<?xmlversion="1.0" encoding="utf-8"?> <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.10 (Ruby 2.7.2) -->version='1.0' encoding='utf-8'?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?rfc rfcedstyle="yes"?> <?rfc strict="yes"?> <?rfc compact="no"?> <?rfc subcompact="no"?> <?rfc comments="yes"?> <?rfc inline="yes"?><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" number="9444" docName="draft-ietf-acme-subdomains-07" category="std"consensus="yes"submissionType="IETF" consensus="true" tocDepth="2" tocInclude="true" sortRefs="true"symRefs="true">symRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 3.17.1 --> <front> <titleabbrev="ACME-SUBDOMAINS">Automatedabbrev="ACME for Subdomains">Automated Certificate Management Environment (ACME) for Subdomains</title> <seriesInfo name="RFC" value="9444"/> <author initials="O." surname="Friel" fullname="Owen Friel"> <organization>Cisco</organization> <address> <email>ofriel@cisco.com</email> </address> </author> <author initials="R." surname="Barnes" fullname="Richard Barnes"> <organization>Cisco</organization> <address> <email>rlb@ipv.sx</email> </address> </author> <author initials="T." surname="Hollebeek" fullname="Tim Hollebeek"> <organization>DigiCert</organization> <address> <email>tim.hollebeek@digicert.com</email> </address> </author> <author initials="M." surname="Richardson" fullname="Michael Richardson"> <organization>Sandelman Software Works</organization> <address> <email>mcr+ietf@sandelman.ca</email> </address> </author> <date year="2023"month="March" day="01"/>month="August"/> <area>Security</area> <workgroup>ACME Working Group</workgroup> <keyword>BRSKI</keyword> <keyword>BRSKI-Cloud</keyword> <keyword>ACME-Integrations</keyword> <abstract> <t>This document specifies how Automated Certificate Management Environment (ACME) can be used by a client to obtain a certificate for a subdomain identifier from a certification authority.ThisAdditionally, this document specifies how a client can fulfill a challenge against an ancestor domain but may not need to fulfill a challenge against the explicit subdomain if certification authority policy allows issuance of the subdomain certificate without explicit subdomain ownership proof.</t> </abstract> </front> <middle> <sectionanchor="introduction"><name>Introduction</name>anchor="introduction"> <name>Introduction</name> <t>ACME <xref target="RFC8555"/> defines a protocol that a certification authority (CA) and an applicant can use to automate the process of domain name ownership validation and X.509v3 (PKIX) <xref target="RFC5280"/> certificate issuance. The CA is the ACME server and the applicant is the ACME client, and the client uses the ACME protocol to request certificate issuance from the server. This document outlines how ACME can be used to issue subdomaincertificates,certificates without requiring the ACME client to explicitly fulfill an ownership challenge against the subdomain identifiers--- the ACME client need only fulfill an ownership challenge against an ancestor domain identifier.</t> </section> <sectionanchor="terminology"><name>Terminology</name> <t>Theanchor="terminology"> <name>Terminology</name> <t> The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> <t>The following terms are defined inDNS Terminology"DNS Terminology" <xref target="RFC8499"/> and are reproduced here:</t><t><list style="symbols"> <t>Label: An<dl newline="true"> <dt>Label:</dt> <dd>An ordered list of zero or more octets that makes up a portion of a domain name. Using graph theory, a label identifies one node in a portion of the graph of all possible domainnames.</t> <t>Domain Name: Annames.</dd> <dt>Domain Name:</dt> <dd>An ordered list of one or morelabels.</t> <t>Fully-Qualifiedlabels.</dd> <dt>Fully-Qualified Domain Name(FQDN): This(FQDN):</dt> <dd>This is often just a clear way of saying the same thing as "domain name of a node", as outlined above. However, the term is ambiguous. Strictly speaking, a fully-qualified domain name would include every label, including the zero-length label of the root: such a name would be written"www.example.net."<tt>www.example.net.</tt> (note the terminating dot). But, because every name eventually shares the common root, names are often written relative to the root (such as"www.example.net")<tt>www.example.net</tt>) and are still called "fully qualified". This term first appeared in <xref target="RFC0819"/>. In this document, names are often written relative to theroot.</t> </list></t>root.</dd> </dl> <t>The following definition for "subdomain" is taken fromDNS Terminology"DNS Terminology" <xref target="RFC8499"/> and reproducedhere, howeverhere; however, the definition is ambiguous and is further clarified below:</t><t><list style="symbols"> <t>Subdomain: "A<dl newline="true"> <dt>Subdomain:</dt> <dd>"A domain is a subdomain of another domain if it is contained within that domain. This relationship can be tested by seeing if the subdomain's name ends with the containing domain's name." (Quoted from <xref section="3.1" sectionFormat="of" target="RFC1034"/>.) For example, in the host name"nnn.mmm.example.com",<tt>nnn.mmm.example.com</tt>, both"mmm.example.com"<tt>mmm.example.com</tt> and"nnn.mmm.example.com"<tt>nnn.mmm.example.com</tt> are subdomains of"example.com".<tt>example.com</tt>. Note that the comparisons here are done on whole labels; that is,"ooo.example.com"<tt>ooo.example.com</tt> is not a subdomain of"oo.example.com".</t> </list></t><tt>oo.example.com</tt>.</dd> </dl> <t>The definition is ambiguous as it appears to allow a subdomain to include the given domain. That is,"mmm.example.com"<tt>mmm.example.com</tt> ends with"mmm.example.com"<tt>mmm.example.com</tt> and thus is a subdomain of itself. This document interprets the first sentence of the above definition as meaning"A"a domain is a subdomain of a different domain if it is contained within that differentdomain.".domain". A domain cannot be a subdomain of itself. For example,"mmm.example.com"<tt>mmm.example.com</tt> is not a subdomain of"mmm.example.com".</t><tt>mmm.example.com</tt>.</t> <t>The following additional terms are used in this document:</t><t><list style="symbols"> <t>Certification<dl newline="true"> <dt>Certification Authority(CA): An(CA):</dt> <dd>An organization that is responsible for the creation, issuance, revocation, and management of Certificates. The term applies equally to bothRootroot CAs andSubordinatesubordinate CAs. Refer to <xref target="RFC5280"/> for detailed information on CertificationAuthorities.</t> <t>CSR: CertificateAuthorities.</dd> <dt>CSR:</dt> <dd>Certificate SigningRequestRequest, as defined in <xreftarget="RFC2986"/></t> <t>Ancestor Domain: atarget="RFC2986"/>.</dd> <dt>Ancestor Domain:</dt> <dd>A domain is an ancestor domain of a subdomain if it contains that subdomain and has less labels than that subdomain. A domain cannot be an ancestor domain of itself. For example, for the host name"nnn.mmm.example.com",<tt>nnn.mmm.example.com</tt>, both"mmm.example.com"<tt>mmm.example.com</tt> and"example.com"<tt>example.com</tt> are ancestor domains of"nnn.mmm.example.com".<tt>nnn.mmm.example.com</tt>. However,"nnn.mmm.example.com"<tt>nnn.mmm.example.com</tt> is not an ancestor domain of"nnn.mmm.example.com".<tt>nnn.mmm.example.com</tt>. Note that the comparisons here are done on whole labels; that is,"oo.example.com"<tt>oo.example.com</tt> is not an ancestor domain of"ooo.example.com".</t> </list></t> <t>ACME <xref<tt>ooo.example.com</tt>.</dd> </dl> <t><xref target="RFC8555"/> defines the following object typeswhichthat are used in this document:</t><t><list style="symbols"> <t>Order Object: An<dl newline="false"> <dt>Order Object:</dt> <dd>An ACME order object represents a client's request for a certificate and is used to track the progress of that order through toissuance.</t> <t>Authorization Object: Anissuance.</dd> <dt>Authorization Object:</dt> <dd>An ACME authorization object represents a server's authorization for an account to represent anidentifier.</t> <t>Challenge Object: Anidentifier.</dd> <dt>Challenge Object:</dt> <dd>An ACME challenge object represents a server's offer to validate a client's possession of an identifier in a specificway.</t> </list></t>way.</dd> </dl> <t>ACME <xreftarget="RFC8555"/> Section 6.3target="RFC8555" sectionFormat="comma" section="6.3"/> introduces the following term which is used in this document:</t><t><list style="symbols"> <t>POST-as-GET Request: When<dl newline="true"> <dt>POST-as-GET Request:</dt> <dd>When a client wishes to fetch a resource from the server, then it <bcp14>MUST</bcp14> send a POST request with a signedJWSJSON Web Signature (JWS) body, where the JWS body is specified in ACME <xreftarget="RFC8555"/> Section 6.2.target="RFC8555" sectionFormat="comma" section="6.2"/>. ACME refers to these as "POST-as-GET"requests.</t> </list></t>requests.</dd> </dl> </section> <sectionanchor="acme-workflow-and-identifier-requirements"><name>ACMEanchor="acme-workflow-and-identifier-requirements"> <name>ACME Workflow and Identifier Requirements</name> <t>A typical ACME<xref target="RFC8555"/>workflow for issuance of certificates is as follows:</t><t><list style="numbers"> <t>client<ol spacing="normal" type="1"> <li>Client POSTs a newOrder request that contains a set of"identifiers"</t> <t>serveridentifier objects in the <tt>identifiers</tt> field of the ACME order object.</li> <li>Server replies with an order object that contains a set of links to authorization object(s) and a"finalize" URI</t> <t>client<tt>finalize</tt> URI.</li> <li>Client sends POST-as-GET requests to retrieve the authorization object(s), with the downloaded authorization object(s) containing the"identifier"<tt>identifier</tt> that the client must prove that they control, and a set of links to associated challenges objects, one of which the client mustfulfill</t> <t>clientfulfill.</li> <li>Client proves control over the"identifier"<tt>identifier</tt> in the authorization object by completing one of the specified challenges, for example, by publishing a DNS TXTrecord</t> <t>clientrecord.</li> <li>Client POSTs a CSR to the"finalize" API</t> <t>server<tt>finalize</tt> API.</li> <li>Server replies with an updated order object that includes a"certificate" URI</t> <t>client<tt>certificate</tt> URI.</li> <li>Client sends a POST-as-GET request to the"certificate"<tt>certificate</tt> URI to download thecertificate</t> </list></t>certificate.</li> </ol> <t>ACME places the following restrictions on"identifiers":</t> <t><list style="symbols"> <t><xref<tt>identifiers</tt>:</t> <ul spacing="normal"> <li> <xref section="7.1.3" sectionFormat="comma" target="RFC8555"/>:The"The authorizations required are dictated by server policy; there may not be a 1:1 relationship between the order identifiers and the authorizationsrequired.</t> <t><xrefrequired."</li> <li> <xref section="7.1.4" sectionFormat="comma" target="RFC8555"/>:theThe only type of"identifier"<tt>identifier</tt> defined by the ACME specification is an FQDN: "The only type of identifier defined by this specification is a fully qualified domain name (type: "dns"). The domain name <bcp14>MUST</bcp14> be encoded in the form in which it would appear in acertificate."</t> <t><xrefcertificate."</li> <li> <xref section="7.4" sectionFormat="comma" target="RFC8555"/>:the "identifier"The <tt>identifier</tt> in the CSR request must match the"identifier"<tt>identifier</tt> in the newOrder request: "The CSR <bcp14>MUST</bcp14> indicate the exact same set of requested identifiers as the initial newOrderrequest."</t> <t><xrefrequest."</li> <li> <xref section="8.3" sectionFormat="comma" target="RFC8555"/>:the "identifier",The <tt>identifier</tt>, or FQDN, in the authorization object must be used when fulfilling challenges via HTTP: "Construct a URL by populating the URL template ... where thedomain<tt>domain</tt> field is set to the domain name beingverified"</t> <t><xrefverified."</li> <li> <xref section="8.4" sectionFormat="comma" target="RFC8555"/>:the "identifier",The <tt>identifier</tt>, or FQDN, in the authorization object must be used when fulfilling challenges via DNS: "The client constructs the validation domain name by prepending the label "_acme-challenge" to the domain name beingvalidated."</t> </list></t>validated."</li> </ul> <t>ACME does not mandate that the"identifier"<tt>identifier</tt> in a newOrder request matches the"identifier"<tt>identifier</tt> in authorization objects.</t> <t>ThebaseACME base document <xref target="RFC8555"/>documentonly specifies the "dns" identifier type. Additional identifiers may be defined and registered in the IANA <xref target="ACME-Identifier-Types"/> registry. For example, <xref target="RFC8738"/> specifies the "ip" identifier type. This document is only relevant for the "dns" identifier type.</t> <t>Notealsothat ACME supports multiple different validation methods that can be used to fulfill challenges and prove ownership of identifiers. Validation methods are registered in the IANA <xref target="ACME-Validation-Methods"/> registry. This document does not mandate use of any particular validation method or methods. ACME server policy dictates which validation methods are supported. See <xref target="acme-server-policy-considerations"/> for more information on ACME server policy.</t> </section> <sectionanchor="acme-issuance-of-subdomain-certificates"><name>ACMEanchor="acme-issuance-of-subdomain-certificates"> <name>ACME Issuance of Subdomain Certificates</name> <t>As noted in the previous section, ACME <xref target="RFC8555"/> does not mandate that the"identifier"<tt>identifier</tt> in a newOrder request matches the"identifier"<tt>identifier</tt> in authorization objects. This means that the ACME specification does not preclude an ACME server processing newOrder requests and issuing certificates for a subdomain without requiring a challenge to be fulfilled against that explicit subdomain.</t> <t>ACME server policy could allow issuance of certificates for a subdomain to a client where the client only has to fulfill an authorization challenge for an ancestor domain of that subdomain.ThisFor example, this allows for a flow where a client proves ownershipof, for example, "example.org"of <tt>example.org</tt> and then successfully obtains a certificate for"sub.example.org".</t><tt>sub.example.org</tt>.</t> <t>ACME server policy is out of scope of thisdocument,document; however, some commentary is provided in <xref target="acme-server-policy-considerations"/>.</t> <t>Clients need a mechanism to instruct the ACME server that they are requesting authorization for all subdomains subordinate to the specified domain, as opposed to just requesting authorization for an explicit domain identifier. Clients need a mechanism to do this in both newAuthz and newOrder requests. ACME servers need a mechanism to indicate to clients that authorization objects are valid for all subdomains under the specified domain. These are described in this section.</t> <sectionanchor="authorization-object"><name>Authorizationanchor="authorization-object"> <name>Authorization Object</name> <t>ACME (<xref section="7.1.4" sectionFormat="comma" target="RFC8555"/>) defines the authorization object. This document defines a new"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> field for the authorization object. When ACME server policy allows authorization for subdomains subordinate to a domain, the server indicates this by including the new"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> field in the authorization object for that domain identifier:</t><figure><artwork><![CDATA[ subdomainAuthAllowed<dl> <dt><tt>subdomainAuthAllowed</tt> (optional,boolean): Ifboolean):</dt> <dd>If present, this fieldMUST<bcp14>MUST</bcp14> be true for authorizations where ACME server policy allows certificates to be issued for any subdomain subordinate to the domain specified in the'identifier'<tt>identifier</tt> field of the authorizationobject. ]]></artwork></figure>object.</dd> </dl> <!--[rfced] Regarding the use of fixed-width font: where the spanx element was used in the provided XML file, now the <tt> element is present. Please review whether you would like to use that element elsewhere for consistent usage. It yields fixed-width font in the PDF and HTML files. Example of usage: ... for the domain <tt>example.org</tt> --> <t>The following example shows an authorization object for the domain<spanx style="verb">example.org</spanx><tt>example.org</tt>, where the authorization covers the subdomains subordinate to<spanx style="verb">example.org</spanx>.</t> <figure><artwork><![CDATA[<tt>example.org</tt>.</t> <sourcecode type="json"><![CDATA[ { "status": "valid", "expires": "2023-09-01T14:09:07.99Z", "identifier": { "type": "dns", "value": "example.org" }, "challenges": [ { "url": "https://example.com/acme/chall/prV_B7yEyA4", "type": "http-01", "status": "valid", "token": "DGyRejmCefe7v4NfDGDKfA", "validated": "2014-12-01T12:05:58.16Z" } ], "subdomainAuthAllowed": true }]]></artwork></figure>]]></sourcecode> <t>If the"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> field is not included, then the assumed default value is false.</t> <t>If ACME server policy allows issuance of certificates containing wildcard identifiers under that authorization object, then the server <bcp14>SHOULD</bcp14> include the"wildcard"<tt>wildcard</tt> field with a value of true, as per <xref section="7.1.4" sectionFormat="comma" target="RFC8555"/>.</t> </section> <sectionanchor="pre-authorization"><name>Pre-Authorization</name>anchor="pre-authorization"> <name>Pre-authorization</name> <t>The basic ACME workflow has authorization objects created reactively in response to a certificate order. ACME also allows for pre-authorization, where clients obtain authorization for an identifier proactively, outside of the context of a specific issuance. With the ACME pre-authorization flow, a client can pre-authorize for a domainonce,once and then issue multiple newOrder requests for certificates with identifiers in the subdomains subordinate to that domain.</t> <t>ACME<xref(<xref section="7.4.1" sectionFormat="comma"target="RFC8555"/>target="RFC8555"/>) defines the"identifier"<tt>identifier</tt> object for newAuthz requests. This document defines a new"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> field for the"identifier"<tt>identifier</tt> object:</t><figure><artwork><![CDATA[ subdomainAuthAllowed<dl> <dt><tt>subdomainAuthAllowed</tt> (optional,boolean): Anboolean):</dt> <dd>An ACME client sets this flag to indicate to the server that it is requesting an authorization for the subdomains subordinate to the specified domain identifiervalue ]]></artwork></figure>value.</dd> </dl> <t>Clients include the new"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> field in the"identifier"<tt>identifier</tt> object of newAuthz requests to indicate that they are requesting a subdomain authorization. In the following example of a newAuthz payload, the client is requesting pre-authorization for the subdomains subordinate to<spanx style="verb">example.org</spanx>.</t> <figure><artwork><![CDATA[<tt>example.org</tt>.</t> <sourcecode type="json"><![CDATA[ "payload": base64url({ "identifier": { "type": "dns", "value": "example.org", "subdomainAuthAllowed": true } })]]></artwork></figure>]]></sourcecode> <t>If the server is willing to allow a single authorization for thesubdomains,subdomains and there is not an existing authorization object for the identifier, then it will create an authorization object and include the"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> flag with a value of true.</t> <t>If the server policy does not allow creation of subdomain authorizations subordinate to that domain, the server can create an authorization object for the indicatedidentifier,identifier and <bcp14>MAY</bcp14> include the"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> flag with a value of false. If the server creates an authorization object and does not include the"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> flag, then the assumed value is false.</t> <t>In both scenarios, handling of the pre-authorization follows the process documented in ACME <xref section="7.4.1" sectionFormat="comma" target="RFC8555"/>.</t> </section> <sectionanchor="new-orders"><name>Newanchor="new-orders"> <name>New Orders</name> <t>Clients need a mechanism to optionally indicate to servers whether or not they are authorized to fulfill challenges against an ancestor domain for a given identifier. For example, if a client places an order for an identifier<spanx style="verb">foo.bar.example.org</spanx>,<tt>foo.bar.example.org</tt> and is authorized to fulfill a challenge against the ancestor domains<spanx style="verb">bar.example.org</spanx><tt>bar.example.org</tt> or<spanx style="verb">example.org</spanx>,<tt>example.org</tt>, then the client needs a mechanism to indicate control over the ancestor domains to the ACME server.</t> <t>In order to accomplish this, this document defines a new"ancestorDomain"<tt>ancestorDomain</tt> field for the identifier that is included in order objects.</t><figure><artwork><![CDATA[ ancestorDomain<dl> <dt><tt>ancestorDomain</tt> (optional,string): Thisstring):</dt> <dd>This is an ancestor domain of the requested identifier. The clientMUST<bcp14>MUST</bcp14> be able to fulfill a challenge against the ancestordomain. ]]></artwork></figure>domain.</dd> </dl> <t>This field specifies an ancestor domain of the identifier that the client has DNS controlover,over and is capable of fulfilling challenges against. Based on server policy, the server can choose to issue a challenge against any ancestor domain of the identifier up to and including the specified"ancestorDomain",<tt>ancestorDomain</tt> and create a corresponding authorization object against the chosen identifier.</t> <t>In the following example of a newOrder payload, the client requests a certificate for identifier<spanx style="verb">foo.bar.example.org</spanx><tt>foo.bar.example.org</tt> and indicates that it can fulfill a challenge against the ancestor domain<spanx style="verb">bar.example.org</spanx>.<tt>bar.example.org</tt>. The server can then choose to issue a challenge against either<spanx style="verb">foo.bar.example.org</spanx><tt>foo.bar.example.org</tt> or<spanx style="verb">bar.example.org</spanx><tt>bar.example.org</tt> identifiers.</t><figure><artwork><![CDATA[<sourcecode type="json"><![CDATA[ "payload": base64url({ "identifiers": [ { "type": "dns", "value": "foo.bar.example.org", "ancestorDomain": "bar.example.org" } ], "notBefore": "2023-09-01T00:04:00+04:00", "notAfter": "2023-09-08T00:04:00+04:00" })]]></artwork></figure>]]></sourcecode> <t>In the following example of a newOrder payload, the client requests a certificate for identifier<spanx style="verb">foo.bar.example.org</spanx><tt>foo.bar.example.org</tt> and indicates that it can fulfill a challenge against the ancestor domain<spanx style="verb">example.org</spanx>.<tt>example.org</tt>. The server can then choose to issue a challenge against any one of<spanx style="verb">foo.bar.example.org</spanx>, <spanx style="verb">bar.example.org</spanx><tt>foo.bar.example.org</tt>, <tt>bar.example.org</tt>, or<spanx style="verb">example.org</spanx><tt>example.org</tt> identifiers.</t><figure><artwork><![CDATA[<sourcecode type="json"><![CDATA[ "payload": base64url({ "identifiers": [ { "type": "dns", "value": "foo.bar.example.org", "ancestorDomain": "example.org" } ], "notBefore": "2023-09-01T00:04:00+04:00", "notAfter": "2023-09-08T00:04:00+04:00" })]]></artwork></figure>]]></sourcecode> <t>If the client is unable to fulfill authorizations against an ancestor domain, the client should not include the"ancestorDomain"<tt>ancestorDomain</tt> field.</t> <t>Server newOrder handling generally follows the process documented inACME, <xrefACME (<xref section="7.4" sectionFormat="of"target="RFC8555"/>.target="RFC8555"/>). If the server is willing to allow subdomain authorizations for the domain specified in"ancestorDomain",<tt>ancestorDomain</tt>, then it creates an authorization object against that ancestor domain and includes the"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> flag with a value of true.</t> <t>If the server policy does not allow creation of subdomain authorizations against that ancestor domain, then it can create an authorization object for the indicated identifiervalue,value and <bcp14>SHOULD NOT</bcp14> include the"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> flag. As the client requested a subdomain authorization for the ancestordomain,domain and not for the indicated identifier, there is no need for the server to include the"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> flag in the authorization object for the indicated identifier.</t> </section> <sectionanchor="directory-object-metadata"><name>Directoryanchor="directory-object-metadata"> <name>Directory Object Metadata</name> <t>This document defines a new"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> ACME directory metadata field. An ACME server can advertise support for authorization of subdomains by including the"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> boolean flag in its "ACME Directory Metadata Fields" registry:</t><figure><artwork><![CDATA[ subdomainAuthAllowed<dl> <dt><tt>subdomainAuthAllowed</tt> (optional,bool): Indicatesbool):</dt> <dd>Indicates if an ACME server supports authorization ofsubdomains. ]]></artwork></figure>subdomains.</dd> </dl> <t>If not specified, then the assumed default value is false. If an ACME server supports authorization of subdomains, it can indicate this by including this field with a value of "true".</t> </section> </section> <sectionanchor="illustrative-call-flow"><name>Illustrativeanchor="illustrative-call-flow"> <name>Illustrative Call Flow</name> <t>The call flow illustrated here uses the ACME pre-authorization flow using DNS-based proof of ownership.</t><figure><artwork><![CDATA[<artwork><![CDATA[ +--------+ +------+ +-----+ | Client | | ACME | | DNS | +--------+ +------+ +-----+ | | |STEPStep 1:Pre-AuthorizationPre-authorization of ancestordomaindomain. | | | | POST /newAuthz | | | "example.org" | | |--------------------------->| | | | | | 201 authorizations | | |<---------------------------| | | | | | Publish DNS TXT | | | "example.org" | | |--------------------------------------->| | | | | POST /challenge | | |--------------------------->| | | | Verify | | |---------->| | 200 status=valid | | |<---------------------------| | | | | | Delete DNS TXT | | | "example.org" | | |--------------------------------------->| | | |STEPStep 2: Place order forsub1.example.orgsub1.example.org. | | | | POST /newOrder | | | "sub1.example.org" | | |--------------------------->| | | | | | 201 status=ready | | |<---------------------------| | | | | | POST /finalize | | | CSR SAN "sub1.example.org" | | |--------------------------->| | | | | | 200 OK status=valid | | |<---------------------------| | | | | | POST /certificate | | |--------------------------->| | | | | | 200 OK | | | PEM SAN "sub1.example.org" | | |<---------------------------| | | | |STEPStep 3: Place order forsub2.example.orgsub2.example.org. | | | | POST /newOrder | | | "sub2.example.org" | | |--------------------------->| | | | | | 201 status=ready | | |<---------------------------| | | | | | POST /finalize | | | CSR SAN "sub2.example.org" | | |--------------------------->| | | | | | 200 OK status=valid | | |<---------------------------| | | | | | POST /certificate | | |--------------------------->| | | | | | 200 OK | | | PEM SAN "sub2.example.org" | | |<---------------------------| |]]></artwork></figure> <t><list style="symbols"> <t>STEP]]></artwork> <ul> <li> <t>Step 1: Pre-authorization of ancestordomain <vspace blankLines='1'/>domain.</t> <t> The client sends a newAuthz request for the ancestor domainincludingand includes the"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> flag in the identifier object.</t></list></t> <figure><artwork><![CDATA[<sourcecode type="http-message"><![CDATA[ POST /acme/new-authz HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/evOfKhNU60wg", "nonce": "uQpSjlRb4vQVCjVYAyyUWg", "url": "https://example.com/acme/new-authz" }), "payload": base64url({ "identifier": { "type": "dns", "value": "example.org", "subdomainAuthAllowed": true } }), "signature": "nuSDISbWG8mMgE7H...QyVUL68yzf3Zawps" }]]></artwork></figure>]]></sourcecode> <t>The server creates and returns an authorization object for the identifierincludingthat includes the"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> flag. The object is initially in "pending" state.</t><figure><artwork><![CDATA[<sourcecode type="json"><![CDATA[ { "status": "pending", "expires": "2023-09-01T14:09:07.99Z", "identifier": { "type": "dns", "value": "example.org" }, "challenges": [ { "url": "https://example.com/acme/chall/prV_B7yEyA4", "type": "dns-01", "status": "pending", "token": "DGyRejmCefe7v4NfDGDKfA", "validated": "2023-08-01T12:05:58.16Z" } ], "subdomainAuthAllowed": true }]]></artwork></figure>]]></sourcecode> <t>The example illustrates the client completing a DNS challenge by publishing a DNS TXT record. The client then posts to the challenge resource to inform the server that it can validate the challenge.</t> <t>Once the server validates the challenge by checking the DNS TXT record, the server will transition the authorization object and associated challenge object status to "valid".</t> <t>The call flow above illustrates the ACME server replying to the client's challenge with status of "valid" after the ACME server has validated the DNS challenge. However, the validation flow may take some time. If this is the case, the ACME server may reply to the client's challenge immediately with a status of"processing","processing" and the client will then need to poll the authorization resource to see when it is finalized. Refer toACME<xref section="7.5.1"sectionFormat="comma"sectionFormat="of" target="RFC8555"/> for more details.</t><t><list style="symbols"> <t>STEP</li> <li> <t>Step 2: The client places a newOrder for<spanx style="verb">sub1.example.org</spanx> <vspace blankLines='1'/><tt>sub1.example.org</tt>.</t> <t> The client sends a newOrder request to the server and includes the subdomain identifier. Note that the identifier is a subdomain of the ancestor domain that has been pre-authorized instepStep 1. The client does not need to include the"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> field in the"identifier" object<tt>identifier</tt> object, as it has already pre-authorized the ancestor domain.</t></list></t> <figure><artwork><![CDATA[<sourcecode type="http-message"><![CDATA[ POST /acme/new-order HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/evOfKhNU60wg", "nonce": "5XJ1L3lEkMG7tR6pA00clA", "url": "https://example.com/acme/new-order" }), "payload": base64url({ "identifiers": [ { "type": "dns", "value": "sub1.example.org" } ], "notBefore": "2023-09-01T00:04:00+04:00", "notAfter": "2023-09-08T00:04:00+04:00" }), "signature": "H6ZXtGjTZyUnPeKn...wEA4TklBdh3e454g" }]]></artwork></figure>]]></sourcecode> <t>As an authorization object already exists for the ancestor domain, the server replies with an order object with a status of "ready" that includes a link to the existing "valid" authorization object.</t><figure><artwork><![CDATA[<sourcecode type="http-message"><![CDATA[ HTTP/1.1 201 Created Replay-Nonce: MYAuvOpaoIiywTezizk5vw Link: <https://example.com/acme/directory>;rel="index" Location: https://example.com/acme/order/TOlocE8rfgo { "status": "ready", "expires": "2023-09-01T14:09:07.99Z", "notBefore": "2023-09-01T00:00:00Z", "notAfter": "2023-09-08T00:00:00Z", "identifiers": [ { "type": "dns", "value": "sub1.example.org" } ], "authorizations": [ "https://example.com/acme/authz/PAniVnsZcis" ], "finalize": "https://example.com/acme/order/TOlocrfgo/finalize" }]]></artwork></figure>]]></sourcecode> <t>The client can proceed to finalize the order by posting a CSR to the"finalize"<tt>finalize</tt> resource. The client can then download the certificate for<spanx style="verb">sub1.example.org</spanx>.</t> <t><list style="symbols"> <t>STEP<tt>sub1.example.org</tt>.</t> </li> <li> <t>Step 3: The client places a newOrder for<spanx style="verb">sub2.example.org</spanx> <vspace blankLines='1'/><tt>sub2.example.org</tt>. </t> <t> The client sends a newOrder request to the server and includes the subdomain identifier. Note that the identifier is a subdomain of the ancestor domain that has been pre-authorized instepStep 1. The client does not need to include the"subdomainAuthAllowed"<tt>subdomainAuthAllowed</tt> field in the"identifier" object<tt>identifier</tt> object, as it has already pre-authorized the ancestor domain.</t></list></t> <figure><artwork><![CDATA[<sourcecode type="http-message"><![CDATA[ POST /acme/new-order HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/evOfKhNU60wg", "nonce": "5XJ1L3lEkMG7tR6pA00clA", "url": "https://example.com/acme/new-order" }), "payload": base64url({ "identifiers": [ { "type": "dns", "value": "sub2.example.org" } ], "notBefore": "2023-09-01T00:04:00+04:00", "notAfter": "2023-09-08T00:04:00+04:00" }), "signature": "H6ZXtGjTZyUnPeKn...wEA4TklBdh3e454g" }]]></artwork></figure>]]></sourcecode> <t>As an authorization object already exists for the ancestor domain, the server replies with an order object with a status of "ready" that includes a link to the existing "valid" authorization object.</t><figure><artwork><![CDATA[<sourcecode type="http-message"><![CDATA[ HTTP/1.1 201 Created Replay-Nonce: MYAuvOpaoIiywTezizk5vw Link: <https://example.com/acme/directory>;rel="index" Location: https://example.com/acme/order/TOlocE8rfgo { "status": "ready", "expires": "2023-09-01T14:09:07.99Z", "notBefore": "2023-09-01T00:00:00Z", "notAfter": "2023-09-08T00:00:00Z", "identifiers": [ { "type": "dns", "value": "sub2.example.org" } ], "authorizations": [ "https://example.com/acme/authz/PAniVnsZcis" ], "finalize": "https://example.com/acme/order/ROni7rdde/finalize" }]]></artwork></figure>]]></sourcecode> <t>The client can proceed to finalize the order by posting a CSR to the"finalize"<tt>finalize</tt> resource. The client can then download the certificate for<spanx style="verb">sub2.example.org</spanx>.</t><tt>sub2.example.org</tt>.</t> </li> </ul> </section> <sectionanchor="iana-considerations"><name>IANAanchor="iana-considerations"> <name>IANA Considerations</name> <sectionanchor="authorization-object-fields-registry"><name>Authorizationanchor="authorization-object-fields-registry"> <name>Authorization Object Fields Registry</name> <t>The following fieldishas been added to the "ACME Authorization Object Fields" registry defined in ACME <xref target="RFC8555"/>.</t><figure><artwork><![CDATA[ +----------------------+------------+--------------+-----------+ | Field Name | Field Type | Configurable | Reference | +----------------------+------------+--------------+-----------+ | subdomainAuthAllowed | boolean | false | RFC XXXX | +----------------------+------------+--------------+-----------+ ]]></artwork></figure><table anchor="iana1"> <name/> <thead> <tr> <th>Field Name</th> <th>Field Type</th> <th>Configurable</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>subdomainAuthAllowed</td> <td>boolean</td> <td>false</td> <td>RFC 9444</td> </tr> </tbody> </table> </section> <sectionanchor="directory-object-metadata-fields-registry"><name>Directoryanchor="directory-object-metadata-fields-registry"> <name>Directory Object Metadata Fields Registry</name> <t>The following fieldishas been added to the "ACME Directory Metadata Fields" registry defined inACME<xref target="RFC8555"/>.</t><figure><artwork><![CDATA[ +----------------------+------------+-----------+ | Field Name | Field Type | Reference | +----------------------+------------+-----------+ | subdomainAuthAllowed | boolean | RFC XXXX | +----------------------+------------+-----------+ ]]></artwork></figure><table anchor="iana2"> <name/> <thead> <tr> <th>Field Name</th> <th>Field Type</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>subdomainAuthAllowed</td> <td>boolean</td> <td>RFC 9444</td> </tr> </tbody> </table> </section> </section> <sectionanchor="security-considerations"><name>Securityanchor="security-considerations"> <name>Security Considerations</name> <t>This document specifies enhancements to ACME <xref target="RFC8555"/> that optimize the protocol flows for issuance of certificates for subdomains. The underlying goal of ACME for Subdomains remains the same as that of ACME: managing certificates that attest to identifier/key bindings for these subdomains. Thus, ACME for Subdomains has the same two security goals as ACME:</t><t><list style="numbers"> <t>Only<ol spacing="normal" type="(%d)"><li>Only an entity that controls an identifier can get an authorization for thatidentifier</t> <t>Onceidentifier.</li> <li>Once authorized, an account key's authorizations cannot be improperly used by anotheraccount</t> </list></t>account.</li> </ol> <t>ACME for Subdomains makes no changes to:</t><t><list style="symbols"> <t>account<ul spacing="normal"> <li>account or account keymanagement</t> <t>ACMEmanagement</li> <li>ACME channel establishment, securitymechanismsmechanisms, or threatmodel</t> <t>Validationmodel</li> <li>validation channel establishment, securitymechanismsmechanisms, or threatmodel</t> </list></t>model</li> </ul> <t>Therefore, all Security Considerations in ACME in the following areas are equally applicable to ACME for Subdomains:</t><t><list style="symbols"> <t>Threat Model</t> <t>Integrity of Authorizations</t> <t>Denial-of-Service Considerations</t> <t>Server-Side<ul spacing="normal"> <li>Threat Model</li> <li>Integrity of Authorizations</li> <li>Denial-of-Service Considerations</li> <li>Server-Side RequestForgery</t> <t>CAForgery</li> <li>CA PolicyConsiderations</t> </list></t>Considerations</li> </ul> <t>The only exception is that in order to satisfy goal (1) above, thisdraftdocument assumes that control over a domain may imply control over asubdomain, and thereforesubdomain; therefore, authorization for certificate issuance for the former may imply authorization for certificate issuance for the latter. In many ecosystems, this is a safe assumption, especially because control over the domain can often be leveraged to successfully demonstrate control over subdomains anyway, forexampleexample, by temporarily modifying DNS for the subdomain to point to a server the ancestor domain owner controls, rendering the distinction moot. For example, the CA/Browser Forum Baseline Requirements may consider control of an ancestor domain sufficient for issuance of certificates for subdomains, but only if specific processes and procedures are used for validating ownership of the ancestor domain.</t> <t>In ecosystems where control of an ancestor domain may not imply control over subdomains or authorization for issuance of certificates for subdomains, a more complicated threat analysis and server policy might be needed.</t> <t>Some additional comments on ACME server policy are given later in this section.</t> <sectionanchor="client-account-security"><name>Clientanchor="client-account-security"> <name>Client Account Security</name> <t>There may be scenarios were a client wishes to deactivate an authorization object for an ancestordomain,domain or deactivate its account completely. For example, a client may want to do this if an account key iscompromised,compromised or ifaan authorization object covering domains subordinate to an ancestor domain is no longer needed. The client can deactivate an authorization using the mechanism specified in <xref section="7.5.2" sectionFormat="comma" target="RFC8555"/> and can deactivate an account using the mechanism specified in <xref section="7.3.6" sectionFormat="comma" target="RFC8555"/>.</t> </section> <sectionanchor="subdomain-determination"><name>Subdomainanchor="subdomain-determination"> <name>Subdomain Determination</name> <t>The <xref target="RFC8499"/> definition of a subdomain is reproduced in <xref target="terminology"/>. When comparing domains to determine if one is a subdomain of the other, it is important to compare entirelabels,labels and not rely on a string prefix match. Relying on string prefix matches may yield incorrect results.</t> </section> <sectionanchor="acme-server-policy-considerations"><name>ACMEanchor="acme-server-policy-considerations"> <name>ACME Server Policy Considerations</name> <t>The ACME for Subdomains and the ACME specifications do not mandate any specific ACME server or CA policies, or any specific use cases for issuance of certificates. For example, an ACME server could be used:</t><t><list style="symbols"> <t>to<ul spacing="normal"> <li>to issue Web PKI certificates where the ACME server must comply with CA/Browser Forum<xref target="CAB"></xref>BaselineRequirements.</t> <t>asRequirements <xref target="CAB"/>.</li> <li>as a Private CA for issuance of certificates within an organization. The organization could enforce whatever policies they desire on the ACMEserver.</t> <t>forserver.</li> <li>for issuance ofIoTInternet of Things (IoT) device certificates. There are currently no IoT device certificate policies that are generally enforced across the industry. Organizations issuing IoT device certificates can enforce whatever policies they desire on the ACMEserver.</t> </list></t>server.</li> </ul> <t>ACME server policy could specify whether:</t><t><list style="symbols"> <t>issuance<ul spacing="normal"> <li>issuance of subdomain certificates is allowed based on proof of ownership of an ancestordomain</t> <t>issuancedomain.</li> <li>issuance of subdomain certificates is allowed, but only for a specific set of ancestordomains</t> <t>DNS based proof of ownership,domains.</li> <li>DNS-based orHTTP basedHTTP-based proof of ownership, or both, areallowed</t> </list></t>allowed.</li> </ul> <t>The CA policy considerations listed in <xref section="10.5" sectionFormat="comma" target="RFC8555"/> are equally applicable here. These include, but are not limited to:</t><t><list style="symbols"> <t>Is<ul spacing="normal"> <li>Is the claimed identifier syntacticallyvalid?</t> <t>Forvalid?</li> <li><t>For domain names:</t><t>Is<ul> <li>Is the name on the Public SuffixList?</t> <t>IsList?</li> <li>Is the name a high-valuename?</t> <t>Isname?</li> </ul> </li> <li>Is the key in the CSR sufficientlystrong?</t> </list></t>strong?</li> </ul> <t>Refer to <xref section="10.5" sectionFormat="comma" target="RFC8555"/> for more CA policy considerations.</t> <t>ACME server policy specification is explicitly out of scope of this document.</t> </section> </section> </middle> <back><references title='Normative References'> <reference anchor='RFC8555' target='https://www.rfc-editor.org/info/rfc8555'> <front> <title>Automatic Certificate Management Environment (ACME)</title> <author fullname='R. Barnes' initials='R.' surname='Barnes'><organization/></author> <author fullname='J. Hoffman-Andrews' initials='J.' surname='Hoffman-Andrews'><organization/></author> <author fullname='D. McCarney' initials='D.' surname='McCarney'><organization/></author> <author fullname='J. Kasten' initials='J.' surname='Kasten'><organization/></author> <date month='March' year='2019'/> <abstract><t>Public Key Infrastructure using X.509 (PKIX) certificates are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certification authorities (CAs) in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. As of this writing, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a CA and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation.</t></abstract> </front> <seriesInfo name='RFC' value='8555'/> <seriesInfo name='DOI' value='10.17487/RFC8555'/> </reference> <reference anchor='RFC2119' target='https://www.rfc-editor.org/info/rfc2119'> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author fullname='S. Bradner' initials='S.' surname='Bradner'><organization/></author> <date month='March' year='1997'/> <abstract><t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t></abstract> </front> <seriesInfo name='BCP' value='14'/> <seriesInfo name='RFC' value='2119'/> <seriesInfo name='DOI' value='10.17487/RFC2119'/> </reference> <reference anchor='RFC8174' target='https://www.rfc-editor.org/info/rfc8174'> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author fullname='B. Leiba' initials='B.' surname='Leiba'><organization/></author> <date month='May' year='2017'/> <abstract><t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t></abstract> </front> <seriesInfo name='BCP' value='14'/> <seriesInfo name='RFC' value='8174'/> <seriesInfo name='DOI' value='10.17487/RFC8174'/> </reference> <reference anchor='RFC8499' target='https://www.rfc-editor.org/info/rfc8499'> <front> <title>DNS Terminology</title> <author fullname='P. Hoffman' initials='P.' surname='Hoffman'><organization/></author> <author fullname='A. Sullivan' initials='A.' surname='Sullivan'><organization/></author> <author fullname='K. Fujiwara' initials='K.' surname='Fujiwara'><organization/></author> <date month='January' year='2019'/> <abstract><t>The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has sometimes changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.</t><t>This document obsoletes RFC 7719 and updates RFC 2308.</t></abstract> </front> <seriesInfo name='BCP' value='219'/> <seriesInfo name='RFC' value='8499'/> <seriesInfo name='DOI' value='10.17487/RFC8499'/> </reference><references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8555.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8499.xml"/> </references><references title='Informative References'><references> <name>Informative References</name> <reference anchor="CAB" target="https://cabforum.org/baseline-requirements-documents/"> <front> <title>Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates</title><author ><author> <organization>CA/Browser Forum</organization> </author><date year="n.d."/></front> </reference> <reference anchor="ACME-Identifier-Types"target="https://www.iana.org/assignments/acme/acme.xhtml#acme-identifier-types">target="https://www.iana.org/assignments/acme/"> <front> <title>ACME Identifier Types</title><author ><author> <organization>IANA</organization> </author><date year="n.d."/></front> </reference> <reference anchor="ACME-Validation-Methods"target="https://www.iana.org/assignments/acme/acme.xhtml#acme-validation-methods">target="https://www.iana.org/assignments/acme/"> <front> <title>ACME Validation Methods</title><author ><author> <organization>IANA</organization> </author><date year="n.d."/> </front> </reference> <reference anchor='RFC5280' target='https://www.rfc-editor.org/info/rfc5280'> <front> <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title> <author fullname='D. Cooper' initials='D.' surname='Cooper'><organization/></author> <author fullname='S. Santesson' initials='S.' surname='Santesson'><organization/></author> <author fullname='S. Farrell' initials='S.' surname='Farrell'><organization/></author> <author fullname='S. Boeyen' initials='S.' surname='Boeyen'><organization/></author> <author fullname='R. Housley' initials='R.' surname='Housley'><organization/></author> <author fullname='W. Polk' initials='W.' surname='Polk'><organization/></author> <date month='May' year='2008'/> <abstract><t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t></abstract> </front> <seriesInfo name='RFC' value='5280'/> <seriesInfo name='DOI' value='10.17487/RFC5280'/> </reference> <reference anchor='RFC0819' target='https://www.rfc-editor.org/info/rfc819'> <front> <title>The Domain Naming Convention for Internet User Applications</title> <author fullname='Z. Su' initials='Z.' surname='Su'><organization/></author> <author fullname='J. Postel' initials='J.' surname='Postel'><organization/></author> <date month='August' year='1982'/> <abstract><t>This RFC is an attempt to clarify the generalization of the Domain Naming Convention, the Internet Naming Convention, and to explore the implications of its adoption for Internet name service and user applications.</t></abstract></front><seriesInfo name='RFC' value='819'/> <seriesInfo name='DOI' value='10.17487/RFC0819'/> </reference> <reference anchor='RFC1034' target='https://www.rfc-editor.org/info/rfc1034'> <front> <title>Domain names - concepts and facilities</title> <author fullname='P. Mockapetris' initials='P.' surname='Mockapetris'><organization/></author> <date month='November' year='1987'/> <abstract><t>This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them.</t></abstract> </front> <seriesInfo name='STD' value='13'/> <seriesInfo name='RFC' value='1034'/> <seriesInfo name='DOI' value='10.17487/RFC1034'/> </reference> <reference anchor='RFC2986' target='https://www.rfc-editor.org/info/rfc2986'> <front> <title>PKCS #10: Certification Request Syntax Specification Version 1.7</title> <author fullname='M. Nystrom' initials='M.' surname='Nystrom'><organization/></author> <author fullname='B. Kaliski' initials='B.' surname='Kaliski'><organization/></author> <date month='November' year='2000'/> <abstract><t>This memo represents a republication of PKCS #10 v1.7 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from the PKCS #9 v2.0 or the PKCS #10 v1.7 document. This memo provides information for the Internet community.</t></abstract> </front> <seriesInfo name='RFC' value='2986'/> <seriesInfo name='DOI' value='10.17487/RFC2986'/> </reference> <reference anchor='RFC8738' target='https://www.rfc-editor.org/info/rfc8738'> <front> <title>Automated Certificate Management Environment (ACME) IP Identifier Validation Extension</title> <author fullname='R.B. Shoemaker' initials='R.B.' surname='Shoemaker'><organization/></author> <date month='February' year='2020'/> <abstract><t>This document specifies identifiers and challenges required to enable the Automated Certificate Management Environment (ACME) to issue certificates for IP addresses.</t></abstract> </front> <seriesInfo name='RFC' value='8738'/> <seriesInfo name='DOI' value='10.17487/RFC8738'/></reference> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.0819.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2986.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8738.xml"/> </references> </references> </back><!-- ##markdown-source: H4sIAAAAAAAAA+0963rbNpb/9RRY9UeTjcTYjnPTXDqKnTSexrFrO73NN9+E IiGJCUVqCMqK0mSeZZ9ln2zPBQBBEpSdpJ22O803F4sEgYODc8fBwXA47CXL YiTKYqXKvZ2dhzt7PVWGWfyPMM0zORIbqXplUqbwZ3+8KvNFWMpYHMiiTKZJ BD/EcZiFM7mQWSkeZ5dJkWf0943xwfHjm2KaF+J8NYnhwyRT/fZo4WRSyMuR wObD8xePDk+Ox0fPz3thIcOROJfRqkjKTW894ybi27x4nWQz8WWRr5Y9gGAk VBn3ojxTMlMrNRKfA8yf9+I8ysIFgB0X4bQcJrKcDsNoIYfKQjPcuQ/fxdDb SKzg9YPeMhn1hCimkYxVucFJc2cCxiiSqKx+l3lU+xHLZTmHJ3vUeLMo5FQ5 X+dFWX8S5YtlSB1mObVYTZqP4Ddi0vkoydIks0D1wlU5zwuAeIivoN1JIJ4U iUyhqRA8+5O1zJyHeQFzPUhUlNNPCXhIRyKfYoO/RPg8gGGrHs8C8SgsMiCC qsuzJJqHRey+8HdbpJO/JMvLQL2pOrwIxNM8TeVEytdOnxfJovGcujxMZgnS mttrmSyCuWn6lxhaRNCiDvZxYKBUeeYMc4wPZdp8SWOdA9XLdBFm4jyflmug P6I15Y69iIpbSEl/UaZxEIW9XpIBmQNnJJcS6edg/GhEX9kFEhWSxrcfFfla yUI8yYvVgt5pBnsUKokLLM7kP1dJQTyliIPKuRRHSq3CLJIChnaZLp+K09Uk TaJ0M7xAxqrzJ8NfhsVMAmnNy3KpRrdvR+FkisMHANTtiR53WDjjDoGBVvTX 7R50Qex5FMNv6FcWw4vNUqrOWR6Nn4/dmRHnVl8L+toL2Hq9DhKYHAEWKpXM MgYCeZf+J3gzLxfpZ8TLSQVQSV0aSL8J0ySGBcmz4bEE8OIPhLX6XujvfwJo LyugFrrT3nA4FOEEpAtwfq93MU+UMIgXaikjnJwS83wtPkb6RkDNEylWCr6a bEQoojTB12Uu8kkJMhAfOb0hrYXCSkhR4VdMi3xRa424YXSCfA7ENtDtuAjP dJVOkzTFh/MQ2DibAUnPUB6XQNoCSVyVAIcGYbIqxSLciCwvRSZhHgD7ti6Q VeSbJfBDUrozmXaBLpY5NAbkpCnwpUgMmwFfYV9VFy6i1gl8DZB5RsrXmSzU PFmKZZHn04DXeJHEcSp7vd5n4igrizxeRQhGr0fk9uOP/3X25ODB3bt3378X sZwCMyqYHXQAqiVPAZCw7Ea+uHEwvkliAfG3RIhCjWxYeURYqGmHZgS9AooV TlCDjMLRgbuiU+r0u+DuzsPLO+LG6VdH390EWL8AWO/uPdgBWF2cGMwhLUgQ dPCAxqMZgsC7BCrC/vBZBaXbiKlkYFtpqoFJOI0qpOQCBRZQixcMplhaQhq7 SaKwfCnhmZiLhne4BTrHjjrWXw0sBbDMRIukMQ3swpBHuqlo1qUQP/n6+E+B bmsOQOyQZ9fv3MNe1QgB0uaFLBZJlqf5bIPSSIrXciPWOahK0T9+cX7RH/D/ i+cn9PfZ469fHJ09PsS/z5+Onz2zf/R0i/OnJy+eHVZ/VV8enBwfP35+yB/D U1F71Osfj7/vMy30T04vjk6ej5/1Qb0DGtxlRD0NmIZ1S7JSFstCoogMVS+W KiqSCfyAbx4dnP7v/+zua0bb2919CMSruW73/j78WM9lxqMRRvknYHzTA1qV YYG9AD6BSJZJGaZAAaESCmgnE3NZSMDef/8NMfP3kfjjJFru7v9ZP8AJ1x4a nNUeEs7aT1ofMxI9jzzDWGzWnjcwXYd3/H3tt8G785DJYpqjtCSqB4pRtAos twjdh8/PXVIymN5/iGgnQQXtC7kkOQifIAZHICjFs3Aiwc4aAx0XMTyMRZoo snHeygKUViEWOXyaR6UsFYvFRfgamHi1FKHW6kswtlF2wUehK+ECIV4oBHlW hMs5rm1ebGAZRYqDVpygjHUAlliWx5JW3u0V+ZD7wCGAJpY5qP5JKt3RFAp+ ccgPnpP16ZkVjmEmRWDwZ09WKVhzX69AEANAsduNuPHk68PnN0eCxVmCcrwE G//VSpGKSJFW1+HGTGIqVLgx4klhB8A/8BOot18T/4gtnG6fKFtLx1h3E07y S0Tg03wtQZYSZ9DSIwDhYpLMVvlKQYNz8pOAgcACCNFRG9h1mdKk/mkn5Y6+ zlcpUk6UrgDhOMSG8THQD6En3Q2OjMQwRNlWzvXq6WUBjYsO4Sqa42yqnkE8 rEFVAqJ0L3003eSbcLFMZZDJMuiLG2BiSDuxJAMNCHiK8/ImzOvRCvTSREYh alSCT3dEg8CDrISJ4bzBsdDqCh04oBiEacA0QXTP61UHp5ApuQ8oysw8xA2e h2oB279pmUiVIPd1JxHKe5CWhGhhEd0PNK3Qek2TAgmFZBozKyv0nQcoEwPd 1VFDzHbC74U8aAoJEg0J8Q+amH2r4fqk/4GDM1bXVwqOhtAYoPbG5aCxnWFc sqQP4cF0VUCrAngkLJgEgXLyNQkeG6PAOIdVjqpmDSOLAI1gF5VVmaAJYxYg z9Coho7ROiBVBQKK25pFYHzlGatotjjAoCjJQtf9KCkRa0nDAv1caWrLQB3j CJrKaFCmVW7mkCbQtbjx9SrH/gnDP/54Lsn0FHeCXZwSLv7uzh3QgcFN9EmF JrQB61qpO5vnQDY0fD/LsmCxWFiKBDoHoTEBzIh+8zni3rCc7zsmYhuSQYD6 7ntA23Nmy7B0BADFSooEHHhFdMAKiKQpkOY8T404/QOvQaIGBoo8z+sQwKKg c9FY6X6jmeEMouxOQlNID8xcigxv5IBa12hYajFHegRYJ7MkcqFh9eCxWnQv jqGzlfIQbFKCbz9t2r7WVGJBxTJBwRvpeD4k892pwuwWMiRK28ojIk6mU1iU rGzySReHNNoHsOx2AOARXB5gk46p1WjWg52O9W22awmtMI5p3mHqGDnkHDSN UJIgBzXnbFxzzrTunwHy3vJ7TZUgDtQSiJisBxPpiQpJjQbWlxlAu8s80k9x uRe1AJAb72H3i2Q9eVkgteU/WTehnYxceoba5WDMghEkH1glqO7QaYPPz+QU 5Wle9/QQuFjC4qWEAB3wQoMo65h6om2gg/OzUS1mcZ7MiIjOtPcGdOXYjjzq 3sMH996/x8/HxmM51PI5dEmv7dEQBdYcfyA9TXfaZKzeIgLmMH6KDjFLDGyS Ndr5ydE7tpcqzcp+ghCti0WixcboLDx9/QaV3eYXwoZFvDPq6tPK5Y+VyC0Z ux2OluQOtkVPyhov55NXoPUEBQkBmgTtqq3cfIKGujihz4h7aSQy301naIpI RTFaE+D6XNmQBIfS3MCEtkJMeAFDfq9NQGZW6IgM4YaHKedFvprNTSiCQivE EMxfWpA0QQxrb32gcjgEQK03JYAB8VGUrzh6Yb/C57VAATC1DS40AajCDlsH z6dayuhok3SRiA4VIMR4cbVAJHljOr4YoafjJQNj5NwL7qC2Y5uxSRUkJJka zMJ4ieH05PxiGKrhl48vjNAaiW/nMqsim+tEzSWp/KksyfuAOeeroh2HIt8p Q6FE0QFADFjyNISlHVLzMEmQkwDSX789B7kQg6u6JsbCrswzhNvEWgn4bZjY C/h1gQJeaYMd3Bn0MJwp9g0cikJCdtdtSqYMQOsE8t2dClgGZDAg9tQDxtr0 gHTmBlndsBqJdKVXSAHudwODYAQQCSiTa+ZNgyziGCvfkcJIJfad2Fm/14O5 6xAkkCMpRUZyVufpjs7AFX6tdCC1xV03lHbHwPMCNZomb2VfvDg76vXuWOgV mW8uHRkcM6OB1ywveWk7hhhUFn+cr7M0D2OMc3XA4zgF+IWDjL4jshm2BUYO QAZdVtJ8Qx0UeTrQM2vhQak8Smg3wvK70uODYCexP9Ws1RxKByt7vX2LHhpd mUFFbhy6GtzsjvgF3GRDCiiV5LPr4YnnLHNUcLI+tsoZvl3iBpriuAj7oN/h CkVAG73e3RYNgkVj3F1nycensOT3OulstYwJX2160/4A9tx3uEET0f2ricgC 0/waXxhq4XWoGmipuUzDtmAE2UVxHPRTUX/XmIlEYsXbAyth7ge7wZ3370dk gNaWSekwueSgRQxdh+zxGmzxJgzaBijizIYPGf27o9261zyR5VpKpgbGphsn t1sMfgCCbdDvI/TULcaA0VpoiJK+tVQB9GpzQ2uj0HqEmcAo3Uj0L5qdOZqs 1lUlyJ1uRCOUU4uZ3cAuYYg4U/2bbPW7r0m7TDBaEOWx0WzkZCzwb632Sh0g c4LcLpEE/W50WWT5uBRZxFAncT14C1oW+Jo3pbrGHPZC80iymI0o3t4LgXUo lqnlkv4KZ+lSApM1ua+gk5pjdM/tAZNxE9gBhmpxXQdbZRFN1+wj4T6CkXjI WY60vExC8fTi4hTmegAUWharCL3UF2fPSCTly1XKIUgcCZ+WEgQWIiEIAscW 0IsOIKZkYCJOtEBw6WFCMSXgNQ4Kds/du64/w9xBzuplNrvDBgu8bs42ZG0e gBuQrSALDW44Atz/B22y20H6W5CgTc4YSYA4OM4lux7gV8eh69c0qdVjgRBp axnaau7BktKhBsy78FhK1Q5lxnF0vZNO3SOzuzIEZQCYdVWowmUAFKOTamOG 46ezBBilqAQC5j8AAN4ED4CGPyg2DY+WvfQH9+88gDYNGJOlB8RGAErx7ECu y0vcBjYesn+CvR45m2Gqcl4ZFrurJe7KwDxXaZkscf/FBpIc4tG5Ftq2q+/x mo1ThzQRS2wNVVupNbmtAjc9xPTOO1rbkNvOSamht46gFkHivgP5QkD+Icjn CKRD0Z4m7SZx70Ft511nOWjVa5xgD5o4IEuYBQYBuSBhApw5Rz0Nuachcisg pWD9qiNEtJHViA61oaj8iiPHEbAh+Hr6Um9MiKhwCtx/mWC0VbHIGnh56N/K z7x4GBxV1Uge08CCBXPgGHDYwA/nZqCQaoJltjHUimSp6zU103bauQlupgzv lmvKR7FgUw9CX0KLca/rdBSx1UDh7U5vrgkXOg7WYbb6Sz8geYCxODfBp4nw ahYmXNGOEzVDd7Q2OrsHLCqEmAcPG+6Hy+8NH8EG3/JiZuLtoNzUKsLlYiuN M6qUJ6UK97sCtwc/ThPadqUt2yhfahemtgk3N2E8lS+kSRANC/oUJ5HEJoZ6 DYYFIA5o/oozSUIgYMBvlqgF71Jok6SZw1M5iSzziDqJyNrxJFhDZ3NHOaFm rZwr/4wb8eYzSB8toGlbe/sYWUW07aQWsW2Kcc4IxjQzDLwCy2Fw7S0tcIv/ avK0C2fGTM01bWl54BUbhD+SwD5krbJYe8FNHJGtr3SE1c1yYS+CpSLK2M+8 sUJNeze2OEE3a2FUH/AtfWWT1gBvzgYvAjBG3gOTU5uoRtX7u6Wwmoc5DAO3 1r+bvkJLU1X0zS6RYmyBNWkTDIwnsh38beYvTy30ECI4zf/61796vo6FuJEv 2XrDDYA8BTWC+R1HU6EDpwOGlcbHbUjj2gF/akFY93VZvLWRiN9qPNbktM6f wnw3TYpgZVRi20Er9lA3q2vRR3z+eTXpzzXKOBbTs/m3jTUnzDQ237S0pAwr 1dYDNXxbWF46Mvalo2EaOiQn/q1trbdop9ZVwIsH8P/Iu8B9BUbUSvXBfyH+ 7evdZVATywTWDF/s7ezdGe48HO7sXuzuj3YejnbuBw8f/gBNdVvHshiZjuEx Grx97dYP7FMYZkWPXTXCb9/bHisrFlr+zXxru4YWqyLFTkz+srObwinL1MPt ZfHNPx7d3zzejPcrEBzQ8HOYV+1dB0b4u/y1zPDV4ZebM/lqcSCn8v7l/vPp 4ZeHX03HtbbWN2Mc7u4Pd/cIh3ujnbujuw+C3Xs/9E379/zH3y0GvIxLB06I /N4zqR1xbHA7m7OhpmNzsY7aEzUBnyxQGMtpCI6HoKWh/BLwT9BXge67BVin seSEbNdJGkd4xMJ15ow+6NAmDoB6XJ0X6GYb9E3PZpZ6p4GngGwKiCIVvIQO tigI1i6nhRzWNIz1a5OIUWCj/mjY+ZUg7XZL9EzDCBOJUpTIZl9cy3HXoKKI n9bF5BBqxKIsAHk5rI1i9kyMMjZZ7z4rwnE6wZYywAzQJkO7yUSUcZ3km1Lv M5t9qCr5+VsTptfZyg2IyAAd1FPi3UYmCd/Ys7T7bw1Ozkm2/m7bR8CPa2RF K+zSkRbT28yyKmnJbq354n/BbmO/teYsOSLa2lWVKfXJ1oNnrG061qti7Zal ia+XlDrFyjYNZ02TzmEuDtzrFI7KOs1EW8sZiK9pCGMH7eMXxKEsvYxF6zL2 da0W3woBIbcWqD7zToPfzaRw5xxwAqFPoduhluEGtyUGrg9Yx6aHd65EZYfe BtWgxwNtgHG3e/ugCm9UWtevjLvUcZdCrinE7arIUV/vb9bUkjFUkXc5cOom ksHvtGnRtNFiRUYhnaQK+SbxeVENY6pCRbVVvaYgGUnqTmOMwhOusumgR2Qs kko1rRM0528CViZkwhgwuVHkJfuJb5tAq7kCKHqvmJPFieaFuIYdOok3/v4j Z83mgqjPmuHptnhxSIuSa47rsV3aNot2gVUks7BIcqAgcGtjIj+t+HzsyKpX J7HQqSIj02vpCF3ag82I5yC8SI2p7REJI8LJQqiksnHIQdMjwWMEFJFjBZbV rJ0R3+7jMayLOUnTjSrU82SnTiiJt1NtXkHbtng5zfNgEhZuQOjlwGQH+YHt OujWygB72ewYsfGyPpIlBucYkeqMZLT25FtjagXmmLxMTzqLKaeUIhg/UXNS rYN6VKup/E3/hzpBvK723Z0BnUJpTHSkN3dzXWnxX+/QtQRwkzub3RzZoxTe gCKbBNK7ycjbrhqRxi0PMZmzWj2yCK63gNYVNt6+s7XSFexs48RZWzS7MZ/B XUVLa1G4JFBRFnl36TSkAZ1MxoNRddncFqbzPGeTne1U/xHPzTXmsVoS4ViN Yg+w2GhDk054Vkacw4QLdiHiTn3nrgNArmQjyW2bCcNWt8+EqaL1rTDwVUJA z7eKT7GJedWhWQ8dteUAE6qzViQFrrNgMiGp6ocYpUvrobtVxix4beOrFrgQ 4sdO+8u1wDyQNZo2aAW+aba3xhhFE8x3oEceSVg62Qjo7OyMdvZHOzu36H/7 tQ/G05KMyKr9g2b7htn3W6azn4bGUCjopK0O9Xi1YvtNkN2vheSmDa9rlTWU VtOk7raRalSp5rQv2DJOvUodVumcicVSurU5ZzKTBZl61zMyB87BJjAukZLs bnDTxvZ5Vp2+RCPEXAt3t3WQ8ZeuNOPdPdcmUzmOlLqeTxH+fL7UNkid+X6a K8XgswqvjjNf178JxFh5RCM5EB3zqjahmjOirb/8Ks/P8azZVbEuuA4P5dd2 Cq/eT/IDwb7TYVJAw7zY6M09LFcSxmEZNouJXCvExrlQtsuF7kuzq42XOSI+ jC9R+yibM9Lej6qRl2fHrQMWHaazSEpA1/Vp+GrOZrLiCQKo+jad5gNCgWD+ H1ldmExtRgZKTD1Rm2i0ZV6BlaxIPVZMXH/fAIVUIxvkOuMODPs54br2vqb1 J5rioo/yok8JOUdpusJCNHSa9wB3o58Awjikj0eLOXUiMa30CdxWdQ5fvBsa IRzgiQwn5EpQaRQ6AG9yLrTK7t0a6n+3RPvfLfcV/7jVe6f3+MU7zxfvGKx3 +gf6Qu8+Ygz+ess/9+W7nji/eHwqdkftHRLO4arJnA/unJ7QgZHbNpp6VfOG 5XFF82H3vz/7ev9A2Pd2dptqZkvzP26B5icA5pRz/23a/xXNfzJE1pH6KURQ 2dMfDcyHr+o3mEi8uW5zz1T3dnYEbxr/iXNgtsL+MxPBoUwliE4PDfyqiYDE zB6IGYw6OhFHUA+7rl/yiSKGbfMrkdIctb+t+U9KjO3mKGI0dYFZGm+2N/+5 RQwh0pwUurI5nno4Hz/3IfSXQOSOOPnKy6m/FCLdeMe25v8ezFwb9sfHH7Cq Px8iSWbc8cqMvV9EZuz9LjM8zT9BZuz9LjNEE5G/fZlx9apeH5HkaQ1rXkrL xWx6KTiGs9nFh1HDVupIV2Tlek6/GxFxwkMmUdSkc/CaUsYijE+wv6WzdLd3 g11s8DTHM4ROeiM+PMDMrayko00jU4ISp3v7Va7krVdYDthN8sRKkzCs7Iof h+kMg66Pz/fu3nMCsq+TeGuOZRhF5W15eTL9av78xb2d9awWzAWs4derr5fn r9Kzyf7l198cvPrm+/Fm8+Jbt+VVmZwWLzb0a3JUf82JMAZGLH0AwoOj4Nnq /PDofPLtlw8Wx7PH958GQfD15psXz+492Lyd3vkhXC9V38nu1HTaSqjAFEPo Mrs6nbhWbeKaVMubH7oj2pWmU6eczdjXxxX7JBPltnxi0/I/K6M4xmrsXQnF DZTwhx+fUoxIfPBTpxRrojNbd1WUrBaZdmoUcJ2BynXfXoWglmdAEcVlrtP0 ePvadGOrjlAEmg57e7IWMV5o667UOqAyZ/jfE8xRdj41zVVjQKy8MJfRa8Mi dbhrKQKURAZIyVSia2B1hL2p5oSnwoR5z6SBU9TJ5hbqeqySK5g118KNsGKR ho3eCKrW6XPljEkRUz0iBkx5RBHinlurP8y3sORm8VFht15A0zl9SfDieV0s hsjHu8pkYdLDODuFAASRPWgNix/SVLbMI1ksZIwIxeq2usBMNavq4GG/VX+Z 1w2JzhTgXub8pLF8LvEpKfkAOCfJGkM2duqLdSeH3aXUYnuglOuOcTUxE/Jw +MHkXFXbiPjly6af9XKLCdMoKVNL9W1tx/nqMzfLYbkqpFUhz2ce0ZdIPhMs bVHLCKe9RlXKpdityQG7nWeW5TpbTldlA3MJQ0rXT9kLasDiTVvqMMzYu/x/ ZZjd/e6vu8/upI9fH395vzy7txzv7ETp+AMNM8LLRxtmV2QrOKq9HWr4BVIO vDbd03s/fFd++erih82L7FR+lYFNt3483r94nT6K53fk/t39mWvTjbdspWsy peRm1b2x63D01hJQbdlI/eu6SU6tHiyGZESFzay26sF70M2wieEICjkc8AEY fH4GgIWb4XMktpE4/n68ujxZhvlRsllfyLfJ29d3L9fY7hkMPRJ/7KQxu4X7 5z8UMv1TP8li+Ybw+UxXkazusGh9TNi4fXGS5tHjB8V0ltd4rzLLGC0fY6du Izj8zw+21y2UZhq2bN+6qfoRzFHZfvVNKrffLVIEna7bp+Ms+SZTP0SJ6jd7 tSWjtokJZxVwDWwkyOUKRxfwMSLQ4Tpx2MSNkDiZvKmmjDm34a9gZfR3TcvY RK6uQlId2rbS1neuqa33ftfWv2vr/2xtvfe7tv5dW/+urT+EOX5F2vrsJEvu F3Esfwvaeq+prT/jalUHtTIxnVVEdModMAFn3DULONhT9GEc64LHCD75/Fv6 q1L43JrgrQJPQc9K1Fv+DY9bnT/qP2/Zjt4xCHzLSvXPPEZ1hxtteTZNZquC 8qXfcTCDqua/+zkg8iYwvrO5kdSG0gerTwBH4jv4J35KiLammn4KKVwjl/O6 hPDBs6wQfc219y32p416nfX1LehHjAr8bW5TbfF41+V9MpujZuaLKKuInVNo jeuVL8tkYeSXvZ9tassybC0Q5qTQkiCjOhcclJ3lId3sQ8PWb5IF6tCnD+f6 WqNQn2TR7Ud8RUKrVhrnsZel9hwqRXQbrzqbJLTVYA0TJRvwrdTAC848dEAp 1xj/1LjGSVAtUoKKSlqfYKkzPI8NQ5cbYYtOF3mqGqdFUZ7PZNm2p2ypoaox VbmmuH3lAAzcmu4ww2bZd+VcaJAsYO2WiPzqxkh9343uQZeDaMydb+DKcgw2 07nBMqcawWbYvHAhcK6uoGr2umZ8lslUwKKEtAfC5c4sDu3RVCVo2miDiUUe yxS7cKoxfkpHF5jOjHbOgEpxdTCLlUJJ89gW3ljMNb3MfRvaN9InazyoIzRd MBTHZjpH4F7NaGQk5dpi0ZViMkvCdJhPh3h4JoHVbnIzuN1c+O0cy5aYWzae gJrHa6uweP9YnPKJkLYg0OWK5ZtILk0dYm1LVyd6FbRXU6ZtcWP3Ju+0mIO9 eOGyznZXNeLmQ8S2tgnuWgDNpZvme8tyThkDXBgPC/hvftReBW5/6d0RHucD v09RThQBXYe1wDNqMsrVBnz7hTnEzNGCcKqz+5dcc0aSBCUSMFeGtY5RV9eJ 6Au1gAFT3BoC3iAdWastGMsFFcdtnch2DlYAgOtwUytcSKWl5WKZF2GRQDdA 6cl0o1Px22UjeGsn4dsfwmrTsB3/oLR9K7PwehqU2mYPMCb3ijdzFngfmKgf mMc2zYuQO24/xrUzhQurmU99p6HVagoLSVbwByidAd0wSzSfTKt6Pno/rKoH G8l4VUjnEiDsxmzgYZEEt1isP+oCVFQRkClMtHVKpg66h0vcO7OaB24+aPoh 77HxEf1I71uSRAI5nW5UwiionyRbJLM56QwMZlFR9XPcsnSuTDK3l/srwBIa uawCVrQu/NUL9bmOsVYe9jJ4FtWmvLEtWSHWtaqe1ZUcMZeWuup0mu9sI916 ZL/GM0hGlem9fJk2SyNbABC+dcjcZEtNThsKmW/FQs27SBTqa1w7LCjhBZNq 11VXvbVLHnpueCXVnOagmQuzXE2PcRuC+OgOUnRVIKJ2CtJfJuxusKev7PMM oKf/kV3fCe6R4Y8kUhUNPpT22kZTiKx2e6BzkVnziijlXitIw5bVHYR4fpSK UuobjhzkE2lxU4mLhkeY/fFjsqIGei88QYFcasLgXiXZgvYS0OoYYoHb9Tld eUPFKjC+O03ecI1i3EtnSxlLM7TfS5afGx1FppoIdCGPWqV8u4suw6yP4W4x Cnx2n0kTaBc6RmeiVn6ZCkoa2eqKA+gRrBESCgnezGGKT5q2pDtDJbc7Ek0O bJxTNFeAotwmk8seRv9WTsTpV0eNkmm2cGQtxwIr0RLT6/yJlgb728H40d/9 eow2Q9A6FKcFswHMequY1vfjhfV743SWmXuTHM9OYq5PhCkX8LWVs7okO9oP CqlLJ93US7UMW4Ac5RfwBdmWdSxf2Ju9QBJjnfUU9VNHexeEkC9qrk51a3hj kAVFrsxFDfGKa6GfOBNUtuZ1B1gkYD5h/p3VrZkIN6awEFGOiyb/1eDCVJtG D8rUTWmfd/Rr/A8ewjFfdLVtwzn6aoxmuR5yIcD46zqHSSyIEe/tLbBY1IDL KzEgLCYML1dGm15DvPC4W6bv7gQYTOjwneh+bV3zWEf0edrYHqVMmiwSslvY 7zwyOXdhsqgfM1ebrERFFNEQZL19gV+Q+HDuiUDHTAh4rrviG5KZeOi8YARy cIpy9hnM6wtP41DMwUQa8jlbfPKFAxmp/eqelMpwxfsewMTLZtDauYaxE2E2 Q6oL737ybl0049xTv7UCedD7P1ZGop0yiAAA --></rfc>