<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.3.8) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-tiloca-ace-oscore-gm-kem-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.33.0 -->
  <front>
    <title abbrev="KEMs via the OSCORE Group Manager">Quantum-Resistant Key Encapsulation Mechanisms (KEMs) via the OSCORE Group Manager Using Authentication and Authorization for Constrained Environments (ACE)</title>
    <seriesInfo name="Internet-Draft" value="draft-tiloca-ace-oscore-gm-kem-00"/>
    <author initials="M." surname="Tiloca" fullname="Marco Tiloca">
      <organization>RISE AB</organization>
      <address>
        <postal>
          <street>Isafjordsgatan 22</street>
          <city>Kista</city>
          <code>164 40</code>
          <country>Sweden</country>
        </postal>
        <email>marco.tiloca@ri.se</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>ACE Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 136?>

<t>RFC 9594 defines a Key Distribution Center (KDC) to provision keying material for secure group communication, using the Authentication and Authorization for Constrained Environments (ACE) framework. An instance of KDC is the Group Manager for provisioning keying material in group communication scenarios that use the Constrained Application Protocol (CoAP) and the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE). To make the pairwise mode of Group OSCORE post-quantum secure, it is possible to rely on a quantum-resistant Key Encapsulation Mechanism (KEM) as the Pairwise Key Agreement Algorithm used to derive pairwise keys. This document extends the interface of the ACE-based Group Manager to enable the exchange of KEM public keys and KEM ciphertexts among group members via the Group Manager, thus making the derivation of pairwise keys in Group OSCORE post-quantum secure.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Authentication and Authorization for Constrained Environments Working Group mailing list (ace@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/ace/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://gitlab.com/crimson84/draft-tiloca-ace-oscore-gm-kem"/>.</t>
    </note>
  </front>
  <middle>
    <?line 140?>

<section anchor="intro">
      <name>Introduction</name>
      <t>Building on Object Security for Constrained RESTful Environments (OSCORE) <xref target="RFC8613"/>, the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE) <xref target="I-D.ietf-core-oscore-groupcomm"/> provides end-to-end security for the Constrained Application Protocol (CoAP) <xref target="RFC7252"/> when used in group communication setups <xref target="I-D.ietf-core-groupcomm-bis"/>. An OSCORE group is associated with a Group Manager, i.e., an entity responsible for managing identifiers and keying material in the group and for handling the join process to add group members, among other tasks.</t>
      <t>As a notable feature, two group members can exchange messages protected with the pairwise mode of Group OSCORE (see <xref section="8" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>), achieving pairwise data confidentiality and source authentication by means of integrity tags. That is, the message sender performs authenticated encryption of the CoAP message by using a symmetric pairwise key that is exclusively shared with another group member as the intended message recipient. Symmetric pairwise keys are derived from a pairwise shared secret, which in turn is computed from the asymmetric keys of the message sender and recipient, ensuring authenticated key agreement.</t>
      <t>In the event that a Cryptographically Relevant Quantum Computer (CRQC) is constructed, drop-in replacements are not available for the Pairwise Key Agreement Algorithm (see <xref section="2.1.10" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>), which is used to compute the shared secret from which pairwise keys are derived (see <xref section="2.5.1" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>). In particular, the available Pairwise Key Agreement Algorithms are based on a direct Elliptic Curve Diffie-Hellman Static-Static key agreement <xref target="NIST-800-56A"/>.</t>
      <t>At the time of writing, there is no standardized Diffie-Hellman/Non-Interactive Key Exchange (DH/NIKE) that can be used for post-quantum secure establishment of the shared secret, which makes the pairwise mode of Group OSCORE vulnerable to quantum attacks. This can be addressed by using a quantum-resistant Key Encapsulation Mechanism (KEM), such as ML-KEM <xref target="FIPS203"/>, as the Pairwise Key Agreement Algorithm used to derive pairwise keys <xref target="I-D.tiloca-core-group-oscore-kem"/>.</t>
      <t>Building on the Authentication and Authorization for Constrained Environments (ACE) framework <xref target="RFC9200"/>, the specification <xref target="RFC9594"/> defines a Key Distribution Center (KDC) to provision keying material for secure group communication.</t>
      <t>The specification <xref target="I-D.ietf-ace-key-groupcomm-oscore"/> is an application profile of <xref target="RFC9594"/> and defines an instance of KDC, i.e., the Group Manager for provisioning keying material in group communication scenarios that use CoAP and the security protocol Group OSCORE.</t>
      <t>This document extends the interface of the Group Manager defined in <xref target="I-D.ietf-ace-key-groupcomm-oscore"/> to enable the exchange of KEM public keys and KEM ciphertexts among group members via the Group Manager. This facilitates the use of a KEM-based Pairwise Key Agreement Algorithm, thus making the derivation of pairwise keys in Group OSCORE post-quantum secure.</t>
      <t><xref target="sec-profile-reqs"/> updates how the requirements listed in <xref section="A" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> are additionally fulfilled.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

<t>Readers are expected to be familiar with:</t>
        <ul spacing="normal">
          <li>
            <t>The terms and concepts related to Concise Data Definition Language (CDDL) <xref target="RFC8610"/>, Concise Binary Object Representation (CBOR) <xref target="RFC8949"/>, and CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/><xref target="RFC9053"/>.</t>
          </li>
          <li>
            <t>The terms and concepts related to CoAP <xref target="RFC7252"/> and group communication for CoAP <xref target="I-D.ietf-core-groupcomm-bis"/>.</t>
          </li>
          <li>
            <t>The terms and concepts for protection and processing of CoAP messages through OSCORE <xref target="RFC8613"/> and through Group OSCORE <xref target="I-D.ietf-core-oscore-groupcomm"/> in group communication scenarios. These especially include:  </t>
            <ul spacing="normal">
              <li>
                <t>Group Manager, as the entity responsible for one or more groups where communications are secured with Group OSCORE.</t>
              </li>
              <li>
                <t>Authentication credential, as the set of information associated with an entity, including that entity's public key and parameters associated with the public key.</t>
              </li>
              <li>
                <t>Group mode: the mode of Group OSCORE providing group-level data confidentiality and providing source authentication through a signature embedded in the protected CoAP message (see <xref section="7" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
              </li>
              <li>
                <t>Pairwise mode: the mode of Group OSCORE used for providing pairwise secure communication between two members of an OSCORE group (see <xref section="8" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
              </li>
              <li>
                <t>Pairwise keys: symmetric keys used to process messages with the pairwise mode of Group OSCORE.</t>
              </li>
              <li>
                <t>Pairwise Key Agreement Algorithm: the algorithm used in Group OSCORE for computing a pairwise shared secret from which pairwise keys are derived (see <xref section="2.1.10" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
              </li>
            </ul>
          </li>
          <li>
            <t>The alternative derivation of pairwise keys as defined in <xref target="I-D.tiloca-core-group-oscore-kem"/>, for the case where the Pairwise Key Agreement Algorithm used in the OSCORE group is a quantum-resistant Key Encapsulation Mechanism (KEM).</t>
          </li>
        </ul>
        <t>Furthermore, readers are expected to be familiar with:</t>
        <ul spacing="normal">
          <li>
            <t>The terms and concepts described in the ACE framework for authentication and authorization <xref target="RFC9200"/>. The terminology for entities in the considered architecture is defined in OAuth 2.0 <xref target="RFC6749"/>. This includes Client (C), Resource Server (RS), and Authorization Server (AS).  </t>
            <t>
Unless otherwise indicated, the term "endpoint" is used here following its OAuth definition <xref target="RFC6749"/>, aimed at denoting resources such as /token and /introspect at the AS, and /authz-info at the RS. The CoAP definition, which is "[a]n entity participating in the CoAP protocol" <xref target="RFC7252"/>, is not used in this document.</t>
          </li>
          <li>
            <t>The terms and concepts related to the message formats and processing specified in <xref target="RFC9594"/>, for provisioning and renewing keying material in group communication scenarios by using the ACE framework, through a Key Distribution Center (KDC) acting as Resource Server.  </t>
            <t>
These include the abbreviations REQx and OPTx denoting the numbered mandatory-to-address and optional-to-address requirements, respectively. In particular, the abbreviations REQx and OPTx refer to the requirements initially specified in <xref section="A" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> and possibly updated in <xref target="sec-profile-reqs"/> of the present document.</t>
          </li>
          <li>
            <t>The terms and concepts related to the application profile of <xref target="RFC9594"/> specified in <xref target="I-D.ietf-ace-key-groupcomm-oscore"/>, which defines the Group Manager as an instance of KDC to provision keying material for Group OSCORE. These especially include:  </t>
            <ul spacing="normal">
              <li>
                <t>Requester: member of an OSCORE group that sends request messages to other members of the group.</t>
              </li>
              <li>
                <t>Responder: member of an OSCORE group that receives request messages from other members of the group. A responder may reply, by sending a response message to the requester which has sent the request message.</t>
              </li>
              <li>
                <t>Monitor: member of an OSCORE group that is configured as a responder and never sends response messages protected with Group OSCORE. This corresponds to the term "silent server" used in <xref target="I-D.ietf-core-oscore-groupcomm"/>.</t>
              </li>
              <li>
                <t>Signature-only group: an OSCORE group that uses only the group mode (see <xref section="7" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
              </li>
              <li>
                <t>Pairwise-only group: an OSCORE group that uses only the pairwise mode (see <xref section="8" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>).</t>
              </li>
              <li>
                <t>GROUPNAME: The text string used in URIs to identify a group. Once established, it is invariant. Its value coincides with the group name of the associated group.</t>
              </li>
              <li>
                <t>NODENAME: The text string used in URIs to identify a member of a group. Once established, it is invariant. Its value coincides with the node name of the associated group member.</t>
              </li>
            </ul>
          </li>
        </ul>
        <t>Finally, this document uses the following term:</t>
        <ul spacing="normal">
          <li>
            <t>KEM-based group: an OSCORE group that uses the pairwise mode and uses a KEM as Pairwise Key Agreement Algorithm.</t>
          </li>
        </ul>
      </section>
      <section anchor="notations">
        <name>Notations</name>
        <t>Throughout this document, examples for CBOR data items are expressed in CBOR extended diagnostic notation as defined in <xref section="8" sectionFormat="of" target="RFC8949"/> and <xref section="G" sectionFormat="of" target="RFC8610"/> ("diagnostic notation"). Diagnostic notation comments are often used to provide a textual representation of the parameters' keys and values.</t>
        <t>In the CBOR diagnostic notation used in this document, constructs of the form e'SOME_NAME' are replaced by the value assigned to SOME_NAME in the CDDL model shown in <xref target="fig-cddl-model"/> of <xref target="sec-cddl-model"/>. For example, {e'kem_ciphertext': h'ccfa0151...1948', e'kem_pubkey_hash': h'55fc1eaa...ae05'} stands for {37: h'ccfa0151...1948', 38: h'55fc1eaa...ae05'}.</t>
        <t>Note to RFC Editor: Please delete the paragraph immediately preceding this note. Also, in the CBOR diagnostic notation used in this document, please replace the constructs of the form e'SOME_NAME' with the value assigned to SOME_NAME in the CDDL model shown in <xref target="fig-cddl-model"/> of <xref target="sec-cddl-model"/>. Finally, please delete this note.</t>
      </section>
    </section>
    <section anchor="sec-overview">
      <name>Overview of New Operations</name>
      <t>This document extends the interface of the Group Manager defined in <xref target="I-D.ietf-ace-key-groupcomm-oscore"/> as follows.</t>
      <t>When a node exchanges a Token Transfer Request and Token Transfer Response with the Group Manager (see <xref section="5.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, the node can ask the Group Manager to provide information about the KEM-based groups that the node has been authorized to join. This is defined in <xref target="sec-token-transferring"/>.</t>
      <t>When a node joins a KEM-based group (see <xref section="6" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>):</t>
      <ul spacing="normal">
        <li>
          <t>The Join Request sent to the Group Manager can include a KEM public key of the node to be stored at the Group Manager. This is defined in <xref target="sec-send-join-request"/> and <xref target="sec-receive-join-request"/>.</t>
        </li>
        <li>
          <t>The Join Response from the Group Manager specifies the KEM used as Pairwise Key Agreement Algorithm in the group, together with corresponding parameters. This is defined in <xref target="sec-send-join-response"/> and <xref target="sec-receive-join-response"/>.</t>
        </li>
      </ul>
      <t>When a member of a KEM-based group retrieves updated keying material from the Group Manager (see <xref section="9.1" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>), the Key Distribution Response from the Group Manager specifies the KEM used as Pairwise Key Agreement Algorithm in the group, together with corresponding parameters. This is defined in <xref target="sec-retrieve-keying-material"/>.</t>
      <t>When a signature verifier retrieves from the Group Manager data required to verify signatures of messages protected with the group mode of Group OSCORE and sent to a KEM-based group (see <xref section="9.6" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>), the Signature Verification Data Response from the Group Manager specifies the KEM used as Pairwise Key Agreement Algorithm in the group, together with corresponding parameters. This is defined in <xref target="sec-retrieve-sig-verif-data"/>.</t>
      <t>According to the new resources defined in <xref target="sec-interface"/>, a member P of a KEM-based group can perform the following actions by interacting with the Group Manager:</t>
      <ul spacing="normal">
        <li>
          <t>Upload at the Group Manager an own KEM public key intended to any and exactly one other member of the group. This is defined in <xref target="sec-nodename-kem-pub-keys-post"/>.</t>
        </li>
        <li>
          <t>Retrieve the number of own KEM public keys that are currently stored at the Group Manager as intended to other members of the group. This is defined in <xref target="sec-nodename-kem-pub-keys-get"/>.</t>
        </li>
        <li>
          <t>Discard all its own KEM public keys stored at the Group Manager as intended to other members of the group. This is defined in <xref target="sec-nodename-kem-pub-keys-put"/>.</t>
        </li>
        <li>
          <t>Retrieve from the Group Manager a KEM public key that a specific other group member Q uploaded at the Group Manager as intended to other members of the group. This is defined in <xref target="sec-kem-pub-keys"/>.</t>
        </li>
        <li>
          <t>Upload at the Group Manager a KEM ciphertext, which is intended to a specific other group member Q and is computed by P using a KEM public key of Q. This is defined in <xref target="sec-nodename-kem-ciphertexts"/>.</t>
        </li>
        <li>
          <t>Retrieve from the Group Manager the KEM ciphertext that a specific other group member Q uploaded at the Group Manager as intended to P. This is defined in <xref target="sec-kem-ciphertexts"/>.</t>
        </li>
      </ul>
      <t><xref target="sec-interactions"/> defines the operations that the group member P can perform by accessing the new resources above.</t>
      <t>Editor's note: further extend the interface at the Group Manager, to also cover the case where the KEM-based group is specifically a pairwise-only group.</t>
    </section>
    <section anchor="sec-token-transferring">
      <name>Token Transferring</name>
      <t>In addition to what is defined in <xref section="5.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, the following applies to the exchange of Token Transfer Request and Token Transfer Response originally defined in <xref section="3.3" sectionFormat="of" target="RFC9594"/>.</t>
      <ul spacing="normal">
        <li>
          <t>The Token Transfer Request <bcp14>MAY</bcp14> additionally contain the following parameter, which, if included, <bcp14>MUST</bcp14> have the corresponding values defined below (OPT2):  </t>
          <ul spacing="normal">
            <li>
              <t>'pqkem_info' defined in <xref target="pqkem-info"/> of this document, with value the CBOR simple value <tt>null</tt> (0xf6) to request information about the quantum-resistant KEM used as Pairwise Key Agreement Algorithm, the KEM algorithm parameters, the KEM key parameters, and the exact format of authentication credentials used in the KEM-based groups that the Client has been authorized to join. This is relevant if the joining node supports the pairwise mode of Group OSCORE <xref target="I-D.ietf-core-oscore-groupcomm"/>.</t>
            </li>
          </ul>
          <t>
Alternatively, the joining node may retrieve this information by other means.</t>
        </li>
        <li>
          <t>If the 'pqkem_info' parameter is present in the Token Transfer Response, the following applies for each element 'pqkem_info_entry'.  </t>
          <ul spacing="normal">
            <li>
              <t>'id' is associated exclusively with OSCORE groups that are KEM-based groups.</t>
            </li>
            <li>
              <t>'pqkem_alg' takes value from the "Value" column of the "COSE Algorithms" registry <xref target="IANA.COSE.Algorithms"/>.</t>
            </li>
            <li>
              <t>'pqkem_parameters' has the same format and value of the COSE capabilities array for the KEM algorithm indicated in 'pqkem_alg', as specified for that algorithm in the "Capabilities" column of the "COSE Algorithms" registry <xref target="IANA.COSE.Algorithms"/>.</t>
            </li>
            <li>
              <t>'pqkem_key_parameters' has the same format and value of the COSE capabilities array for the COSE key type of the keys used with the KEM algorithm indicated in 'pqkem_alg', as specified for that key type in the "Capabilities" column of the "COSE Key Types" registry <xref target="IANA.COSE.Key.Types"/>.</t>
            </li>
            <li>
              <t>'cred_fmt' takes value from the "Label" column of the "COSE Header Parameters" registry <xref target="IANA.COSE.Header.Parameters"/>. To align with <xref section="2.4" sectionFormat="of" target="I-D.ietf-core-oscore-groupcomm"/>, acceptable values denote a format of authentication credential that provides the public key as well as a comprehensive set of information related to the public key algorithm. The same considerations provided in <xref section="3.3" sectionFormat="of" target="RFC9594"/> on acceptable formats currently available for the 'cred_fmt' element of 'sign_info' apply.</t>
            </li>
          </ul>
          <t>
The Group Manager omits the 'pqkem_info' parameter in the Token Transfer Response even if 'pqkem_info' is included in the Token Transfer Request, in the case that all the OSCORE groups that the Client is authorized to join are not KEM-based groups.</t>
        </li>
      </ul>
      <t>Note that, other than through the above parameters as defined in <xref section="3.3" sectionFormat="of" target="RFC9594"/>, the joining node may have obtained such information by alternative means. For example, information conveyed in the 'pqkem_info' parameter may have been pre-configured, or the joining node may early retrieve it, e.g., by using the approach described in <xref target="I-D.tiloca-core-oscore-discovery"/> to discover the OSCORE group and the link to the associated group-membership resource at the Group Manager.</t>
      <section anchor="pqkem-info">
        <name>'pqkem_info' Parameter</name>
        <t>The 'pqkem_info' parameter is an <bcp14>OPTIONAL</bcp14> parameter of the request and response messages exchanged between the Client and the /authz-info endpoint at the RS (see <xref section="5.10.1" sectionFormat="of" target="RFC9200"/>).</t>
        <t>This parameter allows the Client and the RS to exchange information about a quantum-resistant KEM as well as about the authentication credentials and public keys to accordingly use for deriving shared secrets. Its exact semantics and content are application specific.</t>
        <t>In application profiles that build on <xref target="RFC9594"/>, this parameter is used to exchange information about the KEM as well as about the authentication credentials and public keys to be used with it, in the groups indicated by the transferred access token as per its 'scope' claim (see <xref section="3.2" sectionFormat="of" target="RFC9594"/>).</t>
        <t>When used in the Token Transfer Request sent to the KDC (see <xref section="3.3" sectionFormat="of" target="RFC9594"/>), the 'pqkem_info' parameter specifies the CBOR simple value <tt>null</tt> (0xf6). This is done to ask for information about the KEM and about the authentication credentials used to compute shared secrets and pairwise keys, in the groups that the Client has been authorized to join or interact with.</t>
        <t>When used in the following Token Transfer Response from the KDC (see <xref section="3.3" sectionFormat="of" target="RFC9594"/>), the 'pqkem_info' parameter is a CBOR array of one or more elements. The number of elements is at most the number of groups that the Client has been authorized to join or interact with. Each element contains information about KEM parameters and about authentication credentials for one or more groups and is formatted as follows.</t>
        <ul spacing="normal">
          <li>
            <t>The first element 'id' is a group name or a CBOR array of group names, which is associated with groups for which the next four elements apply. Each specified group name is a CBOR text string and is hereafter referred to as 'gname'.</t>
          </li>
          <li>
            <t>The second element 'pqkem_alg' is a CBOR integer or a text string that indicates the KEM algorithm used in the groups identified by the 'gname' values.  </t>
            <t>
For application profiles of <xref target="RFC9594"/> that use the 'pqkem_info' parameter, it is <bcp14>REQUIRED</bcp14> to define specific values that 'pqkem_alg' can take, which are selected from the set of quantum-resistant KEM algorithms of the "COSE Algorithms" registry <xref target="IANA.COSE.Algorithms"/>.</t>
          </li>
          <li>
            <t>The third element 'pqkem_parameters' is a CBOR array that indicates the parameters of the KEM used in the groups identified by the 'gname' values. Its content depends on the value of 'pqkem_alg'.  </t>
            <t>
For application profiles of <xref target="RFC9594"/> that use the 'pqkem_info' parameter, it is <bcp14>REQUIRED</bcp14> to define the possible values and structure for the elements of 'pqkem_parameters'.</t>
          </li>
          <li>
            <t>The fourth element 'pqkem_key_parameters' is a CBOR array that indicates the parameters of the key used with the KEM in the groups identified by the 'gname' values. Its content depends on the value of 'pqkem_alg'.  </t>
            <t>
For application profiles of <xref target="RFC9594"/> that use the 'pqkem_info' parameter, it is <bcp14>REQUIRED</bcp14> to define the possible values and structure for the elements of 'pqkem_key_parameters'.</t>
          </li>
          <li>
            <t>The fifth element 'cred_fmt' either is a CBOR integer indicating the format of authentication credentials used in the groups identified by the 'gname' values or is the CBOR simple value <tt>null</tt> (0xf6), which indicates that the KDC does not act as a repository of authentication credentials for group members. Its acceptable integer values are taken from the "Label" column of the "COSE Header Parameters" registry <xref target="IANA.COSE.Header.Parameters"/>, with some of those values also indicating the type of container to use for exchanging the authentication credentials with the KDC (e.g., a chain or bag of certificates).  </t>
            <t>
For application profiles of <xref target="RFC9594"/> that use the 'pqkem_info' parameter, it is <bcp14>REQUIRED</bcp14> to define specific values to use for 'cred_fmt', consistent with the acceptable formats of authentication credentials.</t>
          </li>
        </ul>
        <t>If 'pqkem_info' is included in the Token Transfer Request, the KDC <bcp14>SHOULD</bcp14> include the 'pqkem_info' parameter in the Token Transfer Response, as per the format defined above. Note that the field 'id' of each 'pqkem_info_entry' specifies the name or array of group names to which that 'pqkem_info_entry' applies. As an exception, the KDC <bcp14>MAY</bcp14> omit the 'pqkem_info' parameter in the Token Transfer Response even if 'pqkem_info' is included in the Token Transfer Request, in the case that none of the groups that the Client is authorized to join uses a KEM algorithm to derive shared secrets.</t>
        <t>The CDDL notation <xref target="RFC8610"/> of the 'pqkem_info' parameter is given below.</t>
        <sourcecode type="cddl"><![CDATA[
pqkem_info = pqkem_info_req / pqkem_info_resp

pqkem_info_req = null                   ; in the Token Transfer
                                        ; Request to the KDC

pqkem_info_resp = [+ pqkem_info_entry]  ; in the Token Transfer
                                        ; Response from the KDC

pqkem_info_entry =
[
  id: gname / [+ gname],
  pqkem_alg: int / tstr,
  pqkem_parameters: [any],
  pqkem_key_parameters: [+ parameter: any],
  cred_fmt: int / null
]

gname = tstr
]]></sourcecode>
        <t>This format is consistent with every KEM algorithm currently registered by <xref target="I-D.ietf-jose-pqc-kem"/>, i.e., with algorithms that have only the COSE key type as their COSE capability. <xref target="sec-future-cose-algs"/> of this document describes how the format of each 'pqkem_info_entry' can be generalized for possible future registered algorithms that have a different set of COSE capabilities.</t>
      </section>
    </section>
    <section anchor="sec-group-joining">
      <name>Group Joining</name>
      <t>Building on <xref section="6" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, this section specifies additions to the joining process that are relevant when the joined group is a KEM-based group.</t>
      <section anchor="sec-send-join-request">
        <name>Send the Join Request</name>
        <t>In addition to what is defined in <xref section="6.1" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, the following applies at a joining node when sending a Join Request message for joining a KEM-based group.</t>
        <t>If the joining node requests to (re-)join the group not exclusively as a monitor, the Join Request message <bcp14>MAY</bcp14> include the following parameter:</t>
        <ul spacing="normal">
          <li>
            <t>'client_kem_pubkey': encoded as a CBOR byte string, whose value is a KEM public key newly generated by the joining node and whose CBOR label is registered in <xref target="iana-ace-groupcomm-parameters"/>.  </t>
            <t>
Consistent with the KEM used as Pairwise Key Agreement Algorithm in the group, the joining node generates the specified KEM public key and the corresponding KEM private key.  </t>
            <t>
As associated with the group in question, the joining node stores the generated key pair, together with the SHA-256 hash <xref target="SHA-256"/> of the KEM public key as the corresponding identifier.</t>
          </li>
        </ul>
        <t>Editor's note: once also covered the case of a KEM-based group that is a pairwise-only group, explain here that other (to-be-defined) resources at the Group Manager are used by the joining node in such case, so that the joining node remains able to prove possession of its own private key upon joining the group, through a MAC used as PoP evidence and encoded by the 'client_cred_verify' parameter of the Join Request.</t>
      </section>
      <section anchor="sec-receive-join-request">
        <name>Receive the Join Request</name>
        <t>In addition to what is defined in <xref section="6.2" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, the following applies at the Group Manager when receiving a Join Request message for joining a KEM-based group.</t>
        <t>If the joining node is going to join the group exclusively as a monitor, then the Group Manager silently ignores the 'client_kem_pubkey' parameter, if present.</t>
        <t>Otherwise, in the case that the 'client_kem_pubkey' parameter is present in the Join Request, the Group Manager retrieves the joining node's KEM public key specified therein.</t>
        <t>If the Group Manager is currently storing the maximum admitted number of KEM public keys for that joining node in the group, the Group Manager <bcp14>MUST</bcp14> reply with a 5.03 (Service Unavailable) error response. The response <bcp14>MUST</bcp14> have Content-Format set to "application/concise-problem-details+cbor" <xref target="RFC9290"/> and is formatted as defined in <xref section="4.1.2" sectionFormat="of" target="RFC9594"/>. Within the Custom Problem Detail entry 'ace-groupcomm-error', the value of the 'error-id' field <bcp14>MUST</bcp14> be set to 13 ("Reached limit of KEM public keys").</t>
        <t>If the KEM public key is not compatible with the KEM used as Pairwise Key Agreement Algorithm in the group, the Group Manager <bcp14>MUST</bcp14> reply with a 4.00 (Bad Request) error response. The response <bcp14>MUST</bcp14> have Content-Format set to "application/concise-problem-details+cbor" <xref target="RFC9290"/> and is formatted as defined in <xref section="4.1.2" sectionFormat="of" target="RFC9594"/>. Within the Custom Problem Detail entry 'ace-groupcomm-error', the value of the 'error-id' field <bcp14>MUST</bcp14> be set to 14 ("KEM public key incompatible with the group configuration").</t>
        <t>In the case that the Group Manager replies with a 4.00 (Bad Request) error response with Content-Format "application/ace-groupcomm+cbor", the format of the CBOR map conveyed in the response payload is updated as follows (OPT4), consistent with the fact that the group is a KEM-based group:</t>
        <ul spacing="normal">
          <li>
            <t>Differently from the case considered in <xref section="6.2" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> in which the group is not a KEM-based group, the CBOR map <bcp14>MUST NOT</bcp14> contain the parameters 'ecdh_info' and 'kdc_dh_creds'.</t>
          </li>
          <li>
            <t>The CBOR map <bcp14>MUST</bcp14> contain the 'pqkem_info' parameter, whose CBOR label is registered in <xref target="iana-ace-groupcomm-parameters"/>. This parameter has the same format of 'pqkem_info_resp' defined in <xref target="pqkem-info"/> and includes a single element 'pqkem_info_entry', which pertains to the OSCORE group that the joining node has tried to join with the Join Request.</t>
          </li>
        </ul>
        <t>Editor's note: once also covered the case of a KEM-based group that is a pairwise-only group, explain here that other (to-be-defined) resources at the Group Manager are used by the joining node in such case, so that the joining node remains able to prove possession of its own private key upon joining the group, through a MAC used as PoP evidence and encoded by the 'client_cred_verify' parameter of the Join Request.</t>
      </section>
      <section anchor="sec-send-join-response">
        <name>Send the Join Response</name>
        <t>If the processing of the Join Request is successful and the group targeted by the Join Request is a KEM-based group, the Group Manager proceeds as defined in <xref section="6.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, with the following modifications.</t>
        <t>In the case that the joining node has not taken exclusively the role of monitor, the Group Manager performs also the following actions.</t>
        <t>After having registered the joining node NODENAME as a member of the OSCORE group GROUPNAME as described in <xref section="4.3.1" sectionFormat="of" target="RFC9594"/>, the handler that processed the Join Request creates two additional resources associated with the joining node, unless those resources already exist (i.e., in the case of a group re-joining):</t>
        <ul spacing="normal">
          <li>
            <t>/ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys (see <xref target="sec-nodename-kem-pub-keys"/>). Upon creating the resource, its representation is set to the CBOR unsigned integer encoding the value 0.</t>
          </li>
          <li>
            <t>/ace-group/GROUPNAME/nodes/NODENAME/kem-ciphertexts (see <xref target="sec-nodename-kem-ciphertexts"/>).</t>
          </li>
        </ul>
        <t>When the Group Manager sends the Join Response, the following applies:</t>
        <ul spacing="normal">
          <li>
            <t>If the joining node has not taken exclusively the role of monitor, the Join Response <bcp14>MUST</bcp14> include the 'max_kem_pubkeys' parameter, which is registered in <xref target="iana-ace-groupcomm-parameters"/> of this document.  </t>
            <t>
The parameter is encoded as a CBOR unsigned integer, and it specifies the maximum number of KEM public keys that the Group Manager stores as associated with the same Client within the group.</t>
          </li>
          <li>
            <t>The content of the 'key' parameter is updated as follows (REQ17), consistent with the fact that the group is a KEM-based group:  </t>
            <ul spacing="normal">
              <li>
                <t>Differently from the case considered in <xref section="6.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> in which the group is not a KEM-based group, the parameters 'ecdh_alg' and 'ecdh_params' <bcp14>MUST NOT</bcp14> be included.</t>
              </li>
              <li>
                <t>The 'pqkem_alg' parameter <bcp14>MUST</bcp14> be included, specifying the KEM used as Pairwise Key Agreement Algorithm in the group for computing the shared secret to derive the pairwise keys for the pairwise mode. This parameter takes values from the "Value" column of the "COSE Algorithms" registry <xref target="IANA.COSE.Algorithms"/>.</t>
              </li>
              <li>
                <t>The 'pqkem_params' parameter <bcp14>MUST</bcp14> be included, specifying the parameters of the KEM used as Pairwise Key Agreement Algorithm. This parameter is a CBOR array, which includes the following two elements:      </t>
                <ul spacing="normal">
                  <li>
                    <t>'pqkem_alg_capab': a CBOR array, with the same format and value of the COSE capabilities array for the KEM algorithm indicated in 'pqkem_alg', as specified for that algorithm in the "Capabilities" column of the "COSE Algorithms" registry <xref target="IANA.COSE.Algorithms"/>.</t>
                  </li>
                  <li>
                    <t>'pqkem_key_type_capab': a CBOR array, with the same format and value of the COSE capabilities array for the COSE key type of the keys used with the KEM algorithm indicated in 'pqkem_alg', as specified for that key type in the "Capabilities" column of the "COSE Key Types" registry <xref target="IANA.COSE.Key.Types"/>.</t>
                  </li>
                </ul>
              </li>
            </ul>
          </li>
        </ul>
        <t>The format of 'key' defined above is consistent with every KEM algorithm currently registered by <xref target="I-D.ietf-jose-pqc-kem"/>, i.e., with algorithms that have only the COSE key type as their COSE capability. <xref target="sec-future-cose-algs-key"/> of this document describes how the format of the 'key' parameter can be generalized for possible future registered algorithms that have a different set of COSE capabilities.</t>
        <t>If the Join Request included the 'client_kem_pubkey' parameter and the joining node has not joined the group exclusively as a monitor, the Group Manager performs the following actions:</t>
        <ul spacing="normal">
          <li>
            <t>The Group Manager stores the KEM public key specified in the 'client_kem_pubkey' parameter, as the latest KEM public key generated by the joining node and pertaining to the group.  </t>
            <t>
Furthermore, the Group Manager associates the KEM public key with the OSCORE Sender ID assigned to the joining node in the group. The assigned OSCORE Sender ID is specified by the 'group_senderId' parameter within the 'key' parameter of the Join Response (see <xref section="6.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>). The Group Manager <bcp14>MUST</bcp14> keep this association up-to-date over time, in the event that the joining node changes its OSCORE Sender ID in the group.</t>
          </li>
          <li>
            <t>The Group Manager updates the representation of the resource at /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys to reflect the number of currently stored KEM public keys generated by the group member NODENAME and pertaining to the group. That is, if such number is N upon receiving the Join Request, the updated resource representation is the CBOR unsigned integer encoding the value (N + 1).</t>
          </li>
        </ul>
        <t>Editor's note: once also covered the case of a KEM-based group that is a pairwise-only group, explain here that other (to-be-defined) resources at the Group Manager are used by the joining node in such case. That allows the joining node to compute and include in the Join Request a KEM ciphertext. Building on that, the Group Manager remains able to prove possession of its own private key, through a MAC used as PoP evidence and encoded by the 'kdc_cred_verify' parameter of the Join Response.</t>
      </section>
      <section anchor="sec-receive-join-response">
        <name>Receive the Join Response</name>
        <t>Upon receiving a Join Response resulting from having joined a KEM-based group, the joining node proceeds as defined in <xref section="6.4" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, with the following modifications.</t>
        <ul spacing="normal">
          <li>
            <t>If the group is a pairwise-only group, the PoP evidence is a MAC. The joining node recomputes the MAC through the same process that is taken by the Group Manager when computing the value of the 'kdc_cred_verify' parameter (see <xref section="6.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>), with the difference that ... TBD  </t>
            <t>
Editor's note: once also covered the case of a KEM-based group that is a pairwise-only group, explain here that other (to-be-defined) resources at the Group Manager are used by the joining node in such case. That allows the joining node to compute and include in the Join Request a KEM ciphertext. Building on that, the Group Manager remains able to prove possession of its own private key, through a MAC used as PoP evidence and encoded by the 'kdc_cred_verify' parameter of the Join Response.</t>
          </li>
          <li>
            <t>When processing the 'key' parameter of the Join Response, the following applies:  </t>
            <ul spacing="normal">
              <li>
                <t>If both the parameters 'ecdh_alg' and 'pqkem_alg' are absent, the parameter Pairwise Key Agreement Algorithm in the Common Context of the Group OSCORE Security Context is not set.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>The joining node <bcp14>MUST NOT</bcp14> use the pairwise mode of Group OSCORE to process messages in the group, if the 'key' parameter of the Join Response does not include both the parameters 'alg' and 'ecdh_alg' or both the parameters 'alg' and 'pqkem_alg'.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-retrieve-keying-material">
      <name>Retrieve Updated Keying Material</name>
      <t>Building on <xref section="9.1" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, the following two subsections define additions to the operations by which a member of a KEM-based group retrieves updated security parameters and group keying material from the Group Manager.</t>
      <section anchor="sec-retrieve-group-keying-material">
        <name>Get Group Keying Material</name>
        <t>This section builds on and updates what is defined in <xref section="9.1.1" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>.</t>
        <t>After successfully processing a Key Distribution Request as a GET request to the endpoint /ace-group/GROUPNAME, the Group Manager composes the Key Distribution Response as defined in <xref section="9.1.1" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, with the following modifications.</t>
        <ul spacing="normal">
          <li>
            <t>If the requesting group member does not have exclusively the role of monitor, the Key Distribution Response <bcp14>MUST</bcp14> include the 'max_kem_pubkeys' parameter, whose encoding and semantics is the same as in the Join Response (see <xref target="sec-send-join-response"/> of the present document).</t>
          </li>
          <li>
            <t>The 'key' parameter is formatted as defined in <xref target="sec-send-join-response"/> of the present document, with the difference that it does not include the 'group_SenderId' parameter.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-retrieve-group-keying-material-sid">
        <name>Get Group Keying Material and OSCORE Sender ID</name>
        <t>This section builds on and updates what is defined in <xref section="9.1.2" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>.</t>
        <t>After successfully processing a Key Distribution Request as a GET request to the endpoint /ace-group/GROUPNAME/nodes/NODENAME, the Group Manager composes the Key Distribution Response as defined in <xref section="9.1.2" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, with the following modifications.</t>
        <ul spacing="normal">
          <li>
            <t>If the requesting group member does not have exclusively the role of monitor, the Key Distribution Response <bcp14>MUST</bcp14> include the 'max_kem_pubkeys' parameter, whose encoding and semantics is the same as in the Join Response (see <xref target="sec-send-join-response"/> of the present document).</t>
          </li>
          <li>
            <t>The 'key' parameter is formatted as defined in <xref target="sec-send-join-response"/> of the present document. If the requesting group member has exclusively the role of monitor, then the 'key' parameter does not include the 'group_SenderId' parameter.  </t>
            <t>
Note that, in any other case, the current Sender ID of the group member is not specified as a separate parameter, but instead by the 'group_SenderId' parameter within the 'key' parameter.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-retrieve-sig-verif-data">
      <name>Retrieve Signature Verification Data</name>
      <t>Building on <xref section="9.6" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, the following defines additions to the operations by which a signature verifier retrieves from the Group Manager data required to verify signatures of messages protected with the group mode of Group OSCORE and sent to a group.</t>
      <t>After successfully processing a Signature Verification Data Request as a GET request to the endpoint /ace-group/GROUPNAME/verif-data, the Group Manager composes the Signature Verification Data Response as defined in <xref section="9.6" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, with the following modifications.</t>
      <ul spacing="normal">
        <li>
          <t>Of the parameters present in the Join Response message (see <xref target="sec-send-join-response"/> of the present document), only the parameters 'gkty', 'key', 'num', 'exp', 'exi', and 'ace_groupcomm_profile' are present in the Signature Verification Data Response.  </t>
          <t>
The 'key' parameter includes only the following data:  </t>
          <ul spacing="normal">
            <li>
              <t>The parameters 'hkdf', 'contextId', 'cred_fmt', 'gp_enc_alg', 'sign_alg', and 'sign_params'. These parameters <bcp14>MUST</bcp14> be present.</t>
            </li>
            <li>
              <t>The 'alg' parameter. This parameter <bcp14>MUST NOT</bcp14> be present if the group is a signature-only group. Otherwise, it <bcp14>MUST</bcp14> be present.</t>
            </li>
            <li>
              <t>The 'ecdh_alg' parameter. This parameter <bcp14>MUST NOT</bcp14> be present if the group is a signature-only group or is a KEM-based group. Otherwise, it <bcp14>MUST</bcp14> be present.</t>
            </li>
            <li>
              <t>The 'pqkem_alg' parameter. This parameter <bcp14>MUST NOT</bcp14> be present if the group is not a KEM-based group. Otherwise, it <bcp14>MUST</bcp14> be present.</t>
            </li>
          </ul>
        </li>
      </ul>
    </section>
    <section anchor="sec-interface">
      <name>Interface at the Group Manager</name>
      <t>In addition to what is specified in <xref section="8" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, this document extends the interface at the Group Manager by defining the new sub-resources specified in <xref target="sec-nodename-kem-pub-keys"/>, <xref target="sec-kem-pub-keys"/>, <xref target="sec-nodename-kem-ciphertexts"/>, and <xref target="sec-kem-ciphertexts"/>.</t>
      <t>The Group Manager hosts those resources for each KEM-group that it is responsible for.</t>
      <t>In addition to what is defined in <xref section="4.1.2" sectionFormat="of" target="RFC9594"/>, each handler of each new resource performs the following verifications.</t>
      <ul spacing="normal">
        <li>
          <t>The handler verifies that the requesting Client is a current member of the group. If the verification fails, the handler replies with a 4.03 (Forbidden) error response. The response <bcp14>MUST</bcp14> have Content-Format set to "application/concise-problem-details+cbor" <xref target="RFC9290"/> and is formatted as defined in <xref section="4.1.2" sectionFormat="of" target="RFC9594"/>. Within the Custom Problem Detail entry 'ace-groupcomm-error', the value of the 'error-id' field <bcp14>MUST</bcp14> be set to 0 ("Operation permitted only to group members").</t>
        </li>
        <li>
          <t>The handler verifies that the requesting Client has not exclusively the role of monitor in the group. If the verification fails, the handler replies with a 4.00 (Bad Request) error response. The response <bcp14>MUST</bcp14> have Content-Format set to "application/concise-problem-details+cbor" <xref target="RFC9290"/> and is formatted as defined in <xref section="4.1.2" sectionFormat="of" target="RFC9594"/>. Within the Custom Problem Detail entry 'ace-groupcomm-error', the value of the 'error-id' field <bcp14>MUST</bcp14> be set to 1 ("Request inconsistent with the current roles").</t>
        </li>
        <li>
          <t>The handler verifies that the OSCORE group identified by GROUPNAME is currently active (see <xref section="8.2" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>). If the verification fails, the handler replies with a 5.03 (Service Unavailable) error response. The response <bcp14>MUST</bcp14> have Content-Format set to "application/concise-problem-details+cbor" <xref target="RFC9290"/> and is formatted as defined in <xref section="4.1.2" sectionFormat="of" target="RFC9594"/>. Within the Custom Problem Detail entry 'ace-groupcomm-error', the value of the 'error-id' field <bcp14>MUST</bcp14> be set to 9 ("Group currently not active").  </t>
          <t>
The method to set the current group status is out of the scope of this document, and it is defined for the administrator interface of the Group Manager specified in <xref target="I-D.ietf-ace-oscore-gm-admin"/>.</t>
        </li>
      </ul>
      <t><xref target="sec-methods-gm"/> provides a summary of the CoAP methods that are permitted to use for accessing the new resources at the Group Manager, for nodes with different roles in the group (REQ11).</t>
      <section anchor="sec-nodename-kem-pub-keys">
        <name>/ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys</name>
        <t>The Group Manager creates this resource after successfully processing a Join Request, if and only if both the following conditions hold:</t>
        <ul spacing="normal">
          <li>
            <t>The OSCORE group GROUPNAME is a KEM-group.</t>
          </li>
          <li>
            <t>The resource does not already exist and, through the processed Join Request, the node NODENAME has joined the group GROUPNAME not exclusively as a monitor.  </t>
            <t>
This takes into account the case where the node re-joins the group possibly changing roles (i.e., sometimes exclusively as a monitor, while sometimes not), which does not result in re-creating the resource and re-initializing its representation.</t>
          </li>
        </ul>
        <t>The resource representation is a CBOR unsigned integer, which encodes the number of KEM public keys that are generated by the node NODENAME as a member of the group GROUPNAME and are currently stored at the Group Manager as intended to other members of the group. When creating the resource, its representation is set to the CBOR unsigned integer encoding the value 0 (see <xref target="sec-send-join-response"/>).</t>
        <t>This resource implements the POST, GET, and PUT handlers.</t>
        <t>Each handler of this resource verifies that the node name of the requesting Client is equal to NODENAME used in the url-path. If the verification fails, the handler replies with a 4.03 (Forbidden) error response.</t>
        <section anchor="sec-nodename-kem-pub-keys-post">
          <name>POST Handler</name>
          <t>The handler expects a POST request whose payload is a CBOR map, which includes a KEM public key generated by the requesting Client and intended to any and exactly one other member of the group (see <xref target="sec-upload-kem-pub-key"/>).</t>
          <t>If all verifications succeed, the handler replies with a 2.04 (Changed) response specifying the updated resource representation, i.e., the updated number of KEM public keys that the Group Manager currently stores as generated by the node NODENAME and pertaining to the group GROUPNAME. The payload of the response is formatted as defined in <xref target="sec-upload-kem-pub-key"/>.</t>
        </section>
        <section anchor="sec-nodename-kem-pub-keys-get">
          <name>GET Handler</name>
          <t>The handler expects a GET request.</t>
          <t>If all verifications succeed, the handler replies with a 2.05 (Content) response specifying the current resource representation, i.e., the number of KEM public keys that the Group Manager currently stores as generated by the node NODENAME and pertaining to the group GROUPNAME. The payload of the response is formatted as defined in <xref target="sec-counter-kem-pub-keys"/>.</t>
          <t>The Group Manager <bcp14>SHOULD</bcp14> make the resource at /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys also observable <xref target="RFC7641"/>, thus making it possible for the node NODENAME to subscribe for updates about the resource representation, instead of limiting the node to only rely on polling.</t>
        </section>
        <section anchor="sec-nodename-kem-pub-keys-put">
          <name>PUT Handler</name>
          <t>The handler expects a PUT request, whose payload is the CBOR unsigned integer encoding the value 0 (see <xref target="sec-delete-kem-pub-keys"/>).</t>
          <t>If all verifications succeed, the handler replies with a 2.04 (Changed) response specifying the updated resource representation, i.e., the updated number (0) of KEM public keys that the Group Manager currently stores as generated by the node NODENAME and pertaining to the group GROUPNAME. The payload of the response is formatted as defined in <xref target="sec-delete-kem-pub-keys"/>.</t>
        </section>
      </section>
      <section anchor="sec-kem-pub-keys">
        <name>/ace-group/GROUPNAME/kem-pub-keys</name>
        <t>The Group Manager creates this resource upon establishing the OSCORE group GROUPNAME, if and only if the  group is a KEM-group.</t>
        <t>This resource implements the POST handler.</t>
        <section anchor="sec-kem-pub-keys-post">
          <name>POST Handler</name>
          <t>The handler expects a POST request whose payload is a CBOR map, specifying a set of OSCORE Sender IDs associated with members of the group (see <xref target="sec-retrieve-kem-pub-keys"/>).</t>
          <t>If all verifications succeed, the handler replies with a 2.04 (Changed) response specifying a set of KEM public keys, each of which generated by a member of the group indicated in the request. The payload of the response is formatted as defined in <xref target="sec-retrieve-kem-pub-keys"/>.</t>
        </section>
      </section>
      <section anchor="sec-nodename-kem-ciphertexts">
        <name>/ace-group/GROUPNAME/nodes/NODENAME/kem-ciphertexts</name>
        <t>The Group Manager creates this resource after successfully processing a Join Request, if and only if both the following conditions hold:</t>
        <ul spacing="normal">
          <li>
            <t>The OSCORE group GROUPNAME is a KEM-group.</t>
          </li>
          <li>
            <t>The resource does not already exist and, through the processed Join Request, the node NODENAME has joined the group GROUPNAME not exclusively as a monitor.  </t>
            <t>
This takes into account the case where the node re-joins the group possibly changing roles (i.e., sometimes exclusively as a monitor, while sometimes not), which does not result in re-creating the resource.</t>
          </li>
        </ul>
        <t>This resource implements the POST handler.</t>
        <section anchor="sec-nodename-kem-ciphertexts-post">
          <name>POST Handler</name>
          <t>The handler expects a POST request whose payload is a CBOR map, specifying a KEM ciphertext computed by the requesting Client for another member of the group, together with related information associated with that group member (see <xref target="sec-upload-kem-ciphertext"/>).</t>
          <t>The handler verifies that the node name of the requesting Client is equal to NODENAME used in the url-path. If the verification fails, the handler replies with a 4.03 (Forbidden) error response.</t>
          <t>If all verifications succeed, the handler replies with a 2.04 (Changed) response that has no payload.</t>
        </section>
      </section>
      <section anchor="sec-kem-ciphertexts">
        <name>/ace-group/GROUPNAME/kem-ciphertexts</name>
        <t>The Group Manager creates this resource upon establishing the OSCORE group GROUPNAME, if and only if the  group is a KEM-group.</t>
        <t>This resource implements the POST handler.</t>
        <section anchor="sec-kem-ciphertexts-post">
          <name>POST</name>
          <t>The handler expects a POST request whose payload is a CBOR map, specifying the OSCORE Sender ID associated with a specific member of the group that computed a KEM ciphertext intended to the requesting Client (see <xref target="sec-retrieve-kem-ciphertext"/>).</t>
          <t>If all verifications succeed, the handler replies with a 2.04 (Changed) response, specifying a KEM ciphertext intended to the requesting Client, together with related information associated with the requesting Client. The payload of the response is formatted as defined in <xref target="sec-retrieve-kem-ciphertext"/>.</t>
        </section>
      </section>
      <section anchor="sec-methods-gm">
        <name>Permitted Methods</name>
        <t><xref target="tab-methods"/> below extends Table 2 of <xref target="I-D.ietf-ace-key-groupcomm-oscore"/> and summarizes the CoAP methods that are permitted for accessing different resources at the Group Manager, for (non-)members of a group with group name GROUPNAME, and considering different roles. The last two rows of the table apply to a node with node name NODENAME.</t>
        <t>The table uses the following abbreviations.</t>
        <ul spacing="normal">
          <li>
            <t>G = CoAP method GET</t>
          </li>
          <li>
            <t>P = CoAP method POST</t>
          </li>
          <li>
            <t>Pu = CoAP method PUT</t>
          </li>
          <li>
            <t>Type1 = Member as a Requester and/or Responder</t>
          </li>
          <li>
            <t>Type2 = Member as a Monitor</t>
          </li>
          <li>
            <t>Type3 = Non-member (authorized to be signature verifier)</t>
          </li>
          <li>
            <t>Type4 = Non-member (not authorized to be signature verifier)</t>
          </li>
        </ul>
        <table align="center" anchor="tab-methods">
          <name>Permitted CoAP Methods on the Group Manager Resources</name>
          <thead>
            <tr>
              <th align="left">Resource</th>
              <th align="left">Type1</th>
              <th align="left">Type2</th>
              <th align="left">Type3</th>
              <th align="left">Type4</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">/ace-group/GROUPNAME/kem-pub-keys</td>
              <td align="left">P</td>
              <td align="left">-</td>
              <td align="left">-</td>
              <td align="left">-</td>
            </tr>
            <tr>
              <td align="left">/ace-group/GROUPNAME/kem-ciphertexts</td>
              <td align="left">P</td>
              <td align="left">-</td>
              <td align="left">-</td>
              <td align="left">-</td>
            </tr>
            <tr>
              <td align="left">/ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys</td>
              <td align="left">G P Pu</td>
              <td align="left">-</td>
              <td align="left">-</td>
              <td align="left">-</td>
            </tr>
            <tr>
              <td align="left">/ace-group/GROUPNAME/nodes/NODENAME/kem-ciphertexts</td>
              <td align="left">P</td>
              <td align="left">-</td>
              <td align="left">-</td>
              <td align="left">-</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="sec-operations-clients">
        <name>Operations Supported by Clients</name>
        <t>Building on what is defined in <xref section="4.1.1" sectionFormat="of" target="RFC9594"/> and in <xref section="8.6" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, and with reference to the additional resources at the Group Manager defined in <xref target="sec-interface"/> of the present document, a Client with node name NODENAME that supports the pairwise mode of Group OSCORE and joins a KEM-based group GROUPNAME not exclusively as a monitor is expected to support all the operations available at such additional resources and the corresponding interactions with the Group Manager (REQ12), i.e.:</t>
        <ul spacing="normal">
          <li>
            <t>POST request to /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys, in order to upload at the Group Manager an own KEM public key as intended to any and exactly one other member of the group GROUPNAME.</t>
          </li>
          <li>
            <t>GET request to /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys, in order to retrieve the number of own KEM public keys that are currently stored at the Group Manager as intended to other members of the group GROUPNAME.</t>
          </li>
          <li>
            <t>PUT request to /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys, in order to discard all its own KEM public keys stored at the Group Manager as intended to other members of the group GROUPNAME.</t>
          </li>
          <li>
            <t>POST request to /ace-group/GROUPNAME/kem-pub-keys, in order to retrieve from the Group Manager a set of KEM public keys, each of which generated by another member of the group GROUPNAME.</t>
          </li>
          <li>
            <t>POST request to /ace-group/GROUPNAME/nodes/NODENAME/kem-ciphertexts, in order to upload at the Group Manager a KEM ciphertext computed by the requesting Client for another member of the group GROUPNAME, together with related information associated with that group member.</t>
          </li>
          <li>
            <t>POST request to /ace-group/GROUPNAME/kem-ciphertexts, in order to retrieve from the Group Manager a KEM ciphertext intended to the requesting Client, together with related information associated with the requesting Client.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-interactions">
      <name>Additional Interactions with the Group Manager</name>
      <t>This section defines the possible interactions with the Group Manager, in addition to those specified in <xref target="I-D.ietf-ace-key-groupcomm-oscore"/>.</t>
      <t>These additional interactions are relevant only for members of a KEM-based group that support the pairwise mode of Group OSCORE and have not exclusively the role of monitor in the group.</t>
      <section anchor="sec-upload-kem-pub-key">
        <name>Upload a KEM Public Key</name>
        <t>A group member can upload at the Group Manager an own KEM public key, intended to any and exactly one other member of the group. To this end, the group member sends a KEM Public Key Upload Request to the Group Manager.</t>
        <t>That is, the group member sends a CoAP POST request to the endpoint /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys at the Group Manager defined in <xref target="sec-nodename-kem-pub-keys-post"/>, where GROUPNAME is the name of the OSCORE group and NODENAME is the node name of the group member.</t>
        <t>The request <bcp14>MUST</bcp14> have Content-Format "application/ace-groupcomm+cbor". The payload of the request is formatted as a CBOR map, which <bcp14>MUST</bcp14> contain the following field with the value specified below:</t>
        <ul spacing="normal">
          <li>
            <t>'client_kem_pubkey': encoded as a CBOR byte string, whose value is the binary representation of a KEM public key newly generated by the requesting Client.</t>
          </li>
        </ul>
        <t>If the Group Manager is currently storing the maximum admitted number of KEM public keys for that joining node in the group, the Group Manager <bcp14>MUST</bcp14> reply with a 5.03 (Service Unavailable) error response. The response <bcp14>MUST</bcp14> have Content-Format set to "application/concise-problem-details+cbor" <xref target="RFC9290"/> and is formatted as defined in <xref section="4.1.2" sectionFormat="of" target="RFC9594"/>. Within the Custom Problem Detail entry 'ace-groupcomm-error', the value of the 'error-id' field <bcp14>MUST</bcp14> be set to 13 ("Reached limit of KEM public keys").</t>
        <t>If the KEM public key is not compatible with the KEM used as Pairwise Key Agreement Algorithm in the group, the Group Manager <bcp14>MUST</bcp14> reply with a 4.00 (Bad Request) error response. The response <bcp14>MUST</bcp14> have Content-Format set to "application/concise-problem-details+cbor" <xref target="RFC9290"/> and is formatted as defined in <xref section="4.1.2" sectionFormat="of" target="RFC9594"/>. Within the Custom Problem Detail entry 'ace-groupcomm-error', the value of the 'error-id' field <bcp14>MUST</bcp14> be set to 14 ("KEM public key incompatible with the group configuration").</t>
        <t>If all verifications succeed, the Group Manager performs the following actions:</t>
        <ul spacing="normal">
          <li>
            <t>The Group Manager stores the KEM public key specified in the 'client_kem_pubkey' parameter, as the latest KEM public key generated by the requesting Client and pertaining to the group.  </t>
            <t>
Furthermore, the Group Manager associates the KEM public key with the OSCORE Sender ID of the requesting Client in the group. The Group Manager <bcp14>MUST</bcp14> keep this association up-to-date over time, in the event that the requesting Client changes its OSCORE Sender ID in the group.</t>
          </li>
          <li>
            <t>The Group Manager updates the resource representation to reflect the number of currently stored KEM public keys generated by the requesting Client and pertaining to the group. That is, if such number is N upon receiving the KEM Public Key Upload Request, the updated resource representation is the CBOR unsigned integer encoding the value (N + 1).</t>
          </li>
        </ul>
        <t>Then, the Group Manager replies with a 2.04 (Changed) KEM Public Key Upload Response, which <bcp14>MUST</bcp14> have Content-Format "application/cbor". The payload of the response specifies the latest, just updated resource representation, i.e., the CBOR unsigned integer encoding the value (N + 1).</t>
        <t>After receiving the KEM Public Key Upload Response, the group member stores the KEM public key uploaded at the Group Manager, the corresponding KEM private key, and the SHA-256 hash <xref target="SHA-256"/> of the KEM public key as the corresponding identifier.</t>
        <t><xref target="fig-kem-pub-key-req-resp"/> gives an overview of the exchange described above,  while <xref target="fig-kem-pub-key-resp-ex"/> shows an example of KEM Public Key Upload Request-Response.</t>
        <figure anchor="fig-kem-pub-key-req-resp">
          <name>Message Flow of KEM Public Key Upload Request-Response</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="568" viewBox="0 0 568 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,64 L 24,160" fill="none" stroke="black"/>
                <path d="M 536,64 L 536,160" fill="none" stroke="black"/>
                <path d="M 32,96 L 528,96" fill="none" stroke="black"/>
                <path d="M 32,144 L 88,144" fill="none" stroke="black"/>
                <path d="M 480,144 L 528,144" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="536,96 524,90.4 524,101.6" fill="black" transform="rotate(0,528,96)"/>
                <polygon class="arrowhead" points="40,144 28,138.4 28,149.6" fill="black" transform="rotate(180,32,144)"/>
                <g class="text">
                  <text x="24" y="36">Group</text>
                  <text x="536" y="36">Group</text>
                  <text x="28" y="52">Member</text>
                  <text x="536" y="52">Manager</text>
                  <text x="176" y="84">KEM</text>
                  <text x="220" y="84">Public</text>
                  <text x="264" y="84">Key</text>
                  <text x="308" y="84">Upload</text>
                  <text x="368" y="84">Request</text>
                  <text x="84" y="116">POST</text>
                  <text x="300" y="116">/ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys</text>
                  <text x="112" y="148">KEM</text>
                  <text x="156" y="148">Public</text>
                  <text x="200" y="148">Key</text>
                  <text x="244" y="148">Upload</text>
                  <text x="312" y="148">Response:</text>
                  <text x="372" y="148">2.04</text>
                  <text x="432" y="148">(Changed)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
Group                                                           Group
Member                                                         Manager
  |                                                               |
  |                 KEM Public Key Upload Request                 |
  |-------------------------------------------------------------->|
  |     POST /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys     |
  |                                                               |
  |<------- KEM Public Key Upload Response: 2.04 (Changed) -------|
  |                                                               |
]]></artwork>
          </artset>
        </figure>
        <figure anchor="fig-kem-pub-key-resp-ex">
          <name>Example of KEM Public Key Upload Request-Response</name>
          <artwork><![CDATA[
   Request:

   Header: POST (Code=0.02)
   Uri-Host: "kdc.example.com"
   Uri-Path: "ace-group"
   Uri-Path: "g1"
   Uri-Path: "nodes"
   Uri-Path: "c101"
   Uri-Path: "kem-pub-keys"
   Content-Format: 261 (application/ace-groupcomm+cbor)
   Payload (in CBOR diagnostic notation):
   {
     e'client_kem_pubkey': h'4199...6c5a' / elided for brevity /
   }


   Response:

   Header: Changed (Code=2.04)
   Content-Format: 60 (application/cbor)
   Payload (in CBOR diagnostic notation):
     5
]]></artwork>
        </figure>
      </section>
      <section anchor="sec-counter-kem-pub-keys">
        <name>Retrieve Number of Available Own KEM Public Keys</name>
        <t>A group member can retrieve from the Group Manager the number of own KEM public keys that the Group Manager currently stores as pertaining to the group. To this end, the group member sends a KEM Public Key Number Request to the Group Manager.</t>
        <t>That is, the group member sends a CoAP GET request to the endpoint /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys at the Group Manager defined in <xref target="sec-nodename-kem-pub-keys-get"/>, where GROUPNAME is the name of the OSCORE group and NODENAME is the node name of the group member.</t>
        <t>The 2.05 (Content) KEM Public Key Number Response <bcp14>MUST</bcp14> have Content-Format "application/cbor". The payload of the response specifies the current resource representation, i.e., it is a CBOR unsigned integer encoding the number of KEM public keys that the Group Manager currently stores as generated by the node NODENAME and pertaining to the group GROUPNAME.</t>
        <t><xref target="fig-kem-pub-key-num-req-resp"/> gives an overview of the exchange described above,  while <xref target="fig-kem-pub-key-num-resp-ex"/> shows an example of KEM Public Key Number Request-Response.</t>
        <figure anchor="fig-kem-pub-key-num-req-resp">
          <name>Message Flow of KEM Public Key Number Request-Response</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="568" viewBox="0 0 568 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,64 L 24,160" fill="none" stroke="black"/>
                <path d="M 536,64 L 536,160" fill="none" stroke="black"/>
                <path d="M 32,96 L 528,96" fill="none" stroke="black"/>
                <path d="M 32,144 L 88,144" fill="none" stroke="black"/>
                <path d="M 480,144 L 528,144" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="536,96 524,90.4 524,101.6" fill="black" transform="rotate(0,528,96)"/>
                <polygon class="arrowhead" points="40,144 28,138.4 28,149.6" fill="black" transform="rotate(180,32,144)"/>
                <g class="text">
                  <text x="24" y="36">Group</text>
                  <text x="536" y="36">Group</text>
                  <text x="28" y="52">Member</text>
                  <text x="536" y="52">Manager</text>
                  <text x="176" y="84">KEM</text>
                  <text x="220" y="84">Public</text>
                  <text x="264" y="84">Key</text>
                  <text x="308" y="84">Number</text>
                  <text x="368" y="84">Request</text>
                  <text x="80" y="116">GET</text>
                  <text x="292" y="116">/ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys</text>
                  <text x="112" y="148">KEM</text>
                  <text x="156" y="148">Public</text>
                  <text x="200" y="148">Key</text>
                  <text x="244" y="148">Number</text>
                  <text x="312" y="148">Response:</text>
                  <text x="372" y="148">2.05</text>
                  <text x="432" y="148">(Content)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
Group                                                           Group
Member                                                         Manager
  |                                                               |
  |                 KEM Public Key Number Request                 |
  |-------------------------------------------------------------->|
  |     GET /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys      |
  |                                                               |
  |<------- KEM Public Key Number Response: 2.05 (Content) -------|
  |                                                               |
]]></artwork>
          </artset>
        </figure>
        <figure anchor="fig-kem-pub-key-num-resp-ex">
          <name>Example of KEM Public Key Number Request-Response</name>
          <artwork><![CDATA[
   Request:

   Header: GET (Code=0.01)
   Uri-Host: "kdc.example.com"
   Uri-Path: "ace-group"
   Uri-Path: "g1"
   Uri-Path: "nodes"
   Uri-Path: "c101"
   Uri-Path: "kem-pub-keys"


   Response:

   Header: Content (Code=2.05)
   Content-Format: 60 (application/cbor)
   Payload (in CBOR diagnostic notation):
     5
]]></artwork>
        </figure>
      </section>
      <section anchor="sec-delete-kem-pub-keys">
        <name>Discard Own KEM Public Keys</name>
        <t>A group member can request the Group Manager to delete from its local storage all the KEM public keys generated by the group member and pertaining to the group. To this end, the group member sends a KEM Public Key Discard Request to the Group Manager.</t>
        <t>That is, the group member sends a CoAP PUT request to the endpoint /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys at the Group Manager defined in <xref target="sec-nodename-kem-pub-keys-put"/>, where GROUPNAME is the name of the OSCORE group and NODENAME is the node name of the group member.</t>
        <t>The request <bcp14>MUST</bcp14> have Content-Format "application/cbor". The payload of the request is the CBOR unsigned integer encoding the value 0.</t>
        <t>If the Group Manager receives a KEM Public Key Discard Request whose payload is different from the CBOR unsigned integer encoding the value 0, the Group Manager <bcp14>MUST</bcp14> reply with a 4.00 (Bad Request) error response.</t>
        <t>If all verifications succeed, the Group Manager performs the following actions.</t>
        <t>First, the Group Manager deletes from its local storage all the KEM public keys generated by the node NODENAME and pertaining to the group GROUPNAME. Then, the Group Manager updates the resource representation to be the CBOR unsigned integer encoding the value 0.</t>
        <t>Finally, the Group Manager replies with a 2.04 (Changed) KEM Public Key Discard Response, which <bcp14>MUST</bcp14> have Content-Format "application/cbor". The payload of the response specifies the latest, just updated resource representation, i.e., the CBOR unsigned integer encoding the value 0.</t>
        <t>After receiving the KEM Public Key Discard Response, the group member deletes from its local storage all its own KEM public keys that it uploaded at the Group Manager as pertaining to the group GROUPNAME, as well as the corresponding KEM private keys and SHA-256 hashes <xref target="SHA-256"/> of the KEM public keys as the corresponding identifiers.</t>
        <t><xref target="fig-kem-pub-key-discard-req-resp"/> gives an overview of the exchange described above, while <xref target="fig-kem-pub-key-discard-resp-ex"/> shows an example of KEM Public Key Discard Request-Response.</t>
        <figure anchor="fig-kem-pub-key-discard-req-resp">
          <name>Message Flow of KEM Public Key Discard Request-Response</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="568" viewBox="0 0 568 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,64 L 24,160" fill="none" stroke="black"/>
                <path d="M 536,64 L 536,160" fill="none" stroke="black"/>
                <path d="M 32,96 L 528,96" fill="none" stroke="black"/>
                <path d="M 32,144 L 80,144" fill="none" stroke="black"/>
                <path d="M 480,144 L 528,144" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="536,96 524,90.4 524,101.6" fill="black" transform="rotate(0,528,96)"/>
                <polygon class="arrowhead" points="40,144 28,138.4 28,149.6" fill="black" transform="rotate(180,32,144)"/>
                <g class="text">
                  <text x="24" y="36">Group</text>
                  <text x="536" y="36">Group</text>
                  <text x="28" y="52">Member</text>
                  <text x="536" y="52">Manager</text>
                  <text x="168" y="84">KEM</text>
                  <text x="212" y="84">Public</text>
                  <text x="256" y="84">Key</text>
                  <text x="304" y="84">Discard</text>
                  <text x="368" y="84">Request</text>
                  <text x="80" y="116">PUT</text>
                  <text x="292" y="116">/ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys</text>
                  <text x="104" y="148">KEM</text>
                  <text x="148" y="148">Public</text>
                  <text x="192" y="148">Key</text>
                  <text x="240" y="148">Discard</text>
                  <text x="312" y="148">Response:</text>
                  <text x="372" y="148">2.04</text>
                  <text x="432" y="148">(Changed)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
Group                                                           Group
Member                                                         Manager
  |                                                               |
  |                KEM Public Key Discard Request                 |
  |-------------------------------------------------------------->|
  |     PUT /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys      |
  |                                                               |
  |<------ KEM Public Key Discard Response: 2.04 (Changed) -------|
  |                                                               |
]]></artwork>
          </artset>
        </figure>
        <figure anchor="fig-kem-pub-key-discard-resp-ex">
          <name>Example of KEM Public Key Discard Request-Response</name>
          <artwork><![CDATA[
   Request:

   Header: PUT (Code=0.03)
   Uri-Host: "kdc.example.com"
   Uri-Path: "ace-group"
   Uri-Path: "g1"
   Uri-Path: "nodes"
   Uri-Path: "c101"
   Uri-Path: "kem-pub-keys"
   Content-Format: 60 (application/cbor)
   Payload (in CBOR diagnostic notation):
     0


   Response:

   Header: Changed (Code=2.04)
   Content-Format: 60 (application/cbor)
   Payload (in CBOR diagnostic notation):
     0
]]></artwork>
        </figure>
      </section>
      <section anchor="sec-retrieve-kem-pub-keys">
        <name>Retrieve KEM Public Keys of Group Members</name>
        <t>A group member can retrieve from the Group Manager a KEM public key generated by another group member. To this end, the group member sends a KEM Public Key Retrieval Request to the Group Manager.</t>
        <t>That is, the group member sends a CoAP POST request to the endpoint /ace-group/GROUPNAME/kem-pub-keys at the Group Manager defined in <xref target="sec-kem-pub-keys-post"/>, where GROUPNAME is the name of the OSCORE group.</t>
        <t>The request <bcp14>MUST</bcp14> have Content-Format "application/ace-groupcomm+cbor". The payload of the request is formatted as a CBOR map, which <bcp14>MUST</bcp14> contain the following field with the value specified below:</t>
        <ul spacing="normal">
          <li>
            <t>'peer_identifiers': encoded as a CBOR array. Each element of the array is a CBOR byte string, whose value is the OSCORE Sender ID of a member of the group GROUPNAME.  </t>
            <t>
The array <bcp14>MUST NOT</bcp14> be empty, <bcp14>MUST NOT</bcp14> include an element that specifies the OSCORE Sender ID of the requesting Client, and <bcp14>MUST NOT</bcp14> include multiple elements that specify the same OSCORE Sender ID.</t>
          </li>
        </ul>
        <t>When receiving a KEM Public Key Retrieval Request, the Group Manager <bcp14>MUST</bcp14> reply with a 4.00 (Bad Request) response if the CBOR array REQ_ARRAY conveyed as request payload is empty, or any of its elements specifies the OSCORE Sender ID of the requesting Client, or it includes multiple elements that specify the same OSCORE Sender ID.</t>
        <t>Otherwise, if all verifications succeed, the Group Manager performs the following actions.</t>
        <ul spacing="normal">
          <li>
            <t>The Group Manager composes a CBOR array RESP_ARRAY of N elements, where N is the number of elements of REQ_ARRAY. Each element of RESP_ARRAY is provisionally set to the CBOR simple value <tt>null</tt> (0xf6).</t>
          </li>
          <li>
            <t>The Group Manager sequentially considers the elements of REQ_ARRAY.  </t>
            <t>
When considering the i-th element of REQ_ARRAY, the Group Manager checks whether it is currently storing any KEM public key that was uploaded by the group member NODENAME of the group GROUPNAME identified by the OSCORE Sender ID specified by the array element under consideration.  </t>
            <t>
If the Group Manager is not storing any such KEM public key, the Group Manager moves on to consider the next element of REQ_ARRAY (if any).  </t>
            <t>
Otherwise, the Group Manager sets the i-th element of RESP_ARRAY as a CBOR byte string, whose value is the binary representation of the oldest KEM public key stored for the identified group member.  </t>
            <t>
Then, the Group Manager deletes that oldest KEM public key from its local storage, and it updates the representation of the resource at /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys to reflect the number of currently stored KEM public keys generated by the group member NODENAME and pertaining to the group. That is, if such number is N upon receiving the KEM Public Key Retrieval Request, the updated resource representation is the CBOR unsigned integer encoding the value (N - 1).  </t>
            <t>
After that, the Group Manager moves on to consider the next element of REQ_ARRAY (if any).</t>
          </li>
        </ul>
        <t>Then, the Group Manager replies with a 2.04 (Changed) KEM Public Key Retrieval Response, which <bcp14>MUST</bcp14> have Content-Format "application/ace-groupcomm+cbor". The payload of the response is formatted as a CBOR map, which <bcp14>MUST</bcp14> contain the following field with the value specified below:</t>
        <ul spacing="normal">
          <li>
            <t>'kem_pubkeys': specifying the CBOR array RESP_ARRAY.</t>
          </li>
        </ul>
        <t><xref target="fig-kem-pub-key-retrieval-req-resp"/> gives an overview of the exchange described above,  while <xref target="fig-kem-pub-key-retrieval-resp-ex"/> shows an example of KEM Public Key Retrieval Request-Response.</t>
        <figure anchor="fig-kem-pub-key-retrieval-req-resp">
          <name>Message Flow of KEM Public Key Retrieval Request-Response</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="568" viewBox="0 0 568 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,64 L 24,160" fill="none" stroke="black"/>
                <path d="M 536,64 L 536,160" fill="none" stroke="black"/>
                <path d="M 32,96 L 528,96" fill="none" stroke="black"/>
                <path d="M 32,144 L 72,144" fill="none" stroke="black"/>
                <path d="M 488,144 L 528,144" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="536,96 524,90.4 524,101.6" fill="black" transform="rotate(0,528,96)"/>
                <polygon class="arrowhead" points="40,144 28,138.4 28,149.6" fill="black" transform="rotate(180,32,144)"/>
                <g class="text">
                  <text x="24" y="36">Group</text>
                  <text x="536" y="36">Group</text>
                  <text x="28" y="52">Member</text>
                  <text x="536" y="52">Manager</text>
                  <text x="160" y="84">KEM</text>
                  <text x="204" y="84">Public</text>
                  <text x="248" y="84">Key</text>
                  <text x="304" y="84">Retrieval</text>
                  <text x="376" y="84">Request</text>
                  <text x="140" y="116">POST</text>
                  <text x="296" y="116">/ace-group/GROUPNAME/kem-pub-keys</text>
                  <text x="96" y="148">KEM</text>
                  <text x="140" y="148">Public</text>
                  <text x="184" y="148">Key</text>
                  <text x="240" y="148">Retrieval</text>
                  <text x="320" y="148">Response:</text>
                  <text x="380" y="148">2.04</text>
                  <text x="440" y="148">(Changed)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
Group                                                           Group
Member                                                         Manager
  |                                                               |
  |               KEM Public Key Retrieval Request                |
  |-------------------------------------------------------------->|
  |            POST /ace-group/GROUPNAME/kem-pub-keys             |
  |                                                               |
  |<----- KEM Public Key Retrieval Response: 2.04 (Changed) ------|
  |                                                               |
]]></artwork>
          </artset>
        </figure>
        <figure anchor="fig-kem-pub-key-retrieval-resp-ex">
          <name>Example of KEM Public Key Retrieval Request-Response</name>
          <artwork><![CDATA[
   Request:

   Header: POST (Code=0.02)
   Uri-Host: "kdc.example.com"
   Uri-Path: "ace-group"
   Uri-Path: "g1"
   Uri-Path: "kem-pub-keys"
   Content-Format: 261 (application/ace-groupcomm+cbor)
   Payload (in CBOR diagnostic notation):
   {
     / peer_identifiers / 15: [h'01', h'02', h'03']
   }


   Response:

   Header: Changed (Code=2.04)
   Content-Format: 261 (application/ace-groupcomm+cbor)
   Payload (in CBOR diagnostic notation):
   {
     e'kem_pubkeys': [
                       h'acb6...976e', / elided for brevity /
                       h'bbf2...ae88', / elided for brevity /
                       null
                     ]
   }
]]></artwork>
        </figure>
      </section>
      <section anchor="sec-upload-kem-ciphertext">
        <name>Upload a KEM Ciphertext</name>
        <t>A group member P can upload at the Group Manager a KEM ciphertext intended to another group member Q, with such KEM ciphertext computed by P using a KEM public key of Q. To this end, the group member sends a KEM Ciphertext Upload Request to the Group Manager.</t>
        <t>That is, the group member P sends a CoAP POST request to the endpoint /ace-group/GROUPNAME/nodes/NODENAME/kem-ciphertexts at the Group Manager defined in <xref target="sec-nodename-kem-ciphertexts"/>, where GROUPNAME is the name of the OSCORE group and NODENAME is the node name of the group member P.</t>
        <t>The request <bcp14>MUST</bcp14> have Content-Format "application/ace-groupcomm+cbor". The payload of the request is formatted as a CBOR map, which <bcp14>MUST</bcp14> contain the following fields with the value specified below:</t>
        <ul spacing="normal">
          <li>
            <t>'kem_ciphertext': encoded as a CBOR byte string, whose value is the KEM ciphertext computed by P and intended to Q. The KEM ciphertext encapsulates a shared secret computed by P and intended to Q.  </t>
            <t>
Consistent with what is specified in <xref section="3" sectionFormat="of" target="I-D.tiloca-core-group-oscore-kem"/>, P uses the shared secret to derive its Pairwise Sender Key associated with Q. That is, such Pairwise Sender Key is used by P for processing outgoing messages protected with the pairwise mode of Group OSCORE and intended to Q.</t>
          </li>
          <li>
            <t>'kem_pubkey_hash': encoded as a CBOR byte string, whose value is the SHA-256 hash <xref target="SHA-256"/> of Q's KEM public key that P used to compute the ciphertext specified in the 'kem_ciphertext' parameter.</t>
          </li>
          <li>
            <t>'group_senderId': encoded as a CBOR byte string, whose value is the OSCORE Sender ID of Q in the group.</t>
          </li>
        </ul>
        <t>When receiving a KEM Ciphertext Upload Request, the Group Manager <bcp14>MUST</bcp14> reply with a 4.00 (Bad Request) response if any of the following conditions holds:</t>
        <ul spacing="normal">
          <li>
            <t>The 'group_senderId' parameter specifies an OSCORE Sender ID that is not associated with any current member of the group.</t>
          </li>
          <li>
            <t>The 'group_senderId' parameter specifies the OSCORE Sender ID of the requesting Client. The Group Manager ultimately identifies the requesting Client (and thereby determines its Sender ID in the group) by means of the secure communication association that it has with the requesting Client.</t>
          </li>
        </ul>
        <t>If the KEM ciphertext specified in the 'kem_ciphertext' parameter of the KEM Ciphertext Upload Request is not compatible with the KEM used as Pairwise Key Agreement Algorithm in the group, the Group Manager <bcp14>MUST</bcp14> reply with a 4.00 (Bad Request) error response. The response <bcp14>MUST</bcp14> have Content-Format set to "application/concise-problem-details+cbor" <xref target="RFC9290"/> and is formatted as defined in <xref section="4.1.2" sectionFormat="of" target="RFC9594"/>. Within the Custom Problem Detail entry 'ace-groupcomm-error', the value of the 'error-id' field <bcp14>MUST</bcp14> be set to 15 ("KEM ciphertext incompatible with the group configuration").</t>
        <t>Otherwise, if all verifications succeed, the Group Manager stores a tuple composed of the following elements, as pertaining to the group GROUPNAME:</t>
        <ul spacing="normal">
          <li>
            <t>The KEM ciphertext specified in the 'kem_ciphertext' parameter of the KEM Ciphertext Upload Request.</t>
          </li>
          <li>
            <t>The hash of the KEM public key of Q specified in the 'kem_pubkey_hash' parameter of the KEM Ciphertext Upload Request.</t>
          </li>
          <li>
            <t>The OSCORE Sender ID of Q in the group specified in the 'group_senderId' parameter of the KEM Ciphertext Upload Request, as identifying the intended consumer of the KEM ciphertext.</t>
          </li>
          <li>
            <t>The OSCORE Sender ID of P in the group as identifying the producer of the KEM ciphertext, which the Group Manager determines as the current Sender ID of the requesting Client in the group.</t>
          </li>
        </ul>
        <t>The Group Manager <bcp14>MUST</bcp14> keep up-to-date the stored tuple over time, in the event that any of the two group members P and Q changes its OSCORE Sender ID in the group.</t>
        <t>If a new KEM ciphertext is uploaded at the Group Manager together with the same consumer Sender ID and producer Sender ID for which another KEM ciphertext is already stored for the group GROUPNAME, then the latest uploaded KEM ciphertext and accompanying hash of the KEM public key <bcp14>MUST</bcp14> overwrite the current ones in the tuple stored for those two Sender IDs.</t>
        <t>Finally, the Group Manager replies with a 2.04 (Changed) KEM Ciphertext Upload Response, which has no payload.</t>
        <t><xref target="fig-kem-ciphertext-upload-req-resp"/> gives an overview of the exchange described above,  while <xref target="fig-kem-ciphertext-upload-resp-ex"/> shows an example of KEM Ciphertext Upload Request-Response.</t>
        <figure anchor="fig-kem-ciphertext-upload-req-resp">
          <name>Message Flow of KEM Ciphertext Upload Request-Response</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="568" viewBox="0 0 568 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,64 L 24,160" fill="none" stroke="black"/>
                <path d="M 536,64 L 536,160" fill="none" stroke="black"/>
                <path d="M 32,96 L 528,96" fill="none" stroke="black"/>
                <path d="M 32,144 L 88,144" fill="none" stroke="black"/>
                <path d="M 480,144 L 528,144" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="536,96 524,90.4 524,101.6" fill="black" transform="rotate(0,528,96)"/>
                <polygon class="arrowhead" points="40,144 28,138.4 28,149.6" fill="black" transform="rotate(180,32,144)"/>
                <g class="text">
                  <text x="24" y="36">Group</text>
                  <text x="536" y="36">Group</text>
                  <text x="28" y="52">Member</text>
                  <text x="536" y="52">Manager</text>
                  <text x="176" y="84">KEM</text>
                  <text x="236" y="84">Ciphertext</text>
                  <text x="308" y="84">Upload</text>
                  <text x="368" y="84">Request</text>
                  <text x="68" y="116">POST</text>
                  <text x="296" y="116">/ace-group/GROUPNAME/nodes/NODENAME/kem-ciphertexts</text>
                  <text x="112" y="148">KEM</text>
                  <text x="172" y="148">Ciphertext</text>
                  <text x="244" y="148">Upload</text>
                  <text x="312" y="148">Response:</text>
                  <text x="372" y="148">2.04</text>
                  <text x="432" y="148">(Changed)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
Group                                                           Group
Member                                                         Manager
  |                                                               |
  |                 KEM Ciphertext Upload Request                 |
  |-------------------------------------------------------------->|
  |   POST /ace-group/GROUPNAME/nodes/NODENAME/kem-ciphertexts    |
  |                                                               |
  |<------- KEM Ciphertext Upload Response: 2.04 (Changed) -------|
  |                                                               |
]]></artwork>
          </artset>
        </figure>
        <figure anchor="fig-kem-ciphertext-upload-resp-ex">
          <name>Example of KEM Ciphertext Upload Request-Response</name>
          <artwork><![CDATA[
   Request:

   Header: POST (Code=0.02)
   Uri-Host: "kdc.example.com"
   Uri-Path: "ace-group"
   Uri-Path: "g1"
   Uri-Path: "nodes"
   Uri-Path: "c101"
   Uri-Path: "kem-ciphertexts"
   Content-Format: 261 (application/ace-groupcomm+cbor)
   Payload (in CBOR diagnostic notation):
   {
         e'kem_ciphertext': h'1388...aa42', / elided for brevity /
        e'kem_pubkey_hash': h'9bef...ccd2', / elided for brevity /
     / group_senderId / 21: h'07'
   }


   Response:

   Header: Changed (Code=2.04)
]]></artwork>
        </figure>
      </section>
      <section anchor="sec-retrieve-kem-ciphertext">
        <name>Retrieve a KEM Ciphertext</name>
        <t>A group member P can retrieve from the Group Manager the KEM ciphertext that a specific other group member Q computed and uploaded at the Group Manager as intended to P. To this end, the group member P sends a KEM Ciphertext Retrieval Request to the Group Manager.</t>
        <t>That is, the group member P sends a CoAP POST request to the endpoint /ace-group/GROUPNAME/kem-ciphertexts at the Group Manager defined in <xref target="sec-kem-ciphertexts-post"/>, where GROUPNAME is the name of the OSCORE group.</t>
        <t>The request <bcp14>MUST</bcp14> have Content-Format "application/ace-groupcomm+cbor". The payload of the request is formatted as a CBOR map, which <bcp14>MUST</bcp14> contain the following field with the value specified below:</t>
        <ul spacing="normal">
          <li>
            <t>'group_senderId': encoded as a CBOR byte string, whose value is the OSCORE Sender ID of Q in the group.</t>
          </li>
        </ul>
        <t>When receiving a KEM Ciphertext Retrieval Request, the Group Manager <bcp14>MUST</bcp14> reply with a 4.00 (Bad Request) response if any of the following conditions holds:</t>
        <ul spacing="normal">
          <li>
            <t>The 'group_senderId' parameter specifies an OSCORE Sender ID that is not associated with any current member of the group.</t>
          </li>
          <li>
            <t>The 'group_senderId' parameter specifies the OSCORE Sender ID of the requesting Client. The Group Manager ultimately identifies the requesting Client (and thereby determines its Sender ID in the group) by means of the secure communication association that it has with the requesting Client.</t>
          </li>
        </ul>
        <t>Otherwise, if all verifications succeed, the Group Manager checks whether it is storing a tuple pertaining to the group GROUPNAME such that both the following conditions hold:</t>
        <ul spacing="normal">
          <li>
            <t>The OSCORE Sender ID of the producer of the KEM ciphertext is the Sender ID specified in the 'group_senderId' parameter of the KEM Ciphertext Retrieval Request.</t>
          </li>
          <li>
            <t>The OSCORE Sender ID of the intended consumer of the KEM ciphertext is the Sender ID of the requesting Client in the group.</t>
          </li>
        </ul>
        <t>If no such tuple is found, the Group Manager replies with a 2.04 (Changed) KEM Ciphertext Retrieval Response that has no payload.</t>
        <t>Instead, if such a tuple is found, the Group Manager retrieves from the tuple the KEM ciphertext CT as well as the hash HASH of the KEM public key used to compute CT. Then, the Group Manager deletes the tuple from its local storage.</t>
        <t>After that, the Group Manager replies with a 2.04 (Changed) KEM Ciphertext Retrieval Response, which <bcp14>MUST</bcp14> have Content-Format "application/ace-groupcomm+cbor". The payload of the response is formatted as a CBOR map, which <bcp14>MUST</bcp14> contain the following fields with the value specified below:</t>
        <ul spacing="normal">
          <li>
            <t>'kem_ciphertext': encoded as a CBOR byte string, whose value is the KEM ciphertext CT retrieved above.</t>
          </li>
          <li>
            <t>'kem_pubkey_hash': encoded as a CBOR byte string, whose value is the hash HASH retrieved above.</t>
          </li>
        </ul>
        <t>When receiving a KEM Ciphertext Retrieval Response conveying a payload, the requesting Client P performs the following steps:</t>
        <ul spacing="normal">
          <li>
            <t>It retrieves the hash specified in the 'kem_pubkey_hash' parameter of the KEM Ciphertext Retrieval Response, and it uses the hash to retrieve the corresponding pair (KEM public key, KEM private key) from its local storage.  </t>
            <t>
That is, P retrieves the pair such that the hash from the KEM Ciphertext Retrieval Response is equal to the hash of the KEM public key within the pair.</t>
          </li>
          <li>
            <t>If such a pair is found, P uses the KEM private key within the pair to decrypt the KEM ciphertext specified in the 'kem_ciphertext' parameter of the KEM Ciphertext Retrieval Response, thereby retrieving the shared secret computed by the other group member Q.  </t>
            <t>
Consistent with what is specified in <xref section="3" sectionFormat="of" target="I-D.tiloca-core-group-oscore-kem"/>, P uses the shared secret to derive its Pairwise Recipient Key associated with Q. That is, such Pairwise Recipient Key is used by P for processing incoming messages from Q that are protected with the pairwise mode of Group OSCORE and intended to P.  </t>
            <t>
Finally, P deletes from its local storage the found pair (KEM public key, KEM private key) as well as the hash of the KEM public key as the corresponding identifier.</t>
          </li>
        </ul>
        <t><xref target="fig-kem-ciphertext-retrieval-req-resp"/> gives an overview of the exchange described above, while <xref target="fig-kem-ciphertext-retrieval-resp-ex"/> shows an example of KEM Ciphertext Retrieval Request-Response.</t>
        <figure anchor="fig-kem-ciphertext-retrieval-req-resp">
          <name>Message Flow of KEM Ciphertext Retrieval Request-Response</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="568" viewBox="0 0 568 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,64 L 24,160" fill="none" stroke="black"/>
                <path d="M 536,64 L 536,160" fill="none" stroke="black"/>
                <path d="M 32,96 L 528,96" fill="none" stroke="black"/>
                <path d="M 32,144 L 72,144" fill="none" stroke="black"/>
                <path d="M 488,144 L 528,144" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="536,96 524,90.4 524,101.6" fill="black" transform="rotate(0,528,96)"/>
                <polygon class="arrowhead" points="40,144 28,138.4 28,149.6" fill="black" transform="rotate(180,32,144)"/>
                <g class="text">
                  <text x="24" y="36">Group</text>
                  <text x="536" y="36">Group</text>
                  <text x="28" y="52">Member</text>
                  <text x="536" y="52">Manager</text>
                  <text x="160" y="84">KEM</text>
                  <text x="220" y="84">Ciphertext</text>
                  <text x="304" y="84">Retrieval</text>
                  <text x="376" y="84">Request</text>
                  <text x="132" y="116">POST</text>
                  <text x="300" y="116">/ace-group/GROUPNAME/kem-ciphertexts</text>
                  <text x="96" y="148">KEM</text>
                  <text x="156" y="148">Ciphertext</text>
                  <text x="240" y="148">Retrieval</text>
                  <text x="320" y="148">Response:</text>
                  <text x="380" y="148">2.04</text>
                  <text x="440" y="148">(Changed)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
Group                                                           Group
Member                                                         Manager
  |                                                               |
  |               KEM Ciphertext Retrieval Request                |
  |-------------------------------------------------------------->|
  |           POST /ace-group/GROUPNAME/kem-ciphertexts           |
  |                                                               |
  |<----- KEM Ciphertext Retrieval Response: 2.04 (Changed) ------|
  |                                                               |
]]></artwork>
          </artset>
        </figure>
        <figure anchor="fig-kem-ciphertext-retrieval-resp-ex">
          <name>Example of KEM Ciphertext Retrieval Request-Response</name>
          <artwork><![CDATA[
   Request:

   Header: POST (Code=0.02)
   Uri-Host: "kdc.example.com"
   Uri-Path: "ace-group"
   Uri-Path: "g1"
   Uri-Path: "kem-ciphertexts"
   Content-Format: 261 (application/ace-groupcomm+cbor)
   Payload (in CBOR diagnostic notation):
   {
     / group_senderId / 21: h'00'
   }


   Response:

   Header: Changed (Code=2.04)
   Content-Format: 261 (application/ace-groupcomm+cbor)
   Payload (in CBOR diagnostic notation):
   {
      e'kem_ciphertext': h'1388...aa42', / elided for brevity /
     e'kem_pubkey_hash': h'9bef...ccd2' / elided for brevity /
   }
]]></artwork>
        </figure>
      </section>
    </section>
    <section anchor="sec-removal">
      <name>Removal of a Group Member</name>
      <t>In addition to what is defined in <xref section="10" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, the Group Manager performs the following actions when removing a node NODENAME from a KEM-based group GROUPNAME.</t>
      <ul spacing="normal">
        <li>
          <t>The Group Manager deletes from its local storage the leaving node's KEM public keys that the leaving node uploaded at the Group Manager, as intended to other members of the group.</t>
        </li>
        <li>
          <t>The Group Manager deletes from its local storage the KEM ciphertexts that the leaving node uploaded as intended to other members of the group, as well as the KEM ciphertexts that other members of the group uploaded as intended to the leaving node.  </t>
          <t>
The Group Manager also deletes the stored tuples pertaining to the deleted ciphertexts above, as including:  </t>
          <ul spacing="normal">
            <li>
              <t>The hash of the KEM public key used to compute the pertaining KEM ciphertext.</t>
            </li>
            <li>
              <t>The OSCORE Sender IDs identifying the producer and the intended consumer of the pertaining KEM ciphertext.</t>
            </li>
          </ul>
        </li>
      </ul>
      <t>The resources at /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys and at /ace-group/GROUPNAME/nodes/NODENAME/kem-ciphertexts are deleted when deleting their parent resource at /ace-group/GROUPNAME/nodes/NODENAME (see <xref section="5" sectionFormat="of" target="RFC9594"/>).</t>
    </section>
    <section anchor="sec-ace-groupcomm-parameters">
      <name>ACE Groupcomm Parameters</name>
      <t>In addition to what is defined in <xref section="8" sectionFormat="of" target="RFC9594"/> and <xref section="12" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, this document defines additional parameters used during the second part of the message exchange with the Group Manager, i.e., after the exchange of Token Transfer Request and Response (see <xref section="5.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>). The table below summarizes them and specifies the CBOR key to use instead of the full descriptive name.</t>
      <t>Note that the media type "application/ace-groupcomm+cbor" <bcp14>MUST</bcp14> be used when these parameters are transported in the respective message fields.</t>
      <table align="center" anchor="tab-ACE-Groupcomm-Parameters">
        <name>ACE Groupcomm Parameters</name>
        <thead>
          <tr>
            <th align="left">Name</th>
            <th align="left">CBOR Key</th>
            <th align="left">CBOR Type</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">max_kem_pubkeys</td>
            <td align="left">22</td>
            <td align="left">uint</td>
            <td align="left">[RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">client_kem_pubkey</td>
            <td align="left">35</td>
            <td align="left">bstr</td>
            <td align="left">[RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">kem_pubkeys</td>
            <td align="left">36</td>
            <td align="left">array</td>
            <td align="left">[RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">kem_ciphertext</td>
            <td align="left">37</td>
            <td align="left">bstr</td>
            <td align="left">[RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">kem_pubkey_hash</td>
            <td align="left">38</td>
            <td align="left">bstr</td>
            <td align="left">[RFC-XXXX]</td>
          </tr>
          <tr>
            <td align="left">pqkem_info</td>
            <td align="left">39</td>
            <td align="left">array</td>
            <td align="left">[RFC-XXXX]</td>
          </tr>
        </tbody>
      </table>
      <t>Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.</t>
      <t>The Group Manager is expected to support all the parameters above. Instead, a Client is required to support the parameters above as specified below (REQ29):</t>
      <ul spacing="normal">
        <li>
          <t>The following parameters <bcp14>MUST</bcp14> be supported by a Client that intends to join a KEM-based group and to use the pairwise mode of Group OSCORE to process messages in the group:  </t>
          <ul spacing="normal">
            <li>
              <t>max_kem_pubkeys.</t>
            </li>
            <li>
              <t>client_kem_pubkey.</t>
            </li>
            <li>
              <t>kem_pubkeys.</t>
            </li>
            <li>
              <t>kem_ciphertext.</t>
            </li>
            <li>
              <t>kem_pubkey_hash.</t>
            </li>
          </ul>
        </li>
        <li>
          <t>'pqkem_info' <bcp14>MUST</bcp14> be supported by a Client that intends to join a KEM-based group.</t>
        </li>
      </ul>
    </section>
    <section anchor="sec-ace-groupcomm-errors">
      <name>ACE Groupcomm Error Identifiers</name>
      <t>In addition to what is defined in <xref section="9" sectionFormat="of" target="RFC9594"/> and <xref section="13" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, this document defines new values that the Group Manager can use as error identifiers (OPT5). These are used in error responses with Content-Format "application/concise-problem-details+cbor" <xref target="RFC9290"/>, as values of the 'error-id' field within the Custom Problem Detail entry 'ace-groupcomm-error' (see <xref section="4.1.2" sectionFormat="of" target="RFC9594"/>).</t>
      <table align="center" anchor="tab-ACE-Groupcomm-Error-Identifiers">
        <name>ACE Groupcomm Error Identifiers</name>
        <thead>
          <tr>
            <th align="left">Value</th>
            <th align="left">Description</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">13</td>
            <td align="left">Reached limit of KEM public keys</td>
          </tr>
          <tr>
            <td align="left">14</td>
            <td align="left">KEM public key incompatible with the group configuration</td>
          </tr>
          <tr>
            <td align="left">15</td>
            <td align="left">KEM ciphertext incompatible with the group configuration</td>
          </tr>
        </tbody>
      </table>
      <t>If the Client supports the problem-details format <xref target="RFC9290"/> and the Custom Problem Detail entry 'ace-groupcomm-error' defined in <xref section="4.1.2" sectionFormat="of" target="RFC9594"/>, and it is able to understand the error specified in the 'error-id' field therein, then the Client may use that information to determine what actions to take next. If the Concise Problem Details data item specified in the error response includes the 'detail' entry and the Client supports it, such an entry may provide additional context.</t>
      <ul spacing="normal">
        <li>
          <t>In the case of error 13, the Client should refrain from uploading at the Group Manager an own KEM public key intended to group members of the targeted group, until a pre-defined amount of time has elapsed or the Group Manager indicates that the number of the Client's currently stored KEM public keys is below the limit.  </t>
          <t>
In a group with group name GROUPNAME, a Client with name NODENAME can obtain that indication by sending a GET request to /ace-group/GROUPNAME/nodes/NODENAME/kem-pub-keys (see <xref target="sec-nodename-kem-pub-keys-get"/> and <xref target="sec-counter-kem-pub-keys"/>). If the resource is observable <xref target="RFC7641"/>, the Client can additionally subscribe for updates about the resource representation, instead of only relying on polling.</t>
        </li>
        <li>
          <t>In the case of error 14, the Client has to self-generate a different pair of KEM public key and KEM private key, as aligned to the Pairwise Key Agreement Algorithm and parameters used in the targeted group. After that, the Client should provide the Group Manager with the new KEM public key.</t>
        </li>
        <li>
          <t>In the case of error 15, the Client should retrieve from the Group Manager a different KEM public key associated with the other group member for which the KEM ciphertext was computed. After that, the Client computes a KEM ciphertext using the latest retrieved KEM public key and uploads the KEM ciphertext at the Group Manager.</t>
        </li>
      </ul>
    </section>
    <section anchor="sec-default-values">
      <name>Default Values for Group Configuration Parameters</name>
      <t>Building on what is defined in <xref section="14" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, this section defines additional default values that the Group Manager refers to for the configuration parameters of a KEM-based group, in the case that values for those parameters are not explicitly specified when creating and configuring the group (for example, by means of the admin interface defined in <xref target="I-D.ietf-ace-oscore-gm-admin"/>). These default values are <bcp14>RECOMMENDED</bcp14> to use for the configuration parameters.</t>
      <t>Exceptionally, the Group Manager <bcp14>MAY</bcp14> choose different default values instead of those recommended in this section. A possible reason is to ensure that each of those are consistent with what the Group Manager supports, e.g., in terms of the Pairwise Key Agreement Algorithm used in the OSCORE group.</t>
      <t>This ensures that the Group Manager is able to perform the operations defined in this document. For example, if the KEM-based group is specifically a pairwise-only group, this ensures that the Group Manager is able to achieve proof of possession of a joining node's private key, as well as to provide a joining node with its own authentication credential and the associated proof-of-possession evidence.</t>
      <t>Editor's note: in the document body, explicitly cover the case where the KEM-based group is specifically a pairwise-only group.</t>
      <t>The following builds on the "COSE Algorithms" registry <xref target="IANA.COSE.Algorithms"/> and the "COSE Key Types" registry <xref target="IANA.COSE.Key.Types"/>.</t>
      <ul spacing="normal">
        <li>
          <t>For 'max_kem_pubkeys', the Group Manager <bcp14>SHOULD</bcp14> consider the value 200 as the maximum number of KEM public keys that the Group Manager stores at any given time as associated with the same Client within the same group.</t>
        </li>
        <li>
          <t>For the Pairwise Key Agreement Algorithm 'pqkem_alg' used to compute quantum secure shared secrets in the group, the Group Manager <bcp14>SHOULD</bcp14> use ML-KEM-512 (COSE algorithm encoding: TBD) registered by <xref target="I-D.ietf-jose-pqc-kem"/>, which indicates the ML-KEM-512 parameter set of the standard ML-KEM <xref target="FIPS203"/>.  </t>
          <t>
In such case, the parameter 'pqkem_params' (see <xref target="sec-send-join-response"/>) specifies the array [[AKP], [AKP]]. This indicates to use the COSE key type AKP registered by <xref target="RFC9964"/>.</t>
        </li>
      </ul>
      <t>Editor's note: at the moment, the configuration parameters above are not reflected by an admin interface such as that defined in <xref target="I-D.ietf-ace-oscore-gm-admin"/>. That interface can also be updated, in order for an Administrator to (re-)configure an OSCORE group as per those parameters too.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The security considerations from <xref target="RFC9200"/>, <xref target="RFC9594"/>, and <xref target="I-D.ietf-ace-key-groupcomm-oscore"/> hold for this document too. The security considerations for the specific KEM used as Pairwise Key Agreement Algorithm in the OSCORE group also apply.</t>
      <t>Editor's note: add further security considerations.</t>
    </section>
    <section anchor="sec-iana">
      <name>IANA Considerations</name>
      <t>This document has the following actions for IANA.</t>
      <t>Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.</t>
      <section anchor="iana-oauth-parameters">
        <name>OAuth Parameters</name>
        <t>IANA is asked to register the following entry in the "OAuth Parameters" registry <xref target="IANA.OAuth.Parameters"/> within the "OAuth Parameters" registry group, following the procedure specified in <xref section="11.2" sectionFormat="of" target="RFC6749"/>.</t>
        <ul spacing="normal">
          <li>
            <t>Name: pqkem_info</t>
          </li>
          <li>
            <t>Parameter Usage Location: client-rs request, rs-client response</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
        </ul>
      </section>
      <section anchor="iana-oauth-parameters-cbor">
        <name>OAuth Parameters CBOR Mappings</name>
        <t>IANA is asked to register the following entry in the "OAuth Parameters CBOR Mappings" registry <xref target="IANA.OAuth.CBOR.Mappings"/> within the "Authentication and Authorization for Constrained Environments (ACE)" registry group, following the procedure specified in <xref section="8.10" sectionFormat="of" target="RFC9200"/>.</t>
        <ul spacing="normal">
          <li>
            <t>Name: pqkem_info</t>
          </li>
          <li>
            <t>CBOR Key: TBD (value between 1 and 255)</t>
          </li>
          <li>
            <t>Value Type: Null or array</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
          <li>
            <t>Original Specification: [RFC-XXXX]</t>
          </li>
        </ul>
      </section>
      <section anchor="iana-ace-groupcomm-parameters">
        <name>ACE Groupcomm Parameters</name>
        <t>IANA is asked to register the following entries to the "ACE Groupcomm Parameters" registry <xref target="IANA.ACE.Groupcomm.Parameters"/> within the "Authentication and Authorization for Constrained Environments (ACE)" registry group.</t>
        <ul spacing="normal">
          <li>
            <t>Name: max_kem_pubkeys</t>
          </li>
          <li>
            <t>CBOR Key: 22 (suggested)</t>
          </li>
          <li>
            <t>CBOR Type: unsigned integer</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Name: client_kem_pubkey</t>
          </li>
          <li>
            <t>CBOR Key: 35 (suggested)</t>
          </li>
          <li>
            <t>CBOR Type: bstr</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Name: kem_pubkeys</t>
          </li>
          <li>
            <t>CBOR Key: 36 (suggested)</t>
          </li>
          <li>
            <t>CBOR Type: array</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Name: kem_ciphertext</t>
          </li>
          <li>
            <t>CBOR Key: 37 (suggested)</t>
          </li>
          <li>
            <t>CBOR Type: bstr</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Name: kem_pubkey_hash</t>
          </li>
          <li>
            <t>CBOR Key: 38 (suggested)</t>
          </li>
          <li>
            <t>CBOR Type: bstr</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Name: pqkem_info</t>
          </li>
          <li>
            <t>CBOR Key: 39 (suggested)</t>
          </li>
          <li>
            <t>CBOR Type: array</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
        </ul>
      </section>
      <section anchor="iana-oscore-security-context-parameter">
        <name>OSCORE Security Context Parameters</name>
        <t>IANA is asked to register the following entries in the "OSCORE Security Context Parameters" registry <xref target="IANA.OSCORE.Security.Context.Parameters"/> within the "Authentication and Authorization for Constrained Environments (ACE)" registry group.</t>
        <ul spacing="normal">
          <li>
            <t>Name: pqkem_alg</t>
          </li>
          <li>
            <t>CBOR Label: 14 (suggested)</t>
          </li>
          <li>
            <t>CBOR Type: text string / integer</t>
          </li>
          <li>
            <t>Registry: <xref target="IANA.COSE.Algorithms"/> Values</t>
          </li>
          <li>
            <t>Description: OSCORE Pairwise Key Agreement Algorithm Value, identifying a Key Encapsulation Mechanism (KEM)</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Name: pqkem_params</t>
          </li>
          <li>
            <t>CBOR Label: 15 (suggested)</t>
          </li>
          <li>
            <t>CBOR Type: array</t>
          </li>
          <li>
            <t>Registry: <xref target="IANA.COSE.Algorithms"/> Capabilities, <xref target="IANA.COSE.Key.Types"/> Capabilities</t>
          </li>
          <li>
            <t>Description: OSCORE Pairwise Key Agreement Algorithm Parameters, when that algorithm is a Key Encapsulation Mechanism (KEM)</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
        </ul>
      </section>
      <section anchor="iana-ace-groupcomm-errors">
        <name>ACE Groupcomm Errors</name>
        <t>IANA is asked to register the following entries in the "ACE Groupcomm Errors" registry <xref target="IANA.ACE.Groupcomm.Errors"/> within the "Authentication and Authorization for Constrained Environments (ACE)" registry group.</t>
        <ul spacing="normal">
          <li>
            <t>Value: 13 (suggested)</t>
          </li>
          <li>
            <t>Description: Reached limit of KEM public keys.</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Value: 14 (suggested)</t>
          </li>
          <li>
            <t>Description: KEM public key incompatible with the group configuration.</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
        </ul>
        <t><br/></t>
        <ul spacing="normal">
          <li>
            <t>Value: 15 (suggested)</t>
          </li>
          <li>
            <t>Description: KEM ciphertext incompatible with the group configuration.</t>
          </li>
          <li>
            <t>Reference: [RFC-XXXX]</t>
          </li>
        </ul>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC7252">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="RFC7641">
          <front>
            <title>Observing Resources in the Constrained Application Protocol (CoAP)</title>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <date month="September" year="2015"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a RESTful application protocol for constrained nodes and networks. The state of a resource on a CoAP server can change over time. This document specifies a simple protocol extension for CoAP that enables CoAP clients to "observe" resources, i.e., to retrieve a representation of a resource and keep this representation updated by the server over a period of time. The protocol follows a best-effort approach for sending new representations to clients and provides eventual consistency between the state observed by each client and the actual resource state at the server.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7641"/>
          <seriesInfo name="DOI" value="10.17487/RFC7641"/>
        </reference>
        <reference anchor="RFC8610">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="C. Vigano" initials="C." surname="Vigano"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="RFC8613">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
        <reference anchor="RFC8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9052">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="RFC9053">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Initial Algorithms</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052).</t>
              <t>This document, along with RFC 9052, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9053"/>
          <seriesInfo name="DOI" value="10.17487/RFC9053"/>
        </reference>
        <reference anchor="RFC9200">
          <front>
            <title>Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth)</title>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This specification defines a framework for authentication and authorization in Internet of Things (IoT) environments called ACE-OAuth. The framework is based on a set of building blocks including OAuth 2.0 and the Constrained Application Protocol (CoAP), thus transforming a well-known and widely used authorization solution into a form suitable for IoT devices. Existing specifications are used where possible, but extensions are added and profiles are defined to better serve the IoT use cases.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9200"/>
          <seriesInfo name="DOI" value="10.17487/RFC9200"/>
        </reference>
        <reference anchor="RFC9290">
          <front>
            <title>Concise Problem Details for Constrained Application Protocol (CoAP) APIs</title>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="October" year="2022"/>
            <abstract>
              <t>This document defines a concise "problem detail" as a way to carry machine-readable details of errors in a Representational State Transfer (REST) response to avoid the need to define new error response formats for REST APIs for constrained environments. The format is inspired by, but intended to be more concise than, the problem details for HTTP APIs defined in RFC 7807.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9290"/>
          <seriesInfo name="DOI" value="10.17487/RFC9290"/>
        </reference>
        <reference anchor="RFC9594">
          <front>
            <title>Key Provisioning for Group Communication Using Authentication and Authorization for Constrained Environments (ACE)</title>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="M. Tiloca" initials="M." surname="Tiloca"/>
            <date month="September" year="2024"/>
            <abstract>
              <t>This document defines how to use the Authentication and Authorization for Constrained Environments (ACE) framework to distribute keying material and configuration parameters for secure group communication. Candidate group members that act as Clients and are authorized to join a group can do so by interacting with a Key Distribution Center (KDC) acting as the Resource Server, from which they obtain the keying material to communicate with other group members. While defining general message formats as well as the interface and operations available at the KDC, this document supports different approaches and protocols for secure group communication. Therefore, details are delegated to separate application profiles of this document as specialized instances that target a particular group communication approach and define how communications in the group are protected. Compliance requirements for such application profiles are also specified.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9594"/>
          <seriesInfo name="DOI" value="10.17487/RFC9594"/>
        </reference>
        <reference anchor="RFC9964">
          <front>
            <title>ML-DSA for JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE)</title>
            <author fullname="M. Prorock" initials="M." surname="Prorock"/>
            <author fullname="O. Steele" initials="O." surname="Steele"/>
            <date month="May" year="2026"/>
            <abstract>
              <t>This document specifies JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) serializations for the Module-Lattice-Based Digital Signature Standard (ML-DSA), a Post-Quantum Cryptography (PQC) digital signature scheme defined in US NIST FIPS 204.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9964"/>
          <seriesInfo name="DOI" value="10.17487/RFC9964"/>
        </reference>
        <reference anchor="I-D.ietf-ace-key-groupcomm-oscore">
          <front>
            <title>Key Management for Group Object Security for Constrained RESTful Environments (Group OSCORE) Using Authentication and Authorization for Constrained Environments (ACE)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <date day="14" month="March" year="2026"/>
            <abstract>
              <t>   This document defines an application profile of the Authentication
   and Authorization for Constrained Environments (ACE) framework, to
   request and provision keying material in group communication
   scenarios that are based on the Constrained Application Protocol
   (CoAP) and are secured with Group Object Security for Constrained
   RESTful Environments (Group OSCORE).  This application profile
   delegates the authentication and authorization of Clients, which join
   an OSCORE group through a Resource Server acting as Group Manager for
   that group.  This application profile leverages protocol-specific
   transport profiles of ACE to achieve communication security, server
   authentication, and proof of possession of a key owned by the Client
   and bound to an OAuth 2.0 access token.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ace-key-groupcomm-oscore-21"/>
        </reference>
        <reference anchor="I-D.ietf-core-groupcomm-bis">
          <front>
            <title>Group Communication for the Constrained Application Protocol (CoAP)</title>
            <author fullname="Esko Dijk" initials="E." surname="Dijk">
              <organization>IoTconsultancy.nl</organization>
            </author>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <date day="10" month="February" year="2026"/>
            <abstract>
              <t>   The Constrained Application Protocol (CoAP) is a web transfer
   protocol for constrained devices and constrained networks.  In a
   number of use cases, constrained devices often naturally operate in
   groups (e.g., in a building automation scenario, all lights in a
   given room may need to be switched on/off as a group).  This document
   specifies the use of CoAP for group communication, including the use
   of UDP/IP multicast as the default underlying data transport.  Both
   unsecured and secured CoAP group communication are specified.
   Security is achieved by use of the Group Object Security for
   Constrained RESTful Environments (Group OSCORE) protocol.  The target
   application area of this specification is any group communication use
   cases that involve resource-constrained devices or networks that
   support CoAP.  This document replaces and obsoletes RFC 7390, while
   it updates RFC 7252 and RFC 7641.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-groupcomm-bis-18"/>
        </reference>
        <reference anchor="I-D.ietf-core-oscore-groupcomm">
          <front>
            <title>Group Object Security for Constrained RESTful Environments (Group OSCORE)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <date day="23" month="December" year="2025"/>
            <abstract>
              <t>   This document defines the security protocol Group Object Security for
   Constrained RESTful Environments (Group OSCORE), providing end-to-end
   security of messages exchanged with the Constrained Application
   Protocol (CoAP) between members of a group, e.g., sent over IP
   multicast.  In particular, the described protocol defines how OSCORE
   is used in a group communication setting to provide source
   authentication for CoAP group requests, sent by a client to multiple
   servers, and for protection of the corresponding CoAP responses.
   Group OSCORE also defines a pairwise mode where each member of the
   group can efficiently derive a symmetric pairwise key with each other
   member of the group for pairwise OSCORE communication.  Group OSCORE
   can be used between endpoints communicating with CoAP or CoAP-
   mappable HTTP.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-groupcomm-28"/>
        </reference>
        <reference anchor="I-D.ietf-jose-pqc-kem">
          <front>
            <title>Post-Quantum Key Encapsulation Mechanisms (PQ KEMs) for COSE</title>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Aritra Banerjee" initials="A." surname="Banerjee">
              <organization>Nokia</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of the Bundeswehr Munich</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   This document describes conventions for using Post-Quantum Key
   Encapsulation Mechanisms (PQ-KEMs) with CBOR Object Signing and
   Encryption (COSE).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-jose-pqc-kem-06"/>
        </reference>
        <reference anchor="I-D.tiloca-core-group-oscore-kem">
          <front>
            <title>Using Quantum-Resistant Key Encapsulation Mechanisms (KEMs) in the Pairwise Mode of Group Object Security for Constrained RESTful Environments (Group OSCORE)</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   Group communication for the Constrained Application Protocol (CoAP)
   can be protected end-to-end by using the security protocol Group
   Object Security for Constrained RESTful Environments (Group OSCORE).
   The pairwise mode of Group OSCORE provides authenticated encryption
   of CoAP messages, by means of symmetric keys that two group members
   establish only among themselves to achieve pairwise secure
   communication.  This document defines the use of quantum-resistant
   Key Encapsulation Mechanisms (KEMs) as Pairwise Key Agreement
   Algorithm of Group OSCORE, enabling post-quantum secure derivation of
   the symmetric keys used in the pairwise mode.  The Group Manager
   facilitates the exchange of KEM public keys and KEM ciphertexts among
   group members.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-tiloca-core-group-oscore-kem-00"/>
        </reference>
        <reference anchor="FIPS203" target="https://doi.org/10.6028/NIST.FIPS.203">
          <front>
            <title>Module-Lattice-Based Key-Encapsulation Mechanism Standard</title>
            <author>
              <organization/>
            </author>
            <date year="2024" month="August"/>
          </front>
          <seriesInfo name="NIST" value="FIPS 203"/>
        </reference>
        <reference anchor="SHA-256" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">
          <front>
            <title>Secure Hash Standard</title>
            <author>
              <organization>NIST</organization>
            </author>
            <date year="2015" month="August"/>
          </front>
          <seriesInfo name="NIST FIPS PUB 180-4, DOI 10.6028/NIST.FIPS.180-4" value=""/>
        </reference>
        <reference anchor="IANA.COSE.Header.Parameters" target="https://www.iana.org/assignments/cose/cose.xhtml#header-parameters">
          <front>
            <title>COSE Header Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA.OAuth.Parameters" target="https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#parameters">
          <front>
            <title>OAuth Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA.OAuth.CBOR.Mappings" target="https://www.iana.org/assignments/ace/ace.xhtml#oauth-parameters-cbor-mappings">
          <front>
            <title>OAuth Parameters CBOR Mappings</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA.ACE.Groupcomm.Parameters" target="https://www.iana.org/assignments/ace/ace.xhtml#ace-groupcomm-parameters">
          <front>
            <title>ACE Groupcomm Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA.OSCORE.Security.Context.Parameters" target="https://www.iana.org/assignments/ace/ace.xhtml#oscore-security-context-parameters">
          <front>
            <title>OSCORE Security Context Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA.ACE.Groupcomm.Errors" target="https://www.iana.org/assignments/ace/ace.xhtml#ace-groupcomm-errors">
          <front>
            <title>ACE Groupcomm Errors</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA.COSE.Algorithms" target="https://www.iana.org/assignments/cose/cose.xhtml#algorithms">
          <front>
            <title>COSE Algorithms</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA.COSE.Key.Types" target="https://www.iana.org/assignments/cose/cose.xhtml#key-type">
          <front>
            <title>COSE Key Types</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.ietf-ace-oscore-gm-admin">
          <front>
            <title>Admin Interface for the OSCORE Group Manager</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Rikard Höglund" initials="R." surname="Höglund">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Peter Van der Stok" initials="P." surname="Van der Stok">
         </author>
            <author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization>
            </author>
            <date day="26" month="March" year="2026"/>
            <abstract>
              <t>   Group communication for the Constrained Application Protocol (CoAP)
   can be secured using Group Object Security for Constrained RESTful
   Environments (Group OSCORE).  A Group Manager is responsible for
   handling the joining of new group members, as well as for managing
   and distributing the group keying material.  This document defines a
   RESTful admin interface at the Group Manager that allows an
   Administrator entity to create and delete OSCORE groups, as well as
   to retrieve and update their configuration.  The Authentication and
   Authorization for Constrained Environments (ACE) framework is used to
   enforce authentication and authorization of the Administrator at the
   Group Manager.  Protocol-specific transport profiles of ACE are used
   to achieve communication security, proof of possession, and server
   authentication.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ace-oscore-gm-admin-17"/>
        </reference>
        <reference anchor="I-D.tiloca-core-oscore-discovery">
          <front>
            <title>Discovery of OSCORE Groups with the CoRE Resource Directory</title>
            <author fullname="Marco Tiloca" initials="M." surname="Tiloca">
              <organization>RISE AB</organization>
            </author>
            <author fullname="Christian Amsüss" initials="C." surname="Amsüss">
         </author>
            <author fullname="Peter Van der Stok" initials="P." surname="Van der Stok">
         </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   Group communication over the Constrained Application Protocol (CoAP)
   can be secured by means of Group Object Security for Constrained
   RESTful Environments (Group OSCORE).  At deployment time, devices may
   not know the exact security groups to join, the respective Group
   Manager, or other information required to perform the joining
   process.  This document defines how a CoAP endpoint can use
   descriptions and links of resources registered at the CoRE Resource
   Directory to discover security groups and to acquire information for
   joining them through the respective Group Manager.  A given security
   group can be used to protect communications in multiple application
   groups, which are separately announced in the Resource Directory as
   sets of endpoints sharing a pool of resources.  This approach is
   consistent with, but not limited to, the joining of security groups
   based on the ACE framework for Authentication and Authorization in
   constrained environments.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-tiloca-core-oscore-discovery-19"/>
        </reference>
        <reference anchor="NIST-800-56A" target="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf">
          <front>
            <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography - NIST Special Publication 800-56A, Revision 3</title>
            <author initials="E." surname="Barker" fullname="Elaine Barker">
              <organization/>
            </author>
            <author initials="L." surname="Chen" fullname="Lily Chen">
              <organization/>
            </author>
            <author initials="A." surname="Roginsky" fullname="Allen Roginsky">
              <organization/>
            </author>
            <author initials="A." surname="Vassilev" fullname="Apostol Vassilev">
              <organization/>
            </author>
            <author initials="R." surname="Davis" fullname="Richard Davis">
              <organization/>
            </author>
            <date year="2018" month="April"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 1268?>

<section anchor="sec-profile-reqs">
      <name>Profile Requirements</name>
      <t>This section updates how the requirements listed in <xref section="A" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> are additionally fulfilled.</t>
      <t>The following includes only the requirements for which the present document provides an update.</t>
      <section anchor="mandatory-to-address-requirements">
        <name>Mandatory-to-Address Requirements</name>
        <t>The mandatory-to-address requirements initially specified in <xref section="A.1" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> are updated as below.</t>
        <ul spacing="normal">
          <li>
            <t>REQ11: Define what specific actions (e.g., CoAP methods) are allowed on each resource accessible through the KDC interface, depending on: whether the Client is a current group member; the roles that a Client is authorized to take as per the obtained access token; and the roles that the Client has as a current group member: see <xref section="8.5" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> and <xref target="sec-methods-gm"/> of the present document.</t>
          </li>
          <li>
            <t>REQ12: Categorize possible newly defined operations for Clients into primary operations expected to be minimally supported and secondary operations, and provide accompanying considerations: see <xref section="8.6" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> and <xref target="sec-operations-clients"/> of the present document.</t>
          </li>
          <li>
            <t>REQ14: TBD  </t>
            <t>
Editor's note: Approaches used to compute and verify the PoP evidence to include in the 'client_cred_verify' parameter. Reference from <xref target="sec-send-join-request"/> and <xref target="sec-receive-join-request"/>, once also covered the case of a KEM-based group that is a pairwise-only group, with the joining node still able to prove possession of its own private key upon joining the group, through a MAC used as PoP evidence and encoded by the 'client_cred_verify' parameter of the Join Request.</t>
          </li>
          <li>
            <t>REQ17: Specify the format of the group keying material that is conveyed in the 'key' parameter: see <xref section="6.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> and <xref target="sec-send-join-response"/> of the present document.</t>
          </li>
          <li>
            <t>REQ21: TBD  </t>
            <t>
Editor's note: Approaches used to compute and verify the PoP evidence to include in the 'kdc_cred_verify' parameter. Reference from <xref target="sec-send-join-response"/> and <xref target="sec-receive-join-response"/>, once also covered the case of a KEM-based group that is a pairwise-only group, with the Group Manager still able to prove possession of its own private key, through a MAC used as PoP evidence and encoded by the 'kdc_cred_verify' parameter of the Join Response.</t>
          </li>
          <li>
            <t>REQ29: Categorize newly defined parameters according to the same criteria of <xref section="8" sectionFormat="of" target="RFC9594"/>: see <xref section="12" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> and <xref target="sec-ace-groupcomm-parameters"/> of the present document.</t>
          </li>
        </ul>
      </section>
      <section anchor="optional-to-address-requirements">
        <name>Optional-to-Address Requirements</name>
        <t>The optional-to-address requirements initially specified in <xref section="A.2" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> are updated as below.</t>
        <ul spacing="normal">
          <li>
            <t>OPT2: Optionally, specify the additional parameters used in the exchange of Token Transfer Request and Response:  </t>
            <ul spacing="normal">
              <li>
                <t>'ecdh_info', to negotiate the ECDH algorithm, ECDH algorithm parameters, ECDH key parameters, and exact format of authentication credentials used in the group, in the case that the joining node supports the pairwise mode of Group OSCORE (see <xref section="5.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>).</t>
              </li>
              <li>
                <t>'kdc_dh_creds', to ask for and retrieve the Group Manager's Diffie-Hellman authentication credentials, in the case that the joining node supports the pairwise mode of Group OSCORE and the access token authorizes to join pairwise-only groups (see <xref section="5.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>).</t>
              </li>
              <li>
                <t>'pqkem_info', to negotiate the quantum-resistant KEM used as Pairwise Key Agreement Algorithm, the KEM algorithm parameters, the KEM key parameters, and exact format of authentication credentials used in the group, in the case that the group is a KEM-based group and the joining node supports the pairwise mode of Group OSCORE (see <xref target="sec-token-transferring"/> of the present document).</t>
              </li>
            </ul>
          </li>
          <li>
            <t>OPT4: Optionally, specify possible or required payload formats for specific error cases: send a 4.00 (Bad Request) error response to a Join Request (see <xref section="6.2" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> and <xref target="sec-receive-join-request"/> of the present document).</t>
          </li>
          <li>
            <t>OPT5: Optionally, specify additional identifiers of error types as values of the 'error-id' field within the Custom Problem Detail entry 'ace-groupcomm-error': see Sections <xref target="I-D.ietf-ace-key-groupcomm-oscore" section="13" sectionFormat="bare"/> and <xref target="I-D.ietf-ace-key-groupcomm-oscore" section="17.11" sectionFormat="bare"/> of <xref target="I-D.ietf-ace-key-groupcomm-oscore"/> as well as <xref target="sec-ace-groupcomm-errors"/> and <xref target="iana-ace-groupcomm-errors"/> of the present document.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-future-cose-algs">
      <name>Extensibility for Future COSE Algorithms</name>
      <t>As defined in <xref section="8.1" sectionFormat="of" target="RFC9053"/>, future algorithms can be registered in the "COSE Algorithms" registry <xref target="IANA.COSE.Algorithms"/> as specifying none or multiple COSE capabilities.</t>
      <t>To enable the seamless use of such future registered algorithms, this section defines a general, agile format for:</t>
      <ul spacing="normal">
        <li>
          <t>Each 'pqkem_info_entry' of the 'pqkem_info' parameter in the Token Transfer Response (see <xref target="pqkem-info"/>).  </t>
          <t><xref section="B" sectionFormat="of" target="RFC9594"/> describes the analogous general format for each 'sign_info_entry' of the 'sign_info' parameter in the Token Transfer Response (see <xref target="sec-token-transferring"/> of this document).  </t>
          <t><xref section="B.1" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> describes the analogous general format for each 'ecdh_info_entry' of the 'ecdh_info' parameter in the Token Transfer Response (see <xref target="sec-token-transferring"/> of this document).</t>
        </li>
        <li>
          <t>The 'pqkem_params' parameter within the 'key' parameter (see <xref target="sec-send-join-response"/>), as part of the response payloads used in <xref target="sec-send-join-response"/>, <xref target="sec-retrieve-group-keying-material"/>, and <xref target="sec-retrieve-group-keying-material-sid"/>.</t>
        </li>
      </ul>
      <t>If any of the currently registered COSE algorithms is considered, using this general format yields the same structure defined in this document for the items above, thus ensuring backward compatibility.</t>
      <section anchor="sec-future-cose-algs-pqkem-info-entry">
        <name>Format of 'pqkem_info_entry'</name>
        <t>The format of each 'pqkem_info_entry' (see <xref target="sec-token-transferring"/> and <xref target="pqkem-info"/>) is generalized as follows.</t>
        <ul spacing="normal">
          <li>
            <t>'pqkem_parameters' includes N &gt;= 0 elements, each of which is a COSE capability of the KEM algorithm indicated in 'pqkem_alg'.  </t>
            <t>
In particular, 'pqkem_parameters' has the same format and value of the COSE capabilities array for the KEM algorithm indicated in 'pqkem_alg', as specified for that algorithm in the 'Capabilities' column of the "COSE Algorithms" registry <xref target="IANA.COSE.Algorithms"/>.</t>
          </li>
          <li>
            <t>'pqkem_key_parameters' is replaced by N elements 'pqkem_capab', each of which is a CBOR array.  </t>
            <t>
The i-th 'pqkem_capab' array (i = 0, ..., N-1) is the array of COSE capabilities for the algorithm capability specified in 'pqkem_parameters'[i].  </t>
            <t>
In particular, each 'pqkem_capab' array has the same format and value of the COSE capabilities array for the algorithm capability specified in 'pqkem_parameters'[i].  </t>
            <t>
Such a COSE capabilities array is currently defined for the algorithm capability COSE key type, in the "Capabilities" column of the "COSE Key Types" registry <xref target="IANA.COSE.Key.Types"/>.</t>
          </li>
        </ul>
        <t>The CDDL notation <xref target="RFC8610"/> of the 'pqkem_info_entry' parameter is given below.</t>
        <figure anchor="fig-pqkem-info-entry-general">
          <name>'pqkem_info_entry' with General Format</name>
          <sourcecode type="cddl"><![CDATA[
pqkem_info_entry =
[
    id: gname / [+ gname],
    pqkem_alg: int / tstr,
    pqkem_parameters : [* pqkem_capab: any],
  * pqkem_capab: [* capab: any],
    cred_fmt: int / null
]

gname = tstr
]]></sourcecode>
        </figure>
      </section>
      <section anchor="sec-future-cose-algs-key">
        <name>Format of 'key'</name>
        <t>In addition to what is defined in <xref section="B.2" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/>, the format of 'key' (see <xref section="6.3" sectionFormat="of" target="I-D.ietf-ace-key-groupcomm-oscore"/> and <xref target="sec-send-join-response"/> of the present document) is generalized as follows.</t>
        <ul spacing="normal">
          <li>
            <t>The 'pqkem_params' array includes M+1 elements, whose exact structure and value depend on the value of the KEM algorithm specified in 'pqkem_alg'.  </t>
            <ul spacing="normal">
              <li>
                <t>The first element, i.e., 'pqkem_params'[0], is the array of the M COSE capabilities for the KEM algorithm, as specified for that algorithm in the "Capabilities" column of the "COSE Algorithms" registry <xref target="IANA.COSE.Algorithms"/> (see <xref section="8.1" sectionFormat="of" target="RFC9053"/>).</t>
              </li>
              <li>
                <t>Each following element 'pqkem_params'[i], i.e., with index i &gt; 0, is the array of COSE capabilities for the algorithm capability specified in 'pqkem_params'[0][i-1].</t>
              </li>
            </ul>
            <t>
For example, if 'pqkem_params'[0][0] specifies the key type as capability of the algorithm, then 'pqkem_params'[1] is the array of COSE capabilities for the COSE key type associated with the KEM algorithm, as specified for that key type in the "Capabilities" column of the "COSE Key Types" registry <xref target="IANA.COSE.Key.Types"/> (see <xref section="8.2" sectionFormat="of" target="RFC9053"/>).</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="sec-cddl-model" removeInRFC="true">
      <name>CDDL Model</name>
      <figure anchor="fig-cddl-model">
        <name>CDDL Model</name>
        <sourcecode type="cddl"><![CDATA[
; ACE Groupcomm Parameters
client_kem_pubkey = 35
kem_pubkeys = 36
kem_ciphertext = 37
kem_pubkey_hash = 38
]]></sourcecode>
      </figure>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The work on this document has been partly supported by the Sweden's Innovation Agency VINNOVA and the Celtic-Next project CYPRESS.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+19+Xbb1vng/3qKO/I5I6klaC22Y7NNf6NIcqxfLUuW7HZ6
khwXJEEJNUkwAChZdTzPMs8yTzbfcndcgIuo2Ent00YSCdzlu9++3SiK1q47
Ym9trUzLYdIRr6fxuJyOovOkSIsSfhd/TW7F0bgXT4rpMC7TbCxOkt5VPE6L
USE2/3p0UmyJ6zQW5VUiTi8OTs+PxPd5Np2Ik3gcXya5eFuk40uxP4UHxmXa
4zHicZ8+yvL03/zJIMvFQTYuyjxOx0kf5rxO82w8gpdgnv2Do621uNvNE1gu
Tto451o/643jEeynn8eDMirTYdaLo7iXRFnRy/IkuhxF75NRBDtKinJtLZ3k
HVHm06Lc3d5+tr27FudJ3BEXSW+ap+Xt2s1lR8ASxN+z/D3uhmZbe3/TEcfj
MsnHSRkd4kxrsL2OKMr+WjHtjtKigJ2VtxNYyPHRm+dra72sD693xLQcRE/X
1mKCQGdN0L9I/hQiHRcdcdIWb2jd+mPe0kmc9zL/qyyHUc+PL47E/nf6Q4Bl
ksB6jot48K8s7xeXMRyp2N3VT/RgcwBPPGrzWdaHWS6Oop0nj8Sjbevz6bjM
4fGLm6SfjPXnyShOhx0xwmW1GdL/K0/bRbK2Ns7yEZzudYJbPH9+8OSbR886
IsNt8wff7D7e7cDI8UT+/eTRDjzQLZL8OuGPnj7Z2YZH+v2h/nsPHqFjlJ88
w1F73Sznv59t86BFov/e47+jeHhZyA/hoDsCMEL9+Qz+nORZdwho0U9K2JN6
8vGzRx3xvt+Tfz578kiONhpG/QIBdxwdttMEzhQx7H1yG10ifvSy0UjiW0dc
juznGAf1Q90Uzpv+jCQs3CcV0qoX1MMaCvrxf+G6Jj/3ELs7wv5LPiVJwYyn
BqcX/E/gpefHZxe723uMpJJLnGT96TCJXsYlEHQSfRcXQLDAKKIaRiEuAO/6
cd6nQfpAdB2xu737KNp+Sp/AcafAcMaDTNHC+qvjizfrHbGO08Oze+s8f5xf
IkZfleWk6Dx82M/SNqD+w53t9pPt3acP8a02vtKGV+CNixf70e7jJzyqS21E
Mfi8vTEi+ES8iIsrd83WCuklAos4e/ud2Hm6HT1qicPTY1FdBX1pbXp/egk8
Bvaz8zi4n/H1cDLtFm0AWtm+zK4f4i/4yUMczh+4PekP8Fj3X+23D04vjtov
krif5O2zOAdOAXypqN04vmOtaxAPiVo0IHA4wcMJM1xwzTc3N+0U+C4dRAws
75KZ9kOkEfpP+8NVORo+uKLhook9HK39FCXBKlZNAy29XuJL1vIqH8h91G3g
4LvT8/ZJPJkAi1/dHgQOK9Swi+0I2BH+X67b306ELDMamZFpLyDm2t8rRrOK
Q0G5qQdc+nDcrSCfNewzcCCkFLSV/G6DYlEmH8qV4BjrG2poIYde0cYk6y3k
6MCnafTAFt1zOsrzbGVnxIOt7nwSNZ7hVPvDS1D9yqvRHVmUGeduvCm2xzHL
BJnWfgP62x1XiTo0DXO3RaJmgdok6KsgiCzVytE/jIYb90fpGFUP/i2gAchn
+yn8vE5Qucv75i94ASVO9HR7O3r8ZD8EA09nPWqL7+L8fZJ7OuvREJV69zvv
1ZdtcXBlqZX84st0eGt/7r203xbn2SX8+v7We3F/OEzG/pfVt/+G8B4m1/7b
k6wos6H/tff+eVscxtdp4b18noLak/et7yQunCdIDgloFdriOYvTPPp7WiSs
PoEe3h2mxRWev7joXSWjpJAG1CGcSg4cQLzMLmNCVXGQ307K7DKPJ1e3ImK9
5GKS9NJ4KM6mMJA0tuT5tWABsCL8ZM9RxHaeRtuPFtRH5DzWNAWrJxdnbTlf
vkcKyhqafWBmoDp29PI56HQ/gBod/W/499P62tpaFEUi7qLd1wNLDL4SqHGL
fjIAlClETNQDuy/ztDul/RwkaHSB8Xl4sCXKDNV2uS+gEIQVUAboawAFBHHB
Oh2xI4EHMB3LFbfElECLZuQK7FMxQB59AyZiW+yPEUVAg+wlIhsIWKlIC5rI
NY5xVL18XIu/g3QcWrkoeskYsCDDMeMS9pHQ4PYC9ycTjQFneVZmPUDozYNs
/2yLtofPKzmDa+AHeHmn3X8lvdIIOX/z50cXbwbToQcE+S4JyC2wXjPYxnte
2ATw/AbRfATWJULEflYgtUU/s+tBnldLpCWCDL4qUjDK8JzzBJgBHo6Qz0b5
PG4K8lLAnhn+Z2ol+Mb+JVjIRGxakCAs+zgb6KrAXs3K4WQK2NQVLKqf9ab0
FohmIGceOEWkHMR84IRSB0dRl0wj98xhbDg82hM8lXzAZV4ymhydiAlRFM1G
x4Sf9dLJVZKjIgCfjTLAD8aJUTLqooqofCHOPC34aFrgESgcpx0xcGAyZ2OI
Z7OOpM20OkrBFgcZ9AB9HzlYgj0a8YH4+CDFDz6trX03TYfo6MDDWg6VJBKJ
jx+ljPr0qXXfGIuT2Qbwp09Mmn3gQnDKUZlF8MOsAKdYhOhgeLTuYdgbYDWM
Z3XknZTTSWEWxO8RW5Hnw28BLoKEyoATlzDYDeAvEIeHBWk7abcAlQTzYaCi
YgIrJqLCLYzwQTws2Cg8MUgRoxDzAqwIt8sz4wP4NuBuf6gQ7F8ZPAMw6yVF
gWge9/suprYk+mbwNAAvLt4XgFX7yOXHWUk0MUjikui/vMk8NO/hJhS5gGQs
YIMFIQIcvdr/bG6zWSQJgBZQhaUjPuAd/BYstHeVgriExerRQF7GcFDjAUMq
HiI4ERBFNs2B7mNXhnRvYZHxuMDxkTlcEtaU8SWxkRjZG+O03Aqc+hjt7Qmw
EdDuCns82F0y7qG8l9TLiLd/pl+G2ViaxaK4BS0DxGXPoXGWFIAxAMIhPHqN
3LQATUVjzpiPxQa64pq4flhcX0+Xg/ifpLC6trgITgfLzyXLgdcGeTaClekH
5LxAS6DTtIAgQGciBJvmY1wjkMNkWqoXcQWx2RWNLmHgwQ5PQy+tBTArgFYR
KA4oERqxYv2AgMeM2ck18nQCU2wrV/DWEGB1noAmiLJGOskB/rRI0EQOzl+D
KkLrRl4wRXRsiX6eTSLYVJ5MhiAXmOcgVADQIr6O02GsiHAuyeQh7m57p72z
HcZeCdBCSzMJUOahNvAZwvx8/flVpn7c3gnN3AahAMPkAGmQwznjt9nqrC3y
pCw0SdD30xzZ+tFwmALq98TBNAeZfJgOgE1FL5LhELgXeurgu4h/uIcLa7ZN
GOChwG5KWlWZjog33MDMgCK0VJgcYDbORCGdf+m/YSXudA9fZeOI3P6gsKKG
QKqHYkubhy9AD/4rSBPCI2RZ3YRPgXS9qlgViaP1S7wOEgiqU8UcHO56OhzD
8qTapKaLyzLuvVc6jFwZsGgQCLg8i4EsoV61RDGFFQK7OHkZoc7y8aP0HKPk
XoXu5Ytn9E/TedraxspVeZwVaFerH2j2DNTQ8N37fg8E+q9grMBG34QWcAlA
ID0AdmopHzDNACxXRA29SoSEXmnFQFGawr0aKSSyZlof7L3DDc+tbLsr5l2S
eqVA9Ctp3ZK6YGkpqAcYXqRncO8wVYwDS6NgFjHch/7+8SP8GkncAPL+uQDI
TCd9WudVdkPTwMdTYLtMDsCXSgVIxf33mfMjVJFdAwtJ8XMSkqBjw9jDpA+z
PXgg3iT5KB1nw+zyVjxAE6E0H3xijEZ+fYPRSbF+8vbizXqLf4pXp/T7+dHr
t8fnR4f4+8WL/Zcv9S9r8omLF6dvXx6a38ybB6cnJ0evDvll+FQ4H62tn+z/
Y71F571+evbm+PTV/st1VnNtvMM9AvZ0JdZN0AvTB5a2BoZBD+icwfPdwdn/
+787jwBM/+P8+cHuzs4zAA//8XTnm0dS6+fZsjFAiv8EgN+uAeEmcY6jAAyB
M08Ac4YFsc0CTmUsUDIBQP/wA0Lmp474c7c32Xn0F/kBbtj5UMHM+ZBgVv2k
8jIDMfBRYBoNTedzD9Luevf/4fyt4G59+Of/GqKzMNp5+l9/WVtbO6ewEWsG
yYcJq/p8HoN4BFQGkEP9tQPwEYhQiGJMxaCN9ZIJYHGeDGP5GjD+HlLNISrz
h8gnCHnFS2AHU9QkNw8OD1+ytQaGLjJ+9cp3KbCzW2VqnieACaB2lkyRmxin
4de6WU5CD1ZAwRtlm6aXxD3x8yOjzG+ii1hahwUIGvkLxapJvs23K+CrxsDE
x0IcmSUfP+pYlg2zSO5fSuLH76SJRzJ34JghyO1g3MsrxYcsA17yff7aYVZV
w3uWREE2C8AH3Yn9kEBP6RjMmn4CaCDEH3wjWCogNSZwBuiGlnCmRG+B1Al/
OLMzCjIvlSaTJ69wYk/7APVNGot6EWDcs0koffgIVN+IV9Z6S26LRQAIUf54
o7AkFh+JCRj6g5G+qJ9u2/AZUa4H2VFBvxy5P1Il+SKwf5JhvRlsHg8bxOrs
wUIFUiAzX6As7feZhdJCtTXvWLee/fFN0PbgnZ3ZqnHD5oxOrpdtzFNWw1zk
6yblTZKMyTGhdACU6Z5PZh73gr9UFOEd4Vm4ShlWDhVNYvP5Ofw5atQMhlDs
quC+NoFgYguSDYSwHb+kKVlnxWqmFA8xx4qiXY06ENCXp/hVzIWWtrZ7oIRJ
Kp/fNJFIWvHBLWMxwfaeT3M0OpHvtIAp3V3OORqJ9EFbtgzuPa5aR7FjHSmD
p60nUQocvk78J00KNQE6PIAPIBLEee8qReKdshltnQUnNey2t0ke4Hw8floo
tl2IgyH6bEAcbmGgSnKQC0wEA+vp/GKrFbDk1Nf7F0xSb8dDpBTyY9FppuM+
+3zYrsHdiHWwIiYZ6HLr2kFCaDDIhsPshjyhAEpect8oCGblsJJ0hBsu4ftx
RjSRyxUX2g5+WGbvEwbwQ3KMo6gq8SU6mAvez0Mc8t8RCgP11fkFg54YoFmA
5dRZ//GH+MeftEeX/S3pJKaVyIOht5VhtW50gxZ7OEoLoS1ld051w/a8sRQr
fMVAGqqaFskEbVVtSfbYjZObpQxL7bSoIHvLEjfNRjm6cXAhhY92hFKsZ0gs
ZV5Jaaip1AlA1/5AmwBN9oPBB3xwPEUhgU5TdCaVWX6LMQTpcWFDYMKGk/25
bX61SFVJyM80vA071xpWkycDjjdVzDrCKVKbvHMK2Xh4sByGu5XGonw4YExK
c1yqxsvg1Swvho9Yl8TWmTaUd6PqEYhDLo/Z/hhHoM7SOc8BwgmYy3lHec8D
6gFpcQU5MnJ+3tKdMxkZsdQLHXJpq0lQd+3PMUme9BLAm8A8JKcbZoLTz9U0
AI9b8mCDLgrUhitnHUAq0YYRWHhGUJBncoVWLDvWE38pck8nwAqAPGbuiB3s
g/SSNHA8UmudiFPjBMWBgq67vkqkyD9bGj2XAxZqOywyMAtkjOeGfGFd886K
4SI3dKH024hMfXqmE94TDFWwQ8AE10idW0LlXXQ2V39cQHH9/vz07dmr/ZOj
jiTqDyVmmyNiKNC8PT8mGMqoIlgICrlOkQC10xtFM4f60/E1MPUYQ0rHwBau
4+EU9QugMQrBaq2Xt4O5NgprLYvHJpVXp4dHCy/SQsFVLXiM0G1ar5wUNcKU
3GgtzwVFx4ZvGh0F8ZJUQeNRnHnw1TNHoqGvyDOJJDVLEWa/3quM3R4F+vBI
zGbT0l10C7TYeDQZJuxCIE8ImY6gI460miuDD3AW9AD7eOGDfhpfjrMCAzpj
OVdFv3cxld0utKOPH/cnE2RUH8T3/B15csTmemDY9a02KAfV2ThXS0bsskGp
QvZKZiD0CKmmICty1xmkpKA2yjeMa5nQpDBRRwZMYAFBBa1lQoyaaaMGJpKN
i9OTo3eI7xu0ZBl1pMAOPsXoyfmFvA39gtYZDw9fEl4Mpd+RwAz8lgAY0Tcs
41n225+2xXM0D/jIW+JjsgEG1zvjQ9/oiKuNXm8Qb+883mm32zvPHj3dAByh
xybTLsDnHYiKK3ru8eNBbyeJY3guTrYfb3zigBxj0se9b8Jj7T0NvgugBnQl
+YTZZUd9ljVnwwRNQFh8Uib6uCjgK1I4+j4S6BCDEyBHpQOGVecEBOSwyFoa
bAue4IRnlgekzahZh6r5yf2fpOJCEw9Gav+Y/XMKkvA6TW5wkFfw43SS5FIL
RUc/jprJRz6tNpQTF5IPIhX9HXNpYuaxKqqD7OwNWV9v8nhcoBIsdTOiwMpX
UlHQAHZX4MnFx+09rRu3DH/HeGpcvA+8bzEMx+fXZZaZ+Bxchsv0yKhAddHx
pOx0PnNMtlE2tMcYEfZkfUal3CRKPdJObHDhCIUTkwp6sJ7o7W5p38N/Y6aP
gilrd1lg6z3Sudl0ir1AmzpuWgr7OQogTLar6+JqoZ2iuhfhXiKpXWopgN9K
Ldh7oO1tRGKAzjZxt6FMjkIdF1P2HNLSSZoCbMkuE1K7CdWMtsnOR11nMt9e
ec1Nm1VPmHO3tRv/2HP0PSZoMCgjr2IRhcHj4cszlRoyolQUAplvgP92IK6g
EjEwIgUMG6rGnQ0MjzLoLGDW7JBUIWmTEz3Tq7dmLJIETVlulq3g+7YpKU1S
5Uz6ftZ+4p+Xtl/E32hD0hynmNlv8OgAphGBN0KocxJQDwZkqc6MawwizDjx
KmNpKUXuP0VHZ2FKQrYns/g8rT3usYTs3rLck76nsOQhbvt2MsziME9ETR9l
u8dXda4eHv6YQzOgl/VKyp5OHMPfs/trQYlMGi0YqpqGuZAaigiTDCQvPZew
thxfOHZ1eVK6oYbam8KRjnFZDYwfEcfeUZPbYsHlA3rJ1WNxBZZsYPgdnb+h
ZX+eNU6mFQjX0F1FvspERpUxJALZna+B1SN63ee+7O3IrTTitJd7Y7m9HcSe
sS9EejuPFAjuTOe3VRWR1/MejJUUNOe5KC5o3ryHkzmbcQD+si2mJlmSlcWG
s2VGm9faqLPAM4fLAXjjnnL9V9kp6LrXaDWw7bXBVkRHDDj+Jc0BzxoIbbtF
Rw+2l6AKtVAgz+fFABGdM4cuWxO8tLxlZNC4ZgH5iZQhE1CmyX5XqU+4rBvp
oQy6KKpGgyUT0OGdaIejnZq2hBEDovSSzbfwSvbkSsiZrtXgmolO9v/hpndh
PWosxbTZgZbGkljBMh4ovb/fEpSjdBVfK1PXFuTsDdFL7SYwpNg8PXuzu0Ve
dRGJjcnP6CNA22nD3RN9QbEzFXlw7GySqmwsazO9SNE/IT/953g6HP5TbG5/
GDzZ4goj3nfYTgsEeRfQblqaE5hgu1FjzLfIkezPVbYkiXAZbSO1oy7RpHBi
1fXGpQy4zmVe5ir3PWWmj9/i8ZHxVkwnkywv58lMDjvMAUg6ws/OT28GjkFo
DYNkgTkhYD5KMgH+Ek4f8zId1NFApboyGaCSUKqhpjpSpUh4DFIJwEKnbE30
LsE2KRvSB72R9je8Mh27/oJQ1PbWWuqRf3JqRJ4KkGhDlJQQzsisxc/63/Dv
dSC04XSkfZHrXr30OgD0Ek2yWziUUGG2DmbICW1n5pVKZUKntkRJ7dvU5Sk4
YS+exF1MhUWwxXkem7oplxR0pB6PxNojZ0HqmB+/jNP5VsP6gTXVyneP7smV
Q4C+J1XtdqJfMrk/2iq4G6T0BPMDShes18BJ18UbMCH/eTcYlXVI+TIG3h6e
rdJnpGbWSnsTSiJBhQDMVYaWnVf0KBDAapGaMuFSMy17UBsBxWAO3soQ1WWB
xPCsRLxC3CRgQlBkElXPPIFhkNRDSX9e3NseRwdbSDgTjqlEG6mUySU0CXeq
oDG7VXkaxuqqliBZp6g4Gwy3gT4JyUSRA96qxAhPJ81GqRQCdXy3kdlS/RUK
GOdtkyLUr32fhLZ2x5NCKHnEkD4JMFhLAKZFQPTpOq0AF+ZoAozSUoWMoLAJ
lW5CAT7Ud92czDm0sRrBR5pT1i25WIXSizzpZyfIsQx0gzH244BH18mtAWbN
UemJSTUARI5M5L0lJLpUlprE+dCS1CkGAduX7ZabpwM4lGcxpWtY6WqgGtjN
J7hkQ/1ZOUatFg3T8XudOuLFVSNpql6lE22MhL3LFNR0QKG5DBkBlqbJVQv1
mgWGX2VSu/WFZHi5pcFXExSU6t83uaYGTdWG7YwxlclmUseq0YqdbemPJefV
liqrMUuLKZQSmgqGw7IZZZBUteJg4iPHkTUj1Opzg8JKKUa2iyhDzsUOOkw6
KphFUfInJZfZaacFh99ZPy6SUYxz6ByjUpVw2HlFyiLkKGwg40hyiS6WlonM
TmArXeBZJZYNcNJC/O5wUdWEJO5Sw/UkczPKgQz7aqMVrZSerMymxMQCrXdy
d20AkU2SDdEbxmmlzHSvvWtY1JZyetsmRo3xaIeFMNmqMq7F+qTfuYaqXJfy
DDvO8oSgtxNRqeDU14ZzwSzYeQ7EL6d1EVFm4ls5yf7xLGB8CVoxO2jotEOg
N6ZJnVDVGtjdjoCynAnyrMKib9eqmpDaAtdlWP5f9Tm9X8KzRel5iFcBGHFk
22LSR1EEzpscf5ZU1sfecOQ1BSLSwcgzcEGYFZVmr8ogzWG/2kZUpqCTwZRX
4Gq+LSznp1/VIZeBq+Nn2Ov2AV0E09wAnhU2hpAxDqwVmJO1M6Tk9tCtFg9K
CmhJJkIEJTYu8eUNvVWggAzjDK49TEaqmYC6IOCx5zJ1Rs3G2X2SdZnAUbUq
weZ0ql2FZnVyTSbDRpAaFGTvdkap00InjP8q5UtV1nGRMip0xosrzQkazd4/
+knRJlKHyVVEQ47mafKUBkKNPDUF8ncyaGUO7lWaV47KNm59Yg8cj0VFckXa
F7bgMZHwVoK6n0woMUSWcmtr2oLnr3WutEvVfUieLcVVKU9nmhurSdOaWagF
TcMNMnR3+3D3HQtLwR6NxqrL4OtBVMBrseaBfRaW3ZuSSVdlWvIMlBGzsCN2
zmMg6TaXomPaphjkkEIUZX0/S7jQA8WkzJUGMGIA5nbGshGeTq0744blTFBA
UceBwZcYFZD7dvhIr36RqWzarDBIgYEh75iUZ00qBZyOpewJqbFru7QeIoau
UItimzYW8DarI92YKmF7SV5ytkRSbH02+WP2Z9Ca00axln9cms0EvEONiIHm
0vLuGQU+WU1ul9Qs5S9qKRPGIkflZOGAo9CeGn4mTcCaIzUMVVPUiKp+e8/Y
0EpaQDvjqB/rXnEoBqDiBW2xT34BwLdkwrVcChgYYUO/2ZfkNhuTujuwudZ8
PjM7k1yrbqadi2e1syOFMlV1xqyuulfz15sjlynumwKGMNT/Mf+4Wbx5T3wr
rJPJk5/FQ/eDYrK25j3xrUBOK6r//hSG5lrg0eC/P2nz2FjG3uzFBKb/4Y/C
R6efVjN7wC50FkBziW/XfoBR035HkHQCkMGK6NefWvCF1gI6KArg2xKYt/nC
SNyO+CEe31rvuAK5QxtVf2LtAj+rGJcaHk9j7ae1NV7MtzSdfebSqSW5gGzE
ZbM7LAy69TDTeMJZ+lCtXhdFkNNHn2omqTUO1+YbXZyogt2zqqTGDelwkCjN
vUgQ2GOcgDGYUpGQ1e+hEsbWTlLToMWoHnU8TDZ3ukywDdSQaFR2n5JND2he
e9vBXWH/rQHgF5c+0YyVkBalTrAz9b+lO1hlTbAPVjqJvbaQofRi6Vwr5BeG
EasUBJ0joRzPutegipnqODW1WFSP2skglWw99v1eqAQUJ7NZ7aSaYrxY+scT
KyW2LqZMKUGOR532YArunJVZ1bf6pdDWjgPxerkHguYmoN8WMW/N7UlptIPU
pDyOuEavVQWSWgqKMluoB/JDKKNxo0cy5J0p/NjoYHfDrK+K+kjx7d6if438
A6jpaj1PH6IdMRsnN5jLQ/huOT+dbaPNwOPQ+EPUTzm3QVMBHRr24o7qOszL
gOdBQJu6S6qrv1a1Exlk1n4bb9vKUe/m1NBD1CYh0R0/9sN9QSRZjAUdpdZM
3PQOTHzkhRgAc5ZKmvtpuviUvHUDfXgUkeU/jUz3N1EE9mCakVbTxrBw2MoC
S/pGfwmm46ra0WDqF5apTbA9uZApZMhZaT+bZRZ1k0gS9JadzhbMyMulZz6E
ezA8Be5wkS2wXoxC5VHmiDyXqnUfRnnZ+E3oLiEKIcv8VOuExRTApkdy8EqV
wJ/sHxjkzM5AHiKEe0wViviUQSoJlIQwp6VvVENZNg9gHnrO1Qf1bDRYi7Eo
J92dh5NWj4eYKS9gxewUddFMZpJ7nLSRi44Dq+Q6Y6wsvxxrqgswTMcyHKhs
JljgaSlbXwT0+pljBRKjbCiFegOaOgcfLkCuHqEbNoaLTNKxAag7aFp4ueEK
rUfxh3SErSz7YDIhGzJxBD9dW6e/+HTosV13ZkpVpGp31U35cXt7T2xiQ4gU
qOXtWCdNbAm610KHcTn0oYO6JunxgF1q0XNW21CRAkxZt9wCD3vcYSzyLqD6
I9a0Uu8O7wtZ9OPHH4IU86i9Y0fw2uLvsDFVJjgF6I6wUzWOLg5pdMEWwEbg
Eo+NlusNJIyibyK0qtnApp13E7XRHQDf+jlqqrCyYYq2bvW41rcMLvjlDOzF
wogbAAsZ46ok7qyjf9Te3hab38V9RQBfj3zOI38ER16pSgmdoOruwqklqh5b
10a7vMvnPMzt5z0sftA7GedInN3zQSgRowwu7ZYdxZNKKo2eaRLfUoFDakrp
THSQspsfbYU9cgN01noJ9yGjpcNVK9I4w76bypwnkFldmWqlJ35jIod6KvIY
+9O13I2rppNOOrgVldhIev0rlTAGSLsBaPgOPkGFwvLBu+PZY9U5QVehvgsv
/SWUyZk53jTyyTSlnhNhqj5WWA44vhwmDbnBynM/SXKOVEuzttq2oaJs0Grz
1HK6adzxFLKvSvNvQmn2HQ+ShYQ8D7KcVwtKtw1nRetOqRcZPoEXXyhTUZ4u
XfRjVu+/WMMB3MOj+YGia+XQE6fqxTA5rbGPsr6uLi3q2H4F/5FFcbTJ1q+J
A2fcLMpxVniL1rcrDIvMNyB6aiH7A2YN19zbTXOYynpUjxmp3jtFlQ4565Y5
DC0n8dHI7T12FMlrR5WJQ5dsJFKflaeeBNxVgHvsM7jJrLIdmwYDLgB7Oy0x
5Q56HFezXhxie8JbADhAQmyyO9Q2MEy/HHhL+fy4X4CRqw81EB7ibMVDBb2H
dpGgylKqLYqkewbeTjg2ZUJ9arUtonavIwv5FbXTnSTIdCwbaKhgJlG0Go0V
nu32IjuwO4bXbcKpxNPpdAFLUDfIcBhDjc3bsYpe7kovLiMi2ezE6sAIs8zH
whPQMl1pQalccXvrFHPHOK16Cf1D5HopsDHcMJ4yHOvtxRotUzq/4jDtkM4g
Q2I3RsdW3gJWc1RKhVKeqzZ3SEk8P3q9883dtUSszVhGT9y7g55Y0QQpDYoU
QfqTvge80WpkVzdY7MtykjdGCaSXDbiUqWHKC/mkbxXhLm0Uel1u6Xyd9rYm
ksm7tHvPqhQUp/ytomtapTHF/RVsWcBToF4Afg2ZXfO0B/O37OUzmaQVqS67
7Awll8ri4fpPUwAKiPCOIk8bHX9Ihx5/z/VoFjgwkIpBxnuFye+kQu2NY8Qz
B3ZSRX67IWPUiBYNG4fE0K8bMj4O2SsqX2W2n1oZM0FVR0Z85/TC15kHQctA
978KKgkB56XTrHYOX770RWBhYFH6g80Ob0qHgtXWRqkiQjjNxgOWuFJvgvvQ
hK6vv6aeq8eHThu6kAVvFsG93NXjlYFSmzXo1Eh88x1f7nbct1HAUrd8VHaN
YanH+k3NLA1nqx04U5KT75NkwnSlwENt/SbYrxlVNsG1aenIhFusS+Qq4FDd
6ai/eGX/Id3RXZO6qYetnVDHSbvKbWG7ixogDDAxncYyunKlUY+vPFcw02kV
YmzkBhQ1VyKmA3b7yPkB+K/YV2Oidz7vYIRWarQGQtUGXMj423wl/ih2tn53
vjQJa6vuz3nUKm+yHJuhgGClWU9buJexxTUxw6Ucdkt75tD7PJdbTkZ16oLZ
nmsu3Gxvbe2ti6ux9zo8OR2ShUEGgPQxSaFVY1E55zOH2+3RYm437TqwTMkg
puIzDrjpUTgM5qCeW1ZiEaMYnphdIk1qqZO/heRJXgp5boH4vWuduTGphlNu
4v0WgJTm0pNU2G7Dtr47ROH5lQH8ZzGAPwhyy1ke9nkVjXoHHZrmQGfdTN/e
U+smsTwfVLrcLaihkfPW3M6Ng2w0wjsv0A31Qev/TlsefW22ekg6eECD16qI
gyLadaPKFprb/oRuMXLj8WnYKgmqcrqyRWFmEKSe04n+xFKN5med8qYHprnb
W6lb/JVbop6olqhGGNS0Ca1Le33WkBKKXpBi2pWJsIrLV9NgrSZt3VtVXbhg
j1dzCadbF8vPz9cBliXm92Du8cczgcSZwVVQvbHzf6n4nirQqEu91H0bs8Oe
4WVSGqw6jmPCYNTPW9N04GYYzdiQWX9/9EZ3bFDd2VTHhZB2HeJ1yEkz1Xy/
vg9unSx3d7SYNJdLT72bSw39kMU+V0ygfuGLxgcwrqR1be5Tqzo2pFYgPi48
eeOacbW9kLPw/TPmMrGA+70+oWbRaRqUibSs8i3LxL2omrizqIqu+fGtyPlI
LSrS/orIbffzkZtnzN4T9e1+pb7fCPW1Z4EePYTzADzsVlqcfIWwWkVhT6mx
6lTIKS1kNLBvxSJhu/JOrVzpY9pBRgRTJDhbmdhnDBgi8JqrJPa9aIE1NnjR
XPWnqSF4heV47bbrNaAntRqQvqZ8PpXnC2/Arnx6s9hjc9v1u3BKcxwzueRc
vd/rGeaTRdnlqX9XTk0Kunfb2LKsqGVff2UsgMv3JeblERHAj/F0hD/AMOcf
6QYnFmCG7DudwvBOlnOzleYtex446iyHCl9U4VG9WIs2YAQyJyM3QQJ2cfW+
P8AF99iMA1pvOUXgG5eTd8D+ZTCO+/rJwBxujv6WIWN12501vAodm2oDtYYN
N0hfCQLbkX4NporLqQjcmtYWdkVD2bQGY+bdx0JkX4ZqUcj8CwzlMyy1wmDu
xeyFPBDHjd21NSc3lx3UFufUXBv51C/mnHHlT3AZXdm62u4lDuZwZN2x6s7e
kCnWCnahb83MzGpZt6qEGqhXgzOgW5XVxDndKRhPy3YGlpwl5VxE3l6sFspL
82/xRCpZUJUH253Y68Kb1xaHMu2r1EhSplo5UpaCZTUE0LpM8G4JqZvZU4kB
Vja4OY7VtP49sfk8y7tpH87qawXGfBUY22JzXV/Ihacu66VYnGRud5f1raWO
XMXbZ2jUXhB4aTT4WoqzVCkOFV/pBItAMqEiWjy2+VDBvf7c6WdkspydGr6Y
bjCu3DBq2dZby2LG1/q8O2LIM8AQlmTmvGTbKDiz9S2to4J+cpWRpURvWqjD
mFCUoDORHwE7KsrZqbNoJTtJZ+laok2lnGFt5xidHXGpGj3W3w5YvQw6ovet
S0542QXnsurO3aDkTUejONfX0NF96fJZoftJGM5ptVVqvOkkeGsJvkXOKsZa
kyJFROdmoVLmL2UdPHiweA6HUuHC6lBIb9FFA1eskMj8kRmmqpt9kQ74OnOU
LqkV4jIaBnaHlJb8VTbs60SqmhoJrWm76TB6eaa5mVOYAIswQUI2/1SxRDVd
xK3fQGlWyRwzC2rqiSEpRMav6WIe7l88lbdee1fUyPB4xPcvmtn0Jeu6Kxmj
hyy3wJ5nmGpUNCS03VzhdenmSVi27hOnYcYZCIh1mEgYKqGQ/akjeU18+m9q
yVCpqpB6cEO+TW2WPi+JA7Wy01Zzaj5SYyXNaGYJTqX2Bju+3sfVYxQuvv9y
lFluD93eW58JtQ/krog4ztnpxZsW+o+YBZ+9faMEK+r9R54B4fKEqiZQudk6
aBjAZ3hzQmZOyu6LOM2H0STGLr73YyEgH31A+xYv5AiNTJJvtWPMVlMmH0DO
YAdEHke53tifblX7xrqmtZLnXmlZU0HmKuw4+2LJ2/xsVOG7xOxtMqoAxPGO
BMf8Y6af9BuBvtvefiQ2D7hb/ZbRqrxaghkZeSpJ2n504Qodj5QpLWoWo6jP
QzS8oi29a3y4Jr+SNzozcBECucRF9N7Oh4p4Q2EdJlo+4Due5GM4SdaB609S
WwmzT/L3coIkv5O8eoFhVYeSLS1HIP49ObpEGi7llWXdAkwaSpACtZb/Stir
Bjo2TMQS2crPl+qzC6eSE0moEoAeUXFd0+2+/kRlFAkAR207tMIrc8RI28sT
4kOwjuEQHlDc9u3czHbawGvfagxvVXnt8oKTrzOvlJR+yexwc3vrt09QQbg3
2DlBw2ZJe4YSyAGRgKLS4kodSNj6qNgz+KhfZqkMk5nalsKZJkXkPvQPC/di
VYrjp4tUq1pD2q1NO1ae269JPXoHHgVInzd8weqWg+VhY8ApTrP0rjsidw1g
FjPj7QLyIN+0wxBfjfmvxvw8xvyqmFQdIt4Lw/JuTLbvcQ7bSuSYG9daQ36f
SnX5nnNHTKXCPy6dSEmNSWXWqQzwJu/5b8NmXjkzlyWiiLQKAWaI/hAzXJ4H
flkKQM1+7oGUrF06RZsOplt3kYdEJp2dJsEKcdouijBC1ykQPuWsGuuamcrM
dS/HNAIDrVK3sGHGFHSmgxQnMn6h0MuKfWA4BJBfffTpk7xrW+VlvCFbc1de
TEHBEkpioyhJ+m9199qMKIkbHrHiHHMESDbH2TjashRQ1VDI3HfFfNOiU3nJ
HzUx8WZEactwH8aYJneTwWc3WrPlay/odixO0uOW2ziV4dCK+Uqmzu9MVaac
VeTT7ebJdWrlT3wvvrWBhd4a+PTM+xQpGj+e+p+/xY+xf8EOfHPCJEnKgVR6
uAb+YaaugYDtyxd2vRdOWJuQ3+7Bt68AzEqeuZc4YFCwkkm5JV995L1KCts8
r6/9gotk9rjAv1/k/uUvu/Lnnvz5SPyy9ku0zL9f/F8qP2HFsw3S0IrP1C9R
+OdnWbEtR7/8FTd5xmhh38OagWC+6BXbIJ8Dxh874oHFm0WZlsPk23XD14k3
KOaehdqFKQor1vk67G/Xewl6L9c/kYg4NWnTF9PJJMulLs3iyQgMk14dcaOK
wkvfnpmQtmNSGWT8wsn4sNODqSE/y1VdKiMv8g02rwu5uiqy0uQuNlTpxHbT
rgC/Z9FWMKTUpWtNBY64FbYAqzV389mdpPSTqsfMVE6u77C2Et/Nvd20SMyA
D8IreDmAujmTRtIaiwtUSkHY3WJ/JFn3juoJq1uUdKn8IctR/cRECrKdamKu
Yyr7rd4RsHwgzPgvSTIfrXAn+qprN/BR3YGlLa049uxtz3Ka3317eP12nPcJ
CVVBtr+ve9nEPOg2x6nUlH4s502sdy4ss/pmqbEAvazcVWLr1ytwmix2oLUw
mH2mn8+6w9T6fcOCj+dgsU6qvXzWr8hURVAkflScbw7+zbVmVhY5J6VXc+VU
NLNwJK4zg3OpErlDEHscIy3Y7EKJr/lEJ+VhLpxLTJrNW0kbdPxnTMtYL6kA
HIjDr63tu2497H22sExqLS+RwCzN2D2VjKVfw1kP936tbElu1btAzq/E132U
aoclbdKnSHx6kWpbL2Y9l27WkG+D1WLkU3fCBiRVLVep465DcGuFTT3sO1c9
TvTG0G99BvCsSwFqvDm6ebbjzKmmBFW63Rs/Aifoaqrm2LXVFQ09Nqu6Qwsn
6KZjTIGt9hKb94KtEC/8eqXL7z1l/OuVLv95R373K11m+vbdw/tNdeIM525+
hnac9THFSivOAK3cvd9ldeLVNr0MZ5qvsHPlYie5cNfKRpXuvttYAnDH4X5s
TcG0uiWrEJul1czUppr0JyfrRzXuZ/priX8Bj1skf24J6HB3hvmOy+715urY
tQyIDYwaT0kr4KnzrvFsaYfeyu/X/PgReLWtlOPljFRVAIPiPdt0eznS/nWa
3KhpwFYjFLFuM6Fe2i0hM1dCwxaTKPkAoxZXGIujO9FjDJkrBaKWNiKrZ4J9
2XccF9eXawzM5f/R+2sybrbsP3mWa+jav9u/X4JjNJuDwTGWCoXof38x6yBz
cZmATc1eloDHn+WqZhBlx+dfOn6zinXYd45j2KaOcFQM50S2K3mOsfa5cXxd
xHl5k+Xvo0owx14ArEi+yXclvEiAweQdPqzNAziYb7fb27tb+N3bPI1egKXd
EeugQbYl2bVBg1tXX5/F5RV8rQ/Z/+Jyx/+Ezt7/sLezXXnQxgr6zhUScGZP
dsRms91N2ziTUmMTNAfi8f00vhzDvgCgYFPQu1sdfPIjXZcgkqCpfLXxaOfZ
s3a7/aT3ON4QD0UyTPsyf4FC+eWteIgDAMQZzBK5HDhLFJOgRrTbCu3tyba7
tSU2I8TjOVCPmKvCvKNFGasMFeqeT6+0FrWvA06n0g1mRjOxw2C9RNDXNsuX
O2cwpfpiKPG9XnVbxgcngbIaH9wdG96tzgWHdUa/ogfOqzmqA/EsG/xumuWc
FU1p2VDH6iqUX07hU0ilg9Xdl1rHQy+g2rlU9FW1m8FlgmOsTLVDLrSUZnf/
qp3HCjo+5/hVVTubgOZU72rw/I7qHR6Y1u52vjjtrklhklfhaYXp8edUmCy2
NVtpqjtKVpoOZaJEk34UKn+rUY+kSlBVjPAGOhyFNSd0qQ2zXjwk+YF4qLKF
FrugpdnDtYyapOCxoljl2y9ET8Jq1S82UjlXbHIh39h2XTRPXn0yx8FXyhRM
hrZW/udfz6qCPKuORsCAz9O8CF52wQRb3Jlil63XDXp853Sqd5PFEeZ5OoY9
3d7Zz2ww6ffhaN6ez8Vc3XaFN86BUXXJeqr3ZKMzusFqdmov4CATmCvoX/ac
15yNajuuYf0zXdfFLN91EbR0ZNbiHa2dOmPHjL6AweOxxa8WzwyxERxjZRYP
6hNfhsUzi/o/rzPbJ6Q5rZ46ZL+rV/utZfbsfXFmj7gnO2b7S/FAby+AL3Ma
VbWY4rmifZNK55CeyETUwDVMd3VCNzfsUvnTjta+nK0kdwkS/HNldi5hH60i
g/P3lI85SZL8naWYBNMx6W7ttqAue/KWc7VcvnY7nTtzM5T4M6P5oW7kynPZ
jeaT0aQEjV1/pG44QZ1GrpOzuh2Vee7kI05dqIw+wnswkTEkpmReT8JGD91G
488DG6F2i/Ydm7NoamnL0VRpD4y+zxA8P3r9bv/8fP8fiD3XyS2ftUI8y+aV
4KWyi1t1uaHe9NJAxXx4fRtNcRdw2jcHrNowDuV06QtHYheeF2cSoLDpV3of
irG80gxFB1r0VuF3fRxVCrNGTgtuAlxQsQOGXrw+nAW1cJDU9s/xdDj8p9jc
/jB4slWzmQJPZox9UrHbiyxG54WGl4d0yP1Crcp1fDyNSm/Z8pXgpS1XSe89
XtDFJSwcp6rmWCPGeYKM0OImLowV2Hhrc00rVbfxdxB1K/d58zmrHU7pOQUE
1VFWiLoEcroBydoW5dv5RRnVN0fZdcJVs5mejNEIy4RC4AZ1CPt/3HLva4s4
qoMD9hQ1Z6dRbgX5+PhlNuwHUlFlXqNq/2ediudQFLXOIOVP4Jtng7OEXQ26
jffXi8nrHTo1ougesjwjzmMUgt1Mdbfv3o0e6pBoId+eDZNlvHvzK4E1LVbu
SQu0L97r+F14gpKuJvtSguf+8jDNBAt4sSqo/B/vx5ppyoXGWJkfS/6rz82s
bViyYj/WbPqucWT9WkmZPj3N6cmqR/jfSobm50u8fCh8mxg+2nncET9cbWzv
bLQE/NjlH3sbP60q1/Ie80hd5v7DWg06Xm3Eve6Tdrv97JsnCeyvPrc0/Ha3
O9iFt+Pk6dOF30ZrJfydBPAilDKnD6+BRj5VK7QPTIF+oELb6m1W8dmdzS7T
bmoBEHLYidfyjkptSdT0UTgT08L4GSy9GMDxehG3n7X9u1Zzn91DPbfdt2iJ
PAnvBr17T5MQZ78RF2Ixt/ZoQLhUQXcjDvvXSbzmXXvvwKTxpJgOuU08qIUx
GlZw1sAbZg6ILPvAu2RsxpWRe9wRCs8jyooemHGIS4g/Z6bVnrsKSoPK8UYx
NEl1mbB0PPyVap7cvh2vLTOOiD30EqyRSo9pb8hvrSbJ2bS8zOgC24YLgWc3
uvCh5dgM7zAuvtSxN1WEvd4ogg6gM94sGYF0qBxpN4hQrZj1ENS5LPoP6prp
Ql0zvcxGQt7P136VaND5W8tZV+L5lX5bl7S9NtimJtmHhHW9q3H2gjCr7LaU
pEK9Ff0erbCEpgs2F5p8IU9zqFwYfc3AEbFPi9bwivDroI9x4WKe0M2uJba1
G8uK4HAp8BbS4CiJx7pLFFA+dpVEjj0dq0bHdpGyymzBFsONrXqslgTLIbud
q1Ivz7/2OPjt9Th4LHscOCrkIj0O7hBHURUgopyini0jJP0q1zFRkXnStDRP
umd8t64NLa5qCpGJl4cntgXgsjPPlh2ByeuZ5Txz0xlI/qf9fFrGo3N1OnKH
MhBuXPeZu+7ALEBn/WmvbnClmIY0eM1/VXKdFCqLNpEI9V43XSSsphHEv9k/
z8jd2EXCErXYs9nW9wupc75eqKkEpvrSLZ0+aRcz0iDd9nA6fqqP1eqnjvED
dSDmY9Qh+RyU9VldgrrzwovjVLItS1R68BvZkUQv3RuSbjjsEdMaE7I0ECSd
Fh7GDciaxEGGbGzuJeVDcxaIihuejrlJ5q6ZvyEac0MDlcsDjF/b7F95E1bs
OA9NMMtxXss1/uO95mKG7hQcY0Ve84UaGXits++n3q0e8z9P9mc9MTV5zWdj
+2/FZb5Q/qeFIb+uex3/JVWX0dXGzt7Tp+g/jh/tzvYfJwH3w9XGs24ygCF6
vf6sIR4KV4GCD3Z3cIjtbzaWcukvgpRNDuo50NHLMa31T9fdvlHjoZ6nuYEn
s1nvMXewhDzV1v0rIOFn1m/YjqazWR7qszof9QpSU+/spl7OLx28WOc/O0X1
S3HP3U9u5lcP3e/GQ3cHL0owKVLnDEpLZqbThEMEtN7Fbz+snFazpa5d+IGs
yWWdFBUKa/Q1LOCzqC52XlcBGOHjTMKVDoGY3nQcPMWFrMVqrokI3zV3zPcZ
mzy+eK6lsDQvjDjnlwLAOXjj10SS7f1i/+JFjQHuR2AO3tSX7JosTbWEcFKm
LjOty/+7I3S/+Ey9zxVsPXijsUU6ElYX4DOIVJ1iEXkrgcz1Cvy0PIhWDR2f
1WX4AzFNWKAelxaZ6NWuwNEbQj6VcVzYc/k3sbj1whiWFZt+orhXobxVT07C
xI7PvJ3S0EZa6AVpZjH7LOzLPvX7YXZxY+IhODGh17FmZrQWw8us6Lm3VX8c
jqf38ttJeT+hsdA5Km1DwlO5tevTDfDbkGH0eXMOzmH8CRHKYmkH7ntNmQcU
gXIyDwi5Xgtz/eJdMxHOuCO1ct+ezeowwIxgik7v+UgrJBbv3qzW8gmsKmO6
we+7SM50ky72H+/9neljCI2xIu+v+tecMh2+MfE+cqYbmeRnyZluJKo5HcC/
j7Tpz+barXeqbi/nVP01F39Xp/Rsj3Rjt94F0XpOF/KMHGf4dJTht1SEbXcm
sJzI9MQnNEOdu7kaL9Tc2WZFhVSTqiXXXHuLXhA0DGBi1vTdDlIk2xtuq6yp
dp1DNRgm8bW6nqeSfGg1Q7Wfm9Uef+6bBJdftqv2zl7nvCuqdEoKTtRwN2Ld
lP7adIG/Fw0YFpnjPbBzMUIpRPxs31mj1I9oBVhvDo8T35mZ9BNKMrWmrOTE
qCF9T1VDBoy6F6HWidU0H7v3rTtmF28oOO4v8p4D1dxAm6iV/pAbBM0aDCun
RfF804jNIkksLvLY5NRt8V2FB0eMI8jrgcVL6820UXET6rR5VyzIvp6aiQlK
FmPbdRgbDiAv59W3Hlo3EpoFMDr1p7pkHlabkR2S61Ya0k4yWn7tLYnUxC2W
zjLrBRjoTfYejuNNHo+LQWI68eIutOXug7m9pze1xU4uvjCevE5g/41GMd6V
TkQ4oqFcdz/JV8rPznCfAEtyWOqwxhRYCFsskxINUQxawXm+ysrEMKtRAhJa
lLeTZKYjTuc/ElBvZIIRtWvU8EYMLREK8s5o6QJAyYnbvjbgZt9bG697f4XR
NFff5M2hrSt/xTvcBd4Mr65+/mXtjwHN/Zfgr+7vMOMo/mA1+C9oxt1dPfkU
o4vy948f/+fF0cvngJJ3mrFyqwAMvfdYz9gtynzFM7r746H3nuhfubJ45TNa
jiCe8ZtfZ4+k+/GMT+9zxsnPOCfe+Wpwde/ZTKiqK9uBlUaalUYWK5U6ZR2r
DVzTznScifPnB+Koj9edgsED8r2g3gDDuMetHbMexxhRXAFnWNerWjeMDocw
XRKIv6rkAhmXA+YjOwnTt0jxl3k8uQpmdc64mtxmF+STFjrUoi9aT7kxTpq7
Q4ReRyXDc9nTjeS7z7Z0rM0ou9bbOp3bvuFer4DDj6QiUEcJvEQyoP+SMsH8
d7YjDR6UnjrjnbMDX1JF8riT1HIqHER+Xn3SpcPKY0QqHGsw2LyxEnAE1IUj
qiU4tsp6w1oDJdsvqjE8q9cY9mZqDJjjS1GT+gsXsIK0IAzjkgi7Onnz9OzN
Yxbc+Egu5SKszy2fkPGlxu6zC1dJkGotF19XrnBzh3IIX1nxai22SG7/jUJO
db6lQ6V6wOs1/4ChBtjsgv+QK+NxC1IPmi8ZrVvIKlfyiFay7N2Xq1zJY72S
ZSpUaqUWUXRkU3RQeFUIPyDDZHGV5DGS8xTKXLNRXkZ5ASVBWD3bfbYtKX45
7J6nnkjHDjHrHoGFbB6ty6JUEzOhVwNePiVS8CodW1n5csej+FaKDuKu5iJ5
Ch/JvBpmgcpLg0Z3/J6777RV76sDZiAeCIDnxWUMW4BPKot0mZRpC0cbYKBv
SBhqOHvHlJYyTIURDXoS90Pt0vrOFfEYfVclLMc8fQ/1FOzIRsvY2Ws5M1xl
0yH2OhrkGLQnJwx7NcgzNfed6477w60MUSUjcX5J5rR0vUwBWYcYHM2TSCFJ
PMKbquiNdETOC5EM4wlVW+WBpaTjPjJ2W6zYypXa5Ybffi3QjwpQjxUa8t0g
U+OOZyh6eT9EwfwrJSXaDbcVOOkZ+lab/CjZsq5MiSDc6ytdr3tLKZjsA/Su
nFrY2SHFyIyrpKTsrr0VDO3jY68xGIAm6xZJfk20CTKS/0qU61NdJxuPLUxE
SE+7HMQjd7DqRAaa5LR0J6j0cDfmdTYeYiR6SL4lANkE1Ev4tQG/HzmLQhRC
rTYZDiLVcgyAbe46oDhpRXwRmKrXfBbMV42Tb2aRaMwuEMdJoop3HIJoV3qD
uRSqaL1KBFqyqEoqs40GMD0Os4FZnXcN4CrhYTfAXpMUYAqvAvkM2PlQJRbU
wkM+oHKirde5EwjRL1dimYycwOkylwvmC4XYHunbh8kgng5LVsf42nt+6MAR
5wG/XZ/fjFiRBHn83TQd9iVSN0caHvnqdSG/Cfjj5DQzlO0cXTtEF6qozVVH
LISluIlneujaQEIpmuPaAKSU94o4jipMygVDFeCfEg/WIpJ8W708iUvuHdnX
S1FnyeiziUPLCGKrkuEa90F6kwjKB2iNO4AE0EX0gHL+FYkPJ1zi+dHB6cnJ
0avDo0NlZs6CDuDE0YdeMlEcL5gujU1orzKEiaEdb3rHnZiRVwFVKJanBGtz
6kAXwASLgpRKgFshOxJmoBcUmOZL54HKuRkuzrk2spKHU12u0jhaImlftvmk
EwxkSUjPZHg2h6vk61OdA66yFjUtDVDG0JiTTGQbUodIHGOzLZ7bKJLqmIfj
RLD9LSijYu1HiEjU6Gr+hZYK0Ca2CUwaZdaATgizhLjNZkw2vBV486WKjkFl
Rqdz3uEzU3eHxFPUbkulRgD59LnNrdYfLW5Ma4rgf9aaEpxi3EMfNfuzNihv
Pumok9MWfDfrwxIt0u1xibCifq7aWBrS0qllnEZdZIvcAxM+Xz84vTgyyAV2
TZ5cAhaD/vvx4/H+q/02PtA2D1imCr+LaIoO7bpX4fs2ff/pEwlLxKENzyu0
EaLrixenb18eum06OTF0d3tbxRNhoHQ0HS1+/6TqOcBF15guNWaVGFWQgKSl
8mdLB5XHSB+b4Otzyc9mErH0VsXDy41KmPDnaTwuYU+yqsDJxXN9bA1gQ+56
8jJCnHm8sys26axiPb/qotoRb7473JInl+TsKAOO/q8MXTg/91RuIGsUtjXg
DG9VcSQ6GEW2JV5xwA/CsM+Pzy52t/cIE0jzJ4sL0bzlukMVfOiDYsNWvVGf
j5ByI2XvgdTxoknsuf7xhx9/2P/r2Y8/tYT85cefUDylhb0R4+8kEFEMCuMz
8EIVLD0Ey2gY9YuYNuHRtopDZSNqUt4o96W/V4pu2eNXOirHFXnLpqnE5jrh
qzIu9VtkMGAIvKub7pLAyfK+1BThgX18Gek2LjPKh90Ee3FLrTuxSoF0Q4ZJ
EtBCyiwjFe4C0RbTUg7s7tYF86FCfem0vpa5CbAZWDWiG/xm+S1ok8B4sORE
qgy2DxQnFo2DS6rURYbLdKFxYYBARa/nbQAJ+rDIaU6aec2KCE7IIj0YaWU2
BWL+JOW53udVXJftghskjvvlRFIePBCn+yBFfVUddxZlKF+92DpCAwV+8Z65
oaI9b8vsm5Fnsu5PUZVB9ETbPAFoZLHvpgEkhzVTS09eL+kTWw6nV+8ovxvt
Uco8DAp3rHAbfKSnFG8phPwyY6B2ZGwkyvV1Ci2RFxF/qn1cMAJnu5EvPoc1
YgLc8dGb5/CNDix3TNwufCIUjj4BRIb9NZxPhM77lR2SO2vdkeFDbfWQd2r7
rnqGeIgfAcH+mz9BgkDSKtHnBks9Gl+neTbmCwk29w+Otu580E/bMkONWFbd
MavQP8lZscn6SzcpbxLQN3Zo5buPH2/BkxyAQE2pI15hugNyZ5RjdQf6B3Ga
p5eYuC4ubLL0D70x44WOuynlZYETT1mc8gnVxn7904Yn2/rJekK9hyO3zszT
R52D2wXtqZheXgIlJv0t9RUflN+dvpb4/tzN/2Kmq4Q/nQn3HtdPiFkAc05S
t5+9J/XDNyJcYHzj0nGn+GbFO6AwrzvF05VMUUOse8+WhRFyWZW+Z/QgcnoF
JSFX4Cg9IZLRBUOES9Cg5rsz1xHgvfROW73Tlu98LrrUVpI6gpdxNxl20GVX
ez5cuEX1hOKhQ5g8SafesmWvIzxrxXs76jxnKor0dsvJ1Yzp4SPdVhYBcpJg
ql1ajKh4aGshRGV7yAdGA78wyDpz8wfxJO6mw7QEHGrVmfDOU8sCyiBTS6Xe
oR1uNO7iToCryDyK3tbKO5OssSSdhSabJef4qV+JlggxO5hX4OKJc3iz0g3a
MxFVTePTpjPNsrkE80/vU0Nl+mUSCOqnj6JIdOPeezTpzvJsgEV055zuxeei
bLoJf4kFRYWy7VSgQYXurmR4NLcHGCISetrnvg5ZkAvBiQoOpkOYaJj0K74/
HRgn/2BlIjd0JCOGxv6UjlMq+uMFs513gm4eMDRvsevhfr+fY06YDQJexsh+
LJaPOfOn41ReJVajc++3d9x9q5uEYhlbJnQ/P3q9s9PBUJJOONCWv7KYN9n5
Tn15gBVdZf1iiyGJsMJo+Jhd/Cb/vEdVqeSPvgIEuZQBtsMD43BpgTk8kfFm
xDbVi8MKrhFvU51S7MDdn/g8sqHyh9v5g7FkAzIuijkT2g2TyOB30pdrhEfe
J+M/aT+tNaYXt43rFtMRbsrU0/ZjC/A6wC0hxx/rlh8u2ugj2e2A8ABhTPsw
EZZxcjO81S4tKwxBzI7WSqUf6LhPR3hFmPWMnZrZBRQDDBrJyLhK/KNcc8qU
d99tqc6VHAyw20a6zpoqLJ6EYGFGlrZ6MQdMHpFdiM5Qz4m0P4GVIUMuKu5h
nJKawjAFn2VnOtqAj6kbJlX+jrQ1MITxjl+zm5dbSejSBef7WMkF4eyU+y0k
3gMtwHhyLhUZhzCSvhMVr6abqn5CNREizY6dME1RphjJURGsHJ2obixIxXDs
qn+6qkyN47jPmZJjcbJ/YFyCNkhx36pphSzFb4apOvT/xqxSuwkNHvg3HWms
30qlghLBnJKn99ydAvsX5RhxUmDSF22aVgT2tD6aPrFKMqzDC7nPZ6EpVmDe
N5q+7/eWx1G9kVokVU/cH5b64aUl0HRpfKwHnoeMuvqez/WZw5JdTmyHKoA5
5n2rSo57AWPjXMBQnCJY9+RjpFX4ZB1UrfOpCS3RypZJAc1KR2Y9tazOsTuH
znF69gbk26mVqGDfPdtQz6UyGBerv6Lk+khsJL3+Fae8t/BsxnCUZar6Th8d
HL4wVlXL+9taifwKGaX9IWHaB9CYLDZVGxh3t1OXxVJl506abGPBQWPJmYQH
EgJABJdVMEjAmJOBLiv5qkKvwNAO0wEcfvQiGQ5HcUMGQLHibemEAkt3M/qe
qU8IcJ9iLphYdREBJJHBZmSRKQZsy4WCYy2VmFCDV+rbXwm1dF5ETW3L3bEP
ORYdUVRK+kQ/Uz2v2lLc4VGYO2g1mPKXZZGQ6g/GsGFNWFswnF2I+ybNFAtw
Z197QZTgaCQ+6jxpB7lzWNebudvH4d1afNCuPtE5kxh4L+65GsSTSgW6RXC/
O9+0d2zr0uQMheRUovw3DKp6t1KjFBNHH8oEbA1yqN3SOT+flhh08tJytBNh
QF9zHgKQHDoS9usqkKWxbJ4F7YffN9RaUI5AN7FTHdI7pAapEPEt09iYEFvf
zk4j9iwPInooMK+OFSUK4cejIfLBKetjlPcgF20t0ay/LmNTXn88BF5ziS4Z
yWfgBxXS0S3pFmt8RxizoTHOLiYzypSETEVAu0XR9G6E7youbA7lO6vIS3Vg
kjkrQBXZZTZVFzcPrSWzK2IDY03B1eovFl9sM0Oz0g8qO7F9MQtvRSsu/laM
RnO/W5HtaN00IzOjxWE8O2tmLhJfTmMV5WsmLPm6kWf1o7Q0/5UNuLlhG9uG
kbINTYLM7GejIu1TnPrYaRhsyjYs8nKTxQppfZJPBDOIVBp4WjngW25CqW0E
4BbTHhFvXVKpub29TEa610Z5NZXZoZSyGPfe32AimXLWErtkM+C51h8C1Pyg
jm1GhkYjevaTcpWq0ZIaBjEL1/g4HBYgDJzIgxcX0iVb2IWrRj3aMH7aV+Iv
34pt694jlXYs8/GoiabDVPXBukqZSnijA7CSD1UiHuJr2psO47wVWpBKPaJD
lUAiA9++Y6rC3WUenjrh+VbUcmug+WU3PCTp0g5FbQBuDKejsVrLEsLLPgwM
OTsHUqjsKTK6X+kTUS/QtjfC56PvPtdNatKovHLflKDaTAWcd0u02+2WeBXt
bKkmqPw1DFwFsgKvAZCFDI5RWz3YH39If/wphAM2+jsrXAkm3G2pF9zzs26S
1K5FU2yncWYn8bNl9B9r7PUgfi2W+4wnf3B4+FI3D+MC0KdPdraNmhhgOZYc
LGSmsnI82E0Ue/3+cM1/W3y7xrc1p/2OuKS6uYfihz/yrz+16CtNe5icXsL3
JWzE/sryWXTED38QFlp0UJbQON7H8Jj3gCCT7t1gVKp56Mrmn9bWeF3f0rzB
LmY+t46U2JHFugGgkV/ue/kYCwl564UlMUiy1wsJ+HrBGv7v2m5zH1ui8GwV
s+vOXtpZ8iWg50hCUVLm5I87lojhFsxsnRv5bWicQ1yqgMChe5fDhwhay5yI
e1mkOZiicm7Vlchd7I8/bGMGt88H8Y+TBm7oLGVumTIHzS9mEG36saOKTab8
NGSRVK46rAAjJWAQnLhiZdxPPohU/AXFxn0JC3kKMHu0I5mwXwoUfBz+42Xm
6/R6LESs6Cyx41eqrgEmX2CPbj5/qKhjLiTRI9yLXKhiyG4IQx6w5DjJ+slQ
OwOQ40forRp+AlZJ3Q6TdJwPep8CkuFPtYmga9V+Tt+KvcdrdtMl+ODJmtcT
CT77xnqIuxbBh0+DPNwsVnFtsyPuJLnfez/OboZJ/5Id+B87nH2e9L9dH8RD
bjiJXAObqDL/8dPju5hWi3qMEwKWYZKLG/QobhSg64yza5bA+8A4e7fib8ev
Xp3+bd90B0iGoApFr3Cbkzz7FxyOOPjH2fnRxUV77f8D7yeAJTqMAQA=

-->

</rfc>
