal
LargeObjectCarrier contents needed by each recipient. Strategies for such
deployments are out of scope.</t>
      </section>
    </section>
    <section anchor="optimizing-payload-sizes">
      <name>Optimizing Payload Sizes</name>
      <t>The separation of large objects and their references in structs that are sent
over the wire or stored locally allows a few performance optimizations. They are
up to the application to implement.</t>
      <section anchor="storing-partial-trees">
        <name>Storing Partial Trees</name>
        <t>SlimMLS clients need the slim public tree for MLS tree computations, but they
do not need to fetch every large object referenced by that tree. Tree hashes,
parent hashes, and GroupInfo validation are computed over SlimLeafNode and
SlimParentNode encodings, so the references to public keys and credentials are
the values committed to by those computations. A client can therefore defer
fetching large objects that are not functionally needed, such as HPKE public
keys outside the client's copath. This is especially relevant when joining a
group, where the DS can selectively include the public keys and credentials the
joiner needs immediately.</t>
      </section>
      <section anchor="omitting-cached-large-objects">
        <name>Omitting Cached Large Objects</name>
        <t>If the DS keeps track of the group's public state, clients that send a commit
with an update path only need to proactively provide the signature public key and
credential if either of them change as part of the commit.</t>
      </section>
      <section anchor="cross-group-credential-caching">
        <name>Cross-group Credential Caching</name>
        <t>If clients use the same credential across multiple groups, other clients can
cache them and pull new credentials selectively when they encounter credential
references they can't resolve. Whether this is a performance increase depends on
the context of the application.</t>
        <t>The DS can similarly deduplicate stored credentials.</t>
      </section>
      <section anchor="delayed-fetching-of-large-objects">
        <name>Delayed Fetching of Large Objects</name>
        <t>A client that has been offline for some time can fetch and process slim messages
first. It can wait to fetch large objects that are not relevant for processing
(such as HPKE public keys) until it has arrived at the current group state. The
client thus avoids downloading stale, intermediate large objects.</t>
      </section>
    </section>
    <section anchor="wire-formats">
      <name>Wire Formats</name>
      <t>SlimMLS defines new WireFormat values for the SlimMLS variants of each
<xref target="RFC9420"/> wire format. The MLSMessage struct defined in <xref target="RFC9420"/> is
correspondingly extended with the following cases:</t>
      <artwork><![CDATA[
struct {
  ProtocolVersion version = mls10;
  WireFormat wire_format;
  select (MLSMessage.wire_format) {
    case mls_slim_welcome:          SlimWelcome        slim_welcome;
    case mls_slim_key_package:      SlimKeyPackage     slim_key_package;
    case mls_slim_group_info:       SlimGroupInfo      slim_group_info;
    case mls_slim_public_message:   SlimPublicMessage  slim_public_message;
    case mls_slim_private_message:  SlimPrivateMessage slim_private_message;
  };
} MLSMessage;
]]></artwork>
      <t>In a SlimMLS group, the <xref target="RFC9420"/> wire formats <tt>mls_public_message</tt>,
<tt>mls_private_message</tt>, <tt>mls_welcome</tt>, <tt>mls_group_info</tt>, and <tt>mls_key_package</tt>
        <bcp14>MUST NOT</bcp14> be used. A SlimMLS-aware sender <bcp14>MUST</bcp14> emit the corresponding SlimMLS
wire format instead: <tt>mls_slim_public_message</tt> or <tt>mls_slim_private_message</tt>
for member-originated messages, <tt>mls_slim_welcome</tt> for Welcomes,
<tt>mls_slim_group_info</tt> for standalone GroupInfos, and <tt>mls_slim_key_package</tt>
for KeyPackages. A recipient <bcp14>MUST</bcp14> reject any RFC 9420 wire format received in
the context of a group that carries the <tt>slim_mls</tt> extension.</t>
    </section>
    <section anchor="slim-mls-extension">
      <name>The slim_mls Extension</name>
      <t>SlimMLS is signaled by a GroupContext extension named <tt>slim_mls</tt>. Presence
of this extension in the GroupContext means that all wire formats within the
group use SlimMLS replacements (<xref target="wire-formats"/>).</t>
    </section>
    <section anchor="slim-ratchet-tree-extension">
      <name>The slim_ratchet_tree Extension</name>
      <t>The <xref target="RFC9420"/> <tt>ratchet_tree</tt> GroupInfo extension carries LeafNode and
ParentNode objects. SlimMLS defines a <tt>slim_ratchet_tree</tt> GroupInfo extension
that conveys the same tree using SlimLeafNode and SlimParentNode objects:</t>
      <artwork><![CDATA[
struct {
    NodeType node_type;
    select (SlimNode.node_type) {
        case leaf:   SlimLeafNode leaf_node;
        case parent: SlimParentNode parent_node;
    };
} SlimNode;

optional<SlimNode> slim_ratchet_tree<V>;
]]></artwork>
      <t>The ordering, truncation, and validation rules are the same as for the
<tt>ratchet_tree</tt> extension in <xref section="12.4.3.3" sectionFormat="of" target="RFC9420"/>, except that tree
hash and parent hash computations use the slim node encodings. The large
objects referenced by the slim nodes are resolved per
<xref target="large-object-retrieval"/>.</t>
      <t>In a SlimMLS group, the <xref target="RFC9420"/> <tt>ratchet_tree</tt> extension <bcp14>MUST NOT</bcp14> be used.
A sender that would include <tt>ratchet_tree</tt> <bcp14>MUST</bcp14> instead include the
<tt>slim_ratchet_tree</tt> extension.</t>
    </section>
    <section anchor="slim-external-pub-extension">
      <name>The slim_external_pub Extension</name>
      <t>The <xref target="RFC9420"/> <tt>external_pub</tt> GroupInfo extension carries an
HPKEPublicKey that external joiners use when issuing an External
Init proposal (<xref section="12.4.3.2" sectionFormat="of" target="RFC9420"/>). SlimMLS defines a
<tt>slim_external_pub</tt> GroupInfo extension that conveys the same
information using an HPKEPublicKeyRef:</t>
      <artwork><![CDATA[
struct {
  HPKEPublicKeyRef external_pub_ref;
} SlimExternalPub;
]]></artwork>
      <t>In a SlimMLS group, the <xref target="RFC9420"/> <tt>external_pub</tt> extension <bcp14>MUST NOT</bcp14>
be used. A sender that would include <tt>external_pub</tt> <bcp14>MUST</bcp14> instead
include the <tt>slim_external_pub</tt> extension, populated with the
reference to the relevant HPKEPublicKey. The actual public key is
resolved per <xref target="large-object-retrieval"/>, as for any other HPKEPublicKeyRef.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The signing and transcript-hashing rules of <xref target="RFC9420"/> are preserved by
SlimMLS except where this document explicitly applies the SlimCommit
single-signature construction (<xref target="single-sig-commits"/>): every struct that was
authenticated under <xref target="RFC9420"/> remains authenticated, with large objects bound
through the collision-resistant hash references defined in <xref target="ref-types"/>. The
strength of the binding is therefore at most the collision resistance of the
ciphersuite hash.</t>
      <t>Large-object retrieval channels (<xref target="large-object-retrieval"/>) may be
unauthenticated. The hash-reference verification in step 2 of that section is
what provides authentication of the resolved objects, and is what binds them to
the signed and transcript-hashed slim structures. A Delivery Service or network
attacker that withholds, modifies, or substitutes entries in any channel can
only cause a recipient to fail to resolve a reference, which is functionally
equivalent to dropping the message, which the DS can already do under
<xref target="RFC9420"/>. An attacker may also surface unsolicited or malformed objects
through any channel. Recipients <bcp14>MUST NOT</bcp14> treat the contents of any retrieval
channel as authoritative metadata and <bcp14>MUST</bcp14> ignore objects whose hash does not
match any reference the recipient needs to resolve.</t>
      <t>A client that caches resolved large objects across groups <bcp14>MUST</bcp14> index its
cache by the tuple (reference type, ciphersuite hash function, reference value).
The same underlying object yields different reference values under different
hash functions, and a cached object <bcp14>MUST NOT</bcp14> be treated as authoritative across
ciphersuites whose hash functions differ.</t>
      <t>SlimKeyPackage batch signatures (<xref target="slim-key-package"/>) replace independent
LeafNode signatures with one signature over a Merkle root. A recipient <bcp14>MUST</bcp14>
verify both the Merkle inclusion proof and the batch signature before treating
the SlimLeafNodeTBS as authenticated. The signed SlimKeyPackageBatchTBS binds
the protocol version, ciphersuite, tree size, Merkle root, and
SignaturePublicKeyRef. Together with the SignWithLabel label and the Merkle leaf
and parent hash labels, this prevents a valid batch signature from being
replayed across protocols, ciphersuites, or signing keys. The Merkle proof is
carried in the SlimLeafNode only for <tt>leaf_node_source = key_package</tt>, so group
members that later validate the ratchet tree can verify the authenticity of the
leaf without having received the original SlimKeyPackage.</t>
      <t>All SlimKeyPackages whose key-package SlimLeafNodes share the same <tt>signature</tt>
field are linkable as members of the same publication batch. Deployments that
consider this
linkability sensitive can reduce batch sizes or publish independently signed
batches.</t>
      <t>SlimWelcome (<xref target="slim-welcome"/>) introduces two confidentiality changes
relative to the <xref target="RFC9420"/> Welcome:</t>
      <ul spacing="normal">
        <li>
          <t>When <tt>WelcomeGroupInfo.info_type</tt> is <tt>plaintext</tt>, the GroupInfo is visible to
the DS and to anyone observing the SlimWelcome on the wire. This variant is
appropriate only in deployments where the GroupInfo is not considered
confidential with respect to those parties (e.g., where the DS already
maintains group state).</t>
        </li>
        <li>
          <t>When <tt>SlimWelcome.group_info</tt> is absent (presence octet 0), the DS
chooses which WelcomeGroupInfo a joiner ultimately receives.</t>
        </li>
      </ul>
      <t>In both cases authenticity is unchanged: the joiner <bcp14>MUST</bcp14> verify the
SlimGroupInfo signature as under <xref target="RFC9420"/>, and a SlimWelcome that reaches a
recipient with <tt>group_info</tt> still absent <bcp14>MUST</bcp14> be rejected
(<xref target="welcome-group-info"/>).</t>
      <t>SlimPrivateMessage and encrypted SlimWelcome GroupInfo signatures are carried
inside the encrypted plaintext using the SignatureOrRef <tt>signature</tt> variant.
This prevents a visible LargeObjectCarrier signature from being tested against
known signature public keys to identify the hidden signer.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="slimmls-mls-extension-types">
        <name>SlimMLS MLS Extension Types</name>
        <t>IANA is requested to add the following entries to the "MLS Extension
Types" registry defined in <xref section="17.3" sectionFormat="of" target="RFC9420"/>:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Name</th>
              <th align="left">Message(s)</th>
              <th align="left">Recommended</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x000C</td>
              <td align="left">slim_mls</td>
              <td align="left">GC</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x000D</td>
              <td align="left">slim_ratchet_tree</td>
              <td align="left">GI</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x000E</td>
              <td align="left">slim_external_pub</td>
              <td align="left">GI</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
          </tbody>
        </table>
        <t>(Values are SlimMLS's suggested allocations. IANA may pick others.)</t>
        <t>The "Message(s)" abbreviations are those used in <xref section="17.3" sectionFormat="of" target="RFC9420"/>. "GC" denotes a GroupContext extension and "GI" denotes a
GroupInfo extension. RFC XXXX is to be replaced with the RFC number
assigned to this document upon publication.</t>
      </section>
      <section anchor="slimmls-wire-formats">
        <name>SlimMLS Wire Formats</name>
        <t>IANA is requested to add the following entries to the "MLS Wire
Formats" registry defined in <xref section="17.2" sectionFormat="of" target="RFC9420"/>:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Name</th>
              <th align="left">Recommended</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x0007</td>
              <td align="left">mls_slim_welcome</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x0008</td>
              <td align="left">mls_slim_key_package</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x0009</td>
              <td align="left">mls_slim_group_info</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x000A</td>
              <td align="left">mls_slim_public_message</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x000B</td>
              <td align="left">mls_slim_private_message</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
          </tbody>
        </table>
        <t>(Values are SlimMLS's suggested allocations. IANA may pick others.)</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9420">
          <front>
            <title>The Messaging Layer Security (MLS) Protocol</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="B. Beurdouche" initials="B." surname="Beurdouche"/>
            <author fullname="R. Robert" initials="R." surname="Robert"/>
            <author fullname="J. Millican" initials="J." surname="Millican"/>
            <author fullname="E. Omara" initials="E." surname="Omara"/>
            <author fullname="K. Cohn-Gordon" initials="K." surname="Cohn-Gordon"/>
            <date month="July" year="2023"/>
            <abstract>
              <t>Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9420"/>
          <seriesInfo name="DOI" value="10.17487/RFC9420"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.ietf-mls-extensions">
          <front>
            <title>The Messaging Layer Security (MLS) Extensions</title>
            <author fullname="Raphael Robert" initials="R." surname="Robert">
              <organization>Phoenix R&amp;D</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The Messaging Layer Security (MLS) protocol is an asynchronous group
   authenticated key exchange protocol.  MLS provides a number of
   capabilities to applications, as well as several extension points
   internal to the protocol.  This document provides a consolidated
   application API, guidance for how the protocol's extension points
   should be used, and a few concrete examples of both core protocol
   extensions and uses of the application API.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-mls-extensions-09"/>
        </reference>
      </references>
    </references>
    <?line 1408?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+V9a5PbxrXg9/4V2HHVeiZF0pbj3CTjxLljSU5UsSLFUpxN
JakhSGJmEIEAA4AaTWTlt9zfsr9sz7P7dKPJkZx7d+vWTlVikQT6cfr0eT/m
87kb67GpzouTF029ffrNixNXrlZ99dp+sy7H6rrr786Lur3qnNt067bcwkub
vrwa5323qvpxvm2G+QCvzD994Ib9alsPQ921490OHnzy+OXXrt1v4cFzt4Hh
zt26a4eqHfbDeTH2+8rBjD92ZV+VOHO13vf1eHfibrv+1XXf7XfnxdNqGMrr
ur0uvinvqr7Qh9yr6g4e25y7Yl7AIvA/u24Y53/fl+243+LnVdlubuvNeIMf
hrHry2uYsWr3sJCikAlODs1wAs/wPk7+COvBB36Nr+D327Ju4HuY99/rarxa
dP01fl326xv4+mYcd8P5J5/gU/hV/bpa6GOf4BefrPrudqg+gfc/wfeu6/Fm
v4I3+3J3U1YNw/YTgis8c+JcuR9vuh43C48XxdW+afgwvuU3im/pFfoRZinb
+h/lCAdxXjy/6aq2flN8+z8f0a8Vrx3X8+/RdIt1t52O/9uu7csN/OcG1vzq
/cd/Re/BDOP6phoXAD3nFouFc/P5vChXw9iX69G5lzf1UABm7bdVOxab6qpu
q6EQHJwVZVtUb0ZAGJiqGLtivKkOY8QpvHJW7Ppu7NZdU1x1fdFXm/0aH72t
+wpG2xS7qp+vmxpnE4woutdVf1PBJuuWkWKAecrR7YeqWNe7m6of9vUIy7qF
YyrgROGd3X7V1OsCkHCYyUMjrBQ+DPV1W477vhpw+Ru3hjXAbHXZDAvdGKxr
15RrGHJbtncyZLf6W7Ueee6i3O2qsscVweN0+jgGXskNwB/uTtkO677ejfOb
criBLwGg+zVNy8tEzN0U+CNMdlX1VQvTLdxD2voA3w1d87oigPrfN34NXdvc
FbcwZ9FWsPzNrNgPCMaS4LelE6iAQvR9XfWwz6Lp1mVTrEs47BkuEA4OttDg
iuHo5sOuWtdXALC+GuGV1/jsTdm2VbMoXt5ULhwyoMMWrjHMVwES8hpgsLrd
VLuqRUgWj6oGblR/Byffv67XcEg4G9AdeA337sIkeuI9TL+rGcX4ZVh0A1dq
f31j1k5bhFfgIUCtjbuqRvmyGbripmp2NEG3B+TZr29k0hJAF45WcRgvb/G6
7OsS4d1dud9Wd8/L9SsA3Kx42G239Tgr/lg1cOvgC6IsT4DOEtIUAuHiqi+3
MP+i+CPCAXGGVuM8khWwlqHeVHRT2nV/t0MMqdrXVdPtquK22zcbAPrrCnaI
Z40v4onpal9V1W5w+gsPWbc0In4ZMFtu7rbebJrKuY+KJ+3Yd3C78Hyde25I
b3H6/PdnZjzcEFwUXF+5G/YNoQRsETGgHuDx3z5+ive2BpDA2Qx4nu6mBOwE
hoLgxcvTyDXpc3cOZwj3Dm9Qi8uve7du8IzofLt9O1b9ruxHuIjf0JUzd5OQ
CD7DDYOhtki4YUlwDDDiDECybvYbJGJwIwETm+5uS/eILuumK9puLDqYsr+t
gWog5eBLbeiHXq4FgA6PCy82kZvi7dv/8e3XD3/++Wefvns3w4XD64C9e9iK
0IFy0N1/U5VXv+s2SF1gK4jRLX1ygkqDItdgkGqIsGqgO4d7gu3CVHDlXtdD
vWqqYgV7gMtPCOFJJmw5ppiAC09o/TOmX91Vsmh4sQKuvwHKgW8b2sTErRdE
3MxAIIDbCI+t7oCoVRVRLHgOSIhsj78gonJFwyEb8ORPfl4UF25CFk4fATsg
2tDARjd3QHK6DlZ5090iLwHgwKEoTGbFCm51PeILcJhAQ7awsoJ4CNHqIibC
qzvlCEgN6ha2XoOIg9cTgcdnjYCuB9cgZg9MHeflLW4/kKEBVgsUikkJDHxV
tjAiHxhc4Z5vC9F0PgW8rgDEmw5uNtFpRGk5A+ZfAHBYI5yS3vJys0FUJvjD
aQOshwre4uXyUouabsJ4BzSn2+qXukym0h/ChgpmDoAMWVbEvDHLfRAfZV74
brzpiUhHnKc4wHnch3Geb5UrwAWo+voKSBQMo8tY3QESwJXa7f2p+rUWqwrE
i0q4Yo3UEa8U3VHgQquqBS6ARw43kgFqiQYwtZ7p66MXuNuYv7lB8JeO2fA2
OX6iH8R+zJgzHQ6f7wDdXIarl0Xgg3on4FhmCm5GJxxov0NxHTALuGmgtH4g
AlMYC2UEpcJ7gP1doDyKaFUjiFUSUgqxWgAvN2CRy+R3jLCFLcE/mkZhyqMM
W+AIVZ9gJKH9zGIEMt6IygsvktXiVstV3SDaj53bIMgKz/RjsQy4R0089I7o
F8tFcu4g8rZB8ET8umYyeO7cj4jXBuY/eIJiv8PVrFBWLiJePMg8uLoiokDF
dt+M9Q5otucIC5lL6D+xLyQuNCQwmAI5jHAHmvAPdMrP4ZDDvZ3p8mA+EXXx
d4UC0aFEqpSTR4bdtVaQYOENSCxqgDCeTA064AgAQ3yksYWH4maBiwrqERjw
QvQfD2ZIODvdpjI8oG4lMAL56Ak6kniSwQKYzZqJ/BQT4hvw1lM+mS0VyWjP
+IN9BSU/3rU5QcQWgCkeBgggOCvQ33gl/A5RmPLW7Ha7h2vfV4ReIpV5IQ/G
gXMCdogXE/Zavu5qFfWUXjEAF6JmAbBBACIRGwHdVreiXywiCcSThj0yjG+r
q9/Acc9XIClsnFm2CMAGvPAobeZ534EmXjbwOYjF13B9e1jZP4gJVc6Lf7C6
P//lzy+fPXp2XpAAiXTYyx6qowF2waYGUeoEmCWKi8Xz37tIS+vataCPkH7m
oEAc8KbD/Iu//PUvf0UR9mEHcnKLv/IpPMIDrOkz32uUWtHIMBQnT//w4uXJ
jP9b/O4Z/fvbx7//w5NvHz/Cf7/4zcU33/h/OHnixW+e/eGbR+Ff4c2Hz54+
ffy7R/wyfFtEX7mTpxd/OuGLdfLs+csnz3538c0JHtcYKcyIW3D2K5TmULgF
JgdYXA5AypAvr1j++urh8//9Hw8+l1P+7MGDn8Mp84efPfjp5/AB8U9EDtX8
iKPcuaCIAsUForqrR6CjMzz5AQSptkBeBmf4oz8jZP56Xvxitd49+PxL+QI3
HH2pMIu+JJhNv5m8zEDMfJWZxkMz+j6BdLzeiz9FnxXu5stf/KrBKz5/8LNf
felS68WeBayqeAn4HlAUcK8BhrBHNEYIw93jb0EntPduUXwNlKWpSzRmMKHF
ixNdTRQWQCXZEuf5qHj2GkWF6ta5i3DRSAJkqSJ8vr1ByZdoFWA90QwV0HDF
S6SUl9tmWBpV/PTtW7VAzf23796dBQGkFCMa6Ib0XZDzgezA3SSxXm468mTS
5+pxj9ufsRTxm+e/ffycjClASGZA1F4o9QvfFg89B5/RCw+9SEJ6gVFdPXfd
sCkAmGbCrlRSXnc9LHTXtRuiliCjArEKGxDigcr0G5Qm6xHuRd2iTTBjsmJt
s8D7IPOzSIPnXb1ZVzsiKgsA08tY5I1lDGYVJKdWZLiA06cn5vzE3AuxiAtX
uDtlHm21RgaFDAsQ41u/24ckwDLCvf0IZp7jVod3gDJwn5EHWFaEcju9wISD
qGgJTHUY70DSmFB7eOTt2xcV2wB+svgMYWtV2XpRLdR0JIwE+Rir9KOckUjW
DWwL4GlIuaODu9q3ND5tFcT9clU1IIzVf99XahGcqhB8nE9a2AntysGVnMMT
3cbDNbp4gESEyfNVt2+tMW0Wrc4yGsQ1r3GBjGJ+4gENXEXiYaDCTwpjh8ov
bCqWEGcHIQJzuiWqrf0lsKbLHT+/4Ccu6ZEl4zdIVPGgIqledU3T3eJ5hAtB
CFGwVorIvIH7/H1AoQ2r9UVRmC/ppUL+vveHy6dz4O979/0885f98sj36WOw
1oiI6JqiLxFb5fsTpIoPFp96ihk9eOLXmqFERe5LHDoz6vTBExo10LIAGPOl
X2h+reHBEwvXhCoaCIQvdeQDEAgPnkwhYA4xfGmXehQCJ+YxHDVCTB01+vLI
Ws2bHhsRsu4xK6WKoHA9l92uBDLxi+++XIrOvfxuqfcWrhHcwaKp2mvUb4gp
RPc7oj5wffBOp1cVVsC3la9IjQRHJ7AkJ72L093CSyA/oKInlpirOyEDqmXD
Ekur+HyB1iqW5V1ZWDZhoIBEEzYCDyUMjwygz+jxh2xMAdViJPYRHbCu6yri
s8AYm83EVUHqlhEC9m0DPMnFDLOv/r6ve5E7YnUHjXKRspM1ai/cE9o32eT9
2jbViAp/ZAc2fAFNXvHqZqrBkBUqwUlWxcPKVBQCqjsXqouCEMAKVc4JXND+
66H4rCcsYQlMHAK4fnSFjj2zhRUdtiO1xxvvxf4TpDS/eCDQ//znP13V7rfF
W5ACRNHfnH56hiKUX8/pg/jzJUDk9DP67vSzn/zkzL1LlvkSqPoXzvFENPT0
dzPcSI+jGt0g2p3GDy/iB89ovAJ2NJgxzh0ThkBq/E9fZB7HHUxeQTyNnsA3
330x2d0XBDVHvpRlvLjil/EIy1kGP9nmy0Iauc9IlnCHZTTx2xyZK8zjcvPw
6aPYQHoH3mbVqlDpG4guiAcIxwnWAY9FqLllbjuJiZ5S03kPICASlvPxo4yI
NK8io3qkhgh+oBXhGsT8lv20LCZbAXiisLLpmnwDpKDE0v8PkP0D1GYTD1yZ
kDwKbfjRia6elgJrY3KL6snYES3o+vq6buEzS+78IFuG1+t977WIMpLeI91D
7nMsY7Hp8u3bIIS/EyvkofFlpUjfbm/q9Q0uDynEm3ogcy4ZppCeArZVbWYJ
OLD/eeFeGg8LuUati4UQrqlfVeTC8moAiahEfWgyZGhoiQHy2cX2e/X+oHhP
gi4ue6ppxRoPKxkDcN6gpwwTWdXQ9ClphYuwLvFr1sFoNgCaVcAdG9fRNoSC
AEIxtrMSPfZ37TDvIU03+iWY/8L7MZ9W0h8mYyY3AJGSe208rrmRvZ2PvSZz
Gf85qNigRT1NDJPmRhDS6HTTyWABYbrpiGQoQLRhilnVBLcPhtkM5RSiWnJI
LtDDpTJEnETBlXOUJ+ZqssB3ozczADVGD8Pqzh2wNpAD605tsfaS2qOSC+eU
3d/y18DqZ0VGSpDrmRcO6A0X7PHydHA84E8TC7wfbE0v4TgOLw/q2ADOO3a9
lrG1Zxbup4wCR8O8gXV4kitIAn6d6L6OIwTY2sHw8OSPx1oU34lrEwbr9w37
VGKDMfl8anYbk73gtrxbBPGcSQtZFlPgH6UNV07Fb/L/exNHcVotrhcoLorb
rrRILxiI5D9mFWpZsXJhwnTPhPRkuB1s4uoK1oXBMKP6+kzQDgY4IF/zB+y9
r7FFiIgsORtAVe5uF575MpUgKHnnOU3ivHmIJe3XdQmbAw43eocrQ2SGPigy
vQ9BeAToOHURoe0h4O8ZHBnAB1EzilWpt97ghVMpbrloxgXZCNSpJKuw6uDj
aA8CqNPh7JB1IFIxp5C7980D1oUPMyb8J76Lmq6He2aPHyj6BETNmDZyr9PX
kV1hFkvMuMDnJADklpg1qrzn3yHby70HKOtBUxLZ7v6fr0dId3ZMQ7s/8O/7
lPa/31vu2JwB2WbmqTzy5dcT3o9Xd2iMeD3pUxMETyxUp6+BHHT9WR6dp5ar
8Hy8Ao/S8xXQRpJ/hJ6K9J4Ii6hODjCnuU+HoZK1dB0HJSzpYrPxhDgdMrF7
fcBf1m72Psv5g8RyTFd0jEC933I+8H1cjkQEX1K0V3A2FTEKHyZMh5ZDHqwD
g5ObYYrjZpLvme9Xb0pgYxP/HQg8EvKCkjQhWSxsdatRDTmHJNCivEYpfExE
J1SV2B8PzK4ip4h4VP/i3eJwdK/J968qdrpA9ovTEi0rJ1XENTAoeiMwxg8E
YXF+fxSfn2j+DXyeY0DhOw4e87/7gGX9ZhG9//IrE9OMAoP9gayiTnwLkc+o
+GnqMzJBa96dugS55xJwuLzc1CwN9ndLc7rBVZeOvXjgYPRfPZk/ovj72JOJ
6vfYiYwkk4ZwMdRHu5ZENoKi3e3HQ7EMwyzZ6rdgm5wxnbH1ucDISkCZS9Sy
f/Hdl2SWim7y06p/1VTP+66j0WP72x40vx9/dhDv8cAuMXjszRf3P4y34nKo
/0GWtaNrKCgy577VxivN81iRxgFQ5LIS41zeixLMZObRvGskxHT558odh3Kh
tTQ8Z76F5RYeMV90+35dMfwQ4S8H+iKyZsYIvkifjQyaxh+n9slv6qtqrLco
7/M/aAHyPIc56aMMxrfv7BOsAeoTgkxssQm4RHZO+P/H/jYExKQH/hP3k1tk
vA1ZJCmll/VGVoh/gpkWXe/Z6fsNonbeeGv/HyHmf1us/ORHNAZamM0qcd+v
2e2OplkyclopTDz+iX9m4YeS6EFkq7zS9xyw7fpt2dAwEd8ziRZoOkmvELzw
o0/cIVfEwdv3wYd2kASjbECE+AcfYXgic5fEY4Ki0ZJmEmaHgBQBxOQKLdNt
Fb+0m1kuCvLcOZR2NGg9lSJ8JCOab/r1vuG4BI6NXt8tVJwNJ+xwVs6C0EwM
5ul04sqbETnuW99MYqGCdZI3ayI51K5zxFeIK3sdTGZk+RQ7FaVX0LL8407N
gd7mo4AuMYrKRPFNrYzzLSHCHPk6Opso2aBEo/mgweJkJOPFwMoK83KM5xV6
cegQa/XoiuAjIjVnZ2iItliqm45CexLvNl1Ecyhi/iaIO3TLM4ou0Rq15DM8
CHrxpfP1jJbsjl/NGcO8pnDIVDD8cSx0FuXViMHkaMb0obMk4Bv5fZg4sxZe
jDaKhIYFp5YMEbCZUs6DG/rdxNeBExOwjSe9pFwDCcqC3yjdwrhw6HPkQzmf
iKMTNpjngELSw9+UuE/EzH0LmHhdbS6Z2Bq5MUDmHp78gxczeUTt15cqeJPY
m0jfyfEInUvO0ms04btF9nCt6uPSHw8oPj+fKD6CTMHvIzjDkWmYhC1aWXhC
rgfhjPW7qust0jVNUoZY9p9QkusQ4vwkfoFIGF2ftbX7w0UyeYrGO+rC0IHR
s6suawMXkpfGbfoQeZgoCSWYYHMUysqy4po/fXFM8CiKpxcPMfTiqgaKQug2
ltcGqTlBUtHE72siVP5Xzx8kJITEH4HufoOxdaeLWXFiV3Uymyz0bCKVsOnL
yCXJ7gybj9176gQOCGHoqY30tK5yvARjN19Vc07yo/BHcU+na10UF+wwLhvM
HYl+5kTiBOONl3UpXjv/4wLviIZYeKcp8Bb1Prr7oj5wOfF8wZ+JmYfu+Jz+
4WVweB4L/nBD50GWxJqQgNWN5HDKeSoDvaRIDs5n5QiP4luf6vb2owOhKc4Z
7xzICBOvvF5cGzDls2Bj5xP+6DQdJOPZ9A5xsaZPXZyaZuqh6gwZUfq5uktC
rwnEKxOMI7J8xqfoXWhxrDTRSdylT7SkzFMjvYHos341GKuUBpeMN8iiJ0mF
A0UI4EXKBNidJpFCksVIEIiMWLhPuL9B0JgDXrJENzfZbQXJ/9XrutsP5FsV
OGiiMb52IBuSktwKm4RzER7jZOgNPLrhbFmASX3FPs79wFle8NW263MQgLGe
YRj8usL8XB+1GCETJm7yfgBeD1hi5DijKI5x+SPA0iWKpJRiiAcMlwIPL46H
45w/CppypOXA0ZPEq+HgmkTqk5Xl/HTNRbkCIXLhPltIwLzGJ9qsAbKvTsbe
Y4oVZxLu0MbeY2Q7roJjoU+jeJ8zS0nFSVtTjA77bCvd8qrCZPOi8IeKlGky
N0vWYZE+iW5LOokJFcOhfKwkgoGoR3eNFUAAHTz+L9yPQSy4olRRitPc6Io4
Lzq+bwasAkmW4yVdHOfHiSVyBEfE7Fh8gurEhOTjMFIeXT2iYugiG7vflFvM
fqSYKs59JX6xgSPgGTiIheWqiDzqdUyIo95GTKbRfPeKaUiKwSEoiiIrnl78
iaNR8Xl0t0+vvo05M/mPqGBUPnk7JsIhSsEZ+h8WcZQeF0fpsTtOjxeTuiyK
V5LtgvEW7TVAH1aj4Ue3PaqNPR5OBgASCVlq5nYuQgUDhQYfYTZzmuH6Bj9x
+scwdOvaZMRbqGiCJupK4jHxgXgGqRBJHr0I2bp7r8JiJqSEPOJNPxBRTUzc
BD6zmpxEF3PwTwYPzNmzQzOfjhRhwj2qHGs9N7tX1SVXpUEFSqXNTA5DkEem
j2eSE0z2tDyUyTWg2U1JjnT2oJ2FUD7RxqZAMtKowRakY7bSgciWHuRc1AJO
lm7jZoOJzFjCAeOnun6DxQIwhF01+orC3WvKF5XiAiHUflUONcg7HFMDTAcT
6vU0XByVb/LomSlvaJ6xmybVmwsdgzDOzGdWx8ny6dU9HaqqmF7XA/IGOiZ3
HD6l2Vx6WYhu6R2woANoEcKX/j5R5i9DSan2dC7aND6TQ3qNtNXXc+FTpa9v
AGujzDTOeld+79czQ1EECQULQqEGQrHrAJvvQoIBZz+r1ID0AM6OYqxkVvi2
DHF1H6UOdlG/bVifS41/RFiqSAtXQmH1cViCfakFFRekp5Gyoe0PIcGfPMbr
vqOts4kREN+WDNjDxkumcSHwjmHIB2pMkj2lteFTZjZED8Cg0cas4T0wj2Ts
4EmMcRkyL1JDKDJJvi1dJ4IgW67JhMVrZIMR32k0ZqBQVkpxjMSi5yS+WO5/
fBAaScyLOBAlWcZaq4WFjarXPBwgIhRnd+u4gsF5FNkx8DsSYjdJ4ePkda/Y
hp8cU11jHJaw2GK5bYZLCmOwRmm+qldoAKXAVPw4548DJeNeGNpB4+kNBqks
CkXBKPLwsrO1VO64osFB8AhwxcLBZymJxcKGXUghDjYPOIdlcoo+/2rfCgVX
ol5GB06+Ak1+aVmCdHkbcSvGLmvcFkQjU/pC06Nj3Md5KdlfqwrB/p9hbmXy
6CmOLYYxXKYp5MUlnwqtNxWuS1SQ6kxSV+PtvRRPgn/HZvpE/iRB+IP3jJRn
YEyyZ5IKyfZEu59KD8+F7H8HxJFCb17zP0gAIKb0ghLgmP2b3NIvcoZbrJhg
TbaPbUgP/iUWsHc5IMe2tckC6e/YKrNL/QBfbj5wIoqXmNiZ6Y89MJdI4bLR
El/hWU2Mhzk0i/4mOb4asXE04Mq7t6brEJlqcg/8Det4zgSt4GvkCLuEHQTf
C5Af5VlYtQBQdZqfvBRjlpfIy9YRBMI6KHnYh9ygRkKjRM4utOCjBi28h0nS
JC7neKzQdLnpGOQ6CooVcSW/sFm6k4wv2hZegieCz3FhCJdawPNXFjU08x77
AyUyPRb9kyIGXbG01xG9at01p7sQnfbFJt1UybRGxhAmVw/F++a6kaJtUOsr
tkHwDinzaCpQRR5M3qAREdhYkc/NtNbpYIKJcnZdVlKIE/UvZDjm5aycFSVF
DQwjGbrwHOC5pnEZiaO0r1PJQi+JLYVewSEsowR9TuJZTuiQnjB5TnkjfvtR
ON2QSc4yycYpOgsDwCsW3Agn8WbwcfEkmDfPgiJmMsXYuXTbFeubutlo8lhu
VXUfJUGTFgbr25V1P+VKQl+b6mqMPXt9fX2TJ64SB0FLEzfe8W3ivmSbR0Yx
2yYsxIp5+7oZ0X0/dts5SD3e6iR7opQOJCf+8KgmoaT1NRWoGDNXbv4GlEsr
NrKdoiQTGw2HO6cUaNwvGeFY8EDtrSWhArUyGgtncECbxcM5k0xwIBTbji8E
1yDzJvEWpTZ6VVUDMt/gsC4EtZIbnEmeql0irMmlRDa30HAQ0EeXXokWj0E+
RoWyfwRQHnIEKVqSG7vbsmeCSDMUL01mD1G/WaQhg1zday2yMbox3ZUhnJfj
asDbF+LF+O4VS8/Yl+khiZ274DxMjC1BcFMRadKXNhtPu+URKt33hsoN8GPz
4oGEM+gTtLR6cJnzUSaLyj3l32tmONX4KZ6NUlJ0Fo4xPOvMs2rrE5QofIDA
mNxee1E9BOUtJ9Y4QkVfk2yy0W6z0WJRfGiIsZPnnX8eg0u05qh8hUy42NSB
kd52s4K0VFz8prttQ6IcI4k/g4Nv7XdIz4WDDuzFYesLHKo5cw5Bav9R9V2E
HcUvgsSHmNI0Ada1r47D4A6rowvqPEgVxvlbk4ruKdUUsjh1+ealygkt0x+E
hEnRC+VEjPxxtRhStstXcBp0MzPS2yzHq2iL5rXJpYvAbR4lHU6lHPOeXk0j
UC8zcDQu6cGJ0wbljuPy5NuPDoiTh7jQBAo2fiQzl4jXU+jRe34j+GFmxJX4
8OIiQnH1o5lqgZah5kTtrMyDVYs5FziV8NSIjTpym4Xi5CalQ3w8uElgHe14
GS2MTvcQfIIDzAkdPxpihoL+dO/Kme5JF4hEPUr4gH0Bntyjk/Cphc9SpQXt
my+/eoSUR8ybM7ctG7SxiCl4s2ffAxzY8Rm2cEmGeN+puVHqDDPOP8Rq1VoZ
6zkzbKqzfyGmTykxwsmrqRhcDhJ0NrAL9qE+e8gO4pkFCC8ktQhZmUWKNzno
JkYCjUdC7QTtNDOpjKaWAfG8+hVMhF6a/P740gviz7iE+7BAEEDsXrmDIecq
DiW1fcIVVvTMQYnL047VrnhAvlSzKeAnbC9KNyeGTWvBjKqvYTa1+3xRfLVH
gTux4q6smkXyqlcK8vMs3E+msJ6yEH9mSHY5/xTFTCMyqMKLYXlcOIAKZk51
0in7mGn8LtJyuvZFEkTtN5EpwbJw/7YoHqNPhiS3Q3iKDhI46bicESPHUaUc
f/x4yCjlxUQpJ2xXHwuQkXKNeyrbWo3jGW8IFu6eFJTeTK5NWM4Br3BOYfd2
fBgtlTUEdM7ai0XMrzL0ASuBwLc5wPpgVRdqG2rcCws1GXOSz9ZfJA/mDExH
3ov3G+vt7b3Xns0gzNHUEHeIIB+ekDT9+6iRnkVPpcJd4V0FUSR9qAmpZyL2
liFnXJLSQOyzzmIxYuRaQ1hyNwodYDTK7FgsijtwSabLNQMcsWflrw7WV/cc
aiq2KCmaxTCZ2nVpz+9LdaIFI3VJDXiFQNlz+COGPD6J7whBvcTOoT8wziGx
nSKzmiYb7GR6KFjL25FKoN53qbGBYmfT6iXOllxXKYPsN1ynvK8arqQsxoLI
CSSvsYxAlqDIU/5YIx4pdO9FtYZ1DRMfIVF3WEP+aY0/qa4HCoVjSRXmoSrm
sbudih3jcOZwJLxodZcpItjR92QgIB2PBA2SEn2s5qVkmrVXnck6iNbPTEPp
/C/SGNAvl7gHAbcN1+bdVMwj07c4GWksr6/JIkChKVQO1BbRQTmS3UfEZn3B
b/wea+YoSfaEmArey8FG6SOcdlKJNmEwggukKifYFH/DouNE/fvqGvNvJqXV
p9HYeYdM3itzEA9wdfgPb/47BO4inJgaBbUmIuthGEnPEjCV9X5RfFUBya67
XmKc+TflHbKPpRlnIUtZUoawsBfUEQ6v/sqHMAZsRbMchj5z6CIFpdgqOWQT
I6GKivCgH5i1jKg6La9ZAlukLYmaJFj5zi78YFiL82EtGqEC/0w6OrCuh32L
bltfF1IskgK9zt/O5fQCnXIsP8ZNrsdqLD498w0qKChw1+2wD1DlJcrS4Pbk
okizDVmuyk5m1w6ha5Z/6DZS5Wq6CFvybuAwYRry+0vAmGxy9AHgfsr86auw
Zop2yRZ9fIbsHSMMkL+gG36O/zAF6OLQcx/GCyIbvEwMmvpr4MknhaObrr3m
ElwRJ6A4Xu6ksa+HG7eqxtuqagkT1vOd1xl9uwPaCOdnzSlFtalME5ivktec
f83HtU0lVulg4dUJS8t9apq64XwRMK7sxbRt1yF/ZkjPOLJYmkNhRCmGPYTw
P+1GUWGMjYn6C72Pnoy+SQpJ3LaXW+H7E9ENCM031kZfutqTKCbRk+JYsy1T
NElxAkEHJKD2ygJ7GSsMeaTg18lisiAzK2mdmTS0Tym44gOFeM+iQNBDMzg/
A9qgOhqOhA+uXCG6qGnKQ/E7VpHglkQld45zE/SiziwanRI6z2lAWGovGOTK
uxCAewTaPnMqfzVFGkLpwh2h36QjbIaJBOTyjyPFQS1IpQ80Cdx2lvZ7+9Bw
X7nWJOSHqrRy5dagYpD0ktRu9f2Lnvi5pgVcDzwUVjqt4noIRov4nbiga2YT
+exlFMva6vaSg6pMkddks/q2zfoPv0q68iQaNRXrhGyonJDdlw+OCKen+QRs
jSO/DDFyIWT1SJ0NSukUJDggDDNT3bnjH0UOpVG1bnyUX6v11qzAykbNZPtL
e/fwOJW17DlYU1Oyla4elNODqOk7PHpGHLOjcnAa/6XcLlCEmOlQTMk9uVIh
P2vi5rLyGWdtZZBryfd+Iiy8/SjD+n11yXulb7zEcWkdEyTi3z7PSOnkrI8l
9Hsuvh9Abrt/Obnn6dqnlzz3ROGhbS/34TOJrrNfWlLpIac1+Qod9KbfhL39
AexWdJeCA+mSbNEBk1FnSmcbpGUpnwyPWgzUu5j/1tUt2qAI22eu9CbWo8qf
GHdzWjAKD4MLZ1yr3Szsj1NyksxLTLI9lntIeYcW6zESNdSxTGbAvib3JTJK
n0RbAYG99v7WeXiGRn1JbrF4c4Hy9LzxZFfvk+IodhdW6d8/mEhF/mD4sunI
JhTKh6Rq0K6HGrVxpX9zDGqeox1gF8vCVAyO5HpniQMnro15RJ1FIbPsPnAH
MI+MPrNMZq2ZYXp0MyoegfwoUucpr4YdJnaOcjVUB1aVtioI1IEhzbbcowYQ
k1+gfCASdrkshTPkXfMqIvByEQtSz6g2t2W6SbM2l2+pOATFP7BIEvipRptY
S7DMm1Ew79xAnIuT2NKwXqtfx2ICib2ikAyJ7sWUIKMcY5EOOotggaitR1gH
MM4+m64l8qykfzhbYrgOVtQk6T5fESCqTCzErbzDtALQGq+uMHmCiKmv80qC
xUrL+E5L9hLWhXIphJ+rO5Njpb3hfJ0Mb1gPJ5hUldWy3y561wdSm95X0ls1
ER/i5OOa2yhzgXXukBV+KV0c1F4cCGq/KGKgm6R0EQWlQjfpNJohJ/c0LrLt
a01L+W62UowaoK7cCH81mfTqtmagZQo6q6+B15gu2YaaS2mVCC9sfQKUkXBj
GGGOQ3xNK5Ha4BhN+6gcS0nvG31o2TxQbq+w+p5n4RHB4kGKSNfacClJhEGH
TmRicJMVYvfeYJKa1EIXLphImu6+eaaQkFD+mBOyq9gIKJtqRPN1aO3hs6lC
F5N767McqIkyrY0aeArqw8LD8HFbiSUu1Zo0+ZhGlptY8iJXEJZiGLPDT2L5
6dIyoMKfT6NJrb3xYF+Siq+TMPoa+TAePfjRl374pS9D4slHvhB6PJTJ0/Tv
wUnSDAsJfpyxiiUCwUzDKdh+iPZdfGoudkCN06DvXqcV1cU+I0GVVg51Rwi2
N3wEeEkbpMyBeTGvPRyege3gQq0bFyxFgvYhZXWChNxU3Mo3KS4u9fUbDVUM
NnCKBij7DcbSYWB+OZGWzGh+IJ+VZF1/0aHGMIhN6a/Lnq9mxkd/yHguhSrI
bsemLjWrRdmc8FAEY7UrTrI844IGzlNrFW9jo5gE2SZ9ECjzPG1ObsI+OaLK
w2pLKX/YVTeO9J9WyUoqFM1Y85ggT5AF4vgFmdEUqCpMgSrs2G6cyGIHNgpC
CtTVHRfjEPN/bRvszZyI+lRSoBWDqOh9rBeq14B+MSbQmR1ViteoImktpbR+
cZBmT0YFr3A6HOjPwQs6fWiBHLGVcJWLr4V1iZinYkE+o1FWSIRFQnDSPsVU
4AlEaEENGcAF2cq0xvC3EpAhojuxIMPxZlaKmTlTAIhCQTJCS6xoCiS8UGSJ
c3yJC/NmeEvfmMlkOVbu9fOs0DJtzFJzAZGEu3OPzfhJ7yeWDFrpjxaLPk5b
XmsBGb9LW7dLxYac3cG/oHUnpM6081KF1pqeR7Wmkatwmw5CIm3o9I7sVjYp
1MWHEicp48Np9fD4+ZDOSIKV84/5ZhJUuU7D3Q/WSE6KvaLJ998+Z8cPyR8s
0bNgb1JDIqpHYT9aXVSOmuxggn9ZO3eEGAv7ZGQOM56kxCBmfgkLCMYwgYe1
hfkz1R/N83FpTiuxi+RjanRGS4+FroOVw6J3QgB5+rWvIBaksuhKfHmkxul7
QjTeqSwY/55ePDyN6qO94r7A4c+WXlvIo3D8Y1+2GO+w4/KAZ/IO7UMGzhZe
O3TE2QPMVkvNUpd7U1olfLb4ZQH65YNPccQ/1n31NWVn+81ixvYlZ2yrJB5N
Vyh6H8VsrLQmzy2kKTz/Z3owkusevgi+msv40OJu0qH4nZqQ32C3eQVdOtSH
A3aSRfuvQuvg0RFd0TVcWBqTvW2ZWeTvAyaLDy/itz/k5Bjd+Zvhpt4lyH78
bOwx/6Bzi5YfAyvaZSRD/Hehvu9zlvlkcfzboVW0vf4z95297K4u5Zu/euDl
mrDFQHw/rnmMBx5noBl3jyDd9JFQ9ceWV432YBR2X48mU+q3PQJYcW+q9Z00
b9Lhl3ZnnHZikIJrDOtRL8ma7qJXgPz6EsR2TepPFUttfSUJbz4Hxt1n6CqO
G7q0rZ7uyFdJjC5PZlHvV8fywNiJ1J4b/GjFSrHPV+2w7zVouHTToTMWuMhv
V3rzZublpPFgmR/M213EBnu4Vqk7Wqu0OFarNOVApNLhS4b54MbY6hsquEhp
LVHGEA2d+ZF363+VqmOZA2KrULhielcEkEMW9gq+wsQ6kjoU7ImzYEkO3zmh
RDPrPDM2ql7qnVB/UKsqXpE6Fh1/AnQ0QFNysdHTsxiZxDulAeJTC7RJxWYn
lRJFvM9ECikB3xIJScCf0j6BrtigZanVRmA4M2EP+otyZqJtZrGiaMcr1Vba
JpFKu/UeJnxx3+2oKDMsZ0a/C22hD5zFxlobpTNEr5DBUujjqkFwe6G5SC00
DKaJATxxxHrEjakWK6cqfbAPIVe3IKSSpM2tjwlYeBEjCQuzTo9z5ntlupdf
PRU+9bUF6Xijbd19dVlROCawqzOV+qYy6r0iqhca1eYt873006Vly8V0pB4l
Zz6opeEa2GVfrwt0S3hzLyUBdC1aySqtCGciX2Zu6sPy5e1j0a34CjsbxHEz
2oSB6cS0EypXj4mssVj+U0o8AnwP2GVdtlYf+n+0zyxGT/TVbV+P6vwzLji1
0/FanHSuldBCjJ/EZsJqrjN9B9DqltiYuDgwIsZVWTdHWrN+kC2NTsJJha9J
YTKtUJ13d1YI3owY4bLsRcyWdc8uUTFCcmmIULrxoRVr3n6UkWk8n469oiR6
UBYcU4KZ9ars1EBqnPYfD6apA3odkGKq7Wh2wLGXVrErTYEflynXQwZgSfGL
/F5mSEwP3a7q1lQa1ZpFhrKGzF1bkqgck+zofE5aqHDNfHrqcsVO2lgJUYU4
NvJqlsZUsBG3QbpK2MZmsOZYc0inIAr5QkdxopuDg62aq1muIYvpx3IWR76r
NYBpZVSJ5mDFF07k5oDeSZp92MhU5z7ikfSZuR/qlhQl7ZBzMjNu8FD6H9VN
mdks/eX1NvpLTZ6sY6d2T/o7qLu9j+2T1vqDTHXJLlPL5HTg/xpD2HQea22J
kNFICm/GA6al38QVHAw2HizeoAG8pmZDXH9q5jI1G3Jzg1rqywtm9kXpWT6b
xMu7U8lBmbOcDNUQl1ufqTeIbvK1P3tyPFI4fSjJYf0b5KnEQi7sIsuQAqZ9
HH5S9qgj0FJtLTUSYO8M4eQy5yoWSoIhEmhvEkjRTfVyawigOMeQokEpCyxr
/4slIVIa5H5IOYjiUDmIIwwllII4bmUIIWI50m8pxJC4H8dKO7EQvLkklfeA
eq/WhN3y+QY9cI2ivDm4DGc1TH26IvvgpPbesQPI1DZaSGqyz5BPcgN8tlSP
3GJ0ovJvgLLgibMQiT+uuFxuJydAT+mlumORyWUiIEQOEi0hnFIU2pSvSokV
/+65jCzgYXZ2JDL5ckvZgU1gMV/Pmqq1jZr9S2kJsdBFCXrYqbYqN1ag1Awc
8oRmA6e8a1DQJhz8rLCdTjDMRMQ7hjQJiWEVgcZ2iGttlcavhVQnwjlfnp4r
6UpVLAU/xTUmC3b5BduOgsmM7P8VSFJ0PU+5ZNl2ed8i3HQRB6AWLcJnss6o
wQEivU/oMVmtFyGwY1r0RaX9UOjX7iytA/O86imdgXBsrHaDREomAYL4bia0
4mOsHJAEv6TtvOELc2k1Y08RgyQgQOtXlNZfDFjydt+AqvjcviPFuFJzAjnU
bcQJqe6DhK6kKzsSvUJ54lxvJYKWKRtjw2lsWWgyy2gZOVYyRfyIVZ9Ehl34
WhMmvieKeaRRQvgOAiti6Mr+Y7l4CIVspnErGqkUEzITUaVE0IbCoFmoKIzh
38e/+Mjd3LaMRmTr0WmTEMsaPiTKRqrs+EoyU03KRrdxLmkmzh7r62iC81GW
64m5hoFJNZEJq4I9USRiQsYR5FT1nAncYX8Iex50VYJDYR2e3lDbwrAcY7bI
KMtUyeBIRIxUFrkvuwQNjepQm5gzjvkPfLZCYkDCmkSPDxgv8oHTs2N1d3Bx
7116J5+vHELzcLAgPMUZtXHs4X10T2GWsTmYkixYpZfv2zwN5oqKLmVKAaVN
86iTT74zhHefjDemusBmvyZj2I769QijwRYaSvXIA4YrnAQ4Wrv9FmtIaKI2
lfqiFOdJ34tshrOYxdNAPvFKaFq4qVtqHhoONovysZVo3j2c/06F6A8nG8eF
SGkiJ+nbgR5iYiisEwW17mAie/BT3UXYBTKo83dbO5XVkowuFSaSPO4MJnAa
+gvCVBfnwUyB8q/m1LPgvKUqoNIjitLeo2x1rSYRwzbKYN8D+W/wAH25n5BC
NGUHVCYWFSXBBp94vQXChhZkgFlcySDCdU++W32MWaGzrE44TiY9PrTts8Dl
Hkl04Kz8joPcnWpj0ZQKUWAlgaYJjXWxGNaqKdtXrI2FltV4EZKlcbkRDPVu
u1YMseRV88u5p9LXcaFwdcfC4Ld0EEoyM5KC7xI2uckz5VpTPu6LLKilhGg4
091AAm3xKqXKON5hj9jsvkJJ5P73gSDHHI9Cg4bDERlaoqDQHm0MfdMp2reI
krAB9jQQIWgnDsTPvPhxNCcloyVIp2M6RKbcuKZIXA/5V5OoMJ01l7EKw9yf
2hnDDSSvISlhFte4M50DnmAfH45PPiYypFNox1oWsBrsRxYPetBPoBmQHl7K
2SdCWtwFIbWreBDn4ju0g15ibolkf+MF571lY95JXLgneD0wERvBXmQi2HGw
HxDEbgXjQ9uJGmczJQ9N2sPqJB1B1oGdfCK1TRu/DXKLTSLC4rO0WTKIi6Hi
qVG1kncffLb4PM1iiCCK3X3U7D6F5lSZIFhMfeI+n4cIVFk3Q4q1tjNPWK4Y
7t7bwezu8wgXuXRCngJFkq0Z003KgXvT8uEl+OLnCQhcTqVyj14IHdx00pay
bn0SblT4wvNOyZvjAAIQ70CPOdRHjyyYIq2D2BOXsALhB9Y+VtdUJos6v61v
opRhimfZU9z9sOaMvI+KZ3Art/U/8PifSybsC+zSpYXDAIdLje9KSjAxZKK8
FARJiF4Rpoc0yMUNJHF5Y0d9BLCpmU+XRnIPSuuOTTIl1dPiBbKPPaRugByl
+GMlNPiqxjaZpl09zMO766nNHzbmGEJ7W+3Bxu3XvEWFyYjvyYFP8rGZjvMs
BcI7d06OW3q4SbNZ09+1SLsqitxajtoaDAcX65DLGItC6rZJpZuahFLzSNrg
3ZMcsU9WEQPvUquH7YVIQCePBicdBksQlijEzXRDDJ+F7+FLYviolUGxqSYw
FALSNKPaow0CNCsvqTpqlAJHKwbk9hIHT+zFVwnjw8g16rFKA/ZVA3KS+lSw
eAbJhU4CGUKCNkjQuAP2JVL7vMj6cAxqyLelLAdraUZal0ruKsk+5G5XtnXr
4IvQwRJeVWichEu+fqW5M+qSkxVQ1amZx2kuoEYtWtUwl9HwQuUv0SC1RaBG
EninAAsIcZKkC5tFG6ApDnVTbdXmXsa53Z4VUE3vbhi4co1txomwoNLeyH1k
O3sbhWemla6B2j2VgQIYzkUN9G04QMdNpGll5AjaU9/F2+jA7CFrRaE7ujj7
lqzN/lkXCb9YCLpsP/ayIEWkjjfaX4QysyxdqzEMCb3NofCGE0ajLecS4hay
OQkZgSrCzWmwDIx3sSlVNRtiMD+qmvIOfvhaLx0MnyCav6y+tNkKK+d1V1ck
chJLwSoNQI65zh5TOROlwbRTlWRHorEvP3db1mOgjUfuvL+VOKMpvXeaufd0
586CHo2rRoaJoqBIhtrMg1GMbgj7hv1u9wMHfAzUhgNZoFRwQwWaxAi5sfGq
iX2i3774WkKX3n4U9Sqc9lBHXDOefqGkVyZIC5/2qWTSgjvOiDbdEVnQMS2J
xfKgDeQT+aQgn7Ex3wHucBE4G6PpAxQpFiIT4ZcGNByPZkiiGDQcIyx6YZ6I
szs0eljKW52HcBWElBYNkT/75BeZQUwxrfMwSNKOLn0yN1Aob3JuVhP4cxgo
rvyUjhMHTJ9njctF5snsWHF89XlO4S9yT/oolnAeEhfyXpF9BhcHjgVPwsBn
HASexn/P+GE5Lv1oCsdobxT41lYYdz8gOHBqtJYXnFl9Ie7f86MR7cXhiHYM
X5SovznIm9cYSge3KhgMlyk6s2dAaxjNTLR8VECHJGXfVdWj2WAglGItL8Y0
bjveMtX7sCw8xD660fK9hitpI1RuYWwKqxyoHfMRh+XLb6ZdpiR8w5dz/7wh
mrX46RttLRDFOIVYlpaC/MLkqChzLV6nXXbDw7WpbqVDbauyVR7UNDFSI1mU
xou8ay2ukZQboqLeaafaaO+i/V2SGjEBgvxKfQEjaLxM79zSDrQ0ioFp9SGH
EmkCRgtQBuY3ovypFDDeO4Xjw+/a1+oKIaGM9hZsbxNH7XQNU/ZSFBQZg0Yx
bq8kgXxxJh3lYPvflW94yoiWLSWpfhVRhRfzMKtb5+kK+Wvzgs/2k3oyUQUX
/O7L6UlThGJIBsPaHxQiBftt1yHroJgWSOmnKSeIhcnxR5gdm4EWP178ODUF
RZlAMIDzNg7robZKXJC6UbZrIyVSOlrf01/Tvzit8X+8u+Z7saCD8JiwCpcE
BlFcl6pxyTD0soYEGVXP5e7HAWKnKafISKYXXn+dw6/3XHg70PELDypOXJKE
dqrvS3lIPlJSbeph2EtDoMfyEEC9HkP1g9MJTiWWybMMFREo3b/uLBVxyPnU
0iY1WqclfKaEYxLpYufnWlJSEle+h4c/RNhJzmGKac4IJUcwLR7GYpqzRoUc
DP2cM1Nt3Tck91dPDWNek4ojfQhFQcnHwDqjzNfouXuv/hszJUgoPrCWnQIf
rgIW8atA+8LyRg+l5B/TFLEtAnPnw7VWV4piIs8SkUHKKjWHUGrODlaVxTKG
empC2dRmgyXJuvWeKgFWb1A7rjHEVWJZvLolOTHHA2BO836Ps3Ox8AkO8llj
l76oNNG0wUHBjvwhDmjnkK1EMaZoQWC2PTncWRBrmhpRAA4Ey0KWSrSNMSLS
/+D7OfJI9NSQ3gvLpVRstTBgvgS50gZjooOtbLthjKcsdEquJjhSWHQcCw7n
/o3t8eKxRktNkqB0CLHOim15h1nP+zaCDaMsjj8PSB7l+ZHdudoVn/HCyO6l
gdHuFj+LMWsSkyhQ8KgvoGe2XGMwGbzsc0q2WBtf7WGSe5sgL+ZPIsuzBYcu
0ADD8RYvAHXrNZnA22q87fpXrhxHkNRDxOp4g3E7sIQt8Nkrir0ie77Uu6EC
+r4LLd5BLeOJNi6y5mFKVxVFbkjOFvXblYL0ZcAZU7DWmlwdOrvhZDROBbjC
Th1FW/Ujhz6LYpkqmx6I2R36QAj546Sd4gL7TcuG8bipnNew76+wSOW+hbXh
ZcWT6EMkuR6Lvwtm24sQIWrSx0ZsFqiuG3adUFznXcBJp3ArGStAcRu5MdC2
GkvyQ+P5Mom+bvFe+LqfZO2mi6exK46qo8sMnhJHPjEfp6M2wtTqRgZKUxMs
8biwoZPtm8o5qL8sAIZtmyJzjXs0hJ6adQAFmB3J3DBLJqvUGWf4kvRJh8j+
TrnVd5y9wSVTOW05ensQqucfiHt7atgXb1fPNpLY6PQ46ys+GYaBpTvRYfgp
ZG6pQzVpH+hJfejGZHqlIiUS5Y4gzBkfo5uGsUkF2M765KWrUdQNd6KBS5k0
bLHNl+dAJzH1P076ojGdJjihdVQ5mm1/WCYsRlthE+WKweKbIBKl0561ZOdL
215y10vW9bDf7cxulHOoD0Tmv+yu2SLujY1RwSbuIuZ3LKOi1uZSDYWe1IAh
SdMZfGBqCity83LmDZ0qGsLlLukmh2h3QnBFQEEbs5haeUnacdmZMrgp/Nmr
gkLSfW3zyBVHd9pJAjnTAm5qYhvGTDzINpzOpoEqd6auCpo7gKHzHC/Flp2R
FFIyVTUJNiBdatIv9Z6ZexLteCiGm0hrNRG+TiJ8e2yz2L6iYDnATt2v8GCu
IUoow7yZDnIBvDM4sRE0lPkkFaThFHjEmupoDigfE6FA8Eh4p+LDP1Cg7HkG
CpX3NxuOiq+Fo2crrV+nRmalEdphDuhDDSy4w+EHTSu/qsXngguRlmTuPXvN
zbl+yZEOElzqJdRET5s5YdviGtua41SuUIZcckg7cCWkUd0KJedMQykt+44m
LPGVhuq+MBoIzsD8e/KCSHBXkS9HHq2opQbWfFgUDmXBpMWz0SErwSAdm2NG
lG1OuW1X5IUV0QIG0siKwTp2zhYekGZvC2tQ9VFRR1p24Tpvum4glEfhZtJL
o9RWC+hz3HLopVZFZ8sF0XXyoMQ302Z4n9N8MhJxv3Cf4/YbNj5ryKgUylDt
iUqpdpYobEzstFI+513bGu2rSkzEcGoHm4u5XB0cDn7WcD+7oMxuJK2FyajL
BgyG5hOhSkESu2dTCQRrUXxJWINcjkxsTY5TFMAFSAC5RiQb3asWY3lzXnAS
6CQbkknxTb2Bj0xRejIKPbn43cVECdYqFqC94v+CiQiNn+j5x5dqDjnlxXBP
vcRNp7qAEJiTaCxHY51gZ0PQ3Pq7WDf0pp2fpqZCIEnfF99RH+ji++J35Tap
7fV9Ied9OpzBBxDAQS1mTyJ+Umnwe/f9XP78P8zf9wc/RJ9glOLTN59++ulD
GNw7Esxafv3QfPhTtEz0bvwv+CsKP8ojHSUyycMoTz5klMc6SmTne+9R3Ol3
oe+poMHHwEL319eCeA21ZOJAGkIFVJZ2NQZ/oBA1LM7YjnISTuIE7vAKUL4W
2y2zYySqVIcnd+bOqmYnv354AhgCVJucAQccLnjDT379xDzpMsa9RdhuPXAb
09Bj1AuA+Ey7RynAYZsLkky1j4s34Ox3KA4HuWAR3R3rgv+XLg0O5GSg97gx
n33YjYlvzw+8MB94X34KY6d+x3Ql9yL6z+wgRnD9oEF+bgcJrOfDVnJhB4nd
s+8/yFfRILEb9//WtXVwSCCVrl8hb7hYI29pqs01iVLu7TlfiGrzy5Orshmq
E/QKPHv0DHQWfRIk9P8DbIM77NXiAAA=

-->

</rfc>
