<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-wimse-workload-creds-02" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="WIMSE Workload Credentials">WIMSE Workload Credentials</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-workload-creds-02"/>
    <author fullname="Brian Campbell">
      <organization>Ping Identity</organization>
      <address>
        <email>bcampbell@pingidentity.com</email>
      </address>
    </author>
    <author fullname="Joe Salowey">
      <organization>CyberArk</organization>
      <address>
        <email>joe@salowey.net</email>
      </address>
    </author>
    <author fullname="Arndt Schwenkschuster">
      <organization>Defakto Security</organization>
      <address>
        <email>arndts.ietf@gmail.com</email>
      </address>
    </author>
    <author fullname="Yaron Sheffer">
      <organization>Intuit</organization>
      <address>
        <email>yaronf.ietf@gmail.com</email>
      </address>
    </author>
    <author fullname="Yaroslav Rosomakho">
      <organization>Zscaler</organization>
      <address>
        <email>yrosomakho@zscaler.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="02"/>
    <area>Applications and Real-Time</area>
    <workgroup>Workload Identity in Multi System Environments</workgroup>
    <keyword>workload</keyword>
    <keyword>identity</keyword>
    <abstract>
      <?line 64?>

<t>The WIMSE architecture defines authentication and authorization for software workloads
in a variety of runtime environments, from the most basic ones up to complex
multi-service, multi-cloud, multi-tenant deployments.</t>
      <t>This document defines the credentials that workloads use to represent their identity. They can be used in various protocols to authenticate workloads to each other. To use these credentials, workloads must provide proof of possession of the associated private key material, which is covered in other documents. This document focuses on the credentials alone, independent of the proof-of-possession mechanism.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ietf-wg-wimse.github.io/draft-ietf-wimse-s2s-protocol/draft-ietf-wimse-workload-creds.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-creds/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Workload Identity in Multi System Environments Working Group mailing list (<eref target="mailto:wimse@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/wimse/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/wimse/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-wg-wimse/draft-ietf-wimse-s2s-protocol"/>.</t>
    </note>
  </front>
  <middle>
    <?line 72?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This document defines authentication and authorization in the context of interaction between two workloads.
This is the core component of the WIMSE architecture <xref target="I-D.ietf-wimse-arch"/>.
This document focuses on the credentials that carry workload identity and bind the key material to the identity. The presentation of the proof of possession of the key material is part of other documents and out of scope for this one.</t>
      <t>In this document, two credentials are defined:</t>
      <ul spacing="normal">
        <li>
          <t>The Workload Identity Token (WIT) is a JWT that represents the identity of a workload and binds a public key to that identity.</t>
        </li>
        <li>
          <t>The Workload Identity Certificate (WIC) is an X.509 certificate that represents the identity of a workload and binds a public key to that identity.</t>
        </li>
      </ul>
      <t>The Workload Identity Token is targeted for application-layer protocols. The Workload Identity Certificate is targeted for transport-layer protocols. This does not preclude the use of the WIT in transport-layer protocols or the WIC in application-layer protocols, but these are the primary intended uses.</t>
      <t>The various protocol bindings that use these credentials to authenticate workloads to each other are specified in separate documents and are out of scope for this document. At the time of writing, three such protocol bindings are defined:</t>
      <ul spacing="normal">
        <li>
          <t>Transport-layer authentication using mutual TLS with the Workload Identity Certificate, specified in <xref target="I-D.ietf-wimse-mutual-tls"/>.</t>
        </li>
        <li>
          <t>Application-layer authentication using the Workload Identity Token in conjunction with a JWT-based proof of possession, the Workload Proof Token (WPT), specified in <xref target="I-D.ietf-wimse-wpt"/>.</t>
        </li>
        <li>
          <t>Application-layer authentication using the Workload Identity Token in conjunction with HTTP Message Signatures, specified in <xref target="I-D.ietf-wimse-http-signature"/>.</t>
        </li>
      </ul>
      <section anchor="use-in-other-protocols">
        <name>Use In Other Protocols</name>
        <t>The credentials defined in this document are designed to be used in various protocols. This document does not define the protocols themselves, but rather the credentials that can be used within them. Additional protocols <bcp14>MAY</bcp14> be defined in the future that use these credentials for workload authentication.</t>
      </section>
      <section anchor="deployment-architecture-and-message-flow">
        <name>Deployment Architecture and Message Flow</name>
        <t>Independent of the transport between the workloads, we assume the following logical architecture
(numbers refer to the sequence of steps listed below):</t>
        <figure anchor="high-level-seq">
          <name>Sequence of Operations</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="368" width="352" viewBox="0 0 352 368" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,176" fill="none" stroke="black"/>
                <path d="M 8,272 L 8,352" fill="none" stroke="black"/>
                <path d="M 56,184 L 56,264" fill="none" stroke="black"/>
                <path d="M 72,224 L 72,264" fill="none" stroke="black"/>
                <path d="M 112,32 L 112,176" fill="none" stroke="black"/>
                <path d="M 112,272 L 112,352" fill="none" stroke="black"/>
                <path d="M 240,32 L 240,176" fill="none" stroke="black"/>
                <path d="M 240,272 L 240,352" fill="none" stroke="black"/>
                <path d="M 256,184 L 256,224" fill="none" stroke="black"/>
                <path d="M 272,144 L 272,176" fill="none" stroke="black"/>
                <path d="M 304,184 L 304,264" fill="none" stroke="black"/>
                <path d="M 344,32 L 344,176" fill="none" stroke="black"/>
                <path d="M 344,272 L 344,352" fill="none" stroke="black"/>
                <path d="M 8,32 L 112,32" fill="none" stroke="black"/>
                <path d="M 240,32 L 344,32" fill="none" stroke="black"/>
                <path d="M 120,62 L 232,62" fill="none" stroke="black"/>
                <path d="M 120,66 L 232,66" fill="none" stroke="black"/>
                <path d="M 120,110 L 232,110" fill="none" stroke="black"/>
                <path d="M 120,114 L 232,114" fill="none" stroke="black"/>
                <path d="M 272,144 L 344,144" fill="none" stroke="black"/>
                <path d="M 120,158 L 232,158" fill="none" stroke="black"/>
                <path d="M 120,162 L 232,162" fill="none" stroke="black"/>
                <path d="M 8,176 L 112,176" fill="none" stroke="black"/>
                <path d="M 240,176 L 344,176" fill="none" stroke="black"/>
                <path d="M 72,224 L 256,224" fill="none" stroke="black"/>
                <path d="M 8,272 L 112,272" fill="none" stroke="black"/>
                <path d="M 240,272 L 344,272" fill="none" stroke="black"/>
                <path d="M 8,352 L 112,352" fill="none" stroke="black"/>
                <path d="M 240,352 L 344,352" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="312,264 300,258.4 300,269.6" fill="black" transform="rotate(90,304,264)"/>
                <polygon class="arrowhead" points="312,184 300,178.4 300,189.6" fill="black" transform="rotate(270,304,184)"/>
                <polygon class="arrowhead" points="264,184 252,178.4 252,189.6" fill="black" transform="rotate(270,256,184)"/>
                <polygon class="arrowhead" points="240,112 228,106.4 228,117.6" fill="black" transform="rotate(0,232,112)"/>
                <polygon class="arrowhead" points="240,64 228,58.4 228,69.6" fill="black" transform="rotate(0,232,64)"/>
                <polygon class="arrowhead" points="128,160 116,154.4 116,165.6" fill="black" transform="rotate(180,120,160)"/>
                <polygon class="arrowhead" points="128,64 116,58.4 116,69.6" fill="black" transform="rotate(180,120,64)"/>
                <polygon class="arrowhead" points="80,264 68,258.4 68,269.6" fill="black" transform="rotate(90,72,264)"/>
                <polygon class="arrowhead" points="64,264 52,258.4 52,269.6" fill="black" transform="rotate(90,56,264)"/>
                <polygon class="arrowhead" points="64,184 52,178.4 52,189.6" fill="black" transform="rotate(270,56,184)"/>
                <g class="text">
                  <text x="176" y="52">(2)</text>
                  <text x="52" y="100">Workload</text>
                  <text x="96" y="100">A</text>
                  <text x="176" y="100">(3)</text>
                  <text x="284" y="100">Workload</text>
                  <text x="328" y="100">B</text>
                  <text x="176" y="148">(5)</text>
                  <text x="304" y="164">PEP</text>
                  <text x="168" y="212">(1)</text>
                  <text x="32" y="228">(1)</text>
                  <text x="328" y="228">(4)</text>
                  <text x="60" y="308">Identity</text>
                  <text x="288" y="308">PDP</text>
                  <text x="60" y="324">Server</text>
                  <text x="292" y="324">(optional)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
+------------+               +------------+
|            |      (2)      |            |
|            |<=============>|            |
|            |               |            |
| Workload A |      (3)      | Workload B |
|            |==============>|            |
|            |               |            |
|            |      (5)      |   +--------+
|            |<==============|   |  PEP   |
+------------+               +---+--------+
      ^                        ^     ^
      |            (1)         |     |
  (1) | +----------------------+     | (4)
      | |                            |
      v v                            v
+------------+               +------------+
|            |               |            |
|  Identity  |               |    PDP     |
|   Server   |               | (optional) |
|            |               |            |
+------------+               +------------+
]]></artwork>
          </artset>
        </figure>
        <t>The Identity Server provisions credentials to each of the workloads. At least Workload A (and possibly both) must be provisioned
with a credential before the call can proceed. Details of communication with the Identity Server are out of scope
of this document, however we do describe the credential received by the workload.</t>
        <t>PEP is a Policy Enforcement Point, the component that allows the message to go through or blocks it. PDP is an optional
Policy Decision Point, which may be deployed in architectures where policy management is centralized. All details of
policy management and message authorization are out of scope of this document.</t>
        <t>The high-level message flow is as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>Workload A (and similarly, Workload B) obtains a credential from the Identity Server. This happens periodically, typically on the order of hours.</t>
          </li>
          <li>
            <t>A transport connection is set up. This may already include the use of the Workload Identity Certificate with transport-layer security, such as TLS.</t>
          </li>
          <li>
            <t>Workload A prepares to call Workload B. This may include adding application-layer authentication information, such as the Workload Identity Token and proof of possession. Workload B authenticates Workload A.</t>
          </li>
          <li>
            <t>Workload B authorizes the call. This policy enforcement (Policy Enforcement Point, PEP) may include consulting with an external server (Policy Decision Point, PDP) when making this decision.</t>
          </li>
          <li>
            <t>Workload B returns a response to Workload A, which may be an error response or a regular one.</t>
          </li>
        </ol>
        <t>Depending on the protocol, the workload authentication may happen during step (2) at the transport-layer or at step (3) at the application-layer, or both.</t>
      </section>
      <section anchor="granular-auth">
        <name>Workload Identifiers and Authentication Granularity</name>
        <t>The Workload Identifier is a URI and its baseline syntax and processing requirements are defined in <xref target="WIMSE-ID"/>.
While deployments define how they assign identifiers and what the path portion means, implementations <bcp14>MUST</bcp14> enforce the URI requirements outlined in <xref section="4.1" sectionFormat="of" target="WIMSE-ID"/>.</t>
        <t>Prior to WIMSE, many use cases did not allow for fully granular authentication in containerized runtime platforms.
For instance, with mutual TLS,
there's often no clear way to map the request's external access reference
(e.g., Kubernetes Ingress path, service name, or host header)
to the SubjectAltName value in the server certificate. This means that the client could only verify
if the server certificate is valid within a trust domain, not if it's tied to a specific workload.</t>
        <t>To enable mutual and granular authentication between workloads, two things must be in place:</t>
        <ul spacing="normal">
          <li>
            <t>Each workload must know its own identifier.</t>
          </li>
          <li>
            <t>There needs to be an explicit mapping from the external handle used to access a workload (such as an Ingress path or service DNS name)
to its workload identifier.</t>
          </li>
        </ul>
        <t>Once these conditions are met, the methods described in this document can be used for the caller and callee to mutually authenticate.</t>
        <t>Implementations <bcp14>MUST</bcp14> allow for defining this mapping between the workload's access path and the workload identifier (e.g., through
callback functions). Deployments <bcp14>SHOULD</bcp14> use these features to establish a consistent set of identifiers within their environment.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>All terminology in this document follows <xref target="I-D.ietf-wimse-arch"/>.</t>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="trust-anchors">
      <name>Establishing Trust Anchors</name>
      <t>This specification expects that trust anchors used to validate Workload Identity Certificates and Workload Identity Tokens are associated with a trust domain and are provisioned to consumers together with trust domain metadata for that domain. Trust anchors can be represented in different ways depending on the deployment; for example, as a set of public keys (such as a JWKS), as an X.509 certification authority used to validate certificate chains, or as other deployment-specific material.</t>
      <t>This specification does not define a mechanism for discovering trust anchor information. Consumers <bcp14>MUST</bcp14> bind each trust domain to an authorized issuer (or set of issuers) and to the corresponding trust anchors. That mapping <bcp14>MUST</bcp14> be distributed via a secure out-of-band mechanism. In particular, the <tt>iss</tt> claim <bcp14>MUST NOT</bcp14> be used to look up trust anchor material directly from information carried only in the token (such as by fetching a JWKS from a URL found only in the WIT).</t>
      <t>To validate a WIT, the receiving workload verifies the JWS signature using key material from the trust anchors configured for the trust domain in the <tt>sub</tt> claim. Trust anchor material for WIT validation <bcp14>MAY</bcp14> include more than one public key so that operators can rotate signing keys. Verification follows <xref target="RFC7515"/> and the JWT best practices in <xref target="RFC8725"/>. In practice, the <tt>alg</tt> header parameter would identify an algorithm that the validator accepts for that trust domain, and the signature would be checked under a key drawn from the configured trust anchors. If the JWS header contains a <tt>kid</tt> parameter, the validator would use the key in the trust anchor material with the same <tt>kid</tt> value. If <tt>kid</tt> is absent, deployment policy would need to provide unambiguous key selection (for example, when only a single key is configured for that trust domain).</t>
      <t>For Workload Identity Certificates, validators use the trust anchors for the peer's trust domain to validate the X.509 chain and the workload identifier in the certificate, as described in <xref target="to-wic"/> and in companion specifications such as <xref target="I-D.ietf-wimse-mutual-tls"/>.</t>
    </section>
    <section anchor="single-workload-identity">
      <name>One Workload Identity per Credential</name>
      <t>Each WIMSE credential carries exactly one Workload Identifier (<xref target="WIMSE-ID"/>) that is used for authentication and authorization. Requiring a single identifier per credential keeps authorization and auditing unambiguous and aligns with common practice for workload X.509 certificates (for example, a single URI in an X.509-SVID).</t>
      <t>For a Workload Identity Token, that identifier is the value of the <tt>sub</tt> claim. For a Workload Identity Certificate, that identifier is carried in the single URI SubjectAltName described in <xref target="to-wic"/>.</t>
      <t>Deployments that distinguish several labels for the same runtime (for example a stable service identity and a specific instance) <bcp14>MUST</bcp14> place the identity required for the access decision in that one credential. Additional correlation for logging or operations <bcp14>MUST NOT</bcp14> be encoded as a second workload identifier in the same WIT or WIC. Deployments <bcp14>MAY</bcp14> use other mechanisms, such as the optional <tt>jti</tt> claim, separate credentials, or additional claims as described in <xref target="add-claims"/>.</t>
    </section>
    <section anchor="app-layer">
      <name>Application-Layer Workload-to-Workload Authentication</name>
      <t>In many deployments communication between workloads cannot use end-to-end transport security such as TLS. For these deployment styles, this document proposes a credential that can be used at the application-layer.</t>
      <section anchor="to-wit">
        <name>The Workload Identity Token</name>
        <t>The Workload Identity Token (WIT) is a JWS <xref target="RFC7515"/> signed JWT <xref target="RFC7519"/> that represents the identity of a workload.
It is issued by the Identity Server and binds a public key to the workload identity. See <xref target="workload-identity-key-management"/> for security considerations.</t>
        <t>A WIT <bcp14>MUST</bcp14> contain the following content, except where noted:</t>
        <ul spacing="normal">
          <li>
            <t>in the JOSE header:
            </t>
            <ul spacing="normal">
              <li>
                <t><tt>alg</tt>: An identifier for a JWS asymmetric digital signature algorithm
   (registered algorithm identifiers are listed in the IANA JOSE Algorithms registry <xref target="IANA.JOSE.ALGS"/>). The value <tt>none</tt> <bcp14>MUST NOT</bcp14> be used.</t>
              </li>
              <li>
                <t><tt>typ</tt>: the WIT is explicitly typed, as recommended in <xref section="3.11" sectionFormat="of" target="RFC8725"/>, using the <tt>wit+jwt</tt> media type.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>in the JWT claims:
            </t>
            <ul spacing="normal">
              <li>
                <t><tt>iss</tt>: The issuer of the token, which is the Identity Server, represented by a URI. The <tt>iss</tt> claim is <bcp14>RECOMMENDED</bcp14> but optional; when present, it is particularly useful for auditing and operations (for example, identifying which Identity Server issued the WIT in logs or compliance records). See <xref target="wit-iss-note"/> for key distribution and validation context.</t>
              </li>
              <li>
                <t><tt>sub</tt>: The subject of the token, which is the single Workload Identifier for the workload used for authentication and authorization, as defined in <xref target="WIMSE-ID"/> and <xref target="single-workload-identity"/>. <xref target="granular-auth"/> provides additional requirements associated with these identifiers, so they can be used to secure workload-to-workload communication.</t>
              </li>
              <li>
                <t><tt>exp</tt>: The expiration time of the token (as defined in <xref section="4.1.4" sectionFormat="of" target="RFC7519"/>).
WITs should be refreshed regularly, e.g. on the order of hours.</t>
              </li>
              <li>
                <t><tt>jti</tt>: A unique identifier for the token. This claim is <bcp14>OPTIONAL</bcp14>. The <tt>jti</tt> claim is frequently useful for auditing issuance of individual WITs or to revoke them, but some token generation environments do not support it.</t>
              </li>
              <li>
                <t><tt>cnf</tt>: A confirmation claim referencing the public key of the workload.
                </t>
                <ul spacing="normal">
                  <li>
                    <t><tt>jwk</tt>: Within the cnf claim, a <tt>jwk</tt> key <bcp14>MUST</bcp14> be present that contains the public key of the workload as defined in <xref section="3.2" sectionFormat="of" target="RFC7800"/>. The workload <bcp14>MUST</bcp14> prove possession of the corresponding private key when presenting the WIT to another party. As such, it <bcp14>MUST NOT</bcp14> be used as a bearer token and is not intended for use in the <tt>Authorization</tt> header.
                    </t>
                    <ul spacing="normal">
                      <li>
                        <t><tt>alg</tt>: Within the jwk object, an <tt>alg</tt> field <bcp14>MUST</bcp14> be present. Allowed values are listed in the IANA "JSON Web Signature and Encryption Algorithms" registry established by <xref target="RFC7518"/>. The presented proof <bcp14>MUST</bcp14> be produced with the algorithm specified in this field. The value <tt>none</tt> <bcp14>MUST NOT</bcp14> be used. Algorithms used in combination with symmetric keys <bcp14>MUST NOT</bcp14> be used. Also encryption algorithms <bcp14>MUST NOT</bcp14> be used as this would require additional key distribution outside of the WIT. To promote interoperability, the <tt>ES256</tt> signing algorithm <bcp14>MUST</bcp14> be supported by general purpose implementations of this document.</t>
                      </li>
                    </ul>
                  </li>
                </ul>
              </li>
            </ul>
          </li>
        </ul>
        <t>As noted in <xref target="WIMSE-ID"/>, a workload identifier is a URI that includes a trust domain in the authority component.
The runtime environment often determines which
URI scheme is used, e.g. if SPIFFE is used to authenticate workloads, it mandates "spiffe" URIs.
For deployments that do not use an environment-specific scheme, the <tt>wimse</tt> URI scheme <bcp14>MAY</bcp14> be used; it is defined in <xref target="WIMSE-ID"/>, which also registers it with IANA.</t>
        <t>An example WIT might look like this:</t>
        <figure anchor="example-wit">
          <name>An example Workload Identity Token (WIT)</name>
          <sourcecode type="jwt"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

eyJhbGciOiJFUzI1NiIsImtpZCI6Ikp1bmUgNSIsInR5cCI6IndpdCtqd3QifQ.eyJjb\
mYiOnsiandrIjp7ImFsZyI6IkVkRFNBIiwiY3J2IjoiRWQyNTUxOSIsImt0eSI6Ik9LU\
CIsIngiOiIxQ1hYdmZsTl9MVlZzSXNZWHNVdkIwM0ptbEdXZUNIcVFWdW91Q0Y5MmJnI\
n19LCJleHAiOjE3NDU1MTI1MTAsImlhdCI6MTc0NTUwODkxMCwianRpIjoieC1fMUNUT\
DJjY2EzQ1NFNGN3Yl9sIiwic3ViIjoid2ltc2U6Ly9leGFtcGxlLmNvbS9zcGVjaWZpY\
y13b3JrbG9hZCJ9.6KraSQUxWdl9dxFQ3Fj6dPY0Vi88OkwFwZpAIOhLeq6AbXAnLLQg\
Op8U9UDGcBuYF3KiNv6oKQD1ZWAzrMZOJw
]]></sourcecode>
        </figure>
        <t>The decoded JOSE header of the WIT from the example above is shown here:</t>
        <figure>
          <name>Example WIT JOSE Header</name>
          <sourcecode type="json"><![CDATA[
{
  "alg": "ES256",
  "kid": "June 5",
  "typ": "wit+jwt"
}
]]></sourcecode>
        </figure>
        <t>The decoded JWT claims of the WIT from the example above are shown here:</t>
        <figure>
          <name>Example WIT Claims</name>
          <sourcecode type="json"><![CDATA[
{
  "cnf": {
    "jwk": {
      "alg": "EdDSA",
      "crv": "Ed25519",
      "kty": "OKP",
      "x": "1CXXvflN_LVVsIsYXsUvB03JmlGWeCHqQVuouCF92bg"
    }
  },
  "exp": 1745512510,
  "iat": 1745508910,
  "jti": "x-_1CTL2cca3CSE4cwb_l",
  "sub": "wimse://example.com/specific-workload"
}
]]></sourcecode>
        </figure>
        <t>The claims indicate that the example WIT:</t>
        <ul spacing="normal">
          <li>
            <t>is valid until Thu Apr 24 2025 16:35:10 GMT (represented as NumericDate <xref section="2" sectionFormat="of" target="RFC7519"/> value <tt>1745512510</tt>).</t>
          </li>
          <li>
            <t>identifies the workload to which the token was issued as <tt>wimse://example.com/specific-workload</tt>.</t>
          </li>
          <li>
            <t>has a unique identifier of <tt>x-_1CTL2cca3CSE4cwb_l</tt>.</t>
          </li>
          <li>
            <t>binds the public key represented by the <tt>jwk</tt> confirmation method to the workload <tt>wimse://example.com/specific-workload</tt>.</t>
          </li>
          <li>
            <t>requires the proof to be produced with the <tt>EdDSA</tt> signature algorithm.</t>
          </li>
        </ul>
        <t>For elucidative purposes only, the workload's key, including the private part, is shown below in JWK <xref target="RFC7517"/> format:</t>
        <figure anchor="example-caller-jwk">
          <name>Example Workload's Key</name>
          <sourcecode type="jwk"><![CDATA[
{
 "kty": "OKP",
 "crv": "Ed25519",
 "x": "1CXXvflN_LVVsIsYXsUvB03JmlGWeCHqQVuouCF92bg",
 "d": "sdLX8yCYKqo_XvGBLn-ZWeKT7llYeeQpgeCaXVxb5kY"
}
]]></sourcecode>
        </figure>
        <t>The example WIT is signed with one of the Identity Server's signing keys; the JOSE header <tt>kid</tt> identifies which key was used.
Validators use the Identity Server's public keys from the trust anchors configured for that trust domain to verify the signature (see <xref target="trust-anchors"/>).
The Identity Server's public key from this example is shown below in JWK <xref target="RFC7517"/> format:</t>
        <figure>
          <name>Example Identity Server Key</name>
          <sourcecode type="jwk"><![CDATA[
{
 "kty": "EC",
 "kid": "June 5",
 "crv": "P-256",
 "x": "kXqnA2Op7hgd4zRMbw0iFcc_hDxUxhojxOFVGjE2gks",
 "y": "n__VndPMR021-59UAs0b9qDTFT-EZtT6xSNs_xFskLo"
}
]]></sourcecode>
        </figure>
        <section anchor="wit-http-header">
          <name>The WIT HTTP Header</name>
          <t>A WIT is conveyed in an HTTP header field named <tt>Workload-Identity-Token</tt>.</t>
          <t>ABNF <xref target="RFC5234"/> for the value of <tt>Workload-Identity-Token</tt> header field is provided in <xref target="wit-header-abnf"/>:</t>
          <figure anchor="wit-header-abnf">
            <name>Workload-Identity-Token Header Field ABNF</name>
            <sourcecode type="abnf"><![CDATA[
ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
DIGIT = %x30-39 ; 0-9
base64url = 1*(ALPHA / DIGIT / "-" / "_")
JWT =  base64url "." base64url "." base64url
WIT =  JWT
]]></sourcecode>
          </figure>
          <t>The following shows the WIT from <xref target="example-wit"/> in an example of a <tt>Workload-Identity-Token</tt> header field:</t>
          <figure>
            <name>An example Workload Identity Token HTTP Header Field</name>
            <sourcecode type="http-message"><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

Workload-Identity-Token: eyJhbGciOiJFUzI1NiIsImtpZCI6Ikp1bmUgNSIsInR\
5cCI6IndpdCtqd3QifQ.eyJjbmYiOnsiandrIjp7ImFsZyI6IkVkRFNBIiwiY3J2Ijoi\
RWQyNTUxOSIsImt0eSI6Ik9LUCIsIngiOiIxQ1hYdmZsTl9MVlZzSXNZWHNVdkIwM0pt\
bEdXZUNIcVFWdW91Q0Y5MmJnIn19LCJleHAiOjE3NDU1MTI1MTAsImlhdCI6MTc0NTUw\
ODkxMCwianRpIjoieC1fMUNUTDJjY2EzQ1NFNGN3Yl9sIiwic3ViIjoid2ltc2U6Ly9l\
eGFtcGxlLmNvbS9zcGVjaWZpYy13b3JrbG9hZCJ9.6KraSQUxWdl9dxFQ3Fj6dPY0Vi8\
8OkwFwZpAIOhLeq6AbXAnLLQgOp8U9UDGcBuYF3KiNv6oKQD1ZWAzrMZOJw
]]></sourcecode>
          </figure>
          <t>Note that per <xref target="RFC9110"/>, header field names are case insensitive;
thus, <tt>Workload-Identity-Token</tt>, <tt>workload-identity-token</tt>, <tt>WORKLOAD-IDENTITY-TOKEN</tt>,
etc., are all valid and equivalent header field names. However, case is significant in the header field value.</t>
        </section>
        <section anchor="add-claims">
          <name>Including Additional Claims</name>
          <t>The WIT contains JSON structures and therefore can be trivially extended by adding more claims beyond those defined in the current specification.
This, however, could result in interoperability issues, which the following rules are addressing.</t>
          <ul spacing="normal">
            <li>
              <t>To ensure interoperability in WIMSE environments, the use of Private claim names (Sec. 4.3 of <xref target="RFC7519"/>) is <bcp14>NOT RECOMMENDED</bcp14>.</t>
            </li>
            <li>
              <t>In closed environments, deployers <bcp14>MAY</bcp14> freely add claims to the WIT. Such claims <bcp14>SHOULD</bcp14> be collision-resistant, such as <tt>example.com/myclaim</tt>.</t>
            </li>
            <li>
              <t>A recipient that does not understand such claims <bcp14>MUST</bcp14> ignore them, as per Sec. 4 of <xref target="RFC7519"/>.</t>
            </li>
            <li>
              <t>Outside of closed environments, new claims <bcp14>MUST</bcp14> be registered with IANA <xref target="IANA.JWT.CLAIMS"/> before they can be used.</t>
            </li>
          </ul>
        </section>
        <section anchor="wit-iss-note">
          <name>A note on <tt>iss</tt> claim and key distribution</name>
          <t>It is <bcp14>RECOMMENDED</bcp14> that the WIT carries an <tt>iss</tt> claim, including for the auditing and operational uses described above. Validators are not required to use <tt>iss</tt> when validating the WIT or establishing the workload identity: the trust domain and workload identity are carried in the mandatory <tt>sub</tt> claim (<xref target="WIMSE-ID"/>). Implementations <bcp14>MAY</bcp14> include the <tt>iss</tt> claim in the form of a <tt>https</tt> URL to facilitate key distribution via mechanisms like the <tt>jwks_uri</tt> from <xref target="RFC8414"/>, only when the issuer and verification keys (or metadata such as <tt>jwks_uri</tt>) are configured out of band as in <xref target="trust-anchors"/>. Alternative key distribution methods may use only the trust domain from the <tt>sub</tt> claim.</t>
        </section>
      </section>
      <section anchor="error-conditions">
        <name>Error Conditions</name>
        <t>Errors may occur during the processing of the WIT. If the WIT validation fails for any reason,
such as an invalid signature, an expired validity time window, or a malformed data structure, an error is returned. Typically,
this will be in response to an API call, so an HTTP status code such as 400 (Bad Request) is appropriate. This response could
include more details as per <xref target="RFC9457"/>, such as an indicator that the wrong key material or algorithm was used.  The use of HTTP
status code 401 is <bcp14>NOT RECOMMENDED</bcp14> for this purpose because it requires a WWW-Authenticate with acceptable http auth mechanisms in
the error response and an associated Authorization header in the subsequent request. The use of these headers for the WIT is not compatible
with this specification.</t>
      </section>
      <section anchor="coexist">
        <name>Coexistence with JWT Bearer Tokens</name>
        <t>The WIT defines new HTTP headers. It can therefore be presented along with existing headers used for JWT bearer tokens. This
property allows for transition from mechanisms using identity tokens based on bearer JWTs to proof of possession based WITs.
A workload may implement a policy that accepts both bearer tokens and WITs during a transition period. This policy may be configurable
per-caller to allow the workload to reject bearer tokens from callers that support WITs. Once a deployment fully supports WITs, then the use of
bearer tokens for identity can be disabled through policy.  Implementations should be careful when implementing such a transition strategy,
since the decision which token to prefer is made when the caller's identity has still not been authenticated, and needs to be revalidated following the authentication step.</t>
        <t>The WIT can also coexist with tokens used to establish security context, such as transaction tokens <xref target="I-D.ietf-oauth-transaction-tokens"/>. In this case a workload's
authorization policy may take into account both the sending workload's identity and the information in the context token. For example, the
identity in the WIT may be used to establish which API calls can be made and information in the context token may be used to determine
which specific resources can be accessed.</t>
      </section>
    </section>
    <section anchor="transport-layer">
      <name>Transport-Layer Workload-to-Workload Authentication</name>
      <t>As noted in the introduction, for many deployments, transport-layer protection of application traffic is ideal.</t>
      <section anchor="to-wic">
        <name>The Workload Identity Certificate</name>
        <t>The Workload Identity Certificate is an X.509 certificate. The Workload Identifier used for WIMSE authentication and authorization <bcp14>MUST</bcp14> appear in exactly one SubjectAltName extension of type URI, as required by <xref target="single-workload-identity"/>. The certificate <bcp14>MUST NOT</bcp14> contain more than one URI SAN that carries a workload identifier.</t>
        <t>When the certificate is also used for TLS server authentication, it is <bcp14>RECOMMENDED</bcp14> to include SubjectAltName extensions of type DNSName with the appropriate DNS names for clients that validate the server by host name rather than by workload identity. The certificate <bcp14>MAY</bcp14> contain SubjectAltName extensions of other types for PKIX or local policy, but only the URI SAN above is the WIMSE workload identity.</t>
      </section>
    </section>
    <section anchor="client-name">
      <name>Client Authorization Using the Workload Identity</name>
      <t>The receiving application uses the authenticated peer's workload identifier in authorization, accounting, and auditing.
For example, the full workload identifier may be matched against ACLs to authorize actions requested by the peer and the identifier may be included in log messages to associate actions to the client workload for audit purposes.
A deployment may specify other authorization policies based on the specific details of how the workload identifier is constructed. The path portion of the workload identifier <bcp14>MUST</bcp14> always be considered in the scope of the trust domain.
See <xref target="granular-auth"/> on additional security implications of workload identifiers.</t>
      <t>How the receiving application obtains the workload identifier depends on the credential used to authenticate the peer:</t>
      <ul spacing="normal">
        <li>
          <t>Application-layer: After successfully validating the WIT, the receiving application retrieves the workload identifier from the <tt>sub</tt> claim.</t>
        </li>
        <li>
          <t>Transport-layer: When the client is authenticated with a Workload Identity Certificate, the receiving application retrieves the workload identifier from the client certificate's SubjectAltName extension of type URI.</t>
        </li>
      </ul>
      <t>A workload <bcp14>MAY</bcp14> use other standard and deployment specific fields in the workload credential for accounting or authorization purposes.</t>
    </section>
    <section anchor="implementation-status">
      <name>Implementation Status</name>
      <t><cref>Note to RFC Editor: please remove this section, as well as the reference to RFC 7942, before publication.</cref>
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in <xref target="RFC7942"/>. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs.  Please note that the listing of any individual implementation here does not imply endorsement by the IETF.  Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features.  Readers are advised to note that other implementations may exist.</t>
      <t>According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.  It is up to the individual working groups to use this information as they see fit".</t>
      <t>SPIFFE (Standard)</t>
      <ul spacing="normal">
        <li>
          <t>Organization: CNCF</t>
        </li>
        <li>
          <t>Maturity:
          </t>
          <ul spacing="normal">
            <li>
              <t>Workload Identity Certificate: fully compatible with the X509-SVID and widely used.</t>
            </li>
            <li>
              <t>Workload Identity Token: beta</t>
            </li>
          </ul>
        </li>
        <li>
          <t>Coverage: Workload Identity Certificate, WIT</t>
        </li>
        <li>
          <t>Contact: <eref target="https://github.com/spiffe/spiffe/tree/main/community/sig-spec">SPIFFE sig-spec community</eref></t>
        </li>
      </ul>
      <t>Defakto Security</t>
      <ul spacing="normal">
        <li>
          <t>Organization: Defakto Security (prior SPIRL)</t>
        </li>
        <li>
          <t>Maturity:
          </t>
          <ul spacing="normal">
            <li>
              <t>Workload Identity Certificate: production</t>
            </li>
            <li>
              <t>Workload Identity Token: alpha</t>
            </li>
          </ul>
        </li>
        <li>
          <t>Coverage: Workload Identity Certificate, WIT</t>
        </li>
        <li>
          <t>Contact: arndt@defakto.security</t>
        </li>
      </ul>
      <t>Teleport - Machine &amp; Workload Identity</t>
      <ul spacing="normal">
        <li>
          <t>Organization: Teleport</t>
        </li>
        <li>
          <t>Maturity:
          </t>
          <ul spacing="normal">
            <li>
              <t>Workload Identity Certificate: production</t>
            </li>
            <li>
              <t>Workload Identity Token: research</t>
            </li>
          </ul>
        </li>
        <li>
          <t>Coverage: Workload Identity Certificate</t>
        </li>
        <li>
          <t>Contact: noah@goteleport.com</t>
        </li>
      </ul>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="workload-identity">
        <name>Workload Identity</name>
        <t>Workload Identifiers (<xref target="WIMSE-ID"/>) are scoped to a trust domain (the URI authority component) and <bcp14>MUST</bcp14> be interpreted in that trust domain context. Using a Workload Identifier without taking into account the trust domain could allow one domain to issue tokens to spoof identities in another domain. See <xref target="trust-anchors"/> for binding trust domains to issuers and trust anchors.</t>
        <t>When a deployment uses the <tt>iss</tt> claim for key distribution as described in <xref target="wit-iss-note"/>, validators <bcp14>MUST</bcp14> enforce an allowlist of accepted issuers. Absent such a restriction, any entity could stand up an issuer, present a WIT with that issuer's <tt>iss</tt> value, and have it accepted by a validator that fetches and trusts the corresponding key material without verifying the issuer's legitimacy.</t>
      </section>
      <section anchor="wit-pop">
        <name>Workload Identity Token and Proof of Possession</name>
        <t>The Workload Identity Token (WIT) is bound to a secret cryptographic key and is always presented with a proof of possession as described in <xref target="to-wit"/>. The WIT is a general purpose token that can be presented in multiple contexts. The WIT and its PoP are only used in the application-layer options, and both are not used in MTLS. The WIT <bcp14>MUST NOT</bcp14> be used as a bearer token. While this helps reduce the sensitivity of the token it is still possible that a token and its proof of possession may be captured and replayed within the PoP's lifetime. The following are some mitigations for the capture and reuse of the WIT and its proof of possession (PoP):</t>
        <section anchor="limiting-workload-identity-token-lifespan">
          <name>Limiting Workload Identity Token Lifespan</name>
          <t>The WIT <bcp14>MUST</bcp14> have a limited lifetime expressed through the <tt>exp</tt> claim. If both a WIT and its corresponding private key are compromised, an attacker can impersonate the workload until the WIT expires. Because JWT-based credentials such as the WIT are not generally revocable on demand, a short expiration is the primary mitigation against continued use of a compromised WIT and key. WITs <bcp14>SHOULD</bcp14> therefore be short-lived, typically on the order of hours, with the chosen lifetime balancing the operational cost of frequent refresh against the window of exposure if a credential is compromised.</t>
        </section>
        <section anchor="limiting-proof-of-possession-lifespan">
          <name>Limiting Proof of Possession Lifespan</name>
          <t>The proof of possession <bcp14>MUST</bcp14> be time limited. A PoP should only be valid over the time necessary for it to be successfully used for the purpose it is needed. This will typically be on the order of minutes.  PoPs received outside their validity time <bcp14>MUST</bcp14> be rejected.</t>
        </section>
        <section anchor="limiting-proof-of-possession-scope">
          <name>Limiting Proof of Possession Scope</name>
          <t>In order to reduce the risk of theft and replay the PoP should have a limited scope. For example, a PoP may be targeted for use with a specific workload and even a specific transaction to reduce the impact of a stolen PoP. In some cases a workload may wish to reuse a PoP for a period of time or have it accepted by multiple target workloads. A careful analysis is warranted to understand the impacts to the system if a PoP is disclosed allowing it to be presented by an attacker along with a captured WIT.</t>
        </section>
        <section anchor="replay-protection">
          <name>Replay Protection</name>
          <t>Proof of possession mechanisms should include replay protection to prevent reuse of a captured PoP. Without it an attacker can replay a captured PoP within its validity period.</t>
        </section>
        <section anchor="binding-to-tls-endpoint">
          <name>Binding to TLS Endpoint</name>
          <t>The POP <bcp14>MAY</bcp14> be bound to a transport layer sender such as the client identity of a TLS session or TLS channel binding parameters. The mechanisms for binding are outside the scope of this specification.</t>
        </section>
      </section>
      <section anchor="workload-identity-certificate">
        <name>Workload Identity Certificate</name>
        <t>The Workload Identity Certificate carries the workload identifier in a single URI SubjectAltName (<xref target="to-wic"/>). As with the WIT, the identifier is meaningful only within its trust domain. A relying party <bcp14>MUST</bcp14> validate the certificate against the trust anchors configured for the peer's trust domain (<xref target="trust-anchors"/>) and <bcp14>MUST</bcp14> reject the certificate if the workload identifier is not within that trust domain and the trust anchor used. Evaluating the path or other components of the identifier without also considering the trust domain and the trust anchor can allow one trust domain to impersonate workloads in another. Protocol-specific certificate validation requirements are defined in <xref target="I-D.ietf-wimse-mutual-tls"/>.</t>
        <section anchor="limiting-workload-identity-certificate-lifespan">
          <name>Limiting Workload Identity Certificate Lifespan</name>
          <t>Workload Identity Certificates are frequently issued to dynamic and/or short-lived workloads. Deployments <bcp14>SHOULD</bcp14> use certificate lifetimes appropriate to the workload environment. Long-lived certificates increase the impact of private-key compromise.</t>
          <t>The lifetime of Workload Identity Certificates is bounded by the lifetime and rotation cadence of the trust anchors of the trust domain (<xref target="trust-anchors"/>). Compromise of a trust anchor permits issuance of certificates for the trust domain for as long as that anchor remains trusted. Deployments should therefore consider leaf and trust-anchor lifetimes together rather than the leaf lifetime in isolation.</t>
        </section>
      </section>
      <section anchor="workload-identity-key-management">
        <name>Workload Identity Key Management</name>
        <t>Both the Workload Identity Token and the Workload Identity Certificate carry a public key. The corresponding private key:</t>
        <ul spacing="normal">
          <li>
            <t><bcp14>MUST</bcp14> be kept private</t>
          </li>
          <li>
            <t><bcp14>MUST</bcp14> be bound to a single Workload Identifier (<xref target="WIMSE-ID"/>)</t>
          </li>
          <li>
            <t><bcp14>MUST NOT</bcp14> be used once the credential is expired</t>
          </li>
          <li>
            <t><bcp14>SHOULD</bcp14> be re-generated for each new Workload Identity Token or Certificate.</t>
          </li>
        </ul>
      </section>
      <section anchor="middleboxes">
        <name>Transport Security</name>
        <t>An attacker observing or intercepting the communication channel can view the Workload Identity Token and its proof of possession and attempt to replay them to gain an advantage. To prevent this, the WIT and its proof of possession <bcp14>MUST</bcp14> be sent over a secure, server-authenticated TLS connection unless a secure channel is provided by some other mechanism.</t>
        <t>In some deployments the Workload Identity Token and proof of possession may pass through multiple systems. Communication between systems is over TLS, but the token and PoP are available in the clear at each intermediary.  While an intermediary cannot modify the token or the information within the PoP, it can attempt to capture and replay the token or modify data not protected by the PoP. Mitigations listed in <xref target="wit-pop"/> can reduce this risk. Deployments should analyze their situation to determine whether it is appropriate to trust and allow traffic to pass through a middle box.</t>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>WITs and the proofs of possession may contain private information such as user names or other identities. Care should be taken to prevent the disclosure of this information. The use of TLS helps protect the privacy of WITs and proofs of possession in transit. Workload Identity Certificates likewise expose the workload identifier, and any attributes carried in the certificate, to the peer, to any TLS-terminating intermediary, and to logs; in particular, client-certificate authentication discloses the client's workload identity to the server during the TLS handshake.</t>
      <t>WITs and certificates with workload identifiers are typically associated with a workload and not a specific user, however in some deployments the workload may be associated directly to a user. While these are exceptional cases a deployment should evaluate if the disclosure of WITs or certificates can be used to track a user.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="media-type-registration">
        <name>Media Type Registration</name>
        <t>IANA is requested to register the following entries to the "Media Types" registry <xref target="IANA.MEDIA.TYPES"/>:</t>
        <ul spacing="normal">
          <li>
            <t>application/wit+jwt, per <xref target="iana-wit"/>.</t>
          </li>
        </ul>
        <section anchor="iana-wit">
          <name>application/wit+jwt</name>
          <t>Type name: application</t>
          <t>Subtype name: wit+jwt</t>
          <t>Required parameters: N/A</t>
          <t>Optional parameters: N/A</t>
          <t>Encoding considerations: Encoding considerations are identical to those specified for the "application/jwt" media type. See <xref target="RFC7519"/>.</t>
          <t>Security considerations: See the Security Considerations section of RFC XXX.</t>
          <t>Interoperability considerations: N/A</t>
          <t>Published specification: RFC XXX, <xref target="to-wit"/>.</t>
          <t>Applications that use this media type: Identity servers that vend Workload Identity Tokens, and Workloads that
use these tokens to authenticate to each other.</t>
          <t>Fragment identifier considerations: N/A</t>
          <t>Additional information:</t>
          <t>Deprecated alias names for this type: N/A</t>
          <t>Magic number(s): N/A</t>
          <t>File extension(s): None</t>
          <t>Macintosh file type code(s): N/A</t>
          <t>Person &amp; email address to contact for further information:</t>
          <t>See the Authors' Addresses section of RFC XXX.</t>
          <t>Intended usage: COMMON</t>
          <t>Restrictions on usage: N/A</t>
          <t>Author: See the Authors' Addresses section of RFC XXX.</t>
          <t>Change controller: Internet Engineering Task Force (iesg@ietf.org).</t>
        </section>
      </section>
      <section anchor="hypertext-transfer-protocol-http-field-name-registration">
        <name>Hypertext Transfer Protocol (HTTP) Field Name Registration</name>
        <t>IANA is requested to register the following entries to the "Hypertext Transfer Protocol (HTTP) Field Name Registry" <xref target="IANA.HTTP.FIELDS"/>:</t>
        <ul spacing="normal">
          <li>
            <t><tt>Workload-Identity-Token</tt>, per <xref target="iana-wit-field"/>.</t>
          </li>
        </ul>
        <section anchor="iana-wit-field">
          <name>Workload-Identity-Token</name>
          <ul spacing="normal">
            <li>
              <t>Field Name: Workload-Identity-Token</t>
            </li>
            <li>
              <t>Status: permanent</t>
            </li>
            <li>
              <t>Structured Type: N/A</t>
            </li>
            <li>
              <t>Specification Document: RFC XXX, <xref target="wit-http-header"/></t>
            </li>
            <li>
              <t>Comments: see reference above for an ABNF syntax of this field</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC5234">
          <front>
            <title>Augmented BNF for Syntax Specifications: ABNF</title>
            <author fullname="D. Crocker" initials="D." role="editor" surname="Crocker"/>
            <author fullname="P. Overell" initials="P." surname="Overell"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>Internet technical specifications often need to define a formal syntax. Over the years, a modified version of Backus-Naur Form (BNF), called Augmented BNF (ABNF), has been popular among many Internet specifications. The current specification documents ABNF. It balances compactness and simplicity with reasonable representational power. The differences between standard BNF and ABNF involve naming rules, repetition, alternatives, order-independence, and value ranges. This specification also supplies additional rule definitions and encoding for a core lexical analyzer of the type common to several Internet specifications. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="68"/>
          <seriesInfo name="RFC" value="5234"/>
          <seriesInfo name="DOI" value="10.17487/RFC5234"/>
        </reference>
        <reference anchor="RFC7515">
          <front>
            <title>JSON Web Signature (JWS)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7515"/>
          <seriesInfo name="DOI" value="10.17487/RFC7515"/>
        </reference>
        <reference anchor="RFC7517">
          <front>
            <title>JSON Web Key (JWK)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7517"/>
          <seriesInfo name="DOI" value="10.17487/RFC7517"/>
        </reference>
        <reference anchor="RFC7518">
          <front>
            <title>JSON Web Algorithms (JWA)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7518"/>
          <seriesInfo name="DOI" value="10.17487/RFC7518"/>
        </reference>
        <reference anchor="RFC7519">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7519"/>
          <seriesInfo name="DOI" value="10.17487/RFC7519"/>
        </reference>
        <reference anchor="RFC7800">
          <front>
            <title>Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="April" year="2016"/>
            <abstract>
              <t>This specification describes how to declare in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular proof-of- possession key and how the recipient can cryptographically confirm proof of possession of the key by the presenter. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7800"/>
          <seriesInfo name="DOI" value="10.17487/RFC7800"/>
        </reference>
        <reference anchor="RFC8725">
          <front>
            <title>JSON Web Token Best Current Practices</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="D. Hardt" initials="D." surname="Hardt"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="225"/>
          <seriesInfo name="RFC" value="8725"/>
          <seriesInfo name="DOI" value="10.17487/RFC8725"/>
        </reference>
        <reference anchor="RFC9110">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-mutual-tls">
          <front>
            <title>Workload Authentication Using Mutual TLS</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <date day="5" month="May" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones to complex multi-service, multi-cloud, multi-tenant
   deployments.  This document profiles a workload authentication based
   on X.509 workload identity certificates using mutual TLS (mTLS).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-mutual-tls-01"/>
        </reference>
        <reference anchor="WIMSE-ID">
          <front>
            <title>Workload Identifier</title>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   This document defines a canonical identifier for workloads, referred
   to as the Workload Identifier.  A Workload Identifier is a URI that
   uniquely identifies a workload within the context of a specific trust
   domain.  This identifier can be embedded in digital credentials,
   including X.509 certificates and security tokens, to support
   authentication, authorization, and policy enforcement across diverse
   systems.  The Workload Identifier format ensures interoperability,
   facilitates secure identity federation, and enables consistent
   identity semantics.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-identifier-02"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8414">
          <front>
            <title>OAuth 2.0 Authorization Server Metadata</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8414"/>
          <seriesInfo name="DOI" value="10.17487/RFC8414"/>
        </reference>
        <reference anchor="RFC7942">
          <front>
            <title>Improving Awareness of Running Code: The Implementation Status Section</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="A. Farrel" initials="A." surname="Farrel"/>
            <date month="July" year="2016"/>
            <abstract>
              <t>This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.</t>
              <t>This process is not mandatory. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. This document obsoletes RFC 6982, advancing it to a Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="205"/>
          <seriesInfo name="RFC" value="7942"/>
          <seriesInfo name="DOI" value="10.17487/RFC7942"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="IANA.HTTP.FIELDS" target="https://www.iana.org/assignments/http-fields">
          <front>
            <title>Hypertext Transfer Protocol (HTTP) Field Name Registry</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="IANA.JOSE.ALGS" target="https://www.iana.org/assignments/jose">
          <front>
            <title>JSON Web Signature and Encryption Algorithms</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="IANA.JWT.CLAIMS" target="https://www.iana.org/assignments/jwt">
          <front>
            <title>JSON Web Token Claims</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="IANA.MEDIA.TYPES" target="https://www.iana.org/assignments/media-types">
          <front>
            <title>Media Types</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="RFC9457">
          <front>
            <title>Problem Details for HTTP APIs</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <author fullname="E. Wilde" initials="E." surname="Wilde"/>
            <author fullname="S. Dalal" initials="S." surname="Dalal"/>
            <date month="July" year="2023"/>
            <abstract>
              <t>This document defines a "problem detail" to carry machine-readable details of errors in HTTP response content to avoid the need to define new error response formats for HTTP APIs.</t>
              <t>This document obsoletes RFC 7807.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9457"/>
          <seriesInfo name="DOI" value="10.17487/RFC9457"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-arch">
          <front>
            <title>Workload Identity in a Multi System Environment (WIMSE) Architecture</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The increasing prevalence of cloud computing and micro service
   architectures has led to the rise of complex software functions being
   built and deployed as workloads, where a workload is defined as
   software executing for a specific purpose, potentially comprising one
   or more running instances.  This document discusses an architecture
   for designing and standardizing protocols and payloads for conveying
   workload identity and security context information.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-arch-07"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-wpt">
          <front>
            <title>WIMSE Workload Proof Token</title>
            <author fullname="Brian Campbell" initials="B." surname="Campbell">
              <organization>Ping Identity</organization>
            </author>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from basic
   deployments to complex multi-service, multi-cloud, multi-tenant
   systems.  This document specifies the Workload Proof Token (WPT), a
   mechanism for workloads to prove possession of the private key
   associated with a Workload Identity Token (WIT).  The WPT is a signed
   JWT that binds the workload's authentication to a specific HTTP
   request, providing application-level proof of possession for
   workload-to-workload communication.  This specification is designed
   to work alongside the WIT credential format defined in draft-ietf-
   wimse-workload-creds and can be combined with other WIMSE protocols
   in multi-hop call chains.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-wpt-01"/>
        </reference>
        <reference anchor="I-D.ietf-wimse-http-signature">
          <front>
            <title>WIMSE Workload-to-Workload Authentication with HTTP Signatures</title>
            <author fullname="Joseph A. Salowey" initials="J. A." surname="Salowey">
              <organization>CyberArk</organization>
            </author>
            <author fullname="Yaron Sheffer" initials="Y." surname="Sheffer">
              <organization>Intuit</organization>
            </author>
            <date day="7" month="April" year="2026"/>
            <abstract>
              <t>   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones to complex multi-service, multi-cloud, multi-tenant
   deployments.  This document defines one of the mechanisms to provide
   workload authentication, using HTTP Signatures.  While only
   applicable to HTTP traffic, the protocol provides end-to-end
   protection of requests (and optionally, responses), even when service
   traffic is not end-to-end encrypted, that is, when TLS proxies and
   load balancers are used.  Authentication is based on the Workload
   Identity Token (WIT).

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-http-signature-03"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-transaction-tokens">
          <front>
            <title>Transaction Tokens</title>
            <author fullname="Atul Tulshibagwale" initials="A." surname="Tulshibagwale">
              <organization>CrowdStrike</organization>
            </author>
            <author fullname="George Fletcher" initials="G." surname="Fletcher">
              <organization>Practical Identity LLC</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   Transaction Tokens (Txn-Tokens) are designed to maintain and
   propagate user identity, workload identity and authorization context
   throughout the Call Chain within a trusted domain during the
   processing of external requests (e.g. such as API calls) or requests
   initiated internally within the trust domain.  Txn-Tokens ensure that
   this context is preserved throughout the Call Chain thereby enhancing
   security and consistency in complex, multi-service architectures.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-transaction-tokens-08"/>
        </reference>
      </references>
    </references>
    <?line 586?>

<section anchor="document-history">
      <name>Document History</name>
      <t><cref>RFC Editor: please remove before publication.</cref></t>
      <section anchor="draft-ietf-wimse-workload-creds-02">
        <name>draft-ietf-wimse-workload-creds-02</name>
        <ul spacing="normal">
          <li>
            <t>Add a section requiring exactly one Workload Identifier per credential (the <tt>sub</tt> claim for a WIT, a single URI SubjectAltName for a WIC).</t>
          </li>
          <li>
            <t>Add a Trust Anchors section and clarify WIT validation, key selection, and key rotation.</t>
          </li>
          <li>
            <t>Rework the Security Considerations, including WIT lifetime, WIC validation and lifetime, and privacy of the workload identifier.</t>
          </li>
          <li>
            <t>Generalize client authorization to cover both the WIT and the WIC.</t>
          </li>
          <li>
            <t>Reference the protocol binding documents (mutual TLS, WPT, and HTTP Message Signatures).</t>
          </li>
          <li>
            <t>Rename "level" to "layer" throughout.</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-ietf-wimse-workload-creds-01">
        <name>draft-ietf-wimse-workload-creds-01</name>
        <ul spacing="normal">
          <li>
            <t>Clarify that the <tt>iss</tt> claim is <bcp14>RECOMMENDED</bcp14> in part for auditing and operations, and that validation of workload identity uses <tt>sub</tt>, not <tt>iss</tt>.</t>
          </li>
          <li>
            <t>Remove the <tt>wimse</tt> URI scheme definition and IANA registration from this document; both are specified in <xref target="WIMSE-ID"/>.</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-ietf-wimse-workload-creds-00">
        <name>draft-ietf-wimse-workload-creds-00</name>
        <ul spacing="normal">
          <li>
            <t>Remove WPT, HTTP-Sig and mutual TLS sections, which are going to be covered by individual documents. This includes re-phrasing of various sections to focus on the credentials only.</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-ietf-wimse-s2s-protocol-07">
        <name>draft-ietf-wimse-s2s-protocol-07</name>
        <ul spacing="normal">
          <li>
            <t>Rework the WPT's <tt>oth</tt> claim.</t>
          </li>
          <li>
            <t>update the media types.</t>
          </li>
          <li>
            <t>Discuss extensibility of WIT and WPT.</t>
          </li>
          <li>
            <t>Clarify error handling, specifically why not HTTP 401.</t>
          </li>
          <li>
            <t>Correct the code examples.</t>
          </li>
          <li>
            <t>Add registration request content for a <tt>wimse</tt> URI scheme.</t>
          </li>
          <li>
            <t>New section on key management.</t>
          </li>
          <li>
            <t>Use of the <tt>Accept-Signature</tt> header.</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-ietf-wimse-s2s-protocol-06">
        <name>draft-ietf-wimse-s2s-protocol-06</name>
        <ul spacing="normal">
          <li>
            <t>Explicit definition of the Workload Identity Certificate.</t>
          </li>
          <li>
            <t>Definition of the validation of workload identifiers as part of workload authentication. Still work in progress.</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-ietf-wimse-s2s-protocol-05">
        <name>draft-ietf-wimse-s2s-protocol-05</name>
        <ul spacing="normal">
          <li>
            <t>Removed the entire Workload Identity section which is now covered in the Architecture document.</t>
          </li>
          <li>
            <t>Content-Digest is mandatory with HTTP-Sig.</t>
          </li>
          <li>
            <t>Some wording on extending the protocol beyond HTTP.</t>
          </li>
          <li>
            <t>IANA considerations.</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-ietf-wimse-s2s-protocol-04">
        <name>draft-ietf-wimse-s2s-protocol-04</name>
        <ul spacing="normal">
          <li>
            <t>Require <tt>cnf.jwk.alg</tt> in WIT which restricts signature algorithm of WPT or HTTP-Sig.</t>
          </li>
          <li>
            <t>Replay protection as a <bcp14>SHOULD</bcp14> for both WPT and HTTP-Sig.</t>
          </li>
          <li>
            <t>Consolidate terminology with the Architecture draft.</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-ietf-wimse-s2s-protocol-03">
        <name>draft-ietf-wimse-s2s-protocol-03</name>
        <ul spacing="normal">
          <li>
            <t>Consistently use "workload".</t>
          </li>
          <li>
            <t>Implement comments from the SPIFFE community.</t>
          </li>
          <li>
            <t>Make <tt>iss</tt> claim in WIT optional and add wording about its relation to key distribution.</t>
          </li>
          <li>
            <t>Remove <tt>iss</tt> claim from WPT.</t>
          </li>
          <li>
            <t>Make <tt>jti</tt> claim in WIT optional.</t>
          </li>
          <li>
            <t>Error handling for the application-level methods.</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-ietf-wimse-s2s-protocol-02">
        <name>draft-ietf-wimse-s2s-protocol-02</name>
        <ul spacing="normal">
          <li>
            <t>Coexistence with bearer tokens.</t>
          </li>
          <li>
            <t>Improve the architecture diagram.</t>
          </li>
          <li>
            <t>Some more ABNF.</t>
          </li>
          <li>
            <t>Clarified identifiers and URIs.</t>
          </li>
          <li>
            <t>Moved an author to acknowledgments.</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-ietf-wimse-s2s-protocol-01">
        <name>draft-ietf-wimse-s2s-protocol-01</name>
        <ul spacing="normal">
          <li>
            <t>Addressed multiple comments from Pieter.</t>
          </li>
          <li>
            <t>Clarified WIMSE identity concepts, specifically "trust domain"
and "workload identifier".</t>
          </li>
          <li>
            <t>Much more detail around mTLS, including some normative language.</t>
          </li>
          <li>
            <t>WIT (the identity token) is now included in the WPT proof of possession.</t>
          </li>
          <li>
            <t>Added a section comparing the DPoP-inspired app-level security option to
the Message Signature-based alternative.</t>
          </li>
        </ul>
      </section>
      <section anchor="draft-ietf-wimse-s2s-protocol-00">
        <name>draft-ietf-wimse-s2s-protocol-00</name>
        <ul spacing="normal">
          <li>
            <t>Initial WG draft, an exact copy of draft-sheffer-wimse-s2s-protocol-00</t>
          </li>
          <li>
            <t>Added this document history section</t>
          </li>
        </ul>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors would like to thank Pieter Kasselman for his detailed comments.</t>
      <t>We thank Daniel Feldman for his contributions to earlier versions of this document.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA7V96XrTWLbofz2FbvjuqaTbNkkIU6qru0wGMGSCBAI0fYgs
b9sisuSS5CQuin6W8yz3ye6a9iTZIZzurh4qtqU9rL3mabfb7aBKqlRthyvn
vcPTvfA8Ly7TPBqEO4UaqKxKorRcCaJ+v1BX33kojio1yov5dlhWgyAY5HEW
TWDkQRENq3aiqmH7OpmUqn0tr7djeL1sr28G5aw/ScoyybNqPoVXentn+2F4
L4Rxc5g1yQZqqjKcaqUVrqhBUuUFTIofet1n8K+8gL/enO2vBNls0lfFdjCA
1WwHcZ6VKitn5XZYFTMVwB4eBFGhIhi1O52mCSwaZi3DKBuEb1SUts+SiVoJ
cImjIp9Ncc96tz3aazUPkyw8nKVVEp7Oy0pNwr3sKinybAI/Axwu1RxeH2wH
YTvUW8W/E3k9uFLZDNYWhv/bGcKQwUQvJtkofI4D4feTKEnhe4LzrwjyTl6M
8IeoiMfww7iqpuX2/fv4HH6VXKmOfuw+fnG/X+TXpbpPI9zHN0dJNZ718RTo
BEd8iPcbp1pulu1pkVd5nKf4XgoHUFbOnN77HR62k+S3j9T81ceezriawHRB
NKvGeYEwh6nDcDhLU8a+lWeAKVm4E02mfZXSykJAl1GUJb/T2cMjJwhDDXt+
QjEk+7G89+sUntEn2InzyYKZXuYqPI3S/FrNF02zMwfE7BaX7vhfcvVrya90
MlUtGLRbZIMqPI3H1yq7LOPxDPChWDT8rhpGl1Uenqp4ViCaOdNEOEhJJ/3r
CL9asoMPESBZeDpWw+HiSXpZNUsqd+iVOb4zrI29smTwMo2uwjd5mU+iy3G+
aIaPZRylqvCnKPQbv/7OP/McQZYXE3jviqjpzf7Ow80HW/Ln44cbD+2fj+2f
T+yfT/WfT9bX5c8njzf1a083NuDbIMmG7iy97lG38+Ls7KSz39s72D3d5m8Q
ydvDRKWDUj/08vh0r9M9eK4f+ZKX6vO16rfLZJRF1axQbZXFxXyKG29HKfBO
oImJff/8rLNz0AWOqwe4rj7HaZTYRw73dnvdztmHkz39zASYY9RG9lDKLrYe
wuaDdrsdRv2yKqK4CoKzsQqZlRMTqFSMywkHaphkCpghEBNiOjNH4o1MX3JK
IUAkLPNhdQ2s1PC4EkAVRuFVVAAuzMN8GBYzGGSiQuVwr1Y4LPJJCBOEk7ys
wn5UJnGY47SzaQj4Cyc7TdVNMEH+1y5VcZXEqhXyxzjNZwP9oVJZlFWw6mma
z2nwDm4tKUOQPTP8wuwIp4utsILPUWUXHs5KhVMXalqoEt+D55PCcOxOCACb
hzHwkb7ChwfIoHGj+awMNasqcQgHdA5k8BcVxeMwh18LGC7nKccwm7uulvPK
BCgdx76CVeC/AZ7w32lelookJX7CbUVlmccJTDeAp5IrnBckEEgC4BMwJgw5
TmBmgEqcX6mC107rMGAqcYMu2IbwB0wDx9KAHDCrDI7DEcl6IbTGNvzXWeNE
xWMg7nLSYRScJINBqoLgHnKSIh/MYsSnZaf2XTxMZH2gN6gbWkgCfyGO4699
VV0rBY9c5xauHZ4rEZzIC0UYB5uyO1lAGl+//q3X3u04cgh//vatE9wZcoRz
cVQUc7Mag2G0tz4Ald5yzw9RB7/zcDEUPGUouPBfjCPegLDcaVTQZmtoQKvI
Z/RTGedTRYRe4QYBPnCEvYw/6TdaBFsPPQwbAQUo+BMttqnenOWXcC6r572z
NVxOFAKvY/gYEiy9XeOKIgs2DS18dTrrgxpHWyRQwSAGVstXsKOKKhkymcI6
dngdWfi+83D9aRg7v/5HlnUbWBA1o2KkkKIR/pHVU9tpNIcDMxync4fd1YcD
EZCV07yoFg1GZwvom+XIe1SczgbEpohdGeo4I8JbNk5IOIPP7eBztyy/FfZn
lXBBRBzG4mQSFXMiZGAvA5y5FIjVOS4BG/Qyoa2FLPWuTJkWUE5VDHBjHlkq
IBN8w6cPfG4xjejnOmGXdhWS8IPnrkGwwzKBWsaFgllmMGlzDw3SqQG4xg1n
JWqtk1k1A5o+OzgNr0F7YMDfhg8tf5NNvsYjtqu0RO4G6+g2DnDhShbPLCid
IY/+MsuYMdNKiejbIP5JcDVYV8sf8ISe0Hzj5Gztu/u4nlb/2Q2gEhgewmqj
Eej9Wqcrv7swUhWNDkhrvHcvfAtoC+z1mHDxRFMI472LzoIhLPpcycPog+PC
r4Dat2kqdXlvaJ5H1+JEqzVjBetOr5QQLBAFLnKJfLM6EkKJJfQESGIAVjvA
DpDVjnzY/YBPe3sCgpqRyL2FppHkLNf1DpOhuWt0wrDrinEkYH1k+2B2oUhr
KDKGs1kNYuzwDdCoSOsC0PFy8xRGQgxK8xGsIvU0h2CVPRIlyJAhQo3Feal+
m4H2T+wBLLppGaZJiSwajM38eg0YwD//+c8wisqrUfDntvPPn0P/H//H4A/3
N/mwurnmfZYPtWf/8ov7z19vfba2hsazhoy6Zg0PzBrMj88a4/7yb1xD87fV
hw4c/rwMZj4cfvmDnz/ZO6Fxv3sWzrj85X+HS/7hH/47WLD+1Y212uL/CPjb
P/wDr6/lj3B1a82MWIeR988f8tgV/OeWf67+ZfRb/JmOyHDZxc+e7J7YZ8NT
MAWBgBY9u5pPmbes/SCa/MjegCCDr9vhvXEyGrdTdaVSsE5/C8l/+svKqUPQ
x1OwQcivuPKNObjZqGyC7LqSPI81XYU1kqHPckijSFUEFqFDWqvIzVBiJv10
HvZBjVljq7Gv7ARqEIi4tRPBA8Nc9C3gVylxbXgjVmrQAd5ZRQmqcUO0jCaz
TItJo2DUd1NXiQJav2cnjPNrhY9eozqFcioukr6qyRBgkbFKrpALzj0AAFNH
AiRT4SQHYT4P99AtEyti8Sd5QrbI2LXlSHxEyJpZZ58I2wcYj5AHF/lsNEZd
tZ/m8SVYhKC3IcKxHaARKpDpdkGkk0Ulc7FRPYnmLL9Q2rAAc3l/CY+BxQ1n
RGNMogwWQCtGaxz+XURp8jvCvAuHMDBwD5ov4FHrHfg2cEMfrQNflGeLtmag
IQCH9luKECtB7mx0GjhWJhN0F6fzlsO818K8DwtG37l7hMa7U0MSUTnGYA4o
eAcoJMkHKC1x1Go+5T+13ZwXA0AW2Mk4nxWg/m8CiBy5DLpYplgVgzFLBXrC
VCbAI4nSQkUDtCEWGzC32kuM5TXduxSnaouVdwAYaNyd4IEHKzCYwGJQRMZE
VhZYzuL0oqIBqv0LzKOacmr8j6gT69lv01WJKzQV6o4reF2LqHT20Am2Gs8h
qmkXGuxKtiIoqhwyXF1OmkC9a97uMTCDTjyAALOnLFQ3lSpQPyyZq6wuIT0g
0jUkrAwGvGTFHbFdnuoED70dFAookZAUTmaK4SA8HrvjGinjOooCuIJ5Gi1w
+DSaAQWIG2SXNEacWtBVa7Qtj2vVTxKnYPwPB4BN8DpqfqSeRZWveQoq4NyV
PPXAPNVAGYp/If9n5beGGGCJFGy6dv31PIfZcFeIOl/vjeRTG1f9baGLAkdi
Jvz2TY9GTMAoRhMuRauhnGdVdKPxL0a0gz0WIBiTQokBXXja/tev/4d8be3e
7i81KykxM6KFdD5OUuV6erWlAnIFYTJHhRxMnzCpbfl6LECbgtESImjZLQlw
boUJepon2o8G5sjb0zON0fQSbtNbPzDa1C7+VHjQVmcDaU1vhUy6E+BvpO3T
ty3k5XNiQnGE/sFBMiCDiwQU2TMYKZmH+hSaXIC8nMBvFZLjwPjWp2lUIYMA
JrkPowA/rqIMHeZEVtY90ArQaFM/oXypAAMz4FGgUYBEjshDNYmmtGXcrior
eM7QYxTjWbL9gipOsKo6o04rfDUDuyZTyEF62ajAZxDKrVCc9iEGfgg3x+jp
HwNPVsVaIBbQ6az/BeDXTasjeAxs1HSmtAUoHMBxw2kGigfHop34UZogk4nz
WToAWgT4wWvJcB4kwyXjIPrCVImxTiMMDJdoAk8AuC06FHg7QQhUCZvSkTbp
Y1cjOQNlLYv6gJcCZcS3ZeenLUnHikTXKS5hVBqtDdYD5xkrDNiEe6gJGl5C
j1xmKLARD69dVO/A02ekaWSgwZVi/RNLRU6RVHi6GMC00tkc7hhWnYrBjlvl
s3acmqta5sB47jHjueqD3j06pcOmw8X11RzcvMjgOIuNNZ9n7A9gnjBRor/B
H+N8UBoNcYGjw3UxDMXXiIIJRSecAP1JTJ6PBZDClXboxV5E9pYQibMYuaIh
t8gVACgi8CKAROK+X7D5UEhG1M4AF9mP4kugenYplWsdx2lRhqcvjt8e7Dru
j6Fi9xLZCEDj/TQpSauHd9FzAIBBPQhDIA4LtC6YpHDDcCgowp08u8JHdf7D
Lm2cPgcBaqSAIpMky9N8NG8eg2iMt0RGSISgAxzTIcpwBeGMKRsE76Nj+vvN
3uu3vTd7u/j36YvuwYH5I5AnGBL2L/vmzvHh4d7RLr8M34beV8HKYfcD/II7
Wzk+OesdH3UPVhb7zZhgKHYEShy6YaIy8FDw2c7J//ufjS2UWG/2dzY3Np5+
+yYfnmw83oIPqJHwbMSI+COKpgBFflSQcUC21jSpKNYHNFWOkZKRdNFT+XeE
zD+2w7/04+nG1l/lC9yw96WGmfclwaz5TeNlBuKCrxZMY6DpfV+DtL/e7gfv
s4a78+Vf/kbKQnvjyd/+GiAa7mlsRjI7I2bczWJQOwG37hFzbkf8+ZsECjU3
ZtYKTA7kiJYK9L48b7gacXzk/req/kwFS9Rq5lNOsFWsald6mPiAY31zSDtD
b2GBxDtS5DwVK8N5FzhfBGuMhKdF+oeOwETvSdifiUgxfg6SIUnnCuU5ss+a
hmpVp59pAnUTIRckJIw057Axq9Jh++HL81enay0RAfUAGZmgbCVU8ybAXdEb
j9FcJIUAxpLYo1lX28hYHansLDzuuq86skFmZt9JSYFu4uAO5FxDqoO8T46E
SIxCr+R68c4EBWJmjSCAdFnOkJuT7GNuS9+Ua8z9cx1VZvNhUF8Eed4jK495
coWLroDXzPA0r5KIjiSesWWPIfU+2/86mI6RAozhJjHqGiw5L2AlFyHlh4Sa
bRg5CQtL8/ySUixcmJig8ABU3LgCvkUaggMqilijHkRcTfSziuMwGkX68Jqq
YiJgRhceBu2EAziUWea/jnFfVqAMnkT4ZUs0UHQCkWWoSZG0ukSM0Jfnp6EJ
n0jsxgtwGyXHZwZAhcNkNCsctcE7bFncRTnrCxx90nMmgA8YBZXVI5QwkqFt
2wn71tCLBPjpBIJLCQTn5B/UxAy2I0IAtyRbASx5RzuOdbqNFrWS2ATiRisb
GDnvK0oVwbQH0EbYNpFcJpDDhCzyo6BKlI4uRB9HPALNrUKeRGq0qA9zwnyd
lGRVbtkz0jCoPtOqtPzKV6T1Au1R8fh9ZAQqvsTQboYLiAg2gyICSWiOzjms
Gv30hgYLZAdiGCGrurhMBhd2S63aknkFolTRtBqhF56zcXiWaKHw2GSn0Cr4
M5rD/ZJ8nJaXae8Iz4dKOVKgTuaZgarch81hSI7QQqViSK56rJl8HEQ3wA4A
NVJZ8gJUrkEfqQutwdvFXctCpjRA8WlGE8pUqQINohpzNOSLz4hkGGtBuEwV
1kk7bkw6qmn8X79WOWiTsSA6Wb+TKTA/AJInDkrjEgNl7PZI9r3wOFukAQAx
OonMoHMwrG2iqc7bAPWDbDJOD3J8nswi0WKOiIfmzXnYCPj61foI1iQppLSW
zPfynTrhG3JGMJ8VlHAgiztxlnWpMK5Y8xbTmAPKR/AQkX5IgVbZaCDXf24Z
hx9ybWTJlDXUNatDDwrhA7/TPn3X29XYGS3TtVpuvox2Ogklz4wb12PUy8bz
Mh8WjKqlm3Y82FXX/BNL0JO9gcZsY70NhDmMM0MDrcSoB5xFGvVVaumJGIp2
4bigQ8hV5FTQtrWXIuZ4IrSnZ42lPfkN/OQk8VxZcSfGqnaV8qZRHmVuFMaL
1ZMqk9qsT7AFR6RWFiLFrAUt+obK4nxAFhRrMTl64ZazAYIEClOSqTu+FYxS
lRz3pCsa/af0HeE6VhNefKkSwYiWTd/x8isRTZzdUTbtAu4Dz7T5R2Edbg7J
AflmNa61ARWsO9mn4K/3QM9jH+03yp4jL6DrxvQjbA0vESoIqOsiEEChx7kU
slYTCdGBCS8uQdTAbgNHJpXVPEWm75u/IJSmOXokvShOI5djmeuZPc63pbOB
DYe0Ui12KS9OBjz1VB3JaUFNR3+N1vfdE/M6QY8YLenqJrjYiGLekr3XkGSY
iHmqMC+0ISba8Fbbhu5gpZQurQ+KHDYDTToAvy6hP5GQaDK1tBJKb0UFQ92g
xiVBRUALSRSTFzDfXFSibYrt/4kVvW0wp13CI0lDQI7K+QT0pAJ2OkhG6JVw
tDWj+3GewGqhRuhnQn5i1ULP3Q4vSRKLrAgz0nlZXZPdHvI4xRxA56fJg0jk
fEbm8hcZsKWLhinT0Vur5lPYmklILI2zEwQw5r8PSKsAYwIojDMJPZ/9g84G
Oe2Nntxy0sAuAF///OW6uggpn57G6ziQBkxk7mAAjcbXNq1eTESdS8TyzORg
L0C8lmfL9+ccXmFQuEYdvO24XSgTS3O+n1lXlFFaYVLpLF+2EFOyzIezVNQM
kf/krLJc3Bfh2g4gQ4yWXycYISdzBBlKB0r/pBz+BKUTHUAxQPemkEtSteHF
NqKvkAap/9oA1kqKY1tJerc5eZT7DOuSZfRtwBaJvkgd02LRkPadFTFRWJ04
ltXr6OmvX5cqkWCQff3qB9u+adOgdIWTHzirOZ6Yuzvk12LrslamAMxLHAnX
jrgyG/akj4EvEJLAF/5KGDtMLqtj/tdh4ITDOltCW8yr1zqSbAR4Qk5PMQQL
NQSUHWM4iwOsmAyAnvJleQCyQpTzwNZAgU1+m6k6czNLlKCRIR/tjRTastoC
/jikyFdWLaEVRPZI8nswYxeOC2M+tCEO9BXqCialdEfOkyzziYbVSGVCZl4x
DObCoHgvZ1OS5olF8jgb0hbJ1DO+GFqsDsRpbuUIq1rikAY7A+36EkY8NxGB
EKbQylLEP9MY2idla2GiytrYt0/YoAvLbjc1RjxZX0ciOHNfYxUWiEAtqF7w
3WlukYvL9UwKL7Ai8tux0ohMEGR1lw1FYo0N7xipqn0FAqyQ8yKjk92MJhEd
0QH1MO0n6rocQbtTLMQ9CexAHeAc5sS20EcivhiqHKtDntKC8ms1YIm4VMKu
vDw9PgrPVd9mIdMG9kx1mSN/V6wANmEkFjtat3qiT8cKJU4nscvDwh2HEzkK
gZf7TJombe0ugt1VEnTmMjAoUMmc9DOrsZCXetEgJcZlzc5tXd3Cc6clsptG
+K3LghuSKZ9VqLw5pRBUzAUQmeSVRJBIovaTlNKFCFP2TjcfProwHj4LLQ1R
oX8+B+YVKVBZgZp5I0thQX5Xt2R1sC6LWm4g1zd8OYeDLWL2W5b1aIbgmPXu
m+S6DqnyC8r7JLlgoDh0SBlwIIwDnKuMgTMq7fAQPp8Mw9OT3v7+nnGELK3X
INoFvXpA/oaVcoohjxXchuQ+DBqGOHNXJNrIY7w21sCLammtb1ICZjqLlQR1
XNjPolUtEfta7cCS9VDryphVyHhLqi4cVGYMfeRTk2Q0rtgznyYkO5JSUr9B
+wz8TORfEHf3tsOfPv0UUgjtupAoAvp9gHbDJ4+fboa1l34JAjV/Oe4/j5Pj
5OX+2997G0dJr+xNqunHnd6j3uV0oz95Ozo6he+yNw9j/C4bTAc71W+DB6+T
4esOvP6l/ymYfEiOwXIB+Be9L9PHvcl++XGOA7y7fLN/9KyXXCcfHrzc7H3J
kzfnr+dHZ29vjk9ponV1is89PXj7KdjBaUawlN7N643xh8HkY3mWPj18l378
/fT90cfzF0fvBpe968P1adXfG7z/+PaoF7/bPx+cP914vf7h4eHkZdb7FGQb
Tw92XqbqRTc5/rL34Gj37cbhWQ/+14X50vEANnF4Fq/DGq6Pdy9vDneuYd1v
prg2tbMxPHx79PbsU7D78suHzb3fX28c7R89P3rwIX1a4i7iB+8SfHKwmVbx
5ttHB/OnqXq+X8XPb9KDydFV//Tp7/Hzd1+i84/TD5+C+caD/oOXRf/50/HH
nZdPO49eFdHp67c354P06eBm//WD/S+PBicf1t8lT54cX17vX3+cdnvH4wP1
26Nu/303Ozh4PfoUHE+fvH36dvd5/Gz2Yf/Bq+To6lH+6vXuxsfz7u/F4cfj
l9cm/1gQCG1qnXzsotVt9rVORx4o9tE4JqNb3eVkiYhTqo+SOXHj1RpNyzwL
voLQWwGutrIdrhCvW2nhN5fJAL95OQNcfchfgSG1Qv0JyLxaCb7pXclG9hzi
oMW9oMU11m0MsDssmwq7lq8btCBY0leS2ysgnM0HZ0+D3dMubYC+jYsr/nbz
IWi39vvLao7fH786sd/d4DcbO+/fXw3To88H796VvfLD+/Lt1bP1By8n6fNz
tfPit9fvZvlsZ//pZn/EJfHf4P+/EcBAA4cRNh5vwVSbDzfW6UuwA/SX60+e
ypegzeJcN+3PGztnB5txHD3YOd3biq/7n1MGPlhLK7o5xPb9+wIlLKW/r/mh
MQ1uP5odgr0+FTkJ1IptxaR7DvAKOyp07hUKjhRUglnYnRbh5la4ub75MNx4
tP3g4fbGevj88Az9DVb/AEF9hNHaJN7FCaxauemZGVrBsOC6WCOzXUu+0ldW
QdQw07ZGzXVk3ETw18WdYHWBc4xJiWwaJLC+i4VnQm+xv6mmU9fcASSaSDv3
bAHOlGq4p35gyaLwyPyk4nEiTFPBuyASuFjkHhJnvkpnMRnsqMKz5lJS8MrP
if2JQl4t0TmMBSM6PSrrLctnqBYKBe3L81dGPX3MXgOAgpGUl0jJNfJbQKU/
Toz4EvGwcnDw/sl858Or3/LP76+ePzvI2h/P1auzx2n6QanX05Haid6/u+k/
vPzgUI5h1Zye1kbVv05NFi6v1FxTlKsjIDTYAUqngb564Xk1f8xPpRdD/rnu
FNQBS0sMjPxkSEWleNfeNUOCzXncRJG7RttrIUoKH1KyZi1KvFqSn8hP/EEP
wtl3lqJXQq5Aht+/hkl7O4QADTGmUeukLaKOEevy/W9Zd/N4+ng8Gmz9/uaw
f72e7Mfx5/Huzdubcf7l5nj/3fMve5ujy5Jeojmyz5/fZYOTwzfrmxvth0/f
dsv1/tPfds/2z9p7H6uzRzenR+Xnm/3y8iBfzpLrjjnBpHvaMw9YRMWqLEzD
r/fQCUdlqIwZ37QTmkPLV0rXsmT8nuAPG6mY5wlsxoQ/9ORt0jMuUMl9drTP
QMZ+LOLk88J3S9/2p0pK7RgTdZvWTU+0o342/PZN10nCh6B7cPKiG/4S/t+b
LQBlN7wPfz3aaD/uhj+H3fZH+By1fw92e89ho/jUg/X2g6fw23r7aYA57I+2
ZkUKv2z8aZWHuh/yw/fDlfYK/v/nlbUAVY9fwtC+sNJZWfYpOKepUF3BZTJP
qO1Bn+USiOgz2yeAIGQ1j7DxAUTx0teCvn51tEQ4AT5MTRYUHLnbGQiACVmk
bOjfZZYsmX87/AF75VOw1GL5AXvlU7DUYvkBe+VTsNRi+QF7BUyBZRbLD9gr
n4KlFssP2CufgqUWy93tlbubKC6PInxHVD/KtUaJ6ERcBRszocHdYEvsIcMC
C4yOKzh9VEd+DqrxrGwtR3j4qRnEq/RP58dvXh0cd3fByt87OuudfWifHb/a
O7poBaqKOy1OC01T0WzR74ZqFXxCd0hziZ3wBZdCtmShIrUxRwELA9nn4r3H
KUfMz3tGb3KC9KyOY7TZhq11k6cz67olN2EJglWKEyVJp+BiUAkbVKCKJZQ1
jyUC5PjEkBQXq1Fmm6j7fTXPaYC8bFTwx7OCclG9VB1ulWNKQVtStgErmaW0
8br3jBXxsuUo6ZbpFbNUzhvWVnCtEfd7QfdfiZpEc7xMcnf8hlQ4sJQHnogi
yo52xqlVMDY64VbnAT7gBKApWl1Lhka1uod++hxdWf40UiVacFrDsFAqJcBq
gIomTz7FU4zmy/eSno15c7B7ytxow4YTTP+obCbEhavwT+b0Mqn5XYzBJdPE
+PJNBi3l3+EwAx5FJiSvJOCklAhPKNqF1MeAqIEBpzi2btGFW8/UtTc4hX5M
ONk4yExI2HQ+A9Fla5W90JbQQ5ccnxguckOluKOG75bVHhN7DCQpwI2pGsuV
6EayuiJvbNd0MXk1CwOqQJjUCsqmlpA/ohM6KnbEgXybqlNxZzCekMIbOhDq
hDfQ3HKT5hfmJ2w3M1yjZioO5hUR8XtpUOxlzYu5m2RVS1/rhI06GicHtqoH
r3VSQzER9YPaQl5QhjBsehjFSKM6sOMdHCZE29wf7Sllo7j8PCuSC630UDnG
1sYWSgdThcGJIRyVp8iym1rLue6Y9KnT7w09mdHXGETWoJFya0rKjiTftmav
YCCCKqzIIG5sSZc5YUkosR5cbOO8jGnlprpRws0e1ajumCKqIKBveMA8Bv6r
S0zFttfVmG7gomddZ060fUhF6BT7zNAXEZV51gqcIrAkY1FnTLaWlJoRAtNv
iFYUGgBWPcivOe0K1pbi+cNDDGgtiVq26jYppWAXQzlnuiocaxcxTJOkqVTJ
ubW88HL3pEd1XxQE11YLUEg1Q4NmoMyhbq2vh6vPogElUgINccbRFJOgisSW
GZrhSUQFXmK3LtMXnsgaydbDx4hzHpTIG2ZMXyRRYIi1VHWEi4kGGSM8JLNN
RBLuJXD3srW+sUDy2DZUOm7UV3FE8crKenqi8Pz8vN314itUx0K53JR3iHRJ
ERiX5pIsIIeeXxpN+J+5uQleTFRrMTrTb9bnrjeVLjLtuPvkjAZ+xSZKilWK
PJIygKsE1hiIX6peG8K0sZOrG6qIi2VzaLI94+iulPJ8vRfzQ46apJsOoqxy
rF7MOOdUOKsq9d3YKDZElCJ2GhKpTO/CJJRwlr4NMEsHpmBK+gkyYc7wNw3a
EqZFZADOMXCGkuHcPFTIPbQofZBmgMlKyTdvNATkZzFroQM2v60uxdJ8zc4x
/43z17mHhuT5Y4G5vwmul8IMCGE2kbt4bvHgtwuQKnvNSxHhAnhOHGREzVSH
WXfTForyfPzZCTr8pgT8dB4F7S+kctPITYHkGmt5qqTHSP3LHB0wqE2S2z6g
Wv8AVo4rR+WXu4jw7oBu6yLRprqAhKWkEpJIBtRkvhPTcCGHbVorNQK+B+ct
Wb0maVeUYbKY6JCprRRVqgJzMAKP4fJTaRePHmpAT+ChSE19zDN1A60DLtlw
K4gLpRP8B47mrWPCToIUdijoOBYHlY6UWPhGJCF+ZAaoDvLaIlY3NRITvZzs
XoSJdPOU191y0xyX0XYeYqutlKIXYhBkZEWO/znwE+IdxKyiSzIaqAo6nwG+
EMoT75JqOseN7eVlk4rhFE3VGpNKNtK+m18HvwdmDFsYpUmkCSY+eC3qTCEg
HTsXSdw+f31kE6QPeGQTEwfWls8KrCSSKThvnHVupy3hj+RB1zpbfPNzFhh8
tiFsi8iunizdWthzUiJBqFTa5GR8ckhZ8nRQVEu4NE/Z7f4i2crx0mzlWmvN
RS1DF3blpGCQkQfSYfZ7/W25Mt2UD7v1JbXyBDLWTdLUfEo1DJIBK6YFpfjc
lpZ45lfl2HwZnZbsF7ZRkUT3SOeKi7G0pPT/3PClGvyQTRiwYBtL6dngw0an
tHrGWm6sjWXAKA00do9O6SebsmSVPtO+gLk9N5UQieJVOMnSAJDU0CKjIg7d
DBFJZUFn3wVgBTNJQ/TWhXMCG/XypoWdvOq9D6kGA5sMMuPiTENjPugzMQF7
5iqIbM2VUQ8A7qDh621vb+mHCaoTvdLG3QuV2IpNlwTJ+K0JC8wl41KyJSUh
9TRbZsTUPNUtXeKEH5eXkmxfOKqwPeCMMWa6RSN0hsGWdw5Mc1iq7g1ZhpRa
O7XRV1yyZfONkQULB5IBrdtr8ehaNzaj6xphBrxZsEk2NdFTVNAc3QUnYxY9
1x1rm4IMSdCog4Symqnb7mK6Z86yzDAsUCDTTEnantc6p57w6bwrfTSoAJ2V
PCp0cKqrbH8y39LtBJwcXk+LRqZo3ZxGT0D1ydT/YX/d5mKwsOKF7HMxeuru
Zct2wyX0Czp5L05T03iyvbDj7HbYHWKJLSg2KEpZD216duoF0O56C0x7VFf1
HAY393mhu6DRSHg7tMyYkTApazQqvQ2+W073b1irbuFjBwbmcBfhRpUzNoHY
qxQjn2ZUsDveLYHS1MA3NWi8tPnwTh87rnAW7hPmDXIzVIrN7D21Pzwlaz0I
/gLjDf/KEYycQmF7dHXNdjjFZo4IvQnyabZkVWxKC64V8DKpbjNtl/QYj59u
bba0W5TD32z9/uU+zSdNE0QvkvoLpj/2IgAQsZFQtjiz1HYzM159YoONRgyR
3+QaoFEZD1OCLaEq6g7V3sUbXFo6pdpwp0hKz7D5gF98h1483KTWSfjnqWY/
9VXrROPSdgQ0OdvMgdEEoUQGvFYIAw2VUwQpzjGum4cPIwkm8L1FpUAdzMnw
hA8ty90cpzQx20Z11SkN8NdJyWfW9Y4/Yve8QV6UbHTrqjRYI8y1PysQk1Hj
wp5UoRoO0bBFG44sNzgKdOd7ORSuAWD9EzQv33eBBuAMyZTPlMCBmgi5JaU5
Bd+N4CW+RyWfHrWgYttRCwndahoTjQEtIhR/CIkrvF8IvUkNFCO3TlKYfkaw
1zfiLeFgzlUi7NXCmYm6PhQKRDIvkRPEiOXESV0iWbF+Q/YrgEWbqGvTHE6u
T6J7mLS4xi5yg5kVX2JP5E4beFrUOLpirt9XGdBJJReeZFyxN1BuY0FSHJGg
FSYzSBUJhvUIRtjApkgspuDShmCGU4MoOxcZenTOGhCcmS+9tEk5nxBQ0RHB
leVTc32ExcvmrjnRh+jGYhCzH1w76FZJtQJQlkzt1VNhr2so6479S46Odvbh
y0NcBwYhpJzlVkmyLX4Z6+Czavp7XTTOBwbQ4/ocUwe4JJi8jbW0EaxkB3vB
gDa2/T1pBuKXHodTiKvt8O+yWcAHyhbXtVLV/B+r+kYrucOKM+wwG13/qyqU
wju2svvmrft6oDWsGK9d1dQAY/2JcHVK/QRhUW8O1n4cwFN718p3wBal0/G/
Aje6aurXAa+/U5odnqlUkW+uDWvHVjEq/K/m0E1I6Pf+k3tGXolNy+6+bXfH
WR6Nfx0Bs+KF0tVaqBSYs9vxKn4XtejEjS/s2lnrGEGpzKhES1tCL1q0qg3A
BQUb3J5Ix17dRme6B4A3lK64FEuwoQmSCoc0ipGwiruweo6zRiiLY/3MhNF5
YJMAKTKnvXtYrzjNTRO7KmGxrIu5dEes00UpgqSyyW0a3uSlmUb4vt9RRpwT
nqPY2K5uDHNxrWqjd4Bf4eo1WfEajJKTFOCBGgQJTfKzmyZT2PSbGstoBzFg
KRY+iZKYofbATmkCLYfxgeFj7IkGaJkKPmqupHkq9RzB30HP5t1RfgmLeBI0
SWXXQuXItoEOvU69npQDSnOXklOm54W5NKqwsqINHrOMVAEnTSZRPF/YwNbr
bHyigxonNqjBkf1pPr1rj4E+taTizp4KlGawP7BeDHS/aDqWbFLRV8WetfqU
2EaLgitLuthUWpGVYFbUKPESb77TdMFr7kbXnWHmlNBlaYfTTXhP8hPuBJ6J
fDTVW43+0lw0Ljodebh1FoJ+75CaSOgpvl8u2Qm5Py/pEGOVTtGHghnk2ndO
iVjSlqEyufbs0uOQhLSxF4Uvcsswq3IhsHUoKZpWFJTHZwug4Giu3KtHEDKI
YglgLehYvC0bzCCOinW6E1jiSDRL21V0aoopC1W7Aum2ta3CpHiHB2aoHCQT
Tg5ZhpUHsLRyGmU2fkIQJ1KMYOHwOuxIbwC1xYK88Sb6RHwKi7Z1M5zeUM7V
W+jyMtpILkEDmzwpORAE1h1It0tsKBSRoQgMKc+0o8NWzFMhhwYJ5wAAdj6T
0LO94ce95cBrYo4LFPQTqkjnVEodk26MDf8UpqNQT6ExKhBOUXqiaxf4zih7
hsbLhxSTZGinyPFF7k4NfAAKHY5kSraVF+yledsp3kzw3V71Lau7xpgal9mT
60dpZKu23TyhOGcRoGvQdWG82QYBnXIp8DGAQM4ZbkO/bQt578zuOjUEXMQ6
feRbhMtaaaAtCDZiN37kOBLeJKbTl0ZrIWpQ1jOQKbSu8XQoklpJaNFzhHmt
fE3ZK3EHDEcqHUQmQ87Cv68aRzCBs67IqITllfY+CV23y7ann6NiM9LQ53Q3
sJ3SNRfY0YenphC14XhFUl4KqxhWDmPS/EjDrUbipNnVooQRPS+8zrvHDfFZ
ZFGjOzWnoV6RVmN+9IOp7nqBvCPuooFZOXmqsNf+CcVQiTdyy/LITxe4xpgk
jUP1tbRObi3DgX8CAPmGioVqhRFqvCvvshMTLY+AOuYl+ySuowJ2UEmSnE1d
tDswzvWSb00m8sB1YdluUkpqYqR5v0FGv/uKw/uc3I7IShpMnmIcecPHemLC
kNj3fYGoshkccvI6cCV44cQxOaR/xUzA8iw9N53LuahTCNEap5YB/Te0OEQp
YHBf0jN4I8+02pxTDG4vG0zxsgXmCifHJ7oQ2lGcbA8qfUUGdXN0mbt2L3tN
mTjGJw0eOOSH0MmUuQrP9m8URceBn6vjy80nmrBr158syAy63aS7Q8BXRzmX
Rk8yv/NdzY+9avvGrVFLCntln/b9+6EYbHcPoyElcDqjPUcvfEI5vulcYFdJ
Dw8vdulGIF2p8t0eqYtaP64267OsgSm5Oo1g7/LAkTgcjdJWN0c1lXtdOjlT
bo+8aCaGohvTs7lozF/j2k6a5qskqrCJrsf5/vSxNt/InK1XtrkKk23mZi3Z
jrniz7YicIHl5GN+5/6M7/S8vF0BdXHbagLfa5INa3Ca5eguUHk4mGfRBDYC
8LqPHc+s1uQy9yVd7t3da43JS81sVLq67ezDA2DUMpfXlhIYbUFee1/OifaL
rdocjUlSmIzChnd63A4LbUvaWLF5mcR+Xukmysbt2yS6BQHRRRSGTav1SpmV
egg5xWSeqvQaFXmgWNj0eMjNuEnOReLZlgELJc4TfJ4vBrMnJ3LMqsmagvCa
sqF1Dcj6nSM1LdDdzAmCHL5owIdsrszTW7n3K+xWZBrtBcEzna51mwNh8e91
Lj/3mgBKEscyA4pivlqNvMQWffKj87Xrcljeksz39+nXXeM71wmBvtov6dfw
hi0XKVRb+k4JO6cG55jfugw+mFPu5DFxzpSR88ah+fUe3+Pdz28UVhp1HSUk
71PjUg6ZkqMRVT7NV/12l1ruIy/FuMx3z26ZvU2pIRWofNNK7nEXbXtC170x
E8fYEuiPgC3Ss4e1rIqKku5i1ZtuPfgaWTm6TXtLUoPafhiddBt7VdksS/lu
FWnJprfvlrn256xy1zqe8t3b9Ivf5eaHrwEj3X0alaVxHxhFnLXmkvjMgqak
8jMulzaPlwrpC5wdf432RDkxQJ1sgGlswF8IDQk1qLtigYmz7ECKMu973f10
kg90jLPSeFoPePoeH8oXi1k51ljhe3OMPWZGlFmoNoHvvyal3LJ20r0PHT+R
7cXFXl/0QH4TNVyMKywmAGtwIfMk4+Z3bZSWSTWzsUadm4kJvRz9rGqlCiQP
RQBoz7rOekQjwj3iKGSCBS50QwkLVOcWN0MT5ALRXJKwp1yAPjp7TbNA9xy0
/g/MqpCkOqOPWac+4Ji0ZZH0aMy99YwfXIDYbHQPwrARofSqB5DU2PMox6Yd
Q7RNupxLdrZwV0mm86873xP5WH50jSKYvDA1f5jVLyVfLZsjCvLVDo1u014L
dFFvUN1ucVnLHHfVZkRgFdcljpa+cQKbbv5MyQvOjRCSpOdp/X62qTaIXVOt
mZdXmQa4kvzolBURzGER5RgOr+Mgj6d2kI2zKEOLb94x3pzm1SqeN4MuS7PO
DEQve6tosoQ3eg6Lvnd9i7nwgkQyDme92Po+eu63Ky468YG42USMvYpNEGPh
+FirG0R6MKm16ATUiy/1Kih2SNWQC+KGh9SO9gxToN5wG7+I3Q70QuLmLla2
DRkty/q8FWZ8KOMsWbGDut0BpRbzcG+31+2cfTjZO6V2C39yIwr3pZFTS0qh
EmBpEvBg22PBs6A9mMdA38atIJvYdp8NArCcK/uTvBoEb3Qys3URbIdH97tB
cKwPqvHLHjYklz7KDjy3wyU/0NEznmKeLUEJCd22NtSa9Iq7Pexn5bYLpiDl
36VM9h+YPbG4A/Q2PYjDLQkYm8QmbnUUvn//ntSBWnFzfVTa+8lMN3j03CHb
eqCWG6MCRW7qJFY696+TK0LvbNsyRuYJOlVa3XJ7Usu7W4nfCOztZjb86ydV
6vuQyWYOgv0iGk2sS4lU5oX7dorjHYmxTc36ge4jLtxKQE7ZvG/aJm+QxjiM
RsBo+Pb21XJNvt1PUichkb/PM4WPxxgCL8fhkLgIYi/mAdlXT8glEP5XiIZV
quvW5YIozCWQeyALFpbeujWOcKJ2+ROW/xectrYUPcgsnZWUzYBp88dHSEAm
iEyprfIzA43Gtvh417l2QAiMODhZ5Fh1tG2S/4DGRqDFsGPlLCov0bsNitEq
8J/Rr+i36OTFaI0tjRdzrIXDehWyObCsSXtJwlUsyVuTNijkTPv38b//1bzz
Fc0h8YnOfm/vYFdzyFs6Tfh8sk15qIZbLusBYzmmvICT2CVtL3sRrUFK+dwm
70CErjD6TgpvB8T0+fThay+7c1ey3TxWUe8b9I3yYCYkcLcpU8xmq3IJAtcR
U+MafT+sVuVoK0HQbrdDzHRDsacnDV8AiPNiLhm0yzNnb8mCRYyiFM624x4z
dS9oPZft9U3K1h4M2Chz/G2EJ9+5zqV23Qrl37j18hwNIdfubV5h/dgO9arj
xfjX4OmlkW6FF/aCmeJXbbf8i4RapgOC9kDh0G8Ubv82UeM2N8AJtDcGs7x2
XKckDm9/ZLXaqNpLNGJcwnMO8WK1hQQH/Kxq4oVUY5Nbz7h12/R2eB8mI9rN
VtZhAZunuepcfxuen5zxSqm491CuQDcdk8s1HpqKelbonvQVXM4KRTdWtCmV
z6rO3VBrA1FrR07LpAvf0tBfNPjbWvTrW7VsYZIw46bWThlMhI18py1NzFuU
nPOFDW8H5g5QmorYauFwWqfJmobzzzaJxOv+7Lqy7giz9cAukM4Lz6oNZyT5
x/o0NUWY3jA4+SiXCBalJ18pqXlzMl8NZuhEZ934uFDt6biIdIeEKzg0vBNJ
z0INKuDdBcUg3ONwyfbKzbKt0bO9/jjwaRA2iClYADunVmM2NREbq3GV+Msu
mBWzstS6h2h9bGGwcnVy1nFQjmv16XpfKp8yCmBKfTHmhBVEC1vrG/Qiujd1
4AYbDUgQutRsycMDEbT6chLhYk2MwpeP1LXVHDJJDdNuW3zgrU2tuehSjLht
CNN2Vr8DjB8hjPf0rccOMuvEndtse4Jy45VbCU0MWb5rw/vdt7bBGqA0Jzp8
p87gTpt6aKmC+SCOWyzajAayuQED74vWtCBOh24RjxP0kMyoHkH3EOeEVvQZ
7CYjPFiqKNdtYMgi18SID5+iuX0tOfd4qwE1i3IajghP5iZRpCJhayRkJ40L
cL4PgS2GAPdnx6sROl+uLzvUOZ96Op3JjnWKZLmoUSnRygl1z3F38qYRgqf8
NnGjU7wZ2Ru+qaWHfhWFZ65jrM5dySas68Ma93in7T4IZHC+2JkzZMIV05uX
QGm6NcSigNmaKkldN7nnHUqevmx05KFeQtpuJnfVYGAOFfQ3SjFA7pga6VzP
f3Ukipcqi0sRhsQzu5dt+DPjM3ses7KNldzkRRTJunHOncC4yWCsdQPx23Aw
JAstESPvwJJoVEQTg+5UYYGarGWzJOpcTgBA5Ib0sG+iV3N/LN+ujoVXqRqM
WAzdZRcboqJK0p+TC+oe+0mCLg9/YVz3a5tXYOhoimX0nihYceOBKwFdl72A
yxHSHaJz1+mCA/CisNaENCyrO5IzLmPzFSCbgn04w7gLDIEnv2pD8bqLyZrm
Vm4xrUjJRWEMkUnK1dypfsR4J3dP8pN2kpXclojuYSMMMlWkjH8wPbW2aSiE
krgY2TZOdzouUmF6KELwdpjn/Lh0SEITP86nJLV5mHKs8N7mJSPpLfo3to3Z
NtLbptvpfLwKvm6z20INflkZgpKidNNQRkV94wV30qJLabNLQaHwVQQwToH1
ExXSzHTWamBQDn29St7ajTKw48J9sOXcd0xZmdafgOpSNJrQX2SLDb1rLP4/
xXbt8Y6gAAA=

-->

</rfc>
