<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<?rfc strict="yes"?>
<?rfc compact="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-bertoldi-regext-rdap-reliability-scoring-01" category="exp" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="RDAP Reliability Assessment">RDAP Extension for Structured Reliability Assessment Metadata</title>
    <seriesInfo name="Internet-Draft" value="draft-bertoldi-regext-rdap-reliability-scoring-01"/>
    <author initials="A." surname="Bertoldi" fullname="Alessandro Bertoldi">
      <organization>Bertoldi Cybersecurity</organization>
      <address>
        <email>alessandro@bertoldicybersecurity.com</email>
      </address>
    </author>
    <author initials="S. P." surname="Romano" fullname="Simon Pietro Romano">
      <organization abbrev="UNINA">Universita' degli Studi di Napoli Federico II</organization>
      <address>
        <postal>
          <street>Via Claudio 21</street>
          <city>Naples</city>
          <code>80125</code>
          <country>Italy</country>
        </postal>
        <email>spromano@unina.it</email>
      </address>
    </author>
    <date year="2026" month="July" day="18"/>
    <area>Applications and Real-Time</area>
    <workgroup>REGEXT</workgroup>
    <abstract>
      <?line 100?>

<t>This document proposes an extension to the Registration Data Access Protocol
(RDAP) that enables the representation and exchange of structured reliability
assessment metadata for registrars and domain names. The extension defines a
structured assessment envelope through which an RDAP server can expose
assessment results produced by a registry, registrar, or third-party assessor
in a common, machine-readable format within RDAP responses.</t>
      <t>The extension standardizes how assessment results are transported and
referenced, not how they are computed. Scoring methodologies, thresholds,
criteria, and governance frameworks are intentionally left to the operational
and policy layer.</t>
    </abstract>
  </front>
  <middle>
    <?line 114?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The domain registration ecosystem relies on registrars as critical
intermediaries between domain owners and the global DNS infrastructure.
Research <xref target="DEEPSEC2025"/> has identified recurring systemic vulnerabilities
in registrar processes, including credential recovery, identity verification,
and email authentication configurations, that represent structural risks
affecting large numbers of domains and their owners. These issues have in
several cases remained unaddressed for extended periods despite responsible
disclosure.</t>
      <t>The Registration Data Access Protocol (RDAP), defined in <xref target="RFC7480"/>,
<xref target="RFC7481"/>, <xref target="RFC9082"/>, <xref target="RFC9083"/>, and <xref target="RFC9224"/>, was designed as the
successor to WHOIS and introduces structured JSON responses, authentication
and authorization support, and a well-defined extensibility model. These
properties make RDAP a suitable foundation for exposing structured security
and reliability metadata in a standardized, interoperable way.</t>
      <t>This document defines an RDAP extension that provides an envelope for
carrying assessment results related to the security posture and reliability
of registrars and domain names. The extension standardizes the transport and
referencing of such results; it does not define scoring methodologies,
thresholds, or enforcement mechanisms. The protocol enables representation;
the ecosystem decides how to populate and consume the exposed fields.</t>
      <t>The proposal is intended as complementary to
<xref target="I-D.loffredo-regext-rdap-verified-contacts"/>, which establishes that contact data has been verified. The present extension adds a parallel layer:
structured metadata about the security posture of the registrar and the
domain itself.</t>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.</t>
      <t>The following terms are used throughout this document:</t>
      <dl>
        <dt>Assessment Envelope:</dt>
        <dd>
          <t>The structured set of fields defined by this extension, representing the
result of a security or reliability assessment of a registrar or domain.
The envelope carries the result and points to the methodology; it does not
define the methodology itself.</t>
        </dd>
        <dt>Score Scheme:</dt>
        <dd>
          <t>An identifier or URI that denotes the scoring methodology used to produce
an assessment result. The scheme defines the semantics of the score value,
its range, and its criteria. Scheme definitions are maintained externally
to this document.</t>
        </dd>
        <dt>Score Issuer:</dt>
        <dd>
          <t>An opaque identifier for the entity that performed the assessment and
produced the score value. The format and resolution of this identifier
are defined by the scoreScheme.</t>
        </dd>
        <dt>Extension Identifier:</dt>
        <dd>
          <t>The RDAP extension string registered in the IANA RDAP Extensions Registry
that identifies this extension.</t>
        </dd>
      </dl>
    </section>
    <section anchor="motivation-and-problem-statement">
      <name>Motivation and Problem Statement</name>
      <t>Research <xref target="DEEPSEC2025"/> has identified recurring systemic vulnerabilities in
domain registrar processes that cannot be addressed by conventional technical
security controls. These vulnerabilities arise from weaknesses in the
interface between digital systems and human processes, and include
deficiencies in credential recovery, identity verification, and email
authentication configurations.</t>
      <t>A notable characteristic of these vulnerabilities is their persistence: in several documented cases, exploitable issues remained unresolved for extended periods following responsible disclosure, reflecting diffuse accountability and the absence of structured incentives for timely remediation.</t>
      <t>These findings suggest that while technical standards such as SPF <xref target="RFC7208"/>,
DKIM <xref target="RFC6376"/>, and DMARC <xref target="RFC7489"/> are sound, their adoption and correct
configuration cannot be reliably ensured without structured, machine-readable
signaling mechanisms. The full technical details of the underlying research
are documented in <xref target="DEEPSEC2025"/>.</t>
      <section anchor="why-protocol-level-representation-helps">
        <name>Why Protocol-Level Representation Helps</name>
        <t>Structured representation of assessment metadata at the protocol level offers
several complementary benefits relative to existing operational approaches.</t>
        <t>First, publicly accessible, machine-readable assessment data creates
reputational and commercial incentives for registrars and domain owners to
adopt and maintain security best practices, analogous to the role of
Certificate Transparency in the TLS ecosystem.</t>
        <t>Second, a standardized RDAP extension enables any registry, registrar,
browser, or security tool to consume assessment metadata through a common
interface, eliminating dependency on proprietary or registry-specific systems.</t>
        <t>Third, protocol-level representation does not replace operational scoring or
enforcement programs. Rather, it provides a standardized channel through
which the outputs of such programs can be expressed and consumed by the
broader ecosystem.</t>
      </section>
    </section>
    <section anchor="design-principles">
      <name>Design Principles</name>
      <t>The following principles guide the design of this extension.</t>
      <dl>
        <dt>Separation of concerns:</dt>
        <dd>
          <t>This document defines the structured assessment envelope and extension points. The governance of who computes scores, the specific scoring methodology, any thresholds applied, and any enforcement actions based on scores belong to the operational and policy layer and are intentionally outside the scope of this document.</t>
        </dd>
        <dt>Envelope, not methodology:</dt>
        <dd>
          <t>The extension standardizes how assessment results are transported and referenced within RDAP. It does not standardize how assessments are performed, what criteria are evaluated, or what thresholds apply.</t>
        </dd>
        <dt>Extensibility:</dt>
        <dd>
          <t>The extension is designed to accommodate additional fields without breaking backward compatibility, consistent with RDAP's existing extensibility model.</t>
        </dd>
        <dt>Interoperability:</dt>
        <dd>
          <t>The extension is not tied to any specific registry, registrar, or policy framework. Any conformant RDAP server may implement it independently.</t>
        </dd>
        <dt>Complementarity:</dt>
        <dd>
          <t>The extension is designed to coexist with and complement <xref target="I-D.loffredo-regext-rdap-verified-contacts"/>, rather than replace or duplicate it.</t>
        </dd>
      </dl>
    </section>
    <section anchor="rdap-extension-data-model">
      <name>RDAP Extension: Data Model</name>
      <section anchor="extension-identifier">
        <name>Extension Identifier</name>
        <t>This extension is identified by the string "reliabilityScoring", to be
registered in the IANA RDAP Extensions Registry (see <xref target="iana"/>). RDAP responses
that include this extension MUST include the extension identifier in the
"rdapConformance" array. Consistent with <xref target="I-D.ietf-regext-rdap-extensions"/>,
the extension identifier contains no underscore character, and the JSON member
defined by this extension is prefixed with the extension identifier.</t>
      </section>
      <section anchor="namespacing-approach">
        <name>Namespacing Approach</name>
        <t>This extension groups all its fields under a single top-level JSON member
named "reliabilityScoring_assessment". The member name is prefixed with the
extension identifier, while its child members (scoreScheme, scoreValue, and so
on) are not individually prefixed. This follows the guidance in Section 2.5.2
of <xref target="I-D.ietf-regext-rdap-extensions"/>, which permits a prefixed container
object whose children need not be prefixed, and avoids the bare extension
identifier pattern disallowed in Section 2.3 of that document. The authors
welcome working group feedback on this approach and on the choice of extension
identifier.</t>
      </section>
      <section anchor="assessment-envelope">
        <name>Assessment Envelope</name>
        <t>The assessment envelope is the JSON object carried by the
"reliabilityScoring_assessment" member. This member MAY appear within entity
objects (objectClassName: "entity") and domain objects
(objectClassName: "domain").
An entity is considered to represent a registrar when its "roles" array
includes the value "registrar" as defined in Section 10.2.4 of <xref target="RFC9083"/>.
Each field within the envelope is individually OPTIONAL, subject to the
constraints stated in the following section. Implementers SHOULD populate only
those fields for which they have authoritative data.</t>
        <t>The envelope carries the result of an external assessment and points to
the methodology used. It does not define the methodology, the criteria, or
the thresholds.</t>
      </section>
      <section anchor="field-definitions">
        <name>Field Definitions</name>
        <t>The fields defined by this extension are described in the following table.
Each field is individually OPTIONAL, subject to the constraints stated after
the table.</t>
        <table>
          <thead>
            <tr>
              <th align="left">Field</th>
              <th align="left">Type</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">scoreScheme</td>
              <td align="left">string (URI or identifier)</td>
              <td align="left">Identifies the scoring methodology used to produce the assessment. When expressed as a URI, it MUST conform to <xref target="RFC3986"/>. The scheme defines the semantics, range, and criteria of the score. Scheme definitions are maintained externally.</td>
            </tr>
            <tr>
              <td align="left">scoreValue</td>
              <td align="left">number</td>
              <td align="left">The non-negative numeric result of the assessment, as defined by the scoreScheme. If scoreMaxValue is present, scoreValue SHOULD NOT exceed scoreMaxValue unless the scoreScheme explicitly defines otherwise.</td>
            </tr>
            <tr>
              <td align="left">scoreMaxValue</td>
              <td align="left">number</td>
              <td align="left">The non-negative maximum possible value under the scoreScheme. Together with scoreValue, helps consumers interpret the numeric result.</td>
            </tr>
            <tr>
              <td align="left">scoreDate</td>
              <td align="left">string (date-time)</td>
              <td align="left">The date and time at which the assessment was last performed, in the format defined in <xref target="RFC3339"/>.</td>
            </tr>
            <tr>
              <td align="left">scoreIssuer</td>
              <td align="left">string</td>
              <td align="left">An opaque identifier for the entity that performed the assessment and issued the score. The format and resolution of this identifier are defined by the scoreScheme; it may be a local name, a URI, or a registered identifier.</td>
            </tr>
            <tr>
              <td align="left">evidenceUri</td>
              <td align="left">string (URI)</td>
              <td align="left">An OPTIONAL URI pointing to supporting documentation, a detailed report, or the full assessment record maintained by the scoreIssuer.</td>
            </tr>
          </tbody>
        </table>
        <t>Implementers MUST NOT infer normative meaning from the illustrative field
values used in the examples in this document or in
<xref target="example-rdap-responses"/>.</t>
        <t>The assessment envelope MUST contain at least one member. If scoreValue or
scoreMaxValue is present, scoreScheme MUST also be present, so that the
numeric result can be interpreted. If scoreValue is present, scoreDate and
scoreIssuer SHOULD also be present. A member for which no value is available
is omitted rather than being included with a null value.</t>
      </section>
      <section anchor="registrar-object-extension">
        <name>Registrar Object Extension</name>
        <t>The following example illustrates how the assessment envelope MAY appear
within an entity object representing a registrar.</t>
        <artwork><![CDATA[
{
  "rdapConformance": [
    "rdap_level_0",
    "reliabilityScoring"
  ],
  "objectClassName": "entity",
  "handle": "REGISTRAR-EXAMPLE",
  "roles": ["registrar"],
  "reliabilityScoring_assessment": {
    "scoreScheme": "urn:example:registrar-security-assessment:v1",
    "scoreValue": 8,
    "scoreMaxValue": 10,
    "scoreDate": "2026-01-15T10:30:00Z",
    "scoreIssuer": "example-assessor",
    "evidenceUri": "https://example-assessor.org/reports/reg-example"
  }
}
]]></artwork>
      </section>
      <section anchor="domain-object-extension">
        <name>Domain Object Extension</name>
        <t>The following example illustrates how the assessment envelope MAY appear
within a domain object.</t>
        <artwork><![CDATA[
{
  "rdapConformance": [
    "rdap_level_0",
    "reliabilityScoring"
  ],
  "objectClassName": "domain",
  "handle": "example.tld",
  "ldhName": "example.tld",
  "reliabilityScoring_assessment": {
    "scoreScheme": "urn:example:domain-security-posture:v2",
    "scoreValue": 7,
    "scoreMaxValue": 10,
    "scoreDate": "2026-02-01T08:00:00Z",
    "scoreIssuer": "example-assessor"
  },
  "events": [
    {
      "eventAction": "registration",
      "eventDate": "2024-01-01T00:00:00Z"
    }
  ]
}
]]></artwork>
      </section>
    </section>
    <section anchor="relationship-to-existing-work">
      <name>Relationship to Existing Work</name>
      <section anchor="relationship-to-draft-loffredo-regext-rdap-verified-contacts">
        <name>Relationship to draft-loffredo-regext-rdap-verified-contacts</name>
        <t>The <xref target="I-D.loffredo-regext-rdap-verified-contacts"/> extension establishes that
contact data associated with a domain or registrar has been verified. The
present extension adds a complementary and orthogonal layer: structured
metadata about the security posture of the registrar and the domain itself.</t>
        <t>The two extensions answer different questions. The verified-contacts extension
addresses which contact fields have been verified and how the verification
was performed. The reliability-scoring extension addresses what the assessed
security posture of the entity managing that domain is. Both are expressible
within the RDAP framework and are designed to coexist within the same RDAP
response.</t>
      </section>
      <section anchor="relationship-to-pir-abuse-intervention-program">
        <name>Relationship to PIR Abuse Intervention Program</name>
        <t>PIR's Abuse Intervention Program (AIP) and Quality Performance Index (QPI)
<xref target="PIR-AIP"/> represent an example of a registry-specific operational
assessment program. This document does not standardize such a program; it
defines a generic RDAP representation that could carry outputs produced by
programs such as PIR/QPI or other assessment frameworks.</t>
        <t>An operational scoring system such as PIR/QPI could, in principle, expose its
outputs through the envelope defined in this document, enabling broader
interoperability without modifying its internal methodology.</t>
      </section>
      <section anchor="relationship-to-rdap-core-specifications">
        <name>Relationship to RDAP Core Specifications</name>
        <t>This extension is designed to be fully conformant with the RDAP core
specifications <xref target="RFC7480"/> <xref target="RFC7481"/> <xref target="RFC9082"/> <xref target="RFC9083"/> <xref target="RFC9224"/>.
It uses the JSON response format defined in <xref target="RFC9083"/>, the extensibility
model provided in <xref target="RFC7480"/>, and the security framework of <xref target="RFC7481"/>.
Query formats follow <xref target="RFC9082"/> and service discovery follows <xref target="RFC9224"/>.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The fields defined in this extension are informational. They do not constitute
enforcement mechanisms and MUST NOT be interpreted as authoritative security
certifications.</t>
      <dl>
        <dt>Score integrity:</dt>
        <dd>
          <t>This document does not define an interface for creating or modifying
assessment metadata. Any administrative or provisioning interface used for
that purpose MUST authenticate and authorize the submitting entity and MUST
provide appropriate integrity and confidentiality protection. Without
authentication of the scoring entity, assessment metadata is susceptible to
manipulation.</t>
        </dd>
        <dt>Gaming and abuse:</dt>
        <dd>
          <t>Any publicly visible scoring system creates incentives for gaming. The
governance framework, which is outside the scope of this document, SHOULD
address verification, audit, and revocation mechanisms.</t>
        </dd>
        <dt>False assurance:</dt>
        <dd>
          <t>Consumers of assessment metadata MUST NOT treat scores as equivalent to
security certifications. A high score value does not guarantee the absence
of vulnerabilities. Consumers SHOULD treat scores as one signal among
many and SHOULD NOT make high-stakes trust decisions based solely on RDAP
assessment fields.</t>
        </dd>
        <dt>Staleness:</dt>
        <dd>
          <t>Scores reflect the state at the time indicated by the "scoreDate" field.
Consumers SHOULD check the freshness of assessment data and SHOULD treat
scores that have not been updated recently with appropriate skepticism.
Implementers MAY define an expiration policy based on the scoreScheme.</t>
        </dd>
        <dt>Scheme trust:</dt>
        <dd>
          <t>The reliability of assessment data depends on the trustworthiness of both
the scoreIssuer and the scoreScheme. Consumers SHOULD establish out-of-band
trust in the scoreIssuer before acting on assessment data.</t>
        </dd>
        <dt>Evidence URI:</dt>
        <dd>
          <t>The resource identified by evidenceUri is maintained by the scoreIssuer
and is outside the control of the RDAP server. Its content may change over
time, may be subject to access control, and may become unavailable.
Consumers SHOULD NOT assume that the evidence resource is publicly
accessible or immutable.</t>
        </dd>
      </dl>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>The fields defined in this extension describe security posture at the
registrar and domain level and are not intended to expose personal data.
They are designed to be compatible with the access control framework defined
in <xref target="RFC7481"/>.</t>
      <t>Implementers MUST ensure that the presence or absence of assessment metadata
does not inadvertently reveal information about the identity of natural
persons. The separation between assessment metadata, which is designed to be publicly
accessible where server policy and applicable access controls permit, and
contact data, which is subject to access control per <xref target="RFC7481"/>, MUST be
maintained in conformant implementations.</t>
      <t>This extension is intended to be compatible with applicable data protection
regulations, including the General Data Protection Regulation <xref target="GDPR"/> and
equivalent frameworks.</t>
      <t>The evidenceUri field, if populated, SHOULD NOT point to resources that expose
personal data or operationally sensitive details beyond what is necessary for
the consumer to understand the assessment result.</t>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This document requests the registration of the following entry in the IANA
RDAP Extensions Registry:</t>
      <dl>
        <dt>Extension identifier:</dt>
        <dd>
          <t>reliabilityScoring</t>
        </dd>
        <dt>Registry operator:</dt>
        <dd>
          <t>Any</t>
        </dd>
        <dt>Published specification:</dt>
        <dd>
          <t>this document</t>
        </dd>
        <dt>Contact:</dt>
        <dd>
          <t>Alessandro Bertoldi (alessandro@bertoldicybersecurity.com)</t>
        </dd>
      </dl>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC3339">
          <front>
            <title>Date and Time on the Internet: Timestamps</title>
            <author fullname="G. Klyne" initials="G." surname="Klyne"/>
            <author fullname="C. Newman" initials="C." surname="Newman"/>
            <date month="July" year="2002"/>
            <abstract>
              <t>This document defines a date and time format for use in Internet protocols that is a profile of the ISO 8601 standard for representation of dates and times using the Gregorian calendar.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3339"/>
          <seriesInfo name="DOI" value="10.17487/RFC3339"/>
        </reference>
        <reference anchor="RFC3986">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="RFC7480">
          <front>
            <title>HTTP Usage in the Registration Data Access Protocol (RDAP)</title>
            <author fullname="A. Newton" initials="A." surname="Newton"/>
            <author fullname="B. Ellacott" initials="B." surname="Ellacott"/>
            <author fullname="N. Kong" initials="N." surname="Kong"/>
            <date month="March" year="2015"/>
            <abstract>
              <t>This document is one of a collection that together describes the Registration Data Access Protocol (RDAP). It describes how RDAP is transported using the Hypertext Transfer Protocol (HTTP). RDAP is a successor protocol to the very old WHOIS protocol. The purpose of this document is to clarify the use of standard HTTP mechanisms for this application.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="95"/>
          <seriesInfo name="RFC" value="7480"/>
          <seriesInfo name="DOI" value="10.17487/RFC7480"/>
        </reference>
        <reference anchor="RFC7481">
          <front>
            <title>Security Services for the Registration Data Access Protocol (RDAP)</title>
            <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
            <author fullname="N. Kong" initials="N." surname="Kong"/>
            <date month="March" year="2015"/>
            <abstract>
              <t>The Registration Data Access Protocol (RDAP) provides "RESTful" web services to retrieve registration metadata from Domain Name and Regional Internet Registries. This document describes information security services, including access control, authentication, authorization, availability, data confidentiality, and data integrity for RDAP.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="95"/>
          <seriesInfo name="RFC" value="7481"/>
          <seriesInfo name="DOI" value="10.17487/RFC7481"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9082">
          <front>
            <title>Registration Data Access Protocol (RDAP) Query Format</title>
            <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
            <author fullname="A. Newton" initials="A." surname="Newton"/>
            <date month="June" year="2021"/>
            <abstract>
              <t>This document describes uniform patterns to construct HTTP URLs that may be used to retrieve registration information from registries (including both Regional Internet Registries (RIRs) and Domain Name Registries (DNRs)) using "RESTful" web access patterns. These uniform patterns define the query syntax for the Registration Data Access Protocol (RDAP). This document obsoletes RFC 7482.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="95"/>
          <seriesInfo name="RFC" value="9082"/>
          <seriesInfo name="DOI" value="10.17487/RFC9082"/>
        </reference>
        <reference anchor="RFC9083">
          <front>
            <title>JSON Responses for the Registration Data Access Protocol (RDAP)</title>
            <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
            <author fullname="A. Newton" initials="A." surname="Newton"/>
            <date month="June" year="2021"/>
            <abstract>
              <t>This document describes JSON data structures representing registration information maintained by Regional Internet Registries (RIRs) and Domain Name Registries (DNRs). These data structures are used to form Registration Data Access Protocol (RDAP) query responses. This document obsoletes RFC 7483.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="95"/>
          <seriesInfo name="RFC" value="9083"/>
          <seriesInfo name="DOI" value="10.17487/RFC9083"/>
        </reference>
        <reference anchor="RFC9224">
          <front>
            <title>Finding the Authoritative Registration Data Access Protocol (RDAP) Service</title>
            <author fullname="M. Blanchet" initials="M." surname="Blanchet"/>
            <date month="March" year="2022"/>
            <abstract>
              <t>This document specifies a method to find which Registration Data Access Protocol (RDAP) server is authoritative to answer queries for a requested scope, such as domain names, IP addresses, or Autonomous System numbers. This document obsoletes RFC 7484.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="95"/>
          <seriesInfo name="RFC" value="9224"/>
          <seriesInfo name="DOI" value="10.17487/RFC9224"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.ietf-regext-rdap-extensions">
          <front>
            <title>RDAP Extensions</title>
            <author fullname="Andy Newton" initials="A." surname="Newton">
              <organization>ICANN</organization>
            </author>
            <author fullname="Jasdip Singh" initials="J." surname="Singh">
              <organization>ARIN</organization>
            </author>
            <author fullname="Tom Harrison" initials="T." surname="Harrison">
              <organization>APNIC</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   This document describes and clarifies the usage of extensions in
   RDAP.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-regext-rdap-extensions-14"/>
        </reference>
        <reference anchor="I-D.loffredo-regext-rdap-verified-contacts">
          <front>
            <title>Registration Data Access Protocol (RDAP) Extension for Verified Contact Information</title>
            <author fullname="Mario Loffredo" initials="M." surname="Loffredo">
              <organization>IIT-CNR/Registro.it</organization>
            </author>
            <author fullname="Maurizio Martinelli" initials="M." surname="Martinelli">
              <organization>IIT-CNR/Registro.it</organization>
            </author>
            <author fullname="James Gould" initials="J." surname="Gould">
              <organization>VeriSign, Inc.</organization>
            </author>
            <author fullname="Paweł Kowalik" initials="P." surname="Kowalik">
              <organization>DENIC eG</organization>
            </author>
            <date day="23" month="February" year="2026"/>
            <abstract>
              <t>   This document describes an extension to the Registration Data Access
   Protocol (RDAP) that allows the inclusion of verification status
   information for contact fields such as email addresses and phone
   numbers.  The goal is to improve data quality and trustworthiness of
   RDAP responses by indicating which pieces of contact data have been
   verified and how.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-loffredo-regext-rdap-verified-contacts-03"/>
        </reference>
        <reference anchor="RFC4033">
          <front>
            <title>DNS Security Introduction and Requirements</title>
            <author fullname="R. Arends" initials="R." surname="Arends"/>
            <author fullname="R. Austein" initials="R." surname="Austein"/>
            <author fullname="M. Larson" initials="M." surname="Larson"/>
            <author fullname="D. Massey" initials="D." surname="Massey"/>
            <author fullname="S. Rose" initials="S." surname="Rose"/>
            <date month="March" year="2005"/>
            <abstract>
              <t>The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. This document introduces these extensions and describes their capabilities and limitations. This document also discusses the services that the DNS security extensions do and do not provide. Last, this document describes the interrelationships between the documents that collectively describe DNSSEC. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4033"/>
          <seriesInfo name="DOI" value="10.17487/RFC4033"/>
        </reference>
        <reference anchor="RFC6376">
          <front>
            <title>DomainKeys Identified Mail (DKIM) Signatures</title>
            <author fullname="D. Crocker" initials="D." role="editor" surname="Crocker"/>
            <author fullname="T. Hansen" initials="T." role="editor" surname="Hansen"/>
            <author fullname="M. Kucherawy" initials="M." role="editor" surname="Kucherawy"/>
            <date month="September" year="2011"/>
            <abstract>
              <t>DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author's organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer's domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.</t>
              <t>This memo obsoletes RFC 4871 and RFC 5672. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="76"/>
          <seriesInfo name="RFC" value="6376"/>
          <seriesInfo name="DOI" value="10.17487/RFC6376"/>
        </reference>
        <reference anchor="RFC7208">
          <front>
            <title>Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1</title>
            <author fullname="S. Kitterman" initials="S." surname="Kitterman"/>
            <date month="April" year="2014"/>
            <abstract>
              <t>Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the "MAIL FROM" of a message or the domain given on the SMTP HELO/EHLO commands. This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby ADministrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization.</t>
              <t>This document obsoletes RFC 4408.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7208"/>
          <seriesInfo name="DOI" value="10.17487/RFC7208"/>
        </reference>
        <reference anchor="RFC7489">
          <front>
            <title>Domain-based Message Authentication, Reporting, and Conformance (DMARC)</title>
            <author fullname="M. Kucherawy" initials="M." role="editor" surname="Kucherawy"/>
            <author fullname="E. Zwicky" initials="E." role="editor" surname="Zwicky"/>
            <date month="March" year="2015"/>
            <abstract>
              <t>Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.</t>
              <t>Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers. These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.</t>
              <t>DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7489"/>
          <seriesInfo name="DOI" value="10.17487/RFC7489"/>
        </reference>
        <reference anchor="ISO27001">
          <front>
            <title>Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements</title>
            <author>
              <organization/>
            </author>
            <date year="2022"/>
          </front>
          <seriesInfo name="ISO/IEC" value="27001:2022"/>
        </reference>
        <reference anchor="ISO27701">
          <front>
            <title>Privacy information management systems -- Requirements and guidelines</title>
            <author>
              <organization/>
            </author>
            <date year="2025"/>
          </front>
          <seriesInfo name="ISO/IEC" value="27701:2025"/>
        </reference>
        <reference anchor="GDPR" target="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679">
          <front>
            <title>Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)</title>
            <author>
              <organization>European Parliament and Council of the European Union</organization>
            </author>
            <date year="2016" month="April"/>
          </front>
        </reference>
        <reference anchor="PIR-AIP" target="https://icann85.sched.com/event/2GwoE/ssac-work-session-pir-abuse-intervention-program">
          <front>
            <title>PIR Abuse Intervention Program and Quality Performance Index</title>
            <author>
              <organization>Public Interest Registry</organization>
            </author>
            <date year="2025"/>
          </front>
        </reference>
        <reference anchor="DEEPSEC2025" target="https://bcsec.io/research/deepsec2025/deepsec2025.pdf">
          <front>
            <title>Forever-Day at Scale: Hijacking Registrars, Defeating 2FA and Spoofing 17,000+ Domains (Even with DMARC p=reject)</title>
            <author initials="A." surname="Bertoldi" fullname="Alessandro Bertoldi">
              <organization/>
            </author>
            <author initials="S. P." surname="Romano" fullname="Simon Pietro Romano">
              <organization/>
            </author>
            <date year="2025"/>
          </front>
          <seriesInfo name="DeepSec" value="Vienna 2025"/>
        </reference>
      </references>
    </references>
    <?line 480?>

<section anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors thank Pawel Kowalik, Mario Loffredo, Maurizio Martinelli,
James Gould, and James Galvin for their early engagement and feedback during
IETF 125.</t>
    </section>
    <section anchor="example-rdap-responses">
      <name>Example RDAP Responses</name>
      <t>The examples in this appendix are provided for illustrative purposes only.
Score values, scheme identifiers, and issuer names are fictional.</t>
      <section anchor="domain-lookup-with-assessment">
        <name>Domain Lookup with Assessment</name>
        <artwork><![CDATA[
{
  "rdapConformance": [
    "rdap_level_0",
    "reliabilityScoring"
  ],
  "objectClassName": "domain",
  "handle": "example.tld",
  "ldhName": "example.tld",
  "reliabilityScoring_assessment": {
    "scoreScheme": "urn:example:domain-security-posture:v2",
    "scoreValue": 9,
    "scoreMaxValue": 10,
    "scoreDate": "2026-01-01T00:00:00Z",
    "scoreIssuer": "example-assessor",
    "evidenceUri": "https://example-assessor.org/reports/example.tld"
  },
  "events": [
    {
      "eventAction": "registration",
      "eventDate": "2024-01-01T00:00:00Z"
    }
  ]
}
]]></artwork>
      </section>
      <section anchor="registrar-entity-lookup-with-assessment">
        <name>Registrar Entity Lookup with Assessment</name>
        <artwork><![CDATA[
{
  "rdapConformance": [
    "rdap_level_0",
    "reliabilityScoring"
  ],
  "objectClassName": "entity",
  "handle": "REGISTRAR-EXAMPLE",
  "roles": ["registrar"],
  "reliabilityScoring_assessment": {
    "scoreScheme": "urn:example:registrar-security-assessment:v1",
    "scoreValue": 10,
    "scoreMaxValue": 10,
    "scoreDate": "2026-01-01T00:00:00Z",
    "scoreIssuer": "example-assessor"
  }
}
]]></artwork>
      </section>
      <section anchor="domain-lookup-without-assessment">
        <name>Domain Lookup without Assessment</name>
        <t>When no assessment metadata is conveyed, the "reliabilityScoring_assessment"
member is omitted. Its absence MUST NOT be interpreted as evidence that the
object has not been assessed. For example:</t>
        <artwork><![CDATA[
{
  "rdapConformance": [
    "rdap_level_0"
  ],
  "objectClassName": "domain",
  "handle": "plain.tld",
  "ldhName": "plain.tld",
  "events": [
    {
      "eventAction": "registration",
      "eventDate": "2025-06-01T00:00:00Z"
    }
  ]
}
]]></artwork>
      </section>
    </section>
    <section anchor="illustrative-scoring-dimensions">
      <name>Illustrative Scoring Dimensions</name>
      <t>This appendix describes possible dimensions that an operational scoring
program might evaluate when producing assessment results to be carried by
the envelope defined in this document. This content is entirely
non-normative. Nothing in this appendix constrains implementers or defines
mandatory evaluation criteria.</t>
      <t>The intent is to demonstrate that the envelope model is expressive enough
to carry results from real-world assessment programs, including those
derived from existing empirical research on registrar security posture
<xref target="DEEPSEC2025"/>.</t>
      <section anchor="possible-registrar-assessment-dimensions">
        <name>Possible Registrar Assessment Dimensions</name>
        <t>An operational program might evaluate registrars across dimensions such as:
the strength of customer identity verification procedures; the adoption
and enforcement of multi-factor authentication for customer-facing and
internal systems; the possession of recognized information security
certifications such as ISO/IEC 27001 <xref target="ISO27001"/> or ISO/IEC 27701
<xref target="ISO27701"/>; the correctness of email authentication configurations
including SPF <xref target="RFC7208"/>, DKIM <xref target="RFC6376"/>, and DMARC <xref target="RFC7489"/> on
registrar-operated domains; the existence of documented security policies;
and the regularity of cybersecurity training programs for staff.</t>
      </section>
      <section anchor="possible-domain-assessment-dimensions">
        <name>Possible Domain Assessment Dimensions</name>
        <t>An operational program might evaluate individual domains across dimensions
such as: the strength of owner identity verification at registration or
renewal; the level of SSL/TLS certificate used; the correctness of SPF,
DKIM, and DMARC configurations; the implementation of DNSSEC <xref target="RFC4033"/>;
and the absence of the domain from monitored abuse blacklists over a
defined observation period.</t>
      </section>
      <section anchor="note-on-existing-operational-programs">
        <name>Note on Existing Operational Programs</name>
        <t>Existing programs such as PIR's Quality Performance Index <xref target="PIR-AIP"/> focus
on observable abuse outcomes and operational metrics within a single registry
context. The assessment dimensions described above focus on structural
security posture. The envelope defined in this document is agnostic to the
methodology and could carry results from either type of program.</t>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1caXMbyZH9Xr+ilvNhpFgABKlzOOFd0ySloa2DQ1Ke8W5s
TDS6C0BZjW64D1IYjfzb92VmVXV1A9Th8REbsREei+ijKisrz5dZPR6PVWOb
3BzpvcvT4wt99q4xRW3LQs/LSl81VZs2bWUyfWlym8xsbpuNPq5rU9crUzT6
pWmSLGmSPZXMZpW58ePsfnxPZWVaJCtMl1XJvBnPTNWUeWbHlVmYd824ypI1
/g7vjuu0rGyxGE8PVJo0ZlFWmyNt3q1V3c5WtiZKm80a452fXT9Tyq6rIw2i
6+ZwOv1meqiSyiRH+ni9zi3ex9O1TgpaTZKPr+3KqNuyeruoynZ9pC/Pnp/9
eK1U3eCRn5K8LDDuxtRqbY+U1k2Zyk+t67JqKjOvw+/NqvezqWza+F9puVon
/qdK2mZZVjTeGP9pbQu8djzRv3Oc4IvCouMcbAMpVdm/W1aLo3BFn2zAxNqk
bQV+8X2zSmx+pJPw+m89m9P42QkI65NxNdEXE31ZrpKijOi4sivIw4U1DSiJ
7jIdbwp7gzFtk3ytM7PILYSmBVn436tkXeL3M5MZ8KPU5+f8mheUN6/OXx3z
FfDLGDDojzbRJ3mC10t9eMC3UhB6RCPlzEviZkbC+nR6cPhoz11pi4bE4rxJ
8h4H6nXF1P62LWyRTGyjVFFWK8jBjaEduHx2cnhw8I3788GDB+HPb54+dn8+
efh02v154P58evDkofvzm+nTw+7PB/7Pw0M8oGwxjyc8H59OwMZ5T9yNV7na
P5KX8zl0ruw9Bi7buTXZOIXIQ55qN9PD6QM/6eMHTwLZh9OnHdm8rvOr14dP
plNeAqRZtP4/+AduekKx015ARronL6w468reJOkG/5aNSfnx8fgjY2jwP1kY
thX1pm7MqsYL0L+/tLbiy7KtNVZnamLXkR/t6vX++dkJ9lqoPpweHsqGw96A
cvrtV/XkjlVdOGptRNmnCeKFLlqbwQ4V5nPoeyL0PRrQ9wg/n59eXO6k7dIs
2lxIunf25j6eP3i8//jJN7qc62Zp9FlblWuTQPGSCvaQCSbC3O0TSH1qczcY
BqGL0a7gsSKB6U5yvcYekuG7tc1SQ6SSKoMx8y+ksBKwsHjBjSWP4z2y6zKl
jA6ZNHpV3gjzMEHdpkt+asSPVQb0gmULN9ApGJqS6OtvHu0/fLx/dqLvPTeF
IZpOaeyLjtyOG/d7PDx4PJ4+FLMRDGewPXexyPFmi5OwVWUhe5FUC7I4e8um
WddH+/umrca5eTcx9GyCf/ZzMCpnZcOw+2ev9q9/vN7/Twj1b07OXpz9ePSA
iLucYsdo1y/OL8fH5xe9nd7DRX08a2sD1WhMdYOBaK1Y9qJKVkzq923CPvLC
VCyiRUoPZ+bdDlHayYOLdgbXJhOYuiFGWtjTze5lwgkWxdNHkzpdmowcwL4h
qvYPn9+WZ/twF+mYHOKYHDZIHa9tNU5oBWMbrWC8lhUQjadnZxdXZydE4k4x
f1bC2JtqfJrAgDT6Kk3o7nf2z0n6lsTO0ZtU9UifmrmBDODq4bNjYo8b42pd
lnO6fPBkNJ1O/12fwqzDY0FxQJHI9enL48sTvf5NZf4Mkbr/ae55q3WHC/60
G94aYst9dmPc5UK3zcqpMesrg0hj74/WFEWiO7uytZuzFGZ2Yst97LxJqnS5
n+FtXKN34r8n62y+p9QYhi6ZEbdTuMLrpa014rGW9QZbui6x7WC7Dh7Jmwm/
SSy+rLrHKdkN1uAyLXN1j6K++3gYe2yKZAae8ZuwCUQcPBa/SyJv3qXLpFgY
tiBdgBlFfSrpAsyVCzA5Hq2CsPBIGYsBs7ie6GtM11GemTkZb52oaI5oXFPc
mBxmAVQi+lss9e3Swpph9Ry/1iTslU6ZG8SYmCasqM3hJ8CzrE0x7gyy7YmD
2wxkjqCjmMBW2XidVORCeZCyQmCAN6B/EIsRXFK6BLFw91gqWKfFW7FgW0cQ
5lzDiGOhtHPxSjlchU23P2O5y/JW76AUYTDC4qTAGFVDjIBuIWKFyYDByUa6
KBt+FVu24YcpaG3x5AQayxE4bcSyzMq8XEBiR8Q2Uy+hDPVIpfD0EGTnBhbw
EFXBlmwOI2HIoAgFlm2pJeeSb3Ru5o0XMGyESFeSKw4zEDjCb+fJxlQTEdyV
zbLcKPUV2TpmPD0vzHCCUMViatJS/DtLFlhTFj35qTWRDYOYK7ZtK5PZhLRR
z0xza2BX3KjlLVyWCByRusjLGTmwV1cUVlRJEK+JunRqqN+/j8zihw96idkQ
TmDtFMGBDARHzFShEPb7ps3JMbL8gwYVrabyXprYbos0R3yMV1MINI0IWjAe
8RySJ5NA0CRalJRnxCzlmJhtID0id7DNxdwuWmEZ72rSdDob1JPmsPXbWiXz
OTlsTJ+TMdJFu6IIkVQ5czbZ8clWjnGsmHCBSNZaEtDkhgRB1eQVMG6akNGp
iLoCrGmLJMsqWmzGGs9inuEHBMSWGQwW9ADS5vXBQl1UZus0L2veA5aHT9or
LfZq5MxEBoqwaS7c//BhpPyPA/yQOxTnxz8e0A9arFxAvE8XbhMm0S4KNjfE
CaSqPDmZglL/8N3r8yt+zzoxxvIjE/X7q9evOmUfDTaMd1L8mP3ZRdrtmpRa
aEn0rcnzsV+VMxIuD18hdcrddiiy9/BmJO+r5K0RI5NgNGRyYoJaWJXGIwFs
BFliO1JD0inBX5fwB5vNVi6yT9mIbQBPzbPcJpvJ0BMFy+0sX+SNSDpB+A3E
XByVN+IgUaVJVW2IxB32D9QlZPecuQnZCRZFa9GDFSjI8xf4mp4FpvGDqe0Z
WomyJWp2hH2rLRZc4jWywLJyXe+0uCqyuORWDOU0qXFOklyqrVeOtLUXc++K
+274W0VEdgYyMylzlD1ACaasKRYXrsBC1NgXXpZ4QiimNaDC6ZoEDtBk7CEb
+EwknzxIzuQl1QbDQqU+P7dlVWKHjJgWS7D1klmL/XePSHZChnVGttqP4Ncv
9qvbIlgV7KOGF4bvMbl4lqM4NghCm8zKttktJi6h6CyzM3bKSYdtapPPwRh4
qWu4FFvQ7m2EUW/hWuELQcfeyzdX13sj+Ve/es1/X559/+b88uyU/r767vjF
i/CHf+Lqu9dvXuC+cn91b568fvny7NWpvIyrenDp5fGf9sRA7L2+uD5//er4
xR4pJ8KLWgXF4yChBD9FScHERrYSsgFfORMz+buTC33wUKweoSdwb/w3QSIf
PqhbWKuRyxrh5OWnhBVrJGEV24Sc7D7MeJKThYP9g+QVemmCAZ+XeV7ekhKQ
Z5booSXRc9Ga7FBkNY6UilDJM2cXjtQRy0PPaHHqKiIczD8COB4uCMyoUxmm
AnusndLS60knGxyWdrYvMj78XCcreFDEZIKh2IB460WWy4aAmeeQIMgSGuFs
VmcNNj2rgcGc3Rg81UkjhXAGgdwS6kgsOS66aITpenN5LsqFq0jJhZJtM7Rx
e1D6yBdzwwpv2VtRwprnC+ZcFAqZD3xZ7TWpZspukrw1IwxmyVRTbiASRD99
bDlx9Mt41kG5eJk42iTB3VUcXDJc25eQwIdzCkQqxwck+39pTcyOOYfstDsc
SInPkezcSAQYrVdy1JAHDJYkfHDBvLiYusxbj88wed3MxMzK9EXSDSdLxwo6
eP48vOeFfOAsCYTG7on8mUqUl0Y8P351rPtgfx3DBrziQFY9UAwxbi/Lxt50
KR3CKriZlb6Cf2GTr/6OsTBFi4MAPwqJnVNICnKgMF1d+AgGwlfc+IwDliRd
FhzvB90lX1KVeYhRhzMjH6gpiylXiKuSt4XMKHyUrGGeIM0JCYNdkE0LuCKx
ZtlC5OMIXkI/iuLhNrDXqaXQQIb9gpheh5hefTSmp/06JjvB8RbCBEr+MVCN
550W7li4rV0MT2AgyQ+yuSOi0IftXqvAZ47gRxQc5KULHl2sH0X1LPk3dwX1
nbmPwnrdhfVkjee5yzwyO58TppakjPwHw+vys2RWE7UDdAEcJxbdmFoU3K4M
vBMBvsj6GifXIgRQP0qw4JXaxYIgNZYwRCMgKchQiPlqiecg1FcXz1wOcTh9
SjnE6R/OX8oVAuZ9uiBAlc8vyH2S1tcUbo8c05OsXAfdgv4TjKp62xoJvDgf
LAb6yUsl1ID8Y7f6bYRBUYbCWO1W7Dhv80hXYI5gXPNgsEGlqfKN2yrWcMVW
q5MHTqV6Og/efvWV/mG5CfnX+AXkKIfV6aFD35l8XcNMx6BQ7wHyqDugoaQJ
6DdHvTkPjkATwtslmr14dGYK6J7PDAijhr8w70gtKErv4AgKW6oS7GPk5Zmt
aqRaawZdwfOEMzuS1h0oTkQqkwnthnmskQ+s2yYMz1u8WpkqJbUfyOnuJMQh
EoipWVL4lneDXWAyI9ldk7rbVAxPAh9etiGigOUjNVEnlAeyYTH6mjOXhNKV
jXcY1y+uumSB3Ch+kLD2U7uh//GpR1JsdkJjalaVt7URjCwQ3ZTYP9Dn045d
2+0ROw+gdZYYVii3iLoFRM7MmswMraRkE7xGlMW733F2M67XyH6wem+1JR+t
sD4vT2ORp4EshqwN13PyArHQ+NgJaWmcpzncHJp2mYCzWLuNE9o+P0ktC8zr
lqskH2K0rG0gQXVIJv2wDFfOOE9zPjDK4HxEQXxPoMS9LYVLP2XUgkpmcEdc
bh1E4utwR4pjTIpgHSGaicOEK0PZltdbUJEiOKslWtmV7zf9QH0XVivwsZcw
iY/FakWgIya7XZYewawlgmJsC+OHzd4Obkcsql2WTZqfW7KejKwUm17KnaQS
gs4S4jPFWzwN2J+XlDBs4Zp6iGvKsFuwKDa39tzFmGsTmBtFsj7BEeQ2WoQP
Bn81PKw7eDjGoSf6PAIsorEHQ8uYIW6mbJ7CNBfM801DMTKhMmwB+P6A+Zsu
4hUnv706G8Ft4DnFBDAJGaMXWWYd61225z3jDIaYi0+zJH17S+VQ7tFo3Cwj
VhmOegSD55V/XXf+YReuptR5B23dTS2xrbGOWshUkMi7ygdOZAKUPkHawpGr
1AubXr1ilcBqez9HxgWxjLOCDbPzJPKCn8PQtORFCxucr/LDfymgU7HNo3Cq
6IwmkuJWmnOgCI2Yon5yciQI7kvisn7/Vb9nYkweYcw78IGjjF0ZkkMYe4uM
UhCfaUnCtBdl8672sTcSXER9YTKl79XGgE0WrvfDh/uTQSVHSaYlucDAfmqG
hrp7vS3qklWXiuwRU068SKRmDwpWJZuJPhkIsmzZR1pQKG69czbeTML4i1IC
Qcl1Q1IxCkE4o9grQ8UBdSfGQtsARzW375yNuXOdEkC+Iux1nTCOeuyisq2t
5V6umiEmCu+c5jO15GDxLoXx5do59ZhQwnazXfv/U2fX9sTdyBuMBu9chdq1
ipFLIhjWwF+ZG6aGnHRZ/kg8yR8ZE2GG1qUqi/tsM8l6UHqCgKFlb+FnnohT
FW8tvpScNDtECMmVa7M4nDyaHBK6/TmC4BDYNQGZDaOnfplOEMCzckbldnK4
tZFFwWfowuAhl5/4l5wbvSltJvTN2An4CVUkZzDFBORQApjQekTdujU8EJdI
eJV3ibwrUhip1a3JYaYMoa1s5lkm9BxEkcGXdhZbh8g+7nFJl6WVGGIXZSKH
O4BGiZV2hSySSYucOWYJ3BfisU8InBMSt8FO8F4e/8njqc45C0bg9gMSJX+c
5BjpFbcg7MkTe/d7mYQ8rnY8Lk/s3Z+oYz86LYZdY8YmEDaxKxXGSCeBvizl
e5Ri1M4aKWfNhCEMkJGyuZf2BGgO1Ti/2wfTyeHkoWaRDYW3iTqjfWPl9gxo
YkSVaxGRmnjUG8rVyiZIgEZZNU3PQGvdJE1n2bvAtxZSEPp410c66zD4UCwh
uBums2QEgY3OnMMaF7RvpPLpaneN5JzkvHw9/yNgMKW9RUA3B/hjBxOrIQBM
aG0/YNuNFEts3FXxkbVwFStEYyL3z5jdpx3+6jKET0DpDtWMSgh99jJk1NvR
z909vWP3kjkWIeTLuOoXR/gv+noD/v5CmQ5oEYTlF/XL0Xg8jv4Pz0fWGI+7
uOAegeTY0c4a3MfN8xgn/SzMfAAhT/QPpC1RykaWFnNxbshRgIv1aAzWAepO
hQ58EmQfxVh6CL1j5P3LQPWJDsxh74TlS/2fWLsk51SMC7MQ0cYd6vqNRLi/
7lGs7zuwbn0+l98vk3cym/jZmt+NiOhqYdRZRI6n/1pbUP/WcHyGK21qERUH
5pUUnt7a2kQLDcN8bK2r5J1dtSsqEwpyeeNmzky1vbDrcmE4EOZgIXb2S8K/
fL5e1V0ZjgfpczSi8ZTMTyenlPyMCeC872jNfC2XLmrBMh2SEJkS6lyA+W/i
pC3oKlcwer0S/+Y6pkkQAyVSWulo+eXvU2IRPDmL5fZLCiufKKtwNY0SJ6oe
6Lwk1JMCu5HXw7IK3k1C/y4e4KUbgm8QaL2pbN9c3BcGePPFZTa21lYQAte6
wViVC2Q8uO9wV4FAub3D8Yzh2V4Kj5VkscLGK5QNITJVz3n5wjO1MFEc65vU
YbiSgujhmgcNY/O8lVaaG2fqFUt3LXbNO953yYqRIVdU7tAdspiFev/ePeFP
eLgUiLHhu0Inb/wY1sRG54bEsyxMCIm8jRAVhdv6hMVwus8DJ3lduvjUPVGK
JFJYMLBeDleLyuLDubemOnVKp2LFcLZqMDUyeh/XdSEDUqwbP3JyA1Fg2B4/
SgTj5OjibHpmaM9cfOWykAQGA6IihUj236HVVr8WLxpS1iHU5zar23zfHHLX
ToVwVLloLAkxowt6e+X0KFgEaX/961/Ve6X1VhZ7pP+bG1/5xk+csP003Ru5
a9tpOm78D93dG0Sze130y7fBsiznq5dnz8+vri+PL8dnPx6/vHhxJg9I2Irp
o/hURv54rH6k3wtxkbTRNG1VHDmeHoURxx70HncjHN0c+PV1woURnsYXvXzj
+sE0vkEyR9MdTg8fj6cH44NH1wfTowfTo+n0v3rDijgyW5xa+sZU/1hk0/bi
NvnB45OyWuyLharx72LsHqCt+KA+8NaS6EnD9j9D7vqZzT9LulyyNJAut5xJ
k2dyK8+WQR6H9369ZAkRnVi5rqWjm8OdMvXkb5CpQ4jV9fQpBOpLZIqEgdfI
hw3qwPn3ruddrh9zlkUDxH28bg7/UETOQxJxImfqyeEnP9A+edEjMNHIuZJ6
adfkdM88iPtDWb11drH/hBxN/DxcUyT4y5DQuEg26G5Tve42MLBMLac1zqR7
4Y4qg3f0wKk7e+D6hVDGPipkKwtGyqUvLqrDqF/TF6eHfXHErOa27Iii+mB9
Cz9GVX2qNzQawWItrQsc5W0xMEJmfLNH7Zym555LSTnj7rFGWjKcRYn7KRSF
vyEGlZl3nEPtczPM7QrQIvDg2V0Mci6Rj6BJWxljWMIjrPd3Je1yFSp43N0c
4RuMH4dKQCgg3QXYu7dqQinpVeXjrslOuf/4cSWlcP/r+mMHmu4dn1/c//ix
Jn3v+4vz+4gH3YEpaEOEIRXBA8S9c1GNtndOoHMIrgA6GVYWd9WppF3Dv0LB
vwodx3pBx9MwjwPqewVf133a5hljNJtQho2OgahQivVdIVjnPpZMKsv5ZezH
uuMR2BDOlLYryK5Fdzgc08EJWijLjlx/Lmmb8rT5WnkPHYsSuV6wPpKiPVfG
pEis7KCmFWpoqxIay30gBPTxY0R2BHzsFjLm7An3I7pNTQKWNCwOxHI9k9Sn
V/kKNQMelJyQqnuDxj39Omrpjzv6Y1wx7uWfqPOGcpwIv/XqszMhjk4FRGUM
10/OBSpf6d86bRDMZbAbnY574FMIn6jv4WQ3jgCP9/eWwxUD6CbB2NRBxV1k
oTDQWyC5xys/5YkDdpO7oT0vL31oLzpcm8jxgg0kivWO8TnbtI1Ru9vVmdqQ
jG53Hvfh0nDgIA0dK67FTTo76eVFV9bcaQocAgpT0/XvUdbFzTnSstHJNrVk
bjegSAU2yVa2sCE1LivZXmKLJGN+9NadZfGtleu2YjWVLLTr3ROMxh/ucA0A
9JWDRmrO4js8w6TtlMRJ6hgwA1xC9SzwrR9z6zoK2R2FA7cT/YMostLDM0ER
QNjNO9rZiWPJztWpWTcMezV0qBGaadfuLC925nmy4oyPlkaeQ/puN10LFbGM
Xh4YPNcsNWyIWvBwEuHonUfNfNmKUuVPtlKMXEpOXBB/PuyybDPb+OPNN6Vj
UdQzp9QzpPPs+9uKKKEFngQI746OtSDyDS3T945A4OkYOlJ2epi52bWq9kVe
H+ulXSzjbuNOxhdtAlIaY+KGSAwGYgaNnpOIVAdODCkivEW6BXWyKlknVtS4
QCyJsFc+REQkjeFs35LVpK9w8NGSOmqUqZFZ59yPxQFJT7/CsZKrhjiAy8TL
K6HENYC6Sj1ri/xgUJPKBSkHyg79ipIXGZea7rfWijQqfSuwGpU6aMrBjoUz
8DF3aF+EKlZoDjOl2olQs11nTEhlUm66cKF7pKP1W1IY8GVFRPVxOSS0nYWC
P7eug8p1gYRuo+3WcIdtMdt9W0d8MGHHuqQ1pPbj8au3lAxYz4kZYha2Wz08
sfNXMa69xd2Q3JAijsv5eCbt8iIZttgadmbmJM2J9PmWxZBgagdyuARhqd0q
67KtUjPo6YhhWaqcfgwh5YMM2dBmuPZwbxGjRhuqqjFSz60VBB77M803PBgJ
5ciDylHRSvpF/cAj17lJT3HBui0C1LdTXknRyNDweSwn/36ZERvqYF1pXaFF
lbHY1ar1hTF4f/+BjL/J+fua3o7jdIKi9vNBl+dI34VPXaShwbWDcwsu+8be
Nygm6tofSx5EhL5ti04S+liwz+IoknILUVHwxRHVDmRcWqk7HkseIO1KUX/5
DsuughG2RZJBGBoxAvQRBG7v7T5E0uXTocO/+2iHch/tcFW+rpXSnzXYMXfk
+QZ8CuIQCcMtHbfyfWPOvPCuyLeSuIG5x8radYKw1PaAimjiO2WdXta9U7XM
6ZlRkWLaIg7vQyNbCPN2tHFFsrNDIKLFsMXrAiASThel9I5V0358+iMlWAl9
2EXCbRU57V5Kdx2pJ1kh1ihMNg9dA9koVm2uDUlbhaiyczDuCwT9D7NQQtnl
ixCxmrgibQWuZ39mNiV2lPEJaj00tCGJpA/K18/JwNCc0tDVhGMUW4e62GBw
v1vfWuj3X3GD2/Acb2UYyfGdDNGJbGdPI9yXPuAUt9Spu1rqjuIzULZ3Bmob
QKVTSK4TT1hVumNfG6X4uyn1kkKSOGWk+70IkVomWdL5ze1Pgeh7n/OdrftK
PmJA/UfExuP0bVHe5iZbyCeQVNS+xCWdt/oiuYWd/EN5i9AdQe3LpLKlfuEg
RvqNwX/GJdyAuzR5bkfq99Qhp58LNkA76S4k+Y0tfNnVVtokFR8YWfgvIdGz
oT8qa5l59EU1fXD4SDb+zAEz7uturn6Hvb+jsOe/UjGoCxJaj1jtnbQH+3yY
KOsVGl2OVHNXzcSld1J3HPmeh273/akqiSL4iDaPj011WWlchHhRlm/btdiH
rpXr/wsFdxYKvvmbik89ZP4fX3yK2fSvqzf0qqxn4tT/pfL2f7vs2Zewf6jo
7S5YRntHwVq8fdy2VZR34SJ89HRj5EzfpxioXPm/K+9LguFjzY8gZCH8D70L
ruBOZaGQlPrKxIS+x+Wt8tEXy+CXW7Z1Tgfed9m1wZ2/q6o+Gk8ff0Zp8Dx2
Of47R6dI3VzQgcAmeiJ8izQLT/iYJ3g1nxLVXS9Y97RsUbIT5/eFA72yi2UT
zsZIK60UGO74tIkLfENPsfosqN+VSnwGS2E1LAWkdKO4tc03BE30q5LwgMW2
Bw/Nl3UXqTPkVfmOOoT29A2Zstr4BfHRVX+iX0IEGyig0qtZyahNnOH6xQiK
zimAlMdu6CYfjqPKFxdlPFu4gamiz7wiGs97x8l8jaYf9lOETR8q5UPK9HJ3
2me1thUfhvVHXnvfktpKf9XO468XXiA6BxE1kndSt1UJukMy4qOhaYXBY0lz
5aIjJXBZhVAP3oeO4UGcS4r4d54ql3PqiP9M/a1kAe4ksnxBKoLwMdQKfLbj
OUJjyor7GDIj6m4qesRBwCrUidxhS5mFdEU+OKj5wztpuSj4CKTd8UXRAfgf
KmPue5yavxZKFXn3uVPkaCCmu/tkeqDc3Sd091sH9fApa497fcbHslQnPMOT
3/pzT35LGur8ouy58UCJ4w1LoQccolPWkdBRHys2TPnUTTLbygEK/W+4ssLK
aU5XqKStQto3nw/E1HnAXyWjXRd393mwoawqL6t6KKt8zPkOQeXPlMUpZQVO
FgbJkrDNHwHXV1cv9ukAcxodcqaKzM5tx0bKsf14w/rbLu/1oQl69fTVFRRe
dpc+yQvBChsSQUZRUwQbGZg7C/0xrjqiZzkyMCSmdLqXgJkkHJ8qZ4TVODXl
7ya4U1ElHz7o+lpeR/viKvM1Zc3u9q4K9df1Ryr2ca1+DgGsFa1YqGGUiAlH
eEQQplT0YtFAUFTRF19Cg5Y7g+WL+4wkmXf+CE+E+HbmrDs9kMxK6kMlMrR8
5MR9oG6r52LS/8bOXY6Q+ysXRcnfw3CHQuLufSmjdUX/nn8xVnowN1Ja8m0I
6n8BzmDsY1ddAAA=

-->

</rfc>
