c/ietf-wimse-ect
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6676196ea99721144319970f5160211765be6185
ietf-wimse-ect/draft-nennemann-wimse-execution-context-00.xml
Christian Nennemann 3595b0d2e2 Add compiled draft output (XML and TXT) and .gitignore 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 06:35:57 +01:00

2800 lines
115 KiB
XML
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.31 (Ruby 3.4.5) -->
<!DOCTYPE rfc [
<!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;">
]>
<rfc ipr="trust200902" docName="draft-nennemann-wimse-execution-context-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
<front>
<title abbrev="WIMSE Execution Context">Execution Context Tokens for Distributed Agentic Workflows</title>
<author fullname="Christian Nennemann">
<organization>Independent Researcher</organization>
<address>
<email>ietf@nennemann.de</email>
</address>
</author>
<date year="2026" month="February" day="24"/>
<area>Security</area>
<keyword>execution context</keyword> <keyword>workload identity</keyword> <keyword>agentic workflows</keyword> <keyword>audit trail</keyword> <keyword>compliance</keyword> <keyword>regulated systems</keyword>
<abstract>
<?line 84?>
<t>This document defines Execution Context Tokens (ECTs), an extension
to the Workload Identity in Multi System Environments (WIMSE)
architecture for distributed agentic workflows in regulated
environments. ECTs provide cryptographic proof of task execution
order, policy enforcement decisions, and compliance state across
agent-to-agent communication. By extending WIMSE Workload Identity
Tokens with execution context claims in JSON Web Token (JWT)
format, this specification enables regulated systems to maintain
structured audit trails that support compliance verification.
ECTs use a directed acyclic graph (DAG) structure to represent task
dependencies, record policy evaluation outcomes at each decision
point, and integrate with WIMSE Workload Identity Tokens (WIT) and
Workload Proof Tokens (WPT) using the same signing model and
cryptographic primitives. A new HTTP header field,
Execution-Context, is defined for transporting ECTs alongside
existing WIMSE headers. ECTs are a technical building block that
supports, but does not by itself constitute, compliance with
regulatory frameworks.</t>
</abstract>
</front>
<middle>
<?line 105?>
<section anchor="introduction"><name>Introduction</name>
<section anchor="motivation"><name>Motivation</name>
<t>The Workload Identity in Multi System Environments (WIMSE)
framework <xref target="I-D.ietf-wimse-arch"/> provides robust workload
authentication through Workload Identity Tokens (WIT) and Workload
Proof Tokens (WPT). The WIMSE service-to-service protocol
<xref target="I-D.ietf-wimse-s2s-protocol"/> defines how workloads authenticate
each other across call chains using the Workload-Identity and
Workload-Proof-Token HTTP headers.</t>
<t>However, workload identity alone does not address execution
accountability. Knowing who performed an action does not prove
what was done, what policy was applied, or whether compliance
requirements were satisfied at each decision point.</t>
<t>Regulated environments increasingly deploy autonomous agents that
coordinate across organizational boundaries. Multiple regulatory
frameworks motivate the need for structured execution records:</t>
<t><list style="symbols">
<t>The EU Artificial Intelligence Act <xref target="EU-AI-ACT"/> Article 12
requires high-risk AI systems to be designed with capabilities
enabling automatic recording of events ("logs") while the
system is operating.</t>
<t>The U.S. FDA 21 CFR Part 11 <xref target="FDA-21CFR11"/> requires
computer-generated, timestamped audit trails that independently
record the date, time, operator identity, and actions taken
(Section 11.10(e)).</t>
<t>The Markets in Financial Instruments Directive (MiFID II)
<xref target="MIFID-II"/> requires firms to maintain records of transactions
and orders that are sufficient to enable supervisory authorities
to monitor compliance.</t>
<t>The Digital Operational Resilience Act (DORA) <xref target="DORA"/> Article 12
requires financial entities to have logging policies that record
ICT activities and anomalies.</t>
</list></t>
<t>This document defines an extension to the WIMSE architecture that
addresses the gap between workload identity and execution
accountability. WIMSE authenticates agents; this extension records
what they did, in what order, and what policy was evaluated.</t>
<t>As identified in <xref target="I-D.ni-wimse-ai-agent-identity"/>, call context
in agentic workflows must always be visible and preserved. ECTs
provide a mechanism to address this requirement with cryptographic
assurances.</t>
</section>
<section anchor="problem-statement"><name>Problem Statement</name>
<t>Three core gaps exist in current approaches to regulated agentic
systems:</t>
<t><list style="numbers" type="1">
<t>WIMSE authenticates agents but does not record what they
actually did. A WIT proves "Agent A is authorized" but not
"Agent A executed Task X, under Policy Y, producing Output Z."</t>
<t>No standard mechanism exists to record policy evaluation
outcomes at each decision point in a multi-agent workflow.</t>
<t>No mechanism exists to cryptographically link compensation and
rollback decisions to original actions.</t>
</list></t>
<t>Existing observability tools such as distributed tracing
<xref target="OPENTELEMETRY"/> provide visibility for debugging and monitoring
but do not provide cryptographic assurances. Tracing data is not
cryptographically signed, not tamper-evident, and not designed for
regulatory audit scenarios.</t>
</section>
<section anchor="scope-and-applicability"><name>Scope and Applicability</name>
<t>This document defines:</t>
<t><list style="symbols">
<t>The Execution Context Token (ECT) format (<xref target="ect-format"/>)</t>
<t>DAG structure for task dependency ordering (<xref target="dag-validation"/>)</t>
<t>Policy checkpoint recording (<xref target="policy-claims"/>)</t>
<t>Integration with the WIMSE identity framework
(<xref target="wimse-integration"/>)</t>
<t>An HTTP header for ECT transport (<xref target="http-header"/>)</t>
<t>Audit ledger interface requirements (<xref target="ledger-interface"/>)</t>
</list></t>
<t>The following are out of scope and are handled by WIMSE:</t>
<t><list style="symbols">
<t>Workload authentication and identity provisioning</t>
<t>Key distribution and management</t>
<t>Trust domain establishment and management</t>
<t>Credential lifecycle management</t>
</list></t>
</section>
<section anchor="relationship-to-regulatory-compliance"><name>Relationship to Regulatory Compliance</name>
<t>ECTs are a technical mechanism that can support compliance programs
by providing structured, cryptographically signed execution
records. ECTs do not by themselves constitute compliance with any
regulatory framework referenced in this document.</t>
<t>Compliance with each referenced regulation requires organizational
controls, policies, procedures, validation, and governance measures
beyond the scope of this specification. The regulatory references
in this document are intended to motivate the design requirements,
not to claim that implementing ECTs satisfies these regulations.</t>
<t>ECTs provide evidence of claimed execution ordering and policy
evaluation. They do not independently verify that the claimed
execution actually occurred as described, that the policy
evaluation was correct, or that the agent faithfully performed the
stated action. The trustworthiness of ECT claims depends on the
trustworthiness of the signing agent and the integrity of the
broader deployment environment.</t>
</section>
</section>
<section anchor="conventions-and-definitions"><name>Conventions and Definitions</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
<?line -18?>
<t>The following terms are used in this document:</t>
<dl>
<dt>Agent:</dt>
<dd>
<t>An autonomous workload, as defined by WIMSE
<xref target="I-D.ietf-wimse-arch"/>, that executes tasks within a workflow.</t>
</dd>
<dt>Task:</dt>
<dd>
<t>A discrete unit of agent work that consumes inputs and produces
outputs.</t>
</dd>
<dt>Directed Acyclic Graph (DAG):</dt>
<dd>
<t>A graph structure representing task dependency ordering where
edges are directed and no cycles exist.</t>
</dd>
<dt>Execution Context Token (ECT):</dt>
<dd>
<t>A JSON Web Token <xref target="RFC7519"/> defined by this specification that
records task execution details and policy evaluation outcomes.</t>
</dd>
<dt>Audit Ledger:</dt>
<dd>
<t>An append-only, immutable log of all ECTs within a workflow or
set of workflows, used for regulatory audit and compliance
verification.</t>
</dd>
<dt>Policy Checkpoint:</dt>
<dd>
<t>A point in a workflow where a policy evaluation outcome is
recorded within an ECT.</t>
</dd>
<dt>Workload Identity Token (WIT):</dt>
<dd>
<t>A WIMSE credential proving a workload's identity within a trust
domain.</t>
</dd>
<dt>Workload Proof Token (WPT):</dt>
<dd>
<t>A WIMSE proof-of-possession token used for request-level
authentication.</t>
</dd>
<dt>Trust Domain:</dt>
<dd>
<t>A WIMSE concept representing an organizational boundary with a
shared identity issuer, corresponding to a SPIFFE <xref target="SPIFFE"/>
trust domain.</t>
</dd>
<dt>Witness:</dt>
<dd>
<t>A third-party entity that observes and attests to the execution
of a task, providing additional accountability.</t>
</dd>
</dl>
</section>
<section anchor="wimse-integration"><name>WIMSE Architecture Integration</name>
<section anchor="wimse-foundation"><name>WIMSE Foundation</name>
<t>The WIMSE architecture <xref target="I-D.ietf-wimse-arch"/> defines:</t>
<t><list style="symbols">
<t>Workload Identity Tokens (WIT) that prove a workload's identity
within a trust domain ("I am Agent X in trust domain Y")</t>
<t>Workload Proof Tokens (WPT) that prove possession of the private
key associated with a WIT ("I control the key for Agent X")</t>
<t>Multi-hop authentication via the service-to-service protocol
<xref target="I-D.ietf-wimse-s2s-protocol"/></t>
</list></t>
<t>The following execution accountability needs are complementary to
the WIMSE scope and are not addressed by workload identity alone:</t>
<t><list style="symbols">
<t>Recording what agents actually do with their authenticated
identity</t>
<t>Recording policy evaluation outcomes at each hop</t>
<t>Maintaining structured execution records</t>
<t>Linking compensation or rollback actions to original tasks</t>
</list></t>
</section>
<section anchor="extension-model"><name>Extension Model</name>
<t>ECTs extend WIMSE by adding an execution accountability layer
between the identity layer and the application layer:</t>
<figure title="WIMSE Extension Architecture Layers" anchor="fig-layers"><artwork type="ascii-art"><![CDATA[
+--------------------------------------------------+
| WIMSE Layer (Identity) |
| WIT: "I am Agent X (spiffe://td/agent/x)" |
| WPT: "I prove I control the key for Agent X" |
+--------------------------------------------------+
|
v
+--------------------------------------------------+
| ECT Layer (Execution Accountability) [This Spec]|
| ECT: "Task executed, dependencies met, |
| policy evaluated, outcome recorded" |
+--------------------------------------------------+
|
v
+--------------------------------------------------+
| Ledger Layer (Immutable Record) |
| "All ECTs appended to audit ledger" |
+--------------------------------------------------+
]]></artwork></figure>
<t>This extension reuses the WIMSE signing model, extends JWT claims
using standard JWT extensibility <xref target="RFC7519"/>, and maintains WIMSE
concepts including trust domains and workload identifiers.</t>
</section>
<section anchor="integration-points"><name>Integration Points</name>
<t>An ECT integrates with the WIMSE identity framework through the
following mechanisms:</t>
<t><list style="symbols">
<t>The ECT JOSE header "kid" parameter <bcp14>MUST</bcp14> reference the public
key identifier from the agent's WIT.</t>
<t>The ECT "iss" claim <bcp14>MUST</bcp14> use the WIMSE workload identifier
format (a SPIFFE ID <xref target="SPIFFE"/>).</t>
<t>The ECT <bcp14>MUST</bcp14> be signed with the same private key used to
generate the agent's WPT.</t>
<t>The ECT signing algorithm (JOSE header "alg" parameter) <bcp14>MUST</bcp14>
match the algorithm used in the corresponding WIT.</t>
</list></t>
<t>When an agent makes an HTTP request to another agent, the three
tokens are carried in their respective HTTP header fields:</t>
<figure title="HTTP Header Stacking" anchor="fig-http-headers"><artwork type="ascii-art"><![CDATA[
HTTP Request from Agent A to Agent B:
Workload-Identity: <WIT for Agent A>
Workload-Proof-Token: <WPT proving A controls key>
Execution-Context: <ECT recording what A did>
]]></artwork></figure>
<t>The receiving agent (Agent B) verifies in order:</t>
<t><list style="numbers" type="1">
<t>WIT and WPT (WIMSE layer): Proves who Agent A is and that the
request is authentic.</t>
<t>ECT (this extension): Records what Agent A did, what policy was
evaluated, and what precedent tasks exist.</t>
<t>Ledger: Appends the verified ECT to the audit ledger.</t>
</list></t>
</section>
</section>
<section anchor="ect-format"><name>Execution Context Token Format</name>
<t>An Execution Context Token is a JSON Web Token (JWT) <xref target="RFC7519"/>
signed as a JSON Web Signature (JWS) <xref target="RFC7515"/> using the Compact
Serialization. JWS JSON Serialization <bcp14>MUST NOT</bcp14> be used for ECTs.</t>
<section anchor="jose-header"><name>JOSE Header</name>
<t>The ECT JOSE header <bcp14>MUST</bcp14> contain the following parameters:</t>
<figure title="ECT JOSE Header Example" anchor="fig-header"><sourcecode type="json"><![CDATA[
{
"alg": "ES256",
"typ": "wimse-exec+jwt",
"kid": "agent-a-key-id-123"
}
]]></sourcecode></figure>
<dl>
<dt>alg:</dt>
<dd>
<t><bcp14>REQUIRED</bcp14>. The digital signature algorithm used to sign the ECT.
<bcp14>MUST</bcp14> match the algorithm in the corresponding WIT.
Implementations <bcp14>MUST</bcp14> support ES256 <xref target="RFC7518"/>. The "alg"
value <bcp14>MUST NOT</bcp14> be "none". Symmetric algorithms (e.g., HS256,
HS384, HS512) <bcp14>MUST NOT</bcp14> be used, as ECTs require asymmetric
signatures for non-repudiation.</t>
</dd>
<dt>typ:</dt>
<dd>
<t><bcp14>REQUIRED</bcp14>. <bcp14>MUST</bcp14> be set to "wimse-exec+jwt" to distinguish ECTs
from other JWT types, consistent with the WIMSE convention for
type parameter values.</t>
</dd>
<dt>kid:</dt>
<dd>
<t><bcp14>REQUIRED</bcp14>. The key identifier referencing the public key from
the agent's WIT <xref target="RFC7517"/>. Used by verifiers to look up the
correct public key for signature verification.</t>
</dd>
</dl>
</section>
<section anchor="jwt-claims"><name>JWT Claims</name>
<t>The ECT payload contains both WIMSE-compatible standard JWT claims
and execution context claims defined by this specification.</t>
<section anchor="wimse-compatible-claims"><name>WIMSE-Compatible Claims</name>
<t>The following standard JWT claims <xref target="RFC7519"/> <bcp14>MUST</bcp14> be present in
every ECT:</t>
<dl>
<dt>iss:</dt>
<dd>
<t><bcp14>REQUIRED</bcp14>. StringOrURI. The issuer of the ECT, which <bcp14>MUST</bcp14> be
the workload's SPIFFE ID in the format
<spanx style="verb">spiffe://&lt;trust-domain&gt;/&lt;path&gt;</spanx>. This <bcp14>MUST</bcp14> match the "sub"
claim of the agent's WIT.</t>
</dd>
<dt>sub:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. StringOrURI. The subject of the ECT. When present,
<bcp14>MUST</bcp14> equal the "iss" claim.</t>
</dd>
<dt>aud:</dt>
<dd>
<t><bcp14>REQUIRED</bcp14>. StringOrURI or array of StringOrURI. The intended
recipient(s) of the ECT. Typically the next agent in the
workflow or the ledger endpoint.</t>
</dd>
<dt>iat:</dt>
<dd>
<t><bcp14>REQUIRED</bcp14>. NumericDate. The time at which the ECT was issued.
The ECT records a completed action, so the "iat" value reflects
when the record was created, not when task execution began.</t>
</dd>
<dt>exp:</dt>
<dd>
<t><bcp14>REQUIRED</bcp14>. NumericDate. The expiration time of the ECT.
Implementations <bcp14>SHOULD</bcp14> set this to 5 to 15 minutes after "iat"
to limit the replay window while allowing for reasonable clock
skew and processing time.</t>
</dd>
<dt>jti:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. String. A unique identifier for the ECT, useful for
additional replay detection.</t>
</dd>
</dl>
</section>
<section anchor="exec-claims"><name>Execution Context Claims</name>
<t>The following claims are defined by this specification:</t>
<dl>
<dt>wid:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. String. A workflow identifier that groups related
ECTs into a single workflow. When present, <bcp14>MUST</bcp14> be a UUID
<xref target="RFC9562"/>. When absent, the "tid" uniqueness requirement
applies globally across the entire ledger.</t>
</dd>
<dt>tid:</dt>
<dd>
<t><bcp14>REQUIRED</bcp14>. String. A globally unique task identifier in UUID
format <xref target="RFC9562"/>. Each task <bcp14>MUST</bcp14> have a unique "tid" value.
When "wid" is present, uniqueness is scoped to the workflow;
when "wid" is absent, uniqueness <bcp14>MUST</bcp14> be enforced globally
across the ledger.</t>
</dd>
<dt>exec_act:</dt>
<dd>
<t><bcp14>REQUIRED</bcp14>. String. The action or task type identifier describing
what the agent performed (e.g., "process_payment",
"validate_safety", "calculate_dosage"). Note: this claim is
intentionally named "exec_act" rather than "act" to avoid
collision with the "act" (Actor) claim registered by
<xref target="RFC8693"/>.</t>
</dd>
<dt>par:</dt>
<dd>
<t><bcp14>REQUIRED</bcp14>. Array of strings. Parent task identifiers
representing DAG dependencies. Each element <bcp14>MUST</bcp14> be a valid
"tid" from a previously executed task. An empty array indicates
a root task with no dependencies. A workflow <bcp14>MAY</bcp14> contain
multiple root tasks.</t>
</dd>
</dl>
</section>
<section anchor="policy-claims"><name>Policy Claims</name>
<t>The following claims record policy evaluation outcomes:</t>
<dl>
<dt>pol:</dt>
<dd>
<t><bcp14>REQUIRED</bcp14>. String. The identifier of the policy rule that was
evaluated for this task (e.g.,
"clinical_data_access_policy_v1").</t>
</dd>
<dt>pol_decision:</dt>
<dd>
<t><bcp14>REQUIRED</bcp14>. String. The result of the policy evaluation. <bcp14>MUST</bcp14>
be one of: "approved", "rejected", or "pending_human_review".</t>
</dd>
<dt>pol_enforcer:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. StringOrURI. The identity of the entity (system or
person) that evaluated the policy decision. When present,
<bcp14>SHOULD</bcp14> use SPIFFE ID format.</t>
</dd>
<dt>pol_timestamp:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. NumericDate. The time at which the policy decision
was made. When present, <bcp14>MUST</bcp14> be equal to or earlier than the
"iat" claim.</t>
</dd>
</dl>
</section>
<section anchor="data-integrity-claims"><name>Data Integrity Claims</name>
<t>The following claims provide integrity verification for task
inputs and outputs without revealing the data itself:</t>
<dl>
<dt>inp_hash:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. String. A cryptographic hash of the input data,
formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
"sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg"). The
hash algorithm identifier <bcp14>SHOULD</bcp14> be "sha-256". The hash <bcp14>MUST</bcp14> be
computed over the raw octets of the input data.</t>
</dd>
<dt>out_hash:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. String. A cryptographic hash of the output data,
using the same format as "inp_hash".</t>
</dd>
<dt>inp_classification:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. String. The data sensitivity classification of the
input (e.g., "public", "confidential", "restricted").</t>
</dd>
</dl>
</section>
<section anchor="operational-claims"><name>Operational Claims</name>
<t>The following claims provide additional operational context:</t>
<dl>
<dt>exec_time_ms:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. Integer. The execution duration of the task in
milliseconds. <bcp14>MUST</bcp14> be a non-negative integer.</t>
</dd>
<dt>regulated_domain:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. String. The regulatory domain applicable to this
task. Values are drawn from an extensible set; initial values
include "medtech", "finance", and "military".</t>
</dd>
<dt>model_version:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. String. The version identifier of the AI or ML model
used to perform the task, if applicable.</t>
</dd>
</dl>
</section>
<section anchor="witness-claims"><name>Witness Claims</name>
<dl>
<dt>witnessed_by:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. Array of StringOrURI. Identifiers of third-party
entities that observed or attested to the execution of this
task. When present, each element <bcp14>SHOULD</bcp14> use SPIFFE ID format.
In regulated environments, implementations <bcp14>SHOULD</bcp14> use witness
attestation for critical decision points to mitigate the risk
of single-agent false claims.</t>
</dd>
</dl>
</section>
<section anchor="compensation-claims"><name>Compensation Claims</name>
<dl>
<dt>compensation_required:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. Boolean. Indicates whether this task is a
compensation or rollback action for a previous task.</t>
</dd>
<dt>compensation_reason:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. String. A human-readable reason for the compensation
action. <bcp14>MUST</bcp14> be present if "compensation_required" is true.</t>
</dd>
</dl>
<t>Note: compensation ECTs reference historical parent tasks via the
"par" claim. The referenced parent ECTs may have passed their own
"exp" time; ECT expiration applies to the verification window of
the ECT itself, not to its validity as a parent reference in the
ledger.</t>
</section>
<section anchor="extension-claims"><name>Extension Claims</name>
<dl>
<dt>ext:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. Object. An extension object for domain-specific
claims not defined by this specification. Implementations
that do not understand extension claims <bcp14>SHOULD</bcp14> ignore them.
To avoid key collisions between different domains, extension
key names <bcp14>SHOULD</bcp14> use reverse domain notation (e.g.,
"com.example.custom_field").</t>
</dd>
</dl>
<t>The "ext" claim is a generic extension mechanism; it is not
registered in the IANA JWT Claims registry because its semantics
depend on the domain-specific claims within it.</t>
</section>
</section>
<section anchor="complete-ect-example"><name>Complete ECT Example</name>
<t>The following is a complete ECT payload example:</t>
<figure title="Complete ECT Payload Example" anchor="fig-full-ect"><sourcecode type="json"><![CDATA[
{
"iss": "spiffe://example.com/agent/clinical",
"sub": "spiffe://example.com/agent/clinical",
"aud": "spiffe://example.com/agent/safety",
"iat": 1772064150,
"exp": 1772064750,
"wid": "a0b1c2d3-e4f5-6789-abcd-ef0123456789",
"tid": "550e8400-e29b-41d4-a716-446655440001",
"exec_act": "recommend_treatment",
"par": [],
"pol": "clinical_reasoning_policy_v2",
"pol_decision": "approved",
"pol_enforcer": "spiffe://example.com/policy/clinical-engine",
"pol_timestamp": 1772064145,
"inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
"inp_classification": "confidential",
"exec_time_ms": 245,
"regulated_domain": "medtech",
"model_version": "clinical-reasoning-v4.2",
"witnessed_by": [
"spiffe://example.com/audit/observer-1"
]
}
]]></sourcecode></figure>
</section>
</section>
<section anchor="http-header"><name>HTTP Header Transport</name>
<section anchor="execution-context-header-field"><name>Execution-Context Header Field</name>
<t>This specification defines the Execution-Context HTTP header field
<xref target="RFC9110"/> for transporting ECTs between agents.</t>
<t>The header field value is the ECT in JWS Compact Serialization
format <xref target="RFC7515"/>. The value consists of three Base64url-encoded
parts separated by period (".") characters.</t>
<t>An agent sending a request to another agent includes the
Execution-Context header alongside the WIMSE Workload-Identity
and Workload-Proof-Token headers:</t>
<figure title="HTTP Request with ECT Header" anchor="fig-http-example"><artwork><![CDATA[
GET /api/safety-check HTTP/1.1
Host: safety-agent.example.com
Workload-Identity: eyJhbGci...WIT...
Workload-Proof-Token: eyJhbGci...WPT...
Execution-Context: eyJhbGci...ECT...
]]></artwork></figure>
<t>When multiple parent tasks contribute context to a single request,
multiple Execution-Context header field lines <bcp14>MAY</bcp14> be included, each
carrying a separate ECT in JWS Compact Serialization format.</t>
</section>
</section>
<section anchor="dag-validation"><name>DAG Validation</name>
<section anchor="overview"><name>Overview</name>
<t>ECTs form a Directed Acyclic Graph (DAG) where each task
references its parent tasks via the "par" claim. This structure
provides a cryptographically signed record of execution ordering,
enabling auditors to reconstruct the complete workflow and verify
that required predecessor tasks were recorded before dependent
tasks.</t>
</section>
<section anchor="validation-rules"><name>Validation Rules</name>
<t>When receiving and verifying an ECT, implementations <bcp14>MUST</bcp14> perform
the following DAG validation steps:</t>
<t><list style="numbers" type="1">
<t>Task ID Uniqueness: The "tid" claim <bcp14>MUST</bcp14> be unique within the
applicable scope (the workflow identified by "wid", or the
entire ledger if "wid" is absent). If a task with the same
"tid" already exists, the ECT <bcp14>MUST</bcp14> be rejected.</t>
<t>Parent Existence: Every task identifier listed in the "par"
array <bcp14>MUST</bcp14> correspond to a task that has been previously
recorded in the ledger. If any parent task is not found, the
ECT <bcp14>MUST</bcp14> be rejected.</t>
<t>Temporal Ordering: The "iat" value of every parent task <bcp14>MUST</bcp14> be
less than the "iat" value of the current task plus a
configurable clock skew tolerance (<bcp14>RECOMMENDED</bcp14>: 30 seconds).
If any parent task has an "iat" that violates this constraint,
the ECT <bcp14>MUST</bcp14> be rejected.</t>
<t>Acyclicity: Following the chain of parent references <bcp14>MUST NOT</bcp14>
lead back to the current task's "tid". If a cycle is detected,
the ECT <bcp14>MUST</bcp14> be rejected.</t>
<t>Trust Domain Consistency: Parent tasks <bcp14>SHOULD</bcp14> belong to the
same trust domain or to a trust domain with which a federation
relationship has been established.</t>
</list></t>
</section>
<section anchor="dag-validation-algorithm"><name>DAG Validation Algorithm</name>
<t>The following pseudocode describes the DAG validation procedure:</t>
<figure title="DAG Validation Pseudocode" anchor="fig-dag-validation"><sourcecode type="pseudocode"><![CDATA[
function validate_dag(ect, ledger, clock_skew_tolerance):
// Step 1: Uniqueness check
if ledger.contains(ect.tid, ect.wid):
return error("Task ID already exists in ledger")
// Step 2: Parent existence and temporal ordering
for parent_id in ect.par:
parent = ledger.get(parent_id)
if parent is null:
return error("Parent task not found: " + parent_id)
if parent.iat >= ect.iat + clock_skew_tolerance:
return error("Parent task not earlier than current")
// Step 3: Cycle detection
visited = set()
if has_cycle(ect.tid, ect.par, ledger, visited):
return error("Circular dependency detected")
return success
function has_cycle(target_tid, parent_ids, ledger, visited):
for parent_id in parent_ids:
if parent_id == target_tid:
return true
if parent_id in visited:
continue
visited.add(parent_id)
parent = ledger.get(parent_id)
if parent is not null:
if has_cycle(target_tid, parent.par, ledger, visited):
return true
return false
]]></sourcecode></figure>
<t>The cycle detection traverses the ancestor graph rooted at the
current task's parents. The complexity is O(V) where V is the
number of ancestor nodes reachable from the current task's parent
references. For typical workflows with shallow DAGs, this is
efficient. Implementations <bcp14>SHOULD</bcp14> cache cycle detection results
for previously verified tasks to avoid redundant traversals.</t>
</section>
</section>
<section anchor="verification"><name>Signature and Token Verification</name>
<section anchor="verification-procedure"><name>Verification Procedure</name>
<t>When an agent receives an ECT, it <bcp14>MUST</bcp14> perform the following
verification steps in order:</t>
<t><list style="numbers" type="1">
<t>Parse the JWS Compact Serialization to extract the JOSE header,
payload, and signature components per <xref target="RFC7515"/>.</t>
<t>Verify that the "typ" header parameter is "wimse-exec+jwt".</t>
<t>Verify that the "alg" header parameter is not "none" and is
not a symmetric algorithm.</t>
<t>Verify the "kid" header parameter references a known, valid
public key from a WIT within the trust domain.</t>
<t>Retrieve the public key identified by "kid" and verify the JWS
signature per <xref target="RFC7515"/> Section 5.2.</t>
<t>Verify the "alg" header parameter matches the algorithm in the
corresponding WIT.</t>
<t>Verify the "iss" claim matches the "sub" claim of the WIT
associated with the "kid" public key.</t>
<t>Verify the "aud" claim contains the verifier's own workload
identity or an expected recipient identifier.</t>
<t>Verify the "exp" claim indicates the ECT has not expired.</t>
<t>Verify the "iat" claim is not unreasonably far in the past
(implementation-specific threshold, <bcp14>RECOMMENDED</bcp14> maximum of
15 minutes).</t>
<t>Verify all required claims ("tid", "exec_act", "par", "pol",
"pol_decision") are present and well-formed.</t>
<t>Verify "pol_decision" is one of "approved", "rejected", or
"pending_human_review".</t>
<t>Perform DAG validation per <xref target="dag-validation"/>.</t>
<t>If all checks pass, the ECT <bcp14>MUST</bcp14> be appended to the audit
ledger.</t>
</list></t>
<t>If any verification step fails, the ECT <bcp14>MUST</bcp14> be rejected and the
failure <bcp14>MUST</bcp14> be logged for audit purposes. Error messages
<bcp14>SHOULD NOT</bcp14> reveal whether specific parent task IDs exist in the
ledger, to prevent information disclosure.</t>
</section>
<section anchor="verification-pseudocode"><name>Verification Pseudocode</name>
<figure title="ECT Verification Pseudocode" anchor="fig-verification"><sourcecode type="pseudocode"><![CDATA[
function verify_ect(ect_jws, verifier_id,
trust_domain_keys, ledger):
// Parse JWS
(header, payload, signature) = parse_jws(ect_jws)
// Verify header
if header.typ != "wimse-exec+jwt":
return reject("Invalid typ parameter")
if header.alg == "none" or is_symmetric(header.alg):
return reject("Prohibited algorithm")
// Look up public key
public_key = trust_domain_keys.get(header.kid)
if public_key is null:
return reject("Unknown key identifier")
// Verify signature
if not verify_jws_signature(header, payload,
signature, public_key):
return reject("Invalid signature")
// Verify algorithm alignment
wit = get_wit_for_key(header.kid)
if header.alg != wit.alg:
return reject("Algorithm mismatch with WIT")
// Verify issuer matches WIT subject
if payload.iss != wit.sub:
return reject("Issuer does not match WIT subject")
// Verify audience
if verifier_id not in payload.aud:
return reject("ECT not intended for this recipient")
// Verify not expired
if payload.exp < current_time():
return reject("ECT has expired")
// Verify iat freshness
if payload.iat < current_time() - max_age_threshold:
return reject("ECT issued too long ago")
// Verify required claims
for claim in ["tid", "exec_act", "par",
"pol", "pol_decision"]:
if claim not in payload:
return reject("Missing required claim: " + claim)
// Validate pol_decision value
if payload.pol_decision not in
["approved", "rejected", "pending_human_review"]:
return reject("Invalid pol_decision value")
// Validate DAG
result = validate_dag(payload, ledger,
clock_skew_tolerance)
if result is error:
return reject("DAG validation failed")
// All checks passed; append to ledger
ledger.append(payload)
return accept
]]></sourcecode></figure>
</section>
</section>
<section anchor="ledger-interface"><name>Audit Ledger Interface</name>
<section anchor="overview-1"><name>Overview</name>
<t>ECTs are designed to be recorded in an immutable audit ledger for
compliance verification and post-hoc analysis. This specification
defines the logical interface for the ledger but does not mandate
a specific storage technology. Implementations <bcp14>MAY</bcp14> use
append-only logs, databases with cryptographic commitment schemes,
distributed ledgers, or any storage mechanism that provides the
required properties.</t>
</section>
<section anchor="required-properties"><name>Required Properties</name>
<t>An audit ledger implementation <bcp14>MUST</bcp14> provide:</t>
<t><list style="numbers" type="1">
<t>Append-only semantics: Once an ECT is recorded, it <bcp14>MUST NOT</bcp14> be
modified or deleted.</t>
<t>Ordering: The ledger <bcp14>MUST</bcp14> maintain a total ordering of ECT
entries via a monotonically increasing sequence number.</t>
<t>Lookup by task ID: The ledger <bcp14>MUST</bcp14> support efficient retrieval
of ECT entries by "tid" value.</t>
<t>Integrity verification: The ledger <bcp14>SHOULD</bcp14> provide a mechanism
to verify that no entries have been tampered with (e.g.,
hash chains or Merkle trees).</t>
</list></t>
<t>The ledger <bcp14>SHOULD</bcp14> be maintained by an entity independent of the
workflow agents to reduce the risk of collusion.</t>
</section>
<section anchor="ledger-entry-structure"><name>Ledger Entry Structure</name>
<t>Each ledger entry is a logical record containing:</t>
<figure title="Ledger Entry Example" anchor="fig-ledger-entry"><sourcecode type="json"><![CDATA[
{
"ledger_sequence": 42,
"task_id": "550e8400-e29b-41d4-a716-446655440001",
"agent_id": "spiffe://example.com/agent/clinical",
"action": "recommend_treatment",
"parents": [],
"ect_jws": "eyJhbGciOiJFUzI1NiIs...<complete JWS>",
"signature_verified": true,
"verification_timestamp": "2026-02-24T15:42:31.000Z",
"stored_timestamp": "2026-02-24T15:42:31.050Z"
}
]]></sourcecode></figure>
<t>The "ect_jws" field contains the full JWS Compact Serialization
and is the authoritative record. The other fields ("agent_id",
"action", "parents") are convenience indexes derived from the
ECT payload; if they disagree with the JWS payload, the JWS
payload takes precedence.</t>
</section>
</section>
<section anchor="use-cases"><name>Use Cases</name>
<t>This section describes representative use cases demonstrating how
ECTs provide execution records in regulated environments. These
examples demonstrate ECT mechanics; production deployments would
include additional domain-specific requirements beyond the scope
of this specification.</t>
<t>Note: task identifiers in this section are abbreviated for
readability. In production, all "tid" values <bcp14>MUST</bcp14> be UUIDs per
<xref target="RFC9562"/>.</t>
<section anchor="medical-device-sdlc-workflow"><name>Medical Device SDLC Workflow</name>
<t>In a medical device software development lifecycle (SDLC),
AI agents assist across multiple phases from requirements
analysis through release approval. Regulatory frameworks
including <xref target="FDA-21CFR11"/> Section 11.10(e) and <xref target="EU-MDR"/> require
audit trails documenting the complete development process for
software used in medical devices.</t>
<figure title="Medical Device SDLC Workflow" anchor="fig-medtech-sdlc"><artwork><![CDATA[
Agent A (Spec Reviewer):
tid: task-001 par: []
exec_act: review_requirements_spec
pol: spec_review_policy_v2 pol_decision: approved
Agent B (Code Generator):
tid: task-002 par: [task-001]
exec_act: implement_module
pol: coding_standards_v3 pol_decision: approved
Agent C (Test Agent):
tid: task-003 par: [task-002]
exec_act: execute_test_suite
pol: test_coverage_policy_v1 pol_decision: approved
Agent D (Build Agent):
tid: task-004 par: [task-003]
exec_act: build_release_artifact
pol: build_validation_v2 pol_decision: approved
Human Release Manager:
tid: task-005 par: [task-004]
exec_act: approve_release
pol: release_approval_policy pol_decision: approved
pol_enforcer: spiffe://meddev.example/human/release-mgr-42
witnessed_by: [spiffe://meddev.example/audit/qa-observer-1]
]]></artwork></figure>
<t>ECTs record that requirements were reviewed before implementation
began, that tests were executed against the implemented code, that
the build artifact was validated, and that a human release manager
explicitly approved the release. The DAG structure ensures no
phase was skipped or reordered.</t>
<section anchor="fda-audit-with-dag-reconstruction"><name>FDA Audit with DAG Reconstruction</name>
<t>During a regulatory audit, an FDA reviewer requests evidence of
the development process for a specific software release. The
auditing authority retrieves all ECTs sharing the same workflow
identifier ("wid") from the audit ledger and reconstructs the
complete DAG:</t>
<figure title="Reconstructed DAG for FDA Audit" anchor="fig-fda-audit"><artwork><![CDATA[
task-001 (review_requirements_spec)
|
v
task-002 (implement_module)
|
v
task-003 (execute_test_suite)
|
v
task-004 (build_release_artifact)
|
v
task-005 (approve_release) [human, witnessed]
]]></artwork></figure>
<t>The reconstructed DAG provides cryptographic evidence that:</t>
<t><list style="symbols">
<t>Each phase was executed by an identified and authenticated agent.</t>
<t>Policy checkpoints were evaluated at every phase transition.</t>
<t>The execution sequence was maintained (no step was bypassed).</t>
<t>A human-in-the-loop approved the final release, with independent
witness attestation.</t>
<t>Timestamps and execution durations are recorded for each step.</t>
</list></t>
<t>This can contribute to compliance with:</t>
<t><list style="symbols">
<t><xref target="FDA-21CFR11"/> Section 11.10(e): Computer-generated audit trails
that record the date, time, and identity of the operator.</t>
<t><xref target="EU-MDR"/> Annex II: Technical documentation traceability for the
software development lifecycle.</t>
<t><xref target="EU-AI-ACT"/> Article 12: Automatic logging capabilities for
high-risk AI systems involved in the development process.</t>
<t><xref target="EU-AI-ACT"/> Article 14: ECTs can record evidence that human
oversight events occurred during the release process.</t>
</list></t>
</section>
</section>
<section anchor="financial-trading-workflow"><name>Financial Trading Workflow</name>
<t>In a financial trading workflow, agents perform risk assessment,
compliance verification, and trade execution. The DAG structure
records that compliance checks were evaluated before trade
execution.</t>
<figure title="Financial Trading Workflow" anchor="fig-finance"><artwork><![CDATA[
Agent A (Risk Assessment):
tid: task-001 par: []
exec_act: calculate_risk_exposure
pol: risk_limits_policy_v2 pol_decision: approved
Agent B (Compliance):
tid: task-002 par: [task-001]
exec_act: verify_compliance
pol: compliance_check_v1 pol_decision: approved
Agent C (Execution):
tid: task-003 par: [task-002]
exec_act: execute_trade
pol: execution_policy_v3 pol_decision: approved
]]></artwork></figure>
<t>This can contribute to compliance with:</t>
<t><list style="symbols">
<t><xref target="MIFID-II"/>: ECTs provide cryptographic records of the execution
sequence that can support transaction audit requirements.</t>
<t><xref target="DORA"/> Article 12: ECTs contribute to ICT activity logging.</t>
<t><xref target="EU-AI-ACT"/> Article 12: Logging of decisions made by AI-driven
systems.</t>
</list></t>
</section>
<section anchor="compensation-and-rollback"><name>Compensation and Rollback</name>
<t>When a compliance violation is discovered after execution, ECTs
provide a mechanism to record authorized compensation actions with
a cryptographic link to the original task:</t>
<figure title="Compensation ECT Example" anchor="fig-compensation"><sourcecode type="json"><![CDATA[
{
"iss": "spiffe://bank.com/agent/operations",
"sub": "spiffe://bank.com/agent/operations",
"aud": "spiffe://bank.com/system/ledger",
"iat": 1772150550,
"exp": 1772151150,
"wid": "d3e4f5a6-b7c8-9012-def0-123456789012",
"tid": "550e8400-e29b-41d4-a716-446655440099",
"exec_act": "initiate_trade_rollback",
"par": ["550e8400-e29b-41d4-a716-446655440003"],
"pol": "compensation_policy_v1",
"pol_decision": "approved",
"pol_enforcer": "spiffe://bank.com/human/compliance-officer",
"compensation_required": true,
"compensation_reason": "policy_violation_in_parent_trade"
}
]]></sourcecode></figure>
<t>The "par" claim links the compensation action to the original
trade, creating an auditable chain from execution through
violation discovery to remediation.</t>
</section>
<section anchor="autonomous-logistics-coordination"><name>Autonomous Logistics Coordination</name>
<t>In a logistics workflow, multiple compliance checks must complete
before shipment commitment. The DAG structure records that all
required checks were completed:</t>
<figure title="Logistics Workflow with Parallel Tasks" anchor="fig-logistics"><artwork><![CDATA[
Agent A (Route Planning):
tid: task-001 par: []
exec_act: plan_route
pol: route_policy_v1 pol_decision: approved
Agent B (Customs):
tid: task-002 par: [task-001]
exec_act: validate_customs
pol: customs_policy_v2 pol_decision: approved
Agent C (Safety):
tid: task-003 par: [task-001]
exec_act: verify_cargo_safety
pol: safety_policy_v1 pol_decision: approved
Agent D (Payment):
tid: task-004 par: [task-002, task-003]
exec_act: authorize_payment
pol: payment_policy_v3 pol_decision: approved
System (Commitment):
tid: task-005 par: [task-004]
exec_act: commit_shipment
pol: commitment_policy_v1 pol_decision: approved
]]></artwork></figure>
<t>Note that tasks 002 and 003 both depend only on task-001 and can
execute in parallel. Task 004 depends on both, demonstrating the
DAG's ability to represent parallel execution with a join point.</t>
</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>
<t>This section addresses security considerations following the
guidance in <xref target="RFC3552"/>.</t>
<section anchor="threat-model"><name>Threat Model</name>
<t>The following threat actors are considered:</t>
<t><list style="symbols">
<t>Malicious agent (insider threat): An agent within the trust
domain that intentionally creates false ECT claims.</t>
<t>Compromised agent (external attacker): An agent whose private
key has been obtained by an external attacker.</t>
<t>Ledger tamperer: An entity attempting to modify or delete ledger
entries after they have been recorded.</t>
<t>Time manipulator: An entity attempting to manipulate timestamps
to alter perceived execution ordering.</t>
</list></t>
</section>
<section anchor="self-assertion-limitation"><name>Self-Assertion Limitation</name>
<t>ECTs are self-asserted by the executing agent. The agent claims
what it did, and this claim is signed with its private key. A
compromised or malicious agent could create ECTs with false claims
(e.g., setting "pol_decision" to "approved" without actually
evaluating the policy).</t>
<t>ECTs do not independently verify that:</t>
<t><list style="symbols">
<t>The claimed execution actually occurred as described</t>
<t>The policy evaluation was correctly performed</t>
<t>The input/output hashes correspond to the actual data processed</t>
<t>The agent faithfully performed the stated action</t>
</list></t>
<t>The trustworthiness of ECT claims depends on the trustworthiness
of the signing agent. To mitigate single-agent false claims,
regulated environments <bcp14>SHOULD</bcp14> use the "witnessed_by" mechanism
to include independent third-party observers at critical decision
points.</t>
</section>
<section anchor="organizational-prerequisites"><name>Organizational Prerequisites</name>
<t>ECTs operate within a broader trust framework. The guarantees
provided by ECTs are only meaningful when the following
organizational controls are in place:</t>
<t><list style="symbols">
<t>Key management governance: Controls over who provisions agent
keys and how keys are protected.</t>
<t>Ledger integrity governance: The ledger is maintained by an
entity independent of the workflow agents.</t>
<t>Policy lifecycle management: Policy identifiers in ECTs map to
actual, validated policy rules.</t>
<t>Agent deployment governance: Agents are deployed and maintained
in a manner that preserves their integrity.</t>
</list></t>
</section>
<section anchor="signature-verification"><name>Signature Verification</name>
<t>ECTs <bcp14>MUST</bcp14> be signed with the agent's private key using JWS
<xref target="RFC7515"/>. The signature algorithm <bcp14>MUST</bcp14> match the algorithm
specified in the agent's WIT. Receivers <bcp14>MUST</bcp14> verify the ECT
signature against the WIT public key before processing any
claims. Receivers <bcp14>MUST</bcp14> verify that the signing key has not been
revoked within the trust domain.</t>
<t>If signature verification fails, the ECT <bcp14>MUST</bcp14> be rejected entirely
and the failure <bcp14>MUST</bcp14> be logged.</t>
<t>Implementations <bcp14>MUST</bcp14> use established JWS libraries and <bcp14>MUST NOT</bcp14>
implement custom signature verification.</t>
</section>
<section anchor="replay-attack-prevention"><name>Replay Attack Prevention</name>
<t>ECTs include short expiration times (<bcp14>RECOMMENDED</bcp14>: 5-15 minutes) to
limit the window for replay attacks. The "aud" claim restricts
replay to unintended recipients: an ECT intended for Agent B
will be rejected by Agent C. The "iat" claim enables receivers to
reject ECTs that are too old, even if not yet expired.</t>
<t>The DAG structure provides additional replay protection: an ECT
referencing parent tasks that already have a recorded child task
with the same action can be flagged as a potential replay.</t>
<t>Implementations <bcp14>SHOULD</bcp14> maintain a cache of recently-seen "jti"
values (when present) to detect replayed ECTs within the
expiration window.</t>
</section>
<section anchor="man-in-the-middle-protection"><name>Man-in-the-Middle Protection</name>
<t>ECTs do not replace transport-layer security. ECTs <bcp14>MUST</bcp14> be
transmitted over TLS or mTLS connections. When used with the WIMSE
service-to-service protocol <xref target="I-D.ietf-wimse-s2s-protocol"/>,
transport security is already established. HTTP Message Signatures
<xref target="RFC9421"/> provide an alternative channel binding mechanism.</t>
<t>The defense-in-depth model provides:</t>
<t><list style="symbols">
<t>TLS/mTLS (transport layer): Prevents network-level tampering.</t>
<t>WIT/WPT (WIMSE identity layer): Proves agent identity and
request authorization.</t>
<t>ECT (execution accountability layer): Records what the agent did
and under what policy.</t>
</list></t>
</section>
<section anchor="key-compromise"><name>Key Compromise</name>
<t>If an agent's private key is compromised, an attacker can forge
ECTs that appear to originate from that agent. To mitigate this
risk:</t>
<t><list style="symbols">
<t>Implementations <bcp14>SHOULD</bcp14> use short-lived keys and rotate them
frequently (hours to days, not months).</t>
<t>Private keys <bcp14>SHOULD</bcp14> be stored in Hardware Security Modules (HSMs)
or equivalent secure key storage.</t>
<t>Trust domains <bcp14>MUST</bcp14> support rapid key revocation.</t>
<t>Upon suspected compromise, the trust domain <bcp14>MUST</bcp14> revoke the
compromised key and issue a new WIT with a fresh key pair.</t>
</list></t>
<t>ECTs signed with a compromised key that were recorded in the
ledger before revocation remain valid historical records but <bcp14>SHOULD</bcp14>
be flagged in the ledger as "signed with subsequently revoked key"
for audit purposes.</t>
</section>
<section anchor="collusion-and-false-claims"><name>Collusion and False Claims</name>
<t>A single malicious agent cannot forge parent task references
because DAG validation requires parent tasks to exist in the
ledger. However, multiple colluding agents could potentially
create a false execution history if they control the ledger.</t>
<t>Mitigations include:</t>
<t><list style="symbols">
<t>Independent ledger maintenance: The ledger <bcp14>SHOULD</bcp14> be maintained
by an entity independent of the workflow agents.</t>
<t>Witness attestation: Using the "witnessed_by" claim to include
independent third-party observers.</t>
<t>Cross-verification: Multiple independent ledger replicas can be
compared for consistency.</t>
<t>Out-of-band audit: External auditors periodically verify ledger
contents against expected workflow patterns.</t>
</list></t>
</section>
<section anchor="denial-of-service"><name>Denial of Service</name>
<t>ECT signature verification is computationally inexpensive
(approximately 1ms per ECT on modern hardware for ES256). DAG
validation complexity is O(V) where V is the number of ancestor
nodes reachable from the parent references; for typical shallow
DAGs this is efficient.</t>
<t>Implementations <bcp14>SHOULD</bcp14> apply rate limiting at the API layer to
prevent excessive ECT submissions. DAG validation <bcp14>SHOULD</bcp14> be
performed after signature verification to avoid wasting resources
on unsigned or incorrectly signed tokens.</t>
</section>
<section anchor="timestamp-accuracy"><name>Timestamp Accuracy</name>
<t>ECTs rely on timestamps ("iat", "exp") for temporal ordering.
Clock skew between agents can lead to incorrect ordering
judgments. Implementations <bcp14>SHOULD</bcp14> use synchronized time sources
(e.g., NTP) and <bcp14>SHOULD</bcp14> allow a configurable clock skew tolerance
(<bcp14>RECOMMENDED</bcp14>: 30 seconds).</t>
<t>The temporal ordering check in DAG validation incorporates the
clock skew tolerance to account for minor clock differences
between agents.</t>
</section>
<section anchor="ect-size-constraints"><name>ECT Size Constraints</name>
<t>ECTs with many parent tasks or large extension objects can
increase HTTP header size. Implementations <bcp14>SHOULD</bcp14> limit the "par"
array to a reasonable size and <bcp14>SHOULD</bcp14> set maximum size limits for
the "ext" object to prevent abuse.</t>
</section>
</section>
<section anchor="privacy-considerations"><name>Privacy Considerations</name>
<section anchor="data-exposure-in-ects"><name>Data Exposure in ECTs</name>
<t>ECTs necessarily reveal:</t>
<t><list style="symbols">
<t>Agent identities ("iss", "aud") for accountability purposes</t>
<t>Action descriptions ("exec_act") for audit trail completeness</t>
<t>Policy evaluation outcomes ("pol", "pol_decision") for
compliance verification</t>
<t>Timestamps ("iat", "exp") for temporal ordering</t>
</list></t>
<t>ECTs are designed to NOT reveal:</t>
<t><list style="symbols">
<t>Actual input or output data values (replaced with cryptographic
hashes via "inp_hash" and "out_hash")</t>
<t>Internal computation details or intermediate steps</t>
<t>Proprietary algorithms or intellectual property</t>
<t>Personally identifiable information (PII)</t>
</list></t>
</section>
<section anchor="data-minimization"><name>Data Minimization</name>
<t>Implementations <bcp14>SHOULD</bcp14> minimize the information included in ECTs.
The "exec_act" claim <bcp14>SHOULD</bcp14> use structured identifiers (e.g.,
"process_payment") rather than natural language descriptions.
The "pol" claim <bcp14>SHOULD</bcp14> reference policy identifiers rather than
embedding policy content.</t>
</section>
<section anchor="storage-and-access-control"><name>Storage and Access Control</name>
<t>ECTs stored in audit ledgers <bcp14>SHOULD</bcp14> be access-controlled so that
only authorized auditors and regulators can read them.
Implementations <bcp14>SHOULD</bcp14> consider encryption at rest for ledger
storage containing sensitive regulatory data.</t>
<t>Full input and output data (corresponding to the hashes in ECTs)
<bcp14>SHOULD</bcp14> be stored separately from the ledger with additional access
controls, since auditors may need to verify hash correctness but
general access to the data values is not needed.</t>
</section>
<section anchor="regulatory-access"><name>Regulatory Access</name>
<t>ECTs are designed for interpretation by qualified human auditors
and regulators. ECTs provide structural records of execution
ordering and policy evaluation; they are not intended for public
disclosure.</t>
</section>
</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>
<section anchor="media-type-registration"><name>Media Type Registration</name>
<t>This document requests registration of the following media type
in the "Media Types" registry maintained by IANA:</t>
<dl>
<dt>Type name:</dt>
<dd>
<t>application</t>
</dd>
<dt>Subtype name:</dt>
<dd>
<t>wimse-exec+jwt</t>
</dd>
<dt>Required parameters:</dt>
<dd>
<t>none</t>
</dd>
<dt>Optional parameters:</dt>
<dd>
<t>none</t>
</dd>
<dt>Encoding considerations:</dt>
<dd>
<t>8bit; an ECT is a JWT that is a JWS using the Compact
Serialization, which is a sequence of Base64url-encoded values
separated by period characters.</t>
</dd>
<dt>Security considerations:</dt>
<dd>
<t>See the Security Considerations section of this document.</t>
</dd>
<dt>Interoperability considerations:</dt>
<dd>
<t>none</t>
</dd>
<dt>Published specification:</dt>
<dd>
<t>This document</t>
</dd>
<dt>Applications that use this media type:</dt>
<dd>
<t>Applications that implement regulated agentic workflows requiring
execution context tracing and audit trails.</t>
</dd>
<dt>Additional information:</dt>
<dd>
<t>Magic number(s): none
File extension(s): none
Macintosh file type code(s): none</t>
</dd>
<dt>Person and email address to contact for further information:</dt>
<dd>
<t>Christian Nennemann, ietf@nennemann.de</t>
</dd>
<dt>Intended usage:</dt>
<dd>
<t>COMMON</t>
</dd>
<dt>Restrictions on usage:</dt>
<dd>
<t>none</t>
</dd>
<dt>Author:</dt>
<dd>
<t>Christian Nennemann</t>
</dd>
<dt>Change controller:</dt>
<dd>
<t>IETF</t>
</dd>
</dl>
</section>
<section anchor="header-registration"><name>HTTP Header Field Registration</name>
<t>This document requests registration of the following header field
in the "Hypertext Transfer Protocol (HTTP) Field Name Registry"
maintained by IANA:</t>
<dl>
<dt>Field name:</dt>
<dd>
<t>Execution-Context</t>
</dd>
<dt>Status:</dt>
<dd>
<t>permanent</t>
</dd>
<dt>Specification document:</dt>
<dd>
<t>This document, <xref target="http-header"/></t>
</dd>
</dl>
</section>
<section anchor="claims-registration"><name>JWT Claims Registration</name>
<t>This document requests registration of the following claims in
the "JSON Web Token Claims" registry maintained by IANA:</t>
<texttable title="JWT Claims Registrations" anchor="_table-claims">
<ttcol align='center'>Claim Name</ttcol>
<ttcol align='left'>Claim Description</ttcol>
<ttcol align='center'>Change Controller</ttcol>
<ttcol align='center'>Reference</ttcol>
<c>wid</c>
<c>Workflow Identifier</c>
<c>IETF</c>
<c><xref target="exec-claims"/></c>
<c>tid</c>
<c>Task Identifier</c>
<c>IETF</c>
<c><xref target="exec-claims"/></c>
<c>exec_act</c>
<c>Action/Task Type</c>
<c>IETF</c>
<c><xref target="exec-claims"/></c>
<c>par</c>
<c>Parent Task Identifiers</c>
<c>IETF</c>
<c><xref target="exec-claims"/></c>
<c>pol</c>
<c>Policy Rule Identifier</c>
<c>IETF</c>
<c><xref target="policy-claims"/></c>
<c>pol_decision</c>
<c>Policy Decision Result</c>
<c>IETF</c>
<c><xref target="policy-claims"/></c>
<c>pol_enforcer</c>
<c>Policy Enforcer Identity</c>
<c>IETF</c>
<c><xref target="policy-claims"/></c>
<c>pol_timestamp</c>
<c>Policy Decision Timestamp</c>
<c>IETF</c>
<c><xref target="policy-claims"/></c>
<c>inp_hash</c>
<c>Input Data Hash</c>
<c>IETF</c>
<c><xref target="data-integrity-claims"/></c>
<c>out_hash</c>
<c>Output Data Hash</c>
<c>IETF</c>
<c><xref target="data-integrity-claims"/></c>
<c>inp_classification</c>
<c>Input Data Classification</c>
<c>IETF</c>
<c><xref target="data-integrity-claims"/></c>
<c>exec_time_ms</c>
<c>Execution Time (ms)</c>
<c>IETF</c>
<c><xref target="operational-claims"/></c>
<c>witnessed_by</c>
<c>Witness Identities</c>
<c>IETF</c>
<c><xref target="witness-claims"/></c>
<c>regulated_domain</c>
<c>Regulatory Domain</c>
<c>IETF</c>
<c><xref target="operational-claims"/></c>
<c>model_version</c>
<c>AI/ML Model Version</c>
<c>IETF</c>
<c><xref target="operational-claims"/></c>
<c>compensation_required</c>
<c>Compensation Flag</c>
<c>IETF</c>
<c><xref target="compensation-claims"/></c>
<c>compensation_reason</c>
<c>Compensation Reason</c>
<c>IETF</c>
<c><xref target="compensation-claims"/></c>
</texttable>
</section>
</section>
</middle>
<back>
<references title='References' anchor="sec-combined-references">
<references title='Normative References' anchor="sec-normative-references">
<reference anchor="RFC2119">
<front>
<title>Key words for use in RFCs to Indicate Requirement Levels</title>
<author fullname="S. Bradner" initials="S." surname="Bradner"/>
<date month="March" year="1997"/>
<abstract>
<t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
<author fullname="B. Leiba" initials="B." surname="Leiba"/>
<date month="May" year="2017"/>
<abstract>
<t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
<reference anchor="RFC3339">
<front>
<title>Date and Time on the Internet: Timestamps</title>
<author fullname="G. Klyne" initials="G." surname="Klyne"/>
<author fullname="C. Newman" initials="C." surname="Newman"/>
<date month="July" year="2002"/>
<abstract>
<t>This document defines a date and time format for use in Internet protocols that is a profile of the ISO 8601 standard for representation of dates and times using the Gregorian calendar.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3339"/>
<seriesInfo name="DOI" value="10.17487/RFC3339"/>
</reference>
<reference anchor="RFC7515">
<front>
<title>JSON Web Signature (JWS)</title>
<author fullname="M. Jones" initials="M." surname="Jones"/>
<author fullname="J. Bradley" initials="J." surname="Bradley"/>
<author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
<date month="May" year="2015"/>
<abstract>
<t>JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7515"/>
<seriesInfo name="DOI" value="10.17487/RFC7515"/>
</reference>
<reference anchor="RFC7519">
<front>
<title>JSON Web Token (JWT)</title>
<author fullname="M. Jones" initials="M." surname="Jones"/>
<author fullname="J. Bradley" initials="J." surname="Bradley"/>
<author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
<date month="May" year="2015"/>
<abstract>
<t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7519"/>
<seriesInfo name="DOI" value="10.17487/RFC7519"/>
</reference>
<reference anchor="RFC7518">
<front>
<title>JSON Web Algorithms (JWA)</title>
<author fullname="M. Jones" initials="M." surname="Jones"/>
<date month="May" year="2015"/>
<abstract>
<t>This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7518"/>
<seriesInfo name="DOI" value="10.17487/RFC7518"/>
</reference>
<reference anchor="RFC9562">
<front>
<title>Universally Unique IDentifiers (UUIDs)</title>
<author fullname="K. Davis" initials="K." surname="Davis"/>
<author fullname="B. Peabody" initials="B." surname="Peabody"/>
<author fullname="P. Leach" initials="P." surname="Leach"/>
<date month="May" year="2024"/>
<abstract>
<t>This specification defines UUIDs (Universally Unique IDentifiers) --
also known as GUIDs (Globally Unique IDentifiers) -- and a Uniform
Resource Name namespace for UUIDs. A UUID is 128 bits long and is
intended to guarantee uniqueness across space and time. UUIDs were
originally used in the Apollo Network Computing System (NCS), later
in the Open Software Foundation's (OSF's) Distributed Computing
Environment (DCE), and then in Microsoft Windows platforms.</t>
<t>This specification is derived from the OSF DCE specification with the
kind permission of the OSF (now known as "The Open Group"). Information from earlier versions of the OSF DCE specification have
been incorporated into this document. This document obsoletes RFC
4122.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9562"/>
<seriesInfo name="DOI" value="10.17487/RFC9562"/>
</reference>
<reference anchor="RFC9110">
<front>
<title>HTTP Semantics</title>
<author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
<author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
<author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
<date month="June" year="2022"/>
<abstract>
<t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
<t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
</abstract>
</front>
<seriesInfo name="STD" value="97"/>
<seriesInfo name="RFC" value="9110"/>
<seriesInfo name="DOI" value="10.17487/RFC9110"/>
</reference>
<reference anchor="I-D.ietf-wimse-arch">
<front>
<title>Workload Identity in a Multi System Environment (WIMSE) Architecture</title>
<author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
<organization>CyberArk</organization>
</author>
<author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
<organization>Zscaler</organization>
</author>
<author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
<organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
</author>
<date day="30" month="September" year="2025"/>
<abstract>
<t> The increasing prevalence of cloud computing and micro service
architectures has led to the rise of complex software functions being
built and deployed as workloads, where a workload is defined as a
running instance of software executing for a specific purpose. This
document discusses an architecture for designing and standardizing
protocols and payloads for conveying workload identity and security
context information.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-wimse-arch-06"/>
</reference>
<reference anchor="I-D.ietf-wimse-s2s-protocol">
<front>
<title>WIMSE Workload-to-Workload Authentication</title>
<author fullname="Brian Campbell" initials="B." surname="Campbell">
<organization>Ping Identity</organization>
</author>
<author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
<organization>CyberArk</organization>
</author>
<author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
<organization>SPIRL</organization>
</author>
<author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
<organization>Intuit</organization>
</author>
<date day="16" month="October" year="2025"/>
<abstract>
<t> The WIMSE architecture defines authentication and authorization for
software workloads in a variety of runtime environments, from the
most basic ones up to complex multi-service, multi-cloud, multi-
tenant deployments. This document defines the simplest, atomic unit
of this architecture: the protocol between two workloads that need to
verify each other&#x27;s identity in order to communicate securely. The
scope of this protocol is a single HTTP request-and-response pair.
To address the needs of different setups, we propose two protocols,
one at the application level and one that makes use of trusted TLS
transport. These two protocols are compatible, in the sense that a
single call chain can have some calls use one protocol and some use
the other. Workload A can call Workload B with mutual TLS
authentication, while the next call from Workload B to Workload C
would be authenticated at the application level.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-wimse-s2s-protocol-07"/>
</reference>
</references>
<references title='Informative References' anchor="sec-informative-references">
<reference anchor="RFC3552">
<front>
<title>Guidelines for Writing RFC Text on Security Considerations</title>
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
<author fullname="B. Korver" initials="B." surname="Korver"/>
<date month="July" year="2003"/>
<abstract>
<t>All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="72"/>
<seriesInfo name="RFC" value="3552"/>
<seriesInfo name="DOI" value="10.17487/RFC3552"/>
</reference>
<reference anchor="RFC7517">
<front>
<title>JSON Web Key (JWK)</title>
<author fullname="M. Jones" initials="M." surname="Jones"/>
<date month="May" year="2015"/>
<abstract>
<t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7517"/>
<seriesInfo name="DOI" value="10.17487/RFC7517"/>
</reference>
<reference anchor="RFC8693">
<front>
<title>OAuth 2.0 Token Exchange</title>
<author fullname="M. Jones" initials="M." surname="Jones"/>
<author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
<author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
<author fullname="J. Bradley" initials="J." surname="Bradley"/>
<author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
<date month="January" year="2020"/>
<abstract>
<t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8693"/>
<seriesInfo name="DOI" value="10.17487/RFC8693"/>
</reference>
<reference anchor="RFC9421">
<front>
<title>HTTP Message Signatures</title>
<author fullname="A. Backman" initials="A." role="editor" surname="Backman"/>
<author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
<author fullname="M. Sporny" initials="M." surname="Sporny"/>
<date month="February" year="2024"/>
<abstract>
<t>This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where the full HTTP message may not be known to the signer and where the message may be transformed (e.g., by intermediaries) before reaching the verifier. This document also describes a means for requesting that a signature be applied to a subsequent HTTP message in an ongoing HTTP exchange.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9421"/>
<seriesInfo name="DOI" value="10.17487/RFC9421"/>
</reference>
<reference anchor="I-D.ni-wimse-ai-agent-identity">
<front>
<title>WIMSE Applicability for AI Agents</title>
<author fullname="Ni Yuan" initials="N." surname="Yuan">
<organization>Huawei</organization>
</author>
<author fullname="Peter Chunchi Liu" initials="P. C." surname="Liu">
<organization>Huawei</organization>
</author>
<date day="20" month="October" year="2025"/>
<abstract>
<t> This document discusses WIMSE applicability to Agentic AI, so as to
establish independent identities and credential management mechanisms
for AI agents.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ni-wimse-ai-agent-identity-01"/>
</reference>
<reference anchor="SPIFFE" target="https://spiffe.io/docs/latest/spiffe-about/overview/">
<front>
<title>Secure Production Identity Framework for Everyone (SPIFFE)</title>
<author >
<organization></organization>
</author>
<date />
</front>
</reference>
<reference anchor="EU-AI-ACT" target="https://eur-lex.europa.eu/eli/reg/2024/1689">
<front>
<title>Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)</title>
<author >
<organization>European Parliament and Council of the European Union</organization>
</author>
<date year="2024" month="June" day="13"/>
</front>
</reference>
<reference anchor="FDA-21CFR11" target="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11">
<front>
<title>Title 21, Code of Federal Regulations, Part 11: Electronic Records; Electronic Signatures</title>
<author >
<organization>U.S. Food and Drug Administration</organization>
</author>
<date />
</front>
</reference>
<reference anchor="MIFID-II" target="https://eur-lex.europa.eu/eli/dir/2014/65">
<front>
<title>Directive 2014/65/EU of the European Parliament and of the Council on markets in financial instruments (MiFID II)</title>
<author >
<organization>European Parliament and Council of the European Union</organization>
</author>
<date year="2014" month="May" day="15"/>
</front>
</reference>
<reference anchor="DORA" target="https://eur-lex.europa.eu/eli/reg/2022/2554">
<front>
<title>Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA)</title>
<author >
<organization>European Parliament and Council of the European Union</organization>
</author>
<date year="2022" month="December" day="14"/>
</front>
</reference>
<reference anchor="EU-MDR" target="https://eur-lex.europa.eu/eli/reg/2017/745">
<front>
<title>Regulation (EU) 2017/745 on medical devices (MDR)</title>
<author >
<organization>European Parliament and Council of the European Union</organization>
</author>
<date year="2017" month="April" day="05"/>
</front>
</reference>
<reference anchor="OPENTELEMETRY" target="https://opentelemetry.io/docs/specs/otel/">
<front>
<title>OpenTelemetry Specification</title>
<author >
<organization>Cloud Native Computing Foundation</organization>
</author>
<date />
</front>
</reference>
</references>
</references>
<?line 1431?>
<section numbered="false" anchor="related-work"><name>Related Work</name>
<section numbered="false" anchor="wimse-workload-identity"><name>WIMSE Workload Identity</name>
<t>The WIMSE architecture <xref target="I-D.ietf-wimse-arch"/> and service-to-
service protocol <xref target="I-D.ietf-wimse-s2s-protocol"/> provide the
identity foundation upon which ECTs are built. WIT/WPT answer
"who is this agent?" and "does it control the claimed key?" while
ECTs record "what did this agent do?" and "what policy was
evaluated?" Together they form an identity-plus-accountability
framework for regulated agentic systems.</t>
</section>
<section numbered="false" anchor="oauth-20-token-exchange"><name>OAuth 2.0 Token Exchange</name>
<t><xref target="RFC8693"/> defines the OAuth 2.0 Token Exchange protocol and
registers the "act" (Actor) claim in the JWT Claims registry.
ECTs intentionally use the distinct claim name "exec_act" for the
action/task type to avoid collision with the "act" claim.
Transaction tokens in OAuth establish API authorization context;
ECTs serve the complementary purpose of recording execution
accountability across multi-step workflows.</t>
</section>
<section numbered="false" anchor="distributed-tracing-opentelemetry"><name>Distributed Tracing (OpenTelemetry)</name>
<t>OpenTelemetry <xref target="OPENTELEMETRY"/> and similar distributed tracing
systems provide observability for debugging and monitoring. ECTs
differ in several important ways: ECTs are cryptographically
signed per-task with the agent's private key; ECTs are
tamper-evident through JWS signatures; ECTs enforce DAG validation
rules; and ECTs are designed for regulatory audit rather than
operational monitoring. OpenTelemetry data is typically controlled
by the platform operator and can be modified or deleted without
detection. ECTs and distributed traces are complementary: traces
provide observability while ECTs provide signed execution records.
ECTs may reference OpenTelemetry trace identifiers in the "ext"
claim for correlation.</t>
</section>
<section numbered="false" anchor="blockchain-and-distributed-ledgers"><name>Blockchain and Distributed Ledgers</name>
<t>Both ECTs and blockchain systems provide immutable records. This
specification intentionally defines only the ECT token format and
is agnostic to the storage mechanism. ECTs can be stored in
append-only logs, databases with cryptographic commitments,
blockchain networks, or any storage providing the required
properties defined in <xref target="ledger-interface"/>.</t>
</section>
<section numbered="false" anchor="w3c-verifiable-credentials"><name>W3C Verifiable Credentials</name>
<t>W3C Verifiable Credentials represent claims about subjects (e.g.,
identity, qualifications). ECTs represent execution records of
actions (what happened, in what order, under what policy). While
both use JWT/JWS as a serialization format, their semantics and
use cases are distinct.</t>
</section>
</section>
<section numbered="false" anchor="implementation-guidance"><name>Implementation Guidance</name>
<section numbered="false" anchor="minimal-implementation"><name>Minimal Implementation</name>
<t>A minimal conforming implementation should:</t>
<t><list style="numbers" type="1">
<t>Create JWTs with all required claims ("iss", "aud", "iat",
"exp", "tid", "exec_act", "par", "pol", "pol_decision").</t>
<t>Sign ECTs with the agent's private key using an algorithm
matching the WIT (ES256 recommended).</t>
<t>Verify ECT signatures against WIT public keys.</t>
<t>Perform DAG validation (parent existence, temporal ordering,
cycle detection).</t>
<t>Append verified ECTs to an audit ledger.</t>
</list></t>
</section>
<section numbered="false" anchor="storage-recommendations"><name>Storage Recommendations</name>
<t><list style="symbols">
<t>Append-only log: Simplest approach; immutability by design.</t>
<t>Database with hash chains: Periodic cryptographic commitments
over batches of entries.</t>
<t>Distributed ledger: Maximum immutability guarantees for
cross-organizational audit.</t>
<t>Hybrid: Hot storage in a database, cold archive in immutable
storage.</t>
</list></t>
</section>
<section numbered="false" anchor="performance-considerations"><name>Performance Considerations</name>
<t><list style="symbols">
<t>ES256 signature verification: approximately 1ms per ECT on
modern hardware.</t>
<t>DAG validation: O(V) where V is the number of reachable ancestor
nodes (typically small for shallow workflows).</t>
<t>JSON serialization: sub-millisecond per ECT.</t>
<t>Total per-request overhead: approximately 5-10ms, acceptable
for regulated workflows where correctness is prioritized over
latency.</t>
</list></t>
</section>
<section numbered="false" anchor="interoperability"><name>Interoperability</name>
<t>Implementations should use established JWT/JWS libraries (JOSE)
for token creation and verification. Custom cryptographic
implementations should not be used. Implementations should be
tested against multiple JWT libraries to ensure interoperability.</t>
</section>
</section>
<section numbered="false" anchor="regulatory-compliance-mapping"><name>Regulatory Compliance Mapping</name>
<t>The following table summarizes how ECTs can contribute to
compliance with various regulatory frameworks. ECTs are a
technical building block; achieving compliance requires
additional organizational measures beyond this specification.</t>
<texttable title="Regulatory Compliance Mapping" anchor="_table-regulatory">
<ttcol align='left'>Regulation</ttcol>
<ttcol align='left'>Requirement</ttcol>
<ttcol align='left'>ECT Contribution</ttcol>
<c>FDA 21 CFR Part 11</c>
<c>Audit trails recording date, time, operator, actions (11.10(e))</c>
<c>Cryptographic signatures and append-only ledger contribute to audit trail requirements</c>
<c>EU MDR</c>
<c>Technical documentation traceability (Annex II)</c>
<c>ECTs provide signed records of AI-assisted decision sequences</c>
<c>EU AI Act Art. 12</c>
<c>Automatic logging capabilities for high-risk AI</c>
<c>ECTs contribute cryptographic activity logging</c>
<c>EU AI Act Art. 14</c>
<c>Human oversight capability</c>
<c>ECTs can record evidence that human oversight events occurred</c>
<c>MiFID II</c>
<c>Transaction records for supervisory authorities</c>
<c>ECTs provide cryptographic execution sequence records</c>
<c>DORA Art. 12</c>
<c>ICT activity logging policies</c>
<c>ECT ledger contributes to ICT activity audit trail</c>
</texttable>
</section>
<section numbered="false" anchor="examples"><name>Examples</name>
<section numbered="false" anchor="example-1-simple-two-agent-workflow"><name>Example 1: Simple Two-Agent Workflow</name>
<t>Agent A executes a data retrieval task and sends the ECT to
Agent B:</t>
<t>ECT JOSE Header:</t>
<figure><sourcecode type="json"><![CDATA[
{
"alg": "ES256",
"typ": "wimse-exec+jwt",
"kid": "agent-a-key-2026-02"
}
]]></sourcecode></figure>
<t>ECT Payload:</t>
<figure><sourcecode type="json"><![CDATA[
{
"iss": "spiffe://example.com/agent/data-retrieval",
"sub": "spiffe://example.com/agent/data-retrieval",
"aud": "spiffe://example.com/agent/validator",
"iat": 1772064150,
"exp": 1772064750,
"wid": "b1c2d3e4-f5a6-7890-bcde-f01234567890",
"tid": "550e8400-e29b-41d4-a716-446655440001",
"exec_act": "fetch_patient_data",
"par": [],
"pol": "clinical_data_access_policy_v1",
"pol_decision": "approved",
"inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
"exec_time_ms": 142,
"regulated_domain": "medtech"
}
]]></sourcecode></figure>
<t>Agent B receives the ECT, verifies it, executes a validation
task, and creates its own ECT:</t>
<figure><sourcecode type="json"><![CDATA[
{
"iss": "spiffe://example.com/agent/validator",
"sub": "spiffe://example.com/agent/validator",
"aud": "spiffe://example.com/system/ledger",
"iat": 1772064160,
"exp": 1772064760,
"wid": "b1c2d3e4-f5a6-7890-bcde-f01234567890",
"tid": "550e8400-e29b-41d4-a716-446655440002",
"exec_act": "validate_safety",
"par": ["550e8400-e29b-41d4-a716-446655440001"],
"pol": "safety_validation_policy_v2",
"pol_decision": "approved",
"exec_time_ms": 89,
"regulated_domain": "medtech"
}
]]></sourcecode></figure>
<t>The resulting DAG:</t>
<figure><artwork><![CDATA[
task-...-0001 (fetch_patient_data)
|
v
task-...-0002 (validate_safety)
]]></artwork></figure>
</section>
<section numbered="false" anchor="example-2-medical-device-sdlc-with-release-approval"><name>Example 2: Medical Device SDLC with Release Approval</name>
<t>A multi-step medical device software lifecycle workflow with
autonomous agents and human release approval:</t>
<t>Task 1 (Spec Review Agent):</t>
<figure><sourcecode type="json"><![CDATA[
{
"iss": "spiffe://meddev.example/agent/spec-reviewer",
"sub": "spiffe://meddev.example/agent/spec-reviewer",
"aud": "spiffe://meddev.example/agent/code-gen",
"iat": 1772064150,
"exp": 1772064750,
"wid": "c2d3e4f5-a6b7-8901-cdef-012345678901",
"tid": "a1b2c3d4-0001-0000-0000-000000000001",
"exec_act": "review_requirements_spec",
"par": [],
"pol": "spec_review_policy_v2",
"pol_decision": "approved",
"regulated_domain": "medtech",
"model_version": "spec-review-v3.1",
"inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564"
}
]]></sourcecode></figure>
<t>Task 2 (Code Generation Agent):</t>
<figure><sourcecode type="json"><![CDATA[
{
"iss": "spiffe://meddev.example/agent/code-gen",
"sub": "spiffe://meddev.example/agent/code-gen",
"aud": "spiffe://meddev.example/agent/test-runner",
"iat": 1772064200,
"exp": 1772064800,
"wid": "c2d3e4f5-a6b7-8901-cdef-012345678901",
"tid": "a1b2c3d4-0001-0000-0000-000000000002",
"exec_act": "implement_module",
"par": ["a1b2c3d4-0001-0000-0000-000000000001"],
"pol": "coding_standards_v3",
"pol_decision": "approved",
"regulated_domain": "medtech",
"model_version": "codegen-v2.4"
}
]]></sourcecode></figure>
<t>Task 3 (Autonomous Test Agent):</t>
<figure><sourcecode type="json"><![CDATA[
{
"iss": "spiffe://meddev.example/agent/test-runner",
"sub": "spiffe://meddev.example/agent/test-runner",
"aud": "spiffe://meddev.example/agent/build",
"iat": 1772064260,
"exp": 1772064860,
"wid": "c2d3e4f5-a6b7-8901-cdef-012345678901",
"tid": "a1b2c3d4-0001-0000-0000-000000000003",
"exec_act": "execute_test_suite",
"par": ["a1b2c3d4-0001-0000-0000-000000000002"],
"pol": "test_coverage_policy_v1",
"pol_decision": "approved",
"regulated_domain": "medtech",
"exec_time_ms": 4523
}
]]></sourcecode></figure>
<t>Task 4 (Build Agent):</t>
<figure><sourcecode type="json"><![CDATA[
{
"iss": "spiffe://meddev.example/agent/build",
"sub": "spiffe://meddev.example/agent/build",
"aud": "spiffe://meddev.example/human/release-mgr-42",
"iat": 1772064310,
"exp": 1772064910,
"wid": "c2d3e4f5-a6b7-8901-cdef-012345678901",
"tid": "a1b2c3d4-0001-0000-0000-000000000004",
"exec_act": "build_release_artifact",
"par": ["a1b2c3d4-0001-0000-0000-000000000003"],
"pol": "build_validation_v2",
"pol_decision": "approved",
"regulated_domain": "medtech",
"out_hash": "sha-256:Ry1YfOoW2XpC5Mq8HkGzNx3dL9vBa4sUjE7iKt0wPZc"
}
]]></sourcecode></figure>
<t>Task 5 (Human Release Manager Approval):</t>
<figure><sourcecode type="json"><![CDATA[
{
"iss": "spiffe://meddev.example/human/release-mgr-42",
"sub": "spiffe://meddev.example/human/release-mgr-42",
"aud": "spiffe://meddev.example/system/ledger",
"iat": 1772064510,
"exp": 1772065110,
"wid": "c2d3e4f5-a6b7-8901-cdef-012345678901",
"tid": "a1b2c3d4-0001-0000-0000-000000000005",
"exec_act": "approve_release",
"par": ["a1b2c3d4-0001-0000-0000-000000000004"],
"pol": "release_approval_policy",
"pol_decision": "approved",
"pol_enforcer": "spiffe://meddev.example/human/release-mgr-42",
"witnessed_by": [
"spiffe://meddev.example/audit/qa-observer-1"
],
"regulated_domain": "medtech"
}
]]></sourcecode></figure>
<t>The resulting DAG records the complete SDLC: spec review preceded
implementation, implementation preceded testing, testing preceded
build, and a human release manager approved the final release
with independent witness attestation.</t>
<figure><artwork><![CDATA[
task-...-0001 (review_requirements_spec)
|
v
task-...-0002 (implement_module)
|
v
task-...-0003 (execute_test_suite)
|
v
task-...-0004 (build_release_artifact)
|
v
task-...-0005 (approve_release) [human, witnessed]
]]></artwork></figure>
<t>An FDA auditor reconstructs this DAG by querying the audit ledger
for all ECTs with wid "c2d3e4f5-a6b7-8901-cdef-012345678901" and
verifying each signature. The DAG provides cryptographic evidence
that the SDLC followed the prescribed process with human oversight
at the release gate.</t>
</section>
<section numbered="false" anchor="example-3-parallel-execution-with-join"><name>Example 3: Parallel Execution with Join</name>
<t>A workflow where two tasks execute in parallel and a third task
depends on both:</t>
<figure><artwork><![CDATA[
task-...-0001 (assess_risk)
| \
v v
task-...-0002 task-...-0003
(check (verify
compliance) liquidity)
| /
v v
task-...-0004 (execute_trade)
]]></artwork></figure>
<t>Task 004 ECT payload:</t>
<figure><sourcecode type="json"><![CDATA[
{
"iss": "spiffe://bank.example/agent/execution",
"sub": "spiffe://bank.example/agent/execution",
"aud": "spiffe://bank.example/system/ledger",
"iat": 1772064250,
"exp": 1772064850,
"wid": "d3e4f5a6-b7c8-9012-def0-123456789012",
"tid": "f1e2d3c4-0004-0000-0000-000000000004",
"exec_act": "execute_trade",
"par": [
"f1e2d3c4-0002-0000-0000-000000000002",
"f1e2d3c4-0003-0000-0000-000000000003"
],
"pol": "trade_execution_policy_v3",
"pol_decision": "approved",
"regulated_domain": "finance"
}
]]></sourcecode></figure>
<t>The "par" array with two entries records that both compliance
checking and liquidity verification were completed before trade
execution.</t>
</section>
</section>
<section numbered="false" anchor="acknowledgments"><name>Acknowledgments</name>
<t>The author thanks the WIMSE working group for their foundational
work on workload identity in multi-system environments. The
concepts of Workload Identity Tokens and Workload Proof Tokens
provide the identity foundation upon which execution context
tracing is built.</t>
</section>
</back>
<!-- ##markdown-source:
H4sIAAAAAAAAA8192Xbb2JXoO74CTT+EvCEoUYPtolPVLUtyWRXLViS5nOp0
LTVIQhTKJMAAoGTGcX/L/Zb7ZXePZwBASXaStbpWUiWSwBn22WfPQxRFQZVW
82QUdo4/JZNVleZZeJhnVfKpCi/zj0lWhtd5ER6lZVWk41WVTMODWZJV6ST8
kBcfr+f5XdkJ4vG4SG5hkA8npxfHYWOoTjCJq2SWF+tRWFbTYJpPsngBs06L
+LqKsiTLkkWcZdFduiiTKNH3owm/H21vB+VqvEjLEr6t1kt49eT48lWQrRbj
pBgFUxh+FMAKdoO4SGJYyQUMUaTVuhN8TNZ3eTEdBWEYhWboUIamb+H3j/M8
nobpFPdWrenbWDZ6pxvlb1fTtAqrIk7n9HmSL5bzNM4mCX0sktlqHiOcynVZ
JYsyCOJVdZMXND/8PwyvV/M5b//wpgDAwsvhWwUBPZEXszhL/xbjQmGn2TRZ
JhkuLTxPyiQuJjdJQQ/CK+l8FKZJdf0fBoqDaRIEWV4s4P3bBOc9f3W4Mxx+
J38+Hz7bkz93d3f122f7w337p/Ptc/nzu/2nO/rncLiNf55ERwOcW84NF9by
dblTRssir/JJPh8FQZpd19a2u7+/Y+d7pst8+t2uzre3M9SBs1RnSyM6oUgP
DZ+4ODt59ep4RMBRzCZUSMKzIp+uJnT2J/JG+KqAc8DzJSw/vk2KdZ4lYZeH
6XV4nLiYJdUovKmqZTna2iqX6fV1MkjzLcDjcgtPu6zk2yge56tqK4eRbtPk
bosGIOwMr+N5iThy/D46OIkODi/9VZ4z4uDyusfve+HO9s7e1vDp8+/C/Dqs
bpLweFXkywRw5SwuAOEWiA5xNtWfD/NVNknn4Txep9ksnOZ3WXgTF4s8S0vA
xmI1T8oQBo+LKr1OJ2k8D1O4AfN5CkCcwJ4P7A8n7g8Hk2oDIJJVEc2TT4ME
VxbDf7aSeboFN2DLLN7ZP34XbT+Nhrv0pb0V+E+EOD/auEfdXB0U7zOAFwzx
6ugg2hkevjofDn2oXuJ/w51hH4aYJvj+q2SaFLBHC++yj9NVIbwbHs+TSVUA
zCbwwATIRvnC/e4inWVxBdhUtkPk7u5ukEyui8Esv90CrCtgA1u0Flje1uQm
XlZJEZ1sATHTDwdbS5g8Gg5bUGUDlN4PLgbhqzyfEmyOitUsPJgu0gyJNO0I
Hj89eXVyFJ2c+OA4SgvYC9w8OI3h3tbT/a3j91+JX4BCi7j4mFQl4E94nWZA
+hiZYPYVvlWG3dMUZg9PTr4KcaZpsSXL8tBmCGizHw33//loc/Tu/ODBW7iz
tbO/v4f7nqaztIKtwiAMZ/gbUCGdp3RRkITgNBYmJQAbvuziPN9yh3hq/w7t
REP4394/HxhAl06Pzh8Cx/DZ1rO9fcKCZJpOYJPT5DadJHjoR+ffsEke0D/w
Z9E2nvk/f4/vzo7fXh6/OT49vjz/xd/qO2Cxl8k8WSRVsQ4vlskEqSHtvX1T
MDKSSX7BcIMSXiy3cvihjfZv2M7hPF9Nw7fEE2EPiyWIKEDDX8FupnyhgygC
0WOMF3xSBcHlTVoCiZ/QfYMTAJSDE9gownWPDy/LXh9ABAJQBd/gkFVOMPqg
so9hinCtT1fzKg0vSIIJj7PbFMifXG0S8XoB8vq0AvxG1oqYP3VExIbkhGMa
yShInAEHgHiwuBAEhFtg5OGkWC+rfFbEyxsYAL6Fo8TTjMuPVngLgDAnRT9c
5vN0sg4TlCgmicBikpZM1BEhrHQGgidMHsaTIi/LgCWHKmcRAh9brDI5bljS
yzUDaorHwEJtA06BAPcurW6acmU4mccgpuDGf7p49zb8kIz5NMLuTx8uewHL
QH04AjjJ0sU22E48RmbdECVDODIQ+LIK/h8gtSXoT12RFJ65iauwXC2XeVG5
2weJxEwxCAjmqxLgAQeHPAGHmawnAM+QgA9E6+DHXmhmwbmLZAnkDuGFxxGo
VDpJE4B2QezSHMltPF/xdkAegmXAfmBdSTy5MUcULHPYC58TiiIwLxwQgXMD
yA0+fzi57OF7gXnkjDDF/H4Gv69KPD3E8RIoRFgC78YvFiAIzOnlOq6lixRv
IOLkQZgld+Hry8uz8CaJAdmAqifzaT8wdyySO9YP8SrSDZwyCyjirETo42QE
53ieZ7MSsDtIPqG8b3CKhzZ3AFQXOA+4VDcZUdbxKp0TBo7n+eQjnWwgJwsA
h6sGJADgmuVVOIZrW5XJ/BrxD6ao4B723eNHsAaCUaCHhdcq+ZYDJi6LdDqd
g+LwBKU/IyrD5yfhaQ5gETp0+e0kw0wZfv7cojl8+aJEAFA/H6/KyuhlpEIR
SWGUqm6KfDW7eQSCmEeCJoIA2Gk3dBQlCuyTBEmC/BmqzhI0lutqNLBspb83
+Z1Zchk6a4aDR8TP4YtCKFAIBzwPQQgEucnBVF1uZHbkYnlEm4iYjjjIiWf4
Or9LbpEoNpRZwr/E4ko8ncI1Lh1yGk8mwGqqeAyiTLUGuPwxy+9wSXc3eQjC
DhIrJBCgPbACZcbCE0uCO6Q5dzGypAzQjj4KIcBv4yVgYTLtA7OD3xKCgqM2
F8lfV0CDGFnukgLva5WWcOGmDZoREs2A7Z4b4uhyE0DECej/CM75Gl5azvM1
HkSe5Yt8VTJjYhoZTHKgVyCqGabgqd14/Yj9FikRBELvJegS9g5ZhC6BqNAV
SegQs0RIgUOjLYNgQlmCJhwR/oEEfo/qBXfFKIyAavjkBFYx3AEJQgAHiJfO
bqIiBRZ5cOIyizGceoJ0DxZAdHUSL/mQYVMwAHEaPGcEEarkE1kdfge3BRCK
LnBnns/KTg8OL53TFuFdngaJn4jD2WygW2IF5egAFK8QlDJVr2AvjqIGu9EN
wHATknpAH4Kd43CILlUKbKOKF8tWHpdas8h8TdAgBoQHgEIXv96X1cFh6HVg
hsOIDEPFcJfg7e5Fwqg9HA6G292k1zO7ObXqzisj2p846o7VqqziA0N+/qxK
mLNV4COFz8kVIUjMQd4hS4MRSP1CUUe2jAyiXF0jqhAXzkVWQH6PRKtEys4S
ph4xTgSqKwLAXjmztSPRaN45Gs251WgQ/1h5gc3gfzdioNV5CMgwN858EwNM
AHdmiE9EEOgH3ApvGm06h5d0GLf8Fp0N3NZ4jvduk6TrCrKhCrJExz25lO65
kDuaOAln8RKuRXWXAAVtoZTZ9D6yKFM4hF1JygsW5Oyi5FCZNMLzQI1SQGk4
bvpGBFicr04tRXRKprD7g1LWRsQQXmZWtNkG9uVLXziLmDfhnaY0vkDmGs/v
4nWJNAIQJ0UswtWQhFfcwuwslAQqmMeg8AG7ytJygRBXJkLbdii40BlXsgri
slwViHd4oCBPABeD6RbhBUrk+BIec5GA8J8XdEIISBCUcMNiREEeUuTACRix
rGgsmwuE6gFVHd57UL7YJDTDHBKraIA8AEI6MRIFQZhgRleGHbJ+w3dpqRft
b8m0Q6PCgPS+eYYxCRZ5idrLn/sh8BNgfWd81r/0cVCQs/ByvFtVQP7C/xx0
gmAHJn2bo76C7GfqwJ2gIgBol7bZfLxJ4mbuiWCF00SGJuqPYgYczy5P3jan
d6gEIOAdH4msANKzZIbSCi6hyOfzcQxCq9HHcASAFpACIBJC4mC+Y5WI8zHi
ndw1eDgHOl+uYPEoVji6JWrA8DwIZZ4yb6VHRmcehhTTZLxiCoT4LcQQR2BM
MGJMU/t08BZERZ4XeUuMp4+n3YQIM9s+DUqcq4iSW7qcfNnxe8OSYXWuSM4s
rpwATS/SXO7KxQQYGL16gFLURAC0gTBaoaLdFECWgF7IymfY/fwZCGXEn758
6cG7oPQ5Oh+pM4i7RtVbM+VCQMDb03gWAeqlbKTgEQS74aZOPjK6WZECXmGM
jVg75jdORPfD1RL1sNTcEGYjaiGr/vyZqV9qX+SRDjJfZUObPrAXo5Hhq2i+
ifgBeYnAPk+mM3gFhyyu40kSelIpvMcPROYBfJm0oWtAdZaWkT3D3UNGXppj
wy/hKoFuNUUtjfZFx2SUl5pyQ+qw7psQE+8PImwU/pH4iFwGfXgRZ3CNiY7C
4RdI26c5ShchSk8g4JU3xkDmPXsIginOAxdynl4nqP4n7hOIf+eJGMlv0iVe
4XOLr4dWhA9a9VeHYSCBnQDXbjFMwBbhEBdlMJbtEqpY0bnfQnjkAllWLexW
NWm51jAigBZQZY6022rGdcUYQLNuVY4BC65BIYHniPtW7p2D+3lYG4aIrfNK
Yc2nRlLylYwA+TQQy7Jv5CNiC/A2ehn6ob1eTEBm6FrKaMoFKDr4UDBO1nnG
ki/jHZk/63YlUXedbZqVlkF9c3SWiOtw66csRDoKDlMw74r0AyJ5Odu9REIH
6NCvxhKiih3JYmXiAIh4gWsIZLI5oc3QmJ4SZagQySxEUwLLBXmra0UDT1Ng
Q9iaV4ibkcEDO7gRAPIJiR9T4kFJOYFrR3qJvtqYmAQ4wETUB0jdNY8yo72O
AU3Q/7t21GrUp8g4qVqJnFSFVxmwEA4mQ1ELAIHUTAyLvCVy6eEALQ8TPojR
i6ePBUuYcCJ94ceCMchWSDFZYyYEcNRq5ETIR1AbJFZObifkOClrKkQHPwLA
70iR6Zy+v7js9Pm/4dt39Pf58Z/en5wfH+HfF68P3rwxfwTyxMXrd+/fHNm/
7JuH705Pj98e8cvwbeh9FXROD37p8PXovDu7PHn39uBNp3FfCaVZKSYiDpIu
gbwMzNHiOy8Pz/7f/x3ugaT9b+I2B9GCP6DjHD7cAbXm2fIMDpI/kvQIQmoS
FyRfoQgeL1G5Qks0YP4NOWThvgE0/89fEDK/jsI/jCfL4d4P8gVu2PtSYeZ9
STBrftN4mYHY8lXLNAaa3vc1SPvrPfjF+6xwd778w7+DfJiE0fD5v/8Q1Hkl
HMCCOcaqbCGuwCFJih4FI+TqjglHlbY+X0q2uypjJa271bYot1ZE8pLEGrbd
kzTsSMAorNO0yGkniCQgt6fE1a20LBwNkH+FgnaagfReigKFMj3p3jkJ9UjZ
jtTGfiA29h+tjZ3nYqO7Fb2MrZ2AtUkGu0OEQkMOyCYMTWvNJ2kzJKYu+hSJ
2/fIhbySmrvi82eJCDGGzinz1YbfgrTt0JgzfJcNvFuR7cYS7DYnAeq8JI+9
IXFLj3+JW4/wuoEKvVisKrJ6zHOyUuFdI9bROE0AFFqqEjo8o/72GeVQOmxI
377PCF723SaBSLeHRrplmDl6lZmbzga+2LhZ0CIMuMRAhyNkuBmYaoNxm23b
PC0LyRMrxhHzRHJvrsnvSitMGvgQs4C5WUx053Ks5Gwkdycib1wE/1vmaE8R
4ws+6gD0ryuQOqN5cptgfJQv2+LtIvn0iCb2NpEDvJeVj/dxtsEmuxaxDU/3
JkYObTaZgtKGphXiwiD1sw8PLRYSHAQYzX98+YL2MUdeRkCkFbJPXhlAq5hG
GJ6xDmV0uvasqqqxqsLwn1KtUFYkDQk36Rr0HcE2nk5T2UzNvoRcloFx4Bqx
XPXo85Om5kNiOr/nOowv201im1wvrgL5gFuFYED2kHY8g537mKbqSLdzEsYL
DiAM/0w03/35l07PnbzFo+fM7KCgiDrLggRUmB0lEdDd80lKQhWjCllxcAUi
cdM7+CSirSyJFkCW/ugmX9YVs9s0ZpnqHldRC//xnUV1PuhKnS42kBOBSTrR
I5KjEfGrPLD6sa9mOs4dJtIbXEF0yOdGKyfrl1jHrO0rN7p4WniWNDTwmKN2
x3mE6xegihAWy7ev5zVdJPDomzT7iI95RiakM2pfMnZ8x7pEvJ2uxbGxx56i
11dUDHbtCwgBTHglmdpsPI15vE6KQA3HJEMrSOknI1rHbKWhMegXAPb//M//
AD5O0hQuWxX8Pvrqf34f/F1tmm9otq7ezF648Z+/40v42uUo9C9el2MVR1tb
1XSLDn7rU6/jvnPG7/BVu//K4EvftKWNy97ww+03Qw61JoGblX8OvAPuhX8h
gxrG/fwqUIDXMILQijGo+7lBD6CBg5bng5v/8a8CuT6F5yu77+hb/8thx3KY
QTsje/G1b6KfgKFzoEIZy25sRIgdU1vHe+mblgf3Kvg8Cp9cp7OI7lrJ0Vzf
mzh0vf0eQ6W9lJ0vYkN1fTYrdRMJeXVDRvpCN8rwpw+qhQfsuTemevxFxhPC
4YjPfbHAMfErRWMRwYdc1/MVCysOV2Qho0bIr1P2+T954kkHZyiFliAkOOJB
RKJpCZs9IMHSRtqUDxtbTaAF2ggszzJ2PcfeDCP/9M6EtISdjymgOIhOMBKo
eiGpt8bexPx6NYZLIuza7gtmzxfWZPI7hNPlwJ2nAyJeR+xMNC7GMdlttMAK
JlGTt5ECT44cQbDnTUCDjpPQ9ZybMCIRM2jVJPYCQw5D9Vr7Cz/zF26MMfMZ
OmhvFmHXgxl878CsR+uAsWHdE16AfdEqzUlN0mVofQB2TfEaRKUX8Ud2mpJ1
XGR0upCZxKTMyEOBo1XoiQsqFrtI/IiLIjWzpSjjo95H/u5GgFTZYHf0yLlM
SWer7jGYn/98ieGQjciXEVKGP6DUZtnNwQ/uk040zAiePLs0+s+BsqwSzwlf
asRt8fB4LIUvCaHeP/3BIy6Oz8CQGNrXa976RQWiCAzQEfEORkzSW2t368o+
e6JOksWAtXjjsLzkcCXYBMdLsfTQG6EcjLoGhuK4zkeSN9i4yB43AXHqRB4N
2JmIm+z6/mkYV+LbZdMyMjmpax5pzjSxrMw6rXGfU40HtEYG9CGK/o5eK6KZ
iFqy+Sk7ZVhfclkCaUCbLBSv+AJ/fuK4rJiobXgBAdEae+nS5EDueOw9bML8
8YUL+8I+KEo2Vgut/xiNewHbiueio8LW4RUeyvshVAsfUhajLyOLZEJOlEDw
6fOT33LQHMRLxThVp7A0HGJ5LGTA0mdDQuQ2/laCQvgZjpEoDOZ6XezsP+30
8ZtqvcRvbOLV73+7q/gnJOHwEwcYxBFcpCidRsOd3U7wxb8evCK5GGahspnj
TzHqL3g3YHrUrNWsKXZuDasvDdRrdA5QhfwNFYNhgOkNuPs2wriZJobhidGj
WGegQdQjRTAxJ/38yxdZHcEMDUGA/4l3iJ0MdKkOPHaxXmAQOHqMdR2gsSaD
2aAfvsZhEZyvL3af7+Hn/eFOr4EMZM0keUmcKvBZR0Ujh8k7IayBiaMiWcLV
UbMKHGMNsoaJJUTp6yeM303Z9b5KyxuO9QiZQDNPQFkGU+3KPtk54VkT3mGZ
7cR4BcibHdIbDt8nqCGGAzK1HH2N9auAoDeMRQRWOWBhOLwvF5jzekbn9V70
XiE0BamF8zz/GK6WQijFOeMNjZF6BvdqBj+8mQCIQ3a6wMW8q9R5be/lMl6T
xCHXsQzHuQYxR6i5wmAUpeWKiSJAehFH9eDxe+2ttDix/ESHdhZeat3O0DK3
Z9pVdNEI7zQLMJx0TVpQEKRsE3OO76JCC/S74v35iRwmW95M7sXhJXKSFG6o
jC3H51iMrChmaBjSdXjwv42K+geShiOWhn/Y+gNs8+aH/6Yp07JOBzrlaoyX
lYVDWYkvR8ITuBP1V7TuBJ75DZHEbgVZNIpUAp6+kiC4rDHrxY5UOsCczzq6
O7OgAQOEqpjcby1wFLcrG4fTJcb6dcuev5rL9VJ84Rxx+klMOAJJtMFZIzg9
IxEOMLTG0AL1qC3y7WoB6D85AkavTsgUZF6M7qWTlPnJzUnHPUW6qtdALf+x
mKysR7MflrlAKQbaw7QUbjtm1iHZQR8a/a4BWehGLRKWN9CsxQ/4HoVxMovx
FiSf6rSvuQ14JhUtiXbkwLKFMYifjEgnYhlQkX3813A/XKQZ+Y/iayRvtB2O
spxj9oDsYQmyG1DKbEpuAIyZjfUespE8Bo5MavQEI/uRwH9M7tR9NEG7JlJA
WChs77cqbUVYCk1bZSmIfZ76JMdN9w9Yy/VqLqTZsTzLEqdJxVGvQkuaopSh
ewh2n/BZ2iLkhNxP91EsoCN3zAbaN2Mw1tkOybgz0EKXyBrnYn8kTglIjFZ9
CvZOrAevdlMNZYvD9+9PjshCK9nMxDNYUxqXRgHqVKi6MmDJle6EOSAUKZi9
DGfzfEz3T4LHyfgPqy4SK81WDabn7NYMIGdI2O3sHC6yLFh0V3/dx2hPpXdo
gxRqG+tYvAe6ZojftEeQAOC7tLSQcfaIR4W25KnK5QrOF3o7zesKK+dtBbEk
Yk3N3hBeFjwGLohMV0AZNgEH0UsyDTQCjeQKBzris8ewqNDEbwoJtKEVIoR1
5FZdAaPGY2T5VkJrkqsyvk6qNcYWAEWdUGDp1TQvYbBOj8IhMYWP0Jn5Cvnt
iErzdYIzxHz+adjRjXVCIDY3jL4AOvoGkfU2T6ckhMznHJBpxCl+pnuACaM9
madIZih1FXSfFHExLR4QIAhAyKrB70B5SkmAxGios7hQ/cy1HRFrcRxtGPbn
WjYVvxImi84dIqCR4oDoQOJijBh1m+arcr62Ma84Ja4pC5PFEj0PtDigiRyO
i5gRgv4uayM4ZHl9EQ5NOD34ReUrtImYdAwdohQaph5aJVx+wOEG0vVg8hqQ
riVWL9iMrw5uqkOKR8PMeyZjrEsbTVpIdSqucsZVBO1knlIA3RXGmgI6MerS
aFe3ww4aq+DTlYbW3rcqOGKAVG1FXqCUGJngcDFJKL9GjW9Jhv8p3ogi+Y3i
CToUztRZck7k1c1qEWdXeOzJXUfWI7e/eFC8MoZGWZZ86kpKCTEruMPAI8Xl
Z0Hm7EK33yKaCf9Gu6AVMZmKylpNakltsY8RgGrzI/0BcWUByu5G3iNiIvqo
wgRTlpU0sKjGUpHKjojFRxhlfGLCtAw2I0ZEJnzrAazWUDob7uUqNya6N3Ci
VyRkhe4jhrLCCSfxXPUxjn2mPEMq5LG8uonLm80M3Q+nxmf1yGlKGq9vGBxH
Y4UdfC4ymvRoHJfJ071VMY+ALOQgF0f4QMe5L+VNHIGWPcr2xn+a/XJzev3h
Q/wm+uvs08/Fn17F7/7r6vJTWRzunZTbPw/LV+Oju8PZrCPpf/A+rcuxINiL
LHiEur7M0RGsoHesXiPZSwC/24TFryIGwRsuTlU2twxnDLD9ZtjxGRng1dJc
RVhAQOoB4QXFvwEtQLK00lj71Jd60CWaCikxZx36r2rYYCibMmyWlGpipHl2
nUpUCpMR5ElESHqC4m7OkcFvp7TCI5HbkWrdugyiSY9E2MBbfLUoa3umCwYS
ieoIJlZpVbj7FPZJfCdFzg3cIqNgY8sX0SSTgUJCZvFUxg0Ck6hyNTUhL5uA
7gQjSUSEOJNRUSCxjAQPYaw/k2WFhW5Atkx4sUmMIoNDUr0IKUoTIMKmGDoz
dDQBToPIgsHaeD6cv5VoFOUCnVdxsUbMIefXFeB1+QDSyCMtnPCAVN7TN+xI
I5xlSVMkNQPkfpheO7tWEwcH5VgsueMvLIbIFwDm8bq2xIN2RfvECkMSLq2h
PpQXqTlsTrjPlNR2ivaxYrITkXxdOyCfEySuOHUvf0K0dBKc3PTWvg2p9jVV
HElggIIVLdIS+QlmA3KpDjcPiLMQ4aeZOq4whZTjllipijRqeV5KnLRKWYdu
PIY5FzdKwx6O++2VKFN1LfBlns+TOKM7KRKiSRW2IhJqH0Jt7wkGoT1boZTP
o7EMVME3U1+SbyJ4akq3jx83urU7FKk4jizlGdGukRK27J4UqapA7Sxg9cLb
kxiC1VsK+8eUJTzBpZXnSw1ICjrwrYoPSkpMDoK8QUMu4CaQoriMKUSI/Xn5
XRaA5rLskKzzgkw5jr1EFV7BeE+EEBtHfh2oZYilA0mAyvEjqwwUfISmIVmP
3Z0YrKwLyIvbcQwQ8pVFLKLv3gm+I7udqB1mjJyteZQMRoQ1UrOEmgpLScy6
z9zaMBORPTM2OWSU3EdmVmdqGV2uaTrLckpLTRZkNxONkKzQRicsTX7qFE2g
BC2JBeg75VvYb456p0cFUGArykQ5CCxMyvdY7SJfDBL2yQwmK8CsxRW5bokx
k8cDK/YZVReOjJzbIITYbZkIAGAvlWbDOeqqmHNPDt4euOZzfgL42ziZxLha
RI8Si9YBfSqloIhkNNSPSkEpoYVpxcb5Q7E0EvKJq6kuMaSuSdIz2Asc6m4y
NOWCHmRs0AZc+ULipVRFY0sCWp2/5vl4NX3geTVJqHIwCofPnu1sP90b7m/T
l3hfzZfP8Ev89k5cdtvj4WRnuhsle9f70dNnz7+L4vFkGiXX28Od3b19/Ebc
f/zC/v528nxveztKdr4bR3vD6V4UPxs+jfb2nj7d39+DX7aHHZlXLBwjFOqw
bg4c2VWFtlprWUF6NAr/8isvCvQlfNpotUxMUYtUnXZHXnOU2o6nh+qvqmJu
hB6PaMANKsMMrrQdwOh9DkT39nmdRlwePahStGoUNIkK9u4gbw7j7Xjnt6tP
+dX+Yvv989eXL1++ffn28M2fX36cPYtm0S/LJP3xp8X+0z058YawTgD0ZGpz
GCLawhM7uJMQz8UXOvFlI+vhA55I555NZM4mut0b4LEwVlnpCs+Vs5zbsRfd
+VsiMRXREI3jv9bcxZj/FCFBFoexd4XP5GY6XuMnoRtrcWmSOT8/cXM5Jd6z
FuWhb71CCicBX37WgpYUqNysWft6PcAlYCvscLj95cuGcj9KvjmkVoiqO4b4
P9LS+FOwStSHC40o8AMHAtf8y0EIKnDTMOKcFTEW0+hf1jVmtBUSpUXHbMUc
DkTvNJ+G3c6g08M6NFhYjKPKDjRsqJQCWPHGkCHVJWgnzdpIumtTAMnxHDfi
fQK3XI9X6UYib5hKBz8eX4Zb8TIVGhlRpjEd1NZwMAxe52U1CuU3WuTAQdCg
JcwoWf90M/5xkg4GA3QRDgat9Xb8587ouZagIuchdC7BQ41AIlmOF0ikAVJk
B0WMYLxF9Cc9wtg7PQGQgpwoL954jl2XiJxaPzBvbzwhxss53QS0tFKSHB3t
lHWXAMPA1owNikcPoq61uT0hE/PPJpmVTFle8jjd33dSN1UCtUk3jMP7sqck
zSZRb0hgk1pJumgTmMO6wIxEQePQteAFyQybEo/FXowlchopqf3AKaszxWID
pmJDxrMYHYKonrFwI/5zcmogJVJYWUB1AtgiUGAx2EmVJJM5NE6uc/K9SZJr
YO3hLsjPsQSs4JMToWZmlRh4chzW9UzSbERbD/xoIzxYe44AyGSpZTgodhpU
2/fGVTTimBpyHjgRnONEPVci3mlUm2MB4VyHruuccoujAEkj8UfSbvl1zyFH
6pjvxUIj4Ilm6fiBnszkaKHxHBXBtZTC6BuqrUtXG7mE24nPhSpbICKOuLBw
w8E3T8mSILIy4STvmSwWEt+lYUx8sdkVhsgBMgZMzRYG8b1IGKAghQwrahVv
M1u790HkdjhKUF36BmYbdoZBfZfJAjgd1gsSXJfjdJz6XDWq8CeyhtIQFkTe
wDhrxAOIsUgrvtCby/mKdX7U+kH8ma0K6zdnr3mVzxOq0hF2nWTVUbi7HYqh
rjegAVoggFBEBx2tguAKsKSCzuLvoyuLEdt9GuKek99DrZPpE3GVVzbVFTeF
hd5wh3X1tzShYAIdkH3IliHqtguN35WMkIq0XLCByg9WtIwHF7lPhUxsBh76
+TmyawJLPnNppbF9I++W1dDwZGX2ErfwwuX1ZC+6TOw0icNrKrpsCtQUblEJ
g8mmWgUt9UmDZRyoib6u3y3LZDXNUdIxWfosWtVIk6mrIEHK9r3gepWx7cg4
hYE9dSmLn29Qn1HuClHuyqBcDyOXt7bCCyB64XDkEDougILW1mu9gxodhsMO
Kgy0xT+AIPVGAhXgPwCGosiLbkdpp0988FpL/kQvcObeMaeXKNnhEGG9scqd
2NsiaHiVEp3AZZA3mVJXeJjvddWzpOqap3v0SGrQGCkISPNaztbfget7NnQG
lI3w9+GmAQdwEcMfvqcV4Z+/b4X646bz/GxyjXyg7Y7CQ7pCJg4G4zxB/USy
/D1az7s9PkHA0Su6bf7ZwaItfsiLrYd5mBYYV1C4Sdx6aXlN8ny5Im9vYBHS
Ts0FiK9odgPAsn0BjTO2L4x8kOPv338f2sFr0EUrZfONNNPp9HHE7jSTZ+W3
QTyd1pHnq/ELjtLFMe80miC570yau5JPXJ7ZFdR94VRF9RpBOjP0QwP/Jz46
oXJI5jgmR1RKCivxcbI/hi5wiUskrTVCz7spRdNjYfET5zeH77o/q9z7s2iR
0gmDUo51liynUqooGhPPNIk1rVM5gjNM+gppOocYOnXjiKaXNxTMhsS1lPrF
aRkkWpWwaSdVVjLB8m0NEHGEQhkQxto4EpMrwNxIg2fg8SnmOGeVwhaOjvQL
G7OPdI8Vx59dW/XnJ67pmvUN74EzZQ/19BkWljmDhqXjyhOI/fD7wLOQkzhc
z/YAUiUpS5tVJyzu+InKffODNvS/L/doLWUwYLs2fBkxJc8QdXB1ntGApdOf
a+VvKANA1UAbuA2nWg8ZFyGwMQClLbUNgFeXg+S5qBVnklCWclg2Y+ZFiDLj
J5JF1hjaEZ7i8GOW32V9E5cU1oPGJfPb6hX1lH+Uic5xKSC31qPOa/oFLccq
THqCLBaZI6jBPdTKovuDHZjuaW2L7dCjkGYlG7XkBpGGm0lfz2pDO3ly7nhk
rvZDpOF9Vj1qWfP2ECxQYKLn9T2sjDpnQuCtrygpgMhg9RtTzpnouAkCKthr
vWQd34Q8O6oSTPldbUryV4mPwngMVfJFkZJEAPRikTQ53B74oIldFwe7b0xY
LiAOV/EhbIhLLuvY9XVi65hAo1t5k8/hLjoKCID8U7pYIYjpdRs7jH6W4dCs
B8uXGFVfnBxdkvP7jrm9zwpin83pTAJ8g3mPYgHU9UhJWsl8HnEkJE65Y6b0
X6QavhT7dU/ol0y4IfxrCIThTIhhXeim21CvFIjvwGU/4eotJCuX5JVsatdu
AjFdBzSqiLIkLkPR7BqEF+ttze9R2DVrP8Dn8OrqA1izVgL0OEFtuSqWecmB
kSjShQuQ0oA7lIGtqSTBUsZvbRDE1ThPjpziptbv2adoiIIKLoemQxL1HClB
BMY6b4MWjmUVmM0KDR35FewXZder37D+jd5LkLj6RjLy/iEaKe6DK7j0RsxU
jYdZGBO/rvAly5MMMeyBoLfER3FiXYAK4YKN/LYI2vT3AHhS+G/fNziQJ1rz
IXY7JxkhFoorloCyUG0HBBqKUq5wI6wGXV4ZFtS1D/VapwDJ4CYdk1pgiLFR
Jd5IfpGlkIEyIYQcAKABTBJ6ZdKPLPWizGvf8fSq2mLeZ8TyarlTnRpQzQnw
2EjhBBPgAK7Mr42ja0cH+495s++stx1qejDmlfoaLWOD52aZBNgD4wGYoVgP
f13BTcAZmtByDhYwBR4dUHZhyzqM3QAIcMm5QtJk4rK+IklhUm6JgoPkAskR
MZQG8JzOSvlEbbvnoUypYZ7YGbEBDSA0CRedgpmcKyo1DM3klFvUMiNSOH5U
yjaa+GLDU+tzOkzS3yB8Gf5BFQVyMXbbD1nZrYzSAGiMSd/AHiU0yYUh/FSf
IoyQbV4BYb0yXHXjtJyAhKWCQ7JRxbO8Pn2Nr4pirGJD+JeNbLZ5DZjv1ljn
r0aZ5jH9k6pp0rr205Tze/zFsWGE/jSbEFtU6M7JxlIflN7vvAae+i+bGHo7
J//13nvcXEWnsVJg/qRWU9T59741zXAHYXmbSU2rqY23LENjLjvy4dYF1yQQ
ZO4OZh74AkcyfSEiBmVx0dICI1vwL7r0njUZYFT+svJsBp744SRDb2DZ7Np2
q91RPCpXH/78pFFvuM1BxilX4pTi2pauAwDkalstz820p4ywDc2BpEJfWUU3
OWhnWTxfl2lp/GSu8zxwnecgM5G5wJZQvvYzD73K6wtMR62SILZiEhot4OZz
AeEchlu32BLQObkqk8ApCYgzg3yCMcsYK162lKCnBk8pRaiEJRw+SG/9wK0q
zkss+6yNrM1aaiWMjW8QJTfHP4eRx1Wq9e3P9Ycz8wN71b1K097GxJ7Aw4uV
4MDZogmSGoXv2LbLztfSnLe1SnBaOV2MRT5l7ZXqoFNGppgBfA+OrEmyaaUv
RQwYVTmmYylAq441bIxCHtUYi6rnVZ6Jj9T2YIFlozkc1svmKa0NARITCEzj
tYrEzUVoVr4xK+G9QxU9ntP8UgtXl4HKuZvyRoaEk9a0B28uEd5behywJyX3
qgVnuZmQoijJa8FV3lVhNmF2klYgDX4w+jkB5ReNDwlrgM1VjBMDe7Y3oFqs
/ZVsC1iJvbduY+lpk5NtbGIjealycj6fr0qTyi505jijHnfG5R1QspdJEMYf
KWZOr7S4u0W3R6ypBczxq1d63J1RuLfD8WVwwFdfG2NGO5K3Hh9TN9E4qfvC
0hBUEpqG8VOsj+BLGrfxLv3p1fu/nQzfpiflYDD4g3HTg6rzg0T7qTx7pUZK
GAANypxV6OCaF27W2dneeRpt70Q7e5fD/dHezmh3OIBN/6eMChQnmT7ijX14
oxZRJbyCT044j3fUTjQVR3jKxiXuwzPaYHjWPdFIbMkTTZw7zXDSAyOJGKw5
RohLAoVde6L9QA+qb8+jJ2UOsZREKjHBUxDJ0LFZpBh5r6brwAnefIHiQMWd
VUAVx8AnY7PC5RtxQ610GvRZUTUkLV5D3XCeYOmI8JC4x+cnwF+iCf6tJcJK
seBZ76LJnuS9YywrvQGPLNhnTPFgN/ldrap5vcah1xkxrHVGvMQi6YFgvjs2
mzOEWE3KF1J1WBapNbyxWPJqPg004cNJlakH13rdDur15IP2evIaul5PLjXF
nBVs1BeAWoSnmvcYcGi9NtY5yZwd9Mkm5NBzm2CMCdFk2A7cZGhuUiftSI+o
HWl4cfTm0LQoD4ITannidSwNy/y6umMJ6jaZ50uSDmwjhC4O0esHByemOGaJ
vnLNaLYhWTd08oSjLhwDlZ1CLaNWAAuOy4Sb2cDWyPLc0pIvsLXg6i2z6m2q
SFqjHmGnR+e2z1Tg9cvSqtomGkGJmrtzyZGm0zGg0TpjtWavAw7F06pRXSyb
CFtByVRMROhIJMyIgKwjO0QHM9Bd+Mlkf4esdly5QLtCHAuoguKI8E10Exsr
TBqCl/8aqpIjRcPDl2GX2j3/yFXZ8uaSduySdJH+0ox4dgUy1Gqe6JJAcke1
ScuplFe3u6K03L+kw7B7iQF+9KmxnN3Gcnb85Uha9RUm9lyVq7QyC6JvJph3
iFqzyRJ+cEFHYfcl9pfcsKK9xop2/RVRc8orwegr6ioek5mEVsW/WiVMz23z
ql6jIortRuiGnFIXkqK+qv3Gqvb8Vcl4ui5djlmmXDyB0+bl8A8mozk0Yghc
BLgDGlK6RerzlgwfLWZFtLfDNiybjxb+ZdPbHC391ziyAdO/eoxdorajcjqf
KGO/j9Ahg5fkIWmGZ+MInf6KfKVs5KCviwRUWEXbXFBxa3rLpPbHMxQW2Ptn
XkU7Btw5fo1CBAkHQsUMSpJWe4C4LbmpHSdbGeLIDWgKLOtCsVRYYkOOhUVb
fk4EDb9hUZJRRxSQ1AOiyjRp+TFdLlkHKhJSZiTA6An1KGQNnEQHHOzcxmki
LIKjVaEx0H6teGqnjAMINE3x89LtXUKQ2EBmQ1f5VYrrbY/JuHRoJFlrrYoQ
Oj+1xirWQPeSgFU5CJxwwy7FPvac+pquOorH4YSosoZr+AQARqKvDUnvbiLe
aCTBQrS3gaG13To1bTyzC5pTg8Q1ntoLu+1kp/HkftitkYJe+BfCs769nP5d
u57GkXBNvmgOJgD2IG7gmRmUcYo91h4zVgLfBmGwAtGeKqeS2mUR1Vww1v0c
5zNV+HZrcLNIMmjrt6W31dRMoAIKFJJJM1HCQsoSXFRLfDb6Olc0MMpoN8vZ
oYbfj9dsN+vh+5oqCcIkLC+a51g33b2u1ykXHKJD6PM9c9RZSyzdtFVamWpC
pd+W0WRns/nL2LuuqbbC5IYWqp0jseeUEyWP/Yn8nk10Dg8JWSNpyu62J/U6
kgahktrWHqReSy/N4pe+pAOa38hvB1mWfApPTkbhpemjpeJbrDFFkyR2Gtxx
SMD90qyZpaWT7AjwWdu/arNOt1GslI9qbTKbZrf5/NaGG7dQunum3hsx/ZrE
qg/5l4RxC+bOKVdpdlNpS1rTmWm6MpRPGYiZF9UC27H1sog5VsJXCmzn0koe
UOLZV7lfw3xo8zH1HcAN9jdZUIW5wXDO3WrjV9q2LJRuMmY0sU/XLrJwaxrY
tquqy+LndERmlY+Xxm3xI9zoFfBf8jsbGQq/pCpnpSuMP0IS1219vRQuLkuv
I4uI4frNFcGKJd6HZXCTAPMPiOAEflmHOQUDkt171uGxG664oMxmM56aQuWP
pWW267Bcr/bulm7b4Ru/cYlhA42+fU6DYiGALv/nq95oFKy33Fu70/d3rWTn
fir1RmgTLNh2FcWyO8gv4Y0p2opo+UycbIKw2540PJdqARrl50KRo/+piAV1
HSW9Cmk9VfszIOrf2xpXKJltD1trkSodK/DEglqOEXdUlUAXr5/FQynK4zj7
6NhGTSmUsj1D+YHH6wnK5nEG7ZaEoNfSk4f72/uN9OTh/lBzliU7ebqLacnx
02j8bPI8+m57uBNNk+vtyKQmwzdfmZ383XfN7GSue6IX9kqLRHgZyo8xSu92
ftX0Yc7Cdeo52KJc/0gCs4Eua5MWH6Mc3R8K6PZKEo7puaXCBc6ji1Tcvkph
4RxxTaCpW5M9bHVydN3yFA2Lss2oIxwuG3UytDhHDbkDWkKfq31KBhoRFk7z
obQZ0lis/CfWtMBeVr2pa75+aKxy6vce2OZxQEKw5vGkBLJANd+lWRJJAnPz
o5UAjJGvyZypibZqSIHwZsxoIeHHOhxbFVWP8YMeZ52JLus3ZVRHdR6fIxU9
m8cZemMez+KXc3T248uGq+MHz2z0SPsaVY4ov4Gla0gA154oDUfnjzU738Mc
/YIyfR/BzjeIFnExy6UCpDE70qcGUB60p51xdclH2NJ2+mG7Vc0wDS1VqWuS
j76YsXlNF1xKD4UvQcPGqh60pTEKXylKO6KXDPkYa6PnpjIXTH1U5gsVdlg/
PIsLuBPJnBJIqVMLehrEIEX5AIhoyMzxoKnYtqkdgm1bM3sRqKEf6BAivUkq
DI2uCap4QE43VRyuX/PjoIoFF/h3mDeqDcqtD8iM6BApaTr2W55KtSVOUoCf
uaAf5t1pTlxZczNpDy/6hp+feM+7fTRhZbMV3CgppUN+kd39feMXubxByqr9
r/zEuYp/iyeUpCxOOJqHSA526kITHFJOaWSR8s/yZo+7M3JXzFqAfaDtBfnY
/HKpXNu5lMpStqstCoDIaoDgp6VaOdA0VGHT4zmaCICFU1sMO/FNXta7v5mc
wnzsu9PrA+GE4ikVR35BQ4uujiaJxbKSDoIUTbG2sRQ2WkjDAlhOJKekjRBQ
C4UaNdDCmS7ZlnjPZPoQl6BkS0hAMQnxHGeBxVJaSltbZOkdn8yvI9QEC/rx
DepuwvBM9BBWa4piekYrHxldQPuXaEVeArdE0lHJXRD/qWEI23Kd+rhe6xxK
w7ddczCyhTRnPWSMpq7h2QT9loIltrenV4gskKKDZVLRSmsx7djywIhfppyl
trczLZu10QARsp72oH6ob7Rpe9RsTH1/72h5rVln1ukb7faGluepyuKW1H3E
uJKkrKWGkz2XpubajWIDMSPc33469NpPM5X4mu7T9YeDtu7TAyp4ZerNbaww
1w/a/eFulSvK4fDK0jiRO1h2TDzebtyM281T/S3UmbBRHi9gOypfond+A9Iz
oBAoqmFeYSnowtqTqV0Qh9pOmzONjF9X7tFsBewCyGFiNEi6eOZKEg9bJDGC
Dqu3m+L4NsWs1hXVNDviru0o5k24y+MfgRKxQ4WkUts9fkQl3uklqlmK7YVo
NaxW07EwMWXz6w3wZv5QcLtLSSk35NMWmXUncaKc0rIR3hSEmwOcwlqAk2Pr
tj56u7WR/lgLRJC6d0tu08VXpG/9UG6RZpqChTmnD7q7mwOJA+BiG/CEmObt
vjBIlUINQDLX6vUkJVC/2Irq7RlICZU2iWNuoKig1qZWZNrTwu9GhncNI12a
pYLaeuts6qETiFPKWnXdDhoYskB8p5DVOblwGB3ozOS4CTHu3cmrE23JaXYQ
Z+tAZIDNM0jGoZIV5fRIq5HTAuG4zT/aVsotyX4n1xtavTyYKpRQKZE5lymi
29iaM4RztNVOQarlFDigCKV5Oi5ilhtgTFMHwjjLRCe6tznNOXdyOCB5BqmT
tOMR/FFCWN5QNKXfBaOsVczYj5wkNbwwtqeFFHrk7hU0I0tQmqDspgBqrd8y
kEeBIK8yk5VgkhHKkQljdTMWRMUM7tL53DsBtPKx1qeTOll8VHOHArMUdWD9
/CrTANa00Xye5yEl6yGoNDdmnbjZgk193RYFajTREGLIag/tJ3D7GHkFiETd
54oO0rLBOLAmN+gvpyJGfstBsZygHRbgcT2PKTmNq2nmJFab1bSgn7BNJ6yX
E7HzawIWyjZRiXJq57cq7QQScdW9c8rX9qhbFKVsyzzcxK10y/U4yMXYInFZ
1jl4mk6nQLTPDMB8cYtGniS2oho39TRK0ED6fmg1GXoOENTU3b58c0HCJP4X
WGLGk5Rai5dimfz+VcE9vZwf6uTcD8xCrZ6GYbNasMMpZxJyIblTThq0JL+U
OLa9HXQ7GntyxiJ+xsGFKNdkoFyOU072NZKOYOoUsC2jpuARcCXYHpX3MyjL
wuqbiy2CS9cu2jYYFKdalqAM95Gbt4s+JFZ5oN9bTm9Cv/mxbVIoReFMt+mM
mxhxbTO1bRgPL/UlvL/lcr1PoeFGqHggQwfCSYVX3aaFjHgo+lhdUpJEWxkn
Ffox+gjFdah+SJcOqNIsCRwqslwmceG0nK5McQXtpF0TdqkyNDrQ6DA23FBk
EUSnozmpdUb2KrCIK5eNxQwmgiepJF1Qari62DTGFE1KrACx7qYk3/yZ3aNT
zyfkSGPk7a/jYko+Y2OXOKXwDLj+ry9OS4yqQKc6iLtAFSh3Ap9joEmGBCm1
Xr9aL36/iJdS3xZ588Qc/fslRhusSkn6tuDvN7i29o5F1i6+bld7pGbvFJNc
rqgQe3JnEv7RvYtZZPTQMk4LVfBccSpuDMfNOrwSa16yroovdktodMalcqKU
U69Z7byY+8InEDgk3KvRRSX73YWVq3FpjlpFG1hfJ2jJSxZfl0T7E0RekVKl
7eAOtCpgQ9cG6kLVeQDJvVRlW2Yh0Hq9tcwqMVrXquxR5YpGhjPSwPwOA1E8
q/pc4lzF1c6Kv+FqIG6JESAWHdGSC4by2kSBu03KTWb4Kd9AumYiC/EVdPQN
AT8xyKSpt7RlZwAOPpCf0aa+fGgGuozC96Z9Q02hZbnGKrOkWjygzpL9DKOT
Iz/l5VQBnjb3jWwXHixFvpDrFRcijk1shTAc/d2qivLraMwRSYCCIyrWzUY1
LXfItUUlHUikd2Mro0qVpEaJfmBKPxiQLRFCRSZYfZRkKOBgCX9m0XSJN8nx
QsxXVWysjXBin9APBVQ14LCwTynoPSDMh8MF10nBAbGuNXDOAmsuCV2kFq3Y
wRMLBWJuo4P8D9bkCZs1eYKNNXkadeFecGyP1OCRojtohJbSdJgBaWrubJT6
sH7iOiTrBAnzdNWYjR6cnTCPRUlZSw8kn0ghu5WG1avxApNVWYiqXX5zLwJr
S2L754aTMTV87mLqO4qKAvAvpC/w6yoT2ofJ+Zm1hZnkRmxILSZttYeGB2hk
iydrE/Uq1n8bOtYlJaHPHukew7ReE20QHNpygn71XroUVJSPL6J0DzXV1H5b
TWearXEfW19nk5sizygagDoK6c7Fivn28oxD+fXcqMRS/HDRw+Ceoodsx6vv
lj2MSJxrB0rbw2ellErQWmQRT5EFNQImqIuUUY1Par165hi1IshYnRlQ6gJA
QN4PLquoJjRieItaeUbKm5tjia9GMX86mEAyDf0+5CXMsPk0rErLBTe52CaV
L3TaMuIY7nFgJ0it50K/cRwURcZJORrQRKXPgFPJIx7D6ZPnh2SxSdPxo72e
jiXaSm1WApeM6r7GRcoiQBLPiX0duHI2GhC6FBDSZz2c0bwmTqukgG+72UxL
Bk/Xxk70nLonFN5o/NBk2zVmuJY2aTBMW5p8T0IIN8TL+cGej7mxG9KfbREW
hhIbxLlHEQzjNE7SxKKuKJ3TlqThIFRbO2a52vLw3CLHFHrvkTghLNBhPagw
U/ZNzia/gsMSEi4JRuJ5DlpIgn123MbR8vgce6Pi8iW7eI1vUFM05mli5iR0
dQvGdM9OTnoWr07TDFD1bxrnsME2wA+xXd0dTGtAK1YOtEGEtjlkIcWldGoy
mXqWWMmLbTRi7HmNEolrwJbncTZboaLsoqjMjfjlT2tbiSybJmBn+CABdjwl
aVMeFFFE7LCS8o2ne0BVGNVErkqD0ZvcyHlXs+JWfZFIovA7t72Nq4Bs+k5E
mBGVOO5eMgs0EjYmCyPo95sq6QkRAfGTMJYk/ooMb3RfRNbSJHabt2t6evnd
prgn2StM/OTLYlvB8W3p+uXGxOEkt0Nwoxc0VEwtFD5fW0FHpE5WvawxjUEX
qCcDSwhRnrvCCVvXZAlfc5EoOcGaOTLJ1aBkBRyfrePpSt0rrzUlYTAtNOsk
4R1I/c0mfbnWewzEXW446ADY2I9t5ZzFogsO/INV25WaePSaOCqiW0w8MMya
izHU6O0L1nhweY2CL2xlD/y6UdyJpYX3YDJRjM2kEwRCygEP7AJMbd6gzWwp
nIdU07HxBEThqFVroFWt7QRlJzT9X3xHEC4OCDatAhvaYFMfKfzNi7lYjSv3
R78sVBCYggum/hN1esNiT0Hwbiko1vbjccYJfbUAC3zg+TitXjiFFmLqZMPB
DPzpwum9J8nSwDO8dGltgU5vmLBaAFyjR4Ptz9bWpsFr0HDRHhWCi75ImIhv
CDQxISaa0asnjBoE4ja5MkViaI7OMDtbqROj1t15FHpYEwQH9hDFdMbOW3QF
GlTB95oPWieI9QaTLJlOnIKkbIDgssbWMmB6IQDI9A652RrY48JSHoff4VJO
4xlMwapbt+zJpsPwFbbxNmKo+8spzlLlQIyu8RnCVDxS+0zAjJvzWBYoUUmI
Dwdxw1WQ9lTXq4LYVW1NhzcFxkkBLr5NsgxLgQBioWH6PzL9PMAacCdKCFZo
ZqY3QTV49xZvCPtkCMCobekDvL4D4kwbpgqCQ+CewkeIr9GTJ8eXr4iGuN1Z
qM+KR0qwTQv9Frm048s3UhivFYvSmNdrFJDwxKk5DEgD5GMgI34XV9eTdb1F
b4osbt0JWqkQP6mUptEwA24fEP8VXQeYFeBDmH7h95SRXTWuRD/8/NltWsNF
fZwOWTXIsUf0nwI5CdxIM1ZYfrp49zb8kIylUi5P/xCF/js/x3DUD0dWRsPv
GFUODarAd+dGQPt78PdRFEUj+rfz5wh+AKo+hYdNJKDt0AjfIrLBfz5/dvvQ
f8HxMKYRfuFy6Y98ReVX+Jl1oS16nRjQvS8CYYZfpNJ4bcrygVcBGf+uqhO2
4tiwWr9ftXnXVt4ygxzpN+dcE+sRg2j4uR3kWL/RfjiPGcbYV1oWc+n8du9A
qk/hcyR0kr7yWr7RN9sbHvMIqoLBg+9YWP3qIZqdtvzlHDZ+e8yobl8ueNgQ
EQ7/6y7KnjtSS89bHsa1B+PNEPPxiVX7nVFqPVF5hHonMLqMRtY90u8eXorX
MQyvzcnW6RsOKsWwlbIGnI3jtOYwINlwMwVezeOZO1pbW9HW4ahJZ22wc/32
weEwTJnSDuRLjVLeQJ4pLhloV8jJRKhFsJiCFAwGYxEimX7fIc9Fh2m93/zK
3Lr25y/VTw2i/uQmRa85mogajmn8FbZAlcCtQzv4Wo+20U7Q+GecuNS2gWG5
Qq8dC7RGP8KEbHR3qocYGPAd6J4dDChLxVZNgtu/i+GESsClleev0TjKj8ka
HoMZ5olXx6BD3t1pOnXGAw6oQzq+XzQuByZlEh4ABjfTPrLJWlpKZcZHHWGH
mci3lQUmYk8CXuoCqJdg9g6Fp3BnsC2s9PjThHhg+5GSv//50+92Adxu9bxN
o9jDQ2e6ttiUQt5kgukeYPh2z1a15HpHjaabA40IcgOxNZgSa+GBwl1pHUtk
8I6ZR9OMORJli9sQIbc0Nn3TvtQpHG4tRIPg0kkcZFs+LpV3bSIlyCfhhQmo
LP9CTDDo5nJK2JBppDDGTYlpocyemaNN10yhbgGfiNPaVaMQj5NTGfBSlIju
OyAal9TBGYDZaz9d7xm4bu/Ojt9eHr85Pj2+PP9Fb2i6SKkViDOJaCqBplXr
RWTHnpvsPU3GK06DpMDDPENrA3ctJrMx2+ARtiX6WlG/QdtphR0T7uJ1ObI3
t9HdLBBLBxDvyG+I1RI18cIMFHCkSMSp25WpdoQKsnEFlfK8SCA130NA8Zcv
aE/tlpd69Q3PsOc2fvdA4p8HWYGQJrFTbb62Gs00kND3JUxCNELz8zWDhBzA
zXKKGloemI4WaurB9+pnnGiWhYO8I/klaD90IoY14xGDpVFLTG44msqsTdQH
AU3VLNYlHgyOwBS3b6FdmvhOvEQXD+fj4c7cK8IRwGX7lXiZVzcWIGM7Sh3X
baVS3Q6XHA38fp0+/VISSvZVjd0k+iK9B4lsEsvIckw1Uotgo8CnHpsctTH2
fnul0bIfONuV4KpmiVHevy1iwDJRYIuKmr7UlN7TqAsreT4fdg8lgJhgeIg9
AymGYsO5bH7eSWwSQSgeY/KE1K02xnxloX01gooBp6egtOM0y97l14EmQnfv
uKEdwpnqmGYczEU20H4zvKtHAX0oIlDm14rq0F9uIbmJ2czWbEHZl9hrU0eV
8MKW7SN6IzyQDaZ+edYfJcVqo1xHfhYgP/577Y8fsMOFA/dxfdSk2p+wvMFI
GKkEe8gxMLBLQbn2nhGOC7DPwbHSJwI9af3woZ4SdafdgArFYqyik4Jzf/A5
RS5qGDkVoMXwcsVtDMvqUjhFaGp0UhkZp62MF9lhY0T8+HGgdFjgdUPHCWkn
ZTuh9ZsORAZMrRcRrGTf1N21HYg48C83mck2usjxGp3rhsS43nrwkVfTF4jJ
CMBLtR0rzpiMJzcvlBAy+R+vhQ9i8M2REB4+CqfA7AhhQSE3m6mRlFEBdYWL
26O/gdPWaOhGMWQ0hbLH21uQzV5Rpy7FG9UyUghQOO7r9bjApNPXeWUoHgUh
KxHto+g4ZQXnln4zjABt4RpliLCW8yb/cc2XsQHcjGzt8SiSpLohFCgI68FA
BCUP00YPRP3YMB8T/xNKV66ulUHKBd5m5LnaWctIoxTFSZY6j6aNkBRHIEWC
zEzBHrpuCsakms1Lsrdy3C2eOtob6xvej4bbC+BHXMpcAO4rPE7rrxtOSLfe
tpQIAN518mjiLFg3PZZQMTywukuh/ZjqTk4mfS0ZE0zjbdZEF5ti9Sgaklk+
FxEQQ7uXKwE0lHMpfA9/vc2tTM0JJRQw3hJJIg9hBHpSuvXwTFgjal92mRgP
mUlshw+PAZsNjGRrS+XA3VsuUSPYaBdwsng5ZGW1WMToXC4pV8vIMl7VFbdi
EdGQW3gFQ0GLtjKkRpLFZJ6gMvWoqAYbzkziDUjtcHWTW/aimeE1NjRwnLw1
IrFIYi7XZwrOttSYNRYrNjGd23IzaFmDu3qoG6QHAmta5n/BAFiybWcYHr46
R9NtFQ6HaMFyC6RapdEt26UqQN/UbOlqRTA04B16lNZlWuhvcgk9u7z9+jdu
fI1XoRFXfPw+PD06R7P2Y4qAdbVoWI9B0tAUHBfzwUnEZWyxdpbabNUxaSY/
OEHDOFbfGYTDHYLWQxXC/Ppgf2+U/PH5Ur3yT+vEezAMlwW19b/MtGszx73F
w+4pHYZTnqavTo4Acghqx0KhACOqvFqiHa1k1ZOrMLLt9Z7iSi0l9XRMnBZL
JDnQbauFxMKumaiJRGWjipKLUq4507ncprThPTSHG1NIgZcNrPWJeQDb3rIQ
E17e5RFHppkaa+3yr5QxkZoMpUgDtsQ/x5+zOTOblo5ipwVIRhwDTF0R2fVY
L5CEffVGYYckAKkmtKai6rWeUvTTRy40RIJtFEcgYkZSe12L49B0Z9rX5f5a
TM1S9eQsMNtrL8n0uLfqlZmab4l8kjfKM20/3Rs2yjPBl8/88kzj4WQHSzRF
VKMJyzFF48k0ia63bYGmryzPpIX93fJM1wmIoVdLoCmw6CvcqleZya+5JJX+
6bErDu35utpLJngPYXcTR4AUo2xv/KfZLzen1x8+xG+iv84+/Vz86VX87ury
U1kc7p2U2z8Py1fjo7vD2YwHMSF/ziBvDuPteOe3q0/51f5i+/3z15cvX759
+fbwzZ9ffpw9i2bRL8sk/fGnxf7TPQcG4hvCM5BGCXVPDc4h1X8NCmrxHdOP
VO6FaeiGdvW+e60cCxteKa7UoMU3MIAVG4nBCF+P0TUsexiZay/ch8f3FhlD
LH7ahsVP/+VYvNPEYlPNiGsGfXVxsaFfXEwqDzl1s005pMdgeQ23nn/3aNTi
QrboRkbWUyv3OxgMom2q+du8tLXKu/LoTtitQabH8zh8Y2fUWrOfxFItA34g
9bo32lGsCX9TcX9bLODOrTEUxLYqmJb3z6a1UtRaLhyD05AjDb1K96Zy+v13
p17zm24DSrmRFo5uv0KPfa9+k1rfw3gkrF37jTyB79L1fhQ/HT+LsEJfBJfp
OnIu09C7TfFwvDPZBYRHvMF/bdt/yT8tPGFTSenNnKG1Q8Bjrsp9l4Ie8Dze
OpWAPrrdHQz/FzEWc4sRSXf85gcog/4DiOojzqNw1H/lUeiJinRUrLBmRguG
7my3YOjz7X85hrbQ+3ohc5/gPwrra9UkG+0k/jXYi4cCoI5udwY1fNkF/dHS
Qq9JxTfgS+MkH4UyjbcehTVkh2jDlzb54PnTfzm+7DbxpVnU/qsxZsfHmA39
Pv4pWFOTH/b2d3Y9VNmr9wz5BgRxDu1RqOE8/wBStPXiaMGO3WELdnw3/Jdj
x14TO9qbGXw1htQq1Lb0XvmnYEcblzpfD3+5fpd/2Pnz8nD/9K/PX3/88W9v
P+1O33x3+zLeK9//dvws/WO1fXf2nxOf6uyH3daOL0bk+1rs2nz6D6DZ5hcf
wLeH1JT9FkTbH/7rEW2/iWi1XhhfjWF7PoZtaKfzDxVBfvSpeFnysH52cX5F
i50OvPHrt2tGTu1ep5MW6i7csEr6wWiDuWnNydCve3r1OWq1g65J/cOOQDea
lfcN3XLu6bkR1FtutDfcaFP3HtnixSp9D/R5kQcf0+xFHn1sxxd5/CvavmBD
VnQMSMJWvflNWtJZU4ZXUqzVhe06gLkMh/bgIShjCPvj7jTFH3AiG8WqUeMS
dSE4JaMf6CUTmKJopDyzU0iwAIMvuOykaTrEfmPfLh7IAIpRWLBm4GnquyNb
kdfGMtNYP+XpxiAHq2+T77C6yyWru6UWr+A2FbXgEli1irzt9ghuxkH9Kggh
3CbS/4XY4bWVrqNr6CFl0OXEeP2ny6fjuMx6+PU8hcsASLBuTLhVm7CByV4H
iZ7DDPFXp7Plo2r9+1KS8TfcU+7/3jdaK/4/ltPttJkQnv+DVf+vhwlcpAmx
pb1Hi1QejD0+x3zCHXXnPrWv9uzuJtHLMBOVz6nbQEtfkG+VwaRRiMeQuNw+
1y7gsJw725vYqy1PIVJO/xTCcQ0fNbjsF+rwa89vbjvzJDyYfMzyO8QLDjHZ
6K1mxxlFa0pvAI5rRxqBq5kV+WqpYcZp4QSdx3NqdYx04E6j5k1sOnamZBMg
1ztv9k/FjGIMbyDnZyPsnoOt2fRnfjwrcniWfwmckPjwgZD4RgJioAmIaSlh
8sH/B28hvgty8QAA
-->
</rfc>
Reference in New Issue View Git Blame Copy Permalink