Internet-Draft Erik Synchronization Protocol for RPKI September 2025
Snijders, et al. Expires 29 March 2026 [Page]
Workgroup:
SIDROPS
Published:
Intended Status:
Standards Track
Expires:
Authors:
J. Snijders
T. Bruijnzeels
RIPE NCC
T. Harrison
APNIC
W. Ohgai
JPNIC

The Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI)

Abstract

This document specifies the Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI). Erik Synchronization can be characterized as a data replication system using Merkle trees, a content-addressable naming scheme, concurrency control using monotonically increasing sequence numbers, and HTTP transport. Relying Parties can combine information retrieved via Erik Synchronization with other RPKI transport protocols. The protocol's design is intended to be efficient, fast, and easy to implement.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 29 March 2026.

Table of Contents

1. Introduction

This document specifies the Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI) [RFC6480]. Erik Synchronization can be characterized as a data replication system using Merkle Trees [M1987], a content-addressable naming scheme [RFC6920], concurrency control using monotonically increasing sequence numbers [RFC0677], and HTTP transport [RFC9110]. Relying Parties can combine information retrieved via Erik Synchronization with other RPKI transport protocols ([RFC5781] and [RFC8182]). The protocol's design is intended to be efficient, fast, and easy to implement [RFC1925].

The notion of cache-to-cache data replication was documented in Section 3 of [RFC7115].

Validated caches may also be created and maintained from other validated caches. Network operators SHOULD take maximum advantage of this feature to minimize load on the global distributed RPKI database. Of course, the recipient relying parties should re-validate the data.

— RFC7115, section 3

Historic records show that experiments have been performed in this space using, for example, peer-to-peer file sharing technology (see [P2P]), but no standardised and widely-deployed mechanism for cache-to-cache replication emerged since then. The authors hope that the Erik Synchronization protocol might be suitable to fill this gap and help reduce load on the global RPKI.

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

1.3. Glossary

This section describes the terminology and abbreviations used in this document. Though the definitions might not be clear on a first read, later on the terms will be introduce with more detail.

Erik relay
An intermediate between CA publication repositories and Relying Parties.
FQDN
The fully qualified domain name of a RPKI repository instance referenced in an end-entity certificate's Subject Information Access (SIA) extension's id-ad-signedObject accessDescription.
Hash
A message digest calculated for an object using the SHA-256 algorithm.
ErikIndex
An ordered listing of Partition identifiers and associated ErikPartition objects' hashes.
ErikPartition
An ordered listing of the manifest objects' hashes, manifestNumber values, thisUpdate values, and their certificates' SIA extension values.

2. Informal Overview

In this synchronization protocol Merkle trees are used to determine whether differences exist between client and relay. Merkle trees are hierarchical data structures: the hash value of each node is computed recursively by hashing the concatenated hash values of the node's children. The hash of the ErikIndex represents the entire dataset related to a given FQDN. If the ErikIndex hash is not the same between two replicas, the relay provides the client with hashes of smaller and smaller portions of the to-be-replicated dataset until the exact list of out-of-sync or missing objects is identified. Sequence numbers are then used to determine whether these differences are relevant enough for the client to fetch. All data is fetched using addresses derived from hashes (except for ErikIndex objects). This approach reduces unnecessary data transfer between caches which contain mostly similar data.

The client starts by querying an Erik relay for the relay's current ErikIndex for a given FQDN. If the ErikIndex is different compared to the previous run (or compared to the Index calculated from the locally cached objects). With the ErikIndex in hand, the client can determine which ErikParitions are missing and fetch accordingly. The client then can compare the manifestNumber sequence number and thisUpdate for each manifest listed in the ErikPartition, and proceed to fetch (purportedly) newer versions of manifests of interest. Whenever a relay has manifests with a lower sequence number on offer, the client can ignore those. The client now has sufficient information to proceed to fetch any missing Certificates, Signed objects, and CRLs. With the information contained within manifests, clients can fetch addressed by content (by hash) and store by name (or some other scheme).

3. Erik Synchronization Data Structure Definitions

In this synchronization protocol the signal layer makes use of DER-encoded messages [X.690].

Design note: DER encoding was selected for its canonical properities and because RPKI cache implementations already support ASN.1 encoding.


RpkiErikSynchronization-2025
  { iso(1) member-body(2) us(840) rsadsi(113549)
    pkcs(1) pkcs9(9) smime(16) mod(0)
    id-mod-rpkiErikSynchronization-2025(TBD) }

DEFINITIONS EXPLICIT TAGS ::=
BEGIN

IMPORTS
  CONTENT-TYPE, Digest, DigestAlgorithmIdentifier
  FROM CryptographicMessageSyntax-2010 -- in [RFC6268]
  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
    pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

  AccessDescription, KeyIdentifier
  FROM PKIX1Implicit88 -- in [RFC5280]
  { iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) }
;

ct-rpkiErikIndex CONTENT-TYPE ::=
  { TYPE ErikIndex IDENTIFIED BY id-ct-rpkiErikIndex }

id-ct-rpkiErikIndex OBJECT IDENTIFIER ::=
  { iso(1) identified-organization(3) dod(6) internet(1) private(4)
    enterprise(1) snijders(41948) erikindex(826) }

ErikIndex ::= SEQUENCE {
  version [0]      INTEGER DEFAULT 0,
  indexScope       IA5String,
  indexTime        GeneralizedTime,
  hashAlg          DigestAlgorithmIdentifier,
  partitionList    SEQUENCE SIZE (1..ub-Partitions) OF PartitionRef }

ub-Partitions INTEGER ::= 1024

PartitionRef ::= SEQUENCE {
  identifier       INTEGER (1..ub-Partitions),
  hash             Digest,
  size             INTEGER (100..MAX) }

ct-rpkiErikPartition CONTENT-TYPE ::=
  { TYPE ErikPartition IDENTIFIED BY id-ct-rpkiErikPartition }

id-ct-rpkiErikPartition OBJECT IDENTIFIER ::=
  { iso(1) identified-organization(3) dod(6) internet(1) private(4)
    enterprise(1) snijders(41948) erikpartition(827) }

ErikPartition ::= SEQUENCE {
  version [0]      INTEGER DEFAULT 0,
  partitionTime    GeneralizedTime,
  hashAlg          DigestAlgorithmIdentifier,
  manifestList     SEQUENCE SIZE (1..MAX) OF ManifestRef }

ManifestRef ::= SEQUENCE {
  hash             Digest,
  size             INTEGER (1000..MAX),
  aki              KeyIdentifier,
  manifestNumber   INTEGER (0..MAX),
  thisUpdate       GeneralizedTime,
  location         SEQUENCE SIZE (1..MAX) OF AccessDescription }
END

3.1. ErikIndex

An ErikIndex represents all current manifest objects available under a given FQDN and thus the complete state of the repository as it is known to the relay.

3.1.1. The version field

The version number of the ErikIndex object MUST be 0.

3.1.2. The indexScope field

The indexScope field contains the fully qualified domain name of the Signed Object location of the manifests referenced through this particular ErikIndex. The FQDN MUST be in the "preferred name syntax", as specified by Section 3.5 of [RFC1034] and modified by Section 2.1 of [RFC1123].

3.1.3. The indexTime field

The indexTime is the most recent partitionTime value among the ErikPartitions referenced from this ErikIndex. The field's value roughly indicates when the ErikIndex was generated and can be used for troubleshooting and measurement purposes.

For the purposes of this profile, GeneralizedTime values MUST be expressed UTC (Zulu) and MUST include seconds (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. GeneralizedTime values MUST NOT include fractional seconds. See Section 4.1.2.5.2 of [RFC5280].

Design note: using the most recent partitionTime, rather than the local system's notion of "now", helps reduce churn in distributed systems.

3.1.4. The hashAlg field

This field contains the OID of the hash algorithm used to hash the ErikPartitions. The hash algorithm used MUST conform to the RPKI Algorithms and Key Size Profile specification [RFC7935].

3.1.5. The partitionList field

This field is a sequence of PartitionRef instances. There is one PartitionRef for each current ErikPartition. Each PartitionRef is a 3-tuple consisting of the partition identifier, the hash of the partition object, and the size of the partition object.

Information elements are unique with respect to one another and sorted in ascending order of the partition identifier.

3.2. ErikPartition

An ErikPartition represents a subset of manifest objects available under a given FQDN. Each ErikPartition is an ordered listing of the manifest objects' hashes, manifestNumber values, thisUpdate values, and their end-entity certificates' SIA extension values.

3.2.1. The version field

The version number of the ErikPartition object MUST be 0.

3.2.2. The partitionTime field

The partitionTime is the most recent thisUpdate value among the manifests contained within this ErikPartition. The field's value roughly indicates when the ErikPartition was generated and can be used for troubleshooting and measurement purposes.

For the purposes of this profile, GeneralizedTime values MUST be expressed UTC (Zulu) and MUST include seconds (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. GeneralizedTime values MUST NOT include fractional seconds. See Section 4.1.2.5.2 of [RFC5280].

Design note: using the most recent manifest thisUpdate value, rather than the local system's notion of "now", helps reduce churn in distributed systems.

3.2.3. The hashAlg field

This field contains the OID of the hash algorithm used to hash the manifest objects referenced in this ErikPartition. The hash algorithm used MUST conform to the RPKI Algorithms and Key Size Profile specification [RFC7935].

3.2.4. The manifestList field

This field is a sequence of ManifestRef instances. There is one ManifestRef for each current manifest. A manifest is nominally current until the time specified in nextUpdate or until a manifest is issued with a greater manifestNumber, whichever comes first (see Section 4.2.1 of [RFC9286]).

A ManifestRef is a 4-tuple consisting of the hash of the manifest object, the size of the manifest object, the manifest issuer's key identifier, the manifestNumber, and the thisUpdate contained within the object, and a sequence of AccessDescription instances from the manifest's End-Entity certificate's Subject Information Access extension.

Information elements are unique with respect to one another and sorted in ascending order of the hash.

4. Client-side Processing

A client can decide whether or not to fetch ErikIndex and ErikPartition objects, by comparing the hash to previous fetches.

A client can decide whether or not to fetch a given manifest object, by comparing the manifestNumber and thisUpdate with what's locally cached and what's offered by the remote relay.

A client can compute which products listed in the manifest's fileList need to be fetched from the relay.

As there is no concept of 'sessions' (like in RRDP), clients can interchangably use different Erik relay. When one Erik relay generates a HTTP error, the client can try fetching the requested object from another Erik relay.

5. Querying an Erik Relay

5.1. Fetching objects by hash

This specification uses "Named Information" identifiers mapped to .well-known HTTP/HTTPS URLs for object retrieval, as described in [RFC6920].

For example, issuance #54 of ripe-ncc-ta.mft has the following SHA256 digest: c2d0427bc5a32c42eea1ab5663d592b1fc29c7d4ef16ab0b5e1d631d039dcc21.

To fetch the aforementioned object from an relay hosted at relay.example.net, a client would access the following HTTP URL: https://relay.example.net/.well-known/ni/sha-256/wtBCe8WjLELuoatWY9WSsfwpx9TvFqsLXh1jHQOdzCE

5.2. Fetching ErikIndex objects

The URIs to fetch ErikIndex objects can be constructed using the following Well-Known URI template with the erik keyword as suffix and the IndexScope as parameter: https://{relay_host}/.well-known/erik/{indexScope}.

For example, the URI to fetch an ErikIndex for the rpki.ripe.net indexScope from a relay at relay.example.net would be: https://relay.example.net/.well-known/erik/rpki.ripe.net.

6. Transport Error Detection and Handling

The client MUST calculate the hash of fetched objects and verify it is the same as the expected hash (which is embedded in the name through which the object was retrieved). If there is a hash mismatch, the client may try fetching the object from a different Erik relay or treat this as a failed fetch (see Section 6.6 of [RFC9286]).

7. Setting Up an Erik Relay

Erik relays can be operated by third parties, without permission from or coordination with publication point operators or CAs.

Relays generate ErikIndexes and ErikPartitions derived from their current validation state, the client then cherry-picks which objects (if any) it wishes to fetch. Relays fetch fresh data from other relays or from CA-designated publication points.

Design notes: a decision must be made a deterministic "manifest-to-partition" assignment scheme. Job's proof-of-concept relay (see Appendix A) uses the first few octets of the the Manifest's AKI as a stable partition assignment scheme. Other strategies could be to assign manifests to ErikPartitions based on the "hour-of-day" of the CMS signing timestamp, or the first few octets of the SHA-256 of the manifest object.

8. Comparison with other RPKI transport protocols

Ignoring obvious "on the wire format" differences between Erik, Rsync, and RRDP; there are a number of key design differences between the protocols. Rsync and RRDP can be described as "general purpose" synchronisation protocols, while the Erik protocol design is RPKI-specific. In the Erik protocol, manifest objects (which RPs require for validation anyway) are an integral part of the signaling layer.

8.1. Comparison with Rsync

In Rsync, the server and the client construct and transfer a full listing of all available objects, and then transfer objects as necessary. In effect, this allows clients to 'jump' to the latest repository state, regardless of the state of the local cache.

A major downside of Rsync is that the list of files itself can become a burden to transfer. As of June 2025, in order to merely establish whether a client is synchronized or not with the RIPE NCC repository at rpki.ripe.net, as much as 5.8 megabytes of data are exchanged without exchanging any RPKI data.

When synchronizing once an hour, Rsync generally consumes less network traffic than RRDP.

8.2. Comparison with RRDP

The key concept in RRDP is that the client downloads a "journal", containing all add/update/delete operations and replays this journal to arrive at the current repository state.

A major downside of RRDP is that (depending on the RRDP polling interval) clients end up downloading data which has become outdated. Imagine a hypothetical CA which issues and revokes a ROA every 10 minutes and a client that synchronizes every 60 minutes; in effect the client must fetch 5 outdated states, wasting bandwidth.

When synchronizing every 15 minutes, RRDP generally consumes less network traffic than Rsync.

8.2.1. Garbage Collection

In contrast to RRDP, the Erik protocol has no concept of server-specific "stateful" sessions that persist across polling attempts. This obviates the need for withdraw instructions as part of the protocol exchange: clients can simply delete objects that are no longer referenced from their current validation state and refetch them later on if needed.

9. Open Questions

This section is to be removed before publishing as an RFC.

10. Operational Considerations

As of July 2025, the global Internet's RPKI churn rate appears to be 2 new objects per second. The ecosystem is estimated to be composed of ~ 5000 RPKI cache instances and ~ 50 repository servers. Assuming 10 minute fetching intervals and 150 metadata requests per synchronization run (for exchange of Merkle tree data), an Erik relay serving all the Internet's RPKI cache instances would probably need to be able to sustain serving an average of at least 11,000 HTTP requests per second. This order of magnitude in terms of scaling requirements can easily be handled by a single commodity server.

11. Security Considerations

This document makes no changes to RPKI certificate validation procedures.

See Section 5 of [RFC8182] for applicable security considerations.

12. IANA Considerations

12.1. S/MIME Module Identifier

The IANA is requested to add an item to the "SMI Security for S/MIME Module Identifier" registry as follows:


Decimal  Description                           References
--------------------------------------------------------------
    TDB  id-mod-rpkiErikSynchronization-2025   [this-draft]

12.2. OIDs for Content Types

For the current proof-of-concept phase the id-ct-rpkiErikIndex and id-ct-rpkiErikPartition OIDs were assigned from a PEN arc. This section will be updated once it is clear which IANA-managed registries would be best suited for OID assignment for these object identifiers.

12.3. Well-Known URI

An URI Suffix in the Well-Known URIs registry specific to Erik synchronization will be requested. See https://github.com/protocol-registries/well-known-uris/issues/67 for the request.

The proposed suffix is erik.

13. References

13.1. Normative References

[RFC1034]
Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, , <https://www.rfc-editor.org/info/rfc1034>.
[RFC1123]
Braden, R., Ed., "Requirements for Internet Hosts - Application and Support", STD 3, RFC 1123, DOI 10.17487/RFC1123, , <https://www.rfc-editor.org/info/rfc1123>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC5280]
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, , <https://www.rfc-editor.org/info/rfc5280>.
[RFC6920]
Farrell, S., Kutscher, D., Dannewitz, C., Ohlman, B., Keranen, A., and P. Hallam-Baker, "Naming Things with Hashes", RFC 6920, DOI 10.17487/RFC6920, , <https://www.rfc-editor.org/info/rfc6920>.
[RFC7935]
Huston, G. and G. Michaelson, Ed., "The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure", RFC 7935, DOI 10.17487/RFC7935, , <https://www.rfc-editor.org/info/rfc7935>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC9110]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, DOI 10.17487/RFC9110, , <https://www.rfc-editor.org/info/rfc9110>.
[RFC9286]
Austein, R., Huston, G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure (RPKI)", RFC 9286, DOI 10.17487/RFC9286, , <https://www.rfc-editor.org/info/rfc9286>.
[X.690]
ITU-T, "Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021, , <https://www.itu.int/rec/T-REC-X.690-202102-I/en>.

13.2. Informative References

[M1987]
Merkle, R., "A Digital Signature Based on a Conventional Encryption Function", Advances in Cryptology -- CRYPTO '87 Proceedings, Lecture Notes in Computer Science, Vol. 293, DOI 10.1007/3-540-48184-2_32, , <https://doi.org/10.1007/3-540-48184-2_32>.
[P2P]
Austein, R., Bush, R., Elkins, M., and L. Johansson, "RPKI Over Bittorrent", , <https://www.ietf.org/proceedings/83/slides/slides-83-sidr-9.pdf>.
[RFC0677]
Johnson, P. and R. Thomas, "Maintenance of duplicate databases", RFC 677, DOI 10.17487/RFC0677, , <https://www.rfc-editor.org/info/rfc677>.
[RFC1925]
Callon, R., "The Twelve Networking Truths", RFC 1925, DOI 10.17487/RFC1925, , <https://www.rfc-editor.org/info/rfc1925>.
[RFC5781]
Weiler, S., Ward, D., and R. Housley, "The rsync URI Scheme", RFC 5781, DOI 10.17487/RFC5781, , <https://www.rfc-editor.org/info/rfc5781>.
[RFC6480]
Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, , <https://www.rfc-editor.org/info/rfc6480>.
[RFC7115]
Bush, R., "Origin Validation Operation Based on the Resource Public Key Infrastructure (RPKI)", BCP 185, RFC 7115, DOI 10.17487/RFC7115, , <https://www.rfc-editor.org/info/rfc7115>.
[RFC8182]
Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein, "The RPKI Repository Delta Protocol (RRDP)", RFC 8182, DOI 10.17487/RFC8182, , <https://www.rfc-editor.org/info/rfc8182>.
[rpkitouch]
Snijders, J., "rpkitouch", , <https://www.github.com/job/rpkitouch>.

Appendix A. Implementation status

This section is to be removed before publishing as an RFC.

This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.

According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".

A few experimental Erik relays are available, each running on slightly different schedules. Client implementers are encouraged to round-robin between these instances to observe results.

http://aws.rpki-servers.org/
Dublin, Ireland, - distributed computing cluster (6 machines, NFS backend)
http://atl.rpki-servers.org/
Atlanta, USA, - distributed computing cluster (2 machines, NFS backend)
http://miso.sobornost.net/
Amsterdam, NL, single node
http://nyc1.digitalocean.rpkiviews.org/
New York, USA, - single node

An experimental Erik static content generator was developed by Job Snijders in the form of [rpkitouch] using C.

Appendix B. Example objects

Included in this section are an ErikIndex for rpki.ripe.net and an ErikPartition referenced from the aforementioned ErikIndex, both Base64 encoded.

B.1. Example ErikIndex

This object was retrieved from http://miso.sobornost.net/.well-known/erik/rpki.ripe.net.

MIIrxwYKKwYBBAGCx1yGOqCCK7cEgiuzMIIrrxYNcnBraS5yaXBlLm5ldBgPMjAyNTA5MjMw
NzQzMjRaBglghkgBZQMEAgEwgiuAMCkCAQAEIMQZXNoo1VHt7ExBd0EM0uv+/oqftDzHqo3m
KNRkIPj8AgI7/zApAgEBBCAoNYzf0h4GMfXQgF6r+ZBZtQCpIMjA+Hjo/MximoIk5AICRZAw
KQIBAgQgOf7md8O+smDgtzzFzZWJr2nsPRTevG3zO6or479L/gACAj2VMCkCAQMEIMNDymEH
tI02zXKe3S3iRy1o9wNJ7d67xd6/X6qIpYTuAgJGWzApAgEEBCB9S1ZqZS7oRGL4flxkG1zW
85irPg8RC6ACjrMU5LdPqgICPZYwKQIBBQQgWChTaYoMduMdh0l/2M15X42Fha3lscqvjSoR
Sq1BA5MCAky6MCkCAQYEIDluxOgSRpTAgyuRKrZ59hRRvSmN64rqWFwyi3q7MO4HAgI/+zAp
AgEHBCDF+bRH/b3ZLAeGkHFZ+fXqjYdw3XhoEssgA2GQF6ucJAICR/QwKQIBCAQgpbf75mXQ
vks5nE1JkMcAiQ6JrV886N5HjM/fOvPr2WkCAki9MCkCAQkEIBQSg0aKaex+jJuJ/V50d2Jt
2Ml+yHiNZgh4QZhrIOFEAgJJiTApAgEKBCA58F26WIwAkHsp70tCBzFlLIgFAVFpgrQGp92z
uzwT5AICOAMwKQIBCwQgPu7gxZWUyYwG9Vb6VDJZEQr8EkVi8vF+ZMmyZXjHg6wCAkZbMCkC
AQwEIJjrocdQZxfxV5uLc2F4IwHgRhfeleB/rFwwNSe/yL42AgI5mzApAgENBCA+UHxU3nBN
xFHoIcSfy0ysoO0niOQy9+CplPZWcF9ESQICSlYwKQIBDgQgw8Z/uL9p7y7Rj/u2qeK8BJgF
4Ehn3XF6CI2XWsl9LgUCAkMsMCkCAQ8EIC/TzbiXWkH8Yh2mP8iodVK7X1GO9QeSsTO/5Qek
CeaUAgI8zDApAgEQBCDVpNTqAs38MWvEqlDzJ1TFckJ9CVgYmt6FSFSQ42xygAICQMYwKQIB
EQQgOZeS+kJLCc4PvMVb4lk36n7cxbtefYYg/94q/UmpXacCAkWPMCkCARIEIMQ/ozLa/Pjn
RU7q6BdUaQTdiPcapM7R3nZ8BGBtB6kYAgI/MDApAgETBCAHDUEkVfsUAOXfLipmGKrVE/VI
NzGXRmv2cn2eaH/qtQICQyswKQIBFAQgft7T086QzTfzkdIA4mbDWnNTHvfR9cv7Qkf6qSWp
iEsCAjDWMCkCARUEIFJgtg1gsk63fKXzOOAWpXOF4dTJal6+Kj8EGaVg1xcEAgJD+DApAgEW
BCDXPJFNnFRND7Tt38BcKhSjmyhesDE6JQvozfXV2qWj+gICSlYwKQIBFwQgIPAqhHGmrcdE
SBvsFxOAUMWU0c7FnxaVomXjUGDvHWgCAk/nMCkCARgEIEwrNbh0U2GXmOBcdXXG/Zq+tRYq
OOhOVkgMjWktHYxUAgI0BzApAgEZBCAGJ6OlmtTISMftkbnawVG6o6AD648aLZeXGgb/nSn1
LQICSlgwKQIBGgQgbPQOuOGKA92uXYX+jGOay7rU3CWee7y4+7JgcMyE2AECAk2IMCkCARsE
IDx6NSUB07GVhDfDaAKg85VA1syyVuuPe+eH1+FysJnXAgJD+DApAgEcBCAXh9E7r1iTkXXU
X8jdIvbh0A4nrYlNtQ86zT0DbmYS0AICS+4wKQIBHQQg48JuqRvkZAgHgfzYOZg5meIZ/AxK
MExy7maWh499kFwCAkMsMCkCAR4EIFReiG1PQYEn2NqKd/V9BHKJKyHjCRLnviEl2sKqs0Wy
AgJHJzApAgEfBCDwm7LyCy/LF2CBQLBm/HI+leFRcwPi9+QSN/Uo4uNAYQICRycwKQIBIAQg
EGsvGiA5MU8RmJ3UPnpTrzg5edaDZjaOIjjJxJ1FiRECAkZaMCkCASEEIAE1i5NaZGpClrxR
IhTRBmNSNyLNnlNeFq/hZbjeGIRrAgI4ATApAgEiBCCvjQN8pjyQdwv4npj5yKleFGb228Oj
MNCgchn/TgCj6QICOZswKQIBIwQgy8lv2EvCBuW5PEe5WF9Mgv/tY3zMUaGM2YIJjAW/Y4kC
Aky4MCkCASQEIK8S9WY8uEH+o13ywoyrI1aAZEVHMLmY7qQZPoePLagPAgI8zDApAgElBCBI
b3IEFsxamFjwc0Mb6SErStl9vycM+ks917jbexU+ewICPzAwKQIBJgQgRUf0S817BPFYDGHR
f8Ypk/PhqmnSLzrlO3atfj/6thgCAkJgMCkCAScEIP/gBrFfzcCAt5FTNm+kEX50gGvpXcNV
4c+UsIYkuJzEAgJOVDApAgEoBCB2HaaEs07TKd8Sa+dPd74VLxQIyKoLLYjjda21x89PPwIC
PMswKQIBKQQg0rKzmpODTukXeU4rb9WPX2RUPPgNcLoMTfynBiCf0s0CAlWAMCkCASoEIB2U
82jsoBByaKImCjYPgMosPq7kebkZYTnM7VGVx40PAgI7DDApAgErBCCn4mFQ8D9ZyZhEkOT3
g2UqG2/iN/aIGUas65A9NqhohgICOzIwKQIBLAQg3SuXjf7EBPmHbz5dAzBe28SCOPnonS8+
jS3B3kSHDPgCAjmcMCkCAS0EIK4vPdPDJ3rJl5keYW1aQncvIogHGtW3AhjGmiUwHODFAgI2
azApAgEuBCABO4uMPvD4uVPNdmIWYq9jfTr/ZfeWOG7jqDgSsHIARgICRY0wKQIBLwQg2yRc
rxYv0gYnSd8oH0rH9yzo5F6CQnEZ4AK659+CZwECAk2GMCkCATAEIHyIJjOmb1X7tpQ+hhvG
rSL7Gub/Ati/ZiK12pM6CxFpAgJGXDApAgExBCDaeWd7ItQNpvvH4Wi/6NJmesMcLwmJyYOF
XgDOEQ/adwICOzMwKQIBMgQgf4PqCNiyzaVwZALeZSZSo6jKqTY9j9PjTerq7ChU/fECAkjA
MCkCATMEIH5zpoCHWQfrqijk87T0LYoNyWFDPIcvGSMJTs4VDDyKAgI7MzApAgE0BCAirpuD
iutSDpC2o36up5TcENBmn+QBCq7iqUv/LZUfMAICSlgwKQIBNQQg//kB5S436tznJCDNt1/v
jJjliHfdN5bkwEXajoYP1sACAjzMMCkCATYEIPsflQxbdluw4f8w9Vf1Ptbc3dURvkApzeOn
aJ7lY6suAgJKVzApAgE3BCAoiXuOwRBpkz3DEGrMwRsXNfiPS2mRjyk7M2TSSNmgWwICPmMw
KQIBOAQgiMm+9YwiHo3zFWW9MyxUNG7zFN2djCMWZ7Te9MqauAsCAkcnMCkCATkEIOjc0lLT
1Fyc6jMtezlsVnP5l8j/DLbdk2jD8B27GYdpAgJCYDApAgE6BCBXPaUC3JNUr0lT+7XDu89F
v5KUDUeGNGFZkUZVMt+b1QICRMIwKQIBOwQgDU5QaUAeD/kOyh94j30C1xbM/GfBNnlxKrAJ
QwQ22r0CAj/8MCkCATwEIOBYxCoKbHIfuOXXYKV+x5vtRwdSWlgEVdOso7nHIVjGAgI5nDAp
AgE9BCCyhZlF4N1pdQbYiZ35JGqt7kFgPfADwZs/pL231D1KDAICOzMwKQIBPgQgvQyEeAbx
WWhkAdp59KTMk6DHq0lscxqRvxbf/urHC1sCAkpWMCkCAT8EIO9O3XHgxVAThAWuhNWcpWwY
J4sRtchwHB/SVkBTqn9eAgI3ODApAgFABCD5c8CSzCIVL/SOHxLBTJpxcfqDXKhJmF58sO0x
xU30kQICSYwwKQIBQQQgKbyx6u9nWR8mpvFBDHGutbNqCa22wkNPa3WYmBXP7M8CAkjAMCkC
AUIEIKUMi0hOCEio3qemMf7BVbdtDv1MjKazMXa6rVUaaRVqAgJExDApAgFDBCCfY0q2Ggwe
cwkj1txl1+P1HRWJw5x6wCVtdssAuI//wgICQMYwKQIBRAQgAZfBjOikGBYDmO+vBIW0M1JZ
PPzGHJ4cWB+Ql2EP1gACAksjMCkCAUUEII2qWEcjRcWhW7pxxf29VrG8UXKBO2woJX7z+aT9
BINmAgI1nzApAgFGBCBY1SBEz6wAnlO18ozEUIELA1MmqLoJUJ3fHZrethqS9wICQ/cwKQIB
RwQgKEQlaT9x7BsXFEMaeTDgenADknbXsXhdXsqYArIt/FgCAkGSMCkCAUgEIF2kp9NZAHl+
HFPLk4+sAYFzv3J45frBnjecNI+ua5AmAgI/MDApAgFJBCCwjoBtFb0R4DzoUrRYEwG7nOj3
yTS41wMi3GDAq3bKIgICRMMwKQIBSgQgXW7ZhJY3Q4B0N/gb+PiOuYflI/SQcxrm8MmARfaU
iesCAj8wMCkCAUsEIKDpYvcxg5dN5v4SC6cOVkcMYun16w9sTWI54y0M6T++AgJFkDApAgFM
BCCJEC2pnbSHsAVLkMDTcqbfwDHElUwRa7ZPcLsaJhZTHAICTlQwKQIBTQQgKOV9QZ0lGnsK
PXgm0mWH84+NyPSAYHAAY08XcXNh2TgCAkTCMCkCAU4EIMyKM1NKY0xrfLBECPMga73tbtib
+MsQUHPdp5dJsBj8AgJIvjApAgFPBCAX7oVWy+iUis/3E4o79ykQ1kgL1NtcwhOTVY3ri3N8
awICPMswKQIBUAQg5q66DsfGviCnY2QurViJW9Pj0QS1IULj9nKB9qLfNvsCAkJgMCkCAVEE
INBr2RynL0fYLv3kChzeVctoWIdO7UX95/FN292Clh8CAgI7MjApAgFSBCAUfQEnV+fPPoyd
ZkbjmoCYBw4gWebvRhvsFxAIevEo4wICRycwKQIBUwQgEPGot59Yjv0mpWVJZdqp4ohc93rE
dFVlTzaOfV/IAvQCAlJQMCkCAVQEIGzpxOH8NE+bV3pQEcSj473dW5uvW4v0LAwkWqNEBbVi
AgJH8jApAgFVBCCIY99guAcOGUeIHMcOrA41GZMhKnt4g/x29AZbP+3JjgICQMYwKQIBVgQg
Z9DT88fkjGmJJ05dyjvyX8L8VLPAjLfbeq3VKANYsX4CAjDYMCkCAVcEIBsyD47yBjRiv5IC
4ApGyuc0iOQ83+ds+1PwPX3fY5jhAgJNhzApAgFYBCAnrR6ExogF072thbuvi3AT0R4MOm0Y
mbu1kdnUCkMvbAICR/QwKQIBWQQgTk/L34ToQpRgWfPQwTSNK77xkjhOMAnXWpR2se22ynsC
Aj/8MCkCAVoEICMyz9/tu+V3JwZ8MViHoCzPUmIcZg8+q1IbjIoJtozVAgJDKzApAgFbBCBN
SKD4zohF+nW4sYZb1DDAPS1nmL3wYuA8fzJvANrxiQICQMcwKQIBXAQgirchc+d/kc6J9bz4
AwYM+FDD5FYsTE8ns0ScxLojED4CAjmbMCkCAV0EIO2ZoR83S8ofRgPI2YrYoD9yVp57mfw6
QcZ74anFGS56AgI//DApAgFeBCBPvKhdgeRa2L+L6WjPO27zoJGX9nvfFCiocIEL6iHrDQIC
SlgwKQIBXwQg8jwdAgVrYCXxipFZrmcRO0kOeWtrqrrxHXUTzG359IECAj5jMCkCAWAEIM2j
ntkBHb9blIQe78oxeWT/IEDvQcKBPWxVyDvPiQEUAgJMuzApAgFhBCAIh/zMmD+SVhj3JVl1
2QZmMpC+26y12F8Ak7AiIA66tQICQZIwKQIBYgQgq1p0vHJFSWdlLjZqldp82S4jIfnpI1Bg
OyZFmLCPGIMCAkGSMCkCAWMEIMOT9zPTo3YIZOFF/SFESqccXjojVGW+DsHyJk7HK3xdAgI+
ZTApAgFkBCA6Rh20Q7/0hjAlJHGe+v/dgERHj4zdZ29axLt/YWmu4AICQMcwKQIBZQQgYxkg
x2WcquxlJNi9OiB8bPakkFkMhmzIyROeDydzNQMCAj/8MCkCAWYEIBH/lYkwYg1J2Q9/DvHS
SUXdDO32g+3RwLyeLBAoxMiIAgJHKDApAgFnBCC6uyOvK4LsQwWuBJCBF4r5DU4j+KJXvUFZ
vfsGEHfbpwICRY8wKQIBaAQg8EY69QtWbahOfG92DEVHy2eHCUCUdSj1YSmuHmITxSACAkmM
MCkCAWkEIJpcOYmZ8MujSJaFYvM5K5j9lbXhofkljxcaIqGxoPPYAgJQtzApAgFqBCAlGv05
Rh5OQ7mwJv87osh8bQPbAuDkUGJ3ANiMPpwZRgICNNIwKQIBawQgkQr4E3vuKamjxV2L3GUL
Ib56KS4xv9wQGg2HjboCz5oCAkpYMCkCAWwEIIlZR9bVw2sUzhd4chOS4zB3l3agMaYZBmWb
SI9qNa6SAgJBkzApAgFtBCDLgFJhRjU7OwGDJ4ixNMvZmLPv+D2NMjp92cKzLFDuBQICPy8w
KQIBbgQg/6GZNBQON3bz9atx2tBF2S2RZqKGVcjpAsCBu6OhEvACAjc3MCkCAW8EIJDgoKBE
E8zDAxt36MhQ20IMJnG3Ofv/myfiKrfGtcPdAgJMuzApAgFwBCD/nzdfcH5SlgbOlblVbIHq
MlaA85t5iBnJSG6IzKttEwICSMAwKQIBcQQg+0fv3Yt6vW5CId1VipE5GVuaBojCaQYKSWdT
73gCs8cCAjTUMCkCAXIEINTtL6cL26i/1lPuKkpnwoD4Ph7L0Q7l9SRIlWNHKnA0AgJIvTAp
AgFzBCBuWOIXRwE/Q+ziP5kEspdY+PssCCT0T3PS2mDIFhJ8eAICPMswKQIBdAQgkbdzZz2w
SqQLl8RW1yRQEuN2F2f8uwk6Ug7ksSiJe0ECAky6MCkCAXUEIOy9+08NQoiPOemcy11H2yNS
I4UXnDPq3pulLxT5Pqs+AgJAxjApAgF2BCBT/WixkHycPN22wsCcJO7D2+joskxG9q/ObJqa
QtIh9QICP/owKQIBdwQgFlFqMwGbI8zHeGrsrGGjoyFs332p5f9P1nNYA7WFaV4CAkvvMCkC
AXgEIK417E+03KRfdd8tCuZ/EshTg09TBt9eZ+KI94MRAH39AgI/+jApAgF5BCA8W0kiSgm9
ST/HtL915ri1GBZxmz7PbPtxvmCD5MQh6gICSMAwKQIBegQg7nJOr9Sn1Nuk485VKrSHzF5+
WlYwr1+eTRZfBrOT95wCAj/8MCkCAXsEIMzFBzjNexi2DyyGC6ZLDdRfD/ngU0gXDH74jKyf
e8c2AgJCYDApAgF8BCAi+tuZqcUztoTPAGg/rubUNuADN5I3nfCZpk1/vZksxwICOzQwKQIB
fQQgeGe1demh7yKilG6h1iZ35idSvJFM4WGZ9WQZTi+vaAgCAkMqMCkCAX4EIOKJbuD69Omx
Q9jCeBWmvMw2fg6XkYVmBmHhJphuNFIIAgJBkzApAgF/BCBzbNJpRXMUBbtdjsEMZfMa+MtH
TGVGajaAP8W4LvSYZAICLNwwKgICAIAEIBmwuy0E0KEftqKHrKS1FoRmcJZD2Mx5MtwfOcYT
YnLAAgI00zAqAgIAgQQgs7q9UiE3n8/cL3NwGZfM+CHHTteiwUHYMxPcGVAHQsMCAjv/MCoC
AgCCBCC5tAa5suux9IjOhjNXzo2JQrOmd3bZt4yolbA4RoBaUwICPZYwKgICAIMEIOO2WG64
XV2nwvEm037cQ5zw5wmrE1NIETSzis9B7V+SAgJLIjAqAgIAhAQg8y9txNa25EqOsNBYWGJ2
jl3PDrVqtV1EH9ca+4Bt4w4CAkMsMCoCAgCFBCC56nWQBPPxY7mWrXV0XXcih+1jKZ0wZ4dS
boF4hX+LEwICQ/QwKgICAIYEILenjosqw4L0iHrlIq+JUzsKmRKgOa4BEGWj5vWRjcjLAgI8
yjAqAgIAhwQgglxs1x5WVw9seADyiGaE72CYnvZ4nEqLcmQe8MqpEvoCAj2XMCoCAgCIBCD3
vFCHTeh+KPeAhRn2SIOmE6fjkDgC/4gghCaq9P8lJAICQywwKgICAIkEIKK5PWakgV6iKlqG
ldKlGbeXGdwLrWWIylO8Gi69c73RAgI/LzAqAgIAigQguXQmiZhvCosCTZdjTTvmOk56i6M3
HI4DIwed6siSerICAkvuMCoCAgCLBCDIndMvo3ogQRaKXF8uEic0LpuLLolrS0YPslOEaL1P
mwICQZQwKgICAIwEILo5JUDxlO91w20Ude5lnpYiuUZwHK1ywKU2sX+/TQn0AgI4BDAqAgIA
jQQgyDjhvs1Ob7Dc6yYbN08t5R0TYiTl3G9uyiT957fW1RcCAkcmMCoCAgCOBCCKqHZUbgVm
3zReAZqBd2MdDV+iS2WcsNAlBxwH8snp0wICRyYwKgICAI8EIDW9whMf/QNCi+PKtfHbydjf
3jt+m11IUj6eFyjQcwQiAgJHJzAqAgIAkAQg7E4WFHqR1HrB+HnZrQ+/4AtECG8D97J3JqWT
Yg+x8bgCAjc3MCoCAgCRBCBhVOInUbYQkuVELKIRji/vu7cgkar/aFqq/XoKbClQaQICNAUw
KgICAJIEIDllMVlBs9V1YVEHOYOUgj7hb6XlsDonJt+mEL+lwyB4AgJNhzAqAgIAkwQgE5e8
KYVNqnWPJKAcMHgF3Lgvt2BJNiLnyi4Laz2odqgCAkcoMCoCAgCUBCC4NrKPK3eyKwjbc8Y8
o2jl7lV1mq4ZfrnjnBYS6kIu2wICOmgwKgICAJUEIHszD38FxLhd7dvfUIBlc0SXUJKcNv5M
6LNEr0EirdCeAgI+YzAqAgIAlgQgr55IZx76I8XqDtSN0uRcYSj8PNgZNfezaUPZ3lV8EvsC
AkZaMCoCAgCXBCBjyIayuHs54RGrfnchDlz57+Y7KitWUEgYLS0B114abAICPmIwKgICAJgE
IHzwBCY7/XyKsIzCI5YtPL31L76j2X91xkLIQMTPR18SAgI7MjAqAgIAmQQg29bTNylDheAO
SxXftQWRJqXf6QYTwlos4kvHsmk0JysCAkcoMCoCAgCaBCBExQTXszxRqIISbBqGakhu4B/T
Oflrod8D6rm+sQqXEgICSL8wKgICAJsEIORHLmBpWcm9fivUbCRqivIiFW+4qFi+enRZZRAp
pAZgAgI/MDAqAgIAnAQgokB+ngs/047/lCN68n4ibrUAOw2zHByu7pSF+2oabLMCAj5kMCoC
AgCdBCDCwJOOdbMZtU35d3QC+LOJCGF6lUZviiGsR7t9E7kIqwICQZQwKgICAJ4EIAkL7mcK
RoqLjWguzWm+Ex/sRiUD0JJvREkU9DAqODBdAgJOVDAqAgIAnwQgRuDth3cAlosUwaepMGIt
OcvVqyVMebhfpHOZu6xzfvUCAkTEMCoCAgCgBCC07q37BjH9GRcI34q6Nmv+oP0md8NhUBg1
ng0lSuz8UwICPMwwKgICAKEEIEvDhTg+59Xw04TMSndzamKo+g4pdrrc7YD7bq7y+WpBAgI/
LzAqAgIAogQglqCQc5fqXUhrSiITZBuJAw+jgGHrxpvn+Uiz/RfSjyYCAjgDMCoCAgCjBCBa
NixpBhu/UtsarRFcP9ZQbZ0C9ayMkRoZ23r5pYFjYAICQZMwKgICAKQEIEJtI1laLExnxUZC
arC0Vucxn9O9KxMrRKemPxKvB2bQAgJOUTAqAgIApQQg6gJi3c/MAuJxFV0yUc5B2bMfTBKd
8FzLaoMBwJYQyJ8CAkTAMCoCAgCmBCA1rfuygRz/Ir7ZkrPUe9p4Rpg9vK1SoEn0sJz1uM8E
LgICPy4wKgICAKcEIOdvizJLM6O4sLN7KoizKWmm4UioRu1m9gr2SHSC2Nd3AgI/LjAqAgIA
qAQg5HV5XtWcW5u+M1iilDZmQpdW0+FsA/RQAHEywOJaqSoCAkGSMCoCAgCpBCCxj1yZvKV+
4waavugsqEmC9jnjCQPF+HFqB9cfwzRwxwICPMswKgICAKoEIOyuxv9jKsR/NtqvyMdj5/lP
yUq6gDqXiTQs/pMe4N5oAgJBlDAqAgIAqwQg4+vGsAxV4Ht+l+xqELNM1T/x3O2Xp7hFfFjl
97Gvd5wCAkGTMCoCAgCsBCCAqbZwusWzJxat6N2i/Rb+1MWKRGWd4KnP6eHG/jMYNQICRyYw
KgICAK0EIDmdH/De0DDAcvGX4XPf82kzmHEFmzCJco37zywJhJXjAgJBkjAqAgIArgQghZvl
JOdIcIDjYiDLCWZ2LJphfmkmDqkadrY4nTfE5zECAkMsMCoCAgCvBCCyjM7WHojIyKdqQLPi
M4L1MKh2s6eDG396EkwbLHa3AQICU+gwKgICALAEIK7P40FO2XS7mLyFa4UpesUvsZxsmi5+
pcrpDsFu78sgAgI9lzAqAgIAsQQgg4JPqGViXRg3GFBI1TtzZKjVwhRDpxeB+Gnlgv4ynOsC
AkZaMCoCAgCyBCAKUL6DC90lM1/jLa2SdI10rSWaSYKJscSXAvUJpiQokgICQZMwKgICALME
IEBRG5NI0iXjttKDR5iHTcDKbpW4sLyuu/3aQ22hWPj3AgI+YzAqAgIAtAQgVB/+e0OP0oBx
Hs3oQCqZ/qEdWm6+ae1C1Ty3z3vgoyQCAk2IMCoCAgC1BCCL/70uF9gdMCXijxThwj7wL47Q
S0QBspMPgU5LjuPYSAICSyIwKgICALYEIILr6tKk2wQAx0MfxtHZDUwuHrfR7HVEuUtXN3jB
B697AgI8ADAqAgIAtwQgPlxT8ipyGINO9i5Ly/yLmNXUl+OdVrzCfYWbDAGsc5ACAkJgMCoC
AgC4BCDWOOhy68Q10ETFUrYWQTp2VsLcQDvZ49URxfbup66KVwICPZcwKgICALkEIDOu16H0
Jw5bKTT4eeGwQ4TFa9AltvpDnj9k+n3AYS3bAgJJizAqAgIAugQg7br4DtGjjP3coqwDRr4V
8CZuzaWGxpTSlHRFXtqTWNcCAj/5MCoCAgC7BCB7q69j9Ux/mKwTcHwFHE84rRcxdYgpKuUH
A4B5nMZ+QwICP/owKgICALwEIM+YZHUZwQyE9IxYloBaC2RDSRHD5yMG7pwkGDqh7O8+AgJH
8DAqAgIAvQQgKOYWtxHkUkfJ3k4+pi6TpOaFj7kOnzNNR+0pFUzzlLECAj5jMCoCAgC+BCCN
7A2TSITXQ39jU7SCNY9DNKLMu6MaIz0X7TluPzh8jAICOzQwKgICAL8EIIDNtWA+ClMRGQRz
hwkQQJgxjiWXG32sm4/XxJ89M9WiAgJExDAqAgIAwAQg3Ga6ranqXbMq5frKEF3gs5crvyce
GL9vG51jRgNe3lkCAkMqMCoCAgDBBCDDJPgkdEztcFimEqezOuJCrRSECo0J8n6OwlSpG35P
0AICULcwKgICAMIEIGo51OjqMJ/6uV4aM66Ccs7RkrcwVwPD3xgsrVSsDRKKAgJDKzAqAgIA
wwQgbp7rR9MyK7N+csFpnDz5Y/k0uUva57AVbCqb5SBRk5cCAjzLMCoCAgDEBCBPZtYttDeA
QJhK84UVm9qHTn248Z0mATix9mxQh++kegICP/wwKgICAMUEILF+KzZKi4HjUJ9395oYFMyf
juPYor1gBfIBUgex5m2FAgJH8jAqAgIAxgQguDxTOdjZj6QosUbHKqGMVtYgZG4nV+9di/ad
DRJQ2PkCAjzKMCoCAgDHBCDrh4tE3YJ7CJPm2I0Ju4HK6jaytmplxCZg3pTQywvoywICQ/cw
KgICAMgEIGemjtDrFSbCzW4o8Nj0CGajSBRks6v5+RwFGsNcTnAMAgI/+zAqAgIAyQQgbClv
5v98UfjKYn0Fyn55t5bBWR4vmW77sCe111vt4ocCAj/7MCoCAgDKBCDkOJ9vGgnTdyl4jloP
y/CxswJPMcPOwJVwBflsn1is6AICSYwwKgICAMsEIBTgYcoS7IkCsOTEUuUY9wJXcb0SuPir
gdVrlA2YEuUpAgJL7TAqAgIAzAQgsGheWVvilMiczSOxaI4HdiOu/OfXXn1dXetUaKKpPqoC
AjQIMCoCAgDNBCB8Hh8omWkEpLKouQjM5a1nj5PDUlQ/LRkXBD9R06xkuwICSlgwKgICAM4E
ICcqyQeXM1FlSAMNYvyJ+0ohVIPXUX9RpecJr+QuYcHOAgJDLDAqAgIAzwQgc+YPSnZZzRdQ
D/o8mO5H84xop4Wku1nE14Yuk0pTaaoCAkP3MCoCAgDQBCCUopVQSXjJJW5FTbKoQemKZEyv
3sHSUWJEjN4BGWr0ugICRMMwKgICANEEINzwqsQ9DADesBaS0IxlCFK4XiVaSN58f2D5Qkmi
8mqfAgI/+zAqAgIA0gQgK5ZGjRsQ/avSf+ZWoBno8EBX5GgndYK0EVeGgIajpo4CAk8fMCoC
AgDTBCAzzjJFmnf1OGtRNSj+xuRdNpeDNqHMiUKvCRAKIrtiTAICQywwKgICANQEIGj12Lz9
xhO04PnzXnm22rD1ixCevYvyBtMLnPZpoEKMAgJFjzAqAgIA1QQgeM+PRSwcFJ9jNNwgW7gb
HfeSaPlIn9cW1VLLBhCSASACAkDHMCoCAgDWBCDick0Xb4gK7A7hCR7QTdSxcavQkCi+rtok
thd4HemXswICOmYwKgICANcEINSubGAg/zG7itqj78MrzqAV0IjhUXgfKi+Wn97bbIYGAgI8
yTAqAgIA2AQgzrrf0mo3oZNH12kaP5YJg0/68fUA3EYrhD07CuvkpAECAj/4MCoCAgDZBCDr
XgOaBsLQMUN1WW4Hfg3hIJ2W4732xOeQ/zh8UggZCwICQyswKgICANoEIJN8F23BOUxr9ytR
7OiBUYoxUtYoSMGZF5LMgUg7XnvJAgJJizAqAgIA2wQgScKLPMmcID4UIrEe0s1hM6UYFG6E
Z4Mhp2m/iTifFmQCAj/7MCoCAgDcBCCpnAxOmkkLvxWJSQP8mw8tMTCS5iqROzTi3ofJUxGo
mwICT+wwKgICAN0EIIGe5weMmbhVu1qwGbiT3SJFr89xtgVhwxA0U9Z4SK5xAgI5mzAqAgIA
3gQgRr11O877dhCJ58SLBBj73ZL1z+tx/avHaewgJYXWblYCAki/MCoCAgDfBCDqHlZveqkE
tUIpfTlq0bE/ZPsaVyfMXs8VnSmxMcV3HgICNmwwKgICAOAEIJKicAXor8ec7/putzWFTulw
fASlj/rGEc0OQirHGn8RAgI/+DAqAgIA4QQgbBKfuN+i8Pld6VoA/J3vDqEETrE4l8Hc1HEk
AjjyZ0YCAkcnMCoCAgDiBCDjOq8wNSc72ET5lFT5GJsHZEuToPnADpjbAUglu29vdgICT+sw
KgICAOMEIMMunP77bxEi/TPfmbv23tejLSO9sgsF17QLi1XIJQvQAgI8ADAqAgIA5AQg/HIJ
56MNRwTWFfObMxudYylIOM/mlwmIZSWZqMnG9NYCAkGRMCoCAgDlBCBqwcPVkU9f9bFaLeN9
ncVWpiTwA6r51OZi2X2NaTZDsgICPzAwKgICAOYEINoi8+Mdwb2e9sMkOJNFuFgIjbUshx7F
9nndrhI5xESoAgI8yzAqAgIA5wQgEawwnpqhtkuBYzdGSLagC/usXOPAhOlGb41EJsK4W6cC
AkWPMCoCAgDoBCCO4/5rdbpG3uJKFxGFQtxOaNDwBx0P5TSvlQLSTxWEZAICThIwKgICAOkE
IFxFi8kv2Pa01D22STJF/R8ZfJCfb65u+a4QLV2pdZA0AgJDLDAqAgIA6gQgtqdiQL6I34Oj
mwEZUbIbBSXuBLhoxVnRlLPUJ1kH/QECAjgCMCoCAgDrBCB8juePUk3yDnCBhfHskziOT5YS
Sr0cO0AtmQnz7xwKwwICOZgwKgICAOwEIKBPTnXfmtX/4RhWcmSNdRW1MBhL+W1Gqhlo8CD1
jY6qAgI4ozAqAgIA7QQgxmbLfDqRcWU62ii6Z2WHqBonGhMHISHIhE2g+4pwdOcCAj2XMCoC
AgDuBCCSucEbgymnj8Kya4QX9Z4woH+IskKwWl0UsuC4C4PobgICPZcwKgICAO8EIAsdcveE
GDqHzjQ0ukJh3cVMlb2T9Lt0GmHoDOPVbkTfAgJDLDAqAgIA8AQgWVfUlP4yqiM61AEfVcUk
94LD/12uG1Z/c9MLVDcPRi8CAjv/MCoCAgDxBCC1FQ8kFl8T89kQqh2sPXHQhGnLo0dhSCAN
PGvW5C2ZzAICOmcwKgICAPIEIB66DhxH5jXOyLOhw4HNNoH6aJI97nJ48jctiEw0j6+uAgI8
zDAqAgIA8wQgJa1EXD4yCDaHAKNxBRVGGPqxgoRBwzyMPhMOPs95edcCAjpnMCoCAgD0BCAo
3FTszzQJMmseV2Ksx2VvFY3GIYVCADmG9MZS+ZSjAAICNzgwKgICAPUEIEkeQ+/DpMinvxL3
WftXjKm6jWPN/1ICRxWPJLVOSgRVAgJAxTAqAgIA9gQg3G2pqs0/o48IXg1ytP1hDx5Az+JV
esKoS7azwQfbbWECAjv/MCoCAgD3BCDpz9CX9T+wdO3RGoejDfd8g45IlNVkTWkQvlOp+Any
vAICOZkwKgICAPgEIE2kjZzd4f06F4OkC618FyDLzSj3fpkL0ziut8C1BWDXAgI+sjAqAgIA
+QQgn4XbqAvQ7X/bQhbDeU783K0sYqWCs/UJ14FDEK2Js18CAjUWMCoCAgD6BCBwTbJIbR3u
B/5UGCue0sbfe+gwwI1r85ZWjRNHfqjudAICQEswKgICAPsEIKD3lTXhwZ+14VI+2zea1LHg
GhiJ29RpVFdkbdFTCmlSAgI/fDAqAgIA/AQgq99/XBu3PCo412fjNZ2Y1ur8JuyRCZUAeC7E
mMKkG9cCAkJgMCoCAgD9BCCGUNfF0q+JK9WdgWcjvqqghhnaJr7ByVCpqqccIcrGBQICNNMw
KgICAP4EIMV4EJ78f5L126U8DQpKc6WS+/0rxvm6LlVJvANUHJW0AgI9ljAqAgIA/wQgH50b
PHPlVD2ttD8e6YpSB2T+yyl52SyUhzTjCjY4aa8CAkP4

B.2. Example ErikPartition

This object was retrieved from http://miso.sobornost.net/.well-known/ni/sha-256/c2zSaUVzFAW7XY7BDGXzGvjLR0xlRmo2gD_FuC70mGQ.

MIIs2AYKKwYBBAGCx1yGO6CCLMgEgizEMIIswBgPMjAyNTA5MjMwNzAxMDNaBglghkgBZQME
AgEwgiygMIHJBCAG6UIxgyjIq982vxxKMJv/bowmDbMWO3LvgqHevfX87QICB4QEFH/v69Ff
vGUUh6yvZ0JPR4PUPrQgAgIWlxgPMjAyNTA5MjMwNDAxMDRaMHYwdAYIKwYBBQUHMAuGaHJw
a2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzlhLzI2ZWY2My1iNzJmLTRiM2MtOGRm
Yy0yYmM4NDUxOTIyN2EvMS9mLV9yMFYtOFpSU0hySzluUWs5SGc5US10Q0EubWZ0MIHJBCAJ
C/5rz8EctTLdokjtJcRbxjNkGTUDXvS/ul5awnE/6gICCGAEFH8rqG33h4iPb4WSqAam/+ow
RsB6AgIWnxgPMjAyNTA5MjIyMzAxMTlaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQv
cmVwb3NpdG9yeS9ERUZBVUxULzYwLzVlNjc4Ni02Mzc3LTQyMjQtYmEwNi1kYzQ3NjllZmYx
ZjUvMS9meXVvYmZlSGlJOXZoWktvQnFiXzZqQkd3SG8ubWZ0MIHJBCANOJm2BGv14ec2gL92
ALy6rhSrwWaoZ9RvLtuakvPH/AICB84EFH+oFqMzjTJ0HNT/+PSd2yzIOP3FAgIEDBgPMjAy
NTA5MjMwNjAwNTdaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9E
RUZBVUxULzUzL2E0NTI4YS05MGU2LTRkOTEtYTUyYy1mMDcxN2VhNDg1YzYvMS9mNmdXb3pP
Tk1uUWMxUF80OUozYkxNZzRfY1UubWZ0MIHJBCAQcLeR03m/qXv7ORS2kMM/0AGF7sbyiKRM
FWUjx4lyHAICB84EFH+S33YQ8Ej0O/RMM21BxsEVfvDiAgIWLhgPMjAyNTA5MjIyMzAwMzla
MHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzE3LzU4
YmUxOC0yZjM1LTRjNmEtYWE2YS03ZjcyZjQ0Yjg5ODIvMS9mNUxmZGhEd1NQUTc5RXd6YlVI
R3dSVi04T0kubWZ0MIHJBCAWJLJq5NgRwoTGQyjxWd8kyvlpHldouFIaEXTVe2eCigICCF8E
FH9W8olIyDLy1DS7RNXeDqEiYBsFAgIWnBgPMjAyNTA5MjMwNDAyMjlaMHYwdAYIKwYBBQUH
MAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzNhLzIxZmJjYS04MGUwLTRi
OGMtODYyMi00ZTg2YWQ2NGY3NzQvMS9mMWJ5aVVqSU12TFVOTHRFMWQ0T29TSmdHd1UubWZ0
MIHJBCAZtE87O4WQcce5Xl54WOqwv/CMhhnDW7u/ZfNdcTsxlgICB84EFH/mixIjS9cDQwG8
lrE4quJ3hgo+AgIFBxgPMjAyNTA5MjMwNDAxMDdaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlw
ZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzhiLzRhMTExMS04ZjNjLTRlZGYtYjc3Yy0yZmEy
NjMxYmMzMWMvMS9mLWFMRWlOTDF3TkRBYnlXc1RpcTRuZUdDajQubWZ0MIHJBCAdR5bZgtQs
WmbdFbwYysmBReKtzDzrYIAbMAd65FUgdQICB84EFH/3TavU6xqhFHFE4VsCZp6YL95NAgIG
RxgPMjAyNTA5MjMwNTAwNTBaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3Np
dG9yeS9ERUZBVUxULzdkLzBmYmJmNS1jODNkLTRiOTctOWNlYS0wNTVjNDlhYzY4MjgvMS9m
X2ROcTlUckdxRVVjVVRoV3dKbW5wZ3YzazAubWZ0MIHJBCAk8vdyICFceQZP/jwTVpd1m7oN
8aINdZ9yBdwal5r/wAICCBgEFH8DofjDNP2/S3je8MWS/wSQ3fSwAgIWUxgPMjAyNTA5MjMw
MDAwNDdaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxU
LzY2LzNmZTFhMC1jNmZkLTRiYzQtYWFlMS05ZWUwMDY5NDJiNGIvMS9md09oLU1NMF9iOUxl
Tjd3eFpMX0JKRGQ5TEEubWZ0MIHJBCAtzQRAh0RvVm5t5cEliNTCNV61ummB7bPmMHHs2Q6B
qAICB84EFH9YvAhkEvTSxU+gcC2SziVJbOR5AgIUFBgPMjAyNTA5MjMwMDAwMzVaMHYwdAYI
KwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2NjLzUzMDkzMy01
OTE1LTRmZjItYjFmOS01MDEwZDA1Zjk5YTgvMS9mMWk4Q0dRUzlOTEZUNkJ3TFpMT0pVbHM1
SGsubWZ0MIHJBCAvHd/7VSM5LDf/9vv6NdM4wyOY6FW5vdaHrNFW4G+5agICB4QEFH8HV8Mx
mB4EK3RxNzUn0PZKE1a0AgISPxgPMjAyNTA5MjMwNDAxMzFaMHYwdAYIKwYBBQUHMAuGaHJw
a2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzc4LzRmOTZmOS01NjlmLTQzM2MtYjlh
OC02YTI2MTJkNDBmNTAvMS9md2RYd3pHWUhnUXJkSEUzTlNmUTlrb1RWclEubWZ0MIHJBCAv
uosewYqBhxMMwPDzG2Bb7HOXqIP4n3Xrkoa4ANMKtwICB84EFH9Wid5KfOdovzq12fhUboVs
yxk2AgIWmxgPMjAyNTA5MjMwMDAwNTZaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQv
cmVwb3NpdG9yeS9ERUZBVUxULzc3LzY0ZDUwNS0yMjA0LTRkY2EtYTk1ZS04YjUzNzI1ODRh
Y2QvMS9mMWFKM2twODUyaV9PclhaLUZSdWhXekxHVFkubWZ0MIHJBCAw/TNRg+KR3AigQmsm
fTMLWK6AgvtqWcYmyXrbYW2gjwICB84EFH/RimpJkQzDMdyREUrlm3GF1fMNAgIWnBgPMjAy
NTA5MjMwNDAyMjBaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9E
RUZBVUxUL2JhLzA5NDdmMi0yMmNhLTQ3Y2ItODlhZC0zZTUwYTVmMDE5OTgvMS9mOUdLYWtt
UkRNTXgzSkVSU3VXYmNZWFY4dzAubWZ0MIHJBCA2FDd/pvoShAkRHeWEYTHP3p34AkM9F4UJ
yiPR4yK2vAICB4QEFH9za4igJATUMEvdrV/1UEpoM+e3AgIWmBgPMjAyNTA5MjMwNDAxMDFa
MHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzk5LzBm
MjVjZS1iOTc3LTQ4NTMtOWVjMy05ZTU2Y2I1NGZlZjcvMS9mM05yaUtBa0JOUXdTOTJ0WF9W
UVNtZ3o1N2MubWZ0MIHJBCA3ePsvoey6JSimntoFj7+Uj2Jp7o3x9lxHSCHA+CvngQICCKUE
FH/K2J3xv5mjbykMw+8PHntNAnUzAgIWdxgPMjAyNTA5MjMwNDAxMzJaMHYwdAYIKwYBBQUH
MAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzU1LzlmOGIxNi0yODRmLTQ1
MTItYjNkYy0wMTVkOWYxYjRiNTAvMS9mOHJZbmZHX21hTnZLUXpEN3c4ZWUwMENkVE0ubWZ0
MIHJBCA6w7i2aTE856qUWrqtHvcV2pGAytPzW+ItBY72cJRyTQICB4QEFH+LIYNYmDp9eiU4
qdqbofNJTXGrAgIAwRgPMjAyNTA5MjMwMTAwMjRaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlw
ZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2Q5Lzc2Y2QwMy1lYWEyLTQ5NjUtOTRlZi05OGRi
YjY0MDJjZGQvMS9mNHNoZzFpWU9uMTZKVGlwMnB1aDgwbE5jYXMubWZ0MIHJBCA78jSLajj1
eEmavbdMS0bHcK7ucyNY/5GhcB/BhvNRbQICB4QEFH8UzoEDt4XzUEvEsy8fTJtwzj9/AgIP
WBgPMjAyNTA5MjMwNDAxMDVaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3Np
dG9yeS9ERUZBVUxUL2I2L2Y2OWRiZS1lMDc1LTQ0MzgtYjUzYi1mNjE2MGZhMWZiMDIvMS9m
eFRPZ1FPM2hmTlFTOFN6THg5TW0zRE9QMzgubWZ0MIHJBCA+CnuiFF/Cda/T10RjLbIbhGiA
6yw/wmdbNs/E5YVk6gICB84EFH/uPzggc/LD5PzP/KOExbDNgmwmAgICbBgPMjAyNTA5MjMw
MjAxMDRaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxU
L2E3LzhjY2ViZi1mOWZhLTRjNDYtYWVlOC1jY2JmYTczNDI0YTcvMS9mLTRfT0NCejhzUGtf
TV84bzRURnNNMkNiQ1kubWZ0MIHJBCBC7monZzoZgLqRkbEUcIq3ToeoeEYEbRf/yR3KXgbP
lwICB84EFH/JVqUrc1BKTx/zRUcZkpen9d6dAgIKTxgPMjAyNTA5MjMwNTAwNTRaMHYwdAYI
KwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2FhLzcxYWI2OS02
OTY1LTRiNzAtOTY4ZC1iYjU3YTRlZjcxNTMvMS9mOGxXcFN0elVFcFBIX05GUnhtU2w2ZjEz
cDAubWZ0MIHJBCBEoOAA8szwjyi9uxLlSyErul1XChsoH4xs3+leR8c4pgICB84EFH8Yitq1
tVIIHsrIIcmwkDlIc7MVAgIRCxgPMjAyNTA5MjMwMTAwMzBaMHYwdAYIKwYBBQUHMAuGaHJw
a2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzkwL2E2NTUyMi1mN2M1LTQ4N2ItYjdi
OC0yZTQ2MTQxNDFhYTQvMS9meGlLMnJXMVVnZ2V5c2doeWJDUU9VaHpzeFUubWZ0MIHJBCBH
59+1gS6pkImGH3tVdnqkYpyPqpt5h0mEJaJjiaVljAICB84EFH+F6ZA1Q5fjbAypA6DGIMdw
nv3NAgICyhgPMjAyNTA5MjMwNjAwNDFaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQv
cmVwb3NpdG9yeS9ERUZBVUxULzVlLzRhZTE3NS01NWQwLTQ4NGQtOGQxMS04YzlkNTgyM2Jh
ZDkvMS9mNFhwa0RWRGwtTnNES2tEb01ZZ3gzQ2VfYzAubWZ0MIHJBCBIo5YvqeKZhIwAq5xN
WIHFPQYXdGHXx++Snc9OR3VklQICB4QEFH+ZGMq28fNe8bXlg8soOem3SLFYAgITcBgPMjAy
NTA5MjMwNDAxMDhaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9E
RUZBVUxULzI2L2RmODJmYS0xMThkLTQyMTktYmExNi0xYTk2ODNjOWQ2Y2IvMS9mNWtZeXJi
eDgxN3h0ZVdEeXlnNTZiZElzVmcubWZ0MIHJBCBUcrrYoOMnP+lR0dGSwp10yTI0ji2xK0XG
VtH/jO9z8QICB84EFH93NN/qEgZXQS6oZ928e4TRMr94AgIPSRgPMjAyNTA5MjMwNDAyMDRa
MHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzdlLzY4
MDMyNC1lZTFmLTQwZjItODhkZi0xOTY5MzE5NjJkM2MvMS9mM2MwMy1vU0JsZEJMcWhuM2J4
N2hORXl2M2cubWZ0MIHJBCBk8ncmsVu05KJS64WUkhA4F/2Z6hhjsHEvOjGWkevNmwICB4QE
FH9K5X7m4KnFEB/BSoelM0FQu6tGAgIF6hgPMjAyNTA5MjIyMzAwNTlaMHYwdAYIKwYBBQUH
MAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzJiLzExZmE0NC04ODc5LTRk
MTktYjQ2OC01YjVkOThmNTM2MWUvMS9mMHJsZnViZ3FjVVFIOEZLaDZVelFWQzdxMFkubWZ0
MIHJBCBloCeMud+A0BsPMrfdU2mQjsCbeBScISC/gPsgvPsQ0wICB84EFH9C0nwh2obH6fv0
SuDlbJjz0vgLAgIOORgPMjAyNTA5MjMwNDAyMjNaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlw
ZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2E5Lzk4YjAyNC05ZDhmLTQ4NjktYTJhOS0wYWZi
N2MzZmJmMzAvMS9mMExTZkNIYWhzZnAtX1JLNE9Wc21QUFMtQXMubWZ0MIHJBCBw8y/EDCcY
Mb7gP8H5htrkZe4PVZuH0MnAfrIjELHbvAICB84EFH811a5Bf0XuhQXXbOqhs0xFg5SgAgIP
dhgPMjAyNTA5MjMwNDAyMDRaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3Np
dG9yeS9ERUZBVUxUL2U2L2M1NDY3Yi0zOTYyLTRiNzQtYWUwZC0zNDQ3M2JjOTFkODAvMS9m
elhWcmtGX1JlNkZCZGRzNnFHelRFV0RsS0EubWZ0MIHJBCBxZXk3VbhMC3pspd6F9s5+5rzX
iCgmDS87bxAxcC5v9AICB84EFH/8glhd9pt8lLFqYZMv/ItuM1FWAgIScxgPMjAyNTA5MjMw
NDAxMTRaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxU
L2U0LzUzMWQyYi1lMTcwLTQ5YTUtODQwNC05MmY3M2Y1NmZjNjIvMS9mX3lDV0YzMm0zeVVz
V3Boa3lfOGkyNHpVVlkubWZ0MIHJBCB0NGwcUNfXmz+slvqbDJuuAJNSASxeJtVG+WIScDUZ
EgICCBgEFH/g51k1ToPMGTIDgRCd4i2g8acAAgIWoRgPMjAyNTA5MjMwMTAwNTRaMHYwdAYI
KwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzRjLzBjNzI0My0x
ZmZiLTQ5ZDItYjVjMS1iNDAyZThhMWQ5MzQvMS9mLURuV1RWT2c4d1pNZ09CRUozaUxhRHhw
d0EubWZ0MIHJBCB0tjF6xFCQL8EVImZnEluq5kDbLBDcWemir9s7lRBErwICCKUEFH9RXq0J
Xu2axMq8WrStC1hn2fAbAgIWsRgPMjAyNTA5MjMwNjAxMjBaMHYwdAYIKwYBBQUHMAuGaHJw
a2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2E3LzVjMmE1OS02MDI1LTQwMGUtYWIy
OC1mMGE2MjRkNDA5MTIvMS9mMUZlclFsZTdackV5cnhhdEswTFdHZlo4QnMubWZ0MIHJBCB3
xsZEFIeGsX7ix102aTWQSKjQ7xeNF/o+rvPRBN0+MAICB84EFH/j1jtKW0BLX/g8vysVJaME
d/ZcAgID3RgPMjAyNTA5MjMwNjAwNTRaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQv
cmVwb3NpdG9yeS9ERUZBVUxUL2Y2LzgxYTY3Mi1mZTk4LTRkM2YtOWI4My0yY2I3YTNiNmU0
MmYvMS9mLVBXTzBwYlFFdGYtRHlfS3hVbG93UjM5bHcubWZ0MIHJBCB4jbeXyKKmxw2qL7qN
knQE9sC8Mbp3PB65S4tWNTn7YgICCF8EFH8+Cye45NeY+Sud4Vfx2lpDzUnlAgIQ2BgPMjAy
NTA5MjMwNzAwNDFaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9E
RUZBVUxULzVmL2EwYzlhYy0zYTQ3LTRkNmMtYWExNS1hNDJlYzg3NzZmYmIvMS9mejRMSjdq
azE1ajVLNTNoVl9IYVdrUE5TZVUubWZ0MIHJBCB6I7Br1qhj6mFvJAZLnxbwXjsrWAGCtEbu
MY5nuQrj+gICB4QEFH8pZlevjQDCX9dfVuzIoos1FQV1AgIP0RgPMjAyNTA5MjMwNzAxMDNa
MHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2QwL2U4
MGIzMy0zYmVlLTQ2ZWMtYjM1ZC1iYWY5NWE1MDZkMTkvMS9meWxtVjYtTkFNSmYxMTlXN01p
aWl6VVZCWFUubWZ0MIHJBCCDkqyKnrs6AkI2WpmX5t8Dwi55XFHtP0mT5xiZIIGFcQICB84E
FH8Xj69kAeLzcW4xdkVp33Md9Y8iAgIRDxgPMjAyNTA5MjMwNjAwNDlaMHYwdAYIKwYBBQUH
MAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzY2LzFiNzk2OC1jYTRkLTQ1
ZjQtYjY3MS0yZTdmNzg0ODljZDMvMS9meGVQcjJRQjR2TnhiakYyUlduZmN4MzFqeUkubWZ0
MIHJBCCFDDrzBUzNkumvliEbQSphMBB2WbYuFwD4ZYxe7f2+ogICCBgEFH8WgCjsDatmimfV
v29TWMqr4zeoAgILChgPMjAyNTA5MjMwMDAxMDVaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlw
ZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2NjL2IxNTI4Ni1mZDRkLTQ5ZmUtYTY5ZS03ZmFk
ZjUwYTJlMzcvMS9meGFBS093TnEyYUtaOVdfYjFOWXlxdmpONmcubWZ0MIHJBCCKsbiYxCks
WitfT9wl//KbqqkzkoXS5g++SNBP0lbHOwICB84EFH8dWNYt3X5HryGW/XVLs/8meYkqAgIW
mRgPMjAyNTA5MjMwNDAxNTlaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3Np
dG9yeS9ERUZBVUxULzQ2LzI5MGE2MC03OTJmLTQ0NzUtYTlmNC1lM2I5ZTBiYWU2YWIvMS9m
eDFZMWkzZGZrZXZJWmI5ZFV1el95WjVpU28ubWZ0MIHJBCCOXbx/KCDd6GY3H2VwgqZj6ils
X1nuORbCFThWKwFR1wICB84EFH8RQWrjkp3ze/ZqRZzTrKY4kelGAgIWlxgPMjAyNTA5MjMw
MDAwMzBaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxU
LzJmLzZiMjJlOC0zZGNkLTQ0ZGQtOTUxNC02NzU2ZjdiMGMwZGIvMS9meEZCYXVPU25mTjc5
bXBGbk5Pc3BqaVI2VVkubWZ0MIHJBCCRycPVPeYtsaCCsUTfyqBHbPAAwsIA/BFmYeDB5Isx
dgICB84EFH/WLkLAjhYBxFceDYijSaBQnepeAgISIxgPMjAyNTA5MjMwMDAwNTlaMHYwdAYI
KwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzc4L2I5MzRlZS1j
NGJhLTQzOTEtODBiMC1lNzVhNWVhODlmZDEvMS9mOVl1UXNDT0ZnSEVWeDROaUtOSm9GQ2Q2
bDQubWZ0MIHJBCCTyRLdagxVGYugDu6T6ET54lM06pyPjvE5S27+B9xA/QICB84EFH8z/EDS
4DM7vHveqyvYWZVDAcDxAgIF5BgPMjAyNTA5MjIyMzAwMzVaMHYwdAYIKwYBBQUHMAuGaHJw
a2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2I0LzY1YmYxZC1lYzFkLTQwZTYtODQ5
ZC03OTc5MGQ2NmQ3ZDMvMS9melA4UU5MZ016dThlOTZySzloWmxVTUJ3UEUubWZ0MIHJBCCU
2IRpBytL/B62SPheK1y8NuGHwWPbU8iyvkhFLuXp3gICCb0EFH9r0aawRiXFcdgw+HixwCOC
R0CMAgIFPxgPMjAyNTA5MjMwNzAwNDRaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQv
cmVwb3NpdG9yeS9ERUZBVUxULzQ4L2JjNjZkNy01N2FiLTQ3NWQtOTZiYS04OWI2YzMyMzE1
YzIvMS9mMnZScHJCR0pjVngyREQ0ZUxIQUk0SkhRSXcubWZ0MIHJBCCYquVwfhlYMcmkDOxQ
2HCsPWT69GGOnzJ/g90EwQ8rIgICB84EFH8+CHSJ7iOpQk1T+sIW7kuOASgOAgIWLhgPMjAy
NTA5MjIyMzAwNDZaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9E
RUZBVUxUL2M2L2MyYzk5ZC1jZjkxLTRkZmItOTRkZS1hN2M2M2Q1NjJlNTYvMS9mejRJZElu
dUk2bENUVlA2d2hidVM0NEJLQTQubWZ0MIHJBCCfyEBs3iVYfhQ3nM9w6BpR5fISnWVCBV62
cPxv9KUEnQICB84EFH/7ARXErN3RtK3EBzeAcmrPwBr5AgILpRgPMjAyNTA5MjMwNjAxMDZa
MHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzYxLzUy
NjhmYy1jZmVlLTRhYTgtOTdiZi1jYmUwMjA2NjVlZmUvMS9mX3NCRmNTczNkRzByY1FITjRC
eWFzX0FHdmsubWZ0MIHJBCCn6U5KB9Ulxw7GIPFbaOmCIDKf8lpmKqI33H2DHzZksgICB84E
FH9RIoN0dC31RKqTBYxaO9PRZCGZAgIODBgPMjAyNTA5MjMwNTAwNDlaMHYwdAYIKwYBBQUH
MAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzBhLzkzODVhYS0xYjc5LTRh
MDItYTA5Mi0wMWViMDM2ODRmMDkvMS9mMUVpZzNSMExmVkVxcE1GakZvNzA5RmtJWmsubWZ0
MIHJBCCpi80UrfSzwmVwcehboPdQHhrh6h9xGsVXEPoezAH0XwICB84EFH9qjl1VwkmKgmNv
mfj8njGeB3ceAgIPnBgPMjAyNTA5MjIyMzAwNDFaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlw
ZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzc0LzI3ZmNlMS0xMWNlLTRhMzItYTY0OS1lMDc2
YjUxNzIxYWQvMS9mMnFPWFZYQ1NZcUNZMi1aLVB5ZU1aNEhkeDQubWZ0MIHJBCCsI4WNFfQO
MibfaZfwiXVbi3HpxPKq0qlzWTjOSZ0K6AICB84EFH8qMrpCGWgNzdWPYQHlx67BVApzAgIW
nBgPMjAyNTA5MjMwNDAyMTZaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3Np
dG9yeS9ERUZBVUxULzU1LzE0M2U5ZS05NmU2LTQ3NGUtYWQyYy0yMmU2ZGY0NTg0YWYvMS9m
eW95dWtJWmFBM04xWTloQWVYSHJzRlVDbk0ubWZ0MIHJBCCv8OQ2OEccYyrWLhsQ9GBsMkL+
U1qihaQnp4htBZJ7xAICCF8EFH9QB30t2KZ6Gui2q9a7s0iQKKW7AgIWohgPMjAyNTA5MjMw
MjAxMDJaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxU
LzVjL2MxYzFjZS1lYTU5LTRkY2YtYmNjYy0zZTdjYWRkODhjNzAvMS9mMUFIZlMzWXBub2E2
TGFyMXJ1elNKQW9wYnMubWZ0MIHJBCCwbYH58Q1Hr3LbAk6xc1G6KS2L4M6cMSMGeGSmORmj
0wICB84EFH+0PeI3/QtqKHOJIwkh0losLtGoAgIWLRgPMjAyNTA5MjMwMjAwNDFaMHYwdAYI
KwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzA5L2Q0ZDEyYS1h
YjRlLTRkYmEtOTVkZS1iYzYzNzEzMGRlNmUvMS9mN1E5NGpmOUMyb29jNGtqQ1NIU1dpd3Uw
YWcubWZ0MIHJBCC5qxrhGsdwpb32aH8xthnZZzwSXC/uTEJLN0VxpfIVKAICCBgEFH/xuBz+
arsRjpfgMltmLq+YTy9qAgINBxgPMjAyNTA5MjMwMDAwNTRaMHYwdAYIKwYBBQUHMAuGaHJw
a2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzc1LzE4NmExOC01ZDdmLTQzZWQtYjA2
YS1jZWE3ZWIzNTA1MzcvMS9mX0c0SFA1cXV4R09sLUF5VzJZdXI1aFBMMm8ubWZ0MIHJBCC6
bbXg9NGOUIrRUF7O4Kkx7JJK2UGvi48vcupkrHBNoQICB84EFH8xNg/8Gv1fHaZtgUBORmNR
LUlnAgIUJBgPMjAyNTA5MjMwMjAwNDJaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQv
cmVwb3NpdG9yeS9ERUZBVUxULzJkL2ZlZjVkZC0zOGVlLTRiYzUtODJmZi01ODRkNzhhMjVm
OGMvMS9mekUyRF93YV9WOGRwbTJCUUU1R1kxRXRTV2MubWZ0MIHJBCDFP/VzX+fQNa0KUtTt
8P0j61eHwFvSwrx0LHWDrDI3oAICB4QEFH9R3x306IZ+QeXn+S3n+dH6DBVNAgILgRgPMjAy
NTA5MjMwNjAxMTRaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9E
RUZBVUxUL2ZhLzVlNzMxZi01MjhiLTRlMDItYWQ2OC02ZDkwMzVhZjE1MzUvMS9mMUhmSGZU
b2huNUI1ZWY1TGVmNTBmb01GVTAubWZ0MIHJBCDNGMH6y/iAIm2VqfNabCpnclgk0F5FdiQx
b45atOgcBwICB84EFH+bTP3JsNnjwx4Ou4Hm8bHLvcnkAgIMexgPMjAyNTA5MjMwMjAwMzRa
MHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzViLzgy
NDZlYi04NDY5LTQyZGYtYTA4Zi05MGM0MjFmNTVhZGIvMS9mNXRNX2NtdzJlUERIZzY3Z2Vi
eHNjdTl5ZVEubWZ0MIHJBCDULZ9V9GVvzrX6km+uZVhinNo5qZQvNZyoPq6ckfF4AwICB84E
FH8dDjKYvtOn85+zskTtkYv2xNe/AgIUcRgPMjAyNTA5MjIyMzAwNDZaMHYwdAYIKwYBBQUH
MAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2Y3L2U2NTA2ZS03Njg1LTQ4
ZTctYTU4My0yMWFmM2RlZThlZTkvMS9meDBPTXBpLTA2ZnpuN095Uk8yUmlfYkUxNzgubWZ0
MIHJBCDWykkLSOqpzcVFkVfC4KEZhaQ5iW2klfJdHpTsrQ5k1wICB4QEFH9+Xr1vpGnF43C/
wQbE1KrR4duUAgIPBBgPMjAyNTA5MjMwNjAwMjNaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlw
ZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzIzL2MzZThlZC01OTdhLTQ4NWEtOTRhMy05ODJj
ZmIzNTlhZWUvMS9mMzVldlcta2FjWGpjTF9CQnNUVXF0SGgyNVEubWZ0MIHJBCDi1bM+jh+B
MioiQZihpFhx0f5+snIoLoL7iYheLRGulAICB4QEFH/xeuVHufJkHmBXf+VT3bb3SaCHAgID
2hgPMjAyNTA5MjMwNDAxMDlaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3Np
dG9yeS9ERUZBVUxUL2E1LzFiYzBmOS1iZDdjLTRmN2EtYTQwNC1hNDNmZjI1ZDQ0N2QvMS9m
X0Y2NVVlNThtUWVZRmRfNVZQZHR2ZEpvSWMubWZ0MIHJBCDrroFYFly0MZks0keOew0RIvBM
lIz4sQ5J3U+8VQ+iOAICB84EFH9NWRwjrSxpR31/eh1M6OvO6VlsAgIE9RgPMjAyNTA5MjMw
MjAwNDBaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxU
LzNlLzBkNjdhMi1iYzM2LTRiOTMtYjYwNC1kNGY1YzkyZDkwOTUvMS9mMDFaSENPdExHbEhm
WDk2SFV6bzY4N3BXV3cubWZ0MIHJBCDrysEF0Mb4O38e4Yom6HOu56DkNiYSzsnLEu0z9ENq
kwICB84EFH9DnZQkJvxnOyecyYqzX9vX6pf1AgISMxgPMjAyNTA5MjIyMzAwNDBaMHYwdAYI
KwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzJhLzY5YTA5Zi01
ODA5LTQ2NTYtYjM1NS0xNDZmMjU0YWMxMzEvMS9mME9kbENRbV9HYzdKNXpKaXJOZjI5ZnFs
X1UubWZ0MIHJBCDwigCSeW8JjL525MGaphNOYxoTjA+2y7/nxhBX30rm0QICB4QEFH8Xtvky
OZ1YUJPRhzOU6/4bKfmMAgIOHBgPMjAyNTA5MjMwMTAwNDJaMHYwdAYIKwYBBQUHMAuGaHJw
a2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzMxL2NjMDIwMC1iYjJjLTQ1ZjYtYWM3
NS04Mjc1NzdkZjhlZGMvMS9meGUyLVRJNW5WaFFrOUdITTVUcl9oc3AtWXcubWZ0MIHJBCD2
OipMOZLdHyqDhwoMxCAgn3UjHiGo1ihS07IdefH2zwICB84EFH8km5VEYgaD+Us4inVRpopk
k+0SAgICyxgPMjAyNTA5MjMwMTAwNDdaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQv
cmVwb3NpdG9yeS9ERUZBVUxULzhiLzdhYTA0ZS00ODA3LTQ5ODgtOTEwMy04NDIzOTdlMzA2
NDMvMS9meVNibFVSaUJvUDVTemlLZFZHbWltU1Q3UkkubWZ0

Acknowledgements

The authors wish to thank George Michaelson, Theo de Raadt, Bob Beck, and Theo Buehler for the lovely conversations that led to this proposal.

This protocol is named after Erik Bais, who passed away in 2024, as a small token of appreciation for his friendship.

Authors' Addresses

Job Snijders
The Netherlands
Tim Bruijnzeels
RIPE NCC
The Netherlands
Tom Harrison
APNIC
Australia
Wataru Ohgai
JPNIC
Japan