<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE rfc [
<!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;">
<!ENTITY RFC7643 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7643.xml">
<!ENTITY RFC7644 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7644.xml">
<!ENTITY RFC2119 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC8174 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
<!ENTITY RFC8520 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8520.xml">
<!ENTITY RFC4648 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4648.xml">
<!ENTITY RFC5280 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml">
<!ENTITY RFC6241 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6241.xml">
<!ENTITY RFC8040 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8040.xml">
<!ENTITY RFC7950 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7950.xml">
<!ENTITY RFC8995 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8995.xml">
<!ENTITY I-D.ietf-asdf-nipc SYSTEM "https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-asdf-nipc.xml">
<!ENTITY I-D.brinckman-nipc SYSTEM "https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.brinckman-nipc.xml">
]>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-scim-device-model-18" number="9944" updates="" obsoletes="" xml:lang="en" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
<!-- [rfced] Please note that the title of the document has been updated as follows: Abbreviations have been expanded per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review.
Original: Device Schema Extensions to the SCIM model
Current: Device Schema Extensions to the System for Cross-Domain Identity Management (SCIM) Model -->
<front>
<title abbrev="SCIM Device Schema Extensions">Device Schema Extensions to the System for Cross-Domain Identity Management (SCIM) Model</title>
<seriesInfo name="RFC" value="9944"/>
<author initials="M." surname="Shahzad" fullname="Muhammad Shahzad">
<organization>North Carolina State University</organization>
<address> <postal> <street>Department of Computer Science</street> <street>890 Oval Drive</street> <street>Campus Box 8206</street> <city>Raleigh</city> <region>NC</region> <code>27695-8206</code> <country>United States of America</country> </postal> <email>mshahza@ncsu.edu</email> </address>
</author>
<author initials="H." surname="Iqbal" fullname="Hassan Iqbal">
<organization>North Carolina State University</organization>
<address> <postal> <street>Department of Computer Science</street> <street>890 Oval Drive</street> <street>Campus Box 8206</street> <city>Raleigh</city> <region>NC</region> <code>27695-8206</code> <country>United States of America</country> </postal> <email>hassaniqbal931@gmail.com</email> </address>
</author>
<author initials="E." surname="Lear" fullname="Eliot Lear">
<organization>Cisco Systems</organization>
<address> <postal> <street>Richtistrasse 7</street> <city>Wallisellen</city> <code>8304</code> <country>Switzerland</country> </postal> <phone>+41 44 878 9200</phone> <email>lear@cisco.com</email> </address>
</author>
<date year="2026" month="March"/>
<area>SEC</area>
<workgroup>scim</workgroup>
<!-- [rfced] Please insert any keywords (beyond those that appear in the title) for use on https://www.rfc-editor.org/search.
--> <keyword>example</keyword>
<abstract>
<t>The initial core schema for the System for Cross-domain Identity Management (SCIM) was designed for provisioning users. This memo specifies schema extensions that enable provisioning of devices using various underlying bootstrapping systems such as Wi-Fi Easy Connect, FIDO device onboarding vouchers, Bluetooth Low Energy (BLE) passcodes, and MAC Authenticated Bypass (MAB).</t>
</abstract>
</front>
<middle>
<section anchor="introduction"> <name>Introduction</name>
<t>The Internet of Things presents a management challenge in many dimensions. One of them is the ability to onboard and manage a large number of devices. There are many models for bootstrapping trust between devices and network deployments. Indeed, it is expected that different manufacturers will make use of different methods.</t>
<t>The System for Cross-domain Identity Management (SCIM) <xref target="RFC7643"/> <xref target="RFC7644"/> defines a protocol and a schema for the provisioning of users. However, it can easily be extended to provision device credentials and other attributes into a network. The protocol and core schema were designed to permit just such extensions. Bulk operations are supported, which matters because devices are often procured in bulk.</t>
<t>A primary purpose of this specification is to provision the network for onboarding and communications access to and from devices within a local deployment based on the underlying capabilities of those devices.</t>
<t>The underlying security mechanisms of some devices range from non-existent, such as the Bluetooth Low Energy (BLE) "Just Works" pairing method, to a robust FIDO Device Onboard (FDO) mechanism.
Information from the SCIM server is dispatched to control functions based on selected schema extensions to enable these communications within a network. The SCIM database is therefore essentially equivalent to a network's Authentication, Authorization, and Accounting (AAA) database and should be carefully managed as such.</t>
<section anchor="why-scim-for-devices"> <name>Why SCIM for Devices?</name>
<t>There are a number of existing models that might provide the basis for a scheme for provisioning devices onto a network, including two standardized by the IETF: NETCONF <xref target="RFC6241"/> or RESTCONF <xref target="RFC8040"/> with YANG <xref target="RFC7950"/>. SCIM was chosen for the following reasons:</t>
<ul spacing="normal">
<li> <t>NETCONF and RESTCONF focus on <strong>configuration</strong> rather than provisioning.</t> </li>
<li> <t>SCIM is designed with inter-domain provisioning in mind. The use of HTTP as a substrate permits user-based authentication for local provisioning applications as well as OAuth- or certificate-based authentication. The inter-domain nature of these operations does not expose local policy, which itself must be (and often is) configured with other APIs, many of which are not standardized.</t> </li>
<li> <t>SCIM is also a familiar tool within the enterprise environment, used extensively to configure federated user accounts.</t> </li>
<li> <t>Finally, once one chooses a vehicle such as SCIM, one is beholden to its data model.
The SCIM data model is more targeted to provisioning, as articulated in <xref target="RFC7643"/>.</t> </li>
</ul>
<t>This, taken together with the fact that end devices are not intended to be <strong>directly</strong> configured, leaves us with SCIM as the best standard option.</t>
</section>
<section anchor="protocol-participants"> <name>Protocol Participants</name>
<t>In the normal SCIM model, it was presumed that large federated deployments would be SCIM clients who provision and remove employees and contractors as they enter and depart those deployments, and federated services such as sales, payment, or conferencing services would be the servers.</t>
<t>In the device model, the roles are reversed and may be somewhat more varied. The SCIM server resides within a deployment and is used for receiving information about devices that are expected to be connected to its network. That server will apply appropriate local policies regarding whether and how the device should be connected.</t>
<t>The client may be one of a number of entities:</t>
<ul spacing="normal">
<li> <t>A vendor who is authorized to add devices to a network as part of a sales transaction. This is similar to the sales integration sometimes envisioned by Bootstrapping Remote Secure Key Infrastructure (BRSKI) <xref target="RFC8995"/>.</t> </li>
<li> <t>A client application that administrators or employees use to add, remove, or get information about devices.
An example might be a tablet or phone app that scans Wi-Fi Easy Connect QR codes.</t> </li>
</ul>
<figure anchor="arch"> <name>Basic Architecture - Non-IP Example</name>
<artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="304" width="496" viewBox="0 0 496 304" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,64 L 8,112" fill="none" stroke="black"/> <path d="M 8,176 L 8,224" fill="none" stroke="black"/> <path d="M 104,64 L 104,112" fill="none" stroke="black"/> <path d="M 104,176 L 104,224" fill="none" stroke="black"/> <path d="M 200,32 L 200,72" fill="none" stroke="black"/> <path d="M 200,128 L 200,256" fill="none" stroke="black"/> <path d="M 224,64 L 224,112" fill="none" stroke="black"/> <path d="M 224,176 L 224,208" fill="none" stroke="black"/> <path d="M 264,120 L 264,168" fill="none" stroke="black"/> <path d="M 304,64 L 304,112" fill="none" stroke="black"/> <path d="M 328,176 L 328,208" fill="none" stroke="black"/> <path d="M 408,176 L 408,208" fill="none" stroke="black"/> <path d="M 472,176 L 472,208" fill="none" stroke="black"/> <path d="M 488,32 L 488,256" fill="none" stroke="black"/> <path d="M 200,32 L 488,32" fill="none" stroke="black"/> <path d="M 8,64 L 104,64" fill="none" stroke="black"/> <path d="M 224,64 L 304,64" fill="none" stroke="black"/> <path d="M 112,80 L 216,80" fill="none" stroke="black"/> <path d="M 112,96 L 216,96" fill="none" stroke="black"/> <path d="M 8,112 L 104,112" fill="none" stroke="black"/> <path d="M 224,112 L 304,112" fill="none" stroke="black"/> <path d="M 8,176 L 104,176" fill="none" stroke="black"/> <path d="M 224,176 L 328,176" fill="none" stroke="black"/> <path d="M 408,176 L 472,176" fill="none" stroke="black"/> <path d="M 224,208 L 328,208" fill="none" stroke="black"/> <path d="M 408,208 L 472,208" fill="none" stroke="black"/> <path d="M 8,224 L
104,224" fill="none" stroke="black"/> <path d="M 200,256 L 488,256" fill="none" stroke="black"/> <polygon class="arrowhead" points="272,168 260,162.4 260,173.6" fill="black" transform="rotate(90,264,168)"/> <polygon class="arrowhead" points="224,80 212,74.4 212,85.6" fill="black" transform="rotate(0,216,80)"/> <polygon class="arrowhead" points="120,96 108,90.4 108,101.6" fill="black" transform="rotate(180,112,96)"/> <g class="text"> <text x="160" y="68">Request</text> <text x="60" y="84">Onboarding</text> <text x="260" y="84">SCIM</text> <text x="56" y="100">App</text> <text x="260" y="100">Server</text> <text x="140" y="116">Ctrl</text> <text x="184" y="116">Endpt</text> <text x="296" y="148">(Device</text> <text x="352" y="148">Info)</text> <text x="56" y="196">Control</text> <text x="152" y="196">...........</text> <text x="212" y="196">..</text> <text x="272" y="196">ALG</text> <text x="368" y="196">.........</text> <text x="436" y="196">Device</text> <text x="56" y="212">App</text> <text x="296" y="244">Local</text> <text x="352" y="244">Network</text> </g> </svg></artwork>
<artwork type="ascii-art"><![CDATA[
                         +-----------------------------------+
                         |                                   |
 +-----------+  Request  |  +---------+                      |
 |Onboarding |------------->|  SCIM   |                      |
 |    App    |<-------------| Server  |                      |
 +-----------+  Ctrl Endpt  +---------+                      |
                         |       |                           |
                         |       |(Device Info)              |
                         |       v                           |
 +-----------+           |  +------------+         +-------+ |
 |  Control  |...........|..|    ALG     |.........|Device | |
 |    App    |           |  +------------+         +-------+ |
 +-----------+           |                                   |
                         |        Local Network              |
                         +-----------------------------------+
]]></artwork>
</artset>
</figure>
<t>In <xref target="arch"/>, the onboarding application (app) provides the device particulars, which will vary based on the type of device, as indicated by the selection of
schema extensions. As part of the response, the SCIM server might provide additional information, especially in the case of non-IP devices, where an application-layer gateway may need to be used to communicate with the device (cf. <xref target="I-D.ietf-asdf-nipc"/>). The control endpoint is one among a number of objects that may be returned. That control endpoint will then communicate with the Application Layer Gateway (ALG) to reach the device.</t>
<figure anchor="arch2"> <name>Interaction with AAA</name>
<artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="272" width="504" viewBox="0 0 504 272" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,64 L 8,112" fill="none" stroke="black"/> <path d="M 8,144 L 8,192" fill="none" stroke="black"/> <path d="M 104,64 L 104,112" fill="none" stroke="black"/> <path d="M 104,144 L 104,192" fill="none" stroke="black"/> <path d="M 200,32 L 200,72" fill="none" stroke="black"/> <path d="M 200,128 L 200,224" fill="none" stroke="black"/> <path d="M 224,64 L 224,112" fill="none" stroke="black"/> <path d="M 224,144 L 224,176" fill="none" stroke="black"/> <path d="M 304,64 L 304,112" fill="none" stroke="black"/> <path d="M 328,144 L 328,176" fill="none" stroke="black"/> <path d="M 336,64 L 336,96" fill="none" stroke="black"/> <path d="M 376,64 L 376,96" fill="none" stroke="black"/> <path d="M 408,144 L 408,176" fill="none" stroke="black"/> <path d="M 416,64 L 416,96" fill="none" stroke="black"/> <path d="M 440,104 L 440,136" fill="none" stroke="black"/> <path d="M 472,64 L 472,96" fill="none" stroke="black"/> <path d="M 472,144 L 472,176" fill="none" stroke="black"/> <path d="M 496,32 L 496,224" fill="none" stroke="black"/> <path d="M 200,32 L 496,32" fill="none" stroke="black"/> <path d="M 8,64 L 104,64" fill="none" stroke="black"/> <path d="M 224,64 L
304,64" fill="none" stroke="black"/> <path d="M 336,64 L 376,64" fill="none" stroke="black"/> <path d="M 416,64 L 472,64" fill="none" stroke="black"/> <path d="M 112,80 L 216,80" fill="none" stroke="black"/> <path d="M 312,80 L 328,80" fill="none" stroke="black"/> <path d="M 384,80 L 408,80" fill="none" stroke="black"/> <path d="M 112,96 L 216,96" fill="none" stroke="black"/> <path d="M 336,96 L 376,96" fill="none" stroke="black"/> <path d="M 416,96 L 472,96" fill="none" stroke="black"/> <path d="M 8,112 L 104,112" fill="none" stroke="black"/> <path d="M 224,112 L 304,112" fill="none" stroke="black"/> <path d="M 8,144 L 104,144" fill="none" stroke="black"/> <path d="M 224,144 L 328,144" fill="none" stroke="black"/> <path d="M 408,144 L 472,144" fill="none" stroke="black"/> <path d="M 224,176 L 328,176" fill="none" stroke="black"/> <path d="M 408,176 L 472,176" fill="none" stroke="black"/> <path d="M 8,192 L 104,192" fill="none" stroke="black"/> <path d="M 200,224 L 496,224" fill="none" stroke="black"/> <polygon class="arrowhead" points="416,80 404,74.4 404,85.6" fill="black" transform="rotate(0,408,80)"/> <polygon class="arrowhead" points="392,80 380,74.4 380,85.6" fill="black" transform="rotate(180,384,80)"/> <polygon class="arrowhead" points="336,80 324,74.4 324,85.6" fill="black" transform="rotate(0,328,80)"/> <polygon class="arrowhead" points="224,80 212,74.4 212,85.6" fill="black" transform="rotate(0,216,80)"/> <polygon class="arrowhead" points="120,96 108,90.4 108,101.6" fill="black" transform="rotate(180,112,96)"/> <g class="text"> <text x="160" y="68">Request</text> <text x="60" y="84">Onboarding</text> <text x="260" y="84">SCIM</text> <text x="360" y="84">AAA</text> <text x="444" y="84">Switch</text> <text x="56" y="100">App</text> <text x="260" y="100">Server</text> <text x="140" y="116">Ctrl</text> <text x="184" y="116">Endpt</text> <text x="56" y="164">Control</text> <text x="152"
y="164">...........</text> <text x="212" y="164">..</text> <text x="272" y="164">Router/fw</text> <text x="368" y="164">.........</text> <text x="436" y="164">Device</text> <text x="56" y="180">App</text> <text x="304" y="212">Local</text> <text x="360" y="212">Network</text> </g> </svg></artwork>
<artwork type="ascii-art"><![CDATA[
                         +------------------------------------+
                         |                                    |
 +-----------+  Request  |  +---------+   +----+    +------+  |
 |Onboarding |------------->|  SCIM   |-->|AAA |<-->|Switch|  |
 |    App    |<-------------| Server  |   +----+    +------+  |
 +-----------+  Ctrl Endpt  +---------+                |      |
                         |                             |      |
 +-----------+           |  +------------+         +-------+  |
 |  Control  |...........|..| Router/fw  |.........|Device |  |
 |    App    |           |  +------------+         +-------+  |
 +-----------+           |                                    |
                         |         Local Network              |
                         +------------------------------------+
]]></artwork>
</artset>
</figure>
<t><xref target="arch2"/> shows how IP-based endpoints can be provisioned. In this case, the onboarding application provisions a device via SCIM. The necessary information is passed to the Authentication, Authorization, and Accounting (AAA) subsystem, such that the device is permitted to connect. Once it is online, since the device is based on IP, it will not need an ALG, but it will use the normal IP infrastructure to communicate with its control application.</t>
</section>
<section anchor="schema-description"> <name>Schema Description</name>
<!-- [rfced] In the text below, we have updated "JSON Schema" to "JSON Schemas" (plural) and "OpenAPI" to "OpenAPI versions" (for consistency with the first sentence). Please review to confirm these changes are accurate.
Original: In addition, we provide non-normative JSON Schema [JSONSchema] and OpenAPI [OpenAPI] versions in the appendices for ease of implementation, neither of which existed when SCIM was originally developed. The only difference the authors note between the normative schema representations is that JSON Schema and OpenAPI do not have a means to express...
Current: In addition, we provide non-normative JSON Schemas [JSONSchema] and OpenAPI [OpenAPI] versions in the appendices for ease of implementation, neither of which existed when SCIM was originally developed. The only difference the authors note between the normative schema representations is that the JSON Schemas and OpenAPI versions do not have a means to express... -->
<t><xref target="RFC7643"/> does not prescribe a language to describe a schema but instead uses a narrative description with examples. We follow that approach. In addition, we provide non-normative JSON Schemas <xref target="JSONSchema"/> and OpenAPI <xref target="OpenAPI"/> versions in the appendices for ease of implementation, neither of which existed when SCIM was originally developed. The only difference the authors note between the normative schema and those representations is that the JSON Schemas and OpenAPI versions do not have a means to express case sensitivity, and thus attributes that are not case sensitive must be validated manually.</t>
<t>Several additional schemas specify specific onboarding mechanisms, such as Bluetooth Low Energy (BLE) <xref target="BLE54"/>, Wi-Fi Easy Connect <xref target="DPP2"/>, and FIDO Device Onboard <xref target="FDO11"/>.</t>
</section>
<section anchor="schema-representation"> <name>Schema Representation</name>
<!-- [rfced] Could the citations below be updated as follows for clarity?
We ask because it appears that attribute characteristics are defined in Section 2.2 of RFC 7643, and that attribute datatypes are defined in Section 2.3 of RFC 7643.
Original: Attributes defined in the device core schema and extensions comprise characteristics and SCIM datatypes defined in Sections 2.2 and 2.3 of [RFC7643].
Perhaps: Attributes defined in the device core schema (see Section 2.2 of [RFC7643]) and extensions comprise characteristics and the SCIM datatypes (defined in Section 2.3 of [RFC7643]). -->
<t>Attributes defined in the device core schema and its extensions have the attribute characteristics defined in <xref target="RFC7643" sectionFormat="of" section="2.2"/> and use the SCIM datatypes defined in <xref target="RFC7643" sectionFormat="of" section="2.3"/>. This specification does not define new characteristics or datatypes for SCIM attributes.</t>
</section>
<section anchor="terminology"> <name>Terminology</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
<t>The reader is also expected to be familiar with the narrative schema language used in <xref target="RFC7643"/>.</t>
</section>
</section>
<section anchor="resourcetype-device"> <name>ResourceType Device</name>
<t>A new resource type 'Device' is specified.
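</t>
<t>The following Python program is an added, non-normative illustration written for this page. It is neither part of this specification nor code from any SCIM implementation, the function names are the example's own, and the resource values in it are constructed. It checks a Device representation against the attribute characteristics given below for the core device schema (the required common attributes "id" and "meta", the required boolean "active", the case-insensitive "displayName", the case-exact "mudUrl", and the read-only "groups") and checks the "type" rule for Group members given in the Groups section. Because the non-normative JSON Schemas and OpenAPI descriptions cannot express case sensitivity, the comparison function consults a caseExact flag explicitly. The requirement that a MUD URL use the "https" scheme comes from RFC 8520.</t>
<sourcecode type="python" markers="false"><![CDATA[
```python
"""Consistency checks for SCIM Device and Group resources.

Added, non-normative example written for this page; it is not code from
RFC 9944 or from any SCIM implementation.  All sample resources below are
constructed for illustration.
"""
import json
from typing import Any, Dict, List

DEVICE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Device"

# Attribute characteristics of the core device schema, transcribed from the
# table "Characteristics of Device Schema Attributes".  The appendix JSON
# Schemas cannot express caseExact, so comparisons consult it explicitly.
CORE_ATTRIBUTES: Dict[str, Dict[str, Any]] = {
    "displayName": {"type": str,  "required": False, "caseExact": False, "mutability": "readWrite"},
    "active":      {"type": bool, "required": True,  "caseExact": False, "mutability": "readWrite"},
    "mudUrl":      {"type": str,  "required": False, "caseExact": True,  "mutability": "readWrite"},
    "groups":      {"type": list, "required": False, "caseExact": True,  "mutability": "readOnly"},
}
COMMON_REQUIRED = ("id", "meta")                # externalId is optional (RFC 7643, Section 3.1)
GROUP_MEMBER_TYPES = ("Device", "EndpointApp")  # "type" of a Group's members (Groups section)


def validate_device(resource: Dict[str, Any]) -> List[str]:
    """Return the list of core device schema violations; empty means acceptable."""
    problems: List[str] = []
    if DEVICE_SCHEMA not in resource.get("schemas", []):
        problems.append(f"schemas must include {DEVICE_SCHEMA}")
    for name in COMMON_REQUIRED:
        if name not in resource:
            problems.append(f"common attribute '{name}' is required")
    for name, spec in CORE_ATTRIBUTES.items():
        if name not in resource:
            if spec["required"]:
                problems.append(f"attribute '{name}' is required")
        elif not isinstance(resource[name], spec["type"]):
            problems.append(f"attribute '{name}' must be {spec['type'].__name__}")
    mud = resource.get("mudUrl")
    if isinstance(mud, str) and not mud.startswith("https://"):
        problems.append("mudUrl must use the https scheme (RFC 8520)")
    return problems


def attribute_equal(name: str, a: str, b: str) -> bool:
    """Compare two values of a core string attribute according to its caseExact flag."""
    if CORE_ATTRIBUTES[name]["caseExact"]:
        return a == b
    return a.casefold() == b.casefold()


def rejected_changes(current: Dict[str, Any], incoming: Dict[str, Any]) -> List[str]:
    """Names of readOnly core attributes that a client update tries to alter."""
    return [name for name, spec in CORE_ATTRIBUTES.items()
            if spec["mutability"] == "readOnly"
            and name in incoming and incoming[name] != current.get(name)]


def validate_group_members(group: Dict[str, Any]) -> List[str]:
    """Check a Group's members: if 'type' is set, it MUST be Device or EndpointApp."""
    problems: List[str] = []
    for member in group.get("members", []):
        if "value" not in member:
            problems.append("member without 'value'")
        if "type" in member and member["type"] not in GROUP_MEMBER_TYPES:
            problems.append(f"member type {member['type']!r} must be Device or EndpointApp")
    return problems


def may_control(resource: Dict[str, Any]) -> bool:
    """A controller should refuse commands for a device whose 'active' is not true."""
    return resource.get("active") is True


# Constructed sample Device; the id reuses the one from the core device
# example figure in this document.
HEART_MONITOR: Dict[str, Any] = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device"],
  "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
  "displayName": "BLE Heart Monitor",
  "active": true,
  "mudUrl": "https://example.com/mud/heart-monitor.json",
  "meta": {"resourceType": "Device", "created": "2022-01-23T04:56:22Z",
           "lastModified": "2022-05-13T04:42:34Z",
           "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109-8486-d5c6a3316111"}
}""")

# Constructed sample Group; the second member's type is deliberately wrong.
DEVICE_GROUP: Dict[str, Any] = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "id": "5b0c1f4e-0000-4000-8000-000000000001",
    "displayName": "Ward 3 monitors",
    "members": [{"value": HEART_MONITOR["id"], "type": "Device"},
                {"value": "a1b2c3d4", "type": "User"}],
}

if __name__ == "__main__":
    print(validate_device(HEART_MONITOR))                                        # []
    print(validate_device({"schemas": [DEVICE_SCHEMA], "id": "x"}))              # meta and active missing
    print(attribute_equal("displayName", "BLE Heart Monitor", "ble heart monitor"))      # True
    print(attribute_equal("mudUrl", "https://example.com/A", "https://example.com/a"))  # False
    print(rejected_changes(HEART_MONITOR, {"groups": [{"value": "5b0c1f4e"}]}))  # ['groups']
    print(validate_group_members(DEVICE_GROUP))                                  # member type 'User' rejected
    print(may_control(dict(HEART_MONITOR, active=False)))                        # False
```
]]></sourcecode>
<t>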
The "ResourceType" schema specifies the metadata about a resource type (see <xref target="RFC7643" section="6"/>). It comprises a core device schema and several extension schemas. The core schema provides a minimal resource representation, whereas extension schemas extend it depending on the device's capabilities.</t>
<section anchor="commonatts"> <name>Common Attributes</name>
<t>The Device schema contains three common attributes as defined in <xref target="RFC7643" section="3.1"/>. No semantic or syntax changes are made here; the attributes are listed merely for completeness.</t>
<dl>
<dt>id:</dt> <dd> <t>A required and unique attribute of the core device schema (see <xref target="RFC7643" section="3.1"/>).</t> </dd>
<dt>externalId:</dt> <dd> <t>An optional attribute (see <xref target="RFC7643" section="3.1"/>).</t> </dd>
<dt>meta:</dt> <dd> <t>A required complex attribute (see <xref target="RFC7643" section="3.1"/>).</t> </dd>
</dl>
</section>
</section>
<section anchor="scim-core-device-schema"> <name>SCIM Core Device Schema</name>
<t>The core device schema provides the minimal representation of a resource "Device". It contains only those attributes that any device may need, and only one attribute is required. It is identified using the schema URI:</t>
<t>urn:ietf:params:scim:schemas:core:2.0:Device</t>
<t>The following attributes are defined in the core device schema.</t>
<section anchor="singular-attributes"> <name>Singular Attributes</name>
<dl>
<dt>displayName:</dt> <dd> <t>A string that provides a human-readable name for a device.
It is intended to be displayed to end users and should be suitable for that purpose. The attribute is not required and is not case sensitive. It may be modified and <bcp14>SHOULD</bcp14> be returned by default. No uniqueness constraints are imposed on this attribute.</t> </dd>
<!-- [rfced] For clarity, may we update the text below as follows? Note that this update is similar to text that appears in Appendix A.2.
Original: For example, when used in conjunction with NIPC [I-D.brinckman-nipc], commands such as connect, disconnect, subscribe that control application sends to the controller for the devices any command will be rejected by the controller.
Perhaps: For example, when used in conjunction with Non-IP Device Control (NIPC) [NIPC], commands (such as connect, disconnect, and subscribe) that control application sends to the controller for devices will be rejected by the controller. -->
<dt>active:</dt> <dd> <t>A mutable boolean that is required. If set to TRUE, it means that this device is intended to be operational. Attempts to control or access a device where this value is set to FALSE may fail. For example, when used in conjunction with Non-IP Device Control (NIPC) <xref target="I-D.brinckman-nipc"/>, commands (such as connect, disconnect, and subscribe) that a control application sends to the controller for such a device will be rejected by the controller.</t> </dd>
<!-- [rfced] To make this definition more concise, may we combine the second and fifth sentences as follows?
Original: mudUrl: A string that represents the URL to the Manufacturer Usage Description (MUD) file associated with this device. This attribute is optional and mutable. The mudUrl value is case sensitive and not unique. When present, this attribute may be used as described in [RFC8520]. This attribute is case sensitive and returned by default.
Perhaps: mudUrl: A string that represents the URL to the Manufacturer Usage Description (MUD) file associated with this device. This attribute is optional, case sensitive, mutable, and returned by default. When present, this attribute may be used as described in [RFC8520]. The mudUrl value is case sensitive and not unique. -->
<dt>mudUrl:</dt> <dd> <t>A string that represents the URL to the Manufacturer Usage Description (MUD) file associated with this device. This attribute is optional, case sensitive, mutable, and returned by default. When present, this attribute may be used as described in <xref target="RFC8520"/>. The mudUrl value is not unique.</t> </dd>
<dt>groups:</dt> <dd> <t>An optional read-only complex object that indicates group membership. Its form is precisely the same as that defined in <xref section="4.1.2" sectionFormat="of" target="RFC7643"/>.</t> </dd>
</dl>
<table anchor="tabDevice"> <name>Characteristics of Device Schema Attributes</name>
<thead> <tr> <th align="left">Attribute</th> <th align="left">Multi Value</th> <th align="left">Req</th> <th align="left">Case Exact</th> <th align="left">Mutable</th> <th align="left">Return</th> <th align="left">Unique</th> </tr> </thead>
<tbody>
<tr> <td align="left">displayName</td> <td align="left">F</td> <td align="left">F</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">active</td> <td align="left">F</td> <td align="left">T</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">mudUrl</td> <td align="left">F</td> <td align="left">F</td> <td align="left">T</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">groups</td> <td align="left">T</td> <td align="left">F</td> <td align="left">T</td> <td align="left">RO</td> <td align="left">Def</td> <td align="left">n/a</td> </tr>
</tbody>
</table>
<!-- [rfced] Please review the following questions regarding the notation used in Tables 1 through 8:
a) We note different notation used for "ReadOnly" in these tables ("R" vs. "RO"). Please review and let us know which form you prefer so we may update for consistency: R: ReadOnly RO: ReadOnly
b) We note these notations also appear with and without a space. Please review and let us know how to update for consistency: WO: Write Only WO: WriteOnly
c) We note that "Manuf" is not included in Table 2. May we remove it from the legend listed directly after the table? Manuf: Manufacturer -->
<t>Legend:</t>
<dl spacing="compact" newline="false"> <dt>Req:</dt><dd>Required</dd> <dt>T:</dt><dd>True</dd> <dt>F:</dt><dd>False</dd> <dt>RO:</dt><dd>ReadOnly</dd> <dt>RW:</dt><dd>ReadWrite</dd> <dt>Def:</dt><dd>Default</dd> </dl>
<figure anchor="coreExample"> <name>Core Device Example Entries</name>
<sourcecode markers="true"><![CDATA[
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device"],
  "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
  "displayName": "BLE Heart Monitor",
  "active": true,
  "meta": {
    "resourceType": "Device",
    "created": "2022-01-23T04:56:22Z",
    "lastModified": "2022-05-13T04:42:34Z",
    "version": "W\/\"a330bc54f0671c9\"",
    "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109-8486-d5c6a3316111"
  }
}
]]></sourcecode>
</figure>
</section>
</section>
<section anchor="groups"> <name>Groups</name>
<t>Device and
EndpointApp groups are created using the SCIM groups as defined in <xref section="4.2" sectionFormat="of" target="RFC7643"/>. If set, the "type" subattribute of the "members" attribute <bcp14>MUST</bcp14> be set to "Device" for devices and "EndpointApp" for endpoint applications.</t>
</section>
<section anchor="resource-type-endpointapp"> <name>Resource Type EndpointApp</name>
<t>This section defines the 'EndpointApp' resource type. The "ResourceType" schema specifies the metadata about a resource type (see <xref target="RFC7643" section="6"/>). The resource "EndpointApp" represents client applications that can control and/or receive data from the devices.</t>
</section>
<section anchor="endpointapp-schema"> <name>SCIM EndpointApp Schema</name>
<t>The EndpointApp schema is used to authorize control or telemetry services for clients. The schema identifies the application and how clients are to authenticate to the various services.</t>
<t>The schema for "EndpointApp" is identified using the schema URI:</t>
<t>urn:ietf:params:scim:schemas:core:2.0:EndpointApp</t>
<t>The following attributes are defined in this schema.</t>
<section anchor="common-attributes"> <name>Common Attributes</name>
<t>As in <xref target="commonatts"/>, the EndpointApp schema contains the three common attributes specified in <xref target="RFC7643" section="3.1"/>.</t>
</section>
<section anchor="singular-attributes-1"> <name>Singular Attributes</name>
<dl>
<dt>applicationType:</dt> <dd> <t>A string that represents the type of application.
It will only contain two values: 'deviceControl' or 'telemetry'. deviceControl is the application that sends commands to control the device. telemetry is the application that receives data from the device. The attribute is required and is not case sensitive. The attribute is readOnly and should be returned by default. No uniqueness constraints are imposed on this attribute.</t> </dd>
<dt>applicationName:</dt> <dd> <t>A string that represents a human-readable name for the application. This attribute is required and mutable. The attribute should be returned by default, and there is no uniqueness constraint on the attribute.</t> </dd>
<!-- [rfced] May we adjust these definitions below in order to clarify what list items "not" refers to? Original: It is not mutable, read-only, generated if no certificateInfo object is provisioned, case sensitive and returned by default if it exists. ... This attribute is not required, mutable, singular and NOT case sensitive. ... It is not required, multivalued, mutable, and returned by default. Perhaps: It is not mutable. It is read only, case sensitive, and generated if no certificateInfo object is provisioned. It is returned by default if it exists. ... This attribute is not required and not case sensitive. It is mutable and singular. ... It is not required. It is multivalued, mutable, and returned by default. -->
<dt>clientToken:</dt> <dd> <t>A string that contains a token that the client will use to authenticate itself. Each token may be a string up to 500 characters in length. It is not mutable. It is read only, case sensitive, and generated if no certificateInfo object is provisioned. It is returned by default if it exists. The SCIM server should expect that client tokens will be shared by the SCIM client with other components within the client's infrastructure.
</t> </dd>
<dt>groups:</dt> <dd> <t>An optional read-only complex object that indicates group membership. Its form is precisely the same as that defined in <xref section="4.1.2" sectionFormat="of" target="RFC7643"/>.</t> </dd> </dl> </section>
<section anchor="complex-attributes"> <name>Complex Attributes</name>
<section anchor="certificateinfo"> <name>certificateInfo</name> <t>certificateInfo is a complex attribute that contains an X.509 certificate's subject name and root Certificate Authority (CA) information associated with application clients that will connect for purposes of device control or telemetry.</t>
<dl>
<!-- [rfced] How may we clarify "a trust anchor certificate" in the first sentence below? In addition, may we adjust the second sentence as follows, in order to clarify what list items "not" refers to? Original: rootCA: A base64-encoded string as described in [RFC4648] Section 4 a trust anchor certificate. This trust anchor is applicable for certificates used for client application access. The object is not required, singular, case sensitive, and read/write. Perhaps: rootCA: A base64-encoded string as described in Section 4 of [RFC4648]. It is a trust anchor certificate applicable for certificates used for client application access. The object is not required. It is singular, case sensitive, and read/write. -->
<dt>rootCA:</dt> <dd> <t>A base64-encoded string as described in <xref target="RFC4648" section="4"/>. It is a trust anchor certificate applicable for certificates used for client application access. The object is not required. It is singular, case sensitive, and read/write.
If not present, a set of trust anchors <bcp14>MUST</bcp14> be configured out of band.</t> </dd>
<dt>subjectName:</dt> <dd> <t>When present, a string that contains one of two names:</t>
<ul spacing="normal">
<li> <t>a distinguished name that will be present in the certificate subject field, as described in <xref target="RFC5280" section="4.1.2.4"/>, or</t> </li>
<li> <t>a dnsName carried in the subjectAltName (Subject Alternative Name) extension, as described in <xref target="RFC5280" section="4.2.1.6"/>.</t> </li>
</ul>
<t>In the latter case, servers validating such certificates <bcp14>SHALL</bcp14> reject connections when the name of the peer as resolved by a DNS reverse lookup does not match the dnsName in the certificate. If multiple dnsNames are present, it is left to server implementations to address any authorization conflicts associated with those names. This attribute is not required and not case sensitive. It is mutable and singular.</t> </dd> </dl>
<table anchor="tabEndpointApp"> <name>Characteristics of EndpointApp
Schema Attributes</name>
<thead> <tr> <th align="left">Attribute</th> <th align="left">Multi Value</th> <th align="left">Req</th> <th align="left">Case Exact</th> <th align="left">Mutable</th> <th align="left">Return</th> <th align="left">Unique</th> </tr> </thead>
<tbody>
<tr> <td align="left">applicationType</td> <td align="left">F</td> <td align="left">T</td> <td align="left">F</td> <td align="left">R</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">applicationName</td> <td align="left">F</td> <td align="left">T</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">clientToken</td> <td align="left">F</td> <td align="left">F</td> <td align="left">T</td> <td align="left">R</td> <td align="left">N</td> <td align="left">None</td> </tr>
<tr> <td align="left">certificateInfo</td> <td align="left">F</td> <td align="left">F</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">rootCA</td> <td
align="left">F</td> <td align="left">F</td> <td align="left">T</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">subjectName</td> <td align="left">F</td> <td align="left">T</td> <td align="left">T</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
</tbody> </table>
<t>Legend:</t>
<dl spacing="compact" newline="false"> <dt>Req:</dt><dd>Required</dd> <dt>T:</dt><dd>True</dd> <dt>F:</dt><dd>False</dd> <dt>R:</dt><dd>ReadOnly</dd> <dt>RW:</dt><dd>ReadWrite</dd> <dt>N:</dt><dd>No</dd> <dt>Def:</dt><dd>Default</dd> </dl>
<t>Note that either clientToken or certificateInfo is used for the authentication of the application. If certificateInfo is NOT present when an EndpointApp object is created, then the server <bcp14>SHOULD</bcp14> return a clientToken. Otherwise, if the server accepts the certificateInfo object for authentication, it <bcp14>SHOULD NOT</bcp14> return a clientToken. If the server accepts the certificateInfo object and nevertheless produces a clientToken, then control and telemetry servers <bcp14>MUST</bcp14> validate both credentials, the client certificate and the token.
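</t>
<t>The credential rules above, as an added example that is not part of RFC 9944 or of any SCIM implementation: a server-side routine that issues a clientToken only when no certificateInfo is provisioned, and a check that a control or telemetry server could run on a connecting client, requiring both credentials when the record carries both and applying the reverse-lookup rule for a dnsName subjectName. The function names, the stored record layout, the "peer_identity" dictionary (the subject DN and SAN dnsNames that the TLS layer already extracted from a certificate chained to rootCA) and the sample requests are assumptions made for this illustration; subjectName is treated as optional, following its attribute description.</t>
<sourcecode type="python"><![CDATA[
```python
"""Added example (not from RFC 9944 or from any SCIM implementation).
A server-side view of the EndpointApp credential rules: a clientToken is
issued only when no certificateInfo is provisioned, and a control or
telemetry server then checks a connecting client against the stored
record, demanding both credentials when the record carries both.
Function names, the record layout, the peer_identity shape handed over
by the TLS layer and the sample requests are all assumptions."""
import base64
import binascii
import hmac
import secrets

APPLICATION_TYPES = ("deviceControl", "telemetry")
MAX_TOKEN_LEN = 500  # a clientToken may be up to 500 characters


def provision_endpoint_app(request):
    """Return the EndpointApp record the server stores and echoes back."""
    wanted = request.get("applicationType", "")
    # applicationType is not case sensitive; keep the canonical spelling
    app_type = {t.lower(): t for t in APPLICATION_TYPES}.get(wanted.lower())
    if app_type is None:
        raise ValueError("applicationType must be deviceControl or telemetry")
    if not request.get("applicationName"):
        raise ValueError("applicationName is required")
    record = {"applicationType": app_type,
              "applicationName": request["applicationName"]}
    cert_info = request.get("certificateInfo")
    if cert_info is None:
        # No certificateInfo: the server SHOULD return a clientToken.
        record["clientToken"] = secrets.token_urlsafe(48)[:MAX_TOKEN_LEN]
        return record
    root_ca = cert_info.get("rootCA")
    if root_ca is not None:  # base64 (RFC 4648, Section 4) of a trust anchor
        try:
            base64.b64decode(root_ca, validate=True)
        except binascii.Error as exc:
            raise ValueError("rootCA is not valid base64") from exc
    # certificateInfo accepted: no clientToken is produced or returned.
    record["certificateInfo"] = {"rootCA": root_ca,
                                 "subjectName": cert_info.get("subjectName")}
    return record


def _canon(name):
    """subjectName is not case sensitive; ignore a trailing dot as well."""
    return name.lower().rstrip(".")


def _certificate_matches(cert_info, peer_identity, peer_ip, reverse_lookup):
    """Check a TLS-authenticated peer against the pinned subjectName.

    peer_identity is {"subject_dn": str, "dns_names": [str, ...]} as
    extracted by the TLS layer from a certificate that chained to the
    trust anchor (assumed interface)."""
    if peer_identity is None:
        return False
    expected = cert_info.get("subjectName")
    if expected is None:
        return True  # nothing pinned beyond the trust anchor
    if _canon(expected) == _canon(peer_identity.get("subject_dn", "")):
        return True  # distinguished-name form
    # dnsName form: the name must be among the SAN dnsNames AND the peer's
    # reverse lookup must resolve to it; otherwise the connection is rejected.
    sans = {_canon(n) for n in peer_identity.get("dns_names", ())}
    if _canon(expected) not in sans:
        return False
    resolved = reverse_lookup(peer_ip) if peer_ip else None
    return resolved is not None and _canon(resolved) == _canon(expected)


def authenticate_client(record, presented_token=None, peer_identity=None,
                        peer_ip=None, reverse_lookup=lambda ip: None):
    """True only if the peer satisfies every credential the record holds."""
    checks = []
    token = record.get("clientToken")
    if token is not None:  # constant-time compare; no token, no access
        checks.append(presented_token is not None and hmac.compare_digest(
            token.encode(), presented_token.encode()))
    cert_info = record.get("certificateInfo")
    if cert_info is not None:
        checks.append(_certificate_matches(cert_info, peer_identity,
                                           peer_ip, reverse_lookup))
    return bool(checks) and all(checks)  # a record with no credential fails


# Constructed sample requests (not taken from the RFC's figures).
SAMPLE_CERT_REQUEST = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:EndpointApp"],
    "applicationType": "DeviceControl",
    "applicationName": "Device Control App 1",
    "certificateInfo": {
        "rootCA": base64.b64encode(b"\x30\x03\x02\x01\x01").decode(),
        "subjectName": "www.example.com"},
}
SAMPLE_TOKEN_REQUEST = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:EndpointApp"],
    "applicationType": "telemetry",
    "applicationName": "Telemetry Collector",
}
```
]]></sourcecode>
<t>The default reverse_lookup resolves nothing, so a dnsName pin fails closed until a deployment passes a resolver (for instance one built on socket.gethostbyaddr); the token comparison uses hmac.compare_digest so that response timing does not reveal how much of a guessed token matched.</t>
<t>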
The SCIM client will know that this is the case based on the SCIM object that is returned.</t>
<t>certificateInfo is preferred in situations where client functions are federated such that different clients may connect for different purposes.</t>
<figure anchor="eaExample"> <name>Endpoint App Example</name> <sourcecode markers="true"><![CDATA[
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:EndpointApp"],
  "id": "e9e30dba-f08f-4109-8486-d5c6a3316212",
  "applicationType": "deviceControl",
  "applicationName": "Device Control App 1",
  "certificateInfo": {
    "rootCA": "MIIBIjAN...",
    "subjectName": "www.example.com"
  },
  "meta": {
    "resourceType": "EndpointApp",
    "created": "2022-01-23T04:56:22Z",
    "lastModified": "2022-05-13T04:42:34Z",
    "version": "W\/\"a330bc54f0671c9\"",
    "location":
      "https://example.com/v2/EndpointApps/e9e30dba-f08f-4109-8486-d5c6a3316212"
  }
}
]]></sourcecode> </figure>
</section> </section> </section>
<!-- [rfced] May we adjust the text below as follows to make these list items more parallel and readable? Original: SCIM provides various extension schemas, their attributes, JSON representation, and example object. Perhaps: SCIM provides various extension schemas and their attributes, along with JSON representations and example objects. -->
<section anchor="extensions"> <name>SCIM Device Extensions</name> <t>SCIM provides various extension schemas and their attributes, along with JSON representations and example objects. The core schema is extended with a new resource type, Device. No schemaExtensions list is specified in that definition. Instead, IANA registry entries have been created, where all values for "required" are set to false. All extensions to the Device schema <bcp14>MUST</bcp14> be registered via IANA, as described in <xref target="device-schema-extensions"/>.
The schemas below demonstrate how this model is to work. All the SCIM server-related schema URIs are valid only with Device resource types.</t>
<section anchor="ble-extension"> <name>Bluetooth Low Energy (BLE) Extension</name> <t>This schema extends the device schema to represent the devices supporting BLE. The extension is identified using the following schema URI:</t> <t>urn:ietf:params:scim:schemas:extension:ble:2.0:Device</t> <t>The attributes are as follows.</t>
<section anchor="singular-attributes-2"> <name>Singular Attributes</name>
<dl>
<dt>deviceMacAddress:</dt> <dd> <t>A string value that represents a public MAC address assigned by the manufacturer. It is a unique 48-bit value. It is required, case insensitive, mutable, and returned by default. The ECMA regular expression pattern <xref target="ECMA"/> is the following:</t>
<artwork><![CDATA[
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$
]]></artwork> </dd>
<dt>isRandom:</dt> <dd> <t>A boolean flag taken from <xref target="BLE54"/>. If FALSE, the device is using a public MAC address. If TRUE, the device uses a random address. If an Identity Resolving Key (IRK) is present, the address represents a resolvable private address. Otherwise, the address is assumed to be a random static address. Non-resolvable private addresses are not supported by this specification. This attribute is not required. It is mutable and is returned by default. The default value is FALSE.</t> </dd>
<dt>separateBroadcastAddress:</dt> <dd> <t>When present, each value of this attribute is an address used for broadcasts/advertisements. This value <bcp14>MUST NOT</bcp14> be set when an IRK is provided. Its form is the same as deviceMacAddress.
It is not required. It is multivalued, mutable, and returned by default.</t> </dd>
<dt>irk:</dt> <dd> <t>A string value that specifies the IRK, which is unique to each device. It is used to resolve a private random address. It should only be provisioned when isRandom is TRUE. It is mutable and never returned. For more information about the use of the IRK, see Volume 1, Part A, Section 5.4.5 of <xref target="BLE54"/>.</t> </dd>
<dt>mobility:</dt> <dd> <t>A boolean attribute to enable BLE device mobility. If set to TRUE, the device could be expected to move within a network of access points (APs). For example, if a BLE device is connected with AP-1 and moves out of range but comes in range of AP-2, it will be disconnected from AP-1 and connected with AP-2. It is returned by default and mutable.</t> </dd>
</dl> </section>
<section anchor="multivalued-attributes"> <name>Multivalued Attributes</name>
<dl>
<dt>versionSupport:</dt> <dd> <t>A multivalued set of strings that specifies the BLE versions supported by the device in the form of an array, for example, ["4.1", "4.2", "5.0", "5.1", "5.2", "5.3", "5.4"]. It is required, mutable, and returned by default.</t> </dd>
<dt>pairingMethods:</dt> <dd> <t>A multivalued set of strings that specifies pairing methods associated with the BLE device. The pairing methods may require subattributes such as key/password for the device pairing process. To enable the scalability of pairing methods in the future, they are represented as extensions to incorporate various attributes that are part of the respective pairing process. Pairing method extensions are nested inside the BLE extension.
It is required, case sensitive, mutable, and returned by default.</t> </dd>
</dl> </section>
<section anchor="ble-pairing-method-extensions"> <name>BLE Pairing Method Extensions</name> <t>The details on pairing methods and their associated attributes are in Volume 1, Part A, Section 5.2.4 of <xref target="BLE54"/>. This memo defines extensions for four pairing methods that are nested inside the BLE extension schema. Each extension contains the common attributes in <xref target="common-attributes"/>. These extensions are as follows:</t>
<!--[rfced] Because these following URNs appear in an ordered list, the indentation causes the lines to exceed the 72-character limit. In order to fit the character limit, we suggest converting the ordered list into a definitions list as follows. Please review. Current: ii. The pairingJustWorks extension is identified using the following schema URI: urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device The Just Works pairing method does not require a key to pair devices. For completeness, the key attribute is included and is set to 'null'. The key attribute is required, immutable, and returned by default. iii. The pairingPassKey extension is identified using the following schema URI: urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device The passkey pairing method requires a 6-digit key to pair devices. This extension has one singular integer attribute, "key", which is required, mutable, and returned by default. The key pattern is as follows: ^[0-9]{6}$ Perhaps: pairingJustWorks extension: Identified using the following schema URI: urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device The Just Works pairing method does not require a key to pair devices. For completeness, the key attribute is included and is set to 'null'. The key attribute is required, immutable, and returned by default.
pairingPassKey extension: Identified using the following schema URI: urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device The passkey pairing method requires a 6-digit key to pair devices. This extension has one singular integer attribute, "key", which is required, mutable, and returned by default. The key pattern is as follows: ^[0-9]{6}$ -->
<ol type="i">
<li><t>The pairingNull extension is identified using the following schema URI:</t> <t>urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device</t> <t>pairingNull does not have any attribute. It allows pairing for BLE devices that do not require a pairing method.</t></li>
<li><t>The pairingJustWorks extension is identified using the following schema URI:</t> <t>urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device</t> <t>The Just Works pairing method does not require a key to pair devices. For completeness, the key attribute is included and is set to 'null'. The key attribute is required, immutable, and returned by default.</t></li>
<li><t>The pairingPassKey extension is identified using the following schema URI:</t> <t>urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device</t> <t>The passkey pairing method requires a 6-digit key to pair devices. This extension has one singular integer attribute, "key", which is required, mutable, and returned by default. The key pattern is as follows:</t>
<artwork><![CDATA[
^[0-9]{6}$
]]></artwork></li>
<li><t>The pairingOOB extension is identified using the following schema URI:</t> <t>urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device</t> <t>The out-of-band (OOB) pairing method includes three singular attributes: key, randomNumber, and confirmationNumber.</t>
<dl>
<dt>key:</dt> <dd> <t>A string value that is required and received from out-of-band sources such as Near Field Communication (NFC).
It is case sensitive, mutable, and returned by default.</t> </dd>
<dt>randomNumber:</dt> <dd> <t>An integer that represents a nonce added to the key. It is a required attribute. It is mutable and returned by default.</t> </dd>
<dt>confirmationNumber:</dt> <dd> <t>An integer that some solutions require in a RESTful message exchange. It is not required. It is mutable and returned by default if it exists.</t> </dd>
</dl></li>
</ol>
<table anchor="tabBLE"> <name>Characteristics of BLE Extension Schema Attributes</name>
<thead> <tr> <th align="left">Attribute</th> <th align="left">Multi Value</th> <th align="left">Req</th> <th align="left">Case Exact</th> <th align="left">Mutable</th> <th align="left">Return</th> <th align="left">Unique</th> </tr> </thead>
<tbody>
<tr> <td align="left">deviceMacAddress</td> <td align="left">F</td> <td align="left">T</td> <td align="left">F</td> <td align="left">RW</td> <td
align="left">Def</td> <td align="left">Manuf</td> </tr>
<tr> <td align="left">isRandom</td> <td align="left">F</td> <td align="left">T</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">sepBroadcastAdd</td> <td align="left">T</td> <td align="left">F</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">irk</td> <td align="left">F</td> <td align="left">F</td> <td align="left">F</td> <td align="left">WO</td> <td align="left">Nev</td> <td align="left">Manuf</td> </tr>
<tr> <td align="left">versionSupport</td> <td align="left">T</td> <td align="left">T</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">mobility</td> <td align="left">F</td> <td align="left">F</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">pairingMethods</td> <td align="left">T</td> <td align="left">T</td> <td align="left">T</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
</tbody> </table>
<t>Legend:</t>
<dl spacing="compact" newline="false"> <dt>sepBroadcastAdd:</dt><dd>separateBroadcastAddress</dd> <dt>Req:</dt><dd>Required</dd> <dt>T:</dt><dd>True</dd> <dt>F:</dt><dd>False</dd> <dt>RW:</dt><dd>ReadWrite</dd> <dt>WO:</dt><dd>Write Only</dd> <dt>Def:</dt><dd>Default</dd> <dt>Nev:</dt><dd>Never</dd> <dt>Manuf:</dt><dd>Manufacturer</dd> </dl>
<figure anchor="btExample"> <name>BLE Example</name> <sourcecode markers="true"><![CDATA[
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
              "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],
  "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
  "displayName": "BLE Heart Monitor",
  "active": true,
  "urn:ietf:params:scim:schemas:extension:ble:2.0:Device": {
    "versionSupport": ["5.3"],
    "deviceMacAddress": "2C:54:91:88:C9:E2",
    "isRandom": false,
    "separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77:22:12"],
    "mobility": true,
    "pairingMethods":
      ["urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device"],
    "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device": {
      "key": 123456
    }
  },
  "meta": {
    "resourceType": "Device",
    "created": "2022-01-23T04:56:22Z",
    "lastModified": "2022-05-13T04:42:34Z",
    "version": "W\/\"a330bc54f0671c9\"",
    "location":
      "https://example.com/v2/Devices/e9e30dba-f08f-4109-8486-d5c6a3316111"
  }
}
]]></sourcecode> </figure>
<t>In the above example, the pairing method is "pairingPassKey", which implies that this BLE device pairs using only a passkey. In another example below, the pairing method is "pairingOOB", denoting that this BLE device uses the out-of-band pairing method.</t>
<figure anchor="btExample2"> <name>BLE with pairingOOB</name> <sourcecode markers="true"><![CDATA[
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
              "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],
  "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
  "displayName": "BLE Heart Monitor",
  "active": true,
  "urn:ietf:params:scim:schemas:extension:ble:2.0:Device": {
    "versionSupport": ["5.3"],
    "deviceMacAddress": "2C:54:91:88:C9:E2",
    "isRandom": false,
    "separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77:22:12"],
    "mobility": true,
    "pairingMethods":
      ["urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device"],
    "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device": {
      "key": "TheKeyvalueRetrievedFromOOB",
      "randomNumber": 238796813516896
    }
  },
  "meta": {
    "resourceType": "Device",
    "created": "2022-01-23T04:56:22Z",
    "lastModified": "2022-05-13T04:42:34Z",
    "version": "W\/\"a330bc54f0671c9\"",
    "location":
      "https://example.com/v2/Devices/e9e30dba-f08f-4109-8486-d5c6a3316111"
  }
}
]]></sourcecode> </figure>
<t>However, a device can have more than one pairing method. Support for multiple pairing methods is also provided by the multivalued attribute pairingMethods. In the example below, the BLE device can pair with both passkey and OOB pairing methods.</t>
<figure anchor="btExample3"> <name>BLE Pairing with Both Passkey and OOB</name> <sourcecode markers="true"><![CDATA[
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
              "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],
  "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
  "displayName": "BLE Heart Monitor",
  "active": true,
  "urn:ietf:params:scim:schemas:extension:ble:2.0:Device": {
    "versionSupport": ["5.3"],
    "deviceMacAddress": "2C:54:91:88:C9:E2",
    "isRandom": false,
    "separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77:22:12"],
    "mobility": true,
    "pairingMethods":
      ["urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device",
       "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device"],
    "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device": {
      "key": 123456
    },
    "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device": {
      "key": "TheKeyvalueRetrievedFromOOB",
      "randomNumber": 238796813516896
    }
  },
  "meta": {
    "resourceType": "Device",
    "created": "2022-01-23T04:56:22Z",
    "lastModified": "2022-05-13T04:42:34Z",
    "version": "W\/\"a330bc54f0671c9\"",
    "location":
      "https://example.com/v2/Devices/e9e30dba-f08f-4109-8486-d5c6a3316111"
  }
}
]]></sourcecode> </figure>
</section> </section>
<section anchor="wi-fi-easy-connect-extension"> <name>Wi-Fi Easy Connect Extension</name>
<!-- [rfced] How may we make the two instances below complete sentences in order to provide more context for
the reader? Original: 7.2. Wi-Fi Easy Connect Extension A schema that extends the device schema to enable Wi-Fi Easy Connect (otherwise known as Device Provisioning Protocol or DPP). 7.5. Zigbee Extension A schema that extends the device schema to enable the provisioning of Zigbee devices [Zigbee]. Perhaps: 7.2. Wi-Fi Easy Connect Extension This section describes a schema that extends the device schema to enable Wi-Fi Easy Connect (otherwise known as Device Provisioning Protocol (DPP)). 7.5. Zigbee Extension This section describes a schema that extends the device schema to enable the provisioning of Zigbee devices [Zigbee]. -->
<t>This section describes a schema that extends the device schema to enable Wi-Fi Easy Connect (otherwise known as Device Provisioning Protocol (DPP)). Throughout this specification, we use the term "DPP". The extension is identified using the following schema URI:</t> <t>urn:ietf:params:scim:schemas:extension:dpp:2.0:Device</t> <t>The attributes in this extension are adopted from <xref target="DPP2"/>. The attributes are as follows.</t>
<section anchor="singular-attributes-3"> <name>Singular Attributes</name>
<dl>
<dt>dppVersion:</dt> <dd> <t>An integer that represents the version of DPP the device supports. This attribute is required, case insensitive, mutable, and returned by default.</t> </dd>
<dt>bootstrapKey:</dt> <dd> <t>A string value representing an Elliptic Curve Diffie-Hellman (ECDH) public key. The base64-encoded lengths for P-256, P-384, and P-521 are 80, 96, and 120 characters. This attribute is required, case sensitive, mutable, and returned by default.</t> </dd>
<dt>deviceMacAddress:</dt> <dd> <t>A MAC address stored as a string. It is a unique 48-bit value. This attribute is optional, case insensitive, mutable, and returned by default.
Its form is identical to that of the deviceMacAddress for BLE devices.</t> </dd>
<dt>serialNumber:</dt> <dd> <t>An alphanumeric serial number stored as a string. It may also be passed as bootstrapping information. This attribute is optional, case insensitive, mutable, and returned by default.</t> </dd>
</dl> </section>
<section anchor="multivalued-attributes-1"> <name>Multivalued Attributes</name>
<dl>
<dt>bootstrappingMethod:</dt> <dd> <t>One or more strings of all the bootstrapping methods available on the enrollee device, for example, [QR, NFC]. This attribute is optional, case insensitive, mutable, and returned by default.</t> </dd>
<dt>classChannel:</dt> <dd> <t>One or more strings representing the global operating class and channel shared as bootstrapping information. It is formatted as class/channel, for example, ['81/1','115/36']. This attribute is optional, case insensitive, mutable, and returned by default.</t> </dd>
</dl>
<table anchor="tabDPP"> <name>Characteristics of DPP
Extension Schema Attributes</name>
<thead> <tr> <th align="left">Attribute</th> <th align="left">Multi Value</th> <th align="left">Req</th> <th align="left">Case Exact</th> <th align="left">Mutable</th> <th align="left">Return</th> <th align="left">Unique</th> </tr> </thead>
<tbody>
<tr> <td align="left">dppVersion</td> <td align="left">F</td> <td align="left">T</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">bootstrapKey</td> <td align="left">F</td> <td align="left">T</td> <td align="left">T</td> <td align="left">WO</td> <td align="left">Nev</td> <td align="left">None</td> </tr>
<tr> <td align="left">deviceMacAddress</td> <td align="left">F</td> <td align="left">F</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">Manuf</td> </tr>
<tr> <td align="left">serialNumber</td> <td align="left">F</td> <td align="left">F</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">bootstrappingMethod</td> <td align="left">T</td> <td align="left">F</td> <td align="left">F</td> <td align="left">RW</td> <td
align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">classChannel</td> <td align="left">T</td> <td align="left">F</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
</tbody> </table>
<t>Legend:</t>
<dl spacing="compact" newline="false"> <dt>Req:</dt><dd>Required</dd> <dt>T:</dt><dd>True</dd> <dt>F:</dt><dd>False</dd> <dt>RW:</dt><dd>ReadWrite</dd> <dt>WO:</dt><dd>Write Only</dd> <dt>Def:</dt><dd>Default</dd> <dt>Nev:</dt><dd>Never</dd> <dt>Manuf:</dt><dd>Manufacturer</dd> </dl>
<figure anchor="dPPExample"> <name>DPP Example</name> <sourcecode markers="true"><![CDATA[
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
              "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device"],
  "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
  "displayName": "WiFi Heart Monitor",
  "active": true,
  "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device": {
    "dppVersion": 2,
    "bootstrappingMethod": ["QR"],
    "bootstrapKey":
      "MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADURzxmttZoIRIPWGoQMV00XHWCAQIhXruVWOz0NjlkIA=",
    "deviceMacAddress": "2C:54:91:88:C9:F2",
    "classChannel": ["81/1", "115/36"],
    "serialNumber": "4774LH2b4044"
  },
  "meta": {
    "resourceType": "Device",
    "created": "2022-01-23T04:56:22Z",
    "lastModified": "2022-05-13T04:42:34Z",
    "version": "W\/\"a330bc54f0671c9\"",
    "location":
      "https://example.com/v2/Devices/e9e30dba-f08f-4109-8486-d5c6a3316111"
  }
}
]]></sourcecode> </figure>
</section> </section>
<section anchor="ethernet-mab-extension"> <name>Ethernet MAB Extension</name> <t>This extension enables a legacy means of (very) weak authentication, known as MAC Authentication Bypass (MAB), that is supported in many wired Ethernet solutions; it is weak because a MAC address is easily observed on the segment and cloned. If the MAC address is known, then the device may be permitted (perhaps limited) access.
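</t>
<t>A validator for the Device resource shapes defined in the BLE, DPP, and Ethernet MAB sections, as an added example that is not code from RFC 9944 or from any implementation. It applies the MAC pattern the three extensions share, the isRandom/irk/separateBroadcastAddress relations, the expectation that every pairing method named in pairingMethods is nested as its own extension (with the six-digit passkey pattern and the null Just Works key), and the DPP bootstrapKey lengths. For the last point it assumes the key is the base64 of a DER SubjectPublicKeyInfo carrying a compressed point, which is what the RFC's own sample key decodes to and is why the 80/96/120-character figures follow. Function names and the curve-OID table are assumptions; the sample values are copied from the RFC's figures. Because the passkey "key" is an integer, a passkey with leading zeros cannot satisfy the ^[0-9]{6}$ pattern, and the check below is deliberately strict about that.</t>
<sourcecode type="python"><![CDATA[
```python
"""Added example (not from RFC 9944 or from any implementation): checks a
Device resource carrying the BLE, DPP or Ethernet MAB extension against
the rules given in the text. Function names, the curve-OID table and the
sample resource layout are assumptions; the sample values are copied
from the RFC's own figures."""
import base64
import binascii
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")  # shared form
PASSKEY_RE = re.compile(r"^[0-9]{6}$")
CORE = "urn:ietf:params:scim:schemas:core:2.0:Device"
BLE = "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"
DPP = "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device"
MAB = "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device"
PAIR = "urn:ietf:params:scim:schemas:extension:pairing%s:2.0:Device"
PAIR_NULL, PAIR_JUSTWORKS = PAIR % "Null", PAIR % "JustWorks"
PAIR_PASSKEY, PAIR_OOB = PAIR % "PassKey", PAIR % "OOB"
# DER bytes of the named-curve OID inside a SubjectPublicKeyInfo, and the
# base64 length the text gives for that curve (compressed point; assumed).
CURVE_OIDS = {
    bytes.fromhex("06082a8648ce3d030107"): ("P-256", 80),
    bytes.fromhex("06052b81040022"): ("P-384", 96),
    bytes.fromhex("06052b81040023"): ("P-521", 120),
}


def check_bootstrap_key(b64):
    """Return the curve name of a DPP bootstrapKey, or raise ValueError."""
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("bootstrapKey is not base64") from exc
    # One outer SEQUENCE whose short-form length covers the rest of the key.
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("bootstrapKey is not a single DER SEQUENCE")
    for oid, (curve, expected) in CURVE_OIDS.items():
        if oid in der:
            if len(b64) != expected:
                raise ValueError(f"{curve} key must be {expected} characters")
            return curve
    raise ValueError("bootstrapKey curve is not P-256, P-384 or P-521")


def _check_ble(ble):
    errs = []
    if not MAC_RE.match(ble.get("deviceMacAddress") or ""):
        errs.append("BLE deviceMacAddress malformed")
    has_irk = "irk" in ble
    if has_irk and not ble.get("isRandom", False):  # isRandom defaults to FALSE
        errs.append("irk provisioned but isRandom is not TRUE")
    if has_irk and "separateBroadcastAddress" in ble:
        errs.append("separateBroadcastAddress MUST NOT be set with an irk")
    errs += [f"broadcast address malformed: {a}"
             for a in ble.get("separateBroadcastAddress", []) if not MAC_RE.match(a)]
    for m in ble.get("pairingMethods") or []:  # each named method is nested
        body = ble.get(m)
        if m == PAIR_NULL:
            continue  # pairingNull carries no attributes
        if body is None:
            errs.append(f"{m} named in pairingMethods but not nested")
        elif m == PAIR_JUSTWORKS and not ("key" in body and body["key"] is None):
            errs.append("Just Works key must be present and null")
        elif m == PAIR_PASSKEY and not PASSKEY_RE.match(str(body.get("key", ""))):
            errs.append("passkey key must be exactly six digits")
        elif m == PAIR_OOB and not {"key", "randomNumber"} <= set(body):
            errs.append("OOB pairing needs key and randomNumber")
    return errs


def _check_dpp(dpp):
    errs = []
    try:
        check_bootstrap_key(dpp.get("bootstrapKey") or "")
    except ValueError as exc:
        errs.append(str(exc))
    mac = dpp.get("deviceMacAddress")
    if mac is not None and not MAC_RE.match(mac):
        errs.append("DPP deviceMacAddress malformed")
    errs += [f"classChannel is not class/channel: {c}"
             for c in dpp.get("classChannel", []) if not re.fullmatch(r"\d+/\d+", c)]
    return errs


def validate_device(res):
    """Return all rule violations found; an empty list means none."""
    schemas = res.get("schemas", [])
    errs = [] if CORE in schemas else ["core Device schema missing"]
    for uri in (BLE, DPP, MAB):  # listed in "schemas" iff present as an object
        if (uri in schemas) != (uri in res):
            errs.append(f"{uri}: schemas entry and object must agree")
    if BLE in res:
        errs += _check_ble(res[BLE])
    if DPP in res:
        errs += _check_dpp(res[DPP])
    if MAB in res and not MAC_RE.match(res[MAB].get("deviceMacAddress") or ""):
        errs.append("MAB deviceMacAddress malformed")
    return errs


# Values copied from the RFC's BLE and DPP figures.
RFC_BOOTSTRAP_KEY = ("MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADURzxmt"
                     "tZoIRIPWGoQMV00XHWCAQIhXruVWOz0NjlkIA=")
SAMPLE_BLE_DEVICE = {
    "schemas": [CORE, BLE], "displayName": "BLE Heart Monitor", "active": True,
    BLE: {"versionSupport": ["5.3"], "deviceMacAddress": "2C:54:91:88:C9:E2",
          "isRandom": False, "mobility": True,
          "separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77:22:12"],
          "pairingMethods": [PAIR_PASSKEY, PAIR_OOB],
          PAIR_PASSKEY: {"key": 123456},
          PAIR_OOB: {"key": "TheKeyvalueRetrievedFromOOB",
                     "randomNumber": 238796813516896}},
}
```
]]></sourcecode>
<t>validate_device returns the list of violations instead of raising on the first one, so a SCIM server can report all of them in a single error response; check_bootstrap_key is usable on its own when a DPP bootstrapping key arrives out of band and must be checked before it is stored.</t>
<t>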
The extension is identified by the following URI:</t>
<t>urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device</t>
<t>Note that this method is not likely to work properly with MAC address randomization: a randomized address is neither known in advance nor stable, so an entry keyed on it will stop matching.</t>
<section anchor="single-attribute">
<name>Single Attribute</name>
<t>This extension has a singular attribute:</t>
<dl>
<dt>deviceMacAddress:</dt>
<dd><t>This is the Ethernet address to be provisioned onto the network. It takes the identical form as found in the BLE extension.</t></dd>
</dl>
<table anchor="tabMAB">
<name>Characteristics of MAB Extension Schema Attributes</name>
<thead>
<tr> <th align="left">Attribute</th> <th align="left">Multi Value</th> <th align="left">Req</th> <th align="left">Case Exact</th> <th align="left">Mutable</th> <th align="left">Return</th> <th align="left">Unique</th> </tr>
</thead>
<tbody>
<tr> <td align="left">deviceMacAddress</td> <td align="left">F</td> <td align="left">T</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
</tbody>
</table>
<t>Legend:</t>
<dl spacing="compact" newline="false">
<dt>Req:</dt><dd>Required</dd>
<dt>T:</dt><dd>True</dd>
<dt>F:</dt><dd>False</dd>
<dt>RW:</dt><dd>ReadWrite</dd>
<dt>Def:</dt><dd>Default</dd>
</dl>
<figure anchor="MABExample">
<name>MAB Example</name>
<sourcecode type="json" markers="true"><![CDATA[
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
              "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device"],
  "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
  "displayName": "Some random Ethernet Device",
  "active": true,
  "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device": {
    "deviceMacAddress": "2C:54:91:88:C9:E2"
  },
  "meta": {
    "resourceType": "Device",
    "created": "2022-01-23T04:56:22Z",
    "lastModified": "2022-05-13T04:42:34Z",
    "version": "W\/\"a330bc54f0671c9\"",
    "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109-8486-d5c6a3316111"
  }
}
]]></sourcecode>
</figure>
</section>
</section>
<section anchor="fido-device-onboard-extension">
<name>FIDO Device Onboard Extension</name>
<t>This extension specifies a voucher to be used by the FIDO Device Onboard (FDO) protocol <xref target="FDO11"/> to complete a trusted transfer of ownership and control of the device to the environment. The SCIM server <bcp14>MUST</bcp14> know how to process the voucher, either directly or by forwarding it along to an owner process as defined in the FDO specification. The extension is identified using the following schema URI:</t>
<!-- [rfced] Section 7.4: FYI - We have added an introductory sentence to the URN below to match other instances in the document. Please review and let us know if any further updates are needed.
Original: The SCIM server MUST know how to process the voucher, either directly or by forwarding it along to an owner process as defined in the FDO specification.
urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device
Current: The SCIM server MUST know how to process the voucher, either directly or by forwarding it along to an owner process as defined in the FDO specification. The extension is identified using the following schema URI:
urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device -->
<t>urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device</t>
<section anchor="single-attribute-1">
<name>Single Attribute</name>
<t>This extension has a singular attribute:</t>
<dl>
<dt>fdoVoucher:</dt>
<dd><t>The voucher is formatted as a PEM-encoded object in accordance with <xref target="FDO11"/>.</t></dd>
</dl>
<table anchor="tabFDO">
<name>Characteristics of FDO Extension Schema Attributes</name>
<thead>
<tr> <th align="left">Attribute</th> <th align="left">Multi Value</th> <th align="left">Req</th> <th align="left">Case Exact</th> <th align="left">Mutable</th> <th align="left">Return</th> <th align="left">Unique</th> </tr>
</thead>
<tbody>
<tr> <td align="left">fdoVoucher</td> <td align="left">F</td> <td align="left">T</td> <td align="left">F</td> <td align="left">WO</td> <td align="left">Nev</td> <td align="left">None</td> </tr>
</tbody>
</table>
<t>Legend:</t>
<dl spacing="compact" newline="false">
<dt>Req:</dt><dd>Required</dd>
<dt>T:</dt><dd>True</dd>
<dt>F:</dt><dd>False</dd>
<dt>WO:</dt><dd>WriteOnly</dd>
<dt>Nev:</dt><dd>Never</dd>
</dl>
<figure anchor="fdoExample">
<name>FDO Example</name>
<sourcecode type="json" markers="true"><![CDATA[
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
              "urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device"],
  "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
  "displayName": "Some random Ethernet Device",
  "active": true,
  "urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device": {
    "fdoVoucher": "{... voucher ...}"
  },
  "meta": {
    "resourceType": "Device",
    "created": "2022-01-23T04:56:22Z",
    "lastModified": "2022-05-13T04:42:34Z",
    "version": "W\/\"a330bc54f0671c9\"",
    "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109-8486-d5c6a3316111"
  }
}
]]></sourcecode>
</figure>
</section>
</section>
<section anchor="zigbee-extension">
<name>Zigbee Extension</name>
<t>This extension extends the device schema to enable the provisioning of Zigbee devices <xref target="Zigbee"/>. The extension is identified using the following schema URI:</t>
<t>urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device</t>
<t>It has one singular attribute and one multivalued attribute. The attributes are as follows.</t>
<section anchor="singular-attribute">
<name>Singular Attribute</name>
<dl>
<dt>deviceEui64Address:</dt>
<dd><t>A 64-bit Extended Unique Identifier (EUI-64) device address stored as a string. This attribute is required, case insensitive, mutable, and returned by default. It takes the same form as the deviceMacAddress in the BLE extension, with eight octets instead of six.</t></dd>
</dl>
</section>
<section anchor="multivalued-attribute">
<name>Multivalued Attribute</name>
<dl>
<dt>versionSupport:</dt>
<dd><t>One or more strings listing all the Zigbee versions supported by the device, for example, ["3.0"]. This attribute is required, case insensitive, mutable, and returned by default.</t></dd>
</dl>
<table anchor="tabZigbee">
<name>Characteristics of Zigbee Extension Schema Attributes</name>
<thead>
<tr> <th align="left">Attribute</th> <th align="left">Multi Value</th> <th align="left">Req</th> <th align="left">Case Exact</th> <th align="left">Mutable</th> <th align="left">Return</th> <th align="left">Unique</th> </tr>
</thead>
<tbody>
<tr> <td align="left">deviceEui64Address</td> <td align="left">F</td> <td align="left">T</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">versionSupport</td> <td align="left">T</td> <td align="left">T</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
</tbody>
</table>
<t>Legend:</t>
<dl spacing="compact" newline="false">
<dt>Req:</dt><dd>Required</dd>
<dt>T:</dt><dd>True</dd>
<dt>F:</dt><dd>False</dd>
<dt>RW:</dt><dd>ReadWrite</dd>
<dt>Def:</dt><dd>Default</dd>
</dl>
<figure anchor="zigBeeExample">
<name>Zigbee Example</name>
<sourcecode type="json" markers="true"><![CDATA[
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
              "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device"],
  "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
  "displayName": "Zigbee Heart Monitor",
  "active": true,
  "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device": {
    "versionSupport": ["3.0"],
    "deviceEui64Address": "50:32:5F:FF:FE:E7:67:28"
  },
  "meta": {
    "resourceType": "Device",
    "created": "2022-01-23T04:56:22Z",
    "lastModified": "2022-05-13T04:42:34Z",
    "version": "W\/\"a330bc54f0671c9\"",
    "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109-8486-d5c6a3316111"
  }
}
]]></sourcecode>
</figure>
</section>
</section>
<section anchor="endpointsappext-schema">
<name>The Endpoint Applications Extension Schema</name>
<t>Sometimes non-IP devices, such as those using BLE or Zigbee, require an application gateway interface to manage them. SCIM clients <bcp14>MUST NOT</bcp14> use this extension to describe native IP-based devices.</t>
<t>endpointAppsExt provides the list of applications that connect to an enterprise gateway. It has one multivalued attribute and two singular attributes. The extension is identified using the following schema URI:</t>
<t>urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device</t>
<section anchor="singular-attributes-4">
<name>Singular Attributes</name>
<dl>
<dt>deviceControlEnterpriseEndpoint:</dt>
<dd><t>A string representing the URL of the enterprise endpoint through which the enterprise gateway is reached for device control. When the enterprise receives the SCIM object from the onboarding application, it adds this attribute to it and sends it back in the response to the onboarding application. This attribute is required, case sensitive, read-only (it is assigned by the enterprise, not by the client), and returned by default. Uniqueness is enforced by the enterprise.</t></dd>
<dt>telemetryEnterpriseEndpoint:</dt>
<dd><t>A string representing the URL of the enterprise endpoint through which an enterprise gateway is reached for telemetry. When the enterprise receives the SCIM object from the onboarding application, it adds this attribute to it and sends it back in the response to the onboarding application. This attribute is optional, case sensitive, read-only, and returned by default. Uniqueness is enforced by the enterprise. An implementation <bcp14>MUST</bcp14> generate an exception if telemetryEnterpriseEndpoint is not returned and telemetry is required for the proper functioning of a device.</t></dd>
</dl>
</section>
<section anchor="multivalued-attribute-1">
<name>Multivalued Attribute</name>
<dl>
<dt>applications:</dt>
<dd><t>A multivalued attribute of one or more complex values that represent the list of endpoint applications, i.e., deviceControl and telemetry. Each entry in the list comprises two sub-attributes, "value" and "$ref".</t></dd>
<dt>value:</dt>
<dd><t>A string containing the identifier of the endpoint application, formatted as a Universally Unique Identifier (UUID). It is the same as the common attribute "id" of the EndpointApp resource. It is read/write, required, case insensitive, and returned by default.</t></dd>
<dt>$ref:</dt>
<dd><t>A reference to the respective EndpointApp resource object stored in the SCIM server. It is read-only, required, case insensitive, and returned by default.</t></dd>
</dl>
<table anchor="tabEndpointAppsExt">
<name>Characteristics of EndpointAppsExt Extension Schema Attributes</name>
<thead>
<tr> <th align="left">Attribute</th> <th align="left">Multi Value</th> <th align="left">Req</th> <th align="left">Case Exact</th> <th align="left">Mutable</th> <th align="left">Return</th> <th align="left">Unique</th> </tr>
</thead>
<tbody>
<tr> <td align="left">devContEntEndpoint</td> <td align="left">F</td> <td align="left">T</td> <td align="left">T</td> <td align="left">R</td> <td align="left">Def</td> <td align="left">Ent</td> </tr>
<tr> <td align="left">telEntEndpoint</td> <td align="left">F</td> <td align="left">F</td> <td align="left">T</td> <td align="left">R</td> <td align="left">Def</td> <td align="left">Ent</td> </tr>
<tr> <td align="left">applications</td> <td align="left">T</td> <td align="left">T</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">value</td> <td align="left">F</td> <td align="left">T</td> <td align="left">F</td> <td align="left">RW</td> <td align="left">Def</td> <td align="left">None</td> </tr>
<tr> <td align="left">$ref</td> <td align="left">F</td> <td align="left">T</td> <td align="left">F</td> <td align="left">R</td> <td align="left">Def</td> <td align="left">None</td> </tr>
</tbody>
</table>
<t>Legend:</t>
<dl spacing="compact" newline="false">
<dt>devContEntEndpoint:</dt><dd>deviceControlEnterpriseEndpoint</dd>
<dt>telEntEndpoint:</dt><dd>telemetryEnterpriseEndpoint</dd>
<dt>Req:</dt><dd>Required</dd>
<dt>T:</dt><dd>True</dd>
<dt>F:</dt><dd>False</dd>
<dt>R:</dt><dd>ReadOnly</dd>
<dt>RW:</dt><dd>ReadWrite</dd>
<dt>Ent:</dt><dd>Enterprise</dd>
<dt>Def:</dt><dd>Default</dd>
</dl>
<figure anchor="eaExtension">
<name>Endpoint Applications Extension Example</name>
<sourcecode type="json" markers="true"><![CDATA[
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
              "urn:ietf:params:scim:schemas:extension:ble:2.0:Device",
              "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device"],
  "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
  "displayName": "BLE Heart Monitor",
  "active": true,
  "urn:ietf:params:scim:schemas:extension:ble:2.0:Device": {
    "versionSupport": ["5.3"],
    "deviceMacAddress": "2C:54:91:88:C9:E2",
    "isRandom": false,
    "separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77:22:12"],
    "mobility": false,
    "pairingMethods": ["urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device"],
    "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device": {
      "key": 123456
    }
  },
  "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device": {
    "applications": [
      {
        "value": "e9e30dba-f08f-4109-8486-d5c6a3316212",
        "$ref": "https://example.com/v2/EndpointApps/e9e30dba-f08f-4109-8486-d5c6a3316212"
      },
      {
        "value": "e9e30dba-f08f-4109-8486-d5c6a3316333",
        "$ref": "https://example.com/v2/EndpointApps/e9e30dba-f08f-4109-8486-d5c6a3316333"
      }
    ],
    "deviceControlEnterpriseEndpoint": "https://example.com/device_control_app_endpoint/",
    "telemetryEnterpriseEndpoint": "https://example.com/telemetry_app_endpoint/"
  },
  "meta": {
    "resourceType": "Device",
    "created": "2022-01-23T04:56:22Z",
    "lastModified": "2022-05-13T04:42:34Z",
    "version": "W\/\"a330bc54f0671c9\"",
    "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109-8486-d5c6a3316111"
  }
}
]]></sourcecode>
</figure>
<t>The schema for the endpointAppsExt extension, along with the BLE extension, is presented in JSON format in <xref target="endpointappsext-extension-schema-json"/>, while the OpenAPI representation is provided in <xref target="endpointappsext-extension-schema-openapi-representation"/>.</t>
</section>
</section>
</section>
<section anchor="security-considerations">
<name>Security Considerations</name>
<t>Because provisioning operations permit device access to a network, each SCIM client <bcp14>MUST</bcp14> be appropriately authenticated.</t>
<section anchor="scim-operations">
<name>SCIM Operations</name>
<t>An attacker that has authenticated to a trusted SCIM client could manipulate portions of the SCIM database. To be clear on the risks, we specify each operation below.</t>
<section anchor="unauthorized-object-creation">
<name>Unauthorized Object Creation</name>
<t>An authenticated attacker could attempt to add elements that the enterprise would not normally permit on the network. For instance, an enterprise may not wish specific devices that have well-known vulnerabilities to be introduced into its environment. To mitigate this attack, network administrators should layer additional policies regarding what devices are permitted on the network.</t>
<t>An attacker that gains access to SCIM could attempt to add an IP-based device that itself attempts unauthorized access, effectively acting as a bot.
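</t>
<t>As an added example (not part of RFC 9944) of the layered, least-privilege policy this section calls for: the gate below sits in front of the Device resource and applies three rules drawn from this document, namely a per-client allowlist of the extension schemas a client may create, the creator-or-delegate rule that the Read Operations and Update Operations subsections recommend, and removal of the attributes whose Return characteristic is "Never" (bootstrapKey in the DPP extension, fdoVoucher in the FDO extension) from every response. The client names, the allowlist, and the stored resources are constructed for the example.</t>
<sourcecode type="python"><![CDATA[
```python
"""Added example, not part of RFC 9944: a policy gate for the SCIM Device
resource implementing (1) a least-privilege allowlist of extension schemas
per client, (2) the creator-or-delegate rule for read and update, and
(3) suppression of Return: Never attributes (bootstrapKey, fdoVoucher) from
every response.  Client names, the allowlist and the stored resources are
constructed for the example."""
import copy
from dataclasses import dataclass, field

CORE = "urn:ietf:params:scim:schemas:core:2.0:Device"
EXT_PREFIX = "urn:ietf:params:scim:schemas:extension:"
BLE = EXT_PREFIX + "ble:2.0:Device"
DPP = EXT_PREFIX + "dpp:2.0:Device"
MAB = EXT_PREFIX + "ethernet-mab:2.0:Device"
FDO = EXT_PREFIX + "fido-device-onboard:2.0:Device"

# Return: Never attributes from the extension tables: write-only provisioning
# secrets that must never be echoed back, not even to the client that set them.
NEVER_RETURNED = {DPP: {"bootstrapKey"}, FDO: {"fdoVoucher"}}

# Constructed least-privilege allowlist: extension schemas each authenticated
# client may create.  A BLE gateway has no business adding MAB or FDO devices.
CREATE_ALLOWED = {
    "ble-gateway": {BLE},
    "wifi-onboarder": {DPP},
    "it-provisioning": {MAB, FDO},
}


class Forbidden(Exception):
    """The authenticated client is not authorized for this operation."""


@dataclass
class StoredDevice:
    resource: dict
    created_by: str
    delegates: set = field(default_factory=set)  # clients the creator authorized


def extensions_in(resource: dict) -> set:
    """Extension schema URIs a resource uses: those listed in "schemas" plus
    any extension object present as a top-level key (an update may omit the
    "schemas" list but still carry an extension object)."""
    listed = {s for s in resource.get("schemas", []) if s != CORE}
    present = {k for k in resource if k.startswith(EXT_PREFIX)}
    return listed | present


def can_create(client: str, resource: dict) -> bool:
    """True only for a known client whose allowlist covers every extension
    in the resource; an unknown client may create nothing."""
    if client not in CREATE_ALLOWED:
        return False
    return extensions_in(resource) <= CREATE_ALLOWED[client]


def can_access(client: str, stored: StoredDevice) -> bool:
    """Creator-or-delegate rule shared by read and update."""
    return client == stored.created_by or client in stored.delegates


def redact(resource: dict) -> dict:
    """Copy of the resource with every Return: Never attribute removed."""
    out = copy.deepcopy(resource)
    for schema, attrs in NEVER_RETURNED.items():
        ext = out.get(schema)
        if isinstance(ext, dict):
            for attr in attrs:
                ext.pop(attr, None)
    return out


def create_device(client: str, resource: dict) -> StoredDevice:
    if not can_create(client, resource):
        raise Forbidden(f"{client} may not create {sorted(extensions_in(resource))}")
    return StoredDevice(resource=copy.deepcopy(resource), created_by=client)


def read_device(client: str, stored: StoredDevice) -> dict:
    if not can_access(client, stored):
        raise Forbidden(f"{client} may not read {stored.resource.get('id')}")
    return redact(stored.resource)


def update_device(client: str, stored: StoredDevice, patch: dict) -> dict:
    """Replace the extension objects carried in `patch`.  The client must be
    creator or delegate AND allowed to create every extension it touches, so
    a delegate cannot smuggle in a schema outside its own allowlist.  The
    response is redacted exactly like a read."""
    if not can_access(client, stored):
        raise Forbidden(f"{client} may not update {stored.resource.get('id')}")
    if not can_create(client, patch):
        raise Forbidden(f"{client} may not write {sorted(extensions_in(patch))}")
    for schema in extensions_in(patch):
        if schema in patch:
            stored.resource[schema] = copy.deepcopy(patch[schema])
            if schema not in stored.resource.get("schemas", []):
                stored.resource.setdefault("schemas", [CORE]).append(schema)
    return redact(stored.resource)


if __name__ == "__main__":
    monitor = create_device("wifi-onboarder", {
        "schemas": [CORE, DPP],
        "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
        DPP: {"dppVersion": 2, "bootstrapKey": "MDkw...(base64 SPKI)..."},
    })
    print(read_device("wifi-onboarder", monitor))  # no bootstrapKey in the output
    try:
        read_device("ble-gateway", monitor)
    except Forbidden as exc:
        print("denied:", exc)
```
]]></sourcecode>
<t>Redaction runs after authorization and on every read and update response, so even the client that wrote a bootstrapKey never sees it again; a server that filtered only the create response would still leak the secret through a later GET.</t>
<t>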
Network administratorsSHOULD<bcp14>SHOULD</bcp14> establish appropriate access-control policies that follow the principle of least privilege to mitigate this attack.</t> </section> </section> <sectionanchor="object-deletion"><name>Objectanchor="object-deletion"> <name>Object Deletion</name> <t>Once granted, even if the object is removed, the server may or may not act on that removal. The deletion of the object is a signal of intent by the application that it no longer expects the device to be on the network. It is strictly up to the SCIM server and its back end policy to decide whether or not to revoke access to the infrastructure. It isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that SCIM delete operations trigger a workflow in accordance with local network policy.</t> </section> <sectionanchor="read-operations"><name>Read operations</name>anchor="read-operations"> <name>Read Operations</name> <t>Read operations are necessary in order for an application to sync its state to know what devices it is expected to manage. An attacker with access to SCIM objects may gain access to the devices themselves. To prevent one SCIM client from interfering with devices that it has no business managing, only clients that have created objects or those they authorizeSHOULD<bcp14>SHOULD</bcp14> have the ability to read those objects.</t> </section> <sectionanchor="update-operations"><name>Updateanchor="update-operations"> <name>Update Operations</name> <t>Update operations may be necessary if a device has been modified in some way. Attackers with update access may be able to disable network access to devices or device access to networks. 
To avoid this, the same access control policy for read operations isRECOMMENDED<bcp14>RECOMMENDED</bcp14> here.</t> </section> <sectionanchor="higher-level-protection-for-certain-systems"><name>Higher level protectionanchor="higher-level-protection-for-certain-systems"> <name>Higher Level Protection forcertain systems</name>Certain Systems</name> <t>Devices provisioned with this model may be completely controlled by the administrator of the SCIM server, depending on how those systems are defined. For instance, if BLE passkeys are provided, the device can be connected to, and perhaps paired with. If the administrator of the SCIM client does not wish the network to have complete access to the device, the device itselfMUST<bcp14>MUST</bcp14> support finer levels of access control and additional authentication mechanisms. Any additional security must be provided at higher application layers. For example, if client applications wish to keep private information to and from the device, they should encrypt that information over-the-top.</t> </section> <sectionanchor="logging"><name>Logging</name>anchor="logging"> <name>Logging</name> <t>An attacker could learn what devices are on a network by examining SCIM logs. 
Due to the sensitive nature of SCIM operations, logsSHOULD<bcp14>SHOULD</bcp14> be encrypted both on the disk and in transit.</t> </section> </section> <sectionanchor="iana-considerations"><name>IANAanchor="iana-considerations"> <name>IANA Considerations</name> <sectionanchor="new-schemas"><name>New Schemas</name> <t>The IANA is requested to add the following additions toanchor="new-schemas"> <!--[rfced] We acknowledge this note included in the"SCIM Schema URIs for Data Resources" registry as follows:</t> <texttable> <ttcol align='left'>URN</ttcol> <ttcol align='left'>Name</ttcol> <ttcol align='left'>Reference</ttcol> <c>urn:ietf:params:scim:schemas:core: 2.0:Device</c> <c>Core Device Schema</c> <c>This memo, <xref target="scim-core-device-schema"></xref></c> <c>urn:ietf:params:scim:schemas:core: 2.0:EndpointApp</c> <c>Endpoint Application</c> <c>This memo, <xref target="endpointapp-schema"/></c> </texttable> <t>NoteIANA Considerations section: Note that the line break in URNs should be removed, as should thiscomment.</t>comment. However, without the line breaks in the URNs, the tables exceed the 72-character line limit. We have left the line breaks as is. To keep the URN lines unbroken, we suggest reformatting to lists rather than tables. 
For example: URN: urn:iet:params:scim:schemas:extension:fido-device-onboard:2.0:Device Description: FIDO Device Onboard Resource Type: Device Reference: RFC 9944, Section 7.4 --> <name>New Schemas</name> <t>IANA has added the following additions to the "SCIM Schema URIs for Data Resources" registry:</t> <table> <thead> <tr> <th align="left">Schema URI </th> <th align="left">Name</th> <th align="left">Reference</th> </tr> </thead> <tbody> <tr> <td align="left">urn:ietf:params:scim:schemas:core: 2.0:Device</td> <td align="left">Core Device Schema</td> <td align="left">RFC 9944, <xref target="scim-core-device-schema"/></td> </tr> <tr> <td align="left">urn:ietf:params:scim:schemas:core: 2.0:EndpointApp</td> <td align="left">Endpoint Application</td> <td align="left">RFC 9944, <xref target="endpointapp-schema"/></td> </tr> </tbody> </table> </section> <sectionanchor="device-schema-extensions"><name>Deviceanchor="device-schema-extensions"> <name>Device Schema Extensions</name> <t>IANAis requested to createhas created the following extensions in theSCIM"SCIM Server-Related SchemaURIsURIs" registry as described in <xref target="extensions"/>:</t><texttable> <ttcol align='left'>URN</ttcol> <ttcol align='left'>Description</ttcol> <ttcol align='left'>Resource Type</ttcol> <ttcol align='left'>Reference</ttcol> <c>urn:ietf:params:scim:<table> <thead> <tr> <th align="left">Schema URI</th> <th align="left">Description</th> <th align="left">Resource Type</th> <th align="left">Reference</th> </tr> </thead> <tbody> <tr> <td align="left">urn:ietf:params:scim: schemas:extension:ble:2.0:Device</c> <c>BLE Extension</c> <c>Device</c> <c>This memo, <xref target="ble-extension"></xref></c> <c>urn:ietf:params:scim:ble:2.0:Device</td> <td align="left">BLE Extension</td> <td align="left">Device</td> <td align="left">RFC 9944, <xref target="ble-extension"/></td> </tr> <tr> <td align="left">urn:ietf:params:scim: schemas:extension:ethernet-mab:2.0:Device</c> <c>Ethernet MAB</c> <c>Device</c> 
<c>This memo, <xref target="ethernet-mab-extension"></xref></c> <c>urn:ietf:params:scim:ethernet-mab:2.0:Device</td> <td align="left">Ethernet MAB</td> <td align="left">Device</td> <td align="left">RFC 9944, <xref target="ethernet-mab-extension"/></td> </tr> <tr> <td align="left">urn:ietf:params:scim: schemas:extension:fido-device-onboard:2.0:Device</c> <c>FIDOfido-device-onboard:2.0:Device</td> <td align="left">FIDO DeviceOnboard</c> <c>Device</c> <c>This memo, <xref target="fido-device-onboard-extension"></xref></c> <c>urn:ietf:params:scim:Onboard</td> <td align="left">Device</td> <td align="left">RFC 9944, <xref target="fido-device-onboard-extension"/></td> </tr> <tr> <td align="left">urn:ietf:params:scim: schemas:extension:dpp:2.0:Device</c> <c>Wi-fidpp:2.0:Device</td> <td align="left">Wi-Fi EasyConnect</c> <c>Device</c> <c>This memo, <xref target="wi-fi-easy-connect-extension"></xref></c> <c>urn:ietf:params:scim:Connect</td> <td align="left">Device</td> <td align="left">RFC 9944, <xref target="wi-fi-easy-connect-extension"/></td> </tr> <tr> <td align="left">urn:ietf:params:scim: schemas:extension:endpointAppsExt:2.0:Device</c> <c>ApplicationendpointAppsExt:2.0:Device</td> <td align="left">Application EndpointExtension</c> <c>Device</c> <c>This memo, <xref target="ble-pairing-method-extensions"></xref></c> <c>urn:ietf:params:scim:Extension</td> <td align="left">Device</td> <td align="left">RFC 9944, <xref target="ble-pairing-method-extensions"/></td> </tr> <tr> <td align="left">urn:ietf:params:scim: schemas:extension:pairingJustWorks:2.0:Device</c> <c>JustpairingJustWorks:2.0:Device</td> <td align="left">Just Works AuthBLE</c> <c>Device</c> <c>This memo, <xref target="ble-pairing-method-extensions"></xref></c> <c>urn:ietf:params:scim:BLE</td> <td align="left">Device</td> <td align="left">RFC 9944, <xref target="ble-pairing-method-extensions"/></td> </tr> <tr> <td align="left">urn:ietf:params:scim: schemas:extension:pairingOOB:2.0:Device</c> <c>Out of 
BandpairingOOB:2.0:Device</td> <td align="left">Out-of-Band Pairing forBLE</c> <c>Device</c> <c>This memo, <xref target="ble-pairing-method-extensions"></xref></c> <c>urn:ietf:params:scim:BLE</td> <td align="left">Device</td> <td align="left">RFC 9944, <xref target="ble-pairing-method-extensions"/></td> </tr> <tr> <td align="left">urn:ietf:params:scim: schemas:extension:pairingPassKey:2.0:Device</c> <c>PasskeypairingPassKey:2.0:Device</td> <td align="left">Passkey Pairing forBLE</c> <c>Device</c> <c>This memo, <xref target="ble-pairing-method-extensions"></xref></c> </texttable>BLE</td> <td align="left">Device</td> <td align="left">RFC 9944, <xref target="ble-pairing-method-extensions"/></td> </tr> </tbody> </table> </section> </section><section anchor="acknowledgments"><name>Acknowledgments</name> <t>The authors</middle> <back> <!-- [rfced] [BLE54]: Please review the following questions regarding this reference: a) We were unable to find "isRandom" mentioned in [BLE54] as seen below. Should this citation be updated? Original: isRandom: A boolean flag taken from [BLE54]. b) We also note a few instances of "BLE core specifications 5.3" mentioned throughout this document. However, the Normative References section cites Version 5.4. Please review and let us know if/how to update accordingly. For example: "description": "The isRandom flag is taken from the BLE core specifications 5.3. If TRUE, device is using a random address. Default value is false.", c) Please review our updates to the text below. There are multiple volumes in [BLE54]; it appears Section 5.4.5 is referring to Volume 1, Part A, Section 5.4.5 of [BLE54]. Is this the correct section? Original: For more information about the use of the IRK, see Section 5.4.5 of [BLE54]. Current: For more information about the use of the IRK, see Volume 1, Part A, Section 5.4.5 of [BLE54]. --> <!-- [rfced] References: a) We note that [draft-brinckman-nipc] was replaced by [draft-ietf-asdf-nipc]. 
Should these remain as two separate references? Or, would you like tothank Bart Brinckman, Rohit Mohan, Lars Streubesand, Christian Amsüss, Jason Livingwood, Mike Ounsworth, Monty Wiseman, Geoffrey Cooper, Paulo Jorge N. Correia, Phil Hunt, and Elwyn Davies for their reviews,remove the citation to [draft-brinckman-nipc] andNick Ross for his contributiononly keep the reference to [draft-ietf-asdf-nipc]? b) [JSONSchema] also exists as an Internet-Draft: https://datatracker.ietf.org/doc/draft-bhutton-json-schema/. May we update this reference to point to theAppendix.</t> </section> </middle> <back>Internet-Draft? c) We were unable to find Version 2.0 of [DPP2] "Wi-Fi Easy Connect Specification". We did find Version 3.0 from 2022: https://www.wi-fi.org/system/files/Wi-Fi_Easy_Connect_Specification_v3.0.pdf. Should we update this reference to point to Version 3.0 of the "Wi-Fi Easy Connect Specification"? Current: [DPP2] Wi-Fi Alliance, "Wi-Fi Easy Connect Specification", Version 2.0, 2020. Perhaps: [DPP3] Wi-Fi Alliance, "Wi-Fi Easy Connect Specification", Version 3.0, 2020, <https://www.wi-fi.org/system/files/Wi- Fi_Easy_Connect_Specification_v3.0.pdf>. 
--> <displayreference target="I-D.brinckman-nipc" to="NIPC"/> <displayreference target="I-D.ietf-asdf-nipc" to="NIPC-API"/>
<references anchor="sec-combined-references"> <name>References</name>
<references anchor="sec-normative-references"> <name>Normative References</name>
<reference anchor="BLE54" target="https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_id=587177"> <front> <title>Bluetooth Core Specification</title> <author> <organization>Bluetooth SIG</organization> </author> <date year="2023"/> </front> <refcontent>Version 5.4</refcontent> </reference>
<reference anchor="DPP2"> <front> <title>Wi-Fi Easy Connect Specification</title> <author> <organization>Wi-Fi Alliance</organization> </author> <date year="2020"/> </front> <refcontent>Version 2.0</refcontent> </reference>
<!-- Note to PE: XML for possible update to [DPP2] <reference anchor="DPP2" target="https://www.wi-fi.org/system/files/Wi-Fi_Easy_Connect_Specification_v3.0.pdf"> <front> <title>Wi-Fi Easy Connect Specification</title> <author> <organization>Wi-Fi Alliance</organization> </author> <date year="2020"/> </front> <refcontent>Version 3.0</refcontent> </reference> -->
<reference anchor="ECMA" target="https://ecma-international.org/publications-and-standards/standards/ecma-262/"> <front> <title>ECMAScript(R) 2025 Language Specification</title> <author> <organization>ECMA International</organization> </author> <date year="2025" month="June"/> </front> <refcontent>ECMA-262, 16th Edition</refcontent> </reference>
<reference anchor="FDO11" target="https://fidoalliance.org/specs/FDO/FIDO-Device-Onboard-PS-v1.1-20220419/FIDO-Device-Onboard-PS-v1.1-20220419.html"> <front> <title>FIDO Device Onboard Specification 1.1</title> <author> <organization>FIDO Alliance</organization> </author> <date year="2022" month="April"/> </front> <refcontent>Proposed Standard</refcontent> </reference>
<reference anchor="Zigbee" target="https://zigbeealliance.org/wp-content/uploads/2019/11/docs-05-3474-21-0csg-zigbee-specification.pdf"> <front> <title>Zigbee Specification</title> <author> <organization>Zigbee Alliance</organization> </author> <date year="2015" month="August"/> </front> <refcontent>ZigBee Document 05-3474-21</refcontent> </reference>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7643.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7644.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8520.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4648.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/>
</references>
<references anchor="sec-informative-references"> <name>Informative References</name>
<reference anchor="JSONSchema" target="https://json-schema.org/draft/2020-12/json-schema-core"> <front> <title>JSON Schema: A Media Type for Describing JSON Documents</title> <author initials="A." surname="Wright" fullname="Austin Wright" role="editor"> <organization/> </author> <author initials="H. A." surname="Andrews" fullname="Henry Andrews" role="editor"> <organization/> </author> <author initials="B." surname="Hutton" fullname="Ben Hutton" role="editor"> <organization>Postman</organization> </author> <author initials="G." surname="Dennis" fullname="Greg Dennis"> <organization/> </author> <date year="2022" month="December"/> </front> </reference>
<reference anchor="OpenAPI" target="https://swagger.io/specification/"> <front> <title>OpenAPI Specification</title> <author> <organization>Swagger</organization> </author> <date year="2024" month="October"/> </front> <refcontent>Version 3.1.1</refcontent> </reference>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6241.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8040.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7950.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8995.xml"/>
<!-- draft-ietf-asdf-nipc-14 IESG State: I-D Exists as of 11/26/25 --> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-asdf-nipc.xml"/>
<!-- draft-brinckman-nipc-01 IESG State: Replaced by draft-ietf-asdf-nipc --> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.brinckman-nipc.xml"/>
</references> </references>
<section anchor="changes-from-earlier-versions"> <name>Changes from Earlier Versions</name> <t>[RFC Editor to remove this section.]</t> <t>Draft 17:</t> <t><list style="symbols"> <t>Fix example.</t> </list></t> <t>Draft 16:</t> <t><list style="symbols"> <t>More DISCUSS resolution: make clear that JSON Schema is not normative.</t> <t>Add reference for ECMA for regex.</t> <t>Lots of typo/spelling error cleanup.</t> <t>Add figure labels for examples.</t> <t>Fix an aasvg rendering problem.</t> <t>Add some reference targets.</t> <t>Elwyn Davies review suggestions.</t> </list></t> <t>Drafts 17: * Post DISCUSS hiccup with groups.
* Add OpenAPI header * multivalues->multivalued * externalID->externalId * remove nullable (wasn't doing anything) * Update appropriate json schema and openapi accordingly.</t> <t>Drafts 14, 15, 16: * Resolve DISCUSSes</t> <t>Draft 13: * post IANA and IETF LC</t> <t>Drafts 10-12: * additional WGLC and shepherd comments</t> <t>Draft -09: * last call comments, bump BLE version, add acknowledgments. * Also, recapture Rohit comments and those of Christian.</t> <t>Drafts 04-08: * Lots of cleanup * Security review responses * Removal of a tab * Dealing with certificate stuff</t> <t>Draft -03: * Add MAB, FDO * Some grammar improvements * fold OpenAPI * IANA considerations</t> <t>Draft -02: * Clean up examples * Move openapi to appendix</t> <t>Draft -01:</t> <t><list style="symbols"> <t>Doh! We forgot the core device scheme!</t> </list></t> <t>Draft -00:</t> <t><list style="symbols"> <t>Initial revision</t> </list></t> </section>
<section anchor="json-schema-representation"> <name>JSON Schema Representation</name>
<section anchor="resource-schema"> <name>Resource Schema</name>
<sourcecode markers="true"><![CDATA[
[
  {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
    "id": "Device",
    "name": "Device",
    "endpoint": "/Devices",
    "description": "Device account.",
    "schema": "urn:ietf:params:scim:schemas:core:2.0:Device",
    "meta": {
      "location": "https://example.com/v2/ResourceTypes/Device",
      "resourceType": "ResourceType"
    }
  },
  {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
    "id": "EndpointApp",
    "name": "EndpointApp",
    "endpoint": "/EndpointApp",
    "description": "Endpoint application such as device control and telemetry.",
    "schema": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp",
    "meta": {
      "location": "https://example.com/v2/ResourceTypes/EndpointApp",
      "resourceType": "ResourceType"
    }
  }
]
]]></sourcecode> </section>
<section anchor="device-schema-json"> <name>Core Device Schema</name>
<sourcecode markers="true"><![CDATA[
{
  "id": "urn:ietf:params:scim:schemas:core:2.0:Device",
  "name": "Device",
  "description": "Entry containing attributes about a device.",
  "attributes": [
    { "name": "displayName", "type": "string",
      "description": "Human-readable name of the device, suitable for displaying to end users, for example, 'BLE Heart Monitor', etc.",
      "multiValued": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
    { "name": "active", "type": "boolean",
      "description": "A mutable boolean value indicating the device administrative status. If set TRUE, the commands (such as connect, disconnect, subscribe) that control app sends to the controller for the devices will be processed by the controller.
If set FALSE, any command coming from the control app for the device will be rejected by the controller.",
      "multiValued": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
    { "name": "mudUrl", "type": "reference",
      "description": "A URL to MUD file of the device (RFC 8520).",
      "multiValued": false, "required": false, "caseExact": true, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
    { "name": "groups", "type": "complex", "multiValued": true,
      "description": "A list of groups to which the device belongs, either through direct membership, through nested groups, or dynamically calculated.",
      "required": false,
      "subAttributes": [
        { "name": "value", "type": "string", "multiValued": false, "description": "The identifier of the Device's group.", "required": false, "caseExact": false, "mutability": "readOnly", "returned": "default", "uniqueness": "none" },
        { "name": "$ref", "type": "reference", "referenceTypes": ["Group"], "multiValued": false, "description": "The URI of the corresponding 'Group' resource to which the device belongs.", "required": false, "caseExact": false, "mutability": "readOnly", "returned": "default", "uniqueness": "none" },
        { "name": "display", "type": "string", "multiValued": false, "description": "A human-readable name, primarily used for display purposes. READ ONLY.", "required": false, "caseExact": false, "mutability": "readOnly", "returned": "default", "uniqueness": "none" },
        { "name": "type", "type": "string", "multiValued": false, "description": "A label indicating the attribute's function, e.g., 'direct' or 'indirect'.", "required": false, "caseExact": false, "canonicalValues": ["direct", "indirect"], "mutability": "readOnly", "returned": "default", "uniqueness": "none" }
      ],
      "mutability": "readOnly", "returned": "default" }
  ],
  "meta": {
    "resourceType": "Schema",
    "location": "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device"
  }
}
]]></sourcecode> </section>
<section anchor="endpointapp-schema-json"> <name>EndpointApp Schema</name>
<sourcecode markers="true"><![CDATA[
{
  "id": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp",
  "name": "EndpointApp",
  "description": "Endpoint applications and their credentials.",
  "attributes": [
    { "name": "applicationType", "type": "string",
      "description": "This attribute will only contain two values: 'deviceControl' or 'telemetry'.",
      "multiValued": false, "required": true, "caseExact": false, "mutability": "readOnly", "returned": "default", "uniqueness": "none" },
    { "name": "applicationName", "type": "string",
      "description": "Human-readable name of the application.",
      "multiValued": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
    { "name": "certificateInfo", "type": "complex",
      "description": "Contains X.509 certificate's subject name and root CA information associated with the device control or telemetry app.",
      "multiValued": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none",
      "subAttributes": [
        { "name": "rootCA", "type": "string", "description": "The base64 encoding of the DER encoding of the CA certificate.", "multiValued": false, "required": false, "caseExact": true, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
        { "name": "subjectName", "type": "string", "description": "A Common Name (CN) of the form of CN = dnsName.", "multiValued": false, "required": true, "caseExact": true, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }
      ] },
    { "name": "clientToken", "type": "string",
      "description": "This attribute contains a token that the client will use to authenticate itself.
Each token may be a string up to 500 characters in length.",
      "multiValued": false, "required": false, "caseExact": true, "mutability": "readOnly", "returned": "default", "uniqueness": "none" },
    { "name": "groups", "type": "complex", "multiValued": true,
      "description": "A list of groups to which an endpoint application belongs, either through direct membership, through nested groups, or dynamically calculated.",
      "required": false,
      "subAttributes": [
        { "name": "value", "type": "string", "multiValued": false, "description": "The identifier of the endpoint application's group.", "required": false, "caseExact": false, "mutability": "readOnly", "returned": "default", "uniqueness": "none" },
        { "name": "$ref", "type": "reference", "referenceTypes": ["Group"], "multiValued": false, "description": "The URI of the corresponding 'Group' resource to which the endpoint application belongs.", "required": false, "caseExact": false, "mutability": "readOnly", "returned": "default", "uniqueness": "none" },
        { "name": "display", "type": "string", "multiValued": false, "description": "A human-readable name, primarily used for display purposes. READ ONLY.", "required": false, "caseExact": false, "mutability": "readOnly", "returned": "default", "uniqueness": "none" },
        { "name": "type", "type": "string", "multiValued": false, "description": "A label indicating the attribute's function, e.g., 'direct' or 'indirect'.", "required": false, "caseExact": false, "canonicalValues": ["direct", "indirect"], "mutability": "readOnly", "returned": "default", "uniqueness": "none" }
      ],
      "mutability": "readOnly", "returned": "default" }
  ],
  "meta": {
    "resourceType": "Schema",
    "location": "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:EndpointApp"
  }
}
]]></sourcecode> </section>
<section anchor="ble-extension-schema-json"> <name>BLE Extension Schema</name>
<sourcecode markers="true"><![CDATA[
[
  {
    "id": "urn:ietf:params:scim:schemas:extension:ble:2.0:Device",
    "name": "bleExtension",
    "description": "BLE extension for device account.",
    "attributes": [
      { "name": "versionSupport", "type": "string",
        "description": "Provides a list of all the BLE versions supported by the device, for example, [4.1, 4.2, 5.0, 5.1, 5.2, 5.3].",
        "multiValued": true, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
      { "name": "deviceMacAddress", "type": "string", "pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$",
        "description": "A unique public MAC address assigned by the manufacturer.",
        "multiValued": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "Manufacturer" },
      { "name": "isRandom", "type": "boolean",
        "description": "The isRandom flag is taken from the BLE core specifications 5.3. If TRUE, device is using a random address. Default value is false.",
        "multiValued": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
      { "name": "separateBroadcastAddress", "type": "string",
        "description": "When present, this address is used for broadcasts/advertisements. This value MUST NOT be set when an IRK is provided. Its form is the same as deviceMacAddress.",
        "multiValued": true, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
      { "name": "irk", "type": "string",
        "description": "Identity Resolving Key (IRK), which is unique for every device. It is used to resolve a random address. This value MUST NOT be set when separateBroadcastAddress is set.",
        "multiValued": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "Manufacturer" },
      { "name": "mobility", "type": "boolean",
        "description": "If set to True, the BLE device will automatically connect to the closest AP. For example, if a BLE device is connected with AP-1 and moves out of range but comes in range of AP-2, it will be disconnected with AP-1 and connected with AP-2.",
        "multiValued": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
      { "name": "pairingMethods", "type": "string",
        "description": "List of pairing methods associated with the BLE device, stored as schema URI.",
        "multiValued": true, "required": true, "caseExact": true, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }
    ],
    "meta": {
      "resourceType": "Schema",
      "location": "/v2/Schemas/urn:ietf:params:scim:schemas:extension:ble:2.0:Device"
    }
  },
  {
    "id": "urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device",
    "name": "nullPairing",
    "description": "Null pairing method for BLE. It is included for the devices that do not have a pairing method.",
    "meta": {
      "resourceType": "Schema",
      "location": "/v2/Schemas/urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device"
    }
  },
  {
    "id": "urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device",
    "name": "pairingJustWorks",
    "description": "Just Works pairing method for BLE.",
    "attributes": [
      { "name": "key", "type": "integer",
        "description": "Just Works does not have any key value. For completeness, it is added with a key value 'null'.",
        "multiValued": false, "required": true, "caseExact": false, "mutability": "immutable", "returned": "default", "uniqueness": "none" }
    ],
    "meta": {
      "resourceType": "Schema",
      "location": "/v2/Schemas/urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device"
    }
  },
  {
    "id": "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device",
    "name": "pairingPassKey",
    "description": "Passkey pairing method for BLE.",
    "attributes": [
      { "name": "key", "type": "integer",
        "description": "A six-digit passkey for BLE device. The pattern of key is ^[0-9]{6}$.",
        "multiValued": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }
    ],
    "meta": {
      "resourceType": "Schema",
      "location": "/v2/Schemas/urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device"
    }
  },
  {
    "id": "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device",
    "name": "pairingOOB",
    "description": "Out-of-band (OOB) pairing method for BLE.",
    "attributes": [
      { "name": "key", "type": "string",
        "description": "A key value retrieved from an out-of-band source such as NFC.",
        "multiValued": false, "required": true, "caseExact": true, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
      { "name": "randomNumber", "type": "integer",
        "description": "Nonce added to the key.",
        "multiValued": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
      { "name": "confirmationNumber", "type": "integer",
        "description": "Some solutions require a confirmation number in RESTful message exchange.",
        "multiValued": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }
    ],
    "meta": {
      "resourceType": "Schema",
      "location": "/v2/Schemas/urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device"
    }
  }
]
]]></sourcecode> </section>
<section anchor="dpp-extension-schema-json"> <name>DPP Extension Schema</name>
<sourcecode markers="true"><![CDATA[
{
  "id": "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device",
  "name": "dppExtension",
  "description": "Device extension schema for Wi-Fi Easy Connect / Device Provisioning Protocol (DPP).",
  "attributes": [
    { "name": "dppVersion", "type": "integer",
      "description": "Version of DPP this device supports.",
      "multiValued": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
    { "name": "bootstrappingMethod", "type": "string",
      "description": "The list of all the bootstrapping methods available on the enrollee device, for example, [QR, NFC].",
      "multiValued": true, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
    { "name": "bootstrapKey", "type": "string",
      "description": "A base64-encoded Elliptic Curve Diffie-Hellman public key (may be P-256, P-384, or P-521).",
      "multiValued": false, "required": true, "caseExact": true, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
    { "name": "deviceMacAddress", "type": "string", "pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$",
      "description": "A unique public MAC address assigned by the manufacturer.",
      "multiValued": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "Manufacturer" },
    { "name": "classChannel", "type": "string",
      "description": "A list of global operating class and channel shared as bootstrapping information. It is formatted as class/channel, for example, '81/1', '115/36'.",
      "multiValued": true, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
    { "name": "serialNumber", "type": "string",
      "description": "An alphanumeric serial number that may also be passed as bootstrapping information.",
      "multiValued": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }
  ],
  "meta": {
    "resourceType": "Schema",
    "location": "/v2/Schemas/urn:ietf:params:scim:schemas:extension:dpp:2.0:Device"
  }
}
]]></sourcecode> </section>
<section anchor="ethernet-mab-extension-schema-json"> <name>Ethernet MAB Extension Schema</name>
<sourcecode markers="true"><![CDATA[
{
  "id": "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device",
  "name": "ethernetMabExtension",
  "description": "Device extension schema for MAC Authentication Bypass.",
  "attributes": [
    { "name": "deviceMacAddress", "type": "string", "pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$",
      "description": "A MAC address assigned by the manufacturer.",
      "multiValued": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "Manufacturer" }
  ],
  "meta": {
    "resourceType": "Schema",
    "location": "/v2/Schemas/urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device"
  }
}
]]></sourcecode> </section>
<section anchor="fdo-extension-schema-json"> <name>FDO Extension Schema</name>
<sourcecode markers="true"><![CDATA[
{
  "id": "urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Devices",
  "name": "FDOExtension",
  "description": "Device extension schema for FIDO Device Onboard (FDO).",
  "attributes": [
    { "name": "fdoVoucher", "type": "string",
      "description": "A voucher as defined in the FDO specification.",
      "multiValued": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "Manufacturer" }
  ],
  "meta": {
    "resourceType": "Schema",
    "location": "/v2/Schemas/urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Devices"
  }
}
]]></sourcecode> </section>
<section anchor="zigbee-extension-schema-json"> <name>Zigbee Extension Schema</name>
<sourcecode markers="true"><![CDATA[
{
  "id": "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device",
  "name": "zigbeeExtension",
  "description": "Device extension schema for Zigbee.",
  "attributes": [
    { "name": "versionSupport", "type": "string",
      "description": "Provides a list of all the Zigbee versions supported by the device, for example, [3.0].",
      "multiValued": true, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
    { "name": "deviceEui64Address", "type": "string", "pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){7}$",
      "description": "The 64-bit Extended Unique Identifier (EUI-64) device address.",
      "multiValued": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }
  ],
  "meta": {
    "resourceType": "Schema",
    "location": "/v2/Schemas/urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device"
  }
}
]]></sourcecode> </section>
<section anchor="endpointappsext-extension-schema-json"> <name>EndpointAppsExt Extension Schema</name>
<sourcecode markers="true"><![CDATA[
{
  "id": "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device",
  "name": "endpointAppsExt",
  "description": "Extension for partner endpoint applications that can onboard, control, and communicate with the device.",
  "attributes": [
    { "name": "applications", "type": "complex",
      "description": "Includes references to two types of applications that connect with enterprise, i.e., deviceControl and telemetry.",
      "multiValued": true, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none",
      "subAttributes": [
        { "name": "value", "type": "string", "description": "The identifier of the endpointApp.", "multiValued": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" },
        { "name": "$ref", "type": "reference", "referenceTypes": ["EndpointApp"], "description": "The URI of the corresponding 'EndpointApp' resource that will control or obtain data from the device.", "multiValued": false, "required": false, "caseExact": true, "mutability": "readOnly", "returned": "default", "uniqueness": "none" }
      ] },
    { "name": "deviceControlEnterpriseEndpoint", "type": "reference",
      "description": "The URL of the enterprise endpoint that device control apps use to reach the enterprise network gateway.",
      "multiValued": false, "required": true, "caseExact": true, "mutability": "readOnly", "returned": "default", "uniqueness": "Enterprise" },
    { "name": "telemetryEnterpriseEndpoint", "type": "reference",
      "description": "The URL of the enterprise endpoint that telemetry apps use to reach the enterprise network gateway.",
      "multiValued": false, "required": false, "caseExact": true, "mutability": "readOnly", "returned": "default", "uniqueness": "Enterprise" }
  ],
  "meta": {
    "resourceType": "Schema",
    "location": "/v2/Schemas/urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device"
  }
}
]]></sourcecode> </section> </section>
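<section anchor="schema-constraint-check-example"> <name>Checking Resources Against the Schema Constraints (Added Example)</name>
<t>The following Python script is an added example; it is not part of this specification and not code from the authors. It checks a constructed Device resource (with the BLE and passkey extensions) and a constructed EndpointApp resource against the rules that the schema descriptions above state only in prose: the MAC address pattern, the rule that irk and separateBroadcastAddress are never both set, that every URI in pairingMethods names a known pairing schema that is present on the resource, the six-digit passkey, the two permitted applicationType values, the 500-character limit on clientToken, the choice between clientToken and certificateInfo that the OpenAPI representation expresses as oneOf, and that rootCA decodes from base64 to a DER SEQUENCE (the outer tag of an X.509 Certificate). The sample resources, the placeholder rootCA bytes, and the exact grammar assumed for "CN = dnsName" (DNS labels only, no wildcard) are assumptions made for the example.</t>
<sourcecode type="python"><![CDATA[
```python
"""Added example (not part of RFC 9944): check SCIM Device / EndpointApp
resources against the cross-attribute rules the schema descriptions state.
All sample resources below are constructed for this example."""
import base64
import binascii
import re

BLE = "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"
PAIRING_NULL = "urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device"
PAIRING_JUST_WORKS = "urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device"
PAIRING_PASSKEY = "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device"
PAIRING_OOB = "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device"
PAIRING_SCHEMAS = {PAIRING_NULL, PAIRING_JUST_WORKS, PAIRING_PASSKEY, PAIRING_OOB}

# MAC pattern is the one given in the schemas; the CN grammar is an
# assumption for this example (CN = dnsName, DNS labels only, no wildcard).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
SUBJECT_RE = re.compile(rf"^CN\s*=\s*{LABEL}(?:\.{LABEL})*$")


def validate_device(resource: dict) -> list[str]:
    """Return the list of violations; an empty list means the resource passes."""
    errors = []
    if not isinstance(resource.get("active"), bool):
        errors.append("active: required boolean")
    ble = resource.get(BLE)
    if ble is None:
        return errors
    mac = ble.get("deviceMacAddress")
    if not isinstance(mac, str) or not MAC_RE.match(mac):
        errors.append("ble.deviceMacAddress: missing or not of the form aa:bb:cc:dd:ee:ff")
    # The schema says an IRK and a separate broadcast address MUST NOT coexist.
    if "irk" in ble and "separateBroadcastAddress" in ble:
        errors.append("ble: irk and separateBroadcastAddress MUST NOT both be set")
    for addr in ble.get("separateBroadcastAddress", []):
        if not MAC_RE.match(addr):
            errors.append(f"ble.separateBroadcastAddress: bad address {addr!r}")
    methods = ble.get("pairingMethods") or []
    if not methods:
        errors.append("ble.pairingMethods: required")
    for uri in methods:
        if uri not in PAIRING_SCHEMAS:
            errors.append(f"ble.pairingMethods: unknown schema URI {uri}")
        elif uri != PAIRING_NULL and uri not in resource:
            # nullPairing defines no attributes, so no extension object is expected.
            errors.append(f"{uri}: listed in pairingMethods but not present")
    passkey = resource.get(PAIRING_PASSKEY)
    if passkey is not None:
        key = passkey.get("key")
        # Schema: integer with pattern ^[0-9]{6}$. A JSON integer cannot carry
        # leading zeros, so the enforceable check is the 0..999999 range.
        if isinstance(key, bool) or not isinstance(key, int) or not 0 <= key <= 999999:
            errors.append("pairingPassKey.key: must be a six-digit integer")
    return errors


def validate_endpoint_app(app: dict) -> list[str]:
    """Return the list of violations for an EndpointApp resource."""
    errors = []
    if app.get("applicationType") not in ("deviceControl", "telemetry"):
        errors.append("applicationType: must be 'deviceControl' or 'telemetry'")
    if not app.get("applicationName"):
        errors.append("applicationName: required")
    has_token, has_cert = "clientToken" in app, "certificateInfo" in app
    # The OpenAPI representation models the credential as oneOf the two.
    if has_token == has_cert:
        errors.append("exactly one of clientToken or certificateInfo is required")
    if has_token:
        token = app["clientToken"]
        if not isinstance(token, str) or not 1 <= len(token) <= 500:
            errors.append("clientToken: must be a string of 1..500 characters")
    if has_cert:
        info = app["certificateInfo"]
        subject = info.get("subjectName")
        if not isinstance(subject, str) or not SUBJECT_RE.match(subject):
            errors.append("certificateInfo.subjectName: expected 'CN = dnsName'")
        root = info.get("rootCA")
        if root is not None:
            try:
                der = base64.b64decode(root, validate=True)
            except (binascii.Error, ValueError):
                errors.append("certificateInfo.rootCA: not valid base64")
            else:
                # An X.509 Certificate is a DER SEQUENCE, tag 0x30 (RFC 5280).
                if der[:1] != b"\x30":
                    errors.append("certificateInfo.rootCA: decoded value is not a DER SEQUENCE")
    return errors


# Constructed sample resources (not taken from the RFC).
SAMPLE_DEVICE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", BLE, PAIRING_PASSKEY],
    "displayName": "BLE Heart Monitor",
    "active": True,
    BLE: {"versionSupport": ["5.3"], "deviceMacAddress": "AA:BB:CC:DD:EE:01",
          "isRandom": True, "irk": "constructed-irk-value",
          "pairingMethods": [PAIRING_PASSKEY]},
    PAIRING_PASSKEY: {"key": 123456},
}
# Placeholder DER (SEQUENCE { INTEGER 0 }); not a real certificate.
SAMPLE_ROOT_CA = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
SAMPLE_APP = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:EndpointApp"],
    "applicationType": "telemetry",
    "applicationName": "Telemetry Collector",
    "certificateInfo": {"rootCA": SAMPLE_ROOT_CA, "subjectName": "CN = telemetry.example.com"},
}

if __name__ == "__main__":
    print(validate_device(SAMPLE_DEVICE))
    print(validate_endpoint_app(SAMPLE_APP))
```
]]></sourcecode>
<t>Run stand-alone, the script prints an empty list for each sample; adding a separateBroadcastAddress to the sample device, which already carries an irk, yields a single mutual-exclusion error. A service provider would run these checks on every POST, PUT, or PATCH before storing the resource, because the SCIM schema language itself cannot express cross-attribute rules such as the irk/separateBroadcastAddress exclusion.</t>
</section>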
<section anchor="openapi-representation"> <name>OpenAPI Representation</name> <t>The following sections are provided for informational purposes.</t>
<section anchor="device-schema-openapi-representation"> <name>Core Device Schema OpenAPI Representation</name> <t>OpenAPI representation of core device schema is as follows:</t>
<sourcecode markers="true"><![CDATA[
openapi: 3.1.0
info:
  title: SCIM Device Schema
  version: 1.0.0
components:
  schemas:
    Group:
      type: object
      description: A list of groups to which the device belongs, either
        through direct membership, through nested groups, or dynamically
        calculated.
      properties:
        value:
          type: string
          description: The unique identifier of a group, typically a UUID.
          readOnly: true
          writeOnly: false
        display:
          type: string
          description: A display string for the group.
          readOnly: true
          writeOnly: false
        $ref:
          type: string
          format: uri
          description: Reference to the group object.
          readOnly: true
          writeOnly: false
    Device:
      description: Entry containing attributes about a device.
      type: object
      properties:
        displayName:
          type: string
          description: "Human-readable name of the device, suitable for
            displaying to end users, for example, 'BLE Heart Monitor' etc."
          readOnly: false
          writeOnly: false
        active:
          type: boolean
          description: A mutable boolean value indicating the device
            administrative status. If set TRUE, the commands (such as
            connect, disconnect, subscribe) that control app sends to the
            controller for the devices will be processed by the controller.
            If set FALSE, any command coming from the control app for the
            device will be rejected by the controller.
          readOnly: false
          writeOnly: false
        mudUrl:
          type: string
          format: uri
          description: A URL to MUD file of the device (RFC 8520). It is
            added for future use. Current usage is not defined yet.
          readOnly: false
          writeOnly: false
        groups:
          type: array
          description: List of groups to which a device belongs.
          items:
            $ref: '#/components/schemas/Group'
      required:
        - active
      additionalProperties: false
      allOf:
        - $ref: '#/components/schemas/CommonAttributes'
    CommonAttributes:
      type: object
      properties:
        schemas:
          type: array
          items:
            type: string
            enum:
              - urn:ietf:params:scim:schemas:core:2.0:Device
          description: The list of schemas that define the resource.
        id:
          type: string
          format: uri
          description: The unique identifier for a resource.
          readOnly: true
          writeOnly: false
        externalId:
          type: string
          description: An identifier for the resource that is defined by
            the provisioning client.
          readOnly: false
          writeOnly: false
        meta:
          type: object
          readOnly: true
          properties:
            resourceType:
              type: string
              description: The name of the resource type of the resource.
              readOnly: true
              writeOnly: false
            location:
              type: string
              format: uri
              description: The URI of the resource being returned.
              readOnly: true
              writeOnly: false
            created:
              type: string
              format: date-time
              description: The date and time the resource was added to the
                service provider.
              readOnly: true
              writeOnly: false
            lastModified:
              type: string
              format: date-time
              description: The most recent date and time that the details
                of this resource were updated at the service provider.
              readOnly: true
              writeOnly: false
            version:
              type: string
              description: The version of the resource.
              readOnly: true
              writeOnly: false
      additionalProperties: false
]]></sourcecode> </section>
<section anchor="endpointapp-schema-openapi-representation"> <name>EndpointApp Schema OpenAPI Representation</name> <t>OpenAPI representation of endpointApp schema is as follows:</t>
<sourcecode markers="true"><![CDATA[
openapi: 3.1.0
info:
  title: SCIM Endpoint App Schema
  version: 1.0.0
components:
  schemas:
    Group:
      type: object
      description: A list of groups to which the endpoint application
        belongs, either through direct membership, through nested groups,
        or dynamically calculated.
      properties:
        value:
          type: string
          description: The unique identifier of a group, typically a UUID.
          readOnly: true
          writeOnly: false
        display:
          type: string
          description: A display string for the group.
          readOnly: true
          writeOnly: false
        $ref:
          type: string
          format: uri
          description: Reference to the group object.
          readOnly: true
          writeOnly: false
    EndpointApp:
      title: EndpointApp
      description: Endpoint application resource.
      type: object
      properties:
        applicationType:
          type: string
          description: "This attribute will only contain two values:
            'deviceControl' or 'telemetry'."
          readOnly: false
          writeOnly: false
        applicationName:
          type: string
          description: Human-readable name of the application.
          readOnly: false
          writeOnly: false
        groups:
          type: array
          description: List of groups to which the endpointApp belongs.
          items:
            $ref: '#/components/schemas/Group'
      required:
        - applicationType
        - applicationName
      additionalProperties: true
      oneOf:
        - $ref: '#/components/schemas/clientToken'
        - $ref: '#/components/schemas/certificateInfo'
      allOf:
        - $ref: '#/components/schemas/CommonAttributes'
    clientToken:
      type: string
      description: "This attribute contains a token that the client will
        use to authenticate itself. Each token may be a string up to 500
        characters in length."
      readOnly: true
      writeOnly: false
    certificateInfo:
      type: object
      description: "Contains X.509 certificate's subject name and root CA
        information associated with the device control or telemetry app."
      properties:
        rootCA:
          type: string
          description: "The base64 encoding of a trust anchor certificate,
            as per RFC 4648, Section 4."
          readOnly: false
          writeOnly: false
        subjectName:
          type: string
          description: "Also known as the Common Name (CN), the Subject
            Name is a field in the X.509 certificate that identifies the
            primary domain or IP address for which the certificate is
            issued."
          readOnly: false
          writeOnly: false
      required:
        - subjectName
    CommonAttributes:
      type: object
      properties:
        schemas:
          type: array
          items:
            type: string
            enum:
              - urn:ietf:params:scim:schemas:core:2.0:EndpointApp
          description: The list of schemas that define the resource.
        id:
          type: string
          format: uri
          description: The unique identifier for a resource.
          readOnly: true
          writeOnly: false
        meta:
          type: object
          readOnly: true
          properties:
            resourceType:
              type: string
              description: The name of the resource type of the resource.
              readOnly: true
              writeOnly: false
            location:
              type: string
              format: uri
              description: The URI of the resource being returned.
              readOnly: true
              writeOnly: false
            created:
              type: string
              format: date-time
              description: The date and time the resource was added to the
                service provider.
              readOnly: true
              writeOnly: false
            lastModified:
              type: string
              format: date-time
              description: The most recent date and time that the details
                of this resource were updated at the service provider.
              readOnly: true
              writeOnly: false
            version:
              type: string
              description: The version of the resource.
              readOnly: true
              writeOnly: false
      additionalProperties: false
]]></sourcecode> </section>
<section anchor="ble-extension-schema-openapi-representation"> <name>BLE Extension Schema OpenAPI Representation</name> <t>OpenAPI representation of BLE extension schema is as follows:</t>
<sourcecode markers="true"><![CDATA[
openapi: 3.1.0
info:
  title: SCIM Bluetooth Extension Schema
  version: 1.0.0
components:
  schemas:
    BleDevice:
      type: object
      description: BLE Device schema.
      properties:
        schemas:
          type: array
          items:
            type: string
            enum:
              - urn:ietf:params:scim:schemas:extension:ble:2.0:Device
        urn:ietf:params:scim:schemas:extension:ble:2.0:Device:
          $ref: '#/components/schemas/BleDeviceExtension'
      required:
        - urn:ietf:params:scim:schemas:extension:ble:2.0:Device
    BleDeviceExtension:
      type: object
      properties:
        versionSupport:
          type: array
          items:
            type: string
          description: Provides a list of all the BLE versions supported by
            the device, for example, [4.1, 4.2, 5.0, 5.1, 5.2, 5.3].
          readOnly: false
          writeOnly: false
        deviceMacAddress:
          type: string
          pattern: '^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$'
          description: "It is the public MAC address assigned by the
            manufacturer. It is a unique 48-bit value. The regex pattern
            is ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$."
          readOnly: false
          writeOnly: false
        isRandom:
          type: boolean
          description: The isRandom flag is taken from the BLE core
            specifications 5.3. If FALSE, the device is using a public MAC
            address. If TRUE, the device is using a random address.
          readOnly: false
          writeOnly: false
        separateBroadcastAddress:
          type: string
          description: "When present, this address is used for
            broadcasts/advertisements. This value MUST NOT be set when an
            IRK is provided. Its form is the same as deviceMacAddress."
          readOnly: false
          writeOnly: false
        irk:
          type: string
          description: Identity Resolving Key (IRK), which is unique for
            every device. It is used to resolve a random address.
          readOnly: false
          writeOnly: true
        mobility:
          type: boolean
          description: If set to True, the BLE device will automatically
            connect to the closest AP. For example, if a BLE device is
            connected with AP-1 and moves out of range but comes in range
            of AP-2, it will be disconnected with AP-1 and connected with
            AP-2.
          readOnly: false
          writeOnly: false
        pairingMethods:
          type: array
          items:
            type: string
          description: List of pairing methods associated with the BLE
            device, stored as schema URI.
          readOnly: false
          writeOnly: false
        urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device:
          $ref: '#/components/schemas/NullPairing'
        urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device:
          $ref: '#/components/schemas/PairingJustWorks'
        urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device:
          $ref: '#/components/schemas/PairingPassKey'
        urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device:
          $ref: '#/components/schemas/PairingOOB'
      required:
        - versionSupport
        - deviceMacAddress
        - pairingMethods
      additionalProperties: false
    NullPairing:
      type: object
    PairingJustWorks:
      type: object
      description: Just Works pairing method for BLE.
      properties:
        key:
          type: integer
          description: Just Works does not have any key value. For
            completeness, it is added with a key value 'null'.
          readOnly: false
          writeOnly: false
      required:
        - key
    PairingPassKey:
      type: object
      description: Passkey pairing method for BLE.
      properties:
        key:
          type: integer
          description: "A six-digit passkey for BLE device. The pattern of
            key is ^[0-9]{6}$."
          readOnly: false
          writeOnly: true
      required:
        - key
    PairingOOB:
      type: object
      description: Out-of-band pairing method for BLE.
      properties:
        key:
          type: string
          description: The OOB key value for BLE device.
          readOnly: false
          writeOnly: false
        randomNumber:
          type: integer
          description: Nonce added to the key.
readOnly: false writeOnly: true confirmationNumber: type: integer description: Some solutions require a confirmation number in the RESTful message exchange. readOnly: false writeOnly: true required: - key -randomNumber <CODE ENDS> ]]></artwork></figure>randomNumber]]></sourcecode> </section> <sectionanchor="dpp-extension-schema-openapi-representation"><name>DPPanchor="dpp-extension-schema-openapi-representation"> <name>DPP Extension Schema OpenAPI Representation</name> <t>OpenAPI representation of DPP extension schema is as follows:</t><figure><artwork><![CDATA[ <CODE BEGINS><sourcecode markers="true"><![CDATA[ openapi: 3.1.0 info: title: SCIM Device Provisioning Protocol Extension Schema version: 1.0.0 components: schemas: DppDevice: type: object description: Wi-Fi Easy Connect (DPP) device extensionschemaschema. properties: schemas: type: array items: type: string enum: - urn:ietf:params:scim:schemas:extension:dpp:2.0 :Device urn:ietf:params:scim:schemas:extension:dpp:2.0:Device: $ref: '#/components/schemas/DppDeviceExtension' required: true DppDeviceExtension: type: object properties: dppVersion: type: integer description: Version of DPP this device supports. readOnly: false writeOnly: false bootstrappingMethod: type: array items: type: string description: The list of all the bootstrapping methods available on the enrolleedevice. Fordevice, for example, [QR, NFC]. readOnly: false writeOnly: false bootstrapKey: type: string description: AnElliptic-Curve Diffie HellmanElliptic Curve Diffie-Hellman (ECDH) public key. Thebase64 encodedbase64-encoded length for P-256, P-384, and P-521 is 80, 96, and 120 characters. readOnly: false writeOnly: true deviceMacAddress: type: string description: The MAC address assigned by the manufacturer. The regex pattern is ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}. readOnly: false writeOnly: false classChannel: type: array items: type: string description: A list of global operating class and channel shared as bootstrapping information. 
It is formatted asclass/channel. Forclass/channel, for example, '81/1', '115/36'. readOnly: false writeOnly: false serialNumber: type: string description: An alphanumeric serial number that may also be passed as bootstrapping information. readOnly: false writeOnly: false required: - dppVersion - bootstrapKey additionalProperties:false <CODE ENDS> ]]></artwork></figure>false]]></sourcecode> </section> <sectionanchor="ethernet-mab-extension-schema-openapi-representation"><name>Ethernetanchor="ethernet-mab-extension-schema-openapi-representation"> <name>Ethernet MAB Extension Schema OpenAPI Representation</name> <t>OpenAPI representation of Ethernet MAB extension schema is as follows:</t><figure><artwork><![CDATA[ <CODE BEGINS><sourcecode markers="true"><![CDATA[ openapi: 3.1.0 info: title: SCIM MAC Authentication Bypass Extension Schema version: 1.0.0 components: schemas: EthernetMABDevice: type: object description: Ethernet MAC AuthenticatedBypassBypass. properties: schemas: type: array items: type: string enum: - urn:ietf:params:scim:schemas:extension:ethernet-mab :2.0:Device urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0 :Device: $ref: '#/components/schemas/EthernetMABDeviceExtension' required: true EthernetMABDeviceExtension: type: object properties: deviceMacAddress: type: string description: It is the public MAC address assigned by the manufacturer. It is a unique48 bit48-bit value. The regex pattern is ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}. 
readOnly: false writeOnly: false required: - deviceMacAddress description: Device extension schema forEthernet-MAB <CODE ENDS> ]]></artwork></figure>Ethernet-MAB.]]></sourcecode> </section> <sectionanchor="fdo-extension-schema-openapi-representation"><name>FDOanchor="fdo-extension-schema-openapi-representation"> <name>FDO Extension Schema OpenAPI Representation</name> <t>OpenAPI representation of FDO extension schema is as follows:</t><figure><artwork><![CDATA[ <CODE BEGINS><sourcecode markers="true"><![CDATA[ openapi: 3.1.0 info: title: SCIMFidoFIDO Device Onboarding Extension Schema version: 1.0.0 components: schemas: FDODevice: type: object description: FIDO Device OnboardingExtension(FDO) extension. properties: schemas: type: array items: type: string enum: - urn:ietf:params:scim:schemas:extension:fido-device -onboard:2.0:Devices urn:ietf:params:scim:schemas:extension:fido-device-onboard :2.0:Devices: $ref: '#/components/schemas/FDODeviceExtension' required: true FDODeviceExtension: type: object properties: fdoVoucher: type: string description: A FIDO Device Onboard (FDO)Vouchervoucher. readOnly: false writeOnly: false required: - fdoVoucher description: DeviceExtensionextension for a FIDO Device Onboard(FDO) <CODE ENDS> ]]></artwork></figure>(FDO).]]></sourcecode> </section> <sectionanchor="zigbee-extension-schema-openapi-representation"><name>Zigbeeanchor="zigbee-extension-schema-openapi-representation"> <name>Zigbee Extension Schema OpenAPI Representation</name> <t>OpenAPI representation ofzigbeeZigbee extension schema is as follows:</t><figure><artwork><![CDATA[ <CODE BEGINS><sourcecode markers="true"><![CDATA[ openapi: 3.1.0 info: title: SCIM Zigbee Extension Schema version: 1.0.0 components: schemas: ZigbeeDevice: type: object description: Zigbee Device schema. 
properties: schemas: type: array items: type: string enum: - urn:ietf:params:scim:schemas:extension:zigbee:2.0 :Device urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device: $ref: '#/components/schemas/ZigbeeDeviceExtension' required: true ZigbeeDeviceExtension: type: object properties: versionSupport: type: array items: type: string description: Provides a list of all the Zigbee versions supported by thedevice. Fordevice, for example, [3.0]. readOnly: false writeOnly: false deviceEui64Address: type: string description: TheEUI-64 (Extended64-bit Extended UniqueIdentifier)Identifier (EUI-64) device address. The regex pattern is ^[0-9A-Fa-f]{16}$. readOnly: false writeOnly: false required: - versionSupport - deviceEui64Address description: Device extension schema forZigbee. <CODE ENDS> ]]></artwork></figure>Zigbee.]]></sourcecode> </section> <sectionanchor="endpointappsext-extension-schema-openapi-representation"><name>EndpointAppsExtanchor="endpointappsext-extension-schema-openapi-representation"> <name>EndpointAppsExt Extension Schema OpenAPI Representation</name> <t>OpenAPI representation of endpoint Apps extension schema is as follows:</t><figure><artwork><![CDATA[ <CODE BEGINS><sourcecode markers="true"><![CDATA[ openapi: 3.1.0 info: title: SCIM Endpointextension schemaExtension Schema version: 1.0.0 components: schemas: EndpointAppsExt: type: object properties: applications: $ref: '#/components/schemas/applications' deviceControlEnterpriseEndpoint: type: string format: url description: The URL of the enterprise endpointwhichthat device control apps use to reach an enterprise network gateway. readOnly: true writeOnly: false telemetryEnterpriseEndpoint: type: string format: url description: The URL of the enterprise endpointwhichthat telemetry apps use to reach an enterprise network gateway. 
readOnly: true writeOnly: false required: - applications - deviceControlEnterpriseEndpoint applications: type: array items: value: type: string description: The identifier of the endpointApp. readOnly: false writeOnly: false ref: type: string format: uri description: The URI of the corresponding 'EndpointApp' resourcewhichthat will control or obtain data from the device. readOnly: true writeOnly: false required: - value -ref <CODE ENDS> ]]></artwork></figure>ref]]></sourcecode> </section> </section> <sectionanchor="fido-device-onboarding-example-flow"><name>Fidoanchor="fido-device-onboarding-example-flow"> <name>FIDO Device Onboarding Example Flow</name> <t>The following diagrams are included to demonstrate how FDO can be used. In this first diagram, a device is onboarded not only to the device ownerprocess,process but also to the AAA server for initial onboarding. The voucher contains a device certificate that is used by the AAA system for authentication.</t><figure><artset><artwork<artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="592" width="520" viewBox="0 0 520 592" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,96 L 8,144" fill="none" stroke="black"/> <path d="M 16,32 L 16,80" fill="none" stroke="black"/> <path d="M 48,152 L 48,576" fill="none" stroke="black"/> <path d="M 72,32 L 72,80" fill="none" stroke="black"/> <path d="M 200,32 L 200,80" fill="none" stroke="black"/> <path d="M 232,152 L 232,576" fill="none" stroke="black"/> <path d="M 256,32 L 256,80" fill="none" stroke="black"/> <path d="M 272,120 L 272,144" fill="none" stroke="black"/> <path d="M 272,224 L 272,256" fill="none" stroke="black"/> <path d="M 384,32 L 384,80" fill="none" stroke="black"/> <path d="M 416,80 L 416,416" fill="none" stroke="black"/> <path d="M 416,504 L 416,576" fill="none" stroke="black"/> <path d="M 448,32 L 448,80" fill="none" stroke="black"/> <path d="M 480,48 L 
480,80" fill="none" stroke="black"/> <path d="M 496,80 L 496,576" fill="none" stroke="black"/> <path d="M 512,48 L 512,80" fill="none" stroke="black"/> <path d="M 16,32 L 72,32" fill="none" stroke="black"/> <path d="M 200,32 L 256,32" fill="none" stroke="black"/> <path d="M 384,32 L 448,32" fill="none" stroke="black"/> <path d="M 480,48 L 512,48" fill="none" stroke="black"/> <path d="M 16,80 L 72,80" fill="none" stroke="black"/> <path d="M 200,80 L 256,80" fill="none" stroke="black"/> <path d="M 384,80 L 448,80" fill="none" stroke="black"/> <path d="M 480,80 L 512,80" fill="none" stroke="black"/> <path d="M 8,96 L 248,96" fill="none" stroke="black"/> <path d="M 8,144 L 272,144" fill="none" stroke="black"/> <path d="M 56,192 L 224,192" fill="none" stroke="black"/> <path d="M 240,224 L 272,224" fill="none" stroke="black"/> <path d="M 240,256 L 272,256" fill="none" stroke="black"/> <path d="M 240,352 L 408,352" fill="none" stroke="black"/> <path d="M 240,400 L 408,400" fill="none" stroke="black"/> <path d="M 240,448 L 488,448" fill="none" stroke="black"/> <path d="M 240,496 L 488,496" fill="none" stroke="black"/> <path d="M 56,544 L 224,544" fill="none" stroke="black"/> <path d="M 264,96 L 276,120" fill="none" stroke="black"/> <polygon class="arrowhead" points="496,448 484,442.4 484,453.6" fill="black" transform="rotate(0,488,448)"/> <polygon class="arrowhead" points="416,352 404,346.4 404,357.6" fill="black" transform="rotate(0,408,352)"/> <polygon class="arrowhead" points="248,496 236,490.4 236,501.6" fill="black" transform="rotate(180,240,496)"/> <polygon class="arrowhead" points="248,400 236,394.4 236,405.6" fill="black" transform="rotate(180,240,400)"/> <polygon class="arrowhead" points="248,256 236,250.4 236,261.6" fill="black" transform="rotate(180,240,256)"/> <polygon class="arrowhead" points="232,192 220,186.4 220,197.6" fill="black" transform="rotate(0,224,192)"/> <polygon class="arrowhead" points="64,544 52,538.4 52,549.6" fill="black" 
transform="rotate(180,56,544)"/>
<g class="text">
<text x="36" y="52">SCIM</text>
<text x="220" y="52">SCIM</text>
<text x="408" y="52">Owner</text>
<text x="44" y="68">Client</text>
<text x="228" y="68">Server</text>
<text x="416" y="68">Service</text>
<text x="496" y="68">AAA</text>
<text x="256" y="100">!</text>
<text x="40" y="116">Voucher</text>
<text x="108" y="116">contains</text>
<text x="260" y="116">|_</text>
<text x="20" y="132">an</text>
<text x="56" y="132">X.509</text>
<text x="100" y="132">cert</text>
<text x="144" y="132">chain</text>
<text x="56" y="164">1</text>
<text x="84" y="164">POST</text>
<text x="164" y="164">[FDO(voucher)]</text>
<text x="72" y="180">/HTTP</text>
<text x="288" y="244">2</text>
<text x="328" y="244">Recover</text>
<text x="384" y="244">X.509</text>
<text x="300" y="260">cert</text>
<text x="344" y="260">chain</text>
<text x="300" y="276">from</text>
<text x="352" y="276">voucher</text>
<text x="240" y="324">3</text>
<text x="264" y="324">Add</text>
<text x="344" y="324">device(voucher)</text>
<text x="256" y="340">/HTTP</text>
<text x="280" y="388">4</text>
<text x="304" y="388">200</text>
<text x="340" y="388">"ok"</text>
<text x="336" y="436">5</text>
<text x="360" y="436">Add</text>
<text x="412" y="436">identity</text>
<text x="416" y="468">|</text>
<text x="352" y="484">6</text>
<text x="376" y="484">200</text>
<text x="412" y="484">"ok"</text>
<text x="96" y="532">7</text>
<text x="120" y="532">200</text>
<text x="156" y="532">"ok"</text>
</g>
</svg></artwork>
<artwork type="ascii-art"><![CDATA[
,------.              ,------.              ,-------.        ,---.
|SCIM  |              |SCIM  |              |Owner  |        |AAA|
|Client|              |Server|              |Service|        `-+-'
`---+--'              `---+--'              `---+---'          |
    |                     |                     |              |
 ,------------------------------!.              |              |
 |Voucher contains              |_\             |              |
 |an X.509 cert chain             |             |              |
 `--------------------------------'             |              |
    |                     |                     |              |
    |1 POST [FDO(voucher)]|                     |              |
    |/HTTP                |                     |              |
    |-------------------->|                     |              |
    |                     |                     |              |
    |                     |----.                |              |
    |                     |    | 2 Recover X.509|              |
    |                     |<---' cert chain     |              |
    |                     |      from voucher   |              |
    |                     |                     |              |
    |                     |3 Add device(voucher)|              |
    |                     |/HTTP                |              |
    |                     |-------------------->|              |
    |                     |                     |              |
    |                     |     4 200 "ok"      |              |
    |                     |<--------------------|              |
    |                     |                     |              |
    |                     |   5 Add identity    |              |
    |                     |----------------------------------->|
    |                     |                     |              |
    |                     |     6 200 "ok"      |              |
    |                     |<-----------------------------------|
    |                     |                     |              |
    |      7 200 "ok"     |                     |              |
    |<--------------------|                     |              |
    |                     |                     |              |
]]></artwork>
</artset>
<!-- [rfced] Appendix C: Please review the ASCII artwork that appears at the end of this section. The submitted ASCII artwork does not render or match its SVG equivalent. -->
<t>After this flow is complete, the device can then first provisionally onboard and then later receive a trust anchor through FDO's TO2 process. This is shown below.</t>
<artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="864" width="576" viewBox="0 0 576 864" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,640 L 8,704" fill="none" stroke="black"/>
<path d="M 16,32 L 16,80" fill="none" stroke="black"/>
<path d="M 48,80 L 48,632" fill="none" stroke="black"/>
<path d="M 48,712 L 48,824" fill="none" stroke="black"/>
<path d="M 80,32 L 80,80" fill="none" stroke="black"/>
<path d="M 152,480 L 152,528" fill="none" stroke="black"/>
<path d="M 168,48 L 168,80" fill="none" stroke="black"/>
<path d="M 184,80 L 184,472" fill="none" stroke="black"/>
<path d="M 184,536 L 184,600" fill="none" stroke="black"/>
<path d="M 184,712 L 184,824" fill="none" stroke="black"/>
<path d="M 200,48 L 200,80" fill="none" stroke="black"/>
<path d="M 256,192 L 256,256" fill="none" stroke="black"/>
<path d="M 288,368 L 288,416" fill="none" 
stroke="black"/> <path d="M 296,32 L 296,80" fill="none" stroke="black"/> <path d="M 328,80 L 328,184" fill="none" stroke="black"/> <path d="M 328,264 L 328,360" fill="none" stroke="black"/> <path d="M 328,424 L 328,472" fill="none" stroke="black"/> <path d="M 328,536 L 328,600" fill="none" stroke="black"/> <path d="M 328,712 L 328,824" fill="none" stroke="black"/> <path d="M 352,32 L 352,80" fill="none" stroke="black"/> <path d="M 360,504 L 360,528" fill="none" stroke="black"/> <path d="M 400,96 L 400,176" fill="none" stroke="black"/> <path d="M 400,216 L 400,256" fill="none" stroke="black"/> <path d="M 448,48 L 448,80" fill="none" stroke="black"/> <path d="M 480,184 L 480,360" fill="none" stroke="black"/> <path d="M 480,424 L 480,632" fill="none" stroke="black"/> <path d="M 480,712 L 480,824" fill="none" stroke="black"/> <path d="M 504,48 L 504,80" fill="none" stroke="black"/> <path d="M 520,392 L 520,416" fill="none" stroke="black"/> <path d="M 520,664 L 520,704" fill="none" stroke="black"/> <path d="M 568,120 L 568,176" fill="none" stroke="black"/> <path d="M 16,32 L 80,32" fill="none" stroke="black"/> <path d="M 296,32 L 352,32" fill="none" stroke="black"/> <path d="M 168,48 L 200,48" fill="none" stroke="black"/> <path d="M 448,48 L 504,48" fill="none" stroke="black"/> <path d="M 16,80 L 80,80" fill="none" stroke="black"/> <path d="M 168,80 L 200,80" fill="none" stroke="black"/> <path d="M 296,80 L 352,80" fill="none" stroke="black"/> <path d="M 448,80 L 504,80" fill="none" stroke="black"/> <path d="M 400,96 L 544,96" fill="none" stroke="black"/> <path d="M 400,176 L 568,176" fill="none" stroke="black"/> <path d="M 256,192 L 376,192" fill="none" stroke="black"/> <path d="M 256,256 L 400,256" fill="none" stroke="black"/> <path d="M 336,288 L 472,288" fill="none" stroke="black"/> <path d="M 192,336 L 320,336" fill="none" stroke="black"/> <path d="M 288,368 L 496,368" fill="none" stroke="black"/> <path d="M 288,416 L 520,416" fill="none" stroke="black"/> <path 
d="M 192,448 L 320,448" fill="none" stroke="black"/> <path d="M 152,480 L 336,480" fill="none" stroke="black"/> <path d="M 152,528 L 360,528" fill="none" stroke="black"/> <path d="M 336,560 L 472,560" fill="none" stroke="black"/> <path d="M 56,608 L 472,608" fill="none" stroke="black"/> <path d="M 8,640 L 496,640" fill="none" stroke="black"/> <path d="M 8,704 L 520,704" fill="none" stroke="black"/> <path d="M 336,736 L 472,736" fill="none" stroke="black"/> <path d="M 336,784 L 472,784" fill="none" stroke="black"/> <path d="M 352,480 L 364,504" fill="none" stroke="black"/> <path d="M 512,640 L 524,664" fill="none" stroke="black"/> <path d="M 392,192 L 404,216" fill="none" stroke="black"/> <path d="M 512,368 L 524,392" fill="none" stroke="black"/> <path d="M 560,96 L 572,120" fill="none" stroke="black"/> <polygon class="arrowhead" points="480,560 468,554.4 468,565.6" fill="black" transform="rotate(0,472,560)"/> <polygon class="arrowhead" points="344,784 332,778.4 332,789.6" fill="black" transform="rotate(180,336,784)"/> <polygon class="arrowhead" points="344,736 332,730.4 332,741.6" fill="black" transform="rotate(180,336,736)"/> <polygon class="arrowhead" points="344,288 332,282.4 332,293.6" fill="black" transform="rotate(180,336,288)"/> <polygon class="arrowhead" points="328,448 316,442.4 316,453.6" fill="black" transform="rotate(0,320,448)"/> <polygon class="arrowhead" points="200,336 188,330.4 188,341.6" fill="black" transform="rotate(180,192,336)"/> <polygon class="arrowhead" points="64,608 52,602.4 52,613.6" fill="black" transform="rotate(180,56,608)"/> <g class="text"> <text x="40" y="52">Owner</text> <text x="324" y="52">Access</text> <text x="48" y="68">Service</text> <text x="184" y="68">AAA</text> <text x="320" y="68">Point</text> <text x="476" y="68">Device</text> <text x="552" y="100">!</text> <text x="428" y="116">Device</text> <text x="500" y="116">configured</text> <text x="556" y="116">|_</text> <text x="420" y="132">with</text> <text x="484" 
y="132">well-known</text>
<text x="420" y="148">RCOI</text>
<text x="456" y="148">and</text>
<text x="488" y="148">for</text>
<text x="528" y="148">trust</text>
<text x="412" y="164">on</text>
<text x="448" y="164">first</text>
<text x="488" y="164">use</text>
<text x="384" y="196">!</text>
<text x="276" y="212">WLAN</text>
<text x="348" y="212">configured|_</text>
<text x="276" y="228">with</text>
<text x="340" y="228">well-known</text>
<text x="276" y="244">RCOI</text>
<text x="344" y="276">1</text>
<text x="408" y="276">EAP-TLS/EAPOL</text>
<text x="192" y="324">2</text>
<text x="260" y="324">EAP-TLS/Radius</text>
<text x="504" y="372">!</text>
<text x="316" y="388">Device</text>
<text x="368" y="388">skips</text>
<text x="508" y="388">|_</text>
<text x="316" y="404">server</text>
<text x="404" y="404">authentication</text>
<text x="192" y="436">3</text>
<text x="260" y="436">Result=Success</text>
<text x="344" y="484">!</text>
<text x="184" y="500">Limited</text>
<text x="244" y="500">access</text>
<text x="348" y="500">|_</text>
<text x="168" y="516">for</text>
<text x="200" y="516">now</text>
<text x="336" y="548">4</text>
<text x="404" y="548">Result=Success</text>
<text x="224" y="596">5</text>
<text x="248" y="596">FDO</text>
<text x="280" y="596">TO2</text>
<text x="184" y="628">|</text>
<text x="328" y="628">|</text>
<text x="504" y="644">!</text>
<text x="32" y="660">FSIM,</text>
<text x="88" y="660">Runtime</text>
<text x="144" y="660">SSID,</text>
<text x="508" y="660">|_</text>
<text x="56" y="676">Credentials</text>
<text x="128" y="676">incl.</text>
<text x="32" y="692">local</text>
<text x="80" y="692">trust</text>
<text x="132" y="692">anchor</text>
<text x="344" y="724">6</text>
<text x="404" y="724">disassociate</text>
<text x="336" y="772">7</text>
<text x="376" y="772">EAP-TLS</text>
<text x="420" y="772">w/</text>
<text x="448" y="772">LSC</text>
<text x="48" y="836">.</text>
<text x="184" y="836">.</text>
<text x="264" y="836">etc</text>
<text x="328" y="836">.</text>
<text x="480" y="836">.</text>
</g>
</svg></artwork>
<artwork type="ascii-art"><![CDATA[
,-------.           ,---.             ,------.            ,------.
|Owner  |           |AAA|             |Access|            |Device|
|Service|           `-+-'             |Point |            `---+--'
`---+---'             |               `---+--'                |
    |                 |                   |                   |
    |                 |                   |   ,------------------!.
    |                 |                   |   |Device configured |_\
    |                 |                   |   |with well-known     |
    |                 |                   |   |RCOI and for trust  |
    |                 |                   |   |on first use        |
    |                 |                   |   `--------------------'
    |                 |                   |                   |
    |                 |       ,---------------!.              |
    |                 |       |WLAN configured|_\             |
    |                 |       |with well-known  |             |
    |                 |       |RCOI             |             |
    |                 |       `-----------------'             |
    |                 |                   |                   |
    |                 |                   |  1 EAP-TLS/EAPOL  |
    |                 |                   |<------------------|
    |                 |                   |                   |
    |                 | 2 EAP-TLS/Radius  |                   |
    |                 |<------------------|                   |
    |                 |                   |                   |
    |                 |                   | ,---------------------!.
    |                 |                   | |Device skips         |_\
    |                 |                   | |server authentication  |
    |                 |                   | `-----------------------'
    |                 |                   |                   |
    |                 | 3 Result=Success  |                   |
    |                 |------------------>|                   |
    |                 |                   |                   |
    |                 |   ,--------------!.                   |
    |                 |   |Limited access|_\                  |
    |                 |   |for now         |                  |
    |                 |   `----------------'                  |
    |                 |                   |                   |
    |                 |                   | 4 Result=Success  |
    |                 |                   |------------------>|
    |                 |                   |                   |
    |    5 FDO TO2    |                   |                   |
    |<---------------------------------------------------------|
    |                 |                   |                   |
 ,-------------------!.                   |                   |
 |FSIM, Runtime SSID,|_\                  |                   |
 |Credentials incl.    |                  |                   |
 |local trust anchor   |                  |                   |
 `---------------------'                  |                   |
    |                 |                   |                   |
    |                 |                   |  6 disassociate   |
    |                 |                   |<------------------|
    |                 |                   |                   |
    |                 |                   | 7 EAP-TLS w/ LSC  |
    |                 |                   |<------------------|
    |                 |                   |                   |
    .                 .       etc         .                   .
]]></artwork>
</artset>
</section>
<section anchor="acknowledgments" numbered="false">
<name>Acknowledgments</name>
<t>The authors would like to thank <contact fullname="Bart Brinckman"/>, <contact fullname="Rohit Mohan"/>, <contact fullname="Lars Streubesand"/>, <contact fullname="Christian Amsüss"/>, <contact fullname="Jason Livingwood"/>, <contact fullname="Mike Ounsworth"/>, <contact fullname="Monty Wiseman"/>, <contact fullname="Geoffrey Cooper"/>, <contact fullname="Paulo Jorge N. 
Correia"/>, <contact fullname="Phil Hunt"/>, and <contact fullname="Elwyn Davies"/> for their reviews and <contact fullname="Nick Ross"/> for his contribution to the appendix.</t>
</section>
</back>
</rfc>
<!--##markdown-source:
kr6QdmoJgWIanBhQRdYdFQcJcYkUhzRNkmGP+AJmkbDghN4r5pnSjlfjcHhz 5lD5YllW93x78BgwihO6CRFyYc/+DMWYodS/8/Km7JI81LnwVmAVJn5Kdirc Tr2j0o4Q9kPKisJBN+aLmgrx18Yrz7UMBUryURF/dETbVj1s7esqTm484/2V OjpxDufMB33oaACZOZFQKnPDSvWCVOa9ABY09jVHT7UGaJIn+M7BZRPpa1Ka KHEa1UBbkNZveEqkbkx2LizgVrDtUeRbmNWrsLmxSRb1pRyvw48dY0vhLeV5 kFZrFV6PiM6OiqUc0C1PwxLTzCUB3785Onp59GvruNFoGC+DRc6wD8xDZ5n1 0TB/T104HoyC78KGCjc9o/tiHsfFzC6LWZwV1ogrPBZVi+hN81IEfs5Hofqi JTswR7XsVKJW7tEPX5nI1CrrsfxYB8woC20hRI6oRJhaPKNGsciFIDuOiOVx 8/ZWZ5VM1GyYmRQ9rOR6hTDFmpwRRbrJMCRrchi55gQwsgCubAChovscpF7z jlrHGMTWxyO6dFIdPTu2i0Yf5IpkOAJbw5eUXLzEyXrIh+L1kBtC8y14OShk e3WD/pTSyJ0HSL/wqAMOqObllbCffln5SqZ4lRnPTPOrjkkeMyhgJH03GLAV EejyJZFeSpMg8yXAiGTWlxaf5WK6e67Os3OahHNtT2eQEKEnuy+f9pITctYn YyPKhHQ6erUAE0HuNzO5V74g6xRf1zk6KJ/QCTKl1lohMZ7MmYTaH3TFCGZQ tsptYCz+TlTbRIKtW23CFCyHMHsucp4DP5N9oOL+VWXoGjXwxu+0WKFzTJwc CeMadDE5FiWe5ARoSg3MZAYWeUAS7bSW2KVMlb6K1tx+Xm+D/EAdqIdG6VPR L2FsmUoQk5QyqKMni/Ew7O7Ye9Pi0+08Y3nygE77kAKPFiR86f5eCQV6PZqK vXr/56f1+otW/RBI6C8fNu9Xmu7fqx927v+s3vXC7AxGlQykIUsGqfUivy8z fJDdX58aoGg1ig+rKROmObPDWFIGaPqMo9usT+jUC9nZUxqDeRtf9zkPWti7 5WQDaFnAX5hvYOXo7IdVKc+oOCYCvVpY25AvrRKkNw/T8Bp3uenJEi9zbYSE H5wHJGEbtxxnhoS6YzUC2kTd9MJmMKcjKwWKzlXGSJc/jyDtCzSQqqBHhXqz IJaKElOmbx0mRquI9jbMMwJDfZkmfhdQeGRtqZJYMbnHbADHGmRap2irxrI1 v3uNIlEWcEo9bdDkgagjEMq5rlQIWGBt3+/yjDNtvZYLlWnTmEsMbA+DbZKJ RiF1atlnCMyVIWpheiVDt4uUxfWchypjX6rx9ErhqUxhJO1EkpJgOCw6Udzo WeVrlnY0jUWMdxZy0gfSTUH+APccIYNR7W1sGTef7MXyRsnEh8zH9ElmjPek JEHFtBojnX9KbX+YIVoUTWDATmO7scPGSEU0PG+QcNi/BKeiM5bhX6dgw6Ae nXtGHhYoxMhKDNAmeulDs4+JUMKdfOo2HFfrNONJYgs6rtXqNsxMGhd5rvO0 vsGxl9BopgzWnCoPhs/20QElUpF3qZ/6pjm7yMHQVe3K+7Q26smm4TDlnkEd CEp88o3Bb4dVSkn9nMmOCko270orPWN4VobcCBp9BjBHvuxlkOZb2qUJEXA8 lHPrBhDj+z//tLTd2MDDStuNTfxnp7HO/2zwP/LmFv+zvfTzL0VuaxM/Zpqs yWfWBpYJCN9w3k3pTZt98m7+wjKzMAHHgEAmusx9hrqxHDearOq2/G+FQQPB WMOTuXhIrJaLYNZtYt5K2v8Xds5CooYdP1LJU2FK+UGoxRmjZMMHsmQqJ0nI +ayXEDlhPIxB64AVRzKkNJvCqYk0EFbiCF4NBCP5YQtDP3XTQlr9EY8M8DyN 
lKNUZkFEQf1eueRl+6fKcSNP3nHXYMNqPIwmdgkJjznnyA8jyvRXQAj2z6NO Z1AjJ9CGsZdp0qidQlqeMrmFVTiXBQ9Egh7oC16+Yw12hpYEVbcIKxV5Qy57 6yCYE0ZTPESFOhTftbCVI7xAxjXNFCT2lXBVQel4bGt20zUKsYhGYfXlaBb2 GLTHiU/2xrdWoASikk+D14uLQMdd7WQYk2eD1Tb2c6jQwJmbqWMSVMqB+uQa Vb5DBwgmF2tuuAYkZkIor2AyQHjRZM9CLmkfZ2P5HV91hFNO3imP1piDJMsx gH+5gSK7VxEqFA4cIbZ8oyJsDXBPYa+hEvCRQCu7K+itSKoREDnIyqmh3rFb 74Z94P9lkGXt3Uzh0mcntvYXUkq2wDIWASuEhpZ0QkxMS5fjhZUgFOoAslIj 4Wtn21qa4y8fdpV+iIC/1nA/OXn5sWAOXRXgDUJXPenV22SFd2Eu0U+dCTU+ V8NovbARNGoIg5qUpo/HnFFfil+9UEq6fB+wDt4tmhVq7ilOGSYnEzlbQySO TJYek5jx+HBPsa5JDKsq8M3z7IFLYUahSSF8DfM+dEj/NJk+YEZqAKRLWHNx CKJRLSdsyiLMckNiPKXk0qDNjNnRoOgNiCOYSLc3jmARMzwtxaIHn70t0+Bm HJmMGjPhXZ+ehz2vr87u2Gbf4CMORauI8pp9KOxAfUxnbjC0TRDFozUfbyhh PoVQlZ/9nTrlcxxcP80Cudqbc+DoYy+Q0sanQuXph+LqdSVQqYxB0EORjn8U lqsd/mWitJPxI4+0IaWySNkHWmVZm/kEV+7I1ruTb+mX4MgBJwyg5iEKfouI qJhaWSDBagOdXY/rhnUPS03+qMoVgP7bORy46ljYbAfCikfBFhyk0E5Xd1sS sNBcIU+4LeUpPHlT95o7280XG83nz5t7L5oHm8pDqmgwvEQ+MXm7Cnuos1ar +fIltvTsWXNzs7lBdhPrpnKc0sNNPS61hZ1TcUvubpq+8ho+updKUVn3vLDM rfvIr4FgebgpNja3tne4st79jD7yxc73/W4O8tLTfLQvtIO89BxflW+ciF97 lHON4+Y5cJKXUgxQmxKXKzPpqGDfQpq35K6bUVLgI0ygbWJZLDMrfqOcRmTD 9pVOhXV3gIRx7LxyhJOrtuZNHgAoDtA56CXJSB/qyPdLbic0U1VrFI0vNPIL jXwaGumqtgvSx1wjqkikyJPGJVCcYT+S5grqTBqCdNA9BFWV9omOS7LUSvho c+v5sxe7zze2djZ2n7/4QlgXJqybNmUlh4FFpYDC6uJbOn8nnoAlIyXX6ABd mIxCOeIklDaAQqaKjS+YiFXqNOVCVUeU6IO69H8Yq5yL4A1F/l3qq+3L1njJ rEWzo6ozyixGiRVPXqp2PVP77Atl/UJZP5L0aaV9WIjA6s8tAfQjS7Rf+MMf lj9s2fxBOSErKSlyjK++KiskrR2WHiarVHF/dBpgUligdB8XG/RWEhUURaHo 5FSX8YundrkwXXUJKwCfnpJ/ME3G/UsOFQkzz021ehPoRM2jIB3gNzIe02zq p3ETdofDSYGHKk1BzrHZTYYjZdtXqXE5m8akoMUJUYvDoSylO8V6T4keZNHd pIdwcpaQ6b4VS1XhXCMvgxONOJtjXJdM/aHMBWIGyiUuxUEUYZKzTn1vnILs sh/2YO3qr4IowtPzKwd7+69WZVCgjHNghxQfmxXq2CwfD2en92l9c2e3Bv9s Pd9ma9ZpfWdzA4GNTTxfr4kXu/xgY3PdOmc+6Sh+LZeKoGZFQk1yP5YHm9px pBkwe1lykQA1JXDUGaKMC1NnvKetWrl/T4fHydZ4C2FKfHL9+LqmR34uyttt HJNeFqShHzkuHT8agiw6HsCTjuDnsjBGrTD3GsW7kOjZDmSqefI2ZblSvFZ0 
2aScdxVxtbO4jSeFRTljYeEDJ8sliWX8mwoLwmAmGfrtTkHHgVz7YaRCPxNV J5CSCZqEGU4axZ9/+vGshh5BDG0qTJ6aeQhCYP4HgPwerFocUBrDsnk5GxnH 3I+SNiytTCmJ2SKwFUUsOtyaSnkweUF5A/ANE1tE7a3JhgogWX6+sbaxXFve 2NhZ29pdLoLmMfbKJ+gP1GxBC5vKp3KxsF/FHsOM47DJftk4lFOl4PV65HEU aJQZx+HC7tEFxmETwhw8Jo/jqdbFkCrl6Pqo47BJioHHxx6Hyp+IMlGl4w6f TnTczXhUt+CBg78tH5zn+uDE4/jgpG70UFuIfc2qP0o5udiAcBRgM8hHyeP4 LgQNZO5EjguJ/ra2bYHHkGBUcIsAXCrZg7QwP57ZaS2Lr6M3pFkKzqU3+1c3 Bzd/f/VD8o+j335d32v9+Pcj+Xu/9WNn/6jf2n979tv7wajs+9E/kqOzo9N3 3yc/vvnb+vp/v3oHDRxd/nc6/tu7k9/Wj3+Nro5a35bgwizmocPNsg/t/U+T R3aNph/m16WAsGkodrT97Nn261eb7e317W0r1aSNUl8SdPK1cIJOIpHd09Oc fw9pouXfA9n4ANX8OIBd13ppWxFysYlsKEBtJgr6fudWpicHMrsCgLldBb3e v8qfs/e05QAVJavGFEhjL29RLRAr0O1qTZ9cNycLsOA5huneIGn2AjVKHUVG 50FQXrV1MGiBurTyC6hjJP4tFps2BalW4OelP8QTsHAn6K7qlEgTDkF60n5u DBFzWSDULOoDv+2YIkzuBj52qn2aGPwWhVeykjidXsEKxUGKVVWw1KE9e7bR yUw2DcsIAeuvpd3Cyl5y/fhCvGSzXOm9sLIRaNxRI+AzcvYhpCSWcYe69PIR Z1Dzr5xjU6im0qERMqOMY13NwI36/wQF94UD+fJhSLgBq6UZfDpBmllQmEGt rphK5FPwzuT3iqZ4j+uvOcfQVHmkU6OzNeLFPTcVm31J8Ey0eXw2T42nGOQX 4/pU4zpslRzbY95ms72yumbV3M8cB/PFdTLuYEyKVYNWcoVD3aSnmlyBe1TV l2zkmSmdJosR0qEKlfsPg7SxXHuP6uV5wMc4c6MKT+cUhLYNTwV1Y4n2NInx dK2VT8aTuWvofC3yRcovPErUKSw2MfN0aiprUBeoR2cU3WJm4zbVMrqRVeZC PCWDBXExh1osaHi6Kb9Q5Q0m6pr+GzPzyV7YTeoyfYMsc+ewy4fytV43+RtP mzmahoIxV7FtyxenB290TkeVcpSyJyZp18fgevLV2BXxPjUGZSbLG6qSQVWb dCSDQvyuZlD49OEMymjXHOCKDMrSqJ+MPWXz8qcSHDUsym73U+dTFZvNs5lt ZqnMSwahcGAfGo2G3j7w+/4Lq5qDVQEsc6wKt5HFqohZ/SPst4PA5k/zu3gp ZtJ23AKHke2qQ44fPvAN6eBc/KDXrHT+N+rOIe1Ho+IxOLf0HD6yjm971rGl aalkKryyStE5GIe727Z/LxYHb4/qu9ti5UClWZLk+UhBI11VEK/0Az7MQ2v7 L7Al7e4DSBklKpNZyQeczVb7+Fp7WjXW6hS2YmtUlR6ysrwBU1xjEqOKmQKw UykmVfjCthrrpX6wacl1PkdnTwHd7MSZH/UUTf5skXt+Zh71VS59tYAgX3gC k/ynq8UWKNwjiQMSlo8ZaVgc6sRgQ9iuuWBDG59xjDvrza3N5s5h8xD+d9A8 eNbcfdbcfP5FPphDPoBFeRnkayxpccBICUDCL6xaKZjZ0BTWMQnkCnVxMqzH /H6ka+N4KGeOwgFlBojrR6daOFAHmDkNNosAaJsDIi7Ho9MIxHaRDdGHRbvx b7mgdM9npXXgx1gcEdjBoGHnPs10MihPFTwni+go0fn9RMw1no9O65wI1USt 
WDlnM5i0WyyWMh0iqyrWHJIxdKPEC7jqNUa9yXFLUSjXspJR7DwyJkKBUoLc JGWH0GeUrLyHhbrlhluqPFfk05PpTA80IBROuVmwCmEjWAXTpH6x4KiLX1FO K1+mey8D9DtlszcPOT6Ny9AU0t1iTB7ZkjEzAGsuFI1mFphSL4EElAm3Dgwl tRnJ+tgoOcMfbb9zJSNUKF3cEPBDG1jKm58orVCoixtrNkMQF2KHVd6Fw4AC DKrpGEOTgQ8gvU4yXLJklSvmW+s1dbEIJHHJknGCIl0Qo2wBP7PV01FFH2f1 BAWAOiUKmACqAjhITElcx+zTRC96YsKCm3wJcnBEidT7MnJKJ3xQ6aXYo6RT PrNyaKo6Twqic+opyaDIcqKITSaW8lCo+5LlImB5KRXVLi2hJzihh0O43CnL nEdEkNJbpQRRozgAhF1GpNoJBMZMIgiFJZrEEjW59Oc06C0BMOheWTmlEENX A0POU7O/imN3zIxv3x7tS8cY+kB1UZJiViYYBkiOqmFTZy+wy7J5QifHUuVZ ahP0zQmKE865KevWUypv6EttKiu7l53rXY/JFJWRGnFoJSxny3TDGieb+6rS eTEJ+oz0O8TGA/yfXPqcglcoFqG0KvhGPKqCB1vBHofs7lA4I/pIY3H2rrZG z6dtPpriSwjiXBOV8CcdDO4zMdtgKsdSrGJBkupMlSzozbxi7tlS634Rpe1M Q5ofTBEiFXUub2eSLFNMmFFqG/AmVtYglP5WmNbLiml8qukx5nWgF3WAMh/6 lyOPH/HIo91V8czj3GGN1ecKC4v8O6TfeCie6pOLav1t9mHBywqXlfLaPPU/ 5Jck3YmH1KfAa0KNCoJN7UFD3tra+jhDxo7UkOlfHdW5NIW+a/uY6SI3MG7g nzKc4Z+wpv9UGLBmbH0TGMH0LvTHuda9L+dTZ7U7BqZGSFnVlDLbomWOvLh0 ilGPSgxo1ilLiimhMAo31RZozyYtMSgPWCZFqk1cR9Mq7p2hEVN/qmp+/Jol 8f09JaKJAsoaA4pu3Do9Em61FTvL/IxNY0P+MKy7DVEAyHnQGaeYIw12CWbk TRlU1XXHXwYdH8/Euu7ZofpQBq1qP2OnI0MtdUbzmkemGruGlKqWAhMA7T7F rMSYXccOwZWlr8kkozvzvBapm37nSp1JpUAaJ3aX+lYhS3avlITdG/hxOBxj SRRB1UUSDhTWyh/WkkbTLYYqURBVJwLxQZ2Zg71+ldW8m0AoCzBNTg+R01DI wiBvY12SvStO2LC0h/uVveT5qYT5mXDWeDydNhiOZHFIL2BzTKYich171g19 gUaWGFExAqjK9UmsHPMND72boGSPMEioljOf4eFIbOEmzC515QdtaZdAB6X3 JoiiOsdQX48jtAiRJEE52QlwIRJRrEWm0nuGqRML5gF8YWhhn4rHs3ccwFHT qfD97iCMQyp7g4VZZTUBEO4w62y3G7I1zBsmsOOx2zToS0PaDdcI4iFT8m8d Wi0XUoOiuA59rj6tMZlxqGQtqAyENPR7KuaNVpKqUKu3saSChQjccE0EvR5b KBD1O2z4zDxfvEwwTO64HAayMFyQoZkAF8jaQrLluuReBi40JrbZS5NaGHeo XCkgPmB3NqI6DkCG+uz/MIuCaXgJOLwfJRLvAxIyEp+g0aWf+jEVVwqug1jV wDMlsNMAixJwWT1VsQ6RLEkVrnkwf2EKu8PrftRQVUG4K7VHTbMYPtfHmtPw BN038UgFwBdqxYe4HwSSckrXhZYhJx6F8ZUxw9Ox4NL+g3Y0jDmUhcNzViJO KA3NkY03wERdCPZbj5xCHUwPf3NJ0bY4X9xXZLy+Tq5sYkmmObfAtuzeOzvY O3nzBrjgwT5PhqlUQLGZFh2GUfYpHTMF4vdwrZ1YQC7yhCw70huMh8pLi3qo 
Q2pzN2Qydxyxz8ZKaBgNs1jBMHZhnojsNu4gWDysREMAphBPZ19ySVynIgY5 3tjwrPcknSTI7UbGAi5cgNs1B0pDrIIB7MRrLoqbIMe+DqgavVvTkPInsAsw MDkuHJIXMquJE6+NfjDsjEZL58m54LlVt5tzJEnZTI+WpI0kI2Z/q0v7BmpT 0zec0Y7TmLKboyu9mrIVXq23Q6rReGKtl7xlrRhCp+0smjGc02zaAezXgRQL qQ4ABvKRuwuNlgR/LggPyN81JEa1zLFbCdYNoZ8Sr6zVUjBM0qKEIN/mtRH+ dRJ2ieJw8RQ2NPPLKryY8ZVQLs1hJ2CSvVOwyhtD6lXYx80XwcpHFOssSx2o guSIPdktCAsDgKEUV91KNVxIQxdck3NX8dFU6p6GF3EYFK2gTbUd8YKpBroF QEbrcmZBjnymRVYjwc0mQ5Y5Fslw65CzvsrkK5K9SfnQrl7lYe4rrmMeqx3G FiV1uAiVaTlBfWApP3JPj1zuFZ2Yn+QDi5XikjLa68hxtdSeGZVTX0vySRIH M5UyLIzVcnHwFjXiWZVLLd6fO9MlBgGe3A+zAWyTFpZRMG9mUvD1BlhzoG1g JnC7MpLYRIzEjCwXCAawZzA4niUJCqBxQTDUJZHs2kQUlC7ztFiwYEIg5Zog 7qS3Q1Un1foYmGdahzfro2TIOP066SPhcWUXllBQWI2L8o8t/qF7AmdETiEu DRklfdyG+2PtlTQOmNhHfoRLkZPGa/SZJ6kXFjfiGeA2wPRAUtIC4nDFXDLm EwQhekWoVON0HcTzjoMbGRmSeZYlm/U4akV6DbnOiJTM3HNwCg00g1iiEwh2 RUQkB/sg+lMdN8qKv2QqSTpxmnfwwTHatpFAoZ9G+Z7QVg4jE/xf/ocu/A3P pltjhbEs3gFwUl1lUo70zhRjqVEFFGyijp+qGGlubhWGMmNvlh3mrkyJvrN6 dDRPFZVzf+eeEEQHJrDXdopHLmHJAVhadKcCmVIY9PVdoq3oSySlwHOnbNW6 KbozFCqUogFz3xwmWKVrLI+fx6Uy62clpTJtJHCqeAI0TOXVewzgVZixT6+x S/xOI5RAE04eYXIOmPxfzu8qFBJFs6VwzdTQK+fOVdaLO4VYdzmEckp4roq5 +qw4U3bnnuI1XeeR2f5+4UFMPp2DiSBKzlZVj6mkOWtoc43MPeYPXb0L671c orTqgdzgy3XQ1W7rkqEvvk6V8Vd39s438XpleJMfHyKONM7X+YSwXdR2rvFN qBgE/Volg/DMNiH2xxyWm7nwTpxwqb2XlALMLdD0UcdVTC4JvZ7KDH2PNzDv K9HqoC4H0m6fDFEyVx1pM5m0QOGpcJnYK74C2IBc9xKNDlegM9XEWXIZoj/u Ev947acgQ4zSYNwOMgBiTexdkh8YpNfWIPt//xdtJX/1M8C+1yHWrbxJEnjp DfZwMo6xGN3osobePZDt3mEVT2z1+yDp9dIAdxYKLDWAwDhKxF+TtB+I4wYy 1zQIfbh/GUbi1Rirh+IKHkQ3t7G371+HsjQ0m61AbwyDm4zfOQ5B0z9LZGoy Zl4xu5ilrId8BXYSCvjvgaOhCIDmAc/bo+IxGQuCB34aYSCOzOtRaYOVktDP P50d7omDLjoxWTWkApJc85SVmsbPvwD/TP3eSGw8a2IU89fiMHyv5NeGfrgr H74hGePofO/t+TnX9KQ5NEHJuVKWT+LrZN4+14W9tYVRhr98LbC2hAnDQcBg GWCpqvWD9/RSlIzY2Ho7TNayYRBFxJPTFHUxrLc5HurGemEfxc7Ib6Mi0DNS eEav9GBaaHbws2uMHoy7gSrhBxg8oFdQDiSF1oxr5MP6kw6NL9BiC7nYvMSg hvRhgTiJgwRXRsDED04ToD0KXJdhpzMesnrYT5PxkNId8uBPpCX/ErTUIKXb 
Ju4sq39nHxHCh7jFUtBSjvbr3+nf/EguMxYqIx175cbP4mXUwzi54S3WD+2v 0rvSBGDbBNHLoM8yxKQyo2tAGobwmOqtNc/tmtjYqRF+YHtnssqrnDLG4UoE 2uIXhggQkr6w7aODi0Pxes80t17f2GyqtVCK2LvvX+9xeORlMASO31Wyn269 vv6Cv0Kvlejg8R31Sk20x4OhXfCzxpZYlybJlYiyBKO2Ov6QVBimO6opWRuR TCs9Q3QMNNa36+vPeSCvJeLaSKo9KRJzVFxnJkFHVkyOVRz5bbq5H/iRNi+h 8YGPH+NhpXGvZ6YvoYuYBCJTjU4rU5eIzX1gBwOsvzZADZadAbwlkkhjHt2g hem4OpbuQy6M2KM6t4DIzvYCynAdaGRBpUqSM/39hiQhYj+5/JN4R3u+n4xk YGDqnvUL/mQ6XpcfHsWAEQAhBJ/MDWtTmTPHdzWFNrIBU8rZ+hyB8p2aAwT/ roicQW+9dLjOHT+jAxDObFetimvg8BXHa7sUy9gU925guZCV33RJR49ojcJ8 CIwYdH74oGaPHJ8vEPeTT2o0i3PXnnC2lvdM5z3XDnjcaIynBL2l4ObhX/LI WYSS57mFMJFjltysDqPIDWBZrnRQgAkBXnTxSsY2dQUrYxIKa1lsffYF9X4p 9dz/mzZpiVHjw1eO7YL94l71Xv1gosLmxvOyrVdcU9T2Tdi0c2iXaowrG7oM JdOPMd6F4370Gqj+7Kg0E0ciAcmR2ktWGIszoFdjzFKMBm82sqPdyUm0gUWa w5HK7iovlJhkryGnxQDcro+zolFzWcfIWZ/LaLll0Oo7DTM0ElwofLnrRowR fnDsY+EBRktTfHPhCR1aUPFnS6kKhbRxjkOqCYYcAmkemsMM+DhOYoWGtfJF kEF/BfjLYu+VC9DSJR1VWXiOzw2BIXZ8fchImt0NDC1bOhpS0RU2znSpeF0n niQSH4+KrFjFtuUllf2aVZsdl7vNhqhVfUaMScxwKA+djBKrDe5D+ijSXOHu TFd/l9lSAqdyuhmG/FyP/7D1+vygRtWK5QToX1IzpZ272AANMVc5XPWfBr+y n2JS73Ojop2T8ZPBxMG4+zaNipioNZUJuIhno2A3v3m7D0pQlCMFYgWVxOc7 m+urj7lrHSB+XFCxalUElTyiUzVJZ8QFGKqDO9w4Za+jcmAWIDGQJ+5ndtpE mYRoxCUEZDIitJ20ORVSTT+SRc+5ebsJJMq3MDVMKYeeQz/qUCxSt7E0fUVg 25sjkU5MrpOKUkGOgzedvI8VHGcakpQB8aL0NBHz1eWMp95we6iaWAHdik+L OIch9Pnmq9FuIupZ6FcJTIpnLYVlcc/K0cjbJFE5q0XPv0cALVn3fnnoarw9 O1LL0EHzFqqj5GFepr6Wnf6FOQs1Afv/QAsoZaEn2w8tcYlyWt2R02roDQZl PcTwoYxPNeaWQY5LDMfpMMkoUuXsoLVfPzl+/fc/EPgJ0k8HezIT5gUyLZkv Zzmgq9OkNRE0+g0QgZmWLyN9XsZW6K/HA3/HB2ghzac5lVAD7jGX03hJjWQS mXjqdfVy3U7rsrQ7qR3+YgLcRXmEO54YYL2wEGQuVJbqJdRXZUjA2lwqoFcd WM7qqaX3FtNRGKe30lEfTUXN69uVJoqZDBBs2ES/RQfQFVk0IOQcyqrV1oW9 bWdVWHMn10m+5xA5VqrpTDObwv/DwsNl5/gG70VtKFn+iJL/dHxeXAU1oH1s W4CdPOCPoSVZFvKjuJfMoAPkoLXH+JaJ9zvrL2yD+zKmjOFIYgKhbZsDyShJ RmKv5QRh+VmWdEKKDpEBgUHewOewdo24uC6fkQGlQtkQk7UNJNsItb1WCY8X FUzeXiwhZVi74pZM9UBqxcGZvpdj5fINWC5rfaulCVHGnjXgS58a6It8iQd3 
BUTpErjLIGZgwmI+6Yrgy9js0JT5VwAj8iilA8W2rewdryrwUvY+dJMdi2/z AmycFbudC+QFmH4KEFdyz2QKRcGgF8lVED+US3YUrcK8mFdBrOPprCHLEFxi qGPOIGOfGJLxtKBBHFByHGoGawuYFjBoW2UG4fMMO+t2dToMbOMydx/RfPSE /PajWo/oHBXLYxbIbclMGZWmm5JsVlJqVPrDm5JKQJkD5xcz02drZirNOvTF 6PTF6PTF6PTF6PS4RifZzCdrdkK7kxudry1PTjS+a3uaIZJpBgPUlHQ+eiPB Uz28ilCYl5GdObTnHPizo5TKLFBOzhEtc7gJdQzyVG/i/JhOVYpVk6pP5QK3 IgjdfWqKfE3KCP7TdmOjJrYbmzWx01h3d9AOPtrhR1u/2Pt5gpRZbY6ZvM+n WgCm7sUJO7EsJYxmbfmERjMt0BDPxKe0OP/np/X6i1b90K/3fvmweb/SdP9e /bBz/+cJa9tSlau5brdTac3P8Gh4WSSBwFO7utDlhLXJg/nTWBy7Sucsi6QT SZUsTj7qpQzIJJnLNkQv8vtUXM1HvVKfZZRJ+62Lwj+d6joZbgWKHOGoF3X+ M5NJhf280Mg9yvVsCJX+TAXeZAzpxdYv/+hT3F2Vqb4WIYOU+VZG09ZkulpT k7BURGyrfrM1v3uNhrWMI40bslwEL4TKh412hSxwVbUb7BUzZJz9YKewsUrB q0p9Mqeo87UiL/9S9GUhOvo5LHWYXi20qlzlg+LPMUoft9FVcFuTShYuLNPH /NJipaJbzdU4xwXhAJ0p4YD//P5zGqhef1pzl5tW4DEl1ghGn98GnpcC6/x6 FRR40gJznB0sC+eRVGKLFTbnwNofjxL0Vkh7kM4bz6p6hHreSLROXUnGacFq nU81ycQB5PFondY3yLWI51EykdC5N+fzFA83CZDtMBCQchXLWyB3wdeblDJb Rvu5m13HNhY6k/czfXvz88OZWSlBLuniIkThtRRzZVOyWGtW5r5y6X1kBROb GkH6HPRjS7G5R08KcfpX57t0tMCpeqCrCc6uAxrgVutYWj+1z0DMpbTJVT4e R1FZKsycEodHyORB0AodDhvKoQ5pcjBwxSk4/3hOYnBz7mDqiYSOCFI6ED/X oj7y8HsuRQ5yj74k+vCyXpNq5Tr/ScXi0MFnSphTtURzq9iYH7WEymAmpH6Q TiAz1lh0Phhe7PgWpRAWD4jTOGRGpYaJKQMaJ4ACIUNRJd98K5YRXZc/soYW DmSk/x+M8kw4Uv94OC9PoM+O8fKDCnzHp4QPvzu2t0QWvgchpQ8IK9MuqVFo Ofoix1CloQN5Mb4OeE72jl8+7N7/+bMzO3zSSF1MfPB4KC2TPUxhrObl3xmV p4qHLYvAAgakISiDMi0Vy/Oi7YZCgQbH3jt1qPH4cO/R0fdjCoMTxG9Weo/H 6INfjFAcJzHX2tQpTxHen/d2nwAw0M16oQyQewjY6Fi7yj2hSwAJu3kRU/sO ZoJ6eXZwftEbR7CfsgxLtgXvO5Rh4zPXET81EuvmvJn1rO/+6WnRqYXHfYfD eb1ai5BwN99SnmbD02keLXlMuVASFKn2u7B+6OZu0vBbU+ebT+2M2fDHKOkk kVgBsKzOTfBhuDJNzGJbTH6MFB6XhWzAKkEDO7wmGVg/bzLVTpIRHsIdDrVx ZSHmeWHXaZRuRKdtZW1xqJR/7YecuSVR5efoKGuVY/HHM9cmBwx3MR/iJ0PN ZlmaHxYWaDhiuE7RwQEmcIrwaae+N04xc03Y64WOZF5/FUQRBtFLvyEKRCsy p+tpfXNntwb/bD3fpgC70/rO5sbqH1Xg+d/rwv2cPAidCGCBicPiIFpwj+iA 1ShpY04iTuGKxQGxbZEX+TvcmcgufWkIdsmcdS5CmgWdz/mhrB5IPazJFvOJ 
J55vrG0su+RueWNjZ21rd5Lh5/MmeVmQhn5ULS5PX06sSjIEgI4H0FRHcINS QGbzK5IzmG7iQBYzPMBaTFvQz24/uZLzJyM658RPS2aecPzQTpRaJjqXp0gt kaEXPJBoFb7KJXPlOZbm0lGvvvHbrkg9j0BNtN9J5i2h+vIWsZbRcg55+Xdn bROYmcPAPjepu5R9eQ8Ospx/t01A1mmBl7TZDvdPSvdYr5s87dYqySksd5cZ euZuMRjr4lurLOMxd7gC7a7Ou7UAPn9LxtD8guxLXPPXnCKNShyoXNyc59Bc TgzZl43y8I0yOTt2NnnD/CPst4OgdM/8Ro8WserMt3W4n8qsbvx48Z3C30/Y EIXzZRVByrOeAZwQoMxjKYtRnjFCeauxbhkOJh1w+9TPgfP8Dsbh7naenVcC eh5W/sxi5WVGn4O3R/XdbbFCiIVGBlmT+0ifWVu1lkeFvefDFj+Po/i/M4Eq bvAqklSWs4OKN5aco5itFuMj0qmpZWNdAdp9u5RsmVkhoYLeR1gmp+wYHYfg SNhiDSBJ6GsqUUFNqFx945jPDecyGsxDAJ2yt4VdOS1BwxFHE2UmRTeXaLlJ MEc4RhnaEYaFum4qxpHGD3tRlc0OG0GjVtiSe1YJoUIC1k+eQupncydmqDq8 O09ehurjua1h/vztI579n3im8HdMt1BxTJdHNMs5XXzTJlzTV6Dq2K0jMAux bLW6bA7fclA4xd6adCUiaWPKgVwLWAA1X6nqISv8CAk1JhwvfMrsDtPKSRfI 3fT0nbySr80m0mVXNSmnpSrKE1YC1Uwlf0ip+KzViCrAZ77GOp5Y0O/xxJCn SuZgADxZGpxUffvjrIiT22fqYiy+BB8/oUZhDX5ncbC6VNHUQ7W6BodbBJur 1ZiCYLJyiltGkWQsyyjuR+akfFUac9WdW7egkN28ojS355UPl4pO5KspUAkW pyZdleQqe2uKrcYGiKA4JTzOTEXTm1zPz5kFPJMKZ1PAB/CJhyIc0M54lOGX StSltaJ8D+p4NO64pixS6inKpXdaUyyadFdf82bfLWtjeu4U+RUWUMFTb0HW 1O2QHNW06QBNmUUoh2Bb08bJSS+nK0P5PJjSqcrG5eh88fbt0X7DelHtcSYE 1oMbFIX4CREP/UgmfJh39L7OFCFzBqnU3Zx35UFDQhlqhvHwJmyKcRpWjdKq 75OY0bm4OOsY9RPeF80yVJ69QkD13ihDMKtIwLwLtWCRAPeauWRAVQumkkCu fkDpIrjoMAFTOG9/ESTyBHMVTBZN2+9cM+bwr/q8kNq/NKF/1dez5Pmf3Psc Sf+rGpFGRrsCQHUJgElwsCsDTKgHUNVERZkAe2APQzNOyv84JGmONP25+R7l E17pS5+VQXj1xlTSCjZnQ+yNQR8EOXVMMbBcnq2qEeVxuQ1GDwQX89IiuPw0 dVLOOXDJyQAu23erVoRYCLvpzINYhlj+as0IJWtSIlmTyac8NR+Wos33dUlG 5A1TkOzUUGJnhsB7T3r295N657yJxi7DWbDydyfISmX8wBG2JoG4BFQVqAti VDweNHPYUZ+hNrERvavW1o6PlJ/K04CEc4T+Sm8wuBd2H2fHXZQKWrhV/JJe FxFYTGG+eblzK86PyYaFrPidTxcld+oUsjy0g4w5P+RDySBoesUJzi5MlWEy f2BUxjwCVmJrySLboo0BIdZW5puV4o01hjzRrZzMREjhpTTdOWZUjsylc7WM fnqq7QCXWin1jzcTrpfdXWAiWHSyPgoH+e4K0+HqlGh+h5fdWd34krtNWj5d mz4ltiHV9fQRV9PPRm+SLu7TJwXEAOtmgv6KXDsPlELW18LVhR0aRlxJ9ZLK nisgBigSUBHQrvArZQCazZPCURkRHrDNr82JhXLG8bAxTuL/ExK1lRQIqDT8 
lNQNqLL+VBt/LAvYNOPP/LYf230oW//dLEAV6V55saan0C377IuJ6IuJ6ClN RBYx0HuAd5f1pGwnlFbtUBRuPh0hV6tj3tVbsFSHc02p27GYNFo2wUUMYzMW zPj9VeFSYmjwp3CpZMlPqjG7yFX+BFdFNVLOVa2tBEOYXam2susvz/qJWzJE z+6Byjx9aA3HZXkOBrpm2VmT/MvGSxd7arr/ymz/NrbMnvdfI0QJKSzfpzmo zyoQLFqfxVzzVWopbcIKh8jVbJlAdbnWydxG+ooKJz5CGIiBH3cuC6m6rZEa +NRAAIRBCbQibu9uP8di9DT57UVt7fqZVUlk7vm1oiwRV3Fyg6vAZVly9UQm GsvFuVxzeh03jgBRKNLh4f/dADSZBTzSoqKEqUxaSjApevn2oKkkA2R4gAdH p/rkBgozmizP1DXmyMqyMZZheNBK5Olx3V4ZfumPZl4sSk20Lv+bbIxfjG9z mWu+GN++GN++GN/+8Ma3CUUSyq1vEwxq2Erh8M/jmdRegqo8AunwsjBUby7L 2ssocCNQpgnTOK99O0hskp3qU2H9hdyoxV2TdzouVM/CHtYkzU9DXS+eXc5I i2QG3YsfzCmEuQfIHnNBHOxYpBKGdc105Kzq41ytjHx9jAfqK/mT3vMqLZzW lhSE+bKQWJeTkESlVGc5EXSzdjhS+VDzWSKtKw36wXudNrLgDdbXDAfTHwpS VfFh/ogrBhsKmROqRVBAayWmlZeNkJFGVgRNNYS4pERxNcvqT0xuw88nwn+o bl2RDX9uRXuBig72NUd1h0liDGb+r+7DVASYWgWishGrOkRZRYiH4nl6NTe1 WLDognXNXn+hqoVFsdER0lRhgrk3+bxlCeyBz1GhoBJ86oDz1GIFk1B3Qqii Xd5gSkmDCT3UNyv5oSmCMKHwwaTBq5oIVe+YUgmLbRD1wK1H8GSyyaI1C6xr avmChwHiYen48ZpTDj02qfrLBdCHjM/JAv6AQZ7mmnv8kVqpnR8+TtnY448y lyR68RFCQ9NHV+anc5UI60FeOLYeWbKaddfd8vLBJHWdXrHQtVT9oXt5dJlV sZ1a92CCdgW8uUi2ZLbUKnK0aG0D65q9zEFVC7L6wUPIVhmiQL/OYqgNNuNS TMlj/sgLMUPa/SrwoQ1rYgb+B4hOs8AVScKMMD0Zj+pJr45518vAaqrrzQzW aREfgYDhWYngq2G6AKu0k6jPveLl+dMfJOYWc5TPPaqK9OT+1ATl1iU9mJX5 yp8AH81f9ppU2Fer0nXPbV7FVp7QvDoxtfbDLK77w+F8FtdiDnBO7q20kjwY JuzjT88eK9NXFvF5QXusmw5zVsFIr8ms9tjiB3PaY02i9bnpxCw51h9GXEsy mT+ZVrZYtnPrminx+VQtH/Ohcw70RwLdD/OzzFZcnlZcyFTiVZNYOdjbf7Vq JRonA7ATAQSMjsOuqtroURZyOy05CgqUlxzJ6vP1mnixW5tmMdjYLNnJfJkY sIfZkx5qh0fIzJozdaLc9/sb0jVorczdT7ZPZ8nurTJ6V4FiwUTf1jVrzu9K fYdTgZv03w+DvJ1ke4HdvlB+bZGvampdsyTefmxdz3Ay66ZNBmfQ7iuFxcmZ queWGp3mnlB8RALTcrJMy/zSD5Qd1fhh+PPJkNbEnZEBsvDAPiuh0c7DXCI5 lhwhflA2ctnsfCJlYalmFS2rP5xXxPzisX5URltK/MoNnw4cJ2UCVotdh9Wu poKlKcTnJn7YyhPSvMOwm+TSfyPreRjBgzHPR+hKkpA7o/is6JyVRruI9GWJ teeld5Up4vmym56V7ukVm5XeFT+Yk86ZRPFzi2ClOespW72QTT42wTCDnUAq 3CS8fvUoq0lGVRL1uamGzA/+hISjYqjzEQpuZD5aITv+jKMZTRrrEjFoMRGo 
kBl71o1vr8Cse7/0m88usvEflSn0nWuefPoPU0uLiewXsZLMl47e9Fs1fx0e t7D1ZGMRl9oDndo2FOeV7hgxGhPU22k55WdJ+lCean7xFBACR1P0KjwewdfH 0ks8F3mSP1EbzmVtnY9u2BnlZ6Vx9jfL+djgygTOcx0KiyZtyTkTCJuxVW2v BbM9O5fKO1y6MacdSNPPJqRb/l3hZ3qeKRtz1dd4fQQ4TjldnxXIWyXScotl m6TIVnMsdaHsJNOz/z+MJz5aio9JSfLdtPgVCz1TsnxKjz8BmTDQveKxJVos hErq/RJW6YQS1RGmQKEruFu1QYAkHXEIfCSfJbsb+n0UTilLdshFOyhEoxsM AAMxO2ogLpMbsmVgzZE2paakMO+YPaG9MAXpTDZUMxly4ZHUcKFFjLWi9CMy +kO6T5MbLHYiU5XWKBwXze/qrVarRcfp5FncMA5HaLFP9NwaNB1Vd8xKwqBy 6xeOjsuQbCkQUge3GewmVvwcC3KDWK7w/ewaMLZWp6uRW/vJt+uAEHfEgsVd 7o2q2ycEErpfkw3sUQqJYgMEmdLbMHe8fwfzu/PEv6Cdb+r15dybk2/T/X/B r2VPTabi+lN+8sKeFvzy7gor5L78z5+nNQCYR0kCaEXR6wUbtvz18gb+NXkK RSjkG+AfG+L05PxC/AS7YUXOafWXks4rG1h7dXFxOuHNqQ2UDv67ORqY9uai DZTtgrlHcCc2QfLuJLjjeb3naOAvtIx5BJkbBnSiSSHsIg1U3376BrYw/FdS P42h8zQwDUFnwoNJCPqRgLgtNtfXxVJytTR/A38pncPvhQc7qMdLSW10O2MD U6jddx8blXfzy7HoKjjr8ahTeFaNMVMbmIYxs43gwVNYrAGSHlu9EQVBoEAH siGfvOJgd+d0JsqAKCRJsU9nKaaDX7ogHSVewLcwsWJKORkwQ7ebD0nnbARu upyJi5NNJQmq04rwv+wSkw5hTrSbUnmshOfoq0I2sy/PEbis7+yP7lodHJUN zHzTniN36e9A/LLbOSWl17nF4vqdaccWv+RFUpiw/y4IbvlbFVgxQUwqEfJA sJu/HTkjjqHujzH8COS7BdqhExU3QRTVOfEU3VygnbO9kyNCSMpfSfi3UDuJ wnk0RKib87dTKokuT2snvzq2zG1/Na2du3evW8fW2tii91ztFFbnrvjSLO3Q 6pQ+mqudIlSXiy/N0I51Z0MctE7rF6/P1+Dfk9eLtlNkDQuOZ+KtqnY29STO /G44zhZtpzCLBduZ+NGC7UxQT/U2maUdRbmyq3BYpaHO1I40WbjWBPfNWdqZ qLMuT25nC9SobByNvj0fE+9aFM75bss0zY+07lXLXDA/TGnn7nU4CCmglSGj 7+etENPaQX4CtG/yRKa3U73MOZvEYnDezmPCgu0URvfdR1p3fWOHjJAoJs7c zjQdovR6knlNsaFNuQwduzs8P3pTE2fjmBKbnZ8f7deKXVddho7d7QH3R+rk RxkZfidJyWUtqXYwVV/kyvWLtDPVQDflmkIPS/rdxSQNmS9TEYhF98Xvy9+L Hz1THF/crInX53t/lHnN0k4Bh/WNYNQR5a+4t0jF9P4/Q2sQgByqAQA=[rfced] Please review the "type" attribute of each sourcecode element in the XML file to ensure correctness. If the current list of preferred values for "type" (https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types) does not contain an applicable type, then feel free to let us know. Also, it is acceptable to leave the "type" attribute not set. 
In addition, review each artwork element. Specifically, should any artwork element be tagged as sourcecode or another element? -->

<!-- [rfced] Terminology:

a) We note that the following items appear differently throughout this document (with different quotation marks, capitalization, spacing, etc.). Please review and let us know if any of these should be updated for consistency:

the device
the Device
Device schema
device schema
"ResourceType" schema
EndpointApp schema
endpointApp schema
endpoint Apps extension schema
schema for "EndpointApp" resource type

'Device' resource type,
Device
Device resource types
resource "Device"

'EndpointApp' resource type
'EndpointApp' resource
resource "EndpointApp"
resource "endpointApp"
endpointApp resource object

'deviceControl'
deviceControl

'telemetry'
telemetry

b) We note that different forms of "true" and "false" are used throughout this document in running text. May we make these items consistent by updating to "true" and "false" (lowercase) throughout?

TRUE, True > true
FALSE > false

c) We note a few instances of "NOT" capitalized throughout this document. May we make these instances lowercase (change "NOT" to "not") for consistency and so that these do not get mistaken for a BCP 14 keyword? -->

<!-- [rfced] Abbreviations:

a) Per Section 3.6 of RFC 7322 ("RFC Style Guide"), abbreviations should be expanded upon first use. Please review the items below and let us know if/how they should be expanded:

i) How may we expand "TO2" below?

After this flow is complete, the device can then first provisionally onboard, and then later receive a trust anchor through FDO's TO2 process.

ii) Should "AP" be expanded as "Access Point", "Authenticating Party", or something else?

If set to TRUE, the device could be expected to move within a network of APs.

b) May we expand "RESTful" by providing a definition as follows?

Original:
confirmationNumber: An integer which some solutions require in RESTful message exchange.

Perhaps:
confirmationNumber: An integer that some solutions require in a RESTful message exchange (where RESTful refers to the Representational State Transfer (REST) architecture).

c) FYI - We have added expansions for the following abbreviations. Please review each expansion in the document carefully to ensure correctness.

Certificate Authority (CA)
Near Field Communication (NFC)
Non-IP Device Control (NIPC)
Universally Unique Identifier (UUID) -->

<!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let us know if any changes are needed. Updates of this nature typically result in more precise language, which is helpful for readers.

For example, please consider whether "native" should be updated:

SCIM clients MUST NOT specify this to describe native IP-based devices. -->
</rfc>