Internet-Draft Erik Synchronization Protocol for RPKI December 2025
Snijders, et al. Expires 4 June 2026 [Page]
Workgroup:
SIDROPS
Published:
Intended Status:
Standards Track
Expires:
Authors:
J. Snijders
BSD
T. Bruijnzeels
RIPE NCC
T. Harrison
APNIC
W. Ohgai
JPNIC

The Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI)

Abstract

This document specifies the Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI). Erik Synchronization can be characterized as a data replication system using Merkle trees, a content-addressable naming scheme, concurrency control using monotonically increasing sequence numbers, and HTTP transport. Relying Parties can combine information retrieved via Erik Synchronization with other RPKI transport protocols. The protocol's design is intended to be efficient, fast, easy to implement, and robust in the face of partitions or faults in the network.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 4 June 2026.

Table of Contents

1. Introduction

This document specifies the Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI) [RFC6480]. Erik Synchronization can be characterized as a data replication system using Merkle trees [M1987], a content-addressable naming scheme [RFC6920], concurrency control using monotonically increasing sequence numbers [RFC0677], and HTTP transport [RFC9110]. Relying Parties can combine information retrieved via Erik Synchronization with other RPKI transport protocols ([RFC5781] and [RFC8182]). The protocol's design is intended to be efficient, fast, easy to implement [RFC1925], and robust in the face of partitions or faults in the network.

1.1. Background

The notion of cache-to-cache data replication of unvalidated data was documented in Section 3 of [RFC7115].

Validated caches may also be created and maintained from other validated caches. Network operators SHOULD take maximum advantage of this feature to minimize load on the global distributed RPKI database. Of course, the recipient relying parties should re-validate the data.

— RFC7115, section 3

Historic records show that experiments have been performed in this space using, for example, peer-to-peer file sharing technology (see [P2P]), but no standardised and widely-deployed mechanism for cache-to-cache replication emerged since then. The authors hope that the Erik Synchronization protocol might be suitable to fill this gap and improve propagation speed of validly signed repository data as well as help reduce load on the global RPKI.

1.2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

1.4. Glossary

This section describes the terminology and abbreviations used in this document. Though the definitions might not be clear on a first read, later on the terms will be introduce with more detail.

Erik relay
An intermediate between CA publication repositories and Relying Parties.
FQDN
The fully qualified domain name of a RPKI repository instance referenced in an end-entity certificate's Subject Information Access (SIA) extension's id-ad-signedObject accessDescription.
Hash
A message digest calculated for an object using the SHA-256 algorithm.
ErikIndex
The relay's Merkle root for a given FQDN. An ErikIndex is an ordered listing of ErikPartition object hashes.
ErikPartition
An ordered listing of the manifest objects' hashes, manifestNumber values, thisUpdate values, and their certificates' SIA extension values.

2. Informal Overview

Erik Synchronisation is an architecture to reliably distribute RPKI repository data from cache to cache using so-called Erik relays. Relays maintain a validated cache themselves and can be clients of other relays. While this property suggests that a group of relays should converge to the exact same state, the distributed nature of the RPKI prevents relays from achieving strict synchronization.

In this synchronization protocol, Merkle trees are used to determine whether differences exist between client and relay. Merkle trees are hierarchical data structures: the hash value of each node is computed recursively by hashing the concatenated hash values of the node's children. The hash of the ErikIndex represents the entire dataset related to a given FQDN. If the ErikIndex hash is not the same between two replicas, the relay provides the client with hashes of smaller and smaller portions of the to-be-replicated dataset until the exact list of out-of-sync or missing objects is identified. Sequence numbers are then used to determine whether these differences are relevant enough for the client to fetch. All data, except for ErikIndex objects, is fetched using static addresses derived from object hashes. This approach reduces unnecessary data transfer between caches which contain mostly similar data.

The client starts by querying an Erik relay for the relay's current ErikIndex for a given FQDN. If the ErikIndex is different compared to the previous run (or compared to the Index calculated from the locally cached objects). With the ErikIndex in hand, the client can determine which ErikPartition are missing and fetch accordingly. The client then can compare the manifestNumber sequence number and thisUpdate for each manifest listed in the ErikPartition, and proceed to fetch (purportedly) newer versions of manifests of interest. Whenever a relay has manifests with a lower sequence number on offer, the client can ignore those. The client now has sufficient information to proceed to fetch any missing Certificates, Signed objects, and CRLs. With the information contained within manifests, clients can fetch addressed by content (by hash) and store by name (or some other scheme).

3. Erik Synchronization Data Structure Definitions

In this synchronization protocol the signal layer makes use of DER-encoded messages [X.690].

Design note: DER encoding was selected for its canonical properties and because RPKI cache implementations already support ASN.1 encoding.


RpkiErikSynchronization-2025
  { iso(1) member-body(2) us(840) rsadsi(113549)
    pkcs(1) pkcs9(9) smime(16) mod(0)
    id-mod-rpkiErikSynchronization-2025(TBD) }

DEFINITIONS EXPLICIT TAGS ::=
BEGIN

-- EXPORTS ALL --

IMPORTS
  CONTENT-TYPE, Digest, DigestAlgorithmIdentifier
  FROM CryptographicMessageSyntax-2010 -- in [RFC6268]
  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
    pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

  AccessDescription, KeyIdentifier
  FROM PKIX1Implicit-2009 -- in [RFC5912]
  { iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
;

EncapsulatedContentInfo ::= SEQUENCE {
  eContentType     CONTENT-TYPE.&id({ContentSet}),
  eContent         [0] EXPLICIT OCTET STRING
    (CONTAINING CONTENT-TYPE.&Type({ContentSet}{@eContentType}))
    OPTIONAL }

ContentSet CONTENT-TYPE ::= {
  ct-rpkiErikIndex | ct-rpkiErikPartition, ... }

ct-rpkiErikIndex CONTENT-TYPE ::=
  { TYPE ErikIndex IDENTIFIED BY id-ct-rpkiErikIndex }

id-ct-rpkiErikIndex OBJECT IDENTIFIER ::=
  { iso(1) identified-organization(3) dod(6) internet(1) private(4)
    enterprise(1) snijders(41948) erikindex(826) }

ErikIndex ::= SEQUENCE {
  version [0]      INTEGER DEFAULT 0,
  indexScope       IA5String,
  indexTime        GeneralizedTime,
  hashAlg          DigestAlgorithmIdentifier,
  partitionList    SEQUENCE SIZE (1..ub-Partitions) OF PartitionRef }

ub-Partitions INTEGER ::= 256

PartitionRef ::= SEQUENCE {
  hash             Digest,
  size             INTEGER (100..MAX) }

ct-rpkiErikPartition CONTENT-TYPE ::=
  { TYPE ErikPartition IDENTIFIED BY id-ct-rpkiErikPartition }

id-ct-rpkiErikPartition OBJECT IDENTIFIER ::=
  { iso(1) identified-organization(3) dod(6) internet(1) private(4)
    enterprise(1) snijders(41948) erikpartition(827) }

ErikPartition ::= SEQUENCE {
  version [0]      INTEGER DEFAULT 0,
  partitionTime    GeneralizedTime,
  hashAlg          DigestAlgorithmIdentifier,
  manifestList     SEQUENCE SIZE (1..MAX) OF ManifestRef }

ManifestRef ::= SEQUENCE {
  hash             Digest,
  size             INTEGER (1000..MAX),
  aki              KeyIdentifier,
  manifestNumber   INTEGER (0..MAX),
  thisUpdate       GeneralizedTime,
  locations        SEQUENCE SIZE (1..MAX) OF AccessDescription }
END

3.1. General Syntax

The content of an Erik object is an instance of EncapsulatedContentInfo.

3.1.1. eContentType

The eContentType is an OID specifying the type of payload in this object.

3.1.2. eContent

The eContent is the payload of the Erik object encapsulated in an OCTET STRING.

3.2. ErikIndex

An ErikIndex represents all current manifest objects available under a given FQDN and thus the complete state of the repository as it is known to the relay.

3.2.1. The version field

The version number of the ErikIndex object MUST be 0.

3.2.2. The indexScope field

The indexScope field contains the fully qualified domain name of the Signed Object location of the manifests referenced through this particular ErikIndex. The FQDN MUST be in the "preferred name syntax", as specified by Section 3.5 of [RFC1034] and modified by Section 2.1 of [RFC1123].

3.2.3. The indexTime field

The indexTime is the most recent partitionTime value among the ErikPartitions referenced from this ErikIndex. The field's value roughly indicates when the ErikIndex was generated and can be used for troubleshooting and measurement purposes.

For the purposes of this profile, GeneralizedTime values MUST be expressed UTC (Zulu) and MUST include seconds (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. GeneralizedTime values MUST NOT include fractional seconds. See Section 4.1.2.5.2 of [RFC5280].

Design note: using the most recent partitionTime, rather than the local system's notion of "now", helps reduce churn in distributed systems.

3.2.4. The hashAlg field

This field contains the OID of the hash algorithm used to hash the ErikPartitions. The hash algorithm used MUST conform to the RPKI Algorithms and Key Size Profile specification [RFC7935].

3.2.5. The partitionList field

This field is a sequence of PartitionRef instances. There is one PartitionRef for each current ErikPartition. Each PartitionRef is a tuple consisting of the hash of the partition object and the size of the partition object.

Information elements are unique with respect to one another and sorted in ascending order of the hash.

3.3. ErikPartition

An ErikPartition represents a subset of manifest objects available under a given FQDN. Each ErikPartition is an ordered listing of the manifest objects' hashes, manifestNumber values, thisUpdate values, and their end-entity certificates' SIA extension values.

3.3.1. The version field

The version number of the ErikPartition object MUST be 0.

3.3.2. The partitionTime field

The partitionTime is the most recent thisUpdate value among the manifests contained within this ErikPartition. The field's value roughly indicates when the ErikPartition was generated and can be used for troubleshooting and measurement purposes.

For the purposes of this profile, GeneralizedTime values MUST be expressed UTC (Zulu) and MUST include seconds (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. GeneralizedTime values MUST NOT include fractional seconds. See Section 4.1.2.5.2 of [RFC5280].

Design note: using the most recent manifest thisUpdate value, rather than the local system's notion of "now", helps reduce churn in distributed systems.

3.3.3. The hashAlg field

This field contains the OID of the hash algorithm used to hash the manifest objects referenced in this ErikPartition. The hash algorithm used MUST conform to the RPKI Algorithms and Key Size Profile specification [RFC7935].

3.3.4. The manifestList field

This field is a sequence of ManifestRef instances. There is one ManifestRef for each current manifest. A manifest is nominally current until the time specified in nextUpdate or until a manifest is issued with a greater manifestNumber, whichever comes first (see Section 4.2.1 of [RFC9286]).

A ManifestRef is a structure consisting of the hash of the manifest object, the size of the manifest object, the manifest issuer's key identifier, the manifestNumber, and the thisUpdate contained within the object, and a sequence of AccessDescription instances from the manifest's End-Entity certificate's Subject Information Access extension.

Information elements are unique with respect to one another and sorted in ascending order of the hash.

4. Client-side Processing

Clients start by fetching an ErikIndex, which is represents the relay's current Merkle tree head for a given FQDN. A client MUST verify the requested FQDN exactly matches the indexScope value in the ErikIndex, and if not proceed to use a different relay.

Then, clients can decide whether or not to fetch ErikPartition objects listed on the ErikIndex, for instance, by checking whether the object associated with the hash was already fetched at some point in the client's past.

Before using a ErikPartition, the client MUST verify that all URIs in the accessLocations in the id-ad-signedObject accessMethod instances in the ErikPartition are encompassed in the requested indexScope. A client can then decide whether or not to fetch a given manifest object, by comparing the manifestNumber and thisUpdate with what's locally cached and what's offered by the remote relay.

A client can compute which products listed in the manifest's fileList need to be fetched from one relay or another in order to achieve a successful fetch. A client MUST verify that the URI in the accessLocation in one of the id-ad-signedObject accessMethod instances in the manifest's Subject Information Access (SIA) is encompassed in the requested indexScope.

As there is no concept of 'sessions' (like in RRDP), clients can interchangeably use different Erik relays. When one Erik relay generates a HTTP error, the client can try fetching the requested object from another Erik relay. To improve reliability, clients should alternate among different relays in successive query and fetch attempts.

5. Querying an Erik Relay

5.1. Fetching objects by hash

This specification uses "Named Information" identifiers mapped to .well-known HTTP/HTTPS URLs for object retrieval, as described in [RFC6920].

For example, issuance #54 of ripe-ncc-ta.mft has the following SHA256 digest: c2d0427bc5a32c42eea1ab5663d592b1fc29c7d4ef16ab0b5e1d631d039dcc21.

To fetch the aforementioned object from an relay hosted at relay.example.net, a client would access the following HTTP URL: https://relay.example.net/.well-known/ni/sha-256/wtBCe8WjLELuoatWY9WSsfwpx9TvFqsLXh1jHQOdzCE

5.2. Fetching ErikIndex objects

The URIs to fetch ErikIndex objects can be constructed using the following Well-Known URI template with the erik keyword as suffix and the FQDN as parameter: https://{relay_host}/.well-known/erik/index/{FQDN}.

For example, the URI to fetch an ErikIndex for the rpki.ripe.net FQDN from a relay at relay.example.net would be: https://relay.example.net/.well-known/erik/index/rpki.ripe.net.

A client MAY use the If-Modified-Since HTTP header when fetching ErikIndex objects.

6. Transport Error Detection and Handling

The client MUST calculate the hashes of fetched objects and verify they are the same as the expected hashes (which are embedded in the URIs through which the objects were retrieved). If there is a hash mismatch, the client may try fetching the object from a different Erik relay or treat this as a failed fetch (see Section 6.6 of [RFC9286]) and try again at a later point in time in a next validation run.

7. Setting Up an Erik Relay

Erik relays can be operated by any party, without permission from or coordination with publication point operators or CAs. Relays are made accessible via either HTTP or HTTPS or both.

Relays generate and make accessible ErikIndexes and ErikPartitions derived from their current validation state, the client then cherry-picks which objects (if any) it wishes to fetch. In turn, relays fetch fresh data from other relays, or from CA-designated publication points accessible via Rsync ([RFC5781]) and RRDP ([RFC8182]).

Design notes: a decision must be made on a deterministic "manifest-to-partition" assignment scheme. Job's proof-of-concept relay (see Appendix A) uses the first few octets of the the Manifest's AKI as a stable partition assignment scheme. Other strategies could be to assign manifests to ErikPartitions based on the "hour-of-day" of the CMS signing timestamp, or the first few octets of the SHA-256 of the manifest object.

8. Comparison with other RPKI transport protocols

Ignoring obvious mechanical "on the wire" differences between Erik, Rsync, and RRDP; there are a number of concept differences between the protocols. Rsync and RRDP can be described as "general purpose" synchronisation protocols: they could be used to transfer any arbitrary set of files, on the other hand the Erik protocol is RPKI-specific: part of its signaling layer are RPKI manifest objects, which RPs require as recourse for validation anyway. This property by itself causes a small deduplication in the data to be transferred.

8.1. Comparison with Rsync

In Rsync, the server and the client construct and transfer a full listing of all available objects, and then transfer objects as necessary. In effect, this allows clients to 'jump' to the latest repository state, regardless of the state of the local cache.

A major downside of Rsync is that the list of files itself can become a burden to transfer. As of June 2025, in order to merely establish whether a client is synchronized or not with the RIPE NCC repository at rpki.ripe.net, as much as 5.8 megabytes of data are exchanged without exchanging any RPKI data.

Experimentation suggests that when synchronizing once an hour, Erik consumes less network traffic than Rsync generally would consume which, in turn, is less network traffic than RRDP would.

8.2. Comparison with RRDP

The key concept in RRDP is that the client downloads a "journal", containing all add/update/delete operations and replays this journal to arrive at the current repository state.

A major downside of RRDP is that (depending on the RRDP polling interval) clients end up downloading data which has become outdated. Imagine a hypothetical CA which issues and revokes a ROA every 10 minutes and a client that synchronizes every 60 minutes; in effect the client must fetch 5 outdated states, wasting bandwidth.

Experimentation suggests that when synchronizing every 15 minutes, Erik consumes less network traffic than RRDP generally would consume which, in turn, is less network traffic than Rsync would consume.

8.2.1. Garbage Collection

In contrast to RRDP, the Erik protocol has no concept of server-specific "stateful" sessions that persist across polling attempts. This obviates the need for withdraw instructions as part of the protocol exchange: clients can simply delete objects that are no longer referenced from their current validation state and refetch them later on if needed.

9. Open Questions

This section is to be removed before publishing as an RFC.

10. Operational Considerations

10.1. Scaling considerations

As of July 2025, the global Internet's RPKI churn rate appears to be 2 new objects per second. The ecosystem is estimated to be composed of ~ 5000 RPKI cache instances and ~ 50 repository servers. Assuming 10 minute fetching intervals and 150 metadata requests per synchronization run (for exchange of Merkle tree data), an Erik relay serving all the Internet's RPKI cache instances would probably need to be able to sustain serving an average of at least 11,000 HTTP requests per second. This order of magnitude in terms of scaling requirements can easily be handled by a single commodity server.

10.2. HTTP Compression

Using gzip compression on average tends to yield a 20% reduction in RPKI object size, therefore it is RECOMMENDED for clients and relays to offer support for compressed content coding, as described in Section 8.4.1 of [RFC9110].

Using a previous version of a RPKI object as a compression dictionary for a newer version enables delivery of a delta-compressed version of the changes, usually resulting in significantly smaller responses than what can be achieved by compression alone. Clients can facilitate delta compression by sending an Available-Dictionary request header, using a previously fetched version of the RPKI object as the dictionary. It is RECOMMENDED for clients and relays to make use of Compression Dictionary Transport ([RFC9842]).

11. Security Considerations

This document makes no changes to RPKI certificate validation procedures.

Paraphrasing Section 11 of [RFC6810]: The RPKI relies on object, not server or transport, trust. That is, the Regional Internet Registry root trust anchors are distributed through some out-of-band means, and can then be used by each relying party to validate certificate chains and Signed Objects. The inter-cache relationships are based on this object security model; hence, any cache-to-cache transport is assumed to be unreliable at times. See Section 5 of [RFC8182] for more security considerations.

To avoid certain forms of replay attack, clients MUST verify purported indexScope, ManifestRef location values, and manifest Subject Information Access (SIA) extensions match the expected FQDN.

Byzantine events or faults in relay-to-client communication can be overcome by the client rotating requests for objects among different Erik relays.

12. IANA Considerations

12.1. S/MIME Module Identifier

The IANA is requested to add an item to the "SMI Security for S/MIME Module Identifier" registry as follows:


Decimal  Description                          References
----------------------------------------------------------
  TDB    id-mod-rpkiErikSynchronization-2025  [this-draft]

12.2. SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)

The IANA is requested to allocate for this document in the "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry:


Decimal  Description              References
----------------------------------------------
  TBD    id-ct-rpkiErikIndex      [this-draft]
  TBD    id-ct-rpkiErikPartition  [this-draft]

Upon publication of this document, IANA is requested to reference the RFC publication instead of this draft.

For the current proof-of-concept phase, OIDs for id-ct-rpkiErikIndex and id-ct-rpkiErikPartition were assigned from a PEN arc. Implementers are not expected to make any special accommodations to retain backwards compatibility with these PEN OIDs, after IANA assigns OIDs.

12.3. Well-Known URI

An URI Suffix in the Well-Known URIs registry specific to Erik synchronization will be requested. See https://github.com/protocol-registries/well-known-uris/issues/67 for the request.

The proposed suffix is erik.

13. References

13.1. Normative References

[RFC1034]
Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, , <https://www.rfc-editor.org/info/rfc1034>.
[RFC1123]
Braden, R., Ed., "Requirements for Internet Hosts - Application and Support", STD 3, RFC 1123, DOI 10.17487/RFC1123, , <https://www.rfc-editor.org/info/rfc1123>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC5280]
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, , <https://www.rfc-editor.org/info/rfc5280>.
[RFC6810]
Bush, R. and R. Austein, "The Resource Public Key Infrastructure (RPKI) to Router Protocol", RFC 6810, DOI 10.17487/RFC6810, , <https://www.rfc-editor.org/info/rfc6810>.
[RFC6920]
Farrell, S., Kutscher, D., Dannewitz, C., Ohlman, B., Keranen, A., and P. Hallam-Baker, "Naming Things with Hashes", RFC 6920, DOI 10.17487/RFC6920, , <https://www.rfc-editor.org/info/rfc6920>.
[RFC7935]
Huston, G. and G. Michaelson, Ed., "The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure", RFC 7935, DOI 10.17487/RFC7935, , <https://www.rfc-editor.org/info/rfc7935>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC9110]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, DOI 10.17487/RFC9110, , <https://www.rfc-editor.org/info/rfc9110>.
[RFC9286]
Austein, R., Huston, G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure (RPKI)", RFC 9286, DOI 10.17487/RFC9286, , <https://www.rfc-editor.org/info/rfc9286>.
[X.690]
ITU-T, "Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021, , <https://www.itu.int/rec/T-REC-X.690-202102-I/en>.

13.2. Informative References

[M1987]
Merkle, R., "A Digital Signature Based on a Conventional Encryption Function", Advances in Cryptology -- CRYPTO '87 Proceedings, Lecture Notes in Computer Science, Vol. 293, DOI 10.1007/3-540-48184-2_32, , <https://doi.org/10.1007/3-540-48184-2_32>.
[P2P]
Austein, R., Bush, R., Elkins, M., and L. Johansson, "RPKI Over BitTorrent", , <https://www.ietf.org/proceedings/83/slides/slides-83-sidr-9.pdf>.
[RFC0677]
Johnson, P. and R. Thomas, "Maintenance of duplicate databases", RFC 677, DOI 10.17487/RFC0677, , <https://www.rfc-editor.org/info/rfc677>.
[RFC1925]
Callon, R., "The Twelve Networking Truths", RFC 1925, DOI 10.17487/RFC1925, , <https://www.rfc-editor.org/info/rfc1925>.
[RFC5781]
Weiler, S., Ward, D., and R. Housley, "The rsync URI Scheme", RFC 5781, DOI 10.17487/RFC5781, , <https://www.rfc-editor.org/info/rfc5781>.
[RFC6480]
Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, , <https://www.rfc-editor.org/info/rfc6480>.
[RFC7115]
Bush, R., "Origin Validation Operation Based on the Resource Public Key Infrastructure (RPKI)", BCP 185, RFC 7115, DOI 10.17487/RFC7115, , <https://www.rfc-editor.org/info/rfc7115>.
[RFC8182]
Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein, "The RPKI Repository Delta Protocol (RRDP)", RFC 8182, DOI 10.17487/RFC8182, , <https://www.rfc-editor.org/info/rfc8182>.
[RFC9842]
Meenan, P., Ed. and Y. Weiss, Ed., "Compression Dictionary Transport", RFC 9842, DOI 10.17487/RFC9842, , <https://www.rfc-editor.org/info/rfc9842>.
[rpkitouch]
Snijders, J., "rpkitouch", , <https://www.github.com/job/rpkitouch>.

Appendix A. Implementation status

This section is to be removed before publishing as an RFC.

This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.

According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".

A few experimental Erik relays are available, each running on slightly different schedules. Client implementers are encouraged to round-robin between these instances to observe results.

http://relay.rpki-servers.org/
Dublin, Montreal, Osaka, São Paulo, Sydney - anycasted distributed computing cluster
http://dub.rpki-servers.org/
Dublin, Ireland, - distributed computing cluster (6 machines, NFS backend)
http://atl.rpki-servers.org/
Atlanta, USA, - distributed computing cluster (2 machines, NFS backend)
http://miso.sobornost.net/
Amsterdam, NL, single node
http://nyc.rpki-servers.org/
New York, USA, - single node
http://fnllwqoupfrhso6643whm6lpkgsftjtc6crpehmyz2o7pffirnqy7rad.onion/
Erik relay service via Tor

An experimental Erik static content generator was developed by Job Snijders in the form of [rpkitouch] using C.

Appendix B. Example objects

Included in this section are an ErikIndex for rpki.ripe.net and an ErikPartition referenced from the aforementioned ErikIndex, both Base64 encoded.

B.1. Example ErikIndex

This object was retrieved from http://miso.sobornost.net/.well-known/erik/rpki.ripe.net.

MIIoRwYKKwYBBAGCx1yGOqCCKDcEgigzMIIoLxYNcnBraS5yaXBlLm5ldBgPMjAyNTEyM
DEwOTIyNDhaBglghkgBZQMEAgEwgigAMCYEIJm6Qc5v76CJXTU7zp0/HcG67UMfx4hjL0
8aqRLMi6mBAgJA0TAmBCAcTufmA6MnsbZe0oeb+tA7VmBlTJPZZ3O6KQ8Ajr4khQICSEc
wJgQg1zsloP5tep632vk6UCpupg+qf7XGb7XWKVxuQmMDMEkCAkDUMCYEIClfD749+8UF
1ICwDp3cIaAqq4aCDiEp9d6vZY5fdUADAgJJHDAmBCB9NnRXUJo6NvDSSN2uAEychpqwt
BcdkLq+FyvTQg0t/gICPywwJgQgm9DmwNnJtMOlZ58Djt5vS0+ntfzzOsKulAxqSj43cJ
8CAk7oMCYEIPRtTRfJM4AYtcWJDnGy4PdS9RzrpRGIO1kSVkgXvHGbAgJDTzAmBCAY5iC
NfPi6GD3MApzsZTmGcLGwB5NB0q+a993xEL2z6gICS5YwJgQgDn5WEDBZaSNOAlbJLXDP
7E7Nmw6cb/xqMX9T6GTgLtUCAk0/MCYEIEnW8XjOgcNyUj+WTwAajiTzEtzeRP9WmWzkB
exM28bUAgJNQDAmBCDaW09JigMf+Xw+onBHNlormOoLJzcwNTaFm7WzqFe8mwICPK4wJg
Qg6knwoHJPFgTQAyNeBTIl1VJt8auGEnlLREbVKQgdXscCAknvMCYEIA0NJ1m6ulP7uqQ
BzO4fU3w40TBTL67imnV4faMN9FJ8AgI73DAmBCDHgzAi6TFfQ1wAPs5EvS00L+vl3C4H
36Xf4Ucahrl9SgICTUAwJgQguu4A4/e92Expr7Jz/Mmu0FxGu8MnhOpxoSRtqe00+ogCA
kXKMCYEIFn6o+bxEa7/PPPtYuVpnCRP1jx17vCREU/AnGnfBh/RAgI/KzAmBCB8TWYXLm
tE//h2Ptsj88vhVb0chpvKZkY9DTzWg3ekgQICRPgwJgQgHBXsRUcwsyRrmQiAIorc+/9
rm9+AdlfyvfBMsBDM3MgCAkhIMCYEIMxQm3+4Np3uwYnGBGBesAAAQ/x0N/8LLhJVspwI
Kk4IAgJEIzAmBCAc8uObkjFbot3H96+bH/K5pRehM0T/NZQvTCJNGsd0AwICRp8wJgQgD
nWV3UlXxIDH4ATnTNrG1pN/OV/ZJJO8JdYNIYetK50CAjOTMCYEIFT8on+bMYhEzPzRdC
gmH1RY6sAdLPycobat6lL8LAXtAgJIRjAmBCBMOHNlTZRvDQnUTKpyBuWzIOCQk6JSgZI
adBlwoFTnZwICS5gwJgQgMAcWQorLYcfrZBclb+x26PkyB3er9G3I6NsHbZH9fjwCAlI4
MCYEIJHiD4XO81pMmOzb9C8AjlE1XqPa5M7A4ftwbiMrJWG3AgI3tjAmBCDhfGLZRgV/j
6fFq55vbFR6ChQyExPMIEOzWeBSWAMevwICT7owJgQgFiuWVV9R7uuuIcplhQYoLC2av/
1ZU76d2wz/lAwEK+ACAlCNMCYEIGcC+2ztht/xgdxbDYme5Kqj9Bmkhi5S6s4Avza6ee7
4AgJGoDAmBCAQb69v+MSC6IUM4naoQBCYTR8g0GSUAmjtNpT8ZWIZUwICTucwJgQg+e2V
C2bIyeBGX9DrWy9TpgjvdgSe37Cf6bPYeWxxltYCAkhFMCYEIK7G3YYLScDHdUGMxOT7X
ALSajaXynKV9hjHwJQcaKFXAgJMajAmBCCOax3V5ACWQumT772S0ennlDkxaSMMBce5zp
kCzyIVWQICSe8wJgQgNp4afzMf62jAyRQa+rWpBFgSNeoUDZEp2qjchvWyBwQCAkkcMCY
EIMuYs/izqz6nqHaBCcaTqiUawyow9rROBGwmUGnlDlBDAgI8rTAmBCBTPtK5kcoYoSfM
aoWKHaF2RsbWcwLX8uxJ0hdgn1O73wICPK4wJgQgxMXYQJFeSbFxCcZmVZ5ZY+g3Q8l62
C0qscvOlC0oksICAlMJMCYEILbXbTHhiZOX5eCx7Hggbct07oGpPN0AroTvjJcs2dvdAg
I/LDAmBCBxJaAZm7fd/XT8vKzGT3bF2xomKWY6sq7jVeQGq3gx0wICRCEwJgQg0P95wdw
Ywfne/WoKoer+SW2uAgs9s7H/HXfNecfFr+kCAkQkMCYEIDK0m+fCj78bfgoRxhtGf4kK
STBvwhXOvcr8c8E+aC9MAgJSODAmBCAsYFXk5IYn6qg0Q++w6EIWSgBIgmRvViON0FNk4
KQq4AICPYQwJgQgXBLpjthb+HQfXsCaxRTXwZKTXz7l8izp3IU8NKZRY6wCAlp/MCYEIB
Qvo3KYKpp5H0u3HYEtG9/AQR7j4vHBcNbewgnSaE1oAgI/BDAmBCAgvwzKSCmDtIzq/4E
fi/y9EYlfKyvrQCKC7RgLhZTRNQICP/wwJgQgoilwWrmGmk/af0oj7Is48b/WMhiwGoRF
Vgcc0SNTuqQCAjyvMCYEIEm/120q0Lze8eurbZYW415zu8eTtsV1FgtDukI3zjL2AgI6M
zAmBCC/a8TNdUQrmgRw2OX5mGA47usiW1lMwObnYGksxEfpBAICRcwwJgQgsHKix46fwP
bb61BPPgK1XU5kWZpcq4O9/srSLcGGJ28CAk7oMCYEIDLqy9SOZK2A3W6/Zq9OnW23zQ1
avtvTLFt2/cKfvA/kAgJJGjAmBCBenxwruFujR7e7yvuelR9XEBIRhXinSHF/RYJXUBdx
XAICQNAwJgQgurlzQaIWn2ySyLtWLfWwW38OEeqtoqo4Bedwl8D0/YUCAkuWMCYEILwX7
Olu5yveF/5dVrQ5g+bsGAvsJZzOqSLM5Uha/MYrAgI8rzAmBCB/qbDHlFKouKfhB2D0vr
epMDoMS32dif0omjBE+pmPagICS5YwJgQg0abgkuID2IxiRvOjvd0pjSeu3n58+BKA0EQ
hdl+XILsCAj8rMCYEIMpL4r9J/byxlhTGqJM3Ucx8BtflJP9upC6/F9IFDRelAgJNQDAm
BCDgJPZx2Ih7gmfRqKyiaekB13ZeZuyg8gYy2TL+lRHmYwICQAAwJgQgN83id6CTSidQv
EjSrJRzfRRwqh/JP1DSgHrl+x1w0gUCAkhHMCYEIJtTT5++B0CUU4qoGVWlpdfy8J5inu
PWWGofWioSK2u4AgJHczAmBCBm3TzvbMyuY5cB91u/6CQMsrspLs/EASWl7kV/9qpFjgI
CRp4wJgQg5ylrCUOF3xWCxb0UHObx690jpqsVPYkHX/7Xv0YJWIYCAkGoMCYEIA0DWD+e
NKpPgla4G3PjsjmYCL2KCw9qVn0j7nGaSekMAgI/KTAmBCB+Ve+Fmk5gyHBuJao0pA9mI
o0dyBOrdl3t6HvPHBdQbwICP/4wJgQgTre+8X/9Ga9KXSHD2y1sPKWCohttY4kcVvHgjL
6y9xsCAk7nMCYEILcz+lH4qgI1+bTn6OUZhU0kyzY4UHT1qE7PpYRn4pcBAgI6MzAmBCB
ECWxsMF9t4M5rmXckcoM6t8G4TpvWMEkRd3UaPuDALAICTUAwJgQgtC9mV90vgGIKcFEe
MqsvSBpwpjJrOQsjxwqDmYbvBVQCAknvMCYEIDsp7wNAViGmFITETrdAyklaecFUZ3I6n
twlLuIG7vvzAgJIRzAmBCCv6F3foBWPjkSEmjnu4yWcKSYvfATDzzi+iGS31w02hAICRc
owJgQgUMO1Akx1qfFQdQvldd7T9CVTErzlH53B56sXx/Ay3+8CAk4UMCYEIO9e/xofPIa
7cB8JWrC/lFZQGQvwZAHq1X3rKDHdybAJAgI5XjAmBCANKkQWzMoQOpaehRTPEw4iGHcO
cC3A9iqISJdj93JbrAICR3MwJgQgbWNtUgkRwJd7doAzAlW2tGpfz0Jvt3O+PuF3dUrFs
uwCAkNQMCYEILuwwTJVahumjd2F9uuPCtTVMuKrgoUcSTF/D4ph4JBnAgI//zAmBCC4dn
nZAOd+QaxWmTZRshIrVr0QHzufucaGY2478eY/zQICSEgwJgQg1ynMPVo/xhJWzV6vTo5
+7OP8neT1KDe5E8bzwmefhP4CAkDUMCYEIPhfsn+OvupCQhN83TrQaF67UjZkOQckpQQ0
31frlcB8AgJIRjAmBCAEjK3BxQbPCgzKkrdL/HdDMqQHwGID7k2leG3uWItS0QICUI8wJ
gQgMxgfKAz7P9eTrI2ciTHcIRClc5MkkTFbWuqOUn5RasUCAkhGMCYEIBD6HMeUhJw+d0
xECajeKgm5msz8k5if64F/oenSIKmLAgJNPzAmBCDAcYusmCIk9sI7otjkBcougnjZ13y
wLm2O2/hmp/SbYgICPywwJgQg5IC8XKF8GaP7SSo7s8U+jfizsTntRY34elUcQUq8VmMC
AkT2MCYEIJeYJz/qaJnZOvMAgYJsg2ZsAyjKZok9biZ4rd3/ic7VAgI8rzAmBCBNUCOgK
VhQOTlvbFqwm1fT/LmV2H3SQ869WRgBJBkKVQICSRwwJgQgBsARSOQM2q1vq5rueC4dxB
C3r1coY+KWJ7CwFuJg0scCAlcuMCYEIHvxXfNQt/rmNszESnRRq+JiyYjam/4GqjoN+SU
j1lekAgJMajAmBCD5KNvTDwNh4WBN1zA8MSldKAbYpdjjbBSBnisSPLu6sAICQ1AwJgQg
y4hvvN0L3U7cInVVWVl1ygJXSsu/VfTYzrRJo54N6+ECAjOTMCYEIFj006tgBMmhSDomi
tbmGl9Z16s6m2/4lzwuPzfniCCaAgJTCTAmBCBblplqvzcQq9TQHB3+7mwM4RjuSgSPRu
wuAJKeXhY0FgICTGowJgQgCIvMmfItgUb4SmChB9x+UNMJqXalcbRyXZG83RTsw/cCAkG
nMCYEIIhI9/8QVT00wKW6UXZQptfytJYFV1I8wANROt7g1OGTAgJE+DAmBCD8q3k28PVy
dTnL4JFB5LnKfXD7jQxplSmxyTbZZ6HFSwICQnwwJgQg2yTp6+1TdBPDCtDl/hEgs5hpB
JWHdSGrW2t8Ndb0SS4CAjvcMCYEINSjPt6JxgSn4DGBYe3jenpeb0jWr0QlNvfbs9BDtD
txAgJDTzAmBCDUrng4MJV0VyuKD7I3tyGLyUvw9f99TU1cIvaTNG9+DwICSsQwJgQgSNp
c7deWFGk35aIUOkHMGG595e2J3YXBvkFQ2+m12+oCAkDTMCYEIFNzuczQTerE7TzqDG/y
/0UZ6pQ8dK6+5+93ueRWdi2VAgJO6DAmBCD0FmWyvgFVlBfgb3sPhfaQJ0nezHpcW7eNo
dI5VAYc/AICRCQwJgQgTpLd/obeScPqpbyxYBjzOj9XIP4q3keYRQAvJBzmpIYCAkadMC
YEIO1MFaqZnAZo0QNXBaZboZShUHjG5zFvZFLvvqs8v/ILAgJA1TAmBCCsAAxjYn02NoO
ignQl5JNQ1ZOBfLiyOfmUVUbzH5yOdQICQnswJgQgBHYcBl+B3Gv9WWtxCEfrJrgXuUp4
LzVoondyCS05sm8CAkJ8MCYEIAvdwbKz+o6uPdBr17NDqi3wL2SNOe5VKsius0mEAM95A
gJOEjAmBCD47+yVTwGYmNIyIWzH6cVeKbta80ej0Yjb7lc1fdmjogICSRowJgQganjHUW
t/dFNUs15pl/LTgfTv0IRKadbKfIR6HSbM6uwCAk4SMCYEIId5w8ffhjZxsJMLH6bAX1h
RW3S/3X/lPlc+m6PxW+gtAgJVhzAmBCCEkKRjW4mXgPLnkYWJu3btPTzHLcEIbWOfeZkM
2KCHRgICNuMwJgQgRdIB2OV3XEghVlhXjnQgN8D/L8MYJ1hyZ89asdSJRckCAk4SMCYEI
DCl5joJHfReDTOLs0GiWVrsqdlb6aJkX7pEmBM3ISSrAgJFyjAmBCD1P4UbgrKyQbrczV
Lz6MGCUZXP9mcBNuTJzbXq6+4rOAICQNQwJgQg3SjwjH+Z1bDoNeNiwgO5huLAGi8XDR8
fQvV/HN300VECAjlfMCYEINE1Ch6jeBGu6HCPE9Zc0bphstf3UXxS42+DKIEHvUnrAgJQ
jjAmBCATljBBPQaGzlJWF6zDvBdUESHM1TwwM0sIKr36J92fRgICT7gwJgQgEMl9p2be7
3CrnuMOhFxxdD4SVRw1dCr4V1XZ7I6j9w8CAjiKMCYEIBOVkInRmDcpuWJ6Ui4OSoUQN2
8ZHbKRWAQvTFWayYSjAgJPuDAmBCAy0hmbVw3x87if8Vo19idjBow9pEcuWxDUGDLPIPw
PoQICPlgwJgQgFzhZx8opXQkPzaMBnKkCgGiEKb2jZU4o8Oz+iMxSTr4CAlCOMCYEIHqT
dfK0juFTUHJAVKHG8AdNwMmsFb4EdoFAGaVhoGI7AgJDUDAmBCBTkZSxohXu5gtPQTF/y
sgNVxSumPy/xGCLeqpQmZUCSgICQagwJgQgbK+mBeBPQ6DiRq+wKjbx3+GkC2dwAHQhv1
GFR0QnnVcCAk+7MCYEICx/dKiFArzl4hBRstZ1DRjBE03PcrYJ699sSqHKR62RAgJEIzA
mBCDasmIg5X82lO6WP/6Ah/l7WXIHGAFcITQ7kk/haDxLlAICTT4wJgQgKn72VRSHzz58
4i7eCt5GTr2VA3Xux58a7rFagHCRogsCAkNPMCYEIPbJ0Yx6ehC5xD3W+/x5e6Vr4pPt8
I4jJe6NsUM33G+JAgJEJDAmBCBal1QHWFPDyNWIZjHzkhF9aJIRBIl/2SNivsFsDuI8aw
ICPlcwJgQg+6H7OBIm+LJU8OW782eBzZEfxxUPPVOMFdvmV9RCtkMCAkdyMCYEIO1/K1p
a7XYXrbjqduaJPEQpxZRreMei4Y3BnyLrgPs5AgJEIzAmBCDROI7O2pgB+uAPfB5bM7IX
lEz7wBwvOudCXAldGytLKwICMRUwJgQgQgeg1crXV6+tSL/u9rLCIyf6A4Hc1N1Cx6mqV
fSLUn4CAjowMCYEIIMRmcSEH/r2rtqgEAi0apG+lWAjvTGmmLBwPItVEbEhAgI72jAmBC
Bb1kMSHVN4GZ+ThbfimLvGekFVo7Zbke8uHgOTsmoqhgICQAAwJgQgTOl1UT/Z5awtssA
VtKy3ouTsEb2pj07xKbJkrBkte8cCAk7nMCYEIIjy4tQvD1bLA91J+nfTY8e3wc44nGwN
2r4YooCPE1l4AgJE+DAmBCAIAWmBXOHnfsEXdNOsior3tbkV0VcHsuzoBnUAyucFRgICR
p8wJgQgn2wCs/9NWfMwUXaMrrlHldYrxe93C6LyKzRN7VEaUmMCAkGmMCYEIHcIbyGQFw
fZo6XjmBBr7O7kKtdHw2l17VmriIq1nIheAgJBpjAmBCDejuTfymQidKujxVXvltAkbTp
LwzuY/9imaBtSS7Um9wICRp8wJgQgMHcCA8Lf3w5bIg3sOOPeLIKNNtO57fJpd3aXjlF+
ZdICAkGoMCYEIK2k25LAYsRdFyhUdAtZWpXAy6xBeN/1x8iOTjznYnt5AgJOFDAmBCDAL
voLQ4ZaISo8OTull3b2wILJZB3fkxhtKaGL5Dvt+AICQnwwJgQgbnFpor0tKo3aa4FfRZ
6lWStL9BcIAtr7IL45LEdPY3gCAjvaMCYEIHderU+1EymZMbQ2MLvaIPY3NRP8+zKiJnt
sP4GHZra5AgJKwjAmBCC8XuLlH1Hz0Zu22oFAv1vC4eehmeqEG7f5Wt4HwltUhwICS5Uw
JgQgoJWO5QLN1t+AWAHjRM9cWYgzzlDTEDNt7Bkc4gMBViQCAkuWMCYEIOuyY0wjvNPWg
tC8jcvwuvyjWL9ys8SKWFtLGsemmpGXAgI6MjAmBCAIFEelsWTmGx1AHPuLnx24nCMx2A
0efJ8ZBV/jYX9fGgICN7YwJgQgRT3KTipLYFgIVB4l3zym8tBRvVS9r41FQXEo7g7yEHw
CAk+8MCYEID8m02PPTnRveTlonsjkPdWrJBffsMGFIm0spdXQ3+HYAgJLlTAmBCCFzY4i
3IXkrswW8IZirVwOvd5EjK7B3ua8DNAmN+2kfwICPLAwJgQggVh6fotdqjZVtcYE63zEv
JauHnqxSMfaFAkVmc6LIDUCAkGnMCYEIN14sJzOtQJSb+UFlyASzKmLaMkNqEWsV/5p02
u88FZsAgJISDAmBCAdJm3lxYr3DdfrF1ASTxScxVja8DP+bCoRJIe3Vuy63wICQagwJgQ
g2Y/USMmCw8uFYowOaT9acOtYpaG6lA2AFU5L/fCm3iECAjsIMCYEINLeS1+js7s4W+3c
b5KQcf1wXHIur87tKNgQwW5PFGiRAgJODzAmBCC24ZY+6G1Es/NX6fL8nPDS+1l7VC/R7
rbHngwraFDtKQICS5cwJgQgOQIb5NbwG8KFNo1LTwpaerprwXi8n34rrj52PBQd0eICAj
/9MCYEIJVSOlJffU7guQv6GGKorZrgDKx8+M1mss0av50M0Tf5AgI//zAmBCA/rJ53Wru
DbgaDy0Ryv/6NhI9h7C6np0vOrGve2o9PvwICRPcwJgQg3/1W934mF6fJYTWSl3gaxRWI
kHOsqrVn9kt3nxYNh1oCAlFjMCYEIDa4+mOYnwP3GZyAtYOmhMy6rGy14svz3xfx8JF0T
XCsAgJIRzAmBCA6y19k5qgBhPchPyhsyVILBsZuCXl2eXRkAirCsikWKgICQNMwJgQgRA
w01NU5eNei9DiAXE4wvi8mEedosNr3xJFLkk6dZzYCAkJ6MCYEIP90BDLFNVEp5symt29
3gm8pUMPuQ6ArrhI9IZXYy+QYAgI6MzAmBCDWXNBy0N7gAAV8zkiK0W0PIEfM5p+nNo+A
F2+LtDlh9QICRp4wJgQgPpMa9PMRZ97AGehM8AlR9PTktqLO3IYjTjHIYx6gpBYCAk7oM
CYEIMB7U7nF4Y0nc1vWgocH8jSyPSczqJEvyguzNABe7NIBAgJHczAmBCCDmuszoj/iBh
5FcpgrLVl2DtpfN17ff6BFPl6IsTCOMgICQNMwJgQgiS8y1mWOV1+Cq0vKU5bLeSVldNx
rv7h9C8dbrbhyW3UCAkDUMCYEIAyNOGMAgu5aHEFxAos9ELBRtTtxoeejQnTsGEYyXVQW
AgJDUDAmBCBQtQwpqflFflxMWQu24sbxlYwNDNf3U9rHDJnWFlSq1QICPywwJgQgyxmRV
Mmc53bDk42kEbtlOAEr+YNgS8oQlYnEOFxbXNwCAkQjMCYEIBgNzNVneOxbsIIcyFKuAJ
GbtnQEBRV/zstLn4G4e4AXAgJCfDAmBCAccKWUSKl6+GuxflnHhizt5Z8df9sOtcwzuDs
jkAg4RgICTGkwJgQgt5vzIMAMC5TCd37sfW7JzASp8J+ESQ/22DcDRx9k3vUCAkNQMCYE
IHqxWhc5sUVaDB9F8zBtT8M8YBvM2iUamhMffCsKv+HqAgJHczAmBCBqpChePocR1tmqI
Wey9PDZwP+ndHr8jhu0mtdkrRKpxgICVlswJgQgbY0DyNeqlitidVzeM/P8HpwUCwLcIX
TzHP0wqwzYtJECAkDTMCYEIC3M+WntM2y9QP5Rv9k9zGaO6dj9erzGP7by7kcVHNISAgJ
LmDAmBCDiNhn3eBF/Ilm+zD73QrePKgHBwg4YnLVgGOlMIlKg2wICQ08wJgQgLCGZ5PVu
EfZX2+xmaiJxeuYIYN10smafz/7+W635J3ECAj8rMCYEIGHRDB9iKN2JnIJrCILjC3RCM
BFt+70rpjpm7NgUFB/uAgJO6DAmBCCy2C+9SMlXkK+Czjn6Eo1r45Gy/7w80Sf0tNPUNt
Yk5QICTucwJgQgZSP2pikTzwfpr+F5jJ4LG/eq1s0VVOwFc7XsjCkQptMCAj8rMCYEIDF
Ugp2+SP0kZbS77ZYzlhghZH4y9Q9xoPeAxkSDTdezAgJE9jAmBCB6WJaHEPMTNRANsTp2
hA3y60ZiP4s4ZV9zNxnGH6VBJQICQNMwJgQgCLPuylaB51qjvYTxDmtSJT/8yOqfNtQ2r
Ayvww6TF5MCAk4SMCYEICaTNXT5maeGJ0tVN9VRd89yWG8rAeaHwM9038Ti6K5XAgJDTz
AmBCC8Ih1NieJj9rTRBXY3LWI10vp65bBLY2MALhEwxlKXMQICQagwJgQgT484v+B5ilC
uNbIdU74nYvbQkHC1+std0vkNirt300MCAkrEMCYEIJVtJ8/cjl2HX1OJBj2cyaSo23T7
VrPwa5hvqygRxAcuAgJDTTAmBCAYVDRoeYEyYrClhoYFpcG/UEv3mI0Bw5Zj65UF7dM4H
gICQNAwJgQgmzmCMFDCaT6DiAqdtI8nsm0uY5ZCx4MWZSu5Srtg21ECAkkZMCYEINEgwm
rxFif18t72qRZEUZLFKUTjp8LlD88fHNj471C5AgJE+DAmBCA6fgeYbmtRYXyfZGDMVg7
zqqROCbziPc7304HYb3AoLQICVLIwJgQgZ+FlKygzpF+2EyKMnKTOyVRxrOjLWyb8lZAj
scLFR74CAkT3MCYEIPEG6Bn1cVGkhqUbb7yhzGeDhFdbMOef8AcsD0lh0gMZAgI9hDAmB
CBmRL039G591iE6exMG6e0Gvlq60bV7U6zMfTg19MaPMQICQacwJgQgi57uMH/S+CpOIv
80OabGfX/pL1TRIkygzrLEnH3BzuUCAkrDMCYEIK7ww2wk0fDFtQu2/l/6u3A8DGVgSKr
+ETDoDxJQUezlAgI//zAmBCCzzv/ZSPqu97xKIDQcyXyid8Vw+6oSW7+s2+No25CEQQIC
SEUwJgQg73sAt24nQyGyOdfiigI569jAJ+kXrfOaRYeFrVHT2PECAkJ8MCYEIEpXqjt/B
1Je20vwGJOn4Et+wAQd41gqj3LBg/YEPbLDAgJCfDAmBCB75tCchNTQhSU+Njic+1xQip
NTj0fW/bniddg33YkBuAICTGwwJgQg7BfE0liC5tBUJVeaTFD3/mRD74QISf7mBsR5y9s
X6O8CAkxsMCYEIBQi18eI6V/18OlgicEkzpLaUMNxVa4Ztj035EddMQAJAgI2EDAmBCDo
PtQiS/Y2QFiBN5Ju+FlF1EGr3Y9LO86GnFVfceBr+wICSsQwJgQg2jYjV46UVpPLGKANG
dQUw9lCeUIYX+1z7rlIsDqNb+ICAkafMCYEIHBvuIuktJ47oAHo1MWDChawJykDRmFd4g
EBBwiXn0WfAgJFyzAmBCAl/vdKpk+pUT5n/5NuTLJ+8XKKf/7MhqkvO+xum/+ucgICSe0
wJgQgQBwzbMKZg3AvHyVKujTRT1ThjK26eB80Hla2/tIXx5YCAkNQMCYEIGGu0wp25uCh
mPfq4OMgdQN6kOkKZ618F41NcGLVPELDAgJSODAmBCAWKGbal73eE+sy7xQqP21CgGgax
iYce9IKrvpDf+tU8AICRcswJgQgQcnF+h+whhze/Fclf2cq5Z4mnkeCXgiF+Ttlsr/KaF
MCAkhIMCYEIPoNqpmL7lB5ZJW9OAtzVMCQvWG1mzRAiQpUgmVjWBdZAgJEJDAmBCBV7ny
kMdhMOc/zPQ/k9/DRpF5n/o/SiH2wKUl9h1iIRgICPlYwJgQgQL69mK950xF/XcgHdawk
K/dteDavZeqSaBaQJWnivsECAj//MCYEIKuzkNDTLxSrplSVb3Z3+p0NNZCD478HZbOgv
BLSJ5LKAgJE9TAmBCAFPXTtQWPvr+sl6+cJ9HmigJ+ZH4XYQ968zZ2ESawFtAICRcswJg
Qgrw5/ioGj68fnXPZICKCq74eTDZY+SQeCu8LnEPJPFlQCAkrCMCYEIEiBETmNjLp4P7T
+UQMMSP43+pShO1hpun+veLMrSY49AgJCezAmBCD2InyavmODTAvF98htj5hqcUdL32lX
K69hCVCwxzI5PwICUwwwJgQgPsdc92EELLLMq7RGCMpIRcG8jPT7+Dj3VXYSQhvb/TYCA
j2CMCYEIEicdhyhD1l5sAOHchE57cSr6kVfoUmQZ0aHi/znUw9fAgJNPTAmBCDAq7Rofb
e8lnA6PufDnI/pFHeZUgEekIGG6O+UHkewwwICN7YwJgQgyjGfb185muGcBoRBCG29ZVt
VH2MqOkJzpOIMtGCk4EUCAkNOMCYEIOE6VxvB8Lsfy59Q2gZ1++61/5cdKIdHyZMSNb0k
XK4GAgJKwzAmBCBfJYKwX6QgC6vjgQ88Uj92h4q0ILmOxARJ5d3n+YlJ7gICUjcwJgQge
gsMYig+Y/8TzKCsXP/CwPuZrrGqKsYbYhTunkoxTfoCAkGlMCYEIAg1SmFygNkko4XuSi
PLSIAFnAcZcZJhEXncdjBG+hrJAgJCfDAmBCBnPQPAlhzFcy0q6dgKOBZM+AEjNiYYM28
mToWgT5TERQICQnswJgQgAnL9F9+1vxYWIkBDSRpShNZdLyrWGBsrRJ3M8MusluECAj//
MCYEIPOZrrOKTVxojdN+4by1wLpmmLndc97WTy45VWVlAgaYAgJGnzAmBCA1hNkmKFUfV
R76xiksk7so3PEN51jBOkLdRQl1yswHFgICUfQwJgQg4cPoEmDm9LLvi2tQsJDeYSd7gP
IWKIMwpZyAvkhJLzQCAkT4MCYEIJie4IMIJyPlGtOXy0qJwDh90IrkZJIbLJIQj9+PKPe
pAgI7BzAmBCB/umLFCpdjTytm2nlTSNb7GgdLDQJK683BNMgN0GT5rwICOWAwJgQgqUrX
jQOoc63dz+XUs6v3ISdQv99oJ7QmlHgx6teMGh0CAjrbMCYEINb4ha11RvjP2yO0huEAI
dzoTcoUf1IEd1tym0rqGoeGAgJA0jAmBCDgBlO2cmMtCIoijokRaX44WVwBiaaQjlaK5s
TXK4prGwICQ04wJgQgHIF1y5CX/MJN34DCwaibVj5+BbYlRN/uuQN0WBmH5F0CAkT3MCY
EIF13zOvcjW3nyG4/bxttrqC4Sd2KZRXuNKRE3yfxbntdAgI//zAmBCCvjgjAqm0ync4j
TuncwDKmVHZCVVWBci4oNKtY3RBT/wICOwgwJgQgGwxTC8k0y+kf9sHHusO60uRdeSjPS
ZUZ0We4o1wZhdYCAj8rMCYEIJ0vFxPdqBwh3CgDf0u7/p7Wf+iqF7ftAB+yVQxpDxVNAg
I73DAmBCC7m+SWtEC8+IMh5oLIebUbsDNVssvyRlJIhHuPfeqqhQICOjQwJgQgXBcIRjl
rCyONJRJbHRKk5TLVtxtobt5OHPMgbCrUNvACAkNPMCYEIHBnHSIszZ5xXTJIHgioCFlO
XnEB2qZrlqotdeN/ffhaAgJCejAmBCCHPJl/Ma7hPE1+fPgiODrhdIUc+aVDS0v9m78QR
qBNuwICPK8wJgQgnB7Ec8BHk0BjVKxVmve7sLhqatU3I90fnaFH96+E4BQCAkH1MCYEIF
BJ7faWL+jfEH/CMnJlM9fVJywDgrwP/eD+xptal6HrAgI3+zAmBCDejHC+8HL/li1VppA
3Nl91wI6hZHk4fwDJuhemZP0t4QICRh8wJgQgrWSnYCYVvK+Vk87SWk6d+6gh6qEKkP+2
es00YWyN3OACAkLKMCYEIGXcCNYUDz8k2EVhcWdoWydtGNwfxgNebK8brvmpQNx6AgJIR
TAmBCDDWdSUn0MqmLY16UuFl7Ow+r8yBfe49BEr23UPKc2EcgICOV4wJgQgdN9jYYDa4J
rZ1TuNaO+VGk9wFVJhdz+f3U6dQYzsln4CAkDRMCYEIFkpsSjpV0BKiqdvBRP3ptf/uXY
w29YQHmym2PG3UMRpAgJHcw==

B.2. Example ErikPartition

This object was retrieved from http://miso.sobornost.net/.well-known/ni/sha-256/0TiOztqYAfrgD3weWzOyF5RM-8AcLzrnQlwJXRsrSys.

MIIxEQYKKwYBBAGCx1yGO6CCMQEEgjD9MIIw+RgPMjAyNTEyMDEwOTAxMjlaBglghkgBZ
QMEAgEwgjDZMIHRBCAA8ZAigYAlPniDrD+cr6MSo3DuGnvP9yZHKdLztpfOXgICB4QEFH
9K5X7m4KnFEB/BSoelM0FQu6tGAgIGoxgPMjAyNTEyMDEwODAxMzRaMH4wfAYIKwYBBQU
HMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvMmIvMTFm
YTQ0LTg4NzktNGQxOS1iNDY4LTViNWQ5OGY1MzYxZS8xL2YwcmxmdWJncWNVUUg4RktoN
lV6UVZDN3EwWS5tZnQwgdEEIAQ+zjDZL1aUp3PJ9fGOw6mAn+oGTAMYanVh6p/+gir6Ag
IHzgQUfzE2D/wa/V8dpm2BQE5GY1EtSWcCAhTcGA8yMDI1MTIwMTAyMDExOFowfjB8Bgg
rBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC8y
ZC9mZWY1ZGQtMzhlZS00YmM1LTgyZmYtNTg0ZDc4YTI1ZjhjLzEvZnpFMkRfd2FfVjhkc
G0yQlFFNUdZMUV0U1djLm1mdDCB0QQgC52jD3kluIOiK/4OUeuxqCg24u//CAfU4EboGW
E9sD8CAgfOBBR/7+vRX7xlFIesr2dCT0eD1D60IAICF08YDzIwMjUxMjAxMDMwMDU2WjB
+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZB
VUxULzlhLzI2ZWY2My1iNzJmLTRiM2MtOGRmYy0yYmM4NDUxOTIyN2EvMS9mLV9yMFYtO
FpSU0hySzluUWs5SGc5US10Q0EubWZ0MIHRBCAV/aw4S/WZhqF33vjVGJBiIOmP2xGYSU
F1vLaibIF5cAICB84EFH/JVqUrc1BKTx/zRUcZkpen9d6dAgILBxgPMjAyNTEyMDEwNTA
xMjdaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5
L0RFRkFVTFQvYWEvNzFhYjY5LTY5NjUtNGI3MC05NjhkLWJiNTdhNGVmNzE1My8xL2Y4b
FdwU3R6VUVwUEhfTkZSeG1TbDZmMTNwMC5tZnQwgdEEIBYhrvmfIUdmMqivTVunxBx6eI
pvT7QCZkT+bGbGy1qzAgIIYAQUfyuobfeHiI9vhZKoBqb/6jBGwHoCAhdYGA8yMDI1MTI
wMTA4MDE0M1owfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9z
aXRvcnkvREVGQVVMVC82MC81ZTY3ODYtNjM3Ny00MjI0LWJhMDYtZGM0NzY5ZWZmMWY1L
zEvZnl1b2JmZUhpSTl2aFpLb0JxYl82akJHd0hvLm1mdDCB0AQgGF+uv2O9nv3sxjM1h0
4SdgkWUExdoGcHrabRZTPLIpECAgeDBBR/N3KD18I1qT3HvSuDF7J0jyhf9wIBRRgPMjA
yNTEyMDEwNTAxMTZaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9y
ZXBvc2l0b3J5L0RFRkFVTFQvOTIvMGZhZGZjLWY0OWItNDNlOC1iNjIxLTgzMWUyOTQ0Z
jhmYS8xL2Z6ZHlnOWZDTmFrOXg3MHJneGV5ZEk4b1hfYy5tZnQwgdEEIBxEo94JY8JaQq
Gzo4BIk97wLav+UT1pMctKlnu6YQ+3AgIHhAQUfxe2+TI5nVhQk9GHM5Tr/hsp+YwCAg7
UGA8yMDI1MTIwMTAxMDEzM1owfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC8zMS9jYzAyMDAtYmIyYy00NWY2LWFjNzUtODI3N
Tc3ZGY4ZWRjLzEvZnhlMi1USTVuVmhRazlHSE01VHJfaHNwLVl3Lm1mdDCB0QQgHmdy58
dUxBqKunNs2IYseugYILVAKGtMrsY/RlKPhA8CAgfOBBR/GIratbVSCB7KyCHJsJA5SHO
zFQICEcMYDzIwMjUxMjAxMDEwMDUzWjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2ku
cmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzkwL2E2NTUyMi1mN2M1LTQ4N2ItYjdiO
C0yZTQ2MTQxNDFhYTQvMS9meGlLMnJXMVVnZ2V5c2doeWJDUU9VaHpzeFUubWZ0MIHRBC
ApJYzOeRBRyJJP5XVlTMV9BbCr2FLy3reByODRl7Ud0QICB4QEFH+ZGMq28fNe8bXlg8s
oOem3SLFYAgIUKBgPMjAyNTEyMDEwNDAxMTZaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8v
cnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvMjYvZGY4MmZhLTExOGQtNDIxO
S1iYTE2LTFhOTY4M2M5ZDZjYi8xL2Y1a1l5cmJ4ODE3eHRlV0R5eWc1NmJkSXNWZy5tZn
QwgdEEICvnXavLyieUCo6TaPSVhVq/EyzoCrsNfLDajtwIMXOQAgIHzgQUfzP8QNLgMzu
8e96rK9hZlUMBwPECAgadGA8yMDI1MTIwMTA1MDEwM1owfjB8BggrBgEFBQcwC4ZwcnN5
bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC9iNC82NWJmMWQtZWMxZ
C00MGU2LTg0OWQtNzk3OTBkNjZkN2QzLzEvZnpQOFFOTGdNenU4ZTk2cks5aFpsVU1Cd1
BFLm1mdDCB0QQgL10y1HJI84RSfC0LxOCWg3GX+Z8NpQFtvk6ENpRimksCAgeEBBR/c2u
IoCQE1DBL3a1f9VBKaDPntwICF1AYDzIwMjUxMjAxMDQwMDU4WjB+MHwGCCsGAQUFBzAL
hnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzk5LzBmMjVjZ
S1iOTc3LTQ4NTMtOWVjMy05ZTU2Y2I1NGZlZjcvMS9mM05yaUtBa0JOUXdTOTJ0WF9WUV
NtZ3o1N2MubWZ0MIHRBCAyPrwYWQ8LxOXzhGZeh+8XxbkNmGafJhwqjmAaZriyzgICB84
EFH/RimpJkQzDMdyREUrlm3GF1fMNAgIXVBgPMjAyNTEyMDEwNDAxMDRaMH4wfAYIKwYB
BQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvYmEvM
Dk0N2YyLTIyY2EtNDdjYi04OWFkLTNlNTBhNWYwMTk5OC8xL2Y5R0tha21SRE1NeDNKRV
JTdVdiY1lYVjh3MC5tZnQwgdEEIDnBREYJKP6j1rETOS53IdzOZn3sJ+uChwwifS9QXQL
FAgIIGAQUf/G4HP5quxGOl+AyW2Yur5hPL2oCAg3AGA8yMDI1MTIwMTA5MDEwMlowfjB8
BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMV
C83NS8xODZhMTgtNWQ3Zi00M2VkLWIwNmEtY2VhN2ViMzUwNTM3LzEvZl9HNEhQNXF1eE
dPbC1BeVcyWXVyNWhQTDJvLm1mdDCB0QQgOwQ/rlodU9eD2T0kGq5GuhR5fh/woMKRniH
oq5eAftkCAgfOBBR/kt92EPBI9Dv0TDNtQcbBFX7w4gICFucYDzIwMjUxMjAxMDgwMTAy
WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ER
UZBVUxULzE3LzU4YmUxOC0yZjM1LTRjNmEtYWE2YS03ZjcyZjQ0Yjg5ODIvMS9mNUxmZG
hEd1NQUTc5RXd6YlVIR3dSVi04T0kubWZ0MIHQBCBDmmc4+wow2jqcznZMDpzu4gCFEVl
n1V724kiXa5XJ7wICB80EFH8xKwnR9pDyVwC9Xc8HyRgMXpZjAgF8GA8yMDI1MTIwMTAy
MDEyOVowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvc
nkvREVGQVVMVC9iYy8yOWRhYzktOWExNS00NjYxLWFmNzgtMTUyMmUyOTY0ZmNlLzEvZn
pFckNkSDJrUEpYQUwxZHp3ZkpHQXhlbG1NLm1mdDCB0QQgROtnobgIbiWRn16WLRqJwWY
9inB8r0i3Yt83QLYe+IwCAggYBBR/FoAo7A2rZopn1b9vU1jKq+M3qAICC8MYDzIwMjUx
MjAxMDkwMTIxWjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb
3NpdG9yeS9ERUZBVUxUL2NjL2IxNTI4Ni1mZDRkLTQ5ZmUtYTY5ZS03ZmFkZjUwYTJlMz
cvMS9meGFBS093TnEyYUtaOVdfYjFOWXlxdmpONmcubWZ0MIHRBCBYxAOpY8YFSTATAiG
GpvVSRSgQAJ1iw4wVZFDe0tpFFAICB84EFH8dDjKYvtOn85+zskTtkYv2xNe/AgIVKhgP
MjAyNTEyMDEwODAxMzFaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ld
C9yZXBvc2l0b3J5L0RFRkFVTFQvZjcvZTY1MDZlLTc2ODUtNDhlNy1hNTgzLTIxYWYzZG
VlOGVlOS8xL2Z4ME9NcGktMDZmem43T3lSTzJSaV9iRTE3OC5tZnQwgdEEIFqLUxEtqFQ
8nsQjuHOdgA3R1jCjEfWfGUSP7Os1L/6rAgIHzgQUf9YuQsCOFgHEVx4NiKNJoFCd6l4C
AhLcGA8yMDI1MTIwMTA5MDA0OVowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpc
GUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC83OC9iOTM0ZWUtYzRiYS00MzkxLTgwYjAtZT
c1YTVlYTg5ZmQxLzEvZjlZdVFzQ09GZ0hFVng0TmlLTkpvRkNkNmw0Lm1mdDCB0QQgW8F
Etd6qgbHQ44YHJ6wkE5VITxuCQjtIWmg1zqa1MYMCAghfBBR/UAd9LdimehrotqvWu7NI
kCiluwICF1oYDzIwMjUxMjAxMDEwMTI0WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa
2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzVjL2MxYzFjZS1lYTU5LTRkY2YtYm
NjYy0zZTdjYWRkODhjNzAvMS9mMUFIZlMzWXBub2E2TGFyMXJ1elNKQW9wYnMubWZ0MIH
RBCBcXbY5z24axrfKcJW6XGc7um2xXgBZ/C1L9bWyjOkmvwICB4QEFH/xeuVHufJkHmBX
f+VT3bb3SaCHAgIEkhgPMjAyNTEyMDEwNDAxMjVaMH4wfAYIKwYBBQUHMAuGcHJzeW5jO
i8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvYTUvMWJjMGY5LWJkN2MtNG
Y3YS1hNDA0LWE0M2ZmMjVkNDQ3ZC8xL2ZfRjY1VWU1OG1RZVlGZF81VlBkdHZkSm9JYy5
tZnQwgdEEIF03R0Dq2PGbGO3ujphrcTC8ZE8AEIWfD0YwqVctVCAwAgIHhAQUfylmV6+N
AMJf119W7MiiizUVBXUCAhCJGA8yMDI1MTIwMTA3MDE0MlowfjB8BggrBgEFBQcwC4Zwc
nN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC9kMC9lODBiMzMtM2
JlZS00NmVjLWIzNWQtYmFmOTVhNTA2ZDE5LzEvZnlsbVY2LU5BTUpmMTE5VzdNaWlpelV
WQlhVLm1mdDCB0QQgZaPGuCpDJjZdQOpvmnyTiFp4QnW+r9TsifuV30oH+GgCAgfOBBR/
KjK6QhloDc3Vj2EB5ceuwVQKcwICF1QYDzIwMjUxMjAxMDQwMTQ2WjB+MHwGCCsGAQUFB
zALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzU1LzE0M2
U5ZS05NmU2LTQ3NGUtYWQyYy0yMmU2ZGY0NTg0YWYvMS9meW95dWtJWmFBM04xWTloQWV
YSHJzRlVDbk0ubWZ0MIHRBCBuGWGOvesQalq8v3IAS+XZ7/ThSna7tG+2nGaxTvgargIC
B84EFH93NN/qEgZXQS6oZ928e4TRMr94AgIQARgPMjAyNTEyMDEwNDAyNTRaMH4wfAYIK
wYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvN2
UvNjgwMzI0LWVlMWYtNDBmMi04OGRmLTE5NjkzMTk2MmQzYy8xL2YzYzAzLW9TQmxkQkx
xaG4zYng3aE5FeXYzZy5tZnQwgdEEIG4v5Rd8XOjTOwstfz3AxIMD8/CBhcb/zzP2697e
qe+bAgIHzgQUfxePr2QB4vNxbjF2RWnfcx31jyICAhHHGA8yMDI1MTIwMTA2MDE1Mlowf
jB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQV
VMVC82Ni8xYjc5NjgtY2E0ZC00NWY0LWI2NzEtMmU3Zjc4NDg5Y2QzLzEvZnhlUHIyUUI
0dk54YmpGMlJXbmZjeDMxanlJLm1mdDCB0QQgcnk/0dikRdTd+awyXTbblVwIV405YHxY
Gz331fV1//ACAgilBBR/UV6tCV7tmsTKvFq0rQtYZ9nwGwICF2kYDzIwMjUxMjAxMDYwM
TIyWjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS
9ERUZBVUxUL2E3LzVjMmE1OS02MDI1LTQwMGUtYWIyOC1mMGE2MjRkNDA5MTIvMS9mMUZ
lclFsZTdackV5cnhhdEswTFdHZlo4QnMubWZ0MIHRBCB1mD2in3JeRV+fgI/8j4u9wnAK
br2+4DPcvrpJk8W2YwICB84EFH/3TavU6xqhFHFE4VsCZp6YL95NAgIG/xgPMjAyNTEyM
DEwNTAxMjZaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2
l0b3J5L0RFRkFVTFQvN2QvMGZiYmY1LWM4M2QtNGI5Ny05Y2VhLTA1NWM0OWFjNjgyOC8
xL2ZfZE5xOVRyR3FFVWNVVGhXd0ptbnBndjNrMC5tZnQwgdEEIHZ7XRZ6keXbidAtOaYz
6UWK0Bqy9drRHdf2MSiM/iodAgIIGAQUf+DnWTVOg8wZMgOBEJ3iLaDxpwACAhdZGA8yM
DI1MTIwMTAxMDA1MlowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3
JlcG9zaXRvcnkvREVGQVVMVC80Yy8wYzcyNDMtMWZmYi00OWQyLWI1YzEtYjQwMmU4YTF
kOTM0LzEvZi1EbldUVk9nOHdaTWdPQkVKM2lMYUR4cHdBLm1mdDCB0QQged79Kaf+7JzI
GJt1GETYyDCtCkzPbiJwN/afQa0CUEECAgfOBBR/+wEVxKzd0bStxAc3gHJqz8Aa+QICD
F0YDzIwMjUxMjAxMDYwMTU4WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS
5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzYxLzUyNjhmYy1jZmVlLTRhYTgtOTdiZi1jYmU
wMjA2NjVlZmUvMS9mX3NCRmNTczNkRzByY1FITjRCeWFzX0FHdmsubWZ0MIHRBCCCOIX0
WYimv4KU4OlM2vc1PSbqae0UKOxGrvhS5Bio3wICB84EFH/mixIjS9cDQwG8lrE4quJ3h
go+AgIFvxgPMjAyNTEyMDEwMzAwNTlaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS
5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvOGIvNGExMTExLThmM2MtNGVkZi1iNzd
jLTJmYTI2MzFiYzMxYy8xL2YtYUxFaU5MMXdOREFieVdzVGlxNG5lR0NqNC5tZnQwgdEE
IIPAhDVKKA18D7bXbpfqegxAJonCF313EQyrwBqxJP6qAgIHhAQUfwdXwzGYHgQrdHE3N
SfQ9koTVrQCAhL3GA8yMDI1MTIwMTA0MDA1MlowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly
9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC83OC80Zjk2ZjktNTY5Zi00MzN
jLWI5YTgtNmEyNjEyZDQwZjUwLzEvZndkWHd6R1lIZ1FyZEhFM05TZlE5a29UVnJRLm1m
dDCB0QQgiBLeB6fTcd+GI68Xb2SO5F1CGDvaW+xwe53CPdheYaUCAgfOBBR/NdWuQX9F7
oUF12zqobNMRYOUoAICEC4YDzIwMjUxMjAxMDQwMjU1WjB+MHwGCCsGAQUFBzALhnByc3
luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2U2L2M1NDY3Yi0zOTY
yLTRiNzQtYWUwZC0zNDQ3M2JjOTFkODAvMS9melhWcmtGX1JlNkZCZGRzNnFHelRFV0Rs
S0EubWZ0MIHRBCCJCiFTDJIL5Eu/g127lCb3vMM3g5snpcUrKpwZjaQM5QICB84EFH9Dn
ZQkJvxnOyecyYqzX9vX6pf1AgIS7BgPMjAyNTEyMDEwODAxMzFaMH4wfAYIKwYBBQUHMA
uGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvMmEvNjlhMDl
mLTU4MDktNDY1Ni1iMzU1LTE0NmYyNTRhYzEzMS8xL2YwT2RsQ1FtX0djN0o1ekppck5m
MjlmcWxfVS5tZnQwgdEEIJMmOJymBCe0/6nb4mYG9VCaJoVc6goEzLn+d39KOCSnAgIIp
QQUfz4LJ7jk15j5K53hV/HaWkPNSeUCAhGQGA8yMDI1MTIwMTAyMDEzNlowfjB8BggrBg
EFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC81Zi9
hMGM5YWMtM2E0Ny00ZDZjLWFhMTUtYTQyZWM4Nzc2ZmJiLzEvZno0TEo3amsxNWo1SzUz
aFZfSGFXa1BOU2VVLm1mdDCB0QQglVtjJ9PwBWwCnbqwZxmB8Gn5Xnqulmyt4RRrfdAaD
akCAgeEBBR/Ud8d9OiGfkHl5/kt5/nR+gwVTQICDDkYDzIwMjUxMjAxMDYwMDUxWjB+MH
wGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUx
UL2ZhLzVlNzMxZi01MjhiLTRlMDItYWQ2OC02ZDkwMzVhZjE1MzUvMS9mMUhmSGZUb2hu
NUI1ZWY1TGVmNTBmb01GVTAubWZ0MIHQBCCXQ734ecoE7Ee+ixR9hRJ8KbAoVKjQH+eaa
hezBcanUwICB80EFH+1Dn07f9KJTPtw5JRgizIMwhXBAgFoGA8yMDI1MTIwMTAyMDEyN1
owfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREV
GQVVMVC85Ni9hOTE4Y2ItMjA0NC00ZjFjLTk3MDAtOTM2MDFhMzRmNjJmLzEvZjdVT2ZU
dF8wb2xNLTNEa2xHQ0xNZ3pDRmNFLm1mdDCB0QQgmQxoxMiDEfXNMsYlQoH6yKDxXwQIL
5MPYTqHFYS8ZrUCAgfOBBR/TVkcI60saUd9f3odTOjrzulZbAICBa0YDzIwMjUxMjAxMD
IwMTE4WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9
yeS9ERUZBVUxULzNlLzBkNjdhMi1iYzM2LTRiOTMtYjYwNC1kNGY1YzkyZDkwOTUvMS9m
MDFaSENPdExHbEhmWDk2SFV6bzY4N3BXV3cubWZ0MIHRBCCZV0Ko51mfPhdE0KS2jxkbh
8xqmbPVE1L7xwvXyv7prQICB84EFH+0PeI3/QtqKHOJIwkh0losLtGoAgIW5RgPMjAyNT
EyMDEwMjAxMjBaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXB
vc2l0b3J5L0RFRkFVTFQvMDkvZDRkMTJhLWFiNGUtNGRiYS05NWRlLWJjNjM3MTMwZGU2
ZS8xL2Y3UTk0amY5QzJvb2M0a2pDU0hTV2l3dTBhZy5tZnQwgdEEIJvN0WGb67xEP4DUB
yx/BMvvtHEW6vxQg2hp/+d94gzLAgIHzgQUfySblURiBoP5SziKdVGmimST7RICAgODGA
8yMDI1MTIwMTAxMDE0MFowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV
0L3JlcG9zaXRvcnkvREVGQVVMVC84Yi83YWEwNGUtNDgwNy00OTg4LTkxMDMtODQyMzk3
ZTMwNjQzLzEvZnlTYmxVUmlCb1A1U3ppS2RWR21pbVNUN1JJLm1mdDCB0QQgndOjuhvMa
SgIlh1phbQk1WorikTAGzMZ1yYZh4hOnFsCAgfOBBR/HVjWLd1+R68hlv11S7P/JnmJKg
ICF1EYDzIwMjUxMjAxMDQwMTA3WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucml
wZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzQ2LzI5MGE2MC03OTJmLTQ0NzUtYTlmNC1l
M2I5ZTBiYWU2YWIvMS9meDFZMWkzZGZrZXZJWmI5ZFV1el95WjVpU28ubWZ0MIHRBCCgt
UF13WSGcG3ftTwitpC3tn1l3QrSgona2FtWDW6MMQICB4QEFH9+Xr1vpGnF43C/wQbE1K
rR4duUAgIPvBgPMjAyNTEyMDEwNjAxNDVaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnB
raS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvMjMvYzNlOGVkLTU5N2EtNDg1YS05
NGEzLTk4MmNmYjM1OWFlZS8xL2YzNWV2Vy1rYWNYamNMX0JCc1RVcXRIaDI1US5tZnQwg
dEEIKToobNubCUkpHLMcGeRdi3NPy6FTNc5vWcdzn4WHJCJAgIHzgQUf1i8CGQS9NLFT6
BwLZLOJUls5HkCAhTNGA8yMDI1MTIwMTA5MDEwM1owfjB8BggrBgEFBQcwC4ZwcnN5bmM
6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC9jYy81MzA5MzMtNTkxNS00
ZmYyLWIxZjktNTAxMGQwNWY5OWE4LzEvZjFpOENHUVM5TkxGVDZCd0xaTE9KVWxzNUhrL
m1mdDCB0QQgpUbbc2l7xyPdCsTyvKWAYLb60Na07P5Z/LuLmjbWor0CAgeEBBR/FM6BA7
eF81BLxLMvH0ybcM4/fwICEBAYDzIwMjUxMjAxMDQwMjQwWjB+MHwGCCsGAQUFBzALhnB
yc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2I2L2Y2OWRiZS1l
MDc1LTQ0MzgtYjUzYi1mNjE2MGZhMWZiMDIvMS9meFRPZ1FPM2hmTlFTOFN6THg5TW0zR
E9QMzgubWZ0MIHRBCCl0WdrMOFv0BMgl2VQQAx9uI5t4Kxtvqn52hF7AMg48AICB84EFH
/uPzggc/LD5PzP/KOExbDNgmwmAgIDJBgPMjAyNTEyMDEwMjAxMTNaMH4wfAYIKwYBBQU
HMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvYTcvOGNj
ZWJmLWY5ZmEtNGM0Ni1hZWU4LWNjYmZhNzM0MjRhNy8xL2YtNF9PQ0J6OHNQa19NXzhvN
FRGc00yQ2JDWS5tZnQwgdEEILGPAJJw5GgG/qYFP8SGleANcjVwi/NR03QswU5WeDJ/Ag
IHhAQUf4shg1iYOn16JTip2puh80lNcasCAgF5GA8yMDI1MTIwMTAxMDEzN1owfjB8Bgg
rBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC9k
OS83NmNkMDMtZWFhMi00OTY1LTk0ZWYtOThkYmI2NDAyY2RkLzEvZjRzaGcxaVlPbjE2S
lRpcDJwdWg4MGxOY2FzLm1mdDCB0QQgtdKlBX5qKFRZa8MYepUoG+bDYSrxmJWomXIWH6
3MuI8CAgfOBBR/QtJ8IdqGx+n79Erg5WyY89L4CwICDvEYDzIwMjUxMjAxMDQwMTUxWjB
+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZB
VUxUL2E5Lzk4YjAyNC05ZDhmLTQ4NjktYTJhOS0wYWZiN2MzZmJmMzAvMS9mMExTZkNIY
WhzZnAtX1JLNE9Wc21QUFMtQXMubWZ0MIHRBCDC15K5tTx2P8RH7fIclKElwISZkRMir7
Y+gbiT32PblAICB84EFH9Wid5KfOdovzq12fhUboVsyxk2AgIXVBgPMjAyNTEyMDEwOTA
xMjlaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5
L0RFRkFVTFQvNzcvNjRkNTA1LTIyMDQtNGRjYS1hOTVlLThiNTM3MjU4NGFjZC8xL2YxY
Uoza3A4NTJpX09yWFotRlJ1aFd6TEdUWS5tZnQwgdEEIMNtO2By45vHeZpPh29jREqwPT
dNK3wpji89aE46wzvqAgIHzgQUf/yCWF32m3yUsWphky/8i24zUVYCAhMrGA8yMDI1MTI
wMTA0MDMwNVowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9z
aXRvcnkvREVGQVVMVC9lNC81MzFkMmItZTE3MC00OWE1LTg0MDQtOTJmNzNmNTZmYzYyL
zEvZl95Q1dGMzJtM3lVc1dwaGt5XzhpMjR6VVZZLm1mdDCB0QQgxPtJfkFu3DgrwLJ83s
9z3QLegjHDr/Uw5o+t2ZtVwq0CAgilBBR/ytid8b+Zo28pDMPvDx57TQJ1MwICFzAYDzI
wMjUxMjAxMDgwMTM4WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQv
cmVwb3NpdG9yeS9ERUZBVUxULzU1LzlmOGIxNi0yODRmLTQ1MTItYjNkYy0wMTVkOWYxY
jRiNTAvMS9mOHJZbmZHX21hTnZLUXpEN3c4ZWUwMENkVE0ubWZ0MIHRBCDHV1gO79ba9G
7o6jISax/iwzwo7/27uamcO+yMpmhMeAICB84EFH8RQWrjkp3ze/ZqRZzTrKY4kelGAgI
XUBgPMjAyNTEyMDEwOTAxMjBaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBl
Lm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvMmYvNmIyMmU4LTNkY2QtNDRkZC05NTE0LTY3N
TZmN2IwYzBkYi8xL2Z4RkJhdU9TbmZONzltcEZuTk9zcGppUjZVWS5tZnQwgdEEINCnxy
tYU3cWzpJpRz7uemPZtS57LAE1K67EdsvmYP34AgIIXwQUf1byiUjIMvLUNLtE1d4OoSJ
gGwUCAhdUGA8yMDI1MTIwMTA0MDI1MlowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtp
LnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC8zYS8yMWZiY2EtODBlMC00YjhjLTg2M
jItNGU4NmFkNjRmNzc0LzEvZjFieWlVaklNdkxVTkx0RTFkNE9vU0pnR3dVLm1mdDCB0Q
Qg0k6pzrsR7newSZBveJZbL9gOfj9KW4FiV/ymMyIXPv0CAggYBBR/A6H4wzT9v0t43vD
Fkv8EkN30sAICFwwYDzIwMjUxMjAxMDkwMTI2WjB+MHwGCCsGAQUFBzALhnByc3luYzov
L3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzY2LzNmZTFhMC1jNmZkLTRiY
zQtYWFlMS05ZWUwMDY5NDJiNGIvMS9md09oLU1NMF9iOUxlTjd3eFpMX0JKRGQ5TEEubW
Z0MIHRBCDU0f6D7ydNBUqXYgWA47zL8lFv5uZQZu+mIp+MDlb/ZwICB84EFH+bTP3JsNn
jwx4Ou4Hm8bHLvcnkAgINMxgPMjAyNTEyMDEwMjAxMDVaMH4wfAYIKwYBBQUHMAuGcHJz
eW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvNWIvODI0NmViLTg0N
jktNDJkZi1hMDhmLTkwYzQyMWY1NWFkYi8xL2Y1dE1fY213MmVQREhnNjdnZWJ4c2N1OX
llUS5tZnQwgdEEINT4ChVgdLoApQkOqhPAtCjBikQI2ivxT1aIQ0QkjJV5AgIHzgQUf2q
OXVXCSYqCY2+Z+PyeMZ4Hdx4CAhBVGA8yMDI1MTIwMTA3MDA0OVowfjB8BggrBgEFBQcw
C4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC83NC8yN2ZjZ
TEtMTFjZS00YTMyLWE2NDktZTA3NmI1MTcyMWFkLzEvZjJxT1hWWENTWXFDWTItWi1QeW
VNWjRIZHg0Lm1mdDCB0QQg1XajHa4+9/hV1MAjIOObhtTaXYak8BxLNMythZRR8nUCAgf
OBBR/Pgh0ie4jqUJNU/rCFu5LjgEoDgICFucYDzIwMjUxMjAxMDgwMTQzWjB+MHwGCCsG
AQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2M2L
2MyYzk5ZC1jZjkxLTRkZmItOTRkZS1hN2M2M2Q1NjJlNTYvMS9mejRJZEludUk2bENUVl
A2d2hidVM0NEJLQTQubWZ0MIHRBCDmfe+L/cGZ/775whLRd2lc2xLwqySNmWI/UwS0TKr
GnwICB84EFH/j1jtKW0BLX/g8vysVJaMEd/ZcAgIElRgPMjAyNTEyMDEwNjAxMzVaMH4w
fAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVT
FQvZjYvODFhNjcyLWZlOTgtNGQzZi05YjgzLTJjYjdhM2I2ZTQyZi8xL2YtUFdPMHBiUU
V0Zi1EeV9LeFVsb3dSMzlsdy5tZnQwgdEEIPG8PInX4YXP8xwIuII6Dd0J+VC/iUx5eHH
MlHFh8KxqAgIHzgQUf6gWozONMnQc1P/49J3bLMg4/cUCAgTEGA8yMDI1MTIwMTA1MDEx
OFowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvR
EVGQVVMVC81My9hNDUyOGEtOTBlNi00ZDkxLWE1MmMtZjA3MTdlYTQ4NWM2LzEvZjZnV2
96T05NblFjMVBfNDlKM2JMTWc0X2NVLm1mdDCB0QQg8o1obyN6PNR2LhKZZlHrvknGPo/
3ntp69h6hJcuBI/kCAgfOBBR/USKDdHQt9USqkwWMWjvT0WQhmQICDsQYDzIwMjUxMjAx
MDUwMTA3WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3Npd
G9yeS9ERUZBVUxULzBhLzkzODVhYS0xYjc5LTRhMDItYTA5Mi0wMWViMDM2ODRmMDkvMS
9mMUVpZzNSMExmVkVxcE1GakZvNzA5RmtJWmsubWZ0MIHRBCD67XBv0HfJ+GUWju8p9NQ
kMukS3ghuD9OUpvOP+hnw0wICCo8EFH9r0aawRiXFcdgw+HixwCOCR0CMAgIF+BgPMjAy
NTEyMDEwNjAwNTNaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZ
XBvc2l0b3J5L0RFRkFVTFQvNDgvYmM2NmQ3LTU3YWItNDc1ZC05NmJhLTg5YjZjMzIzMT
VjMi8xL2YydlJwckJHSmNWeDJERDRlTEhBSTRKSFFJdy5tZnQwgdEEIP8uT1mBLUAiXKV
FgcTBM/TUk/zOtjhPa2Vo2rQg3+i7AgIHzgQUf4XpkDVDl+NsDKkDoMYgx3Ce/c0CAgOC
GA8yMDI1MTIwMTA2MDA1MVowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUub
mV0L3JlcG9zaXRvcnkvREVGQVVMVC81ZS80YWUxNzUtNTVkMC00ODRkLThkMTEtOGM5ZD
U4MjNiYWQ5LzEvZjRYcGtEVkRsLU5zREtrRG9NWWd4M0NlX2MwLm1mdA==

Acknowledgements

The authors wish to thank George Michaelson, Theo de Raadt, Bob Beck, Theo Buehler, and William McCall for the lovely conversations that led to this proposal. The authors wish to thank Sean Turner and Russ Housley for their review of the ASN.1 notation.

This protocol is named after Erik Bais, who passed away in 2024, as a small token of appreciation for his friendship.

Authors' Addresses

Job Snijders
BSD Software Development
Amsterdam
The Netherlands
URI: https://www.bsd.nl/
Tim Bruijnzeels
RIPE NCC
The Netherlands
Tom Harrison
APNIC
Australia
Wataru Ohgai
JPNIC
Japan