<?xml version='1.0' encoding='utf-8'?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?><!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.5.26 (Ruby 2.3.7) --> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-lamps-5g-nftypes-08" number="9310" category="std" consensus="true" updates="" obsoletes="" submissionType="IETF" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 3.15.3 --> <front> <title abbrev="5GNFTypeNFTypes in X.509 Certificates">X.509 Certificate Extension for 5G Network Function Types</title> <seriesInfoname="Internet-Draft" value="draft-ietf-lamps-5g-nftypes-08"/>name="RFC" value="9310"/> <author initials="R." surname="Housley" fullname="Russ Housley"> <organization abbrev="Vigil Security">Vigil Security, LLC</organization> <address> <postal><city>Herndon, VA</city> <country>US</country><city>Herndon</city> <region>VA</region> <country>United States of America</country> </postal> <email>housley@vigilsec.com</email> </address> </author> <author initials="S." surname="Turner" fullname="Sean Turner"> <organization>sn3rd</organization> <address> <postal><city>Washington, DC</city> <country>US</country><city>Washington</city> <region>DC</region> <country>United States of America</country> </postal> <email>sean@sn3rd.com</email> </address> </author> <authorinitials="J. P." surname="Mattsson"initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson"> <organization>Ericsson</organization> <address> <postal> <city>Kista</city> <country>Sweden</country> </postal> <email>john.mattsson@ericsson.com</email> </address> </author> <author initials="D." surname="Migault" fullname="Daniel Migault"> <organization>Ericsson</organization> <address> <postal> <city>Saint Laurent, QC</city> <country>Canada</country> </postal> <email>daniel.migault@ericsson.com</email> </address> </author> <date year="2022"month="November" day="29"/>month="December"/> <area>Security</area><keyword>Internet-Draft</keyword><workgroup>lamps</workgroup> <keyword>Digital Certificate</keyword> <abstract> <t>This document specifies the certificate extension for including Network Function Types (NFTypes) for the 5G System inX.509v3X.509 v3 public key certificates as profiled in RFC 5280.</t> </abstract> </front> <middle> <section anchor="intro"> <name>Introduction</name> <t>The 3rd Generation Partnership Project (3GPP) has specified several Network Functions (NFs) as part of the service-based architecture within the 5G System. There are4956 NF Types defined for 3GPP Release 17; they are listed in Table 6.1.6.3.3-1 of <xref target="TS29.510"/>, and each NF type is identified by a short ASCII string.</t> <t>Operators of 5GsystemsSystems make use of an internal PKI to identify interface instances in the NFs in a 5Gsystem. X.509v3System. X.509 v3 public key certificates <xref target="RFC5280"/> are used, and the primary function of a certificate is to bind a public key to the identity of an entity that holds the corresponding private key, known as the certificate subject. The certificate subject and thesubjectAltNameSubjectAltName certificate extension can be used to support identity-based access control decisions.</t> <t>This document specifies the NFTypes certificate extension to support role-based access control decisions by providing a list of NF Types associated with the certificate subject. The NFTypes certificate extension can be used by operators of 5GsystemsSystems or later.</t> </section> <section anchor="terms"> <name>Terminology</name> <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t> </section> <section anchor="extn"> <name>NetworkFunctionsFunction Types Certificate Extension</name> <t>This section specifies the NFTypes certificate extension, which provides a list of NF Types associated with the certificate subject.</t> <t>The NFTypes certificate extension <bcp14>MAY</bcp14> be included in public key certificates <xref target="RFC5280"/>. The NFTypes certificate extension <bcp14>MUST</bcp14> be identified by the following object identifier:</t><artwork><![CDATA[ id-pe-nftypes<sourcecode name="" type="asn.1"><![CDATA[ id-pe-nftype OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-pe(1) 34 }]]></artwork>]]></sourcecode> <t>This extension <bcp14>MUST NOT</bcp14> be marked critical.</t> <t>The NFTypes extension <bcp14>MUST</bcp14> have the following syntax:</t><artwork><![CDATA[<sourcecode name="" type="asn.1"><![CDATA[ NFTypes ::= SEQUENCE SIZE (1..MAX) OF NFType NFType ::= IA5String (SIZE (1..32))]]></artwork>]]></sourcecode> <t>The NFTypes <bcp14>MUST</bcp14> contain at least one NFType.</t> <t>Each NFType <bcp14>MUST</bcp14> contain only an ASCII string; however, the string <bcp14>MUST NOT</bcp14> include control characters (values 0 through 31), the space character (value 32), or the delete character (value 127).</t> <t>Each NFType <bcp14>MUST</bcp14> contain at least one ASCII character and <bcp14>MUST NOT</bcp14> contain more than 32 ASCII characters.</t> <t>The NFTypes <bcp14>MUST NOT</bcp14> contain the same NFType more than once.</t> <t>If the NFTypes contain more than one NFType, the NFTypes <bcp14>MUST</bcp14> appear in ascendingsort order.</t>lexicographic order using the ASCII values.</t> <t>The NFType uses the IA5String type to permit inclusion of the underscore character ('_'), which is not part of the PrintableString character set.</t> </section> <section anchor="asn1-mod"> <name>ASN.1 Module</name> <t>This section provides an ASN.1moduleModule <xref target="X.680"/> for the NFTypes certificate extension, and it follows the conventions established in <xref target="RFC5912"/> and <xref target="RFC6268"/>.</t> <sourcecode type="asn.1" markers="true"><![CDATA[ NFTypeCertExtn { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-nftype(106) } DEFINITIONS IMPLICIT TAGS ::= BEGIN IMPORTS EXTENSION FROM PKIX-CommonTypes-2009 -- RFC 5912 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } ; -- NFTypes Certificate Extension ext-NFType EXTENSION ::= { SYNTAX NFTypes IDENTIFIED BY id-pe-nftype } -- NFTypes Certificate Extension OID id-pe-nftype OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-pe(1) 34 } -- NFTypes Certificate Extension Syntax NFTypes ::= SEQUENCE SIZE (1..MAX) OF NFType NFType ::= IA5String (SIZE (1..32)) END ]]></sourcecode> </section> <section anchor="sec-cons"> <name>Security Considerations</name> <t>TheSecurity Considerationssecurity considerations of <xref target="RFC5280"/> are applicable to this document.</t> <t>Some of the ASCII strings that specify the NF Types are standard. SeeAppendix A<xref target="nftypes"/> for values defined in3GPP.3GPP Release 17. Additionally, an operator <bcp14>MAY</bcp14> assign its own NF Types for use in their own network. Since the NF Type is used for role-based access control decisions, an operator-assigned NF Type <bcp14>MUST NOT</bcp14> overlap with a value already defined in the commonly defined set. Use of the same ASCII string by two different operators for different roles could lead to confusion or incorrect access control decisions. The mechanism for an operator to determine whether an ASCII string associated with a NF Type is unique across operators is outside the scope of this document.</t> <t>The certificate extension supports many different forms of role-based access control to support the diversity of activities that NFs are trusted to perform in the overall system. Different levels of confidence that the NFTypes were properly assigned might be needed to contribute to the overall security of the 5Gsystem.System. For example, more confidence might be needed to make access control decisions related to a scarce resource than implementation of filtering policies. As a result, different operators might have different trust models for the NFTypes certificate extension.</t> </section> <section anchor="priv-cons"> <name>Privacy Considerations</name> <t>In some security protocols, such as TLS 1.2 <xref target="RFC5246"/>, certificates are exchanged in the clear. In other security protocols, such as TLS 1.3 <xref target="RFC8446"/>, the certificates are encrypted. The inclusion ofNFTypethe NFTypes certificate extension can help an observer determine which systems are of most interest based on the plaintext certificate transmission.</t> </section> <section anchor="iana"> <name>IANA Considerations</name> <t>For theNFTypeNFTypes certificate extension defined in <xref target="extn"/>, IANAis requested to assignhas assigned an object identifier (OID) for the certificate extension. The OID for the certificate extensionshould behas been allocated in the "SMI Security for PKIX Certificate Extension" registry (1.3.6.1.5.5.7.1).</t> <t>For the ASN.1 Module defined in <xref target="asn1-mod"/>, IANAis requested to assignhas assigned anobject identifier (OID)OID for the module identifier. The OID for the moduleshould behas been allocated in the "SMI Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).</t> </section><section anchor="acknowledgements"> <name>Acknowledgements</name> <t>Many thanks to Ben Smeets, Michael Li, Tim Hollebeek, Roman Danyliw, Bernie Volz, and Eric Vyncke for their review, comments, and assistance.</t> </section></middle> <back> <references> <name>References</name> <references> <name>Normative References</name><reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5280"> <front> <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title> <author fullname="D. Cooper" initials="D." surname="Cooper"> <organization/> </author> <author fullname="S. Santesson" initials="S." surname="Santesson"> <organization/> </author> <author fullname="S. Farrell" initials="S." surname="Farrell"> <organization/> </author> <author fullname="S. Boeyen" initials="S." surname="Boeyen"> <organization/> </author> <author fullname="R. Housley" initials="R." surname="Housley"> <organization/> </author> <author fullname="W. Polk" initials="W." surname="Polk"> <organization/> </author> <date month="May" year="2008"/> <abstract> <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5280"/> <seriesInfo name="DOI" value="10.17487/RFC5280"/> </reference><xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/> <reference anchor="X.680" target="https://www.itu.int/rec/T-REC-X.680"> <front> <title>Information technology -- Abstract Syntax Notation One (ASN.1): Specification of basic notation</title> <author> <organization>ITU-T</organization> </author> <date year="2021" month="February"/> </front><seriesInfo name="ITU-T Recommendation" value="X.680"/> <seriesInfo name="ISO/IEC" value="8824-1:2021"/><refcontent>ITU-T Recommendation X.680</refcontent> <refcontent>ISO/IEC 8824-1:2021</refcontent> </reference> <reference anchor="TS29.510"target="https://www.3gpp.org/ftp/Specs/archive/29_series/29.510/29510-h50.zip">target="https://www.3gpp.org/ftp/Specs/archive/29_series/29.510/29510-h80.zip"> <front><title>5G<title>Technical Specification Group Core Network and Terminals; 5G System; Network Function Repository Services; Stage 3 (Release 17)</title> <author> <organization>3rd Generation Partnership Project</organization> </author> <date year="2022"month="March"/>month="December"/> </front><seriesInfo name="3GPP<refcontent>3GPP TS:29.510V17.5.0" value=""/>V17.8.0</refcontent> </reference> <reference anchor="TS33.310"target="https://www.3gpp.org/ftp/Specs/archive/33_series/33.310/33310-h20.zip">target="https://www.3gpp.org/ftp/Specs/archive/33_series/33.310/33310-h40.zip"> <front><title>Network<title>Technical Specification Group Services and System Aspects; Network Domain Security (NDS); Authentication Framework (AF) (Release 17)</title> <author> <organization>3rd Generation Partnership Project</organization> </author> <date year="2022"month="March"/>month="September"/> </front><seriesInfo name="3GPP<refcontent>3GPP TS:33.310V17.2.0" value=""/>V17.4.0</refcontent> </reference> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> </references> <references> <name>Informative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5246.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5912.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6268.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> <referenceanchor="TS23.003" target="https://www.3gpp.org/ftp/Specs/archive/23_series/23.003/23003-h50.zip">anchor="TS29.571" target="https://www.3gpp.org/ftp/Specs/archive/29_series/29.571/29571-h80.zip"> <front> <title>Technical Specification Group Core Network and Terminals;Numbering, addressing and identification (Release 17)</title> <author> <organization>3rd Generation Partnership Project</organization> </author> <date year="2022" month="March"/> </front> <seriesInfo name="3GPP TS:23.003 V17.5.0" value=""/> </reference> <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author fullname="S. Bradner" initials="S." surname="Bradner"> <organization/> </author> <date month="March" year="1997"/> <abstract> <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference> <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author fullname="B. Leiba" initials="B." surname="Leiba"> <organization/> </author> <date month="May" year="2017"/> <abstract> <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference> </references> <references> <name>Informative References</name> <reference anchor="RFC5246" target="https://www.rfc-editor.org/info/rfc5246"> <front> <title>The Transport Layer Security (TLS) Protocol Version 1.2</title> <author fullname="T. Dierks" initials="T." surname="Dierks"> <organization/> </author> <author fullname="E. Rescorla" initials="E." surname="Rescorla"> <organization/> </author> <date month="August" year="2008"/> <abstract> <t>This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5246"/> <seriesInfo name="DOI" value="10.17487/RFC5246"/> </reference> <reference anchor="RFC5912" target="https://www.rfc-editor.org/info/rfc5912"> <front> <title>New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)</title> <author fullname="P. Hoffman" initials="P." surname="Hoffman"> <organization/> </author> <author fullname="J. Schaad" initials="J." surname="Schaad"> <organization/> </author> <date month="June" year="2010"/> <abstract> <t>The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.</t> </abstract> </front> <seriesInfo name="RFC" value="5912"/> <seriesInfo name="DOI" value="10.17487/RFC5912"/> </reference> <reference anchor="RFC6268" target="https://www.rfc-editor.org/info/rfc6268"> <front> <title>Additional New ASN.1 Modules for the Cryptographic Message Syntax (CMS) and the Public Key Infrastructure Using X.509 (PKIX)</title> <author fullname="J. Schaad" initials="J." surname="Schaad"> <organization/> </author> <author fullname="S. Turner" initials="S." surname="Turner"> <organization/> </author> <date month="July" year="2011"/> <abstract> <t>The Cryptographic Message Syntax (CMS) format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates some auxiliary ASN.1 modules to conform to the 2008 version of ASN.1; the 1988 ASN.1 modules remain the normative version. There are no bits- on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.</t> </abstract> </front> <seriesInfo name="RFC" value="6268"/> <seriesInfo name="DOI" value="10.17487/RFC6268"/> </reference> <reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446"> <front> <title>The Transport Layer Security (TLS) Protocol Version 1.3</title> <author fullname="E. Rescorla" initials="E." surname="Rescorla"> <organization/> </author> <date month="August" year="2018"/> <abstract> <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t> <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t> </abstract> </front> <seriesInfo name="RFC" value="8446"/> <seriesInfo name="DOI" value="10.17487/RFC8446"/> </reference> <reference anchor="TS29.571" target="https://www.3gpp.org/ftp/Specs/archive/29_series/29.571/29571-h50.zip"> <front> <title>5G5G System; Common Data Types for Service Based Interfaces; Stage 3 (Release 17)</title> <author> <organization>3rd Generation Partnership Project</organization> </author> <date year="2022"month="March"/>month="December"/> </front><seriesInfo name="3GPP<refcontent>3GPP TS:29.571V17.5.0" value=""/>V17.8.0</refcontent> </reference> </references> </references> <section anchor="nftypes"> <name>NFType Strings</name> <t>Table 6.1.6.3.3-1 of <xref target="TS29.510"/> defines the ASCII strings for the NF Types specified in 3GPPdocuments, whichdocuments; these enumeration values in 3GPP Release 17 are listed below inalphabeticalascending lexicographic order. This list is not exhaustive.</t> <artwork><![CDATA[ "5G_DDNMF""ICSCF" "SCEF""LMF" "PKMF" "5G_EIR""IMS_AS" "SCP""MBSF" "SCEF" "AANF""LMF" "SCSAS""MBSTF" "SCP" "ADRF""MB-SMF" "SCSCF""MB_SMF" "SCSAS" "AF""MB-UPF" "SEPP""MB_UPF" "SCSCF" "AMF" "MFAF""SMF""SEPP" "AUSF" "MME""SMSF""SMF" "BSF""N3IWF" "SOR_AF""MNPF" "SMSF" "CBCF""NEF" "SPAF""N3IWF" "SMS_GMSC" "CEF""NRF" "TSCTSF""NEF" "SMS_IWMSC" "CHF""NSACF" "UCMF""NRF" "SOR_AF" "DCCF""NSSAAF" "UDM""NSACF" "SPAF" "DRA""NSSF" "UDR""NSSAAF" "TSCTSF" "EASDF""NSWOF" "UDSF""NSSF" "UCMF" "GBA_BSF""NWDAF" "UPF""NSWOF" "UDM" "GMLC""PCF""NWDAF" "UDR" "HSS" "PANF" "UDSF" "ICSCF" "PCF" "UPF" "IMS_AS" "PCSCF" ]]></artwork> </section> <section anchor="example"> <name>Example Certificate Containing a NFTypes Extension</name> <t>The example certificateconformesconforms to the certificate profile in Table 6.1.3c.3-1 of <xref target="TS33.310"/>. In addition, the NFTypes certificate is included with only one NFType, and it is "AMF". The SubjectAltName certificate extension contains a fully qualified domainnamesname (FQDN) and a uniformResourceIdentifier, which carries the NF Instance ID as specified in Clause 5.3.2 of <xref target="TS29.571"/>.</t> <artwork><![CDATA[ -----BEGIN CERTIFICATE----- MIIC0DCCAlagAwIBAgIUDD5o44zEdfSghT2hMK+P/EjGHlowCgYIKoZIzj0EAwMw FTETMBEGA1UECgwKRXhhbXBsZSBDQTAeFw0yMjExMjkxODE0NThaFw0yMzExMjkx ODE0NThaMDkxCzAJBgNVBAYTAlVTMSowKAYDVQQKEyE1Z2MubW5jNDAwLm1jYzMx MS4zZ3BwbmV0d29yay5vcmcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATJ6IFHI683 q/JJjsJUfEiRFqGQ6uKDGJ0oqDP6wEhRAuvyEyz5pgRmz/7Mze1+s1qcnPU9mo1v rIW9rjKhb/Hm8H9TPvnMQwCRCtKvCD90MkWvc/G8qyCBpCms3zNOJOijggFBMIIB PTATBggrBgEFBQcBIgQHMAUWA0FNRjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMDAw DgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBRM Z5KgwYlYn885mKID55ZcEznIBzAfBgNVHSMEGDAWgBSIf6IE6QtqjXR2+p/xCtRh 4PqzNTAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vZXhhbXBsZS5jb20vZXhhbXBs ZWNhLmNybDB1BgNVHREBAf8EazBpgjhhbWYxLmNsdXN0ZXIxLm5ldDIuYW1mLjVn Yy5tbmM0MDAubWNjMzExLjNncHBuZXR3b3JrLm9yZ4YtdXJuOnV1aWQ6ZjgxZDRm YWUtN2RlYy0xMWQwLWE3NjUtMDBhMGM5MWU2YmY2MAoGCCqGSM49BAMDA2gAMGUC MEtQEut9kelkiMIMR+QzkSNGIuR30Lr23ftarLi9wMp3ZRIJYQgaAWc6gmf3MVAp 7QIxAKMoYAtw5srkNjE+Zg6CqEkf9f2banFltRuPbTp4B0Xraz5z/jn3NDPM9ata SHUxOQ== -----END CERTIFICATE----- ]]></artwork> <t>The following shows the example certificate. The values on the left are the ASN.1 tag (in hexadecimal) and the length (in decimal).</t> <artwork><![CDATA[ 30 720: SEQUENCE { 30 598: SEQUENCE { A0 3: [0] { 02 1: INTEGER 2 : } 02 20: INTEGER : 0C 3E 68 E3 8C C4 75 F4 A0 85 3D A1 30 AF 8F FC : 48 C6 1E 5A 30 10: SEQUENCE { 06 8: OBJECT IDENTIFIER ecdsaWithSHA384 (1 2 840 10045 4 3 3) : } 30 21: SEQUENCE { 31 19: SET { 30 17: SEQUENCE { 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 0C 10: UTF8String 'Example CA' : } : } : } 30 30: SEQUENCE { 17 13: UTCTime 29/11/2022 18:14:58 GMT 17 13: UTCTime 29/11/2023 18:14:58 GMT : } 30 57: SEQUENCE { 31 11: SET { 30 9: SEQUENCE { 06 3: OBJECT IDENTIFIER countryName (2 5 4 6) 13 2: PrintableString 'US' : } : } 31 42: SET { 30 40: SEQUENCE { 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 13 33: PrintableString '5gc.mnc400.mcc311.3gppnetwork.org' : } : } : } 30 118: SEQUENCE { 30 16: SEQUENCE { 06 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) 06 5: OBJECT IDENTIFIER secp384r1 (1 3 132 0 34) : } 03 98: BIT STRING : 04 C9 E8 81 47 23 AF 37 AB F2 49 8E C2 54 7C 48 : 91 16 A1 90 EA E2 83 18 9D 28 A8 33 FA C0 48 51 : 02 EB F2 13 2C F9 A6 04 66 CF FE CC CD ED 7E B3 : 5A 9C 9C F5 3D 9A 8D 6F AC 85 BD AE 32 A1 6F F1 : E6 F0 7F 53 3E F9 CC 43 00 91 0A D2 AF 08 3F 74 : 32 45 AF 73 F1 BC AB 20 81 A4 29 AC DF 33 4E 24 : E8 : } A3 321: [3] { 30 317: SEQUENCE { 30 19: SEQUENCE { 06 8: OBJECT IDENTIFIER nfTypes (1 3 6 1 5 5 7 1 34) 04 7: OCTET STRING, encapsulates { 30 5: SEQUENCE { 16 3: IA5String 'AMF' : } : } : } 30 23: SEQUENCE { 06 3: OBJECT IDENTIFIER certificatePolicies (2 5 29 32) 04 16: OCTET STRING, encapsulates { 30 14: SEQUENCE { 30 12: SEQUENCE { 06 10: OBJECT IDENTIFIER '2 16 840 1 101 3 2 1 48 48' : } : } : } : } 30 14: SEQUENCE { 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 01 1: BOOLEAN TRUE 04 4: OCTET STRING, encapsulates { 03 2: BIT STRING 7 unused bits : '1'B (bit 0) : } : } 30 19: SEQUENCE { 06 3: OBJECT IDENTIFIER extKeyUsage (2 5 29 37) 04 12: OCTET STRING, encapsulates { 30 10: SEQUENCE { 06 8: OBJECT IDENTIFIER clientAuth (1 3 6 1 5 5 7 3 2) : } : } : } 30 29: SEQUENCE { 06 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 04 22: OCTET STRING, encapsulates { 04 20: OCTET STRING : 4C 67 92 A0 C1 89 58 9F CF 39 98 A2 03 E7 96 5C : 13 39 C8 07 : } : } 30 31: SEQUENCE { 06 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35) 04 24: OCTET STRING, encapsulates { 30 22: SEQUENCE { 80 20: [0] : 88 7F A2 04 E9 0B 6A 8D 74 76 FA 9F F1 0A D4 61 : E0 FA B3 35 : } : } : } 30 49: SEQUENCE { 06 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31) 04 42: OCTET STRING, encapsulates { 30 40: SEQUENCE { 30 38: SEQUENCE { A0 36: [0] { A0 34: [0] { 86 32: [6] 'http://example.com/exampleca.crl' : } : } : } : } : } : } 30 117: SEQUENCE { 06 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) 01 1: BOOLEAN TRUE 04 107: OCTET STRING, encapsulates { 30 105: SEQUENCE { 82 56: [2] : 'amf1.cluster1.net2.amf.5gc.mnc400.mcc311.3gppnet' : 'work.org' 86 45: [6] : 'urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6' : } : } : } : } : } : } 30 10: SEQUENCE { 06 8: OBJECT IDENTIFIER ecdsaWithSHA384 (1 2 840 10045 4 3 3) : } 03 104: BIT STRING, encapsulates { 30 101: SEQUENCE { 02 48: INTEGER : 4B 50 12 EB 7D 91 E9 64 88 C2 0C 47 E4 33 91 23 : 46 22 E4 77 D0 BA F6 DD FB 5A AC B8 BD C0 CA 77 : 65 12 09 61 08 1A 01 67 3A 82 67 F7 31 50 29 ED 02 49: INTEGER : 00 A3 28 60 0B 70 E6 CA E4 36 31 3E 66 0E 82 A8 : 49 1F F5 FD 9B 6A 71 65 B5 1B 8F 6D 3A 78 07 45 : EB 6B 3E 73 FE 39 F7 34 33 CC F5 AB 5A 48 75 31 : 39 : } : } : } ]]></artwork> </section> <section anchor="acknowledgements" numbered="false"> <name>Acknowledgements</name> <t>Many thanks to <contact fullname="Ben Smeets"/>, <contact fullname="Michael Li"/>, <contact fullname="Tim Hollebeek"/>, <contact fullname="Roman Danyliw"/>, <contact fullname="Bernie Volz"/>, and <contact fullname="Éric Vyncke"/> for their review, comments, and assistance.</t> </section> </back><!-- ##markdown-source: H4sIANlMhmMAA81b61LjyJL+r6eopX8AO9jo4vvsnBjdDAZkjGWay8REhyyX bYEsuSUZY4jeV9l9lt0X28wqSbaM6abnnI1zujsaqZRVlZmV+eVFolQqCXHi BKMvjh8GtEWSaEEFbx6xqziRRbEpysIodANnBo9HkTNOSh5NxiXfmc3jUnVS CsbJak7jktgQXCdpkTgZCW4YxDSIF3GL7OOS+8LcawmEJKELIysa78NNHEZJ RMfxxshqtjmQeIkPm+7flqtik+g0SryxB3tQYj4nsLwXBmQcRqR6Qro0WYbR I2kvAjfB8QHytC84w2FEn1qMpI1jxAvIm/ViIV4MZ16MKyJRi3TMQVtwIuq0 iE3dReQlK+FxCeNBQqOAJiUDNSGMYHKLyKIslySpJDcFwVkk0zBqCSXCNdZf xDE5DRexT1cgYRhNWuSzN/H8fN0jcnGhw6OM1eJTeODCjxY5hX1HYXBEPqs4 Fi6CJILhaxvu6Mzx/BaZ8m1+f8IVYuqW3XCWM2JTB7SyAOajjI84UKJRvsGN E0+9YJLgHob+3h4xLPM7m1hY/SycBqQX0cX//hexnCSJ4zDItjEjz03v+U7n Htjc5gb2ko5osN7kAVYrz9Jlfqfp/MKGhhN41CeWN3EWfvLuVrbjBQm5cBYR DZIjclWQS3cCZ+Sstx2xNcszvmZxX8ELwNSAJ++JoiX323pVrtSyy6Ykp5c1 udZILxsVTjCw5Wa5WpfwGnzAiSYU/GSaJPO4dXy8XC7LymQ+L4MEx+NkfmzP qRsfO5E7hb2O5eaXGDih8TFfBH7A/6VpVSy/eHO+IveTv7EbgrZur+KEzn4l ejibgTMYTuJwj2D+YtPoyXMp0ZyYjrhJjx2Xxr8SO3EmlCjkoE99Ck+JVD9k q2ZmjdclrmswAXJCwZwc5nA9J0rgBmxoDoYQPlA3YdQbLiIqbISLg/pspRwr J70eaKnFJSSfpXq5WhYFIXij8YaIl7flGr/YrU0vWZTh2I8j6h4PSn1TL7EJ u3TVyU4VJEioOw1CP5ysCMAif64O4yRy3AQ0GiTOM+mGCSe+DCg5UO1uWTrM pMBz44CCBOGYDJ3Yc0mQTnlPj53BdWlQVJVUAtDdrSpGTfoUbHJGgxFbuUXW 8gGFfXncMfUWaTTkSklq4Xq5EUrfUduHjVAS0Qgl8YNG+Aab+3Qexl4SRqvM FP81TE8Sc9NDfSlKWfmL+lKUTF98EfihoL7kd/WVKckIAYuCHP7JQdewD38l KigBECwzrnYEIMjoD9T24T9LZ1w2pjM51ZmslEVR+Ws2luuMLwI/4P/v2dgA HRZU4m+53kkULuaAfRHN1QopDpBHMy9wfDC27mI2hL2CyRFxRqOIQuQPJozI G6Ga86X+WdbINLAGQqFUKkGCwLFIEAZTLyaQlC0AAhISc+EB3MFGiLuRJtFC muQFrr8YgaDC7mwJbI2lSPEhI8fFci/O06YnhcwXQ99zhUe62twsJk5M5lE4 9nwIKkAOeE0QsMuc+5k3GvlUED5hwInC0YLv/PrJw9tvKBT9gCrJAerokExh t0zwEWjyCeb4bwRjMoE8yBqshaCMYsUcdUpDFgCZAQL4J5AkkKWXQBYkFIQv g6lNKTyEhJBUmpBJpgob0bEXwAqoLnZ0a2v5FTdaYQpJfEh3uEoGztCnpFaW yrUy+E5JQoZeXzNo/vbtiNkgddwpbpKwfDUWMpuERYYr4pAYLDAhqq13OpBt oxmDji/nqLUwinFNYD1mrMdk5jxSsgCeYBgyQI8lsOAyvfMOpOOZva8EL0sD gARLAgBlZBkVASrES2e9bJlsWQMBaxAK1vD6mgbsb9+Y3oCFERcPl5xH3swB /B9nFojcbS4AciN7Qw8mOBub4CAuwPkGgORipTfJ1EmEaeiPUl8II/DteRig 1eOeT7gyrHJEHoNwGaBdbPsMVAJoZ2Vmjzse5CKk96qfdAGM3/E71wmEIRce OY8X8zmeXcZ9ZoEuaDsGdtEVfDAr18PZcfn7rp666ztbr7cTYFH6g63QssB7 nzymKocZLeo2s3XBgVTY9Ry0ZPSRd/XGfGUXa0JBKyTTCuwbvmO64FU+TIxA DQAbHL55fvb6CYZncYoaaBbg9nDoe9a1Pdg74j9J95Jd982r607fNPDaPlUv LvILIaWwTy+vL4z11XqmfmlZZtfgk2GUFIaEPUu92+NWvXfZG3Quu+rFHneb zWND+0djptz95hFFNTqxMKKxG3lDjg6a3vuf/5Yq4Dn/Bq4jS1ITXIffNKR6 BW6WkAPw3cLAX6W3HGfmc+pEzEt9H/Q79xIIdEdo4IAWYOmIX6DHf/8DNfNn i/zH0J1Llb+lAyhwYTDTWWGQ6eztyJvJXIk7hnZsk2uzML6l6SK/6l3hPtP7 xiCzl7exYHcH4fUTGGbwLXU1KJsZHv2Epx3BQXiA2Nx90FXeeA/5qPdwg/6+ Y4MCuClhOOems4GPmyAsbIDw+465uTTawpCSYsQBZoVx6PvhErEh5DCYk0Ay JPwn/IEUxhuV5jRrCBFyqZ2Z+oB0DLM76LQ7Zp+QVus3nuq8AsCHB9LhxlYl yKagAn9hsf9AOQT/GR3UDtOQRROgTtMkPCWWHh9UD8kMskCYFs9ivJs/es8H 9UPOCq6vVMg3zh8/4C1h0dJAYAhGjyAsOCPm2P7WOWzNmTpPlJ3gWikxKw/X mshmgrzEBl8yu7pJ7M69SQ6kctlSbw/JZTulEnJ6Rt5RqzYL6uQgn6DIh4e5 EGu+GDcI5VgyOAnB5APsLsgoQAyT5xJs9QI5QxDA4c004lcCWIGpFEMVgQ+u 9ZRaXB48QO+Yj0KCRg6eHH8BHIkwEbLvyZQo0uERS6PiOSYVOW1KSkCkI5Km mSNIm5IdNJJcP/yeDAWRuSDrNQAmhZz1bMYMiwLIEgLYf3tGXN6h3c3JTBqM 9Skv68VCSJdgdmdcRIs3m66P5miTkvO5geGxS3nOgj1S0NKIBcE1cxg6OTKt rYVlixBl5hgnE35YcZpaIeUigFViSImosKHo/S/7hxmAgXcEYVLIlHuwdIJZ a7rJemZMEx6XWROEWJDRQ277+smJA6k0C0fbgJqhI7c5nDJLp7yy7gWEt6zq yLTyDtqyMi1JnS9L9IInhBFEeRojw148pSNIatM8tCnJmIfCTHaPTTqARO6u oO6gLOVOiFECogPv1/xdMPUhlAItHIjZDH6fIuiBJMKy3xAeDLPd6XYwztmk Y/UuOnpnQAbqiZ0CqmaedLpICA8v+wObLWfeDsyuDXPYXbt/aWHSf1viTUGm 4hI2+KGQLfFqDbSUMvL3wfNfkDyXHQk4hyVRPqgC6Tfyq4CyAZeZZ+2M5EgD ZlJKXSQXn6HqK9vHvusO1NvcwFi7LItOBtHuChGMq/5Hu5LLjiFsxb5/pdD3 ERF4c1P4f4pbBOggjePx67UFmLaIXOqGI1piYTeKf+Mvib4xPMlbXzp4M6iI 9wKgoPwEopfwzVKa9r9HyGrqYvEJ0Ar5Eau+Wf24kZwDCNjhjGaAtxkOY1ZP pqngKoWmLKGDVdmbMycaQWplUyqogN+A2s9EZUiWRsSsRwBQhC0CoFVHIw85 hUx9hWiW1z+Y2WGd5U2gTk9AEMjb8w1xSSzjeRzyIvY04DkuMgB4TzdZFEBG VmDhxA8UgAVOSpwLQNB0tXUwDCE98J05T2MdLiUUHRF1RqtNYTksox/7KyEb x6BByHWcq5uF002ds3xzGZKRNx5TfGmzrg4FlGQ9jjKhHAt/hFkAq69BqnEa 9Fi/C+t/LNkLMgvr+prnxLkbMV1tHggsOaIJKzwpllvAcpQnTVl+tJ3bO9kR YEBdBN5XVJAbhcDButKFR+EiQbPlSZILj7hSira53YVYp6JpcY8dnmC1oRd8 ocGcYH3owtahb3QiWPrlwZnGWTMFwvUT2CdNrR+bP2DsAnsfzLsYIARukp1y yHpv/ro1ZOS8+JBM+owZPBnEOxfldZJCnrTE3hrkB7Au5qSp6ZGZN5kmmJwH lI5odr6g8+EiSf2YCvnmGRikhrXZqmrDSdJnZzb3Ie1iydiam3wXYb0La5m9 2yiJqO+kinDg3BzAMhjjoMayPMHDnfD88jdBY89PWL+ZzEMAIlAu4gAoFmcu /ORop71z1li1sX7MzgFzJ1Qs2ut3K7oyYZjaw9aXuwNSsSeWYWoHbAqRMFcl HEkSuiH2EeIF5IdOTAYXNpHKcgawlRr2LItd4Ag7PehQkw0gAAeNyvi6jYTM h368h8L3wHeosIewVTBzAIYDjFZzOIzUkQs5bxqadqpFwA7UlPpz5u1D7AcD U5uujvlw1ofCrWDBWRgnPCJDikk4moa8VTz38T0zLF/YLomcIE4/K+C5ckft qm8PwXMCB/TfLqS/73g9y2hZwwIUz5bz0CQBY9A7BTRKHkCYYFuVOjmAZGXd 3X/HYlCVAhB+nw77Sgi9Q0R/P3SdZH3ce7bVWX/BgMtg4rk7+dgD7iceQOkK MwaljN3xKvytlyWs/TKlFKoMpoS80NilCLKpCOFHikgrkfXzMjOnTR1wEuGj QpNc6JTlTr72nvCewOJhWlG52J326WjCUCQWBAshHrHlkXXFNQo524zSBLzG Akt1qE8uvCMy8GbkFMoiOqT08Yj0QwgN+KXEyveWR4IGqaRHyefQf+FFFH4t QT6vAveRZnJCXhHRJ48ujwh/w5zEnBaVyV8LlNPXUUPHfWR9Nm6udpoyvX5K +z+Ypf3ofUeaMMQ7Uq+UISFPgNZve9JUKg+TcVbAbrxtGVIoDoFScPz51BlS 1tZJK2m0cDAW1qRLa176PHUAVyEQ8qKQZdt71ZMvhtG12ntZjbLX0W19fYsj tm6293Jys9PfeLrXsewvqr1XIO+l1KraLaxE9i6s4gBS2zA9pTf6W/SWVrIL U5Bez7hRtxZj9Ne9Ir3Zy9l5s7nV3lpiD3dLqa/tbWYsc5t5y87INXt78a7S udlS5GX/i5pN0DV9a/2u+UY5vTX5m4fd/vbIwNYHOUP66ZsJtrp1std6Lq6h v2HHttWCevauDSuj7qtvFt9W17XRT6lN1TaKG3ftm8stVoyc8xNN/VJQ5173 xlC3yHs5tXWhFzfu5QZyattbbPa4+bA+4yeAaJYyFWBb5y0t/o4oyzyKvXQ2 KS3R0rtCBMHcC7JHypBs80H68hiddg0ciruJG/yLA9bMhlTCSQupo3e7Rl68 bpOz3Jx1PTe7cGkzCQiZB6TRz/7Quz2uC8zixguo5cjXheNzhBqxrzgE/FQt JgftK6N7yFEU6wGUvp8mjOuwkGEYJJRR+toBsa+TvowlEIucLRDUfQcrwipg q7yJrHUp620hUJdKrDtEdLOPrQhdHZhsVLA6HV0Ey1Z9Z6IuO5o66VwbRjWs VF7M0dieTAfy1Dr/pXdsPpycAprqk7vOeXjfeXkQTXVpLYX2wBxYsLgqXZv6 ZHnev51Oh7dafG9rxtVApe2luLIezGfr4fH50jDF7mDqsLEXPiZkg5bx+Ky/ qGfapPtZU+8Gqv95YNnh8ly9Mz5fXZ2bK1O6l63F8Kb60DXU5cVMerh7sZ4F y6683Cvacjj7LI7k5spZVZ/cmbscPahX2sT9On18uOxddTRtch1Nrq7UzqTr qergrNZpn3ZqDUX4enx29hCfXY9Nr9/+enJVW5wbJ2di+NXo1ZbmtK8unlbm 6qU6n/RnL8d164VKv8TSVzfoXTdnofQkRJ2bZvRwPh0en84ap81B7ymwrpZ6 X0/On3SjKVqPN0/u8Unj60rX5vosVl66l2eX3sNk0tbgADShN1AH2mQSaROz rV25WmdydWqp1zeq2O72H9Rb1MmprZqmoV5a6vJEn+knttr28cQs0IVgTEBJ fbGnXp0ea+qVoU6oamkWnsro7OrKstTwRNfjE/Xquq0tLd3SRPbMmFzdaFrf Eu6r55PlnX8XNBrV2XnHqFbvXfMl6Ggv6pjvbpknhnoz0ezOuNYxa1fJ14fb vvzL/PhZT/pTodL7+tIdqM+MuN8wzx/U0NKdydm56k09LRyd9peXXuPpPreP 6sNQFvN74f6mO72YdVdDQ5P4Iqamjhum86LNJw9AdHP3DM/j0W1XvL/twHXV Hxmdxd2NNLt4+BwId6tqMpxZIigEjKT7gBZ28dAN3FNtcX/bV4bKWXQxa67u K3fJ6PZscRl8lpybq9r9w+T53ujPhLub66Qr9/27lfhs3VwtL25MpftwnViG NrVOrKp1cy3fze5krsyvJ7ZVaWoqbCdPVOvkWhcsM7kyF0nzkfqPntWx+r9c vTza3ZPOoq+IF5GsjBMnuvCaS2uu3Pc7Z3dXE0e9cWuT2VixPqtzoX7VeVbP rfBOTZbVOHrsPpi/3E9q+lfzcdwcy0MnaPtJf9EbDuYVTbyNnJfqy/FDoHSN ntV0EkewT6+fL69++437vNk13np8/gJp48XVNOuh78DqtKxKO1khz3N9Ok7Y dy3rtDxxJuTAw4rq2cFCeeb4h/l3Ej4NJoC8+Dx7loKTIpK6LLbWjcZXHKo2 Gy2yOaaKEJsUGCN/iH/CvSjDpYT3pNMdmCdmn2RtazZIvjESXDmn2Hwu6kQx Sa1BTIU0dKJXSL1K2hUC+zSqRDGIKhHgQ22TRpu09c2plQbRa0QySVVFVonE 9tjgVazBfYPRvm0BU3cUOzcQhuxTVWlUIP0nMmlURFhGrFRJhShEOdySBHeR pa1dFAm2bjIS2xxwtRGpzudsc6Pw4R38bDadWZw7kAmyIYmHAigplQ7+XA/a jbS3u59nBep+gVVktnD/bYckyra+pDpswzm8HuhQv1AiN48l6Ri/kyNSoyVV WtUGObEG3yVViqRvN67Wd6lQ2lIhaf6sCtNvyTe1VzsUJAWI5XTS9iu0/Wv7 h5pD7iryFncV8R95wMijorzHY3XilmeBWxHF8sx1FUliX25m7WZY9+cPX5Ia 22eAVltr7ZIpteVdPtRj3zqc09W2/4C9HPLZ1fdmx9Sdg+dFEs4Fo1FkIhKl crjNvAjKaXI31joDYg/6ne5JgUisEL1JzAZpSKRSJ2CBgBdKnagaacv4kWDD JDpoG8BFB9gozG1KIDaiTFMkpkpMEAINmDQNIjeI2oBzIW2V6CLiTVUq7isT k20B5yfrpN0kag2ZqdWIDmgFmwKiGcQ0SN0kmlKYW1VJU8d/bQZzTZU0DFJr E1VH4NMA+Ez2WlzCwXZxX7NG2gDXbVJVED1hX9ioohBRRHFElRgyakAE5tuk XinMhTXheOBpHeSSiKajlmQRVadWwImRAaONUldMIhfnmo0tS1Jhfw6Ifyh/ ciNSUujbNq13vLnxrr8E4/RDWDQOwHlwliqpw080EVBybpfkUofcN7WLI+xD OvN44fMPHzmUVDPP2ES7TXclG2/M9qH22PaoNz71diAND8pPo9Y6xPfSfjSH BjgLReaipo75AVEBd9+Kyh7IOedbvOWRZSd7+zL6B3NsoMSzgAH0hUrjrZLe aumjesv4/rjeHunqOsZfU8iUJVVBWYDVaToCaHF5eWGqXTLoX5vcYiofUaO4 GTA2IAeMbxHwzyS9JN4Wa1/a18gBPCHi4QdF/ukAB+Xu+bbUSj01EfnDJiLu MJGCM+40U9+D6hh/9WHbI8Ei3kj8YXf5aR2kH+eBHjobHeTMBFJokD+kDEaZ K2OTdJv5ik5qddKUMS3VJdJoEkhumm1EeaUJwYmoELsUYgJNjVT17ekQHoBM bxCx/jG1KNLPqoX/KoSXrHYrRqmmivmQB7CTkXdYSUPc1BiWANvyNBoYl1Ad FWI2iaiRGotsdYi9NQykTYxmLEZBnJS2p5si0migr+pfNanKz+eN/QsD3wHg u0xIznoh5F8bGCxx1VU+7GCVXQ7GjnXtYFsllVJby8kLKzZaWY+mw40ahvCN YfJH7U+yj7/W0zo+TstG/CXJ7Np1ym7k74DqXWC9c+yvYrr080XQ1mf8uVvX f4DskvjRXEASd+UCDShRq+sj+EN+Y9dk35mNpTK+0kxoJJUh+5bLMFR+Nzl/ q/L9db6Ox1iprjes7dhwEQWtxcIbtcYNaVQZO7RUh5q9JEkjseTUa9WSKDqi 25RobTiu/aWEpXC/XSVs3H1bx42dIeMfUF2zNF8S0eDXEXf3AW4X4NhfqHDP 2tFgIBWNVGEaS9XrBibIgEu1CiIV1ARQWkPFYFYw4YVHcjFJr9QAB/FpvU4M kWgqadeIYZC2hvk7ZMpaA1N1KA50FWgKc2tV3FSEvSTMxCWVgAlDFFEAD2W8 aMO1hLyBhZsGF6P5rhiQ20O2DSVJTURUrYtYBcCuyHoNF8I2ClQfJq6uFhN1 qICkNhYabZCfIXJdQv40YFHDxkrNQLbqGKDALIs5P9BruDjWCybGMeSb6Utn xYvKdAEJYR0KmSKgK83v2dT6hn0TLvwfSjd7DABBAAA= --></rfc>