The Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI)

The Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI) BSD Software Development

Amsterdam The Netherlands job@bsd.nl https://www.bsd.nl/

RIPE NCC

The Netherlands tim@ripe.net

APNIC

AU tomh@apnic.net

JPNIC

JP alt@nic.ad.jp

Operations and Management Area (OPS) SIDROPS Data synchronization This document specifies the Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI). Erik Synchronization can be characterized as a data replication system using Merkle trees, a content-addressable naming scheme, concurrency control using monotonically increasing sequence numbers, and HTTP transport. Relying Parties can combine information retrieved via Erik Synchronization with other RPKI transport protocols. The protocol's design is intended to be efficient, fast, easy to implement, and robust in the face of partitions or faults in the network.

Introduction This document specifies the Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI) . Erik Synchronization can be characterized as a data replication system using Merkle trees , a content-addressable naming scheme , concurrency control using monotonically increasing sequence numbers , and HTTP transport . Relying Parties can combine information retrieved via Erik Synchronization with other RPKI transport protocols ( and ). The protocol's design is intended to be efficient, fast, easy to implement , and robust in the face of partitions or faults in the network.

Background The notion of cache-to-cache data replication of unvalidated data was documented in .

Validated caches may also be created and maintained from other validated caches. Network operators SHOULD take maximum advantage of this feature to minimize load on the global distributed RPKI database. Of course, the recipient relying parties should re-validate the data.

Historic records show that experiments have been performed in this space using, for example, peer-to-peer file sharing technology (see ), but no standardised and widely-deployed mechanism for cache-to-cache replication emerged since then. The authors hope that the Erik Synchronization protocol might be suitable to fill this gap and improve propagation speed of validly signed repository data as well as help reduce load on the global RPKI.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Related Work The reader is assumed to be familiar with the terms and concepts described in "" , "" , "" , "" , "" .

Glossary This section describes the terminology and abbreviations used in this document. Though the definitions might not be clear on a first read, later on the terms will be introduce with more detail.

Erik relay: An intermediate between CA publication repositories and Relying Parties.
FQDN: The fully qualified domain name of a RPKI repository instance referenced in an end-entity certificate's Subject Information Access (SIA) extension's id-ad-signedObject accessDescription.
Hash: A message digest calculated for an object using the SHA-256 algorithm.
ErikIndex: The relay's Merkle root for a given FQDN. An ErikIndex is an ordered listing of ErikPartition object hashes.
ErikPartition: An ordered listing of the manifest objects' hashes, manifestNumber values, thisUpdate values, and their certificates' SIA extension values.

Informal Overview Erik Synchronisation is an architecture to reliably distribute RPKI repository data from cache to cache using so-called Erik relays. Relays maintain a validated cache themselves and can be clients of other relays. While this property suggests that a group of relays should converge to the exact same state, the distributed nature of the RPKI prevents relays from achieving strict synchronization. In this synchronization protocol, Merkle trees are used to determine whether differences exist between client and relay. Merkle trees are hierarchical data structures: the hash value of each node is computed recursively by hashing the concatenated hash values of the node's children. The hash of the ErikIndex represents the entire dataset related to a given FQDN. If the ErikIndex hash is not the same between two replicas, the relay provides the client with hashes of smaller and smaller portions of the to-be-replicated dataset until the exact list of out-of-sync or missing objects is identified. Sequence numbers are then used to determine whether these differences are relevant enough for the client to fetch. All data, except for ErikIndex objects, is fetched using static addresses derived from object hashes. This approach reduces unnecessary data transfer between caches which contain mostly similar data. The client starts by querying an Erik relay for the relay's current ErikIndex for a given FQDN. If the ErikIndex is different compared to the previous run (or compared to the Index calculated from the locally cached objects). With the ErikIndex in hand, the client can determine which ErikPartition are missing and fetch accordingly. The client then can compare the manifestNumber sequence number and thisUpdate for each manifest listed in the ErikPartition, and proceed to fetch (purportedly) newer versions of manifests of interest. Whenever a relay has manifests with a lower sequence number on offer, the client can ignore those. The client now has sufficient information to proceed to fetch any missing Certificates, Signed objects, and CRLs. With the information contained within manifests, clients can fetch addressed by content (by hash) and store by name (or some other scheme).

Erik Synchronization Data Structure Definitions In this synchronization protocol the signal layer makes use of DER-encoded messages . Design note: DER encoding was selected for its canonical properties and because RPKI cache implementations already support ASN.1 encoding. RpkiErikSynchronization-2025 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) mod(0) id-mod-rpkiErikSynchronization-2025(TBD) } DEFINITIONS EXPLICIT TAGS ::= BEGIN -- EXPORTS ALL -- IMPORTS CONTENT-TYPE, Digest, DigestAlgorithmIdentifier FROM CryptographicMessageSyntax-2010 -- in [RFC6268] { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } AccessDescription, KeyIdentifier FROM PKIX1Implicit-2009 -- in [RFC5912] { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } ; ContentInfo ::= SEQUENCE { contentType CONTENT-TYPE.&id({ContentSet}), content [0] EXPLICIT CONTENT-TYPE.&Type({ContentSet}{@contentType}) } ContentSet CONTENT-TYPE ::= { ct-rpkiErikIndex | ct-rpkiErikPartition, ... } ct-rpkiErikIndex CONTENT-TYPE ::= { TYPE ErikIndex IDENTIFIED BY id-ct-rpkiErikIndex } id-ct-rpkiErikIndex OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) id-smime(16) id-ct(1) erikindex(55) } ct-rpkiErikPartition CONTENT-TYPE ::= { TYPE ErikPartition IDENTIFIED BY id-ct-rpkiErikPartition } id-ct-rpkiErikPartition OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) id-smime(16) id-ct(1) erikpartition(56) } ErikIndex ::= SEQUENCE { version [0] INTEGER DEFAULT 0, indexScope IA5String, indexTime GeneralizedTime, hashAlg DigestAlgorithmIdentifier, partitionList SEQUENCE (SIZE(1..ub-Partitions)) OF PartitionRef } ub-Partitions INTEGER ::= 256 PartitionRef ::= SEQUENCE { hash Digest, size INTEGER (100..MAX) } ErikPartition ::= SEQUENCE { version [0] INTEGER DEFAULT 0, partitionTime GeneralizedTime, hashAlg DigestAlgorithmIdentifier, manifestList SEQUENCE (SIZE(1..MAX)) OF ManifestRef } ManifestRef ::= SEQUENCE { hash Digest, size INTEGER (1000..MAX), aki KeyIdentifier, manifestNumber INTEGER (0..MAX), thisUpdate GeneralizedTime, locations SEQUENCE (SIZE(1..MAX)) OF AccessDescription } END

General Syntax At the top level the content of an Erik object is an instance of ContentInfo.

contentType The contentType is an OID specifying the type of payload in the object, in this profile either id-ct-rpkiErikIndex or id-ct-rpkiErikPartition.

content The content field contains an instance of ErikIndex or ErikPartition.

ErikIndex An ErikIndex represents all current manifest objects available under a given FQDN and thus the complete state of the repository as it is known to the relay.

The version number of the ErikIndex object MUST be 0.

The indexScope field contains the fully qualified domain name of the Signed Object location of the manifests referenced through this particular ErikIndex. The FQDN MUST be in the "preferred name syntax", as specified by and modified by .

The indexTime is the most recent partitionTime value among the ErikPartitions referenced from this ErikIndex. The field's value roughly indicates when the ErikIndex was generated and can be used for troubleshooting and measurement purposes. For the purposes of this profile, GeneralizedTime values MUST be expressed UTC (Zulu) and MUST include seconds (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. GeneralizedTime values MUST NOT include fractional seconds. See . Design note: using the most recent partitionTime, rather than the local system's notion of "now", helps reduce churn in distributed systems.

This field contains the OID of the hash algorithm used to hash the ErikPartitions. The hash algorithm used MUST conform to the RPKI Algorithms and Key Size Profile specification .

This field is a sequence of PartitionRef instances. There is one PartitionRef for each current ErikPartition. Each PartitionRef is a tuple consisting of the hash of the partition object and the size of the partition object. Information elements are unique with respect to one another and sorted in ascending order of the hash.

ErikPartition An ErikPartition represents a subset of manifest objects available under a given FQDN. Each ErikPartition is an ordered listing of the manifest objects' hashes, manifestNumber values, thisUpdate values, and their end-entity certificates' SIA extension values.

The version number of the ErikPartition object MUST be 0.

The partitionTime is the most recent thisUpdate value among the manifests contained within this ErikPartition. The field's value roughly indicates when the ErikPartition was generated and can be used for troubleshooting and measurement purposes. For the purposes of this profile, GeneralizedTime values MUST be expressed UTC (Zulu) and MUST include seconds (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. GeneralizedTime values MUST NOT include fractional seconds. See . Design note: using the most recent manifest thisUpdate value, rather than the local system's notion of "now", helps reduce churn in distributed systems.

This field contains the OID of the hash algorithm used to hash the manifest objects referenced in this ErikPartition. The hash algorithm used MUST conform to the RPKI Algorithms and Key Size Profile specification .

This field is a sequence of ManifestRef instances. There is one ManifestRef for each current manifest. A manifest is nominally current until the time specified in nextUpdate or until a manifest is issued with a greater manifestNumber, whichever comes first (see ). A ManifestRef is a structure consisting of the hash of the manifest object, the size of the manifest object, the manifest issuer's key identifier, the manifestNumber, and the thisUpdate contained within the object, and a sequence of AccessDescription instances from the manifest's End-Entity certificate's Subject Information Access extension. Information elements are unique with respect to one another and sorted in ascending order of the hash.

Client-side Processing Clients start by fetching an ErikIndex, which is represents the relay's current Merkle tree head for a given FQDN. A client MUST verify the requested FQDN exactly matches the indexScope value in the ErikIndex, and if not proceed to use a different relay. Then, clients can decide whether or not to fetch ErikPartition objects listed on the ErikIndex, for instance, by checking whether the object associated with the hash was already fetched at some point in the client's past. Before using a ErikPartition, the client MUST verify that all URIs in the accessLocations in the id-ad-signedObject accessMethod instances in the ErikPartition are encompassed in the requested indexScope. A client can then decide whether or not to fetch a given manifest object, by comparing the manifestNumber and thisUpdate with what's locally cached and what's offered by the remote relay. A client can compute which products listed in the manifest's fileList need to be fetched from one relay or another in order to achieve a successful fetch. A client MUST verify that the URI in the accessLocation in one of the id-ad-signedObject accessMethod instances in the manifest's Subject Information Access (SIA) is encompassed in the requested indexScope. As there is no concept of 'sessions' (like in RRDP), clients can interchangeably use different Erik relays. When one Erik relay generates a HTTP error, the client can try fetching the requested object from another Erik relay. To improve reliability, clients should alternate among different relays in successive query and fetch attempts.

Querying an Erik Relay

This specification uses "Named Information" identifiers mapped to .well-known HTTP/HTTPS URLs for object retrieval, as described in . For example, issuance #54 of ripe-ncc-ta.mft has the following SHA256 digest: c2d0427bc5a32c42eea1ab5663d592b1fc29c7d4ef16ab0b5e1d631d039dcc21. To fetch the aforementioned object from an relay hosted at relay.example.net, a client would access the following HTTP URL: https://relay.example.net/.well-known/ni/sha-256/wtBCe8WjLELuoatWY9WSsfwpx9TvFqsLXh1jHQOdzCE

The URIs to fetch ErikIndex objects can be constructed using the following Well-Known URI template with the erik keyword as suffix and the FQDN as parameter: https://{relay_host}/.well-known/erik/index/{FQDN}. For example, the URI to fetch an ErikIndex for the rpki.ripe.net FQDN from a relay at relay.example.net would be: https://relay.example.net/.well-known/erik/index/rpki.ripe.net. A client MAY use the If-Modified-Since HTTP header when fetching ErikIndex objects.

Transport Error Detection and Handling The client MUST calculate the hashes of fetched objects and verify they are the same as the expected hashes (which are embedded in the URIs through which the objects were retrieved). If there is a hash mismatch, the client may try fetching the object from a different Erik relay or treat this as a failed fetch (see ) and try again at a later point in time in a next validation run.

Setting Up an Erik Relay Erik relays can be operated by any party, without permission from or coordination with publication point operators or CAs. Relays are made accessible via either HTTP or HTTPS or both. Relays generate and make accessible ErikIndexes and ErikPartitions derived from their current validation state, the client then cherry-picks which objects (if any) it wishes to fetch. In turn, relays fetch fresh data from other relays, or from CA-designated publication points accessible via Rsync () and RRDP (). Design notes: a decision must be made on a deterministic "manifest-to-partition" assignment scheme. Job's proof-of-concept relay (see ) uses the first few octets of the the Manifest's AKI as a stable partition assignment scheme. Other strategies could be to assign manifests to ErikPartitions based on the "hour-of-day" of the CMS signing timestamp, or the first few octets of the SHA-256 of the manifest object.

Comparison with other RPKI transport protocols Ignoring obvious mechanical "on the wire" differences between Erik, Rsync, and RRDP; there are a number of concept differences between the protocols. Rsync and RRDP can be described as "general purpose" synchronisation protocols: they could be used to transfer any arbitrary set of files, on the other hand the Erik protocol is RPKI-specific: part of its signaling layer are RPKI manifest objects, which RPs require as recourse for validation anyway. This property by itself causes a small deduplication in the data to be transferred.

Comparison with Rsync In Rsync, the server and the client construct and transfer a full listing of all available objects, and then transfer objects as necessary. In effect, this allows clients to 'jump' to the latest repository state, regardless of the state of the local cache. A major downside of Rsync is that the list of files itself can become a burden to transfer. As of June 2025, in order to merely establish whether a client is synchronized or not with the RIPE NCC repository at rpki.ripe.net, as much as 5.8 megabytes of data are exchanged without exchanging any RPKI data. Experimentation suggests that when synchronizing once an hour, Erik consumes less network traffic than Rsync generally would consume which, in turn, is less network traffic than RRDP would.

Comparison with RRDP The key concept in RRDP is that the client downloads a "journal", containing all add/update/delete operations and replays this journal to arrive at the current repository state. A major downside of RRDP is that (depending on the RRDP polling interval) clients end up downloading data which has become outdated. Imagine a hypothetical CA which issues and revokes a ROA every 10 minutes and a client that synchronizes every 60 minutes; in effect the client must fetch 5 outdated states, wasting bandwidth. Experimentation suggests that when synchronizing every 15 minutes, Erik consumes less network traffic than RRDP generally would consume which, in turn, is less network traffic than Rsync would consume.

Garbage Collection In contrast to RRDP, the Erik protocol has no concept of server-specific "stateful" sessions that persist across polling attempts. This obviates the need for withdraw instructions as part of the protocol exchange: clients can simply delete objects that are no longer referenced from their current validation state and refetch them later on if needed.

Open Questions

Which of the possible deterministic manifest-to-partition assignment strategies yield the best results? AKI?
Are deterministic and cheap Snapshots possible? If so, what is the best archive format for Snapshots? The ustar/gzip combo might not easily yield deterministic results across different implementations.
Is the concept of Differentials/Deltas needed in Erik Synchronization?
What will be the upper bound for the number of partitions? (ub-Partitions)

Operational Considerations

Scaling considerations As of July 2025, the global Internet's RPKI churn rate appears to be 2 new objects per second. The ecosystem is estimated to be composed of ~ 5000 RPKI cache instances and ~ 50 repository servers. Assuming 10 minute fetching intervals and 150 metadata requests per synchronization run (for exchange of Merkle tree data), an Erik relay serving all the Internet's RPKI cache instances would probably need to be able to sustain serving an average of at least 11,000 HTTP requests per second. This order of magnitude in terms of scaling requirements can easily be handled by a single commodity server.

HTTP Compression Using gzip compression on average tends to yield a 20% reduction in RPKI object size, therefore it is RECOMMENDED for clients and relays to offer support for compressed content coding, as described in . Using a previous version of a RPKI object as a compression dictionary for a newer version enables delivery of a delta-compressed version of the changes, usually resulting in significantly smaller responses than what can be achieved by compression alone. Clients can facilitate delta compression by sending an Available-Dictionary request header, using a previously fetched version of the RPKI object as the dictionary. It is RECOMMENDED for clients and relays to make use of Compression Dictionary Transport ().

Security Considerations This document makes no changes to RPKI certificate validation procedures. Paraphrasing : The RPKI relies on object, not server or transport, trust. That is, the Regional Internet Registry root trust anchors are distributed through some out-of-band means, and can then be used by each relying party to validate certificate chains and Signed Objects. The inter-cache relationships are based on this object security model; hence, any cache-to-cache transport is assumed to be unreliable at times. See for more security considerations. To avoid certain forms of replay attack, clients MUST verify purported indexScope, ManifestRef location values, and manifest Subject Information Access (SIA) extensions match the expected FQDN. Byzantine events or faults in relay-to-client communication can be overcome by the client rotating requests for objects among different Erik relays.

IANA Considerations

The IANA is requested to add an item to the "SMI Security for S/MIME Module Identifier" registry as follows:

The IANA has allocated for this specification in the "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry as follows: Upon publication of this document, IANA is requested to reference the RFC publication instead of this draft.

An URI Suffix in the Well-Known URIs registry specific to Erik synchronization will be requested. See https://github.com/protocol-registries/well-known-uris/issues/67 for the request. The proposed suffix is erik.

References Normative References Domain names - concepts and facilities This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them. Requirements for Internet Hosts - Application and Support This RFC is an official specification for the Internet community. It incorporates by reference, amends, corrects, and supplements the primary protocol standards documents relating to hosts. [STANDARDS-TRACK] Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] The Resource Public Key Infrastructure (RPKI) to Router Protocol In order to verifiably validate the origin Autonomous Systems of BGP announcements, routers need a simple but reliable mechanism to receive Resource Public Key Infrastructure (RFC 6480) prefix origin data from a trusted cache. This document describes a protocol to deliver validated prefix origin data to routers. [STANDARDS-TRACK] Naming Things with Hashes This document defines a set of ways to identify a thing (a digital object in this case) using the output from a hash function. It specifies a new URI scheme for this purpose, a way to map these to HTTP URLs, and binary and human-speakable formats for these names. The various formats are designed to support, but not require, a strong link to the referenced object, such that the referenced object may be authenticated to the same degree as the reference to it. The reason for this work is to standardise current uses of hash outputs in URLs and to support new information-centric applications and other uses of hash outputs in protocols. The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure This document specifies the algorithms, algorithms' parameters, asymmetric key formats, asymmetric key size, and signature format for the Resource Public Key Infrastructure (RPKI) subscribers that generate digital signatures on certificates, Certificate Revocation Lists (CRLs), Cryptographic Message Syntax (CMS) signed objects and certification requests as well as for the relying parties (RPs) that verify these digital signatures. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. HTTP Semantics The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. Manifests for the Resource Public Key Infrastructure (RPKI) This document defines a "manifest" for use in the Resource Public Key Infrastructure (RPKI). A manifest is a signed object (file) that contains a listing of all the signed objects (files) in the repository publication point (directory) associated with an authority responsible for publishing in the repository. For each certificate, Certificate Revocation List (CRL), or other type of signed objects issued by the authority that are published at this repository publication point, the manifest contains both the name of the file containing the object and a hash of the file content. Manifests are intended to enable a relying party (RP) to detect certain forms of attacks against a repository. Specifically, if an RP checks a manifest's contents against the signed objects retrieved from a repository publication point, then the RP can detect replay attacks, and unauthorized in-flight modification or deletion of signed objects. This document obsoletes RFC 6486. Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) ITU-T Informative References A Digital Signature Based on a Conventional Encryption Function Advances in Cryptology -- CRYPTO '87 Proceedings Lecture Notes in Computer Science, Vol. 293 RPKI Over BitTorrent Maintenance of duplicate databases The Twelve Networking Truths This memo documents the fundamental truths of networking for the Internet community. This memo does not specify a standard, except in the sense that all standards must implicitly follow the fundamental truths. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. The rsync URI Scheme This document specifies the rsync Uniform Resource Identifier (URI) scheme. This document is not an Internet Standards Track specification; it is published for informational purposes. An Infrastructure to Support Secure Internet Routing This document describes an architecture for an infrastructure to support improved security of Internet routing. The foundation of this architecture is a Resource Public Key Infrastructure (RPKI) that represents the allocation hierarchy of IP address space and Autonomous System (AS) numbers; and a distributed repository system for storing and disseminating the data objects that comprise the RPKI, as well as other signed objects necessary for improved routing security. As an initial application of this architecture, the document describes how a legitimate holder of IP address space can explicitly and verifiably authorize one or more ASes to originate routes to that address space. Such verifiable authorizations could be used, for example, to more securely construct BGP route filters. This document is not an Internet Standards Track specification; it is published for informational purposes. Origin Validation Operation Based on the Resource Public Key Infrastructure (RPKI) Deployment of BGP origin validation that is based on the Resource Public Key Infrastructure (RPKI) has many operational considerations. This document attempts to collect and present those that are most critical. It is expected to evolve as RPKI-based origin validation continues to be deployed and the dynamics are better understood. The RPKI Repository Delta Protocol (RRDP) In the Resource Public Key Infrastructure (RPKI), Certificate Authorities (CAs) publish certificates, including end-entity certificates, Certificate Revocation Lists (CRLs), and RPKI signed objects to repositories. Relying Parties retrieve the published information from those repositories. This document specifies a new RPKI Repository Delta Protocol (RRDP) for this purpose. RRDP was specifically designed for scaling. It relies on an Update Notification File which lists the current Snapshot and Delta Files that can be retrieved using HTTPS (HTTP over Transport Layer Security (TLS)), and it enables the use of Content Distribution Networks (CDNs) or other caching infrastructures for the retrieval of these files. Compression Dictionary Transport This document specifies a mechanism for dictionary-based compression in the Hypertext Transfer Protocol (HTTP). By utilizing this technique, clients and servers can reduce the size of transmitted data, leading to improved performance and reduced bandwidth consumption. This document extends existing HTTP compression methods and provides guidelines for the delivery and use of compression dictionaries within the HTTP protocol. rpkitouch

This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit". A few experimental Erik relays are available, each running on slightly different schedules. Client implementers are encouraged to round-robin between these instances to observe results.

http://relay.rpki-servers.org/: Dublin, Montreal, Osaka, São Paulo, Sydney - anycasted distributed computing cluster
http://dub.rpki-servers.org/: Dublin, Ireland, - distributed computing cluster (6 machines, NFS backend)
http://atl.rpki-servers.org/: Atlanta, USA, - distributed computing cluster (2 machines, NFS backend)
http://miso.sobornost.net/: Amsterdam, NL, single node
http://nyc.rpki-servers.org/: New York, USA, - single node
http://fnllwqoupfrhso6643whm6lpkgsftjtc6crpehmyz2o7pffirnqy7rad.onion/: Erik relay service via Tor

An experimental Erik static content generator was developed by Job Snijders in the form of using C.

Example objects Included in this section are an ErikIndex for rpki.ripe.net and an ErikPartition referenced from the aforementioned ErikIndex, both Base64 encoded.

Example ErikIndex This object was retrieved from http://miso.sobornost.net/.well-known/erik/index/rpki.ripe.net. MIIoRgYLKoZIhvcNAQkQATeggig1MIIoMRYNcnBraS5yaXBlLm5ldBgPMjAyNTEyMDQxN TUwMjlaMAsGCWCGSAFlAwQCATCCKAAwJgQg4x/oKSpJWMYfiwmxlXsIihgYTHlw7JG/Xl JIBr85aF8CAj5fMCYEIMobcoUB80mqesZ86of8vdvUHU+IN/Lv36xYLdsG5YWyAgJFjjA mBCCqYaG3CBGrgisIby+kjmrMCmxkM1xRX5h8ySkpbi+YzAICPZcwJgQgnJq0yJdD4sPe /GtzgVElsLXAMgagucbr0xF9ROC7nPgCAkZbMCYEIIR2TnjK1AB/t8ayJgf/iq04FJNPe Mljb1leJ/tedYvLAgI8yzAmBCBFiyaGABNV7VukoKDMU+LlSv5I6vMVdV+IMBgs188oaw ICS+8wJgQgKixW27oZqi19K526VpGlZ+0XAQDsVGknwNLDdNg+oV8CAkDGMCYEIPZtvf6 KEIPf/UyHxTN7ypbDovmhcBeyZf6wypAZcvN3AgJIvTAmBCBaryJe+uBlcLB0dLPQsS46 GA3XKUIcMBdWBFn5gCNWMgICSlYwJgQgklyrCIkF2N7trfYE2d8K7HIaiFSG+Y+EW6Imu GdrxU4CAkpXMCYEIFN2PuEDxaS8Hgl1TTUWLAGzc4tzhDHyjKlaw7PMLJJOAgI6ZTAmBC CTocRYi5ZYYx+H/WTzAY2TDKX5tv9ERa7N0llUqpx7MwICRlswJgQgt/tI2qNsSmxUtAt KfUVbjVlM51s6lArVlXzq7E991BsCAjmbMCYEIEHlKn1Y9XU3FMQpoQ6VOzEk33YkfBfu VaUbqSNB4E7VAgJKVzAmBCB4X6f/hN0fOVLJ41rfduCjNWOtAhA/+hlaC3xHOOVOYgICQ ykwJgQgx1lUblpQQSwopLIWIgg532kTyS61EYHziHmNdl+Ufm0CAj8rMCYEIGADEKt/5p qBqV5sY4Drm3c4e4Xu8iDZeh6siGQ0MVmgAgJCXzAmBCBPAVLtveq6vWiWP4t3Z1YMqfB WfnZYiaJexvnZdhJCQAICRY8wJgQgkkxXQwzVeUbM7QiAf5lFha9sN8Yb+1+zjmOC3lk9 CVQCAkDGMCYEIC9QE9ANo0jFeOT5DBQl7112OjyYHVF01Bsk6yWpvfBRAgJD9jAmBCBI9 WxfgjCrZLA4zOmlamVT7fO/k8+QuIYzr5O5O7dqcwICMaIwJgQgCdEsYGKw3zh0CZg1+q 3Jf/Ezvqnw7kTf1TKY13AlJ4oCAkWNMCYEIJMykWJkE5jvTwuYUx14EBUzyRl0xJHAfiS ZxMxgmXCBAgJIvzAmBCBq4Uan/5q5axCWRQ/E6j8MjyMNtWpft/qyDuRk7DJRdQICT+ow JgQgRnTIHGqCEczZNqIHqLz3Cg4aAfCI/eIBArHUQEwkkf0CAjZoMCYEIG3EQ7dFpc712 c7pghGggSyzcl9f10ZyCVYxtRUYRoLHAgJMuTAmBCBECs+7SNPtDdJeOjmOW7LUudpuXS G5/iwnU57tpnEBSwICTk8wJgQgiE+SNWwGyyWk3UHpdfZVU/cJLmniTYj+Qx5Q/Pg070w CAkP3MCYEIInS7jtJG95+/QHU4B7BzXiCxLJGROQzAGVgP/KTSLUdAgJLIjAmBCB+BtWf llMd6ljeOSVMeWL6XlVupWpmnEdzASHQ8UUEawICRlcwJgQgh+9Wgieq8uWJPWuk1zcHQ tfAzcEtSLu6cFiizLB/FVECAki+MCYEIALfQ6cn1lFUUauKtQWfnAKyip0xavUyTPqyZx 4SKM0bAgJHJzAmBCAhDGSV1JsMYA/0uma1NM8jzhfDFZhVfmVAT290/unlRAICRlswJgQ giXYk6DZycnPrY45Me8jeutomw9j7R7dMp+TAkTlDI+ACAjpkMCYEIK29pj6RIPa4vXrG ZmczHnbGFhkDZWMvtPsb01SMxsh4AgI6ZTAmBCDX9v1Zo/HzOAk/9UBIk7/Rh2iKRxjks fLlZRkSfU80PAICT+kwJgQgzko+CaHpqidtAwCkmgVjjE4yxHwoiR2frTLcof6FbHMCAj zLMCYEIEwbZty1WPIBWZao2qHO882KxcJZ2GBdFxKQZpVgdpOBAgJBkDAmBCBYqw2PTol eEktObKpm2FNcGY5Rtt5H1sxtv3keeKam2wICQZMwJgQgGbxgwo+P90tG/fijIccclzHg 08OI36ywxGAriqp5zt0CAk8fMCYEIB1IaNV+Ur3jGWJdt8nB0JP4EqWph0HzfvLesD8do 6loAgI7MzAmBCD0G+ZuuiYJuO9PUYI3m1IvdjjFq6buMzmMjHRm/MkwmAICVxYwJgQgu6 /IK6huz1bQRFpHRVKwJPr8mCpJTiNQjHlsz2n4qE4CAjyjMCYEIDDvXbCF/QIznVr/82G vLuSerQxYfNjFzk+ADaTmaR8zAgI9kzAmBCDNR60L+r1YrVeecsceLh+r4ZD+RvxL2TdF IeAtaG/ulAICOmYwJgQgQHopBzjK6FHz07A/+gxzp3mfchu1txXIEKyDnIdfiuoCAjgCM CYEIDeyYAHLFhrug/c5UtCmnbYekwutqFLPKwHC262ZFdi/AgJDKzAmBCACtf5OZDKT5K SrDnca+N1PEzE9vUq4m+MWs6s9loxCYQICS+8wJgQgA8jyuvhd7MMbXzxmnFHW/2n96T2 pVEMQyu52XZqRUe0CAkZZMCYEIA8p78+/SITzJVMdg5PC4OAZfg3cRs/fDerB/eyYMaKS AgI+XzAmBCBhmqyqzBYgBCN+cBE2zS5q0ruGxfk8UMUcYNEYIZBkfgICR/EwJgQgJ6mSf oaQQ7V4LDD2eH/mVyVd2Tjcb5erYGFiIJyQCccCAjsxMCYEIDrz2cjTrEVBsunv8BoP+I uo+hq6SMdYYRLFrwmgj1OJAgJIvTAmBCDt+HVE/jz3ENTOPKFAmWPxn+tTHawZHh+rp7d zJPPWBgICPMowJgQgjy7mcvPGelL8IqFiOybwcLN70vvPCmod80FLzwfHRt8CAkpXMCYE IIpl8t92Wdl3Hxtmyo7P56i3iFH+qs+bK/oxdJx4f/IKAgI8yzAmBCCbYaynY0966Y6Nc jVVwbw1KTgHl2nZxiZo7v5Or6/OsAICRY8wJgQgW0VidFJyAhev/M3Ok0HCbvLkB0aU+P cBT5DzUAd4TswCAkTCMCYEII2rRGW333DGPqlsJGDi9JoQj237xGAw1Ot/EKcn/2nwAgJ D9TAmBCD3JPoboP6sGE8/DGW3iGXOK4I3SYKTA90HCAbv9HtJFAICPy8wJgQgo0PstHri 9Zf8NlQBnsikihoCOIgfCNGh2eYKajPUPHMCAjzJMCYEIJHuvkdaX/dACFlrwd4kNxe1j edljz1ZfVGrgXwWN5khAgI9ljAmBCCqRvR92um/FWyUHc6xiwXxZDLzXvKg0v6y+hP3tJ OylwICTLkwJgQghdHSyhKnQ6mONyEiAWXS+7/mLgmWqxkCJiUTmcQ1oAkCAjgCMCYEIJr DVbCc9hcwuJ/Ip95x3d0QkZQ67H43bxHbAwfagaqoAgJLIjAmBCCkBAtAhf0mE/oa1l+P 3fe9j7zo9k6WemIIlqFaSRFwTQICR/EwJgQgbmq5I+ZgR1775kSHEcXnOQLKjYEUHF+rX BSvhRS7iGgCAkWOMCYEIAmSQuvMuE31r+W0fktmUIAJJVxqVjyE+wseOcAwPJilAgJDKT AmBCBlgenBE2JcY1T7yvT4fubh1y2y6cxPkKnxgX6BXhv3YAICSyMwJgQgW6LQnSLgFvA FIWPBaClqFB684DSyXYmYryNd20IQYCECAjZqMCYEIJQhsD7l6CkaD9wvela9pNirzGCs 2KvyMIMqRAgCY6gPAgJEwjAmBCCA5LS4RSCvfTbsg/e/u680U+CaHQzqf05gAzb/dYj7e wICQMcwJgQg9GKlbPIQMTXrXNkSACtRLtU/YR7K+IwtVU2PP+Ht6EICAjzLMCYEIGVHk2 v0JZaQDEb46YWCzq+v6h54XdwZG7njcNmODtj5AgJFjzAmBCAm+h6Ozp0wrtsuNNVZ4Ho WCPonDyz48bztA3mAPW1XaAICPZcwJgQguN84WoVJRbzWHxXI6+jfqBoT+nHl4z1tcaR3 dhur78UCAkWNMCYEIBXef5zKL6wQq9HpQGoy2clKNeaG2SCbc8uTeRw+6x3GAgJMujAmB CBE3HHOWIOxlPyxl+Ntxfz0OwIU7YE5cUX2YsiVgCTIbQICRY0wJgQgYVIRXX1SiDri8j UBNdfzh4tAO9c9FEgbcfcovkeASyUCAkpWMCYEIEU/0TOZq6WswMy3R/GDZ8E6fvWRt0h ruH3D8SqTwxunAgI9ljAmBCA96mh+VUbEdl7anhyu2o+R/Nq17FPlLybZx41f6K2+HAIC Ql0wJgQgzetWrgTL3lvU052dpUlnpYvpZpZkdNb0/d9Ch7bI3U0CAjv8MCYEIPFjJ84Ro 2rqgrSO7GEG5P6SEdmPgCHj1XXMLQd0YwrsAgJGWzAmBCBLxWFOySITGB9+bVw2mCfUVH SHTNqUHJMbgrRw4MmougICUxowJgQgdrh5rk4vAS2mDHPPzU0bZTu9LFoO1OR0pJo2mRH x4cECAkmJMCYEIDjWKGcGrHuWmsSAN66PrJ1GdB6iOCEwVl8wX2CRXdk1AgJAxzAmBCC8 GJe8nPS4biUwc+tVWdx50oxpIsnGXOZ8zDcmhXbbDAICMaIwJgQgpMU1RPwde6nUKGzCU fJBsjI0FmuAPqIHcmncDtbyVO8CAk/oMCYEIL0bhIL0Mv/W08Y33ER2i+fAb9vnpZeAZt fRaXzzlRF4AgJJiTAmBCAUcBWpSH+rULDd8F+VhXBbl8UhKXLufo+qxb/J+yMsLwICPy4 wJgQgrVfKoxFh/O10s2WFWEfwp5UjjqAsPQho8mju04dxJWgCAkJfMCYEIIUbqmWEy+/F A2Bmw/PknIWV/ProvTNA8TirzDxMSmuBAgI/LzAmBCAKX8FQOqNZZBwj4fl8m2zt/B4by 5Uk/Dp5I3jG5odACgICOZswJgQg5XFjDH2PiTa3zA+zHEFE2ZEz2FCFyR5JVJrKk6GZee wCAkGSMCYEIL5cu7mhhCoBDxVOSKKy4S4KkUv4BXot70lTvIIPS6cYAgJH8zAmBCCkbj/ zk66eAZq40ESpZiqRslBAIpGb+e/A5FD1H8HNIwICPmIwJgQgVfcD2Ar+9FjbAfUoP1fT nxF6vvcnitD9dtdeQsbT4A4CAkvvMCYEIF+lCjfkxb3I/1pD+HaA+Uz+k2JysW7RG+CAY 9Xgzl+2AgJBkzAmBCDbhOqNBPRZknT3PHIIwRXkYT6krqee6s28uCz7+BdQrQICQygwJg Qgg2tkk28Zc/y9ajHTABYoz4U70mwtvolE9nPfJG/kxV4CAj5kMCYEIIQhZOMCG310Bfy o9t+yz8z/c3C9XnEyIACN1fGSJV+SAgI/+jAmBCBXtrgcr97BR/ldgoD5DaeSgiCQud/n QLarn+Ii+PoDjAICP/swJgQgDSQ5xCutZkAR8n2aVJioqXLlbBX3lr9b/LqF7QAptecCA kshMCYEIH8dA6UQFwFx4Ja4JQ9jooo6Y7fRuMFF7VaTGTdJ38g8AgJGWTAmBCA0qhqusv mdYzgmPyaJ7uU8qXqI4SiOb5GSBGbrGpchBAICSyEwJgQg8mziFZicz3gCcJQlsoElaw0 rG7sRThxGTqHDlZz7UM0CAlGDMCYEIHO2yUhm3/iHidqqiSTiG7eiRgw6jvWYq50aILSw /SAUAgI00jAmBCDC6EVgfiSGyalDKi/IJqV758ux8eZRU+tQJhJONH8EyQICSyEwJgQg3 0LTyNbgjGHuQBRdrRhNaIcxEmW6RpECZIrx6XI+ahcCAkMqMCYEIEMEM3X/ZDwYUNRHSl Io4IUVHmRafZoQam9bmpbhg57sAgI/LjAmBCAbuenguFontLUzo53mGjeTC6WL965Vhj4 dM7e79HLxIwICNzYwJgQgGdK/YD8SLdHLTD8uZkW75SLOZ5TnypmwxS/nKHsrsWkCAk2F MCYEIAGrCRDxSWi+I+4JsRp43c4oDGVZLGb9ElKuKMM8KEykAgJMuDAmBCAhZgpSawt+o gpkFVFs3nkqA1rcuJgv/wd0sWE6sII2hAICNmkwJgQgWOnhiVcU3/eZ/rRKNQZZcOodt+ f9+vT4iHozUuDSQEUCAky3MCYEIHkhy9yGqafB2PueCoTucb4rbeQTkSf0mIZ87Jwh1Oq LAgI8yjAmBCCAKzGm73IwY8qkZ0+PuSjqHpQSuQAmLTQ/kSF5nGXZlwICTYYwJgQgzsO3 FlLCAo0NS0Sn5D30B9/OzXYCPUU8OQN4oAPJ0kYCAkDHMCYEIFrglpwf9ty+daYdpQ4HK lHcsoQDVtFbswXE8VkUZgE0AgI/LzAmBCBm50p62KeXnutNHrH7W2A64qPkOygS/bt/vM VnW5m9LAICTYUwJgQgBNjqEK50W5r4N8ZoDhCE4o+T1+Wt4jpNc7lK5mrbxqUCAkGSMCY EIBF0xJLV1E7obtFGYgnzIlt9TpHV8D923dRzRJNIQrxlAgJKVTAmBCArhWP57bsqvLfk cNVSDlbZMsaSpgchJA8MudTaFs052AICQZEwJgQg24oKFWlVfxVF/JG4AqlnxhtH6MVoZ bsQrEWirIn0t/4CAkGTMCYEIN/lj6dTPZ5CoHkB36AB5nYmGJWnp79ESeMJRDMojSDQAg I8yTAmBCCDDxAH68UiuM2M/8lwFNE1IgAD7iDj02ZVdfuuxpKpIAICRMEwJgQgLY8RJzD LqMd3b39duwPy9sGs7SNkuaIi1n6ypeo/7skCAkDGMCYEIP4vxPtViJ0bfMvG+zwOceLl NZiYuhssqcF9DfDdGDRtAgIvPTAmBCCp3Dh8bxDaR1RO0nULrVBRQtGNfkBtI1eDeio+r DtKQgICNzMwJgQgXfNe8W9TqCUNjiRgm2Qad0NqL9P0PApp2BfAq4uQrJgCAjmZMCYEIF iVADAOnlYoqnXQn5YsnYbvLc9xIbJ3ANOi5qR21a3yAgI9lzAmBCD5S2gwoQ93W3hgEH2 UGsJ+zCW9iyqM4XXqB004ttnAYAICS+4wJgQg+AtLpyI/11sXB+wfyQOLKtFtbybh7WZH DjKwj/D/dnsCAkJfMCYEICXUfPECIBOTdi97KUK7rNBmbcSET0hDOKDFrsGM5nMqAgJD9 jAmBCCwQ88xfgpyEyAQEDLHlK1dn9lo1WwnCDsb3oKQJv7EgAICPy4wJgQgqBdlKM+0SB inwuEWLGzQWxYGlFnNrXFl+jm5Zz3Nn6gCAj5hMCYEIFBgaunZerApwsFUAo1yR2lGvvA Xq9/9+ujZ8JjU0smcAgJD9jAmBCC4kogNf8/ixq2OMQmKnbnmZa9bYgXKTKyzQCxeTNIt 4gICPmMwJgQgpHaEW/yBLT7Ov6voW42VvoULe1ElBodkhfKy2cLk+rYCAksjMCYEIJSot RDbW5tq7yj1fxgeWhv8zoBvgv/PI7qtG68Dsu1CAgI/LzAmBCD82iIe/5q4LEVwCCUxDC 0KCvouOIWGBOUQ/p28B6ZwsAICOZkwJgQgbmMk0zGC2W2BWxsI5JrNMXlWeIqDxDTd6md T790OwZICAki8MCYEIBpl1R12qiQkIqyS0MJxEgmjPSQAwNLHa2/76OGBJxnaAgJIvTAm BCBboykRJ8LgZPDDH3XRrKAgD9y5f2X3Mh/oUWXuKdNKKQICSL0wJgQgGMaUl5lmiraPE n/Dy4LMDEC1y9ZKIuSiltY345kYqwcCAjgBMCYEIKMU8mSY3VaDe2OUSMqQljO9pBOOUf qHaZhXr/W9P16UAgI1njAmBCBIVFaif9OaLLsEyoozVHBuY4usCebsHsxoFdy9gVdOzwI CTLswJgQg4BPZtxSjMNlDAKNfywsKnRR0i1/eTamhuL+sIfHP8msCAki9MCYEIPemzsZd gSMJfoCw138KI29jhz4vyEy7TcV6pDQe67chAgI6ZzAmBCARX3LYNiDjUsn5gQe1AWNTF vXVJKpnRNMYEeA+zbsJkQICPy4wJgQgJQbTN6bSga5W+5i7BaT+RT4JjBlV+lCyuKTlW4 o9S0cCAkWPMCYEIEmr1s3jwOenh9RoVPFXcNFQePCe8nbAERKrKyapWzSoAgI/LzAmBCA rVG5vjeRsa4RDnVpOekadVMVlhnAwwEBNN5fGvAMBAAICOM8wJgQgVjT0UBl6u2/LnVzM uegzxjlAtPDACnWdO2jQ2J3IpKgCAkseMCYEIIAR2VegdynTimpRoFXhwYecP46WgWsOh W1/5XszgfdGAgJIvjAmBCAn1brvvPX//9sM6SXrRCNDImNHrey0c7mU3xXQSW7FoAICPZ UwJgQgPQeqNYTxJ1pEfneXkPhvoMiSQUp2aV7NzuHLOFd4ebsCAj2WMCYEIMYgsgE7Emg F9wzxLpwXYMDiVKOMmxY3azev/8gGxi8tAgJDKTAmBCBBzmZ6wcIbV0VpyM6n0M/qRl6y nH6IfEYgfKTOA26z9gICTLowJgQguthNljocxUcIGMHnuvWYyL6tBsq/8R1ei/RsQKahT msCAkZZMCYEIC7Ks7X/jb+isMNyUpRQEOHcDpr8pDuXeY0aVzl4xesfAgI/LTAmBCA7RY HzFRNmJYdnwCVb0jU77cR9JQB8HqHCv6AiQ8SlogICP/kwJgQgnh9lnmv6KSL3ny2aWcN PQD9/fqRxydUKT4bepF11s8MCAjgCMCYEILJTBb/33UUkY6DOdinhSSqHG+hT8p2zMliq kwUu2rItAgJEwDAmBCAM4bqBDe1v4ZfffMuU7oj6kkkgtd0t+zXNgQufo12giwICS+8wJ gQgueoq/RQW14ZGgyW/VdGg2M5EzqoW7mvnUjQIOAFb77ACAkTCMCYEIAJvtz6Eb3dPpP k3q0mPOkP1VRBYa/GgY/rXYzfetrO2AgI+YjAmBCD2ys9+Gzi6tA3MDq2g2t9z+sdVngk KD4OdXl6NDg03/gICPmMwJgQg88ymxXKkq1NeKsg25UFsMhVcOO+mXqqRjrFClzIhEIQC AkDHMCYEIGaxs2DRUI7NvCzWyJxdQNC7isr+kHriD7SE/FXlqO64AgI8yzAmBCC8ORrVW K3G+jOQk8Uvpb0Wy8Hey/XvtBapYuAUIK9dGQICQ/QwJgQgbCh7NIxB0CYFuRXiZcGf/C a8rf+Qdf+QpgivLE8i/tsCAj8vMCYEIA8jsS5wh4WDmiBy8xz9nr5nD5MT99QcCeHqM9l 4MnhrAgJJiTAmBCAnaKsbEE0G4GDicwfz9sDx9Cw1KER/vGIZOXGkDnH/egICQMcwJgQg 3zZIcB7DIrxb4Q3zevgFjmRArwPceMi6e8yWUrQHn20CAkP2MCYEIInswVJqKRddPe8Y9 iSGQyBxK/Lf0rwURctIu/CGyJOpAgJSTjAmBCDdy6WhOSuoYZDNh59NfTbkauSm1uyS5c /XvkBfkxGn4wICPZYwJgQgWlPx0zYnwBShJxszztasKd49A3Il8cfqqT5FQZMWf38CAkm KMCYEIJjq08N/JX5NFFVdJmgvxmG5Q66KMm0QF1Vhn1lCuCx6AgJAxjAmBCDwQM8JvwPQ vlCyw6WqA4DtUgzfAsSvQt+tPtt8wRC/QQICO/8wJgQgzjsw75K1vrKh7uEEljRyJlJr8 a90QvkWSjLRg2vhmwYCAkvvMCYEIEnuAEb1foxUnpWzZ23HqOPcN1MIcTfOj3PSCdmBAd csAgJMuTAmBCB3C/cPEYA8tW9GmQYIpPWax5EKc/Zz9XNhpQlweQWZ3QICPZUwJgQg9AV QrKWCVHGE7GZ67jE10Yf7AoS9qzv/uAUeBWg1OnMCAkMoMCYEIBVAH0wPkeI3wXvFQRob zp0qLKUnEc1aZ3Fh5j5kpfpJAgI/LjAmBCCnmKBkVlqYi1JCGsiIJePpEu+sqlhhrog/D ma/2XqqgAICSyEwJgQgI2gf7h21qgaeC71D72B9VskQSmc1jnw6JDY7JRwfT/ACAkDGMC YEIGthUkNF8cObA7zJlGekoWfamGu9lOGXSDBQctwHZOc/AgI/LzAmBCCEMVbli7ike1Z 2yRlUBqPw/8wd/TkC6TTqR0owbRjOMQICR/MwJgQg1ZOPRJhUzEFXtCV/arZnp4uGqHNW H6JFNQ8UhoswbngCAkDEMCYEIOndmi/+jQ2++O5gRTEjjLBszmVi7pBCMCMrUs2wB8f+A gI+XzAmBCD8dQm7VCK52xokiFkgJRJL3/U7JceOQ21vu8FBB1r1wgICRlgwJgQgSO6a2V qH4vXsgXkD13LGCOjwAhSTYjUlrUBXOWUWmWgCAkJfMCYEIKBLFgUB3lJ5T6yZBCk7dom M3OW4XKJZh02GUJCm4SF6AgJRgTAmBCA2exdb0uH32yIPWFxwogpaERMkC4vj0sxmEgUw EIPrLgICQl4wJgQgX0xFcorirB+SK2SUXyYPLhoPSYXzLWE5o8wVHVbhB2UCAjszMCYEI FRTaqDdkVZcVHBW4TGgQtpTtCd8DIBUyDRW9np6M7euAgI/LjAmBCCRSk4M59k8rhUqcP PA6f2lVS8qhaRAb2NbFCN2M/uHWQICR/IwJgQgGJJ8cBg0iNM6/QdQILsMbTquhxF5arP 6ZgwYEwfk8+0CAj2XMCYEINYrOXjqnB8EQn0d1IQ1Ipn0gZjo6krGh2EYOwn7Hen5AgJE wDAmBCAyXckAVX2/Dz57+iJFs5Icf8eUMT9I0b2MWDG0gRKDXQICP/swJgQgSVgbBx/4X T/2hPogXV8MPA5dwA1m0q2gGZzVKH68P8wCAj/7MCYEIClfwSrqY4RnPniQdrNMzH7AKe JMVbNPxkWPi/qE363dAgJJizAmBCA544gg0rS9GU4gG4p2wr6FfwtrUVufS+/9rIHvili ncgICSYswJgQg9FRuesNlpRek7jXdLVVYunwcRLb9doA62yyEbvNTXX0CAjQHMCYEIMAA faQwhdKlsWFz9RzvTQh2/ESGaQF0Q0tjMih31NddAgJH8zAmBCCl9P1vxLv+VIxDI6Eam imf/5BR8AcmvOF+bxuP4vRGfAICRMEwJgQgfoaXT2mGxLY/Ob3Tl0wIHCNGZdvOSlssAE Nv4R3BvZ0CAkMqMCYEIHlof9g+o9SUgSAGQ2EtVXbtDACiqScJ/IhNan2KRnNHAgJHJDA mBCCXjPliITDIuhUM3ZqrAvNX2E+vEmZ031YvQJqDjSrsvQICQMcwJgQgm+0Vx416esms pxxKD4c0S2McWdLqmz4xnypt90x45lgCAk5TMCYEIJ0KCRIm35/pVY17REipoIi0K/goM XhM5mmjtHmtuT1+AgJDKjAmBCD7lJmSu9YsXcxIy+1gmUYxuwc5vc/NpYgq2g8lTDBqng ICRY8wJgQgZG9TqRGWnuQ1qfcE2lUUDJNXhgbduDiQTqd4e1AlXEUCAkGTMCYEIAqqVPh 0do6/dmHHOZhhdJ2KnqA1E0oVgZmZ3/OkjOOLAgI7/TAmBCAmxQMBjHFMHHgokuF59mNZ oFbl41DV0qi3rh3EoqjdXAICPZYwJgQg8yXQ6vY/KdrQEO7xs26S7isiDtGQC3k9JgmPK 12G6loCAkJcMCYEIJHMC6//KuoppKAHO8sXbBYxDl6Bn/cUuhP4GpvvZ13ZAgJDKjAmBC BXdOTQ4Uc3ihk2XzeThCv0eSO5hicUQ98pTfRCq6xXqQICR/EwJgQgUPJfy+Xq7rkjwCv JK6ru2yRxNtywwwIy65JfYLR/j84CAj/6MCYEIASsv2w0ToqnMDJKL/Va1RrOuLK5/6ll 4k21fZoiiPlCAgJP6zAmBCDT0n+sCMW4PhdcQiYu0y678KjlDjkeVBMJaUlEfL2IcgICO mUwJgQgU3HEjdkO7XLMG2bmuU+eroMdsUD7IJjVd/mWXKlHUmECAkpVMCYEIExE8Vi+T+ 3Zxh9wwI3mqUl5kpO/7kPViONQmv/2fVPdAgI1nTAmBCB6NS2c7hHgUfF6zYWLTVbDnAU ztPpmELB/6PcknrQRvgICQMUwJgQgN5+qsgtkVs1DoznIHCRFGems4vF/8MXvELJ/JR3m fhwCAkfyMCYEINPEOBxHx1i8QTz8dTY7ztC3Ut1OkXS79v41vJ7rBfAdAgJPHjAmBCD5q pWCh+lIHiW3MPHq/5f6Z+dZ8TfTgEJ5MqhjR1NjJgICPy0wJgQgdqWrpRWM0Kmk7Cw5Dq 6ClVRT+3T8tKPA2ZXLifuTn/QCAj/7MCYEIM9qgtaQC9RyRBu1WdM/XSUCtFfXqSFadcm q0dAryrUgAgI/+jAmBCAF3xizmbQIrHpSID3SzV/LB4UoYjdhEGOG+/TgP2ImDAICPZYw JgQgzAsIDe3o9/TCB5w1ftflaiDfO049Wmt9BTDJCOLu+GgCAkP2MCYEIHaOTcw7oC+2H k/NI6Eh1vsJRvo2RWD5sWURZ0F0qLwhAgJODzAmBCBsSfcTsZXq9EEtXAYrerJS9zDA39 RxLDloOpbKrhBA9QICQl8wJgQgnNoobYKqzBglJ5Pw1mkBCQweT4iZyjzJPDuM/uG559g CAjjOMCYEIJ0p9rSsg2lYMUa8VFqVZplkqlEn9bvkAMVp5x18Y364AgI3NzAmBCBQd16c NsSwy30XuCtI3M9j6Q5bnZdqjHIUZozG+QzOcwICOKIwJgQgkmLBowUIE8wYO4P9bpeKc rlitxZWuS+w5Ln6KlRPbrYCAj5hMCYEIGMd6IiQEHcKfij2FrnKTvYkDhJ5g8uCFDdgA+ Jr5yJ2AgI/+TAmBCCPcWuPpPKFAILCyrtvUj05K52MGVzQCLEXyQW0n2OCewICQl4wJgQ gu/1jZk6dg8MNt3UpFZmV0hg90+qKXeypSK4416AjbuACAj2WMCYEINCrhwbUxtD83LrE 58NPGpjXsfoDInyjJKE6LbBCtJdZAgI4zzAmBCA6hMsuP177KE2buf1VcoN4fXuCh0yjS VAFRK7ytTUkNgICPMowJgQg9YxJU0NKjXXQoljQkOLY3ZqYMWiIikyKUu0hkhUa7KACAj mbMCYEIJ0NVZs9o7FnwHnygniUvAWYtJR1VMOiJJ1TYHLDOL+6AgI4AzAmBCDFekPZ2Qg ESuQ+xRhauGsTvTgsclIsoga/8HCms+TIggICP/owJgQg9iWTgRml1RJRE3u0q5Q6zl8C oKMooD+Q7oz1kdNf75gCAj/5MCYEIMs7/eck6d/VeSQzlyrroLOagyV2QLXxXENsFXqYH gJJAgI6ZjAmBCAkqjhrUQ+9qofaokuSF+Jz7LWAyBvUYSOn89qv7tuxdgICP3wwJgQg/C 7mvz0TEDzSIVxau2non3Z5yE0RhXQAF1ThJj9p48kCAjXiMCYEIIaU/06NcQnr+eeraHr l3Bco5mTopnT7o0gai1Qiv369AgJESjAmBCBgqkUMpsRvQl9gldMoaRtHflNWW0YEMzmp g1GwRcObLQICQEkwJgQgC5JjhUueyDrBi1CX+6DYsmx3P1fgZWNgx8R0EiTPny0CAkWMM CYEINi6PvXaOO/wWCRyEmINw2gTnPqJKZeXpek+/RsVHbnzAgI3NTAmBCAJTdNkxQDuAl sgy3jH0YjDDyEzAqHN4se8ua9JNhhwFAICPmEwJgQgke6G46FoYOQ06Gv5Wno621xoLZt 3enSh9VwB599H/bgCAkTC

Example ErikPartition This object was retrieved from http://miso.sobornost.net/.well-known/ni/sha-256/_i_E-1WInRt8y8b7PA5x4uU1mJi6GyypwX0N8N0YNG0. MIIvOQYLKoZIhvcNAQkQATiggi8oMIIvJBgPMjAyNTEyMDQxNTAyMDhaMAsGCWCGSAFlA wQCATCCLwIwgckEIAAuJaN8fwRVh+BM2iQU8zwmQ0o+2bRk7aThmHrNmZYSAgIHzgQUf/ yCWF32m3yUsWphky/8i24zUVYCAhM0GA8yMDI1MTIwNDEzMDIyOVowdjB0BggrBgEFBQc wC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvZTQvNTMxZDJiLWUxNzAt NDlhNS04NDA0LTkyZjczZjU2ZmM2Mi8xL2ZfeUNXRjMybTN5VXNXcGhreV84aTI0elVWW S5tZnQwgckEIARfyrvCkwvGfG5+Bnlv9ZPVC+mpSDNaOoEeLrEKI8jSAgIIpQQUfz4LJ7 jk15j5K53hV/HaWkPNSeUCAhGZGA8yMDI1MTIwNDExMDA0MVowdjB0BggrBgEFBQcwC4Z ocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvNWYvYTBjOWFjLTNhNDctNGQ2 Yy1hYTE1LWE0MmVjODc3NmZiYi8xL2Z6NExKN2prMTVqNUs1M2hWX0hhV2tQTlNlVS5tZ nQwgckEIASOuTJhwS/R5SCAryuRoUMtud9WKyjk8QuPAwfUp+4nAgIHzgQUf9GKakmRDM Mx3JERSuWbcYXV8w0CAhddGA8yMDI1MTIwNDEzMDAyOFowdjB0BggrBgEFBQcwC4ZocnB raS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvYmEvMDk0N2YyLTIyY2EtNDdjYi04 OWFkLTNlNTBhNWYwMTk5OC8xL2Y5R0tha21SRE1NeDNKRVJTdVdiY1lYVjh3MC5tZnQwg ckEIAn+REFBkuOombiOjqMzWBPv1ZOv4G9Es10+CrKkEhFvAgIHzgQUf5tM/cmw2ePDHg 67gebxscu9yeQCAg08GA8yMDI1MTIwNDExMDA0MFowdjB0BggrBgEFBQcwC4ZocnBraS5 yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvNWIvODI0NmViLTg0NjktNDJkZi1hMDhm LTkwYzQyMWY1NWFkYi8xL2Y1dE1fY213MmVQREhnNjdnZWJ4c2N1OXllUS5tZnQwgckEI BPL0xOSi2ax+UmPYqJpAp7fbvj7+q5bP13SDWtbiC2GAgIIXwQUf1byiUjIMvLUNLtE1d 4OoSJgGwUCAhddGA8yMDI1MTIwNDEzMDEzOFowdjB0BggrBgEFBQcwC4ZocnBraS5yaXB lLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvM2EvMjFmYmNhLTgwZTAtNGI4Yy04NjIyLTRl ODZhZDY0Zjc3NC8xL2YxYnlpVWpJTXZMVU5MdEUxZDRPb1NKZ0d3VS5tZnQwgckEIBi5m euqRnbENZo8+6a+7cuE8rM0N+CC1RKoU/3F3I0YAgIHzgQUf9YuQsCOFgHEVx4NiKNJoF Cd6l4CAhLkGA8yMDI1MTIwNDA5MDA0N1owdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5 ldC9yZXBvc2l0b3J5L0RFRkFVTFQvNzgvYjkzNGVlLWM0YmEtNDM5MS04MGIwLWU3NWE1 ZWE4OWZkMS8xL2Y5WXVRc0NPRmdIRVZ4NE5pS05Kb0ZDZDZsNC5tZnQwgckEICFoZHl/u Qsrstxg5jVsF0o66a2URqYEMxsstCBR6ayzAgIHzgQUf5LfdhDwSPQ79EwzbUHGwRV+8O ICAhbvGA8yMDI1MTIwNDA4MDA1N1owdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9 yZXBvc2l0b3J5L0RFRkFVTFQvMTcvNThiZTE4LTJmMzUtNGM2YS1hYTZhLTdmNzJmNDRi ODk4Mi8xL2Y1TGZkaER3U1BRNzlFd3piVUhHd1JWLThPSS5tZnQwgckEICJ/nn7xrOg89 rSC9x8XbrMpnzbgswNkXhjpyNpNg7xcAgIHzgQUf6gWozONMnQc1P/49J3bLMg4/cUCAg TNGA8yMDI1MTIwNDE0MDA0OFowdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXB vc2l0b3J5L0RFRkFVTFQvNTMvYTQ1MjhhLTkwZTYtNGQ5MS1hNTJjLWYwNzE3ZWE0ODVj Ni8xL2Y2Z1dvek9OTW5RYzFQXzQ5SjNiTE1nNF9jVS5tZnQwgckEICQswPX3MVLYQZFbS l9SvftV8NECr6wRKoRko58Wx6ApAgIHhAQUfwdXwzGYHgQrdHE3NSfQ9koTVrQCAhMAGA 8yMDI1MTIwNDEzMDAxNFowdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l 0b3J5L0RFRkFVTFQvNzgvNGY5NmY5LTU2OWYtNDMzYy1iOWE4LTZhMjYxMmQ0MGY1MC8x L2Z3ZFh3ekdZSGdRcmRIRTNOU2ZROWtvVFZyUS5tZnQwgckEICYTBJJUQ+3w2gdXgi1HA Jjk2s9bQz5PRmBs7DERRx6QAgIHzgQUf1Eig3R0LfVEqpMFjFo709FkIZkCAg7NGA8yMD I1MTIwNDE0MDAzNlowdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J 5L0RFRkFVTFQvMGEvOTM4NWFhLTFiNzktNGEwMi1hMDkyLTAxZWIwMzY4NGYwOS8xL2Yx RWlnM1IwTGZWRXFwTUZqRm83MDlGa0laay5tZnQwgckEIC/IQ9FAvMaiWcF/A1bZhKB/K fg74+e/3Zie2YQJWF6TAgIIGAQUf/G4HP5quxGOl+AyW2Yur5hPL2oCAg3IGA8yMDI1MT IwNDA5MDAzMFowdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0R FRkFVTFQvNzUvMTg2YTE4LTVkN2YtNDNlZC1iMDZhLWNlYTdlYjM1MDUzNy8xL2ZfRzRI UDVxdXhHT2wtQXlXMll1cjVoUEwyby5tZnQwgckEIDklLMNoL6OCi5h03aH7ugigQwxCL LSnJc4vCdXALsLKAgIIGAQUfwOh+MM0/b9LeN7wxZL/BJDd9LACAhcUGA8yMDI1MTIwND A5MDEwN1owdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkF VTFQvNjYvM2ZlMWEwLWM2ZmQtNGJjNC1hYWUxLTllZTAwNjk0MmI0Yi8xL2Z3T2gtTU0w X2I5TGVON3d4WkxfQkpEZDlMQS5tZnQwgckEID+yS/tG0LHqjZhYiFes2AulvPEr2jvxX 6JafPugnT66AgIIpQQUf1FerQle7ZrEyrxatK0LWGfZ8BsCAhdyGA8yMDI1MTIwNDE1MD E1M1owdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQ vYTcvNWMyYTU5LTYwMjUtNDAwZS1hYjI4LWYwYTYyNGQ0MDkxMi8xL2YxRmVyUWxlN1py RXlyeGF0SzBMV0dmWjhCcy5tZnQwgckEIEAJIGXKzi5KGpg9za9IYPb9rNuRdp0Xq0hpf jWdkseGAgIHhAQUfxTOgQO3hfNQS8SzLx9Mm3DOP38CAhAZGA8yMDI1MTIwNDEzMDIwN1 owdjB0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvYjY vZjY5ZGJlLWUwNzUtNDQzOC1iNTNiLWY2MTYwZmExZmIwMi8xL2Z4VE9nUU8zaGZOUVM4 U3pMeDlNbTNET1AzOC5tZnQwgckEIEJDHaQBqaPqUOmcWhoXHmh3rsqoX7YJvabsaFaGJ 6rIAgIHzgQUf0OdlCQm/Gc7J5zJirNf29fql/UCAhL0GA8yMDI1MTIwNDA4MDAwOVowdj B0BggrBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvMmEvNjl hMDlmLTU4MDktNDY1Ni1iMzU1LTE0NmYyNTRhYzEzMS8xL2YwT2RsQ1FtX0djN0o1ekpp ck5mMjlmcWxfVS5tZnQwgckEIEhlydQkfZ5hlO8WFKMoq4jVWC1ibENRvls7Mk/LDNRdA gIHhAQUf3NriKAkBNQwS92tX/VQSmgz57cCAhdZGA8yMDI1MTIwNDEzMDAyNFowdjB0Bg grBgEFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvOTkvMGYyNWN lLWI5NzctNDg1My05ZWMzLTllNTZjYjU0ZmVmNy8xL2YzTnJpS0FrQk5Rd1M5MnRYX1ZR U21nejU3Yy5tZnQwgckEIEkvZOd3R7XuMXNDeK0KvwD0xuGRuIn68D+LMvUdExSrAgIHz gQUf/F65Ue58mQeYFd/5VPdtvdJoIcCAgSbGA8yMDI1MTIwNDExMDAyNFowdjB0BggrBg EFBQcwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvYTUvMWJjMGY5LWJ kN2MtNGY3YS1hNDA0LWE0M2ZmMjVkNDQ3ZC8xL2ZfRjY1VWU1OG1RZVlGZF81VlBkdHZk Sm9JYy5tZnQwgckEIElWmkxQ5zDn9kEarEVcGzsErwGm3tzMoTxHPecasDNTAgIHzgQUf xiK2rW1UggeysghybCQOUhzsxUCAhHMGA8yMDI1MTIwNDEwMDAxOVowdjB0BggrBgEFBQ cwC4ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvOTAvYTY1NTIyLWY3YzU tNDg3Yi1iN2I4LTJlNDYxNDE0MWFhNC8xL2Z4aUsyclcxVWdnZXlzZ2h5YkNRT1VoenN4 VS5tZnQwgckEIEtpn6WHoN8NxcWAH8mINTC00JjclA2iob0AXGaoyitsAgIHzgQUf4Xpk DVDl+NsDKkDoMYgx3Ce/c0CAgOLGA8yMDI1MTIwNDE1MDA1MVowdjB0BggrBgEFBQcwC4 ZocnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RFRkFVTFQvNWUvNGFlMTc1LTU1ZDAtNDg 0ZC04ZDExLThjOWQ1ODIzYmFkOS8xL2Y0WHBrRFZEbC1Oc0RLa0RvTVlneDNDZV9jMC5t ZnQwgcgEIEw7N0lIjFqhAU+x7UhDiLTztgGCkJjcM1aExmZ+/IVEAgIHgwQUfzdyg9fCN ak9x70rgxeydI8oX/cCAU4YDzIwMjUxMjA0MTQwMDQ4WjB2MHQGCCsGAQUFBzALhmhycG tpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC85Mi8wZmFkZmMtZjQ5Yi00M2U4LWI 2MjEtODMxZTI5NDRmOGZhLzEvZnpkeWc5ZkNOYWs5eDcwcmd4ZXlkSThvWF9jLm1mdDCB yQQgTdA6hGjvJpvIMPMWoYa7GkUWCpYRzqgfLiUxTPHP/0oCAgfOBBR/WLwIZBL00sVPo HAtks4lSWzkeQICFNUYDzIwMjUxMjA0MDkwMDQ5WjB2MHQGCCsGAQUFBzALhmhycGtpLn JpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC9jYy81MzA5MzMtNTkxNS00ZmYyLWIxZjk tNTAxMGQwNWY5OWE4LzEvZjFpOENHUVM5TkxGVDZCd0xaTE9KVWxzNUhrLm1mdDCByQQg U2ajfTLVQztCItG4YsnY6d/RR7JsEdVY0XXJdMVsMTcCAgeEBBR/mRjKtvHzXvG15YPLK Dnpt0ixWAICFDEYDzIwMjUxMjA0MTMwMDM3WjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcG UubmV0L3JlcG9zaXRvcnkvREVGQVVMVC8yNi9kZjgyZmEtMTE4ZC00MjE5LWJhMTYtMWE 5NjgzYzlkNmNiLzEvZjVrWXlyYng4MTd4dGVXRHl5ZzU2YmRJc1ZnLm1mdDCByQQgU3Q3 3ZpCBQ9QzulCZ/QmDp2KvNQyeNnef/nECRuq+awCAghgBBR/K6ht94eIj2+FkqgGpv/qM EbAegICF2AYDzIwMjUxMjA0MDgwMDQyWjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubm V0L3JlcG9zaXRvcnkvREVGQVVMVC82MC81ZTY3ODYtNjM3Ny00MjI0LWJhMDYtZGM0NzY 5ZWZmMWY1LzEvZnl1b2JmZUhpSTl2aFpLb0JxYl82akJHd0hvLm1mdDCByQQgVnzJtl+K o+oJONvoZGMHz3kRyeB9lRMKBAQ6qxSKsiwCAgfOBBR/+wEVxKzd0bStxAc3gHJqz8Aa+ QICDGYYDzIwMjUxMjA0MTUwMTUyWjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3 JlcG9zaXRvcnkvREVGQVVMVC82MS81MjY4ZmMtY2ZlZS00YWE4LTk3YmYtY2JlMDIwNjY 1ZWZlLzEvZl9zQkZjU3MzZEcwcmNRSE40Qnlhc19BR3ZrLm1mdDCByQQgY0ifWJ2GsfuX IMj9nN1WaHuqDVhN3K68pHV4NTZfuuECAggYBBR/4OdZNU6DzBkyA4EQneItoPGnAAICF 2IYDzIwMjUxMjA0MTAwMDE1WjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG 9zaXRvcnkvREVGQVVMVC80Yy8wYzcyNDMtMWZmYi00OWQyLWI1YzEtYjQwMmU4YTFkOTM 0LzEvZi1EbldUVk9nOHdaTWdPQkVKM2lMYUR4cHdBLm1mdDCByQQgd2zljs3nkCt8UVyi os6rkkzEKWDoYADAKt6+BKg2+8YCAgeEBBR/SuV+5uCpxRAfwUqHpTNBULurRgICBqsYD zIwMjUxMjA0MDgwMDU1WjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG9zaX RvcnkvREVGQVVMVC8yYi8xMWZhNDQtODg3OS00ZDE5LWI0NjgtNWI1ZDk4ZjUzNjFlLzE vZjBybGZ1YmdxY1VRSDhGS2g2VXpRVkM3cTBZLm1mdDCByQQgeUGGVlrsbtS7J84seSOi 9pC1lVUD47HrY5uru1+ZobYCAgfOBBR/dzTf6hIGV0EuqGfdvHuE0TK/eAICEAoYDzIwM jUxMjA0MTMwMTQwWjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG9zaXRvcn kvREVGQVVMVC83ZS82ODAzMjQtZWUxZi00MGYyLTg4ZGYtMTk2OTMxOTYyZDNjLzEvZjN jMDMtb1NCbGRCTHFobjNieDdoTkV5djNnLm1mdDCByQQgi+WJ0QBPQdU2YnA1Zw3In5jt 9/YyT1/HgWXUL0pQSBACAgfOBBR/7j84IHPyw+T8z/yjhMWwzYJsJgICAy0YDzIwMjUxM jA0MTEwMDI2WjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvRE VGQVVMVC9hNy84Y2NlYmYtZjlmYS00YzQ2LWFlZTgtY2NiZmE3MzQyNGE3LzEvZi00X09 DQno4c1BrX01fOG80VEZzTTJDYkNZLm1mdDCByQQgkcSCxNhKVQ6BvKI16mfKJFlL9l0D IlQSi4IMrUzpygQCAgfOBBR/MSsJ0faQ8lcAvV3PB8kYDF6WYwICAIUYDzIwMjUxMjA0M TEwMDEyWjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQV VMVC9iYy8yOWRhYzktOWExNS00NjYxLWFmNzgtMTUyMmUyOTY0ZmNlLzEvZnpFckNkSDJ rUEpYQUwxZHp3ZkpHQXhlbG1NLm1mdDCByQQgltZvAuRIJ/xDUXp93kNCzDxYLudEfOCq acXiUGBBwJICAgfOBBR/KjK6QhloDc3Vj2EB5ceuwVQKcwICF10YDzIwMjUxMjA0MTMwM TA4WjB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC 81NS8xNDNlOWUtOTZlNi00NzRlLWFkMmMtMjJlNmRmNDU4NGFmLzEvZnlveXVrSVphQTN OMVk5aEFlWEhyc0ZVQ25NLm1mdDCByQQgmtm8K2eMiRRnahwOexCQWF1Pbn/kfh7yuFFX PQ1sNzkCAgfOBBR/NdWuQX9F7oUF12zqobNMRYOUoAICEDcYDzIwMjUxMjA0MTMwMTQwW jB2MHQGCCsGAQUFBzALhmhycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvREVGQVVMVC9lNi 9jNTQ2N2ItMzk2Mi00Yjc0LWFlMGQtMzQ0NzNiYzkxZDgwLzEvZnpYVnJrRl9SZTZGQmR kczZxR3pURVdEbEtBLm1mdDCByAQgnH4HVrP8PwRGFCkScCL5br/0bjjEzQr9e0AzckDu dkoCAgfNBBR/tQ59O3/SiUz7cOSUYIsyDMIVwQIBcRgPMjAyNTEyMDQxMTAwMjdaMHYwd AYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzk2L2E5MT hjYi0yMDQ0LTRmMWMtOTcwMC05MzYwMWEzNGY2MmYvMS9mN1VPZlR0XzBvbE0tM0RrbEd DTE1nekNGY0UubWZ0MIHJBCCeJ6QFC5ZmQ3/7vRs/OWVTILJZf36LiIafxWbxA6hJQQIC B84EFH8dWNYt3X5HryGW/XVLs/8meYkqAgIXWhgPMjAyNTEyMDQxMzAwMjdaMHYwdAYIK wYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzQ2LzI5MGE2MC 03OTJmLTQ0NzUtYTlmNC1lM2I5ZTBiYWU2YWIvMS9meDFZMWkzZGZrZXZJWmI5ZFV1el9 5WjVpU28ubWZ0MIHJBCClvw/fQEKWORP7i2VDQTPvks4urdw7SYu+gMiCAhRU9AICB4QE FH+LIYNYmDp9eiU4qdqbofNJTXGrAgIBghgPMjAyNTEyMDQxMDAxMDNaMHYwdAYIKwYBB QUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2Q5Lzc2Y2QwMy1lYW EyLTQ5NjUtOTRlZi05OGRiYjY0MDJjZGQvMS9mNHNoZzFpWU9uMTZKVGlwMnB1aDgwbE5 jYXMubWZ0MIHJBCCmWr1WUFj93xFgtJksPmNi/3mZFCpyG8Ol93vskWc2IgICB4QEFH8X tvkyOZ1YUJPRhzOU6/4bKfmMAgIO3RgPMjAyNTEyMDQxMDAwNDZaMHYwdAYIKwYBBQUHM AuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzMxL2NjMDIwMC1iYjJjLT Q1ZjYtYWM3NS04Mjc1NzdkZjhlZGMvMS9meGUyLVRJNW5WaFFrOUdITTVUcl9oc3AtWXc ubWZ0MIHJBCCv+kiA2AMtfiPp5MDsM9paEAw7fvlOjVRQZTYXLFDE+gICB84EFH9NWRwj rSxpR31/eh1M6OvO6VlsAgIFthgPMjAyNTEyMDQxMTAwMzhaMHYwdAYIKwYBBQUHMAuGa HJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzNlLzBkNjdhMi1iYzM2LTRiOT MtYjYwNC1kNGY1YzkyZDkwOTUvMS9mMDFaSENPdExHbEhmWDk2SFV6bzY4N3BXV3cubWZ 0MIHJBCCzpImTAdJ2HceoQv8KjfS6oCbuIsMTQHSsGnoDGtF9DwICB84EFH9Wid5KfOdo vzq12fhUboVsyxk2AgIXXBgPMjAyNTEyMDQwOTAxMTJaMHYwdAYIKwYBBQUHMAuGaHJwa 2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzc3LzY0ZDUwNS0yMjA0LTRkY2EtYT k1ZS04YjUzNzI1ODRhY2QvMS9mMWFKM2twODUyaV9PclhaLUZSdWhXekxHVFkubWZ0MIH JBCC2u0zcRDg/uLDop0zKZHTp3gieFrxul3EA+/D3OsWY8AICB84EFH8Xj69kAeLzcW4x dkVp33Md9Y8iAgIR0BgPMjAyNTEyMDQxNTAyMDhaMHYwdAYIKwYBBQUHMAuGaHJwa2kuc mlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzY2LzFiNzk2OC1jYTRkLTQ1ZjQtYjY3MS 0yZTdmNzg0ODljZDMvMS9meGVQcjJRQjR2TnhiakYyUlduZmN4MzFqeUkubWZ0MIHJBCC 4mKVCEz8nRv88uU7VdtvjP8PHaRPxyN1lc8HZUFxAIQICB84EFH9qjl1VwkmKgmNvmfj8 njGeB3ceAgIQXRgPMjAyNTEyMDQwNzAwNDlaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZ S5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzc0LzI3ZmNlMS0xMWNlLTRhMzItYTY0OS1lMD c2YjUxNzIxYWQvMS9mMnFPWFZYQ1NZcUNZMi1aLVB5ZU1aNEhkeDQubWZ0MIHJBCC+TTG 9Y4u4V/ZR0lzDibQ0mXzOo57fCyjHc0NZC1Q4zAICB84EFH8RQWrjkp3ze/ZqRZzTrKY4 kelGAgIXWBgPMjAyNTEyMDQwOTAwNDZaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZ XQvcmVwb3NpdG9yeS9ERUZBVUxULzJmLzZiMjJlOC0zZGNkLTQ0ZGQtOTUxNC02NzU2Zj diMGMwZGIvMS9meEZCYXVPU25mTjc5bXBGbk5Pc3BqaVI2VVkubWZ0MIHJBCC++Jit9K2 F1/XjfaJTH6xPtMLHpiJaHX8llKtSsECDoAICB84EFH8dDjKYvtOn85+zskTtkYv2xNe/ AgIVMhgPMjAyNTEyMDQwODAwMzFaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvc mVwb3NpdG9yeS9ERUZBVUxUL2Y3L2U2NTA2ZS03Njg1LTQ4ZTctYTU4My0yMWFmM2RlZT hlZTkvMS9meDBPTXBpLTA2ZnpuN095Uk8yUmlfYkUxNzgubWZ0MIHJBCC/O0jiSEwGtsd oyjEJLvSxofM64OqPL10SVvrDu4/QvgICB84EFH/j1jtKW0BLX/g8vysVJaMEd/ZcAgIE nhgPMjAyNTEyMDQxNTAxMDBaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb 3NpdG9yeS9ERUZBVUxUL2Y2LzgxYTY3Mi1mZTk4LTRkM2YtOWI4My0yY2I3YTNiNmU0Mm YvMS9mLVBXTzBwYlFFdGYtRHlfS3hVbG93UjM5bHcubWZ0MIHJBCDDnlIkB2AHFnjoeuu RmURoPcEZp2HB7xpFjvD93UGOxAICB84EFH/3TavU6xqhFHFE4VsCZp6YL95NAgIHCBgP MjAyNTEyMDQxNDAwNDRaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3Npd G9yeS9ERUZBVUxULzdkLzBmYmJmNS1jODNkLTRiOTctOWNlYS0wNTVjNDlhYzY4MjgvMS 9mX2ROcTlUckdxRVVjVVRoV3dKbW5wZ3YzazAubWZ0MIHJBCDIhBaSdTsKqyeZOGQU/75 eJhg79XTzm3XVAWTd1ZQkOgICB84EFH8z/EDS4DM7vHveqyvYWZVDAcDxAgIGphgPMjAy NTEyMDQxNDAwMzNaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9ye S9ERUZBVUxUL2I0LzY1YmYxZC1lYzFkLTQwZTYtODQ5ZC03OTc5MGQ2NmQ3ZDMvMS9mel A4UU5MZ016dThlOTZySzloWmxVTUJ3UEUubWZ0MIHJBCDXLjn63163Ca3eKPJ4GN73t/v GOvBRQZNoR+QZ0npD4gICB84EFH8km5VEYgaD+Us4inVRpopkk+0SAgIDjBgPMjAyNTEy MDQxMDAwNDlaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ER UZBVUxULzhiLzdhYTA0ZS00ODA3LTQ5ODgtOTEwMy04NDIzOTdlMzA2NDMvMS9meVNibF VSaUJvUDVTemlLZFZHbWltU1Q3UkkubWZ0MIHJBCDXa3ekyz4n1eIin/xnA8d0la2km47 PIvC1ft6ktr7efwICB4QEFH9R3x306IZ+QeXn+S3n+dH6DBVNAgIMQhgPMjAyNTEyMDQx NTAxNDdaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBV UxUL2ZhLzVlNzMxZi01MjhiLTRlMDItYWQ2OC02ZDkwMzVhZjE1MzUvMS9mMUhmSGZUb2 huNUI1ZWY1TGVmNTBmb01GVTAubWZ0MIHJBCDa9IYTxSSV2A0NrBtCs+pEMNVvdBr82u0 ZR5Uq5MY0VgICCBgEFH8WgCjsDatmimfVv29TWMqr4zeoAgILyxgPMjAyNTEyMDQwOTAw NTZaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL 2NjL2IxNTI4Ni1mZDRkLTQ5ZmUtYTY5ZS03ZmFkZjUwYTJlMzcvMS9meGFBS093TnEyYU taOVdfYjFOWXlxdmpONmcubWZ0MIHJBCDcnDayEa5hgjfhBtjmq2nvGXYR1i3/QESlKZg Ei3hK9AICB84EFH/JVqUrc1BKTx/zRUcZkpen9d6dAgILEBgPMjAyNTEyMDQxNDAxMDFa MHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2FhL zcxYWI2OS02OTY1LTRiNzAtOTY4ZC1iYjU3YTRlZjcxNTMvMS9mOGxXcFN0elVFcFBIX0 5GUnhtU2w2ZjEzcDAubWZ0MIHJBCDc/EzRgTf4Q9/QnJb4beTDyzGlMtLVUHCz5Og5/zR kyQICCF8EFH9QB30t2KZ6Gui2q9a7s0iQKKW7AgIXYxgPMjAyNTEyMDQxMDAwNDlaMHYw dAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzVjL2MxY zFjZS1lYTU5LTRkY2YtYmNjYy0zZTdjYWRkODhjNzAvMS9mMUFIZlMzWXBub2E2TGFyMX J1elNKQW9wYnMubWZ0MIHJBCDe6iYEgYQQo9TRkKLeQE9J5KtPmTlAiqB67zx/5MO/DgI CB84EFH+0PeI3/QtqKHOJIwkh0losLtGoAgIW7hgPMjAyNTEyMDQxMTAwNTVaMHYwdAYI KwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzA5L2Q0ZDEyY S1hYjRlLTRkYmEtOTVkZS1iYzYzNzEzMGRlNmUvMS9mN1E5NGpmOUMyb29jNGtqQ1NIU1 dpd3UwYWcubWZ0MIHJBCDicOM2K/zhxfbkbS3nPiK8mgUzMZo7+gpnWqMgT84LJAICB4Q EFH8pZlevjQDCX9dfVuzIoos1FQV1AgIQkRgPMjAyNTEyMDQwNzAwMzhaMHYwdAYIKwYB BQUHMAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2QwL2U4MGIzMy0zY mVlLTQ2ZWMtYjM1ZC1iYWY5NWE1MDZkMTkvMS9meWxtVjYtTkFNSmYxMTlXN01paWl6VV ZCWFUubWZ0MIHJBCDtUhQI96etZFj7+yPFh9/sjVYzqGwv+WgIYGmaPanWRAICB4QEFH9 +Xr1vpGnF43C/wQbE1KrR4duUAgIPxRgPMjAyNTEyMDQxNTAxMzdaMHYwdAYIKwYBBQUH MAuGaHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzIzL2MzZThlZC01OTdhL TQ4NWEtOTRhMy05ODJjZmIzNTlhZWUvMS9mMzVldlcta2FjWGpjTF9CQnNUVXF0SGgyNV EubWZ0MIHJBCDthtT5Zt25vilW+Nm/NmioBji8LrE5W+jpL7p7g1nCGQICB84EFH9C0nw h2obH6fv0SuDlbJjz0vgLAgIO+hgPMjAyNTEyMDQxMzAxMTNaMHYwdAYIKwYBBQUHMAuG aHJwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL2E5Lzk4YjAyNC05ZDhmLTQ4N jktYTJhOS0wYWZiN2MzZmJmMzAvMS9mMExTZkNIYWhzZnAtX1JLNE9Wc21QUFMtQXMubW Z0MIHJBCDup/9OUMMEskDq4ejhRGOl/NuOf352P0Vumb24WVg32wICCKUEFH/K2J3xv5m jbykMw+8PHntNAnUzAgIXOBgPMjAyNTEyMDQwODAwNThaMHYwdAYIKwYBBQUHMAuGaHJw a2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzU1LzlmOGIxNi0yODRmLTQ1MTItY jNkYy0wMTVkOWYxYjRiNTAvMS9mOHJZbmZHX21hTnZLUXpEN3c4ZWUwMENkVE0ubWZ0MI HJBCDxY2vdGydm1KSBwPAftN8mEtoSyEL0Q0RGBV1uVpX2SgICCo8EFH9r0aawRiXFcdg w+HixwCOCR0CMAgIGARgPMjAyNTEyMDQxNTAxNDBaMHYwdAYIKwYBBQUHMAuGaHJwa2ku cmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzQ4L2JjNjZkNy01N2FiLTQ3NWQtOTZiY S04OWI2YzMyMzE1YzIvMS9mMnZScHJCR0pjVngyREQ0ZUxIQUk0SkhRSXcubWZ0MIHJBC D1SG9gKO19W3/LSTHfYvgigrWc8AI/2XMDL5sRP/Q2LgICB84EFH/mixIjS9cDQwG8lrE 4quJ3hgo+AgIFyBgPMjAyNTEyMDQxMjAwMjBaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlw ZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxULzhiLzRhMTExMS04ZjNjLTRlZGYtYjc3Yy0yZ mEyNjMxYmMzMWMvMS9mLWFMRWlOTDF3TkRBYnlXc1RpcTRuZUdDajQubWZ0MIHJBCD1oD abbCroFrO3IcIz0FpMLzFnoyyAFoppbxl/VwXyUwICB84EFH/v69FfvGUUh6yvZ0JPR4P UPrQgAgIXWBgPMjAyNTEyMDQxMjAwMTlaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5u ZXQvcmVwb3NpdG9yeS9ERUZBVUxULzlhLzI2ZWY2My1iNzJmLTRiM2MtOGRmYy0yYmM4N DUxOTIyN2EvMS9mLV9yMFYtOFpSU0hySzluUWs5SGc5US10Q0EubWZ0MIHJBCD6zXkqe+ S/j+pkybBCNfNcQk+OqU0Ppvg0LCsfes02zgICB84EFH8+CHSJ7iOpQk1T+sIW7kuOASg OAgIW7xgPMjAyNTEyMDQwODAxMDZaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQv cmVwb3NpdG9yeS9ERUZBVUxUL2M2L2MyYzk5ZC1jZjkxLTRkZmItOTRkZS1hN2M2M2Q1N jJlNTYvMS9mejRJZEludUk2bENUVlA2d2hidVM0NEJLQTQubWZ0MIHJBCD7cg8rfmItI9 AKiqK+yXBusjLAUYvAQbN5kRdd7g/VFAICB84EFH8xNg/8Gv1fHaZtgUBORmNRLUlnAgI U5RgPMjAyNTEyMDQxMTAwNDJaMHYwdAYIKwYBBQUHMAuGaHJwa2kucmlwZS5uZXQvcmVw b3NpdG9yeS9ERUZBVUxULzJkL2ZlZjVkZC0zOGVlLTRiYzUtODJmZi01ODRkNzhhMjVmO GMvMS9mekUyRF93YV9WOGRwbTJCUUU1R1kxRXRTV2MubWZ0

Acknowledgements The authors wish to thank , , , , and for the lovely conversations that led to this proposal. The authors wish to thank and for their review of the ASN.1 notation. This protocol is named after Erik Bais, who passed away in 2024, as a small token of appreciation for his friendship.