The Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI)

The Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI) BSD Software Development

Amsterdam The Netherlands job@bsd.nl https://www.bsd.nl/

RIPE NCC

The Netherlands tim@ripe.net

APNIC

AU tomh@apnic.net

JPNIC

JP alt@nic.ad.jp

Operations and Management Area (OPS) SIDROPS Data synchronization This document specifies the Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI). Erik Synchronization can be characterized as a data replication system using Merkle trees, a content-addressable naming scheme, concurrency control using monotonically increasing sequence numbers, and HTTP transport. Relying Parties can combine information retrieved via Erik Synchronization with other RPKI transport protocols. The protocol's design is intended to be efficient, fast, easy to implement, and robust in the face of partitions or faults in the network.

Introduction This document specifies the Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI) . Erik Synchronization can be characterized as a data replication system using Merkle trees , a content-addressable naming scheme , concurrency control using monotonically increasing sequence numbers , and HTTP transport . Relying Parties can combine information retrieved via Erik Synchronization with other RPKI transport protocols ( and ). The protocol's design is intended to be efficient, fast, easy to implement , and robust in the face of partitions or faults in the network.

Background The notion of cache-to-cache data replication of unvalidated data was documented in .

Validated caches may also be created and maintained from other validated caches. Network operators SHOULD take maximum advantage of this feature to minimize load on the global distributed RPKI database. Of course, the recipient relying parties should re-validate the data.

Historic records show that experiments have been performed in this space using, for example, peer-to-peer file sharing technology (see ), but no standardised and widely-deployed mechanism for cache-to-cache replication emerged since then. The authors hope that the Erik Synchronization protocol might be suitable to fill this gap and improve propagation speed of validly signed repository data as well as help reduce load on the global RPKI.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Related Work The reader is assumed to be familiar with the terms and concepts described in "" , "" , "" , "" , "" .

Glossary This section describes the terminology and abbreviations used in this document. Though the definitions might not be clear on a first read, later on the terms will be introduce with more detail.

Erik relay: An intermediate between CA publication repositories and Relying Parties.
FQDN: The fully qualified domain name of a RPKI repository instance referenced in an end-entity certificate's Subject Information Access (SIA) extension's id-ad-signedObject accessDescription.
Hash: A message digest calculated for an object using the SHA-256 algorithm.
ErikIndex: The relay's Merkle root for a given FQDN. An ErikIndex is an ordered listing of ErikPartition object hashes.
ErikPartition: An ordered listing of the manifest objects' hashes, manifestNumber values, thisUpdate values, and their certificates' SIA extension values.

Informal Overview Erik Synchronisation is an architecture to reliably distribute RPKI repository data from cache to cache using so-called Erik relays. Relays maintain a validated cache themselves and can be clients of other relays. While this property suggests that a group of relays should converge to the exact same state, the distributed nature of the RPKI prevents relays from achieving strict synchronization. In this synchronization protocol, Merkle trees are used to determine whether differences exist between client and relay. Merkle trees are hierarchical data structures: the hash value of each node is computed recursively by hashing the concatenated hash values of the node's children. The hash of the ErikIndex represents the entire dataset related to a given FQDN. If the ErikIndex hash is not the same between two replicas, the relay provides the client with hashes of smaller and smaller portions of the to-be-replicated dataset until the exact list of out-of-sync or missing objects is identified. Sequence numbers are then used to determine whether these differences are relevant enough for the client to fetch. All data, except for ErikIndex objects, is fetched using static addresses derived from object hashes. This approach reduces unnecessary data transfer between caches which contain mostly similar data. The client starts by querying an Erik relay for the relay's current ErikIndex for a given FQDN. If the ErikIndex is different compared to the previous run (or compared to the Index calculated from the locally cached objects). With the ErikIndex in hand, the client can determine which ErikPartition are missing and fetch accordingly. The client then can compare the manifestNumber sequence number and thisUpdate for each manifest listed in the ErikPartition, and proceed to fetch (purportedly) newer versions of manifests of interest. Whenever a relay has manifests with a lower sequence number on offer, the client can ignore those. The client now has sufficient information to proceed to fetch any missing Certificates, Signed objects, and CRLs. With the information contained within manifests, clients can fetch addressed by content (by hash) and store by name (or some other scheme).

Erik Synchronization Data Structure Definitions In this synchronization protocol the signal layer makes use of DER-encoded messages . Design note: DER encoding was selected for its canonical properties and because RPKI cache implementations already support ASN.1 encoding. RpkiErikSynchronization-2025 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) mod(0) id-mod-rpkiErikSynchronization-2025(TBD) } DEFINITIONS EXPLICIT TAGS ::= BEGIN -- EXPORTS ALL -- IMPORTS CONTENT-TYPE, Digest, DigestAlgorithmIdentifier FROM CryptographicMessageSyntax-2010 -- in [RFC6268] { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } AccessDescription, KeyIdentifier FROM PKIX1Implicit-2009 -- in [RFC5912] { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } ; EncapsulatedContentInfo ::= SEQUENCE { eContentType CONTENT-TYPE.&id({ContentSet}), eContent [0] EXPLICIT OCTET STRING (CONTAINING CONTENT-TYPE.&Type({ContentSet}{@eContentType})) OPTIONAL } ContentSet CONTENT-TYPE ::= { ct-rpkiErikIndex | ct-rpkiErikPartition, ... } ct-rpkiErikIndex CONTENT-TYPE ::= { TYPE ErikIndex IDENTIFIED BY id-ct-rpkiErikIndex } id-ct-rpkiErikIndex OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) snijders(41948) erikindex(826) } ErikIndex ::= SEQUENCE { version [0] INTEGER DEFAULT 0, indexScope IA5String, indexTime GeneralizedTime, hashAlg DigestAlgorithmIdentifier, partitionList SEQUENCE SIZE (1..ub-Partitions) OF PartitionRef } ub-Partitions INTEGER ::= 256 PartitionRef ::= SEQUENCE { hash Digest, size INTEGER (100..MAX) } ct-rpkiErikPartition CONTENT-TYPE ::= { TYPE ErikPartition IDENTIFIED BY id-ct-rpkiErikPartition } id-ct-rpkiErikPartition OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) snijders(41948) erikpartition(827) } ErikPartition ::= SEQUENCE { version [0] INTEGER DEFAULT 0, partitionTime GeneralizedTime, hashAlg DigestAlgorithmIdentifier, manifestList SEQUENCE SIZE (1..MAX) OF ManifestRef } ManifestRef ::= SEQUENCE { hash Digest, size INTEGER (1000..MAX), aki KeyIdentifier, manifestNumber INTEGER (0..MAX), thisUpdate GeneralizedTime, locations SEQUENCE SIZE (1..MAX) OF AccessDescription } END

General Syntax The content of an Erik object is an instance of EncapsulatedContentInfo.

eContentType The eContentType is an OID specifying the type of payload in this object.

eContent The eContent is the payload of the Erik object encapsulated in an OCTET STRING.

ErikIndex An ErikIndex represents all current manifest objects available under a given FQDN and thus the complete state of the repository as it is known to the relay.

The version number of the ErikIndex object MUST be 0.

The indexScope field contains the fully qualified domain name of the Signed Object location of the manifests referenced through this particular ErikIndex. The FQDN MUST be in the "preferred name syntax", as specified by and modified by .

The indexTime is the most recent partitionTime value among the ErikPartitions referenced from this ErikIndex. The field's value roughly indicates when the ErikIndex was generated and can be used for troubleshooting and measurement purposes. For the purposes of this profile, GeneralizedTime values MUST be expressed UTC (Zulu) and MUST include seconds (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. GeneralizedTime values MUST NOT include fractional seconds. See . Design note: using the most recent partitionTime, rather than the local system's notion of "now", helps reduce churn in distributed systems.

This field contains the OID of the hash algorithm used to hash the ErikPartitions. The hash algorithm used MUST conform to the RPKI Algorithms and Key Size Profile specification .

This field is a sequence of PartitionRef instances. There is one PartitionRef for each current ErikPartition. Each PartitionRef is a tuple consisting of the hash of the partition object and the size of the partition object. Information elements are unique with respect to one another and sorted in ascending order of the hash.

ErikPartition An ErikPartition represents a subset of manifest objects available under a given FQDN. Each ErikPartition is an ordered listing of the manifest objects' hashes, manifestNumber values, thisUpdate values, and their end-entity certificates' SIA extension values.

The version number of the ErikPartition object MUST be 0.

The partitionTime is the most recent thisUpdate value among the manifests contained within this ErikPartition. The field's value roughly indicates when the ErikPartition was generated and can be used for troubleshooting and measurement purposes. For the purposes of this profile, GeneralizedTime values MUST be expressed UTC (Zulu) and MUST include seconds (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. GeneralizedTime values MUST NOT include fractional seconds. See . Design note: using the most recent manifest thisUpdate value, rather than the local system's notion of "now", helps reduce churn in distributed systems.

This field contains the OID of the hash algorithm used to hash the manifest objects referenced in this ErikPartition. The hash algorithm used MUST conform to the RPKI Algorithms and Key Size Profile specification .

This field is a sequence of ManifestRef instances. There is one ManifestRef for each current manifest. A manifest is nominally current until the time specified in nextUpdate or until a manifest is issued with a greater manifestNumber, whichever comes first (see ). A ManifestRef is a structure consisting of the hash of the manifest object, the size of the manifest object, the manifest issuer's key identifier, the manifestNumber, and the thisUpdate contained within the object, and a sequence of AccessDescription instances from the manifest's End-Entity certificate's Subject Information Access extension. Information elements are unique with respect to one another and sorted in ascending order of the hash.

Client-side Processing Clients start by fetching an ErikIndex, which is represents the relay's current Merkle tree head for a given FQDN. A client MUST verify the requested FQDN exactly matches the indexScope value in the ErikIndex, and if not proceed to use a different relay. Then, clients can decide whether or not to fetch ErikPartition objects listed on the ErikIndex, for instance, by checking whether the object associated with the hash was already fetched at some point in the client's past. Before using a ErikPartition, the client MUST verify that all URIs in the accessLocations in the id-ad-signedObject accessMethod instances in the ErikPartition are encompassed in the requested indexScope. A client can then decide whether or not to fetch a given manifest object, by comparing the manifestNumber and thisUpdate with what's locally cached and what's offered by the remote relay. A client can compute which products listed in the manifest's fileList need to be fetched from one relay or another in order to achieve a successful fetch. A client MUST verify that the URI in the accessLocation in one of the id-ad-signedObject accessMethod instances in the manifest's Subject Information Access (SIA) is encompassed in the requested indexScope. As there is no concept of 'sessions' (like in RRDP), clients can interchangeably use different Erik relays. When one Erik relay generates a HTTP error, the client can try fetching the requested object from another Erik relay. To improve reliability, clients should alternate among different relays in successive query and fetch attempts.

Querying an Erik Relay

This specification uses "Named Information" identifiers mapped to .well-known HTTP/HTTPS URLs for object retrieval, as described in . For example, issuance #54 of ripe-ncc-ta.mft has the following SHA256 digest: c2d0427bc5a32c42eea1ab5663d592b1fc29c7d4ef16ab0b5e1d631d039dcc21. To fetch the aforementioned object from an relay hosted at relay.example.net, a client would access the following HTTP URL: https://relay.example.net/.well-known/ni/sha-256/wtBCe8WjLELuoatWY9WSsfwpx9TvFqsLXh1jHQOdzCE

The URIs to fetch ErikIndex objects can be constructed using the following Well-Known URI template with the erik keyword as suffix and the FQDN as parameter: https://{relay_host}/.well-known/erik/index/{FQDN}. For example, the URI to fetch an ErikIndex for the rpki.ripe.net FQDN from a relay at relay.example.net would be: https://relay.example.net/.well-known/erik/index/rpki.ripe.net. A client MAY use the If-Modified-Since HTTP header when fetching ErikIndex objects.

Transport Error Detection and Handling The client MUST calculate the hashes of fetched objects and verify they are the same as the expected hashes (which are embedded in the URIs through which the objects were retrieved). If there is a hash mismatch, the client may try fetching the object from a different Erik relay or treat this as a failed fetch (see ) and try again at a later point in time in a next validation run.

Setting Up an Erik Relay Erik relays can be operated by any party, without permission from or coordination with publication point operators or CAs. Relays are made accessible via either HTTP or HTTPS or both. Relays generate and make accessible ErikIndexes and ErikPartitions derived from their current validation state, the client then cherry-picks which objects (if any) it wishes to fetch. In turn, relays fetch fresh data from other relays, or from CA-designated publication points accessible via Rsync () and RRDP (). Design notes: a decision must be made on a deterministic "manifest-to-partition" assignment scheme. Job's proof-of-concept relay (see ) uses the first few octets of the the Manifest's AKI as a stable partition assignment scheme. Other strategies could be to assign manifests to ErikPartitions based on the "hour-of-day" of the CMS signing timestamp, or the first few octets of the SHA-256 of the manifest object.

Comparison with other RPKI transport protocols Ignoring obvious mechanical "on the wire" differences between Erik, Rsync, and RRDP; there are a number of concept differences between the protocols. Rsync and RRDP can be described as "general purpose" synchronisation protocols: they could be used to transfer any arbitrary set of files, on the other hand the Erik protocol is RPKI-specific: part of its signaling layer are RPKI manifest objects, which RPs require as recourse for validation anyway. This property by itself causes a small deduplication in the data to be transferred.

Comparison with Rsync In Rsync, the server and the client construct and transfer a full listing of all available objects, and then transfer objects as necessary. In effect, this allows clients to 'jump' to the latest repository state, regardless of the state of the local cache. A major downside of Rsync is that the list of files itself can become a burden to transfer. As of June 2025, in order to merely establish whether a client is synchronized or not with the RIPE NCC repository at rpki.ripe.net, as much as 5.8 megabytes of data are exchanged without exchanging any RPKI data. Experimentation suggests that when synchronizing once an hour, Erik consumes less network traffic than Rsync generally would consume which, in turn, is less network traffic than RRDP would.

Comparison with RRDP The key concept in RRDP is that the client downloads a "journal", containing all add/update/delete operations and replays this journal to arrive at the current repository state. A major downside of RRDP is that (depending on the RRDP polling interval) clients end up downloading data which has become outdated. Imagine a hypothetical CA which issues and revokes a ROA every 10 minutes and a client that synchronizes every 60 minutes; in effect the client must fetch 5 outdated states, wasting bandwidth. Experimentation suggests that when synchronizing every 15 minutes, Erik consumes less network traffic than RRDP generally would consume which, in turn, is less network traffic than Rsync would consume.

Garbage Collection In contrast to RRDP, the Erik protocol has no concept of server-specific "stateful" sessions that persist across polling attempts. This obviates the need for withdraw instructions as part of the protocol exchange: clients can simply delete objects that are no longer referenced from their current validation state and refetch them later on if needed.

Open Questions

Which of the possible deterministic manifest-to-partition assignment strategies yield the best results? AKI?
Are deterministic and cheap Snapshots possible? If so, what is the best archive format for Snapshots? The ustar/gzip combo might not easily yield deterministic results across different implementations.
Is the concept of Differentials/Deltas needed in Erik Synchronization?
What will be the upper bound for the number of partitions? (ub-Partitions)

Operational Considerations

Scaling considerations As of July 2025, the global Internet's RPKI churn rate appears to be 2 new objects per second. The ecosystem is estimated to be composed of ~ 5000 RPKI cache instances and ~ 50 repository servers. Assuming 10 minute fetching intervals and 150 metadata requests per synchronization run (for exchange of Merkle tree data), an Erik relay serving all the Internet's RPKI cache instances would probably need to be able to sustain serving an average of at least 11,000 HTTP requests per second. This order of magnitude in terms of scaling requirements can easily be handled by a single commodity server.

HTTP Compression Using gzip compression on average tends to yield a 20% reduction in RPKI object size, therefore it is RECOMMENDED for clients and relays to offer support for compressed content coding, as described in . Using a previous version of a RPKI object as a compression dictionary for a newer version enables delivery of a delta-compressed version of the changes, usually resulting in significantly smaller responses than what can be achieved by compression alone. Clients can facilitate delta compression by sending an Available-Dictionary request header, using a previously fetched version of the RPKI object as the dictionary. It is RECOMMENDED for clients and relays to make use of Compression Dictionary Transport ().

Security Considerations This document makes no changes to RPKI certificate validation procedures. Paraphrasing : The RPKI relies on object, not server or transport, trust. That is, the Regional Internet Registry root trust anchors are distributed through some out-of-band means, and can then be used by each relying party to validate certificate chains and Signed Objects. The inter-cache relationships are based on this object security model; hence, any cache-to-cache transport is assumed to be unreliable at times. See for more security considerations. To avoid certain forms of replay attack, clients MUST verify purported indexScope, ManifestRef location values, and manifest Subject Information Access (SIA) extensions match the expected FQDN. Byzantine events or faults in relay-to-client communication can be overcome by the client rotating requests for objects among different Erik relays.

IANA Considerations

The IANA is requested to add an item to the "SMI Security for S/MIME Module Identifier" registry as follows:

The IANA is requested to allocate for this document in the "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry: Upon publication of this document, IANA is requested to reference the RFC publication instead of this draft. For the current proof-of-concept phase, OIDs for id-ct-rpkiErikIndex and id-ct-rpkiErikPartition were assigned from a PEN arc. Implementers are not expected to make any special accommodations to retain backwards compatibility with these PEN OIDs, after IANA assigns OIDs.

An URI Suffix in the Well-Known URIs registry specific to Erik synchronization will be requested. See https://github.com/protocol-registries/well-known-uris/issues/67 for the request. The proposed suffix is erik.

References Normative References Domain names - concepts and facilities This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them. Requirements for Internet Hosts - Application and Support This RFC is an official specification for the Internet community. It incorporates by reference, amends, corrects, and supplements the primary protocol standards documents relating to hosts. [STANDARDS-TRACK] Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] The Resource Public Key Infrastructure (RPKI) to Router Protocol In order to verifiably validate the origin Autonomous Systems of BGP announcements, routers need a simple but reliable mechanism to receive Resource Public Key Infrastructure (RFC 6480) prefix origin data from a trusted cache. This document describes a protocol to deliver validated prefix origin data to routers. [STANDARDS-TRACK] Naming Things with Hashes This document defines a set of ways to identify a thing (a digital object in this case) using the output from a hash function. It specifies a new URI scheme for this purpose, a way to map these to HTTP URLs, and binary and human-speakable formats for these names. The various formats are designed to support, but not require, a strong link to the referenced object, such that the referenced object may be authenticated to the same degree as the reference to it. The reason for this work is to standardise current uses of hash outputs in URLs and to support new information-centric applications and other uses of hash outputs in protocols. The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure This document specifies the algorithms, algorithms' parameters, asymmetric key formats, asymmetric key size, and signature format for the Resource Public Key Infrastructure (RPKI) subscribers that generate digital signatures on certificates, Certificate Revocation Lists (CRLs), Cryptographic Message Syntax (CMS) signed objects and certification requests as well as for the relying parties (RPs) that verify these digital signatures. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. HTTP Semantics The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. Manifests for the Resource Public Key Infrastructure (RPKI) This document defines a "manifest" for use in the Resource Public Key Infrastructure (RPKI). A manifest is a signed object (file) that contains a listing of all the signed objects (files) in the repository publication point (directory) associated with an authority responsible for publishing in the repository. For each certificate, Certificate Revocation List (CRL), or other type of signed objects issued by the authority that are published at this repository publication point, the manifest contains both the name of the file containing the object and a hash of the file content. Manifests are intended to enable a relying party (RP) to detect certain forms of attacks against a repository. Specifically, if an RP checks a manifest's contents against the signed objects retrieved from a repository publication point, then the RP can detect replay attacks, and unauthorized in-flight modification or deletion of signed objects. This document obsoletes RFC 6486. Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) ITU-T Informative References A Digital Signature Based on a Conventional Encryption Function Advances in Cryptology -- CRYPTO '87 Proceedings Lecture Notes in Computer Science, Vol. 293 RPKI Over BitTorrent Maintenance of duplicate databases The Twelve Networking Truths This memo documents the fundamental truths of networking for the Internet community. This memo does not specify a standard, except in the sense that all standards must implicitly follow the fundamental truths. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. The rsync URI Scheme This document specifies the rsync Uniform Resource Identifier (URI) scheme. This document is not an Internet Standards Track specification; it is published for informational purposes. An Infrastructure to Support Secure Internet Routing This document describes an architecture for an infrastructure to support improved security of Internet routing. The foundation of this architecture is a Resource Public Key Infrastructure (RPKI) that represents the allocation hierarchy of IP address space and Autonomous System (AS) numbers; and a distributed repository system for storing and disseminating the data objects that comprise the RPKI, as well as other signed objects necessary for improved routing security. As an initial application of this architecture, the document describes how a legitimate holder of IP address space can explicitly and verifiably authorize one or more ASes to originate routes to that address space. Such verifiable authorizations could be used, for example, to more securely construct BGP route filters. This document is not an Internet Standards Track specification; it is published for informational purposes. Origin Validation Operation Based on the Resource Public Key Infrastructure (RPKI) Deployment of BGP origin validation that is based on the Resource Public Key Infrastructure (RPKI) has many operational considerations. This document attempts to collect and present those that are most critical. It is expected to evolve as RPKI-based origin validation continues to be deployed and the dynamics are better understood. The RPKI Repository Delta Protocol (RRDP) In the Resource Public Key Infrastructure (RPKI), Certificate Authorities (CAs) publish certificates, including end-entity certificates, Certificate Revocation Lists (CRLs), and RPKI signed objects to repositories. Relying Parties retrieve the published information from those repositories. This document specifies a new RPKI Repository Delta Protocol (RRDP) for this purpose. RRDP was specifically designed for scaling. It relies on an Update Notification File which lists the current Snapshot and Delta Files that can be retrieved using HTTPS (HTTP over Transport Layer Security (TLS)), and it enables the use of Content Distribution Networks (CDNs) or other caching infrastructures for the retrieval of these files. Compression Dictionary Transport This document specifies a mechanism for dictionary-based compression in the Hypertext Transfer Protocol (HTTP). By utilizing this technique, clients and servers can reduce the size of transmitted data, leading to improved performance and reduced bandwidth consumption. This document extends existing HTTP compression methods and provides guidelines for the delivery and use of compression dictionaries within the HTTP protocol. rpkitouch

This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit". A few experimental Erik relays are available, each running on slightly different schedules. Client implementers are encouraged to round-robin between these instances to observe results.

http://relay.rpki-servers.org/: Dublin, Montreal, Osaka, São Paulo, Sydney - anycasted distributed computing cluster
http://dub.rpki-servers.org/: Dublin, Ireland, - distributed computing cluster (6 machines, NFS backend)
http://atl.rpki-servers.org/: Atlanta, USA, - distributed computing cluster (2 machines, NFS backend)
http://miso.sobornost.net/: Amsterdam, NL, single node
http://nyc.rpki-servers.org/: New York, USA, - single node
http://fnllwqoupfrhso6643whm6lpkgsftjtc6crpehmyz2o7pffirnqy7rad.onion/: Erik relay service via Tor

An experimental Erik static content generator was developed by Job Snijders in the form of using C.

Example objects Included in this section are an ErikIndex for rpki.ripe.net and an ErikPartition referenced from the aforementioned ErikIndex, both Base64 encoded.

Example ErikIndex This object was retrieved from http://miso.sobornost.net/.well-known/erik/rpki.ripe.net. MIIoRwYKKwYBBAGCx1yGOqCCKDcEgigzMIIoLxYNcnBraS5yaXBlLm5ldBgPMjAyNTEyM DEwOTIyNDhaBglghkgBZQMEAgEwgigAMCYEIJm6Qc5v76CJXTU7zp0/HcG67UMfx4hjL0 8aqRLMi6mBAgJA0TAmBCAcTufmA6MnsbZe0oeb+tA7VmBlTJPZZ3O6KQ8Ajr4khQICSEc wJgQg1zsloP5tep632vk6UCpupg+qf7XGb7XWKVxuQmMDMEkCAkDUMCYEIClfD749+8UF 1ICwDp3cIaAqq4aCDiEp9d6vZY5fdUADAgJJHDAmBCB9NnRXUJo6NvDSSN2uAEychpqwt BcdkLq+FyvTQg0t/gICPywwJgQgm9DmwNnJtMOlZ58Djt5vS0+ntfzzOsKulAxqSj43cJ 8CAk7oMCYEIPRtTRfJM4AYtcWJDnGy4PdS9RzrpRGIO1kSVkgXvHGbAgJDTzAmBCAY5iC NfPi6GD3MApzsZTmGcLGwB5NB0q+a993xEL2z6gICS5YwJgQgDn5WEDBZaSNOAlbJLXDP 7E7Nmw6cb/xqMX9T6GTgLtUCAk0/MCYEIEnW8XjOgcNyUj+WTwAajiTzEtzeRP9WmWzkB exM28bUAgJNQDAmBCDaW09JigMf+Xw+onBHNlormOoLJzcwNTaFm7WzqFe8mwICPK4wJg Qg6knwoHJPFgTQAyNeBTIl1VJt8auGEnlLREbVKQgdXscCAknvMCYEIA0NJ1m6ulP7uqQ BzO4fU3w40TBTL67imnV4faMN9FJ8AgI73DAmBCDHgzAi6TFfQ1wAPs5EvS00L+vl3C4H 36Xf4Ucahrl9SgICTUAwJgQguu4A4/e92Expr7Jz/Mmu0FxGu8MnhOpxoSRtqe00+ogCA kXKMCYEIFn6o+bxEa7/PPPtYuVpnCRP1jx17vCREU/AnGnfBh/RAgI/KzAmBCB8TWYXLm tE//h2Ptsj88vhVb0chpvKZkY9DTzWg3ekgQICRPgwJgQgHBXsRUcwsyRrmQiAIorc+/9 rm9+AdlfyvfBMsBDM3MgCAkhIMCYEIMxQm3+4Np3uwYnGBGBesAAAQ/x0N/8LLhJVspwI Kk4IAgJEIzAmBCAc8uObkjFbot3H96+bH/K5pRehM0T/NZQvTCJNGsd0AwICRp8wJgQgD nWV3UlXxIDH4ATnTNrG1pN/OV/ZJJO8JdYNIYetK50CAjOTMCYEIFT8on+bMYhEzPzRdC gmH1RY6sAdLPycobat6lL8LAXtAgJIRjAmBCBMOHNlTZRvDQnUTKpyBuWzIOCQk6JSgZI adBlwoFTnZwICS5gwJgQgMAcWQorLYcfrZBclb+x26PkyB3er9G3I6NsHbZH9fjwCAlI4 MCYEIJHiD4XO81pMmOzb9C8AjlE1XqPa5M7A4ftwbiMrJWG3AgI3tjAmBCDhfGLZRgV/j 6fFq55vbFR6ChQyExPMIEOzWeBSWAMevwICT7owJgQgFiuWVV9R7uuuIcplhQYoLC2av/ 1ZU76d2wz/lAwEK+ACAlCNMCYEIGcC+2ztht/xgdxbDYme5Kqj9Bmkhi5S6s4Avza6ee7 4AgJGoDAmBCAQb69v+MSC6IUM4naoQBCYTR8g0GSUAmjtNpT8ZWIZUwICTucwJgQg+e2V C2bIyeBGX9DrWy9TpgjvdgSe37Cf6bPYeWxxltYCAkhFMCYEIK7G3YYLScDHdUGMxOT7X ALSajaXynKV9hjHwJQcaKFXAgJMajAmBCCOax3V5ACWQumT772S0ennlDkxaSMMBce5zp kCzyIVWQICSe8wJgQgNp4afzMf62jAyRQa+rWpBFgSNeoUDZEp2qjchvWyBwQCAkkcMCY EIMuYs/izqz6nqHaBCcaTqiUawyow9rROBGwmUGnlDlBDAgI8rTAmBCBTPtK5kcoYoSfM aoWKHaF2RsbWcwLX8uxJ0hdgn1O73wICPK4wJgQgxMXYQJFeSbFxCcZmVZ5ZY+g3Q8l62 C0qscvOlC0oksICAlMJMCYEILbXbTHhiZOX5eCx7Hggbct07oGpPN0AroTvjJcs2dvdAg I/LDAmBCBxJaAZm7fd/XT8vKzGT3bF2xomKWY6sq7jVeQGq3gx0wICRCEwJgQg0P95wdw Ywfne/WoKoer+SW2uAgs9s7H/HXfNecfFr+kCAkQkMCYEIDK0m+fCj78bfgoRxhtGf4kK STBvwhXOvcr8c8E+aC9MAgJSODAmBCAsYFXk5IYn6qg0Q++w6EIWSgBIgmRvViON0FNk4 KQq4AICPYQwJgQgXBLpjthb+HQfXsCaxRTXwZKTXz7l8izp3IU8NKZRY6wCAlp/MCYEIB Qvo3KYKpp5H0u3HYEtG9/AQR7j4vHBcNbewgnSaE1oAgI/BDAmBCAgvwzKSCmDtIzq/4E fi/y9EYlfKyvrQCKC7RgLhZTRNQICP/wwJgQgoilwWrmGmk/af0oj7Is48b/WMhiwGoRF Vgcc0SNTuqQCAjyvMCYEIEm/120q0Lze8eurbZYW415zu8eTtsV1FgtDukI3zjL2AgI6M zAmBCC/a8TNdUQrmgRw2OX5mGA47usiW1lMwObnYGksxEfpBAICRcwwJgQgsHKix46fwP bb61BPPgK1XU5kWZpcq4O9/srSLcGGJ28CAk7oMCYEIDLqy9SOZK2A3W6/Zq9OnW23zQ1 avtvTLFt2/cKfvA/kAgJJGjAmBCBenxwruFujR7e7yvuelR9XEBIRhXinSHF/RYJXUBdx XAICQNAwJgQgurlzQaIWn2ySyLtWLfWwW38OEeqtoqo4Bedwl8D0/YUCAkuWMCYEILwX7 Olu5yveF/5dVrQ5g+bsGAvsJZzOqSLM5Uha/MYrAgI8rzAmBCB/qbDHlFKouKfhB2D0vr epMDoMS32dif0omjBE+pmPagICS5YwJgQg0abgkuID2IxiRvOjvd0pjSeu3n58+BKA0EQ hdl+XILsCAj8rMCYEIMpL4r9J/byxlhTGqJM3Ucx8BtflJP9upC6/F9IFDRelAgJNQDAm BCDgJPZx2Ih7gmfRqKyiaekB13ZeZuyg8gYy2TL+lRHmYwICQAAwJgQgN83id6CTSidQv EjSrJRzfRRwqh/JP1DSgHrl+x1w0gUCAkhHMCYEIJtTT5++B0CUU4qoGVWlpdfy8J5inu PWWGofWioSK2u4AgJHczAmBCBm3TzvbMyuY5cB91u/6CQMsrspLs/EASWl7kV/9qpFjgI CRp4wJgQg5ylrCUOF3xWCxb0UHObx690jpqsVPYkHX/7Xv0YJWIYCAkGoMCYEIA0DWD+e NKpPgla4G3PjsjmYCL2KCw9qVn0j7nGaSekMAgI/KTAmBCB+Ve+Fmk5gyHBuJao0pA9mI o0dyBOrdl3t6HvPHBdQbwICP/4wJgQgTre+8X/9Ga9KXSHD2y1sPKWCohttY4kcVvHgjL 6y9xsCAk7nMCYEILcz+lH4qgI1+bTn6OUZhU0kyzY4UHT1qE7PpYRn4pcBAgI6MzAmBCB ECWxsMF9t4M5rmXckcoM6t8G4TpvWMEkRd3UaPuDALAICTUAwJgQgtC9mV90vgGIKcFEe MqsvSBpwpjJrOQsjxwqDmYbvBVQCAknvMCYEIDsp7wNAViGmFITETrdAyklaecFUZ3I6n twlLuIG7vvzAgJIRzAmBCCv6F3foBWPjkSEmjnu4yWcKSYvfATDzzi+iGS31w02hAICRc owJgQgUMO1Akx1qfFQdQvldd7T9CVTErzlH53B56sXx/Ay3+8CAk4UMCYEIO9e/xofPIa 7cB8JWrC/lFZQGQvwZAHq1X3rKDHdybAJAgI5XjAmBCANKkQWzMoQOpaehRTPEw4iGHcO cC3A9iqISJdj93JbrAICR3MwJgQgbWNtUgkRwJd7doAzAlW2tGpfz0Jvt3O+PuF3dUrFs uwCAkNQMCYEILuwwTJVahumjd2F9uuPCtTVMuKrgoUcSTF/D4ph4JBnAgI//zAmBCC4dn nZAOd+QaxWmTZRshIrVr0QHzufucaGY2478eY/zQICSEgwJgQg1ynMPVo/xhJWzV6vTo5 +7OP8neT1KDe5E8bzwmefhP4CAkDUMCYEIPhfsn+OvupCQhN83TrQaF67UjZkOQckpQQ0 31frlcB8AgJIRjAmBCAEjK3BxQbPCgzKkrdL/HdDMqQHwGID7k2leG3uWItS0QICUI8wJ gQgMxgfKAz7P9eTrI2ciTHcIRClc5MkkTFbWuqOUn5RasUCAkhGMCYEIBD6HMeUhJw+d0 xECajeKgm5msz8k5if64F/oenSIKmLAgJNPzAmBCDAcYusmCIk9sI7otjkBcougnjZ13y wLm2O2/hmp/SbYgICPywwJgQg5IC8XKF8GaP7SSo7s8U+jfizsTntRY34elUcQUq8VmMC AkT2MCYEIJeYJz/qaJnZOvMAgYJsg2ZsAyjKZok9biZ4rd3/ic7VAgI8rzAmBCBNUCOgK VhQOTlvbFqwm1fT/LmV2H3SQ869WRgBJBkKVQICSRwwJgQgBsARSOQM2q1vq5rueC4dxB C3r1coY+KWJ7CwFuJg0scCAlcuMCYEIHvxXfNQt/rmNszESnRRq+JiyYjam/4GqjoN+SU j1lekAgJMajAmBCD5KNvTDwNh4WBN1zA8MSldKAbYpdjjbBSBnisSPLu6sAICQ1AwJgQg y4hvvN0L3U7cInVVWVl1ygJXSsu/VfTYzrRJo54N6+ECAjOTMCYEIFj006tgBMmhSDomi tbmGl9Z16s6m2/4lzwuPzfniCCaAgJTCTAmBCBblplqvzcQq9TQHB3+7mwM4RjuSgSPRu wuAJKeXhY0FgICTGowJgQgCIvMmfItgUb4SmChB9x+UNMJqXalcbRyXZG83RTsw/cCAkG nMCYEIIhI9/8QVT00wKW6UXZQptfytJYFV1I8wANROt7g1OGTAgJE+DAmBCD8q3k28PVy dTnL4JFB5LnKfXD7jQxplSmxyTbZZ6HFSwICQnwwJgQg2yTp6+1TdBPDCtDl/hEgs5hpB JWHdSGrW2t8Ndb0SS4CAjvcMCYEINSjPt6JxgSn4DGBYe3jenpeb0jWr0QlNvfbs9BDtD txAgJDTzAmBCDUrng4MJV0VyuKD7I3tyGLyUvw9f99TU1cIvaTNG9+DwICSsQwJgQgSNp c7deWFGk35aIUOkHMGG595e2J3YXBvkFQ2+m12+oCAkDTMCYEIFNzuczQTerE7TzqDG/y /0UZ6pQ8dK6+5+93ueRWdi2VAgJO6DAmBCD0FmWyvgFVlBfgb3sPhfaQJ0nezHpcW7eNo dI5VAYc/AICRCQwJgQgTpLd/obeScPqpbyxYBjzOj9XIP4q3keYRQAvJBzmpIYCAkadMC YEIO1MFaqZnAZo0QNXBaZboZShUHjG5zFvZFLvvqs8v/ILAgJA1TAmBCCsAAxjYn02NoO ignQl5JNQ1ZOBfLiyOfmUVUbzH5yOdQICQnswJgQgBHYcBl+B3Gv9WWtxCEfrJrgXuUp4 LzVoondyCS05sm8CAkJ8MCYEIAvdwbKz+o6uPdBr17NDqi3wL2SNOe5VKsius0mEAM95A gJOEjAmBCD47+yVTwGYmNIyIWzH6cVeKbta80ej0Yjb7lc1fdmjogICSRowJgQganjHUW t/dFNUs15pl/LTgfTv0IRKadbKfIR6HSbM6uwCAk4SMCYEIId5w8ffhjZxsJMLH6bAX1h RW3S/3X/lPlc+m6PxW+gtAgJVhzAmBCCEkKRjW4mXgPLnkYWJu3btPTzHLcEIbWOfeZkM 2KCHRgICNuMwJgQgRdIB2OV3XEghVlhXjnQgN8D/L8MYJ1hyZ89asdSJRckCAk4SMCYEI DCl5joJHfReDTOLs0GiWVrsqdlb6aJkX7pEmBM3ISSrAgJFyjAmBCD1P4UbgrKyQbrczV Lz6MGCUZXP9mcBNuTJzbXq6+4rOAICQNQwJgQg3SjwjH+Z1bDoNeNiwgO5huLAGi8XDR8 fQvV/HN300VECAjlfMCYEINE1Ch6jeBGu6HCPE9Zc0bphstf3UXxS42+DKIEHvUnrAgJQ jjAmBCATljBBPQaGzlJWF6zDvBdUESHM1TwwM0sIKr36J92fRgICT7gwJgQgEMl9p2be7 3CrnuMOhFxxdD4SVRw1dCr4V1XZ7I6j9w8CAjiKMCYEIBOVkInRmDcpuWJ6Ui4OSoUQN2 8ZHbKRWAQvTFWayYSjAgJPuDAmBCAy0hmbVw3x87if8Vo19idjBow9pEcuWxDUGDLPIPw PoQICPlgwJgQgFzhZx8opXQkPzaMBnKkCgGiEKb2jZU4o8Oz+iMxSTr4CAlCOMCYEIHqT dfK0juFTUHJAVKHG8AdNwMmsFb4EdoFAGaVhoGI7AgJDUDAmBCBTkZSxohXu5gtPQTF/y sgNVxSumPy/xGCLeqpQmZUCSgICQagwJgQgbK+mBeBPQ6DiRq+wKjbx3+GkC2dwAHQhv1 GFR0QnnVcCAk+7MCYEICx/dKiFArzl4hBRstZ1DRjBE03PcrYJ699sSqHKR62RAgJEIzA mBCDasmIg5X82lO6WP/6Ah/l7WXIHGAFcITQ7kk/haDxLlAICTT4wJgQgKn72VRSHzz58 4i7eCt5GTr2VA3Xux58a7rFagHCRogsCAkNPMCYEIPbJ0Yx6ehC5xD3W+/x5e6Vr4pPt8 I4jJe6NsUM33G+JAgJEJDAmBCBal1QHWFPDyNWIZjHzkhF9aJIRBIl/2SNivsFsDuI8aw ICPlcwJgQg+6H7OBIm+LJU8OW782eBzZEfxxUPPVOMFdvmV9RCtkMCAkdyMCYEIO1/K1p a7XYXrbjqduaJPEQpxZRreMei4Y3BnyLrgPs5AgJEIzAmBCDROI7O2pgB+uAPfB5bM7IX lEz7wBwvOudCXAldGytLKwICMRUwJgQgQgeg1crXV6+tSL/u9rLCIyf6A4Hc1N1Cx6mqV fSLUn4CAjowMCYEIIMRmcSEH/r2rtqgEAi0apG+lWAjvTGmmLBwPItVEbEhAgI72jAmBC Bb1kMSHVN4GZ+ThbfimLvGekFVo7Zbke8uHgOTsmoqhgICQAAwJgQgTOl1UT/Z5awtssA VtKy3ouTsEb2pj07xKbJkrBkte8cCAk7nMCYEIIjy4tQvD1bLA91J+nfTY8e3wc44nGwN 2r4YooCPE1l4AgJE+DAmBCAIAWmBXOHnfsEXdNOsior3tbkV0VcHsuzoBnUAyucFRgICR p8wJgQgn2wCs/9NWfMwUXaMrrlHldYrxe93C6LyKzRN7VEaUmMCAkGmMCYEIHcIbyGQFw fZo6XjmBBr7O7kKtdHw2l17VmriIq1nIheAgJBpjAmBCDejuTfymQidKujxVXvltAkbTp LwzuY/9imaBtSS7Um9wICRp8wJgQgMHcCA8Lf3w5bIg3sOOPeLIKNNtO57fJpd3aXjlF+ ZdICAkGoMCYEIK2k25LAYsRdFyhUdAtZWpXAy6xBeN/1x8iOTjznYnt5AgJOFDAmBCDAL voLQ4ZaISo8OTull3b2wILJZB3fkxhtKaGL5Dvt+AICQnwwJgQgbnFpor0tKo3aa4FfRZ 6lWStL9BcIAtr7IL45LEdPY3gCAjvaMCYEIHderU+1EymZMbQ2MLvaIPY3NRP8+zKiJnt sP4GHZra5AgJKwjAmBCC8XuLlH1Hz0Zu22oFAv1vC4eehmeqEG7f5Wt4HwltUhwICS5Uw JgQgoJWO5QLN1t+AWAHjRM9cWYgzzlDTEDNt7Bkc4gMBViQCAkuWMCYEIOuyY0wjvNPWg tC8jcvwuvyjWL9ys8SKWFtLGsemmpGXAgI6MjAmBCAIFEelsWTmGx1AHPuLnx24nCMx2A 0efJ8ZBV/jYX9fGgICN7YwJgQgRT3KTipLYFgIVB4l3zym8tBRvVS9r41FQXEo7g7yEHw CAk+8MCYEID8m02PPTnRveTlonsjkPdWrJBffsMGFIm0spdXQ3+HYAgJLlTAmBCCFzY4i 3IXkrswW8IZirVwOvd5EjK7B3ua8DNAmN+2kfwICPLAwJgQggVh6fotdqjZVtcYE63zEv JauHnqxSMfaFAkVmc6LIDUCAkGnMCYEIN14sJzOtQJSb+UFlyASzKmLaMkNqEWsV/5p02 u88FZsAgJISDAmBCAdJm3lxYr3DdfrF1ASTxScxVja8DP+bCoRJIe3Vuy63wICQagwJgQ g2Y/USMmCw8uFYowOaT9acOtYpaG6lA2AFU5L/fCm3iECAjsIMCYEINLeS1+js7s4W+3c b5KQcf1wXHIur87tKNgQwW5PFGiRAgJODzAmBCC24ZY+6G1Es/NX6fL8nPDS+1l7VC/R7 rbHngwraFDtKQICS5cwJgQgOQIb5NbwG8KFNo1LTwpaerprwXi8n34rrj52PBQd0eICAj /9MCYEIJVSOlJffU7guQv6GGKorZrgDKx8+M1mss0av50M0Tf5AgI//zAmBCA/rJ53Wru DbgaDy0Ryv/6NhI9h7C6np0vOrGve2o9PvwICRPcwJgQg3/1W934mF6fJYTWSl3gaxRWI kHOsqrVn9kt3nxYNh1oCAlFjMCYEIDa4+mOYnwP3GZyAtYOmhMy6rGy14svz3xfx8JF0T XCsAgJIRzAmBCA6y19k5qgBhPchPyhsyVILBsZuCXl2eXRkAirCsikWKgICQNMwJgQgRA w01NU5eNei9DiAXE4wvi8mEedosNr3xJFLkk6dZzYCAkJ6MCYEIP90BDLFNVEp5symt29 3gm8pUMPuQ6ArrhI9IZXYy+QYAgI6MzAmBCDWXNBy0N7gAAV8zkiK0W0PIEfM5p+nNo+A F2+LtDlh9QICRp4wJgQgPpMa9PMRZ97AGehM8AlR9PTktqLO3IYjTjHIYx6gpBYCAk7oM CYEIMB7U7nF4Y0nc1vWgocH8jSyPSczqJEvyguzNABe7NIBAgJHczAmBCCDmuszoj/iBh 5FcpgrLVl2DtpfN17ff6BFPl6IsTCOMgICQNMwJgQgiS8y1mWOV1+Cq0vKU5bLeSVldNx rv7h9C8dbrbhyW3UCAkDUMCYEIAyNOGMAgu5aHEFxAos9ELBRtTtxoeejQnTsGEYyXVQW AgJDUDAmBCBQtQwpqflFflxMWQu24sbxlYwNDNf3U9rHDJnWFlSq1QICPywwJgQgyxmRV Mmc53bDk42kEbtlOAEr+YNgS8oQlYnEOFxbXNwCAkQjMCYEIBgNzNVneOxbsIIcyFKuAJ GbtnQEBRV/zstLn4G4e4AXAgJCfDAmBCAccKWUSKl6+GuxflnHhizt5Z8df9sOtcwzuDs jkAg4RgICTGkwJgQgt5vzIMAMC5TCd37sfW7JzASp8J+ESQ/22DcDRx9k3vUCAkNQMCYE IHqxWhc5sUVaDB9F8zBtT8M8YBvM2iUamhMffCsKv+HqAgJHczAmBCBqpChePocR1tmqI Wey9PDZwP+ndHr8jhu0mtdkrRKpxgICVlswJgQgbY0DyNeqlitidVzeM/P8HpwUCwLcIX TzHP0wqwzYtJECAkDTMCYEIC3M+WntM2y9QP5Rv9k9zGaO6dj9erzGP7by7kcVHNISAgJ LmDAmBCDiNhn3eBF/Ilm+zD73QrePKgHBwg4YnLVgGOlMIlKg2wICQ08wJgQgLCGZ5PVu EfZX2+xmaiJxeuYIYN10smafz/7+W635J3ECAj8rMCYEIGHRDB9iKN2JnIJrCILjC3RCM BFt+70rpjpm7NgUFB/uAgJO6DAmBCCy2C+9SMlXkK+Czjn6Eo1r45Gy/7w80Sf0tNPUNt Yk5QICTucwJgQgZSP2pikTzwfpr+F5jJ4LG/eq1s0VVOwFc7XsjCkQptMCAj8rMCYEIDF Ugp2+SP0kZbS77ZYzlhghZH4y9Q9xoPeAxkSDTdezAgJE9jAmBCB6WJaHEPMTNRANsTp2 hA3y60ZiP4s4ZV9zNxnGH6VBJQICQNMwJgQgCLPuylaB51qjvYTxDmtSJT/8yOqfNtQ2r Ayvww6TF5MCAk4SMCYEICaTNXT5maeGJ0tVN9VRd89yWG8rAeaHwM9038Ti6K5XAgJDTz AmBCC8Ih1NieJj9rTRBXY3LWI10vp65bBLY2MALhEwxlKXMQICQagwJgQgT484v+B5ilC uNbIdU74nYvbQkHC1+std0vkNirt300MCAkrEMCYEIJVtJ8/cjl2HX1OJBj2cyaSo23T7 VrPwa5hvqygRxAcuAgJDTTAmBCAYVDRoeYEyYrClhoYFpcG/UEv3mI0Bw5Zj65UF7dM4H gICQNAwJgQgmzmCMFDCaT6DiAqdtI8nsm0uY5ZCx4MWZSu5Srtg21ECAkkZMCYEINEgwm rxFif18t72qRZEUZLFKUTjp8LlD88fHNj471C5AgJE+DAmBCA6fgeYbmtRYXyfZGDMVg7 zqqROCbziPc7304HYb3AoLQICVLIwJgQgZ+FlKygzpF+2EyKMnKTOyVRxrOjLWyb8lZAj scLFR74CAkT3MCYEIPEG6Bn1cVGkhqUbb7yhzGeDhFdbMOef8AcsD0lh0gMZAgI9hDAmB CBmRL039G591iE6exMG6e0Gvlq60bV7U6zMfTg19MaPMQICQacwJgQgi57uMH/S+CpOIv 80OabGfX/pL1TRIkygzrLEnH3BzuUCAkrDMCYEIK7ww2wk0fDFtQu2/l/6u3A8DGVgSKr +ETDoDxJQUezlAgI//zAmBCCzzv/ZSPqu97xKIDQcyXyid8Vw+6oSW7+s2+No25CEQQIC SEUwJgQg73sAt24nQyGyOdfiigI569jAJ+kXrfOaRYeFrVHT2PECAkJ8MCYEIEpXqjt/B 1Je20vwGJOn4Et+wAQd41gqj3LBg/YEPbLDAgJCfDAmBCB75tCchNTQhSU+Njic+1xQip NTj0fW/bniddg33YkBuAICTGwwJgQg7BfE0liC5tBUJVeaTFD3/mRD74QISf7mBsR5y9s X6O8CAkxsMCYEIBQi18eI6V/18OlgicEkzpLaUMNxVa4Ztj035EddMQAJAgI2EDAmBCDo PtQiS/Y2QFiBN5Ju+FlF1EGr3Y9LO86GnFVfceBr+wICSsQwJgQg2jYjV46UVpPLGKANG dQUw9lCeUIYX+1z7rlIsDqNb+ICAkafMCYEIHBvuIuktJ47oAHo1MWDChawJykDRmFd4g EBBwiXn0WfAgJFyzAmBCAl/vdKpk+pUT5n/5NuTLJ+8XKKf/7MhqkvO+xum/+ucgICSe0 wJgQgQBwzbMKZg3AvHyVKujTRT1ThjK26eB80Hla2/tIXx5YCAkNQMCYEIGGu0wp25uCh mPfq4OMgdQN6kOkKZ618F41NcGLVPELDAgJSODAmBCAWKGbal73eE+sy7xQqP21CgGgax iYce9IKrvpDf+tU8AICRcswJgQgQcnF+h+whhze/Fclf2cq5Z4mnkeCXgiF+Ttlsr/KaF MCAkhIMCYEIPoNqpmL7lB5ZJW9OAtzVMCQvWG1mzRAiQpUgmVjWBdZAgJEJDAmBCBV7ny kMdhMOc/zPQ/k9/DRpF5n/o/SiH2wKUl9h1iIRgICPlYwJgQgQL69mK950xF/XcgHdawk K/dteDavZeqSaBaQJWnivsECAj//MCYEIKuzkNDTLxSrplSVb3Z3+p0NNZCD478HZbOgv BLSJ5LKAgJE9TAmBCAFPXTtQWPvr+sl6+cJ9HmigJ+ZH4XYQ968zZ2ESawFtAICRcswJg Qgrw5/ioGj68fnXPZICKCq74eTDZY+SQeCu8LnEPJPFlQCAkrCMCYEIEiBETmNjLp4P7T +UQMMSP43+pShO1hpun+veLMrSY49AgJCezAmBCD2InyavmODTAvF98htj5hqcUdL32lX K69hCVCwxzI5PwICUwwwJgQgPsdc92EELLLMq7RGCMpIRcG8jPT7+Dj3VXYSQhvb/TYCA j2CMCYEIEicdhyhD1l5sAOHchE57cSr6kVfoUmQZ0aHi/znUw9fAgJNPTAmBCDAq7Rofb e8lnA6PufDnI/pFHeZUgEekIGG6O+UHkewwwICN7YwJgQgyjGfb185muGcBoRBCG29ZVt VH2MqOkJzpOIMtGCk4EUCAkNOMCYEIOE6VxvB8Lsfy59Q2gZ1++61/5cdKIdHyZMSNb0k XK4GAgJKwzAmBCBfJYKwX6QgC6vjgQ88Uj92h4q0ILmOxARJ5d3n+YlJ7gICUjcwJgQge gsMYig+Y/8TzKCsXP/CwPuZrrGqKsYbYhTunkoxTfoCAkGlMCYEIAg1SmFygNkko4XuSi PLSIAFnAcZcZJhEXncdjBG+hrJAgJCfDAmBCBnPQPAlhzFcy0q6dgKOBZM+AEjNiYYM28 mToWgT5TERQICQnswJgQgAnL9F9+1vxYWIkBDSRpShNZdLyrWGBsrRJ3M8MusluECAj// MCYEIPOZrrOKTVxojdN+4by1wLpmmLndc97WTy45VWVlAgaYAgJGnzAmBCA1hNkmKFUfV R76xiksk7so3PEN51jBOkLdRQl1yswHFgICUfQwJgQg4cPoEmDm9LLvi2tQsJDeYSd7gP IWKIMwpZyAvkhJLzQCAkT4MCYEIJie4IMIJyPlGtOXy0qJwDh90IrkZJIbLJIQj9+PKPe pAgI7BzAmBCB/umLFCpdjTytm2nlTSNb7GgdLDQJK683BNMgN0GT5rwICOWAwJgQgqUrX jQOoc63dz+XUs6v3ISdQv99oJ7QmlHgx6teMGh0CAjrbMCYEINb4ha11RvjP2yO0huEAI dzoTcoUf1IEd1tym0rqGoeGAgJA0jAmBCDgBlO2cmMtCIoijokRaX44WVwBiaaQjlaK5s TXK4prGwICQ04wJgQgHIF1y5CX/MJN34DCwaibVj5+BbYlRN/uuQN0WBmH5F0CAkT3MCY EIF13zOvcjW3nyG4/bxttrqC4Sd2KZRXuNKRE3yfxbntdAgI//zAmBCCvjgjAqm0ync4j TuncwDKmVHZCVVWBci4oNKtY3RBT/wICOwgwJgQgGwxTC8k0y+kf9sHHusO60uRdeSjPS ZUZ0We4o1wZhdYCAj8rMCYEIJ0vFxPdqBwh3CgDf0u7/p7Wf+iqF7ftAB+yVQxpDxVNAg I73DAmBCC7m+SWtEC8+IMh5oLIebUbsDNVssvyRlJIhHuPfeqqhQICOjQwJgQgXBcIRjl rCyONJRJbHRKk5TLVtxtobt5OHPMgbCrUNvACAkNPMCYEIHBnHSIszZ5xXTJIHgioCFlO XnEB2qZrlqotdeN/ffhaAgJCejAmBCCHPJl/Ma7hPE1+fPgiODrhdIUc+aVDS0v9m78QR qBNuwICPK8wJgQgnB7Ec8BHk0BjVKxVmve7sLhqatU3I90fnaFH96+E4BQCAkH1MCYEIF BJ7faWL+jfEH/CMnJlM9fVJywDgrwP/eD+xptal6HrAgI3+zAmBCDejHC+8HL/li1VppA 3Nl91wI6hZHk4fwDJuhemZP0t4QICRh8wJgQgrWSnYCYVvK+Vk87SWk6d+6gh6qEKkP+2 es00YWyN3OACAkLKMCYEIGXcCNYUDz8k2EVhcWdoWydtGNwfxgNebK8brvmpQNx6AgJIR TAmBCDDWdSUn0MqmLY16UuFl7Ow+r8yBfe49BEr23UPKc2EcgICOV4wJgQgdN9jYYDa4J rZ1TuNaO+VGk9wFVJhdz+f3U6dQYzsln4CAkDRMCYEIFkpsSjpV0BKiqdvBRP3ptf/uXY w29YQHmym2PG3UMRpAgJHcw==

Example ErikPartition This object was retrieved from http://miso.sobornost.net/.well-known/ni/sha-256/0TiOztqYAfrgD3weWzOyF5RM-8AcLzrnQlwJXRsrSys. MIIxEQYKKwYBBAGCx1yGO6CCMQEEgjD9MIIw+RgPMjAyNTEyMDEwOTAxMjlaBglghkgBZ QMEAgEwgjDZMIHRBCAA8ZAigYAlPniDrD+cr6MSo3DuGnvP9yZHKdLztpfOXgICB4QEFH 9K5X7m4KnFEB/BSoelM0FQu6tGAgIGoxgPMjAyNTEyMDEwODAxMzRaMH4wfAYIKwYBBQU HMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvMmIvMTFm YTQ0LTg4NzktNGQxOS1iNDY4LTViNWQ5OGY1MzYxZS8xL2YwcmxmdWJncWNVUUg4RktoN lV6UVZDN3EwWS5tZnQwgdEEIAQ+zjDZL1aUp3PJ9fGOw6mAn+oGTAMYanVh6p/+gir6Ag IHzgQUfzE2D/wa/V8dpm2BQE5GY1EtSWcCAhTcGA8yMDI1MTIwMTAyMDExOFowfjB8Bgg rBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC8y ZC9mZWY1ZGQtMzhlZS00YmM1LTgyZmYtNTg0ZDc4YTI1ZjhjLzEvZnpFMkRfd2FfVjhkc G0yQlFFNUdZMUV0U1djLm1mdDCB0QQgC52jD3kluIOiK/4OUeuxqCg24u//CAfU4EboGW E9sD8CAgfOBBR/7+vRX7xlFIesr2dCT0eD1D60IAICF08YDzIwMjUxMjAxMDMwMDU2WjB +MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZB VUxULzlhLzI2ZWY2My1iNzJmLTRiM2MtOGRmYy0yYmM4NDUxOTIyN2EvMS9mLV9yMFYtO FpSU0hySzluUWs5SGc5US10Q0EubWZ0MIHRBCAV/aw4S/WZhqF33vjVGJBiIOmP2xGYSU F1vLaibIF5cAICB84EFH/JVqUrc1BKTx/zRUcZkpen9d6dAgILBxgPMjAyNTEyMDEwNTA xMjdaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5 L0RFRkFVTFQvYWEvNzFhYjY5LTY5NjUtNGI3MC05NjhkLWJiNTdhNGVmNzE1My8xL2Y4b FdwU3R6VUVwUEhfTkZSeG1TbDZmMTNwMC5tZnQwgdEEIBYhrvmfIUdmMqivTVunxBx6eI pvT7QCZkT+bGbGy1qzAgIIYAQUfyuobfeHiI9vhZKoBqb/6jBGwHoCAhdYGA8yMDI1MTI wMTA4MDE0M1owfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9z aXRvcnkvREVGQVVMVC82MC81ZTY3ODYtNjM3Ny00MjI0LWJhMDYtZGM0NzY5ZWZmMWY1L zEvZnl1b2JmZUhpSTl2aFpLb0JxYl82akJHd0hvLm1mdDCB0AQgGF+uv2O9nv3sxjM1h0 4SdgkWUExdoGcHrabRZTPLIpECAgeDBBR/N3KD18I1qT3HvSuDF7J0jyhf9wIBRRgPMjA yNTEyMDEwNTAxMTZaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9y ZXBvc2l0b3J5L0RFRkFVTFQvOTIvMGZhZGZjLWY0OWItNDNlOC1iNjIxLTgzMWUyOTQ0Z jhmYS8xL2Z6ZHlnOWZDTmFrOXg3MHJneGV5ZEk4b1hfYy5tZnQwgdEEIBxEo94JY8JaQq Gzo4BIk97wLav+UT1pMctKlnu6YQ+3AgIHhAQUfxe2+TI5nVhQk9GHM5Tr/hsp+YwCAg7 UGA8yMDI1MTIwMTAxMDEzM1owfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu bmV0L3JlcG9zaXRvcnkvREVGQVVMVC8zMS9jYzAyMDAtYmIyYy00NWY2LWFjNzUtODI3N Tc3ZGY4ZWRjLzEvZnhlMi1USTVuVmhRazlHSE01VHJfaHNwLVl3Lm1mdDCB0QQgHmdy58 dUxBqKunNs2IYseugYILVAKGtMrsY/RlKPhA8CAgfOBBR/GIratbVSCB7KyCHJsJA5SHO zFQICEcMYDzIwMjUxMjAxMDEwMDUzWjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2ku cmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzkwL2E2NTUyMi1mN2M1LTQ4N2ItYjdiO C0yZTQ2MTQxNDFhYTQvMS9meGlLMnJXMVVnZ2V5c2doeWJDUU9VaHpzeFUubWZ0MIHRBC ApJYzOeRBRyJJP5XVlTMV9BbCr2FLy3reByODRl7Ud0QICB4QEFH+ZGMq28fNe8bXlg8s oOem3SLFYAgIUKBgPMjAyNTEyMDEwNDAxMTZaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8v cnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvMjYvZGY4MmZhLTExOGQtNDIxO S1iYTE2LTFhOTY4M2M5ZDZjYi8xL2Y1a1l5cmJ4ODE3eHRlV0R5eWc1NmJkSXNWZy5tZn QwgdEEICvnXavLyieUCo6TaPSVhVq/EyzoCrsNfLDajtwIMXOQAgIHzgQUfzP8QNLgMzu 8e96rK9hZlUMBwPECAgadGA8yMDI1MTIwMTA1MDEwM1owfjB8BggrBgEFBQcwC4ZwcnN5 bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC9iNC82NWJmMWQtZWMxZ C00MGU2LTg0OWQtNzk3OTBkNjZkN2QzLzEvZnpQOFFOTGdNenU4ZTk2cks5aFpsVU1Cd1 BFLm1mdDCB0QQgL10y1HJI84RSfC0LxOCWg3GX+Z8NpQFtvk6ENpRimksCAgeEBBR/c2u IoCQE1DBL3a1f9VBKaDPntwICF1AYDzIwMjUxMjAxMDQwMDU4WjB+MHwGCCsGAQUFBzAL hnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzk5LzBmMjVjZ S1iOTc3LTQ4NTMtOWVjMy05ZTU2Y2I1NGZlZjcvMS9mM05yaUtBa0JOUXdTOTJ0WF9WUV NtZ3o1N2MubWZ0MIHRBCAyPrwYWQ8LxOXzhGZeh+8XxbkNmGafJhwqjmAaZriyzgICB84 EFH/RimpJkQzDMdyREUrlm3GF1fMNAgIXVBgPMjAyNTEyMDEwNDAxMDRaMH4wfAYIKwYB BQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvYmEvM Dk0N2YyLTIyY2EtNDdjYi04OWFkLTNlNTBhNWYwMTk5OC8xL2Y5R0tha21SRE1NeDNKRV JTdVdiY1lYVjh3MC5tZnQwgdEEIDnBREYJKP6j1rETOS53IdzOZn3sJ+uChwwifS9QXQL FAgIIGAQUf/G4HP5quxGOl+AyW2Yur5hPL2oCAg3AGA8yMDI1MTIwMTA5MDEwMlowfjB8 BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMV C83NS8xODZhMTgtNWQ3Zi00M2VkLWIwNmEtY2VhN2ViMzUwNTM3LzEvZl9HNEhQNXF1eE dPbC1BeVcyWXVyNWhQTDJvLm1mdDCB0QQgOwQ/rlodU9eD2T0kGq5GuhR5fh/woMKRniH oq5eAftkCAgfOBBR/kt92EPBI9Dv0TDNtQcbBFX7w4gICFucYDzIwMjUxMjAxMDgwMTAy WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ER UZBVUxULzE3LzU4YmUxOC0yZjM1LTRjNmEtYWE2YS03ZjcyZjQ0Yjg5ODIvMS9mNUxmZG hEd1NQUTc5RXd6YlVIR3dSVi04T0kubWZ0MIHQBCBDmmc4+wow2jqcznZMDpzu4gCFEVl n1V724kiXa5XJ7wICB80EFH8xKwnR9pDyVwC9Xc8HyRgMXpZjAgF8GA8yMDI1MTIwMTAy MDEyOVowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvc nkvREVGQVVMVC9iYy8yOWRhYzktOWExNS00NjYxLWFmNzgtMTUyMmUyOTY0ZmNlLzEvZn pFckNkSDJrUEpYQUwxZHp3ZkpHQXhlbG1NLm1mdDCB0QQgROtnobgIbiWRn16WLRqJwWY 9inB8r0i3Yt83QLYe+IwCAggYBBR/FoAo7A2rZopn1b9vU1jKq+M3qAICC8MYDzIwMjUx MjAxMDkwMTIxWjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb 3NpdG9yeS9ERUZBVUxUL2NjL2IxNTI4Ni1mZDRkLTQ5ZmUtYTY5ZS03ZmFkZjUwYTJlMz cvMS9meGFBS093TnEyYUtaOVdfYjFOWXlxdmpONmcubWZ0MIHRBCBYxAOpY8YFSTATAiG GpvVSRSgQAJ1iw4wVZFDe0tpFFAICB84EFH8dDjKYvtOn85+zskTtkYv2xNe/AgIVKhgP MjAyNTEyMDEwODAxMzFaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ld C9yZXBvc2l0b3J5L0RFRkFVTFQvZjcvZTY1MDZlLTc2ODUtNDhlNy1hNTgzLTIxYWYzZG VlOGVlOS8xL2Z4ME9NcGktMDZmem43T3lSTzJSaV9iRTE3OC5tZnQwgdEEIFqLUxEtqFQ 8nsQjuHOdgA3R1jCjEfWfGUSP7Os1L/6rAgIHzgQUf9YuQsCOFgHEVx4NiKNJoFCd6l4C AhLcGA8yMDI1MTIwMTA5MDA0OVowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpc GUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC83OC9iOTM0ZWUtYzRiYS00MzkxLTgwYjAtZT c1YTVlYTg5ZmQxLzEvZjlZdVFzQ09GZ0hFVng0TmlLTkpvRkNkNmw0Lm1mdDCB0QQgW8F Etd6qgbHQ44YHJ6wkE5VITxuCQjtIWmg1zqa1MYMCAghfBBR/UAd9LdimehrotqvWu7NI kCiluwICF1oYDzIwMjUxMjAxMDEwMTI0WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa 2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzVjL2MxYzFjZS1lYTU5LTRkY2YtYm NjYy0zZTdjYWRkODhjNzAvMS9mMUFIZlMzWXBub2E2TGFyMXJ1elNKQW9wYnMubWZ0MIH RBCBcXbY5z24axrfKcJW6XGc7um2xXgBZ/C1L9bWyjOkmvwICB4QEFH/xeuVHufJkHmBX f+VT3bb3SaCHAgIEkhgPMjAyNTEyMDEwNDAxMjVaMH4wfAYIKwYBBQUHMAuGcHJzeW5jO i8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvYTUvMWJjMGY5LWJkN2MtNG Y3YS1hNDA0LWE0M2ZmMjVkNDQ3ZC8xL2ZfRjY1VWU1OG1RZVlGZF81VlBkdHZkSm9JYy5 tZnQwgdEEIF03R0Dq2PGbGO3ujphrcTC8ZE8AEIWfD0YwqVctVCAwAgIHhAQUfylmV6+N AMJf119W7MiiizUVBXUCAhCJGA8yMDI1MTIwMTA3MDE0MlowfjB8BggrBgEFBQcwC4Zwc nN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC9kMC9lODBiMzMtM2 JlZS00NmVjLWIzNWQtYmFmOTVhNTA2ZDE5LzEvZnlsbVY2LU5BTUpmMTE5VzdNaWlpelV WQlhVLm1mdDCB0QQgZaPGuCpDJjZdQOpvmnyTiFp4QnW+r9TsifuV30oH+GgCAgfOBBR/ KjK6QhloDc3Vj2EB5ceuwVQKcwICF1QYDzIwMjUxMjAxMDQwMTQ2WjB+MHwGCCsGAQUFB zALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzU1LzE0M2 U5ZS05NmU2LTQ3NGUtYWQyYy0yMmU2ZGY0NTg0YWYvMS9meW95dWtJWmFBM04xWTloQWV YSHJzRlVDbk0ubWZ0MIHRBCBuGWGOvesQalq8v3IAS+XZ7/ThSna7tG+2nGaxTvgargIC B84EFH93NN/qEgZXQS6oZ928e4TRMr94AgIQARgPMjAyNTEyMDEwNDAyNTRaMH4wfAYIK wYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvN2 UvNjgwMzI0LWVlMWYtNDBmMi04OGRmLTE5NjkzMTk2MmQzYy8xL2YzYzAzLW9TQmxkQkx xaG4zYng3aE5FeXYzZy5tZnQwgdEEIG4v5Rd8XOjTOwstfz3AxIMD8/CBhcb/zzP2697e qe+bAgIHzgQUfxePr2QB4vNxbjF2RWnfcx31jyICAhHHGA8yMDI1MTIwMTA2MDE1Mlowf jB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQV VMVC82Ni8xYjc5NjgtY2E0ZC00NWY0LWI2NzEtMmU3Zjc4NDg5Y2QzLzEvZnhlUHIyUUI 0dk54YmpGMlJXbmZjeDMxanlJLm1mdDCB0QQgcnk/0dikRdTd+awyXTbblVwIV405YHxY Gz331fV1//ACAgilBBR/UV6tCV7tmsTKvFq0rQtYZ9nwGwICF2kYDzIwMjUxMjAxMDYwM TIyWjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS 9ERUZBVUxUL2E3LzVjMmE1OS02MDI1LTQwMGUtYWIyOC1mMGE2MjRkNDA5MTIvMS9mMUZ lclFsZTdackV5cnhhdEswTFdHZlo4QnMubWZ0MIHRBCB1mD2in3JeRV+fgI/8j4u9wnAK br2+4DPcvrpJk8W2YwICB84EFH/3TavU6xqhFHFE4VsCZp6YL95NAgIG/xgPMjAyNTEyM DEwNTAxMjZaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2 l0b3J5L0RFRkFVTFQvN2QvMGZiYmY1LWM4M2QtNGI5Ny05Y2VhLTA1NWM0OWFjNjgyOC8 xL2ZfZE5xOVRyR3FFVWNVVGhXd0ptbnBndjNrMC5tZnQwgdEEIHZ7XRZ6keXbidAtOaYz 6UWK0Bqy9drRHdf2MSiM/iodAgIIGAQUf+DnWTVOg8wZMgOBEJ3iLaDxpwACAhdZGA8yM DI1MTIwMTAxMDA1MlowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3 JlcG9zaXRvcnkvREVGQVVMVC80Yy8wYzcyNDMtMWZmYi00OWQyLWI1YzEtYjQwMmU4YTF kOTM0LzEvZi1EbldUVk9nOHdaTWdPQkVKM2lMYUR4cHdBLm1mdDCB0QQged79Kaf+7JzI GJt1GETYyDCtCkzPbiJwN/afQa0CUEECAgfOBBR/+wEVxKzd0bStxAc3gHJqz8Aa+QICD F0YDzIwMjUxMjAxMDYwMTU4WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS 5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzYxLzUyNjhmYy1jZmVlLTRhYTgtOTdiZi1jYmU wMjA2NjVlZmUvMS9mX3NCRmNTczNkRzByY1FITjRCeWFzX0FHdmsubWZ0MIHRBCCCOIX0 WYimv4KU4OlM2vc1PSbqae0UKOxGrvhS5Bio3wICB84EFH/mixIjS9cDQwG8lrE4quJ3h go+AgIFvxgPMjAyNTEyMDEwMzAwNTlaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS 5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvOGIvNGExMTExLThmM2MtNGVkZi1iNzd jLTJmYTI2MzFiYzMxYy8xL2YtYUxFaU5MMXdOREFieVdzVGlxNG5lR0NqNC5tZnQwgdEE IIPAhDVKKA18D7bXbpfqegxAJonCF313EQyrwBqxJP6qAgIHhAQUfwdXwzGYHgQrdHE3N SfQ9koTVrQCAhL3GA8yMDI1MTIwMTA0MDA1MlowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly 9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC83OC80Zjk2ZjktNTY5Zi00MzN jLWI5YTgtNmEyNjEyZDQwZjUwLzEvZndkWHd6R1lIZ1FyZEhFM05TZlE5a29UVnJRLm1m dDCB0QQgiBLeB6fTcd+GI68Xb2SO5F1CGDvaW+xwe53CPdheYaUCAgfOBBR/NdWuQX9F7 oUF12zqobNMRYOUoAICEC4YDzIwMjUxMjAxMDQwMjU1WjB+MHwGCCsGAQUFBzALhnByc3 luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2U2L2M1NDY3Yi0zOTY yLTRiNzQtYWUwZC0zNDQ3M2JjOTFkODAvMS9melhWcmtGX1JlNkZCZGRzNnFHelRFV0Rs S0EubWZ0MIHRBCCJCiFTDJIL5Eu/g127lCb3vMM3g5snpcUrKpwZjaQM5QICB84EFH9Dn ZQkJvxnOyecyYqzX9vX6pf1AgIS7BgPMjAyNTEyMDEwODAxMzFaMH4wfAYIKwYBBQUHMA uGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvMmEvNjlhMDl mLTU4MDktNDY1Ni1iMzU1LTE0NmYyNTRhYzEzMS8xL2YwT2RsQ1FtX0djN0o1ekppck5m MjlmcWxfVS5tZnQwgdEEIJMmOJymBCe0/6nb4mYG9VCaJoVc6goEzLn+d39KOCSnAgIIp QQUfz4LJ7jk15j5K53hV/HaWkPNSeUCAhGQGA8yMDI1MTIwMTAyMDEzNlowfjB8BggrBg EFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC81Zi9 hMGM5YWMtM2E0Ny00ZDZjLWFhMTUtYTQyZWM4Nzc2ZmJiLzEvZno0TEo3amsxNWo1SzUz aFZfSGFXa1BOU2VVLm1mdDCB0QQglVtjJ9PwBWwCnbqwZxmB8Gn5Xnqulmyt4RRrfdAaD akCAgeEBBR/Ud8d9OiGfkHl5/kt5/nR+gwVTQICDDkYDzIwMjUxMjAxMDYwMDUxWjB+MH wGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUx UL2ZhLzVlNzMxZi01MjhiLTRlMDItYWQ2OC02ZDkwMzVhZjE1MzUvMS9mMUhmSGZUb2hu NUI1ZWY1TGVmNTBmb01GVTAubWZ0MIHQBCCXQ734ecoE7Ee+ixR9hRJ8KbAoVKjQH+eaa hezBcanUwICB80EFH+1Dn07f9KJTPtw5JRgizIMwhXBAgFoGA8yMDI1MTIwMTAyMDEyN1 owfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREV GQVVMVC85Ni9hOTE4Y2ItMjA0NC00ZjFjLTk3MDAtOTM2MDFhMzRmNjJmLzEvZjdVT2ZU dF8wb2xNLTNEa2xHQ0xNZ3pDRmNFLm1mdDCB0QQgmQxoxMiDEfXNMsYlQoH6yKDxXwQIL 5MPYTqHFYS8ZrUCAgfOBBR/TVkcI60saUd9f3odTOjrzulZbAICBa0YDzIwMjUxMjAxMD IwMTE4WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9 yeS9ERUZBVUxULzNlLzBkNjdhMi1iYzM2LTRiOTMtYjYwNC1kNGY1YzkyZDkwOTUvMS9m MDFaSENPdExHbEhmWDk2SFV6bzY4N3BXV3cubWZ0MIHRBCCZV0Ko51mfPhdE0KS2jxkbh 8xqmbPVE1L7xwvXyv7prQICB84EFH+0PeI3/QtqKHOJIwkh0losLtGoAgIW5RgPMjAyNT EyMDEwMjAxMjBaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXB vc2l0b3J5L0RFRkFVTFQvMDkvZDRkMTJhLWFiNGUtNGRiYS05NWRlLWJjNjM3MTMwZGU2 ZS8xL2Y3UTk0amY5QzJvb2M0a2pDU0hTV2l3dTBhZy5tZnQwgdEEIJvN0WGb67xEP4DUB yx/BMvvtHEW6vxQg2hp/+d94gzLAgIHzgQUfySblURiBoP5SziKdVGmimST7RICAgODGA 8yMDI1MTIwMTAxMDE0MFowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV 0L3JlcG9zaXRvcnkvREVGQVVMVC84Yi83YWEwNGUtNDgwNy00OTg4LTkxMDMtODQyMzk3 ZTMwNjQzLzEvZnlTYmxVUmlCb1A1U3ppS2RWR21pbVNUN1JJLm1mdDCB0QQgndOjuhvMa SgIlh1phbQk1WorikTAGzMZ1yYZh4hOnFsCAgfOBBR/HVjWLd1+R68hlv11S7P/JnmJKg ICF1EYDzIwMjUxMjAxMDQwMTA3WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucml wZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzQ2LzI5MGE2MC03OTJmLTQ0NzUtYTlmNC1l M2I5ZTBiYWU2YWIvMS9meDFZMWkzZGZrZXZJWmI5ZFV1el95WjVpU28ubWZ0MIHRBCCgt UF13WSGcG3ftTwitpC3tn1l3QrSgona2FtWDW6MMQICB4QEFH9+Xr1vpGnF43C/wQbE1K rR4duUAgIPvBgPMjAyNTEyMDEwNjAxNDVaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnB raS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvMjMvYzNlOGVkLTU5N2EtNDg1YS05 NGEzLTk4MmNmYjM1OWFlZS8xL2YzNWV2Vy1rYWNYamNMX0JCc1RVcXRIaDI1US5tZnQwg dEEIKToobNubCUkpHLMcGeRdi3NPy6FTNc5vWcdzn4WHJCJAgIHzgQUf1i8CGQS9NLFT6 BwLZLOJUls5HkCAhTNGA8yMDI1MTIwMTA5MDEwM1owfjB8BggrBgEFBQcwC4ZwcnN5bmM 6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC9jYy81MzA5MzMtNTkxNS00 ZmYyLWIxZjktNTAxMGQwNWY5OWE4LzEvZjFpOENHUVM5TkxGVDZCd0xaTE9KVWxzNUhrL m1mdDCB0QQgpUbbc2l7xyPdCsTyvKWAYLb60Na07P5Z/LuLmjbWor0CAgeEBBR/FM6BA7 eF81BLxLMvH0ybcM4/fwICEBAYDzIwMjUxMjAxMDQwMjQwWjB+MHwGCCsGAQUFBzALhnB yc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2I2L2Y2OWRiZS1l MDc1LTQ0MzgtYjUzYi1mNjE2MGZhMWZiMDIvMS9meFRPZ1FPM2hmTlFTOFN6THg5TW0zR E9QMzgubWZ0MIHRBCCl0WdrMOFv0BMgl2VQQAx9uI5t4Kxtvqn52hF7AMg48AICB84EFH /uPzggc/LD5PzP/KOExbDNgmwmAgIDJBgPMjAyNTEyMDEwMjAxMTNaMH4wfAYIKwYBBQU HMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvYTcvOGNj ZWJmLWY5ZmEtNGM0Ni1hZWU4LWNjYmZhNzM0MjRhNy8xL2YtNF9PQ0J6OHNQa19NXzhvN FRGc00yQ2JDWS5tZnQwgdEEILGPAJJw5GgG/qYFP8SGleANcjVwi/NR03QswU5WeDJ/Ag IHhAQUf4shg1iYOn16JTip2puh80lNcasCAgF5GA8yMDI1MTIwMTAxMDEzN1owfjB8Bgg rBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC9k OS83NmNkMDMtZWFhMi00OTY1LTk0ZWYtOThkYmI2NDAyY2RkLzEvZjRzaGcxaVlPbjE2S lRpcDJwdWg4MGxOY2FzLm1mdDCB0QQgtdKlBX5qKFRZa8MYepUoG+bDYSrxmJWomXIWH6 3MuI8CAgfOBBR/QtJ8IdqGx+n79Erg5WyY89L4CwICDvEYDzIwMjUxMjAxMDQwMTUxWjB +MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZB VUxUL2E5Lzk4YjAyNC05ZDhmLTQ4NjktYTJhOS0wYWZiN2MzZmJmMzAvMS9mMExTZkNIY WhzZnAtX1JLNE9Wc21QUFMtQXMubWZ0MIHRBCDC15K5tTx2P8RH7fIclKElwISZkRMir7 Y+gbiT32PblAICB84EFH9Wid5KfOdovzq12fhUboVsyxk2AgIXVBgPMjAyNTEyMDEwOTA xMjlaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5 L0RFRkFVTFQvNzcvNjRkNTA1LTIyMDQtNGRjYS1hOTVlLThiNTM3MjU4NGFjZC8xL2YxY Uoza3A4NTJpX09yWFotRlJ1aFd6TEdUWS5tZnQwgdEEIMNtO2By45vHeZpPh29jREqwPT dNK3wpji89aE46wzvqAgIHzgQUf/yCWF32m3yUsWphky/8i24zUVYCAhMrGA8yMDI1MTI wMTA0MDMwNVowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9z aXRvcnkvREVGQVVMVC9lNC81MzFkMmItZTE3MC00OWE1LTg0MDQtOTJmNzNmNTZmYzYyL zEvZl95Q1dGMzJtM3lVc1dwaGt5XzhpMjR6VVZZLm1mdDCB0QQgxPtJfkFu3DgrwLJ83s 9z3QLegjHDr/Uw5o+t2ZtVwq0CAgilBBR/ytid8b+Zo28pDMPvDx57TQJ1MwICFzAYDzI wMjUxMjAxMDgwMTM4WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQv cmVwb3NpdG9yeS9ERUZBVUxULzU1LzlmOGIxNi0yODRmLTQ1MTItYjNkYy0wMTVkOWYxY jRiNTAvMS9mOHJZbmZHX21hTnZLUXpEN3c4ZWUwMENkVE0ubWZ0MIHRBCDHV1gO79ba9G 7o6jISax/iwzwo7/27uamcO+yMpmhMeAICB84EFH8RQWrjkp3ze/ZqRZzTrKY4kelGAgI XUBgPMjAyNTEyMDEwOTAxMjBaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBl Lm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvMmYvNmIyMmU4LTNkY2QtNDRkZC05NTE0LTY3N TZmN2IwYzBkYi8xL2Z4RkJhdU9TbmZONzltcEZuTk9zcGppUjZVWS5tZnQwgdEEINCnxy tYU3cWzpJpRz7uemPZtS57LAE1K67EdsvmYP34AgIIXwQUf1byiUjIMvLUNLtE1d4OoSJ gGwUCAhdUGA8yMDI1MTIwMTA0MDI1MlowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtp LnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC8zYS8yMWZiY2EtODBlMC00YjhjLTg2M jItNGU4NmFkNjRmNzc0LzEvZjFieWlVaklNdkxVTkx0RTFkNE9vU0pnR3dVLm1mdDCB0Q Qg0k6pzrsR7newSZBveJZbL9gOfj9KW4FiV/ymMyIXPv0CAggYBBR/A6H4wzT9v0t43vD Fkv8EkN30sAICFwwYDzIwMjUxMjAxMDkwMTI2WjB+MHwGCCsGAQUFBzALhnByc3luYzov L3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzY2LzNmZTFhMC1jNmZkLTRiY zQtYWFlMS05ZWUwMDY5NDJiNGIvMS9md09oLU1NMF9iOUxlTjd3eFpMX0JKRGQ5TEEubW Z0MIHRBCDU0f6D7ydNBUqXYgWA47zL8lFv5uZQZu+mIp+MDlb/ZwICB84EFH+bTP3JsNn jwx4Ou4Hm8bHLvcnkAgINMxgPMjAyNTEyMDEwMjAxMDVaMH4wfAYIKwYBBQUHMAuGcHJz eW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvNWIvODI0NmViLTg0N jktNDJkZi1hMDhmLTkwYzQyMWY1NWFkYi8xL2Y1dE1fY213MmVQREhnNjdnZWJ4c2N1OX llUS5tZnQwgdEEINT4ChVgdLoApQkOqhPAtCjBikQI2ivxT1aIQ0QkjJV5AgIHzgQUf2q OXVXCSYqCY2+Z+PyeMZ4Hdx4CAhBVGA8yMDI1MTIwMTA3MDA0OVowfjB8BggrBgEFBQcw C4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC83NC8yN2ZjZ TEtMTFjZS00YTMyLWE2NDktZTA3NmI1MTcyMWFkLzEvZjJxT1hWWENTWXFDWTItWi1QeW VNWjRIZHg0Lm1mdDCB0QQg1XajHa4+9/hV1MAjIOObhtTaXYak8BxLNMythZRR8nUCAgf OBBR/Pgh0ie4jqUJNU/rCFu5LjgEoDgICFucYDzIwMjUxMjAxMDgwMTQzWjB+MHwGCCsG AQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2M2L 2MyYzk5ZC1jZjkxLTRkZmItOTRkZS1hN2M2M2Q1NjJlNTYvMS9mejRJZEludUk2bENUVl A2d2hidVM0NEJLQTQubWZ0MIHRBCDmfe+L/cGZ/775whLRd2lc2xLwqySNmWI/UwS0TKr GnwICB84EFH/j1jtKW0BLX/g8vysVJaMEd/ZcAgIElRgPMjAyNTEyMDEwNjAxMzVaMH4w fAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVT FQvZjYvODFhNjcyLWZlOTgtNGQzZi05YjgzLTJjYjdhM2I2ZTQyZi8xL2YtUFdPMHBiUU V0Zi1EeV9LeFVsb3dSMzlsdy5tZnQwgdEEIPG8PInX4YXP8xwIuII6Dd0J+VC/iUx5eHH MlHFh8KxqAgIHzgQUf6gWozONMnQc1P/49J3bLMg4/cUCAgTEGA8yMDI1MTIwMTA1MDEx OFowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvR EVGQVVMVC81My9hNDUyOGEtOTBlNi00ZDkxLWE1MmMtZjA3MTdlYTQ4NWM2LzEvZjZnV2 96T05NblFjMVBfNDlKM2JMTWc0X2NVLm1mdDCB0QQg8o1obyN6PNR2LhKZZlHrvknGPo/ 3ntp69h6hJcuBI/kCAgfOBBR/USKDdHQt9USqkwWMWjvT0WQhmQICDsQYDzIwMjUxMjAx MDUwMTA3WjB+MHwGCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3Npd G9yeS9ERUZBVUxULzBhLzkzODVhYS0xYjc5LTRhMDItYTA5Mi0wMWViMDM2ODRmMDkvMS 9mMUVpZzNSMExmVkVxcE1GakZvNzA5RmtJWmsubWZ0MIHRBCD67XBv0HfJ+GUWju8p9NQ kMukS3ghuD9OUpvOP+hnw0wICCo8EFH9r0aawRiXFcdgw+HixwCOCR0CMAgIF+BgPMjAy NTEyMDEwNjAwNTNaMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZ XBvc2l0b3J5L0RFRkFVTFQvNDgvYmM2NmQ3LTU3YWItNDc1ZC05NmJhLTg5YjZjMzIzMT VjMi8xL2YydlJwckJHSmNWeDJERDRlTEhBSTRKSFFJdy5tZnQwgdEEIP8uT1mBLUAiXKV FgcTBM/TUk/zOtjhPa2Vo2rQg3+i7AgIHzgQUf4XpkDVDl+NsDKkDoMYgx3Ce/c0CAgOC GA8yMDI1MTIwMTA2MDA1MVowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUub mV0L3JlcG9zaXRvcnkvREVGQVVMVC81ZS80YWUxNzUtNTVkMC00ODRkLThkMTEtOGM5ZD U4MjNiYWQ5LzEvZjRYcGtEVkRsLU5zREtrRG9NWWd4M0NlX2MwLm1mdA==

Acknowledgements The authors wish to thank , , , , and for the lovely conversations that led to this proposal. The authors wish to thank and for their review of the ASN.1 notation. This protocol is named after Erik Bais, who passed away in 2024, as a small token of appreciation for his friendship.