Christian Nennemann
ff795c72e6
Address 11 items from peer review: - Fix area designation from Security to ART (WIMSE is in ART area) - Switch inp_hash/out_hash to fixed SHA-256 without algorithm prefix, matching DPoP (RFC 9449) and WIMSE WPT tth claim patterns - Add partial DAG verification guidance for unavailable parents - Add DAG integrity attacks subsection (false parents, pruning, shadow DAGs) - Add privilege escalation subsection (ECTs are not authorization) - Add revocation propagation semantics through the DAG - Add W3C PROV Data Model to Related Work - Strengthen Txn-Token differentiation with fan-in/convergence bullet - Add explicit token binding paragraph to replay prevention - Switch verification step 3 to algorithm allowlist model - Add par/ext claim naming justification notes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2178 lines
96 KiB
XML
2178 lines
96 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
||
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
|
||
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.31 (Ruby 3.4.5) -->
|
||
|
||
|
||
<!DOCTYPE rfc [
|
||
<!ENTITY nbsp " ">
|
||
<!ENTITY zwsp "​">
|
||
<!ENTITY nbhy "‑">
|
||
<!ENTITY wj "⁠">
|
||
|
||
]>
|
||
|
||
|
||
<rfc ipr="trust200902" docName="draft-nennemann-wimse-ect-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
|
||
<front>
|
||
<title abbrev="WIMSE Execution Context">Execution Context Tokens for Distributed Agentic Workflows</title>
|
||
|
||
<author fullname="Christian Nennemann">
|
||
<organization>Independent Researcher</organization>
|
||
<address>
|
||
<email>ietf@nennemann.de</email>
|
||
</address>
|
||
</author>
|
||
|
||
<date year="2026" month="February" day="25"/>
|
||
|
||
<area>ART</area>
|
||
<workgroup>WIMSE</workgroup>
|
||
<keyword>execution context</keyword> <keyword>workload identity</keyword> <keyword>agentic workflows</keyword> <keyword>audit trail</keyword>
|
||
|
||
<abstract>
|
||
|
||
|
||
<?line 54?>
|
||
|
||
<t>This document defines Execution Context Tokens (ECTs), an extension
|
||
to the Workload Identity in Multi System Environments (WIMSE)
|
||
architecture for distributed agentic workflows. ECTs provide
|
||
signed, structured records of task execution order across
|
||
agent-to-agent communication. By extending WIMSE Workload Identity
|
||
Tokens with execution context claims in JSON Web Token (JWT)
|
||
format, this specification enables systems to maintain structured
|
||
audit trails of agent execution. ECTs use a directed acyclic
|
||
graph (DAG) structure to represent task dependencies and integrate
|
||
with WIMSE Workload Identity Tokens (WIT) using the same signing
|
||
model and cryptographic primitives. A new HTTP header field,
|
||
Execution-Context, is defined for transporting ECTs alongside
|
||
existing WIMSE headers.</t>
|
||
|
||
|
||
|
||
</abstract>
|
||
|
||
|
||
|
||
</front>
|
||
|
||
<middle>
|
||
|
||
|
||
<?line 70?>
|
||
|
||
<section anchor="introduction"><name>Introduction</name>
|
||
|
||
<section anchor="motivation"><name>Motivation</name>
|
||
|
||
<t>The Workload Identity in Multi System Environments (WIMSE)
|
||
framework <xref target="I-D.ietf-wimse-arch"/> provides robust workload
|
||
authentication through Workload Identity Tokens (WIT) and Workload
|
||
Proof Tokens (WPT). The WIMSE service-to-service protocol
|
||
<xref target="I-D.ietf-wimse-s2s-protocol"/> defines how workloads authenticate
|
||
each other across call chains using the Workload-Identity and
|
||
Workload-Proof-Token HTTP headers.</t>
|
||
|
||
<t>However, workload identity alone does not address execution
|
||
accountability. Knowing who performed an action does not record
|
||
what was done or in what order.</t>
|
||
|
||
<t>Regulated environments increasingly deploy autonomous agents that
|
||
coordinate across organizational boundaries. Domains such as
|
||
healthcare, finance, and logistics require structured, auditable
|
||
records of automated decision-making and execution.</t>
|
||
|
||
<t>This document defines an extension to the WIMSE architecture that
|
||
addresses the gap between workload identity and execution
|
||
accountability. WIMSE authenticates agents; this extension records
|
||
what they did and in what order.</t>
|
||
|
||
<t>As identified in <xref target="I-D.ni-wimse-ai-agent-identity"/>, call context
|
||
in agentic workflows needs to be visible and preserved. ECTs
|
||
provide a mechanism to address this requirement with cryptographic
|
||
assurances.</t>
|
||
|
||
</section>
|
||
<section anchor="problem-statement"><name>Problem Statement</name>
|
||
|
||
<t>Three core gaps exist in current approaches to regulated agentic
|
||
systems:</t>
|
||
|
||
<t><list style="numbers" type="1">
|
||
<t>WIMSE authenticates agents but does not record what they
|
||
actually did. A WIT proves "Agent A is authorized" but not
|
||
"Agent A executed Task X, producing Output Z."</t>
|
||
<t>No standard mechanism exists to cryptographically order and
|
||
link task execution across a multi-agent workflow.</t>
|
||
<t>No mechanism exists to reconstruct the complete execution
|
||
history of a distributed workflow for audit purposes.</t>
|
||
</list></t>
|
||
|
||
<t>Existing observability tools such as distributed tracing
|
||
<xref target="OPENTELEMETRY"/> provide visibility for debugging and monitoring
|
||
but do not provide cryptographic assurances. Tracing data is not
|
||
cryptographically signed, not tamper-evident, and not designed for
|
||
regulatory audit scenarios.</t>
|
||
|
||
</section>
|
||
<section anchor="scope-and-applicability"><name>Scope and Applicability</name>
|
||
|
||
<t>This document defines:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>The Execution Context Token (ECT) format (<xref target="ect-format"/>)</t>
|
||
<t>DAG structure for task dependency ordering (<xref target="dag-validation"/>)</t>
|
||
<t>Integration with the WIMSE identity framework
|
||
(<xref target="wimse-integration"/>)</t>
|
||
<t>An HTTP header for ECT transport (<xref target="http-header"/>)</t>
|
||
<t>Audit ledger interface requirements (<xref target="ledger-interface"/>)</t>
|
||
</list></t>
|
||
|
||
<t>The following are out of scope and are handled by WIMSE:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>Workload authentication and identity provisioning</t>
|
||
<t>Key distribution and management</t>
|
||
<t>Trust domain establishment and management</t>
|
||
<t>Credential lifecycle management</t>
|
||
</list></t>
|
||
|
||
</section>
|
||
</section>
|
||
<section anchor="conventions-and-definitions"><name>Conventions and Definitions</name>
|
||
|
||
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
|
||
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
|
||
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
|
||
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
|
||
appear in all capitals, as shown here.</t>
|
||
|
||
<?line -18?>
|
||
|
||
<t>The following terms are used in this document:</t>
|
||
|
||
<dl>
|
||
<dt>Agent:</dt>
|
||
<dd>
|
||
<t>An autonomous workload, as defined by WIMSE
|
||
<xref target="I-D.ietf-wimse-arch"/>, that executes tasks within a workflow.</t>
|
||
</dd>
|
||
<dt>Task:</dt>
|
||
<dd>
|
||
<t>A discrete unit of agent work that consumes inputs and produces
|
||
outputs.</t>
|
||
</dd>
|
||
<dt>Directed Acyclic Graph (DAG):</dt>
|
||
<dd>
|
||
<t>A graph structure representing task dependency ordering where
|
||
edges are directed and no cycles exist.</t>
|
||
</dd>
|
||
<dt>Execution Context Token (ECT):</dt>
|
||
<dd>
|
||
<t>A JSON Web Token <xref target="RFC7519"/> defined by this specification that
|
||
records task execution details.</t>
|
||
</dd>
|
||
<dt>Audit Ledger:</dt>
|
||
<dd>
|
||
<t>An append-only, immutable log of all ECTs within a workflow or
|
||
set of workflows, used for audit and verification.</t>
|
||
</dd>
|
||
<dt>Workload Identity Token (WIT):</dt>
|
||
<dd>
|
||
<t>A WIMSE credential proving a workload's identity within a trust
|
||
domain.</t>
|
||
</dd>
|
||
<dt>Workload Proof Token (WPT):</dt>
|
||
<dd>
|
||
<t>A WIMSE proof-of-possession token used for request-level
|
||
authentication.</t>
|
||
</dd>
|
||
<dt>Trust Domain:</dt>
|
||
<dd>
|
||
<t>A WIMSE concept representing an organizational boundary with a
|
||
shared identity issuer, corresponding to a SPIFFE <xref target="SPIFFE"/>
|
||
trust domain.</t>
|
||
</dd>
|
||
</dl>
|
||
|
||
</section>
|
||
<section anchor="wimse-integration"><name>WIMSE Architecture Integration</name>
|
||
|
||
<section anchor="wimse-foundation"><name>WIMSE Foundation</name>
|
||
|
||
<t>The WIMSE architecture <xref target="I-D.ietf-wimse-arch"/> defines:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>Workload Identity Tokens (WIT) that prove a workload's identity
|
||
within a trust domain ("I am Agent X in trust domain Y")</t>
|
||
<t>Workload Proof Tokens (WPT) that prove possession of the private
|
||
key associated with a WIT ("I control the key for Agent X")</t>
|
||
<t>Multi-hop authentication via the service-to-service protocol
|
||
<xref target="I-D.ietf-wimse-s2s-protocol"/></t>
|
||
</list></t>
|
||
|
||
<t>The following execution accountability needs are complementary to
|
||
the WIMSE scope and are not addressed by workload identity alone:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>Recording what agents actually do with their authenticated
|
||
identity</t>
|
||
<t>Maintaining structured execution records</t>
|
||
<t>Linking actions to their predecessors with cryptographic assurance</t>
|
||
</list></t>
|
||
|
||
</section>
|
||
<section anchor="extension-model"><name>Extension Model</name>
|
||
|
||
<t>ECTs extend WIMSE by adding an execution accountability layer
|
||
between the identity layer and the application layer:</t>
|
||
|
||
<figure title="WIMSE Extension Architecture Layers" anchor="fig-layers"><artwork type="ascii-art"><![CDATA[
|
||
+--------------------------------------------------+
|
||
| WIMSE Layer (Identity) |
|
||
| WIT: "I am Agent X (spiffe://td/agent/x)" |
|
||
| WPT: "I prove I control the key for Agent X" |
|
||
+--------------------------------------------------+
|
||
|
|
||
v
|
||
+--------------------------------------------------+
|
||
| ECT Layer (Execution Accountability) [This Spec]|
|
||
| ECT: "Task executed, dependencies met, |
|
||
| inputs/outputs hashed" |
|
||
+--------------------------------------------------+
|
||
|
|
||
v
|
||
+--------------------------------------------------+
|
||
| Optional: Audit Ledger (Immutable Record) |
|
||
| "ECTs MAY be appended to an audit ledger" |
|
||
+--------------------------------------------------+
|
||
]]></artwork></figure>
|
||
|
||
<t>This extension reuses the WIMSE signing model, extends JWT claims
|
||
using standard JWT extensibility <xref target="RFC7519"/>, and maintains WIMSE
|
||
concepts including trust domains and workload identifiers.</t>
|
||
|
||
</section>
|
||
<section anchor="integration-points"><name>Integration Points</name>
|
||
|
||
<t>An ECT integrates with the WIMSE identity framework through the
|
||
following mechanisms:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>The ECT JOSE header "kid" parameter <bcp14>MUST</bcp14> reference the public
|
||
key identifier from the agent's WIT.</t>
|
||
<t>In WIMSE deployments, the ECT "iss" claim <bcp14>SHOULD</bcp14> use the WIMSE
|
||
workload identifier format (a SPIFFE ID <xref target="SPIFFE"/>).</t>
|
||
<t>The ECT <bcp14>MUST</bcp14> be signed with the same private key associated
|
||
with the agent's WIT.</t>
|
||
<t>The ECT signing algorithm (JOSE header "alg" parameter) <bcp14>MUST</bcp14>
|
||
match the algorithm used in the corresponding WIT.</t>
|
||
</list></t>
|
||
|
||
<t>When an agent makes an HTTP request to another agent, the
|
||
Execution-Context header is carried alongside WIMSE identity
|
||
headers:</t>
|
||
|
||
<figure title="HTTP Header Stacking" anchor="fig-http-headers"><artwork type="ascii-art"><![CDATA[
|
||
HTTP Request from Agent A to Agent B:
|
||
Workload-Identity: <WIT for Agent A>
|
||
Execution-Context: <ECT recording what A did>
|
||
]]></artwork></figure>
|
||
|
||
<t>When a Workload Proof Token (WPT) is available per
|
||
<xref target="I-D.ietf-wimse-s2s-protocol"/>, agents <bcp14>SHOULD</bcp14> include it
|
||
alongside the WIT and ECT. ECT verification does not depend
|
||
on the presence of a WPT; the ECT is independently verifiable
|
||
via the WIT public key.</t>
|
||
|
||
<t>The receiving agent (Agent B) verifies in order:</t>
|
||
|
||
<t><list style="numbers" type="1">
|
||
<t>WIT (WIMSE layer): Verifies Agent A's identity within the
|
||
trust domain. WPT verification, if present, per
|
||
<xref target="I-D.ietf-wimse-s2s-protocol"/>.</t>
|
||
<t>ECT (this extension): Records what Agent A did and what
|
||
precedent tasks exist.</t>
|
||
<t>Ledger (if deployed): Appends the verified ECT to the audit
|
||
ledger.</t>
|
||
</list></t>
|
||
|
||
</section>
|
||
</section>
|
||
<section anchor="ect-format"><name>Execution Context Token Format</name>
|
||
|
||
<t>An Execution Context Token is a JSON Web Token (JWT) <xref target="RFC7519"/>
|
||
signed as a JSON Web Signature (JWS) <xref target="RFC7515"/>. ECTs <bcp14>MUST</bcp14> use
|
||
JWS Compact Serialization (the base64url-encoded
|
||
<spanx style="verb">header.payload.signature</spanx> format) so that they can be carried in
|
||
a single HTTP header value.</t>
|
||
|
||
<section anchor="jose-header"><name>JOSE Header</name>
|
||
|
||
<t>The ECT JOSE header <bcp14>MUST</bcp14> contain the following parameters:</t>
|
||
|
||
<figure title="ECT JOSE Header Example" anchor="fig-header"><sourcecode type="json"><![CDATA[
|
||
{
|
||
"alg": "ES256",
|
||
"typ": "wimse-exec+jwt",
|
||
"kid": "agent-a-key-id-123"
|
||
}
|
||
]]></sourcecode></figure>
|
||
|
||
<dl>
|
||
<dt>alg:</dt>
|
||
<dd>
|
||
<t><bcp14>REQUIRED</bcp14>. The digital signature algorithm used to sign the ECT.
|
||
<bcp14>MUST</bcp14> match the algorithm in the corresponding WIT.
|
||
Implementations <bcp14>MUST</bcp14> support ES256 <xref target="RFC7518"/>. The "alg"
|
||
value <bcp14>MUST NOT</bcp14> be "none". Symmetric algorithms (e.g., HS256,
|
||
HS384, HS512) <bcp14>MUST NOT</bcp14> be used, as ECTs require asymmetric
|
||
signatures for non-repudiation.</t>
|
||
</dd>
|
||
<dt>typ:</dt>
|
||
<dd>
|
||
<t><bcp14>REQUIRED</bcp14>. <bcp14>MUST</bcp14> be set to "wimse-exec+jwt" to distinguish ECTs
|
||
from other JWT types, consistent with the WIMSE convention for
|
||
type parameter values.</t>
|
||
</dd>
|
||
<dt>kid:</dt>
|
||
<dd>
|
||
<t><bcp14>REQUIRED</bcp14>. The key identifier referencing the public key from
|
||
the agent's WIT <xref target="RFC7517"/>. Used by verifiers to look up the
|
||
correct public key for signature verification.</t>
|
||
</dd>
|
||
</dl>
|
||
|
||
</section>
|
||
<section anchor="jwt-claims"><name>JWT Claims</name>
|
||
|
||
<t>The ECT payload contains both WIMSE-compatible standard JWT claims
|
||
and execution context claims defined by this specification.</t>
|
||
|
||
<section anchor="standard-jwt-claims"><name>Standard JWT Claims</name>
|
||
|
||
<t>The following standard JWT claims <xref target="RFC7519"/> <bcp14>MUST</bcp14> be present in
|
||
every ECT:</t>
|
||
|
||
<dl>
|
||
<dt>iss:</dt>
|
||
<dd>
|
||
<t><bcp14>REQUIRED</bcp14>. StringOrURI. A URI identifying the issuer of the
|
||
ECT. In WIMSE deployments, this <bcp14>SHOULD</bcp14> be the workload's
|
||
SPIFFE ID in the format <spanx style="verb">spiffe://<trust-domain>/<path></spanx>,
|
||
matching the "sub" claim of the agent's WIT. Non-WIMSE
|
||
deployments <bcp14>MAY</bcp14> use other URI schemes (e.g., HTTPS URLs or
|
||
URN:UUID identifiers).</t>
|
||
</dd>
|
||
<dt>aud:</dt>
|
||
<dd>
|
||
<t><bcp14>REQUIRED</bcp14>. StringOrURI or array of StringOrURI. The intended
|
||
recipient(s) of the ECT. Because ECTs serve as both inter-agent
|
||
messages and audit records, the "aud" claim <bcp14>SHOULD</bcp14> contain the
|
||
identifiers of all entities that will verify the ECT. In
|
||
practice this means:
|
||
</t>
|
||
|
||
<t><list style="symbols">
|
||
<t><strong>Point-to-point delivery</strong>: when an ECT is sent from one
|
||
agent to a single next agent, "aud" contains that agent's
|
||
workload identity. The receiving agent verifies the ECT and
|
||
forwards it to the ledger on behalf of the issuer.</t>
|
||
<t><strong>Direct-to-ledger submission</strong>: when an ECT is submitted
|
||
directly to the audit ledger (e.g., after a join or at
|
||
workflow completion), "aud" contains the ledger's identity.</t>
|
||
<t><strong>Multi-audience</strong>: when an ECT must be verified by both the
|
||
next agent and the ledger independently, "aud" <bcp14>MUST</bcp14> be an
|
||
array containing both identifiers (e.g.,
|
||
["spiffe://example.com/agent/next",
|
||
"spiffe://example.com/system/ledger"]). Each verifier checks
|
||
that its own identity appears in the array.</t>
|
||
</list></t>
|
||
|
||
<t>In multi-parent (join) scenarios where a task depends on ECTs
|
||
from multiple parent agents, the joining agent creates a new ECT
|
||
with the parent task IDs in "par". The "aud" of this new ECT
|
||
is set according to the rules above based on where the ECT will
|
||
be delivered — it is independent of the "aud" values in the
|
||
parent ECTs.</t>
|
||
</dd>
|
||
<dt>iat:</dt>
|
||
<dd>
|
||
<t><bcp14>REQUIRED</bcp14>. NumericDate. The time at which the ECT was issued.
|
||
The ECT records a completed action, so the "iat" value reflects
|
||
when the record was created, not when task execution began.</t>
|
||
</dd>
|
||
<dt>exp:</dt>
|
||
<dd>
|
||
<t><bcp14>REQUIRED</bcp14>. NumericDate. The expiration time of the ECT.
|
||
Implementations <bcp14>SHOULD</bcp14> set this to 5 to 15 minutes after "iat"
|
||
to limit the replay window while allowing for reasonable clock
|
||
skew and processing time.</t>
|
||
</dd>
|
||
</dl>
|
||
|
||
<t>The standard JWT "nbf" (Not Before) claim is not used in ECTs
|
||
because ECTs record completed actions and are valid immediately
|
||
upon issuance.</t>
|
||
|
||
<dl>
|
||
<dt>jti:</dt>
|
||
<dd>
|
||
<t><bcp14>REQUIRED</bcp14>. String. A globally unique identifier for both the
|
||
ECT and the task it records, in UUID format <xref target="RFC9562"/>. Since
|
||
each ECT represents exactly one task, "jti" serves as both the
|
||
token identifier (for replay detection) and the task identifier
|
||
(for DAG parent references in "par"). Receivers <bcp14>MUST</bcp14> reject
|
||
ECTs whose "jti" has already been seen within the expiration
|
||
window. When "wid" is present, uniqueness is scoped to the
|
||
workflow; when "wid" is absent, uniqueness <bcp14>MUST</bcp14> be enforced
|
||
globally across the ECT store.</t>
|
||
</dd>
|
||
</dl>
|
||
|
||
</section>
|
||
<section anchor="exec-claims"><name>Execution Context</name>
|
||
|
||
<t>The following claims are defined by this specification:</t>
|
||
|
||
<dl>
|
||
<dt>wid:</dt>
|
||
<dd>
|
||
<t><bcp14>OPTIONAL</bcp14>. String. A workflow identifier that groups related
|
||
ECTs into a single workflow. When present, <bcp14>MUST</bcp14> be a UUID
|
||
<xref target="RFC9562"/>.</t>
|
||
</dd>
|
||
<dt>exec_act:</dt>
|
||
<dd>
|
||
<t><bcp14>REQUIRED</bcp14>. String. The action or task type identifier describing
|
||
what the agent performed (e.g., "process_payment",
|
||
"validate_safety", "calculate_dosage"). Note: this claim is
|
||
intentionally named "exec_act" rather than "act" to avoid
|
||
collision with the "act" (Actor) claim registered by
|
||
<xref target="RFC8693"/>.</t>
|
||
</dd>
|
||
<dt>par:</dt>
|
||
<dd>
|
||
<t><bcp14>REQUIRED</bcp14>. Array of strings. Parent task identifiers
|
||
representing DAG dependencies. Each element <bcp14>MUST</bcp14> be the "jti"
|
||
value of a previously verified ECT. An empty array indicates
|
||
a root task with no dependencies. A workflow <bcp14>MAY</bcp14> contain
|
||
multiple root tasks. Parent ECTs may have passed their own
|
||
"exp" time; ECT expiration applies to the verification window
|
||
of the ECT itself, not to its validity as a parent reference
|
||
in the ECT store. Note: "par" is not a registered JWT claim
|
||
and does not conflict with OAuth Pushed Authorization Requests
|
||
(RFC 9126), which defines an endpoint, not a token claim.</t>
|
||
</dd>
|
||
</dl>
|
||
|
||
</section>
|
||
<section anchor="data-integrity-claims"><name>Data Integrity</name>
|
||
|
||
<t>The following claims provide integrity verification for task
|
||
inputs and outputs without revealing the data itself:</t>
|
||
|
||
<dl>
|
||
<dt>inp_hash:</dt>
|
||
<dd>
|
||
<t><bcp14>OPTIONAL</bcp14>. String. The base64url encoding (without padding) of
|
||
the SHA-256 hash of the input data, computed over the raw octets
|
||
of the input. This follows the same fixed-algorithm pattern
|
||
used by the DPoP "ath" claim <xref target="RFC9449"/> and the WIMSE WPT
|
||
"tth" claim <xref target="I-D.ietf-wimse-s2s-protocol"/>: SHA-256 is the
|
||
mandatory algorithm with no algorithm prefix in the value.</t>
|
||
</dd>
|
||
<dt>out_hash:</dt>
|
||
<dd>
|
||
<t><bcp14>OPTIONAL</bcp14>. String. The base64url encoding (without padding) of
|
||
the SHA-256 hash of the output data, using the same format as
|
||
"inp_hash".</t>
|
||
</dd>
|
||
</dl>
|
||
|
||
</section>
|
||
<section anchor="extension-claims"><name>Extensions</name>
|
||
|
||
<dl>
|
||
<dt>ext:</dt>
|
||
<dd>
|
||
<t><bcp14>OPTIONAL</bcp14>. Object. A general-purpose extension object for
|
||
domain-specific claims not defined by this specification. The
|
||
short name "ext" follows the JWT convention of concise claim
|
||
names and is chosen over alternatives like "extensions" for
|
||
compactness. Implementations that do not understand extension
|
||
claims <bcp14>MUST</bcp14> ignore them.</t>
|
||
</dd>
|
||
</dl>
|
||
|
||
<t>To avoid key collisions between different domains, extension
|
||
key names <bcp14>SHOULD</bcp14> use reverse domain notation (e.g.,
|
||
"com.example.custom_field") to avoid collisions between
|
||
independently developed extensions. To prevent abuse and
|
||
excessive token size, the serialized JSON representation of
|
||
the "ext" object <bcp14>SHOULD NOT</bcp14> exceed 4096 bytes, and the JSON
|
||
nesting depth within the "ext" object <bcp14>SHOULD NOT</bcp14> exceed 5
|
||
levels. Implementations <bcp14>SHOULD</bcp14> reject ECTs whose "ext" claim
|
||
exceeds these limits.</t>
|
||
|
||
<t>Extension keys for domain-specific use cases <bcp14>MAY</bcp14> be defined in
|
||
future documents.</t>
|
||
|
||
</section>
|
||
</section>
|
||
<section anchor="complete-ect-example"><name>Complete ECT Example</name>
|
||
|
||
<t>The following is a complete ECT payload example:</t>
|
||
|
||
<figure title="Complete ECT Payload Example" anchor="fig-full-ect"><sourcecode type="json"><![CDATA[
|
||
{
|
||
"iss": "spiffe://example.com/agent/clinical",
|
||
"aud": "spiffe://example.com/agent/safety",
|
||
"iat": 1772064150,
|
||
"exp": 1772064750,
|
||
"jti": "550e8400-e29b-41d4-a716-446655440001",
|
||
|
||
"wid": "a0b1c2d3-e4f5-6789-abcd-ef0123456789",
|
||
"exec_act": "recommend_treatment",
|
||
"par": [],
|
||
|
||
"inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
|
||
"out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
|
||
|
||
"ext": {
|
||
"com.example.trace_id": "abc123"
|
||
}
|
||
}
|
||
]]></sourcecode></figure>
|
||
|
||
</section>
|
||
</section>
|
||
<section anchor="http-header"><name>HTTP Header Transport</name>
|
||
|
||
<section anchor="execution-context-header-field"><name>Execution-Context Header Field</name>
|
||
|
||
<t>This specification defines the Execution-Context HTTP header field
|
||
<xref target="RFC9110"/> for transporting ECTs between agents.</t>
|
||
|
||
<t>The header field value is the ECT in JWS Compact Serialization
|
||
format <xref target="RFC7515"/>. The value consists of three Base64url-encoded
|
||
parts separated by period (".") characters.</t>
|
||
|
||
<t>An agent sending a request to another agent includes the
|
||
Execution-Context header alongside the WIMSE Workload-Identity
|
||
header:</t>
|
||
|
||
<figure title="HTTP Request with ECT Header" anchor="fig-http-example"><artwork><![CDATA[
|
||
GET /api/safety-check HTTP/1.1
|
||
Host: safety-agent.example.com
|
||
Workload-Identity: eyJhbGci...WIT...
|
||
Execution-Context: eyJhbGci...ECT...
|
||
]]></artwork></figure>
|
||
|
||
<t>When multiple parent tasks contribute context to a single request,
|
||
multiple Execution-Context header field lines <bcp14>MAY</bcp14> be included, each
|
||
carrying a separate ECT in JWS Compact Serialization format.</t>
|
||
|
||
<t>When a receiver processes multiple Execution-Context headers, it
|
||
<bcp14>MUST</bcp14> individually verify each ECT per the procedure in
|
||
<xref target="verification"/>. If any single ECT fails verification, the
|
||
receiver <bcp14>MUST</bcp14> reject the entire request. The set of verified
|
||
parent task IDs across all received ECTs represents the complete
|
||
set of parent dependencies available for the receiving agent's
|
||
subsequent ECT.</t>
|
||
|
||
</section>
|
||
</section>
|
||
<section anchor="dag-validation"><name>DAG Validation</name>
|
||
|
||
<section anchor="overview"><name>Overview</name>
|
||
|
||
<t>ECTs form a Directed Acyclic Graph (DAG) where each task
|
||
references its parent tasks via the "par" claim. This structure
|
||
provides a cryptographically signed record of execution ordering,
|
||
enabling auditors to reconstruct the complete workflow and verify
|
||
that required predecessor tasks were recorded before dependent
|
||
tasks.</t>
|
||
|
||
<t>DAG validation is performed against the ECT store — either an
|
||
audit ledger or the set of parent ECTs received inline.</t>
|
||
|
||
</section>
|
||
<section anchor="validation-rules"><name>Validation Rules</name>
|
||
|
||
<t>When receiving and verifying an ECT, implementations <bcp14>MUST</bcp14> perform
|
||
the following DAG validation steps:</t>
|
||
|
||
<t><list style="numbers" type="1">
|
||
<t>Task ID Uniqueness: The "jti" claim <bcp14>MUST</bcp14> be unique within the
|
||
applicable scope (the workflow identified by "wid", or the
|
||
entire ECT store if "wid" is absent). If an ECT with the same
|
||
"jti" already exists, the ECT <bcp14>MUST</bcp14> be rejected.</t>
|
||
<t>Parent Existence: Every task identifier listed in the "par"
|
||
array <bcp14>MUST</bcp14> correspond to a task that is available in the ECT
|
||
store (either previously recorded in the ledger or received
|
||
inline as a verified parent ECT). If any parent task is not
|
||
found, the ECT <bcp14>MUST</bcp14> be rejected.</t>
|
||
<t>Temporal Ordering: The "iat" value of every parent task <bcp14>MUST
|
||
NOT</bcp14> be greater than the "iat" value of the current task plus a
|
||
configurable clock skew tolerance (<bcp14>RECOMMENDED</bcp14>: 30 seconds).
|
||
That is, for each parent: <spanx style="verb">parent.iat < child.iat +
|
||
clock_skew_tolerance</spanx>. The tolerance accounts for clock skew
|
||
between agents; it does not guarantee strict causal ordering
|
||
from timestamps alone. Causal ordering is primarily enforced
|
||
by the DAG structure (parent existence in the ECT store), not by
|
||
timestamps. If any parent task violates this constraint, the
|
||
ECT <bcp14>MUST</bcp14> be rejected.</t>
|
||
<t>Acyclicity: Following the chain of parent references <bcp14>MUST NOT</bcp14>
|
||
lead back to the current ECT's "jti". If a cycle is detected,
|
||
the ECT <bcp14>MUST</bcp14> be rejected.</t>
|
||
<t>Trust Domain Consistency: Parent tasks <bcp14>SHOULD</bcp14> belong to the
|
||
same trust domain or to a trust domain with which a federation
|
||
relationship has been established.</t>
|
||
</list></t>
|
||
|
||
<t>To prevent denial-of-service via extremely deep or wide DAGs,
|
||
implementations <bcp14>SHOULD</bcp14> enforce a maximum ancestor traversal limit
|
||
(<bcp14>RECOMMENDED</bcp14>: 10000 nodes). If the limit is reached before cycle
|
||
detection completes, the ECT <bcp14>SHOULD</bcp14> be rejected.</t>
|
||
|
||
</section>
|
||
<section anchor="handling-unavailable-parent-ects"><name>Handling Unavailable Parent ECTs</name>
|
||
|
||
<t>In distributed deployments, a parent ECT referenced in the "par"
|
||
array may not yet be available in the local ECT store at the time
|
||
of validation — for example, due to replication lag in a
|
||
distributed ledger or out-of-order message delivery.</t>
|
||
|
||
<t>Implementations <bcp14>MUST</bcp14> distinguish between two cases:</t>
|
||
|
||
<t><list style="numbers" type="1">
|
||
<t>Parent not found and definitively absent: The parent "jti"
|
||
does not exist in any accessible ECT store. The ECT <bcp14>MUST</bcp14> be
|
||
rejected.</t>
|
||
<t>Parent not yet available: The parent "jti" is not present
|
||
locally but may arrive due to known replication delays.
|
||
Implementations <bcp14>MAY</bcp14> defer validation for a bounded period
|
||
(<bcp14>RECOMMENDED</bcp14>: no more than 60 seconds).</t>
|
||
</list></t>
|
||
|
||
<t>Deferred ECTs <bcp14>MUST NOT</bcp14> be treated as verified until all parent
|
||
references are resolved. If any parent reference remains
|
||
unresolved after the deferral period or after the ECT's own "exp"
|
||
time (whichever comes first), the ECT <bcp14>MUST</bcp14> be rejected.</t>
|
||
|
||
</section>
|
||
</section>
|
||
<section anchor="verification"><name>Signature and Token Verification</name>
|
||
|
||
<section anchor="verification-procedure"><name>Verification Procedure</name>
|
||
|
||
<t>When an agent receives an ECT, it <bcp14>MUST</bcp14> perform the following
|
||
verification steps in order:</t>
|
||
|
||
<t><list style="numbers" type="1">
|
||
<t>Parse the JWS Compact Serialization to extract the JOSE header,
|
||
payload, and signature components per <xref target="RFC7515"/>.</t>
|
||
<t>Verify that the "typ" header parameter is "wimse-exec+jwt".</t>
|
||
<t>Verify that the "alg" header parameter appears in the
|
||
verifier's configured allowlist of accepted signing algorithms.
|
||
The allowlist <bcp14>MUST NOT</bcp14> include "none" or any symmetric
|
||
algorithm (e.g., HS256, HS384, HS512). Implementations <bcp14>MUST</bcp14>
|
||
include ES256 in the allowlist; additional asymmetric algorithms
|
||
<bcp14>MAY</bcp14> be included per deployment policy.</t>
|
||
<t>Verify the "kid" header parameter references a known, valid
|
||
public key from a WIT within the trust domain.</t>
|
||
<t>Retrieve the public key identified by "kid" and verify the JWS
|
||
signature per <xref target="RFC7515"/> Section 5.2.</t>
|
||
<t>Verify that the signing key identified by "kid" has not been
|
||
revoked within the trust domain. Implementations <bcp14>MUST</bcp14> check
|
||
the key's revocation status using the trust domain's key
|
||
lifecycle mechanism (e.g., certificate revocation list, OCSP,
|
||
or SPIFFE trust bundle updates).</t>
|
||
<t>Verify the "alg" header parameter matches the algorithm in the
|
||
corresponding WIT.</t>
|
||
<t>Verify the "iss" claim matches the "sub" claim of the WIT
|
||
associated with the "kid" public key.</t>
|
||
<t>Verify the "aud" claim contains the verifier's own workload
|
||
identity. When "aud" is an array, it is sufficient that the
|
||
verifier's identity appears as one element; the presence of
|
||
other audience values does not cause verification failure.
|
||
When the verifier is the audit ledger, the ledger's own
|
||
identity <bcp14>MUST</bcp14> appear in "aud".</t>
|
||
<t>Verify the "exp" claim indicates the ECT has not expired.</t>
|
||
<t>Verify the "iat" claim is not unreasonably far in the past
|
||
(implementation-specific threshold, <bcp14>RECOMMENDED</bcp14> maximum of
|
||
15 minutes) and is not unreasonably far in the future
|
||
(<bcp14>RECOMMENDED</bcp14>: no more than 30 seconds ahead of the
|
||
verifier's current time, to account for clock skew).</t>
|
||
<t>Verify all required claims ("jti", "exec_act", "par") are
|
||
present and well-formed.</t>
|
||
<t>Perform DAG validation per <xref target="dag-validation"/>.</t>
|
||
<t>If all checks pass and an audit ledger is deployed, the ECT
|
||
<bcp14>SHOULD</bcp14> be appended to the ledger.</t>
|
||
</list></t>
|
||
|
||
<t>If any verification step fails, the ECT <bcp14>MUST</bcp14> be rejected and the
|
||
failure <bcp14>MUST</bcp14> be logged for audit purposes. Error messages
|
||
<bcp14>SHOULD NOT</bcp14> reveal whether specific parent task IDs exist in the
|
||
ECT store, to prevent information disclosure.</t>
|
||
|
||
<t>When ECT verification fails during HTTP request processing, the
|
||
receiving agent <bcp14>SHOULD</bcp14> respond with HTTP 403 (Forbidden) if the
|
||
WIT is valid but the ECT is invalid, and HTTP 401
|
||
(Unauthorized) if the ECT signature verification fails. The
|
||
response body <bcp14>SHOULD</bcp14> include a generic error indicator without
|
||
revealing which specific verification step failed. The receiving
|
||
agent <bcp14>MUST NOT</bcp14> process the requested action when ECT verification
|
||
fails.</t>
|
||
|
||
</section>
|
||
</section>
|
||
<section anchor="ledger-interface"><name>Audit Ledger Interface</name>
|
||
|
||
<t>ECTs <bcp14>MAY</bcp14> be recorded in an immutable audit ledger for compliance
|
||
verification and post-hoc analysis. A ledger is <bcp14>RECOMMENDED</bcp14> for
|
||
regulated environments but is not required for point-to-point
|
||
operation. This specification does not mandate a specific storage
|
||
technology. Implementations <bcp14>MAY</bcp14> use append-only logs, databases
|
||
with cryptographic commitment schemes, distributed ledgers, or
|
||
any storage mechanism that provides the required properties.</t>
|
||
|
||
<t>When an audit ledger is deployed, the implementation <bcp14>MUST</bcp14> provide:</t>
|
||
|
||
<t><list style="numbers" type="1">
|
||
<t>Append-only semantics: Once an ECT is recorded, it <bcp14>MUST NOT</bcp14> be
|
||
modified or deleted.</t>
|
||
<t>Ordering: The ledger <bcp14>MUST</bcp14> maintain a total ordering of ECT
|
||
entries via a monotonically increasing sequence number.</t>
|
||
<t>Lookup by ECT ID: The ledger <bcp14>MUST</bcp14> support efficient retrieval
|
||
of ECT entries by "jti" value.</t>
|
||
<t>Integrity verification: The ledger <bcp14>SHOULD</bcp14> provide a mechanism
|
||
to verify that no entries have been tampered with (e.g.,
|
||
hash chains or Merkle trees).</t>
|
||
</list></t>
|
||
|
||
<t>The ledger <bcp14>SHOULD</bcp14> be maintained by an entity independent of the
|
||
workflow agents to reduce the risk of collusion.</t>
|
||
|
||
</section>
|
||
<section anchor="security-considerations"><name>Security Considerations</name>
|
||
|
||
<t>This section addresses security considerations following the
|
||
guidance in <xref target="RFC3552"/>.</t>
|
||
|
||
<section anchor="threat-model"><name>Threat Model</name>
|
||
|
||
<t>The following threat actors are considered:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>Malicious agent (insider threat): An agent within the trust
|
||
domain that intentionally creates false ECT claims.</t>
|
||
<t>Compromised agent (external attacker): An agent whose private
|
||
key has been obtained by an external attacker.</t>
|
||
<t>Ledger tamperer: An entity attempting to modify or delete ledger
|
||
entries after they have been recorded.</t>
|
||
<t>Time manipulator: An entity attempting to manipulate timestamps
|
||
to alter perceived execution ordering.</t>
|
||
</list></t>
|
||
|
||
</section>
|
||
<section anchor="self-assertion-limitation"><name>Self-Assertion Limitation</name>
|
||
|
||
<t>ECTs are self-asserted by the executing agent. The agent claims
|
||
what it did, and this claim is signed with its private key. A
|
||
compromised or malicious agent could create ECTs with false claims
|
||
(e.g., claiming an action was performed when it was not).</t>
|
||
|
||
<t>ECTs do not independently verify that:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>The claimed execution actually occurred as described</t>
|
||
<t>The input/output hashes correspond to the actual data processed</t>
|
||
<t>The agent faithfully performed the stated action</t>
|
||
</list></t>
|
||
|
||
<t>The trustworthiness of ECT claims depends on the trustworthiness
|
||
of the signing agent and the integrity of the broader deployment
|
||
environment.</t>
|
||
|
||
</section>
|
||
<section anchor="organizational-prerequisites"><name>Organizational Prerequisites</name>
|
||
|
||
<t>ECTs operate within a broader trust framework. The guarantees
|
||
provided by ECTs are only meaningful when the following
|
||
organizational controls are in place:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>Key management governance: Controls over who provisions agent
|
||
keys and how keys are protected.</t>
|
||
<t>Ledger integrity governance: The ledger is maintained by an
|
||
entity independent of the workflow agents.</t>
|
||
<t>Agent deployment governance: Agents are deployed and maintained
|
||
in a manner that preserves their integrity.</t>
|
||
</list></t>
|
||
|
||
</section>
|
||
<section anchor="signature-verification"><name>Signature Verification</name>
|
||
|
||
<t>ECTs <bcp14>MUST</bcp14> be signed with the agent's private key using JWS
|
||
<xref target="RFC7515"/>. The signature algorithm <bcp14>MUST</bcp14> match the algorithm
|
||
specified in the agent's WIT. Receivers <bcp14>MUST</bcp14> verify the ECT
|
||
signature against the WIT public key before processing any
|
||
claims. Receivers <bcp14>MUST</bcp14> verify that the signing key has not been
|
||
revoked within the trust domain (see step 6 in
|
||
<xref target="verification"/>).</t>
|
||
|
||
<t>If signature verification fails or if the signing key has been
|
||
revoked, the ECT <bcp14>MUST</bcp14> be rejected entirely and the failure <bcp14>MUST</bcp14>
|
||
be logged.</t>
|
||
|
||
<t>Implementations <bcp14>MUST</bcp14> use established JWS libraries and <bcp14>MUST NOT</bcp14>
|
||
implement custom signature verification.</t>
|
||
|
||
</section>
|
||
<section anchor="replay-attack-prevention"><name>Replay Attack Prevention</name>
|
||
|
||
<t>ECTs include short expiration times (<bcp14>RECOMMENDED</bcp14>: 5-15 minutes) to
|
||
limit the window for replay attacks. The "aud" claim restricts
|
||
replay to unintended recipients: an ECT intended for Agent B
|
||
will be rejected by Agent C. The "iat" claim enables receivers to
|
||
reject ECTs that are too old, even if not yet expired.</t>
|
||
|
||
<t>The DAG structure provides additional replay protection: an ECT
|
||
referencing parent tasks that already have a recorded child task
|
||
with the same action can be flagged as a potential replay.</t>
|
||
|
||
<t>Implementations <bcp14>MUST</bcp14> maintain a cache of recently-seen "jti"
|
||
values to detect replayed ECTs within the expiration window.
|
||
An ECT with a duplicate "jti" value <bcp14>MUST</bcp14> be rejected.</t>
|
||
|
||
<t>Additionally, each ECT is cryptographically bound to the issuing
|
||
agent via the JOSE "kid" parameter, which references the agent's
|
||
WIT public key. Verifiers <bcp14>MUST</bcp14> confirm that the "kid" resolves
|
||
to the "iss" agent's key (step 8 in <xref target="verification"/>), preventing
|
||
one agent from replaying another agent's ECT as its own.</t>
|
||
|
||
</section>
|
||
<section anchor="man-in-the-middle-protection"><name>Man-in-the-Middle Protection</name>
|
||
|
||
<t>ECTs do not replace transport-layer security. ECTs <bcp14>MUST</bcp14> be
|
||
transmitted over TLS or mTLS connections. When used with the WIMSE
|
||
service-to-service protocol <xref target="I-D.ietf-wimse-s2s-protocol"/>,
|
||
transport security is already established. HTTP Message Signatures
|
||
<xref target="RFC9421"/> provide an alternative channel binding mechanism.</t>
|
||
|
||
<t>The defense-in-depth model provides:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>TLS/mTLS (transport layer): Prevents network-level tampering.</t>
|
||
<t>WIT/WPT (WIMSE identity layer): Proves agent identity and
|
||
request authorization.</t>
|
||
<t>ECT (execution accountability layer): Records what the agent did.</t>
|
||
</list></t>
|
||
|
||
</section>
|
||
<section anchor="key-compromise"><name>Key Compromise</name>
|
||
|
||
<t>If an agent's private key is compromised, an attacker can forge
|
||
ECTs that appear to originate from that agent. To mitigate this
|
||
risk:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>Implementations <bcp14>SHOULD</bcp14> use short-lived keys and rotate them
|
||
frequently (hours to days, not months).</t>
|
||
<t>Private keys <bcp14>SHOULD</bcp14> be stored in Hardware Security Modules (HSMs)
|
||
or equivalent secure key storage.</t>
|
||
<t>Trust domains <bcp14>MUST</bcp14> support rapid key revocation.</t>
|
||
<t>Upon suspected compromise, the trust domain <bcp14>MUST</bcp14> revoke the
|
||
compromised key and issue a new WIT with a fresh key pair.</t>
|
||
</list></t>
|
||
|
||
<t>ECTs signed with a compromised key that were recorded in the
|
||
ledger before revocation remain valid historical records but <bcp14>SHOULD</bcp14>
|
||
be flagged in the ledger as "signed with subsequently revoked key"
|
||
for audit purposes.</t>
|
||
|
||
<t>ECT revocation does not propagate through the DAG. If a parent
|
||
ECT's signing key is later revoked, child ECTs that were verified
|
||
and recorded before that revocation remain valid — they captured
|
||
a legitimate execution record at the time of issuance. However,
|
||
auditors reviewing a workflow <bcp14>SHOULD</bcp14> flag any ECT in the DAG
|
||
whose signing key was subsequently revoked, so that the scope of
|
||
a potential compromise can be assessed. New ECTs <bcp14>MUST NOT</bcp14> be
|
||
created with a "par" reference to an ECT whose signing key is
|
||
known to be revoked at creation time.</t>
|
||
|
||
</section>
|
||
<section anchor="collusion-and-false-claims"><name>Collusion and False Claims</name>
|
||
|
||
<t>A single malicious agent cannot forge parent task references
|
||
because DAG validation requires parent tasks to exist in the
|
||
ledger. However, multiple colluding agents could potentially
|
||
create a false execution history if they control the ledger.</t>
|
||
|
||
<t>Mitigations include:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>Independent ledger maintenance: The ledger <bcp14>SHOULD</bcp14> be maintained
|
||
by an entity independent of the workflow agents.</t>
|
||
<t>Cross-verification: Multiple independent ledger replicas can be
|
||
compared for consistency.</t>
|
||
<t>Out-of-band audit: External auditors periodically verify ledger
|
||
contents against expected workflow patterns.</t>
|
||
</list></t>
|
||
|
||
</section>
|
||
<section anchor="dag-integrity-attacks"><name>DAG Integrity Attacks</name>
|
||
|
||
<t>Because the DAG structure is the primary mechanism for establishing
|
||
execution ordering, attackers may attempt to manipulate it:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>False parent references: A malicious agent creates an ECT that
|
||
references parent tasks from an unrelated workflow, inserting
|
||
itself into a legitimate execution history. DAG validation
|
||
(<xref target="dag-validation"/>) mitigates this by requiring parent existence
|
||
in the ECT store, and the "wid" claim scopes parent references
|
||
to a single workflow when present.</t>
|
||
<t>Parent omission (pruning): An agent deliberately omits one or
|
||
more actual parent dependencies from the "par" array to hide
|
||
that certain tasks influenced its output. Because ECTs are
|
||
self-asserted (<xref target="self-assertion-limitation"/>), no mechanism can
|
||
force an agent to declare all dependencies. External auditors
|
||
can detect omission by comparing the declared DAG against
|
||
expected workflow patterns.</t>
|
||
<t>Shadow DAGs: Multiple colluding agents fabricate an entire
|
||
execution history by creating a sequence of ECTs with mutual
|
||
parent references. Independent ledger maintenance and
|
||
cross-verification (see <xref target="collusion-and-false-claims"/> above)
|
||
are the primary mitigations.</t>
|
||
</list></t>
|
||
|
||
<t>Verifiers <bcp14>SHOULD</bcp14> validate that the declared "wid" of parent ECTs
|
||
matches the "wid" of the child ECT, rejecting cross-workflow
|
||
parent references unless explicitly permitted by deployment
|
||
policy.</t>
|
||
|
||
</section>
|
||
<section anchor="privilege-escalation-via-ects"><name>Privilege Escalation via ECTs</name>
|
||
|
||
<t>ECTs record execution history; they do not convey authorization.
|
||
Verifiers <bcp14>MUST NOT</bcp14> interpret the presence of an ECT, or a
|
||
particular set of parent references in "par", as an authorization
|
||
grant. The "par" claim demonstrates that predecessor tasks were
|
||
recorded, not that the current agent is authorized to act on
|
||
their outputs. Authorization decisions <bcp14>MUST</bcp14> remain with the
|
||
identity and authorization layer (WIT, WPT, and deployment
|
||
policy). As noted in <xref target="I-D.ni-wimse-ai-agent-identity"/>,
|
||
AI intermediaries introduce novel escalation vectors; ECTs
|
||
<bcp14>MUST NOT</bcp14> be used to circumvent authorization boundaries.</t>
|
||
|
||
</section>
|
||
<section anchor="denial-of-service"><name>Denial of Service</name>
|
||
|
||
<t>ECT signature verification is computationally inexpensive
|
||
(approximately 1ms per ECT on modern hardware for ES256). DAG
|
||
validation complexity is O(V) where V is the number of ancestor
|
||
nodes reachable from the parent references; for typical shallow
|
||
DAGs this is efficient.</t>
|
||
|
||
<t>Implementations <bcp14>SHOULD</bcp14> apply rate limiting at the API layer to
|
||
prevent excessive ECT submissions. DAG validation <bcp14>SHOULD</bcp14> be
|
||
performed after signature verification to avoid wasting resources
|
||
on unsigned or incorrectly signed tokens.</t>
|
||
|
||
</section>
|
||
<section anchor="timestamp-accuracy"><name>Timestamp Accuracy</name>
|
||
|
||
<t>ECTs rely on timestamps ("iat", "exp") for temporal ordering.
|
||
Clock skew between agents can lead to incorrect ordering
|
||
judgments. Implementations <bcp14>SHOULD</bcp14> use synchronized time sources
|
||
(e.g., NTP) and <bcp14>SHOULD</bcp14> allow a configurable clock skew tolerance
|
||
(<bcp14>RECOMMENDED</bcp14>: 30 seconds).</t>
|
||
|
||
<t>Cross-organizational deployments where agents span multiple trust
|
||
domains with independent time sources <bcp14>MAY</bcp14> require a higher clock
|
||
skew tolerance. Deployments using trust domain federation <bcp14>SHOULD</bcp14>
|
||
document their configured clock skew tolerance value and <bcp14>SHOULD</bcp14>
|
||
ensure all participating trust domains agree on a common tolerance.</t>
|
||
|
||
<t>The temporal ordering check in DAG validation incorporates the
|
||
clock skew tolerance to account for minor clock differences
|
||
between agents.</t>
|
||
|
||
</section>
|
||
<section anchor="ect-size-constraints"><name>ECT Size Constraints</name>
|
||
|
||
<t>ECTs with many parent tasks or large extension objects can
|
||
increase HTTP header size. Implementations <bcp14>SHOULD</bcp14> limit the "par"
|
||
array to a maximum of 256 entries. Workflows requiring more
|
||
parent references <bcp14>SHOULD</bcp14> introduce intermediate aggregation
|
||
tasks. The "ext" object <bcp14>SHOULD NOT</bcp14> exceed 4096 bytes when
|
||
serialized as JSON and <bcp14>SHOULD NOT</bcp14> exceed a nesting depth of
|
||
5 levels (see also <xref target="extension-claims"/>).</t>
|
||
|
||
</section>
|
||
</section>
|
||
<section anchor="privacy-considerations"><name>Privacy Considerations</name>
|
||
|
||
<section anchor="data-exposure-in-ects"><name>Data Exposure in ECTs</name>
|
||
|
||
<t>ECTs necessarily reveal:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>Agent identities ("iss", "aud") for accountability purposes</t>
|
||
<t>Action descriptions ("exec_act") for audit trail completeness</t>
|
||
<t>Timestamps ("iat", "exp") for temporal ordering</t>
|
||
</list></t>
|
||
|
||
<t>ECTs are designed to NOT reveal:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>Actual input or output data values (replaced with cryptographic
|
||
hashes via "inp_hash" and "out_hash")</t>
|
||
<t>Internal computation details or intermediate steps</t>
|
||
<t>Proprietary algorithms or intellectual property</t>
|
||
<t>Personally identifiable information (PII)</t>
|
||
</list></t>
|
||
|
||
</section>
|
||
<section anchor="data-minimization"><name>Data Minimization</name>
|
||
|
||
<t>Implementations <bcp14>SHOULD</bcp14> minimize the information included in ECTs.
|
||
The "exec_act" claim <bcp14>SHOULD</bcp14> use structured identifiers (e.g.,
|
||
"process_payment") rather than natural language descriptions.
|
||
Extension keys in "ext" (<xref target="extension-claims"/>) deserve particular
|
||
attention: human-readable values risk exposing sensitive operational
|
||
details. See <xref target="extension-claims"/> for guidance on using
|
||
structured identifiers.</t>
|
||
|
||
</section>
|
||
<section anchor="storage-and-access-control"><name>Storage and Access Control</name>
|
||
|
||
<t>ECTs stored in audit ledgers <bcp14>SHOULD</bcp14> be access-controlled so that
|
||
only authorized auditors can read them. Implementations <bcp14>SHOULD</bcp14>
|
||
consider encryption at rest for ledger storage. ECTs provide
|
||
structural records of execution ordering; they are not intended
|
||
for public disclosure.</t>
|
||
|
||
<t>Full input and output data (corresponding to the hashes in ECTs)
|
||
<bcp14>SHOULD</bcp14> be stored separately from the ledger with additional access
|
||
controls, since auditors may need to verify hash correctness but
|
||
general access to the data values is not needed.</t>
|
||
|
||
</section>
|
||
</section>
|
||
<section anchor="iana-considerations"><name>IANA Considerations</name>
|
||
|
||
<section anchor="media-type-registration"><name>Media Type Registration</name>
|
||
|
||
<t>This document requests registration of the following media type
|
||
in the "Media Types" registry maintained by IANA:</t>
|
||
|
||
<dl>
|
||
<dt>Type name:</dt>
|
||
<dd>
|
||
<t>application</t>
|
||
</dd>
|
||
<dt>Subtype name:</dt>
|
||
<dd>
|
||
<t>wimse-exec+jwt</t>
|
||
</dd>
|
||
<dt>Required parameters:</dt>
|
||
<dd>
|
||
<t>none</t>
|
||
</dd>
|
||
<dt>Optional parameters:</dt>
|
||
<dd>
|
||
<t>none</t>
|
||
</dd>
|
||
<dt>Encoding considerations:</dt>
|
||
<dd>
|
||
<t>8bit; an ECT is a JWT that is a JWS using the Compact
|
||
Serialization, which is a sequence of Base64url-encoded values
|
||
separated by period characters.</t>
|
||
</dd>
|
||
<dt>Security considerations:</dt>
|
||
<dd>
|
||
<t>See the Security Considerations section of this document.</t>
|
||
</dd>
|
||
<dt>Interoperability considerations:</dt>
|
||
<dd>
|
||
<t>none</t>
|
||
</dd>
|
||
<dt>Published specification:</dt>
|
||
<dd>
|
||
<t>This document</t>
|
||
</dd>
|
||
<dt>Applications that use this media type:</dt>
|
||
<dd>
|
||
<t>Applications that implement agentic workflows requiring execution
|
||
context tracing and audit trails.</t>
|
||
</dd>
|
||
<dt>Additional information:</dt>
|
||
<dd>
|
||
<t>Magic number(s): none
|
||
File extension(s): none
|
||
Macintosh file type code(s): none</t>
|
||
</dd>
|
||
<dt>Person and email address to contact for further information:</dt>
|
||
<dd>
|
||
<t>Christian Nennemann, ietf@nennemann.de</t>
|
||
</dd>
|
||
<dt>Intended usage:</dt>
|
||
<dd>
|
||
<t>COMMON</t>
|
||
</dd>
|
||
<dt>Restrictions on usage:</dt>
|
||
<dd>
|
||
<t>none</t>
|
||
</dd>
|
||
<dt>Author:</dt>
|
||
<dd>
|
||
<t>Christian Nennemann</t>
|
||
</dd>
|
||
<dt>Change controller:</dt>
|
||
<dd>
|
||
<t>IETF</t>
|
||
</dd>
|
||
</dl>
|
||
|
||
</section>
|
||
<section anchor="header-registration"><name>HTTP Header Field Registration</name>
|
||
|
||
<t>This document requests registration of the following header field
|
||
in the "Hypertext Transfer Protocol (HTTP) Field Name Registry"
|
||
maintained by IANA:</t>
|
||
|
||
<dl>
|
||
<dt>Field name:</dt>
|
||
<dd>
|
||
<t>Execution-Context</t>
|
||
</dd>
|
||
<dt>Status:</dt>
|
||
<dd>
|
||
<t>permanent</t>
|
||
</dd>
|
||
<dt>Specification document:</dt>
|
||
<dd>
|
||
<t>This document, <xref target="http-header"/></t>
|
||
</dd>
|
||
</dl>
|
||
|
||
</section>
|
||
<section anchor="claims-registration"><name>JWT Claims Registration</name>
|
||
|
||
<t>This document requests registration of the following claims in
|
||
the "JSON Web Token Claims" registry maintained by IANA:</t>
|
||
|
||
<texttable title="JWT Claims Registrations" anchor="_table-claims">
|
||
<ttcol align='center'>Claim Name</ttcol>
|
||
<ttcol align='left'>Claim Description</ttcol>
|
||
<ttcol align='center'>Change Controller</ttcol>
|
||
<ttcol align='center'>Reference</ttcol>
|
||
<c>wid</c>
|
||
<c>Workflow Identifier</c>
|
||
<c>IETF</c>
|
||
<c><xref target="exec-claims"/></c>
|
||
<c>exec_act</c>
|
||
<c>Action/Task Type</c>
|
||
<c>IETF</c>
|
||
<c><xref target="exec-claims"/></c>
|
||
<c>par</c>
|
||
<c>Parent Task Identifiers</c>
|
||
<c>IETF</c>
|
||
<c><xref target="exec-claims"/></c>
|
||
<c>inp_hash</c>
|
||
<c>Input Data Hash</c>
|
||
<c>IETF</c>
|
||
<c><xref target="data-integrity-claims"/></c>
|
||
<c>out_hash</c>
|
||
<c>Output Data Hash</c>
|
||
<c>IETF</c>
|
||
<c><xref target="data-integrity-claims"/></c>
|
||
<c>ext</c>
|
||
<c>Extension Object</c>
|
||
<c>IETF</c>
|
||
<c><xref target="extension-claims"/></c>
|
||
</texttable>
|
||
|
||
</section>
|
||
</section>
|
||
|
||
|
||
</middle>
|
||
|
||
<back>
|
||
|
||
|
||
<references title='References' anchor="sec-combined-references">
|
||
|
||
<references title='Normative References' anchor="sec-normative-references">
|
||
|
||
|
||
|
||
<reference anchor="RFC7515">
|
||
<front>
|
||
<title>JSON Web Signature (JWS)</title>
|
||
<author fullname="M. Jones" initials="M." surname="Jones"/>
|
||
<author fullname="J. Bradley" initials="J." surname="Bradley"/>
|
||
<author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
|
||
<date month="May" year="2015"/>
|
||
<abstract>
|
||
<t>JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="RFC" value="7515"/>
|
||
<seriesInfo name="DOI" value="10.17487/RFC7515"/>
|
||
</reference>
|
||
<reference anchor="RFC7517">
|
||
<front>
|
||
<title>JSON Web Key (JWK)</title>
|
||
<author fullname="M. Jones" initials="M." surname="Jones"/>
|
||
<date month="May" year="2015"/>
|
||
<abstract>
|
||
<t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="RFC" value="7517"/>
|
||
<seriesInfo name="DOI" value="10.17487/RFC7517"/>
|
||
</reference>
|
||
<reference anchor="RFC7519">
|
||
<front>
|
||
<title>JSON Web Token (JWT)</title>
|
||
<author fullname="M. Jones" initials="M." surname="Jones"/>
|
||
<author fullname="J. Bradley" initials="J." surname="Bradley"/>
|
||
<author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
|
||
<date month="May" year="2015"/>
|
||
<abstract>
|
||
<t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="RFC" value="7519"/>
|
||
<seriesInfo name="DOI" value="10.17487/RFC7519"/>
|
||
</reference>
|
||
<reference anchor="RFC7518">
|
||
<front>
|
||
<title>JSON Web Algorithms (JWA)</title>
|
||
<author fullname="M. Jones" initials="M." surname="Jones"/>
|
||
<date month="May" year="2015"/>
|
||
<abstract>
|
||
<t>This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers.</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="RFC" value="7518"/>
|
||
<seriesInfo name="DOI" value="10.17487/RFC7518"/>
|
||
</reference>
|
||
<reference anchor="RFC9562">
|
||
<front>
|
||
<title>Universally Unique IDentifiers (UUIDs)</title>
|
||
<author fullname="K. Davis" initials="K." surname="Davis"/>
|
||
<author fullname="B. Peabody" initials="B." surname="Peabody"/>
|
||
<author fullname="P. Leach" initials="P." surname="Leach"/>
|
||
<date month="May" year="2024"/>
|
||
<abstract>
|
||
<t>This specification defines UUIDs (Universally Unique IDentifiers) --
|
||
also known as GUIDs (Globally Unique IDentifiers) -- and a Uniform
|
||
Resource Name namespace for UUIDs. A UUID is 128 bits long and is
|
||
intended to guarantee uniqueness across space and time. UUIDs were
|
||
originally used in the Apollo Network Computing System (NCS), later
|
||
in the Open Software Foundation's (OSF's) Distributed Computing
|
||
Environment (DCE), and then in Microsoft Windows platforms.</t>
|
||
<t>This specification is derived from the OSF DCE specification with the
|
||
kind permission of the OSF (now known as "The Open Group"). Information from earlier versions of the OSF DCE specification have
|
||
been incorporated into this document. This document obsoletes RFC
|
||
4122.</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="RFC" value="9562"/>
|
||
<seriesInfo name="DOI" value="10.17487/RFC9562"/>
|
||
</reference>
|
||
<reference anchor="RFC9110">
|
||
<front>
|
||
<title>HTTP Semantics</title>
|
||
<author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
|
||
<author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
|
||
<author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
|
||
<date month="June" year="2022"/>
|
||
<abstract>
|
||
<t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
|
||
<t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="STD" value="97"/>
|
||
<seriesInfo name="RFC" value="9110"/>
|
||
<seriesInfo name="DOI" value="10.17487/RFC9110"/>
|
||
</reference>
|
||
|
||
<reference anchor="I-D.ietf-wimse-arch">
|
||
<front>
|
||
<title>Workload Identity in a Multi System Environment (WIMSE) Architecture</title>
|
||
<author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
|
||
<organization>CyberArk</organization>
|
||
</author>
|
||
<author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
|
||
<organization>Zscaler</organization>
|
||
</author>
|
||
<author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
|
||
<organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
|
||
</author>
|
||
<date day="30" month="September" year="2025"/>
|
||
<abstract>
|
||
<t> The increasing prevalence of cloud computing and micro service
|
||
architectures has led to the rise of complex software functions being
|
||
built and deployed as workloads, where a workload is defined as a
|
||
running instance of software executing for a specific purpose. This
|
||
document discusses an architecture for designing and standardizing
|
||
protocols and payloads for conveying workload identity and security
|
||
context information.
|
||
|
||
</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="Internet-Draft" value="draft-ietf-wimse-arch-06"/>
|
||
|
||
</reference>
|
||
|
||
<reference anchor="I-D.ietf-wimse-s2s-protocol">
|
||
<front>
|
||
<title>WIMSE Workload-to-Workload Authentication</title>
|
||
<author fullname="Brian Campbell" initials="B." surname="Campbell">
|
||
<organization>Ping Identity</organization>
|
||
</author>
|
||
<author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
|
||
<organization>CyberArk</organization>
|
||
</author>
|
||
<author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
|
||
<organization>SPIRL</organization>
|
||
</author>
|
||
<author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
|
||
<organization>Intuit</organization>
|
||
</author>
|
||
<date day="16" month="October" year="2025"/>
|
||
<abstract>
|
||
<t> The WIMSE architecture defines authentication and authorization for
|
||
software workloads in a variety of runtime environments, from the
|
||
most basic ones up to complex multi-service, multi-cloud, multi-
|
||
tenant deployments. This document defines the simplest, atomic unit
|
||
of this architecture: the protocol between two workloads that need to
|
||
verify each other's identity in order to communicate securely. The
|
||
scope of this protocol is a single HTTP request-and-response pair.
|
||
To address the needs of different setups, we propose two protocols,
|
||
one at the application level and one that makes use of trusted TLS
|
||
transport. These two protocols are compatible, in the sense that a
|
||
single call chain can have some calls use one protocol and some use
|
||
the other. Workload A can call Workload B with mutual TLS
|
||
authentication, while the next call from Workload B to Workload C
|
||
would be authenticated at the application level.
|
||
|
||
</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="Internet-Draft" value="draft-ietf-wimse-s2s-protocol-07"/>
|
||
|
||
</reference>
|
||
<reference anchor="RFC2119">
|
||
<front>
|
||
<title>Key words for use in RFCs to Indicate Requirement Levels</title>
|
||
<author fullname="S. Bradner" initials="S." surname="Bradner"/>
|
||
<date month="March" year="1997"/>
|
||
<abstract>
|
||
<t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="BCP" value="14"/>
|
||
<seriesInfo name="RFC" value="2119"/>
|
||
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
|
||
</reference>
|
||
<reference anchor="RFC8174">
|
||
<front>
|
||
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
|
||
<author fullname="B. Leiba" initials="B." surname="Leiba"/>
|
||
<date month="May" year="2017"/>
|
||
<abstract>
|
||
<t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="BCP" value="14"/>
|
||
<seriesInfo name="RFC" value="8174"/>
|
||
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
|
||
</reference>
|
||
|
||
|
||
|
||
</references>
|
||
|
||
<references title='Informative References' anchor="sec-informative-references">
|
||
|
||
|
||
|
||
<reference anchor="RFC3552">
|
||
<front>
|
||
<title>Guidelines for Writing RFC Text on Security Considerations</title>
|
||
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
|
||
<author fullname="B. Korver" initials="B." surname="Korver"/>
|
||
<date month="July" year="2003"/>
|
||
<abstract>
|
||
<t>All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="BCP" value="72"/>
|
||
<seriesInfo name="RFC" value="3552"/>
|
||
<seriesInfo name="DOI" value="10.17487/RFC3552"/>
|
||
</reference>
|
||
<reference anchor="RFC8693">
|
||
<front>
|
||
<title>OAuth 2.0 Token Exchange</title>
|
||
<author fullname="M. Jones" initials="M." surname="Jones"/>
|
||
<author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
|
||
<author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
|
||
<author fullname="J. Bradley" initials="J." surname="Bradley"/>
|
||
<author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
|
||
<date month="January" year="2020"/>
|
||
<abstract>
|
||
<t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="RFC" value="8693"/>
|
||
<seriesInfo name="DOI" value="10.17487/RFC8693"/>
|
||
</reference>
|
||
<reference anchor="RFC9421">
|
||
<front>
|
||
<title>HTTP Message Signatures</title>
|
||
<author fullname="A. Backman" initials="A." role="editor" surname="Backman"/>
|
||
<author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
|
||
<author fullname="M. Sporny" initials="M." surname="Sporny"/>
|
||
<date month="February" year="2024"/>
|
||
<abstract>
|
||
<t>This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where the full HTTP message may not be known to the signer and where the message may be transformed (e.g., by intermediaries) before reaching the verifier. This document also describes a means for requesting that a signature be applied to a subsequent HTTP message in an ongoing HTTP exchange.</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="RFC" value="9421"/>
|
||
<seriesInfo name="DOI" value="10.17487/RFC9421"/>
|
||
</reference>
|
||
|
||
<reference anchor="I-D.ni-wimse-ai-agent-identity">
|
||
<front>
|
||
<title>WIMSE Applicability for AI Agents</title>
|
||
<author fullname="Ni Yuan" initials="N." surname="Yuan">
|
||
<organization>Huawei</organization>
|
||
</author>
|
||
<author fullname="Peter Chunchi Liu" initials="P. C." surname="Liu">
|
||
<organization>Huawei</organization>
|
||
</author>
|
||
<date day="20" month="October" year="2025"/>
|
||
<abstract>
|
||
<t> This document discusses WIMSE applicability to Agentic AI, so as to
|
||
establish independent identities and credential management mechanisms
|
||
for AI agents.
|
||
|
||
</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="Internet-Draft" value="draft-ni-wimse-ai-agent-identity-01"/>
|
||
|
||
</reference>
|
||
|
||
<reference anchor="SPIFFE" target="https://spiffe.io/docs/latest/spiffe-about/overview/">
|
||
<front>
|
||
<title>Secure Production Identity Framework for Everyone (SPIFFE)</title>
|
||
<author >
|
||
<organization></organization>
|
||
</author>
|
||
<date />
|
||
</front>
|
||
</reference>
|
||
<reference anchor="OPENTELEMETRY" target="https://opentelemetry.io/docs/specs/otel/">
|
||
<front>
|
||
<title>OpenTelemetry Specification</title>
|
||
<author >
|
||
<organization>Cloud Native Computing Foundation</organization>
|
||
</author>
|
||
<date />
|
||
</front>
|
||
</reference>
|
||
|
||
|
||
|
||
<reference anchor="I-D.ietf-scitt-architecture">
|
||
<front>
|
||
<title>An Architecture for Trustworthy and Transparent Digital Supply Chains</title>
|
||
<author fullname="Henk Birkholz" initials="H." surname="Birkholz">
|
||
<organization>Fraunhofer SIT</organization>
|
||
</author>
|
||
<author fullname="Antoine Delignat-Lavaud" initials="A." surname="Delignat-Lavaud">
|
||
<organization>Microsoft Research</organization>
|
||
</author>
|
||
<author fullname="Cedric Fournet" initials="C." surname="Fournet">
|
||
<organization>Microsoft Research</organization>
|
||
</author>
|
||
<author fullname="Yogesh Deshpande" initials="Y." surname="Deshpande">
|
||
<organization>ARM</organization>
|
||
</author>
|
||
<author fullname="Steve Lasker" initials="S." surname="Lasker">
|
||
</author>
|
||
<date day="10" month="October" year="2025"/>
|
||
<abstract>
|
||
<t> Traceability in supply chains is a growing security concern. While
|
||
verifiable data structures have addressed specific issues, such as
|
||
equivocation over digital certificates, they lack a universal
|
||
architecture for all supply chains. This document defines such an
|
||
architecture for single-issuer signed statement transparency. It
|
||
ensures extensibility, interoperability between different
|
||
transparency services, and compliance with various auditing
|
||
procedures and regulatory requirements.
|
||
|
||
</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="Internet-Draft" value="draft-ietf-scitt-architecture-22"/>
|
||
|
||
</reference>
|
||
<reference anchor="RFC9449">
|
||
<front>
|
||
<title>OAuth 2.0 Demonstrating Proof of Possession (DPoP)</title>
|
||
<author fullname="D. Fett" initials="D." surname="Fett"/>
|
||
<author fullname="B. Campbell" initials="B." surname="Campbell"/>
|
||
<author fullname="J. Bradley" initials="J." surname="Bradley"/>
|
||
<author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
|
||
<author fullname="M. Jones" initials="M." surname="Jones"/>
|
||
<author fullname="D. Waite" initials="D." surname="Waite"/>
|
||
<date month="September" year="2023"/>
|
||
<abstract>
|
||
<t>This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="RFC" value="9449"/>
|
||
<seriesInfo name="DOI" value="10.17487/RFC9449"/>
|
||
</reference>
|
||
|
||
<reference anchor="I-D.ietf-oauth-transaction-tokens">
|
||
<front>
|
||
<title>Transaction Tokens</title>
|
||
<author fullname="Atul Tulshibagwale" initials="A." surname="Tulshibagwale">
|
||
<organization>SGNL</organization>
|
||
</author>
|
||
<author fullname="George Fletcher" initials="G." surname="Fletcher">
|
||
<organization>Practical Identity LLC</organization>
|
||
</author>
|
||
<author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
|
||
<organization>Defakto Security</organization>
|
||
</author>
|
||
<date day="24" month="January" year="2026"/>
|
||
<abstract>
|
||
<t> Transaction Tokens (Txn-Tokens) are designed to maintain and
|
||
propagate user identity and authorization context across workloads
|
||
within a trusted domain during the processing of external requests,
|
||
such as API calls. They ensure that this context is preserved
|
||
throughout the call chain, even when new transactions are initiated
|
||
internally, thereby enhancing security and consistency in complex,
|
||
multi-service architectures.
|
||
|
||
</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="Internet-Draft" value="draft-ietf-oauth-transaction-tokens-07"/>
|
||
|
||
</reference>
|
||
|
||
<reference anchor="I-D.oauth-transaction-tokens-for-agents">
|
||
<front>
|
||
<title>Transaction Tokens For Agents</title>
|
||
<author fullname="Ashay Raut" initials="A." surname="Raut">
|
||
<organization>Amazon</organization>
|
||
</author>
|
||
<date day="10" month="February" year="2026"/>
|
||
<abstract>
|
||
<t> This document specifies an extension to the OAuth Transaction Tokens
|
||
framework (https://drafts.oauth.net/oauth-transaction-tokens/draft-
|
||
ietf-oauth-transaction-tokens.html) to support agent context
|
||
propagation within Transaction Tokens for agent-based workloads. The
|
||
extension defines two new context fields: 'actor' and 'principal'.
|
||
The 'actor' field identifies the agent performing the action, while
|
||
the 'principal' field identifies the human or system entity that
|
||
initiated the agent's action. For autonomous agents operating
|
||
independently, the 'principal' field MAY be omitted. These
|
||
additional context fields enable services within the call graph to
|
||
make more granular access control decisions, thereby enhancing
|
||
security.
|
||
|
||
</t>
|
||
</abstract>
|
||
</front>
|
||
<seriesInfo name="Internet-Draft" value="draft-oauth-transaction-tokens-for-agents-04"/>
|
||
|
||
</reference>
|
||
|
||
|
||
|
||
</references>
|
||
|
||
</references>
|
||
|
||
|
||
<?line 1078?>
|
||
|
||
<section numbered="false" anchor="use-cases"><name>Use Cases</name>
|
||
|
||
<t>This section describes a representative use case demonstrating how
|
||
ECTs provide structured execution records.</t>
|
||
|
||
<t>Note: task identifiers in this section are abbreviated for
|
||
readability. In production, all "jti" values are required to be
|
||
UUIDs per <xref target="exec-claims"/>.</t>
|
||
|
||
<section numbered="false" anchor="cross-organization-financial-trading"><name>Cross-Organization Financial Trading</name>
|
||
|
||
<t>In a cross-organization trading workflow, an investment bank's
|
||
agents coordinate with an external credit rating agency. The
|
||
agents operate in separate trust domains with a federation
|
||
relationship. The DAG records that independent assessments from
|
||
both organizations were completed before trade execution.</t>
|
||
|
||
<figure title="Cross-Organization Trading Workflow" anchor="fig-finance"><artwork><![CDATA[
|
||
Trust Domain: bank.example
|
||
Agent A1 (Portfolio Risk):
|
||
jti: task-001 par: []
|
||
iss: spiffe://bank.example/agent/risk
|
||
exec_act: analyze_portfolio_risk
|
||
|
||
Trust Domain: ratings.example (external)
|
||
Agent B1 (Credit Rating):
|
||
jti: task-002 par: []
|
||
iss: spiffe://ratings.example/agent/credit
|
||
exec_act: assess_credit_rating
|
||
|
||
Trust Domain: bank.example
|
||
Agent A2 (Compliance):
|
||
jti: task-003 par: [task-001, task-002]
|
||
iss: spiffe://bank.example/agent/compliance
|
||
exec_act: verify_trade_compliance
|
||
|
||
Agent A3 (Execution):
|
||
jti: task-004 par: [task-003]
|
||
iss: spiffe://bank.example/agent/execution
|
||
exec_act: execute_trade
|
||
]]></artwork></figure>
|
||
|
||
<t>The resulting DAG:</t>
|
||
|
||
<figure title="Cross-Organization DAG" anchor="fig-finance-dag"><artwork><![CDATA[
|
||
task-001 (analyze_portfolio_risk) task-002 (assess_credit_rating)
|
||
[bank.example] [ratings.example]
|
||
\ /
|
||
v v
|
||
task-003 (verify_trade_compliance)
|
||
[bank.example]
|
||
|
|
||
v
|
||
task-004 (execute_trade)
|
||
[bank.example]
|
||
]]></artwork></figure>
|
||
|
||
<t>Task 003 has two parents from different trust domains,
|
||
demonstrating cross-organizational fan-in. The compliance agent
|
||
verifies both parent ECTs — one signed by a local key and one by
|
||
a federated key from the rating agency's trust domain.</t>
|
||
|
||
</section>
|
||
</section>
|
||
<section numbered="false" anchor="related-work"><name>Related Work</name>
|
||
|
||
<section numbered="false" anchor="wimse-workload-identity"><name>WIMSE Workload Identity</name>
|
||
|
||
<t>The WIMSE architecture <xref target="I-D.ietf-wimse-arch"/> and service-to-
|
||
service protocol <xref target="I-D.ietf-wimse-s2s-protocol"/> provide the
|
||
identity foundation upon which ECTs are built. WIT/WPT answer
|
||
"who is this agent?" and "does it control the claimed key?" while
|
||
ECTs record "what did this agent do?" Together they form an
|
||
identity-plus-accountability framework for regulated agentic
|
||
systems.</t>
|
||
|
||
</section>
|
||
<section numbered="false" anchor="oauth-20-token-exchange-and-the-act-claim"><name>OAuth 2.0 Token Exchange and the "act" Claim</name>
|
||
|
||
<t><xref target="RFC8693"/> defines the OAuth 2.0 Token Exchange protocol and
|
||
registers the "act" (Actor) claim in the JWT Claims registry.
|
||
The "act" claim creates nested JSON objects representing a
|
||
delegation chain: "who is acting on behalf of whom." While
|
||
the nesting superficially resembles a chain, it is strictly
|
||
linear (each "act" object contains at most one nested "act"),
|
||
represents authorization delegation rather than task execution,
|
||
and carries no task identifiers or input/output integrity
|
||
data. The "act" chain cannot represent
|
||
branching (fan-out) or convergence (fan-in) and therefore
|
||
cannot form a DAG.</t>
|
||
|
||
<t>ECTs intentionally use the distinct claim name "exec_act" for the
|
||
action/task type to avoid collision with the "act" claim. The
|
||
two concepts are orthogonal: "act" records "who authorized whom,"
|
||
ECTs record "what was done, in what order."</t>
|
||
|
||
</section>
|
||
<section numbered="false" anchor="transaction-tokens"><name>Transaction Tokens</name>
|
||
|
||
<t>OAuth Transaction Tokens <xref target="I-D.ietf-oauth-transaction-tokens"/>
|
||
propagate authorization context across workload call chains.
|
||
The Txn-Token "req_wl" claim accumulates a comma-separated list
|
||
of workloads that requested replacement tokens, which is the
|
||
closest existing mechanism to call-chain recording.</t>
|
||
|
||
<t>However, "req_wl" cannot form a DAG because:</t>
|
||
|
||
<t><list style="symbols">
|
||
<t>It is linear: a comma-separated string with no branching or
|
||
merging representation. When a workload fans out to multiple
|
||
downstream services, each receives the same "req_wl" value and
|
||
the branching is invisible.</t>
|
||
<t>It is incomplete: only workloads that request a replacement
|
||
token from the Transaction Token Service appear in "req_wl";
|
||
workloads that forward the token unchanged are not recorded.</t>
|
||
<t>It carries no task-level granularity, no parent references,
|
||
and no execution content.</t>
|
||
<t>It cannot represent convergence (fan-in): when two independent
|
||
paths must both complete before a dependent task proceeds, a
|
||
linear "req_wl" string cannot express that relationship.</t>
|
||
</list></t>
|
||
|
||
<t>Extensions for agentic use cases
|
||
(<xref target="I-D.oauth-transaction-tokens-for-agents"/>) add agent
|
||
identity and constraints ("agentic_ctx") but no execution
|
||
ordering or DAG structure.</t>
|
||
|
||
<t>ECTs and Transaction Tokens are complementary: a Txn-Token
|
||
propagates authorization context ("this request is authorized
|
||
for scope X on behalf of user Y"), while an ECT records
|
||
execution accountability ("task T was performed, depending on
|
||
tasks P1 and P2"). An
|
||
agent request could carry both a Txn-Token for authorization
|
||
and an ECT for execution recording. The WPT "tth" claim
|
||
defined in <xref target="I-D.ietf-wimse-s2s-protocol"/> can hash-bind a
|
||
WPT to a co-present Txn-Token; a similar binding mechanism
|
||
for ECTs is a potential future extension.</t>
|
||
|
||
</section>
|
||
<section numbered="false" anchor="distributed-tracing-opentelemetry"><name>Distributed Tracing (OpenTelemetry)</name>
|
||
|
||
<t>OpenTelemetry <xref target="OPENTELEMETRY"/> and similar distributed tracing
|
||
systems provide observability for debugging and monitoring. ECTs
|
||
differ in several important ways: ECTs are cryptographically
|
||
signed per-task with the agent's private key; ECTs are
|
||
tamper-evident through JWS signatures; ECTs enforce DAG validation
|
||
rules; and ECTs are designed for regulatory audit rather than
|
||
operational monitoring. OpenTelemetry data is typically controlled
|
||
by the platform operator and can be modified or deleted without
|
||
detection. ECTs and distributed traces are complementary: traces
|
||
provide observability while ECTs provide signed execution records.
|
||
ECTs may reference OpenTelemetry trace identifiers in the "ext"
|
||
claim for correlation.</t>
|
||
|
||
</section>
|
||
<section numbered="false" anchor="w3c-provenance-data-model-prov"><name>W3C Provenance Data Model (PROV)</name>
|
||
|
||
<t>The W3C PROV Data Model defines an Entity-Activity-Agent ontology
|
||
for representing provenance information. PROV's concepts map
|
||
closely to ECT structures: PROV Activities correspond to ECT
|
||
tasks, PROV Agents correspond to WIMSE workloads, and PROV's
|
||
"wasInformedBy" relation corresponds to ECT "par" references.
|
||
However, PROV uses RDF/OWL ontologies designed for post-hoc
|
||
documentation, while ECTs are runtime-embeddable JWT tokens with
|
||
cryptographic signatures. ECT audit data could be exported to
|
||
PROV format for interoperability with provenance-aware systems.</t>
|
||
|
||
</section>
|
||
<section numbered="false" anchor="scitt-supply-chain-integrity-transparency-and-trust"><name>SCITT (Supply Chain Integrity, Transparency, and Trust)</name>
|
||
|
||
<t>The SCITT architecture <xref target="I-D.ietf-scitt-architecture"/> defines a
|
||
framework for transparent and auditable supply chain records.
|
||
ECTs and SCITT are complementary: the ECT "wid" claim can serve
|
||
as a correlation identifier in SCITT Signed Statements, linking
|
||
an ECT audit trail to a supply chain transparency record.</t>
|
||
|
||
</section>
|
||
</section>
|
||
<section numbered="false" anchor="acknowledgments"><name>Acknowledgments</name>
|
||
|
||
<t>The author thanks the WIMSE working group for their foundational
|
||
work on workload identity in multi-system environments. The
|
||
concepts of Workload Identity Tokens and Workload Proof Tokens
|
||
provide the identity foundation upon which execution context
|
||
tracing is built.</t>
|
||
|
||
</section>
|
||
|
||
|
||
</back>
|
||
|
||
<!-- ##markdown-source:
|
||
H4sIAAAAAAAAA819a3bbSJbm/1hFDP0jqWpCtmzJmSlXV7csy2lV25baojMr
|
||
p7qOCyRAEmkQYAGgZJbTfWYRs4BZyyxlVjL3GRF4UK6qmTNndPIhkUA8b9zn
|
||
d29EUWSarMnTUzu6+JTOt01WFva8LJr0U2On5ce0qO2irOyLrG6qbLZt0sSe
|
||
LdOiyeb2p7L6uMjLu3pk4tmsSm+hkZ8u39xc2F5TIzOPm3RZVrtTWzeJScp5
|
||
Ea+h16SKF01UpEWRruOiiO6ydZ1G6byJHj0y9Xa2zuoa2ml2G3j48mL60hTb
|
||
9SytTk0CDZ4a6POJias0hr7P3k1H5g4GtazK7UYHMzIf0x18mpwaayObuqHN
|
||
eWj0Kb6Vl3FiswTn1uzo01gmeqcT5U+3SdbYpoqz3Jh426zKipqGf61dbPOc
|
||
Z3a+qmDNsriwb3V29ERZLeMi+2uMY4ApFUm6SQvs1b5L6zSu5qu0ogfhlSw/
|
||
tVnaLP7VLdBhkhpTlNUa3r9Nsd93L8+/PTk68b9+63/93v/6nfz6/cnTx/rr
|
||
0dEj/PUyenGIvcji4xAGPq4f19GmKptyXuanxmTFojOKJycn2vJ3T79/op0c
|
||
Pz7S1opMu8giWttIlxufuLm+fPny4pTmrjR5A5tVpfa6KpPtnHbtUt6wLytY
|
||
ZtwZos+L27TalUVqx9zMwYjbiatl2pzaVdNs6tOHD+tNtlikh1n5ECiwfpgD
|
||
DdWNfBrFs3LbPCyhpdssvXtIDRCV2UWc1yn8fXV98XZ68frizcX03c/tkV7B
|
||
Lk7TPF2nTbWzN5t0ni2yOe3y8FBKeKHRF9yIanixfljCF0P9W+vpDX8ipCYg
|
||
tbzcJvYtbQacuPUGCLxY2pfltkhoBOFu1vOsaWiTswbOGSyv26nj71v7XmJn
|
||
ERB6Uce0+FFDDEEf2vd9BBvC+wuPmiiCIzMD7gHPGDNdZbWFmW7XSPFJusiK
|
||
tO7zC2U944vzaX0wsXCK4FP4BCfTlLZZpcR+6Mw6ksgK+2abN5m92dVNurYX
|
||
xW1WlQV2BU0RNzgw4cyJdJKAtfVO/KG1OAQLlH8LxGrqbFmkyQSYWLWlJhJb
|
||
pXPgLrUtF7DH9ceAw8DHaWXjeVXWtWGCb0peGeA+6/W2EAqBXp7veIYJ7hxz
|
||
0d4EjazKXdas+ozMzvMYTheuwu9vrt7an9IZL6Md//6n6YHh8zqBtYMtqEMC
|
||
tWkRz3LYh5rWrbawwsB8igb+DWZqAs5H0+WZuIHoWm3r1MawrLAwtKbz3TzP
|
||
5mZZxZuVHb84++HAN4pdVemmAtYHTdH6KUOcZzCiuACeDNODl5vU0MT3LI4j
|
||
mZ8upwcwBlxHJJMa2ITFbYMPzLpM0pwanVe7TVPSmGC/N1W2zvD44Iaf2SK9
|
||
s6+m02u7SmPcwkWW5snEODKNhEwnFqmZiDghWqLDsCkrOn+0GHFeFssaSSf9
|
||
hPLA7S43XR/yCVlnSZIDa38AEqFx3A7+fmDflDAwPsZwfP5hul84fvn58wDH
|
||
//JFaby2VTnb1o0TiiTk6FwwtTQrkK/L1de2AFdZHzHAwYFg3PfX0wNYaJoN
|
||
LUaNPHee4vGQX63KGtMbbiiJYNjKRFblnRtybYMxw9LH85Ut4QM9jXYe57md
|
||
r4DA64BWdLiRmxFMwrhPaRIRn6mAPHAPX5V3KQiOSV+TIApIgefBEIuysXGS
|
||
ALXX/tiYeD4HTt3EsyyH52Fd/q0o73BId6vSbtIKDy6eo8Iym/VtMesxd6sY
|
||
ditGxgo9ARkCQdBnxIBgdO/S5RZlXQInPSCNrJiD5oSzz3d47PJyh+tWFuW6
|
||
3NZ8vIEZQEtmXkJbWQFt6AqGekyc2xkJmyqjE/SiXNPK1ltY97g2sE55s5qD
|
||
njaBs1TExTydEH3k5RIPxRxoLv3LFjhGwG4mrGkhZzIBj8UBrmkuCbAwFAjR
|
||
Ov6Iy4UNema0T9aEosSqKCEibEkGmrXsVVrTU8t4Y2dpc5fC9g9sc9h7f0+l
|
||
i4AqdYGfMUf2g5LJ8rbC87A3WSKcsL2vZ7X0DwyKvuWzsl/P+vJlIqQvyi+8
|
||
05N5wP7ShITALLW3sMSwA9Q9senqNk2E0xvhGMDt1ykcpiKr1/iakjjNSzaW
|
||
9oD4d4vzmriutxUSBJ4i4HZwxqC7tb1pYInwJdzHKk1hxBVtAa4U0AzOFnTD
|
||
CpuNNzAQOOJpzeJEiV1mZkSsgTJydO9OWFACuofLul1g/QuoA9aPtoREBbA6
|
||
Ypzw0ogMI/gsq0VPy/6aJiNqFRqk990zTCowyCnKvD9MsBHg+kjHV9sGNDj7
|
||
Xw9HxjyGTt6WcCpiPF1JsM60CjTh1oLS4ETxAN6FfeZZ8bGrmsghho1DwSE6
|
||
iVIA7MQT7neoO1yXgo8pHQvQZDZ5CozBUz/2CnvfgL1HR7alY2kvJDBZpdhs
|
||
q01ZEwlcqJQsZ0hrcoCg3zJ3/KTVHCqWKNo/f25p516eMQlzM6TvpbPtcqkM
|
||
Y10WGYwTW+Ddp73XV9taQkCrILy4X9TQY9xx3OH+Tqi+iI028Rq4eZTe0mlk
|
||
Boifg8ilp3B0RqgXV47Xpp6DdlZlpZyPmzkYDvTq2WYDapUs0B5uh/o3idk9
|
||
GjYp2AeWVUM7/vwZLW/+68uXA3gXtLVAWSMVp6WjCa3hQsDbSbyMbuM8Y6uD
|
||
W7gU7Q37pvPvGa7jnU43AcqBZph5Zf5FbumsaCtlaPadT73Oha+idRXxA/IS
|
||
LWKeJsu0Ik2yWsSgXQRcqcb3+IHIPYAvk7a1KPOcpTFILwsGIhJ07TYBP4QT
|
||
ArpbYmc7nhctulOOOsoTsXGdN5EZ8nwkv8j+G7F6IW19GKx+OJ3ECWErK1TM
|
||
EhKvFkxXEI5ZvaId7z17DjIU+wHhnGeLFLXwNHwCdE2ghVt8BM4zvf8CqSaj
|
||
v3n2H2FEdyR5R2/e30xHE/6/fXtFv7+7+Pf3l+8uXuDvN6/OXr92vxh54ubV
|
||
1fvXL/xv/s3zqzdvLt6+4JfhU9v6yIzenP084jMyurqeXl69PXs9QqbftOg8
|
||
ZhMCBBVtHUgoYvy1gUM1h3Vksfj8/Pp//o+jYxCP/wUM3cdHR98De+A/vjv6
|
||
9hj+uIM94t7KAo4t/0lcH4RLGpNKRXIz3oBKktcTZEM1qJwFkGOVwtn8zR9x
|
||
Zf50an87m2+Ojn8nH+CEWx/qmrU+pDXrf9J7mRdx4KOBbtxqtj7vrHR7vGc/
|
||
t/7WdQ8+/O2/gDRJbXT03b/8znRPCGwAGI+4JWACJr3NgnNB0u/UnOJZDjRN
|
||
1aZoVdWe0uMEPGGPxTIhLU1FaU2sia1j3K1QnKGQpW7xfM2RSCwY3403Yskw
|
||
otZQuMFwUTsGKVyL4oOyOUX/X0nCGZnxCzVwz9jAtT94A5f7YovXs09n6NJi
|
||
7eOjd0hQ0BNyJF5Nb0qTxLB0lEUPIpF5D2/nkXQcAp8/i3/QmU+03AOeAVKD
|
||
rfNxdLSIJG3QF4CaKLHZ18RFdX83OLcIzxPYyev1llR5VPlp2eEwkYHc2y5Y
|
||
CeixTml3nFI6YZryOgOuBVhcbqgwiD0GKdujvBAseOaeNRILRu7uiPCb2jNo
|
||
N7gGGS8Mi1lv2Fdg2bJhG3a0IYsR/gH1BvQbsTnwUTcblETAyaMc7Mfc2I68
|
||
QNolns8mVWsSJWgim6ZNVXGxxzDjudgYl3YVo9/KTTIDtQZNV9hiaGhTsg8K
|
||
9XjxyQK98C9fvsDrTSCDUCeR4ZyF1lMo9D8/6MtzUmX4vcBLaabDttg+h0Wo
|
||
5HzFGUFHm/T04Z2GebX3WoXseHRp4zXHPOwfiKeFX/88Ogg777s5wp4DIkBn
|
||
4QqdHOjawdOOkhb0y3KekenCm0XWBY4AzbWqzOkdfBIJR4ZEAyD3T7QqN111
|
||
4zaL2Qt2j4NlgL+2XSxdPh+aEaGZK4Yjsiw2CpDrI+k1pfFaX1t5ClwizIT2
|
||
OFBok98RG2ImCasqVpu3yUqnYWZVy8JDQ8htNSyXODexpcCT6+elJnhkX4Px
|
||
RAdrzmoSewyg+Q3yEJAJdVnVA4atNxaI1i+cdf8GXZDAtJH3scdX1gXmDgsh
|
||
h3jvEufxLq2MuiFwVd060Ve0sPhxzOYBtUHfwAr+53/+J4xrnoHBVzXmn6K/
|
||
++efzK9qQL+m3sZ63A7s3p9f8SV8bXpq26dpzJGX04cPm+Qh7ebDTwej8J1r
|
||
fofPz/3nAF/6h6a0d9h7vrj9h1cOzRVZNy+0z1obfGD/SJYcRpD+JKsAr8Eq
|
||
TL3sRYuy5SZfp2BPtpebf1iJeShaC5gq9QpdEkOz/f987a42LNBObahrAAE6
|
||
zYK5w4EbAi3DiA4aaLZoI7BKgk6DktypgW04+j9ZBThX5vOpfbDIlhGdtZrj
|
||
gv/s4uF6+ltSkkihHn0R4z30AG7V6Sg8k+MXluIXE+Ebtf39T1OJ+hh2Yjs/
|
||
EX4j7QnjCHS+iRiLzARrUbNFnyC3cL5lHSAQdawJd7jzImP394MHLZF/XWbI
|
||
mD8/CGQ+qED4IUwWdEM8CC6sU3/dL+BiDvCQ8YLIuacCRwe0/PsrF1+xo48Z
|
||
0PsmxpbAPrFkk1XpAnRsmC4L4e0M41Msg/28oPdyzawUOcw3uE5TDNfAVGWg
|
||
7DMnJwJZi9T7CPSpEW+LFeMMI2Jueqhq9FfR+WCc0nX5ItC7Dg7DCdIkZql4
|
||
l/zyUaxLdIqORiEKzuB8tFmlsjhflhU8vLbj1lLC58FSHtAwoF0Y9lwadi96
|
||
AzDt6JXc6U8gmukIEvNexx/ZM0/+HdGI+ZBK1GZJHjPc/V4QToeXYVSnqtAT
|
||
7oJuHYIyErDpiULq9530S/uufloYBP/6HMPevQDRKXKN36Ka5kXR2e/gyd4w
|
||
+Ulc5qqtxaBNmvyuxUMCL5bjJDTEVzzVmyaeo1aCrINXclAFFQ0U3dG3YKcR
|
||
k9yA9vAVdW+iipVQL/MDUDQa4xeWyXlKTAEmxRGBlkHmPeksqkxZiM6L1gqc
|
||
PfIMwwifuaOTIfNxgBjQ6Lg9CgGpJksOdzqxSOGHrJvCkqYZ23G0BWPZswNp
|
||
gcx5NrFdFGAqoVHWjg5O7Y/6qGzjgCGIBIj72LKBSE1pTR3s3YXME6h2I4Ce
|
||
ryz7IXv7cR3G7YgQjO2dGOBMMUKbGha6YyPdYpdzsmzFFaIeAvTmq7yEkTHb
|
||
ShNo94wkIosaWaqEvaocGSMRyVEEep8Mvn0Oh5fMwj4/CLzIzO73vICUOQhW
|
||
CKWVYC7QNRQ8fAMfxiRF4YUb/8IJLKTgEIhLAiMy8ADBYkCHtzcwyTgX8xgX
|
||
OrWzuE6fHm+rPAKyBAGbmD/z2TvcxDs8U4e1dvZnYdMHti7ZsqP43BxYF7Bj
|
||
ZT9ZYWJLYdW05bG+jfNtytKS+Kqc5s8PfimBGsRrzQTdFWM0F9R+Y2GqXgg6
|
||
hixs7ZcaTOnPsGfErxHYd/P45Ologp80uw1+Iig72JV/+uWu4a9QTsJXHC+M
|
||
IzhbUZZER4+fjMyXNnPiEQlbcgOVyVx8itHyQ84E3aO/Qh2eEvBPsiV6UK1b
|
||
067UAMrD75QpHMLgaPZDYma/hLH20lmgbLlRI/V2Q6ECWhNHNN8R0eDoaM3g
|
||
Zdoqqw5c3NxRAVboCB672a0Rs4Umno4DbP30cHk4sa+wWVzOVzdPvjvGv0+O
|
||
Hh+02sE5kp+TaFTD3nGtraKDRpeGsZfQcVSlGziJ6hKCbeysrNMIUpKb3R3G
|
||
zxIOrG2zesXRW8uSjiUsKoyIsqwn5AGFZ13A1itmcxcvoFiVpTcC5YpWDfVB
|
||
IKaBre/oV6qFKfrCc3UaGDbfVlbcfn1L+/VePAbCtyoyzvOy/Gi3G+HURBjz
|
||
ptU0rKinvY4HEU8mLMQ5I6ngYN41ESvYwbkUrqDHsbazUmFJEfo9oDGUtC1d
|
||
XLT0FkigC9y61xNLg3uAkt83ysPsemcG+m05fJVUFHQF3AqhKzsyM40B7bWz
|
||
dTcN+qWvqvfvLinkDf/Xbdzp3rEPUdxaxopKsE9RzpxuMWNNwnvkHBAU9V/H
|
||
60iu/Nl5C35L8jdi+fu7h7+FJV/97s8T1UV1UKN6O1NNXBxuoeqLEe4iUp08
|
||
GCKZi6iz89HA+dbzVYpBAT3nwNVv4IvXNXur3797e/r+PY7Ym0WosoP43L+Y
|
||
iNQBiRFTjLy9yLijaB+hscru92yTQcvj+kBnwiv8PJ3HOFJiJgTOQNZCBEkB
|
||
MY7s48KkdR0vBVHHhq84udhyGcFnHaslEDfOfcbnTPz3pBtlKUOEgFfAR3Se
|
||
dsEALxENsEHwZ0bmVobOihhBpPD5b+Cf35CxiI5JMhBhH/IMyfE3vzmlMBya
|
||
BaIbErkyzypYDxN1j3zVInALPFFiL8ik9Jw2zmlIdGZ7hhghdYb0SadFqqaq
|
||
2AqkzbsYNbOsUZ1Jgs0l6gSrOF/ojvEZOXQT5wASzlze8Hj3ocnjlw1bcvDD
|
||
MaF811LUtGuh0niBTDm2v5Sk/FrREn2kRaAbqGIOLJbOJNCD/eDZ44y9oi7f
|
||
He8a1eNZoFICTyOiVAU62CbnsXRB+sAC0GEp04oL2Xc6NzJY3Ccm+YBGeQ34
|
||
6f/448jxjpQVlEOYu7gccSgjeXL4OQYQPRRP0X/8CcGLF4gpVNFjgT3MPwpR
|
||
EZllwEYwOuy92BRHrpWn0QRoOYFJMggH5CjZLrhdBx73wQFBjEv4iGGN1BUK
|
||
cWphk5MwpjVdeqcEtudJGSF/BHkilCu0EXoG5G3q6fIFDXYEn42cdoR7QeSM
|
||
iBf3Pp3NhlzVlQaPsLlqi3HKeIbOW9SyMbou09GDhFwDWoCtlYMPD/2v//bf
|
||
8Ti1rUE9RTwG1jSs404ycFwSWFRQlDps9+12DVs1fwFTl7k02RoWFdjWKhO1
|
||
koYD3JPOaYIqpEp8DX/GDuyUSEBgwoYADAv6lGGhYpPD4cTNoUPRMEchNBm0
|
||
zzsgoCB+oB1WnaXLGAV++qmr5vWnAc9k4nWjGQXSYUAHFs5OWiJuIezTCf7n
|
||
6MSus4KC6Mw0aDqogYFGhdBomcMGbGXYsiJBrO0qQ1ygqh0cy4zB+CA/wzwv
|
||
5wjnqT8ClUgMHaMlRB0wUDHcW8rKqJgtRnb8FpbleQrtpQcikBhe5ZxKRPiz
|
||
UPLJ6nZ3p3ZhJkIlYRQ6RS06zXdmC+YCbTXGaGA0vzTZoKgmlWeZlzMKMW2L
|
||
7C/btOO3C1mbCAdaL9rWUNDC2ElLEIWGtDJMyCF19ibDYJG1BFZmqhMVDQ35
|
||
mJg94nuxVWCLMN4RS/zaiXweAgeYgyGOeW9o85IUvc/I8TvDdI8jBotSvs5+
|
||
0GPl/KWeIyALfEdSEpmteFV/gaaNWN93KzBqZZgrtN1zoI4ExADGrWrC0Dqf
|
||
SkDFxI2QvtCtgmcDTBk471nt/Sm8BwUiTJHxYDgxEY5jvHB7xkfLvR7Pem+r
|
||
UEkxl2lOktVttAAklS8gljEVHbzvzfj8AA9v21LwCrno4ITkuE/FB5Xoju0m
|
||
Bd60idCJ7WBrSdZQvhseglw8vbQBoEwFapEDw8iyutV0kpVIk4LBniqRB6Xz
|
||
D0B8+84GTlVg6QoOJKMwGKNAsRDjZh2cVqSRh7eLzjISPvEBrCxkXOycEFBh
|
||
+qGOF2mzQ8jYPM7nhPP9kJSo2RJFAutIT3lplXOgeEJNmqNHsLOYnpfYkU5s
|
||
ZIHwVryUQC70CS7cbZklZEHmOUH0vJDkZ8Znc6AJ5VBVikB2kl6znS4ipsHR
|
||
IsKB6azfmer9NS0kAkqvA9kbKDKk/gcIDzyWYexPVZGUGb3bTxopnj7nzSB/
|
||
K7R0m5Xb2jlXU/XfnhU2XW9QU6GxwSFkcDRiUmxVljI0Woai7I4hIE+0nkQz
|
||
Q8NDNRPXRDBZItQ19LaKER8REwiA4+ugPOHOA2cYkcB4RucwEHcU4E41It92
|
||
PTMLQbiWE4eokaX5QqC4JSloRFaknKFs7zI7opwOB1ASIx6ocikOt99Z3bhu
|
||
wGGdFxyWZJFnc3GqXJ1t4b/XW4zH2jNBi/PgJQ6BCz8GKrLfHz1+Cvo5Kyph
|
||
GkORkMk0kUEw36e+hVO9QGwyB+YoBPgAwcoCxIEPvsKwFATtnm+vsYKBTQCU
|
||
0zgzThGxskBsKayx2OMMlaZtoAzSzQeMR+9jeNPQNWvJNUswY217w2gJNIjF
|
||
VXTz6ixCtx626owuHBz1PCH1gDDjmOPJGk18Z8t5k9Jih29Q/1kti1L76Noi
|
||
+5QmkfdAbmKwySok1W2tjD21L67La+ATzUpNamaqx8fogFG5K4ls11PyzIbP
|
||
3hsnOHXzzGqReWtUohgz7gam5zQYKlB29klpWp3RsJT/D7aBCUP2oZOcJ9pQ
|
||
jHswUqoYOWErQZCapKz84SkXI2vtkV/NUA1htQ3kfBXnkeQXBBH2kh4SLyb7
|
||
kSIVxkr/HLq6zydHq0OIOvQpo2BBhgXCISQbYgjecQoLgpH2rE4dm8AXJdUR
|
||
5BbqTQWTaJwjbVFebw16+EduXtZjJKOfc2QDNZrDvsZPCoJkNWwLDCg27ITU
|
||
bFqr0yXBkS2Lkq0z5CFTkYPkOHWSsHZZUAnaysQ0BSMwCRrGd3hmQRQcGUJV
|
||
pwqfg1FJIIat9RFM5tBZ3lvguesPlHw5OnBCeWAgph01TBBKSVqhXy3cq5Kk
|
||
H5nHM0pSLRKgH7JKblNhn3X213SikDmKFCFPx6iTk8Kx7CNh2ni/hZw8Ftti
|
||
u/Dm8aPvnwLxNOhX13OPrRnYLhLnMG44p4Eq/JUGTwwBRYe2Wh5mNbylhFOT
|
||
TG3cDFEmfEO2Hafd6MmAbeOwQ/dU4IrNY8SlCJpGzwaI+cWWvOmK9BZIyLlm
|
||
BqH8lMBQV9ZkoVXdcq8LGXSDWoiuON3jp2F/zhwEDqbfsOqI7oL7n1edkloH
|
||
s/fUHn377eNHT4+PTh5NVAdxH34rH6JqBe2enDxKvzt+9ChKH38/i46PkuMo
|
||
/vboaXR8/PTpyckxfPPoCJrGN+4kwvZodjR/nDyJ0uPFSfT02+++j+LZPInS
|
||
xaOjx0+OT/CTkfQrKiq8hTYkWK9F8qFB94FXjVERObV//BP34dgnvFIcz/59
|
||
+fPqzeKnn+LX0V+Wn36s/v1lfPVh+qmuzo8v60c/HtUvZy/uzpdLbkpFAb78
|
||
+jx+FD/+5cOn8sPJ+tH7715Nnz9/+/zt+es/PP+4/DZaRj9v0uyH369Pnh7L
|
||
9JDITu1nTnMLzzFmaKUfZPKzOYUUrf3SCSti5Qws/KGBxRbxXAtNBNHFBzZE
|
||
RExdEtDnB2EOkIAvu5AReeslshZBX7Vx76pmNWHulH+9mxtuWL4fHT0C+T6c
|
||
CK48kz1z4v4I2xAtPfNGJ2by7wtdm9CH4OLeUxXsGsTjsgSUQPm8F+YG0mnQ
|
||
c4cBvIaFHNhjWQnG2OgQOO58FaPjniFeZwrWqaVIQbwXqKOIkfp+wE4XTBKm
|
||
9TuAjUB2mAuYHy6m9mG8yeTMRuR2pe14eHR4ZF6VdXNq5TsaymFw3M0Aeifd
|
||
/X41+2GeHR4eYkjo8LA/3NZDaCrBQz2wjnTTAusonog0MdxPpjoH2un6bBmz
|
||
QRBXym108cHQjpc1nxj39t71ZarKiY6FZcvGJBPyMhkELOx4L5UKvkp4oq45
|
||
DJfEStJKPXwIR/3a2NAX1hjWOICawMxgBLeEj5wLbCN6OjWdoIgBYfP5c2iH
|
||
EN1fgmlb7HSN8M0FFalog3KQGt1oA5cVu6CAIiq3vnKWJAtFLWXT9Y9rGm2e
|
||
6zIk6pB0vrsmyJE10qC00y514TBaxED6UahvaqyIVOMA2XQmMA76A350OZdk
|
||
47WSMIkDXklRG8Gd4xbCzt2XwSRuetoJsvJCHyDMqkWzis1iq5gtUDGgHLze
|
||
uPIS8UDGsmB8xI8LK9SpogKLMDFUpoSWA4NdZXV/OrLzR7hMoZ0hbVgwF0kI
|
||
4dfcsbRSVz3yQ3JCu11qDHsvjME190tMzklfpmGJinDT9htQSCPNmEUWphWs
|
||
k81uU4Z6tZmksgJPMStVwV6/w/CKnMOAVtx0JZcA2sIErAE0jIzatAFFndnV
|
||
TbrR3PkpE75975yopxwYIjcvm6/qgBJXeQc5J2kJBJCgRJCxxv/brk2SRqQy
|
||
TWSF6HU5pX5hs0XXxXug/EDiSwE2lnUTGqu6ozmv3aN3dfTMGTAMRKg89Vd9
|
||
ImDMPD3lilNdbx1w27rxyFc6D8bHKwXFpWAlZuzsM6WYYcgEvOuJGuDZjoWG
|
||
Ai+eo1Z5wVOVko/hRABK3CRHl3P8eWI78Ew05HGS186BbjAf710nRBlO0zVo
|
||
PXFur+TUCn0E0TE83LR2YUcCJbaKklpSjEycst34mvgUtPwDNbDJsWIJNYGO
|
||
tmy5rXwciqNQTZmnlJFjx0EG7Kl98ggOH7yUIGQDG5jyZkyIERMH5KGe2j/z
|
||
L4cwGPtb0I+yPKHfORGC+vqAfX1wff1Zw42uc0noYSPLD49aaCuJzzB45PyH
|
||
yy0IaBCiVCMF/YgY/4KVVv7Iu0SY9WyNueHrDZcfQq/leftZjqdk67jKgISC
|
||
+Id1HqxW4v9Y9ipV+u95Rg/YCznjMhl+BMN0BcRLtdfEVU8MPM4U4o0t7KGx
|
||
Y/TrsLQi/e2lTz5GisCCPgEXDWSWQvAEywq2xCyGlRfnsZIS9PpNzRxCBs7J
|
||
tlznqaFRMFLgnnNwQtUhfNImhokYUDeHEV+HgtOhoFAV9jEsy46xVqYhMsGy
|
||
m51I3I0dw7FdgDRzQTTL4SDk9atsQxE4iry5ogE01MAlAjwMlDzMVdUEQZTq
|
||
oLJhlQRyqqQbHMQdKuxAHfXEdGWKzEbICYuLxJ+y9RZUDdyChs0i9P9QSYI1
|
||
aIDtg3gExvIjICNQEoQfEUOj+DNVksEaL04s08YYF890gj9g5h5kFmwPyNBX
|
||
WLEBieZ94RluEJIw5rJoFRlp4dfigG96EuswfWb4GNrAY7FLCQ7T4+5w+uM8
|
||
kGYSG8PjY1Dv9FIYFQhiR2xoTGyy1eJpQZrfkuoUmHDoXh6AeY/by8VhBA/m
|
||
4FawMIOA2RA16rIO70r2BIlWICuHEyUpwXEPqSVxi8TDkpllgSyexqas53Cu
|
||
sA+yC2CT6Jib5e3wy7R97oTSh2S1rrtb9H73GsARXZ15Q8kaKVaDwe1DTPdt
|
||
qsv9sUBQT7josIDxrmbB0VtBsLoSJJBwJymFndOyUQSTwU1vtw9DUdo1u2JB
|
||
Aj4NRZR5gU1WamqE4OKGoSUo5p2QB1mT5WSi8NRDTT4mdbcucy7q1ObUPkuq
|
||
Ssm7a7aFPiwwEYrq0GgwlZ59Bzg99yUzVFwz8qIZwqiMiWOhEoCHFlHOWVU3
|
||
B/cqFw8CxD+SFycL/BgGpD4/aNmFrC2HD1yrFdnNPxJNqfbactNSkNuIe9MK
|
||
g5F63M0uARKUlK/9djRQE3LXWOyWAO3PEkb8oOw39ohlZHMg01GBQOs49P8w
|
||
+f+oEExhJgT6V5+Ax2oD6XdR4qLD9RqgvK9eA21AGw1Z4XDf1E4Jo2wsWDdU
|
||
jCkCPcckwzTpJ5vVqnylwRuOuDUJiWH4RGRo8AeoeRvmrYVw/DYYf8Bx7pRP
|
||
7YSzAxSpp4N5RvnZUlbBA/aDGVAjHVcL7ZKXH3ZTAuvYiSrjljqVRMXeKoeH
|
||
lbnPhJkJ00gbMi8VA4JoQqdYwwmhdmDU6W2Y+9hG5rPpRcPxtqQSM2snjho7
|
||
JAgkzsL45PAxdPd0gJp03/d1iZoKaZIY12HufgtnPdk7qz2ZHuQadKoa9PZN
|
||
TU25YwsTCGs/hm3Cox+l4FtQOsnVQhPqmqdVw3wgDVtGUpnYq/Obaz7HQKqC
|
||
aOcuZlssF2W3GwS0ED//tkMJw+eNoO3iku5mwIjd08+z/K7TdJCbGrY3gJSH
|
||
9/lQdYpSeFptZeF9352Dh5O3IMUBi0Cp4GqM0vHzIGyGflEjGbFl0qcmAgut
|
||
twtY94z0aKGrLv/p4W7jmtBzApN5Jm5Fl4rIW8UOGgE1K8jUIzgIcNgGQYBu
|
||
sUVkGL7+k4I9HSxYnPmhv2cSWOm8CK25M/H6olO0BrC+R48OW+tLuBjBOClS
|
||
x8lPPUOEliHxeXTUfp2s6Ta4snDoTWAm3DmtUVyzYjRuq/s+MIjhhXpV5iCq
|
||
Ag3GKf+yth5ieqCh7vu65Yji1/Qib7rbGA+MT0BpCyP1FID2MSEzim3wjgmO
|
||
Z/HosVso9uqKr1CC5GPSGydBbG4ieEjUpZgnS14NZWameR6xYxDbBul6LRpF
|
||
x8nGfLRbPw/fATFxyekWjDEnlBTjWtsVDNhG5cxOp0rRiLwZFBZA8GSIuj9r
|
||
fj3Nhv3o+zUzDWobOQjugbxcLlv1mlyNR7Dtq6p0FkhtgiA344XQ90wn0ZFY
|
||
1+/uLAUKMKl5QFur9qwrUF+SKQe7XNNBZdWvl6zM8QJQDpF3ttLQPXA5jCB4
|
||
QL0Lu7NPj5gkNXD86IkdvyyrWZbA4T5AVyW+jxI6E+wZWRku3Ie6FH3MOp80
|
||
cmTGYKa6eqLajsvY7yey8WQEncLjAr41K5NdN6U7ZogMrHBKeyKshMx8gvcY
|
||
j+BiN4PbkmFSITNiGsYuuPC5V+RkOSXAQUvs8NoM2e3ujVlIkbEH7dIfl66a
|
||
4+cHvfqNEukQZSx0ksKx8dXIWgeIuAF6ETKq29OaIUHYy7qJViVofKAB7uqM
|
||
cY/+9IXcL6jl2S27jHueaY1ZYS/Y9aaVCGXKjXhzXCilHaFWqcTgL9xLtzd4
|
||
GmDZTQMqS1HCUdwNaUmS5BbUacNTC4cdUVoI+arNQF0jhCFkhD/QpLiJ7fsb
|
||
avTaG1LReSxhhWCtiJVJiDiMyOCsMacsrBFxL5NrSyUx27hxMcbOggnWeIsG
|
||
Fpw+tVfkjHX5VUoi3vhjm5o46LpMWE2l+rGUYiDWVtvPLYOUfGWpoI/IzCZ0
|
||
voKQUtacYrA35QhajMVoy6YsJCbmy3NbDvrBePn2E03pL8uP2w2qzjiHyxf9
|
||
MWi6c+r0pYq1/zhnhWfBqFoZBSrh5BdRcOAxZfANwT9bfQlXGSgHzQp46Y2I
|
||
GB0zrkOC/ZJfkovjqpIZJG8RilAqtcPqv0lBYSRHB+vO/VHMUrf0bFcQVFYK
|
||
5XfTiYyPEkq1c3SpYbFHJswMBA4h9vJ8W0sarqVbSbA9cuyq07VWIImYQL54
|
||
eK3Pz1vPh5UzYSTLLch9ca2TSYUXqpAO8OCBxRrYsHRSPKwNoWr4u3hOIVGu
|
||
vsb9pAnVxXkTo7vclXQHTY6/ljcPuFwj18HsGFkOHSkRqhaSXlPJ6HoSIiTW
|
||
kg6x+izwUbBIs1rrcMOefiI0I9jODdYvoZobvmNCqrXr4TmndTlr72a3IexQ
|
||
hILQUUVNqwnQNIhsl8Q0Oss7f5KFfIw/jM59tQsIVPkD9jVFLxYwkmzDtZrv
|
||
6UwfSoOYCOdVEbgTFT8J8vYj3lLxOc0X0RkQUkVfvkZ3uDq8EEodxfpdlLvv
|
||
VP4hNQQPeYSy9KZajGZycIog55XfcR4jlhlR8GKQV9EqPkSIAF93CJmumQcU
|
||
gOpehwhBAc8TISFfCVRoSUaghjb+JcFsVRTiMOZOakPGdyAAB0W+QC0K7nWg
|
||
pgyzIlc1inpo7YErKljOyXpIuDStFBWW1wgqLsXVuLZa3QnvNpweA00x+l0x
|
||
MtoCrwUoOM0KAXC7YFLkLGlirx3xuadjCVwLzynqUcLCXQ0Blx7a9B82Yts7
|
||
31sr/9bj/OWxWVWSD8J7r0ygyDB1XrWrjV7D0UNhXmeYOcK7wIqMQwLErl32
|
||
h7giX0KDLs7p7hdIRMQxOZMcxxxymAGsmU+x9A7aTglUqRrIr8MINjloiLT3
|
||
WHHbl8S2S0Rd0/UUp5TbRS8REpuu4tBq3ULCzKXYFsPLR/iPiitrit/a8SW/
|
||
uGEngfTCxPiO2GKWNCy4bEdwYVdcFyjwNYZdnUmxTAa0kALVKgPHNTILitoV
|
||
haaW6ZUPpKdlwTSENzn7I3S0q+69p0qZ1mAIC5WxHw79i31A41ClmH0VYYzo
|
||
wD4c16740ElZbJcrMEFPAYqnXXFKw49BPiuouUYk3/4eBtyfLVfnV9ycdlxT
|
||
5B/srKdDILgDNuLvMwjpZpjF4CjCEdxj7DP6Jt85lhFa/cZZ/ftiiWhtBPFn
|
||
io3k2ayKK73qyUXpnVZvOQvg3pIt7zi19Yy0AWRBkmshdKjGLmdpdBKm6457
|
||
6SQKHVVNaXz6s+Q9B8m0rH/Urex4zQdkkEZt5FGQBdtCS3r4gh5gh8S+HCJ9
|
||
5wvJPTdUUyPcAeAL/N25dhp48vQar8qRIIw/TAfgAhhUMr+05LDDpUKi0GCp
|
||
9xhOeyAQD+DzYRCZnXA8sgt4Pias7tMCC/IgBH5F+lXs7XOC1DDgsF3VUOS+
|
||
VNpa5DG5lzhvrySl1I1mH/kFBtkckQTISXGpUCuIKCOZY9Li9sWSSQQukGY1
|
||
3jqYtqxJy1rcUuo3J1sOFKehXTUU3jxzS4o1Lxz+FfWtHlaSQseqXGAGu/ey
|
||
KBCTgomd0peaQRhElAL+aDp19ayWw1NGRgG9ah2EBal5CQjXeisfRxiU6SJ/
|
||
GRPT+o7Nmg7Tmqi7jqR24fQhjGXxqjN/DcDl39ScY19riQ3mAW/iIsqKCJ6L
|
||
3tBdahjtFZpsa4PULtp3CtHnkq3OSmuVjwP7n57j0iusC0xf35BCi/+HVSm4
|
||
k1qjFpQH2C6cZe4pv/21dL+J8RecOEMy8/n0IaDHss/wjWA7nHSuJT/h+PFR
|
||
cC8OatM+wQxtbJgLsJuMA0jOhhdmgHH+guq4R5y0xJfpKVdgXfr1zUNal7Ef
|
||
tJZXFL6MdUNQJf3IFe/FYCNrJ0JR+xCLKY47hWB9G3TTkmQZhJe0WeevjcNk
|
||
WmyUKireX1C7W2HRHQy654kIDFVFb9SKx3xQlyFEm7N96PJKNVSJfwGDX6Ym
|
||
YMgc7IEDBMNe8iVrUntW6xVx9hpeUbgkUxIMMYO+CVr0PXlgKG1J5EU52ZdO
|
||
V60w6Y5z/Kh8DAPKgbGMV+WWQdVJvKsZ0LcGNXiFnpYIFt/NMazfRa53Urde
|
||
xVVyh+LFOUjelAmVgBm/unlTHxgKhqJ5AHyQHIh8vSsumrgJDzuX3HTK9gEX
|
||
lGxEH3DFV95jMY96i8ofHlO//JO+IiXAf9R1JFYUWqpUNZfCU/U2lSI5GlNH
|
||
jB2GuuihTZxVameGGm7ca46rY7WQ5RK5ENVfNMoghsyAG4kR8E1ayPxdIRp0
|
||
IfMOmEAathHAwCFH4cB87kC+c0F1GN/IDF/EdT4NR+TczeiijYUKXU1m1BQU
|
||
MCkoI0b+tKL9tc1jxjSIosnS3p8EWiSXbEG02sHiC4B/eKEQI9dwPc6N3FgK
|
||
i7GEU4MXBvbK+4doO9QFXDEYYKNynaNxmQYIuE7v/E0hZHrJIcD1p/CZ5M7I
|
||
ghj2aYVLgA6KoX2YhPVEBRhfLkyo23iqUiUoptskiO2/5VJMLTCYkTpDSpac
|
||
nBGUvi4dRr43TmAvjHTju5WUWmIpH6XKs6Z5inOUDs5LcuC4CorOcxrBlxF5
|
||
d3zy9plm7PScQyCKCE0InLIV/PPKiysA1ImkSiyhk6FCYKsgZiiBT7/TPmeJ
|
||
Rpw490gtniq3E/lOVhbZAU3WE5Zeesdm1q51X4GLtb5hNk68WmwT5uOBkS9n
|
||
mFTWtO8sGHJ1G/s1Z/eQz+AcE5iitmf/jS5F1h+RQB9rIULNP9cY1txDnbH1
|
||
K4aczlzRwVNK6GfnrR4txg2Kciv2svPJUg4cOS7EIgedm5m8m4yUYJCkYyQH
|
||
H7Jgm7A2RgslNj2zRjAaDIffBXEqgtuqdoUK6kBOkpPsXMZEnL8dz2/GjkY+
|
||
GT1oOt7o06N/LdLGB9TdwuQ09xZxM/SrICwFxxt1bbDkFDmHKT2AS29oYaBB
|
||
zigEjHe4to6VsYP3+zmVRJD8s52cv8DqczkDA/VUfFI8J/GwHUv8r+6vlPjN
|
||
uyWN2AMosAtSVPjFUoop2vGmQtt7GcYbEPc8I78k+njXZEvQ5blYToOg2Oy1
|
||
HcrUcxcDMEtlqDeMbIXXPEv9PwSHUdiEdigrFvlWUOLYE3mMu+U7GUDS9tbD
|
||
ou/38X+hpIuAYufkMxT0vc6U7FhYWPKf5b3aQd3jiGcuLtT0dWs428lBd8Vc
|
||
uM2ECEUOJzos7zmekb1ZxehCwfSBgM30OO4inlVsNgs74wvRemx2JjEoTWGV
|
||
ICm7xCWgsN7iPhrbJyeKbd7HcsWwmPdYJDvjPn++R7h94bKHqPPGUu7QcRjP
|
||
/4FleTNbmLrWuvL6gFtqPiTtLEHTwvHpAw1lw4h2NRFPA9X2ocno5pjeogAT
|
||
yfl66g3l2HBIQszf2S6MBTgkK13bm91mwFGAlGtg5P7yKU6nCIv09bbxGctK
|
||
Mc+pVMqua8V1nBGMCJYLH7tQPofiRrWWktwzrBRWdVIsB4raUV1uQhwEnePF
|
||
9S5AFmS4wlKsOXGp0RK4wwmlxkMLqPaUbqu7vpit2fDSYMaowWgLw353vXbQ
|
||
dmpF6R3YrgSfTwtCNad1O3VrVnJbFN6ONsEaRBNJ2ujsLsKlz0jxT//WC6bN
|
||
2SXvDdVarPjuBb7THq/7Qps/DWgkpbD1MyaUbqF0ut44q+bbNZdtac0guHKc
|
||
JT9lMFExZfaxsBGzxyUuVvq2iV08G7Qo4F4FVoMxY7pU+hPJR/jqaM1we2wQ
|
||
XkbXRwUErAYv3UWLoPEDlpwmUEg5L+mTuG2uxj9qbvWPqnowqIMplxOlDCVB
|
||
ccYTp4SryOkR7zNOF99tyECsVwRXxwxlEcl4kYSiPwY8o8J0MC13ZylMRwKG
|
||
OCqT6dn1pRBLUxpF1/myObTErnBx3dMcvK5qgiRpirDv2RlX6AesJRoI+hi3
|
||
FSoAJSo5YtQSXE0KvPsMcqriIwQx1Yg73rG1reL5znEiqqUZJkqOyZE+YWDt
|
||
Aa+p5rL6ePy5zyZtp2qSzKS0Qiwtp8PyuZm/bJMlV8bZW7eH/DW7Yg5WdcE8
|
||
AO1SnbmEwt9Orxk+q/uWkzr/9ZxXc0/Oq2EjoBM1DQuiSwlinmq9iYPiFQwT
|
||
UW8NowECqRpOgiBn7sYDYP9L9Opypdj2aJGKgu4FpR96cXyyozpC3J3AzDGD
|
||
BJTBHGB2xfulNEA2W9GRWGZkG9YsOrdgLbGYSlmwo2dN9Kqjlgh9l24YuYvs
|
||
s1s4AAkFnxXwthkcaQevvM4Kh1rWAlxsD3cKzGDlG0yCBGIipBKn2Ko0ZuWo
|
||
k5hLMUIQlct+rTQicSOYtPa9Jlgzaz9d+wBamBlJiryHiFtMuBH8zSHfs0TX
|
||
vgbmBGrlA/qKQ7SqiPGyB/XHJWwXK1tGa09OV39H2S4yLkxQCww0BCoHFhzC
|
||
4EV0GIaFvcqFObFcsYuVRtARS5CivUp2FMBlPQr4VA9ZpsUcLz5tCMfsyiDz
|
||
ZhakdXA2NyN2yeI8C/3kKIjHFJ6RourM5TrucPUA4ttzUTEQ9LLhPR174PtB
|
||
AO5G0spdBi5BTSLPfv827hoglqBL5eYBLJynxGYZl3Usq7CwoOZrjCXCkwxc
|
||
y2ms4nRQOfXlsviicVcASy+urwrxvImaoDces/AJ6IyyAMlHXoKan9Ktp8H1
|
||
MPJ4jmXBt3zrMOJc8S7Sa1BqVf+QdCjJEPb49fH15eWBJ4I3WQFn6q++4EsT
|
||
R+vgsy97xbw8lQrex/fgstWErg6NnBItktu7zy64N3Wg7H6vjO9Bq8wuiX3M
|
||
Ao+L5ZbTkD2RHXar0WWFnNfx4MHBl+nmC6/qG7Q5C/ZmrbbA5SIMltG6CpEQ
|
||
sjPF08T4WmiTomAOdQ02o15vbUGhTAcPLVGyA26idoLNmeG1EciM4KGR4M4o
|
||
x1mhRhpMcPGUEPgcRlw4NToS52KOyZTsPTaEjQrMCOdjQ/WkIvUEKzvu49VG
|
||
gaNY5xOPDTl1G0Iz0FT1ogoJ1kikVEKAbtpBoGKwko8YfHr9r7vohEDwHIJu
|
||
ZWy83OZ64n2RWT7y496l1UjZcsSFlg9ML1il1a7yndesZW7sLQ8SPWmxjWLI
|
||
Juh9mqd+ZSnFP2VeJc5LhiyzCkgYvdm2MVKLVNrTkYZ8S3ICsDFJeb48e3s2
|
||
JAreINexU6yz/Y4qD0vZBwYgO0VIIqK1lCeutHBlGy1niYdR1W6jJQx8B/VI
|
||
39518Gk4OGDJNAqs84llWINLh4252c6a8Mt2trEx7xzqP7jBDBO8CrDc9LrX
|
||
wS8vtAptG1CND3w3yzBR18H6Y77ZSsvrEObIJ31KZrax7dxshUrQG6FbqVdD
|
||
T/aO/Hb9MnqtAno3wyhwHDSyFxzOHmC5g5TrzRu6w2jPoRQipiUCvN86r9n1
|
||
VmFXnaLzp7ZFNcac+U0UvwY7zunqHiUVuom+96CHbZEWCgf5bkCTcxxB/fuf
|
||
SIOYa/WqQKeoW9iYUGThAN7ES+iCzedxfSBTtfYl3kzhuHX4zRvspSnhfC7w
|
||
GaJP3Ej/jGGBTANBb0quQH7yRWAqK9cNtottRQKtM6bzVYUlM4AC36ZFgekm
|
||
eB1k2iz+tdC/D5OUN47wXlvEatCbYJ5dvcVzwdgxWlaSKfIAj48dQHu6AlsO
|
||
5OsytU440JOXF9OXXPkkqJlJ1S9bDASLZ9J3UcgxvvyDfKVVIFM5y6sdKj50
|
||
BSQiRLA2xrUiYcY4ugMZ11tEfcngdiMzyHv4SeUvvWKDcOYoyxu/RCdmXBB9
|
||
33TyqHhWvYMwAYkflhL90r0errNyrBP8X1k5AXNnBZcY7tyQyd1/jS//ys/x
|
||
OuofL7yahZ8xqZw7UoHP3rn48K/m19Moik7pv8Gvp3iz9l2WwMNqptlLXwHt
|
||
VyI2+B/qS/5SjC90Ibfqk/A1WxcPqaIcyZB7XwTeCt9IYIer0AVK572vqo6P
|
||
T5EOQTr0K/lE3xuujM8tqFkAD16x7vF3N4EE/2twDzgXKW8PvKdc/ko1RilR
|
||
UT7U+qJ7qJDuEoctotpWqEC8x1A81Wz+/GCLwQn8/Qs0yzwzTf55RFELdwe5
|
||
ShrNdKgJnOkLX9+mrg504P+m017emVAbDA2ELvICubpc1dG57YIjhGEWFbpk
|
||
ZjOEX5Bw5bxK1OVJ3PElgxsy/Vlyo/8mAFtqjRtRNQjPYPCmEy2f0iIYATSQ
|
||
OyzMbACehBEhdC8D20LVY3gNL8kt1POmoSzjC59dXBazUItb4AXEF2Zx8fGb
|
||
2jjAAV2jpTkTrZSnOXSIVwrFLndnLpfW6duabpEVvqhr24WlWCZfLyysFSYe
|
||
EnRVqRYvuV/eq8fQE3bO0V2ddP1QOGWppelvZFIAD6xEEHA+5Lq+Ybm0U1oN
|
||
LdwLMluuOz4CM7isGuCSWWnfgfl2cEoJgnhxE9FR9OjRERfOqbAgNpdVwAqV
|
||
rvZ32LAU/0Y7kDMx9aIbzu79a/pho719oIc6g+QdqLU5n9524Ib8HIZ8zvv1
|
||
jp4eGPHj+0fc6UUrnFOj3WHTnnzg7z7wi91BD6/sYximS3seGOMTP0Zd54kb
|
||
/9+4zkFedXvYbDN9ILr4EDzlh/fEjp1oHxjdcW90T/7GMYV6aDgk/jzlMbWL
|
||
lGccGNYa5X1GIezBicbRF72hvEaPOZdXlWrWjmjHwyR3gLmzSibjof1FWvtj
|
||
OLM/2cGfP3boiBeIf/5j+BX9eRg8am/ve/LWP+kIZ7xnew/CVtszMP2WLYjC
|
||
v63HY0X6yu7d18/AxkZJvLxnc2HraD9RaOHsMHUGi+GxV1qAIf5SjBbXnZi2
|
||
vOxLCeDuC0KxCwf2qyX5Zu4WUuK2YaVgRD4ifEXcpogDk9qCimfFb2c747i+
|
||
YFOd96MlUL6pu4WjMMmGoUVI2MPCDyRnu4i7dUXc9ygcWvU9ruarDPEm6Nnu
|
||
4eHxW7k2J8DRm78XSO8Uk1ZgnAoW8u7SjYBs+DtP9Gyb5Rj7V2A6mCwg18wI
|
||
8wEzibDS5vyLuJAJJ5s1LeSfZpfCgsNjdG9iCxExIsx5kiVBe7D08Cxo/MtU
|
||
3KZ8dzUCvdzoI6x6G3U8+C6fUjKVtAaFWOSGLzMVbyRfQ/X48JHYFhef5mwU
|
||
OFwWeX9J1xzexeCms9atCXtbdvuF6Bq9OKsOOmvfrCaGY6Dxqt0jPurAPa2w
|
||
uYKLipDdpNGr1iVqscHc76UE6FckG3VPYwbKtK7vha/WhyNM8MC9o5i9hHnq
|
||
LUa1szkBQ5HLp2vKwYq5WVexiiz6fGewCnOMN/Riig+PXaJQrkxWjKh7rJZX
|
||
pDoTevBgYoKy8nEHB+KmE/rZ2xeLTghSjUX/MwJz97VvilMEOc3OmjFo3Lg8
|
||
N1pxqrUrQF03LjPDmCXdwD1GZgbtHFjGhQL3WpJhOWYu5y6grEgzNB7zS7Xp
|
||
z344dPl7YdEBBXFyYdK5ZKu7y5c0XiE19A3njT30FxP2rxHq3uzn69fDVt+R
|
||
0wdrFkr2cQXLvsSxnMrjqiQT/QS+d6SZyWjgoCMIPIHNpftA6RNyjB+OGLSA
|
||
bhHJdqOTUw+fOz5f/adDNljicKLGPxMxPOLLF+Nh/G1CUn+c3GzgLsiecwUq
|
||
JFA+d9NPRcQnewTW1Ye7XA8hsKPtepvLJcMYI48j7xzF6niYhq4N1wrp10pA
|
||
ErzjSD6NNvDGSoy8TmvBlbYSlchDB+OMmDZ50bmOgoN5+8F2yc0KoJyx2HRq
|
||
+bCeDkyDr210l6x5qmcAKZA6A1fCK6M0QSz2qwongdCgBBgWRAWV3LhDRSGN
|
||
1yrxakkKdJVKXWKkm5ADNBgr2fs6Ji4slVEx3UM3OQQfsHF2yjn1w1vCDgDd
|
||
EqPXyzrFoUeBir4Ki9jJGJ8Z2+1F7k/nRAx6fVuwoEhcgCgsvXHZdBmY5JEh
|
||
Sg9Df8CsCBXbQwpgORnkOFh+xvkjBF7uWm5zs0G2JTedI2cITGICmDarWq4+
|
||
RwXN3UQhpm9sA1gM1azHGGmKFwNj4XqRDG4/hcRkTOmnDTuheWsCcz24vItr
|
||
yqvr3V3YZcbME/axA6xQxzg+CqfGiSgLbfigr9KO8Xzp5MO8+TQ6oHykcF2N
|
||
r3VUteH2ytSphm+fecXOZ0DByWqHh8+xGs+1uvJP2dZ4RCqU0m4LVEnxRc6t
|
||
+UNbvMNKVfbnEV+ymbuqUMLZzd7cQeiN3JftciQT2WfWIhh2Yq+PaMrXj+me
|
||
2rPCaOVhHqhUQ8H7eJh4glkLziKEpEr5P7rohoqCt/1r/uZG1FmDuyWNv7Pt
|
||
q+oyhozR6xlhQihQKDZFqJ15Gen5cGN8RrD8dYYw214CKS08i/J2vrZcG+dc
|
||
n4LjDKqJTSUsNL6CFZ1S8U7Q/A72iMTwGZjf1fXF2+nF64s3F9N3P6sFIYMM
|
||
S5ZJ7Ek1Y2colDPkvk6vpopBs+1yqXEqMOcwBsyrTWgctv3Y9XZL4d4MUS5N
|
||
jBWO4l196i2LXl63EeMN6CjyN+3uKZjxzKcMcAJtlN5mzFkkKw8DnQ5gKfha
|
||
V5q/k9xRYZLmM5pTH4MTWBF0w+hW/I+qZJoAMtFekvZ+8O2vtUJV852PUSVG
|
||
qhKBnGlIInObVOU50Xy3gSJsrkyhuwZAMQmEZu7scTrIX/gbM7zpzA/afm1e
|
||
lgGftrvN2CfZtZeAuuq7uwWOxjVEJI2qUh7PZ+KnJ+ec/Mz+J4YBUf71+Prd
|
||
1Y97DgRxAHwTHgnfCS4RvmBDEqMxt/QLsSXYGCobaKTYhbecNn4QQeATS55D
|
||
H1z3m5XldbxhVS0nsB+n/IgQgHNAQ5Jes17ZJCwgQXxzIg+qYzx8iH0HTp9g
|
||
BDsPAwz0uL4smB8/342cxAyaqHVYncRI2EinLVLnW4yfvHvx8uHVT691ZXDI
|
||
rROitSEdDNUDCXKf32MrrMa/TiOwEtOEAUmET2Dph9Rs2uUW/RFmypbzR4eJ
|
||
hcaM6lCUlC7UlIaGLJcDLhSmFgIEiK34bYxiQrC3vAI355fTqR3fbAkVfk7a
|
||
tMupm8hli6hfzXcTkeSg9dxDhNzgPjdPPc+aJgq/DXwJsWk7NBrXeePBAnyf
|
||
FA83VP71UBJYU8bQZwCSkRamoCHLIVCZidmKcecxvO0J+uFWb5gQMNycyi0h
|
||
oM59pMIcRbBtjJPkJLZwtE2wojJ0rnc6xzRcRCZRq/sXmNUD4scfa194gk4H
|
||
HtslCIWNGsVZFbi94pxqIKJC5MwSp/dlAvSOmDxadUzFQnYHHvSonuPPqXVF
|
||
4r8EPgbPim0bOOXsV5xyHa39U2MUNIKZh+SoM/8b45XZ1tG4AAA=
|
||
|
||
-->
|
||
|
||
</rfc>
|
||
|